Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Open Source Software

Download.com Bundling Adware With Free Software 228

Zocalo writes "In a post to the Nmap Hackers list Nmap author Fyodor accuses Download.com of wrapping a trojan installer (as detected by various AV applications when submitted to VirusTotal) around software including Nmap and VLC Media Player. The C|Net installer bundles a toolbar, changes browser settings, and, potentially, performs other shenanigans — all under the logo of the application the user thought they might have been downloading. Apparently, this isn't the first time they have done this, either."
This discussion has been archived. No new comments can be posted.

Download.com Bundling Adware With Free Software

Comments Filter:
  • This is news? (Score:5, Insightful)

    by Anonymous Coward on Tuesday December 06, 2011 @05:18AM (#38277786)

    Download.com have always done this... I thought this was how they funded the site.

    • Re:This is news? (Score:5, Interesting)

      by geekmux ( 1040042 ) on Tuesday December 06, 2011 @05:31AM (#38277834)

      Download.com have always done this... I thought this was how they funded the site.

      This may be true, but doesn't shadow the efforts of those irritated enough to stand up and say something. Hats off to Fyodor for bringing it to light in hopes that things change.

      And as knowledgeable as the average user has (been forced to) become about spyware and malware, Download.com should listen, because it's obviously not just those uploading content that keeps them in business. Let's hope they don't react and generate that stench of arrogance around themselves, not unlike many large businesses today that think they're "too big to fail", and could care less what their customers think.

      • Re:This is news? (Score:5, Informative)

        by sosume ( 680416 ) on Tuesday December 06, 2011 @05:40AM (#38277868) Journal

        You can always choose not to offer your downloads through download.com.

        • Re:This is news? (Score:5, Insightful)

          by xaxa ( 988988 ) on Tuesday December 06, 2011 @06:29AM (#38278102)

          You can always choose not to offer your downloads through download.com.

          Can you? Even if it's under a copyleft license, or in the public domain?

          • Re:This is news? (Score:5, Informative)

            by buchner.johannes ( 1139593 ) on Tuesday December 06, 2011 @06:54AM (#38278192) Homepage Journal

            If your logo or name is a trademark, yes. That's why no distribution can redistribute a modified Firefox with the same name & logo.

            • (I am not an expert on these things so bear with me): But what I understood is that when they created a new installer to install the unmodified software (let's say firefox) with another software ( the adware) this can't be thought as an infringement... Or the software can be only installed via it's original installer ?
              • Re:This is news? (Score:5, Informative)

                by Anonymous Coward on Tuesday December 06, 2011 @08:20AM (#38278682)

                The new installer is a "derivative work", and you can specify that derivative works must not use the original trademarks. Mozilla and RedHat are both very strict about this: the source is open and free and all but you keep their name out of your modified stuff.

                • So this is my question: Is installing it via a different installer ( than the original one) is considered a derivative work? Even though the program is identical to the one installed with the default installer.
                • And/or you can insist on derivative works keeping to the original licence, so for example Download.com would be obliged to make the source code of whatever changes they made available. Doesn't stop them obfuscating it, but it does at least mean people can (with work, in theory) find out what the program does before they actually run it.
          • Re:This is news? (Score:4, Informative)

            by rilian4 ( 591569 ) on Tuesday December 06, 2011 @12:24PM (#38281900) Journal
            In the case of nmap, the license forbids such wrappers. It is *NOT* a GPL license that nmap is under, even though it *is* an open source license. Fyodor's letter explains the details...
        • remove download (Score:5, Interesting)

          by TheSHAD0W ( 258774 ) on Tuesday December 06, 2011 @06:42AM (#38278156) Homepage

          That's what I finally had to do, when some entity (might've been download.com, might've been someone else) offered an alternative download location for my software - which bundled some sort of malware installer onto my software. After one attempt to remove them as an alternate, I was told I could request my software be removed, and that's what I did. This occurred back in 2004. [degreez.net]

      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Tuesday December 06, 2011 @06:19AM (#38278056)
        Comment removed based on user account deletion
        • Re:This is news? (Score:5, Insightful)

          by InsightIn140Bytes ( 2522112 ) on Tuesday December 06, 2011 @07:05AM (#38278238)
          It's even more stupid that Google has started offering Chrome just the same way like every other adware vendor - by offering freeware and shareware authors, and the likes of Download.com, money per install they get. This leads to software authors and download sites bundling it with unrelated software and pushing it to users since they get paid for it. They always used to do this with their toolbar, but of course now they switched it to Chrome. I've seen people using Chrome and when asked why they changed, they had no idea. Either it came with some other software or "Google said on internet that you need to download this to make your browsing better" and they thought fine. No wonder they gained that 25% market share so quickly...
        • Re:This is news? (Score:5, Informative)

          by subreality ( 157447 ) on Tuesday December 06, 2011 @07:49AM (#38278462)

          Thank you for Ninite. It will unsuck my life considerably.

        • by nstlgc ( 945418 )
          I did not know about Ninite. Thank you very much for pointing it out, it looks pretty awesome.
        • yep. This is old news. UltraVNC has been warning about this for quite some time https://forum.ultravnc.net/viewtopic.php?f=9&t=28692 [ultravnc.net]
        • Re:This is news? (Score:5, Informative)

          by kvvbassboy ( 2010962 ) on Tuesday December 06, 2011 @08:19AM (#38278676)
          I like FileHippo [filehippo.com] more. It has a bigger collection than ninite, and it tracks both stable and beta versions of most free software and freeware on Windows. They also have a useful (and a completely optional download) update utility that checks if there are any updates available for software on your computer. If yes, you can let it update from their website. It's pretty awesome, all in all.
        • Does ninite prevent developer included crapware? Specifically looking at uTorrent here which is notorius for giving you check boxes concerning crapware and then installing it anyway regardless of what you checked.

    • Re:This is news? (Score:5, Interesting)

      by Anonymous Coward on Tuesday December 06, 2011 @05:53AM (#38277942)

      Yes it is news for me.
      I submitted something I wrote a while back and it used to offer the file the way I uploaded it. I just checked and sure enough my download is now wrapped in a Cnet installer. Now I need to dig out my account info and remove my software listing because this is fucking BULLSHIT!

      Thanks Slashdot for pointing this out.

    • Re:This is news? (Score:5, Informative)

      by Zocalo ( 252965 ) on Tuesday December 06, 2011 @06:00AM (#38277988) Homepage
      Yes, they have, or at least it seems like it. The difference this time is that in addition to an abuse of the registered Nmap trademark Fyodor also has them in a clear breach of the NMAP licensing Ts&Cs and it appears he's willing to try and pursue the matter through the courts. I did have a strapline on the original submission to the effect that he was looking for a good US based copyright lawyer, but it appears that the Slashdot editors decided that wasn't an important part of the story.
      • Re: (Score:2, Interesting)

        I also find it interesting to note that it seems to be sponsored by a certain company we know too well...you know, changing Startpages/Default Searchmachines to MSN/Bing...
      • Re:This is news? (Score:5, Informative)

        by Entropy98 ( 1340659 ) on Tuesday December 06, 2011 @07:24AM (#38278340) Homepage

        Cnet is only bundling their adware with programs uploaded since they started bundling.

        I've got a program listed there, its not bundled.

        If I upload a new version they are going to bundle it with their crapware.

        So I'm not uploading a new version, ever.

        They told uploaders what they were going to do with their program, they don't agree to your terms and conditions, you agree to theirs.

        Remove your program from their site and go elsewhere.

        • Incorrect. I had software there that was uploaded prior to their bundling, and eventually they wrapped it anyway. I'd watch them if I were you.

    • Re:This is news? (Score:5, Informative)

      by Kadagan AU ( 638260 ) <kadaganNO@SPAMgmail.com> on Tuesday December 06, 2011 @08:32AM (#38278774) Journal
      Seems like we had this discussion [slashdot.org] already..
    • Of course, if they include the source code, and possibly rename the app, perfectly legal to do...

      See points 1, 2 and 4 of the Open Source Definition http://www.opensource.org/osd.html [opensource.org]

    • New to some of us? No. Honestly though, does it hurt to spread the word as much as possible though? I think not. CNet can go to hell. It's bad enough when the program makers do it but now the place offering downloads is packing this shit in? Seriously? They don't think the program makers might be a little bit pissed off at this prospect?
    • Comment removed (Score:5, Informative)

      by account_deleted ( 4530225 ) on Tuesday December 06, 2011 @09:53AM (#38279600)
      Comment removed based on user account deletion
  • by Anonymous Coward

    Can we all agree that downloading free software is stealing from poor programmers who have to live in their mother's basement because they're so poor they cannot even afford their own place? And that as we can read in TFA downloading free software supports criminal activities, and is therefore terrorism? And that this probably means you're a communist child-abusing terrorist?

    -- Yes, this was a joke, and no, I don't have a good sense of humor.

  • Nothing new. (Score:3, Interesting)

    by RoFLKOPTr ( 1294290 ) on Tuesday December 06, 2011 @05:28AM (#38277816)

    Download.com has been funded by bullshit third-party software addons for as long as I can remember. AFAIK, they only recently started this practice of causing the user to download a downloader which would first go through the third-party addons before downloading the actual installer... but it's not like it's any different than before. Yeah, lots of people will just click through and accept everything and that's their fault for not reading things before agreeing to them. Don't blame a free service operated by a for-profit corporation for wanting to make money. Host the Nmap installer yourself if you think it's so easy.

    • Re:Nothing new. (Score:5, Informative)

      by WoodSmoke ( 631754 ) on Tuesday December 06, 2011 @06:58AM (#38278214)
      Fyodor actually *DOES* host the installer. He never gave them permission to repackage it. In fact, the software license prohibits this explicitly. From the article: "This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't)." So yeah, I can blame them. If you read the fucking article you would know this. p.s. Yes, I said that the parent should have read the article. No, I am not new here, but that doesn't mean that I, or anyone else, should tolerate willfully uninformed bullshit spouting.
  • by mirix ( 1649853 ) on Tuesday December 06, 2011 @05:29AM (#38277824)

    It's rather mindboggling that a decade into the 21st century, people are still going to third party download outfits like this.

    Maybe someone wants to enlighten me as to why... I'm not coming up with much.

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Tuesday December 06, 2011 @05:38AM (#38277858)
      Comment removed based on user account deletion
      • by WWWWolf ( 2428 )

        People are creatures of habit, and once they learn how to use the download.com ( or some other site like freshmeat.net ) interface, they just return to it out of habit, and the fact that they already know how to search and navigate the site.

        Thought here's a small but crucial difference between download.com and freshmeat/whatevertheheckit'snowadays: Download.com hosts stuff, while freshmeat just listed and categorised software, linking to developers. The details on where to get the software are posted by the developer on freshmeat. You get the software exactly where the developer wants you to get the software. A choosy user can then download the source or official binaries or just say "hey, it looks like it's already packaged in my distro".

        In o

      • Comment removed based on user account deletion
    • by Neil Boekend ( 1854906 ) on Tuesday December 06, 2011 @05:40AM (#38277866)
      I liked it years ago. They made it easy to search for a function and get a list of windows software that did it. Back then I usually couldn't find who made software that did what I needed done. I coudn't go to the software producer's site, because I didn't know who he was. Now I just google around a bit, search some forums and hope for the best.
      In my eyes they already screwed up when they allowed sw developers to promote the features of the full (paid) version in the description of the free version without any indication the free version didn't include the feature.
    • by Yvanhoe ( 564877 )
      Free bandwidth.
      • by Luckyo ( 1726890 )

        Not much of advantage anymore. You can just host on rapidshare/megaupload/similar site.

        • Rapidshare (Score:5, Interesting)

          by sakdoctor ( 1087155 ) on Tuesday December 06, 2011 @06:12AM (#38278038) Homepage

          Rapidshare, for that authentic 90s warez feel.

          Not hosting your own files, or torrents for larger stuff, looks about as professional as a hotmail address on a business card.

          • by Luckyo ( 1726890 )

            I'm pretty sure that we didn't have such nice download sites in the 90s. Which is why we had p2p for most of the copyright infringement back then.

            Not to mention that pretty much no one "hosts their own files" anymore, except for really big companies. Outsourcing to professional hosting makes a whole lot more sense nowadays.

        • But hosting on "rapidshare/megaupload/similar site" makes it a pain for the user to download the software ("wait 60 seconds before you can download at a low speed!"), so it's not a good alternative.

          • by Luckyo ( 1726890 ) on Tuesday December 06, 2011 @07:14AM (#38278278)

            Pick mediafire then. Zero wait, over 1MB/sec download speed.

            Megaupload usually saturates my 2.2MB/sec download bandwidth, but it has wait time.

          • Not if you pay them. I'm not talking about Rapidshare Premium or anything, I mean you can actually legitimately pay them for distribution of your legitimate files. No wait screens, no slow downloads, it's like everyone who downloads your file is premium from their perspective. You just pay for hosting.

        • by mcmonkey ( 96054 )

          Not much of advantage anymore. You can just host on rapidshare/megaupload/similar site.

          And that's why people (used to) go to Download.com.

          If I'm looking for warez I might go to rapidshare/megaupload/similar site. And I'll assume anything I get from those sites has a trojan/virus/bot until I can prove otherwise.

          If I know what app or utility I need, I'll go directly to that site. If I don't have a particular name in mind, I used to go to Download.com. For example, I recently needed to get some updated codecs, but didn't know the exact package or provider I needed.

          I don't feel a Google searc

          • by Luckyo ( 1726890 )

            If you're "looking for warez", those are the last stop, not first one. They host whatever it is that you want them to host. They only offer downloads of material that other people chose to to upload to them. The main reason why anti-piracy outlets like to paint them as "omg warez" is because they are free to use, fast, and you can only get the download if you have the proper link - there is no directory.

            You sound like your typical ignorant person who just swallows whatever media tells him at face value, and

            • by Luckyo ( 1726890 )

              And by "videos", I do mean "stuff I shot with my phone". I.e. stuff that I have copyright on.

    • by Anonymous Coward

      avast anti-virus redirects you to download.com

    • by Twinbee ( 767046 )
      To have all software in one place, compare them, see how highly they're rated, and see all the user reviews is very valuable to me. But to download it? Just use Softpedia.com [softpedia.com] instead (which is almost as popular as Download.com, and avoids all the spamware).
    • by SuricouRaven ( 1897204 ) on Tuesday December 06, 2011 @06:22AM (#38278070)
      The standard nontechies approach to getting software is as follows:
      1. Enter name of software into browser search box*
      2. Go to first link
      3. Click 'download.' Repeat until a download starts.
      4. Click 'next' until installation complete.

      They go to download.com because for some programs, it actually comes higher in the listings than the program's main site. Espicially if they add 'download' to the search query, as many do.

      *They don't quite get the concept of a search engine yet, so they'll go with the default. Theres a one-in-two chance they'll just type it in the address bar.
    • by Bert64 ( 520050 )

      Because people would rather trust a single central location (eg download.com) than a multitude of different websites, any of which could be pushing malware or owned.

      This is of course primarily a windows problem, linux users can get the majority of the software they want through the built in repositories while mac users now have the app store...

      • You never see anything like this from Linux repositories simply because Linux users would never stand for it. Many (maybe most) of the Windows users I know accept malware and crapware as just the unavoidable cost of getting what they need or want in a convenient way.

        So it's a cultural thing, and it will take a lot of user education to create a higher level of expectation. The trouble is that I don't see from where the incentive to provide that education is going to come, interests in the MS ecosystem being

    • by arielCo ( 995647 )
      Out of habit (some users come from Ye Olde Tucows Tymes). Also, some small developers don't have the packages in their own website (hassle / bw cost).
    • by esocid ( 946821 )
      Isn't sourceforge also 3rd party?
  • by rodrigoandrade ( 713371 ) on Tuesday December 06, 2011 @05:30AM (#38277830)

    1999 just called. It wants its flagship shareware download repository back.

    Seriously, today there are so many better sources to get free stuff (legal or otherwise) than Download.com

    Why even bother?

    • Citation needed?
    • Can I put the 90s on my 'do not call' list?

  • easy way to bypass (Score:5, Informative)

    by sdnoob ( 917382 ) on Tuesday December 06, 2011 @05:38AM (#38277860)

    add &dlm=0 to the end of the 'your download is starting' page url..

    1 go to a program's page
    2. click download now
    3. do not download the file that starts cnet_ or cnet2_ (if it doesn't start with cnet it's ok)
    4. add the &dlm=0 to the url in the address bar after the spi=whatever junk

    enjoy the direct download.. and go to the source next time..or try filehippo or softpedia (either one with your adblocker running)

    • Actually, if you're logged in you can simply click the "Download Directly" link right below the "Download Now" button.
    • by arielCo ( 995647 )

      Shouldn't have to edit URLs to bypass their crap; either offer me both download methods or gtfo.

      As for the ad blocker, I'm making a habit of turning it off for sites that prove useful and not annoying; denying them the revenue makes me more of a leech.

    • by jimicus ( 737525 )

      I can't quite believe I'm pasting a Dilbert strip here, but it's entirely appropriate:

      http://dilbert.com/strips/comic/1994-02-01/ [dilbert.com]

  • It's a shame (Score:4, Insightful)

    by crash123 ( 2523388 ) on Tuesday December 06, 2011 @05:39AM (#38277864)
    It's a shame, cnet and download.com used to be moderately safe ways of downloading new trial and freeware software. In my opinion shareware is now an outdated practice, with it now possible to find an open source equivalent for just commercial piece of software.
    • by gl4ss ( 559668 )

      open source is the new shareware. buying expertise for configuring is the "registered" version.

  • I just downloaded nmap and vlc. Both files were identical to what I got from the source.

    Actually,it looks like cnet redirected me to the nmap.org download link (http://nmap.org/dist/nmap-5.51-setup.exe) using a 'META HTTP-EQUIV="Refresh" ...'. VLC was still from cnet.com.

    I'm not logged in; I wonder if I have a cookie that prevents the wrapper -- or if download.com changed something.

    Also, I'm using NoScript and cnet/download.com is not allowed. Perhaps this turns off the wrapper too.
  • by billcopc ( 196330 ) <vrillco@yahoo.com> on Tuesday December 06, 2011 @07:24AM (#38278336) Homepage

    This extremely common practice of bundling garbage with every download is the cancer that is killing Windows freeware, and no, it's not limited to Download.com.

    A while ago, when I was in-between jobs and looking for some freelance work, I stumbled upon an entire "community" of scammers known as PPI : Pay-Pay-Install. This forum was all about participating in these shady bundling practices, discussing the advertisers that were most tolerant to things like silent installs, home page swaps, BHO's that redirect your Google searches through a proxy (to hijack ad revenue), Vista sidebar widgets, toolbars, bookmarks, and start-up items, along with uploading deceptively named and heavily trojaned stuff via P2P. This is why, with every goddamned Windows utility you get these days, you get prompted to installt he Ask.com toolbar, BonziBuddy, free trials for McAfee's swiss cheese, and a laundry list of other standards.

    CNet should indeed be made an example of, and burned to the ground, but they didn't start this gangbang, the advertisers did. Follow the money... There is no reason why users should tolerate this aberrant behaviour.

    • by Twinbee ( 767046 )
      I like your "64-bit: facts and myths" article btw. I wish everyone would just switch to 64 bit and be done with for better compatibility like you say.
      • by TheThiefMaster ( 992038 ) on Tuesday December 06, 2011 @01:25PM (#38282706)

        It's full of errors. Especially the spiel about alignment. In 64-bit mode you don't have to align everything to 64-bits for best performance, only 64-bit-sized values (including memory pointers). The example 16-bit value actually only needs 16-bit alignment for best performance, which is no different to the 32-bit version of the program.

        2: The increase in the memory use of pointers doesn't explain Windows x64's extra 300MB of memory use. My bet is on it loading both 64-bit and 32-bit versions of a bunch of libraries in order to support various components of Windows that are still 32-bit (as well as any 32-bit software you run).

        3: Saying that a 64-bit version of a program won't be faster... Two things are actually in favour of it being faster: 64-bit mode exposes more and larger registers to use, and also guarantees certain instruction set enhancements exist (SSE2). The latter especially is a huge speedup if you take advantage of it.

  • While this has been normal practice for shady rippoff sites like the ones mentioned for almost a decade, I do wonder if appropriate extensions to FOSS licences such as the GPL could actually prevent this. Or at least make the culprits liable for damages, copyright infringement and/or fraud.

    If I were to work on a large FOSS project I would like to know that the software im contributing to doesn't legally end up on one of these fraudulent DL sites.

    My 2 cents.

  • by DreamMaster ( 175517 ) on Tuesday December 06, 2011 @08:02AM (#38278532) Homepage

    I'm part of the ScummVM group, a cross platform software for playing various classic adventure games, and the question of Download.com came up when we released the next version of our software. There were some arguments for including it on such sites, such as giving greater visibility to the project. However, the issue of the bundled 'crapware' was considered too big a downside. We weren't that desperate for wider coverage of our software, and we certainly didn't want people to adversely associate our software with malware.

    These days I wouldn't touch download.com even if you paid me.

  • It's bad enough without the malware. If you're trying to download a 40kB file, they make you download a MB of ads, and you have to navigate through half a dozen links to "Download" which just go to more advertising. Good luck finding that tiny link that actually goes to the file you want... but now even that doesn't go to the file you want. Greedy bastards.
  • by apcullen ( 2504324 ) on Tuesday December 06, 2011 @08:23AM (#38278708)
    Needed to install 7-zip on a windows computer, and was in a hurry, so I went to the first Google result instead of sourceforge. I aborted the install when I saw the "install this great toolbar" button. Still, I almost messed up my friend's computer. Important safety tip #1: Google doesn't always produce the result you really want anymore. Important safety tip #2: when installing open source software, Sourceforge is probably where you want to look.
  • by shumacher ( 199043 ) on Tuesday December 06, 2011 @10:18AM (#38279922)

    I am shocked that the number of nmap users who are also download.com users would be significant.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...