[Infowarrior] - Fyodor responds to Sourceforge analysis

Richard Forno rforno at infowarrior.org
Tue Jun 9 17:25:53 CDT 2015


http://seclists.org/nmap-dev/2015/q2/248

From: Fyodor <fyodor () nmap org>
Date: Tue, 9 Jun 2015 15:02:16 -0700
On Fri, Jun 5, 2015 at 2:53 AM, Fabio Pietrosanti (naif) - lists <lists () infosecurity ch> wrote:


Hello,

I'm sharing the SourceForge's nmap project analysis regarding the
recently discussed issues:

http://sourceforge.net/blog/analysis-of-nmap-project-and-data/

Even by Sourceforge standards, this is a load of BS! Problems:

1) Despite all this attention on the Sourceforge's fake Nmap page in
particular, the largest green download button STILL gives users a spyware
program called "FileOpenerPro" rather than Nmap.  A quick Google search
shows that this spyware collects your "browsing habits" among other
information and may "sometimes redirect you to third-party sponsored
webpages without your permission" and "may alter your browsing settings and
default home page."  I've attached a screenshot of the current fake SF Nmap
page.  Note that the big green button just says "START DOWNLOAD" while the
fact that this is spyware rather than Nmap is hidden in the text well below
the button.  This is not an accident and goes against Sourceforge's 2013
promise to stop using fake download buttons:

https://sourceforge.net/blog/?s=blockthis


2) SF makes a big deal about how they weren't actually inserting malware
into the Nmap project installer, but that's only because they were caught
in the early stages of their "trial" where they did this to other projects
such as GIMP.  We just got lucky that they hadn't added the malware to the
Nmap installer yet.  Adding the malware to projects like GIMP broke
Sourceforge's 2013 promise to never bundle malware/adware into project
installers without consent:

http://sourceforge.net/blog/advertising-bundling-community-and-criticism/


3) The SF fake Nmap page has a big "Keep Me Updated" box for people to
insert their email address, hoping to get real Nmap project updates.  But
Sourceforge never even gives us the email addresses collected.  Instead the
users are added to a spam list of "sponsored content from our selected
partners, and more".

4) Their fake Nmap page (which I have no control over) currently uses the
Nmap logo and trademark and copyrighted description text and such without
authorization.  See the screenshot attached. This gives users the wrong
impression that this fake site is somehow authorized or controlled by the
Nmap project.  So they might not be as careful about checking for spyware,
etc.  We have asked Sourceforge to remove our copyrighted/trademarked
content and also to remove the whole fake page, but they have not done
either.

5) Sourceforge's response makes a big deal about how we didn't use their
"File Release System", but that's because the system sucks and is just a
pretext to add interstitial ads and try to redirect potential users to more
of their malware/spyware/adware offerings.  We used their web service
instead and had 584 megabytes of files there according to the disk quota
messages they sent us in 2006.

6) Their Internet Archive screenshots showing "Project was empty" are
because they are showing an SF interface for the project that we didn't use
much if at all.  Again, we used the Sourceforge web service interface to
serve the content from our account there.  We had millions of Nmap
downloads through Sourceforge during the (long ago) period where we used
them.

It's true that a careful and sophisticated user could avoid the malware and
spam minefield of Sourceforge's fake Nmap page, but they shouldn't have
to.  And the fact that Sourceforge makes money doing this shows that many
users do fall for it and have their systems infected.  And when the user
has their system infected after installing what they thought was an Nmap
installer, who do you think they blame?  Us!

I've spent 18 years trying to build Nmap as a useful and trusted free
software program, so of course I get mad when companies try to abuse that
trust and tarnish our name with these sleazy and greedy tactics!

Cheers,
Fyodor



--
It's better to burn out than fade away.