A fully descriptive answer is that they don't have a checksum for the bundled package but botg doesn't want to say this.
> Dangerously ignorant user. Not matching filename = the checksum is NOT for that file. Checksums can only be provided for the non-bundled packages, because they're static. Bundled installers are not.
Dangerously ignorant person here. What they are actually saying is that they have no way on earth to be sure what's even IN the bundled packages, nor what it will do to the user's computer.
They have decided that tricking people into downloading malware is a reasonable alternative to charging money for their software or soliciting donations.
It's truly amazing to me that installing Windows software is still like this.
The obvious and immediate solution is to abandon vendors who behave like this. This is challenging because you have to track the reputation of each individual vendor, and users have proven unable to even consistently download the software from the right page, let alone judge individual vendors' track records.
The long term solution is to get off the platform.
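The checksum point above has a practical consequence for anyone verifying a download: a published digest only vouches for the exact file it was computed over, so a verifier must refuse a file whose name has no manifest entry instead of comparing it against the non-bundled package's digest. Added example, not from the thread or the FileZilla project; the installer bytes and manifest in the comments are constructed stand-ins.

```shell
#!/bin/sh
# verify_download FILE MANIFEST
# Accept FILE only if MANIFEST (sha512sum-style "digest  filename" lines,
# the form publishers usually place beside their downloads) contains an
# entry whose filename exactly equals FILE's basename AND whose digest
# matches the file. A renamed or bundled variant with no entry is
# rejected (exit 2) rather than being "verified" against the wrong entry;
# a matching name with a different digest is rejected too (exit 1).
# Limitation: manifest filenames containing spaces are not handled.
verify_download() {
    file="$1"
    manifest="$2"
    name=$(basename "$file")

    # Exact filename match only; also tolerate the "*filename" binary-mode form.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }
    ' "$manifest")

    if [ -z "$expected" ]; then
        echo "REJECT: '$name' has no published checksum; the manifest does not cover this file" >&2
        return 2
    fi

    actual=$(sha512sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "REJECT: digest mismatch for '$name'" >&2
        return 1
    fi

    echo "OK: $name matches the published checksum"
    return 0
}

# usage: verify_download ./client-setup.exe ./SHA512SUMS
```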
Ug. Running untrusted executables on any platform can be trouble. The problem is that by blaming the platform, people keep putting the onus on these OS's, distros, etc to build walls around carefully curated gardens. Gotta take the good with the bad. Either you accept that people can run untrusted executables or you give up the flexibility to build/use/distribute untrusted executables yourself. Sadly it seems as devs grow into larger companies and prefer the latter, they forget their indie beginnings enabled by the former. "What's $100?" they say. "Getting a cert is easy" they say. "If you aren't building anything dangerous, why do you have a problem with curation?" they say. The same anti-freedom arguments are always there in the name of safety.
If you downloaded untrusted Filezilla and executed it raw on any platform it could be an issue. If users required Filezilla to be distributed in the Windows app store, it could be less of an issue. One could argue the fact that installing Windows software is sometimes still like this is because of the lack of restrictions against it. But as users keep complaining and devs stay silent, all platforms including Windows will continue to reduce liberty in the name of safety and you'll feel better.
Many who have mainly used Windows haven't experienced what typical software installation is like on systems like Linux. One hardly ever needs to run untrusted executables, for any reason. If you do, they come from one or two trusted sources, not one of hundreds of private websites. That is just not how Linux software is distributed. It doesn't abridge freedom, either - if you want to run untrusted executables, nothing is trying to stop you.
Then, if you do have an executable to install from, the installation process is more likely to be one command run in a terminal than a GUI 'wizard' that takes 10 minutes, frequent attention and 20 clicks, and tries to convince/trick you to install a bunch of other software.
> One hardly ever needs to run untrusted executables, for any reason. If you do, they come from one or two trusted sources, not one of hundreds of private websites
That's just not true if you want up to date software. I can list a ton of software to the contrary and lots of installing that includes just extracting tarballs, or installing their deb/rpm you download, or if they use the distro package manager, they just have you add their server and cert.
> GUI 'wizard' that takes 10 minutes, frequent attention and 20 clicks
Well if you're just gonna give false impressions with hyperbole, a rational discussion can't be had.
Regardless, the issues with installation are primarily the choice of the devs, not the OS. These days they look more like the installation of Nodejs, Go, PgAdmin, VSCode, etc. (i.e. minimal MSIs or just zip extracts) than the complicated adware of yore. That this is not clear, and that you think 10-minute wizards with 20 clicks are normal, makes it seem like you are not familiar with the platforms you talk about.
Not in practice. The Linux version of Filezilla will usually be sourced from a package manager:
$ apt show filezilla
Description: Full-featured graphical FTP/FTPS/SFTP client
A huge portion of the software a typical user requires is available in the standard repository of a Linux distribution. I have one extra Apt repository configured that would be reasonable for a normal user to install: Skype.
They could publish updates to the program, publish new dependencies, or even publish updates to packages you normally get from your main distro repository. If you're doing apt-get update (or equivalent) how closely do you scrutinize the list of changes?
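The risk described above has a standard mitigation: an apt pin that lets the extra repository supply only the package you added it for, so a routine apt-get update/upgrade cannot pull a vendor's replacement of a distro package or a new vendor-only dependency. Added example, not from the thread; the origin hostname and package name are placeholders.

```shell
#!/bin/sh
# pin_third_party_repo ORIGIN PACKAGE [PREF_DIR]
# Writes an apt preferences file restricting the repository served from
# ORIGIN (the hostname in its sources.list entry) to the single PACKAGE
# it was added for. Every other package from that origin gets priority -1,
# which apt_preferences(5) defines as "never install", so the vendor cannot
# push its own versions of packages you normally get from the distribution,
# nor add new dependencies, through a routine update/upgrade.
# PREF_DIR defaults to /etc/apt/preferences.d; another directory is accepted
# only so the function can be exercised without root.
pin_third_party_repo() {
    origin="$1"
    package="$2"
    pref_dir="${3:-/etc/apt/preferences.d}"
    safe=$(printf '%s' "$origin" | sed 's/[^A-Za-z0-9]/-/g')
    out="$pref_dir/99-restrict-$safe"

    # apt applies a specific-form record (Package: name) before a general
    # one (Package: *), so the allowed package keeps the normal priority 500
    # while everything else from the same origin is blocked.
    cat > "$out" <<EOF
Explanation: Only $package may come from $origin; block everything else it publishes.
Package: $package
Pin: origin $origin
Pin-Priority: 500

Explanation: Anything else this origin publishes (replaced distro packages, new dependencies) is never installed.
Package: *
Pin: origin $origin
Pin-Priority: -1
EOF
    echo "$out"
}

# usage (as root):
#   pin_third_party_repo repo.vendor.example vendor-app
#   apt-cache policy vendor-app     # confirms the pin and which origin wins
#   apt-get -s upgrade              # dry run: shows what would still change
```

If the vendor later makes its package depend on something only it ships, the upgrade fails loudly instead of silently pulling the dependency in; that failure is the signal to review what the repository is publishing.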
My problem is that I prefer Debian stable, which is very conservative about package updates. But sometimes I end up using Ubuntu, because its repo includes newer packages.
Also, my core systems do not include anything except stable Debian. I only use third-party repos in project-specific VMs. I even use Oracle's MySQL Workbench in an Ubuntu VM. And even Windows 10 VMs, when I need Excel or other Windows-only apps. That is, compartmentalization.
I don't think the comparison of the "wizard" to installing from apt or similar is hyperbole. I'm familiar with the typical Windows apps install process, and I do indeed warrant that that is a realistic comparison. GUI software is more difficult to automate and presents information in a way that's difficult to absorb at a glance, for me.
The 'wizard' does not require a steady 10 minutes of attention, but I don't think 20 clicks is an exaggeration. How many sounds right to you? If you want, I can write an essay contrasting software installation on these platforms because what I wrote sounds right on to me. The fact is that standard procedure to install software on Windows involves clicking "next" over and over again after downloading a binary from some random website.
And this is considerably better than the “this app was downloaded from the internet do you want to open it” message that OSX provides which Windows provides by default also to all files downloaded from the internet.
Well, it shouldn't really be called "bundled". It's more a "drive-by download". What is bundled is only a downloader (so the checksum remains the same). And it offers and downloads what the other party sees more profitable today.
In this sense they really don't know what they bundle.
You think this is bad, you should try the Windows 10 auto updater.
Disclaimer: It's broken on my brand new PC and no helpful on-line fix has worked so far. So I might hold hate in my heart.
It tries to update -- it downloads several GB of patches, reboots and spends about 20 minutes installing -- then it tells me something along the lines of my system being "incompatible" with Windows (I forget the details, it's been a while) and rolls everything back.
Every six months or so I let it try again, in vain hope that the latest version will have fixed the problem. At some point I should get around to doing a clean reinstall, but that means taking the risk that my old Win7 product key would no longer validate.
The worst part is when windows will start ignoring my request to delay updates to the weekend, and will begin restarting my computer during the week whenever I walk away from it for too long.
In Win10 Pro, you can postpone an update for max 35 days (windows update - advanced options - pause updates), but never indefinitely. If a pending update will break your machine (and you know because you already had to uninstall it), there's nothing you can do; it will install in five weeks no matter what. It's a timebomb.
Adding insult to injury is that these are primarily "feature" updates, and the features are for Microsoft's benefit. The April 2018 update enabled "Timeline" in the Task View (Win + Tab). All session activity is now shared with Microsoft by default. It must be disabled in Settings - Security & Privacy - Activity Sharing... so I disable all the new less-privacy things I don't want, and there are a lot of them... a week later, they are all switched on again, without notification or consent, after a subsequent Tuesday update.
And this is the reboot I can't postpone, on the OS I purchased. It's part Heller, part Kafka.
Even better with mine. It rolls the updates back one at a time, rebooting and failing each time, then rolling back another, in a process which takes several hours to complete.
#9 Post by botg » 2018-01-05 09:11
The connections are for fetching offers and, if the user accepts the offer, the offered file. What the file is for is written in the offer text. The network requests to fetch offers are done only after the user has agreed
#10 Post by TigheW » 2018-01-05 16:55
Sorry man, this isn't "bundled software that people want" and no amount of repeating it will make it true. This is a malware downloader bundled with your software and hosted on your page and you're intentionally misleading the users who are here directly asking you if it's safe to run this bundle on their machines. ...
Now the vendors who sell software that doesn't have hidden functionality lose competition to such "free" products monetized with adware, data collection or other shady behaviours. It is easy to see in the mobile game market.
Never any malware on other platforms? Do you not remember Sourceforge?
And let’s not forget that so much Linux software installs these days via curl|sh...
Actually, virtually everything is packaged for at least the major Linux platforms. An exhortation on a web site saying you can install foo via curl|sh can in fact normally be reasonably followed by apt install foo, or the GUI/CLI package manager of your choice.
It would be trivial to integrate a hidden Monero or other coin miner in the source of the main Filezilla program that only runs when the program itself is running. I know I often leave my FTP going overnight for uploading big files (I have really fast downstream but painfully slow upstream) and that's a lot of time for my machine to be surreptitiously mining for someone else. Multiply that by the hundreds of thousands if not millions of Filezilla users across all platforms, and you have the potential for a ton of illicitly gained virtual money at your users' expense.
People in glasshouses shouldn’t throw stones...
There was a pattern where articles about nasty android apps would always include some idiotic line about "Security experts say do not install apps you don't trust."
Who the hell knows anything about the apps they even trust, for all you know they sold out to malware companies yesterday.... there's no way to know.
Let alone that would also mean you never try any new software...
I HATE that line.
It doesn't have to be that way, since there has been a Windows/Microsoft Store for plenty of years now.
But then you have gamers and game devs spreading FUD about UWP and the MS Store, while they praise 3rd party platforms like Steam and GoG that actively refuse UWP apps in their store, while allowing spyware like this.
Yet, nobody dares to hold those platforms responsible.
> The long term solution is to get off the platform.
No, the long term solution is to embrace the MS Store, or at the very least modern platforms like WinRT/UWP that would prevent most types of malware attacks.
Why do we still accept the violation of the principle of least privilege in this day and age?
All: Agenda-driven and single-purpose accounts aren't allowed on Hacker News because they're incompatible with the intellectual curiosity this site exists for. Double that when the agenda or single purpose is advancing corporate interests. It doesn't matter what corp it is, btw; the last time we banned an account for doing this it was a different one.
And do you really think someone working for Microsoft would post something like this? https://www.reddit.com/r/Surface/comments/7of68m/surface_pro...
I'm the most vocal about this pen issue, that could potentially cost MS billions of dollars if they need to recall those devices. I once posted a pen issue thread that got banned from /r/Microsoft once. https://www.reddit.com/r/microsoft/comments/82ilso/the_worka...
There is a perpetual hostility towards Windows users on this site, maybe you should address that first.
They also collect information on files that are "part of an app and either have a block in the compatibility database or are part of an anti-virus program."
How can we trust Microsoft after this?
If you're already on Windows 10, at the very least embrace UWP to get some control over your privacy.
This is reasonable. And, at this point it's important to note that the first comment in the chain advocated for moving off the platform.
Giving the party running the store 30% of all revenue is a hard sell to start with.
More importantly, it gives MS the position to impose whatever it dictates, or even more likely gives every government in existence the right to impose whatever restrictions they like on any app maker in existence, with the threat of instant non-existence.
Want a social media platform to ban anyone who disagrees with the king? No problem, do it or you can't do business. Want your browser to censor whatever your locality wants? No problem, if it doesn't it doesn't get distributed. Want your OS to refuse to install apps that don't follow the store rules? No problem, it's in the government's interests and the company's.
Linux package management works like an app store with an official source and the ability to add whichever sources you choose. A search of available packages shows results giving sources the priority set by the user. Updating the system updates packages from 3rd party sources the same as the others. The major limitation is the labour required to create packages for all the different platforms users prefer, not artificial limits or money paid to the platform "owner".
On Windows nothing much is on the store, mostly because people don't want to give Microsoft 30%. On Linux charging 30% is downright impossible because people would trivially publish an alternative source instead.
Basically your cure is worse than the disease, and since Microsoft won't fix the situation in a reasonable fashion, the only solution is to move off their platform.
> On Windows nothing much is on the store, mostly because people don't want to give Microsoft 30%. On Linux charging 30% is downright impossible because people would trivially publish an alternative source instead.
Most package managers on Linux do not provide any sort of revenue stream. The comparison only holds when the software is free, at which point '30%' is $0.
The main exception I'm aware of, the elementaryOS app center, provides a worse deal. Same 70/30 split for $2 charges, but it's 50/50 on a $1 charge.
On that note, Apple now distributes iTunes for Windows through the Microsoft Store.
Very soon it won't be 30% anymore.
> Linux package management works like an app store with an official source and the ability to add whichever sources you choose. A search of available packages shows results giving sources the priority set by the user. Updating the system updates packages from 3rd party sources the same as the others.
There exist 3rd party package repositories on Windows too.
> On Windows nothing much is on the store, mostly because people don't want to give Microsoft 30%
There is plenty of stuff in the MS Store. https://youtu.be/GCVhmKVRkk0
All my software, except for some dev tools and some games are from the MS Store.
> On Linux charging 30% is downright impossible because people would trivially publish an alternative source instead.
Steam is on Linux and charges 30%.
> Basically your cure is worse than the disease, and since Microsoft won't fix the situation in a reasonable fashion, the only solution is to move off their platform.
Microsoft already provided a fix, called UWP.
The MS store does NOT have user configurable repos for consumer versions of windows.
Me: No solution which gives a single party absolute control over what software a user is allowed to run is a long term solution.
I install and update from Chocolatey whenever possible.
Personally I have come to the conclusion that the best solution is virtual machines with a Linux base system. Put every game that is sticky to Windows into its own little container and just have hardware passed through. That way every form of sticky platform only exists in a small pocket of virtual space. The tricky part is getting all this working as smoothly as if it was just one system that just happens to have really good sandboxing for untrustworthy platforms.
For home users perhaps. Enterprise users are often locked into ERP clients, for instance, that are Windows only.
But the real killer reason enterprises use Windows is Active Directory. Simple GUI SSO and policy based management. For instance I could have a white-list that didn't have this adware on it and could apply it by group-policy...
I don't quite agree. Active Directory is an easy to learn and deploy implementation of LDAP, Kerberos, and DNS (often in combination with CIFS) with a friendly GUI interface. It also adds Group Policy, which is less simple to replicate on Linux. Then it adds a huge pool of admins who have been through the vendor-supplied training process. I can show people how to create a user and add them to my company defaults in minutes, and not just because they are familiar with Windows, but because they are familiar with the desktop metaphor.
I am a keen Linux user, I am typing this on Linux in fact. We have lots of processes running on Linux in fact. But I cannot replace the ease of AD in Linux. And more than that, our ERP client only runs on Windows...
If you're using Red Hat/Fedora GNOME desktops, you can pair that with Fleet Commander to set up desktop policy: https://fleet-commander.org/
At some point soon, I expect it to work for SUSE and Mageia systems, too.
I currently run this on a Fedora Server setup to pair with some Fedora Workstations I manage.
This is a big plus for locking down mostly untrusted users (eg average employees in a larger enterprise).
Edited to fix stupid autocorrect.
Is there a Windows license available to consumers that allows simultaneous installation on multiple VMs under a non-Windows-based hypervisor?
The question about "how many installations does one license allow" does not seem to be much explored by the courts, so I am not that worried for personal setup like this. One could argue that multiple VM is just technical details for what is in practical terms a single user and a single machine.
This stopped being true from like Windows 7. Please stop spreading FUD.
Just to be clear, at home, I run GNU/Linux, too. But it's not like catching a virus is inevitable fate on Windows.
This is only true if you're careless or technically inept.
> of course the hour(s) of lost productivity per day compared to linux
I don't lose any productivity by using Windows. Not sure where you're getting this from.
>They have decided that tricking people into downloading malware is a reasonable alternative to charging money for their software or soliciting donations.
If you would be so kind enough as to show them how to make money perhaps they'll stop doing it.
> It's truly amazing to me that installing Windows software is still like this.
Eh? Which OS platform are you using that does not allow a user to execute binaries?
You CAN install binaries on other platforms, but on, for example, Linux distros there is a curated platform of packages where you can get most/all software.
The fact that this is the default way to install software and regular users don't need to look beyond the official repos is why installing software on linux isn't this kind of shit show.
> You CAN install binaries on other platforms, but on, for example, Linux distros there is a curated platform of packages where you can get most/all software.
Sure, but things often work better when you pay people upfront rather than get something for free and let them fend for themselves. In the case of Linux packaging, there is no mechanism for monetization or advertising, so the point doesn't come up.
>The fact that this is the default way to install software and regular users don't need to look beyond the official repos is why installing software on linux isn't this kind of shit show.
I'd use Linux if it had the software that I want to use. So a bit of apples-oranges here...
Whoah, for a second I thought this was 1999.
Yes, Linux won the server side, it is hard to fight against free beer.
Now getting desktop software companies to invest in such market is another story.
Yes, it is indeed proven that when you pay people to develop software, it works great. (Linux, FF, Chrome, Photoshop, Windows, etc, etc). The license doesn't seem to make much of a difference.
When you don't - (your typical freeware on download.com) - they have to figure out a revenue stream after the fact, and the choices they end up making cause them to be on the front page of HN where people line up to call them "scum".
Obviously this is not about hobbyist/part-time developers with a github repo, who are already getting paid through an external job, etc.
Just to point out, there are commercial versions of Linux (Red Hat, SUSE Linux, likely others). Both with workstation and server variants.
Only for some other unscrupulous company to replace them? Ideally, the most profitable method should be ethical by nature, unlike the current situation in software (and games, of course) where the most profitable methods are among the least ethical.
I don’t get why microsoft isn’t pushing all these vendors really hard to distribute through the windows store. The windows store is a graveyard compared to the mac app store, despite having a head start and a bigger target audience, and it’s basically impossible to use windows without sideloading apps. Microsoft is pushing windows S at people, where you can’t sideload software, but the windows store just isn’t ready for that and all it will do is push people to the mac when they inevitably have a bad experience.
No, that is a false statement.
> I'm not going to tell someone how they should make their living
Be consistent. Don't tell apple how to make their living.
Let’s call this what it really is: The FileZilla owners are actively encouraging users to install malware as a way to monetize. That is very clear.
Avoid FileZilla by all means.
In every circumstance I immediately ceased using anything made by them.
Cyberduck was what I moved to after the FileZilla installer on Sourceforge forced me to wipe & reinstall Windows a few years back. It's available for MacOS and Windows, GPL3 licensed and worked great for me at the time. I've since moved to Linux so I haven't been able to play around with any of the newer features/versions but it would be the first thing I tried if I switched back today. Definitely recommend taking a look.
I also dispute "It's a tautological false-positive, by the very definition of the term, _everything_ is potentially unwanted."
That's not the definition. Here is a definition in line with what just about everyone means by the term:
"A potentially unwanted program (PUP) is a piece of software that is also downloaded when a user downloads a specific program or application. PUP is similar to malware in that it will cause problems when it is downloaded and installed."
Or my own shorter definition: "Software that nobody would want on their computer if they knew what it is and does."
It sounds like that's exactly what was detected.
I don't dispute, but I'm curious about his claim that AV vendors maliciously flag their competitors' legitimate software. I wouldn't be the least bit surprised if that's true, but it's the first time I've heard of it.
Back then, they were doing it as part of the (previous incarnation of) SourceForge's "DevShare" offering. E.g. malware authors got SourceForge to bundle crapware with popular Win installers, and gave the developers a cut of the take.
It seems like the FileZilla people didn't like that revenue stream being cut off, and went to the source directly afterwards. :(
Do you really truly think they did an adequate job responding to the complaints/criticisms/questions? Seriously?
>The lack of actual rebuttal — a tonne of valid points were made about the bundled binary, the dats, the phoning home, the unsigned executables, etc. None of them were addressed.
Maybe the dude didn't go into excruciating detail but I understood the reply. Which part of the reply was factually incorrect?
>3) the nonsense about digital signatures
Could you link to the comment ?
>Do you really truly think they did an adequate job responding to the complaints/criticisms/questions? Seriously?
I don't know which complaints you're referring to. Some are reasonable, and others are just wild accusations. But just to give you an answer that you will be happy with, No, they didn't.
Your reactions to this post deeply concern me. I do believe this is a serious problem you should at least entertain investigating whomever you have an agreement with in regards to bundling their stuff into your installer.
Those domains its communicating with have several hits on known malware/RATs reports. For instance, https://www.maltiverse.com/sample/a98b1 ... 38233c50b7.
Here is another that spawns the same type of .exe which turns out to be NJRAT malware -> https://www.hybrid-analysis.com/sample/ ... mentId=120
Your defensive attitude is what alarms me the most. Almost as if you might care more about your bundle agreement profits than your users security/safety.
Hole in one. I wouldn’t trust those admins to make me a cup of tea, and I agree that their attitude reeks of deception for selfish reasons. Nobody should ever trust their software again, full stop.
I do so because I hope other people will listen and stop doing business with them leading to a decrease in profit and THEN changed behaviour from the culprit.
There is lots of factual information. They are factually doing a lot of malware-like behaviour in their installer and bundling software from questionable sources they have no control over. At best they are putting their customers at risk.
The only facts that can possibly emerge are that it's actually worse and customers are getting their identities stolen or some such.
Rabble rousing is literally the only way anything gets fixed.
> They are factually doing a lot of malware-like behaviour in their installer and bundling software from questionable sources they have no control over.
Their explanation was that AV vendors flag their competitors, so now in the 'arms race', competitors have resorted to downloading individual bits from random URLs and then merging them together. This would be a technique that malware would use to possibly defeat security software, but hey, it's also how torrents work. Tools can be used for good or bad.
They earned their reputation as untrustworthy.
Whoever wrote these replies would probably do well in politics.
Of course there is trustworthy freeware. You can get it using Apt, Yum, Ninite, Chocolatey, Homebrew, or just by going to the actual site of a trustworthy software product.
The fact that the people who run most download sites are scum isn't a problem with the software. It's a problem with those sites.
Are you associated with FileZilla? Why are you here bringing out the "everyone is doing it" defense?
Then your prior comment makes no sense to me.
>Of course there is trustworthy freeware. You can get it using Apt, Yum, Ninite, Chocolatey, Homebrew, or just by going to the actual site of a trustworthy software product.
If you don't use the crapware downloader, then the vendor doesn't get any money. I noted that pretty much all freeware is bundled like so, including your "trustworthy" software, on various other download sites.
Then the only way the vendor can stay in business is if enough people download the crapware version.
>Are you associated with FileZilla?
Huh? Why are you asking, and why would it matter?
>Why are you here bringing out the "everyone is doing it" defense?
I am not. It's your interpretation that's flawed.
People should have all the information they need to avoid malware, so they can make good decisions, such as installing WinSCP from Ninite instead of installing FileZilla by any method.
You keep denying that trustworthy free software exists, and yet when anyone points out that it does, you change the topic to something fraud-ridden like download sites. People who cheat on tests believe everyone is cheating on tests.
I do not care one bit for your business model. Please go out of business ASAP.
I understand how your kind of free software makes money perfectly well. It's not trustworthy in the slightest.
You don't need to make money to make a program that copies files. And if you bundle your free software with a scam, you're not making money as a software developer anyway, you're making money as a scammer.
Re your comments, personal swipes like "you seem very confused", "you are unable to understand", "rather than wild accusations and hysteria, I'd recommend calm collected analytical thinking" are certainly uncivil and violate the site guidelines. We ban accounts that make a habit of this, so please (re-)read the rules and use the site as intended from now on: https://news.ycombinator.com/newsguidelines.html
>Re your comments, personal swipes like "you seem very confused", "you are unable to understand", "rather than wild accusations and hysteria, I'd recommend calm collected analytical thinking" are certainly uncivil and violate the site guidelines.
There are several flaws in your interpretation, but I don't wish to convince you otherwise.
ksk - many hn readers build using free software for places like google, amazon etc, that are trusted all the way up to places like the CIA. Seriously, please troll somewhere else. Basically no one working in almost any open source project wants to be working with an author that bundles in crapware, ESPECIALLY if the author doesn't actually even control the crapware. If you don't get why this is a bad idea you'll have to trust folks who use open source software regularly that this is a bad thing.
But that sideskirts the question of whether to continue using software where the authors are willing to put their users at risk by monetizing with what is apparently malware bundles.
FileZilla is by all accounts a fantastic piece of software. I’ve used it for years, both the client and the server, and it’s no doubt provided significant value to me over the years.
And yet I’ve never paid the FileZilla authors a penny for their services.
So while I didn’t force the FileZilla authors down this dark path that they’ve chosen to use for monetization, I accept that I am part of the problem.
Users should know exactly what they are offered. Hiding a clause like "you allow us to do anything we want" in a EULA should not work.
« Our installer fetches random crapware once you click past the giant wall of text. »
I feel like you missed the point though. There's no obvious question to the computer user that this is going to happen; i.e., there is no consent. Which is important with regards to GDPR.
Next, what happens is the question. Either the security of the computer is breached (which I'll just call "malware" from hereon), or PII is being sent (spyware).
Malware seems obvious to me. That's breaching computer security, which has been illegal for quite a while now. Not worth the discussion, though recently the government of The Netherlands made it legal for the police to hack its civilians.
Spyware's legal status seems to have changed since GDPR though. Sure, a lot of spyware is shady, makers of it don't care. But the spyware being bundled with software was done by someone. And in this case, it appears to be within FileZilla's responsibility.
You may not be from the EU; I saw FileZilla developers being obviously from the EU and I am from the EU as well. So the GDPR does apply for me, for sure.
It's 2018. f* filezilla.
winscp is a decent alternative
- shut down that thread at the first opportunity (it's their own forum so they are able to do that)
- as a corollary to the above, always run your own forums for questions, support, fandom, etc. so you can kill threads, guide the conversation, ban users, or redesign the site giving cover for losing history that you don't want remembered
- ban that particular user who was giving the best analysis; a real reason is not necessary -- just allege that he violated the terms & conditions
- have someone preview all questions and comments before they get posted in your forum; you know how some sites say, "Your comment is awaiting moderation"? -- you need to do that
- never give official answers to any questions (the founder and original developer was replying in his own name); instead, always reply as a fellow user, knowledgeable and helpful, but allowing the company a way to disown any replies given out
- don't even bother to reply to questions you don't want to answer; just ignore them (the current thread would surely have died out if the founder had not given those silly obfuscating answers); you can compose a crafty reply only if it becomes a big problem
- have a bunch of fake users (employees, PR department, outsourced agents) ready to pounce on, rebut, or ridicule the user providing the good analysis; similarly, have those fake users guide the discussion or completely change the topic
Some large software companies get away with far worse tricks and shenanigans, affecting millions of users, by following the principles above.
It will only take a security researcher who identifies one of those unsigned processes, in the past or future, as malware, and people who are infected by the same malware can check if they also have filezilla installed, and boom. A lawsuit is born.
Post #14 revived the thread 11 days ago and the last seven or eight posts are from the last 24 hours or so.
Looks like the thread has since been "locked" to prevent further discussion.
> Apparently FileZilla has more than one installer package. The discussion in the [HN] forum link is about their "bundled" installer. We use the one without the junk-ware bundled. Below are links to the virustotal results for the packages we use.
What are good alternatives?
WinSCP looks to be my new default.
The way they did it is quite shady.
Basically, when pointing out security problems, I find that people are much more likely to actually listen if you present an alternative action. I will probably just use sftp from the command-line, but that won't fly for some.
Here is an alternative: https://winscp.net/eng/index.php
Right, nothing shady about this UI pattern at all.
>"This installer may include bundled offers." makes this also very clear.
It makes nothing clear. It's purposely vague language used to disguise the fact that these "bundled offers" consist of software no person would actually choose to install on their machine.
>For anyone saying that Filezilla can't be trusted anymore due to doing this, it's still open source and you can check out and build the code yourself: https://filezilla-project.org/sourcecode.php
What would that accomplish? The issue is that the dev doesn't even know what the hell comes across the wire when you choose to install this crap. How is reading the FileZilla source helpful?
It's funny, I've been using the Internet long enough that I almost instinctively ignore such buttons and look for the actual link. The bigger and more lurid they are, the more easily I ignore them --- just like automatically scrolling past banner ads and such, I suppose it comes with experience.
Of course sometimes the "too obvious" button is the right one, but that's been a minority.
Instead, it looks like they've taken up with the malware creators directly.
Wonder what the most appropriate solution would be?
If Google were to "ban" FileZilla from its results (due to pushing malware), it sounds to me like that would work.
If they need money, they should ask for donations instead. Patreon was suggested elsewhere in this thread.
It gives the client a detection score of 7/67. This raises the question for me of what's considered an acceptable detection score on virustotal.
Before this I'd have looked at a score of 7 and concluded that as the great preponderance of opinion is that this file is fine, it's fine, probably.
Seems like a good alternative with a modern UI.
Am I reading this right? It sets off my "malicious stuff" alarm but I'm not a security wonk.
We need to cut all that trash out.
(1) This is what I think about that section of the Internet, remember this is me putting myself in his shoes.
And at first I would feel guilty about scamming my users, but later on I would probably blame them for being stupid. And when others ask questions in the forum I would just reply tersely and arrogantly and say "It's all correct because I wrote a disclaimer.".
So, when you say "They make it clear", IMO that is very arguable. He (is the author of the software the same guy as the forum moderator? I'm getting the impression it's a one-man show) did the least he needed to do to be able to get away with installing crapware on their trusting clients' machines, because his aim is to make money, and he can make more money if fewer people notice the warning. I'm betting his lawyer told him he should write the warning on the download page; if I were him I would've thought about just putting a "By downloading you agree to the terms and conditions of the software being offered" with a link to a page with a wall of text, but probably his lawyer told him "that might be iffy."
This is a bit like Facebook saying they made it clear that they will copy SMSes and call logs from your phone...
Too bad really.
Nautilus, Gnome's file manager, has offered this functionality for several years.
> Another is that it's easier for those unfamiliar with a terminal
That's a weird thought considering that the parent comment is using Linux.
It is also ridiculous that people on other platforms do not have a bullet proof file transfer tool baked into the operating system. Even VAX/VMS had better built in file transfer tools than what Windows has today.
If I had a choice I would, but unless you have a few million dollars to give us to refactor 30 years of technical debt, please answer the question.
That's not how I wrote my comment above, I gave you alternatives.
> If I had a choice I would
You have choices, many.
> unless you have a few million dollars to give us to refactor 30 years of technical debt
How is using FileZilla a technical debt? What are you requiring from FileZilla that you need a few million dollars to refactor code? What kind of code depends on an external FTP client to work? If you give more details about why your company has such a weird technical debt, maybe I or others can give you more options to switch.
> please answer the question
I did, you asked for alternatives, I gave you Rsync and SCP.
afaict, they asked about the impact to the linux build of filezilla (not about alternatives).
are rsync and scp strict supersets of filezilla's features?
Would you like the email of my cto to explain to them why I have those choices?
>What kind of code depends on an external FTP client to work?
The type that invests your 401k's. Filezilla called from Excel macros.
>I did, you asked for alternatives, I gave you Rsync and SCP.
I didn't. You just told me I was doing it wrong and need to change it to do it right.