[fyodor at insecure.org: C|Net Download.Com is now bundling Nmap with malware!]

Jimmy Hess mysidia at gmail.com
Fri Dec 9 02:38:11 UTC 2011

On Thu, Dec 8, 2011 at 7:00 PM, Michael Painter <tvhawaii at shaka.com> wrote:
> Sean's apology for their 'mistake' rings hollow.
> They've had almost 4 months to implement a solution to rectify these
> 'mistakes', but chose to ignore it until the uproar caused by the nmap

I would say it doesn't read 'unhollow'. It's just plain inadequate
and doesn't do anything to settle the concerns, whether you accept
the apology as sincere or not. Yes, it is obviously a mistake...
but the clear mistake is not a technical one of "bundling an open
source application"; the mistake is actually a bad decision. The
decision to "bundle" anything, something they obviously haven't
admitted yet, is a bad practice or failure in judgement.

Apparently they don't comprehend that, if you are a download
repository, you don't surprise your users by tampering with files,
regardless of whether the application is open source or proprietary.
Oh... that they apologized about one thing essentially means they
admit the existence of the other bad thing that they don't apologize

Their explanation of the problem is they don't intend to bundle open
source software. Well, that implies there _ARE_ things they intend to
tamper with the file for by bundling in their own installer. Otherwise
they wouldn't have written the bundling system in the first place.

I'm saying... if Download.com wanted to continue to be a trusted
download site, they shouldn't have been tampering with any author
application files, whether open source or not. They got caught
red-handed.

The de facto admission that they ever do has one simple implication...
Download.com is simply not to be trusted anymore to not bundle
executables with unknown software.

In my book, nothing download.com does can redeem their trust at
this point; they destroyed their site's and CNET's status permanently.
End users need to be warned that they are no longer safe for any
download, even "known programs", period.

