I don't understand. Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?
Software from some random unofficial site could be laden with whatever rootkits and trojans you can think of. It really could have been much worse than it was in this article.
Posted Dec 6, 2011 19:41 UTC (Tue) by cesarb (subscriber, #6266)
> Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?
I do this all the time. For instance, I often download gcc from Fedora, instead of from the official GNU site. The same for a lot of other software.
But... Why?
Posted Dec 6, 2011 21:30 UTC (Tue) by job (guest, #670)
Of course, but I thought the Windows context here was implicit. They are not spoiled with proper package management.
Somehow I doubt it would be worth the trouble to trojanize Linux installers on random web pages...
But... Why?
Posted Dec 6, 2011 22:11 UTC (Tue) by cesarb (subscriber, #6266)
> Of course, but I thought the Windows context here was implicit. They are not spoiled with proper package management.
Even then, some of the reasons are the same. I could get Eclipse from the official site, and even get a newer version that way, but it is still more convenient for me to get it (and almost everything else) from Fedora (or whichever Linux distribution I am using that day), and it would still be the case even without package management.
The comment below by rgmoore makes the same point I was trying to make, perhaps more eloquently.
For Windows, there is the added benefit that these large download aggregator sites are supposed to scan for malware, so it should be safer for nontechnical users than looking for the original site (yes, I am aware of the irony here). This same rationale applies to downloading Firefox extensions only from Mozilla's addons site, even when they are available elsewhere.
Re: But... Why?
Posted Dec 7, 2011 2:12 UTC (Wed) by ldo (subscriber, #40946)
> For Windows, there is the added benefit that these large download aggregator sites are supposed to scan for malware, so it should be safer for nontechnical users than looking for the original site (yes, I am aware of the irony here).
The irony is that all these attempts to offer add-on security for Windows only seem to lead to more opportunities for security holes and, as in this case, downright deception by the parties supposedly providing the security.
Tell me there isn't something fundamentally wrong with Windows...
Re: But... Why?
Posted Dec 7, 2011 9:48 UTC (Wed) by trasz (guest, #45786)
Not with Windows - with the users. It's just that most of them use Windows.
Re: But... Why?
Posted Dec 7, 2011 21:26 UTC (Wed) by ldo (subscriber, #40946)
> Not with Windows - with the users.
You're trying to blame Windows users for what CNET is doing?
Re: But... Why?
Posted Dec 8, 2011 13:29 UTC (Thu) by trasz (guest, #45786)
You're trying to blame Microsoft for what CNET is doing? ;-)
Re: But... Why?
Posted Dec 8, 2011 17:58 UTC (Thu) by clugstj (subscriber, #4020)
Well, since they are changing your search to use Bing, it's a pretty good bet that Microsoft is paying them to do it.
But... Why?
Posted Dec 6, 2011 20:41 UTC (Tue) by pflugstad (subscriber, #224)
A good fraction of the time, the official site actually links to Download.com (or some other download site) instead of providing the link directly. For example: Irfanview (http://www.irfanview.com/) is a very good/popular image viewer/editor for Windows. If you go to their download page, they provide links to their software installer on Download.com, TUCOWS, and half a dozen other sites.
I expect this is mostly done to cut the site hosting costs for the main site. If everyone downloaded it directly, that's a significant bandwidth bill - but by farming it out to a number of other download sites, those sites pay for the bandwidth. This also lets you leverage regional mirroring, again saving bandwidth costs.
So - it's a common thing.
People are aware of the issue with unofficial download sites, which is why Download.com and others often advertise "trojan/spyware/crapware free" or some variation of that.
And up until recently, I've never had any trouble with these sites. I do recall the change when Download.com switched to the silly installer a few months ago (August time frame I think) - I just selected a different download mirror.
Download.com is now officially on my DO NOT GO THERE list...
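The check a practitioner wants when the official site farms downloads out to mirrors, as pflugstad describes above, is that the mirror's copy is byte-for-byte what upstream published. The script below is an added example, not from this thread or from any of the sites named in it: it builds a constructed upstream installer, a checksum list of the kind many projects publish as SHA256SUMS, and a mirror copy with extra bytes appended, then checks each file against the list. The file and directory names (`tool-1.0-setup.exe`, `upstream/`, `mirror/`) are hypothetical; everything is created in a temporary directory so it runs offline.

```shell
# Added example (not from the LWN thread): check a mirror's copy of an installer
# against the checksum list the upstream project publishes. Every file below is
# constructed in a temp directory, so the script runs offline; "tool-1.0-setup.exe"
# and the directory names are hypothetical.
set -u

# Portable SHA-256: GNU coreutils sha256sum, or shasum on systems without it.
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/upstream" "$WORK/mirror"

# 1. What upstream publishes: the installer plus a SHA256SUMS file (constructed).
printf 'installer payload v1.0\n' > "$WORK/upstream/tool-1.0-setup.exe"
( cd "$WORK/upstream" && sha256sum tool-1.0-setup.exe > SHA256SUMS )

# 2. What a mirror hands out: same file name, but with a wrapper appended
#    (constructed stand-in for a rewrapped installer).
cp "$WORK/upstream/tool-1.0-setup.exe" "$WORK/mirror/tool-1.0-setup.exe"
printf 'bundled toolbar wrapper\n' >> "$WORK/mirror/tool-1.0-setup.exe"

# 3. A file the upstream list does not mention at all (constructed).
cp "$WORK/upstream/tool-1.0-setup.exe" "$WORK/mirror/tool-1.1-setup.exe"

# sha256_of FILE -> prints the hex digest only
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# expected_sum NAME SUMSFILE -> prints the digest listed for NAME, or nothing
# (sha256sum output is "digest  name", so the name is the second field)
expected_sum() { awk -v n="$1" '$2 == n {print $1}' "$2"; }

# verify_download FILE SUMSFILE -> exit 0 only if FILE's digest matches the
# entry for its basename in SUMSFILE; names not in the list fail closed.
verify_download() {
    actual=$(sha256_of "$1")
    expected=$(expected_sum "$(basename "$1")" "$2")
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

for f in "$WORK/upstream/tool-1.0-setup.exe" \
         "$WORK/mirror/tool-1.0-setup.exe" \
         "$WORK/mirror/tool-1.1-setup.exe"; do
    if verify_download "$f" "$WORK/upstream/SHA256SUMS"; then
        echo "OK       $f"
    else
        echo "MISMATCH $f"
    fi
done
```

The point of the unlisted third file is that a verifier must fail closed: a name missing from the checksum list is not "unknown", it is "not published by upstream". The list itself is only as trustworthy as where you fetched it from, so it has to come from the official site (or be signed by the project's key), not from the same mirror that served the file.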
But... Why?
Posted Dec 6, 2011 20:42 UTC (Tue) by ikm (subscriber, #493)
People tend to download from the first link the search engine gives them. Whether it's an official download place or not takes some thought that not everybody is willing to put in.
But... Why?
Posted Dec 6, 2011 21:32 UTC (Tue) by job (guest, #670)
That was my point. Download.com is not even in the first page of Google hits for "nmap".
But... Why?
Posted Dec 7, 2011 8:39 UTC (Wed) by eduperez (guest, #11232)
> That was my point. Download.com is not even in the first page of Google hits for "nmap".
It isn't in the first page when you search for it; remember that Google tailors search results to each user.
But... Why?
Posted Dec 6, 2011 21:56 UTC (Tue) by rgmoore (✭ supporter ✭, #75)
> Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?
I would assume it's for some of the same reasons Free Software users tend to get their software from a distribution rather than directly from upstream. If you're dealing with more than a few packages, it's a lot easier to have a single site that finds all the software you want and puts it in one big archive, rather than having to track down each upstream project individually and deal with their different packaging and downloading standards. Obviously C|Net isn't doing the same kind of QC that a good Linux distro does (including malware seems like anti-QC), but aggregating the software is a big convenience.
But... Why?
Posted Dec 6, 2011 22:02 UTC (Tue) by josh (subscriber, #17465)
For a long time, CNet's download.com provided a fairly respectable place to get software for Windows. It served as a mirror network, and as mentioned in another comment, sometimes as the semi-official download site linked from the official site. It also had relatively reliable links, unlike vendor sites which reorganize their long unreliable URLs on a whim. Some of the Open Source projects I've worked on used download.com links when they needed to reference Windows programs people might need (generally the kinds of utilities that Linux users already have readily available, such as disk utilities). And until these recent incidents, it provided a safe place to download software without expecting to get something nasty along for the ride.
But... Why?
Posted Dec 8, 2011 8:49 UTC (Thu) by Comet (subscriber, #11646)
Trust.
If I'm a casual computer user, who has figured out that something hinky is going on and looking for a way to figure out what's happening and if I need to pay someone to clean my system, I'm not likely to know the names of all the tools in this problem space. I wouldn't know "nmap" from "apple juice".
But if there's a repository of software which has had some basic checks done and only includes legitimate, non-pirated, malware-scanned software, and I know the repository and use it repeatedly then I can build up trust in it. If I find software which seems interesting, I can check the trusted site for it. If they provide an index, I can even check there first, for software that can solve my problems.
I mean, why use Google's Android Market, when I can just enable installing from non-market sources and install .APK files from websites I've never heard of before? Why install the Amazon market, instead of just going direct?
There is clearly a place in the software distribution ecosystem for marketplace intermediaries who can build up reputation and trust in their own right, so that end-users do not need to become subject domain experts to know who to trust as a source of software to run on their computer/phone/tablet/brain-implant/...
And just as clearly, trust can be abused and the marketplace can react accordingly to the betrayal.