CNet's Download.com now bundling Nmap with malware (seclists.org)
314 points by taylorbuley on Dec 6, 2011 | hide | past | favorite | 67 comments

Shit. I just found that my application which was updated last week and is the 10th most popular system utility app on Download.com is also being similarly bundled [1]. This was not the case last week.

I think Softpedia and FileHippo are the only big sites left not doing this ridiculous practice. I'm debating whether or not to pull the application listing. What do you guys think?

[1]: http://download.cnet.com/EasyBCD/3000-2094_4-10556865.html


The benefit of our freeware not being open source is that we retain full control over distribution and packaging. Unlike nmap and others, we actually have a legal right to demand that CNet, et. al. either host the unaltered EXE or pull their listing.

I have just sent CNet a "cease and desist"-ish open letter, which we've also published on our blog. We will be forwarding this to any and all download sites we find bundling EasyBCD with their intrusive downloaders and installers, as that goes explicitly against the products' licensing agreements, which are there to prevent exactly this type of behavior.

Link: http://neosmart.net/blog/2011/open-letter-to-cnet/

tl;dr of link: C&D bundling of EasyBCD with installers and downloaders or pull the listing.

Most people would think it was you who bundled those extra "apps", not download.com. To protect your app's brand I would remove it from download.com.

You can certainly put such demands into an open source license.

Perhaps the easiest way of doing it is to actually put the restriction on the trademarked name, forcing them to distribute it under a different, likely unrecognized, name if they want to change the officially distributed package.

I'd personally pull it. People are going to download it and it will then look like YOU bundled it this way.

Either it's your app or not.

(What would Microsoft's reaction be if BestBuy modified Office to install iTunes?)

> The benefit of our freeware not being open source is that we retain full control over distribution and packaging. Unlike nmap and others, we actually have a legal right to demand that CNet, et. al. either host the unaltered EXE or pull their listing.

This isn't correct. Having open source software only means that you have to provide a way to get the source (for example, a download link, or an email address to contact; note you don't have to provide the source itself directly). You can control the branding of your application so only the official bundle can be distributed under your application's name.

If you take a look at Mozilla Firefox, it can only be branded as such if it hasn't been modified. If you do modify it, you have to turn off branding, and you get a generic globe icon with the development name. This only applies to the program itself however, not the installer. For your case you could probably mandate that distribution of a binary installer with your application name must be your official installer.

If you ask them to they'll probably remove the crapware. Paint.NET is no longer bundled with anything due to the author contacting them about it.


majorgeeks.com has been my go-to download site for a while now because of this kind of nonsense. I hope they don't go down the same road as download.com.

While you're here:

The gallery link appears to 404:


Thanks. It was an absolute link missing the leading / so it went elsewhere. Should point to http://neosmart.net/gallery/album/view/neosmart/EasyBCD/Easy... now!

C|Net / download.com has been doing this a while. They're even doing it to companies that pay to have their product(s) promoted on download.com. From what I understand, a C&D isn't necessary. If you email cnet-installer@cbsinteractive.com, they will remove the wrapper from your application.

BTW, here's a discussion about this from ~three months ago:


This is one upside to using trusted repositories with signed applications in the Linux Distribution model. It's not perfect but at least this kind of sadness doesn't happen. There's no good reason this couldn't be done for Windows as well; it's just that users are conditioned to download from assorted random sites to collect the apps they want.

Would be a good community project which would likely attract the kinds of people who use nmap anyway.

More to the point: if you pick the right distribution, there's at least a stated policy of not doing crap like this.

Debian has a social contract (http://www.debian.org/social_contract), a constitution (http://www.debian.org/devel/constitution), and a policy (http://www.debian.org/doc/debian-policy/). Each of these serves to describe what the Debian Project does, and more importantly, doesn't do. The social contract clearly states "Our priorities are our users and free software". Software which violates this principle will, at the very least, generate rancorous debate, if not be pulled outright. Odds are very good that behavior such as that CBSi / CNET / Download.com has exhibited would NOT be tolerated.

This is among the key benefits of using Free Software (in the FSF sense). You aren't the enemy or product of your software vendor. You are the goal.

I've got very strong reasons for believing that the Microsoft Windows applications model is fundamentally and philosophically incompatible with this mode of operation.

The Mac world seems slightly better, but it's likewise got some serious conflicts of interest, though there's far less a record of useless OEM bundling (forbidden by Apple) and force / drive-by installs. Mostly due to Apple's very focused attention on the end-user experience, if not freedom.

Yes, I do have one word of caution though:

I downloaded VLC to my netbook through apt-get and ran it from the terminal. When run from the terminal it was outputting errors like the below (not actual domains):

    cannot reach 442g.com => skipping...
    cannot reach muzak.com => skipping...
    cannot reach 3g3.com => skipping...
    cannot reach gewedw.com => skipping...
    cannot reach ewfr.com => skipping...

I've always wondered why but never really looked into it.

Perhaps it is looking for details of your music/CD/DVD. There is an option for it to automatically fetch such details as a list of tracks, artist, etc., to display.

I remember the first time I found Sun bundling the Yahoo! toolbar along with the Java runtime.

I knew at that moment that Sun had lost its self respect and had no credible strategy for Java. I immediately went back to developing C++ for MS Windows and Perl for Linux.

> I remember the first time I found Sun bundling the Yahoo! toolbar along with the Java runtime.

Rest assured that they have now ceased this insane practice.

Now the JRE installer force-installs the Ask Toolbar instead.

There's often a huge divide between business people and consumers on what is fair.


That's why companies trying to increase revenues are continually blindsided when their actions outrage people.

This, and preinstalled "crapware" on newly bought computers/phones happens because vendors have no incentive not to do it, except perhaps out of goodness their heart. Yes, it disgusts me too, but moral issues aside:

(a) Vendors are looking to make money (simply speaking) and bundling crapware is a low-hanging fruit to do so. They have a choice between making $X per customer and $X+30 cents. Which choice should they pick?

(b) Users are not savvy or discerning enough to notice that they are getting the said crapware. We, techies, care. Do mainstream users care? They buy a new computer (or download an app), and they get the computer or the app, as far as they are concerned. How can grandma know that the "monthly anti-virus subscription" popup is "unwanted"?

People will buy/download from $VENDOR with or without crapware. Companies want to make more money and they have no reason to be "good." They gain more than they can lose. Until these variables change (say, if users revolt, or class action suits arise, or $CONGRESS_PERSON complains, or advertising revenue somehow diminishes, etc.), this will sadly keep on happening.

See also Sony offering to sell Vaios without the bundled junk for an extra $50.


What an egregious abuse of user trust. I hope this destroys their brand forever.

Until this story hits mainstream, there's no hope of that happening. Even if it does hit mainstream, you need a bunch of talking heads that are able to explain to luddites what the implications are.

One can hope it destroys the brand for power-users. It's been a while since I've been using windows, but in the past I've trusted download.com when I needed some piece of freeware. I'll be more careful now.

What about all the open source projects hosted there? A quick search shows that they offer VLC and Firefox - are they clean?

The guy in the Nmap mailing list says

    I've just discovered that C|Net's Download.Com site has started
    wrapping their Nmap downloads (as well as other free software
    like VLC)

It has in my mind. I feel sorry for all the users who would still trust them.

I feel sorry for anyone who's ever had to use download.com.

This is disgusting behavior from what could be considered the first "app store". What a shame.

First "app store"? Hello, Simtel? Tucows? and before them countless BBSes?

How about Stroud's? It's even still sort of up: http://cws.internet.com/

And to think that Microsoft is paying them for it.

O how the mighty have fallen.

Worth noting that CNet is under new owners (CBS Interactive).

Worth noting that if enough bad PR gets into the lamestream media about this it could be a death knell. CBSi doesn't exactly monetize well, and CNet has always bled money.

It's not (most likely) the case of Microsoft going to them. Microsoft (as well as google) just pays for customers that you bring to their search. Many products make living out of it. Now, CNet just wanted to make more money. It's a shady practice to do it this way, but Microsoft shouldn't be the one to blame.

I'm not buying this idea that Microsoft doesn't know what's going on.

For CNet to make money on the deal, Microsoft would need a way to attribute the increased traffic to CNet. If Microsoft is paying them significant sums and yet remaining willfully ignorant of the means, then Microsoft is no better than your bottom feeding pay-per-install malware services.

The fact that we're even discussing Microsoft's reputation in this way is what led me to say "O how the mighty have fallen." It's quite sad IMHO.

The toolbar installation is optional. It might not be nice but I don't see why it should be forbidden from Microsoft's side as that's the point behind these partnerships after all (same with Google). Every other product asks you to install their toolbar. The product in this case is the downloader and most importantly CNet's traffic.

Hmm. I wonder if we'd find any of Microsoft's installers being wrapped in such a manner.

Way to destroy one of the remaining strong brands from the (relatively) early days of the web, CBS. (CBS owns CNET.)

Hope it was worth it.

Not that I want to defend CBS, but CNet pretty much runs itself, and had run itself into the ground way before CBS "saved" it.

This happened to software from my company (ActiveState), and we made a request to remove the extra wrapper bits (very much not the user experience we wanted), and CNet complied. Someone just has to ask. [edit: of course, we did also find out _after_ the fact, which we didn't appreciate. We would have pulled our various bits, had they not complied ... but they did]

Their reputation is already tainted. Especially since your company is finding out after the fact.

What stops them from doing it again a month later?

Off the topic here, are there still many people who download software programs from download sites, like download.com, brothersoft.com or softpedia?

Yes. Download.com is the 173rd highest traffic site in the world. They're probably pushing over 100-200k downloads a month at least. Nothing compared to the Apple or Android app stores, but still a significant number.

Assuming an average download time of 1 minute, that's merely 5 or so simultaneous downloads at any particular point in time. That is nothing.

I'm guesstimating that you're off by an order of magnitude.

According to Alexa, somewhere between 0.6% and 0.8% of the entire web goes there every day.

Download.com users are probably over-represented on Alexa simply because of all the tracking crapware they have installed.

I pulled my apps from download.com years ago because the traffic was negligible. It's probably alright if you are in the top ten for a category, otherwise there are much better ways to promote your software.

I'll often use File Hippo, but they've always seemed "cleaner" to me somehow. I even use their updater on some computers, which I wouldn't even consider doing with those other sites.

Only for Windows...

Yes, but the Venn diagram of them and serious nmap users probably looks like a figure 8.

I'm confused. Did Microsoft make a deal with Cnet to include this on every download, or did a third party do this? StartNow (startnow.com) is run by an independent company:

"The StartNow Start page is owned and operated by Zugo Ltd, a start page platform company. Our start pages are usually official operated on behalf of one of our clients or partners. Some pages may be "unofficial" and in support of/dedicated to improving the user experience for an existing product or extending a product's existing functionality."

This sounds like really bad PR for Microsoft. I wonder what they will do.

Microsoft, as well as Google, pays for searches you bring to them. That's why many free applications offer you a toolbar and/or default search. They make money out of it. Similarly, browsers (Opera, Firefox, ..) make money out of it as well. So there's probably nothing wrong here done by Microsoft. It's CNET that is abusing this.

There's something gone very wrong with download sites in the last few years. Aside from this nonsense I've noticed a predominance of very misleading advertisements on download sites (attempting to misdirect you into thinking an ad is your download link). The site owners have to know about this but it seems they don't care enough to do anything about it.

Given the cheapness of s3 storage and such-like I'd say it's smart to avoid hosting on download sites in general.

I'm not saying this is right or wrong.. but there is something worth pointing out.

Technically speaking Download.com is not modifying the original EXE file as some people alleged but using a 'download manager' to intermediate the download of the file.

The bundled 'malware' comes inside this intermediary application and does not touch the original installer other than downloading it to the disk.

This seems to be a phenomenon unique to Windows and growing.

No wonder everybody complains about Windows being slow and full of popups and spam, almost everything you try and install on it seems to want to also install some free trial/browser toolbar/sign up for some online service etc.

I've had good experiences with Windows, but then again, I have some idea of what to do and not to do. (Of course, some of the rampant problems are Microsoft's fault, such as having everyone run as an administrator in XP.)

Surely this is a case for a DMCA take down notice? If they are distributing the copyrighted software outside the terms of the licence, then they are violating copyright and the DMCA can come into play?

Yes, of course, that's exactly what the takedown notice is for. But only a copyright holder can send it (or someone legally allowed to act on their behalf).

From the CBS terms of use:

"6. User Submissions

Some of the Services may allow you to submit or transmit audio, video, text, or other materials (collectively, “User Submissions”) to or through the Services. When you provide User Submissions, you grant to CBS Interactive, its parent, subsidiaries, affiliates, and partners a non-exclusive, worldwide, royalty-free, fully sublicenseable license to use, distribute, edit, display, archive, publish, sublicense, perform, reproduce, make available, transmit, broadcast, sell, translate, and create derivative works of those User Submissions, and your name, voice, likeness and other identifying information where part of a User Submission, in any form, media, software, or technology of any kind now known or developed in the future, including, without limitation, for developing, manufacturing, and marketing products. You hereby waive any moral rights you may have in your User Submissions."

People who have Symantec anti-virus will already have this flagged. No, not the malware but nmap itself!

Many anti-virus software packages flag nmap, netcat & other network utilities as malware.

Thankful for apt-get install beauty.

That is a nicely written & researched complaint. I hope he finds someone to actually sue c|net for this, and not just make them stop doing it for this particular product only.

I work for CBSi and just got this response from the download.com team:

"We remove the installer from pretty much all publishers who request it removed, and the wrapping of nmap was an error. Fyodor has been contacted and had the issue explained. The Download.com Installer has been removed from the product, and we shouldn't be wrapping open-source software. It was a mistake and when Fyodor contacted us, we fixed it."

This should be sufficient cause for all web filters and security software to block access to CNET due to the malware. But will it actually happen, or are they treated with a special standard?

As the "malware" is only downloaded after you installed a download manager, I doubt the Cnet website will get marked as the distributor.

I believe it goes like this:

- User clicks on link to download software
- User is asked to install Cnet download manager
- Download manager downloads more software, including the crapware

Because the actual download does not happen on the Cnet site, it does not get marked as a distributor.

I can be wrong though, this is just my hypothesis of what is happening.
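The two comments above describe the same mechanism from a user's side: the file you receive is a third-party download manager rather than the vendor's installer, even though it carries the product's name. The defender-side check for that situation is to compare what actually landed on disk against the vendor's published checksums before running it. The script below is an added example for this thread, not code from Nmap, CNET or anyone quoted here; the installer bytes, the checksum list and the file names are all constructed stand-ins (the `nmap-VERSION-setup.exe` name is a placeholder, and the digests are computed from the constructed bytes, so none of them is a real release hash).

```python
import hashlib
import re

# Constructed sample data: placeholder byte strings standing in for the
# vendor's installer and for a third-party download manager. They are not
# executables; only their digests matter for the check.
OFFICIAL_INSTALLER = b"MZ\x90\x00 constructed stand-in for the vendor's installer"
WRAPPED_INSTALLER = b"MZ\x90\x00 constructed stand-in for a third-party download manager"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex, the form used in SHA256SUMS files."""
    return hashlib.sha256(data).hexdigest()


# A vendor-published checksum list in the common "<digest>  <filename>" layout.
# Constructed here from the placeholder bytes above; the file name is a placeholder.
PUBLISHED_SHA256SUMS = (
    "# constructed SHA256SUMS file; comments and blank lines are tolerated\n"
    f"{sha256_hex(OFFICIAL_INSTALLER)}  nmap-VERSION-setup.exe\n"
)

# One checksum line: 64 hex digits, whitespace, optional '*' (binary-mode marker), file name.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sha256sums(text: str) -> dict:
    """Map file name -> expected digest. Malformed lines raise instead of being skipped silently."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a SHA-256 checksum line: {raw!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify_download(filename: str, data: bytes, expected: dict) -> tuple:
    """Classify a downloaded file against the vendor's published list.

    Returns (verdict, detail), where verdict is one of:
      "ok"         the name is published and the digest matches
      "mismatch"   the name is published but the bytes differ (repackaged or tampered)
      "lookalike"  the name is not published but contains a published product name
      "unknown"    the name is not published at all
    """
    actual = sha256_hex(data)
    if filename in expected:
        if actual == expected[filename]:
            return ("ok", actual)
        return ("mismatch", f"expected {expected[filename]}, got {actual}")
    # Product name is taken as the published file name up to the first '-' (e.g. "nmap").
    for published in expected:
        product = published.split("-", 1)[0].lower()
        if product and product in filename.lower():
            return ("lookalike", f"name resembles {published} but is not in the published list")
    return ("unknown", actual)


if __name__ == "__main__":
    sums = parse_sha256sums(PUBLISHED_SHA256SUMS)
    samples = [
        ("nmap-VERSION-setup.exe", OFFICIAL_INSTALLER),            # genuine download
        ("nmap-VERSION-setup.exe", WRAPPED_INSTALLER),             # same name, different bytes
        ("downloader_nmap-VERSION-setup.exe", WRAPPED_INSTALLER),  # constructed lookalike name
        ("other-tool.exe", WRAPPED_INSTALLER),                     # nothing published for it
    ]
    for name, blob in samples:
        verdict, detail = verify_download(name, blob, sums)
        print(f"{name}: {verdict} ({detail})")
```

The "mismatch" and "lookalike" verdicts are the two shapes this thread describes: a file that carries the right name but different bytes, and a file whose name merely contains the product name. Neither should be run until the bytes have been obtained from the vendor's own site and re-checked; a published checksum list is only as trustworthy as the channel it came from, so fetch it from the vendor, not from the download site.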

I clicked the 'Download' link for my application and I received an exe for something else with my application name in the file name. So if a user asks to download my application they receive a confusingly-similar one instead and have no choice but to run it to find out what it does.

This is indistinguishable from malware.

This is why, generally speaking, you want to get software directly from the developers.

This top download site in Spanish also uses this scheme: http://nmap.softonic.com/descargar

CNet's reviews are also worthless. So little content, so many skeletal SEO keyword pages.
