Filezilla installer is suspicious again (filezilla-project.org)
383 points by stevekemp on June 23, 2018 | 241 comments



Botg, site admin: "The hash doesn't match because the filename doesn't match."

A fully descriptive answer is that they don't have a checksum for the bundled package but botg doesn't want to say this.

"Dangerously ignorant user. Not matching filename = the checksum is NOT for that file. Checksums can only be provided for the non-bundled packages, because they're static. Bundled installers are not."

Dangerously ignorant person here. What they are actually saying is that they have no way on earth to be sure what's even IN the bundled packages, nor what it will do to the user's computer.

They have decided that tricking people into downloading malware is a reasonable alternative to charging money for their software or soliciting donations.

It's truly amazing to me that installing Windows software is still like this.

The obvious and immediate solution is to abandon vendors who behave like this. This is challenging because you have to track the reputation of each individual vendor, and users have proven unable to even consistently download the software from the right page, let alone judge individual vendors' track records.

The long term solution is to get off the platform.


> The long term solution is to get off the platform.

Ug. Running untrusted executables on any platform can be trouble. The problem is that by blaming the platform, people keep putting the onus on these OS's, distros, etc to build walls around carefully curated gardens. Gotta take the good with the bad. Either you accept that people can run untrusted executables or you give up the flexibility to build/use/distribute untrusted executables yourself. Sadly it seems as devs grow into larger companies and prefer the latter, they forget their indie beginnings enabled by the former. "What's $100?" they say. "Getting a cert is easy" they say. "If you aren't building anything dangerous, why do you have a problem with curation?" they say. The same anti-freedom arguments are always there in the name of safety.

If you downloaded untrusted Filezilla and executed it raw on any platform it could be an issue. If users required Filezilla to be distributed in the Windows app store, it could be less of an issue. One could argue the fact that installing Windows software is sometimes still like this is because of the lack of restrictions against it. But as users keep complaining and devs stay silent, all platforms including Windows will continue to reduce liberty in the name of safety and you'll feel better.


It sounds like you have a lot more experience with windows than other platforms.

Many who have mainly used Windows haven't experienced what typical software installation is like on systems like Linux. One hardly ever needs to run untrusted executables, for any reason. If you do, they come from one or two trusted sources, not one of hundreds of private websites. That is just not how Linux software is distributed. It doesn't abridge freedom, either - if you want to run untrusted executables, nothing is trying to stop you.

Then, if you do have an executable to install from, the installation process is more likely to be one command run in a terminal than a GUI 'wizard' that takes 10 minutes, frequent attention and 20 clicks, and tries to convince/trick you to install a bunch of other software.


My experience ranges across platforms which is why I call out this ridiculous bias when I see it, especially when it uses dumb examples like Filezilla to represent the whole. Look at the other options for Filezilla downloads. The default Mac one is the same bundled crap from the same source. The Linux one is from the same source too. Of course I would be unreasonable to criticize the other platforms if the forum post was about those instead.

> One hardly ever needs to run untrusted executables, for any reason. If you do, they come from one or two trusted sources, not one of hundreds of private websites

That's just not true if you want up to date software. I can list a ton of software to the contrary and lots of installing that includes just extracting tarballs, or installing their deb/rpm you download, or if they use the distro package manager, they just have you add their server and cert.

> GUI 'wizard' that takes 10 minutes, frequent attention and 20 clicks

Well if you're just gonna give false impressions with hyperbole, a rational discussion can't be had.

Regardless, the issues with installation are primarily the choice of the devs, not the OS. These days they look more like the installation of Nodejs, Go, PgAdmin, VSCode, etc. (i.e. minimal MSIs or just zip extracts) than the complicated adware of yore. That this is not clear and you think 10 minute wizards with 20 clicks are normal makes it seem like you are not familiar with the platforms you talk about.


> The Linux one is from the same source too.

Not in practice. The Linux version of Filezilla will usually be sourced from a package manager:

  $ apt show filezilla
  Package: filezilla
  Version: 3.28.0-1
  …
  Description: Full-featured graphical FTP/FTPS/SFTP client

Even Filezilla's own website says "It is highly recommended to use the package management system of your distribution".

A huge portion of the software a typical user requires is available in the standard repository of a Linux distribution. I have one extra Apt repository configured that would be reasonable for a normal user to install: Skype.


Meh, they don't keep versions up to date. That version in the apt repo is several versions behind (not to mention how far behind they are on 16.04 repos), not something you usually want to do with network software like Filezilla. My comment listed just 4 pieces of software off the top of my head I installed on a fresh desktop recently, and I wouldn't get any of them from default apt install.


Repos of major distributions tend to keep security updates current. I can go to the source repo if I want the latest-and-greatest. And running a couple of releases behind is something I quite like to do, because bugs.


Honorable providers, for example the Tor and MPTCP projects, run their own repositories, with GnuPG-authenticated packages. You get up-to-date builds, with no crap.


So long as the provider remains honorable. If they decided to bundle malicious programs -- or someone who took control of their domain and private key did -- they easily could.

They could publish updates to the program, publish new dependencies, or even publish updates to packages you normally get from your main distro repository. If you're doing apt-get update (or equivalent) how closely do you scrutinize the list of changes?
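One mitigation for the risk this comment raises, as an added example that is not part of the thread: APT's pinning lets a third-party repository be used only for the packages you deliberately want from it, so it cannot silently replace packages the distribution's own repositories already ship. The hostname and package names below are placeholders.

```text
# /etc/apt/preferences.d/third-party-pin   (added example; names are placeholders)

# A configured repository gets priority 500 by default. Dropping everything
# from the third-party origin to 100 means its versions are chosen only when
# no other configured repository offers the package, so an update it publishes
# for a package also carried by the distribution is ignored.
Package: *
Pin: origin "apt.example.org"
Pin-Priority: 100

# Raise only the packages you deliberately take from that origin above the
# default 500, so those (and only those) follow the third-party releases.
Package: foo foo-data
Pin: origin "apt.example.org"
Pin-Priority: 600
```

`apt-cache policy foo` shows which origin supplies the candidate version once the pin is in place, which is the check to run after `apt-get update`. Restricting the repository's signing key to that repository alone (the `signed-by=` option on its sources.list entry, pointing at a keyring file holding just that key) also narrows the domain-and-key compromise described above, because a key that is not in the system-wide trusted keyrings cannot vouch for packages from any other source.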


Yes. You gotta trust the provider.


But this negates the advantage of having a small number of trusted repos if you need to add third-party repos for every project.


Sure. And it's a tradeoff. The Tor and MPTCP projects came to mind, because I trust them. And there aren't many others that I trust.

My problem is that I prefer Debian stable, which is very conservative about package updates. But sometimes I end up using Ubuntu, because its repo includes newer packages.

Also, my core systems do not include anything except stable Debian. I only use third-party repos in project-specific VMs. I even use Oracle's MySQL Workbench in an Ubuntu VM. And even Windows 10 VMs, when I need Excel or other Windows-only apps. That is, compartmentalization.


Just because the version is older doesn't mean it's insecure. Distros do backport patches, esp. if you run LTS versions.


I certainly would use my package manager to install this. Having the latest version isn't critical, and if it was, I would compile from source. Apt likely protects you from exactly what's being discussed here, as well as from the need to compile from source.

I don't think the comparison of the "wizard" to installing from apt or similar is hyperbole. I'm familiar with the typical Windows apps install process, and I do indeed warrant that that is a realistic comparison. GUI software is more difficult to automate and presents information in a way that's difficult to absorb at a glance, for me.

The 'wizard' does not require a steady 10 minutes of attention, but I don't think 20 clicks is an exaggeration. How many sounds right to you? If you want, I can write an essay contrasting software installation on these platforms because what I wrote sounds right on to me. The fact is that standard procedure to install software on Windows involves clicking "next" over and over again after downloading a binary from some random website.


macOS has a good solution to this, where attempting to open an unsigned binary will fail and warn the user, but can be overridden in the file's context menu.


https://en.m.wikipedia.org/wiki/Microsoft_SmartScreen

And this is considerably better than the “this app was downloaded from the internet do you want to open it” message that OSX provides which Windows provides by default also to all files downloaded from the internet.


The message you mention is not what was meant.


It’s exactly what was meant as you need to do shift+open to install unsigned apps which doesn’t add much if anything.


Windows has the same thing (well, unsigned downloaded binaries that aren't otherwise vetted/popular).


>they don't have a checksum for the bundled package but botg doesn't want to say this

Well, it shouldn't really be called "bundled". It's more a "drive-by download". What is bundled is only a downloader (so the checksum remains the same). And it offers and downloads what the other party sees more profitable today.

In this sense they really don't know what they bundle.


> It's truly amazing to me that installing windows software is still like this.

You think this is bad, you should try the Windows 10 auto updater.

Disclaimer: It's broken on my brand new PC and no helpful on-line fix has worked so far. So I might hold hate in my heart.


Similar experience here; Windows Update has been completely broken since shortly after I upgraded from Win7 to Win10.

It tries to update -- it downloads several GB of patches, reboots and spends about 20 minutes installing -- then it tells me something along the lines of my system being "incompatible" with Windows (I forget the details, it's been a while) and rolls everything back.

Every six months or so I let it try again, in vain hope that the latest version will have fixed the problem. At some point I should get around to doing a clean reinstall, but that means taking the risk that my old Win7 product key would no longer validate.


Risk should be minimal. If you installed Windows 10 and it's activated, it should work after reinstall, you don't even need to type product key, MS servers remember that your hardware is authorized to run Windows 10.


Hey, mine too! I actually had that, reformatted, it was fixed for a while, and it's back to doing it again.

The worst part is when windows will start ignoring my request to delay updates to the weekend, and will begin restarting my computer during the week whenever I walk away from it for too long.


One of the most frustrating parts of Win10 is the update scheduling. You can request that an update be delayed, but the OS does not always honor the request as specified (settings - update & security - windows update - active hours).

In Win10 Pro, you can postpone an update for max 35 days (windows update - advanced options - pause updates), but never indefinitely. If a pending update will break your machine (and you know because you already had to uninstall it), there's nothing you can do; it will install in five weeks no matter what. It's a timebomb.

Adding insult to injury is that these are primarily "feature" updates, and the features are for Microsoft's benefit. The April 2018 update enabled "Timeline" in the Task View (Win + Tab). All session activity is now shared with Microsoft by default. It must be disabled in Settings - Security & Privacy - Activity Sharing... so I disable all the new less-privacy things I don't want, and there are a lot of them... a week later, they are all switched on again, without notification or consent, after a subsequent Tuesday update.

And this is the reboot I can't postpone, on the OS I purchased. It's part Heller, part Kafka.


Best advice for your situation: Assign the Windows Update service to an account (which doesn't have to exist in your Windows install [like ".\FFFFFFFFF"] ) and it will never succeed with updates again. You can remove the account and let it run as System if you want to restore Windows Updates functionality.


Are there no registry entries or system scheduler tasks that one can disable to stop the updates altogether?


I'm positive if it was a regedit away there would be widespread dissemination of all relevant information and likely a very simple process for nuking it.


Flashbacks to the Win XP restart dialog that popped up every 20 minutes until you couldn't take it anymore.


At least you could kill or permanently disable the updater service via services.msc and it would honor your request. Sometimes an update for that service would come out and reactivate it but that was a rare occurrence.


>rolls everything back

Even better with mine. It rolls the updates back one at a time, rebooting and failing each time, then rolling back another, in a process which takes several hours to complete.


Well, botg does come pretty close to admitting that:

    #9 Post by botg » 2018-01-05 09:11
    The connections are for fetching offers and, if the user
    accepts the offer, the offered file. What the file is
    for is written in the offer text. The network requests
    to fetch offers are done only after the user has agreed
    to it by accepting the privacy policy.

Right, the user has agreed to install some random thing.

    #10 Post by TigheW » 2018-01-05 16:55
    Sorry man, this isn't "bundled software that people
    want" and no amount of repeating it will make it true.
    This is a malware downloader bundled with your software
    and hosted on your page and you're intentionally
    misleading the users who are here directly asking you
    if it's safe to run this bundle on their machines. ...

Damn.


I think the long term solution would be to forbid deceiving users by software vendors. Users should know exactly what they are paying with.

Now the vendors who sell software that doesn't have hidden functionality lose competition to such "free" products monetized with adware, data collection or other shady behaviours. It is easy to see in mobile game market.


> The long term solution is to get off the platform.

Never any malware on other platforms? Do you not remember Sourceforge?

And let’s not forget that so much Linux software installs these days via curl|sh...


"And let's not forget that so much Linux software installs these days via curl|sh..."

Actually, virtually everything is packaged for at least the major Linux platforms; an exhortation on a web site saying you can install foo via curl | sh can in fact normally be reasonably followed by apt install foo, or the GUI/CLI package manager of your choice.


When I use apt-get I am downloading from debian.org, where at least there will be a record of what was executed. Further, I trust debian.org more than some random github repo.

When I use curl|sh, I could execute hidden text, e.g. through a Javascript command, which automatically executes the code and then deletes it from my history. At a future date, there is no way for me to know whether something malicious was executed, since the website may remove the malicious code when they get called out.


You're agreeing.


FYI the SourceForge version of FileZilla is clean, and has been since 2016. The official FileZilla installer has been doing this for some time now though. In case people don’t know, a lot has changed at SourceForge since my company acquired them in 2016. All projects are scanned for malware. We covered the improvements again here https://sourceforge.net/blog/brief-history-sourceforge-look-...


That is awesome and I'm glad you are working to clean up the Sourceforge reputation. However, the issue (at least for me) is one of shattered trust. Even though you can affirm the Filezilla downloads you host don't have malicious payloads in the installer, I no longer trust the creator of Filezilla. If he's scummy enough to fill up his "bundled" installer with known malware and viruses, and then lie to his users about it on his forum, he's scummy enough to put something potentially harmful in the program itself.

It would be trivial to integrate a hidden Monero or other coin miner in the source of the main Filezilla program that only runs when the program itself is running. I know I often leave my FTP going overnight for uploading big files (I have really fast downstream but painfully slow upstream) and that's a lot of time for my machine to be surreptitiously mining for someone else. Multiply that by the hundreds of thousands if not millions of Filezilla users across all platforms, and you have the potential for a ton of illicitly gained virtual money at your users' expense.


Thank you for the rescue of Sourceforge. It still has a lot of goodwill, and the rescue is restoring more.


That's why I use my distro's package manager and review external scripts before running them.


Same here. PyPI and NPM are the Wild West too. Github makes no effort to combat typosquatting either.

People in glasshouses shouldn’t throw stones...


>This is challenging because you have to track the reputation of each individual vendor and users have proven unable to even consistently download the software from the right page let alone judge individual vendors' track records.

There was a pattern where articles about nasty android apps would always include some idiotic line about "Security experts say do not install apps you don't trust."

Who the hell knows anything about the apps they even trust, for all you know they sold out to malware companies yesterday.... there's no way to know.

Let alone that would also mean you never try any new software...

I HATE that line.


Hashes never take the filename into account anyway. He knows this, and is trying to throw users off track.
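The point made here, and the "hash doesn't match because the filename doesn't match" exchange at the top of the thread, in working code as an added example that is not from the thread or the FileZilla project: a checksum covers a file's bytes only, so renaming a download leaves its digest unchanged, and a download can be checked against a vendor's published checksum list by content rather than by name. The same save-then-verify step applies to any installer or install script before it is run. The file names and bytes below are constructed stand-ins.

```python
# Added example, not from the thread. A checksum is computed over a file's
# bytes only, so the filename plays no part in it: renaming a download does
# not change its hash, and a mismatch means the contents differ, whatever the
# file is called. Filenames and contents below are constructed stand-ins.
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Hex SHA-256 of the file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}.
    A leading '*' on the name is the GNU binary-mode marker and is dropped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries


def verify_download(path: Path, published: dict) -> tuple:
    """Match the file's content hash against the published digests. The file's
    current name is deliberately ignored; only the bytes are compared."""
    actual = sha256_of_file(path)
    for name, digest in published.items():
        if digest == actual:
            return True, f"contents match the published digest for {name!r}"
    return False, "no published digest matches: the contents differ"


def demo() -> dict:
    """Build a clean file, a renamed copy and an altered copy; report which verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        clean = root / "setup.exe"                  # constructed 'installer'
        clean.write_bytes(b"clean installer bytes\n")
        renamed = root / "setup(1).exe"             # same bytes, different name
        renamed.write_bytes(clean.read_bytes())
        other = root / "other"
        other.mkdir()
        tampered = other / "setup.exe"              # published name, altered bytes
        tampered.write_bytes(b"clean installer bytes\n" + b"offer downloader stub\n")

        # constructed checksum list, as a vendor would publish beside the download
        published = parse_checksum_list(f"{sha256_of_file(clean)}  setup.exe\n")
        return {
            "same_hash_after_rename": sha256_of_file(clean) == sha256_of_file(renamed),
            "renamed_copy_verifies": verify_download(renamed, published)[0],
            "same_name_altered_verifies": verify_download(tampered, published)[0],
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The renamed copy verifies and the altered file carrying the published name does not, which is the opposite of what the forum answer implies; a checksum list can only cover a fixed set of bytes, which is why a downloader stub that fetches whatever is offered at install time cannot be covered by one at all.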


> It's truly amazing to me that installing windows software is still like this

It doesn't have to be that way, since there has been a Windows/Microsoft Store for plenty of years now.

But then you have gamers and game devs spreading FUD about UWP and the MS Store, while they praise 3rd party platforms like Steam and GoG that actively refuse UWP apps in their store, while allowing spyware like this.

https://www.reddit.com/r/Steam/comments/8pud8b/psa_red_shell...

Yet, nobody dares to hold those platforms responsible.

https://www.reddit.com/r/Games/comments/8sg294/16_studios_re...

> The long term solution is to get off the platform.

No, the long term solution is to embrace the MS Store, or at the very least modern platforms like WinRT/UWP that would prevent most types of malware attacks.

Why do we still accept the violation of the principle of least privilege in this day and age?


This account has been using HN exclusively to promote a pro-Microsoft agenda for a long time. That's a serious abuse of this site and I've banned it.

All: Agenda-driven and single-purpose accounts aren't allowed on Hacker News because they're incompatible with the intellectual curiosity this site exists for. Double that when the agenda or single purpose is advancing corporate interests. It doesn't matter what corp it is, btw; the last time we banned an account for doing this it was a different one.


This is a serious false accusation. Am I not allowed to prefer Windows? All I did was correct the rampant misinformation and bias against Windows that rarely gets challenged.

And do you really think someone working for Microsoft would post something like this? https://www.reddit.com/r/Surface/comments/7of68m/surface_pro...


I didn't say you work for Microsoft. I have no way of knowing that, and it doesn't seem likely. But you can't use HN exclusively to promote one company over others. The reasons ought to be obvious.


Here is more proof that I'm not promoting for MS https://www.google.com/search?q=niveageforge+pen+issue+site:...

I'm the most vocal about this pen issue, that could potentially cost MS billions of dollars if they need to recall those devices. I once posted a pen issue thread that got banned from /r/Microsoft once. https://www.reddit.com/r/microsoft/comments/82ilso/the_worka...


I don't disbelieve you but from our point of view it is beside the point. The point is that you've used HN primarily to argue for one company, and that's a serious abuse of this site. And we don't allow agenda-driven accounts or single-purpose accounts in general.


Also, double standards, since plenty of people post only about Linux, Android, ChromeOS, OSX or iOS and they never get flagged. And yes, genuine non-paid Windows enthusiasts like me do exist, and I shouldn't feel ashamed of it.

There is a perpetual hostility towards Windows users on this site, maybe you should address that first.


Microsoft itself is collecting a lot of telemetry even in Basic configuration [1], for example, if you use UAC (privileges elevation popup) they collect "the full command line arguments being used to elevate.". Also they collect a lot of hardware identifiers (including IMEI - unique phone identifier that allows to track it) so later they can reliably prove that some user was using this computer at this time. What a nice feature.

They also collect information on files that are " part of an app and either have a block in the compatibility database or are part of an anti-virus program.".

How can we trust Microsoft after this?

[1] https://docs.microsoft.com/en-us/windows/privacy/basic-level...


Do you rather trust arbitrary 3rd party Win32 apps, that have free rein to crawl your whole user profile and mess with the integrity of your system?

If you're already on Windows 10, at the very least embrace UWP to get some control over your privacy.


> If you're already on Windows 10, at the very least embrace UWP to get some control over your privacy.

This is reasonable. And, at this point it's important to note that the first comment in the chain advocated for moving off the platform.


The long term solution CAN'T be the MS store. It requires asking Microsoft for permission to compete with them. It gives MS permission to bar entire categories of software globally or in your particular market.

Giving the party running the store 30% of all revenue is a hard sell to start with.

More importantly it gives MS the position to impose whatever dictates it likes or, even more likely, gives every government in existence the right to impose whatever restrictions they like on any app maker in existence, with the threat of instant non-existence.

Want a social media platform to ban anyone who disagrees with the king? No problem, do it or you can't do business. Want your browser to censor whatever your locality wants? No problem, if it doesn't it doesn't get distributed. Want your OS to refuse to install apps that don't follow the store rules? No problem, it's in the government's interests and the company's.

Linux package management works like an app store with an official source and the ability to add whichever sources you choose. A search of available packages shows results giving sources the priority set by the user. Updating the system updates packages from 3rd party sources same as others. The major limitation is the labour required to create packages for all the different platforms users prefer, not artificial limits or money paid to the platform "owner".

On Windows nothing much is on the store, mostly because people don't want to give Microsoft 30%; on Linux charging 30% is downright impossible because people would trivially publish an alternative source instead.

Basically your cure is worse than the disease, and since Microsoft won't fix the situation in a reasonable fashion the only solution is to move off their platform.


What is your ideal solution? Which platform should we move to? On Linux I can download Filezilla and run it untrusted too. So obviously there is no Linux distro that satisfies your requirements because this exact same issue can happen there. Same on Mac. Heck, even Windows is willing to warn you. iOS and the like give Apple similar permissions that you are against, so "the long term solution CAN'T be" the Apple app store.


I agree with you about the control aspect, but.

> On Windows nothing much is on the store, mostly because people don't want to give Microsoft 30%; on Linux charging 30% is downright impossible because people would trivially publish an alternative source instead.

Most package managers on Linux do not provide any sort of revenue stream. The comparison only holds when the software is free, at which point '30%' is $0.

The main exception I'm aware of, the elementaryOS app center, provides a worse deal. Same 70/30 split for $2 charges, but it's 50/50 on a $1 charge.


> It requires asking Microsoft for permission to compete with them

On that note, Apple now distributes iTunes for Windows through the Microsoft Store.


I wonder if MS would have been on board with that around the time they were launching the Zune.


> Giving the party running the store 30% of all revenue is a hard sell to start with.

Very soon it won't be 30% anymore.

https://blogs.windows.com/buildingapps/2018/05/07/a-new-micr...

> Linux package management works like an app store with an official source and the ability to add whichever sources you choose. A search of available packages shows results giving sources the priority set by the user. Updating the system updates packages from 3rd party sources same as others.

There exist 3rd party package repositories on Windows too.

> On Windows nothing much is on the store, mostly because people don't want to give Microsoft 30%

There is plenty of stuff in the MS Store. https://youtu.be/GCVhmKVRkk0

All my software, except for some dev tools and some games are from the MS Store.

> on Linux charging 30% is downright impossible because people would trivially publish an alternative source instead.

Steam is on Linux and charges 30%.

> Basically your cure is worse than the disease, and since Microsoft won't fix the situation in a reasonable fashion the only solution is to move off their platform.

Microsoft already provided a fix, called UWP.


"There exist 3rd party package repositories on Windows too."

The MS store does NOT have user configurable repos for consumer versions of windows.


You don't need the MS Store for 3rd party repositories.


You: "No, the long term solution is to embrace the MS Store"

Me: No solution which gives a single party absolute control over what software a user is allowed to run is a long term solution.


There is also e.g. Chocolatey[0], which IIRC is the closest thing to a GNU/Linux package manager for Windows.

I install and update from Chocolatey whenever possible.

[0] https://chocolatey.org/


Getting off platforms is usually quite hard with most trying to be as sticky as possible. The common reason why people tend to stick to Windows is games, even if the situation has gotten better.

Personally I have come to the conclusion that the best solution is virtual machines with a Linux base system. Put every game that is sticky to Windows into its own little container and just have hardware passed through. That way every form of sticky platform only exists in a small pocket of virtual space. The tricky part is getting all this working as smoothly as if it was just one system that just happens to have really good sandboxing for untrustworthy platforms.


> The common reason why people tend to stick to Windows is games

For home users perhaps. Enterprise users are often locked into ERP clients, for instance, that are Windows only.

But the real killer reason enterprises use Windows is Active Directory. Simple GUI SSO and policy based management. For instance I could have a white-list that didn't have this adware on it and could apply it by group-policy...


Active Directory is just a fancy name for LDAP, Kerberos, and DNS (often in combination with CIFS). There's no reason why you cannot use an equiv in a partly or pure Linux/UNIX environment. And indeed, there are many partly Linux/UNIX environments where the servers are running on Linux/UNIX yet the clients are running on Windows. The killer feature of Windows is that people are used to running it as desktop, meaning a less steep learning curve. Another one to add to the list of features is Exchange, but even that has *NIX alternatives.


> Active Directory is just a fancy name for LDAP, Kerberos, and DNS (often in combination with CIFS).

I don't quite agree. Active Directory is an easy to learn and deploy implementation of LDAP, Kerberos, and DNS (often in combination with CIFS) with a friendly GUI interface. It also adds Group Policy, which is less simple to replicate on Linux. Then it adds a huge pool of admins who have been through the vendor supplied training process. I can show people how to create a user and add them to my company defaults in minutes, and not just because they are familiar with Windows, but because they are familiar with the desktop metaphor.

I am a keen Linux user, I am typing this on Linux in fact. We have lots of processes running on Linux in fact. But I cannot replace the ease of AD in Linux. And more than that, our ERP client only runs on Windows...


I've found that FreeIPA tends to be a fantastic replacement: https://www.freeipa.org/

If you're using Red Hat/Fedora GNOME desktops, you can pair that with Fleet Commander to set up desktop policy: https://fleet-commander.org/

At some point soon, I expect it to work for SUSE and Mageia systems, too.

I currently run this on a Fedora Server setup to pair with some Fedora Workstations I manage.


Except AD lets you do an awful lot more than this with Group Policy - you can configure and enforce endless amounts of settings on client machines from the simple - wallpaper for example - to software installs to executable restrictions...

This is a big plus for locking down mostly untrusted users (eg average employees in a larger enterprise).

Edited to fix stupid autocorrect.


Group Policy (which is really a mostly-unrelated thing propagated through AD) is probably the hardest-to-replace part of the equation.


> Personally I have come to the conclusion that the best solution is virtual machines with a linux base system. Put every game that is sticky to windows into its own little container and just have hardware passed through.

Is there a Windows license available to consumers that allows simultaneous installation on multiple VMs under a non-Windows-based hypervisor?


Not really, no. I recall that Linus Tech Tips had the same question when they made a similar setup.

The question about "how many installations does one license allow" does not seem to be much explored by the courts, so I am not that worried for personal setup like this. One could argue that multiple VM is just technical details for what is in practical terms a single user and a single machine.


The opposite is true for my purposes... I run linux and then use virtualbox to run windows 10 for the only app i'm using windows for, which is QuickBooks. I gave up on closed source software decades ago. With Windows, every six months you have to reinstall your machine because of malware and of course the hour(s) of lost productivity per day compared to linux. Good luck with that.


> With Windows, every six months you have to reinstall your machine because of malware and of course the hour(s) of lost productivity per day compared to linux. Good luck with that.

This stopped being true from like Windows 7. Please stop spreading FUD.


At work, I have been using my laptop for ~3.5 years now, running Windows 7, without reinstalling once. If you take some care, don't just install any random piece of software you run across, only download software from trustworthy sources, etc., it is possible to keep a system free of malware.

Just to be clear, at home, I run GNU/Linux, too. But it's not like catching a virus is inevitable fate on Windows.


> With Windows, every six months you have to reinstall your machine because of malware

This is only true if you're careless or technically inept.

> of course the hour(s) of lost productivity per day compared to linux

I don't lose any productivity by using Windows. Not sure where you're getting this from.


Vendors who have partaken in the "bundled crapware" model of distribution - Google, Amazon, Yahoo, Microsoft, Adobe, Oracle, etc, etc.

>They have decided that tricking people into downloading malware is a reasonable alternative to charging money for their software or soliciting donations.

If you would be so kind as to show them how to make money, perhaps they'll stop doing it.

>Its truly amazing to me that installing windows software is still like this.

Eh? Which OS platform are you using that does not allow a user to execute binaries?


I would rather they go out of business if they can't figure out another way to make money.

You CAN install binaries on other platforms, but on, for example, Linux distros there is a curated platform of packages where you can get most/all software.

The fact that this is the default way to install software and regular users don't need to look beyond the official repos is why installing software on Linux isn't this kind of shit show.


Well, I do think there is some hypocrisy on the part of people (including myself) enjoying free software and services, when the revenue of those is generated by unaware people clicking on ads or accidentally installing crapware.

>You CAN install binaries on other platforms but on for example linux distros their is a curated platform of packages where you can get most/all software.

Sure, but things often work better when you pay people upfront rather than get something for free and let them fend for themselves. In the case of Linux packaging, there is no mechanism for monetization or advertising, so the point doesn't come up.

>The fact that this is the default way to install software and regular users don't need to look beyond the official repos is why installing software on linux isn't this kind of shit show.

I'd use Linux if it had the software that I want to use. So a bit of apples-oranges here...


"things often work better when you pay people upfront rather than get something for free and let them fend for themselves"...

Whoah, for a second I thought this was 1999.


Looking at the official numbers of desktop Linux installed systems, it looks like it.


Why would we take that one narrow, specific segment of software as an example of the success or value of open source as a whole? It would be as useful as comparing web server software market share as an indicator of whether Microsoft has succeeded as a company.


Moving goal posts here? I thought the subject was desktop software.

Yes, Linux won the server side, it is hard to fight against free beer.

Now getting desktop software companies to invest in such market is another story.

ksk on June 24, 2018 [flagged]

I guess I must have fallen into a time machine since I just purchased Photoshop last month.


That would be which logical fallacy? Something where you take something I said to a nonsensical extreme? I certainly never asserted that people did not pay for software. My point is that free software is very proven as a development, distribution, whatever method by now.


>My point is that free software is very proven as a development, distribution, whatever method by now.

Yes, it is indeed proven that when you pay people to develop software, it works great. (Linux, FF, Chrome, Photoshop, Windows, etc, etc). The license doesn't seem to make much of a difference.

When you don't - (your typical freeware on download.com) - they have to figure out a revenue stream after the fact, and the choices they end up making cause them to be on the front page of HN where people line up to call them "scum".

Obviously this is not about hobbyist/part-time developers with a github repo, who are already getting paid through an external job, etc.


> In the case of Linux packaging, there is no mechanism for monetization or advertising, so the point doesn't come up.

Just to point out, there are commercial versions of Linux (Red Hat, SUSE Linux, likely others). Both with workstation and server variants.


> I would rather they go out of business if they can't figure out another way to make money.

Only for some other unscrupulous company to replace them? Ideally, the most profitable method should be ethical by nature, unlike the current situation in software (and games, of course) where the most profitable methods are among the least ethical.


Ideally we can support good software by donating to it, but this is challenging too. Perhaps a software store for various platforms that defaults to charging money for open source software you haven't already paid for. Let the user set a multiplier that affects the price so it is reasonable for that user, and let the user also change the price if they desire. They CAN pay zero for insert FileZilla competitor here, but the default is 3.99. This is probably already more than, for example, FileZilla makes for selling out their users.


I got tricked into installing adware as part of a Java install, and it took me many hours to get it back off my system.

I don’t get why Microsoft isn’t pushing all these vendors really hard to distribute through the Windows Store. The Windows Store is a graveyard compared to the Mac App Store, despite having a head start and a bigger target audience, and it’s basically impossible to use Windows without sideloading apps. Microsoft is pushing Windows S at people, where you can’t sideload software, but the Windows Store just isn’t ready for that and all it will do is push people to the Mac when they inevitably have a bad experience.


Because nobody really wants to give the App Store 30% of their revenue. Having it be a percentage of the revenue instead of just a flat fee means it's just a money-grab IMHO. Ironically, Apple is arguing in court that Qualcomm is doing the same thing to them (charging a percentage based on retail pricing) and that the price is unfair.


lol you're out here arguing that the people who are (without FULLY disclosing it) bundling malware that downloads and compiles DATs/unsigned binaries from anon domains are in the right, but you have a problem with Apple's revenue model for the App Store?


>lol you're out here arguing that the people who are (without FULLY disclosing it) bundling malware that downloads and compiles DATs/unsigned binaries from anon domains are in the right,

No, that is a false statement.


You literally posted this elsewhere:

> I'm not going to tell someone how they should make their living

Be consistent. Don't tell Apple how to make their living.


> Don't tell apple how to make their living.

I didn't.



:o Nice..


Suspicious?

Let’s call this what it really is: The FileZilla owners are actively encouraging users to install malware as a way to monetize. That is very clear.

Avoid FileZilla by all means.


If what you say is true, a more productive approach is to make a derivative of the last known non-malware release of FileZilla with a new name. FileZilla's code respects your software freedom (FileZilla is licensed under the GNU GPL v2, last I knew), so there's no reason not to use that freedom to make a derivative which doesn't come with a tricky installer. Rejecting free software when improvements can be had is an overreaction that could lead to a reduction in software freedom, which would obviously be bad. Free software is the path to being able to trust the software you run.


The statement you're replying to was probably intended for users (i.e. the people who use FTP in some capacity all the time). They should absolutely stop using FileZilla. Sure, in the general sense there's no reason the project couldn't be productively forked, but the immediate concern is the fact that FZ presents itself as a modern open source client when in fact it's stuck in 1998 and bundles f*ing popups.


The hard part is search engine ranking.


And that little issue with trademarks: https://filezilla-project.org/trademark_policy.php


This is also a non-issue as long demonstrated by Debian and GNU when they distributed Firefox and Thunderbird derivatives under different names with different logos. The section of that page under "Modifications" is quite clear on what needs to be done. Please don't try to invent non-existing difficulties. I realize HN is demonstrably averse to any serious discussion which centers on the importance of software freedom for its own sake but that's no reason to reject leveraging software freedom to improve one's own lot or help others.


That's a non-sequitur and not difficult: make the derivative, publish the derivative, and continue to publish the derivative without malware. You'll establish a history people can trust and earn users and search engine rankings in time.


Yep. This matches behavior I've seen many times before from other software companies.

In every circumstance I immediately ceased using anything made by them.


They did this before. They used to have Binkiland included in the installer from SourceForge. They stopped, but obviously they're right back at it again.


Yeah. But I always blamed that more on SourceForge than FileZilla.


It's sad that FileZilla remains so popular long after the creator has chosen to monetize it with adware. I highly recommend any FileZilla user reading this should switch to WinSCP. It's free, open source, and not bundled with any crapware.


I posted this further down the thread but may as well say it here too.

Cyberduck[1] was what I moved to after the FileZilla installer on Sourceforge forced me to wipe & reinstall Windows a few years back. It's available for MacOS and Windows, GPL3 licensed[2] and worked great for me at the time. I've since moved to Linux so I haven't been able to play around with any of the newer features/versions but it would be the first thing I tried if I switched back today. Definitely recommend taking a look.

[1]: https://cyberduck.io/

[2]: https://github.com/iterate-ch/cyberduck


I've been using Cyberduck for the past year and it is great. It was my replacement for FileZilla.


WinSCP has also previously bundled crapware (OpenCandy):

https://en.wikipedia.org/wiki/WinSCP#Advertisements_in_insta...


Now you're gonna tell me lftp was also bundled with crap?


Four years ago, with no incidents since.


It’s funny to see defense of a program that intentionally included adware in a previous version.


I’m defending the four years of good behavior, not the bad behavior back then. People and companies make mistakes and bad decisions, and I don’t mind supporting them if they prove over time that they’ve changed. Four years of good behavior is long enough for me. If your response to a company doing something you don’t like is an eternal blacklist, even years after they respond to their customers and change their behavior, think about what you’re really encouraging. For one thing, never admitting anything, for another, coverups.


Why? Do you believe in no second chances?


When it comes to software security, second chances are for accidents.


And the author pinky swears he won't reach into the cookie jar again.


If you do not require a GUI, FarManager[0] is great, too. It allows access to remote folders over ftp, sftp, smb (and probably others), is very light on resources, free software (BSD license), and all around a joy to use.

[0] https://www.farmanager.com/


I considered using WinSCP until I discovered it cannot limit itself to 1 connection.


This should go higher in the thread. I personally didn't know this behavior.


I can't believe those are real admin responses. TigheW was far more patient than they needed to be, that was painful.


What factual information do you dispute from their responses?


I dispute "The hash doesn't match because the filename doesn't match." He did backpedal and say he really meant they don't match because the files are different. (Well, duh.)

I also dispute "It's a tautological false-positive, by the very definition of the term, _everything_ is potentially unwanted."

That's not the definition. Here is a definition in line with what just about everyone means by the term:

"A potentially unwanted program (PUP) is a piece of software that is also downloaded when a user downloads a specific program or application. PUP is similar to malware in that it will cause problems when it is downloaded and installed."[0]

Or my own shorter definition: "Software that nobody would want on their computer if they knew what it is and does."

It sounds like that's exactly what was detected.

I don't dispute, but I'm curious about his claim that AV vendors maliciously flag their competitors' legitimate software. I wouldn't be the least bit surprised if that's true, but it's the first time I've heard of it.

[0] https://www.techopedia.com/definition/4061/potentially-unwan...


Well, the central question, in my mind anyway, is whether FileZilla distributes malware. I don't see any data on that yet... maybe it will come. Meanwhile I'm not going to join other HN members in calling people I don't know "scum".


FileZilla doing this has been known for at least a few years:

https://web.archive.org/web/20140816230250/http://blog.glust...

Back then, they were doing it as part of the (previous incarnation of) SourceForge's "DevShare" offering. E.g. malware authors got SourceForge to bundle crapware with popular Win installers, and gave the developers a cut of the take.

It seems like the FileZilla people didn't like that revenue stream being cut off, and went to the source directly afterwards. :(


I'd dispute the whole "we are shipping this extra software, we don't really know what it does, but they are paying us so I don't see what the problem is ¯\_(ツ)_/¯" (paraphrasing)


1) The hash/filename comments, that's ridiculous and obviously meant to mislead (yes, the BOTG person tries to walk it back, but it was still bullshit). 2) The lack of actual rebuttal — a tonne of valid points were made about the bundled binary, the dats, the phoning home, the unsigned executables, etc. None of them were addressed. 3) The nonsense about digital signatures.

Do you really truly think they did an adequate job responding to the complaints/criticisms/questions? Seriously?


OK I just re-read the thread. What did they walk back? Someone posted hashes of different files and asked why they don't match.

>The lack of actual rebuttal — a tonne of valid points were made about the bundled binary, the dats, the phoning home, the unsigned executables, etc. None of them were addressed.

https://forum.filezilla-project.org/viewtopic.php?p=161493#p...

Maybe the dude didn't go into excruciating detail but I understood the reply. Which part of the reply was factually incorrect?

>3) the nonsense about digital signatures

Could you link to the comment?

>Do you really truly think they did an adequate job responding to the complaints/criticisms/questions? Seriously?

I don't know which complaints you're referring to. Some are reasonable, and others are just wild accusations. But just to give you an answer that you will be happy with, No, they didn't.


Outside the file hash thing there isn't anything wrong with his responses. The project chose to get third party products from sources outside their control. There is nothing "technically" wrong with it. The thread is littered with poor security practices, but I see TigheW's response as more painful. The admin is already clearly aware of the concern and is stating why it is set up that way. I would much rather see somebody state that the practices are wrong rather than just calling this guy out, since it is really counter-productive.


If your software installer bundles crapware for any reason then you've completely lost the plot and nobody should trust your software ever again.


Admin of FileZilla,

Your reactions to this post deeply concern me. I do believe this is a serious problem you should at least entertain investigating whomever you have an agreement with in regards to bundling their stuff into your installer.

Those domains it's communicating with have several hits on known malware/RATs reports. For instance, https://www.maltiverse.com/sample/a98b1 ... 38233c50b7.

Here is another that spawns the same type of .exe which turns out to be NJRAT malware -> https://www.hybrid-analysis.com/sample/ ... mentId=120

Your defensive attitude is what alarms me the most. Almost as if you might care more about your bundle agreement profits than your users' security/safety.

Hole in one. I wouldn’t trust those admins to make me a cup of tea, and I agree that their attitude reeks of deception for selfish reasons. Nobody should ever trust their software again, full stop.


I don't support crapware but I'm not going to tell someone how they should make their living. That post looks like rabble rousing to me. I have yet to see any factual information except a whole lot of "it seems" "it appears" "I believe". I'd rather reserve judgement till the facts emerge.


If I see someone being immoral I'm going to tell them "how to make their living", not because I hope they are going to be so inspired as to change for the better, because you and I both know that's not going to work.

I do so because I hope other people will listen and stop doing business with them leading to a decrease in profit and THEN changed behaviour from the culprit.

There is lots of factual information. They are factually doing a lot of malware-like behaviour in their installer and bundling software from questionable sources they have no control over. At best they are putting their customers at risk.

The only facts that can possibly emerge are that it's actually worse and customers are getting their identities stolen or some such.

Rabble rousing is literally the only way anything gets fixed.


Okay, but malware "like" is not actually malware. If it turns out that it is, then of course why would anyone support a malware distributor.

>They are factually doing a lot of malware like behaviour in their installer and bundling software from questionable sources they have no control over.

Their explanation was that AV vendors flag their competitors, so now in the 'arms race', competitors have resorted to downloading individual bits from random URLs and then merging them together. While this would be a technique that malware would use to possibly defeat security software, hey, it's also how torrents work. Tools can be used for good or bad.


Their explanation is obviously a lie; they are getting around antivirus software flagging it as adware.


If it were the first instance of this with Filezilla, and the admin response wasn't dismissive, I'd agree with you.

They earned their reputation as untrustworthy.


Which facts did they dismiss? I just saw a lot of rabble rousing..


The admin's replies are clever smokescreens: they stay neatly on the periphery of the matter and avoid giving actual answers to the questions being posed.

Whoever wrote these replies would probably do well in politics.


Dude you are all over these comments defending indefensible behavior. What they are doing is wrong. Full Stop. You seriously sound like the admins in the forums.


I'm wagering he has some kind of connection or relationship with the software or developers. There's just no way someone would espouse the views KSK holds without some kind of external factor / ulterior motive.


I'll take you up on that wager. $10,000? I'm dead serious..

ksk on June 24, 2018 [flagged]

Huh? I am not defending them. You are either willfully or otherwise twisting my words.


Personally, I abandoned FileZilla after the prior incidents and would never consider installing it again.


There is pretty much no freeware download site that doesn't bundle crapware. I guess all freeware is untrustworthy by your logic.

https://www.howtogeek.com/207692/yes-every-freeware-download...


Oh my god. You're talking to competent computer users on Hacker News, not people who use crapware download sites and need to be warned away from them by "HowToGeek".

Of course there is trustworthy freeware. You can get it using Apt, Yum, Ninite, Chocolatey, Homebrew, or just by going to the actual site of a trustworthy software product.

The fact that the people who run most download sites are scum isn't a problem with the software. It's a problem with those sites.


[flagged]


HN readers are capable of not using FileZilla, because its admin is actively trying to mislead its users into running malware.

Are you associated with FileZilla? Why are you here bringing out the "everyone is doing it" defense?


>HN readers are capable of not using FileZilla, because its admin is actively trying to mislead its users into running malware.

Then your prior comment makes no sense to me.

>Of course there is trustworthy freeware. You can get it using Apt, Yum, Ninite, Chocolatey, Homebrew, or just by going to the actual site of a trustworthy software product.

If you don't use the crapware downloader, then the vendor doesn't get any money. I noted that pretty much all freeware is bundled like so, including your "trustworthy" software, on various other download sites.

Then the only way the vendor can stay in business is if enough people download the crapware version.

>Are you associated with FileZilla?

Huh? Why are you asking, and why would it matter?

>Why are you here bringing out the "everyone is doing it" defense?

I am not. It's your interpretation that's flawed.


What doesn't make sense? FileZilla is a bad actor who is trying to infect people's computers with malware. Download sites are bad actors who are trying to infect people's computers with malware.

People should have all the information they need to avoid malware, so they can make good decisions, such as installing WinSCP from Ninite instead of installing FileZilla by any method.

You keep denying that trustworthy free software exists, and yet when anyone points out that it does, you change the topic to something fraud-ridden like download sites. People who cheat on tests believe everyone is cheating on tests.

I do not care one bit for your business model. Please go out of business ASAP.


[flagged]


It would have been a bad idea to use WinSCP in 2014 also. Yet you'll notice they backed off and have had years to repair their reputation, instead of getting caught a second time and trying to cover it up like FileZilla is doing.

I understand how your kind of free software makes money perfectly well. It's not trustworthy in the slightest.

You don't need to make money to make a program that copies files. And if you bundle your free software with a scam, you're not making money as a software developer anyway, you're making money as a scammer.

ksk on June 23, 2018 [flagged]

You seem very confused. FileZilla wasn't "caught". They openly say that they bundle crapware. Sorry, this is not a productive conversation. Goodbye.


You've crossed into incivility in this thread. That's not allowed on HN, regardless of how wrong someone else (or everyone else) may be. If you could please (re-)read https://news.ycombinator.com/newsguidelines.html and not do it again, we'd appreciate that.


While it's obvious that I have done no such thing, I find it rather interesting that people calling other people "scum" are not reminded of "civility".


The simplest explanation for that is nearly always the correct one: we didn't see it. Obviously, though, breaking the rules isn't justified by other people breaking the rules. It always feels like someone else started it, so one could use that to justify anything.

Re your comments, personal swipes like "you seem very confused", "you are unable to understand", "rather than wild accusations and hysteria, I'd recommend calm collected analytical thinking" are certainly uncivil and violate the site guidelines. We ban accounts that make a habit of this, so please (re-)read the rules and use the site as intended from now on: https://news.ycombinator.com/newsguidelines.html


I don't expect you to look at 100% of the comments, but it's a bit like citing someone for jaywalking but letting the murderer escape. Sure, cite the jaywalker, but after you've found the murderer.

>Re your comments, personal swipes like "you seem very confused", "you are unable to understand", "rather than wild accusations and hysteria, I'd recommend calm collected analytical thinking" are certainly uncivil and violate the site guidelines.

There are several flaws in your interpretation, but I don't wish to convince you otherwise.


Please just go out of your way to be civil. It's not that hard.


The post which you've replied to raised a question which you've chosen not to answer. Are you at all connected to the FileZilla project?


[flagged]


Even way down here where the core of the conversation isn't happening? How would a "no" derail it?


It's the same reason that I don't think I can force you to answer any question I want. It's a point of principle.


It's a point of you dishonestly misrepresenting your own interest in FileZilla installing malware for any users still foolish enough to download it.


This guy is trolling, seriously, just stop responding to them.

ksk - many HN readers build using free software for places like Google, Amazon etc., that are trusted all the way up to places like the CIA. Seriously, please troll somewhere else. Basically no one working in almost any open source project wants to be working with an author that bundles in crapware, ESPECIALLY if the author doesn't actually even control the crapware. If you don't get why this is a bad idea, you'll have to trust folks who use open source software regularly that this is a bad thing.


PortableApps (https://portableapps.com) seems pretty good. :)


Yes, that would logically follow.


It's threads like these that remind me, quite clearly, that not everyone shares the same ethics that I do.


Sophisticated users will know to download the unbundled installer, and maybe even go so far as to verify the hash.

But that sidesteps the question of whether to continue using software where the authors are willing to put their users at risk by monetizing with what is apparently malware bundles.

FileZilla is by all accounts a fantastic piece of software. I’ve used it for years, both the client and the server, and it’s no doubt provided significant value to me over the years.

And yet I’ve never paid the FileZilla authors a penny for their services.

So while I didn’t force the FileZilla authors down this dark path that they’ve chosen to use for monetization, I accept that I am part of the problem.


I don't really see the problem. If the developers want to get paid for their work they can just sell their software. The problem is when someone tries to monetize their product by deceiving users. This is the case: they prevent users from knowing what is happening on their computer, download and run suspicious binaries and use the EULA as an excuse. And I suspect they themselves don't even know for sure what is bundled into the installer.

Users should know exactly what they are offered. Hiding a clause like "you allow us to do anything we want" in the EULA should not work.


Imagine if Google charged $5 per month for a subscription to their search engine. We're kind of seeing this with Youtube Red.......


When I read "You get AV flags for business reasons on the AV vendor's behalf, not because of malware." I pretty much became convinced they have gone to the dark side. I've seen enough shady business that this pattern really jumps out - as soon as people start claiming everybody is conspiring against them for monetary reasons, or out of envy, etc. with no proof - it is a very strong sign that the person is not to be trusted. There are false positives but the sign is very strong.


« The connections are for fetching offers and, if the user accepts the offer, the offered file. What the file is for is written in the offer text. The network requests to fetch offers are done only after the user has agreed to it by accepting the privacy policy. »

Translation:

« Our installer fetches random crapware once you click past the giant wall of text. »


This is allowed under GDPR? Doesn't this constitute breaking into computers?


Even if it did (but that’s rubbish), it would have nothing to do with GDPR - which isn’t your personal magic bullet against anything you might not like.


Those two laws are, actually, my personal bullet against virtually everything I don't like happening to my own computer, as well as those owned by others (though that is not within my responsibility).

I feel like you missed the point though. There's no obvious question to the computer user that this is going to happen; i.e. there is no consent. Which is important with regards to GDPR.

Next, what happens is the question. Either the security of the computer is breached (which I'll just call "malware" from hereon), or PII is being sent (spyware).

Malware seems obvious to me. That's breaching computer security, been illegal for quite a while now. Not worth the discussion though recently the government of The Netherlands made it legal for the police to hack its civilians.

Spyware's legal status seems to have changed since GDPR though. Sure, a lot of spyware is shady, makers of it don't care. But the spyware being bundled with software was done by someone. And in this case, it appears to be within FileZilla's responsibility.

You may not be from the EU; I saw FileZilla developers being obviously from the EU and I am from the EU as well. So the GDPR does apply for me, for sure.


Yup, it's been going on for years.

It's 2018. F* FileZilla.

WinSCP is a decent alternative.


If you've decided to do something dirty, sneaky, or underhanded, then the dialog on this forum should be required reading on how not to handle user questions. Any large software company experienced in being routinely evil would have done the following:

- shut down that thread at the first opportunity (it's their own forum so they are able to do that)

- as a corollary to the above, always run your own forums for questions, support, fandom, etc. so you can kill threads, guide the conversation, ban users, or redesign the site giving cover for losing history that you don't want remembered

- ban that particular user who was giving the best analysis; a real reason is not necessary -- just allege that he violated the terms & conditions

- have someone preview all questions and comments before they get posted in your forum; you know how some sites say, "Your comment is awaiting moderation"? -- you need to do that

- never give official answers to any questions (the founder and original developer was replying in his own name); instead, always reply as a fellow user, knowledgeable and helpful, but allowing the company a way to disown any replies given out

- don't even bother to reply to questions you don't want to answer; just ignore them (the current thread would surely have died out if the founder had not given those silly obfuscating answers); you can compose a crafty reply only if it becomes a big problem

- have a bunch of fake users (employees, PR department, outsourced agents) ready to pounce on, rebut, or ridicule the user providing the good analysis; similarly, have those fake users guide the discussion or completely change the topic

Some large software companies get away with far worse tricks and shenanigans, affecting millions of users, by following the principles above.


I doubt the legal system that the publisher resides in would accept the excuse that giving control over to a third party will protect them from liability if malware gets installed from the installer. No amount of EULA, disclaimer, or calling it a "bundle" can do that, and now there is a public, documented discussion showing that the developer knowingly allowed it. That sounds like some significant risk, one which I would never bet my own personal life on.

It will only take a security researcher who identifies one of those unsigned processes, in the past or future, as malware, and people who are infected by the same malware can check if they also have FileZilla installed, and boom. A lawsuit is born.


Hmm? I don't think I've ever heard of any lawsuits about bundled adware. (Read: I doubt it's illegal.)


Since I haven't seen it mentioned here, note that the first post in this thread was on 13 December 2017, with most of the back and forth between botg and TigheW taking place in early January 2018.

Post #14 revived the thread 11 days ago and the last seven or eight posts are from the last 24 hours or so.

Looks like the thread has since been "locked" to prevent further discussion.


I install filezilla (amongst other things) from ninite.com. In general ninite.com installation is equivalent to normal installation without having to carefully uncheck obviously horrid and unwanted optional "extras".


I wasn't sure which version Ninite were using or if they were aware of the suspicious installer, so I wrote them a mail referencing this thread. They wrote back a couple hours later (and I'm not even a Pro user!):

> Apparently FileZilla has more than one installer package. The discussion in the [HN] forum link is about their "bundled" installer. We use the one without the junk-ware bundled. Below are links to the virustotal results for the packages we use.

https://www.virustotal.com/#/file/92aa946d4127eeef30b428e86b...

https://www.virustotal.com/#/file/a86a836888e9894215e15da49e...


Well, damn. I didn't even know there were prior incidents. Ugh. I've used Filezilla within the last year.

What are good alternatives?


WinSCP seems to be a popular recommendation. When I was a Windows user after the FileZilla/Sourceforge incident I switched to Cyberduck[1]. I really enjoyed it at the time and it seems it's gained many more features since.

[1] https://cyberduck.io/



They also have a history of doing this crap:

https://en.wikipedia.org/wiki/WinSCP#Advertisements_in_insta...


Sad to see such a formerly great app now at best guilty of bundling dodgy add-ons for pay in their installer. Here are some alternatives:

https://alternativeto.net/software/filezilla/

WinSCP looks to be my new default.


Just for information, it seems that only the installer from their website's first download page[0] is bundled (it has "bundled" in the name). On the same page there is a link that says "Show additional download options"[1]; on that page you have access to "clean" installers.

The way they did it is quite shady.

[0]: https://filezilla-project.org/download.php?type=client

[1]: https://filezilla-project.org/download.php?show_all=1
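One practical check for the situation described in this thread, as an added example that is not code from the FileZilla project or from any commenter: verify a downloaded installer against a sha512sum-style checksum list, and treat a filename that is not in the list (the "bundled" build, for which no checksum is published) as a distinct finding rather than a plain hash mismatch. The checksum list format, the filenames and the file contents below are constructed assumptions.

```python
"""Verify a downloaded installer against a published checksum list.

Added example; not FileZilla's own code. Assumes the project publishes
checksums as sha512sum output ("<hex digest>  <filename>", one per line).
"""
import hashlib
import hmac
import re


def parse_checksums(text: str) -> dict:
    """Parse sha512sum-style lines into {filename: lowercase hex digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha512sum marks binary mode with a leading '*'
        if re.fullmatch(r"[0-9a-fA-F]{128}", digest) and name:
            entries[name] = digest.lower()
    return entries


def verify_installer(filename: str, data: bytes, checksums: dict) -> str:
    """Return "OK", "HASH_MISMATCH", "NOT_LISTED" or "BUNDLED_NOT_LISTED".

    A filename absent from the list is not a corrupt download; it means the
    project publishes no checksum for it, which is exactly the case for the
    bundled installer discussed above, so it is reported separately.
    """
    expected = checksums.get(filename)
    if expected is None:
        return "BUNDLED_NOT_LISTED" if "bundled" in filename.lower() else "NOT_LISTED"
    actual = hashlib.sha512(data).hexdigest()
    return "OK" if hmac.compare_digest(actual, expected) else "HASH_MISMATCH"


# Constructed sample data: stand-in names and bytes, not real installers.
CLEAN_NAME = "FileZilla_X.Y.Z_win64-setup.exe"
BUNDLED_NAME = "FileZilla_X.Y.Z_win64-setup_bundled.exe"
CLEAN_BYTES = b"constructed stand-in for the clean installer\n"
BUNDLED_BYTES = b"constructed stand-in for the bundled installer\n"
# Only the clean package gets a published digest, mirroring the thread.
SAMPLE_CHECKSUMS = f"{hashlib.sha512(CLEAN_BYTES).hexdigest()}  {CLEAN_NAME}\n"


def demo() -> dict:
    """Run the three cases a practitioner would hit and return their statuses."""
    checksums = parse_checksums(SAMPLE_CHECKSUMS)
    return {
        CLEAN_NAME: verify_installer(CLEAN_NAME, CLEAN_BYTES, checksums),
        BUNDLED_NAME: verify_installer(BUNDLED_NAME, BUNDLED_BYTES, checksums),
        "tampered": verify_installer(CLEAN_NAME, CLEAN_BYTES + b"x", checksums),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```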


Filezilla should simply never be trusted ever again and that is not a new thing.


Does anyone have suggestions for alternatives to FileZilla, both for Windows and for Mac, that I can recommend to non-technical friends? In other words, something with a GUI.

Basically, when pointing out security problems, I find that people are much more likely to actually listen if you present an alternative action. I will probably just use sftp from the command-line, but that won't fly for some.


I don't know whether it is really malware, or whether they just collect information from the PC like browser history and cookies, or just avoid being blocked by AV; anyway, the real purpose is that the developers don't want users to be able to control what is happening on their PC or to know what is really happening. I don't see any other explanation.


Just reading the exchange with "botg" is really all the information you'll ever need to know about Filezilla; using it (bundled or not) would just be gross negligence after that.

Here is an alternative: https://winscp.net/eng/index.php


This has always been the case. Filezilla offers two versions for Windows and macOS on their website: bundled and non-bundled. You get the bundled version when you click "Download FileZilla Client" and then the big green "Download FileZilla Client" button (assuming you're visiting the website from a Windows or macOS client): "This installer may include bundled offers." makes this also very clear. In order to get the clean version, you have to click "Show additional download options" and then pick the version you want. For anyone saying that Filezilla can't be trusted anymore due to doing this, it's still open source and you can check out and build the code yourself: https://filezilla-project.org/sourcecode.php


>You get the bundled version when you click "Download FileZilla Client" and then the big green "Download FileZilla Client" button (assuming you're visiting the website from a Windows or macOS client)... In order to get the clean version, you have to click "Show additional download options" and then pick the version you want.

Right, nothing shady about this UI pattern at all.

>"This installer may include bundled offers." makes this also very clear.

It makes nothing clear. It's purposely vague language used to disguise the fact that these "bundled offers" consist of software no person would actually choose to install on their machine.

>For anyone saying that Filezilla can't be trusted anymore due to doing this, it's still open source and you can check out and build the code yourself: https://filezilla-project.org/sourcecode.php

What would that accomplish? The issue is that the dev doesn't even know what the hell comes across the wire when you choose to install this crap. How is reading the FileZilla source helpful?


> and then the big green "Download FileZilla Client" button

It's funny, I've been using the Internet long enough that I almost instinctively ignore such buttons and look for the actual link. The bigger and more lurid they are, the more easily I ignore them --- just like automatically scrolling past banner ads and such, I suppose it comes with experience.

Of course sometimes the "too obvious" button is the right one, but that's been a minority.


Damn. Personally I'd hoped the FileZilla team had discontinued their bundling of malware since the SourceForge episode, which I wrote about here:

https://web.archive.org/web/20140816230250/http://blog.glust...

Instead, it looks like they've taken up with the malware creators directly.

Wonder what the most appropriate solution would be?

If Google were to "ban" FileZilla from its results (due to pushing malware), it sounds to me like that would work.


Anyone know what tool is being used by TigheW to create that process tree graph?


Carbon Black: https://www.carbonblack.com/products/cb-response/ (2nd screenshot shows the same screen)


FYI the SourceForge version of FileZilla is clean, and has been since 2016. The official FileZilla installer has been doing this for some time now though. In case people don’t know, a lot has changed at SourceForge since my company acquired them in 2016. All projects are scanned for malware. We covered the improvements again here https://sourceforge.net/blog/brief-history-sourceforge-look-...


The fact that a clean installer exists is not really the point, nor should you take it as an opportunity to plug your company.


Yet this happened with your company at the helm:

https://medium.com/@jonykatz/sourceforge-hiding-fact-that-th...


This blog post is not accurate at all.


So what's your side of the story, then?


We lost a few hours of commits and notified everyone affected. That's it.


And the disappearing tickets?


Regardless of that we can no longer trust the developers of FileZilla.

If they need money, they should ask for donations instead. Patreon was suggested elsewhere in this thread.


Am I right in guessing that this affects the filezilla client only (at least on Windows)? Virustotal gives the server a clean bill of health.

It gives the client a detection score of 7/67. This raises the question for me of what's considered an acceptable detection score on virustotal.

Before this I'd have looked at a score of 7 and concluded that as the great preponderance of opinion is that this file is fine, it's fine, probably.


Can't we just fork and fix?


If you have skills, time and motivation to do this, why not?


I'd honestly like to just see new alternatives altogether; crazy that there are like no other GUI alternatives that are open source and comparable.


Cyberduck? https://cyberduck.io/

Seems like a good alternative with a modern UI.


Thanks for that, I've run into cyberduck but never was sure if it was open source or what till now.


let's do it.



Is this doing assembly in the installer and getting window handles directly, then calling old school offsets into Win32 structs with DLL'd functions I don't see the source to?

Am I reading this right? It sets off my "malicious stuff" alarm but I'm not a security wonk.

https://github.com/rain-1/filezilla-ng/blob/master/data/offe...

We need to cut all that trash out.


The guy should just run a Patreon, instead of doing this. They're ruining FileZilla's reputation.


Notwithstanding the rest, being suspicious just because of VirusTotal output is paranoid. It's a cesspool out there, most AV is total crap (and some, like Bitdefender or F-Secure, are truly something), and false positives from them are an every-release problem for many developers.


Crazy how 20 years ago you could open an .EXE sent to you by email and it was just a silly Flash game.


Looks like botg is trying the "offers" crap again. I suggest using WinSCP instead.


It is still possible to get non-bundled versions of filezilla by clicking "Show additional download options" rather than clicking the big download button. Whether or not to continue to use filezilla, or to trust that that software is really clean, is another matter.


Let's be honest, a lot of people won't suspect the main recommended download to be sketchy until it's too late, in some cases.


I guess "This installer may include bundled offers." as a warning is not clear enough because it's not written in 72px red-colored bold text? Don't get me wrong, but, in my honest opinion, they make it clear on their own website that it includes bundled offers. I know many other open source projects that offer builds of their software for free, including "bundled offers", without any hint.


Let's try to imagine what his thought processes were. And to do that I would try to put myself in his shoes and imagine what my thought processes would be: "I have this popular software, but I'm not getting rich out of it. What if I put crap adware with it. But that'd be dishonest and I would be helping the scammy/scummy side of the internet (1). Well, if I put a disclaimer on the download page, then it'd be the users' own damn fault if they miss it. And I'll make the download button extra big so they'll think 'I know what I need to do in this page, click' and miss the warning.".

(1) This is what I think about that section of the Internet, remember this is me putting myself in his shoes.

And at first I would feel guilty about scamming my users, but later on I would probably blame them for being stupid. And when others ask questions in the forum I would just reply tersely and arrogantly and say "It's all correct because I wrote a disclaimer.".

So, when you say "They make it clear", IMO that is very arguable. He (is the author of the software the same guy as the forum moderator? I'm getting the impression it's a one-man show) did the least he needed to do to be able to get away with installing crapware on their trusting clients' machines, because his aim is to make money, and he can make more money if fewer people notice the warning. I'm betting his lawyer told him he should write the warning on the download page; if I were him I would've thought about just putting a "By downloading you agree to the terms and conditions of the software being offered" with a link to a page with a wall of text, but probably his lawyer told him "that might be iffy."

This is a bit like Facebook saying they made it clear that they will copy SMSes and call logs from your phone...


The worst part is that if he put that it's not to be used for commercial use (Windows version or something) and just sold commercial licenses, he'd be rich and not have to deal with the crummy income he's getting from malvertisement. Let's be real, corporations will pay good money for convenience. Lots of companies still pay for Visual Studio and MSDN accounts even though they can get .NET Core and Visual Studio Code for free.


And what are these "offers" exactly? Are they applications someone would actually want to install on their machine if they knew what they were? You can't actually be this obtuse.


I agree with you, and honestly if you were used to FileZilla just working and not having malware on it like I was, you wouldn't even think about reading before downloading, because you've downloaded it a million times prior... Now I just don't bother with FileZilla, rather use SCP on a terminal.


Well. I guess my firm isn't going to use filezilla anymore.

Too bad really.


I assume the copies in Debian and other Apt mirrors are safe?


This is the best argument yet against the execute this script off the internet


Any impact on the Linux versions of filezilla?


I just scanned the latest version of the client from their homepage at https://filezilla-project.org and so far it doesn't appear to be infected.

https://www.virustotal.com/#/file/c08edaa899838d18f3e15b2597...


I don't see why, being on Linux, you would prefer to use FileZilla to transfer files to a remote machine over an insecure protocol when there are plenty of alternatives with better security. Rsync, for example, allows you to specify an SSH key. Or SCP, which also offers the same functionality.


Familiarity and consistency across platforms are two obvious reasons that come to mind. Another is that it's easier for those unfamiliar with a terminal.


Most, if not all, Linux distributions allow you to FTP into a remote machine using the file manager.

Nautilus, GNOME's file manager, has offered this functionality for several years.

> Another is that it's easier for those unfamiliar with a terminal

That's a weird thought considering that the parent comment is using Linux.


Not sure why you are modded down for that comment.

It is also ridiculous that people on other platforms do not have a bulletproof file transfer tool baked into the operating system. Even VAX/VMS had better built-in file transfer tools than what Windows has today.


Filezilla does not just speak plain FTP, and you don't always get a choice.


Filezilla has a very convenient GUI...


This is a really toxic attitude in the open source community where when asked a question the answer is: "you're doing it wrong, just do it right".

If I had a choice I would, but unless you have a few million dollars to give us to refactor 30 years of technical debt, please answer the question.


Are you a developer of filezilla?


> you're doing it wrong, just do it right

That's not how I wrote my comment above, I gave you alternatives.

> If I had a choice I would

You have choices, many.

> unless you have a few million dollars to give us to refactor 30 years of technical debt

How is using FileZilla a technical debt? What are you requiring from FileZilla that you need a few million dollars to refactor code? What kind of code depends on an external FTP client to work? If you give more details about why your company has such a weird technical debt, maybe I or others can give you more options to switch.

> please answer the question

I did, you asked for alternatives, I gave you Rsync and SCP.


FileZilla is a program that supports multiple file transfer protocols (FTP and SFTP); SFTP allows you to transfer files over the SSH protocol. https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol


> I did, you asked for alternatives, I gave you Rsync and SCP.

AFAICT, they asked about the impact on the Linux build of filezilla (not about alternatives).

Are rsync and scp strict supersets of filezilla's features?


>You have choices, many.

Would you like the email of my CTO to explain to them why I have those choices?

>What kind of code depends on an external FTP client to work?

The type that invests your 401(k)s. Filezilla called from Excel macros.

>I did, you asked for alternatives, I gave you Rsync and SCP.

I didn't. You just told me I was doing it wrong and need to change it to do it right.
