Don't download software from SourceForge if you can help it (howtogeek.com)
161 points by ub on June 10, 2015 | hide | past | favorite | 48 comments

In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.

This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.

Very interesting! I'd be interested to hear the corporate-speak rationale for this. Kind of interested, anyway.

> Very interesting! I'd be interested to hear the corporate-speak rationale for this.

I'm not affiliated with Sourceforge in any way, shape, or form--thank the fucking gods--but I suspect it would be something along the lines of "our downloader and associated offers are optimized to automatically use fewer resources in an environment, such as a VM, where computing resources are scarce."

Resources are also always limited on a single computer, but most companies usually don't care because it is cheaper to use a higher level language.

This is unbelievably malicious! In our earlier discussion there was some discussion about the installer asking for permission to install crapware. In fact, if you're going to do malware stuff like this, why even ask?

On a technical level - how come you can detect VMs? With something like BOCHS, and if you lie about wall time inside your OS, can't it emulate a PC perfectly? How does crapware know whether it's in a VM or not?

This is a nice article on the matter: http://web.archive.org/web/20110929075510/http://invisibleth.... It doesn't appear to work reliably anymore, but the principle is the same.

Even if we reached the point where VMs never technically revealed they were VMs, I think the human element might still play a part. When I spin up a VM for a quick test, I might leave it on 512MB or 1GB RAM - but this could be a giveaway that it's a VM (not 100% of the time, granted) given how unlikely a fresh installation of Windows is to have that small amount of memory.

Well, there are a couple things - For one, the hypervisor presents different "hardware" than you would get in a standard HP or Dell box. And often the hypervisor has a driver package to install, to facilitate communication between the OS and hypervisor - this is used mostly to manage memory overcommit with things like a memory bubble.

As the hypervisor gets low on RAM, it tells its driver in the VM OS to use more RAM, which steals some away from that system. Then the hypervisor swaps that RAM or puts it out of play in another way, and gets to reclaim the underlying physical RAM. At least, this is the VMWare way of doing it, not too sure about MS or Citrix or RH or others.

Well, on a Windows VM in VMWare products, you can just ask the OS and it will happily report the manufacturer as "VMWare, Inc" for example. I would expect other virtualizers to do something similar, if not there in some other places (like drivers etc).

You can emulate a PC perfectly. But in practice there's a tradeoff between perfect emulation and performance, and since a VM's goal is typically to run cooperative software quickly, they aim for performance.

For example, for best performance you want to run the instructions in the VM directly on the hardware CPU so that they run as fast as they would outside the VM. But not all instructions can be run safely this way, so the VM will trap some and emulate them. This is necessarily slower, so a program can detect the presence of a VM by noticing that some instructions are much slower than they ought to be. You can lie about the time, but the bookkeeping needed to do so accurately imposes a lot of overhead.
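The two tells described in the comments above (asking the "hardware" who made it, and noticing that an intercepted instruction is slower than it ought to be) can both be checked from unprivileged user space on x86. The following program is an added example written for this page; it is not code from the thread, from SourceForge's downloader, or from any hypervisor vendor. It reads the CPUID "hypervisor present" bit and the vendor signature that leaf 0x40000000 returns, then times CPUID with RDTSC. The function names, the 200-sample median and the 1000-cycle threshold are assumptions of the example, not calibrated figures:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0   /* non-x86 build: the probes below report "no data" */
#endif

#define TIMING_SAMPLES 200
/* Assumed threshold (not a calibrated figure): native CPUID is usually a few
 * hundred cycles; a VM exit and re-entry typically costs well over 1000.
 * Calibrate on the hardware you care about before trusting it. */
#define CPUID_VM_THRESHOLD_CYCLES 1000ULL

/* Probe 1: CPUID.1:ECX[31] is the "hypervisor present" bit. When it is set,
 * leaf 0x40000000 returns a 12-byte vendor signature in EBX,ECX,EDX.
 * Returns 1/0; if vendor is non-NULL it receives the signature ("" if none). */
int cpuid_hypervisor(char vendor[13]) {
    if (vendor) vendor[0] = '\0';
#if HAVE_X86
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    if (!(c & (1u << 31))) return 0;
    if (vendor) {
        __cpuid(0x40000000, a, b, c, d);   /* __get_cpuid refuses this leaf */
        memcpy(vendor, &b, 4);
        memcpy(vendor + 4, &c, 4);
        memcpy(vendor + 8, &d, 4);
        vendor[12] = '\0';
    }
    return 1;
#else
    return 0;
#endif
}

/* Map well-known leaf-0x40000000 signatures to a product name. */
const char *hypervisor_name(const char *sig) {
    static const struct { const char *sig, *name; } known[] = {
        { "VMwareVMware", "VMware" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "Microsoft Hv", "Hyper-V" },
        { "KVMKVMKVM",    "KVM" },          /* padded with NUL bytes on the wire */
        { "XenVMMXenVMM", "Xen" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
        { "bhyve bhyve ", "bhyve" },
    };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(sig, known[i].sig) == 0) return known[i].name;
    return sig[0] ? "unknown hypervisor" : "none";
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Probe 2: every hypervisor must intercept CPUID, so a VM exit is added to
 * its cost. Time it with RDTSC and take the median to damp out interrupts
 * and frequency changes. Returns 0 on non-x86 builds. */
uint64_t cpuid_median_cycles(void) {
#if HAVE_X86
    uint64_t samples[TIMING_SAMPLES];
    for (int i = 0; i < TIMING_SAMPLES; i++) {
        unsigned int a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);            /* serialising, so t0/t1 bracket it */
        uint64_t t1 = __rdtsc();
        (void)(a + b + c + d);
        samples[i] = t1 - t0;
    }
    qsort(samples, TIMING_SAMPLES, sizeof samples[0], cmp_u64);
    return samples[TIMING_SAMPLES / 2];
#else
    return 0;
#endif
}

/* Combine the indicators: any one of them says "probably a VM"; none of
 * them proves bare metal (see the caveats in the note after this block). */
int looks_like_vm(int hypervisor_bit, const char *vendor, uint64_t cpuid_cycles) {
    if (hypervisor_bit) return 1;
    if (vendor && vendor[0]) return 1;
    if (cpuid_cycles > CPUID_VM_THRESHOLD_CYCLES) return 1;
    return 0;
}

int main(void) {
    char vendor[13];
    int hv = cpuid_hypervisor(vendor);
    uint64_t cycles = cpuid_median_cycles();
    printf("hypervisor bit : %d\n", hv);
    printf("vendor string  : \"%s\" (%s)\n", vendor, hypervisor_name(vendor));
    printf("CPUID median   : %llu cycles\n", (unsigned long long)cycles);
    printf("verdict        : %s\n",
           looks_like_vm(hv, vendor, cycles) ? "probably a VM" : "no VM tell found");
    return 0;
}
```

Build with `cc -O2 vmtell.c -o vmtell` and run it once on a physical box and once in a guest to see the difference. Two caveats a practitioner should keep in mind: the hypervisor bit is also set on bare-metal Windows installs where Hyper-V or virtualization-based security is enabled, so it is an indicator and not a verdict; and both tells can be suppressed from the VM side (VMware's `hypervisor.cpuid.v0 = "FALSE"` hides the bit, and most hypervisors can offset or scale the TSC), which is exactly the "bookkeeping overhead" trade-off the comment above describes. The "Manufacturer" string the Windows comment mentions comes from a different source (SMBIOS/DMI tables via WMI), one level above the CPUID signature used here.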

I've heard that it's mostly searching for VM addon software used in VMs, like VirtualBox Guest Additions.

>in fact if you're going to do malware stuff like this, why even ask?

Just a guess, but probably plausible deniability reasons for when they're inevitably brought to court.

There is no plausible deniability if it does something different in a VM. That takes active coding to set up; there is no reason anyone would ever have any code that has this effect.

There are PLENTY of reasons to code your application to act differently based on environment... while many of them may be bad, not all of them are.

Some abuse this to make speed tools run faster, à la graphics card tests that run faster when they detect NVidia/AMD... some abuse it to skirt protections in VMs...

Do we need to ban torrents because a lot of torrents are illicit materials? Ban bitcoins, because some people use it for drugs? Ban tor?

I was only referring to the "why even ask?" part of your post. They most likely ask during the installation for liability purposes.

VM behavior or not, asking or not, I've hoped they get in legal trouble for this as soon as I knew about it, but of course, IANAL.

"In truth, the man was an oathbreaker, a deserter from the Night’s Watch. No man is more dangerous. The deserter knows his life is forfeit if he is taken, so he will not flinch from any crime, no matter how vile."

~ Ned Stark, A Game of Thrones.

I think that pathetic blog post where they tried to justify their actions made one thing clear - SourceForge knows how dead they are. No amount of internet outrage is going to help, they don't think they've got anything to lose at this point.

The best thing to do at this point would be to speed up their demise. If you're a developer that still hosts with them, delete your project and move to Github or Bitbucket.

Also, start reporting these malicious pages to Google so they don't show up in search results. https://www.google.com/safebrowsing/report_badware/

Also contact the people who provide mirroring services for them.

Take away their free bandwidth and they'll collapse even quicker.

Perhaps someone should mirror SourceForge and rebuild binaries and take SourceForge out of the equation?

I wonder how many people outraged here know YC funded a company that bundles malware with installers and continues to justify it publicly on HN.

This makes me so mad and sad at the same time. For years, it would bring me immense pleasure to just browse projects on sourceforge to see what the world was up to. Now this is just another case of corporations ruining a good thing. I'm glad there are links to Filezilla and Gimp - two products I use frequently.

I kind of view it as a consequence of the market falling out from under their feet - it's cheap enough to host your own files now, and with package managers (even on Windows!) the power users that used to be the target audience of SourceForge have been vanishing.

IMHO it's more a function of their inability to compete with Github and Bitbucket. They were slow to react to the rise of distributed VCS, failed to exploit their social network features, and probably had already accumulated too much technical debt to effectively change course by the time overall trends became clear. Once developers shifted, power users had to follow suit.

I was just remembering when sourceforge first appeared and how awesome it was. I slowly started browsing projects on there instead of freshmeat. It is just sad, and frankly a little weird.

> Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.

This is an error on Google's part. For everyone's sake, they need to apply some serious ranking penalties to malware distributing sites like SourceForge, as well as click-through warnings that you are going to a site other than the original authors'.

I've tweeted someone close to the Pywin32 project (hosted on SF) asking to move it, but didn't get a reply. For long-established projects, it's not an easy migration. Please keep prodding any critical project you know of.

Some people just don't care or they're profiting from it like Tim Kosse of Filezilla - https://forum.filezilla-project.org/viewtopic.php?t=35221 and https://forum.filezilla-project.org/viewtopic.php?t=30240

At least for Mac, there is a TINY "direct download" link next to the SF Installer button. Using this link will provide the non-junkware, original install files.

If you download from Sourceforge try unzipping the installer which will usually defeat the spyware installer that they have been bundling with it.

So sad. Especially for Windows tons of valuable stuff is there, especially smaller utilities like DDMM and similar :(

Just today I had to get Boost for the first time since the whole gimp-win debacle - their tars and zips are hosted on SourceForge. Guess I'll be building from Git until they fix it :/

It's only .exe installers that are affected, and probably only ones that they can easily wrap; I doubt they're actually modifying any source code.

Can someone provide a link to FileZilla that's not through SourceForge? I just posted an Ask HN about this.

Two trusted packages available at https://chocolatey.org/packages?q=filezilla

Also available from https://ninite.com/

Why are the packages from chocolatey trusted?

I am not familiar with chocolatey but the powershell script on https://chocolatey.org/packages/filezilla (click show files) contains the following:

  $url = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win32-setup.exe/download"
  $url64bit = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win64-setup.exe/download"

So it's still fetching executables from sourceforge using plain http with no checksums or signatures in sight. On the assumption that the executable does include the sourceforge malware, the silent install argument ("/S") passed to the executable by chocolatey seems to be the only reason it's not installed along with filezilla.

Is there any reason to believe ninite does anything different?

We should play this up more on our site, but Ninite (I'm a co-founder and we're YC W08) does this stuff right.

All our .exes are signed, app config information comes over https, and downloads are all checked for hashes that match our testing before being automated. We're not just naively adding silent switches either, we'll automate clicks to get through less well-behaved installers when needed.

Why can you trust Ninite? Money. Thousands of businesses pay us for Ninite Pro and the free version is our marketing department. We're extremely careful to make sure our updates come out on time and junk free.

for the real lazy: https://ninite.com/?select=filezilla

I hadn't thought of choco, but good call on that.

If you're on Windows, consider upgrading to WinSCP (http://winscp.net/eng/docs/free_sftp_client_for_windows). Not only is it a nicer UI and updated more often, but they have direct downloads with no crapware.

I would recommend not using Filezilla at all, honestly. The creator was entirely unapologetic about bundling malware.

I know, this isn't very helpful, but if you don't like how software is distributed for your system there's still the option to use a system that solved this during the '90s.

I never use the "downloader", either from Akamai, Sourceforge, etc. I downloaded a few programs recently on sourceforge and never had to use their software.

Just realized the double meaning of "forge" in SourceForge:

1) to form or make by concentrated effort

2) to imitate fraudulently; fabricate a forgery

They're certainly living up to definition #2..

tl;dr: don't download from SourceForge, it uses its own installer bundled with garbage. Do download using ninite.com (https://ninite.com/), the "only trusted" downloader according to these guys.

This is why we need some kind of trade organization -- the developers who wrote this stuff need to be kicked out, or disciplined in some way...

There would have to be a lot of careful discussion about such an organization. I would hate to see it end up being little more than a vector for rent-seeking, and shutting people out of our industry for a host of arbitrary reasons (immigrants, people with the "wrong" education, etc).

Yeah, I'm just saying that fields like engineering and law have recourse for bad industry behavior. I wish software had the same or a similar path.

This has been brought up multiple times and I couldn't agree more. It'd be great to have a trade organization for software developers where they can be evaluated by a board and lose their "license" to write code. There are some SERIOUS down sides to that, but that'd have to be fleshed out in another forum.

Is BOTH Sourceforge and Github -other-verted or per-verted? or sub-verted? The attack on the clean code-base continues.

Advice. Unix Linux - separate user. low privilege. configure, make, but make install with ROOT PRIVILEGE. check files.

All source code should have search engine keywords for vulnerabilities, updates, etc., for even BSD is somewhat broken, IMHO.

Make it easier for the NOT C expert and ASM expert to install reasonably clean software, PLEASE.

Thank U. Thank U. Thank U. ... 1000 times

ARE BOTH Sourceforge and Github other-verted or perverted-like? What are the alternatives?

Thank you. Thank you. the attack on code repo and the infiltration of the clean database continues, perhaps.
