
CNet's Download.com now bundling Nmap with malware - taylorbuley
http://seclists.org/nmap-hackers/2011/5
======
ComputerGuru
Shit. I just found that my application which was updated last week and is the
10th most popular system utility app on Download.com is also being similarly
bundled [1]. This was not the case last week.

I think Softpedia and FileHippo are the only big sites left not doing this
ridiculous practice. I'm debating whether or not to pull the application
listing. What do you guys think?

[1]: <http://download.cnet.com/EasyBCD/3000-2094_4-10556865.html>

EDIT

The benefit of our freeware not being open source is that we retain full
control over distribution and packaging. Unlike nmap and others, we actually
have a legal right to demand that CNet et al. either host the unaltered EXE
or pull their listing.

I have just sent CNet a "cease and desist"-ish open letter, which we've also
published on our blog. We will be forwarding this to any and all download
sites we find bundling EasyBCD with their intrusive downloaders and
installers, as that goes explicitly against the products' licensing
agreements, which are there to prevent exactly this type of behavior.

Link: <http://neosmart.net/blog/2011/open-letter-to-cnet/>

tl;dr of link: C&D bundling of EasyBCD with installers and downloaders or pull
the listing.

~~~
DanBC
While you're here:

The gallery link appears to 404:

([http://neosmart.net/EasyBCD/gallery/album/view/neosmart/Easy...](http://neosmart.net/EasyBCD/gallery/album/view/neosmart/EasyBCD/EasyBCD+2.0/))

~~~
ComputerGuru
Thanks. It was an absolute link missing the leading / so it went elsewhere.
Should point to
[http://neosmart.net/gallery/album/view/neosmart/EasyBCD/Easy...](http://neosmart.net/gallery/album/view/neosmart/EasyBCD/EasyBCD+2.0/)
now!

------
nhebb
C|Net / download.com has been doing this a while. They're even doing it to
companies that _pay_ to have their product(s) promoted on download.com. From
what I understand, a C&D isn't necessary. If you email cnet-
installer@cbsinteractive.com, they will remove the wrapper from your
application.

BTW, here's a discussion about this from ~three months ago:

<http://news.ycombinator.com/item?id=2910554>

------
tux1968
This is one upside to using trusted repositories with signed applications in
the Linux Distribution model. It's not perfect but at least this kind of
sadness doesn't happen. There's no good reason this couldn't be done for
Windows as well; it's just that users are conditioned to download from
assorted random sites to collect the apps they want.

Would be a good community project which would likely attract the kinds of
people who use nmap anyway.

~~~
3pt14159
Yes, I do have one word of caution though:

I downloaded VLC to my netbook through apt-get and ran it from the terminal.
When run from the terminal it was outputting errors like the below (not actual
domains):

        cannot reach 442g.com => skipping...
        cannot reach muzak.com => skipping...
        cannot reach 3g3.com => skipping...
        cannot reach gewedw.com => skipping...
        cannot reach ewfr.com => skipping...

I've always wondered _why_ but never really looked into it.

~~~
Nick_C
Perhaps it is looking for details of your music/CD/DVD. There is an option for
it to automatically fetch such details as a list of tracks, artist, etc., to
display.

------
marshray
I remember the first time I found Sun bundling the Yahoo! toolbar along with
the Java runtime.

I knew at that moment that Sun had lost its self respect and had no credible
strategy for Java. I immediately went back to developing C++ for MS Windows
and Perl for Linux.

~~~
Deestan
> I remember the first time I found Sun bundling the Yahoo! toolbar along with
> the Java runtime.

Rest assured that they have now ceased this insane practice.

Now the JRE installer force-installs the Ask Toolbar instead.

------
rmason
There's often a huge divide between business people and consumers on what is
fair.

[http://www.nytimes.com/2011/11/20/business/when-business-can...](http://www.nytimes.com/2011/11/20/business/when-business-cant-foresee-consumer-outrage-economic-view.html)

That's why companies trying to increase revenues are continually blindsided
when their actions outrage people.

------
d_r
This, and preinstalled "crapware" on newly bought computers/phones, happens
because vendors have no incentive _not_ to do it, except perhaps out of the
goodness of their heart. Yes, it disgusts me too, but moral issues aside:

(a) Vendors are looking to make money (simply speaking) and bundling crapware
is a low-hanging fruit to do so. They have a choice between making $X per
customer and $X+30 cents. Which choice should they pick?

(b) Users are not savvy or discerning enough to notice that they are getting
the said crapware. We, techies, care. Do mainstream users care? They buy a new
computer (or download an app), and they get the computer or the app, as far as
they are concerned. How can grandma know that the "monthly anti-virus
subscription" popup is "unwanted"?

People will buy/download from $VENDOR _with or without_ crapware. Companies
want to make more money and they have no reason to be "good." They gain more
than they can lose. Until these variables change (say, if users revolt, or
class action suits arise, or $CONGRESS_PERSON complains, or advertising
revenue somehow diminishes, etc.), this will sadly keep on happening.

~~~
DanBC
See also Sony offering to sell Vaios without the bundled junk for an extra
$50.

([http://www.pcworld.com/article/143677/sony_removes_bloatware...](http://www.pcworld.com/article/143677/sony_removes_bloatwarefor_a_fee.html))

------
resnamen
What an egregious abuse of user trust. I hope this destroys their brand
forever.

~~~
PakG1
Until this story hits mainstream, there's no hope of that happening. Even if
it does hit mainstream, you need a bunch of talking heads that are able to
explain to luddites what the implications are.

~~~
VMG
One can hope it destroys the brand for power-users. It's been a while since
I've been using Windows, but in the past I've trusted download.com when I
needed some piece of freeware. I'll be more careful now.

What about all the open source projects hosted there? A quick search shows
that they offer VLC and Firefox - are they clean?

~~~
icebraining
The guy in the Nmap mailing list says

        I've just discovered that C|Net's Download.Com site has started
        wrapping their Nmap downloads (as well as other free software
        like VLC)

------
asadotzler
This is disgusting behavior from what could be considered the first "app
store". What a shame.

~~~
marshray
And to think that Microsoft is paying them for it.

O how the mighty have fallen.

~~~
taylorbuley
Worth noting that CNet is under new owners (CBS Interactive).

~~~
peterwwillis
Worth noting that if enough bad PR gets into the lamestream media about this
it could be a death knell. CBSi doesn't exactly monetize well, and CNet has
always bled money.

------
davidmurphy
Way to destroy one of the remaining strong brands from the (relatively) early
days of the web, CBS. (CBS owns CNET.)

Hope it was worth it.

~~~
peterwwillis
Not that I want to defend CBS, but CNet pretty much runs itself, and had run
itself into the ground way before CBS "saved" it.

------
jeffh
This happened to software from my company (ActiveState), and we made a request
to remove the extra wrapper bits (very much not the user experience we
wanted), and CNet complied. Someone just has to ask. [edit: of course, we did
also find out _after_ the fact, which we didn't appreciate. We would have
pulled our various bits, had they not complied ... but they did]

~~~
Joakal
Their reputation is already tainted. Especially since your company is finding
out after the fact.

What stops them from doing it again a month later?

------
feir
Off the topic here, are there still many people who download software programs
from download sites, like download.com, brothersoft.com or softpedia?

~~~
dangrossman
Yes. Download.com is the 173rd highest traffic site in the world. They're
probably pushing over 100-200k downloads a month at least. Nothing compared to
the Apple or Android app stores, but still a significant number.

~~~
peteforde
I'm guesstimating that you're off by an order of magnitude.

According to Alexa, somewhere between 0.6% and 0.8% of the entire web goes
there every day.

~~~
jiggy2011
Download.com users are probably over-represented on Alexa simply because of
all the tracking crapware they have installed.

------
orijing
I'm confused. Did Microsoft make a deal with Cnet to include this on every
download, or did a third party do this? StartNow (startnow.com) is run by an
independent company:

"The StartNow Start page is owned and operated by Zugo Ltd, a start page
platform company. Our start pages are usually officially operated on behalf of
one of our clients or partners. Some pages may be "unofficial" and in support
of/dedicated to improving the user experience for an existing product or
extending a product's existing functionality."

This sounds like really bad PR for Microsoft. I wonder what they will do.

~~~
rplnt
Microsoft, as well as Google, pays for searches you bring to them. That's why
many free applications offer you a toolbar and/or default search. They make
money out of it. Similarly, browsers (Opera, Firefox, ...) make money out of it
as well. So there's probably nothing wrong here done by Microsoft. It's CNET
that is abusing this.

------
InclinedPlane
There's something gone very wrong with download sites in the last few years.
Aside from this nonsense I've noticed a predominance of very misleading
advertisements on download sites (attempting to misdirect you into thinking an
ad is your download link). The site owners _have_ to know about this but it
seems they don't care enough to do anything about it.

Given the cheapness of s3 storage and such-like I'd say it's smart to avoid
hosting on download sites in general.

------
titel
I'm not saying this is right or wrong... but there is something worth pointing
out.

Technically speaking, Download.com is not modifying the original EXE file as
some people alleged but using a 'download manager' to intermediate the
download of the file.

The bundled 'malware' comes inside this intermediary application and does not
touch the original installer other than downloading it to the disk.

------
jiggy2011
This seems to be a phenomenon unique to Windows and growing.

No wonder everybody complains about Windows being slow and full of popups and
spam, almost everything you try and install on it seems to want to also
install some free trial/browser toolbar/sign up for some online service etc.

~~~
RexRollman
I've had good experiences with Windows, but then again, I have some idea of
what to do and not to do. (Of course, some of the rampant problems are
Microsoft's fault, such as having everyone run as an administrator in XP.)

------
rmc
Surely this is a case for a DMCA take down notice? If they are distributing
the copyrighted software outside the terms of the licence, then they are
violating copyright and the DMCA can come into play?

~~~
icebraining
Yes, of course, that's exactly what the takedown notice is for. But only a
copyright holder can send it (or someone legally allowed to act on their
behalf).

------
mahmud
People who have Symantec anti-virus will already have this flagged. No, not
the malware but nmap itself!

Many anti-virus software packages flag nmap, netcat & other network utilities
as malware.

Thankful for apt-get install beauty.

------
monkeypizza
That is a nicely written & researched complaint. I hope he finds someone to
actually sue c|net for this, and not just make them stop doing it for this
particular product only.

------
bigethan
I work for CBSi and just got this response from the download.com team:

"We remove the installer from pretty much all publishers who request it
removed, and the wrapping of nmap was an error. Fyodor has been contacted and
had the issue explained. The Download.com Installer has been removed from the
product, and we shouldn't be wrapping open-source software. It was a mistake
and when Fyodor contacted us, we fixed it."

------
rlpb
This should be sufficient cause for all web filters and security software to
block access to CNET due to the malware. But will it actually happen, or are
they treated with a special standard?

~~~
thenextcorner
As the "malware" is only downloaded after you installed a download manager, I
doubt the Cnet website will get marked as the distributor.

I believe it goes like this:

- User clicks on link to download software
- User is being asked to install Cnet download manager
- Download manager downloads more software, including the crapware

Because the actual download does not happen on the Cnet site, it does not get
marked as a distributor.

I can be wrong though, this is just my hypothesis of what is happening.

~~~
marshray
I clicked the 'Download' link for my application and I received an exe for
something else with my application name in the file name. So if a user asks to
download my application they receive a confusingly-similar one instead and
have no choice but to run it to find out what it does.

This is indistinguishable from malware.
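
One defender-side check that covers both the flow described by thenextcorner and the "confusingly similar exe" case above: verify what the portal handed back against the digest the publisher itself publishes, so a downloader stub named after the app is rejected before anyone runs it. This is an added example, not code from the thread or from Nmap; the sample bytes and the published digest are constructed here.

```python
import hashlib
import hmac

# Constructed sample inputs (not real files): the installer the publisher
# actually ships, and the downloader stub a wrapping portal hands back under
# a similar-looking filename.
GENUINE_INSTALLER = b"MZ" + b"\x90" * 64 + b"constructed genuine installer body"
WRAPPER_STUB = b"MZ" + b"\x90" * 64 + b"constructed download-manager stub"

# Assumed: the publisher posts this digest on its own site (over HTTPS or in a
# signed release note), independent of the download portal.
PUBLISHED_SHA256 = hashlib.sha256(GENUINE_INSTALLER).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(filename: str, data: bytes, app_name: str,
                    published_sha256: str) -> tuple:
    """Return (ok, reason) for a file fetched from a third-party portal.

    A mismatch on a file whose name advertises the app is the signature of
    the wrapper case: the name says "nmap", the bytes are something else.
    """
    actual = sha256_hex(data)
    if hmac.compare_digest(actual, published_sha256):
        return True, "matches publisher digest"
    if app_name.lower() in filename.lower():
        return False, ("filename advertises %s but content does not match the "
                       "publisher digest; likely a wrapper/downloader stub"
                       % app_name)
    return False, "digest mismatch"


if __name__ == "__main__":
    for name, blob in (("nmap-setup.exe", GENUINE_INSTALLER),
                       ("nmap-setup.exe", WRAPPER_STUB)):
        ok, why = verify_download(name, blob, "nmap", PUBLISHED_SHA256)
        print(name, "OK" if ok else "REJECT", "-", why)
```

The digest must come from the publisher's own channel; a checksum shown on the same portal page that serves the wrapper proves nothing.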

------
RexRollman
This is why, generally speaking, you want to get software directly from the
developers.

------
hmart
This top download site in Spanish also uses this scheme:
<http://nmap.softonic.com/descargar>

------
laconian
CNet's reviews are also worthless. So little content, so many skeletal SEO
keyword pages.
