
Filezilla installer is suspicious again - stevekemp
https://forum.filezilla-project.org/viewtopic.php?f=2&t=48441
======
michaelmrose
Botg, site admin: "The hash doesn't match because the filename doesn't match."

A fully descriptive answer is that they don't have a checksum for the bundled
package but botg doesn't want to say this.

" Dangerously ignorant user. Not matching filename = the checksum is NOT for
that file. Checksums can only be provided for the non-bundled packages,
because they're static. Bundled installers are not."

Dangerously ignorant person here: what they are actually saying is that they
have no way on earth to be sure what's even IN the bundled packages nor what
they will do to the user's computer.

They have decided that tricking people into downloading malware is a
reasonable alternative to charging money for their software or soliciting
donations.

It's truly amazing to me that installing Windows software is still like this.

The obvious and immediate solution is to abandon vendors who behave like this.
This is challenging because you have to track the reputation of each
individual vendor, and users have proven unable to even consistently download
the software from the right page, let alone judge individual vendors' track
records.

The long term solution is to get off the platform.

~~~
NiveaGeForce
> It's truly amazing to me that installing Windows software is still like this

It doesn't have to be that way, since there has been a Windows/Microsoft Store
for plenty of years now.

But then you have gamers and game devs spreading FUD about UWP and the MS
Store, while they praise 3rd party platforms like Steam and GoG that actively
refuse UWP apps in their store, while allowing spyware like this.

[https://www.reddit.com/r/Steam/comments/8pud8b/psa_red_shell...](https://www.reddit.com/r/Steam/comments/8pud8b/psa_red_shell_spyware_holy_potatoes_were_in_space/)

Yet, nobody dares to hold those platforms responsible.

[https://www.reddit.com/r/Games/comments/8sg294/16_studios_re...](https://www.reddit.com/r/Games/comments/8sg294/16_studios_removing_alleged_spyware_from_pc_games/e0zcl5y/)

> The long term solution is to get off the platform.

No, the long term solution is to embrace the MS Store, or at the very least
modern platforms like WinRT/UWP that would prevent most types of malware
attacks.

Why do we still accept the violation of the principle of least privilege in
this day and age?

~~~
michaelmrose
The long term solution CAN'T be the MS store. It requires asking Microsoft for
permission to compete with them. It gives MS permission to bar entire
categories of software globally or in your particular market.

Giving the party running the store 30% of all revenue is a hard sell to start
with.

More importantly, it gives MS the position to impose whatever dictates it
likes, or, even more likely, gives every government in existence the right to
impose whatever restrictions they like on any app maker in existence, with the
threat of instant non-existence.

Want a social media platform to ban anyone who disagrees with the king? No
problem: do it or you can't do business. Want your browser to censor whatever
your locality wants? No problem: if it doesn't, it doesn't get distributed.
Want your OS to refuse to install apps that don't follow the store rules? No
problem, it's in the government's interests and the company's.

Linux package management works like an app store with an official source and
the ability to add whichever sources you choose. A search of available
packages shows results giving sources the priority set by the user. Updating
the system updates packages from 3rd party sources same as others. The major
limitation is the labour required to create packages for all the different
platforms users prefer not artificial limits or money paid to the platform
"owner".

On Windows nothing much is on the store, mostly because people don't want to
give Microsoft 30%; on Linux charging 30% is downright impossible because
people would trivially publish an alternative source instead.

Basically your cure is worse than the disease, and since Microsoft won't fix
the situation in a reasonable fashion the only solution is to move off their
platform.

~~~
whoopdedo
> It requires asking Microsoft for permission to compete with them

On that note, Apple now distributes iTunes for Windows through the Microsoft
Store.

~~~
code_duck
I wonder if MS would have been on board with that around the time they were
launching the Zune.

------
st3fan
Suspicious?

Let’s call this what it really is: The FileZilla owners are actively
encouraging users to install malware as a way to monetize. That is very clear.

Avoid FileZilla by all means.

~~~
Digital-Citizen
If what you say is true a more productive approach is to make a derivative of
the last known non-malware release of FileZilla with a new name. FileZilla's
code respects your software freedom (FileZilla is licensed under the GNU GPL
v2, last I knew), so there's no reason not to use that freedom to make a
derivative which doesn't come with a tricky installer. Rejecting free software
when improvements can be had is an overreaction that could lead to a reduction
in software freedom which would obviously be bad. Free software is the path to
being able to trust the software you run.

~~~
rhizome
The hard part is search engine ranking.

~~~
jlgaddis
And that little issue with trademarks: [https://filezilla-project.org/trademark_policy.php](https://filezilla-project.org/trademark_policy.php)

~~~
Digital-Citizen
This is also a non-issue as long demonstrated by Debian and GNU when they
distributed Firefox and Thunderbird derivatives under different names with
different logos. The section of that page under "Modifications" is quite clear
on what needs to be done. Please don't try to invent non-existing
difficulties. I realize HN is demonstrably averse to any serious discussion
which centers on the importance of software freedom for its own sake but
that's no reason to reject leveraging software freedom to improve one's own
lot or help others.

------
AdmiralAsshat
It's sad that FileZilla remains so popular long after the creator has chosen
to monetize it with adware. I highly recommend any FileZilla user reading this
should switch to WinSCP. It's free, open source, and not bundled with any
crapware.

~~~
blibble
winscp has also previously bundled crapware (OpenCandy)

[https://en.wikipedia.org/wiki/WinSCP#Advertisements_in_insta...](https://en.wikipedia.org/wiki/WinSCP#Advertisements_in_installer)

~~~
DmenshunlAnlsis
Four years ago, with no incidents since.

~~~
willio58
It’s funny to see defense of a program that intentionally included adware in a
previous version.

~~~
gruez
why? do you believe in no second chances?

~~~
JackCh
When it comes to software security, second chances are for _accidents_.

------
mkane848
I can't believe those are real admin responses. TigheW was far more patient
than they needed to be, that was painful.

~~~
ksk
What factual information do you dispute from their responses?

~~~
mcbits
I dispute "The hash doesn't match because the filename doesn't match." He did
backpedal and say he really meant they don't match because the files are
different. (Well, duh.)

I also dispute "It's a tautological false-positive, by the very definition of
the term, _everything_ is potentially unwanted."

That's not the definition. Here is a definition in line with what just about
everyone means by the term:

"A potentially unwanted program (PUP) is a piece of software that is also
downloaded when a user downloads a specific program or application. PUP is
similar to malware in that it will cause problems when it is downloaded and
installed."[0]

Or my own shorter definition: "Software that nobody would want on their
computer if they knew what it is and does."

It sounds like that's exactly what was detected.

I don't dispute, but I'm curious about his claim that AV vendors maliciously
flag their competitors' legitimate software. I wouldn't be the least bit
surprised if that's true, but it's the first time I've heard of it.

[0] [https://www.techopedia.com/definition/4061/potentially-unwan...](https://www.techopedia.com/definition/4061/potentially-unwanted-program-pup)

~~~
ksk
Well, the central question in my mind anyway, is whether FileZilla distributes
malware. I don't see any data on that yet.. maybe it will come. Meanwhile I'm
not going to join other HN members in calling people I don't know "scum".

~~~
justinclift
FileZilla doing this has been known for at least a few years:

[https://web.archive.org/web/20140816230250/http://blog.glust...](https://web.archive.org/web/20140816230250/http://blog.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/)

Back then, they were doing it as part of the (previous incarnation of)
SourceForge's "DevShare" offering, e.g. malware authors got SourceForge to
bundle crapware with popular Win installers, and gave the developers a cut of
the take.

It seems like the FileZilla people didn't like that revenue stream being cut
off, and went to the source directly afterwards. :(

------
zaroth
Sophisticated users will know to download the unbundled installer, and maybe
even go so far as to verify the hash.

But that sideskirts the question of whether to continue using software where
the authors are willing to put their users at risk by monetizing with what is
apparently malware bundles.

FileZilla is by all accounts a fantastic piece of software. I’ve used it for
years, both the client and the server, and it’s no doubt provided significant
value to me over the years.

And yet I’ve never paid the FileZilla authors a penny for their services.

So while I didn’t force the FileZilla authors down this dark path that they’ve
chosen to use for monetization, I accept that I am part of the problem.
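The checksum point argued at the top of the thread (botg: the published hash is for the static, unbundled package, so a different filename means you are looking at a different file) and zaroth's "verify the hash" above, as an added worked example. This is not FileZilla's code and does not reproduce their download page. It assumes the project publishes a sha512sum-style line (`<hex digest>  <filename>`) for the unbundled package; the filenames, file bytes and the resulting checksum line are constructed for the example. The check refuses to compare digests at all when the basename differs, which is the situation in the forum thread: a mismatch on the bundled installer says nothing about that file either way, it only means there is no published checksum to compare against.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample data for this example. The filenames and bytes are
# hypothetical, not FileZilla's real artifacts, and PUBLISHED_LINE is the
# checksum line a download page would carry for the unbundled package,
# assumed here to be in sha512sum style: "<hex digest>  <filename>".
GOOD_NAME = "client-setup.exe"              # static, unbundled package
GOOD_BYTES = b"MZ\x90\x00 constructed unbundled installer"
BUNDLED_NAME = "client-bundled-setup.exe"   # bundled installer, no checksum published
BUNDLED_BYTES = b"MZ\x90\x00 constructed bundled installer, different bytes"


def sha512_hex(data):
    return hashlib.sha512(data).hexdigest()


PUBLISHED_LINE = "%s  %s" % (sha512_hex(GOOD_BYTES), GOOD_NAME)


def parse_checksum_line(line):
    """Split a sha512sum-style line into (digest, filename).

    Accepts both the text form ("<digest>  name") and the binary-mode
    form ("<digest> *name") that sha512sum emits.
    """
    digest, _, name = line.strip().partition(" ")
    digest = digest.lower()
    name = name.lstrip(" *")
    if len(digest) != 128 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-512 hex digest: %r" % digest)
    if not name:
        raise ValueError("checksum line carries no filename")
    return digest, name


def check_digest(actual_digest, path, published_line):
    """Return 'ok', 'filename_mismatch' or 'digest_mismatch'.

    The filename guard comes first: a published digest only describes the
    exact artifact it was computed over, so a different basename means
    there is nothing to compare against, not that the file is bad.
    """
    expected_digest, expected_name = parse_checksum_line(published_line)
    if os.path.basename(path) != expected_name:
        return "filename_mismatch"
    if not hmac.compare_digest(actual_digest.lower(), expected_digest):
        return "digest_mismatch"
    return "ok"


def verify_bytes(data, path, published_line):
    """Verify an in-memory download; `path` supplies the filename to match."""
    return check_digest(sha512_hex(data), path, published_line)


def verify_file(path, published_line):
    """Verify a file on disk, hashing it in chunks so large installers fit."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return check_digest(h.hexdigest(), path, published_line)


def demo():
    """Write the constructed files to a temp dir and verify each one
    against the single published line. Returns a label -> verdict dict."""
    cases = [
        ("unbundled", GOOD_NAME, GOOD_BYTES),
        ("bundled", BUNDLED_NAME, BUNDLED_BYTES),
        ("tampered", GOOD_NAME, GOOD_BYTES + b"\x00"),  # right name, altered bytes
    ]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, name, data in cases:
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_file(path, PUBLISHED_LINE)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-10s %s" % (label, verdict))
```

In practice the checksum line is fetched over HTTPS from a page you already trust and the installer is hashed from disk after the download completes; the filename guard stays in either case, because reading "filename_mismatch" as "the file is bad" is the same confusion the forum thread turns on.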

~~~
codedokode
I don't really see the problem. If the developers want to get paid for their
work they can just sell their software. The problem is when someone tries to
monetize their product by deceiving users. This is the case: they prevent users
from knowing what is happening on their computer, download and run suspicious
binaries and use the EULA as an excuse. And I suspect they themselves don't
even know for sure what is bundled into the installer.

Users should know exactly what they are offered. Hiding a clause like "you
allow us to do anything we want" in the EULA should not work.

~~~
jensv
Imagine if Google charged $5 per month for a subscription to their search
engine. We're kind of seeing this with Youtube Red.......

------
smsm42
When I read "You get AV flags for business reasons on the AV vendor's behalf,
not because of malware." I pretty much became convinced they have gone to the
dark side. I've seen enough shady business that this pattern really jumps out
- as soon as people start claiming everybody is conspiring against them for
monetary reasons, or out of envy, etc. with no proof - it is a very strong
sign that the person is not to be trusted. There are false positives but the
sign is very strong.

------
phyzome
« The connections are for fetching offers and, if the user accepts the offer,
the offered file. What the file is for is written in the offer text. The
network requests to fetch offers are done only after the user has agreed to it
by accepting the privacy policy. »

Translation:

« Our installer fetches random crapware once you click past the giant wall of
text. »

~~~
Fnoord
This is allowed under GDPR? Doesn't this constitute breaking into computers?

~~~
vsl
Even if it did (but that’s rubbish), it would have nothing to do with GDPR -
which isn’t your personal magic bullet against anything you might not like.

~~~
Fnoord
Those two laws are, actually, my personal bullet against virtually everything
I don't like happening to my own computer, as well as to those owned by others
(though that is not within my responsibility).

I feel like you missed the point though. There's no obvious question to the
computer user that this is going to happen; ie. there is no consent. Which is
important with regards to GDPR.

Next, what happens is the question. Either the security of the computer is
breached (which I'll just call "malware" from hereon), or PII is being sent
(spyware).

Malware seems obvious to me. That's breaching computer security, which has
been illegal for quite a while now. Not worth the discussion, though recently
the government of The Netherlands made it legal for the police to hack its
civilians.

Spyware's legal status seems to have changed since GDPR though. Sure, a lot of
spyware is shady, makers of it don't care. But the spyware being bundled with
software was done by _someone_. And in this case, it appears to be within
FileZilla's responsibility.

You may not be from the EU; I saw FileZilla developers being obviously _from_
the EU and I am _from_ the EU as well. So the GDPR does apply for me, for sure.

------
mysterypie
If you've decided to do something dirty, sneaky, or underhanded, then the
dialog on this forum should be required reading on how _not_ to handle user
questions. Any large software company experienced in being routinely evil
would have done the following:

\- shut down that thread at the first opportunity (it's their own forum so
they are able to do that)

\- as a corollary to the above, always run your own forums for questions,
support, fandom, etc. so you can kill threads, guide the conversation, ban
users, or redesign the site giving cover for losing history that you don't
want remembered

\- ban that particular user who was giving the best analysis; a real reason is
not necessary -- just allege that he violated the terms & conditions

\- have someone preview all questions and comments before they get posted in
your forum; you know how some sites say, "Your comment is awaiting
moderation"? -- you need to do that

\- never give official answers to any questions (the founder and original
developer was replying in his _own_ name); instead, always reply as a fellow
user, knowledgeable and helpful, but allowing the company a way to disown any
replies given out

\- don't even bother to reply to questions you don't want to answer; just
ignore them (the current thread would surely have died out if the founder had
not given those silly obfuscating answers); you can compose a crafty reply
only if it becomes a big problem

\- have a bunch of fake users (employees, PR department, outsourced agents)
ready to pounce on, rebut, or ridicule the user providing the good analysis;
similarly, have those fake users guide the discussion or completely change the
topic

Some large software companies get away with far worse tricks and shenanigans,
affecting millions of users, by following the principles above.

------
belorn
I doubt the legal system that the publisher resides in would accept the excuse
that giving control over to a third party will protect them from liability if
malware gets installed from the installer. No amount of EULA, disclaimer, or
calling it a "bundle" can do that, and now there is a public documented
discussion that the developer knowingly allowed it. That sounds like some
significant risk, one which I would never bet my own personal life on.

It will only take a security researcher who identifies one of those unsigned
processes, in the past or future, as malware, and people who are infected by
the same malware can check if they also have FileZilla installed, and boom. A
lawsuit is born.

~~~
qiqitori
Hmm? I don't think I've ever heard of any lawsuits about bundled adware.
(Read: I doubt it's illegal.)

------
jlgaddis
Since I haven't seen it mentioned here, note that the first post in this
thread was on 13 December 2017, with most of the back and forth between _botg_
and _TigheW_ taking place in early January 2018.

Post #14 revived the thread 11 days ago and the last seven or eight posts are
from the last 24 hours or so.

Looks like the thread has since been "locked" to prevent further discussion.

------
billforsternz
I install filezilla (amongst other things) from ninite.com. In general
ninite.com installation is equivalent to normal installation without having to
carefully uncheck obviously horrid and unwanted optional "extras".

~~~
glenneroo
I wasn't sure which version Ninite were using or if they were aware of the
suspicious installer, so I wrote them a mail referencing this thread. They
wrote back a couple hours later (and I'm not even a Pro user!):

> Apparently FileZilla has more than one installer package. The discussion in
> the [HN] forum link is about their "bundled" installer. We use the one
> without the junk-ware bundled. Below are links to the virustotal results for
> the packages we use.

[https://www.virustotal.com/#/file/92aa946d4127eeef30b428e86b...](https://www.virustotal.com/#/file/92aa946d4127eeef30b428e86b54733a0fac2b7b22af9c00707fb827b808303e/detection)

[https://www.virustotal.com/#/file/a86a836888e9894215e15da49e...](https://www.virustotal.com/#/file/a86a836888e9894215e15da49eb7bcdc6f90bc091df23a54d51a926d63c462b6/detection)

------
faitswulff
Well, damn. I didn't even know there were prior incidents. Ugh. I've used
Filezilla within the last year.

What are good alternatives?

~~~
DmenshunlAnlsis
WinSCP is a great open alternative.

[https://winscp.net/eng/index.php](https://winscp.net/eng/index.php)

[https://en.m.wikipedia.org/wiki/WinSCP](https://en.m.wikipedia.org/wiki/WinSCP)

~~~
craftyguy
They also have a history of doing this crap:

[https://en.wikipedia.org/wiki/WinSCP#Advertisements_in_insta...](https://en.wikipedia.org/wiki/WinSCP#Advertisements_in_installer)

------
RandyRanderson
Sad to see such a formerly great app now _at best_ guilty of bundling dodgy
add-ons for pay in their installer. Here's some alternatives:

[https://alternativeto.net/software/filezilla/](https://alternativeto.net/software/filezilla/)

WinSCP looks to be my new default.

------
zouhair
Just for information, it seems that only the installer from their website's
first download page[0] is bundled (it has "bundled" in the name). On the same
page there is a link that says "Show additional download options"[1]; on that
page you have access to "clean" installers.

The way they did it is quite shady.

[0]: [https://filezilla-project.org/download.php?type=client](https://filezilla-project.org/download.php?type=client)
[1]: [https://filezilla-project.org/download.php?show_all=1](https://filezilla-project.org/download.php?show_all=1)

------
paulie_a
Filezilla should simply never be trusted ever again and that is not a new
thing.

------
jonnytran
Does anyone have suggestions for alternatives to FileZilla, both for Windows
and for Mac, that I can recommend to non-technical friends. In other words,
something with a GUI.

Basically, when pointing out security problems, I find that people are much
more likely to actually listen if you present an alternative action. I will
probably just use sftp from the command-line, but that won't fly for some.

------
codedokode
I don't know whether it is really malware, or they just collect information
from PC like browser history and cookies or just avoid being blocked by AV,
anyway the real purpose is that developers don't want users to be able to
control what is happening on their PC and to know what is really happening. I
don't see any other explanation.

------
zorkw4rg
Just reading the exchange with "botg" is really all the information you'll
ever need to know about Filezilla, using it (bundled or not) would just be
gross negligence after that.

Here is an alternative:
[https://winscp.net/eng/index.php](https://winscp.net/eng/index.php)

------
fusl
This has always been the case. Filezilla offers two versions for Windows and
macOS on their website: bundled and non-bundled. You get the bundled version
when you click "Download FileZilla Client" and then the big green "Download
FileZilla Client" button (assuming you're visiting the website from a Windows
or macOS client): "This installer may include bundled offers." makes this also
very clear. In order to get the clean version, you have to click "Show
additional download options" and then pick the version you want. For anyone
saying that Filezilla can't be trusted anymore due to doing this, it's still
open source and you can check out and build the code yourself:
[https://filezilla-project.org/sourcecode.php](https://filezilla-project.org/sourcecode.php)

~~~
EpicEng
>You get the bundled version when you click "Download FileZilla Client" and
then the big green "Download FileZilla Client" button (assuming you're
visiting the website from a Windows or macOS client)... In order to get the
clean version, you have to click "Show additional download options" and then
pick the version you want.

Right, nothing shady about this UI pattern at all.

>"This installer may include bundled offers." makes this also very clear.

It makes nothing clear. It's purposely vague language used to disguise the
fact that these "bundled offers" consist of software no person would actually
choose to install on their machine.

>For anyone saying that Filezilla can't be trusted anymore due to doing this,
it's still open source and you can check out and build the code yourself:
[https://filezilla-project.org/sourcecode.php](https://filezilla-project.org/sourcecode.php)

What would that accomplish? The issue is that the dev doesn't even know what
the hell comes across the wire when you choose to install this crap. How is
reading the FileZilla source helpful?

------
justinclift
Damn. Personally I'd hoped the FileZilla team had discontinued their bundling
of malware since the SourceForge episode, which I wrote about here:

[https://web.archive.org/web/20140816230250/http://blog.glust...](https://web.archive.org/web/20140816230250/http://blog.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/)

Instead, it looks like they've taken up with the malware creators directly.

Wonder what the most appropriate solution would be?

If Google were to "ban" FileZilla from its results (due to pushing malware),
it sounds to me like that would work.

------
drexlspivey
Anyone know what tool is being used by TigheW to create that process tree
graph?

~~~
detaro
Carbon Black: [https://www.carbonblack.com/products/cb-response/](https://www.carbonblack.com/products/cb-response/) (2nd screenshot
shows the same screen)
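The behaviour botg describes further up the thread (the installer fetches offers over the network and, once an offer is accepted, downloads and runs the offered file) and the process-tree view TigheW posted from Carbon Black are, between them, a detection rule. Added example, not Carbon Black's, Sysmon's or FileZilla's code: it indexes constructed process-creation and network-connection events into a tree, renders the tree the way an analyst reads it, and flags any process that connected out and then launched an unsigned executable from a temp or download directory. The event shape, the paths, the destination addresses and the `signed` field (standing in for whatever code-signing verdict your telemetry actually provides) are all assumptions of this example, not observations from the thread.

```python
from collections import defaultdict

# Constructed telemetry in the shape of EDR process-tree data: process
# creations ("proc") and outbound connections ("net"). Not real FileZilla
# data; the 'signed' flag is assumed to come from the telemetry source.
EVENTS = [
    {"ts": 1, "kind": "proc", "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "signed": True},
    {"ts": 2, "kind": "proc", "pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\client-bundled-setup.exe", "signed": True},
    {"ts": 3, "kind": "net",  "pid": 200, "dest": "203.0.113.10:443"},
    {"ts": 4, "kind": "proc", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\offer_1.exe", "signed": False},
    {"ts": 5, "kind": "net",  "pid": 300, "dest": "198.51.100.7:80"},
    {"ts": 6, "kind": "proc", "pid": 400, "ppid": 200, "image": r"C:\Program Files\Client\client.exe", "signed": True},
    # A plain installer for contrast: no network, signed child in Program Files.
    {"ts": 7, "kind": "proc", "pid": 500, "ppid": 100, "image": r"C:\Users\u\Downloads\client-setup.exe", "signed": True},
    {"ts": 8, "kind": "proc", "pid": 600, "ppid": 500, "image": r"C:\Program Files\Client\client.exe", "signed": True},
]

# Directories an installer should not be launching freshly written
# executables from; matched case-insensitively against the image path.
STAGING_DIRS = (r"\appdata\local\temp", r"\windows\temp", r"\downloads")


def build_tree(events):
    """Index process-create events by pid; collect children and connections."""
    procs, children, conns = {}, defaultdict(list), defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "proc":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
        elif ev["kind"] == "net":
            conns[ev["pid"]].append(ev)
    return procs, children, conns


def render_tree(procs, children, conns, pid, depth=0):
    """Return the indented process tree, one line per process or connection."""
    p = procs[pid]
    flag = "" if p["signed"] else "  [UNSIGNED]"
    lines = ["%s%s (pid %d)%s" % ("  " * depth, p["image"], pid, flag)]
    for c in conns.get(pid, []):
        lines.append("%s-> net %s" % ("  " * (depth + 1), c["dest"]))
    for child in children.get(pid, []):
        lines.extend(render_tree(procs, children, conns, child, depth + 1))
    return lines


def in_staging_dir(image):
    lowered = image.lower()
    return any(d in lowered for d in STAGING_DIRS)


def find_offer_chains(events):
    """Flag processes that connected out and then ran an unsigned binary
    from a staging directory: the 'fetch offer, run offered file' pattern."""
    procs, children, conns = build_tree(events)
    alerts = []
    for pid, proc in procs.items():
        if not conns.get(pid):
            continue
        first_connect = min(c["ts"] for c in conns[pid])
        for child_pid in children.get(pid, []):
            child = procs[child_pid]
            if (child["ts"] > first_connect
                    and not child["signed"]
                    and in_staging_dir(child["image"])):
                alerts.append({
                    "installer_pid": pid,
                    "installer": proc["image"],
                    "child_pid": child_pid,
                    "child": child["image"],
                    # Only connections made before the child appeared count as
                    # the "fetch"; later ones belong to the child's own story.
                    "connected_to": [c["dest"] for c in conns[pid] if c["ts"] < child["ts"]],
                })
    return alerts


if __name__ == "__main__":
    procs, children, conns = build_tree(EVENTS)
    print("\n".join(render_tree(procs, children, conns, 100)))
    for alert in find_offer_chains(EVENTS):
        print("ALERT:", alert)
```

The ordering constraint (connection strictly before the child's creation) is what separates this from "installer with network access", which every auto-updater matches; in a real deployment the `signed` verdict should come from Authenticode verification of the on-disk image, not from the installer's own claims, and the staging-directory list will need tuning per environment.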

------
loganabbott
FYI the SourceForge version of FileZilla is clean, and has been since 2016.
The official FileZilla installer has been doing this for some time now though.
In case people don’t know, a lot has changed at SourceForge since my company
acquired them in 2016. All projects are scanned for malware. We covered the
improvements again here [https://sourceforge.net/blog/brief-history-sourceforge-look-...](https://sourceforge.net/blog/brief-history-sourceforge-look-to-future/)

~~~
mintplant
Yet this happened with your company at the helm:

[https://medium.com/@jonykatz/sourceforge-hiding-fact-that-th...](https://medium.com/@jonykatz/sourceforge-hiding-fact-that-they-have-lost-the-latest-revision-of-svn-d221f2d68285)

~~~
loganabbott
This blog post is not accurate at all.

~~~
mintplant
So what's your side of the story, then?

~~~
loganabbott
We lost a few hours of commits and notified everyone affected. That's it.

~~~
mintplant
And the disappearing tickets?

------
barking
Am I right in guessing that this affects the filezilla client only (at least
on Windows)? Virustotal gives the server a clean bill of health.

It gives the client a detection score of 7/67. This raises the question for
me of what's considered an acceptable detection score on VirusTotal.

Before this I'd have looked at a score of 7 and concluded that as the great
preponderance of opinion is that this file is fine, it's fine, probably.

------
analognoise
Can't we just fork and fix?

~~~
giancarlostoro
I'd honestly like to just see new alternatives altogether, crazy there's like
no other GUI alternatives that are open source and comparable.

~~~
Rjevski
Cyberduck? [https://cyberduck.io/](https://cyberduck.io/)

Seems like a good alternative with a modern UI.

~~~
giancarlostoro
Thanks for that, I've run into cyberduck but never was sure if it was open
source or what till now.

------
AsyncAwait
The guy should just run a Patreon, instead of doing this. They're ruining
FileZilla's reputation.

------
vsl
Notwithstanding the rest, being suspicious just because of VirusTotal output
is paranoid. It’s a cesspool out there, most AV is total crap (and some, like
Bitdefender or F-Secure, are truly something) and false positives from them
are an every-release problem for many developers.

------
ASalazarMX
Crazy how 20 years ago you could open an .EXE sent to you by email and it was
just a silly Flash game.

------
ronsor
Looks like botg is trying the "offers" crap again. I suggest using WinSCP
instead.

------
e2e8
It is still possible to get non bundled versions of filezilla by clicking
"Show additional download options" rather than clicking the big download
button. Whether or not to continue to use filezilla or to trust that that
software is really clean is another matter.

~~~
giancarlostoro
Let's be honest a lot of people wont suspect the main recommended download to
be sketchy until it's too late in some cases.

~~~
fusl
I guess "This installer may include bundled offers." as a warning is not clear
enough because it's not written in 72px red-colored bold text? Don't get me
wrong, but, in my honest opinion, they make it clear on their own website that
it includes bundled offers. I know many other open source projects that offer
builds of their software for free, including "bundled offers", without any
hint.

~~~
netsharc
Let's try to imagine what his thought processes were. And to do that I would
try to put myself in his shoes and imagine what my thought processes would be:
"I have this popular software, but I'm not getting rich out of it. What if I
put crap adware with it. But that'd be dishonest and I would be helping the
scammy/scummy side of the internet (1). Well, if I put a disclaimer on the
download page, then it'd be the users' own damn fault if they miss it. And
I'll make the download button extra big so they'll think 'I know what I need
to do in this page, click' and miss the warning.".

(1) This is what I think about that section of the Internet, remember this is
me putting myself in his shoes.

And at first I would feel guilty about scamming my users, but later on I would
probably blame them for being stupid. And when others ask questions in the
forum I would just reply tersely and arrogantly and say "It's all correct
because I wrote a disclaimer.".

So, when you say "They make it clear", IMO that is very arguable. He (is the
author of the software the same guy as the forum moderator? I'm getting the
impression it's a one-man show) did the least he needed to do to be able to
get away with installing crapware on their trusting clients' machines, because
his aim is to make money, and he can make more money if fewer people notice
the warning. I'm betting his lawyer told him he should write the warning on
the download page; if I were him I would've thought about just putting a "By
downloading you agree to the terms and conditions of the software being
offered" with a link to a page with a wall of text, but probably his lawyer
told him "that might be iffy."

This is a bit like Facebook saying they made it clear that they will copy
SMSes and call logs from your phone...

~~~
giancarlostoro
The worst part is that if he put that it's not to be used for commercial use
(Windows version or something) and just sold commercial licenses, he'd be rich
and not have to deal with the crummy income he's getting from malvertisement.
Let's be real, corporations will pay good money for convenience. Lots of
companies still pay for Visual Studio and MSDN accounts even though they can
get .NET Core and Visual Studio Code for free.

------
kjrose
Well. I guess my firm isn't going to use filezilla anymore.

Too bad really.

------
ddtaylor
I assume the copies in Debian and other Apt mirrors are safe?

------
pacifika
This is the best argument yet against the execute this script off the internet

------
zeth___
Any impact on the Linux versions of filezilla?

~~~
guessmyname
I don't see why, being on Linux, you would prefer to use FileZilla to transfer
files to a remote machine over an insecure protocol when there are plenty of
alternatives with better security. Rsync, for example, allows you to specify
an SSH key. Or SCP, which also offers the same functionality.

~~~
zeth___
This is a really toxic attitude in the open source community where when asked
a question the answer is: "you're doing it wrong, just do it right".

If I had a choice I would, but unless you have a few million dollars to give
us to refactor 30 years of technical debt, please answer the question.

~~~
guessmyname
> you're doing it wrong, just do it right

That's not how I wrote my comment above, I gave you alternatives.

> If I had a choice I would

You have choices, many.

> unless you have a few million dollars to give us to refactor 30 years of
> technical debt

How is using FileZilla technical debt? What are you requiring from FileZilla
that you need a few million dollars to refactor code? What kind of code
depends on an external FTP client to work? If you give more details about why
your company has such a weird technical debt, maybe I or others can give you
more options to switch.

> please answer the question

I did, you asked for alternatives, I gave you Rsync and SCP.

~~~
nhbgujmk
FileZilla is a program that supports multiple file transfer protocols (FTP and
SFTP); SFTP allows you to transfer files over the SSH protocol.
[https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol](https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol)

