
Download.com sorry for bundling Nmap with crapware

Open source freed from toolbar


Download.com has apologised for bundling open-source packages, including Nmap and VLC, with crudware toolbar installers.

But Sean Murphy, the vice-president and general manager of CNet's Download.com, defended the policy of bundling more generally and fell short of endorsing an opt-in policy for software extras.

A row kicked off on Monday after it emerged that users who have downloaded Nmap, a popular network auditing and penetration testing tool, from Download.com found the Babylon Toolbar included by default.

Gordon Lyon (aka Fyodor), the developer of Nmap, cried foul over the way the toolbar was foisted on users. The toolbar - which changes users' browsing experience, sets the browser's home page to MSN and makes Bing the default search engine - was also offered to consumers downloading the popular VLC media player software. Fyodor also alleged that Download.com's installer violates Nmap's copyright.

Within hours of Fyodor venting his anger online, Microsoft got in touch with him saying, as he puts it, that they "didn't know they were sponsoring Cnet to trojan open-source software, and that they have stopped doing it". At around the same time the Nmap installer available from Download.com switched to punting "special offers" from Cnet, and after various other changes it eventually offered a clean install, at least in the case of Nmap.

In a statement (extract below), Murphy said that bundling the toolbar with the open-source package was a mistake:

The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused. In addition to immediately taking Nmap out of the download manager, we reviewed all open source files in our catalog to ensure none are being bundled. It is a Download.com policy not to bundle open source software and we will continue to take pains to ensure this does not happen again.

Cnet's Nmap installer was initially detected as a Trojan by BitDefender and F-Secure, and as a potentially unwanted program by Panda, McAfee and others, according to an initial report by VirusTotal on Monday. However, by Wednesday, of all the major suppliers of anti-virus software, only McAfee reported anything amiss.

Murphy said warnings that the installer might be malware were all false alarms. Download.com is also removing the registration requirement for users who want to fetch files directly from developers' websites rather than via its download manager.

It's unclear whether the apology will be enough to draw a line under the controversy. Proprietary freeware and trial software available from Download.com will still be offered in conjunction with Download.com's installer packaging. Users can opt out, but many are likely to just follow the default option and accept what they are fed. All this falls far short of the opt-in policy that critics would like Download.com to adopt.

Fyodor has created a webpage with background on the controversy, links to the news articles, and the latest updates here.

Unwrapping the wrapper costs extra

The initial controversy sparked condemnation from security firm Sophos (here) and struck a chord with other developers, who also objected to CNet's wrapper bundling business practices, albeit for slightly different reasons.

"I pay $79 a year to list my application 'Chit Chat for Facebook' on the website, with which I fund development through a toolbar app," programmer Daniel Offer told El Reg.

"That said, I've noted that Cnet have 'wrapped' it in a downloader application without notice, which is shameful given that I pay to list my software on their website. Cnet is not the first download site to do this, but it's eating away at genuine developers' funds to pay for new development," he added.

Chit Chat for Facebook is not open source and developers like Offer have the option of getting rid of the wrapper, but only for a price.

"I spoke with Cnet and they told me that I could get rid of their wrapper by 'opting out by paying $99 a month for their premium service, or by paying for the pay per download'. Everyone is suffering with the recession, but they're helping to kill the little ISVs which produce so much great software," he concluded.

A contrasting view comes from Reg reader Charles, who argues download.com was doing nothing untoward (at least in the case of Nmap) and that it's up to users to check what they are downloading.

"Adding default opt-ins to software is one of the most common practices among vendors, especially where 'freeware' is concerned," he writes. "How do you think the bills get paid? When end users download or install software it is their responsibility, and a very simple one at that, to watch what they are doing. New applications, whether from the internet, a CD or DVD, should always be inspected or scanned for malware prior to installation, regardless of the source."

"When I buy an automobile should I expect the dealer to drive it for me? Just how lazy and irresponsible are folks becoming that they cannot watch what they are doing even when it may involve great pain and effort such as opening their eyes or clicking a mouse button or two. These whiners need to wake up and smell the reality," he concludes. ®
