Trojan found in Filezilla downloaded from SourceForge (filezilla-project.org)
332 points by yitchelle on Dec 3, 2015 | 209 comments

Something came up last time Sourceforge was discussed here, namely "why are projects still using it?"...

I'm the project lead for LXQt (http://lxqt.org). We inherited some infrastructure legacy from LXDE, which was hosted on sourceforge. Today, we have moved most of the legacy to Github but we're still using Sourceforge's mailing list system.

We're moving to a self-hosted mailman3 instance but it's been excruciatingly painful. Email is not fun to deal with.

So I'm pitching this to bored devs and entrepreneurs: Help us, and many other projects, by creating a "Github for mailing lists" with a web client featuring a clean high quality UI, easily browsable/linkable archives, etc. Make it open source, make it self-hostable, stuff in enterprise support. Make it quick and easy to create new lists.

This model can work. It's not unheard of either (cf. Discourse), but it just hasn't been executed properly yet, or is forum-only and does not support email properly. Right now, the UX of mailing list software is like IRC's. Very raw. If it were made more seamless, more approachable, overall easier, it would have a similar effect as Slack has had on unthreaded-async-topical-conversation.

PS: You should change your adblocker to uBlock Origin. It blocks Sourceforge as a malware risk.

High-profile projects actually can't stop. If you attempt to stop using Sourceforge, they will consider your account "abandoned" and continue mirroring the new site and serving downloads with their malware dropper included. So if you want to keep the malware out of your releases, you need to maintain control of your project by keeping SourceForge up to date.

The GIMP project learned this the hard way: http://www.gimp.org/news/2015/05/27/gimp-projects-official-s...

Since they used to be the official source, their repository tends to have very high PageRank and they're essentially cashing in on it. Since the content they host is open-source, this is technically legal, but it's scummy as all hell.

When I had a project that I started on sf and later moved off, I kept the sf project technically alive, but removed all downloads. I updated with links to the project site.

This was a BlackBerry project, though, and it wasn't something you could install on a desktop - that may have been a contributing factor, but I never had any problems with them continuing to host the content after I deleted it.

"Since the content they host is open-source, this is technically legal, but it's scummy as all hell."

If the project is licensed under GPLv3 (or any other strong copyleft license), wouldn't they be illegally hosting it because they are bundling their malware dropper with software that isn't compatible with the license?

Simple bundling is not a GPL violation, only linking.

Is there any license that prohibits this then? If not, should one be created?

If there was, it wouldn't be open source. The Open Source Definition explicitly prohibits any license that restricts simple bundling [0]:

> The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.

Same with the Debian Free Software Guidelines [1]:

> The license of a Debian component may not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources.

[0] https://opensource.org/osd-annotated

[1] http://www.debian.org/social_contract#guidelines

Yeah I still can't believe how scummy sourceforge is. I wonder how new oss projects can protect themselves against this type of behavior. Anyone know if any oss licenses include a restriction against this kind of repackaging or any kind of malicious use clause?

That would be a contradiction in terms. Anything with such restrictions is, by definition (look it up!), not Open Source.

Sure if you want to be pedantic about it...

In reality though there's a reason there are many different OSS licenses - many devs want options around attribution and yes, around use in limited ways. A please don't use this for abject evil clause may not meet the no true open source dictionary definition, but pragmatically speaking it's not necessarily a terrible idea.

Then we should all probably point our collective fingers at google. Let's not pretend they couldn't blacklist sourceforge links for pulling this kind of BS.

D has the best mailing list interface in the world by an enormous margin.


(The forum is a front-end to the mailing lists / newsgroups.)

The cool thing about D's forums/feed is how amazingly fast they are. I wish more web apps were designed like this, with a fast backend framework.

Instead, it's all either slow, slow backend frameworks like Ruby, or even worse, these SPA applications that require extensive client-side JS processing before they show you the goods.

Node is a step in the right direction for both problems: for the first, Node-based backend applications are faster than Ruby and Python, and for the client-side rendering problem, because Node can pre-render these SPA apps (which everyone should do for a serious production app that uses a framework/library like AngularJS or React for major client-side rendering).

But a server application based on D or Rust, or even Go, is an even better solution to the slow backend framework issue. Unfortunately, no one has yet created a full-service framework like Rails or Django for any of those languages.

The language used for a server backend is far from a guarantee of efficiency and performance. It's very easy to write a D or Rust backend that doesn't optimize queries and handles caching badly; you'll get just as terrible response times from those as you would on the "typical" slow websites that you refer to.

I don't know what you mean by fast, but https://www.ruby-forum.com/ seems to load pages faster than most websites, and as fast as D's forums.

According to a quick check the forum.dlang.org initial page view takes 200ms. ruby-forum takes 738ms. If you want to talk RUM/page load metrics forum.dlang.org takes 800ms for the load event to fire, the ruby forum takes 1.6s.

The individual posts load really quickly, but the main page doesn't (well not as fast as the other one mentioned). Either way, both are fast and I wish more websites were like this, not just forums!

> Instead, it's all either slow, slow backend frameworks like Ruby, or even

Usually this is a matter of bad coding or overprovisioning of whatever is being used to host the site and the DB. Most maintained languages running on modern hardware can sustain reasonable loads without any significant performance issues. While client-side bad-performing frameworks abound, the last I looked into it, Ruby+Rails isn't that much worse or better than any other.

It depends heavily on what you are doing. Most CPU-intensive tasks are fast on everything. However, on memory-intensive applications Ruby and Python are really, really awfully slow.

most slowness you are talking about is usually database and/or caching related

with that said, that forum is certainly blazing fast for page views

To be fair, the content of that forum could probably fit inside the RAM. And it's not doing anything fancy like sorting, etc.


Do tell, please.

Excessive pagination is annoying, but speed... the speed is amazing. 240 ms from initial mouse click to fully rendered page. Due to fast response, I really liked to use that site.

Very nice.

Looks nice!

The source code running it - https://github.com/CyberShadow/DFeed

I love D's community to have their forums also accessible via NNTP.

In the same vein, nim forums are written in nim and are exceptionally fast and responsive http://forum.nim-lang.org

FWIW, I find the information density of this site quite low. When I visit these archives I'll generally read via the gmane frame interface.

Hit Settings in the top right then choose Horizontal or Vertical split.

> So I'm pitching this to bored devs and entrepreneurs: Help us, and many other projects, by creating a "Github for mailing lists"

Hi. I'm from the Discourse team, and I recently "soft-pitched" an idea that seems very much in line with what you're looking for.


Regardless of the above, we're gonna be doing a significant push for better mailing list features during the months to come, so any feedback you or any other open source projects may have, please nudge me on meta.discourse.org or send me an e-mail (my first name, erlend, at the company domain).

"So I'm pitching this to bored devs and entrepreneurs: Help us, and many other projects, by creating a "Github for mailing lists" with a web client featuring a clean high quality UI, easily browsable/linkable archives, etc. Make it open source, make it self-hostable, stuff in enterprise support. Make it quick and easy to create new lists."

Uggh ... really ?

So the simple, clean, extremely fast loading HTML indexes of mailman/majordomo[1] aren't going to do it for you anymore ?

Yes, I was getting so tired of one click getting me to a nice, clean index, ordered by year and month, and loading near-instantly. What a pain that's always been.

Get. Off. My. Lawn.

[1] https://lists.freebsd.org/pipermail/freebsd-fs/

I'm not touching your lawn. I'm not even in the same city. If what already exists does the job for you, good on you. It doesn't for us, and many other projects.

I'm not suggesting the existing software to change, I'm suggesting something new. Pitching something that doesn't exist today (the D-Lang forums linked here come quite close though). Our goal is to merge our current forums with our mailing list and not have to maintain both separately.

So I'll thank you to get off my damn lawn, you and the seven crates of entitlement you carry around.

and if you want a better UI, wait until someone upgrades it to Mailman 3 I guess?

I agree. Mailman is fantastic as it is. There's a technical brevity and image it gives off, and that's an important aspect of design. This isn't really a statement about usability or what's beautiful in design.

I design user interfaces and creating a new UI for basically what mailman does would really just be an attempt at grabbing a different target audience.

mailman has an image behind it. People associate with different images, and certain looks and feels make certain people gravitate towards them.

The type of people I would want in my mailing list are the type of people that appreciate how mailman looks as-is.

I try to practice great design where it matters most. A reskin of such software would be more aligned with the goals of junior designers and people who rehash weather apps with nice gradients on dribbble.


Personal attacks are not allowed on HN, even when someone seems arrogant. Please post civilly and substantively, or not at all.

Arrogance is telling someone they don't understand something, when they tell you "no."

> "User needs"

Do you actually design anything?

You're not telling me no, most specifically because I'm not pitching this to you. You're telling yourself no. You say you don't need it, and extrapolate your view of the world to everybody else's.

Really dangerous.

Does http://librelist.com/ match your requirements?

"It is a place for FOSS communities to discuss all the things they want without ads, censorship, signup requirements, bundled apps, or requirements that you use any particular email client or service."

Not even close. Librelist's UX does not at all match what I describe.

Does it install trojans in your binaries?


Self-hosting seems like an overreaction for most open source projects. I would just make regular backups/exports. Dealing with spam filters etc. is a nightmare.

My project is using Google Groups just fine. Do not list your group in public directory to prevent spam.

Redis is moving from mailing list to Reddit. That seems to work for them.

Isn't this what Google Groups is used for? (what's different / lacking there? I'm of the age where I remember SourceForge as somewhere I would sometimes download things from as a young teenager but nothing more than that)

Yes, Google Groups is very close to what's needed - unfortunately, it's proprietary and Google doesn't really maintain it; it's only a matter of time before it goes the way of Reader.

FWIW, Google Groups powers email distribution lists for Gmail for Work. Or at least, the two are strongly linked.

At this point, unlike Reader, there's real cash behind the functionality. It's possible they could just fold it into Gmail, I guess, but with other mail interfaces like Inbox popping up in the Google ecosystem it seems if anything they're trying not to shoehorn too much more into a flagship product.

My guess is Groups will stick around for a while yet.

As someone using Gmail for Work: This is one of the things I absolutely detest about Gmail for Work. The Groups interface is absolutely horrendous, and we don't want groups, we want simple email distribution lists.

Do you know if people can manage their subscriptions themselves? I seem to be able to add "Admins" to a group, but I don't know what that does.

That's interesting, but it doesn't reassure me much. The infrastructure behind Groups may be in use, it doesn't stop Google from shutting the UI down.

To be clear: it's not just the infrastructure; to set up a Google Apps mailing list you use the Google Groups UI.

Well, they already shut down the free tier of Google Apps, which was also used by some OSS projects.

So it’s possible.

Didn't they grandfather in those that were in before that point?

Yes! I currently still use my apps.google.com account for free.

IMHO, the UX of Groups is really annoying. I'm not really sure why, it just feels so cumbersome.

Also, Groups doesn't have the ability to import archives from my previous list. (I'm in exactly the same position of wanting to migrate away from SourceForge, and the mailing list is the last thing remaining.)

Don't forget that when they do maintain it they make the UX worse. Every damn time. Over the years it's gone from mediocre to downright horrible.

Why are mailing lists still quite massively popular in 2015?..

How would you replace them? ( Please don't say Slack. That is just _not_ a good replacement, especially for projects that need publicly searchable archives. )

IMHO a publicly/semi-publicly logged irc channel would do just as well, but that's even more oldschool.

The alternative is pretty much only online forums. Which imo. doesn't offer a lot of advantages, and most forum software is exceptionally bad (though yes, a few new and nicer ones are coming along)

Discourse, NodeBB and Vanilla come to mind.

None of them appropriately support mailing lists, though. Email-based communication is a big deal for devs who contribute to maybe 5+ projects at once and have to manage comms in one central place.

As for Discourse's mockery of a mailing list mode, let's not even talk about it.

Are you familiar with DFeed [1] used by the D-Lang forum [2]? It is, in my opinion, one of the most usable web frontends for mailing lists (as well as a few other sources).

[1] https://github.com/CyberShadow/DFeed

[2] http://forum.dlang.org/

Never heard of it. Looks quite good. I will keep an eye on it, thank you.

If you're managing 5+ projects at once, your inbox must be a train-wreck of garbage from these mailing lists.

GitHub has email notifications for issues, but you can opt out of any particular discussion if it gets too pedantic or doesn't relate to you. This helps massively reduce inbox clutter.

The thing that bugs me about mailing lists the most is you get all the email, all the time, forever.

>If you're managing 5+ projects at once, your inbox must be a train-wreck of garbage from these mailing lists.

This is a total non-issue. Mailing lists support daily digests if you want that, and email clients support folders and filters if you want that instead. Nobody managing 5+ mailing list-based projects at once is dumping all of that into an unsorted inbox.

> and email clients support folders and filters if you want that instead.

Because who doesn't like mucking around with their client's filtering?

Ever heard of Sieve? ;)

Ever heard of it's 2015 and I'd like to be able to opt-in to specific mailings if necessary.

Isn't there a decent mailing list package that hybridizes a GitHub "issue" type system with a traditional "email firehose" approach?

Mattermost is a free and open-source alternative to Slack, giving users publicly searchable archives, great for sending images, files and code in chat. http://www.mattermost.org/

I have never used a mailing list so I'm probably naive, but what about GitHub issues?

Mailing lists are not just about issue tracking (and really shouldn't be about it). There's general discussion on them, release announcements, etc. pp.

"Why are mailing lists still quite massively popular in 2015?.."

Because (your email client) is always going to be much, much faster and easier to navigate than "some dude's cute forum setup".

Replying to and managing conversations is much easier when you can do it with one or two keystrokes rather than mousey-mousing ten clicks all over the place (and oh their ad tracking js is stalling out again...)

I maintain that all web forums should have a mailing list interface so that you can use the forum without using the web at all ... but I suppose that breaks their revenue model ...

You can look at it this way: They're doing something that people want and which cannot be achieved through other means. What alternatives do you suggest?

(Personally, I use GMANE+NNTP for mailing lists, and NNTP is probably better than plain (public!) mailing lists for most purposes, but unfortunately that ship has sailed.)

> Why are mailing lists still quite massively popular in 2015?..

IRC is still an underused tool in my opinion. The ability to just talk about one issue in a Mail List and keep track of the communication is great. I can't think of another tool that manages communication as well as a mail list (Forums are just not as good in communication notifications like a mail list.)

P.S. I still hate Mail List and don't use them anymore but nothing does it as well right now.

> IRC is still an underused tool in my opinion

IRC, like other chat and IM tools, is synchronous. That is useful to get an issue solved quickly. But mailing lists are asynchronous. People can think before answering and don't have to be around at the same time. Also, the threaded nature of mail makes it better for archiving discussions and referencing them later. An IRC log is full of other noise and has little structure.

Why shouldn't they be?

If I want long-form messages delivered asynchronously, what other choices do I have (forums?) and why are they better than mailing lists? (everyone already has an email client.)

There's no alternative that's even close to that. For me email and IRC have worked for years and everything is going well.

I have to ask, is the question because you don't understand the value of the communication? There are definitely a type of greenhorn coders that don't and have never worked on anything with the scale to understand it.

Or is it because you value the communication differently than the code? We've evolved distributed revision control to handle issues of geography, connectivity, and work styles, effectively allowing you to be self-contained and then collaborate (push, pull, merge someone else's stuff) when you are ready to. Email is the only generally available method of communication that works the same way.

I've always found the Sourceforge mailing list archive interface to be one of the worst out there. Sure, it's a lot prettier than the raw, unstyled HTML of the Mailman default but it's just not nearly as usable.

Savannah provides mailing lists. I don't want to advocate savannah too much, because the site isn't pretty, their interface is sometimes strange, they don't default to https, there are lots of reasons not to like it technically. But it's probably a place where you don't have to expect evils like supporting bundled Crapware. The FSF is behind it.

Hosting isn't the problem for us, UX is. We intend to self-host since we want to use @lists.lxde.org as an endpoint.

> If someone really wanted to download FileZilla and skip the malware do just that.

> Then after installation is complete install Malware bytes and Avira. Scan with both and restart the computer.

> Then run with ADWcleaner and remove the infections and restart. Should be good from there and enjoy FileZilla.

Do people really think this works? I mean, there's no-one on HN who thinks this works, right?

Even if it works, that sounds like telling somebody to park their car by crashing it into a wall and then scraping off the pieces.

A depressing number of my friends and family have an absolute trust in their security software and will rely on it to do exactly this.

SourceForge and Filezilla are both on their way out, hence their owners' desire to monetize their remaining users while they still can.

WinSCP is a decent alternative. As is Swish:

http://www.swish-sftp.org/ https://github.com/alamaison/swish

A decent alternative to filezilla would have to be cross-platform, neither swish nor winscp are (they're win only).

An alternative to sourceforge implies not using sourceforge but swish does.

Cyberduck is for windows and Mac. They have a command line tool that is cross platform.


The Windows implementation of Cyberduck is horrendous. As a Windows user (it was forced on me) I have been looking for alternatives for a while..

It hangs on start, randomly doesn't connect, does odd things with bookmarks (they don't work sometimes, but manually entering info does)

I don't recommend cyberduck on windows to anyone, I've been looking for an alternative for a while.

if a dev is reading my machine is:

* OS: Microsoft Windows 7 Enterprise
* CPU: Intel(R) Xeon(R) CPU E5-1650 v2 @ 3.50GHz (3.00 GHz)
* RAM: 32691 MB Total (16885 MB Free)
* VGA: NVIDIA GeForce GTX 760
* Uptime: 123.24 Hours
* Version: 4.7.3

I've found WinSCP's performance lagging quite a bit behind FileZilla, especially when it comes to up/downloading 1000s of files at a time.

Same, it's much slower.

Sure enough the official download goes straight to SourceForge ...

On Windows, you don't always need a 3rd party FTP program. Windows Explorer (not IE) already does FTP. Just open any folder and type ftp://example.com into the path bar.

That is not a reliable work tool

It does not support passive mode
No queue
No SFTP
No FXP

Nobody supports FXP anymore on the server side - it is a security issue.

Or you type 'ftp' in the command line.

It doesn't come standard, not on all Windows flavours. It's a part of "Core networking utilities" package that used to have some really odd dependencies.

You're mis-remembering or something... There's no such thing as a "Core Networking Utilities" package on Windows (never has been) and ftp has been a command line tool since at least Windows 95.

I don't particularly like the built in FTP command line utility (even with scripts). But it has existed a very long time indeed.

Eh, yes, it is. On the Windows 7 Home Basic and Home Premium edition, it’s not pre-installed, and you have to go to System Settings -> Programs and Features -> Install or Remove Features to install it.

I have Windows 7 Home Premium on my Mac via Parallels, and I just typed "ftp" into cmd and it came straight up.

The only packages I have installed are "Media Features" ".Net Framework 3.5.1" "Print and Document Services" "Windows Gadget Platform" "Windows Search" and XPS Services/Viewer. All of which are default features.

Which package are you even suggesting contains the ftp.exe client? Because I don't even see one. Also why would anyone go to the trouble of putting a 47 Kb binary inside of a feature package? It makes absolutely no sense at all.

They used to put all that stuff – ftp, network utilities, etc in one package.

Granted, I haven’t used Windows in 4 years, but I remember fighting with getting ftp on Windows without admin.

Are you sure you aren't mis-remembering and were installing the Unix Services for Windows, to utilise Linux-like command line utilities?

As the person said above, ftp.exe has been in Windows since the MS Dos days, and is a core utility. I've never seen it not been available on any version in any situation.

Now an FTP server definitely needs to be installed. Always has. But we're talking about the ftp.exe client.

ftp.exe should be there, but telnet.exe is no longer installed by default. One must go to "Add/Remove Features" (or similar) and enable it first. Maybe that's what he's confusing it with.

Windows no longer installs telnet.exe by default anymore

Damn, I think you are right. Just checked on W7 and it must've been telnet and/or tftp that I was thinking about. ftp does seem to come standard.

had no idea that existed

I guess so does Firefox and Chrome. They have a FTP client if all you want is to download.

Explorer allows write access though (uploading, &c).

Swish also uses SF.

As far as the password storage goes, you are not up-to-date. They are stored base64-encoded now.

Yes, much better.

FTP passwords can't be hashed. The right solution would be to support platform keyrings but ... https://trac.filezilla-project.org/ticket/1373

Someone explained that after he got some malware on his computer and subsequently all his websites were hacked. The response?

Once you've got malware on your computer, you've lost already, game over. You need to prevent the infection in the first place.


That's correct though. Even if the passwords weren't stored at all, malware could just install a keylogger and record them when you typed them in.

The fact that there are ways to obtain passwords even when they are not stored unencrypted is not really a reason to make it as easy as possible for malware to get every password on your system.

No, you're wrong. If you've run malware on your machine then it's not your machine anymore.

This is exactly the thing that Google spent months trying to tell people when it was refusing to include password access to the password list. That extra password does nothing to increase security, and may be counter productive.

Encrypting stored passwords gives users a misleading false sense of security.

> botg: All third-party offers can easily be declined. Nothing unwanted is being installed without your consent.

Talk like that can only mean that they know about the malware bundling.

Extremely interesting in combination with that quote of yours. Essentially: "the malware we install on your machine will get access to your passwords anyway."

Looks like Filezilla will not die a hero's death.

Why can the passwords not be hashed?

FTP is inherently insecure, everything is transmitted in plaintext. Because the server cannot check a password against a hash (due to the limitations of FTP), the client needs to store the password, and can't keep only a hash.

That being said, Base64 is woefully inadequate, just google 'base64 decode'; and this response (from someone who appears to be a contributor) is just not a defence.

If the server checked against a client-provided hash, the hash would become the password, and the attacker could just use the hash as-is to login to the server. Hashing on the client solves nothing.

Except if you require hash of (password+timestamp modulo 60000)

In that case you can't just store the hash of the password, you will need the password itself.
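The thread's three points about stored FTP credentials (base64 "encoding" is reversible, a client-side hash becomes the password itself, and challenge-response forces the server to hold the plaintext) worked through as an added example. This is constructed demo code, not FileZilla's or any FTP server's implementation; the salt, iteration count and password values are made up.

```python
"""Three ways an FTP-like client could prove it knows a password, and what
each side is then forced to keep on disk. Constructed demo, not real code."""
import base64
import hashlib
import hmac
import os

SALT = b"constructed-demo-salt"   # constructed value, not from any product


def store_base64(password: str) -> str:
    """What 'stored base64-encoded' means: an encoding, not encryption."""
    return base64.b64encode(password.encode()).decode()


def recover_base64(stored: str) -> str:
    """Anyone who can read the config file can undo it with one call."""
    return base64.b64decode(stored).decode()


def password_hash(password: str) -> bytes:
    """Salted, slow hash: what a server stores when it receives plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


# Scheme 1: the protocol sends the password itself (FTP's PASS command).
# The server may keep only a hash, but the client must keep the plaintext.
class PlainPasswordServer:
    def __init__(self, password: str):
        self.stored = password_hash(password)      # no plaintext on the server

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self.stored, password_hash(password))


class PlainPasswordClient:
    def __init__(self, password: str):
        self.saved = password                       # must be recoverable

    def login(self, server: PlainPasswordServer) -> bool:
        return server.login(self.saved)


# Scheme 2: the client sends H(password) instead. The client can now store
# only H, but H is password-equivalent: whoever steals it logs in with it.
class ClientHashServer:
    def __init__(self, password: str):
        self.stored = password_hash(password)

    def login(self, client_hash: bytes) -> bool:
        return hmac.compare_digest(self.stored, client_hash)


def stolen_hash_login(server: ClientHashServer, stolen: bytes) -> bool:
    """The stored 'hash' is replayed as-is; the password is never needed."""
    return server.login(stolen)


# Scheme 3: challenge-response, HMAC(password, nonce). Replay no longer works,
# but the server must hold the plaintext to compute the expected response.
class ChallengeServer:
    def __init__(self, password: str):
        self.secret = password.encode()             # plaintext, unavoidably

    def challenge(self) -> bytes:
        return os.urandom(16)

    def login(self, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self.secret, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def challenge_login(server: ChallengeServer, password: str) -> bool:
    """Client side of scheme 3; it too needs the plaintext to answer."""
    nonce = server.challenge()
    response = hmac.new(password.encode(), nonce, "sha256").digest()
    return server.login(nonce, response)


def replay_fails(server: ChallengeServer, password: str) -> bool:
    """A response captured for one nonce is useless against a fresh one."""
    old_nonce = server.challenge()
    captured = hmac.new(password.encode(), old_nonce, "sha256").digest()
    return not server.login(server.challenge(), captured)
```

In every scheme at least one party holds something password-equivalent on disk, which is why the thread's remaining answer is protecting the client's copy with a keyring or master password rather than hashing it.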

Hmm. Yeah.

I’ve thought about it for the last few hours, and decided that the best solution is to just use RSA in client.

How would that work? If you used a private key to authenticate to the server you would still need to protect this key with a password. Otherwise stealing the private key will get an attacker access to the server just as easily.

Well, you’d be 100% safe of MitM.

And you could use a hardware key auth.

Like the German eID, where the key is signed by the government and on a special chipcard.

The software requests the card to sign, you need to type in your PIN on the reader itself, and the request will be signed with RSA.

The public key is world-readable on the card, so you can just send that to the server.

In addition, Filezilla supports more than just FTP

The client needs them in plain text to be able to connect. "Remember password" is a feature, there. Like I said, correct solution is to use the keyring, but the dev team is incompetent, so ...

Or a master password if using the keyring is too complicated for them.

Oh, I thought we were talking about the server. Never mind, thanks.

The application needs the original password so that it can pass it on to the FTP server.

I'm confused...who said they could be hashed?

That's nowhere near sufficient for 2015. rot13 at the very least.

Was about to post the same thing. If this crap is posted by a contributor I'm moving away from it as fast as possible.

It is.

Would a "master password" (a la Firefox/Thunderbird) be the way to go (as input to an encryption routine)?

It seems like any credentials that can be automatically used after a program loads without the user authenticating are at risk for malware harvesting.

I stopped using Filezilla on Windows a while back, due to this and other issues (passwords stored in plaintext, etc.) and switched to PSFTP and PSCP, which are MIT licensed and offered directly from the developer's page[1]. However, reading this article reminded me that Filezilla was actually still installed on that box, just not in use, so I decided to uninstall it while it was on my mind. Immediately after uninstalling it, it tried to force a shutdown on my computer. The only reason I was able to stop it was because I had a process running in the background that wouldn't terminate and I was given the choice by Windows to force shutdown or cancel.

Now, I've only ever installed it from ninite.com[2], so I know it didn't initially have the Sourceforge trojan/adware junk. However, I've since allowed it to download its own updates instead of doing it manually through the Ninite downloader. I've never, ever seen a program I've uninstalled via the Windows Control Panel with the ability to force a shutdown or restart without first notifying me or giving me the option to postpone. I'm starting to think there's something nefarious in Filezilla itself, perhaps in one of those "direct from the developer" updates, not just the Sourceforge wrapper.

Another interesting thing is that the built in Filezilla updater will first uninstall the app before reinstalling the updated version, and it never tried to restart or shutdown the computer during those updates, only during uninstallation from the Control Panel.

[1] http://www.chiark.greenend.org.uk/~sgtatham/putty/download.h...

[2] Ninite strips out any malware or other crap from the installer and only installs the pure program with default settings, in the background, and sources the app directly from the developer's site when possible. It's my go-to tool for essential Windows utilities.

The linked thread is from 2015-04-20. SourceForge has been bundling adware with Filezilla since then and continues to do so. Here's a VirusTotal analysis of the current installer: https://www.virustotal.com/en/file/16e0ecda06ed98f835e449e1e...

If you want clean software you must not install directly from Sourceforge.

AFAIK this practice (and not on the FileZilla project alone) is why uBlock Origin is blocking SourceForge.

Though ublock origin can use it, it's the ublock badware risks filter list which is blocking sourceforge : https://github.com/gorhill/uBlock/wiki/Badware-risks

You are linking to uBlock Origin ("uBO") -- that filter list is specific to uBO. The other "uBlock"[1] (abandonware) does not support strict blocking, which is what blocks SourceForge.

[1] https://github.com/chrisaljoudi/uBlock

Sorry if I didn't make myself clear. What I was trying to point out is that for uBlock Origin to block SourceForge, the badware risk filter list has to be enabled. Also, I suppose this list can be used with other blocking software.

Oh and gorhill, much much thanks for your time and work on this.

That's the github project for uBlock Origin.

Unfortunately Filezilla has had this trojan for some years now! The trojan sends all your identities to a server. This is tested 100%. We had many passwords stolen this way and we are 100% sure that it's filezilla.

Just take this test: Try to download FileZilla and, when the download page shows, click on the Direct Link. Then compare the two executables, the one that downloaded automatically and the one downloaded via the direct link. You will see that the direct download is clean but the other has the SF icon and it has a virus!
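The "compare the two executables" step above can be done with checksums rather than by eye. The script below is an added example, not code from the thread or from the FileZilla project: it hashes each downloaded copy, reports which copies agree, and which one matches a checksum published by the project (the sample files and the "published" checksum here are constructed placeholders, since the page gives no real values).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_downloads(paths, expected_sha256=None):
    """Hash each downloaded installer and report which copies agree with each
    other and which (if any) matches the checksum published by the project."""
    digests = {str(p): sha256_of(p) for p in paths}
    sizes = {str(p): Path(p).stat().st_size for p in paths}
    expected = expected_sha256.lower() if expected_sha256 else None
    return {
        "digests": digests,
        "sizes": sizes,
        "all_identical": len(set(digests.values())) == 1,
        "matches_expected": [p for p, d in digests.items() if d == expected],
    }


def build_sample_downloads(directory):
    """Constructed stand-ins for the two downloads: same payload, but the
    'wrapped' copy carries extra bytes, standing in for a download wrapper."""
    payload = b"MZ" + b"\x00" * 62 + b"constructed clean installer payload"
    direct = Path(directory) / "FileZilla_direct.exe"
    wrapped = Path(directory) / "FileZilla_wrapped.exe"
    direct.write_bytes(payload)
    wrapped.write_bytes(b"MZ" + b"constructed wrapper stub" + payload)
    return direct, wrapped


def demo():
    """Run the comparison on the constructed files. The 'published' checksum
    is the direct copy's own hash, a placeholder for the project's real one."""
    with tempfile.TemporaryDirectory() as d:
        direct, wrapped = build_sample_downloads(d)
        return compare_downloads([direct, wrapped], expected_sha256=sha256_of(direct))


if __name__ == "__main__":
    report = demo()
    for name, digest in report["digests"].items():
        print(f"{digest}  {report['sizes'][name]:>8} bytes  {name}")
    print("identical:", report["all_identical"], "| matches published checksum:", report["matches_expected"])
```

On real downloads, pass the two installer paths and the checksum from the project's own site; a copy whose hash differs from that value is not the file the project released, whatever icon it shows.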

That's a pretty serious claim. Do you actually have evidence to prove it was FZ? Just because the SF executable includes spyware doesn't mean it's disclosing passwords.

You are kidding, right? And what do you think that spyware does? They steal passwords! Our DC warns us of stolen passwords every time a client is using this exact "touched" version of FZ. The DC is informed by a security firm, and in 100% of the situations it is Filezilla that steals them!

You're 100% sure? I would expect to see registry diffs before/after FileZilla was installed, disassembled code of the subroutine accessing your passwords in the malicious program, and a network packet capture of your data being sent over the wire.

...well not mine anymore, I uninstalled it... ;)

It's easy to blame Sourceforge. But Filezilla is not a SourceForge project and they can choose whatever hosting they want. I wonder what else they missed on.

So SourceForge has gone from terrible to (somehow) even worse than that.

It makes me wonder; why don't we have a good site for Windows programs yet?

Ideally, it'd be run by volunteers (not a company with a profit motive), would manually moderate the programs posted to them (and remove any adware/spyware/bundled programs by force if necessary) and tell every malware-ridden sleazy ad network to sod off.

It exists in more niche subject areas. If I look for game making resources, a lot of those sites actually do proper moderation and try and make sure viruses aren't present in uploads. Places like MFGG are pretty good about this. So why don't we have that for software in general?

I mean, there's GitHub and package managers, but it's disappointing how this market has no honest people in it.

This has been known about for some time. The Filezilla guys know about it.


Shouldn't this be a criminal offense?

It's usually hidden in the EULA. Very hidden.

It's not just Filezilla or sourceforge doing this. Lenovo do this routinely. They used to bundle something called BrowserGuard, which contains a PUP by Conduit. Conduit have since been partially acquired by another company Perion. I followed that rabbit hole last year, Lenovo point blank refuse to acknowledge it is spyware.

And it IS spyware. I created a Perion account to see what they actually had going on. They have an online form you can upload your executable to and it wraps their malware in the form of a toolbar. I tested it by uploading notepad.exe, and sure enough it works quite easily.

They capture your location and a whole bunch of data about your computer. They also have remote update facilities built into it. It's pernicious, and the company structure has been designed to make it very hard to determine who owns it. And Lenovo were very happy to use them.

Oh, and here is an article that confirms the autoupdate:


Good to know - I was almost ready to consider Lenovo again after Superfish, but no...

You should generally not trust preinstalled OSs, regardless of vendor. Most (all?) of them shovel crap in there, often because they get paid to do it. It's sad, but it's just the world we live in.

The really scary thing is when vendors put in backdoors or trojans like this at a level below the OS (in UEFI, for example).

It’s similar shit with Dell.

At least Lenovo’s business lineup wasn’t affected.

Meanwhile, 8th grader charged with felony hacking for changing teacher's digital wallpaper:


It's done intentionally to make the owners a bit of money. They have direct download links on their website (click show all on download page), avoid the green Sourceforge link.

Nope, all links direct to Sourceforge.

Yes, all the downloads are hosted on Sourceforge, but Jonnerz is pointing out that the additional links come without the Sourceforge wrapper (the links will have "?nowrap" at the end).

We all wish FileZilla would just drop Sourceforge completely, but at least the non-wrapped versions are still available.

Sorry I meant direct to the FileZilla installer rather than the Sourceforge installer. Both are hosted on Sourceforge.

No way I'm supporting this kind of behavior. Can you suggest an alternative to FileZilla?

I use WinSCP. I cannot say much about technical differences, but it has worked well for me.

Also, PuTTY comes with a SFTP/SCP client, and unless there are strong reasons you cannot use SFTP, it is a lot better than FTP, security-wise (does not transmit passwords in plain text and allows using cryptographic keys rather than passwords; in fact, on OpenSSH you can configure the server to deny password authentication completely; and the entire connection is encrypted, of course).

It's funny, I already use WinSCP but for SSH and SFTP connections to Linux servers; it didn't even occur to me that I could use it for regular FTP too. Thanks.


They have some issues with SSL certificates, though.

Cyberduck refuses to implement a two pane interface with a local browser.


Juggling multiple windows is really annoying. The entire UI is awful besides that also.

I don't know why you were downvoted, will check it, thanks.

FlashFXP - been using it since 1999, still love it

FlashFXP doesn't support simultaneous connections.

The problem is not FileZilla, but SourceForge. They do this to all their files.

That's not quite accurate... FileZilla has opted into the bundle-with-crapware program [1] to make some money.

[1] https://news.ycombinator.com/item?id=8849950

Not only that, but the FileZilla Admin is posting in that thread denying any claim that there is anything wrong with the installer, despite repeated reports from multiple users.

FileZilla is maintained by people who want to push spyware to you because it's how they get paid. This isn't an accident.

SourceForge are adding the malware but the FileZilla people are acting as if it's not a problem and refusing to help people / accept that there is an actual virus in the executable they link on their site.

"It's not our problem, it's SourceForge" - stop f'ing using SourceForge then!

Their ambivalence and complicity in distributing this malware is probably the behaviour GP was talking about.

I had contacted FileZilla's developer about this back in 2014.

He let me know that bundling crapware was "intentional"


His statement about alternate download links was also incorrect, because I was asking about Filezilla server, which I could not find anywhere but sourceforge.

Does it mean that I have had this crap installed since at least 2014 on all computers at work and Sophos didn't detect it?

According to this [1] Sophos can detect it:

[1] https://www.virustotal.com/en/file/16e0ecda06ed98f835e449e1e...

The problem is that Google still ranks SourceForge highly.

If Google ranked them down, then the harm would be limited.

You can install Filezilla from Ninite. https://ninite.com/

Well, you are trusting that Ninite doesn't include any crapware / malware, but until now I haven't had any problems with it. Makes updating Java Runtime much nicer too.

I think you can avoid the virus by downloading the zip but as I said I don't want to support this kind of behavior, so I have uninstalled Filezilla from my computer and will uninstall it on all computers at work too.

The Filezilla forum admin in that thread obstinately blames users for "accidentally" accepting a bundled "offer", when users are clearly warning project admins that the installer is infected with malware.

Does SourceForge share revenue from bundled installs with projects?

If you opt-in, they do. Filezilla was one of the first to opt-in.

If you say "no, I don’t want you to bundle your installer with my project", they will do so anyway (look at GIMP), and you get nothing.

So yeah, it seems like there's kind of a conflict of interest here. If there's no way for a user to know whether the project opted in to revenue sharing, then how can they trust the project?

In other words, in my view, a project that opts in to revenue sharing with crapware bundlers who are known to sometimes distribute malware is behaving unethically.

So now I don't trust Filezilla devs in general, even if I get a package signed by my distro or whatever. Very disappointing. Worse still, it makes projects that didn't opt in suspect in my view, simply because they are on SourceForge; if I can't find out whether they opted in, how can I know any project isn't taking kickbacks?

I really hope I'm missing something here....

For your information, currently sourceforge "usually" only bundles the crapware with projects where either the person opted in, or where sourceforge has "seized" the repo.

If it bundles crapware, and the maintainer listed on sourceforge.net is sourceforge itself, they didn’t opt in.

Otherwise they did.

Older thread about Sourceforge: https://news.ycombinator.com/item?id=9623142

Just don't use them.

Absolute money quote: "As far as the password storage goes, you are not up-to-date. They are stored base64-encoded now."

There's the argument that if someone has access to the passwords then they've already got enough control over the computer to do whatever other damage they like - like reading them out of memory after they're decrypted.

Base64 at least provides some protection against somebody looking at it with their eyes and memorizing them, which is perhaps a more likely scenario - family members, kids, etc.

Base64 provides no protection from malware that infects your machine and actively looks for this kind of stuff. Stored passwords from websites, ftp programs, key safes, etc.

"While the SourceForge Installer may present third-party offers,"

Don't worry, it's just an "offer". They're totally not distributing malware via their installer.

About two hours ago I pondered installing the Diffuse merge tool[0] on a Windows box. Then I noticed that it was hosted on Sourceforge and thought "nah, not really worth the risk". Now that I see this post I feel even more content that I avoided Sourceforge.

[0] hxxp://diffuse.sourceforge.net/

What really gets me is the glib attitude of the FileZilla maintainers to this news. Whether trojan or adware, the "just uncheck the boxes" mindset is rather insulting.

Move your stuff off Sourceforge! What the hell is wrong with your people?

Filezilla opted in to the malware wrapper. They made a conscious decision to do this.

It's funny, I literally just messaged the maintainer of the Minibian project, politely asking that he move the Minibian project away from Sourceforge, when I saw this post on HN. It's too bad to see Sourceforge ending up like this, after it was so useful years back.

Slightly O/T, but has anyone experienced similar problems with downloads from PortableApps.com? They use SourceForge as well, and I am now hesitant to recommend PortableApps to friends and co-workers.

It would seem that more projects would benefit from running their own free software on their own virtual server infrastructure. A decade ago, there was GNU Mailman and it's still around - http://www.list.org.

Yes, this means that a self-contained project needs the funds for basic hosting and also someone with system admin experience. But that should not be unreachable for major projects.

Tim Kosse has really tarnished the reputation of FileZilla by ignoring the SourceForge malware problem.

Chrome and Firefox should add SourceForge to their malicious site list.

There are a few things that could happen:

a) Certainly if a site is distributing malware/virus/trojans it needs to be flagged as such -- whether it is intentional or not.

b) SourceForge's policies indicate that they are no longer a trusted source for official files, and it is probably being ranked far too highly on Google and other search engines.

c) If Dice fails to promptly and adequately address the distribution of malicious files for profit the appropriate government agencies should become involved.

There is a safer way to install FileZilla: through the Ninite installer or Chocolatey.


Chocolatey NuGet is similar to Linux package managers, but for Windows programs.

https://chocolatey.org

choco install filezilla

Please don't recommend chocolatey for this reason. While it's excellent, you should probably check the install file first: https://chocolatey.org/packages/filezilla (and click "show" on "tools\chocolateyInstall.ps1")

You don't see the installer UI, but it still downloads from sourceforge because that's where the executables are stored.

Unless ninite is building everything from source where do you think it's getting the installer binaries?

It's much easier to simply download the portable version (without malware) from FossHub.


> 2015-04-20

Clicking on the download link was blocked by uBlock Origin. Weird.

After the last Sourceforge malware-bundling debacle (Can't even remember who it was at this point--someone who said Sourceforge seized their repo from them and then repackaged it with malware), gorhill added Sourceforge to the uBlock blacklists.

Good riddance, I say.

It was the GIMP guys, btw.

uBlock Origin indeed blocks the sourceforge URLs. Not a bad idea, I would say. Makes you think twice.

Refuse to download anything from SourceForge anymore. Sad too, used to be the best out there back in the day.

People are still using SourceForge? :O

you can get a clean version from fosshub

Are we still using FTP?

You might be amazed at how much FTP is still actively used -- especially by the financial industry!

Amazed and alarmed ;-)

That article is from April. Good to know about it, but is this news?

First post on the thread is indeed old, but there are some newer ones.
