In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.
This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.
Very interesting! I'd be interested to hear the corporate-speak rationale for this. Kind of interested, anyway.
> Very interesting! I'd be interested to hear the corporate-speak rationale for this.
I'm not affiliated with Sourceforge in any way, shape, or form--thank the fucking gods--but I suspect it would be something along the lines of "our downloader and associated offers are optimized to automatically use fewer resources in an environment, such as a VM, where computing resources are scarce."
this is unbelievably malicious! In our earlier discussion there was some discussion about the installer asking for permission to install crapware. in fact if you're going to do malware stuff like this, why even ask?
On a technical level - how come you can detect VM's? with something like BOCHS and if you lie about wall time inside your OS, can't it emulate a PC perfectly? How does crapware know whether it's in a VM or not?
Even if we reached the point where VMs never technically revealed they were VMs, I think the human element might still play a part. When I spin up a VM for a quick test, I might leave it on 512MB or 1GB RAM - but this could be a giveaway that it's a VM (not 100% of the time, granted) given how unlikely a fresh installation of Windows is to have that small amount of memory.
Well, there are a couple things - For one, the hypervisor presents different "hardware" than you would get in a standard HP or Dell box. And often the hypervisor has a driver package to install, to facilitate communication between the OS and hypervisor - this is used mostly to manage memory overcommit with things like a memory bubble.
As the hypervisor gets low on RAM, it tells its driver in the VM OS to use more RAM, which steals some away from that system. Then the hypervisor swaps that RAM or puts it out of play in another way, and gets to reclaim the underlying physical RAM. At least, this is the VMWare way of doing it, not too sure about MS or Citrix or RH or others.
Well, on a Windows VM in VMWare products, you can just ask the OS and it will happily report the manufacturer as "VMWare, Inc" for example. I would expect other virtualizers to do something similar, if not there in some other places (like drivers etc).
You can emulate a PC perfectly. But in practice there's a tradeoff between perfect emulation and performance, and since a VM's goal is typically to run cooperative software quickly, they aim for performance.
For example, for best performance you want to run the instructions in the VM directly on the hardware CPU so that they run as fast as they would outside the VM. But not all instructions can be run safely this way, so the VM will trap some and emulate them. This is necessarily slower, so a program can detect the presence of a VM by noticing that some instructions are much slower than they ought to be. You can lie about the time, but the bookkeeping needed to do so accurately imposes a lot of overhead.
there is no plausable deniability if it does something different in a VM. that takes active coding to set up, there is no reason anyone would ever have any code that has this effect.
There are PLENTY of reasons to code your application to act differently based on environment... while many of them may be bad, not all of them are.
Some abuse this to make speed tools run faster, ala Graphic Card tests that run faster when it detects NVidia/AMD... some abuse it to skirt protections in VMs...
Do we need to ban torrents because a lot of torrents are illicit materials? Ban bitcoins, because some people use it for drugs? Ban tor?
"In truth, the man was an oathbreaker, a deserter from the Night’s Watch. No man is more dangerous. The deserter knows his life is forfeit if he is taken, so he will not flinch from any crime, no matter how vile."
~ Ned Stark, A Game of Thrones.
I think that pathetic blog post where they tried to justify their actions made one thing clear - SourceForge knows how dead they are. No amount of internet outrage is going to help, they don't think they've got anything to lose at this point.
The best thing to do at this point would be to speed up their demise. If you're a developer that still hosts with them, delete your project and move to Github or Bitbucket.
This makes me so mad and sad at the same time. For years, it would bring me immense pleasure to just browse projects on sourceforge to see what the world was up to. Now this is just another case of corporations ruining a good thing. I'm glad there are links to Filezilla and Gimp - two products I use frequently.
I kind of view it as a consequence of the market falling out from under their feet - it's cheap enough to host your own files now, and with package managers (even on Windows!) the power users that used to be the target audience of Source Forge have been vanishing.
IMHO it's more a function of their inability to compete with Github and Bitbucket. They were slow to react to the rise of distributed VCS, failed to exploit their social network features, and probably had already accumulated too much technical debt to effectively change course by the time overall trends became clear. Once developers shifted, power users had to follow suit.
I was just remembering when sourceforge first appeared and how awesome it was. I slowly started browsing projects on there instead of freshmeat. It is just sad, and frankly a little weird.
> Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.
This is an error on Google's part. For everyone's sake, they need to apply some serious ranking penalties to malware distributing sites like SourceForge, as well as click-through warnings that you are going to a site other than the original authors'.
I've tweeted someone close to the Pywin32 project (hosted on SF) asking to move it, but didn't get a reply. For long-established projects, it's not an easy migration. Please keep prodding any critical project you know of.
At least for Mac, there is a TINY "direct download" link next to the SF Installer button. Using this link will provide the non-junkware, original install files.
Just today I had to get Boost for the first time since the whole gimp-win debacle - their tars and zips are hosted on SourceForge. Guess I'll be building from Git until they fix it :/
So its still fetching executables from sourceforge using plain http with no checksums or signatures in sight. On the assumption that executable does include the sourceforge malware, The silent install argument ("/S") passed to the executable by chocolatey seems to be the only reason its not installed along with filezilla.
Is there any reason to believe ninite does anything different?
We should play this up more on our site, but Ninite (I'm a co-founder and we're YC W08) does this stuff right.
All our .exes are signed, app config information comes over https, and downloads are all checked for hashes that match our testing before being automated. We're not just naively adding silent switches either, we'll automate clicks to get through less well-behaved installers when needed.
Why can you trust Ninite? Money. Thousands of businesses pay us for Ninite Pro and the free version is our marketing department. We're extremely careful to make sure our updates come out on time and junk free.
I know, this isn't very helpful, but if you don't like how software is distributed for your system there's still the option to use a system that solved this during the '90s.
I never use the "downloader", either from Akamai, Sourceforge, etc. I downloaded a few programs recently on sourceforge and never had to use their software.
tldr; don't download from SourceForge it uses its own installer bundled with garbage. Do download using ninite.com (https://ninite.com/), the "only trusted" downloader according to these guys.
There would have to be a lot of careful discussion about such an organization. I would hate to see it end up being little more than a vector for rent-seeking, and shutting people out of our industry for a host of arbitrary reasons (immigrants, people with the "wrong" education, etc).
This has been brought up multiple times and I couldn't agree more. It'd be great to have a trade organization for software developers where they can be evaluated by a board and loose their "license" to write code. There are some SERIOUS down sides to that, but that'd have to be flushed out in another forum.
This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.
Very interesting! I'd be interested to hear the corporate-speak rationale for this. Kind of interested, anyway.