

CNET Injecting Malware into Downloads - skitzzo
http://insecure.org/news/download-com-fiasco.html

======
forcer
Press release from CNET a few minutes ago:

A note from Sean Download.com Developer Community,

My last communication to you was shortly after we launched the Download.com
Installer in late summer. At that time I asked for patience as we began work
to deliver a mutually beneficial model to market.

We are on the verge of fulfilling our vision of coming to market with an
installer model that delivers files faster and more efficiently to users,
while enabling developers to a) opt-in to the Installer, b) influence the
offers tied to their files, c) gain reporting insight into the download
funnel, and d) share in the revenue generated by the installer. However, due
to some press that surfaced yesterday and the potential for subsequent
misinformation, I am reaching out now to address that press and to provide a
progress report on the upcoming launch:

First, on the press that surfaced yesterday: a developer expressed anger and
frustration about our current model and how his file was being bundled. This
was a mistake on our part and we apologize to the developer and user
communities for the unrest it caused. As a rule, we do not bundle open source
software and in addition to taking this developer's file out of the installer
flow, we have gone in and re-checked all open source files in our catalog. We
take feedback from our developer & user communities very seriously and take
pains to both act on it and respond in a timely manner.

With that, I want to share progress made thus far: This week we will launch
the alpha phase of our new installer. This alpha phase is intended to test the
tech and do QA, and will roll through the next few weeks to ensure that our
installer is bug free. Between this week and the end of January we will be
completing the necessary engineering and administrative work to roll out our
beta, which will include a small group of developers who've agreed to
participate in the beta launch. Our goal is to exit beta by end of February
and have the necessary systems in place to enable opt-in, influence over
advertising offers (for those offers that impact your product), download
funnel reporting and revenue share back to you, the developers. In the
weeks/months following the full release, we will continue to iterate on the
model, adding more features to the Installer and bringing greater efficiency
to our own download funnel (read: increased install conversion). The initial
feedback from developers on our new model has been very positive and we are
excited to bring this to the broader community as soon as possible. More
communication will follow as we move into Q1, and until then, thank you for
continuing to work with Download.com.

Sincerely,

-- Sean

~~~
kermitthehermit
Dear CNET,

I hope your servers get fried, along with all your backups.

Sincerely,

kermitthehermit

------
iamandrus
I remember back in 2006 when the Download.com logo had "Safe, Trusted, and
Spyware-Free" under it.

EDIT: Picture.
[http://www.crunchbase.com/assets/images/original/0000/5821/5...](http://www.crunchbase.com/assets/images/original/0000/5821/5821v1.png)

------
jiggy2011
When it comes to Windows software I only use 2 types: open source software
downloaded from the project's website directly, or fully paid-up commercial
software.

I never install anything from ad banners.

------
dendory
There are three things here. First, adding a toolbar and screwing with user
settings is freaking lame, but everyone does it and it's something that's been
an accepted way to monetize software development.

However, injecting that into other people's software is low, especially if the
developers aren't aware of it. CNET should be ashamed.

Lastly, the way they present it to users should be plainly criminal. There's a
way to offer additional programs, and that's with a checkbox. The screenshot
they show is CLEARLY meant to confuse users; even I would have clicked next
had I not seen the circled text. On this point CNET should be sued for
deceptive tactics, because they put NMAP (or the name of whatever you
downloaded) as the title, and present buttons that are meant to deceive,
making it seem like it's NMAP's own EULA.

~~~
Zirro
"but everyone does it and it's something that's been an accepted way to
monetize software development"

No piece of software that I have installed during the past two years has done
so, and I sure wouldn't accept it as a way of funding development. I'd rather
pay for a product in that case.

Can you give a few examples from your list of "everyone"?

~~~
colkassad
I think the Java runtime installer asks to install a toolbar. There is
something else that I can't recall (flash runtime?) that asks to install the
Ask.com toolbar all the time as well. Some popular open source projects too
(PDFCreator).

~~~
nodata
The difference is that Sun adds the toolbar installer itself (and earns the
revenue from it).

~~~
colkassad
My comment was in response to the fact that everyone is doing it, including
software authors such as Sun.

------
rbanffy
When my mother forwards me the latest malware scare chain letter she got from
her friends, I tell her to picture her computer as a plane flying at Mach 4,
high above in the stratosphere, confident almost nothing launched from the
ground can harm her.

That's because she doesn't use Windows.

~~~
karolist
But this is ignorant and not true.

~~~
kajecounterhack
For laymen's purposes it pretty much is, though. When was the last time anyone
on Linux/OSX got some adware / popups?

I've also never heard of antivirus for Linux. Which doesn't mean there aren't
viruses, it means it's not a concern for the most part.

~~~
maqr
<http://www.clamav.net/> if you were actually wondering. There's also a sweet
osx port: <http://www.clamxav.com/>

~~~
rbanffy
Did you ever catch something with it?

~~~
maigret
If it ever catches anything, it's usually Windows viruses. It prevents them
from spreading and is also very useful on Linux server setups.

------
DanBC
Previous post was mentioned on HN
(<http://news.ycombinator.com/item?id=3317121>)

~~~
skitzzo
Yeah, I guess I wasn't paying enough attention but this was the first I'd
heard of it.

~~~
DanBC
Sorry, I wasn't meaning to say "This is already on HN", but more "Here's some
more reading for people who are interested".

I need to practice my tone and style a bit.

~~~
skitzzo
No worries. Can't have thin skin on the interwebz :D

------
easy_rider
CNET was the top choice for me back 10-12 years ago whenever I wanted to
download a utility / piece of freeware/shareware.

Of course when their market share went down... they had to change their
business model... This is just the next step after bloating their pages with
ads.

I'm guessing that the same people aren't in charge as those who were in their
glory days :_)

~~~
Georgiy
I'm surprised software catalogs are still alive :D Especially when you can get
literally everything you need from torrents with keygens/cracks.

------
suprgeek
What good alternatives would people suggest? What should be the "goto" site we
could suggest to a novice for finding a clean copy of almost any
software... any suggestions? (Assuming that an expert user would go straight to
the source website)

~~~
blub
The software producer's website is the only safe place.

~~~
waitwhat
Regular users have no way to reliably identify the software producer's
website. Advising them to "just google it" is likely to end up with them
clicking a scammy AdWords link where paying $40 to download some freeware
counts as getting off lightly.

------
potatolicious
It's funny seeing this posted so soon after "Don't be a Free User"...

------
risource
CNET was a very tested brand in its day.

------
forcer
"This is probably why CNET switched to installing the Babylon Toolbar yesterday.
This is a good and welcome move by Microsoft, but the whole process of paying
“distribution partners“ to change users' home page to MSN and search engine
to Bing is rather sketchy"

I am puzzled by the reaction of some journalists and people here. Have you
actually thought why the toolbar is marked as malware? Usually, that's because
one guy in one of the AV companies installed the toolbar, didn't like it and
so put a flag on. Malware as a definition is something that does harm to your
computer. We could argue whether this is actually the case as most of the
toolbars, including StartNow just provide search functionality and homepage
reset - this is how they make money - there is no reason to do anything
sketchy on top of that.

I am not trying to defend toolbar companies here but the quote above that it's
actually a good thing to replace StartNow with Babylon is misinforming the
public. These toolbars all do the same thing and they should either all be
marked by AV companies or not. Of course it's never gonna happen because there
are some AV companies that won't flag toolbars because hey - they distribute
toolbars too!

~~~
Georgiy
Everything on CNET is being tested manually with VirusTotal. If it gets at
least 4 positives/false positives from 43 antivirus engines they don't publish
it or work with it, until developers get things settled down with anti-
virus/anti-malware companies. They don't get that much profit from paid
accounts because of the small percentage of subscribers, and give away tons of
traffic + man hours even for free products. That includes manual testing,
checking and writing descriptions, reviewing, and that repeats for each update.
And lots of companies update their products like 10 times a week, just to get
bumped in search, or create like 20 versions of 1 program under different
names, especially Chinese developers. So they're just monetizing traffic and
stimulating developers to get subscriptions to remove ads for their products. I
personally hate all kinds of that toolbar stuff, but hey, there are not so many
ways to promote alternative search engines that work for free.

~~~
marshray
Welcome to HN Georgiy.

Here's the deal: That still doesn't mean it's not crapware.

You mention the difficulty of funding your download site (built almost
exclusively on supplying other people's free content). I can't imagine what
the bandwidth costs must be on a site like that. I'm sure there are plenty of
other visitors on HN that are familiar with this issue and are daily
encountering similar ethical decisions about how best to fund their business.

There are many ways of resolving difficult ethical decisions.
<http://en.wikipedia.org/wiki/Normative_ethics> One useful technique is to ask
yourself: _If everyone behaved in this manner, what kind of world would
result?_

So let's imagine such a world:

* Want to view a .pdf on the web? ... receive and run an executable downloader from an unrelated party.

* Want to watch a video on YouTube? ... receive and run an executable downloader from an unrelated party.

* Want to install an application? ... receive and run an executable downloader from an unrelated party.

Do you see the problem here?

(Maybe you don't, but most everyone else on HN will and I'm doubtful that
you're even reading the responses. But if you are still interested I'm sure we
can politely explain it further for you.)

~~~
Georgiy
It's just my humble opinion as an internet marketer :) I'm not related to CNET
atm, I worked there as a tech for some time. And I think it's really an
ingenious idea with the wrapper, maybe not so good with all those toolbars.
Maybe it's crapware and they lose like all geeks, 20% publishers and 30-40%
users maximum - they still will be like x10 more profitable than before. Don't
get me wrong but Google wasted like hundreds of millions on unprofitable
YouTube, and now they're airing these shitty advertisements that are so fucking
annoying %) luckily there are all these adblock extensions out there.

~~~
marshray
But it's not an ingenious idea; malware has been doing that kind of thing
_forever_.

Downloading and installing software is an activity that is fraught with peril.
The authenticity of the app you're downloading is critical and almost all the
security properties depend on it.

If you think that breaking app authenticity is a great marketing opportunity,
well, your brand will do no business with me or those I advise.
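The authenticity point marshray makes above, as an added example that is not part of the thread: a Python check that compares a downloaded installer against the SHA-256 manifest a vendor publishes on its own site, so a copy that a download site has wrapped in its own installer stub no longer matches. The installer bytes, the wrapper stub and the manifest are all constructed here; the manifest follows the common `sha256sum` layout of one `<hex digest>  <file name>` per line.

```python
import hashlib
import hmac

# Constructed sample: the vendor's genuine installer bytes, and a copy that a
# third-party download site has prefixed with its own installer stub.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"example-tool-setup-1.0" * 16
WRAPPED_INSTALLER = b"MZ\x90\x00" + b"download-site-wrapper-stub" + GENUINE_INSTALLER

# Constructed SHA256SUMS-style manifest, as a vendor would publish next to
# the release on its own website ("<hex digest>  <file name>" per line).
VENDOR_MANIFEST = (
    hashlib.sha256(GENUINE_INSTALLER).hexdigest() + "  example-tool-setup-1.0.exe\n"
    "# comments and blank lines are ignored\n"
    "\n"
)


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex SHA-256 from a SHA256SUMS-style manifest."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # GNU coreutils marks binary mode with a leading '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        digests[name] = digest.lower()
    return digests


def verify_download(data: bytes, name: str, manifest: str) -> bool:
    """True only if data hashes to the digest the vendor published for name."""
    expected = parse_manifest(manifest).get(name)
    if expected is None:
        return False  # unknown file: nothing to compare against, so not trusted
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; a mismatch means the bytes are not the release
    # the vendor published, whether wrapped, tampered with, or just corrupted.
    return hmac.compare_digest(actual, expected)
```

The check is only as good as where the manifest came from: it must be fetched from the vendor's own site (waitwhat's point above about finding that site still applies), and a mismatch cannot distinguish a bundled wrapper from a corrupted download.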

