Slashdot Mirror


Cnet Apologizes For Nmap Adware Mess

Trailrunner7 writes "Officials at Cnet's Download.com site have issued a statement apologizing for bundling the popular open source Nmap security audit application with adware that installed a toolbar and changed users' search engine to Microsoft properties. Fyodor, the author of Nmap, raised the issue earlier this week, saying that his app was being wrapped in malware on Download.com. It's not unusual for download sites to bundle free applications with some kind of adware or toolbar, but the creators of open-source applications take a dim view of this practice, given the nature and ethic of open source projects. Nmap is a venerable and widely used tool for mapping networks and performing security audits and Fyodor wrote in a message to an Nmap mailing list earlier this week that Download.com, which is part of Cnet, a subsidiary of CBS Interactive, was bundling the application with its installer, which, if a user agreed, would install a search toolbar and change the user's search engine to Bing."

14 of 231 comments

  1. Perfect american corporate business practice by unity100 · Score: 5, Insightful

    Do some shady/shitty dealing and make big money. Then apologize for the mess you have caused. If that's not enough and you get sued, pay some reparations which are ridiculously low compared to your profits.

    This cycle is what is driving the society down under. What BP did, what Lockheed did, what Intel did. I'm sure you know about what BP did last year - killed an entire ecosystem. You may also know about Intel's bribery case with PC manufacturers. But you probably don't know what Lockheed did - they bribed NATO country defense ministers to buy F-104s over more capable aircraft. As a result, numerous things happened, including approx. 600 NATO pilots dying due to design deficiencies over the years (it had a tendency to maul its tail on landing and take off - hence nicknamed the flying coffin), and the British and other European aerospace industries died.

    What happened? Lockheed was sued, then admitted to bribery, apologized, and paid pathetic sums.

    Unless people running corporations AND their shareholders start being held responsible for their doings, these will continue.

    1. Re:Perfect american corporate business practice by InsightIn140Bytes · Score: 5, Insightful

      Companies can't murder people. People can. And they're already prosecuted under current laws.

    2. Re:Perfect american corporate business practice by EdIII · Score: 5, Insightful

      You can't go after shareholders in a public company. Not all of them. It would kill day trading for one, not that I mind that one bit.

      It would make investments nearly impossible. All that would end up happening is they would bypass it with strategic revenue sharing agreements and legal clauses preventing the company from funneling assets and revenue out to other companies.

      Making a farmer or teacher responsible for their share in a company they invested partly in for retirement is going too far. They lack the sophistication and access to resources to truly assess risk. Most of that is just long term investment in a big well known company.

      Going after mutual funds and pension managers probably won't work well either. How could you ever really know what is going on in a company if it is fraud?

      I think it would be more reasonable to strip corporate personhood and limited liability for the executives and any shareholder that is an accredited investor. The accredited investor part is really really iffy for me.

      Unless you can really define just how shareholder vigilance is supposed to work without an absolute *ton* of micromanaging and audits on a constant basis. Most companies don't want that. So unless the investor is actively involved on the board of directors I just don't see how it is reasonable for you to assume, "they should have known". All they know is what is in the offering and disclosed. They know their risk, not ongoing operations.

      Nail the executives and leave it at that.

    3. Re:Perfect american corporate business practice by Hatta · Score: 5, Interesting

      Nmap is distributed with clarifications to the GPL that explicitly define bundling the software as a "derivative work". Since the bundled software was not also GPL licensed, this was in fact contrary to the license.

      --
      Give me Classic Slashdot or give me death!

    4. Re:Perfect american corporate business practice by EdIII · Score: 5, Insightful

      Where does this psychopathic idea that corporate efficiency must be maintained at all cost come from?

      You're being shortsighted and practicing reductio ad absurdum.

      I never promoted the idea that corporate efficiency must be maintained at all costs. Only that efficiency at some level must be maintained otherwise the cost of the products and services would have to rise commensurately. There has to be a balance, otherwise we are just hurting ourselves.

      Companies don't want that? OH NOES we can't have that!

      Now you are just adding hyperbole. Companies can't have every single investor visiting the offices, or their lawyers offices, and hiring their own counsel and experts to inspect the financials and conduct audits attempting to find fraud or illegal activity.

      They must hire experts. Accredited investors would not be excluded either. Just because you are an MD with a net worth of a couple million dollars meeting the current requirements for exemption under the Securities Act of 1933 does not mean you can walk into a mining company and understand what is wrong and what is right, and what is illegal.

      Your hyperbole and reductio ad absurdum aside, corporations are already being monitored under current laws. Obviously, that needs to be beefed up a bit, but requiring all investors (think how many that would mean for Exxon) to watch the company is just plain ludicrous. It can't work in the real world without making business so inefficient it can't operate.

      What if you own part of a mutual fund? Is it sufficient to investigate the mutual fund managers? Or must you then perform investigations and audits on the possible hundreds or thousands of investments they have? What if a mutual fund owns part of a different financial instrument?

      WHAT IF... WHAT IF... (I get to do hyperbole) somebody that owned part of a mortgage backed security? Would they be required to make sure no lending laws were broken on each loan origination? Would they need to physically inspect each security to verify the possession of the note?

      Of course these same companies want to monitor all of our forms of communication and behaviour to (enhance their marketing and) make sure we don't touch their oh so precious IP

      More hyperbole. Of course things are not balanced. Not even close. However, this has nothing to do with the specific question at hand...

      But we can't have companies watching what they are doing, that would be inefficient.

      No. We can have increased regulations, penalties, and monitoring of corporate activities. What we can't have is thousands upon thousands of independent parties doing it at the same time. That would be grossly inefficient to the point that it is no longer possible to operate a viable business.

      That's why you can't go after the small investor. What I did say was put the executives (and I implied the board of directors) in prison for long sentences. I have a hard time seeing how proposing that, and sparing the small investor makes me a corporate apologist, which is what your raving character assassination seems to be trying to accomplish.

      Is this just for public companies or private?

      I got some news for you... every company (with few exceptions) needed an IPO to go public. Before that, they had to raise capital. The proposal to make investors liable would raise the bar so high, that new businesses and small business would have a significant and oft insurmountable barrier to entry.

      You have a +5 insightful. That means that your hyperbole has sentiments that many can get behind (including myself) but you need to take a couple of deep breaths and realize that you have to be smart, clear headed, and forward thinking when you come up with better ways to regulate corporations and curtail their sociopathic behaviors that we all hate so much.

    5. Re:Perfect american corporate business practice by EdIII · Score: 5, Interesting

      I would ban day trading, and I will tell you why.

      It's that mentality for short gains that has led to our economic collapse. If it had been illegal from the start to securitize mortgages, or if it had required very, very well documented physical transfers of the mortgage note from one owner to the other, we would not be in this situation.

      It was the intense building greed of Wall Street that made the packaging and reselling of mortgage backed securities go faster and faster and faster, and eventually the demand was so great that loans were originated that anybody with a brain knew could not be repaid and would default within 4 years.

      Subprime? Subprime my ass. Guaranteed 99.99% Loss Financial Loans is what I would have called them at the end.

      The need to trade faster and faster only encourages this bullshit, and I don't buy for one second, that it is beneficial to the stock market by blah blah blah economist reasoning inserted here.

      It also introduces arbitrage. Do you think they are building a multi-billion dollar fiber optic trans-Atlantic cable to reduce latency for shits and giggles? No. It is so they can link the stock exchanges and game the system even more. It won't be Call of Duty packets going across that pipe, but it will be warfare.

      Why is it that in a certain building in New York that colocation of a server costs 50-100x that of the going rate?

      Why is it that some people are trying to make microsecond trading and a "stock exchange on a chip"?

      It's called unfair advantages far worse than insider trading and it is bullshit. So yes, screw day trading.

      I want to see a federal tax on all trades based on the time the stock was held. 1 microsecond? 99.99% tax rate. 1 year? .01% tax rate.

      That would start people thinking again about what the company will look like in two years instead of two minutes. That's a culture we need to get back to in this country desperately.

      Even the executives that didn't know anything? If bribery and corruption are the problem, then the solution would be to punish the people responsible, which is not necessarily all of the executives.

      Never said that or implied it. Only the executives directly responsible, or who had knowledge, would be prosecuted and sent away. At some level, a board member claiming they had no knowledge is unreasonable. BP had a long history of disregarding safety for profit, and even if the board member did not specifically know about the decisions around the blowout preventer, he damn well knew everyone had a corporate culture of such disregard.

      In any case, all executives would be innocent until proven guilty. Let the investigators determine who was really at fault and who knew what.

  2. It's Legal by Bruce Perens · Score: 5, Informative

    It is entirely within the license terms of any OSI-approved Open Source license to aggregate any software, regardless of its nature, on the same medium as Open Source software and to install it with the same installer that installs the Open Source. Even software that is harmful. Only if the software is a derivative work of the Open Source will the license apply to it.

    Sure, CNet shouldn't do this, and if they keep doing it we'll eventually start using new licenses that make them copyright infringers. But right now it's legal.

    1. Re:It's Legal by Midnight_Falcon · Score: 5, Informative

      Nmap is not licensed under the GPL -- it has its own license that specifically prohibits this type of bundling/installing a wrapper around the executable. This is not legal under Nmap's license terms; I'm afraid you're mistaken.

    2. Re:It's Legal by Midnight_Falcon · Score: 5, Informative

      Bruce: This is taken directly from Fyodor's email to nmap-hackers: In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't). We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!

  3. Who? What? by RichardJenkins · Score: 5, Insightful

    Who would download a tool like nmap from download.com? What sort of person does this? How is this a thing that happens?

    1. Re:Who? What? by cavtroop · Score: 5, Interesting

      I work in security for my company, so we keep an eye on unauthorized software in our enterprise. We had a guy just today download PuTTY from a download site, that came bundled with all kinds of shitty toolbars and adware. This guy is a Sr. Software Manager and Developer at the company and should know better.

      I wish I could clue these supposedly 'smart' users in, but they'll download and install anything without any critical thinking at all.

    2. Re:Who? What? by Anonymous Coward · Score: 5, Insightful

      I work in security for my company, so we keep an eye on unauthorized software in our enterprise. We had a guy just today download PuTTY from a download site,

      PuTTY is a very bad example, almost ANY URL sounds more authoritative than the real one.

      Working in security, you should expect people to screw this one up and have your sysadmin team deploy/maintain it.

      www.chiark.greenend.org.uk/~sgtatham/putty/
      *blech*

  4. trust by Anonymous Coward · Score: 5, Insightful

    It takes years to earn trust. It takes only one event like this to destroy said trust for good. Up to a year ago, I used download.com where they always proclaimed "Spyware free" etc... That trust has been erased and I will never go back to that site. But really, after they began doing the indirect download using their own downloader, that turned me off right then and there and I stopped about a year ago.

  5. Since it is mentioned prior to installing it by koan · Score: 5, Insightful

    Should you be using Nmap if you can't pay enough attention to opt out of installing a toolbar?

    --
    "If any question why we died, Tell them because our fathers lied."