
Filezilla at SourceForge is malware - Sami_Lehtinen
http://sourceforge.net/projects/filezilla/reviews
======
Someone1234
Just want to be clear about something:

- This program (bundling) is opt in for the project (Filezilla) and
SourceForge ("the pimp") pays Filezilla ("the whore") for each download.

- This isn't recent. In fact it started well over a year ago and was well
publicized.

- Even a year ago it was all very malware-y.

- A lot of people were super dismissive about this issue a year ago (see
Reddit threads and here). In fact many supported the practice.

- Those same people are now whining about it.

- Suggesting that "but Github exists!" as a solution entirely misses the
point. Sourceforge pays the project money, and both Sourceforge and the
project profit. So unless Github can match that (hint: it cannot) then that is
a non-starter.

~~~
drzaiusapelord
This is why I have high hopes for integration with the Microsoft store in
Windows 10. I'd be pretty happy giving the Filezilla people .99 cents,
assuming no 3rd party installer tricks. MS would store my credit card, it
would be a one-click process, take the onus of hosting from
Sourceforge/Filezilla, and pay a nice little chunk of change on the side
directly to the Filezilla people.

Of course, anyone is free to fork it and host it for free. There are a lot of
little things that drive me crazy about Filezilla. I imagine others have the
same issues. I could see a fork with good management being very successful.

~~~
lsaferite
I think this is a point a lot of open source projects miss. They can, and
probably should, sell the software even though it is open source.

Trademark (?) protection would prevent a third party from using their name
even though it was open source (at least I think so based on the whole
Iceweasel event).

Personally, I'd also gladly pay Filezilla a small amount even though it's open
source.

~~~
dec0dedab0de
It's 4 in the open source definition.

[http://opensource.org/osd-annotated](http://opensource.org/osd-annotated)

------
jayess
If you read through this thread [1] on the filezilla forums, you'll see that
the administrator defends the use of SourceForge over and over. My guess is
that they're receiving kickbacks of some sort for the installation of said
malware.

[1] [https://forum.filezilla-project.org/viewtopic.php?f=1&t=3294...](https://forum.filezilla-project.org/viewtopic.php?f=1&t=32945)

~~~
danielweber
Someone has to pay the bills.

I think the world would be better if people just expected to pay a small
amount for software, but we don't live in that world, and so we get "free"
software you can download "for free" that installs a bunch of crap so the
developers can get paid.

~~~
nine_k
Up until rather recently, it was hard to pay or receive sub-dollar amounts.
This problem is solved on the two mobile platforms (though Apple still takes a
much larger cut from payments). Paypal / Stripe / Square sort of solve it in
the web space.

But we still lack a nice software store (or several) where you could pay for a
piece of software and pay a nominal amount (or more if you choose to donate),
knowing that you won't receive any malware / nagware in exchange, and that a
large cut of your payment goes to the authors and maintainers.

Similar things seem to happen around indie musical tracks, so _probably_ the
model could survive in the "indie" software area.

~~~
reitanqild
Yep, I love it when I find good music on YouTube and a link to Bandcamp where
I can pay a small minimum amount (or more). They seem to have done something
right, as I and others typically pay well over the minimum price.

------
NKCSS
Just make sure to add ?nowrap to the end of the URL and you'll download the
original package without that crapware installer SourceForge adds.

~~~
userbinator
Sounds like a job for a userscript.

...and someone has already made one for SF and a few other sites:
[http://userscripts-mirror.org/scripts/review/417459](http://userscripts-mirror.org/scripts/review/417459)
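An added example of the userscript idea above, written here and not taken from the linked script or from SourceForge: it rewrites sourceforge.net links so they carry the `?nowrap` parameter that NKCSS says returns the original package. The link rewriting is a pure function so it can be checked outside a browser; the host check and the sample URLs are assumptions.

```javascript
// Added example, not the userscript linked above nor SourceForge's own code.
// Appends ?nowrap to sourceforge.net links while keeping any existing query
// string and fragment intact, and leaves every other link untouched.

function isSourceForgeHost(hostname) {
  // Assumption: only sourceforge.net and its subdomains serve wrapped downloads.
  const h = hostname.toLowerCase();
  return h === 'sourceforge.net' || h.endsWith('.sourceforge.net');
}

// Return href unchanged unless it is an absolute sourceforge.net link that
// does not already carry nowrap; otherwise append the parameter.
function addNowrap(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return href; // relative or malformed link: leave it alone
  }
  if (!isSourceForgeHost(url.hostname)) return href;
  if (/(^\?|&)nowrap(=|&|$)/.test(url.search)) return href; // already present
  const fragment = url.hash;
  url.hash = ''; // re-attach the fragment after the new parameter
  const separator = url.search ? '&' : '?';
  return url.toString() + separator + 'nowrap' + fragment;
}

// Userscript entry point: rewrite every link on the current page and report
// how many were changed.
function rewriteLinks(doc) {
  let changed = 0;
  for (const a of doc.querySelectorAll('a[href]')) {
    const fixed = addNowrap(a.href);
    if (fixed !== a.href) {
      a.href = fixed;
      changed += 1;
    }
  }
  return changed;
}

if (typeof document !== 'undefined') rewriteLinks(document);
```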

------
jpmonette
It sounds more like a SourceForge issue than FileZilla. SourceForge used to
provide clean binaries, but I guess they changed that process in the past year
or two to bundle apps in the installer wrapper. You need to be extremely
careful during the installation process to make sure that you do not
accidentally install some extra software. The same happened to uTorrent: they
also added tricky questions during the install process to include
advertisements, change the default browser and such. That's a sad way to earn
money; the end-users will definitely move on because of that.

~~~
Cthulhu_
FileZilla could choose to move away from SourceForge, to be honest. Any party
staying with SF after stunts like this (and this isn't the first one) is as
corrupt as SF themselves are, IMO.

~~~
JetSpiegel
par0xyzm is hellbanned, but this is interesting:
[http://gonullyourself.org/ezines/exp/exp02.txt](http://gonullyourself.org/ezines/exp/exp02.txt)

is hosted at Sourceforge, so they share a server with thousands of other
customers. Every single customer is able to execute commands and access the
other project directories. Pretty stupid, eh? You only need to find one hole
in one hosted site and you can access ALL the project databases

------
leni536
Open source software really should abandon SourceForge. You can't even
download any binaries through HTTPS from them. Even if you log in the download
links redirect to plain HTTP.

------
_cpancake
There's really no reason to use SourceForge anymore. GitHub can do almost
everything SourceForge can do, aside from app reviews I guess. GitHub also
doesn't make you feel like you're in 2004.

~~~
Pxtl
I don't know, GitHub isn't quite as easy to navigate for a layman if you're
just looking for a synopsis and downloads.

~~~
TazeTSchnitzel
There's no big "Download" button but you can easily add one yourself.

~~~
higherpurpose
There should be one.

------
RubyPinch
Isn't this more that the SourceForge wrapper is acting unsafely?

Regardless, this has been happening for the entire last year with the consent
of the developers: [https://forum.filezilla-project.org/viewforum.php?f=1&sid=13...](https://forum.filezilla-project.org/viewforum.php?f=1&sid=13d72227c55b2204476060d348e64d37)

I would be very doubtful they will listen to their users any further about the
harm it does.

I'll probably avoid FZ from now on; I don't exactly enjoy using software that
is openly hostile towards me.

~~~
davb
I've heard similar things about FileZilla and its creator. Do you have any
recommendations for an open source, GUI-based, Linux FTP client?

Most of the time I simply scp or rsync files as necessary, however I use
FileZilla to manage files on my phone and tablets via FTP. I've never found
the FTP/SFTP/SMB support in Thunar to be all that reliable...

~~~
TazeTSchnitzel
IIRC GNOME has FTP and SFTP support, so you should be able to just use
Nautilus.

~~~
davb
I'm not using GNOME. I'm using XFCE, and unfortunately in my experience Thunar
(the XFCE file manager) doesn't handle those sorts of connections too well. I
think it's more to do with the FUSE layer beneath it (possibly the same driver
that's used by GNOME).

------
Pxtl
I wonder if Mozilla could argue that Filezilla is infringing on their
trademark and damaging their reputation because of this.

I mean, it's an open-source client for a common internet protocol that ends in
"zilla". It would be easy for users to assume that Filezilla is affiliated
with Mozilla.

And up until the move to Sourceforge's adware downloader system, that would
have been fine for everybody - they're both good products.

But now? Now filezilla is riding on mozilla's coattails with the confusion and
profiting from it, to the detriment of mozilla's reputation.

------
jmuguy
We've been sending Windows clients to
[https://ninite.com/filezilla/](https://ninite.com/filezilla/) to download it
but perhaps we ought to start avoiding it completely. I don't particularly
like any other FTP client I've used in Windows, but it's been a while since I
looked.

~~~
freehunter
Have you tried WinSCP? Since I found it, I haven't touched FileZilla.

~~~
jackmaney
Agreed. WinSCP is not only easy to use with a fairly "native" Windows feel
(just drag and drop stuff from one half of the window to the other), but it's
also not bundled with malware.

------
smrtinsert
It works really well unfortunately. I would prefer my installations without
the potential for malware, but I don't see another sftp client as mature as
filezilla. There used to be a ton and then it emerged as the best. fwiw it
seems the auto updates are malware free.

~~~
trurl42
WinSCP is a nice alternative.

[http://winscp.net/](http://winscp.net/)

~~~
arca_vorago
WinSCP is far superior to filezilla. At my last job stuck using a Windows
machine for some things, I ended up using it quite extensively. Every bug I
submitted to the author was fixed within months. He is also active on the
forums, though has a bit of a Linus Torvalds style... which can be offputting
for some.

Filezilla use will drop down because most admins I know that hear about this
will immediately write it off as too dangerous to even try to get around. Sure
you can dig into the sourceforge files and maybe find a clean version, or
maybe find a checksummed mirror, but would you really trust it?

------
debacle
SourceForge itself pushes a lot of malware these days. If your software comes
in an installer, I wouldn't trust it.

------
Sami_Lehtinen
[https://www.virustotal.com/fi/file/d0d418efb07df4378b24bccac...](https://www.virustotal.com/fi/file/d0d418efb07df4378b24bccaced697bf34745de33ad1521beffa18565d9f2e1c/analysis/1420630836/)
If you download the package, it will be a unique malware packet for you. So if
you check it with VirusTotal, it's not the same file.

~~~
loosescrews
As usual, Avira is right on the money with "Adware/InstallC.buzg." ESET is
pretty good too with "a variant of Win32/InstallCore.UQ." None of the other
providers clearly identified it.

------
ghantila
If you really need FileZilla, you can directly download the portable version
with this workaround.

Visit
[http://downloads.sourceforge.net/project/filezilla/FileZilla...](http://downloads.sourceforge.net/project/filezilla/FileZilla_Client/3.10.0/FileZilla_3.10.0_win32.zip)
to directly start downloading

Or, switch to some other FTP client.

References:

List of FTP Server Software
- [https://en.wikipedia.org/wiki/List_of_FTP_server_software](https://en.wikipedia.org/wiki/List_of_FTP_server_software)

Comparison of FTP Client Software
- [https://en.wikipedia.org/wiki/Comparison_of_FTP_client_softw...](https://en.wikipedia.org/wiki/Comparison_of_FTP_client_software)

~~~
Buge
Or click the direct download link on the front page.

[https://i.imgur.com/o7sE9aP.png](https://i.imgur.com/o7sE9aP.png)

------
jackmaney
As time marched on, I've found myself more and more hesitant to use
SourceForge at all, even to download things. If a project isn't available on
GitHub, BitBucket, or through a package manager, then I'm very unlikely to
download the source.

------
gojomo
Separate from any particular issue with Filezilla: all Sourceforge downloads
are via insecure HTTP, so could be redirected elsewhere, or corrupted in
transit, to deliver malware.

Even if you try to use an HTTPS link, Sourceforge redirects to a plain HTTP
download.

~~~
AlyssaRowan
And if you ask them about this, you get no reply. Which is interesting.

Yes, they should be regarded as a malware site these days. It's a shame,
really. Some other site should probably mirror the projects that aren't
anywhere else and host them properly.

------
robert_tweed
Just an FYI for those cases when you need to download something that isn't
available anywhere other than SourceForge: there's a small, plain-text "direct
download" link under the big download button.

They tend to move this around a bit to make it harder to spot, but it's always
been there since the malware-infested download manager was introduced. The
malware & crapware is entirely limited to SF's download manager. The
application binaries themselves are totally clean.

------
zuck9
This is not about SourceForge or FileZilla. This is an issue that plagues most
Windows freeware: everyone is integrating offers into the installer. Even
FileHippo started this recently.

The download manager (wrapper) of these 2 companies is provided by the same
Israeli company InstallCore.

------
nikolak
As far as I remember this is an opt-in feature for developers who host their
projects on sourceforge that makes the installer offer additional software, by
3rd parties, to be installed. That additional software may be malicious.

------
cordite
Ever since 2007-2008, SourceForge and places like CNET really started to lose
trust for me. When I noticed something from SourceForge had some sort of
downloading tool I put my hands down and refused to continue with that sort of
thing.

We have enough Ask Toolbar kind of crap from Oracle Java installers, and when
useful tools step to doing similar things, it really makes me lose respect and
find alternatives.

As a developer, I need to have a work environment that is robust and
dependable. Additional promotional packages that can slip through will disrupt
or degrade my work. That is not something I can take and feel sane.

------
irishjohn
What about doing a Fork of it? Clean build. Call it Forkzilla.

------
nyar
I haven't paid for the program and have not installed any adware on my
machine, I am happy with the product and have no qualms with someone who has
spent their time making something to try to profit from it. I'm not the sort
of person who opts in to install malware so it's not an issue to me. If I
wanted to be upset about something I would buy a commercial, ad-free, program
and complain that it does not have features of filezilla.

------
DunningKE
I've had a similar experience trying to install OpenCV.

I use windows, and I couldn't figure out why something like OpenCV could
possibly have malware with it. When I downloaded it, chrome said "Stop! This
is malware!" I thought that there was no way there could be a problem with the
file unless SourceForge was having issues.

What fixed the issue for me was downloading from a different mirror. So
perhaps some of the mirrors are compromised?

------
smilepet_26
I faced the same problem. This is a total mess and I could not believe that a
most reputed web program like FileZilla hosted at SourceForge is malicious
software. The best thing would be for FileZilla to be available for
download from [https://filezilla-project.org](https://filezilla-project.org)
firsthand.

------
abandonliberty
Solution: Use the zip version. It's portable. Avoid sourceforge where
possible. The download page even says:

>This installer may include bundled offers. Check below for more options.

Yes, it's a bit dirty. Valid discussion here is how to make open source
viable, otherwise pimps like sourceforge will exist.

Now get off my lawn with your fancy installers :)

------
eridal
Can we file a report against SF? Then, when users attempt to enter the site,
browsers will warn about the dangers.

------
kefs
I haven't trusted anything from SourceForge since they were compromised 4
years ago, regardless of their 'data validation'.

[https://sourceforge.net/blog/sourceforge-attack-full-report/](https://sourceforge.net/blog/sourceforge-attack-full-report/)

------
jdlyga
What happened to you Sourceforge? I hope the same thing doesn't happen to
Github in 10 years.

------
yellowapple
I've been a long-time user of WinSCP anyway, regardless of FileZilla's antics.
Seems to work better, for me at least.

Unfortunately, this is a reminder that free software isn't a guarantee of
software freedom or safety.

------
jongalloway2
This is a solved problem:
[https://chocolatey.org/packages/filezilla](https://chocolatey.org/packages/filezilla)

Chocolatey packages include silent, malware-free installers.

------
yAnonymous
Is there a good cross-platform alternative to FileZilla?

Or seeing as it's licensed under GPLv2, maybe we should just set up a GitHub
repo with the latest source and links to pre-compiled binaries.

------
krzrak
I think Google should mark SourceForge as malware site.

------
zer01
Also let's not forget that Filezilla will silently cache all your credentials
in plaintext without telling you :(

------
blueskin_
Sourceforge has been doing this for years. I would never download anything
from there these days.

------
bborud
Nobody should use Sourceforge. I rarely take projects seriously when hosted on
Sourceforge.

------
ChrisArchitect
So easy to avoid by just toggling the Direct Download Link option at the top of
the file list to On.

------
codegeek
I'm an idiot, but does this impact the Linux version? I use FileZilla on my
Ubuntu that I downloaded around September 2014 and I'm not sure if I downloaded
it from SourceForge. I am guessing this issue is only for Windows, right?

~~~
towelguy
If you used `apt-get install filezilla` then no. Does anyone know if
SourceForge includes malware in their Linux binaries?

~~~
primaryobjects
I installed via the Linux Mint package manager and found no issues of malware.

------
AlyssaRowan
Wow. They even wrap the _source_ packages, and the portable ones.

Bastards.

------
Cthulhu_
For Windows and my own servers I don't even bother with FTP anymore, it's just
another possible entry into my servers. WinSCP / SCP itself works fine, no FTP
server required.

------
otikik
Is there a fork without the malware?

------
aleem
The worst thing about FileZilla is clear text password files. The developer
refuses to fix it; I am not sure why.

~~~
DanBC
What's the alternative? It's a good thing that the developer does not give you
a false sense of security.

[http://security.stackexchange.com/questions/39321/should-i-u...](http://security.stackexchange.com/questions/39321/should-i-use-filezilla)

~~~
electrotype
A master password, no?

~~~
DanBC
No.

See the acres of discussion about Google Chrome not having a master password.
The fact that they caved in and now provide a master password does not mean
it's a good idea.

~~~
pb2au
The argument that I recall for Chrome not having an optional master password
was that it was often less secure than using the system's encrypted data store
for their account, if available.

Requiring a master password to decrypt the network passwords is a perfectly
fine idea if you want to maintain portability and reduce the chance that your
network passwords are accidentally exposed. An attacker has to both have the
password file _and_ either figure out the master password or have code
execution privileges on the user's account to gain the network passwords. This
is more secure than trying to ensure the password file doesn't get "misplaced"
(e.g. on an unencrypted drive, in unencrypted backups, unintentionally through
a fileserver, etc).

------
ExpiredLink
Someone tries to monetize his GPL'd software in an unfriendly way.

------
ro-mx
sadly it is true

------
ro-mx
sadly it is very true

------
gavreh
Seems to me like there's a market for a reasonably priced, excellent, simple,
Windows FTP client. (cross-platform bonus points)

