Popular network tool Nmap in CNET security brouhaha

Gordon Lyon is a popular, successful and charismatic open-source software maker. Right now, he’s not a happy man.

You probably know him better by his nickname, Fyodor (after Fyodor Dostoyevsky, author of Notes From Undergound). He is the creator and maintainer of the widely-used network auditing and penetration-testing tool Nmap.

You probably know Nmap. If you’ve ever done any network troubleshooting or security assessment, you’ve probably used it.

It can help you locate rogue PCs and servers, spot services which shouldn’t be running, identify firewalls and routers on your network, and much more.

(I have a particular fondness for Nmap because it’s liberally extensible with a scripting engine which uses Lua, my favourite programming language. I even went all the way to Las Vegas to give Fyodor a 2010 Sophos DECODEME T-shirt because its design and layout was automated using a Lua program.)

So, what’s all the fuss about?

The problem is to be found on download.com, the well-known file repository operated by technology media company CNET.

CNET offers you a free download of Nmap, but not from Fyodor’s own site. Instead, CNET has wrapped the Nmap installer with a program of its own. On your way to the Nmap download, you’re rather pushily offered the Babylon Toolbar first. (At least, it’s the Babylon Toolbar at the moment. The foistware chosen by CNET and apparently endorsed by Nmap could be changed at any time.)

You can decline to install the toolbar, but the layout and the logical progression of CNET’s wrapper software makes it all-too-easy to accept Babylon’s software by default.

The wrapper pops up a dialog headlined “Nmap”, with a bright green default “Accept” button. But accepting only means you accept the “special offer” of the toolbar. Accepting Nmap comes later. And once you have the Babylon Toolbar, your browser experience is very different indeed.

No wonder Fyodor is unhappy. As he pointed out recently in a post to the North American Network Operators’ Group (Nanog) mailing list:

The problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!

So the first order of business is to notify the community so that nobody else falls for this scheme. Please help spread the word.

I’m with Fyodor on this one. Let me list the reasons why:

* Taking someone else’s work, even if it is open source and free, and using it as a drawcard for your own unrelated commercial purposes, is just plain unfair.

* Getting people into the habit of installing software in an unofficial way from an unofficial source is poor security practice. Official download repositories typically include advice and guidelines – including how to verify the correctness of your download – which are missing on unofficial sites.

* Open-source software may be free, but unless it’s public domain, it’s not free-for-all. Always abide by the both the letter and the spirit of the licence.

* A software installation for product X which attempts to foist an unrelated product Y onto your computer by default is poor security practice. Anything outside the obvious remit of the installer should be clearly and unequivocally opt-in, not opt-out.

Furthermore, before wrapping any software in a foistware downloader, CNET should require the software developer to opt in. But CNET’s logic appears to be back-to-front on this score, too.

According to its own FAQs:

Can I opt out of the CNET Download.com Installer?

Yes. If you would like to opt out of the Download.com Installer you can submit a request to cnet-installer@cbsinteractive.com. All opt-out requests are carefully reviewed on a case-by-case basis.

Here at Naked Security we feel pretty strongly about opt-out.

We think that opt-in should always be the default. You should, too. Write to your Privacy Commissioner and say so.