Software from some random unofficial site could be laden with whatever rootkits and trojans you can think of. It really could have been much worse than it was in this article.
Posted Dec 6, 2011 19:41 UTC (Tue) by cesarb (subscriber, #6266)
I do this all the time. For instance, I often download gcc from Fedora, instead of from the official GNU site. The same for a lot of other software.
Posted Dec 6, 2011 21:30 UTC (Tue) by job (guest, #670)
Somehow I doubt it would be worth the trouble to trojanize Linux installers on random web pages...
Posted Dec 6, 2011 22:11 UTC (Tue) by cesarb (subscriber, #6266)
Even then, some of the reasons are the same. I could get Eclipse from the official site, and even get a newer version that way, but it is still more convenient for me to get it (and almost everything else) from Fedora (or whichever Linux distribution I am using that day), and it would still be the case even without package management.
The comment below by rgmoore makes the same point I was trying to make, perhaps more eloquently.
For Windows, there is the added benefit that these large download aggregator sites are supposed to scan for malware, so it should be safer for nontechnical users than looking for the original site (yes, I am aware of the irony here). This same rationale applies to downloading Firefox extensions only from Mozilla's addons site, even when they are available elsewhere.
Re: But... Why?
Posted Dec 7, 2011 2:12 UTC (Wed) by ldo (subscriber, #40946)
For Windows, there is the added benefit that these large download aggregator sites are supposed to scan for malware, so it should be safer for nontechnical users than looking for the original site (yes, I am aware of the irony here).
The irony is that all these attempts to offer add-on security for Windows only seem to lead to more opportunities for security holes and, as in this case, downright deception by the parties supposedly providing the security.
Tell me there isn't something fundamentally wrong with Windows...
Posted Dec 7, 2011 9:48 UTC (Wed) by trasz (guest, #45786)
Posted Dec 7, 2011 21:26 UTC (Wed) by ldo (subscriber, #40946)
Not with Windows - with the users.
You're trying to blame Windows users for what CNET is doing?
Posted Dec 8, 2011 13:29 UTC (Thu) by trasz (guest, #45786)
Posted Dec 8, 2011 17:58 UTC (Thu) by clugstj (subscriber, #4020)
Posted Dec 6, 2011 20:41 UTC (Tue) by pflugstad (subscriber, #224)
I expect this is mostly done to cut the hosting costs for the main site. If everyone downloaded it directly, that's a significant bandwidth bill - but by farming it out to a number of other download sites, those sites pay for the bandwidth. This also lets you leverage regional mirroring, again saving bandwidth costs.
So - it's a common thing.
People are aware of the issue with unofficial download sites, which is why Download.com and others often advertise "trojan/spyware/crapware free" or some variation of that.
And up until recently, I've never had any trouble with these sites. I do recall the change when Download.com switched to the silly installer a few months ago (August time frame I think) - I just selected a different download mirror.
Download.com is now officially on my DO NOT GO THERE list...
Posted Dec 6, 2011 20:42 UTC (Tue) by ikm (subscriber, #493)
Posted Dec 6, 2011 21:32 UTC (Tue) by job (guest, #670)
Posted Dec 7, 2011 8:39 UTC (Wed) by eduperez (guest, #11232)
It isn't in the first page when you search for it; remember that Google tailors search results to each user.
Posted Dec 6, 2011 21:56 UTC (Tue) by rgmoore (✭ supporter ✭, #75)
Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?
I would assume it's for some of the same reasons Free Software users tend to get their software from a distribution rather than directly from upstream. If you're dealing with more than a few packages, it's a lot easier to have a single site that finds all the software you want and puts it in one big archive, rather than having to track down each upstream project individually and deal with their different packaging and downloading standards. Obviously C|Net isn't doing the same kind of QC that a good Linux distro does (including malware seems like anti-QC), but aggregating the software is a big convenience.
Posted Dec 6, 2011 22:02 UTC (Tue) by josh (subscriber, #17465)
Posted Dec 8, 2011 8:49 UTC (Thu) by Comet (subscriber, #11646)
If I'm a casual computer user, who has figured out that something hinky is going on and looking for a way to figure out what's happening and if I need to pay someone to clean my system, I'm not likely to know the names of all the tools in this problem space. I wouldn't know "nmap" from "apple juice".
But if there's a repository of software which has had some basic checks done and only includes legitimate, non-pirated, malware-scanned software, and I know the repository and use it repeatedly then I can build up trust in it. If I find software which seems interesting, I can check the trusted site for it. If they provide an index, I can even check there first, for software that can solve my problems.
I mean, why use Google's Android Market, when I can just enable installing from non-market sources and install .APK files from websites I've never heard of before? Why install the Amazon market, instead of just going direct?
There is clearly a place in the software distribution ecosystem for marketplace intermediaries who can build up reputation and trust in their own right, so that end-users do not need to become subject domain experts to know who to trust as a source of software to run on their computer/phone/tablet/brain-implant/...
And just as clearly, trust can be abused and the marketplace can react accordingly to the betrayal.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds