Cnet has come under fire for wrapping downloads of the popular Nmap network analysis tool and other open-source software packages with a toolbar of dubious utility. Nmap is a popular open-source network auditing and penetration-testing tool that allows sysadmins to run network troubleshooting and penetration tests. Over the last …
Pretty crappy behaviour, but it's the norm for most file download sites.
Anyone downloading NMap should be switched on enough to avoid the junk
re: mark 63
Anyone downloading NMap should be switched on enough to avoid Windows.
If I didn't know much about nmap, then on seeing it attempt to install a dodgy toolbar program, I would immediately cancel the whole installation and look for an alternative source of security software elsewhere. I just don't trust software that comes with things like that, however optional they might be.
I've almost been caught out by various crappy toolbar install options. It just takes a little common sense to not fall into the trap of "accidentally" installing one of these crappo features.
It's also quite sad that sites like C|Net insist on pushing these (usually unwanted) add ons into people's faces.
Read twice, click once and most savvy users should be able to keep this crap at bay, however it would be nice if IE and FF prompted you before allowing themselves to be added on to..
True but ...
"Common sense" isn't all that common unfortunately.
downloading it from C|NET?
Eh? Isn't it pre-built repository package in all real operating systems?
I am speechless.
Java is worse
I just used Java's built in updater to go from the preloaded update 22 to update 29 on a customer's laptop and it attempted to put the Ask toolbar on.
And that is as part of a built in updater for a piece of software that is already installed.
Yahoo is also very bad, though it is all from the same company.
Adobe's Flash update page had checkboxes for installing McAfee pre-checked. A bit annoying, but not usually a problem; this time, however, the checkboxes loaded *after* the download button, so I started the download with the crapware included without noticing. Sneaky bastards.
That was a shocker
I really couldn't believe what I was seeing when I came across that a few months ago. I thought the installer had been compromised, so I didn't continue the upgrade.
I think they've fixed it now though. Haven't tried it since.
I'm pretty sure Java has been this way for years.
Yet another reason why I hate it.
Don't think so
I did a big rollout for update 27 not so long ago and I'm fairly sure it wasn't an issue then...
They've been doing this for more than a few days. I downloaded a program on 28/11/2011 and it included this annoying toolbar installer. It almost caught me out too, but I just spotted what it was a moment before clicking "Accept" and managed to click "Decline" instead. It's not very obvious that it's an optional extra, you could think it was required to install your chosen program. Naughty C|Net
Web downloads? eh?
Surely all the cool kids just use apt-get, or whatever they're calling it these days?
Certainly, the thought of having to individually locate and download each and every useful network diagnostic tool merely to use them via some awful windows command line is not a pleasant one. Easier by far just to grab something like a VMware system image and run that instead.
Plus, then you get the satisfaction of knowing you're a smug jerk. Win all around!
Education is the solution to your incomprehensible nonsense, get some, PLEASE.
Oh, go back to your icebergs and fish supper you smug penguin...
dork alert !
actually, the cool kids don't have this problem because their devices 'just work' ..
the latest variants of Foxit Reader have a nasty habit of doing this too.
Aye - There's a Story Here
I had the email from Fyodor today, and wanted to push this over to someone at El Reg but couldn't find a link to submit (before my brain wandered on to other stuff.... : "WooHoo! Earthlike planet!!")
It's shocking to see that a 'stalwart' (loosest possible meaning of the term) of the download repositories has done this..
"Bad C|Net.. Bad!"
If you can't dodge a toolbar installer, which tag along with about 50% of programs these days, you're far too stupid to be using Nmap.
Easy to dodge a pompous horse's ass too, but why bother, it's more fun to watch them be stupid in public.
Most users are just consumers and are not interested at all in Nmap. CNet have been doing this for at least a month maybe two.
I downloaded a simple utility.... I'm too simple to remember what it was... from CNet around six weeks ago. The installer by default would have installed some toolbar until I cancelled the install.
It's not just Nmap. I think CNet want to, or are in the process of, lacing all their downloads with poison.
We are IT professionals... At least I think some of us might be, and we find it easy to see when something isn't quite right. Your average user on the other hand is just a consumer with little clue about such things. What's more they are more inclined to leave tick boxes ticked when they have the word "recommended" next to them. I know this for a fact and you would too if you ever cleaned the crud from the machine of an average user.
Just like the Trojans then, they were so stupid they fell for the old Greek force hidden inside a wooden horse.
Still no damage done.................
If downloading NMap...
You'd hope that a bundled toolbar would be automatically dismissed. If not then I think NMap may not be for you!
VLC, on the other hand, is more likely to be downloaded by less tech savvy users... I can see myself uninstalling this Babylon junk frequently for a while, grrr!
How is this even happening?
Just typed "nmap" into google and the top hit was nmap.org which offers a download.
Why in the name of all things holy would anyone ever even *consider* downloading it from these "C|net" people instead?
And why do these "C|net" people bother to offer it? Isn't it obvious that the only way this can pay commercially is if C|net are slipping something into the package? In other words, the very act of offering an nmap download (if you aren't nmap or an OS vendor) screams "TROJAN!!".
Clearly we have a looong way to go before the general public can be trusted to own a computer.
Good lord, why not get it from the people who actually wrote it?
Of course if it's Adobe or Java you're still hosed.... but that's why you always take the "custom" option for install, to get rid of the useless fripperies (AVG, oh AVG, why hast thou bloated the everliving crap out of thy software?)
Glad I'm off Windows and can just find the official repo... but not everybody has that option.
I stopped using download.com when they started packaging up downloads with their own download manager thing. All looks completely dodgy now...
This, I always used to go to download.com for... downloads(!). Was getting increasingly unpleasant to use and I stopped completely when, like you, they introduced a download manager.
Softpedia now is what download.com used to be about 6 years ago.
I hate toolbar installers
They make such a mess it is a nightmare.
Cleaning up after one can take ages, then the sites HAVE to be blocked at HOSTS.
All for some freebie (which never arrived) on some Facebook game.
I think me taking 1/2 hour to fully untangle was a point made
In other news...
People still download from Cnet? Honestly, I usually pull stuff like this straight from Sourceforge and the like.
Still, bad Cnet! Bad! No biscuit!
CNET should be embarrassed
I noticed this the other way with another download. I can't believe that download.com aka CNET would do some blatant, dumb, rookie move to its user populace.
If you can't handle the bandwidth concerns and trying to offset the costs with stupid TOOLBARS (so 2000) then for God's sake, sign up with Bitcasa and start acting like a technology company.
Completely true, but like most smart-asses you've missed the point that they should NOT be doing it in the first place.
Dodging a Toolbar Installer
If you can't dodge a toolbar installer.....too stupid to be using Nmap.
Problem with that:
Even under ideal conditions: EVERYBODY is stupid sometimes. It may only be for 2 random minutes a day but if that's the 2 minutes they are downloading nmap from Cnet, they are hosed.
Multiply that smallish probability by the thousands of people downloading nmap.
Now throw in: people being tired, or being worried about a sick child and other non-ideal conditions.
Now add in: it's no fun to be a little paranoid all the time.
I think it's OK to be upset about this behavior by Cnet.
You left out: The thousands of other applications that people download from download.com that have been hijacked in this way.
My sister wouldn't know nmap from a hole in the ground, but I told her to install vlc so that she could play the videos that she recorded on her phone. I even sent her a link to videolan.org to download it. Unfortunately, they sent her back to download.com, and now it's my fault that her "google is all messed up".
Surprised CNet still exists. I'd assumed they'd loaded up with so many ads that the ship had sunk years ago.
You'll be saying tucows is still mooing next...
License violation, much?
IIRC nmap is GPL - and Cnet's crapware clearly has commercial purposes if it messes with your browser's settings or phones home.
It's news to me that GPL'd software has to be non-commercial. Last time I checked (about 20 minutes ago as a matter of fact) you're free to sell it, as long as the source code is included or available so it can be modified and re-distributed.
> IIRC nmap is GPL
It isn't. It's explicitly *not* GPL because the author didn't want people adding crap to it and pretending it's still nmap. But it is under a licence very similar to GPL in other ways.
> and Cnet's crapware clearly has commercial purposes
GPL software is perfectly permissible in commercial offerings.
There's an oft-repeated meme that GPL code cannot be used commercially - it is completely and totally wrong.
I steer clear of the majority of download sites, they are very expensive to run so they need to make money in some way.
If I can't download direct from the publisher's own site I steer clear and use something else.
I downloaded VLC once...
...I saw that there were some extra worthless files, so I deleted them and kept the toolbars.
nothing new here...
Anybody try to download any Adobe products lately? They bundle their software with the Google toolbar and make you opt out to avoid installing it... trick is the checkbox doesn't show up immediately upon getting to the download page. It can sometimes take 5-10 seconds for the opt out checkbox to load up, during which time many of the site's more impatient visitors have already clicked "accept" and moved on (thereby installing the piece of crap software). I doubt very much that's by accident. VERY SNEAKY!
Not just nMap
I downloaded some crapware from Cnet a few days ago, the request to install the so called tool bar was designed to trick the user into installing it.
Of course I avoided that, then found the app was only a garbage demo with no functionality (partitioning software). I went elsewhere and found the correct FREE product.
Dear Idiots, please remember to check the project homepage for a download before using 3rd party download sites ...
To avoid man-in-the-middle attacks, avoid middlemen.
Fortunately, the latest version of Firefox disables such addons by default, but that will never be a complete solution. Always get the download as close to the source as possible.
Developers who want to avoid upload costs should think about offering copies via BitTorrent. Relatively secure and cheap.
Where have you been for the past 15 years?
"A software installation for product X which attempts to foist an unrelated product Y onto your computer by default is poor security practice," Ducklin writes. "Anything outside the obvious remit of the installer should be clearly and unequivocally opt-in, not opt-out."
Sorry, but you want free software, it comes with a price.
C/Net makes money by sneaking these in.
Same thing happens when you buy a pre-built windows pc. Vendors are compensated by adding stuff you don't want and will end up deleting from the system. The industry excuse is that it helps lower the costs of the PCs and allows the manufacturer to still have some profit margins....
Note: I'm not saying I like the practice, but I always check to see what extra goodies someone tries to foster on me...
Dump this to ur squid / url filter rules and be done with them.
Now c|net has to publish its sources!
Nmap is an open-source project. Nmap's licence terms (http://nmap.org/svn/COPYING) state: "To avoid misunderstandings, we consider an application to constitute a "derivative work" for the purpose of this license if it does any of the following: [...] * Integrates/includes/aggregates Nmap into a proprietary executable installer, such as those produced by InstallShield."
So, c|net's proprietary executable installer is a "derived work", falls within the GPL (under which Nmap is published), and thus c|net MUST publish the installer's sources.