Slashdot Mirror


Download.com Bundling Adware With Free Software

Zocalo writes "In a post to the Nmap Hackers list Nmap author Fyodor accuses Download.com of wrapping a trojan installer (as detected by various AV applications when submitted to VirusTotal) around software including Nmap and VLC Media Player. The C|Net installer bundles a toolbar, changes browser settings, and, potentially, performs other shenanigans — all under the logo of the application the user thought they might have been downloading. Apparently, this isn't the first time they have done this, either."

40 of 228 comments

  1. This is news? by Anonymous Coward · · Score: 5, Insightful

    Download.com have always done this... I thought this was how they funded the site.

    1. Re:This is news? by geekmux · · Score: 5, Interesting

      Download.com have always done this... I thought this was how they funded the site.

      This may be true, but doesn't shadow the efforts of those irritated enough to stand up and say something. Hats off to Fyodor for bringing it to light in hopes that things change.

      And as knowledgeable as the average user has (been forced to) become about spyware and malware, Download.com should listen, because it's obviously not just those uploading content that keeps them in business. Let's hope they don't react and generate that stench of arrogance around themselves, not unlike many large businesses today that think they're "too big to fail", and could care less what their customers think.

    2. Re:This is news? by sosume · · Score: 4, Informative

      You can always choose not to offer your downloads through download.com.

    3. Re:This is news? by Anonymous Coward · · Score: 5, Interesting

      Yes it is news for me.
      I submitted something I wrote a while back and it used to offer the file the way I uploaded it. I just checked and sure enough my download is now wrapped in a Cnet installer. Now I need to dig out my account info and remove my software listing because this is fucking BULLSHIT!

      Thanks Slashdot for pointing this out.

    4. Re:This is news? by Zocalo · · Score: 5, Informative

      Yes, they have, or at least it seems like it. The difference this time is that in addition to an abuse of the registered Nmap trademark Fyodor also has them in a clear breach of the NMAP licensing Ts&Cs and it appears he's willing to try and pursue the matter through the courts. I did have a strapline on the original submission to the effect that he was looking for a good US based copyright lawyer, but it appears that the Slashdot editors decided that wasn't an important part of the story.

      --
      UNIX? They're not even circumcised! Savages!

    5. Re:This is news? by hairyfeet · · Score: 5, Informative

      Sorry but this is old news and why most of us builders have been avoiding CNet like the clap for a while. I'd love to see their before and after website visit stats because I wouldn't be surprised if many are doing like me and the instant they see the article is on CNet closing the tab.

      For those that need that "80%" software, the stuff you pretty much install on every system? Let old Hairy introduce you to a really nice place with a weird name...Ninite. It has all the latest versions of the software everyone installs, your flash, codec packs, VLC, LibreOffice, several AV and antimal to choose from, and NO TOOLBARS are allowed, no crapware, just the program you want pre-packaged as an unattended installer that's as simple as "clicky clicky" and let her run. Great for not only new builds but when you need to help someone who lives a good distance away who is having trouble or doesn't know where to find the above basics.

      I used to swing by CNet all the time back in the day but since I don't support spammers and spyware pushers they can go pound sand. With Ninite all the basics are covered and if you can think of others you'd like just drop their name in the suggestion box and they'll add the most popular choices to the list. I suggested Klite with MPC and voila! There it is, and more popular apps are being added all the time. Enjoy folks!

      --
      ACs don't waste your time replying, your posts are never seen by me.

    6. Re:This is news? by Anonymous Coward · · Score: 5, Informative

      If anybody else wants to remove their software as well then you need to contact support to delist from Download.com/Upload.com
      They will respond with something like:

      Thank you for contacting CNET Upload.com. There are several ways to opt-out:

      - Premium subscription
      - PPD

      But if you insist they will remove your listing. Fucking scammers!

    7. Re:This is news? by xaxa · · Score: 4, Insightful

      You can always choose not to offer your downloads through download.com.

      Can you? Even if it's under a copyleft license, or in the public domain?

    8. Re:This is news? by buchner.johannes · · Score: 5, Informative

      If your logo or name is a trademark, yes. That's why no distribution can redistribute a modified Firefox with the same name & logo.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.

    9. Re:This is news? by InsightIn140Bytes · · Score: 4, Insightful

      It's even more stupid that Google has started offering Chrome just the same way like every other adware vendor - by offering freeware and shareware authors, and the likes of Download.com, money per install they get. This leads to software authors and download sites bundling it with unrelated software and pushing it to users since they get paid for it. They always used to do this with their toolbar, but of course now they switched it to Chrome. I've seen people using Chrome and when asked why they changed, they had no idea. Either it came with some other software or "Google said on internet that you need to download this to make your browsing better" and they thought fine. No wonder they gained that 25% market share so quickly...

    10. Re:This is news? by Entropy98 · · Score: 5, Informative

      Cnet is only bundling their adware with programs uploaded since they started bundling.

      I've got a program listed there, it's not bundled.

      If I upload a new version they are going to bundle it with their crapware.

      So I'm not uploading a new version, ever.

      They told uploaders what they were going to do with their program, they don't agree to your terms and conditions, you agree to theirs.

      Remove your program from their site and go elsewhere.

    11. Re:This is news? by subreality · · Score: 5, Informative

      Thank you for Ninite. It will unsuck my life considerably.

    12. Re:This is news? by kvvbassboy · · Score: 5, Informative

      I like FileHippo more. It has a bigger collection than ninite, and it tracks both stable and beta versions of most free software and freeware on Windows. They also have a useful (and a completely optional download) update utility that checks if there are any updates available for software on your computer. If yes, you can let it update from their website. It's pretty awesome, all in all.

    13. Re:This is news? by Anonymous Coward · · Score: 5, Informative

      The new installer is a "derivative work", and you can specify that derivative works must not use the original trademarks. Mozilla and RedHat are both very strict about this: the source is open and free and all but you keep their name out of your modified stuff.

    14. Re:This is news? by Kadagan+AU · · Score: 4, Informative

      Seems like we had this discussion already..

      --
      This space for rent, inquire within.

    15. Re:This is news? by datavirtue · · Score: 4, Informative

      No, they have not always done this. It just started this year. As a software author who publishes on CNet in addition to many other sites and my own, I was horrified to be notified this year that this was going to take place. They completely repackage the software, wrapping it with their adware crap. I immediately fired off a vehement email telling them not to do this with my software, but CNet does what they want to do and getting them to do anything without giving them money is a process that usually takes about 6 to 12 months (they pissed me off years ago and it took FOREVER to get de-listed). They are essentially abusing their power they have over software authors who need to publish on CNet (by far the most high traffic DL site on the net). I don't really need to publish on CNet but it used to be a badge of honor and a sign of credibility to be published there. I don't consider it as such any more.

      --
      I object to power without constructive purpose. --Spock

    16. Re:This is news? by icebraining · · Score: 5, Interesting

      Just send them a DMCA takedown notice. If the system exists you might as well use it.

    17. Re:This is news? by rilian4 · · Score: 3, Informative

      In the case of nmap, the license forbids such wrappers. It is *NOT* a GPL license that nmap is under, even though it *is* an open source license. Fyodor's letter explains the details...

      --
      ...quicker, easier, more seductive the darkside is...but more powerful, it is not.

    18. Re:This is news? by Cederic · · Score: 5, Insightful

      Honestly, the whole story is nonsense created by a very ignorant person. Free software was never intended to keep programmers from making a living

      Sorry but no. The whole story is a very real warning to a user community that a large company is acting in an unethical and immoral manner by trading on the name and reputation of someone else.

      Making money through advertising on the download site isn't causing any problem. Pretending to offer Fyodor's downloader while in fact seeking to install other software is a trojan attack and bad behaviour no matter how you look at it.

      Calling this nonsense fails to understand the key issue and misrepresents both the complaint, and the complainant.

    19. Re:This is news? by RobertLTux · · Score: 4, Insightful

      the problem is folks now blaming the original software writer for
      1. mucking about with browser settings
      2. installing adware
      3. installing who knows what else??

      How would you like it if you wrote a program (let's say it's a conversion calculator) and then hosted your downloads on download.com
      and THEY WITHOUT TELLING YOU decided to bundle Diapered Dolls Slideshow 2012 (4-7 edition) and then made that the default screensaver (and locked the settings)???

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge

    20. Re:This is news? by Kalriath · · Score: 3, Informative

      If you're on Brothersoft as well, you'd best contact them to "unwrap" your software too - unlike download.com they won't charge you to do that though, and will do it for you.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".

  2. Nothing new. by RoFLKOPTr · · Score: 3, Interesting

    Download.com has been funded by bullshit third-party software addons for as long as I can remember. AFAIK, they only recently started this practice of causing the user to download a downloader which would first go through the third-party addons before downloading the actual installer... but it's not like it's any different than before. Yeah, lots of people will just click through and accept everything and that's their fault for not reading things before agreeing to them. Don't blame a free service operated by a for-profit corporation for wanting to make money. Host the Nmap installer yourself if you think it's so easy.

    1. Re:Nothing new. by WoodSmoke · · Score: 5, Informative

      Fyodor actually *DOES* host the installer. He never gave them permission to repackage it. In fact, the software license prohibits this explicitly. From the article: "This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't)." So yeah, I can blame them. If you read the fucking article you would know this. p.s. Yes, I said that the parent should have read the article. No, I am not new here, but that doesn't mean that I, or anyone else, should tolerate willfully uninformed bullshit spouting.

    2. Re:Nothing new. by GuldKalle · · Score: 3, Insightful

      How do you know he uploaded it, and not some anon schmuck?

      --
      What?

  3. Go to the software producer's site by mirix · · Score: 5, Insightful

    It's rather mindboggling that a decade into the 21st century, people are still going to third party download outfits like this.

    Maybe someone wants to enlighten me as to why... I'm not coming up with much.

    --
    Sent from my PDP-11

    1. Re:Go to the software producer's site by fsckmnky · · Score: 5, Insightful

      There are a few reasons software repositories are popular that I can think of off the top of my head.

      Much like an "app store" for smart phone apps, it's convenient to have 1 place to go to look for an app, when you have general requirements or a specific type of app in mind, and not so much a specific app.

      People are creatures of habit, and once they learn how to use the download.com ( or some other site like freshmeat.net ) interface, they just return to it out of habit, and the fact that they already know how to search and navigate the site.

      As for why developers use sites like this, the visibility factor comes into play. Since the repositories have a returning user base, the app becomes that much more visible, as opposed to getting lost in search engine results.

      Another incentive for small developers is the bandwidth. They don't have to manage the large amount of bandwidth required to deliver apps, the repository does this. They also don't have to pay for a commercial ISP account that allows them to run servers, as most residential account agreements forbid the operation of servers (although only in agreement, not necessarily technically prevented).

    2. Re:Go to the software producer's site by Neil+Boekend · · Score: 5, Interesting

      I liked it years ago. They made it easy to search for a function and get a list of windows software that did it. Back then I usually couldn't find who made software that did what I needed done. I couldn't go to the software producer's site, because I didn't know who he was. Now I just google around a bit, search some forums and hope for the best.
      In my eyes they already screwed up when they allowed sw developers to promote the features of the full (paid) version in the description of the free version without any indication the free version didn't include the feature.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.

    3. Re:Go to the software producer's site by SuricouRaven · · Score: 4, Insightful

      The standard nontechies approach to getting software is as follows:
      1. Enter name of software into browser search box*
      2. Go to first link
      3. Click 'download.' Repeat until a download starts.
      4. Click 'next' until installation complete.

      They go to download.com because for some programs, it actually comes higher in the listings than the program's main site. Especially if they add 'download' to the search query, as many do.

      *They don't quite get the concept of a search engine yet, so they'll go with the default. There's a one-in-two chance they'll just type it in the address bar.

    4. Re:Go to the software producer's site by Luckyo · · Score: 4, Informative

      Pick mediafire then. Zero wait, over 1MB/sec download speed.

      Megaupload usually saturates my 2.2MB/sec download bandwidth, but it has wait time.

  4. Download.com?? Really?? by rodrigoandrade · · Score: 3, Insightful

    1999 just called. It wants its flagship shareware download repository back.

    Seriously, today there are so many better sources to get free stuff (legal or otherwise) than Download.com

    Why even bother?

    1. Re:Download.com?? Really?? by wierd_w · · Score: 3, Informative

      1) if they actually do something, it means the many worlds hypothesis is true, and the divergent timeline occurs in a different quantum universe.

      2) if they get the message, and do nothing, then you could have created a closed timelike curve, and doomed your own universe to experience the exact timeline you are reporting on. This closed timelike curve would be an indelible part of that universe's history, both present, past and future. (The time after the event creates the preceding event, which causes the event to happen. Rinse, repeat until dizzy.) (It could also simply be another instance of the many worlds hypothesis being true though.)

      3) attempts at bidirectional communication would be systematically prevented by quantum collapse. All attempts to talk to 1999 on the other end of the call would mysteriously fail 100% of the time, even if the theory behind such a transmission seems sound.

      4) 1999 calls us using a one way temporal transmission device. (Like an ordinary metal time capsule.) Communication is received, but no reply can be sent.

      Of these 4 options, 4 and 3 are the most likely scenarios for "1999 called, they want...." happening. #4 being the most likely.

      Causality, it's a bitch.

  5. easy way to bypass by sdnoob · · Score: 5, Informative

    add &dlm=0 to the end of the 'your download is starting' page url..

    1. go to a program's page
    2. click download now
    3. do not download the file that starts cnet_ or cnet2_ (if it doesn't start with cnet it's ok)
    4. add the &dlm=0 to the url in the address bar after the spi=whatever junk

    enjoy the direct download.. and go to the source next time..or try filehippo or softpedia (either one with your adblocker running)

  6. It's a shame by crash123 · · Score: 4, Insightful

    It's a shame, cnet and download.com used to be moderately safe ways of downloading new trial and freeware software. In my opinion shareware is now an outdated practice, with it now possible to find an open source equivalent for just about any commercial piece of software.

  7. Rapidshare by sakdoctor · · Score: 5, Interesting

    Rapidshare, for that authentic 90s warez feel.

    Not hosting your own files, or torrents for larger stuff, looks about as professional as a hotmail address on a business card.

  8. remove download by TheSHAD0W · · Score: 4, Interesting

    That's what I finally had to do, when some entity (might've been download.com, might've been someone else) offered an alternative download location for my software - which bundled some sort of malware installer onto my software. After one attempt to remove them as an alternate, I was told I could request my software be removed, and that's what I did. This occurred back in 2004.

  9. Bundling / wrapping is old news by billcopc · · Score: 4, Interesting

    This extremely common practice of bundling garbage with every download is the cancer that is killing Windows freeware, and no, it's not limited to Download.com.

    A while ago, when I was in-between jobs and looking for some freelance work, I stumbled upon an entire "community" of scammers known as PPI: Pay-Per-Install. This forum was all about participating in these shady bundling practices, discussing the advertisers that were most tolerant to things like silent installs, home page swaps, BHO's that redirect your Google searches through a proxy (to hijack ad revenue), Vista sidebar widgets, toolbars, bookmarks, and start-up items, along with uploading deceptively named and heavily trojaned stuff via P2P. This is why, with every goddamned Windows utility you get these days, you get prompted to install the Ask.com toolbar, BonziBuddy, free trials for McAfee's swiss cheese, and a laundry list of other standards.

    CNet should indeed be made an example of, and burned to the ground, but they didn't start this gangbang, the advertisers did. Follow the money... There is no reason why users should tolerate this aberrant behaviour.

    --
    -Billco, Fnarg.com

    1. Re:Bundling / wrapping is old news by TheThiefMaster · · Score: 3, Informative

      It's full of errors. Especially the spiel about alignment. In 64-bit mode you don't have to align everything to 64-bits for best performance, only 64-bit-sized values (including memory pointers). The example 16-bit value actually only needs 16-bit alignment for best performance, which is no different to the 32-bit version of the program.

      2: The increase in the memory use of pointers doesn't explain Windows x64's extra 300MB of memory use. My bet is on it loading both 64-bit and 32-bit versions of a bunch of libraries in order to support various components of Windows that are still 32-bit (as well as any 32-bit software you run).

      3: Saying that a 64-bit version of a program won't be faster... Two things are actually in favour of it being faster: 64-bit mode exposes more and larger registers to use, and also guarantees certain instruction set enhancements exist (SSE2). The latter especially is a huge speedup if you take advantage of it.

  10. Re:Downloading free software is theft by phrostie · · Score: 5, Funny

    but are they required now to gpl the virus and adware?

  11. This came up in the ScummVM group recently by DreamMaster · · Score: 4, Informative

    I'm part of the ScummVM group, a cross platform software for playing various classic adventure games, and the question of Download.com came up when we released the next version of our software. There were some arguments for including it on such sites, such as giving greater visibility to the project. However, the issue of the bundled 'crapware' was considered too big a downside. We weren't that desperate for wider coverage of our software, and we certainly didn't want people to adversely associate our software with malware.

    These days I wouldn't touch download.com even if you paid me.

  12. Happened to me with 7-zip by apcullen · · Score: 4, Informative

    Needed to install 7-zip on a windows computer, and was in a hurry, so I went to the first Google result instead of sourceforge. I aborted the install when I saw the "install this great toolbar" button. Still, I almost messed up my friend's computer. Important safety tip #1: Google doesn't always produce the result you really want anymore. Important safety tip #2: when installing open source software, Sourceforge is probably where you want to look.