
Don't download software from SourceForge if you can help it - ub
http://www.howtogeek.com/218764/warning-don%E2%80%99t-download-software-from-sourceforge-if-you-can-help-it/
======
gamache
_In our testing, we’ve found that SourceForge’s downloader behaves more nicely
in a virtual machine. If you want to see what it actually does, be sure to
test it in a real Windows system on a physical machine, not a virtual
machine._

 _This is the same sort of behavior that malicious applications are
increasingly using to avoid detection and analysis._

Very interesting! I'd be interested to hear the corporate-speak rationale for
this. Kind of interested, anyway.

~~~
throwaway498982
This is unbelievably malicious! In our earlier discussion there was some
discussion about the installer asking for permission to install crapware. In
fact, if you're going to do malware stuff like this, why even ask?

On a technical level - how come you can detect VMs? With something like BOCHS,
and if you lie about wall time inside your OS, can't it emulate a PC
perfectly? How does crapware know whether it's in a VM or not?

~~~
MiddleEndian
> in fact if you're going to do malware stuff like this, why even ask?

Just a guess, but probably plausible deniability reasons for when they're
inevitably brought to court.

~~~
throwaway498982
There is no plausible deniability if it does something different in a VM. That
takes active coding to set up; there is no reason anyone would ever have any
code that has this effect.

~~~
wernercd
There are PLENTY of reasons to code your application to act differently based
on environment... while many of them may be bad, not all of them are.

Some abuse this to make speed tools run faster, à la graphics card tests that
run faster when they detect NVidia/AMD... some abuse it to skirt protections in
VMs...

Do we need to ban torrents because a lot of torrents are illicit materials?
Ban bitcoins, because some people use it for drugs? Ban tor?

------
prajjwal
_" In truth, the man was an oathbreaker, a deserter from the Night’s Watch. No
man is more dangerous. The deserter knows his life is forfeit if he is taken,
so he will not flinch from any crime, no matter how vile."_

~ Ned Stark, A Game of Thrones.

I think that pathetic blog post where they tried to justify their actions made
one thing clear - SourceForge knows how dead they are. No amount of internet
outrage is going to help, they don't think they've got anything to lose at
this point.

The best thing to do at this point would be to speed up their demise. If
you're a developer that still hosts with them, delete your project and move to
Github or Bitbucket.

Also, start reporting these malicious pages to Google so they don't show up in
search results.
[https://www.google.com/safebrowsing/report_badware/](https://www.google.com/safebrowsing/report_badware/)

~~~
M2Ys4U
Also contact the people who provide mirroring services for them.

Take away their free bandwidth and they'll collapse even quicker.

~~~
ytdht
Perhaps someone should mirror SourceForge and rebuild binaries and take
SourceForge out of the equation?

------
bramgg
I wonder how many people outraged here know YC funded a company that bundles
malware with installers and continues to justify it publicly on HN.

~~~
withinrafael
InstallMonetizer?

~~~
bramgg
Yes

------
god_bless_texas
This makes me so mad and sad at the same time. For years, it would bring me
immense pleasure to just browse projects on sourceforge to see what the world
was up to. Now this is just another case of corporations ruining a good thing.
I'm glad there are links to Filezilla and Gimp - two products I use
frequently.

~~~
whoisthemachine
I kind of view it as a consequence of the market falling out from under their
feet - it's cheap enough to host your own files now, and with package managers
(even on Windows!) the power users that used to be the target audience of
SourceForge have been vanishing.

~~~
toyg
IMHO it's more a function of their inability to compete with Github and
Bitbucket. They were slow to react to the rise of distributed VCS, failed to
exploit their social network features, and probably had already accumulated
too much technical debt to effectively change course by the time overall
trends became clear. Once developers shifted, power users had to follow suit.

------
jimrandomh
> Click through to a project’s official website and you’ll find actual
> download links. For example, Audacity’s homepage redirects you to FOSSHUB to
> download Audacity, not SourceForge. But searching for “Audacity” on Google
> still brings up the SourceForge page as the top result.

This is an error on Google's part. For everyone's sake, they need to apply
some serious ranking penalties to malware distributing sites like SourceForge,
as well as click-through warnings that you are going to a site other than the
original authors'.

------
toyg
I've tweeted someone close to the Pywin32 project (hosted on SF) asking to
move it, but didn't get a reply. For long-established projects, it's not an
easy migration. Please keep prodding any critical project you know of.

~~~
WorldWideWayne
Some people just don't care or they're profiting from it like Tim Kosse of
Filezilla - [https://forum.filezilla-project.org/viewtopic.php?t=35221](https://forum.filezilla-project.org/viewtopic.php?t=35221)
and [https://forum.filezilla-project.org/viewtopic.php?t=30240](https://forum.filezilla-project.org/viewtopic.php?t=30240)

------
brokentone
At least for Mac, there is a TINY "direct download" link next to the SF
Installer button. Using this link will provide the non-junkware, original
install files.

------
khaki54
If you download from SourceForge, try unzipping the installer, which will
usually defeat the spyware installer that they have been bundling with it.

------
oblio
So sad. Especially for Windows tons of valuable stuff is there, especially
smaller utilities like DDMM and similar :(

------
zamalek
Just today I had to get Boost for the first time since the whole gimp-win
debacle - their tars and zips are hosted on SourceForge. Guess I'll be
building from Git until they fix it :/

~~~
userbinator
It's only .exe installers that are affected, and probably only ones that they
can easily wrap; I doubt they're actually modifying any source code.

------
icpmacdo
Can someone provide a link to FileZilla that's not through SourceForge? I just
posted an Ask HN about this.

~~~
andyjohnson0
Two trusted packages available at
[https://chocolatey.org/packages?q=filezilla](https://chocolatey.org/packages?q=filezilla)

Also available from [https://ninite.com/](https://ninite.com/)

~~~
b101010
Why are the packages from chocolatey trusted?

I am not familiar with chocolatey but the powershell script on
[https://chocolatey.org/packages/filezilla](https://chocolatey.org/packages/filezilla)
(click show files) contains the following

    $url = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win32-setup.exe/download"
    $url64bit = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win64-setup.exe/download"

So it's still fetching executables from sourceforge using plain http with no
checksums or signatures in sight. On the assumption that the executable does
include the sourceforge malware, the silent install argument ("/S") passed to
the executable by chocolatey seems to be the only reason it's not installed
along with filezilla.

Is there any reason to believe ninite does anything different?
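
The fetch step quoted above beside a hardened form of the same chocolateyInstall.ps1, as an added example rather than the package's actual script: the hardened form downloads over https and hands Install-ChocolateyPackage the SHA-256 of the installer that was reviewed, so a file that differs is rejected before it is run. The https URLs, the sample version and the hash placeholders are assumptions, not values from the package.

```powershell
$ErrorActionPreference = 'Stop'
$version = '3.11.0'   # constructed sample version, not a real pin

# --- Weak form (as quoted from the package page): plain http, no checksum,
#     only a silent switch, so whatever the server hands back gets executed ---
# $url      = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win32-setup.exe/download"
# $url64bit = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win64-setup.exe/download"
# Install-ChocolateyPackage 'filezilla' 'exe' '/S' $url $url64bit

# --- Hardened form ---
# 1. Fetch over https so the file cannot be swapped in transit (assumed URLs).
$url      = "https://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win32-setup.exe/download"
$url64bit = "https://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win64-setup.exe/download"

# 2. Pin the SHA-256 of the installer that was actually reviewed. These are
#    placeholders: replace them with the digest published by the project or
#    computed from a copy you verified yourself.
$checksum   = '<SHA256 OF REVIEWED 32-BIT INSTALLER>'
$checksum64 = '<SHA256 OF REVIEWED 64-BIT INSTALLER>'

$packageArgs = @{
  packageName    = 'filezilla'
  fileType       = 'exe'
  silentArgs     = '/S'
  url            = $url
  url64bit       = $url64bit
  checksum       = $checksum
  checksumType   = 'sha256'
  checksum64     = $checksum64
  checksumType64 = 'sha256'
}

# 3. With a checksum supplied, Install-ChocolateyPackage hashes the download
#    and aborts on a mismatch, so a wrapped or altered installer never executes.
Install-ChocolateyPackage @packageArgs
```

The pin only detects a file that differs from the one you reviewed, so compute it from a copy obtained from the project's own download location rather than from a SourceForge-wrapped installer.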

~~~
swies
We should play this up more on our site, but Ninite (I'm a co-founder and
we're YC W08) does this stuff right.

All our .exes are signed, app config information comes over https, and
downloads are all checked for hashes that match our testing before being
automated. We're not just naively adding silent switches either, we'll
automate clicks to get through less well-behaved installers when needed.

Why can you trust Ninite? Money. Thousands of businesses pay us for Ninite Pro
and the free version is our marketing department. We're extremely careful to
make sure our updates come out on time and junk free.

------
jarnix
I never use the "downloader", either from Akamai, Sourceforge, etc. I
downloaded a few programs recently on sourceforge and never had to use their
software.

------
lioeters
Just realized the double meaning of "forge" in SourceForge:

1) to form or make by concentrated effort

2) to imitate fraudulently; fabricate a forgery

They're certainly living up to definition #2..

------
Negative1
tldr; don't download from SourceForge it uses its own installer bundled with
garbage. Do download using ninite.com
([https://ninite.com/](https://ninite.com/)), the "only trusted" downloader
according to these guys.

------
dimino
This is why we need some kind of trade organization -- the developers who
wrote this stuff need to be kicked out, or disciplined in some way...

~~~
noarchy
There would have to be a lot of careful discussion about such an organization.
I would hate to see it end up being little more than a vector for rent-
seeking, and shutting people out of our industry for a host of arbitrary
reasons (immigrants, people with the "wrong" education, etc).

~~~
dimino
Yeah, I'm just saying that fields like engineering and law have recourse for
bad industry behavior. I wish software had the same or a similar path.

------
clean88clean88
Is BOTH Sourceforge and Github -other-verted or per-verted? or sub-verted? The
attack on the clean code-base continues.

Advice. Unix Linux - separate user. low privilege. configure, make, but make
install with ROOT PRIVILEGE. check files.

all source code should have search engine keywords for vulnerabilities, updates,
etc. for even BSD is somewhat broken, IMHO.

make it easier for the NOT C expert and ASM expert to install reasonably clean
software, PLEASE.

Thank U. Thank U. Thank U. ... 1000 times

------
clean88clean88
ARE BOTH Sourceforge and Github other-verted or perverted-like? What are the
alternatives?

Thank you. Thank you. the attack on code repo and the infiltration of the
clean database continues, perhaps.

