LWN: Comments on "C|Net Download.Com accused of bundling Nmap with malware"
https://lwn.net/Articles/470723/
This is a special feed containing comments posted to the individual LWN article titled "C|Net Download.Com accused of bundling Nmap with malware".
Feed generated: Sun, 21 Sep 2025 21:27:46 +0000

Re: But... Why? (clugstj, Thu, 08 Dec 2011 17:58:14 +0000)
https://lwn.net/Articles/471265/

Well, since they are changing your search to use Bing, it's a pretty good bet that Microsoft is paying them to do it.

Re: But... Why? (trasz, Thu, 08 Dec 2011 13:29:18 +0000)
https://lwn.net/Articles/471188/

You're trying to blame Microsoft for what CNET is doing? ;-)

But... Why? (Comet, Thu, 08 Dec 2011 08:49:13 +0000)
https://lwn.net/Articles/471100/

Trust.

If I'm a casual computer user, who has figured out that something hinky is going on and is looking for a way to figure out what's happening and whether I need to pay someone to clean my system, I'm not likely to know the names of all the tools in this problem space. I wouldn't know "nmap" from "apple juice".

But if there's a repository of software which has had some basic checks done and only includes legitimate, non-pirated, malware-scanned software, and I know the repository and use it repeatedly, then I can build up trust in it. If I find software which seems interesting, I can check the trusted site for it. If they provide an index, I can even check there first, for software that can solve my problems.

I mean, why use Google's Android Market, when I can just enable installing from non-market sources and install .APK files from websites I've never heard of before? Why install the Amazon market, instead of just going direct?

There is clearly a place in the software distribution ecosystem for marketplace intermediaries who can build up reputation and trust in their own right, so that end-users do not need to become subject domain experts to know who to trust as a source of software to run on their computer/phone/tablet/brain-implant/...

And just as clearly, trust can be abused and the marketplace can react accordingly to the betrayal.

DMCA (tialaramex, Wed, 07 Dec 2011 22:25:14 +0000)
https://lwn.net/Articles/471031/

Sure, people shouldn't do it, but this is just exploiting a trust relationship.

The more certain you are that organisation (or person) X won't abuse your trust of them, the more valuable it is for X to sell you out to the bad guys, or if X won't sell, the more valuable it is to impersonate X by any means necessary.

Re: But... Why? (ldo, Wed, 07 Dec 2011 21:26:34 +0000)
https://lwn.net/Articles/471021/

> Not with Windows - with the users.

You're trying to blame Windows *users* for what CNET is doing?

DMCA (cmccabe, Wed, 07 Dec 2011 19:12:39 +0000)
https://lwn.net/Articles/470990/

> > I mean technically, when you run nmap on Windows, the Windows kernel
> > is loading the nmap binary, which is an nmap-copyrighted file, and
> > executing that binary.

> You can run GPLv2 software on a proprietary OS - standard OS components
> are specifically exempted.

Good point.

Clearly the malware needs to patch the OS somehow during the install, so that they can legally be in the clear. Microsoft toolbar / nmap parser kernel module, anyone?

People really have to learn to stop downloading from shady third-party repositories... just don't do it.

DMCA (fuhchee, Wed, 07 Dec 2011 14:45:46 +0000)
https://lwn.net/Articles/470898/

"we consider an application to constitute a “derivative work”"

That's fine, but the concept of "derivative work" is not up to the fashions of the developer, but up to law.

C|Net Download.Com accused of bundling Nmap with malware (robbe, Wed, 07 Dec 2011 12:33:53 +0000)
https://lwn.net/Articles/470881/

JoeBuck suggested using the DMCA. But as this is also a trademark violation, I am more reminded of this:
http://arstechnica.com/tech-policy/news/2011/11/us-judge-orders-hundreds-of-sites-de-indexed-from-google-twitter-bing-facebook.ars
Wouldn't it be nice if download.com was handed over to the nmap team? The ad revenues of one month should cover any legal fees, plus fund nmap development for a couple of years.

DMCA (ewan, Wed, 07 Dec 2011 11:35:59 +0000)
https://lwn.net/Articles/470870/

Interesting, but I'd have thought the plain GPL did that just fine - the installer binary is clearly a derived work of nmap since it includes the whole thing, and can't reasonably be considered 'mere aggregation [...] on a volume of a storage or distribution medium', so the GPL would prohibit redistribution of the whole unless the other components were available under the GPL as well, which seems to be exactly what Fyodor suggests is the intended behaviour of the licence.

DMCA (Wol, Wed, 07 Dec 2011 11:03:25 +0000)
https://lwn.net/Articles/470868/

The problem is that "derivative work" is NOT a legally clear term.

So this "clarification" may not stand up in a court of law, but it places distributors on clear notice as to the copyright holder's understanding of the law.

If a term is legally ambiguous, but the defendant knew up-front the interpretation the plaintiff placed on it, then the defendant cannot argue "innocent mistake". They *have* to argue "plaintiff is wrong", which is a lot harder. The "as I understand the law" defence is a lot harder if the plaintiff says "but I told you that's not the way I understand it".

Cheers,
Wol

DMCA (Los__D, Wed, 07 Dec 2011 10:14:27 +0000)
https://lwn.net/Articles/470862/

> No, it's GPLv2 plus one exception for OpenSSL. The 'clarifications' are just information about how the authors interpret the phrase 'derived work'. Their interpretation may or may not be correct, but they're not saying that you have to accept their interpretation to get a licence, they're just telling you what it is.

Fyodor doesn't agree with you (even though I do):

> This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't).

DMCA (gidoca, Wed, 07 Dec 2011 09:59:57 +0000)
https://lwn.net/Articles/470859/

I think it's quite clear that what the Windows kernel does is analogous in nature to the "typical shell or execution-menu apps", which they explicitly exclude.

Re: But... Why? (trasz, Wed, 07 Dec 2011 09:48:20 +0000)
https://lwn.net/Articles/470858/

Not with Windows - with the users. It's just that most of them use Windows.

But... Why? (eduperez, Wed, 07 Dec 2011 08:39:10 +0000)
https://lwn.net/Articles/470854/

> That was my point. Download.com is not even in the first page of Google hits for "nmap".

It isn't in the first page when you search for it; remember that Google tailors search results to each user.

DMCA (jku, Wed, 07 Dec 2011 07:18:12 +0000)
https://lwn.net/Articles/470851/

Fyodor doesn't seem to agree with you. I have no idea how that would work, but he quite clearly believes the clarifications are part of the license.

Re: But... Why? (ldo, Wed, 07 Dec 2011 02:12:36 +0000)
https://lwn.net/Articles/470837/

> For Windows, there is the added benefit that these large download aggregator sites are supposed to scan for malware, so it should be safer for nontechnical users than looking for the original site (yes, I am aware of the irony here).

The irony is that all these attempts to offer add-on security for Windows only seem to lead to more opportunities for security holes and, as in this case, downright deception by the parties supposedly providing the "security".

Tell me there isn't something fundamentally wrong with Windows...

DMCA (ewan, Wed, 07 Dec 2011 01:09:57 +0000)
https://lwn.net/Articles/470834/

> It's GPLv2, but with some additional provisions:

No, it's GPLv2 plus one exception for OpenSSL. The 'clarifications' are just information about how the authors interpret the phrase 'derived work'. Their interpretation may or may not be correct, but they're not saying that you have to accept their interpretation to get a licence, they're just telling you what it is.

> I mean technically, when you run nmap on Windows, the Windows kernel is loading the nmap binary, which is an nmap-copyrighted file, and executing that binary.

You can run GPLv2 software on a proprietary OS - standard OS components are specifically exempted.

> I don't think it's even possible to redefine what a "derived work" is inside your license. Isn't that a fundamental part of copyright law, defined in 17 U.S.C. § 101?

US law doesn't hold everywhere, of course, but you're right - the term means what it means, it cannot be redefined, and isn't being.

I'd have thought that the obvious GPL claim here would be that the file that CNet are distributing is clearly a derived work ('interesting' interpretations of that term notwithstanding), and so they cannot distribute it unless they make the source to their malware available under the GPL as well.

DMCA (cmccabe, Tue, 06 Dec 2011 23:18:09 +0000)
https://lwn.net/Articles/470812/

The nmap copyright license looks "interesting." http://nmap.org/book/man-legal.html

It's GPLv2, but with some additional provisions:

> To avoid misunderstandings, we consider an application to constitute a
> “derivative work” for the purpose of this license if it does any of
> the following:
>
> Integrates source code from Nmap
>
> Reads or includes Nmap copyrighted data files, such as nmap-os-db or
> nmap-service-probes.
>
> Executes Nmap and parses the results (as opposed to typical shell or
> execution-menu apps, which simply display raw Nmap output and so are not
> derivative works.)
>
> Integrates/includes/aggregates Nmap into a proprietary executable
> installer, such as those produced by InstallShield.
>
> Links to a library or executes a program that does any of the above.

I mean technically, when you run nmap on Windows, the Windows kernel is loading the nmap binary, which is an nmap-copyrighted file, and executing that binary. "Parsing the results" is a poorly defined term, but it seems clear that there is a back and forth flow of data between the kernel and nmap. Does that mean using nmap on Windows in the first place is a copyright violation? Or if you run nmap in a non-GPLv2 shell and pipe it to grep, is that a license violation? Also, arguably this is an "additional restriction" which the GPL forbids.

I don't think it's even possible to redefine what a "derived work" is inside your license. Isn't that a fundamental part of copyright law, defined in 17 U.S.C. § 101?

These guys sure do know security inside and out, but I'm not optimistic about how well this particular license would hold up in court.

The trademark violation, on the other hand, seems a lot more clear-cut. They should just enforce their trademark. Of course, then Debian will declare it non-free and come out with IceWeaselMap... but that's ok :)

But... Why? (cesarb, Tue, 06 Dec 2011 22:11:06 +0000)
https://lwn.net/Articles/470809/

> Of course, but I thought the Windows context here was implicit. They are not spoiled with proper package management.

Even then, some of the reasons are the same. I could get Eclipse from the official site, and even get a newer version that way, but it is still more convenient for me to get it (and almost everything else) from Fedora (or whichever Linux distribution I am using that day), and it would still be the case even without package management.

The comment below by rgmoore makes the same point I was trying to make, perhaps more eloquently.

For Windows, there is the added benefit that these large download aggregator sites are supposed to scan for malware, so it should be safer for nontechnical users than looking for the original site (yes, I am aware of the irony here). This same rationale applies to downloading Firefox extensions only from Mozilla's addons site, even when they are available elsewhere.

But... Why? (josh, Tue, 06 Dec 2011 22:02:18 +0000)
https://lwn.net/Articles/470807/

For a long time, CNet's download.com provided a fairly respectable place to get software for Windows. It served as a mirror network, and as mentioned in another comment, sometimes as the semi-official download site linked from the official site. It also had relatively reliable links, unlike vendor sites which reorganize their long unreliable URLs on a whim. Some of the Open Source projects I've worked on used download.com links when they needed to reference Windows programs people might need (generally the kinds of utilities that Linux users already have readily available, such as disk utilities). And until these recent incidents, it provided a safe place to download software without expecting to get something nasty along for the ride.

But... Why? (rgmoore, Tue, 06 Dec 2011 21:56:06 +0000)
https://lwn.net/Articles/470805/

> Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?

I would assume it's for some of the same reasons Free Software users tend to get their software from a distribution rather than directly from upstream. If you're dealing with more than a few packages, it's a lot easier to have a single site that finds all the software you want and puts it in one big archive, rather than having to track down each upstream project individually and deal with their different packaging and downloading standards. Obviously C|Net isn't doing the same kind of QC that a good Linux distro does (including malware seems like anti-QC), but aggregating the software is a big convenience.

DMCA (job, Tue, 06 Dec 2011 21:35:43 +0000)
https://lwn.net/Articles/470802/

I believe you're not even allowed to link to web pages that distribute infringing software (from what I remember of the DeCSS case). Considering the amount of links to this particular site, that's a whole lot of money up for grabs for someone with the necessary legal skills. Any takers? ;-)

But... Why? (job, Tue, 06 Dec 2011 21:32:25 +0000)
https://lwn.net/Articles/470801/

That was my point. Download.com is not even in the first *page* of Google hits for "nmap".

But... Why? (job, Tue, 06 Dec 2011 21:30:41 +0000)
https://lwn.net/Articles/470800/

Of course, but I thought the Windows context here was implicit. They are not spoiled with proper package management.

Somehow I doubt it would be worth the trouble to trojanize Linux installers on random web pages...

DMCA (corbet, Tue, 06 Dec 2011 21:03:32 +0000)
https://lwn.net/Articles/470795/

Anti-circumvention is only one part of the DMCA. There's also a lot of rules regarding hosting of content that violates copyright or trademark rights and the ways to get that content taken down.

C|Net Download.Com accused of bundling Nmap with malware (ikm, Tue, 06 Dec 2011 20:47:07 +0000)
https://lwn.net/Articles/470794/

I wonder how this is related to the DMCA exactly? I've always thought the DMCA was about preventing protection circumvention.

But... Why? (ikm, Tue, 06 Dec 2011 20:42:06 +0000)
https://lwn.net/Articles/470791/

People tend to download from the first link the search engine gives them. Whether it's an official download place or not takes some thought not everybody is willing to take.

But... Why? (pflugstad, Tue, 06 Dec 2011 20:41:05 +0000)
https://lwn.net/Articles/470786/

A good fraction of the time, the official site actually links to Download.com (or some other download site) instead of providing the link directly. For example: Irfanview (http://www.irfanview.com/) is a very good/popular image viewer/editor for Windows. If you go to their download page, they provide links to their software installer on Download.com, TUCOWS, and half a dozen other sites.

I expect this is mostly done to cut the site hosting costs for the main site. If everyone downloaded it directly, that's a significant bandwidth bill - but by farming it out to a number of other download sites, those sites pay for the bandwidth. This also lets you leverage regional mirroring, again saving bandwidth costs.

So - it's a common thing.

People are aware of the issue with unofficial download sites, which is why Download.com and others often advertise "trojan/spyware/crapware free" or some variation of that.

And up until recently, I've never had any trouble with these sites. I do recall the change when Download.com switched to the silly installer a few months ago (August time frame I think) - I just selected a different download mirror.

Download.com is now officially on my DO NOT GO THERE list...

But... Why? (cesarb, Tue, 06 Dec 2011 19:41:20 +0000)
https://lwn.net/Articles/470777/

> Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?

I do this all the time. For instance, I often download gcc from Fedora, instead of from the official GNU site. The same for a lot of other software.

C|Net Download.Com accused of bundling Nmap with malware (JoeBuck, Tue, 06 Dec 2011 19:37:40 +0000)
https://lwn.net/Articles/470775/

A DMCA takedown notice could be filed by the copyright holder.

C|Net Download.Com accused of bundling Nmap with malware (s0f4r, Tue, 06 Dec 2011 19:20:13 +0000)
https://lwn.net/Articles/470771/

Microsoft has money, so, any lawyer should be jumping to file suit for you. Cheers.

But... Why? (job, Tue, 06 Dec 2011 19:19:40 +0000)
https://lwn.net/Articles/470770/

I don't understand. Why do people download software from unofficial distribution sites, especially when the global Internet makes the official very easy to both find and reach?

Software from some random unofficial site could be laden with whatever rootkits and trojans you can think of. It really could have been much worse than it was in this article.

C|Net Download.Com accused of bundling Nmap with malware (yokem_55, Tue, 06 Dec 2011 17:20:37 +0000)
https://lwn.net/Articles/470757/

I ran into this the other day with a cnet download of a free-beer-ware utility for windows. It took me a couple of seconds to read through what was happening, and I barely caught it before clicking through too fast.

As for Nmap, I'm thinking a strongly worded C&D to the CNet Legal department is in order for trademark and license violations. This "your request will be reviewed on a case by case basis" is a load of bull hockey.

C|Net Download.Com accused of bundling Nmap with malware (clugstj, Tue, 06 Dec 2011 17:06:25 +0000)
https://lwn.net/Articles/470754/

"shame on Microsoft for paying C|Net to trojan open source software".

It's just business as usual for Microsoft - they've been operating this way for at least the last 25 years.

C|Net Download.Com accused of bundling Nmap with malware (dashesy, Tue, 06 Dec 2011 17:06:24 +0000)
https://lwn.net/Articles/470749/

Apparently they have been doing this for some time (here: http://www.donationcoder.com/forum/index.php?topic=27720.0 and here: http://oshyan.blogspot.com/2011/08/cnet-screws-pooch-wraps-all-downloads.html). Shame on Microsoft, true, but there are more to blame: http://webmasters.stackexchange.com/questions/19193/softonic-displaying-google-ads-for-my-software-in-google-search

C|Net Download.Com accused of bundling Nmap with malware (briangmaddox, Tue, 06 Dec 2011 16:57:36 +0000)
https://lwn.net/Articles/470752/

I wonder if this is a result of the CBS purchase or something CNET has been planning for a while. Waiting to see if any of the ex-CNETters out there say anything.

Curious: not the same toolbar (renox, Tue, 06 Dec 2011 15:26:36 +0000)
https://lwn.net/Articles/470729/

I used C|Net recently (shame on me) and it installed Google's toolbar, not the same toolbar curiously; in fact it warned about it before the download (but I didn't understand the warning because the webpage was in a foreign language).
But I could uninstall Google's toolbar without trouble.

C|Net Download.Com accused of bundling Nmap with malware (hpro, Tue, 06 Dec 2011 15:15:29 +0000)
https://lwn.net/Articles/470725/

Wouldn't it be funny to modify the real Nmap installer to pop up a warning if it notices it was called from an external installer, such as C|Net's..

I guess that would only lead to them completely repackaging the entire thing though..