
Download.com sorry for bundling Nmap with crapware

Open source freed from toolbar


Download.com has apologised for bundling open-source packages, including Nmap and VLC, with crudware toolbar installers.

But Sean Murphy, the vice-president and general manager of CNet's Download.com, defended the policy of bundling more generally and fell short of endorsing an opt-in policy for software extras.

A row kicked off on Monday after it emerged that users who downloaded Nmap, a popular network auditing and penetration testing tool, from Download.com found the Babylon Toolbar included by default.

Gordon Lyon (aka Fyodor), the developer of Nmap, cried foul over the way the toolbar was foisted on users. The toolbar - which changes users' browsing experience, sets the browser's home page to MSN and makes Bing the default search engine - was also offered to consumers downloading the popular VLC media player software. Fyodor also alleged that Download.com's installer violates Nmap's copyright.

Within hours of Fyodor venting his anger online, Microsoft got in touch with him saying, as he puts it, that they "didn't know they were sponsoring Cnet to trojan open-source software, and that they have stopped doing it". At around the same time the Nmap installer available from Download.com switched to punting "special offers" from Cnet, and after various other changes it eventually offered a clean install, at least in the case of Nmap.

In a statement (extract below), Murphy said that bundling the toolbar with the open-source package was a mistake:

The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused. In addition to immediately taking Nmap out of the download manager, we reviewed all open source files in our catalog to ensure none are being bundled. It is a Download.com policy not to bundle open source software and we will continue to take pains to ensure this does not happen again.

Cnet's Nmap installer was initially detected as a Trojan by BitDefender and F-Secure, and as a potentially unwanted program by Panda, McAfee and others, according to an initial report by VirusTotal on Monday. However, by Wednesday, of all the major suppliers of anti-virus software, only McAfee reported anything amiss.

Murphy said warnings that the installer might be malware were all false alarms. Download.com is removing the registration requirement for directly fetching files from developers' websites rather than via its download manager.

It's unclear whether the apology will be enough to draw a line under the controversy. Proprietary freeware and trial software available from Download.com will still be offered in conjunction with Download.com's installer packaging. Users can opt out, but many are likely to just follow the default option and accept what they are fed. All this falls far short of the opt-in policy that critics would like Download.com to adopt.

Fyodor has created a webpage with background on the controversy, links to the news articles, and the latest updates here.

Unwrapping the wrapper costs extra

The initial controversy sparked condemnation from security firm Sophos (here) and struck a chord with other developers, who also objected to CNet's wrapper bundling business practices, albeit for slightly different reasons.

"I pay $79 a year to list my application 'Chit Chat for Facebook' on the website, with which I fund development through a toolbar app," programmer Daniel Offer told El Reg.

"That said, I've noted that Cnet have 'wrapped' it in a downloader application without notice, which is shameful given that I pay to list my software on their website. Cnet is not the first download site to do this, but it's eating away at genuine developers' funds to pay for new development," he added.

Chit Chat for Facebook is not open source and developers like Offer have the option of getting rid of the wrapper, but only for a price.

"I spoke with Cnet and they told me that I could get rid of their wrapper by 'opting out by paying $99 a month for their premium service, or by paying for the pay per download'. Everyone is suffering with the recession, but they're helping to kill the little ISVs which produce so much great software," he concluded.

A contrasting view comes from Reg reader Charles, who argues Download.com was doing nothing untoward (at least in the case of Nmap) and that it's up to users to check what they are downloading.

"Adding default opt-ins to software is one of the most common practices among vendors, especially where 'freeware' is concerned," he writes. "How do you think the bills get paid? When end users download or install software it is their responsibility, and a very simple one at that, to watch what they are doing. New applications, whether from the internet, a CD or DVD, should always be inspected or scanned for malware prior to installation, regardless of the source."

"When I buy an automobile should I expect the dealer to drive it for me? Just how lazy and irresponsible are folks becoming that they cannot watch what they are doing even when it may involve great pain and effort such as opening their eyes or clicking a mouse button or two. These whiners need to wake up and smell the reality," he concludes. ®

