
Download.com "apologises" for bundling (The H)

The H reports that Download.com has apologized for bundling the Nmap scanner with an installer that does a lot more than just install Nmap (it changes the default search to Bing, installs toolbars, ...). "'The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused' said [Download.com's Sean] Murphy, adding that the company had 'reviewed all open source files in our catalog to ensure none are being bundled'. Nmap has been removed from the download manager on Download.com, according to Murphy, and attempts to download it from the site will now send the user what appears to be an unmodified setup file for the network scanner." Nmap's Fyodor is maintaining a web page covering the "unrest".


Not enough!

Posted Dec 8, 2011 22:29 UTC (Thu) by fyodor (guest, #3481) [Link] (2 responses)

Download.Com General Manager Sean Murphy (who seems to be the main guy at CNET promoting the trojaning of 3rd party installers) promises to make minor changes in this article, but:
  • He claims that bundling malware with Nmap was a “mistake on our part” and “we reviewed all open source files in our catalog to ensure none are being bundled.” Either that is a lie, or they are totally incompetent, because tons of open source software is still being bundled. You can read the comments below his post for many examples.
  • Even if they had removed the malware bundling from open source software, what about all of the other free (but not open source) Windows software out there? They shouldn't infect any 3rd party software with sketchy toolbars, search engine redirectors, etc.
  • At the same time that Sean sent the “apology” to users, he sent this very different note to developers. He says they are working on a new expanded version of the rogue installer and “initial feedback from developers on our new model has been very positive and we are excited to bring this to the broader community as soon as possible”. He tries to mollify developers by promising to give them a cut (“revenue share”) of the proceeds from infecting their users.
  • You no longer need to register and log in to get the small (non-trojan) “direct download” link, but the giant green download button still exposes users to malware.
  • The Download.Com Adware & Spyware Notice still says “every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.” How can they say that while they are still adding their own adware? At least they removed the statement from their trojan installer that it is “SAFE, TRUSTED, AND SPYWARE FREE”.

So, in short, I'm glad they cut it out with the Nmap installer, but that's only because we made enough noise. They need to stop infecting other applications, open source or not. I'll continue to follow the issue and post updates here until CNET stops infecting ANY software. Thanks to everyone who has been so supportive through this ordeal.

-Fyodor

Not enough!

Posted Dec 9, 2011 1:22 UTC (Fri) by alan (guest, #4018) [Link] (1 responses)

I wonder what would have happened if Fyodor were a big corporation and Download.com were an individual software developer.

"Sorry we accidentally engineered malware and took pains to disguise our modifications to your installer to mask what we did. Oops!"

Not enough indeed!!! They should have to pay reparations to Fyodor and acknowledge their deception and the reasons for it to the people who they deceived.

Not enough!

Posted Dec 24, 2011 23:37 UTC (Sat) by steffen780 (guest, #68142) [Link]

Actually, they should be prosecuted under criminal law. In Germany the appropriate paragraph would probably be "Computer Sabotage". Additionally it is clearly unfair competition, slander (against the developers, whether FLOSS or not) and perhaps even fraud. Ofc, criminal prosecutions are only done against real people, not against the invented and insane concept of legal people :(
(except in truly extreme circumstances, where the legal person still does not get a punishment that is in any way, shape or form comparable to what would be done to a real person)

Download.com "apologises" for bundling (The H)

Posted Dec 8, 2011 23:28 UTC (Thu) by Los__D (guest, #15263) [Link]

From the "Download.com Adware & Spyware Notice":

"...and we've maintained strict policies surrounding adware found in our download library. But in the first quarter of 2005, we launched a zero-tolerance policy toward all bundled adware."

... By the developers. We can, and will, bundle all sorts of crap.

Download.com "apologises" for bundling (The H)

Posted Dec 9, 2011 1:02 UTC (Fri) by codewiz (subscriber, #63050) [Link] (1 responses)

It would be more interesting to know who's paying Download.com to make Bing the default search engine and make MSN the default browser home page of so many incautious Windows users. I can't imagine who could possibly be so ignoble :-)

Not alone

Posted Dec 9, 2011 8:59 UTC (Fri) by renox (guest, #23785) [Link]

At the end of November I installed a tool from CNet and it was wrapped with a Google toolbar, so Microsoft is not the only one paying for this.

That said, the Google toolbar seemed to uninstall without trouble, which is not always the case (Norton antivirus is a nightmare).

Not only nmap

Posted Dec 9, 2011 14:14 UTC (Fri) by jmayer (guest, #595) [Link] (2 responses)

Wireshark and WinPCAP developers had to request the removal of the "installer" as well.

Not only nmap

Posted Dec 9, 2011 17:21 UTC (Fri) by dsommers (subscriber, #55274) [Link]

OpenVPN is in the same boat as well. The community is now taking action here. On the ironic side, the version download.com ships is completely outdated.

Nobody is even sure who uploaded that in early 2008, so that's also another issue. It might be projects who are not aware of being available via such places.

Not only nmap

Posted Dec 10, 2011 13:48 UTC (Sat) by welinder (guest, #4699) [Link]

But it's not everyone.

I have confirmed that the Gnumeric/win32 binary I downloaded from
download.com matches the one I produced -- modulo the fact that they
don't seem to offer source code. Hmm...

Report them!

Posted Dec 10, 2011 0:35 UTC (Sat) by job (guest, #670) [Link]

The only thing they're sorry for is that they got caught. They continue to distribute badware together with other open source software.

One thing you can do as an end user is to report badware to Google and to Stopbadware as well as other similar projects. It should at the very least put a dent in their business model of sabotaging free software for a slight profit.


Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.