Slashdot Mirror

← Back to Stories (view on slashdot.org)

nmap Maintainer Warns He Doesn't Control nmap SourceForge Mirror

Posted by Soulskill on from the shorter-weekend dept.

vivaoporto writes: Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that he does not control the SourceForge nmap project.

According to him the old Nmap project page (located at http://sourceforge.net/projects/nmap/, screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which is controlled by sf-editor1 and sf-editor3, in a pattern mirroring the much discussed takeover of the GIMP-Win page discussed last week on Ars Technica, IT World and eventually this week on Slashdot.

On Monday, Sourceforge promised to stop "presenting third party offers for unmaintained SourceForge projects," and to their credit Fyodor states, "So far they seem to be providing just the official Nmap files," but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html." To browse the projects and mirrors currently controlled by SourceForge, you can look at these account pages: sf-editor1, sf-editor2, and sf-editor3.

41 of 145 comments (clear)

  1. Fuck Sourceforge by weilawei · · Score: 5, Insightful

    They are dead to me.

    1. Re:Fuck Sourceforge by TWX · · Score: 3, Insightful

      Probably because Soylent News has a godawful colorscheme that drives users away?

      --
      Do not look into laser with remaining eye.
    2. Re:Fuck Sourceforge by Anonymous Coward · · Score: 4, Informative

      Changeable from preferences if I am not mistaken.

    3. Re:Fuck Sourceforge by 0100010001010011 · · Score: 5, Informative

      Some well known projects they've taken:

      Your comment has too few characters per line (currently 11.7).

      Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer nec odio. Praesent libero. Sed cursus ante dapibus diam. Sed nisi. Nulla quis sem at nibh elementum imperdiet. Duis sagittis ipsum. Praesent mauris. Fusce nec tellus sed augue semper porta. Mauris massa. Vestibulum lacinia arcu eget nulla. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos.

    4. Re:Fuck Sourceforge by weilawei · · Score: 2

      I like to think that most other websites would censor me for swearing at the top of their comments section about one of their sibling companies. Luckily, Slashdot is better than that. Slashdot is not Sourceforge, despite the relation (unless timothy or soulskill are behind all of this nonsense).

    5. Re:Fuck Sourceforge by gnunick · · Score: 2

      The best way to crack down on this is to use the "Report inappropriate content" on every page that Sourceforge has that provides contaminated content.

      Which will help ensure that... the folks at Sourceforge know that they're a bunch of despicable assholes?

      --
      I have no special gift, I am only passionately curious. --Albert Einstein
    6. Re:Fuck Sourceforge by DescX · · Score: 4, Insightful

      Holy crap. You're not kidding. I'm just about ready to run screaming back to IRC. I'm getting rather sick of this experiment we call the world wide web and all the trappings of advertising that fuel the beast. ...but I also recall running into all sorts of unpalatable crap before the WWW made it big. Mainly, square eyed nerds with small minded evil streaks. "Will this program attempt to burn out my CPU, or will it sort my email?" is a question I haven't had to worry about realistically for years. As much as I dislike the power "clouds" give to businesses, I will say that such models have made it a lot harder for some depressed person to reason that they can be ruinous. And mistakes actually get noticed... a step in the right direction.

      I think we just need to be more stringent about policing our own kind, and the type of ownership problem SF has spurred will fix itself. Specifically, I mean growing a pair as an employee to stop poor management internally, insisting on having competent help, etc. I disagree with a comment below saying we should click buttons to report content. All that does is drive participation numbers. Want change? Spend 20 bucks on an old PC, 10 on a domain, and roll your own SVN/git/etc. Then, treat SF as though they never existed. Problem solved... ...or have I missed something crucial & worthy of an ethical crusade??? ;)

  2. People still use that? by Lazere · · Score: 4, Insightful

    Honestly, using SorceForge right now is kind of like using Download.com. Sure, you might not get something nasty, but why take the chance?

    1. Re:People still use that? by gstoddart · · Score: 5, Insightful

      You know, it probably still shows up in a lot of searches.

      There's quite possibly people out there who have known it long enough that they still trust it.

      If you're following this stuff, you know about it. But it's surprising how long it can take from when a company starts being shady and when everybody stops trusting them.

      From the sounds of it, Sourceforge will be able to coast on their reputation for some time before they go away, if at all.

      --
      Lost at C:>. Found at C.
    2. Re:People still use that? by Lazere · · Score: 2

      Fair (and depressing) point.

    3. Re:People still use that? by Anonymous Coward · · Score: 2, Insightful

      I am one of those people who have used it occasionally in the past and have grown to trust it. I appreciate the effort that /.'ers have made to make the issue public. At first I thought it was some kind of spam or APK or Golden Girls type thing, but then I saw it getting modded up. I easily could have been an unwitting vector in telling other people how great SourceForge is.

    4. Re:People still use that? by AmiMoJo · · Score: 4, Interesting

      You know, it probably still shows up in a lot of searches.

      Sounds like a problem with search engines. They should push sites carrying malware down the rankings, or off the list entirely. Has anyone reported Sourceforge to Google and other malware site list maintainers?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:People still use that? by penguinoid · · Score: 2

      You know, it probably still shows up in a lot of searches.

      Sounds like a problem with search engines. They should push sites carrying malware down the rankings, or off the list entirely. Has anyone reported Sourceforge to Google and other malware site list maintainers?

      Yeah, and I changed my sig in case other people are too lazy to look up where to do said reporting.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    6. Re:People still use that? by aitikin · · Score: 2

      I'm actually with this AC. I haven't been on SF in probably 3-4 years. Back then I never had issues and would actually look for stuff on SF. Now I don't have as much downtime for that sort of work/play, so I haven't been on, but I'm about to have significantly more free time soon and thus this is a timely notification to stay away.

      --
      "Don't meddle in the affairs of a patent dragon, for thou art tasty and good with ketchup." ~ohcrapitssteve
  3. Damn, I trusted them by Pete+(big-pete) · · Score: 5, Insightful

    Sourceforge was always my go-to place for trusted original non-screwed files, and now I check the list of projects owned by sf-editor1, 2, and 3 and I see a lot of projects that I have used in the past.

    Sometimes (particularly for older projects) it is very difficult to find a home-page or source that I can trust...and now it just became a lot harder.

    -- Pete.

    --
    Monochrome - Probably the UK's largest internet BBS
    1. Re: Damn, I trusted them by penix1 · · Score: 2

      They alter the Eula, your selections in the installer are overriden, and malware installs.

      I wonder if the authors can bring a violation against their license if SF doesn't release the source code for an open source project they abscond with for those licenses that require reciprocity such as the GPL? Or a copyright violation for derivative works? Would be interesting to see if it happened.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  4. It's about time... by MikeRT · · Score: 5, Interesting

    To just refer this matter to law enforcement. They're putting together bundles specifically to shove spyware down people's throats. It's being done in such a way as to make uninformed users think they're the official page. I'm not normally one to say stuff like this, but sourceforge needs to have a visit from FBI and/or FTC over this.

    1. Re:It's about time... by Anonymous Coward · · Score: 2, Informative

      Oh jesus christ...

      Not only has this been gone over every fucking time this story gets posted, but any one with half a brain who has ever actually *read* the GPL knows it isn't a fucking GPL violation. The license SPECIFICALLY says you can bundle closed source stuff with downloads of GPL software. IT FUCKING CALLS OUT AGGREGATION OF PROGRAMS AS A SPECIFIC EXEMPTION.

      . . . In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

      Fucking christ, you people are morons.

  5. Just Remove The Product by KermodeBear · · Score: 4, Insightful

    Re-packaging the product as your own is bad enough, but another bad part is that older projects may have security vulnerabilities as well. It seems like it would be far more ethical to me to simply mark the project as "abandoned", then after a while remove it completely. If the project is alive somewhere else, then contact those folks, let them know what is up, give them a chance to close it all down themselves or revive the proejct on SF.

    But taking it over? No, that is not cool.

    --
    Love sees no species.
  6. slashdot is still slashdot by Ilgaz · · Score: 5, Interesting

    I really admire slashdot editors freely accepting SF stories no matter how damaging they are.

    Did you see a single newspiece/editorial on CNET news.com about the junk download.com bundles?

    1. Re:slashdot is still slashdot by Anonymous Coward · · Score: 2, Informative

      The cat is out of the bag since the Gimp story finally appeared.

      They did, however, suppress that story for several days, until Slashdot started becoming associated with the whole fiasco too.

    2. Re:slashdot is still slashdot by vivaoporto · · Score: 4, Informative

      No, it's not. See the difference between the original submission and how it was changed below.

      To summarize, it was changed from "Fyodor accuses Sourceforge of hijacking nmap account" to "Fyodor warns that he doesn't control Sourceforge nmap mirror", among other things.

  7. Goodbye Sourceforge by Stephen+Chadfield · · Score: 5, Insightful

    A good reputation is hard to earn but easily lost.

  8. This problem by koan · · Score: 2

    This business with SF is troubling, and reinforces my concern about someone malicious gaining control over other items, like Linux repositories, updates, etc.

    Anyone from "Russian hackers" to the NSA.

    --
    "If any question why we died, Tell them because our fathers lied."
  9. Sourceforge can go White Hat on this by davidwr · · Score: 5, Interesting

    All they have to do is:

    1) post a prominent disclaimer along with a link to an officially maintained source, if any.

    2) only provide true read-only mirrors or, for truly-abandoned projects or projects with "political squabbles" that make it hard to know the "real, official" maintainter, true historical mirrors in an explicitly frozen state along with a stayement explaining why the code is old.

    3) prominently display an invitation to "official maintainers" to reclaim control of the repository or have the mirror deactivated once they prove who they are.

    They can go one step further by pro-actively reaching out to currently affected projects and to projects they later identify as "abandoned on Sourceforge but still alive elsewhere."

    They also need to apologize to affected developers and maintainers.

    Why should they even bother?
    1) They can still make money on web-site ads.

    2) It will help boost their reputation and that of their corporate overlords, which will eventually translate into revenue.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Sourceforge can go White Hat on this by houghi · · Score: 3, Insightful

      It will EVENTUALLY translate into revenue? But the CxO needs a new boat NOW. The numbers of this quarter are due in less than 3 months, so we need it now.

      Get the golden eggs out of the goose NOW, because there will be at least one in there. Fcuk tomorrow.

      --
      Don't fight for your country, if your country does not fight for you.
  10. Confusion with names and roles in his announcement by Simon+Budig · · Score: 4, Informative

    Hi all.

    Just a quick service announcement since Fyodor erred with regard of the role of Michael Schuhmacher.

    Michael is *not* the CEO of Sourceforge. He is Office Wrangler for the GIMP project and very much on the other side of the dispute...

    Bye,
                  Simon

  11. Project Removal? by Rob+Riggs · · Score: 4, Interesting

    How does one permanently remove a project from SourceForge that has been transferred elsewhere so this does not occur?

    --
    the growth in cynicism and rebellion has not been without cause
    1. Re:Project Removal? by davidleelambert · · Score: 5, Informative

      You can't. In particular,

      • "Has the project released files? If not, we will honor the removal request."
      • "Projects which have moved to another hosting provider are typically retained at SourceForge.net (though you can make a note on the project web site and project summary page directing users to the new home) for sake of retaining materials of historical value."
      • "Projects that are moving to closed source do not qualify for removal."
      --
      note: I have at least one, possibly two other, Slashdot accounts because OpenID creds can't be merged with an older acco
  12. Look at the bright side. by idontgno · · Score: 4, Insightful

    We slashdotters complain vociferously about the (lack of) quality of the editors here at Slashdot. But it could always be worse. We could have editors like the ones at that other Dice holding, who steal people's contributions and put their own labels on them, and then wrap them in malware.

    It'd be like Timothy personally claiming every +1-or-higher comment made in one of the articles he "edited", leaving only Goatse and GNAA trollage for us plebians.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  13. Re:There is a little hope by Anonymous Coward · · Score: 2, Insightful

    Why would they do that, this was done by directive, not by some rogue employee.

    Ransoms is my captcha.

  14. I want my old /. With BlackJack and Hookers. by 0100010001010011 · · Score: 5, Insightful

    Eh, forget the ./

    Dice you've successfully figured out how to run one of the most best 'news' and opensource websites and run them into the ground for profit. /. and Fark were the only 2 places that could handle 9/11 traffic. I rode out that entire day on both sites when CNN was crumbling.

    I'm glad I had Slashdot over Reddit when I was an angsty tenager. I took pride in trying to get +5 comments and put effort into doing so. Honestly slashdot made me a better writer. Reddit is nice for short terse communication but sometimes I want to "talk with adults".

    Slashdot didn't need much. Unicode support. Newer HTML5 support. CSS3. Make a decent mobile app, move away from HTML for Markdown. Moderation made sense and was much better than a simple +- system. Voting was randomly enabled and you couldn't both vote and comment on the same article. -2 to 5 also limited band wagoning. It's easier to recover from a bunch of early 'down votes'. Instead you drove everyone away to other sites (which still don't quite scratch the /. itch). You shoe horn in what ever fucking agenda is "big in IT". Looking back at all the news I got from /. I can't ever remember thinking "I wonder if a woman did this" or "Too bad a woman didn't do this" because I didn't care. It was about the tech and news for nerds.

    On 'Gamergate', 'sexual equality', 'gender issues', we don't care "Trans-gendered" is a big thing in the news these days (and especially around tech) but a long, long time ago I remember a Mac developer made the transition. (This was in the late '90s.) I read her bio. Shrugged my shoulders went "Neat" and moved on. Why? Because she made some awesome Mac games. Most other person I know in IT or engineering think the same way. None of us care what you do with your body or who you take to the bedroom. I do care if you can cut it and get your work done or contribute to society.

    On the other side of that is Randi Harper (FreeBSD Girl) who actually write decent code. I've dug through some of her BSD commits, major props to her for doing that. But it can all be done without photoshopping traffic tickets to make it look like you got swatted, begging for money to move on twitter, (When you already earn $3k/month from Patreon), grandstanding on Twitter for no reason and bandwagoning users against anyone that disagrees isn't the way to do it.

    You had the same opportunity to fix Sourceforge all of its' convoluted download mirrors (just use a proper CDN), update to Git, and everything else that Sourceforge isn't and GitHub is. Instead you rested on your laurels and are now trying to use this as one last cash grab before the Titanic goes down.

    I don't know where I was going with this either. Just thought someone up top should know why your traffic is tanking and a lot of us are pissed off at you for what you've done.

    I still won't forget the time you broke the capslock filter, I remember BitTorrent being announced and people thinking it was useless, the iPod's lack of wifi and space compared to a Nomad, et al.

    Thanks for the fish?

  15. Changes from the original submission by vivaoporto · · Score: 5, Informative
    The edits made by Slashdot editors on my original submission (that can be read here) are very telling. Fyodor isn't warning that he doesn't control Sourceforge nmap mirror, he is accusing them of hijacking his Sourceforge nmap account, removing the content and creating a mirror that he doesn't control.

    The original title was "Sourceforge Hijacks the Nmap Sourceforge Account" and it was the same title Fyodor used on its post to the maillist. Losing the original Sourceforge original nmap account (created by nmap developers themselves) is not the same news as him not controlling "nmap SourceForge Mirror". The same expression was also changed in the submission body.

    Two other important parts from the the original submission removed by the editor:

    1. The statement by SourceForge themselves that (emphasis mine):

    At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers.

    2. The reference by Fyodor that even if Sourceforge still isn't bundling anything on nmap, the page is designed to mislead the users with fake download buttons:

    "So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) (...)

    Below I repost the original submission so you can compare:

    Sourceforge Hijacks the Nmap Sourceforge Account

    Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that the Sourceforge Nmap account was hijacked from him.

    According to him the old Nmap project page (located at http://sourceforge.net/project..., screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which controlled by sf-editor1 and sf-editor3, in pattern mirroring the much discussed the takeover of GIMP-Win page discussed last week on Ars Technica, IT World and eventually this week Slashdot.

    That happens after Sourceforge promises to stop "presenting third party offers for unmaintained SourceForge projects. At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers."

    To their credit Fyodor states that "So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP" but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html"

    1. Re:Changes from the original submission by Soulskill · · Score: 4, Interesting

      Hi. Thanks for the submission.

      In addition to editing your submission for brevity and minor grammatical issues, I edited it for factual accuracy as well. I'll first address your two main points.

      1) The rest of the quote from SourceForge was trimmed because it wasn't relevant to the content of the submission. SF has been bundling their "third-party offers" with projects who explicitly opt into it for a long time — it's a known thing, and has been discussed at length. Second, according to Fyodor's own post, they weren't bundling anything with nmap.

      2) The rest of the Fyodor quote was trimmed for a similar reason. It makes reference fake download buttons and catching SF "trojaning" nmap. It's fine for Fyodor to editorialize as he pleases, but the first is a separate issue and the second is a non-event, so neither really have a place on this story.

      The headline was changed for two reasons: First, Fyodor's account seems to still be under his control, and the nmap project seems to have been cloned/mirrored, so the references to hijacking the account lack clarity. Second, this is not actually new news. When the GIMP story broke, anyone with an interest could see what projects SF had taken over. Nothing actually changed for the project page Fyodor is posting about since the GIMP story broke — thus, the new information is simply that he's complaining about it. (Which is his right, of course.) I went ahead and posted the story for transparency's sake, and I added links at the bottom of the summary to the SF editor accounts, so people could easily see the full list of affected projects.

    2. Re:Changes from the original submission by gatzke · · Score: 4, Insightful

      Between /. screwing around with this SF story and them screwing around with the poll, I am about to give up.

      After nearly two decades reading /. nearly daily they are pushing me over the edge.

    3. Re:Changes from the original submission by Anonymous Coward · · Score: 2, Funny

      Change job, dude. This isn't worth it.

    4. Re:Changes from the original submission by gatzke · · Score: 4, Informative

      And the stupid video stuff. Looks like we can't turn that garbage off either. Thanks /. !!

    5. Re:Changes from the original submission by vivaoporto · · Score: 4, Informative
      Hi, and thanks for taking the time to address those points, altought they were not the main points. They were merely "other important parts (...) removed", the main point being that "Fyodor isn't warning that he doesn't control Sourceforge nmap mirror" but "is accusing them of hijacking his Sourceforge nmap account".

      Concerning to the main point:

      1. The original title stated that he lost control of "Nmap Sourceforge Account" and not his own
      and it was very clear that by having the project page erased outside his control meant that he lost control of it.

      2. The submission was not about SourceForge (as they were, as you say, pretty much similar to the what was discussed in the previous story) but about the reaction of a prominent figure of the IT world. By editing it for factual accuracy the point of the submission was lost (as what was kept after the edit was not Fyodor's reaction anymore).

      I don't agree that those other two points were satisfactorily addressed either and here is for what reason.

      1. The entire quote was copied verbatim from the update made by T on the SourceForge and GIMP article. Assuming it was relevant enough to be included there by the Slashdot staff itself I don't see why it is not relevant to be included in a similar article referring to the same subject.

      2. The rest of Fyodor quote served to illustrate his opinion that, despite not bundling the installation files with "easy to decline third party offers" (to borrow an eufemism sometimes used by the industry, referred by Fyodor as "trojaned"), it is still risky to download nmap from SourceForge mirror. There are very confusing download buttons on that page that link to those same kind of third party offers instead of to the unmodified installer (referred as "fake download buttons").

      it is very misleading to have a submission accepted, altered for factual accuracy but to kept as if it were submitted as is by the original submiter:

      vivaoporto writes:

      an edited version of what vivaoporto wrote, without any indication of what was changed, who changed and why.

      It would be better to either accept the submission as is (with the minor gramatical mistakes corrected) with a "Note of the Editor (NE)" appended or to reject the submission as factually incorrect.

    6. Re:Changes from the original submission by Nethead · · Score: 3, Funny

      Uhg! It was so much better then. Almost 20 years and I still haven't learned to preview posts!

      --
      -- I have a private email server in my basement.
  16. Is SourceForge ... by PPH · · Score: 2

    ... working its way up to replacing legitimate content with alternative and possibly corrupt stuff? In the case of GIMP for Windows, it has been sold off to an advertising provider. For nmap, the motivation could be more nefarious. As an important tool for performing network and security diagnostics, the implications of a crippled copy could be far more nefarious.

    NSA, please go away.

    --
    Have gnu, will travel.
  17. Re:Just ask to remove the project? by innocent_white_lamb · · Score: 2

    Sourceforge prevents it.

    http://webapps.stackexchange.c...

    --
    If you're a zombie and you know it, bite your friend!