Bastards.
I am speechless.
Vic.
Cnet has come under fire for wrapping downloads of the popular Nmap network analysis tool and other open-source software packages with a toolbar of dubious utility. Nmap is a popular open-source network auditing and penetration-testing tool that allows sysadmins to run network troubleshooting and penetration tests. Over the …
If I didn't know much about nmap, then on seeing it attempt to install a dodgy toolbar program, I would immediately cancel the whole installation and look for an alternative source of security software elsewhere. I just don't trust software that comes with things like that, however optional they might be.
I've almost been caught out by various crappy toolbar install options. It just takes a little common sense to not fall into the trap of "accidentally" installing one of these crappo features.
It's also quite sad that sites like C|Net insist on pushing these (usually unwanted) add ons into people's faces.
Read twice, click once and most savvy users should be able to keep this crap at bay, however it would be nice if IE and FF prompted you before allowing themselves to be added on to..
Most users are just consumers and are not interested at all in Nmap. CNet have been doing this for at least a month maybe two.
I downloaded a simple utility.... I'm too simple to remember what it was... from CNet around six weeks ago. The installer by default would have installed some toolbar until I cancelled the install.
It's not just Nmap. I think CNet want to, or are in the process of, lacing all their downloads with poison.
We are IT professionals... At least I think some of us might be, and we find it easy to see when something isn't quite right. Your average user on the other hand is just a consumer with little clue about such things. What's more they are more inclined to leave tick boxes ticked when they have the word "recommended" next to them. I know this for a fact and you would too if you ever cleaned the crud from the machine of an average user.
Surely all the cool kids just use apt-get, or whatever they're calling it these days?
Certainly, the thought of having to individually locate and download each and every useful network diagnostic tool merely to use them via some awful windows command line is not a pleasant one. Easier by far just to grab something like a VMware system image and run that instead.
They've been doing this for more than a few days. I downloaded a program on 28/11/2011 and it included this annoying toolbar installer. It almost caught me out too, but I just spotted what it was a moment before clicking "Accept" and managed to click "Decline" instead. It's not very obvious that it's an optional extra, you could think it was required to install your chosen program. Naughty C|Net
I had the email from Fyodor today, and wanted to push this over to someone at El Reg but couldn't find a link to submit (before my brain wandered on to other stuff.... : "WooHoo! Earthlike planet!!")
It's shocking to see that a 'stalwart' (loosest possible meaning of the term) of the download repositories has done this..
"Bad C|Net.. Bad!"
You'd hope that a bundled toolbar would be automatically dismissed. If not then I think NMap may not be for you!
VLC, on the other hand, is more likely to be downloaded by less tech savvy users... I can see myself uninstalling this Babylon junk frequently for a while, grrr!
Just typed "nmap" into google and the top hit was nmap.org which offers a download.
Why in the name of all things holy would anyone ever even *consider* downloading it from these "C|net" people instead?
And why do these "C|net" people bother to offer it? Isn't it obvious that the only way this can pay commercially is if C|net are slipping something into the package? In other words, the very act of offering an nmap download (if you aren't nmap or an OS vendor) screams "TROJAN!!".
Clearly we have a looong way to go before the general public can be trusted to own a computer.
Good lord, why not get it from the people who actually wrote it?
Of course if it's Adobe or Java you're still hosed.... but that's why you always take the "custom" option for install, to get rid of the useless fripperies (AVG, oh AVG, why hast thou bloated the everliving crap out of thy software?)
Glad I'm off Windows and can just find the official repo... but not everybody has that option.
I noticed this the other way with another download. I can't believe that download.com aka CNET would do some blatant, dumb, rookie move to its user populace.
If you can't handle the bandwidth concerns and trying to offset the costs with stupid TOOLBARS (so 2000) then for God's sake, sign up with Bitcasa and start acting like a technology company.
If you can't dodge a toolbar installer.....too stupid to be using Nmap.
Problem with that:
Even under ideal conditions: EVERYBODY is stupid sometimes. It may only be for 2 random minutes a day but if that's the 2 minutes they are downloading nmap from Cnet, they are hosed.
Multiply that smallish probability by the thousands of people downloading nmap.
Now throw in: people being tired, or being worried about a sick child and other non-ideal conditions.
Now add in: it's no fun to be a little paranoid all the time.
I think it's OK to be upset about this behavior by Cnet.
You left out: The thousands of other applications that people download from download.com that have been hijacked in this way.
My sister wouldn't know nmap from a hole in the ground, but I told her to install vlc so that she could play the videos that she recorded on her phone. I even sent her a link to videolan.org to download it. Unfortunately, they sent her back to download.com, and now it's my fault that her "google is all messed up".
> IIRC nmap is GPL
It isn't. It's explicitly *not* GPL because the author didn't want people adding crap to it and pretending it's still nmap. But it is under a licence very similar to GPL in other ways.
> and Cnet's crapware clearly has commercial purposes
So what?
GPL software is perfectly permissible in commercial offerings.
There's an oft-repeated meme that GPL code cannot be used commercially - it is completely and totally wrong.
Vic.
Anybody try to download any Adobe products lately? They bundle their software with the Google toolbar and make you opt out to avoid installing it... trick is the checkbox doesn't show up immediately upon getting to the download page. It can sometimes take 5-10 seconds for the opt out checkbox to load up, during which time many of the site's more impatient visitors have already clicked "accept" and moved on (thereby installing the piece of crap software). I doubt very much that's by accident. VERY SNEAKY!
I downloaded some crapware from Cnet a few days ago, the request to install the so called tool bar was designed to trick the user into installing it.
Of course I avoided that, then found the app was only a garbage demo with no functionality (partitioning software). I went elsewhere and found the correct FREE product.
Fortunately, the latest version of Firefox disables such addons by default, but that will never be a complete solution. Always get the download as close to the source as possible.
Developers who want to avoid upload costs should think about offering copies via BitTorrent. Relatively secure and cheap.
""A software installation for product X which attempts to foist an unrelated product Y onto your computer by default is poor security practice," Ducklin writes. "Anything outside the obvious remit of the installer should be clearly and unequivocally opt-in, not opt-out.""
Huh?
Sorry, but you want free software, it comes with a price.
C/Net makes money by sneaking these in.
Same thing happens when you buy a pre-built windows pc. Vendors are compensated by adding stuff you don't want and will end up deleting from the system. The industry excuse is that it helps lower the costs of the PCs and allows the manufacturer to still have some profit margins....
Note: I'm not saying I like the practice, but I always check to see what extra goodies someone tries to foster on me...
Nmap is an open-source project. Nmap's licence terms (http://nmap.org/svn/COPYING) state: "To avoid misunderstandings, we consider an application to constitute a "derivative work" for the purpose of this license if it does any of the following: [...] * Integrates/includes/aggregates Nmap into a proprietary executable installer, such as those produced by InstallShield."
So, c|net's proprietary executable installer is a "derived work", falls within the GPL (under which Nmap is published), and thus c|net MUST publish the installer's sources.
Oops.
No linux distro would EVER (well maybe Ubuntu) bundle aids ridden junk with a security utility...
I was amazed when I installed flash on a Windows machine and discovered that they had bundled some crap with that too.
I pity you poor bastards that know no better and are just used to this crap.
I just went to CNET (download.com) and downloaded the latest VLC and NMAP and the files downloaded directly. HOWEVER, when I went to get the latest version of AxCrypt it downloaded the CNET Downloader that tries to install the Babylon toolbar-thing.
BTW: If you are a registered member, you can choose to download any file directly by using the tiny "Direct Download" link underneath the big green download button (which will also try to install Babylon).
I prefer to think of Babylon in this case in the Rastafarian sense of Babylon being the evils of the modern world.
To all the Linux comments who always go on about nothing like this ever happening on Linux systems:
You are not helping. You are not inspiring people to switch to Linux. You are not contributing to the discussion. You are not making Windows admins / users jealous of you. You are not clever. You are not interesting. You are not even original.
What you are achieving is reinforcing the opinion that Linux users are smug idiots. So... Mission Accomplished!
Look, Linux users feel smug because they have been snubbed by the "Superior" Windows Wizard Jockeys for years and when it comes to it they rather like to say "I told you so" or "We've been doing this for years" rather than, "why not try our method, it works for us"
The applications mentioned in this story are open source apps and can be obtained from the developers' websites directly without the CNet bundle-ware.
If you want some constructive criticism then Linux distributions have package repositories which work rather well and operate in a very similar method to most app-stores.
Adding default opt-ins to software is one of the most common practices among vendors, especially where "freeware" is concerned. How do you think the bills get paid? When end users download or install software it is their responsibility, and a simple one at that, to watch what they are doing. New applications, whether from the Internet, a cd or dvd, should always be inspected or scanned for malware prior to installation, regardless of the source. Just how lazy and irresponsible are folks becoming that they cannot watch what they are doing even when it may involve great pain and effort such as opening their eyes or clicking a mouse button or two. These whiners need to wake up and smell the reality.