LWN: Comments on "Download.com "apologises" for bundling (The H)"

Not enough!

steffen780 — Sat, 24 Dec 2011 23:37:21 +0000

Actually, they should be prosecuted under criminal law. In Germany the appropriate paragraph would probably be "Computer Sabotage". Additionally it is clearly unfair competition, slander (against the developers, whether FLOSS or not) and perhaps even fraud. Ofc, criminal prosecutions are only done against real people, not against the invented and insane concept of legal people :(
(except in truly extreme circumstances, where the legal person still does not get a punishment that is in any way, shape or form comparable to what would be done to a real person)

Not only nmap

welinder — Sat, 10 Dec 2011 13:48:07 +0000

But it's not everyone.

I have confirmed that the Gnumeric/win32 binary I downloaded from
download.com matches the one I produced -- modulo the fact that they
don't seem to offer source code. Hmm...

Report them!

job — Sat, 10 Dec 2011 00:35:48 +0000

The only thing they're sorry for is that they got caught. They continue to distribute badware together with other open source software.

One thing you can do as an end user is to report badware to Google and to Stopbadware as well as other similar projects. It should at the very least put a dent in their business model of sabotaging free software for a slight profit.

Not only nmap

dsommers — Fri, 09 Dec 2011 17:21:12 +0000

OpenVPN is in the same boat as well. The community is now taking action here. On the ironic side, the version download.com ships is completely outdate.

Nobody is even sure who uploaded that in early 2008, so that's also another issue. It might be projects who are not aware of being available via such places.

Not only nmap

jmayer — Fri, 09 Dec 2011 14:14:48 +0000

Wireshark and WinPCAP developers had to request the removal of the "installer" as well.

Not alone

renox — Fri, 09 Dec 2011 08:59:34 +0000

End of november I installed a tool from CNet and it was wrapped with a Google toolbar, so Microsoft is not the only one paying for this..

That said the Google toolbar seemed to uninstall without trouble which is not always the case (Norton antivirus is a nightmare).

Not enough!

alan — Fri, 09 Dec 2011 01:22:14 +0000

I wonder what would have happened if Fyodor were a big corporation and Download.com were an individual software developer.

"Sorry we accidentally engineered malware and took pains to disguise our modifications to your installer to mask what we did. Oops!"

Not enough indeed!!! They should have to pay reparations to Fyodor and acknowledge their deception and the reasons for it to the people who they deceived.

Download.com "apologises" for bundling (The H)

codewiz — Fri, 09 Dec 2011 01:02:58 +0000

It would be more interested to know who's paying Download.com to make Bing the default search engine and make MSN the default browser home page of so many incautious Windows users. I can't imagine who could possibly be so ignoble :-)

Download.com "apologises" for bundling (The H)

Los__D — Thu, 08 Dec 2011 23:28:43 +0000

From the "Download.com Adware & Spyware Notice":

...and we've maintained strict policies surrounding adware found in our download library. But in the first quarter of 2005, we launched a zero-tolerance policy toward all bundled adware.... By the developers. We can, and will, bundle all sorts of crap.

Not enough!

fyodor — Thu, 08 Dec 2011 22:29:24 +0000

Download.Com General Manager Sean Murphy (who seems to be the main guy at CNET promoting the trojaning of 3rd party installers) promises to make minor changes in this article, but:

He claims that bundling malware with Nmap was a “mistake on our part” and “we reviewed all open source files in our catalog to ensure none are being bundled.” Either that is a lie, or they are totally incompetent, because tons of open source software is still being bundled. You can read the comments below his post for many examples.
Even if they had removed the malware bundling from open source software, what about all of the other free (but not open source) Windows software out there? They shouldn't infect any 3rd party software with sketchy toolbars, search engine redirectors, etc.
At the same time that Sean sent the “apology” to users, he sent this very different note to developers. He says they are working on a new expanded version of the rogue installer and “initial feedback from developers on our new model has been very positive and we are excited to bring this to the broader community as soon as possible”. He tries to mollify developers by promising to give them a cut (“revenue share”) of the proceeds from infecting their users.
You no longer need to register and log in to get the small (non-trojan) “direct download” link, but the giant green download button still exposes users to malware.
The Download.Com Adware & Spyware Notice still says “every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.” How can they say that while they are still adding their own adware? At least they removed the statement from their trojan installer that it is “SAFE, TRUSTED, AND SPYWARE FREE”.

So, in short, I'm glad they cut it out with the Nmap installer, but that's only because we made enough noise. They need to stop infecting other applications, open source or not. I'll continue to follow the issue and post updates here until CNET stops infecting ANY software. Thanks to everyone who has been so supportive through this ordeal.

-Fyodor