[fyodor at insecure.org: C|Net Download.Com is now bundling Nmap with malware!]
mysidia at gmail.com
Thu Dec 8 20:38:11 CST 2011
On Thu, Dec 8, 2011 at 7:00 PM, Michael Painter <tvhawaii at shaka.com> wrote:
> Sean's apology for their 'mistake' rings hollow.
> They've had almost 4 months to implement a solution to rectify these
> 'mistakes', but chose to ignore it until the uproar caused by the nmap
I would say it doesn't read 'unhollow'. It's just plain inadequate
and doesn't do anything to settle the concerns, whether you accept
the apology as sincere or not. Yes, it is obviously a mistake...
but the clear mistake is not a technical one of "bundling an open
source application"; the mistake is actually a bad decision. The
decision to "bundle" anything, something they obviously haven't
admitted yet, is a bad practice or failure in judgement.
Apparently they don't comprehend that, if you are a download
repository, you don't surprise your users by tampering with files,
regardless of whether the application is open source or proprietary.
Oh... that they apologized about one thing, essentially means they
admit the existence of the other bad thing that they don't apologize
Their explanation of the problem is they don't intend to bundle open
Well, that implies there _ARE_ things they intend to tamper with the
file for by bundling in their own installer. Otherwise they wouldn't
have written the bundling system in the first place.
I'm saying... if Download.com wanted to continue to be a trusted
they shouldn't have been tampering with any author application files,
whether open source or not.
They got caught red-handed.
The de facto admission that they do ever, has one simple implication...
Download.com is simply not to be trusted, anymore, to not bundle
executables with unknown software.
In my book, nothing download.com does can redeem their trust at
this point; they destroyed their sites and CNET's status permanently;
end users need to be warned that they are no longer safe for any
download, even "known programs", period.