Gordon Lyon is a popular, successful and charismatic open-source software maker. Right now, he’s not a happy man.
You probably know him better by his nickname, Fyodor (after Fyodor Dostoyevsky, author of Notes From Underground). He is the creator and maintainer of the widely used network auditing and penetration-testing tool Nmap.
You probably know Nmap. If you’ve ever done any network troubleshooting or security assessment, you’ve probably used it.
It can help you locate rogue PCs and servers, spot services which shouldn’t be running, identify firewalls and routers on your network, and much more.
(I have a particular fondness for Nmap because it’s liberally extensible with a scripting engine which uses Lua, my favourite programming language. I even went all the way to Las Vegas to give Fyodor a 2010 Sophos DECODEME T-shirt because its design and layout was automated using a Lua program.)
So, what’s all the fuss about?
The problem is to be found on download.com, the well-known file repository operated by technology media company CNET.
CNET offers you a free download of Nmap, but not from Fyodor’s own site. Instead, CNET has wrapped the Nmap installer with a program of its own. On your way to the Nmap download, you’re rather pushily offered the Babylon Toolbar first. (At least, it’s the Babylon Toolbar at the moment. The foistware chosen by CNET and apparently endorsed by Nmap could be changed at any time.)
You can decline to install the toolbar, but the layout and the logical progression of CNET’s wrapper software makes it all-too-easy to accept Babylon’s software by default.
The wrapper pops up a dialog headlined “Nmap”, with a bright green default “Accept” button. But accepting only means you accept the “special offer” of the toolbar. Accepting Nmap comes later. And once you have the Babylon Toolbar, your browser experience is very different indeed.
No wonder Fyodor is unhappy. As he pointed out recently in a post to the North American Network Operators’ Group (Nanog) mailing list:
The problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!
So the first order of business is to notify the community so that nobody else falls for this scheme. Please help spread the word.
I’m with Fyodor on this one. Let me list the reasons why:
* Taking someone else’s work, even if it is open source and free, and using it as a drawcard for your own unrelated commercial purposes, is just plain unfair.
* Getting people into the habit of installing software in an unofficial way from an unofficial source is poor security practice. Official download repositories typically include advice and guidelines – including how to verify the correctness of your download – which are missing on unofficial sites.
* Open-source software may be free, but unless it’s public domain, it’s not free-for-all. Always abide by both the letter and the spirit of the licence.
* A software installation for product X which attempts to foist an unrelated product Y onto your computer by default is poor security practice. Anything outside the obvious remit of the installer should be clearly and unequivocally opt-in, not opt-out.
Furthermore, before wrapping any software in a foistware downloader, CNET should require the software developer to opt in. But CNET’s logic appears to be back-to-front on this score, too.
According to its own FAQs:
Can I opt out of the CNET Download.com Installer?
Yes. If you would like to opt out of the Download.com Installer you can submit a request to firstname.lastname@example.org. All opt-out requests are carefully reviewed on a case-by-case basis.
Here at Naked Security we feel pretty strongly about opt-out.
We think that opt-in should always be the default. You should, too. Write to your Privacy Commissioner and say so.
20 comments on “Popular network tool Nmap in CNET security brouhaha”
I'd like to note that the ESET antivirus software flags the CNET installer as a Potentially Unwanted Application. I've contacted at least one other developer to let them know that their software was being wrapped by an installer that was being flagged and they were quite eager to opt-out.
Since CNET is pushing their installer down the throat of the public without any apparent notification to the authors of the software being wrapped, it would be great if they were told by the developers, in no uncertain terms, that it's not acceptable. Send in your opt-out request.
Based on this information, I will no longer use CNet to download software. If I have to, I will contact the developer directly.
I’ll mark it as adware. They can make it a torrent site; it will be better.
Thank you Paul. I could not agree more with Fyodor's frustrations and your own summary of these kinds of practices.
To say that end users are tired of being constantly barraged by malware, spyware, tracking tools, marketing and everything else is an understatement. To then have it look like some of the most responsible and well-respected luminaries in the IT field are somehow involved or endorsing such tripe is reprehensible.
Adobe and Apple are guilty of bundling additional apps the user has not requested. Just try to download Flash, Reader, Quicktime… Of course, if more users paid attention I suppose it wouldn't be as much of a problem.
In the Adobe case – whether you approve or not – the vendor is at least bundling third party software _into its own installer for its own software_.
CNET is taking someone else's product, which already has its own, perfectly good, official installer, and wrapping it in an unrelated foistware downloader.
I let CNET go late 2010 because of their deceptive way of handling the DL of free programs. CNET had programs listed as free, but they were crippled trials. Many were difficult to completely uninstall and some had registry entries that brought up purchase nag screens post install. Far too many other trusted DL sites for me to use CNET.
Absolutely agree with you guys. More than a month ago I tried to download the Glary Utilities free software from C/Net site. It said that the software is scanned and guaranteed against malware. Thanks to my Kaspersky Antivirus 2012 which captured a Trojan horse, which was wrapped in C/Net's downloader. Since this moment I am using Filehippo to download software, because there is no hidden stuff in their installers.
Why don't you just download free software from the official download sites?
That way you know you have the latest, official version; you know where to go for official announcements, updates, help and whatnot; and you give your "click juice" and ad revenue to the people who actually did the work in making their product.
Why not the official download sites?
Because keeping track of all the official sites can sometimes be very time consuming and frequently involves doing web searches… and at that point, sooner or later, typos occur, and you're taken down a poisoned path. Visiting multiple sites is less efficient and can be vulnerable to human error.
Sites such as FileHippo make for easy one stop updating. FileHippo even offers a free Update Checker application which makes it easy to keep all of your downloads up to date (and therefore, more secure!).
Piriform, a small company, has a direct download link, but places FileHippo above theirs on their own site. I suppose they don't mind giving FH the “click juice”, as you put it, because FH absorbs the bandwidth costs.
Brace yourselves. This practice is just the beginning. I have come across more and more sites that try to force their "download manager" on you. I am with you in protesting these methods of forcing you into software that you don't want, generally to "improve" your web experience or safety.
This is why I recommend Majorgeeks.com to my clients. They don't alter the files, and they are official mirror servers for many, many fine free and NON-ADWARE based products.
CNET is a technical web publisher and should be held accountable for actions like this. They KNOW BETTER. Whoever is responsible for doing stuff like this should be fired.
Apparently they are willing to sacrifice their reputation for money.
Encountered this problem with one of their downloads yesterday; when I refused whatever toolbar they were foisting, the download stalled out.
As was suggested by this article's author, I simply went to the developer's website for the download.
Also noticed the not really free issue last year, the download was free but a subscription was required…
Goodbye CNet…you're fired 🙂
CNET have been wrapping all downloads in their own installer for months. Universal condemnation of CNET’s behavior has been published all over the net and they show no signs of remorse nor of changing their policy.
I published the story back in August: http://www.davescomputertips.com/2011/08/beware-d…
I would also point out that CNET continues to host downloads from vendors/developers with poor reputations – they appear to have no sort of safety/security checks in place at all.
Simply submit your software and CNET lists it.
Apparently, CNET places far more importance on revenue than the safety, security and welfare of users.
@Paul Ducklin: Paul, it is not always possible to download from the official site. Developers/vendors strike a deal with CNET granting them exclusivity and the only source that then appears on the product home page is links to download from CNET.
CNET…the same people who bought VersionTracker.com and then proceeded to destroy the entire database. Years of software reviews, vaporized. And then they replaced the clean, open, user-friendly, easy-to-read VT interface with the dark, ugly site they now have.
They have made it abundantly clear that they are not just out of tune with their users' sensibilities; they actually don't give a rip about them. This is just one more data point of evidence confirming that I was right to fire them.
Good grief, I just ran into this today trying to get an MD5 checker. The toolbar wrapper was a surprise and a real disappointment, and somehow I was awake enough to not opt in to installing it. But everyone has already said plenty about the installer wrapper already; I don't think I can add much more.
What confused me in the experience was when I got to the download page, there are ads that have big, green, prominent "Start Download" buttons on them, meaning of course to start a download of the software featured in the ad. I nearly clicked on the button in the top banner ad to start my download. Once I realized that wasn't the right button, I had to look over the page _carefully_ to find the correct button to push. This is just as devious as having the name of the program at the top of the screen and the green "Accept" button to accept the toolbar install.
I notice now on reviewing the page (checked it again before writing this comment) there is an understated link under the "Download Now" button that says you can login or register to use a direct download link. So I guess if I was a C|Net member, I wouldn't have to put up with their install wrapper? Nice. Real nice.
Thank you Paul. I have the same problem with the new version of my product, listed on download.com and have been receiving angry emails from users thinking that somehow we bundled malware along with the product that they intended to install. I wrote to CNET some weeks ago requesting to opt-out of their installer but have not heard from them yet. To make things worse, the upload.com account through which you submit the software does not even talk about how to unlist your software if you choose to.
Apparently C|NET / download.com haven't changed their practices a bit. This CBS-owned outfit is now wrapping a simple MPEG4 player (and other programs, I assume) in an "AVG Security 2012" program that is utterly invasive, and my attempt to remove it rendered my home machine inoperable with a "Can't find vprot.dll" error message at boot-up.
How can anyone stop this blatant malware distribution practice?
I'm sending my machine to an expert to see if I can recover priceless data.
Download.com used to be a trustworthy site.
I trusted CNET for news and download for many years. When I accidentally installed CutePDF from them which installed all these garbage spamware, I will no longer use download.com nor CNET anymore. This is outrageous how they make legitimate look bad with their bloatware.