[fyodor@insecure.org: C|Net Download.Com is now bundling Nmap with malware!]
With permission.... ----- Forwarded message from Fyodor <fyodor@insecure.org> ----- Date: Mon, 5 Dec 2011 14:35:30 -0800 Hi Folks. I've just discovered that C|Net's Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy "StartNow" toolbar, changing the user's default search engine to Microsoft Bing, and changing their home page to Microsoft's MSN. The way it works is that C|Net's download page (screenshot attached) offers what they claim to be Nmap's Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap's real installer. Of course the problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn't put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them! I took and attached a screen shot of the C|Net trojan Nmap installer in action. Note how they use our registered "Nmap" trademark in big letters right above the malware "special offer" as if we somehow endorsed or allowed this. Of course they also violated our trademark by claiming this download is an Nmap installer when we have nothing to do with the proprietary trojan installer. In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't). We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity! It is worth noting that C|Net's exact schemes vary. Here is a story about their shenanigans: http://www.extremetech.com/computing/93504-download-com-wraps-downloads-in-b... It is interesting to compare the trojaned VLC screenshot in that article with the Nmap one I've attached. In that case, the user just clicks "Next step" to have their machine infected. And they wrote "SAFE, TRUSTED, AND SPYWARE FREE" in the trojan-VLC title bar. It is telling that they decided to remove that statement in their newer trojan installer. In fact, if we UPX-unpack the Trojan CNet executable and send it to VirusTotal.com, it is detected as malware by Panda, McAfee, F-Secure, etc: http://bit.ly/cnet-nmap-vt According to Download.com's own stats, hundreds of people download the trojan Nmap installer every week! So the first order of business is to notify the community so that nobody else falls for this scheme. Please help spread the word. Of course the next step is to go after C|Net until they stop doing this for ALL of the software they distribute. So far, the most they have offered is: "If you would like to opt out of the Download.com Installer you can submit a request to cnet-installer@cbsinteractive.com. All opt-out requests are carefully reviewed on a case-by-case basis." In other words, "we'll violate your trademarks and copyright and squandering your goodwill until you tell us to stop, and then we'll consider your request 'on a case-by-case basis' depending on how much money we make from infecting your users and how scary your legal threat is. F*ck them! If anyone knows a great copyright attorney in the U.S., please send me the details or ask them to get in touch with me. Also, shame on Microsoft for paying C|Net to trojan open source software! Cheers, Fyodor ----- End forwarded message -----
F*ck them! If anyone knows a great copyright attorney in the U.S., please send me the details or ask them to get in touch with me.
Hmm -- did you say "copyright"? I wonder what would happen if you sent them a DMCA takedown notice. To quote Salvor Hardin, "It's a poor atom blaster that doesn't point both ways." (And there's another Hardin quote that seems particularly apt when talking about wielding the DMCA: "Never let your sense of morals prevent you from doing what is right.") --Steve Bellovin, https://www.cs.columbia.edu/~smb
Fyodor:
F*ck them! If anyone knows a great copyright attorney in the U.S., please send me the details or ask them to get in touch with me.
Larry Lessig? Mike Godwin? Might as well start at the top, dude. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
Using fruitful language and acting like a child isn't going to see you taken seriously. Andrew
----- Forwarded message from Fyodor <fyodor@insecure.org> ----- F*ck them! If anyone knows a great copyright attorney in the U.S., please send me the details or ask them to get in touch with me.
Also, shame on Microsoft for paying C|Net to trojan open source software!
Cheers, Fyodor
----- End forwarded message -----
On Mon, 05 Dec 2011 22:14:48 PST, "andrew.wallace" said:
Using fruitful language and acting like a child isn't going to see you taken seriously.
No, he *does* want fruitful language - one that produces results. I think you meant some other word instead. As far as "acting like a child", I'm reasonably sure that if CNet was doing the same thing to the good name of your consulting company, you'd react similarly.
----- Forwarded message from Fyodor <fyodor@insecure.org>
On the other hand, just being Fyodor is sufficient to get him taken seriously.
Not that anyone cares but personally, I'm happy fyodor posted this and I'm forwarding it to anyone that I think might use download.com. I think it's crap anyone changes anyone's code like that -----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Tuesday, December 06, 2011 11:48 AM To: andrew.wallace Cc: fyodor@insecure.org; nanog@nanog.org Subject: Re: [fyodor@insecure.org: C|Net Download.Com is now bundling Nmap with malware!] On Mon, 05 Dec 2011 22:14:48 PST, "andrew.wallace" said:
Using fruitful language and acting like a child isn't going to see you taken seriously.
No, he *does* want fruitful language - one that produces results. I think you meant some other word instead. As far as "acting like a child", I'm reasonably sure that if CNet was doing the same thing to the good name of your consulting company, you'd react similarly.
----- Forwarded message from Fyodor <fyodor@insecure.org>
On the other hand, just being Fyodor is sufficient to get him taken seriously.
Maybe it's just me, but I would think that simply getting them listed on stopbadware.org and other similar sites would probably have much more of an effect. The bad publicity can cause them to change tactics, but it takes some time. I've seen much quicker results from blacklisting on Google and other search engines. Sincerely, Eric Tykwinski TrueNet, Inc. P: 610-429-8300 F: 610-429-3222 -----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Tuesday, December 06, 2011 11:48 AM To: andrew.wallace Cc: fyodor@insecure.org; nanog@nanog.org Subject: Re: [fyodor@insecure.org: C|Net Download.Com is now bundling Nmapwith malware!] On Mon, 05 Dec 2011 22:14:48 PST, "andrew.wallace" said:
Using fruitful language and acting like a child isn't going to see you taken seriously.
No, he *does* want fruitful language - one that produces results. I think you meant some other word instead. As far as "acting like a child", I'm reasonably sure that if CNet was doing the same thing to the good name of your consulting company, you'd react similarly.
----- Forwarded message from Fyodor <fyodor@insecure.org>
On the other hand, just being Fyodor is sufficient to get him taken seriously.
http://krebsonsecurity.com/2011/12/download-com-bundling-toolbars-trojans/ Its already getting some press... He could always send them a Cease and Desist letter like Wireshark had to do.... -Kyle On Tue, Dec 6, 2011 at 9:00 AM, Eric Tykwinski <eric-list@truenet.com>wrote:
Maybe it's just me, but I would think that simply getting them listed on stopbadware.org and other similar sites would probably have much more of an effect. The bad publicity can cause them to change tactics, but it takes some time. I've seen much quicker results from blacklisting on Google and other search engines.
Sincerely,
Eric Tykwinski TrueNet, Inc. P: 610-429-8300 F: 610-429-3222
-----Original Message----- From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu] Sent: Tuesday, December 06, 2011 11:48 AM To: andrew.wallace Cc: fyodor@insecure.org; nanog@nanog.org Subject: Re: [fyodor@insecure.org: C|Net Download.Com is now bundling Nmapwith malware!]
On Mon, 05 Dec 2011 22:14:48 PST, "andrew.wallace" said:
Using fruitful language and acting like a child isn't going to see you taken seriously.
No, he *does* want fruitful language - one that produces results. I think you meant some other word instead.
As far as "acting like a child", I'm reasonably sure that if CNet was doing the same thing to the good name of your consulting company, you'd react similarly.
----- Forwarded message from Fyodor <fyodor@insecure.org>
On the other hand, just being Fyodor is sufficient to get him taken seriously.
On 12/6/11 12:00 PM, Eric Tykwinski wrote:
Maybe it's just me, but I would think that simply getting them listed on stopbadware.org and other similar sites would probably have much more of an effect. The bad publicity can cause them to change tactics, but it takes some time. I've seen much quicker results from blacklisting on Google and other search engines.
I've reported it as a malware site via Firefox. Have you? But the whole site should be scanned for other/similar malware, and blocked accordingly. Probably a harder problem, as it gives different downloads depending on browser and OS.
On Dec 6, 2011, at 12:34 31PM, William Allen Simpson wrote:
On 12/6/11 12:00 PM, Eric Tykwinski wrote:
Maybe it's just me, but I would think that simply getting them listed on stopbadware.org and other similar sites would probably have much more of an effect. The bad publicity can cause them to change tactics, but it takes some time. I've seen much quicker results from blacklisting on Google and other search engines.
I've reported it as a malware site via Firefox. Have you?
But the whole site should be scanned for other/similar malware, and blocked accordingly. Probably a harder problem, as it gives different downloads depending on browser and OS.
Per the Krebs on Security link that Kyle just posted (and beat me to it), the installer is already flagged as malware by a number of different scanners. --Steve Bellovin, https://www.cs.columbia.edu/~smb
On Tue, Dec 6, 2011 at 4:48 PM, <Valdis.Kletnieks@vt.edu> wrote:
On the other hand, just being Fyodor is sufficient to get him taken seriously.
It could be argued that Nmap is malware, and such software has already been called to be made illegal. If I was Cnet, I would stop distributing his software altogether. Link: http://nmap.org/book/legal-issues.html Andrew
On Dec 6, 2011, at 10:30 AM, andrew.wallace wrote:
On Tue, Dec 6, 2011 at 4:48 PM, <Valdis.Kletnieks@vt.edu> wrote:
On the other hand, just being Fyodor is sufficient to get him taken seriously.
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
Link: http://nmap.org/book/legal-issues.html
Andrew
That's a stretch. Malware generally, IMHO, means software which does something other than what it claims to do. I don't believe that nmap does anything other than what it claims. I understand you may not like the idea of having such a tool available to users of your network. Personally, I'd rather that the users had access to such a tool than live without it myself. Kind of a double-edged sword, I know, but, nmap is a tool. In and of itself, neither bad nor good. Malice is in the intent of the user. This distinguishes it from malware in that with malware, malice is in the intent of the author and not the user. Malware, once installed, does what its author wants it to do regardless of the intent of the user. Sure, you can do things with nmap that are at best antisocial and at worst potentially illegal. I can do things with a Bowie Knife that are as well. However, used properly in the right context, both can be very useful tools. I don't think we should outlaw either one. Then again, I'm rather liberal in that regard. I believe that we should not ban something if it has both legitimate and nefarious uses, but, rather, should only ban those things which pose a public hazard and have no legitimate use. I suspect that he would rather Cnet stop distributing his software altogether than do what they are doing. I appreciate the warning and have stopped using CNET as a result. Owen
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
It could. But making such an argument calls the arguer's grasp of reality into question. Nmap is a tool, like any other. It has no more ethical value than a nail gun or a hammer. In the hands of an engineer, it is a valuable addition to a toolkit. In the hands of an attacker, it can become a weapon. If it could be argued that Nmap is malware, then it could be argued that hammers are weapons; therefore, we should call on Home Depot to stop carrying these deadly instruments with all due alacrity - or at least have governments step in and create licensing programs for hand tools. Nathan Eisenberg
Having seen the previous owner of my house's cabinet building skills, and living with them, I'm all for licensing! -----Original Message----- From: Nathan Eisenberg [mailto:nathan@atlasnetworks.us] Sent: Tuesday, December 06, 2011 1:55 PM To: nanog@nanog.org Subject: RE: [fyodor@insecure.org: C|Net Download.Com is now bundling Nmap with malware!]
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
It could. But making such an argument calls the arguer's grasp of reality into question. Nmap is a tool, like any other. It has no more ethical value than a nail gun or a hammer. In the hands of an engineer, it is a valuable addition to a toolkit. In the hands of an attacker, it can become a weapon. If it could be argued that Nmap is malware, then it could be argued that hammers are weapons; therefore, we should call on Home Depot to stop carrying these deadly instruments with all due alacrity - or at least have governments step in and create licensing programs for hand tools. Nathan Eisenberg
I'm pretty sure nmap is the exact opposite of Malware. It's an essential information security tool. Fyodor, Reach out to the Free Software Foundation and EFF. They may not be able to help directly, but I'm sure that they could put you in touch with some pro bono legal experts that could give you the right advice on how to act. As mentioned, both Lessig, and Eben Moglen, would be good starting points. On Tue, Dec 6, 2011 at 1:30 PM, andrew.wallace <andrew.wallace@rocketmail.com> wrote:
On Tue, Dec 6, 2011 at 4:48 PM, <Valdis.Kletnieks@vt.edu> wrote:
On the other hand, just being Fyodor is sufficient to get him taken seriously.
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
Link: http://nmap.org/book/legal-issues.html
Andrew
-- Ray Soucy Epic Communications Specialist Phone: +1 (207) 561-3526 Networkmaine, a Unit of the University of Maine System http://www.networkmaine.net/
On Tue, Dec 6, 2011 at 4:45 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 06 Dec 2011 10:30:20 PST, "andrew.wallace" said:
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
Called by whom, other than yourself?
Germany? http://www.schneier.com/blog/archives/2007/08/new_german_hack.html -- Dan Collins
On 6 Dec 2011, at 22:07, Dan Collins wrote:
On Tue, Dec 6, 2011 at 4:45 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 06 Dec 2011 10:30:20 PST, "andrew.wallace" said:
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
Called by whom, other than yourself?
Germany?
http://www.schneier.com/blog/archives/2007/08/new_german_hack.html
-- Dan Collins
There's a big difference between "hacking tools" and malware. Edward Dore Freethought Internet
On Tue, 06 Dec 2011 17:07:47 EST, Dan Collins said:
On Tue, Dec 6, 2011 at 4:45 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 06 Dec 2011 10:30:20 PST, "andrew.wallace" said:
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
Called by whom, other than yourself?
Germany?
http://www.schneier.com/blog/archives/2007/08/new_german_hack.html
I rest my case. ;) Anybody know if they ever fixed their law?
Hi, Valdis.Kletnieks@vt.edu wrote on Mi, 2011-12-07 at 00:59+0100:
On Tue, 06 Dec 2011 17:07:47 EST, Dan Collins said:
On Tue, Dec 6, 2011 at 4:45 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 06 Dec 2011 10:30:20 PST, "andrew.wallace" said:
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
Called by whom, other than yourself?
Germany?
http://www.schneier.com/blog/archives/2007/08/new_german_hack.html
I rest my case. ;)
Anybody know if they ever fixed their law?
not really. There have been some highest court decisions regarding this law saying the criminal liability depends on the intention someone produces or owns such tools - German jurisprudence is much more than the wording of the written law (though we have a lot of written laws, including many very strange ones). ;-) De facto, everybody in the industry continues to use "dual use" tools without fear of punishment and I am not aware of any dubious court decisions - the law was created for clearly illegal uses of such tools. Nontheless, as said by others, "hacker tools" != "malware". Regards, Malte -- Malte von dem Hagen Head of Network Engineering & Operations ----------------------------------------------------------------------- Host Europe GmbH - http://www.hosteurope.de Welserstraße 14 - 51149 Köln - Germany Telefon: 0800 467 8387 - Fax: +49 180 5 66 3233 (*) HRB 28495 Amtsgericht Köln - USt-IdNr.: DE187370678 Geschäftsführer: Patrick Pulvermüller, Thomas Vollrath (*) 0,14 EUR/Min. aus dem dt. Festnetz; maximal 0,42 EUR/Min. aus den dt. Mobilfunknetzen
Isn't it a little early for Whacky Weekend? ----- Original Message -----
From: "Dan Collins" <enwpst47@gmail.com>
On Tue, Dec 6, 2011 at 4:45 PM, <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 06 Dec 2011 10:30:20 PST, "andrew.wallace" said:
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
Called by whom, other than yourself?
Germany?
http://www.schneier.com/blog/archives/2007/08/new_german_hack.html
Perhaps. But Valdis and you both misinterpreted what Andrew said: he said that "malware" has already been called to be made illegal -- he really only invited you to infer that he was in fact *making* the argument that nmap was indeed malware, and you both bit beautifully. Now PDFTT, people. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274
On 12/6/2011 13:30, andrew.wallace wrote:
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
If this is not trolling and you actually believe this, just wow..... Nmap is just a tool, and any tool can be misused by people for criminal acts. It's really no different than a gun in that regard. Both are incredibly useful things in the right hands, mere tools to further security. However in the wrong hands they can be used to commit crimes and break other peoples security. -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net
A trojan can be used for good if in the right hands as a remote access tool for business use. Andrew ________________________________ From: Bryan Fields <Bryan@bryanfields.net> To: "nanog@nanog.org" <nanog@nanog.org> Sent: Tuesday, December 6, 2011 11:24 PM Subject: Re: [fyodor@insecure.org: C|Net Download.Com is now bundling Nmap with malware!] On 12/6/2011 13:30, andrew.wallace wrote:
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
If this is not trolling and you actually believe this, just wow..... Nmap is just a tool, and any tool can be misused by people for criminal acts. It's really no different than a gun in that regard. Both are incredibly useful things in the right hands, mere tools to further security. However in the wrong hands they can be used to commit crimes and break other peoples security. -- Bryan Fields 727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net
I can't believe this... Andrew, please check the dictionary second definition of Trojan before proceeding. A "remote access tool" is ssh, VNC and others and these are definitely not trojans. Get a grip. Trojan Horse noun noun Greek Mythology a hollow wooden statue of a horse in which the Greeks concealed themselves in order to enter Troy. • (also Trojan horse) figurative a person or thing intended secretly to undermine or bring about the downfall of an enemy or opponent : the rebels may use this peace accord as a Trojan horse to try and take over. • (also Trojan horse) Computing a program designed to breach the security of a computer system while ostensibly performing some innocuous function. Tom On Dec 6, 2011, at 6:49 PM, andrew.wallace wrote:
A trojan can be used for good if in the right hands as a remote access tool for business use.
Andrew
________________________________ From: Bryan Fields <Bryan@bryanfields.net> To: "nanog@nanog.org" <nanog@nanog.org> Sent: Tuesday, December 6, 2011 11:24 PM Subject: Re: [fyodor@insecure.org: C|Net Download.Com is now bundling Nmap with malware!]
On 12/6/2011 13:30, andrew.wallace wrote:
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
If this is not trolling and you actually believe this, just wow.....
Nmap is just a tool, and any tool can be misused by people for criminal acts. It's really no different than a gun in that regard. Both are incredibly useful things in the right hands, mere tools to further security. However in the wrong hands they can be used to commit crimes and break other peoples security.
-- Bryan Fields
727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net
On 12/06/2011 05:03 PM, Valdis.Kletnieks@vt.edu wrote:
On Tue, 06 Dec 2011 15:49:29 PST, "andrew.wallace" said:
A trojan can be used for good if in the right hands as a remote access tool for business use. Best troll line since n3td3v got banned from full-disclosure. Well played, I've been outclassed, I'm outta here.
I had assumed that he meant this in terms of red light districts. Mike
On Tue, 06 Dec 2011 17:09:54 PST, Michael Thomas said:
On 12/06/2011 05:03 PM, Valdis.Kletnieks@vt.edu wrote:
On Tue, 06 Dec 2011 15:49:29 PST, "andrew.wallace" said:
A trojan can be used for good if in the right hands as a remote access tool for business use.
I had assumed that he meant this in terms of red light districts.
But then it's not exactly remote access, is it?
----- Original Message ----- From: <Valdis.Kletnieks@vt.edu> To: <nanog@nanog.org> Sent: Tuesday, December 06, 2011 3:03 PM Subject: Re: [fyodor@insecure.org: C|Net Download.Com is now bundling Nmap with malware!] On Tue, 06 Dec 2011 15:49:29 PST, "andrew.wallace" said:
A trojan can be used for good if in the right hands as a remote access tool for business use.
Best troll line since n3td3v got banned from full-disclosure. Well played, I've been outclassed, I'm outta here.
Maybe andrew's been reading http://wikileaks.org/the-spyfiles.html ?
Carrier IQ does not qualify as a good use of a Trojan and comes about as close to your definition as I can think of. No, a Trojan is malware. Any software which operates without the knowledge or consent of the user to engage in operations the user would not reasonably expect is not being used for good, no matter how well intentioned. Owen On Dec 6, 2011, at 3:49 PM, andrew.wallace wrote:
A trojan can be used for good if in the right hands as a remote access tool for business use.
Andrew
________________________________ From: Bryan Fields <Bryan@bryanfields.net> To: "nanog@nanog.org" <nanog@nanog.org> Sent: Tuesday, December 6, 2011 11:24 PM Subject: Re: [fyodor@insecure.org: C|Net Download.Com is now bundling Nmap with malware!]
On 12/6/2011 13:30, andrew.wallace wrote:
It could be argued that Nmap is malware, and such software has already been called to be made illegal.
If I was Cnet, I would stop distributing his software altogether.
If this is not trolling and you actually believe this, just wow.....
Nmap is just a tool, and any tool can be misused by people for criminal acts. It's really no different than a gun in that regard. Both are incredibly useful things in the right hands, mere tools to further security. However in the wrong hands they can be used to commit crimes and break other peoples security.
-- Bryan Fields
727-409-1194 - Voice 727-214-2508 - Fax http://bryanfields.net
On Tue, 06 Dec 2011 18:10:14 PST, Owen DeLong said:
No, a Trojan is malware. Any software which operates without the knowledge or consent of the user to engage in operations the user would not reasonably expect is not being used for good, no matter how well intentioned.
Strictly speaking, it's "without the knowledge or consent of the *owner*". Especially in corporate environments, "owner" != "user".
On Dec 6, 2011, at 6:20 PM, <Valdis.Kletnieks@vt.edu> <Valdis.Kletnieks@vt.edu> wrote:
On Tue, 06 Dec 2011 18:10:14 PST, Owen DeLong said:
No, a Trojan is malware. Any software which operates without the knowledge or consent of the user to engage in operations the user would not reasonably expect is not being used for good, no matter how well intentioned.
Strictly speaking, it's "without the knowledge or consent of the *owner*". Especially in corporate environments, "owner" != "user".
I would argue that the superset applies in a proper definition here. Software which operates with the knowledge and consent of the owner, but, not the knowledge or consent of the end-user is still, IMHO, nefarious at best. Owen
On Tue, 06 Dec 2011 23:35:06 PST, Owen DeLong said:
Software which operates with the knowledge and consent of the owner, but, not the knowledge or consent of the end-user is still, IMHO, nefarious at best.
Yeah well... that horse left the barn once this company in Redmon released an operating system that allows the AD admins to push GPO policy. ;)
On Dec 7, 2011, at 4:37 AM, Valdis.Kletnieks@vt.edu wrote:
On Tue, 06 Dec 2011 23:35:06 PST, Owen DeLong said:
Software which operates with the knowledge and consent of the owner, but, not the knowledge or consent of the end-user is still, IMHO, nefarious at best.
Yeah well... that horse left the barn once this company in Redmon released an operating system that allows the AD admins to push GPO policy. ;)
What makes you think I don't consider Windows to be malware? Owen
On Mon, Dec 05, 2011 at 10:14:48PM -0800, andrew.wallace wrote:
Using fruitful language and acting like a child isn't going to see you taken seriously.
I'm sorry that my language offended you. But if you ever spend more than 14 years creating free software as a gift to the community, only to have it used as bait by a giant corporation to infect your users with malware, then you may understand my rage. The good news is that many users are sick and tired of having their machines hijacked by malware. Especially by CNET Download.Com, which still says on their own adware policy page: "In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that." --http://www.cnet.com/2723-13403_1-461-16.html Um, what people WANT when they download Nmap is Nmap itself. Not to have their searches redirected to Bing and their home page changed to Microsoft's MSN. Speaking of which, Microsoft emailed me today. They said that they didn't know they were sponsoring CNET to trojan open source software, and that they have stopped doing it. But the trojan installer uses your Internet connection to obtain more "special offers" from CNET, and they immediately switched to installing a "Babylon toolbar" and search engine redirect instead. Then CNET removed that and are now promoting their own "techtracker" tool. Apparently the heat is so high that even malware vendors are refusing to have any more part in CNET's antics! But if CNET isn't stopped, the malware vendors will come crawling back eventually and CNET will be there to receive them. There have been dozens of news articles in the last day and hundreds of outraged comments on blogs, Twitter, Facebook, etc. In the midst of all this terrible PR, Download.com went in last night and quietly switched their Nmap downloads back to our real installer. At least for now. But that isn't enough--they are still infecting the installers for thousands of other packages! For example, they have currently infected the installer for a children's coloring book app: http://download.cnet.com/Kea-Coloring-Book/3000-2102_4-10360620.html Have they no shame at all??! I've created a page with the situation background, links to the news articles, and the latest updates: http://insecure.org/news/download-com-fiasco.html Feel free to share it. Together, I hope we can get Download.Com to apologize and cease this reprehensible behavior! Cheers, Fyodor
Fyodor wrote:
On Mon, Dec 05, 2011 at 10:14:48PM -0800, andrew.wallace wrote:
Using fruitful language and acting like a child isn't going to see you taken seriously.
I'm sorry that my language offended you. But if you ever spend more than 14 years creating free software as a gift to the community, only to have it used as bait by a giant corporation to infect your users with malware, then you may understand my rage.
The good news is that many users are sick and tired of having their machines hijacked by malware. Especially by CNET Download.Com, which still says on their own adware policy page:
"In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that." --http://www.cnet.com/2723-13403_1-461-16.html
Um, what people WANT when they download Nmap is Nmap itself. Not to have their searches redirected to Bing and their home page changed to Microsoft's MSN.
Speaking of which, Microsoft emailed me today. They said that they didn't know they were sponsoring CNET to trojan open source software, and that they have stopped doing it. But the trojan installer uses your Internet connection to obtain more "special offers" from CNET, and they immediately switched to installing a "Babylon toolbar" and search engine redirect instead. Then CNET removed that and are now promoting their own "techtracker" tool. Apparently the heat is so high that even malware vendors are refusing to have any more part in CNET's antics! But if CNET isn't stopped, the malware vendors will come crawling back eventually and CNET will be there to receive them.
There have been dozens of news articles in the last day and hundreds of outraged comments on blogs, Twitter, Facebook, etc. In the midst of all this terrible PR, Download.com went in last night and quietly switched their Nmap downloads back to our real installer. At least for now. But that isn't enough--they are still infecting the installers for thousands of other packages! For example, they have currently infected the installer for a children's coloring book app:
http://download.cnet.com/Kea-Coloring-Book/3000-2102_4-10360620.html
Have they no shame at all??!
I've created a page with the situation background, links to the news articles, and the latest updates:
http://insecure.org/news/download-com-fiasco.html
Feel free to share it. Together, I hope we can get Download.Com to apologize and cease this reprehensible behavior!
Cheers, Fyodor
No, there's no shame when money's involved. Do Unto Others as they would do unto you...sue the fsck out of them. --Michael
<Amused thought, may have no basis in law> Could he send their hosting company a take-down order for the download.com site? </Amused thought> On Dec 6, 2011, at 8:53 PM, Michael Painter wrote:
Fyodor wrote:
Using fruitful language and acting like a child isn't going to see you taken seriously. I'm sorry that my language offended you. But if you ever spend more
On Mon, Dec 05, 2011 at 10:14:48PM -0800, andrew.wallace wrote: than 14 years creating free software as a gift to the community, only to have it used as bait by a giant corporation to infect your users with malware, then you may understand my rage. The good news is that many users are sick and tired of having their machines hijacked by malware. Especially by CNET Download.Com, which still says on their own adware policy page: "In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that." --http://www.cnet.com/2723-13403_1-461-16.html Um, what people WANT when they download Nmap is Nmap itself. Not to have their searches redirected to Bing and their home page changed to Microsoft's MSN. Speaking of which, Microsoft emailed me today. They said that they didn't know they were sponsoring CNET to trojan open source software, and that they have stopped doing it. But the trojan installer uses your Internet connection to obtain more "special offers" from CNET, and they immediately switched to installing a "Babylon toolbar" and search engine redirect instead. Then CNET removed that and are now promoting their own "techtracker" tool. Apparently the heat is so high that even malware vendors are refusing to have any more part in CNET's antics! But if CNET isn't stopped, the malware vendors will come crawling back eventually and CNET will be there to receive them. There have been dozens of news articles in the last day and hundreds of outraged comments on blogs, Twitter, Facebook, etc. In the midst of all this terrible PR, Download.com went in last night and quietly switched their Nmap downloads back to our real installer. At least for now. But that isn't enough--they are still infecting the installers for thousands of other packages! For example, they have currently infected the installer for a children's coloring book app: http://download.cnet.com/Kea-Coloring-Book/3000-2102_4-10360620.html Have they no shame at all??! I've created a page with the situation background, links to the news articles, and the latest updates: http://insecure.org/news/download-com-fiasco.html Feel free to share it. Together, I hope we can get Download.Com to apologize and cease this reprehensible behavior! Cheers, Fyodor
No, there's no shame when money's involved. Do Unto Others as they would do unto you...sue the fsck out of them. --Michael
On Dec 7, 2011, at 2:47 AM, Owen DeLong wrote:
<Amused thought, may have no basis in law>
Could he send their hosting company a take-down order for the download.com site?
</Amused thought>
Might be feasible to take over the domain if SOPA were passed :) I am glad that CBS Interactive/CNET has started to see the light, here is hoping there will be subsequent corrective actions taken. - Jared
Fyodor, Thanks for taking the fight to them. A simple fan of nmap, Aaron Smith Ursinus College
Fyodor wrote:
switched their Nmap downloads back to our real installer. At least for now. But that isn't enough--they are still infecting the installers for thousands of other packages!
I am sorry about these problems, it is unacceptable. Sourceforge, at least a year or 2 ago, did something that was only slightly less unacceptable. They had (or still have?) ads that would display when you click a donwload link at some site, say http://www.clamwin.com/content/view/18/46/ In this example (and clamwin had no part in that) the redirect of the download link would show an add for another virus scanner (but in fact it was malware, or, so broken it'd behave like malware). I know of actual cases where someone accidentally downloaded the software from the add, and messed up their computer. So much for pointing them to a free virus scanner... -- Earthquake Magnitude: 3.1 Date: Wednesday, December 7, 2011 15:57:44 UTC Location: northern Alaska Latitude: 65.9462; Longitude: -148.7381 Depth: 30.90 km
Fyodor wrote:
switched their Nmap downloads back to our real installer. At least for now. But that isn't enough--they are still infecting the installers for thousands of other packages!
I am sorry about these problems, it is unacceptable. Sourceforge, at least a year or 2 ago, did something that was only slightly less unacceptable. They had (or still have?) ads that would display when you click a donwload link at some site, say http://www.clamwin.com/content/view/18/46/ In this example (and clamwin had no part in that) the redirect of the download link would show an add for another virus scanner (but in fact it was malware, or, so broken it'd behave like malware). I know of actual cases where someone accidentally downloaded the software from the add, and messed up their computer. So much for pointing them to a free virus scanner... -- Earthquake Magnitude: 3.1 Date: Wednesday, December 7, 2011 15:57:44 UTC Location: northern Alaska Latitude: 65.9462; Longitude: -148.7381 Depth: 30.90 km
Fyodor wrote:
switched their Nmap downloads back to our real installer. At least for now. But that isn't enough--they are still infecting the installers for thousands of other packages!
I am sorry about these problems, it is unacceptable. Sourceforge, at least a year or 2 ago, did something that was only slightly less unacceptable. They had (or still have?) ads that would display when you click a donwload link at some site, say http://www.clamwin.com/content/view/18/46/ In this example (and clamwin had no part in that) the redirect of the download link would show an add for another virus scanner (but in fact it was malware, or, so broken it'd behave like malware). I know of actual cases where someone accidentally downloaded the software from the add, and messed up their computer. So much for pointing them to a free virus scanner... -- Earthquake Magnitude: 3.1 Date: Wednesday, December 7, 2011 15:57:44 UTC Location: northern Alaska Latitude: 65.9462; Longitude: -148.7381 Depth: 30.90 km
participants (23)
-
andrew.wallace -
bmanning@vacation.karoshi.com -
Bryan Fields -
Dan Collins -
Edward Dore -
Eric Tykwinski -
Fyodor -
Jared Mauch -
Jay Ashworth -
Jeroen van Aart -
Kain, Rebecca (.) -
Kyle Duren -
Malte von dem Hagen -
Michael Painter -
Michael Thomas -
Nathan Eisenberg -
Owen DeLong -
Ray Soucy -
Smith, C. Aaron -
Steven Bellovin -
TR Shaw -
Valdis.Kletnieks@vt.edu -
William Allen Simpson