Filezilla at SourceForge is malware (sourceforge.net)
Jan 7, 2015

Just want to be clear about something:

- This program (bundling) is opt in for the project (Filezilla) and SourceForge ("the pimp") pays Filezilla ("the whore") for each download.

- This isn't recent. In fact it started well over a year ago and was well publicized.

- Even a year ago it was all very malware-y.

- A lot of people were super dismissive about this issue a year ago (see Reddit threads and here). In fact many supported the practice.

- Those same people are now whining about it.

- Suggesting that "but Github exists!" as a solution entirely misses the point. Sourceforge pays the project money, and both Sourceforge and the project profit. So unless Github can match that (hint: it cannot) then that is a non-starter.

This is why I have high hopes for integration with the Microsoft store in Windows 10. I'd be pretty happy giving the Filezilla people .99 cents, assuming no 3rd party installer tricks. MS would store my credit card, it would be a one-click process, take the onus of hosting from Sourceforge/Filezilla, and pay a nice little chunk of change on the side directly to the Filezilla people.

Of course, anyone is free to fork it and host it for free. There are a lot of little things that drive me crazy about Filezilla. I imagine others have the same issues. I could see a fork with good management being very successful.

Ha! The Windows Store is a scum-ridden wasteland. The second top result for Facebook is a fake scam app, claiming to be official. There is a fake Facebook app, paid, that claims to be published by "@Microsoft Corporation". Contacting Store support results in them telling you the app "works as designed", and if you have a problem with the fake publisher, MS suggests "leave a review".

Even Netflix had a hard time preventing fakes from being published. Over a month or two, Netflix had to contact MS several times, and MS didn't suspend or remove the publisher. They resubmitted and got listed again. Try searching for HBO, xfinity, etc.

MS is not interested in fixing this problem. Probably some folks have their bonus tied to " number of apps published " and that's that.

I emailed Satya and the manager of the Store, to no effect. The Store is a joke.

For this particular case, if FileZilla is popular, you'll have several fake paid apps. If you're lucky there may be an official app, with no way to verify it's the right one. For most users, they'll be rolling the dice just as much as they are now. Only if FileZilla is extremely diligent would it work. Disney, for example, is a top publisher for the Store, yet all sorts of fake Disney content is on there. I called Disney about this, and after about 15 minutes they figured out "don't go there" (referring to the Store). Even top publishers have a hard time dealing with it. BBC is another case, where top "official" results aren't.

I think this is a point a lot of open source projects miss. They can, and probably should, sell the software even though it is open source.

Trademark (?) protection would prevent a third party from using their name even though it was open source (at least I think so based on the whole Iceweasel event).

Personally, I'd also gladly pay Filezilla a small amount even though it's open source.

It's 4 in the open source definition.


You can protect your name even while being open source and free.

This is why I use the zlib license.

Main problem with that is it depends on if MS are still pushing metro. If it can't install proper desktop programs, it's worthless.

Also, if it silently autoupdates, it's worthless.


Fun fact: Everyone calls it "Nye-Nite", but it is pronounced as it is spelled: "Nin-Ite".


Ninite Ninite Ninite.

Why are these links to Ninite.com flag-killed? It's a tremendously useful program, IMO. Is there some secret danger about this tool I'm missing here?

I'd post my one-click-install-all-the-useful-things Ninite link (which preselects a custom selection of software into one installer) that I use for quickly setting up clean Windows machines at the kids' technology centre I work at. But I fear it might get flagkilled too. (ah doesn't matter anyway, I'm sure the average HNer is smart enough to make their own selection, and currently looking at my selection, some of the tools seem a bit out-of-date, wouldn't pick those today anymore).

> Everyone calls it "Nye-Nite"

I have never pronounced Ninite as "Nye-Nite" or heard anyone else pronounce it that way in the UK.

I'm guessing you are American?

This is correct. I actually contacted Filezilla's developer (Tim Kosse) regarding this several months ago, and he let me know that this bundling was intentional on the part of Filezilla.

>- Those same people are now whining about it.

I tend to doubt that. HN commenters in one thread are not the same as HN commenters in another thread.

Even if HN threads are not comprised of the same people, it is still remarkable how entirely different sets of people show up depending on which way the wind is blowing.

Well, I didn't know this, and I'm glad I know now. I'll be looking for an alternative GUI SFTP client for Windows.

I was a bit confused though, I'm pretty sure I installed FileZilla on some Windows machine less than a year ago and would've noticed any malware. But now that I think about it, I used Ninite.com, a multi-install tool for free Windows software, which automatically opts out of any nasty toolbars and such, so I just didn't see it at the time (I'm assuming the malware is at least opt-out, right?).

Doesn't matter though, bundling toolbars/malware is a no-go for me. I know I can (usually) get rid of such pests if they get on my system, but I know so many people who would have a much harder time. Those people are being taken advantage of, they're not "choosing" to have this malware. I can't recommend this type of software to such people because they might get malware if they install it themselves, so they need alternatives without malware. Therefore I won't use the malware-bundled software myself either, because I want to check out the alternatives and see which ones are any good (and I don't really need FileZilla, anyway).

You can get it without the downloader, but it is non-obvious as you have to choose the other download options. To me that implies downloads for different platforms.

The installer is horrible, and I think that the last I looked at it, the options were all opt-out, they hugely abused anti-patterns to make that process all but impossible.

GitHub also does not host simple binary downloads.

If you read through this thread [1] on the filezilla forums, you'll see that the administrator defends the use of SourceForge over and over. My guess is that they're receiving kickbacks of some sort for the installation of said malware.

[1] https://forum.filezilla-project.org/viewtopic.php?f=1&t=3294...

Yes, SourceForge give you money, I believe.

Someone has to pay the bills.

I think the world would be better if people just expected to pay a small amount for software, but we don't live in that world, and so we get "free" software you can download "for free" that installs a bunch of crap so the developers can get paid.

Up until rather recently, it was hard to pay or receive sub-dollar amounts. This problem is solved on the two mobile platforms (though Apple still takes a much larger cut from payments). Paypal / Stripe / Square sort of solve it in the web space.

But we still lack a nice software store (or several) where you could pay a piece of software and pay a nominal amount (or more if you choose to donate), knowing that you won't receive any malware / nagware in exchange, and that a large cut of your payment goes to the authors and maintainers.

Similar things seem to happen around indie musical tracks, so probably the model could survive in the "indie" software area.

Yep, I love it when I find good music on YouTube and a link to Bandcamp where I can pay a small minimum amount (or more). They seem to have done something right, as I and others typically pay well over the minimum price.

Just make sure to add ?nowrap to the end of the URL and you'll download the original package without that crapware installer SourceForge adds.

Sounds like a job for a userscript.

...and someone has already made one for SF and a few other sites: http://userscripts-mirror.org/scripts/review/417459
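The ?nowrap trick above is easy to automate. The following is an added example, not the userscript linked above nor anything from SourceForge or FileZilla: a pure helper that appends the flag to a URL (preserving an existing query string and fragment, and leaving a URL alone if the flag is already there) and a link-rewriting pass that only touches SourceForge download links. The host/path patterns used to recognise a download link, and the assumption that SourceForge honours the flag when it follows other query parameters, are assumptions for illustration.

```javascript
// Added example (not from the thread or the linked userscript): rewrite
// SourceForge download links so they carry the ?nowrap flag.

// Append "nowrap" to a URL's query string. Keeps any existing parameters and
// fragment, and returns the URL unchanged if the flag is already present.
function addNowrap(url) {
  const hashIndex = url.indexOf('#');
  const fragment = hashIndex >= 0 ? url.slice(hashIndex) : '';
  const base = hashIndex >= 0 ? url.slice(0, hashIndex) : url;

  const queryIndex = base.indexOf('?');
  const query = queryIndex >= 0 ? base.slice(queryIndex + 1) : '';
  const params = query === '' ? [] : query.split('&');
  if (params.some(p => p === 'nowrap' || p.startsWith('nowrap='))) {
    return url; // flag already there, leave the link untouched
  }
  params.push('nowrap');
  const path = queryIndex >= 0 ? base.slice(0, queryIndex) : base;
  return path + '?' + params.join('&') + fragment;
}

// Recognise a SourceForge download link. The host and path patterns are an
// assumption for illustration: the sourceforge.net domain (or a subdomain)
// with either the downloads host or a path ending in "/download".
function isSourceForgeDownload(url) {
  let u;
  try { u = new URL(url); } catch (e) { return false; }
  const host = u.hostname.toLowerCase();
  const onSourceForge = host === 'sourceforge.net' || host.endsWith('.sourceforge.net');
  return onSourceForge && (host === 'downloads.sourceforge.net' || u.pathname.endsWith('/download'));
}

// Rewrite every matching link in place; returns the number of links changed.
// In a userscript you would pass document.querySelectorAll('a[href]'); here
// any array of objects with an href property works, so it runs under Node.
function rewriteLinks(anchors) {
  let changed = 0;
  for (const a of anchors) {
    if (!isSourceForgeDownload(a.href)) continue;
    const next = addNowrap(a.href);
    if (next !== a.href) {
      a.href = next;
      changed += 1;
    }
  }
  return changed;
}

// Constructed sample links for a stand-alone run.
const sampleAnchors = [
  { href: 'https://sourceforge.net/projects/filezilla/files/latest/download' },
  { href: 'https://example.com/download' },
];
console.log(rewriteLinks(sampleAnchors), sampleAnchors[0].href);
```

The string handling is deliberate: the WHATWG URL API would serialise the flag as `nowrap=`, and the thread only vouches for the bare `?nowrap` form.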

If that is indeed that easy - everyone should be aware of this.

Assuming sourceforge will not get rid of that feature after too many people start using it.

It sounds more like a SourceForge issue than FileZilla. SourceForge used to provide clean binaries, but I guess they changed that process in the past year or two to bundle apps in the installer wrapper. You need to be extremely careful during the installation process to make sure that you do not accidentally install some extra software. The same happened to uTorrent - they also added tricky questions during the install process to include advertisement, change the default browser and such. That's a sad way to earn money - the end-users will definitely move on because of that.

FileZilla could choose to move away from SourceForge, to be honest - any party staying with SF after stunts like this (and this isn't the first one) are as corrupt as SF themselves are IMO

par0xyzm is hellbanned, but this is interesting: http://gonullyourself.org/ezines/exp/exp02.txt

is hosted at Sourceforge, so they share a server with thousands of other customers. Every single customer is able to execute commands and access the other project directories. Pretty stupid, eh? You only need to find one hole in one hosted site and you can access ALL the project databases

> [...] are as corrupt as SF themselves [...]

Or they are just dangerously lazy.

Unfortunately it must work because people keep doing it. If it didn't increase revenue companies would stop doing it.

It's the same with those timed modal windows on blogs. They piss a lot of people off. But they also increase email capture rates, and sites with large audiences usually see revenue increase as a result.

> Unfortunately it must work because people keep doing it. If it didn't increase revenue companies would stop doing it.

Unless it's a desperate attempt at saving a sinking ship.

If SourceForge want to stay afloat, they should reinvent themselves as a decent GitHub alternative or pivot. Bundling malware for kickbacks and keeping the old site design won't take them anywhere good.

Open source software really should abandon SourceForge. You can't even download any binaries through HTTPS from them. Even if you log in the download links redirect to plain HTTP.

There's really no reason to use SourceForge anymore. GitHub can do almost everything SourceForge can do, aside from app reviews I guess. GitHub also doesn't make you feel like you're in 2004.

I don't know, GitHub isn't quite as easy to navigate as a layman if you're just looking for a synopsis and downloads.

That's a very important point if you're distributing your software to non-technical users, but a download button in either the README.md should do the job. You could also use a GitHub site and host a simple download site for your repo.

It seems to me that if a project on GitHub is interested in making it easy for lay-people to download, then a little dose of

should do the trick? (Personally I found SF's interface confusing and incredibly "busy" -- I don't think lay-people would fare much better, but I could be wrong.)

There's no big "Download" button but you can easily add one yourself.

There should be one.

Don't diss 2004. SourceForge looked dated even back then.

I don't think GitHub hosts regular binary downloads like this, it's just for source mainly.

They do. I don't think they did at first. I think that is a major reason why you see a lot of code hosted on GitHub and the binaries hosted elsewhere.

github doesn't host mailing lists

some people want that 2004 feel. Also some people don't like github, __even the creator of git doesn't like github__

> __even the creator of git doesn't like github__

That's like saying "even the creator of baked beans doesn't like Tesco". So what?

If the creator of a software critiques your SaaS that uses his software maybe you should pay more attention to it? I am sure Linus knows git a lot better than most of us.

But does he know website development better than most of us?

He doesn't complain about the website design; he is complaining about the functionality. In fact he's stated in interviews he doesn't wish to ponder in web development.

I am not surprised someone whose career has been writing the lowest of low-level software, kernels and device drivers, isn't interested in the total opposite end of the spectrum, web development.

Linus's problems with GitHub are mostly with how it handles pull requests, IIRC.

As well as commit messages, he said it's fine as a mirror

Indeed, but how is any of this relevant to the OP?

isn't this more, the SourceForge wrapper is acting unsafely?

regardless, this has been happening for the entire last year with the consent of the developers: https://forum.filezilla-project.org/viewforum.php?f=1&sid=13...

I would be very doubtful they will listen to their users any further about the harm it does.

I'll probably avoid FZ from now on, I don't exactly enjoy using software that is openly hostile towards me

Wow, yeah, this thread: https://forum.filezilla-project.org/viewtopic.php?f=1&t=3294...

I think it is best to avoid these guys.

While I initially thought this as well, at some point the site admin (botg) posts this:

""MalSign.Generic.F84". Looks like a typical false-positive generated by a heuristic.

There is no malware in the SourceForge Downloader, you can safely use it to install FileZilla. While the SourceForge Installer may present third-party offers, they are clearly labeled as such. All third-party offers can easily be declined. Nothing unwanted is being installed without your consent. Declining offers does not prevent nor otherwise disturb the installation of FileZilla.

If you do not wish to use the SourceForge installer, have a look at the additional download options listed on the FileZilla website."

His stance seems to be that it's not malware, rather a false positive (I have no proof to claim he's wrong and if he is, it could be a honest mistake; he's trusting SF, which I understand), and he mentions that you can also download Filezilla from their own website, without the SF installer.

That seems pretty reasonable to me, but again: at first I got the impression they (FileZilla's owners) simply didn't care.

I hate what SF has been doing, and I refuse to use their installers (although I'm primarily a Linux-user so I don't have to worry about these installers, thankfully), but I don't really feel like the FileZilla owners should be avoided as it looks like they're simply trusting SourceForge, nothing more. I hope I'm right. ;)

My main issue is that the offers only exist to either affect the people who don't know any better (and would probably choose the opposite if they were more educated about such practices), or those that mis-click.

Most people, when presented with a) a logo (of a group they trust), and b) accept or decline, they are going to make assumptions and not read the middle.

Which ends up affecting a lot of users: every bad review relating to the installer and every complaint in the forums (once again, in relation to the installer), is a person who has been deceived and had a negative experience, because of a decision of the FZ developers (and the installer is choose-able by the project developer, last I inquired)

Filezilla's community is toxic and the project's creator can be aptly described as tyrannical.

If you use Mac check out Transmit by Panic. It's the best FTP client I've ever used.

If you don't need anything fancy, Finder's own "Go -> Connect to Server" menu option can open FTP sites.

I'll second the Transmit recommendation. As a bonus, it nicely supports AWS S3 and S3-compatible object stores.

Filezilla is free and cross-platform. That was a lot of the appeal to me.

I use CyberDuck which has a free edition and is open source too. It doesn't support Linux, though.

I don't think you can count it as free if it comes loaded with malware.

To be clear though, it's the SF installer not FZ itself. You can most certainly go and compile it yourself.

Filezilla isn't malware. The SF installer is malware

How does Transmit compare to Cyberduck?

I've heard similar things about FileZilla and its creator. Do you have any recommendations for an open source, GUI-based, Linux FTP client?

Most of the time I simply scp or rsync files as necessary, however I use FileZilla to manage files on my phone and tablets via FTP. I've never found the FTP/SFTP/SMB support in Thunar to be all that reliable...

Maybe Midnight Commander? It can open FTP-connections (and shell connections, too, allowing secure copying of files over SSH rather than FTP), has that well-known dual pane layout, and, while not a GUI application, can be controlled the same way a GUI application can without even needing X. :)

IIRC GNOME has FTP and SFTP support, so you should be able to just use Nautilus.

I'm not using GNOME. I'm using XFCE, and unfortunately in my experience Thunar (the XFCE file manager) doesn't handle those sorts of connections too well. I think it's more to do with the FUSE layer beneath it (possibly the same driver that's used by GNOME).

Unfortunately I haven't. For the most part, I'm a Windows user, so I've been using Explorer for plain FTP to my phone (which, while not great, does do the job more-than-well-enough for my uses).

For sftp, you can just mount it locally with sshfs and then use $FILE_MANAGER

Unfortunately, like I say, I've tried that (using Thunar - the otherwise fantastic file manager in XFCE). I'm not sure if it's Thunar's fault, or it's the FUSE layer beneath it, but I've always found it to be a little unreliable. Plus I like to be able to see connection logs and manage the activity queue in the same way I do with FileZilla.

Here's a recommendation: stop using FTP.

I wonder if Mozilla could argue that Filezilla is infringing on their trademark and damaging their reputation because of this.

I mean, it's an open-source client for a common internet protocol that ends in "zilla". It would be easy for users to assume that Filezilla is affiliated with Mozilla.

And up until the move to Sourceforge's adware downloader system, that would have been fine for everybody - they're both good products.

But now? Now filezilla is riding on mozilla's coattails with the confusion and profiting from it, to the detriment of mozilla's reputation.

We've been sending Windows clients to https://ninite.com/filezilla/ to download it but perhaps we ought to start avoiding it completely. I don't particularly like any other FTP client I've used in Windows, but it's been a while since I looked.

Have you tried WinSCP? Since I found it, I haven't touched FileZilla.

Agreed. WinSCP is not only easy to use with a fairly "native" Windows feel (just drag and drop stuff from one half of the window to the other), but it's also not bundled with malware.

Yep, same here. I can highly recommend WinSCP.

I haven't, thanks for the tip!

I've been a fan of Cyberduck for quite some time now.

I like Cyberduck for quickly creating expiring S3 download links.

hmm I did not know there was a windows version.

That's a neat website and product. I've often wanted a quasi-package manager for Windows. Now I use Linux almost exclusively however :/.

For something a bit less "quasi" there is https://chocolatey.org/.

If you're on Windows, it's a great site. I just had to provision a new laptop, and it saved me a ton of time, since I was able to install about a third of my checklist with a single download.

A friend of mine uses this: http://portableapps.com/ (I use Linux.)

WinSCP has always been my go to FTP client for windows.

Simply entering the ftp address into an Explorer window has always worked for me. Is there any extra functionality that Explorer doesn't provide?


Queueing, setting how many files can be copied at a time, etc are all valid features.

SFTP. Changing UNIX modes. Choosing active vs passive per-server. Choose text or binary transfer. Resume transfers. Copy only changed files based on time or size.

SFTP transfers mostly. Also the ability to store bookmarked servers seem to be the big issues.

Yeah, no self respecting IT person uses explorer to connect to an FTP.

It works really well unfortunately. I would prefer my installations without the potential for malware, but I don't see another sftp client as mature as filezilla. There used to be a ton and then it emerged as the best. fwiw it seems the auto updates are malware free.

I always install FileZilla through Ninite or apt-get, so I know my installation is clean, but I'd like to stop using and recommending FileZilla out of principle because of this (and reading the responses on the filezilla forum). Everyone else in my office uses FileZilla as well, and I'm sure many of them used the sourceforge installer and didn't fully read the options.

But you're right, I don't know any other decent FTP clients that I would recommend. Maybe someone on HN knows of a good alternative?

> I don't know any other decent FTP clients that I would recommend.

I use a paid version of SmartFTP & like it. Combines Filezilla with Putty.

WinSCP is a nice alternative.


WinSCP is far superior to filezilla. At my last job, stuck using a Windows machine for some things, I ended up using it quite extensively. Every bug I submitted to the author was fixed within months. He is also active on the forums, though has a bit of a Linus Torvalds style... which can be offputting for some.

Filezilla use will drop because most admins I know that hear about this will immediately write it off as too dangerous to even try to get around. Sure you can dig into the sourceforge files and maybe find a clean version, or maybe find a checksummed mirror, but would you really trust it?

That is true. I like the fact that it runs perfectly on Wine.

lftp is a really nice command line ftp client. It's scriptable too.

EDIT: I missed the 's' in 'sftp'. But as for that, there's commandline sftp, from openssh. But I realize it's apples and orange juice.

lftp supports sftp just fine:

    $ lftp
    lftp :~> open sftp://example.com
    lftp example.com:~> ls
    (...lists files...)

I'm not sure if you have to be running a key-agent, but I was.

SourceForge itself pushes a lot of malware these days. If your software comes in an installer, I wouldn't trust it.

https://www.virustotal.com/fi/file/d0d418efb07df4378b24bccac... If you download the package, it will be a unique malware package for you. So if you check it with VirusTotal, it's not the same file.

As usual, Avira is right on the money with "Adware/InstallC.buzg." ESET is pretty good too with "a variant of Win32/InstallCore.UQ." None of the other providers clearly identified it.

If you really need FileZilla, you can directly download the portable version with this workaround.

Visit http://downloads.sourceforge.net/project/filezilla/FileZilla... to directly start downloading

Or, switch to some other FTP client.


List of FTP Server Software - https://en.wikipedia.org/wiki/List_of_FTP_server_software

Comparison of FTP Client Software - https://en.wikipedia.org/wiki/Comparison_of_FTP_client_softw...

Or click the direct download link on the front page.


Or just download via ninite.com & auto installs w/o the crapware.

Or get the PortableApps.com version.

As time marched on, I've found myself more and more hesitant to use SourceForge at all, even to download things. If a project isn't available on GitHub, BitBucket, or through a package manager, then I'm very unlikely to download the source.

Separate from any particular issue with Filezilla: all Sourceforge downloads are via insecure HTTP, so could be redirected elsewhere, or corrupted in transit, to deliver malware.

Even if you try to use an HTTPS link, Sourceforge redirects to a plain HTTP download.

And if you ask them about this, you get no reply. Which is interesting.

Yes, they should be regarded as a malware site these days. It's a shame, really. Some other site should probably mirror the projects that aren't anywhere else and host them properly.

Just an FYI for those cases when you need to download something that isn't available anywhere other than SourceForge: there's a small, plain-text "direct download" link under the big download button.

They tend to move this around a bit to make it harder to spot, but it's always been there since the malware-infested download manager was introduced. The malware & crapware is entirely limited to SF's download manager. The application binaries themselves are totally clean.

This is not about SourceForge or FileZilla. This is an issue that plagues most Windows freewares, everyone is integrating offers to the installer. Even FileHippo started this recently.

The download manager (wrapper) of these 2 companies is provided by the same Israeli company, InstallCore.

As far as I remember this is an opt-in feature for developers who host their projects on sourceforge that makes the installer offer additional software, by 3rd parties, to be installed. That additional software may be malicious.

Ever since 2007-2008, Source Forge and places like CNET really started to lose trust for me. When I noticed something from source forge had some sort of downloading tool I put my hands down and refused to continue with that sort of thing.

We have enough Ask Toolbar kind of crap from Oracle Java installers, and when useful tools step to doing similar things, it really makes me lose respect and find alternatives.

As a developer, I need to have a work environment that is robust and dependable. Additional promotional packages that can slip through will disrupt or degrade my work. That is not something I can take and feel sane.

What about doing a Fork of it? Clean build. Call it Forkzilla.

I haven't paid for the program and have not installed any adware on my machine. I am happy with the product and have no qualm with someone who has spent their time making something trying to profit from it. I'm not the sort of person who opts in to install malware so it's not an issue to me. If I wanted to be upset about something I would buy a commercial, ad-free program and complain that it does not have the features of filezilla.

I've had a similar experience trying to install OpenCV.

I use Windows, and I couldn't figure out why something like OpenCV could possibly have malware with it. When I downloaded it, Chrome said "Stop! This is malware!" I thought that there was no way there could be a problem with the file unless Sourceforge was having issues.

What fixed the issue for me was downloading from a different mirror. So perhaps some of the mirrors are compromised?

I faced the same problem. This is a total mess and I could not believe that a most reputed web program like Filezilla hosted at Sourceforge is a malicious software. The best thing should be that Filezilla should be available for download from https://filezilla-project.org firsthand.

Solution: Use the zip version. It's portable. Avoid sourceforge where possible. The download page even says:

>This installer may include bundled offers. Check below for more options.

Yes, it's a bit dirty. Valid discussion here is how to make open source viable, otherwise pimps like sourceforge will exist.

Now get off my lawn with your fancy installers :)

Can we file a report against SF? Then when users attempt to enter the site browsers will warn about the dangers.

I haven't trusted anything from SourceForge since they were compromised 4 years ago, regardless of their 'data validation'.


What happened to you Sourceforge? I hope the same thing doesn't happen to Github in 10 years.

I've been a long-time user of WinSCP anyway, regardless of FileZilla's antics. Seems to work better, for me at least.

Unfortunately, this is a reminder that free software isn't a guarantee of software freedom or safety.

This is a solved problem: https://chocolatey.org/packages/filezilla

Chocolatey packages include silent, malware free installers

Is there a good cross-platform alternative to FileZilla?

Or seeing as it's licensed under GPLv2, maybe we should just setup a GitHub repo with the latest source and links to pre-compiled binaries.

I think Google should mark SourceForge as malware site.

Also let's not forget that Filezilla will silently cache all your credentials in plaintext without telling you :(

Sourceforge has been doing this for years. I would never download anything from there these days.

Nobody should use Sourceforge. I rarely take projects seriously when hosted on Sourceforge.

so easy to avoid by just toggling the Direct Download Link option at top of file list to On

I'm an idiot, but does this impact the Linux version? I use Filezilla on my Ubuntu that I downloaded around September 2014 and I'm not sure if I downloaded it from Sourceforge. I am guessing this issue is only for Windows, right?

If you used `apt-get install filezilla` then no. Does anyone know if sourceforge include malware for their Linux binaries?

I installed via the Linux Mint package manager and found no issues of malware.

Wow. They even wrap the source packages, and the portable ones.


For Windows and my own servers I don't even bother with FTP anymore, it's just another possible entry into my servers. WinSCP / SCP itself works fine, no FTP server required.

Is there a fork without the malware?

The worst thing about FileZilla is clear text password files. The developer refuses to fix it; I am not sure why.

What's the alternative? It's a good thing that the developer does not give you a false sense of security.


A master password, no?


See the acres of discussion about Google Chrome not having a master password. The fact that they caved in and now provide a master password does not mean it's a good idea.

The argument that I recall for Chrome not having an optional master password was that it was often less secure than using the system's encrypted data store for their account, if available.

Requiring a master password to decrypt the network passwords is a perfectly fine idea if you want to maintain portability and reduce the chance that your network passwords are accidentally exposed. An attacker has to both have the password file and either figure out the master password or have code execution privileges on the user's account to gain the network passwords. This is more secure than trying to ensure the password file doesn't get "misplaced" (e.g. on an unencrypted drive, in unencrypted backups, unintentionally through a fileserver, etc).

Someone tries to monetize his GPLd software in an unfriendly way.

Seems to me like there's a market for a reasonably priced, excellent, simple, Windows FTP client. (cross-platform bonus points)

