
Sourceforge Hijacks the Nmap Sourceforge Account - netw0rksec
http://seclists.org/nmap-dev/2015/q2/194
======
ghshephard
This is the sort of behavior you get from a company that's lost, and is now
trying to extract every penny they can from whatever shenanigans they can get
away with.

If they have no future brand value to be concerned about, then, from a
game-theoretic approach, it's actually a pretty rational profit seeking move.
(As long as they don't incur any downstream liabilities from outright illegal
activity for which they might be fined, or successfully sued - if there is any
entity left to sue)

Of course, the game-theoretic response from the entire internet community is
to make sure they never, ever, for any reasons whatsoever, ever click on a
link that starts with "sourceforge.net"

~~~
mapt
Has Archiveteam, Internet Archive or anyone else taken a shot at mirroring
Sourceforge, including binaries? Since its founding there have been a _hell_
of a lot of small projects hosted there whose sites have gone down since.
430,000 projects have been hosted on SourceForge at some point. At least a few
tens of thousands of them represent the only remaining copy of a program
needed to read a certain sort of data. Maintaining that capability in the face
of a company circling the drain represents an _extreme_ historical utility.

Even if you now need a VM to handle the crapware, that's better than losing
the apps entirely. If somebody maintained a time-diffed mirror of SourceForge,
they could pinpoint the last version before the bundling event occurred in an
automated fashion, as well.

EDIT: It seems there's a project to begin this -
[http://archiveteam.org/index.php?title=SourceForge](http://archiveteam.org/index.php?title=SourceForge)
and an IRC channel, EFNet #coldstorage

~~~
TazeTSchnitzel
Archiving SourceForge is indeed important. Just recently I needed it to hook
up a printer:
[http://sourceforge.net/projects/gimp-print/files/usbtb%20-%2...](http://sourceforge.net/projects/gimp-print/files/usbtb%20-%20Mac%20OS%20X%20ONLY%20usb/)

------
luso_brazilian
Just submitted the story to Slashdot [1].

Sharing the same owner as Sourceforge let's see if it gets "buried" [2] (or
"late released due to an editor vacation" [3] as it was their explanation) or
if they publish it in a timely manner and within the spirit of the submission.

[1] [http://slashdot.org/submission/4487045/sourceforge-hijacks-t...](http://slashdot.org/submission/4487045/sourceforge-hijacks-the-nmap-sourceforge-account)

[2] [http://www.reddit.com/r/linux/comments/381q6r/slashdot_buryi...](http://www.reddit.com/r/linux/comments/381q6r/slashdot_burying_stories_about_slashdotmedia/)

[3] [http://tech.slashdot.org/story/15/06/01/1241231/sourceforge-...](http://tech.slashdot.org/story/15/06/01/1241231/sourceforge-and-gimp-updated)

~~~
vermooten
This is all such a shame. GitHub is to Sourceforge what HN is to Slashdot.

~~~
spacemanmatt
That is unfair to GitHub.

------
chinathrow
If your old account is listed here, you're getting fuxxored:

[http://sourceforge.net/u/sf-editor1/profile/](http://sourceforge.net/u/sf-editor1/profile/)

[http://sourceforge.net/u/sf-editor2/profile/](http://sourceforge.net/u/sf-editor2/profile/)

[http://sourceforge.net/u/sf-editor3/profile/](http://sourceforge.net/u/sf-editor3/profile/)

Edit: added
[http://sourceforge.net/u/sf-editor/profile/](http://sourceforge.net/u/sf-editor/profile/)
which includes MySQL and a few other high profile projects.

~~~
simias
I didn't know they did this at this scale. I'm surprised by all the big names
in the projects they've hijacked: I see apache, drupal, firefox,
libreoffice, mysql, postgresql, redmine, sqlite, thunderbird, vlc, virtualbox
and many, many others.

They're really going all in with that.

~~~
bad_user
From what I remember, even though Firefox is open-source, you can't use the
Firefox name on distributing it without getting approval from Mozilla. This is
why Debian went at some point with the Iceweasel name. So Mozilla controls
what gets distributed with the Firefox name and they could sue for trademark
violations if they want to.

IMHO, all open-source projects should protect their name. For example last
time I tried, VLC for iOS was banned from the iTunes Store, yet there were
dozens of obscure apps using VLC's name or logo on iTunes Store (this was
happening in January). Especially given that there is such a thing as an
unregistered trademark, that is valid through usage. Even if you fork it, then
authors should have the courtesy to use a different name.

~~~
robin_reala
(VLC is back:
[https://itunes.apple.com/us/app/vlc-for-ios/id650377962](https://itunes.apple.com/us/app/vlc-for-ios/id650377962))

------
dm2
SourceForge was sold in 2012 to a conglomerate company named "DHI GROUP INC"
or "Dice Holdings Inc" that owns the following companies:

      Dice
      Open Web
      The IT Job Board
      ClearanceJobs
      eFinancialCareers
      Rigzone
      HEALTHeCAREERS
      BioSpace
      Hcareers
      SourceForge
      Slashdot
      WorkDigital

~~~
Bill_Dimm
I remember thinking "I guess they want to get more of the tech community's
mindshare to promote their job board" when Dice bought Slashdot. With the way
they've alienated the tech community by trashing Slashdot and SourceForge, I
wonder how many tech people will use their job board now.

~~~
dm2
One problem is that people looking for jobs are usually inexperienced with it,
so there is constantly an unusually large supply of "fresh meat".

There should be more regulation on the jobs market. It's a data-mining
goldmine and fake job postings aren't illegal as far as I'm aware of.

------
mattmanser
If you didn't know sourceforge have back-pedalled 2 days ago and said they'll
stop bundling the crapware in the mirrored projects:

[http://sourceforge.net/blog/third-party-offers-will-be-prese...](http://sourceforge.net/blog/third-party-offers-will-be-presented-with-opt-in-projects-only/)

The author, and a lot of the commentators here, don't seem to have seen that
announcement.

~~~
embik
We saw it, but why does it matter? They also claimed to never add adware
without consent before. Even considering to bundle up malware with FOSS
projects is offensive to me. They lost my trust and a simple blog post won't
win it back.

The policy of taking over "abandoned" projects is super shady as well. That's
what this mailing list post is about, isn't it?

~~~
mattmanser
Not "we" as the author of the post doesn't know about this announcement from
sourceforge, as they say:

 _we haven't caught them trojaning Nmap the way they did with GIMP_

So stop trying to speak for 100s of thousands of people at once.

~~~
embik
This very mail also says

 _PPS: Sourceforge now claims they will stop trojaning software without the
developer's permission, but they've broken that exact promise before._

He _does_ know about the announcement, but he does not trust them anymore.
That's fully understandable. Fool me twice, etc.

Additionally, _you_ addressed people posting in this thread. The Sourceforge
announcement was all over HN and reddit and a lot of people following the
whole issue knew about it. It's simply not enough to win back users' trust.
But I already addressed that - yet you chose to criticize my way of wording,
not the very content.

------
etix
The VLC account has also been hijacked but without wrapping the installer:
[https://blog.l0cal.com/2015/06/02/what-happened-to-sourcefor...](https://blog.l0cal.com/2015/06/02/what-happened-to-sourceforge/)

------
spacefight
One should sue for trademark violation. I'll chip in if anyone is fundraising.

~~~
bigiain
I suspect pointing Oracle's lawyers at their MySQL account that sf-editor
"owns" might be worth more than collecting donations...

------
maxst
What about all the other websites?

[http://filehippo.com/download_nmap](http://filehippo.com/download_nmap)

[http://www.softpedia.com/get/Network-Tools/Misc-Networking-T...](http://www.softpedia.com/get/Network-Tools/Misc-Networking-Tools/Nmap.shtml)

[http://www.majorgeeks.com/files/details/nmap_security_scanne...](http://www.majorgeeks.com/files/details/nmap_security_scanner.html)

[http://www.chip.de/downloads/Nmap_13013407.html](http://www.chip.de/downloads/Nmap_13013407.html)

~~~
mintplant
It feels a bit different here, at least to me. Nmap _had_ a Sourceforge
account, but now it's been taken away from them -- "hijacked", as the post
describes it. And Sourceforge at least used to be a reputable site and has
(had?) some lingering aura of trust around it.

~~~
maxst
They had this "You Can Take Over Abandoned Projects" policy for years:

[https://sourceforge.net/p/forge/documentation/Abandoned%20Pr...](https://sourceforge.net/p/forge/documentation/Abandoned%20Projects/)

I took over APNG project in 2011, nice short name, it was really abandoned,
and I don't feel bad about it:

[https://sourceforge.net/projects/apng/](https://sourceforge.net/projects/apng/)

~~~
mintplant
Sure, but this is Sourceforge itself doing the taking over, and they're
offering the same downloads (plus their wrappers and what-not) rather than
reusing the name for a different project.

------
ExpiredLink
>> _SourceForge.net is owned and operated by Slashdot Media. Slashdot Media is
a DHI Group, Inc. company._

~~~
xavel
That explains why these kind of news have been entirely absent from slashdot
(with the exception of that _one_ heavily castrated entry).

------
jdiez17
Good job, Sourceforge.

      echo "127.0.0.1 sourceforge.net" >> /etc/hosts

------
heyalexej
I just scraped Google for the indexed mirrors.

      site:sourceforge.net/projects/ inurl:mirror -inurl:files -inurl:reviews -inurl:compare -inurl:support

Gave me these[0] 253 indexed projects. Would be interesting to crawl the
entire website to see if there's more.

[0] [http://git.io/vkb3N](http://git.io/vkb3N)

------
neslinesli93
In spite of account hijacking, GIMP was still downloaded by almost 15k people
this week. Six days ago they took over Audacity project as well, which was
downloaded by more than 150k this week[0].

[0]
[http://sourceforge.net/projects/audacity/](http://sourceforge.net/projects/audacity/)

~~~
omegafail
What will happen if I run Audacity installer from sourceforge?

I have done that an hour ago. Should I be concerned?

~~~
Qantourisc
Well assume you now have some malware/spyware/adware on your pc now, and
assume you need to clean it off. Or check the hash of the installer with some
reference bin from a trusted source.

~~~
omegafail
The hash matched the official installer. I doubt they are crazy enough to
deliberately hide malware without prompting.

------
LunaSea
Hijacking the account of one of the security community's most loved and used
tool. Yeah ... that seems to be a smart idea.

~~~
mauricemir
Yep how to fuckoff both the Black, Grey and White Hat communities.

~~~
bigiain
I wonder how many copies of nmap are running against Sourceforge's servers
right now?

------
vaceletm
The only viable long term way for any open source project is to selfhost[1]

[1] [https://www.enalean.com/en/Open-source-community-host-yourse...](https://www.enalean.com/en/Open-source-community-host-yourself)

~~~
ohitsdom
A site like Github that hosts open source projects brings a lot of value to
the community. Great search, and the same UI when going from project to
project. This would be much more cumbersome and time consuming if every
project was on a different site with a different interface.

Also, many open source projects don't have the money to afford bandwidth costs
of providing large software downloads.

~~~
vaceletm
I'm not saying GitHub doesn't help. SourceForge did help at time. But if you
value your freedom, you need to understand that, if you don't have the keys of
your infrastructure, you are locked to the good will of the provider (and its
stakeholders).

I don't buy the money argument. If you have the chance to be a successful
enough open source project, you will find hosting companies ready to help you
with free VMs.

If you are not that successful, you can use github & co without fear, nobody
will try to insert crapware in your packages. And if you want to selfhost,
even a raspberry pi will have enough power to serve your site.

------
heavenlyhash
This is incredible.

We need end to end security without this https insanity as a bandage more than
ever. Ubiquitous signing and audit logs more than ever. Tools that, for normal
end users, refuse to work if integrity is broken. What sourceforge is doing
should be universally seen as damage and systematized intolerance should make
the attempt pancake so hard and so fast that nobody ever even tries it.

It's excellent that the nmap people distribute gpg sigs. Now we need to
socialize the fact that "https does not mean I'm getting what I wanted from
the original authors", and start building (yes, we need to get past the
[http://www.thoughtcrime.org/blog/gpg-and-me/](http://www.thoughtcrime.org/blog/gpg-and-me/)
problems) and using tools that do better.

------
nadams
I think this is the time to remind people some projects (ie filezilla) are
willingly distributing the malware with their projects. The developers'
reaction is basically "there is nothing wrong with it"[1].

I feel like there is a niche service to provide installers that have been
decrapified. I'm not talking about ninite (which is private/commercial) but an
open source repository of installers that you can "apt-get" for Windows. I
know people have tried that in the past - but the problem is that the builds
that are posted manually go out of date pretty quickly so I think this process
would have to be automated.

[1] [https://forum.filezilla-project.org/viewtopic.php?t=31127](https://forum.filezilla-project.org/viewtopic.php?t=31127)

------
aswanson
Yeah, sad that I at one point thought they were trustworthy. Hell, at one
point I thought CNET was safe...until I downloaded and installed a
"BestMp4ToMp3 converter" from there that infected the corporate network.
Scumbag city, those sites. That's a major reason I support FOSS like VLC
financially.

~~~
gnoway
"BestMp4ToMp3 converter" didn't give it away?

~~~
aswanson
Right. Hopefully momentary iq lapse. :)

------
rip747
What I don't understand about any of this is why anyone wouldn't just either
move their project to Github or self host. Why would you even still have your
project hosted on SourceForge?

I understand the author's grief and anger. I feel bad for them really as this
will hurt the NMap brand, but come on, avoid the whole situation and just
remove the project from SourceForge completely.

~~~
maxst
>What I don't understand about any of this is why anyone wouldn't just either
move their project to Github or self host.

Personally, I like their download stats:

[https://sourceforge.net/projects/apng/files/libpng/stats/tim...](https://sourceforge.net/projects/apng/files/libpng/stats/timeline)

But generally, why would I move if I never had problems with the service?

~~~
jackmaney
Because perhaps--just fucking perhaps--you don't want malware injected into
any of your projects when they're downloaded?

~~~
maxst
I keep complete control over my projects, and I'll make sure it won't happen.

~~~
jackmaney
> I keep complete control over my projects

Until they take that control from you.

> I'll make sure it won't happen

 _How_?

~~~
maxst
> Until they take that control from you.

They won't because I'm not abandoning my projects.

People who complain have one thing in common - they abandoned their projects
on SF. It's kinda like letting the domain name expire and then complaining
that somebody took over. Always keep an eye on your hosting and your domain
names, folks.

~~~
jackmaney
> They won't because I'm not abandoning my projects.

What makes you think that will make a difference? They'll hijack whatever they
want that's hosted on their servers whenever they want to hijack it.

~~~
maxst
Devs who never abandoned their projects are doing fine. Not one of them
complained about "hostile takeover".

~~~
jackmaney
And what makes you think that this couldn't change at literally any time?

------
davb
Should Sourceforge perhaps be added to Google's Safe Browsing blacklist?

------
nononononono
So what decent release tarball storage services are there today if github's
autogenerated release tarballs don't do it for you?

~~~
ghshephard
Given that a VPS like Digital Ocean will give you 1 Terabyte/month for
$5/month, isn't it straightforward to host your own tarball now?

I see the nmap tarball is 20 Megabytes = 50,000 downloads.

The cost of hosting should be easily covered by your user base.

~~~
corobo
The problem isn't really in the overall bandwidth usage though, it's the
concurrency.

Would the $5/month droplet stand up to a surge of people coming in for a
latest release, or a bit of press coverage? Would there be enough bandwidth
that everyone gets the file fast or would they all slow to a crawl?

~~~
leojfc
What about providing a BitTorrent link? The main server could provide a
backstop seed, and presumably enough other people would seed too for any
decent-sized project.

~~~
swhipple
P2P downloads would help cover some of the costs, but popular projects
probably need a direct download link with load balancing as well.

If the project doesn't want to manage their own infrastructure, they're
probably going to want a CDN or object storage provider. The most
cost-friendly I've seen is OVH's RunAbove object storage, but I'd be
interested to know if there is anything else comparable.

------
DanBC
I'm surprised the nmap.mirror site doesn't have hundreds of reviews telling
people to not use it, and pointing them to the official site.

I'd be interested to see how sourceforge respond to DMCA requests.

~~~
DanBC
MOZILLA:
[http://sourceforge.net/projects/firefox](http://sourceforge.net/projects/firefox)
points to "personal builds of Firefox";
[http://sourceforge.net/projects/firefox.mirror/](http://sourceforge.net/projects/firefox.mirror/)
seems to describe legit Firefox. I haven't tried to download it to see what I
get.

FEDORA:
[http://sourceforge.net/projects/fedora/](http://sourceforge.net/projects/fedora/)
points to some random software.
[http://sourceforge.net/projects/fedora.mirror](http://sourceforge.net/projects/fedora.mirror)
describes Fedora the OS.

Not only scummy, but semi-competent too.

~~~
embik
278 downloads for Fedora 17 32bit this week? Those poor souls trying to get
into Linux ...

------
mc808
If I submit my resume to Dice.com, I fully expect them to mail me a baggie of
white powder and a coupon for 25% off anthrax vaccines.

------
hinkley
Is it time to start publicly shaming their mirror partners?

I think it's pretty clear that DHI has no shame, but what about the mirrors?

------
vortico
How to literally kill your company:

1. this

~~~
dagw
The company is already dead. This is simply looting the corps.

~~~
grkvlt
Nice, hopefully intentional, typo ;)

However, are SF really making money from these mirrors? As I understand it
from other comments here, you can still download the tarballs, and they seem
more 'official' than the non mirror-suffixed accounts? When does mirroring
become bad practice, what is the line you need to cross?

------
DigitalSea
Sourceforge needs to call it a day. Its day of relevancy is over, once upon a
time it filled a need but we have Github, Bitbucket and much better choices
now. What we are seeing is a site that is lost and will never be able to earn
back the respect that it once had.

~~~
dspillett
_> Sourceforge needs to call it a day_

The world is calling it a day on Sourceforge - they are just hanging around to
milk what they can out of past glories.

Of course they can't just turn off anyway: there would be outcry from people
because their currently idle project that hasn't moved to being hosted
elsewhere suddenly became unavailable.

------
the_why_of_y
This bit is inaccurate:

"Of course this goes directly against Sourceforge CEO Michael Schumacher's
promise less than two years ago:"

Michael Schumacher is not SourceForge's CEO, but a GIMP developer. The article
quoted in the mail was written by Roberto Galoppini.

------
jakejake
This is not hijacking at all. They created a new account, the old one remains
blank as the author says. Sure it's morally questionable and leads to having a
very bad reputation. But it's not hijacking. GPL code can be forked, mirrored,
bundled and distributed. As long as the terms of GPL are obeyed there's
nothing technically wrong with what SF is doing.

Of course they've completely blown all trust and squandered their reputation.

~~~
Kim_Bruning
They may well be GPL2/3 section 2a/5a (prominent notice that they have
modified the program... in this case the installer), and likely 2b/5b,c also
(are they also providing the source code for the crapware?). If these are
found not to apply (because the court finds it to be mere aggregation) we may
need a minor GPL update :-)

Alternately one could look into trademark law, perhaps?

------
smegel
Sourceforge is now on my personal blocklist for Google search results. Along
with expertsexchange which I added years ago, and Quora which may surprise
some.

~~~
danieltillett
What is wrong with Quora? You may not like their business model, but I don't
think they are doing anything terrible like source forge.

~~~
smegel
Unless it changed recently, but I used to click there through Google search
results and still get some blurred out page, or only one answer, or a timeout
that tried to make me register.

And quite frankly, I prefer the rather diverse universe of stackexchange
sites.

~~~
omegafail
I wouldn't mind hitting Quora through Google on occasion, but sometimes they
actually have just a stub page, where the question isn't answered at all, so
it shouldn't rank so high.

------
Poiesis
I might be asking too late, but what's stopping someone from:

1. Identifying hijacked accounts
2. Forking to GitHub
3. Waiting for the inevitable ranking change
4. Handing over the project to the owner when/if they are identified.

I realize there's a good deal of handwaving here--particularly at 3 and
especially 4. But, is this a bad idea? Seems like 4 can be replaced simply by
the owner reforking, too.

------
mpdehaan2
The original nmap page in the article is back live now.

As much as I hate malware, can we confirm it was sourceforge that got rid of
the old page? Maybe someone set up the mirror after a data problem or error
rendered the old page blank and just wanted to get it up, or that person was
nefarious? (Occasionally people can be "too helpful" on community sites by
registering other people's projects).

I guess the question is really who owns sf-editor1/2/3/4.

The reason being I can't see a lot of bonus for someone doing it this way. I'd
just put adware in the margins. The site looks sketchy anyway these days so
it's not doing them a lot of good...

------
Puts
Maybe we should all learn something from this and also the thing about
RadioShack selling of all their customer data. What will Google do when it
gets shaky?

------
userbinator
A reminder that this is just one of the consequences of open-source, free (as
in libre) license software: It wouldn't be truly free otherwise.

I'm not saying I condone Sourceforge's actions, and this does deserve to be
known widely, but what one person would consider privacy-invading malware
could be another person's "helpful offers assistant" (or whatever)...

------
paromi
Average pay per install rates are around 0.2 - 0.5 $ per install. I won't be
surprised if they make 10k-20k + / day

------
alfiedotwtf
> If you don't trust SSL by itself (and we don't blame you), you can also
> check the GPG signatures:
> [https://nmap.org/book/install.html#inst-integrity](https://nmap.org/book/install.html#inst-integrity)

Ironically linking to a page served via SSL

~~~
jessaustin
_Ironically..._

Not really. It's just a quick guide to using _gpg_ to verify a software
distribution. Many people already know how to do this, or you could look at
the manpage if you prefer.

------
arc_of_descent
I just wish they'd give up their domain name to someone worthy. Source Forge.
Conjures up Gandalf for me.

------
aaron695
I went to GIMP to get the latest version for Windows (Mine was 2+ years old)

Strange, it seems newer but the Windows version was the same as mine.

Google what up, randomly saw the Sourceforge controversy for GIMP in the news.

Went straight to SourceForge and got my update. Because they could be
bothered.

If you want Sourceforge to be evil, get your shit together GIMP. (Windows
users are people too, plus appreciate all the work, but it'd be nice if you
remembered us)

PS And remember that if you're GPL or whatever then don't complain when
someone follows the rules but doesn't do what you want. Is it GPL or not?

You can't say you're anti censorship, as long as it's what you want. You can't
say you're GPL as long as it's what you want.

People are free to add malware to the product. Account hijacking not so much.

~~~
TazeTSchnitzel
If I go to GIMP.org and click Downloads, I see this:

[http://www.gimp.org/downloads/](http://www.gimp.org/downloads/)

> GIMP for Windows

> Via HTTP (.exe)

> Download GIMP 2.8.14

If I go to SourceForge.org (clicking first SF link on Google for "GIMP
download"), I see this:

[http://sourceforge.net/projects/gimp-win/](http://sourceforge.net/projects/gimp-win/)

> Download

> gimp-2.8.6-setup.exe

> Browse All Files

SourceForge has 2.8.6, GIMP.org has 2.8.14.

SourceForge has an _older_ version. Where the hell did you go to?

(In fairness, SourceForge also has 2.8.14, but you have to go look at the file
list rather than clicking the big green button. OTOH, GIMP.org's big button
goes straight to the latest version.)

------
jaboutboul
Sourceforge is looking more like a goner every day.

It's time for github to step up and start offering projects download hosting
and the whole slew of other things that sourceforge gives a project.

~~~
FreakyT
Github does have download hosting, though. Their "releases" feature has worked
fine for my projects, at least:

[https://github.com/blog/1547-release-your-software](https://github.com/blog/1547-release-your-software)

------
moe
For me the real question would be, why was/is anyone still using sourceforge?
Inertia?

I hope everybody still hosting there will take this reminder to finally move
their stuff to a different host.

~~~
abstractbeliefs
For many there are many projects that were hosted here before dying, and
because of that, SF is both the official place to download and also SF sees it
as fair game to take over and wrap with malware.

------
jshb
Why would they care about something that had 150 downloads since 2014? Seems
like it may just have expired due to inactivity on the account.

~~~
dspillett
Hoovering up the inactive accounts is probably an automated process. There
would be little point putting in extra code to exclude less trafficked areas.

------
RattCatcher
You deserve all the ads and then some. Bunch of freeloaders...

------
mverwijs
The BOFH in me is more upset with the software projects that abandoned those
accounts without properly closing them.

~~~
dagw
The problem is that it is basically impossible to completely close and remove
a software project from Sourceforge. The best you can do is tag it as
"inactive" or "relocated" and provide a link to the new site, but the project
site will still exist.

~~~
maxst
Let's say it becomes possible. Then what? If your project is popular, it would
be on softpedia, filehippo, majorgeeks and many other "free software"
aggregators. If your project license allows others to distribute your
software, you can't stop them.

