
Download.com sorry for bundling Nmap with crapware

Open source freed from toolbar


Download.com has apologised for bundling open-source packages, including Nmap and VLC, with crudware toolbar installers.

But Sean Murphy, vice-president and general manager of CNet's Download.com, defended the practice of bundling more generally and stopped short of endorsing an opt-in policy for software extras.

A row kicked off on Monday after it emerged that users who downloaded Nmap, a popular network auditing and penetration testing tool, from Download.com got the Babylon Toolbar installed by default.

Gordon Lyon (aka Fyodor), the developer of Nmap, cried foul over the way the toolbar was foisted on users. The toolbar, which alters users' browsing experience by setting the browser's home page to MSN and making Bing the default search engine, was also offered to people downloading the popular VLC media player. Fyodor also alleged that Download.com's installer violates Nmap's copyright.

Within hours of Fyodor venting his anger online, Microsoft got in touch with him saying, as he puts it, that they "didn't know they were sponsoring Cnet to trojan open-source software, and that they have stopped doing it". At around the same time the Nmap installer available from Download.com switched to punting "special offers" from CNet, and after various other changes it eventually offered a clean install, at least in the case of Nmap.

In a statement (extract below), Murphy said that bundling the toolbar with the open-source package was a mistake:

The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused. In addition to immediately taking Nmap out of the download manager, we reviewed all open source files in our catalog to ensure none are being bundled. It is a Download.com policy not to bundle open source software and we will continue to take pains to ensure this does not happen again.

CNet's Nmap installer was initially detected as a Trojan by BitDefender and F-Secure, and as a potentially unwanted program by Panda, McAfee and others, according to an initial VirusTotal report on Monday. By Wednesday, however, McAfee was the only major anti-virus vendor still reporting anything amiss.

Murphy said the warnings that the installer might be malware were all false alarms. Download.com is also removing the registration requirement for users who want to fetch files directly from developers' websites rather than through its download manager.
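The practical check behind that last point, as an added example that is not from the article, from CNet or from the Nmap project: fetch the installer from the developer's own site and compare it with the digest the developer publishes, so that a repackaged copy from a third-party mirror fails the comparison. The sha256sum-style list format (`<hex digest>  <filename>`), the file name `nmap-setup.exe` and the sample bytes are all constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksum_list(text):
    """Parse a sha256sum-style list: one '<hex digest>  <filename>' per line
    (assumed format). Blank lines and '#' comments are skipped; anything
    else malformed is an error rather than a silent skip."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'
        digests[name.lstrip("*")] = digest.lower()
    return digests


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_text):
    """True if the file matches the digest published for its basename.
    An unlisted file raises KeyError: never accept what you cannot check."""
    expected = parse_checksum_list(checksum_text)[os.path.basename(path)]
    actual = sha256_file(path)
    # Constant-time comparison; the digests are short ASCII strings.
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample: a 'clean' installer, then the same file name served
    with a download-manager stub wrapped around it. Returns (clean_ok, wrapped_ok)."""
    clean = b"MZ" + b"\x00" * 62 + b"constructed nmap installer payload\n"
    wrapped = b"MZ" + b"\x00" * 62 + b"constructed download-manager stub\n" + clean
    # The list a developer would publish next to the real installer (constructed).
    published = "# constructed checksums\n%s  nmap-setup.exe\n" % (
        hashlib.sha256(clean).hexdigest())
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nmap-setup.exe")
        with open(path, "wb") as f:
            f.write(clean)
        clean_ok = verify_download(path, published)
        with open(path, "wb") as f:  # same name, repackaged contents
            f.write(wrapped)
        wrapped_ok = verify_download(path, published)
    return clean_ok, wrapped_ok


if __name__ == "__main__":
    print("clean verifies: %s, wrapped verifies: %s" % demo())
```

A digest comparison only tells you that what you fetched is byte-for-byte what the developer published; it does nothing if the digest itself came from the same untrusted mirror, so take the checksum list (or better, the developer's detached signature) from the developer's own site, not from the download portal.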

It's unclear whether the apology will be enough to draw a line under the controversy. Proprietary freeware and trial software available from Download.com will still be offered inside Download.com's installer wrapper. Users can opt out, but many are likely to follow the default option and accept whatever they are fed. All this falls far short of the opt-in policy that critics would like Download.com to adopt.

Fyodor has created a webpage with background on the controversy, links to the news articles, and the latest updates here.

Unwrapping the wrapper costs extra

The initial controversy drew condemnation from security firm Sophos (here) and struck a chord with other developers, who also object to CNet's wrapper-bundling business practices, albeit for slightly different reasons.

"I pay $79 a year to list my application 'Chit Chat for Facebook' on the website, with which I fund development through a toolbar app," programmer Daniel Offer told El Reg.

"That said, I've noted that Cnet have 'wrapped' it in a downloader application without notice, which is shameful given that I pay to list my software on their website. Cnet is not the first download site to do this, but it's eating away at genuine developers' funds to pay for new development," he added.

Chit Chat for Facebook is not open source and developers like Offer have the option of getting rid of the wrapper, but only for a price.

"I spoke with Cnet and they told me that I could get rid of their wrapper by 'opting out by paying $99 a month for their premium service, or by paying for the pay per download'. Everyone is suffering with the recession, but they're helping to kill the little ISVs which produce so much great software," he concluded.

A contrasting view comes from Reg reader Charles, who argues that Download.com was doing nothing untoward (at least in the case of Nmap) and that it's up to users to check what they are downloading.

"Adding default opt-ins to software is one of the most common practices among vendors, especially where 'freeware' is concerned," he writes. "How do you think the bills get paid? When end users download or install software it is their responsibility, and a very simple one at that, to watch what they are doing. New applications, whether from the internet, a CD or DVD, should always be inspected or scanned for malware prior to installation, regardless of the source."

"When I buy an automobile should I expect the dealer to drive it for me? Just how lazy and irresponsible are folks becoming that they cannot watch what they are doing even when it may involve great pain and effort such as opening their eyes or clicking a mouse button or two. These whiners need to wake up and smell the reality," he concludes. ®
