Fyodor of the nmap project at insecure.org announced this week that C|NET has been wrapping the proper nmap software installer in a malware-installing application that in turn downloads and installs nmap. The side effects of what users download from C|NET include all sorts of adware/spyware toolbars. The suspicious point is not only that users download something other than what they expected and expressly requested, but also that the C|NET download is crafted to have the same file size as the legitimate installer, a size that vigilant users could otherwise verify elsewhere.
This is an outrage to the open source community, which is built on trust and openness, and it severely undermines the reputations of security software vendors, whose products novice users may mistake for "viruses" or the like. What it amounts to is a man-in-the-middle attack (though not in the cryptological sense of the phrase), which ordinary users may or may not perceive as such.
What is more disheartening is that this is a blanket policy - that C|NET actually wraps all software downloads with this malware.
Let's make some noise and rally for integrity of values, and for those who have tremendous influence as distributors of software to stand up for praiseworthy computing practices at a time in our collective history when that is so very much needed.
Find Fyodor's email and the Nmap project's Download.com Fiasco page on www.insecure.org.
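Because a wrapper can be made to match the legitimate installer's file size, size alone says nothing about what was downloaded. The following is an added example, not code from the Nmap project or from this post: it compares a download against a published size and SHA-256 digest, using constructed stand-in byte strings and assuming the published values were obtained from the project directly rather than from the mirror.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 64 * 1024

def sha256_file(path):
    """Stream the file so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def check_download(path, published_size, published_sha256):
    """Return (size_ok, digest_ok) against values published by the project."""
    size_ok = os.path.getsize(path) == published_size
    digest_ok = hmac.compare_digest(sha256_file(path), published_sha256.lower())
    return size_ok, digest_ok

def demo():
    # Constructed stand-ins for illustration, not real installers.
    genuine = b"GENUINE-INSTALLER" * 4096
    # A different payload padded to exactly the same length.
    wrapper = b"WRAPPER-STUB".ljust(len(genuine), b"\x00")
    published_size = len(genuine)
    published_sha256 = hashlib.sha256(genuine).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("genuine", genuine), ("wrapper", wrapper)):
            path = os.path.join(d, name + ".bin")
            with open(path, "wb") as f:
                f.write(data)
            results[name] = check_download(path, published_size, published_sha256)
    return results

if __name__ == "__main__":
    for name, (size_ok, digest_ok) in demo().items():
        print(f"{name}: size match={size_ok} sha256 match={digest_ok}")
```

Both files pass the size comparison; only the genuine one passes the digest comparison.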
Registered Linux User #370740 (http://linuxcounter.net)