Forgot your password?
typodupeerror
Privacy Your Rights Online

Cnet Apologizes For Nmap Adware Mess 231

Posted by samzenpus
from the careful-how-you-click dept.
Trailrunner7 writes "Officials at Cnet's Download.com site have issued a statement apologizing for bundling the popular open source Nmap security audit application with adware that installed a toolbar and changed users' search engine to Microsoft properties. Fyodor, the author of Nmap, raised the issue earlier this week, saying that his app was being wrapped in malware on Download.com. It's not unusual for download sites to bundle free applications with some kind of adware or toolbar, but the creators of open-source applications take a dim view of this practice, given the nature and ethic of open source projects. Nmap is a venerable and widely used tool for mapping networks and performing security audits and Fyodor wrote in a message to an Nmap mailing list earlier this week that Download.com, which is part of Cnet, a subsidiary of CBS Interactive, was bundling the application with its installer, which, if a user agreed, would install a search toolbar and change the user's search engine to Bing."
This discussion has been archived. No new comments can be posted.

Cnet Apologizes For Nmap Adware Mess

Comments Filter:
  • by unity100 (970058) on Thursday December 08, 2011 @07:23PM (#38309620) Homepage Journal
    Do some shady/shitty dealing and make big money. Then apologize for the mess you have caused. IF thats not enough and you get sued, pay some reparations which is ridiculously low compared to your profits.

    This cycle is what is driving the society down under. What BP did, what Lockheed did, what intel did. im sure you know about what bp did last year - killed an entire ecosystem. you may also know about intel's bribery case with pc manufacturers. but you probably dont know what lockheed did - they have bribed nato country defense ministers to buy f104s over more capable aircraft. as a result numerous things happened, including, approx 600 nato pilots dying due to design deficiencies (it had a tendency to maul its tail on landing and take off - hence nicknamed flying coffin) over the years, british and other european aerospace industries died.

    what happened ? lockheed was sued, then admitted to bribery, apologized, paid pathetic sums.

    unless people running corporations AND their shareholders start being held responsible for their doings, these will continue.
    • by InsightIn140Bytes (2522112) on Thursday December 08, 2011 @07:26PM (#38309646)
      But they didn't do anything illegal. They're basically just using their own download application that comes with extra stuff. In fact, Google does exactly the same with Chrome, so you should blame them too.
      • by Hatta (162192) on Thursday December 08, 2011 @07:40PM (#38309780) Journal

        They distributed nmap in a manner inconsistent with its licensing, running afoul of copyright law. They should be forced to pay applicable statutory damages.

        • by sconeu (64226) on Thursday December 08, 2011 @08:08PM (#38310034) Homepage Journal

          Or if PIPA or SPA were law, he could have tried to seize the domain "download.com"

      • But they didn't do anything illegal. They're basically just using their own download application that comes with extra stuff. In fact, Google does exactly the same with Chrome, so you should blame them too.

        No, they didn't. So what?

        There are plenty of things that are perfectly legal that people don't like.

        In this case, the author of the open source security software should just make his own software blacklist the download.com site for malware/shadyware, which is also completely legal to do. And then hopefully, download.com would retaliate by blacklisting his software, so then everybody is happy. The author is happy. The consumer is happy. And download.com is relieved not to have to his software listed on their

      • by cjcela (1539859)
        The thing is, when talking about what is right and what is wrong, "illegal" should not be the boundary, but a far extreme towards "bad", which most companies should avoid by far. As I see it, the fact that a company does anything that is "legal" and in its power to generate profit, in real life means that the company is driven by greedy individuals and often ethically questionable practices. And if a company does something illegal, somebody somewhere has to go to jail. Period. I know, I know, there is the f
      • by fv (95460) * <fyodor@insecure.org> on Thursday December 08, 2011 @10:22PM (#38311026) Homepage

        But they didn't do anything illegal. They're basically just using their own download application that comes with extra stuff.

        Yes, but Download.com still assures users that they will never bundle that "extra stuff". Their Adware & Spyware Notice [cnet.com] says:

        In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that.

        Also, they make it look like a download link for the real installer (which it used to be), and then the user gets this CNET crap. But they still used our name liberally in the trojan installer as if we were somehow responsible for or involved in this abomination. I've got screen shots on my Download.com fiasco page [insecure.org].

        Also, this "apology" rings hollow because they aren't fixing the problem along with it. In particular:

        1) He claims that bundling malware with Nmap was a “mistake on our part” and “we reviewed all open source files in our catalog to ensure none are being bundled.” Either that is a lie, or they are totally incompetent, because tons of open source software is still being bundled. You can read the comments below his post for many examples.

        2) Even if they had removed the malware bundling from open source software, what about all of the other free (but not open source) Windows software out there? They shouldn't infect any 3rd party software with sketchy toolbars, search engine redirectors, etc.

        3) At the same time that Sean sent the “apology” to users, he sent this very different note to developers [com.com]. He says they are working on a new expanded version of the rogue installer and “initial feedback from developers on our new model has been very positive and we are excited to bring this to the broader community as soon as possible”. He tries to mollify developers by promising to give them a cut (“revenue share”) of the proceeds from infecting their users.

        4) You no longer need to register and log in to get the small (non-trojan) “direct download” link, but the giant green download button still exposes users to malware.

        5) The Download.Com Adware & Spyware Notice [cnet.com] still says “every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.” How can they say that while they are still adding their own adware? At least they removed the statement from their trojan installer that it is “SAFE, TRUSTED, AND SPYWARE FREE”.

    • Seems like Microsoft is casting around for some way to top Sony's rootkit.

    • "Flying Coffin." Interesting nickname. In my home country it was called the Widow Maker. Erich Hartmann, the highest-scoring fighter ace in the history of air warfare, called it fundamentally flawed and unfit for service. Lockheed's money caused his superiors to force him into early retirement. 115 German pilots were killed in non-combat missions while piloting the F104.

  • It's Legal (Score:5, Informative)

    by Bruce Perens (3872) * <bruce@perens.com> on Thursday December 08, 2011 @07:28PM (#38309664) Homepage Journal

    It is entirely within the license terms of any OSI-approved Open Source license to aggregate any software, regardless of its nature, on the same medium as Open Source software and to install it with the same installer that installs the Open Source. Even software that is harmful. Only if the software is a derivative work of the Open Source will the license apply to it.

    Sure, CNet shouldn't do this, and if they keep doing it we'll eventually start using new licenses that make them copyright infringers. But right now it's legal.

    • Re:It's Legal (Score:5, Informative)

      by Midnight_Falcon (2432802) on Thursday December 08, 2011 @07:38PM (#38309764)
      NMap is not licensed under the GPL -- it has its own license that specifically prohibits this type of bundling/installing a wrapper around the executable. This is not legal under NMap's license terms, I'm afraid you're mistaken.
      • Re:It's Legal (Score:4, Interesting)

        by Bruce Perens (3872) * <bruce@perens.com> on Thursday December 08, 2011 @07:43PM (#38309806) Homepage Journal
        Over at nmap.org, there's a GPL license. See this [nmap.org]. They also offer a commercial license.
        • Re:It's Legal (Score:5, Informative)

          by Midnight_Falcon (2432802) on Thursday December 08, 2011 @07:45PM (#38309814)
          Bruce: This is taken directly from Fyodor's email to nmap-hackers: In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't). We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!
          • Re:It's Legal (Score:5, Informative)

            by Bruce Perens (3872) * <bruce@perens.com> on Thursday December 08, 2011 @07:57PM (#38309930) Homepage Journal

            Sorry, but when Fyodor crosses out some of the GPL terms and writes in new ones in crayon (meaning without the assistance of a lawyer or in a manner contrary to existing law), it doesn't really have the effect he desires.

            The GPL explicitly does not define terms such as "derivative work" because these terms are defined in copyright law or case law. Case law is most important here, and in general case law is strongly against Fyodor's interpretation. Go read Judge Walker's finding in CAI v. Altai and tell me that just installing the software makes it a derivative work.

            I am also dubious that anything in 18 U.S.C. 1030 (the Computer Fraud and Abuse Act) can really be used to prosecute this particular incident. Can you show me the words that you think would?

            • Sorry, but when Fyodor crosses out some of the GPL terms and writes in new ones in crayon (meaning without the assistance of a lawyer or in a manner contrary to existing law), it doesn't really have the effect he desires.

              You're not an IP lawyer either.

              Go read Judge Walker's finding in CAI v. Altai and tell me that just installing the software makes it a derivative work.

              I'm not exactly an expert in US Copyright law, but after reading (time is limited mate) the Wikipedia article on the case, I see nothing related to the issue of whether such "aggregation" is a derivative work. My gut feeling is that whether it infringes depends on how it is "aggregated", and I really can't see how one can declare it is "non-infringing" without even looking at the installer itself.

              The tricky parts of law are always in the devilry details. The "aggregation does

              • No, I am not admitted to the bar, but a good deal of my income comes from working on Open Source issues with attorneys, and I teach attorneys, with CLE credit awarded in some states, about Open Source legal issues. I am an expert witness on just the sort of issue that is being discussed.

                "Aggregation" is the word we use for the combination of software items on a medium that are not derivative works of the other software. It doesn't really make sense to say "that aggregation is a derivative work", if it were

        • Re:It's Legal (Score:4, Informative)

          by Bruce Perens (3872) * <bruce@perens.com> on Thursday December 08, 2011 @07:47PM (#38309832) Homepage Journal

          I see what you mean, the line that says "Integrates/includes/aggregates Nmap into a proprietary executable installer, such as those produced by InstallShield."

          It's nice to know what they consider a derivative work, but it has no legal effect. That would not be a derivative work under copyright law no matter what they think.

          • by Bert64 (520050) <bert@@@slashdot...firenzee...com> on Thursday December 08, 2011 @08:49PM (#38310398) Homepage

            It's not a "derivative work" for purposes of the GPL, and thus doesn't require disclosure of source code as per the GPL terms...

            On the other hand, nmap is not distributed under the pure GPL, it is distributed under the GPL with added stipulations, kind of like how the linux kernel include explicit exceptions to GPL2...

            The copyright holder is free to decide if, when and how their work will be distributed, and Fyodor has decided that in addition to the GPL requirements, he also doesn't want his code distributed as part of third party binary installers.
            These installers are not a derivative work, they are just a violation of the distribution terms, and if you don't agree to the terms offered by the copyright holder then you are not allowed to distribute a copyrighted work.

            A similar example would be a movie publisher or a tv station that is forced to implement DRM by a movie studio if they want to distribute that studio's movies. If the copyright holder doesn't agree with your terms then you can't redistribute his work.

    • by Gerald (9696)

      The stub installer conflates "CNET" with the name of the software package, both in its file name and in its installation wizard. For projects and products that that are registered trademarks, wouldn't that constitute some sort of violation?

      • Can you make a credible case that the conflation of the CNET name confuses the public regarding the origin of the NMap software? It sounds a bit thin to me.
    • It wasn't a question as to whether it's legal. The question was whether it's a kind of crappy thing to do. If the issue was legal, he would have sent a C&D - since the issue instead was CNET's being crappy, he used public shame instead, which is the effective means of attack in that instance.
  • Who? What? (Score:5, Insightful)

    by RichardJenkins (1362463) on Thursday December 08, 2011 @07:28PM (#38309666)

    Who would download a tool like nmap from download.com? What sort of person does this? How is this a thing that happens?

    • Re:Who? What? (Score:5, Interesting)

      by cavtroop (859432) on Thursday December 08, 2011 @07:35PM (#38309740)

      I work in security for my company, so we keep an eye on unauthorized software in our enterprise. We had a guy just today download PuTTY from a download site, that came bundled with all kinds of shitty toolbars and adware. This guy is a Sr. Software Manager and Developer at the company and should know better.

      I wish I could clue these supposedly 'smart' users in, but they'll download and install anything without any critical thinking at all.

      • Re:Who? What? (Score:5, Insightful)

        by Anonymous Coward on Thursday December 08, 2011 @07:58PM (#38309942)

        I work in security for my company, so we keep an eye on unauthorized software in our enterprise. We had a guy just today download PuTTY from a download site,

        PuTTY is a very bad example, almost ANY URL sounds more authoritative than the real one.

        Working in security, you should expect people to screw this one up and have your sysadmin team deploy/maintain it.

        www.chiark.greenend.org.uk/~sgtatham/putty/
        *blech*

        • Unless of course you search for it on Google, Bing, or Yahoo, or probably any other search engine, in which case it's the first result. And, unless you actually read the page you're downloading from, which states "The official PuTTY web page is still where it has always been: http://www.chiark.greenend.org.uk/~sgtatham/putty/ [greenend.org.uk]"

          Unless you don't know what PuTTY is, you'd almost have to try to download it from the wrong place.

          • by bcmm (768152)
            Just last week my dad screwed up doing just this. Searched for "download VLC", clicked the first link on Google (sponsered link, not a search result), got several toolbars.
        • by X0563511 (793323)

          Yea, the userdir really makes you feel warm and safe about the URL.

        • by guruevi (827432)

          How about putty.be

          Easy to remember and afaik always authentic

      • by ISoldat53 (977164)
        This used to be a trusted site.
    • by lucm (889690)

      What sort of person does this?

      The same persons who complain because the "desktop experience" features are disabled by default on Windows Server.

      There is no explanation, it is a personality type. I suggest you read "Zen and the art of motorcycle maintenance", it offers a lot of insight about this kind of thing.

      • by leenks (906881)

        If you mean (and I know you dont, but it can, and does, easily fall into that category in an enterprise) "being able to enter a path into Explorer and it allow you to go there" as opposed to navigating to it from "My Computer" or "Network" directly, then sure. If you mean being able to right click on an application in the taskbar so I can close it, then sure. I complain like hell at these restrictions; it makes my life a right PITA.

        Sacrificing basic usability because of some BOFH is under the impression tha

      • by X0563511 (793323)

        So, why would I read a book about motorcycle maintenance when I have little interest in motorcycles or the maintenance of internal combustion engines (and associated machinery)?

        • by lucm (889690)

          So, why would I read a book about motorcycle maintenance when I have little interest in motorcycles or the maintenance of internal combustion engines (and associated machinery)?

          If you read the book you will actually be able to answer this question...

  • trust (Score:5, Insightful)

    by Anonymous Coward on Thursday December 08, 2011 @07:30PM (#38309682)

    It takes years to earn trust. It takes only one event like this to destroy said trust for good. Up to a year ago, I used download.com where they always proclaimed "Spyware free" etc... That trust has been erased and I will never go back to that site. But really, after they began doing the indirect download using their own downloader, that turned me off right then and there and I stopped about a year ago.

    • Cnet and download.com used to be the site I trusted for downloading software, given their consistently good business practices and the number of other sites that included malware, spyware, and/or bloatware along with their downloads. Obviously I still trust Sourceforge, Ubuntu apt-get, and the download sites that various other projects provide for their own code, but for Windows software, download.com used to be the place to go.

      So are there other sites that have good collections of Windows software and ar

  • Too little. (Score:3, Insightful)

    by Capt.DrumkenBum (1173011) on Thursday December 08, 2011 @07:30PM (#38309692)
    Too late.
    They should not have done it in the first place, and I will be looking elsewhere for my downloads.
    • Re:Too little. (Score:4, Insightful)

      by DarwinSurvivor (1752106) on Thursday December 08, 2011 @07:41PM (#38309790)
      So YOU are the one that actually used that site! Of all the times not to post as AC....
      • The odd time I am dealing with windows and looking for software, a quick google search would often put them at the top of the results. Until they started this crap at least you knew it wasn't virused.
        Shear lazyness I admit.
        I will from now on taking the extra few moments to fine the original authors site and download from there.

        PS: I apologize to geeks everywhere for my lazyness. :)
        • by fafaforza (248976)

          bleah, even autors' sites can be traps. Take imgburn for example. Might not be the case right now, but the last time I was downloading, there were no less than 3 download links in various banners to unrelated crapware, some of it going through doubleclick. Windows software has become a complete cesspool.

  • by davegaramond (632107) on Thursday December 08, 2011 @07:42PM (#38309800)
    Waiting for their tagline to change to "Safe, Trusted, and We Apologize For Spyware"
  • by koan (80826) on Thursday December 08, 2011 @08:00PM (#38309962)

    Should you be using Nmap if you can't pay enough attention to opt out of installing a toolbar?

  • by TSHTF (953742)
    What a half assed apology. They didn't apologize for fucking up, but instead the unrest they caused.

    The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused.

  • If it's optional, what's the problem?

    • The Nmap-License specifically disallows bundling Nmap into a proprietary installer. So Download.com violated the Nmap-License.
  • by Animats (122034) on Thursday December 08, 2011 @08:32PM (#38310262) Homepage

    This is where he should sue CNet for slander of trademark, and tortious interference with business relations.

  • by Hamsterdan (815291) on Thursday December 08, 2011 @08:43PM (#38310350)

    They're not sorry about the bundled *extras*, they're sorry they *got caught*...

  • nmap on Windows?

    remember that scene in Scanners?
    .
    .
    .

  • by Ark42 (522144)

    Glad I removed all my downloads from cnet a few years back. I was really getting pissed at them for hosting my files, after explicitly telling them they were not authorized to, and could only link to the download on my website. Yet they kept changing the links back and distributing my software with no rights to do so.

    They're largely irrelevant now thanks to Google, so I didn't miss much. They like to think they're important and matter, but they're really no different than any other PAD-file-generated spam s

  • by Stumbles (602007) on Friday December 09, 2011 @05:47AM (#38312930)
    Scroll down to the update section: http://insecure.org/news/download-com-fiasco.html [insecure.org]

"Only the hypocrite is really rotten to the core." -- Hannah Arendt.

Working...