Slashdot: News for Nerds

Cnet Apologizes For Nmap Adware Mess

samzenpus posted more than 2 years ago | from the careful-how-you-click dept.

Privacy 231

Trailrunner7 writes "Officials at Cnet's Download.com site have issued a statement apologizing for bundling the popular open source Nmap security audit application with adware that installed a toolbar and changed users' search engine to Microsoft properties. Fyodor, the author of Nmap, raised the issue earlier this week, saying that his app was being wrapped in malware on Download.com. It's not unusual for download sites to bundle free applications with some kind of adware or toolbar, but the creators of open-source applications take a dim view of this practice, given the nature and ethic of open source projects. Nmap is a venerable and widely used tool for mapping networks and performing security audits and Fyodor wrote in a message to an Nmap mailing list earlier this week that Download.com, which is part of Cnet, a subsidiary of CBS Interactive, was bundling the application with its installer, which, if a user agreed, would install a search toolbar and change the user's search engine to Bing."

231 comments

Perfect american corporate business practice (5, Insightful)

unity100 (970058) | more than 2 years ago | (#38309620)

Do some shady/shitty dealing and make big money. Then apologize for the mess you have caused. If that's not enough and you get sued, pay some reparations which are ridiculously low compared to your profits.

This cycle is what is driving the society down under. What BP did, what Lockheed did, what Intel did. I'm sure you know about what BP did last year - killed an entire ecosystem. You may also know about Intel's bribery case with PC manufacturers. But you probably don't know what Lockheed did - they have bribed NATO country defense ministers to buy F-104s over more capable aircraft. As a result numerous things happened, including, approx 600 NATO pilots dying due to design deficiencies (it had a tendency to maul its tail on landing and take off - hence nicknamed flying coffin) over the years, British and other European aerospace industries died.

what happened ? lockheed was sued, then admitted to bribery, apologized, paid pathetic sums.

unless people running corporations AND their shareholders start being held responsible for their doings, these will continue.

Re:Perfect american corporate business practice (-1)

Anonymous Coward | more than 2 years ago | (#38309640)

I want the entire corp and the shareholders directly responsible at minimum financially. If a corp is executed for committing murder at least the CEO needs chopped to bits and every fucking dime of value the company has drained.

Re:Perfect american corporate business practice (5, Insightful)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38309658)

Companies can't murder people. People can. And they're already prosecuted under current laws.

Re:Perfect american corporate business practice (4, Insightful)

MightyMartian (840721) | more than 2 years ago | (#38309748)

Still, I'm thinking that in cases of gross negligence, stripping away corporate personhood and limited liability and making shareholders pay directly would certainly increase shareholder vigilance over the goings-on of companies they're investing in. Imagine if BP's shareholders were directly sent a bill in proportion to the size of the Gulf cleanup. I'm thinking BP shareholders would probably be a bit more proactive in assuring the company management behaved themselves.

Re:Perfect american corporate business practice (5, Insightful)

EdIII (1114411) | more than 2 years ago | (#38310428)

You can't go after shareholders in a public company. Not all of them. It would kill day trading for one, not that I mind that one bit.

It would make investments nearly impossible. All that would end up happening is they would bypass it with strategic revenue sharing agreements and legal clauses preventing the company from funneling assets and revenue out to other companies.

Making a farmer or teacher responsible for their share in a company they invested partly in for retirement is going too far. They lack the sophistication and access to resources to truly assess risk. Most of that is just long term investment in a big well known company.

Going after mutual funds and pension managers probably won't work well either. How could you ever really know what is going on in a company if it is fraud?

I think it would be more reasonable to strip corporate personhood and limited liability for the executives and any shareholder that is an accredited investor. The accredited investor part is really really iffy for me.

Unless you can really define just how shareholder vigilance is supposed to work without an absolute *ton* of micromanaging and audits on a constant basis. Most companies don't want that. So unless the investor is actively involved on the board of directors I just don't see how it is reasonable for you to assume, "they should have known". All they know is what is in the offering and disclosed. They know their risk, not ongoing operations.

Nail the executives and leave it at that.

Re:Perfect american corporate business practice (1)

Forbman (794277) | more than 2 years ago | (#38310504)

Nail the executives and the Board members.

Re:Perfect american corporate business practice (2, Insightful)

Requiem18th (742389) | more than 2 years ago | (#38310726)

Where does this psychopathic idea that corporate efficiency must be maintained at all cost come from?

work without an absolute *ton* of micromanaging and audits on a constant basis. Most companies don't want that.

Companies don't want that? OH NOES we can't have that!

Of course these same companies want to monitor all of our forms of communication and behaviour to (enhance their marketing and) make sure we don't touch their oh so precious IP. But we can't have companies watching what they are doing, that would be inefficient.

precisely that (1, Insightful)

unity100 (970058) | more than 2 years ago | (#38310730)

Making a farmer or teacher responsible for their share in a company they invested partly in for retirement is going too far. They lack the sophistication and access to resources to truly assess risk.

we are allowing people to reap benefits from things they cannot understand, fathom or use. and naturally, we are not holding them responsible from what they can not comprehend.

waiver of responsibility. no different from having to slap warnings against putting your cat in the oven on appliances. people dumber than the minimum requirement of systems and technologies we have in our modern day are using them.

long story short - whomever invests in something should be responsible with their investment. this may kill capitalism ? oh well.

Re:precisely that (4, Insightful)

EdIII (1114411) | more than 2 years ago | (#38310820)

Your position is not reasonable.

It's like holding the landlord responsible if the tenant murders somebody on the property. Is it reasonable to assume that the landlord would have known about the murder to take place, assuming it is premeditated? Is it reasonable to assume responsibility for crimes of passion?

No small unaccredited investor purchases stock in a company expecting it to perform fraud, and you cannot reasonably hold them accountable for actions that are essentially unknowable.

Your solution raises the barrier to entry for stock ownership so high that only accredited investors and investment gateways (Wall Street investment firms) could meet them.

It will kill capitalism, which is your intent.

Either provide a reasonable solution, like holding the executives and board members personally and criminally liable for fraud, or just admit you want to replace capitalism and the stock market entirely.

Sorry, your position is just not reasonable in any way, shape, or form. Your analogies are false. There is a difference between personal responsibility with a hot coffee cup and indirect fraudulent actions that you have no way of knowing. If the average person did, then so would the authorities, and it would be stopped.

   

Re:Perfect american corporate business practice (0)

dhall (1252) | more than 2 years ago | (#38309970)

Until I see a Corporation executed by the state of Texas, I refuse to acknowledge that Corporations are truly liable for their actions.

Re:Perfect american corporate business practice (1)

Sulphur (1548251) | more than 2 years ago | (#38310444)

Until I see a Corporation executed by the state of Texas, I refuse to acknowledge that Corporations are truly liable for their actions.

Does that mean that corporations are not people?

Re:Perfect american corporate business practice (1)

Mr. Freeman (933986) | more than 2 years ago | (#38310022)

This argument comes up a lot. The problem is that whenever a company does something wrong it's always "victim v. the company" and NEVER "victim v. a specific employee(s) of the company". If only people can commit crimes, then why are companies held to account and people never are?

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38310148)

Oh really? Corps that have dumped toxic waste have had their employees jailed for causing people cancer?

Re:Perfect american corporate business practice (1)

Jibekn (1975348) | more than 2 years ago | (#38310178)

Corporations are people. According to the USA anyway.

Re:Perfect american corporate business practice (3, Interesting)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38309646)

But they didn't do anything illegal. They're basically just using their own download application that comes with extra stuff. In fact, Google does exactly the same with Chrome, so you should blame them too.

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38309714)

True, nothing illegal. But being shitty with someone else's code is just a shitty thing to do.

Maybe if the public at large would just stop using Cnet/download.com/CBS Interactive, that would help drive the point home.

But, as unity100 has pointed out, profit for the sake of profit will drive this out of the public eye within hours.

And they will do it again.

Why do we even try......

Re:Perfect american corporate business practice (0)

unity100 (970058) | more than 2 years ago | (#38309730)

today, legal but unethical. tomorrow, barely legal and immoral. the day after, dodgeable illegal and bastardly.

this is the sequence of events once you start allowing/rationalizing/accepting what they do.

Re:Perfect american corporate business practice (4, Insightful)

Hatta (162192) | more than 2 years ago | (#38309780)

They distributed nmap in a manner inconsistent with its licensing, running afoul of copyright law. They should be forced to pay applicable statutory damages.

DMCA Takedown anyone? (4, Interesting)

sconeu (64226) | more than 2 years ago | (#38310034)

Or if PIPA or SPA were law, he could have tried to seize the domain "download.com"

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38310248)

No they didn't. There is absolutely nothing in the GPL that forbids bundling other software in an archive or installer, free or not.

Re:Perfect american corporate business practice (5, Interesting)

Hatta (162192) | more than 2 years ago | (#38310608)

Nmap is distributed with clarifications to the GPL that explicitly define bundling the software as a "derivative work". Since the bundled software was not also GPL licensed, this was in fact contrary to the license.

Re:Perfect american corporate business practice (1)

Anonymous Coward | more than 2 years ago | (#38309850)

Illegal? Not sure. Nmap's licence specifically forbids this kind of crap.

Re:Perfect american corporate business practice (-1, Troll)

Caerdwyn (829058) | more than 2 years ago | (#38310008)

Illegal? Not sure. Nmap's licence specifically forbids this kind of crap.

Music, movies and commercial software all are subject to license, but those are ignored at the whim of anyone with a "download" button. Why should a corporate entity obey copyright law and licenses when their customers don't? Funny how the same people who completely ignore copyright when they want something try to enforce it when it's their own.

Copyright laws and licenses apply equally to music and software. Suck it up.

Re:Perfect american corporate business practice (1)

boxxertrumps (1124859) | more than 2 years ago | (#38310440)

No one was talking about music or movies.

Re:Perfect american corporate business practice (1)

X0563511 (793323) | more than 2 years ago | (#38310724)

Because you can hold a single company accountable, something that is very difficult to do to thousands upon thousands of individuals? (just ask the MPAA/RIAA and friends how 'easy' it is)

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38309988)

Actually it may be illegal in several countries. Download.com is depriving third party developers of an undisclosed amount of revenue simply by flashing some sort of ToS. This license agreement may or may not be fair (or binding for that matter). It would be reasonable for them to get a fair fee for hosting the file, but the revenue they are getting may exceed a reasonable fee by a huge amount, in which case this ToS of theirs would not hold up in a lot of courtrooms around the world, as an unfair and unclear deal. Thus it would in fact be unlawful.

Please point out a download site that wraps google software/default search engine/homepage or they are doing anything remotely similar.

Re:Perfect american corporate business practice (1)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38310058)

You could make the same argument for advertising on websites. Is Slashdot depriving me of an undisclosed amount of revenue when I make interesting content for them (post comments) and they pay nothing to me? Would it be reasonable if Slashdot only took their fair share for hosting and paid off rest of the revenue to people who post comments?

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38310446)

Actually you could not. Slashdot is advertising on their website. You are posting on Slashdot having waived any right of income from Slashdot. As you have to cnet. They can advertise on their website however they want on a page that displays your copyrighted material (your application, or your post). However in this case they are incorporating advertisement in _your_ installer. The binary that actually goes to the end user. This is your intellectual property, not cnet's. The rights to profit from this are exclusively yours.

Re:Perfect american corporate business practice (2)

InsightIn140Bytes (2522112) | more than 2 years ago | (#38310594)

They didn't incorporate the advertising in anyone's installer. They only made an application that downloads the installer for the user, and before that gives the option to install their additional software (toolbar). After the user chooses if he wants it or not, the cnet's installer downloads your installer and runs it. They didn't modify the original installer in any way.

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38310824)

Cnet's installer made use of the nmap logo, and gave no indication that it was not the official installer provided by fyodor.

They may not have modified the original installer, but they were implying that their installer WAS the original.

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38310618)

Btw, regardless, you have yet to answer how Google does anything remotely sketchy as to agree to bundle a wrapper for software/default search/homepage from the repository of a download site. Google actually won't bundle with just any software. For sure not without agreeing with the actual developer of the software. So saying Google does something similar needs a citation desperately imho.

Re:Perfect american corporate business practice (1)

stephanruby (542433) | more than 2 years ago | (#38310016)

But they didn't do anything illegal. They're basically just using their own download application that comes with extra stuff. In fact, Google does exactly the same with Chrome, so you should blame them too.

No, they didn't. So what?

There are plenty of things that are perfectly legal that people don't like.

In this case, the author of the open source security software should just make his own software blacklist the download.com site for malware/shadyware, which is also completely legal to do. And then hopefully, download.com would retaliate by blacklisting his software, so then everybody is happy. The author is happy. The consumer is happy. And download.com is relieved not to have his software listed on their site anymore.

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38310302)

I tend to look at your statement as part of a big problem with Americans. You can rationalize any number of clearly unethical or immoral situations by either stating, "...it's not illegal..." or "...XXXXXX does the same thing so why shouldn't YYYYYYY". In both cases, it's a matter of justifying whatever you can get away with by using arguments based on a loose foundation of self-serving needs.

Re:Perfect american corporate business practice (1)

cjcela (1539859) | more than 2 years ago | (#38310390)

The thing is, when talking about what is right and what is wrong, "illegal" should not be the boundary, but a far extreme towards "bad", which most companies should avoid by far. As I see it, the fact that a company does anything that is "legal" and in its power to generate profit, in real life means that the company is driven by greedy individuals and often ethically questionable practices. And if a company does something illegal, somebody somewhere has to go to jail. Period. I know, I know, there is the free market idea, too, and all that argument - if that worked so well, our economy would be in a different place. But you choose whatever you want to believe in, and live the consequences; I think that companies that have some sort of ethical self-regulation are healthier to society as a whole than the ones that just "follow the law". Think about the banking industry for a bad example of legal theft.

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38309796)

Corporations are Psychopaths [wikipedia.org].

They do not respond to trivial things like human suffering or death.
The only thing they respond to is profit (or the lack thereof).

Ergo, the policy should be that all fines levied on corporations are multiplied by 1000.
An act performed by a natural citizen that would incur a $1,000 fine, should cost a corporation $1,000,000.
An act performed by a natural citizen that would incur a $1,000,000 fine, should cost a corporation $1,000,000,000.

When it is no longer profitable to break the law, then corporations will immediately cease doing so.

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38309944)

This cycle is what is driving the society down under.

Keep such american corporate business practices away from Australia, please (to my distaste, it seems they're quite invasive).

Re:Perfect american corporate business practice (1)

Caerdwyn (829058) | more than 2 years ago | (#38310060)

You DO realize that "American" corporate practices are pretty much identical to Australian, Canadian, European, etc. corporate practices, as they all come from English practices? That there is just as much (if not more) corruption in other nations... government, business, individual... as America? That you and your nation are in no way superior to America?

Don't like it? Defend yourself without American help or American military equipment. Hope you like being Indonesian, because they're crowded, resource-hungry, have ten times your population and a military much larger than your own, and not a whole lot of love for you.

Re:Perfect american corporate business practice (1)

Daniel Phillips (238627) | more than 2 years ago | (#38310312)

Seems like Microsoft is casting around for some way to top Sony's rootkit.

Re:Perfect american corporate business practice (0)

Anonymous Coward | more than 2 years ago | (#38310676)

unless people running corporations AND their shareholders start being held responsible for their doings, these will continue.

People should start demanding proper regulation of businesses through legislation. That's all.

Business is there to make money within the boundaries of the law. If the law says "you can pollute all you want", then that's what you will get. If the law says "don't pollute or we'll make you pay $10/offense", then you'll get pollution too. If the law says "don't pollute or we'll throw executives and responsible party in jail and/or charge the company 10x cost of cleanup", then you'll get much less pollution.

So start demanding real penalties not some absolute values in law that are meaningless a year after they are instituted.

Glad I haven't.... (1)

CheshireDragon (1183095) | more than 2 years ago | (#38309656)

...downloaded from download sites since the late 90's. My paranoia has finally paid off!

Re:Glad I haven't.... Sorry I had... (1)

moichido (1120561) | more than 2 years ago | (#38309782)

... downloaded from CNet for my first time ever. I got the blasted toolbar, converted to Bing and had random background audio advertising to me.

I used them because I had a good impression of CNet. Bad choice.

Re:Glad I haven't.... Sorry I had... (0)

Anonymous Coward | more than 2 years ago | (#38309818)

I used them because I had a good impression of CNet. Bad choice.

The giveaway as to their true nature is the fact that their name is an anagram of.... oh, er, actually it's only an anagram of "cent". Sorry about that folks

Near enough, though.

Plus, I don't want them changing their name to CNut to make my poor joke fit, as someone else already has that name [wikipedia.org]. Anyway- CNet....What a bunch of 'King Cnuts.

It's Legal (5, Informative)

Bruce Perens (3872) | more than 2 years ago | (#38309664)

It is entirely within the license terms of any OSI-approved Open Source license to aggregate any software, regardless of its nature, on the same medium as Open Source software and to install it with the same installer that installs the Open Source. Even software that is harmful. Only if the software is a derivative work of the Open Source will the license apply to it.

Sure, CNet shouldn't do this, and if they keep doing it we'll eventually start using new licenses that make them copyright infringers. But right now it's legal.

Re:It's Legal (5, Informative)

Midnight_Falcon (2432802) | more than 2 years ago | (#38309764)

NMap is not licensed under the GPL -- it has its own license that specifically prohibits this type of bundling/installing a wrapper around the executable. This is not legal under NMap's license terms, I'm afraid you're mistaken.

Re:It's Legal (3, Interesting)

Bruce Perens (3872) | more than 2 years ago | (#38309806)

Over at nmap.org, there's a GPL license. See this [nmap.org]. They also offer a commercial license.

Re:It's Legal (5, Informative)

Midnight_Falcon (2432802) | more than 2 years ago | (#38309814)

Bruce: This is taken directly from Fyodor's email to nmap-hackers:

In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't). We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!

Re:It's Legal (4, Informative)

Bruce Perens (3872) | more than 2 years ago | (#38309930)

Sorry, but when Fyodor crosses out some of the GPL terms and writes in new ones in crayon (meaning without the assistance of a lawyer or in a manner contrary to existing law), it doesn't really have the effect he desires.

The GPL explicitly does not define terms such as "derivative work" because these terms are defined in copyright law or case law. Case law is most important here, and in general case law is strongly against Fyodor's interpretation. Go read Judge Walker's finding in CAI v. Altai and tell me that just installing the software makes it a derivative work.

I am also dubious that anything in 18 U.S.C. 1030 (the Computer Fraud and Abuse Act) can really be used to prosecute this particular incident. Can you show me the words that you think would?

Re:It's Legal (1)

Midnight_Falcon (2432802) | more than 2 years ago | (#38310108)

As far as contracts go, as long as the terms aren't illegal and you have proper meeting of the minds, assent, etc., you can write whatever you want in crayon. I don't see anything wrong with his terms that would make it unenforceable in court or otherwise illegal. I don't think Fyodor's case hinges on it being a "derivative work." I think that definition is not germane to the fact he included the line about "Nmap into proprietary installer...". Then there's the whole other issue as to whether he agreed to C|Net's terms. On the Computer Fraud and Abuse Act, note that I was quoting Fyodor and I personally do not think this act can be used in this context, and Fyodor did say "potentially." In the end, I think a reasonably prudent person, and the average jury, would side with Fyodor's interpretation. However the average lawyer or judge would probably not. However, take Stephen Colbert's poll on the South Carolina ballot....are corporations people? The average person would vote "People are people" but the lawyer would say "Corporations are people." It's these systemic shenanigans that are being pointed out by this issue, and C|Net doing such a thing but being legally protected is nothing short of the same shenanigans.

Re:It's Legal (1)

Bruce Perens (3872) | more than 2 years ago | (#38310230)

It's not a contract. No proper consent, etc. It's a license. It unilaterally conveys rights without removing any rights you already have. This is what RMS intended with GPL2 and he'd testify to that effect. It wouldn't look so good to a jury as you think.

Re:It's Legal (1)

Midnight_Falcon (2432802) | more than 2 years ago | (#38310260)

So when you click "I agree", you're agreeing to a principle, not a contract? Sounds a bit unreasonable. I think the moral of my comments is that you can debate whether or not it is technically legal all day, but this is a very distasteful act and Fyodor had taken measures to prevent it from happening. The fact someone found a legal loophole to get around enforcement of something clearly stated by Fyodor in his license is patently offensive, if not an actual criminal act or tort.

Re:It's Legal (1)

Bruce Perens (3872) | more than 2 years ago | (#38310728)

Click "I Agree" where? On the CNET site? Show me the page, please.

I have NMap on my Debian system, and I never had to click "I Agree" to get it or anything else in Debian.

Yes, it's a repulsive act that CNet did, no argument with that. But why are people getting software from Download.com? What mistakes does our community make that lead to that?

Re:It's Legal (0)

Anonymous Coward | more than 2 years ago | (#38310380)

California has a specific law that makes this unlawful, assuming there was no clear right for the individual downloading the software to reject it.

Cal. Bus. & Prof. Code 22947.2 provides in part:
A person or entity that is not an authorized user, as defined in Section 22947.1, shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
(a) Modify, through intentionally deceptive means, any of the following settings related to the computer's access to, or use of, the Internet:
(1) The page that appears when an authorized user launches an Internet browser or similar software program used to access and navigate the Internet.
(2) The default provider or Web proxy the authorized user uses to access or search the Internet.
(3) The authorized user's list of bookmarks used to access Web pages.

Re:It's Legal (1)

Bruce Perens (3872) | more than 2 years ago | (#38310788)

"Intentionally deceptive means" is the key. Do we have screen shots, etc., that make a case that it was intentionally deceptive?

Re:It's Legal (1)

s.petry (762400) | more than 2 years ago | (#38310424)

>>We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!

Sorry, but anyone that believes Microsoft is above playing dirty... #%^#@& I'll just say that you are very ill informed. Microsoft has paid Oracle to do the same thing with the Java installer that CNET did here. Microsoft has paid countless companies to do the same thing in order to try and gain market share on Google's search engine. They play dirty, they do dirty things. Hence more trips to the DOJ for illegal monopolist practices than any company in history.

I'm also surprised that Microsoft has not released a Powertool yet that looks and acts just like NMAP, but is patented and copyright protected by Microsoft. Maybe that will come out after Windows 8 is released...

Re:It's Legal (3, Informative)

Bruce Perens (3872) | more than 2 years ago | (#38309832)

I see what you mean, the line that says "Integrates/includes/aggregates Nmap into a proprietary executable installer, such as those produced by InstallShield."

It's nice to know what they consider a derivative work, but it has no legal effect. That would not be a derivative work under copyright law no matter what they think.

Re:It's Legal (3)

Bert64 (520050) | more than 2 years ago | (#38310398)

It's not a "derivative work" for purposes of the GPL, and thus doesn't require disclosure of source code as per the GPL terms...

On the other hand, nmap is not distributed under the pure GPL, it is distributed under the GPL with added stipulations, kind of like how the Linux kernel includes explicit exceptions to GPL2...

The copyright holder is free to decide if, when and how their work will be distributed, and Fyodor has decided that in addition to the GPL requirements, he also doesn't want his code distributed as part of third party binary installers.
These installers are not a derivative work, they are just a violation of the distribution terms, and if you don't agree to the terms offered by the copyright holder then you are not allowed to distribute a copyrighted work.

A similar example would be a movie publisher or a tv station that is forced to implement DRM by a movie studio if they want to distribute that studio's movies. If the copyright holder doesn't agree with your terms then you can't redistribute his work.

Re:It's Legal (3)

Bruce Perens (3872) | more than 2 years ago | (#38310750)

I think if you want it to work that way, you need to write a new, and non-Open-Source, license. The way it's stated now, as a definition of derivative works rather than a term of distribution, doesn't work.

Now, ethically, people should do what you want. But the letter of the law would not require them to do so.

Re:It's Legal (0)

Anonymous Coward | more than 2 years ago | (#38309822)

But according to CNet, Fyodor uploaded the software. If he holds the copyright and agreed to their terms, it doesn't matter what some other license says.

Re:It's Legal (1)

Midnight_Falcon (2432802) | more than 2 years ago | (#38309866)

There's a concept in common law jurisdictions called a "contract of adhesion." There is substantial case law about ToS and other agreements being overruled on adhese grounds. But yes -- someone agreed to their terms. So de jure, they might have some protection, but de facto, they've angered the internet community and will face some repercussions. I've already blocked download.com through DNS redirection on many of my clients' networks.

Re:It's Legal (1)

Bruce Perens (3872) | more than 2 years ago | (#38310074)

Fyodor should not be clicking YES on anything when uploading his own software. Really bad legal practice.

I think CNet learned their lesson.

Be wary of blocking legitimate sites that you don't approve of. I have not heard of ECPA being used against spam blockers and site blockers, but I think it could be used that way.

Re:It's Legal (2)

Gerald (9696) | more than 2 years ago | (#38310068)

The stub installer conflates "CNET" with the name of the software package, both in its file name and in its installation wizard. For projects and products that are registered trademarks, wouldn't that constitute some sort of violation?

Re:It's Legal (1)

Bruce Perens (3872) | more than 2 years ago | (#38310166)

Can you make a credible case that the conflation of the CNET name confuses the public regarding the origin of the NMap software? It sounds a bit thin to me.

Re:It's Legal (0)

Anonymous Coward | more than 2 years ago | (#38310402)

Sure, CNet shouldn't do this, and if they keep doing it we'll eventually start using new licenses that make them copyright infringers. But right now it's legal.

It may be legal under copyright law, but given that a "bundle of things" containing NMAP is not NMAP, it is a violation of NMAP's trademark... as this is pretty obviously an attempt to deceive/trick/confuse consumers. As such, it's very damaging to the NMAP trademark.

If they had called their bundle the NetworkScannerDistroPack, then there would be no problem with including NMAP as long as there was no effort made to deceive folks into thinking they were only getting NMAP through the marketing materials / download descriptions.

Re:It's Legal (2)

Mr. Underbridge (666784) | more than 2 years ago | (#38310796)

It wasn't a question as to whether it's legal. The question was whether it's a kind of crappy thing to do. If the issue was legal, he would have sent a C&D - since the issue instead was CNET's being crappy, he used public shame instead, which is the effective means of attack in that instance.

Who? What? (5, Insightful)

RichardJenkins (1362463) | more than 2 years ago | (#38309666)

Who would download a tool like nmap from download.com? What sort of person does this? How is this a thing that happens?

Re:Who? What? (5, Interesting)

cavtroop (859432) | more than 2 years ago | (#38309740)

I work in security for my company, so we keep an eye on unauthorized software in our enterprise. We had a guy just today download PuTTY from a download site, that came bundled with all kinds of shitty toolbars and adware. This guy is a Sr. Software Manager and Developer at the company and should know better.

I wish I could clue these supposedly 'smart' users in, but they'll download and install anything without any critical thinking at all.

Re:Who? What? (1)

jezwel (2451108) | more than 2 years ago | (#38309876)

I've found my own team members downloading software from these types of sites under the assumption it was 'free' as there is no purchase required up front.

It's not easy finding switched on people, especially where you can't easily remove someone that can perform fine in most areas but just doesn't really understand the implications of certain software licence T&Cs.

Re:Who? What? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38309942)

I work in security for my company, so we keep an eye on unauthorized software in our enterprise. We had a guy just today download PuTTY from a download site,

PuTTY is a very bad example, almost ANY URL sounds more authoritative than the real one.

Working in security, you should expect people to screw this one up and have your sysadmin team deploy/maintain it.

www.chiark.greenend.org.uk/~sgtatham/putty/
*blech*

Re:Who? What? (1)

19thNervousBreakdown (768619) | more than 2 years ago | (#38310436)

Unless of course you search for it on Google, Bing, or Yahoo, or probably any other search engine, in which case it's the first result. And, unless you actually read the page you're downloading from, which states "The official PuTTY web page is still where it has always been: http://www.chiark.greenend.org.uk/~sgtatham/putty/ [greenend.org.uk] "

Unless you don't know what PuTTY is, you'd almost have to try to download it from the wrong place.

Re:Who? What? (1)

ISoldat53 (977164) | more than 2 years ago | (#38310422)

This used to be a trusted site.

Re:Who? What? (0)

CheshireDragon (1183095) | more than 2 years ago | (#38309754)

Windows monkeys?

Or some dense block of lead that does not know about YUM, apt-get, wget or the slew of other download-from-repository apps

Re:Who? What? (2)

lucm (889690) | more than 2 years ago | (#38309848)

What sort of person does this?

The same persons who complain because the "desktop experience" features are disabled by default on Windows Server.

There is no explanation, it is a personality type. I suggest you read "Zen and the art of motorcycle maintenance", it offers a lot of insight about this kind of thing.

Re:Who? What? (1)

leenks (906881) | more than 2 years ago | (#38310116)

If you mean (and I know you don't, but it can, and does, easily fall into that category in an enterprise) "being able to enter a path into Explorer and it allow you to go there" as opposed to navigating to it from "My Computer" or "Network" directly, then sure. If you mean being able to right click on an application in the taskbar so I can close it, then sure. I complain like hell at these restrictions; it makes my life a right PITA.

Sacrificing basic usability because some BOFH is under the impression that it will improve security (it won't; there are plenty of ways round these things) is a big no-no and just pisses off the technically competent and confuses the incompetent even further.

trust (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38309682)

It takes years to earn trust. It takes only one event like this to destroy said trust for good. Up to a year ago, I used download.com where they always proclaimed "Spyware free" etc... That trust has been erased and I will never go back to that site. But really, after they began doing the indirect download using their own downloader, that turned me off right then and there and I stopped about a year ago.

Re:trust (-1, Troll)

tomhudson (43916) | more than 2 years ago | (#38309732)

It takes years to earn trust. It takes only one event like this to destroy said trust for good.

That depends ... *cough* Sarah Palin *cough* Herman Cain *cough* Barack Obama *cough* Bill Clinton *cough* George W. Bush *cough*

Wow, cold season came early this year :-p

Re:trust (1)

leenks (906881) | more than 2 years ago | (#38310120)

Shame you started that with Sarah Palin. Nobody with a brain ever trusted that monster - at least on this side of the pond (we were actually quite scared of her in fact).

Re:trust (3, Funny)

19thNervousBreakdown (768619) | more than 2 years ago | (#38310450)

Scared of Sarah Palin? But she has to be elected to be any kind of a threat. What do you think we are, idio...

Yeah. Okay.

Agreed - Where else should we go for downloads? (1)

billstewart (78916) | more than 2 years ago | (#38310502)

Cnet and download.com used to be the site I trusted for downloading software, given their consistently good business practices and the number of other sites that included malware, spyware, and/or bloatware along with their downloads. Obviously I still trust Sourceforge, Ubuntu apt-get, and the download sites that various other projects provide for their own code, but for Windows software, download.com used to be the place to go.

So are there other sites that have good collections of Windows software and are reasonably trustable?

One option I think? (0)

Anonymous Coward | more than 2 years ago | (#38309686)

They could have donated a chunk of whatever profits they generated back into the project. Or put a big blinking sign saying this is open source software, etc.

Too little. (2, Insightful)

Capt.DrumkenBum (1173011) | more than 2 years ago | (#38309692)

Too late.
They should not have done it in the first place, and I will be looking elsewhere for my downloads.

Re:Too little. (3, Insightful)

DarwinSurvivor (1752106) | more than 2 years ago | (#38309790)

So YOU are the one that actually used that site! Of all the times not to post as AC....

Re:Too little. (1)

randy of the redwood (1565519) | more than 2 years ago | (#38309834)

Are there any good freeware / shareware download sites left that are trustworthy?

There was a time when download.com fit this bill. They were early in supporting user ratings so you could tell what was crapware. I guess we get what we pay for though.

Safe, Trusted, and Spyware-Free... (2)

davegaramond (632107) | more than 2 years ago | (#38309800)

Waiting for their tagline to change to "Safe, Trusted, and We Apologize For Spyware"

False positive and false negatives (0)

Skywings (943119) | more than 2 years ago | (#38309874)

While it is good to see a detected false positive rectified it is a situation that should not have happened in the first place. When governments tread down the dangerous road of censorship it is better to err on the side of false negatives than false positives. False negatives do not hurt anyone if the rate is low enough but a false positive can generate much notoriety for the government. It makes the government seem unusually cruel and overbearing and gives the impression they are trying to exert tight and almost claustrophobic control over the population. Erring the other way can make a government appear more benevolent and will appear to be looking out for the best interest of the people and so what if they miss a few, the government is trying its best.

They changed the search engine to Bing? (-1)

Anonymous Coward | more than 2 years ago | (#38309910)

That is so not Cuil.

Android people seem to think this is just fine. (0)

Anonymous Coward | more than 2 years ago | (#38309932)

Android people seem to think this is just fine; there are so many parasites making money off the hard work of others. (So much so that basically the only clean place is F-Droid.)

Since it is mentioned prior to installing it (5, Insightful)

koan (80826) | more than 2 years ago | (#38309962)

Should you be using Nmap if you can't pay enough attention to opt out of installing a toolbar?

Re:Since it is mentioned prior to installing it (0)

Anonymous Coward | more than 2 years ago | (#38310146)

Should you use nmap if you don't want fyodor to hack [slashdot.org] your computer?

Re:Since it is mentioned prior to installing it (1)

Anonymous Coward | more than 2 years ago | (#38310154)

Really...

Are you saying that you NEVER posted or sent an email by accident? You have never clicked a mouse reflexively? Do you read all the fine print in your credit card statements and bank statements? Do you read the legalese in every piece of software that you install?

The person may not have the attention to detail that they need.... OR they made a mistake.

Half-assed apology (1, Flamebait)

TSHTF (953742) | more than 2 years ago | (#38310030)

What a half assed apology. They didn't apologize for fucking up, but instead the unrest they caused.

The bundling of this software was a mistake on our part and we apologize to the user and developer communities for the unrest it caused.

Re:Half-assed apology (0)

Anonymous Coward | more than 2 years ago | (#38310430)

they disturbed the internet eh?

Optional (1)

Hentes (2461350) | more than 2 years ago | (#38310110)

If it's optional, what's the problem?

Anything for money (-1)

Anonymous Coward | more than 2 years ago | (#38310220)

An oversight that crapware was bundled? Bullshit. And fuck you. Anything for a buck until you're caught, then beg forgiveness afterwards.

Time for litigation (2)

Animats (122034) | more than 2 years ago | (#38310262)

This is where he should sue CNet for slander of trademark, and tortious interference with business relations.

It won't happen again! (1)

s.petry (762400) | more than 2 years ago | (#38310306)

Until the next time we need a bonus anyway...

A CBS Subsidiary? (0)

Anonymous Coward | more than 2 years ago | (#38310344)

CNET is a CBS Subsidiary? I've lost all respect for them.

Typical corporate mindset... (4, Insightful)

Hamsterdan (815291) | more than 2 years ago | (#38310350)

They're not sorry about the bundled *extras*, they're sorry they *got caught*...

Do they have to use ... (1)

Anonymous Coward | more than 2 years ago | (#38310372)

... such slimy tactics to advocate for Bing? Is it that bad?

add on software (0)

Anonymous Coward | more than 2 years ago | (#38310714)

I would never download nmap from download.com but this happens all the time.
Adobe Reader comes with Google Toolbar or McAfee anti-virus.
My Windows laptop came preloaded with Symantec toolbar.
WhatMeWorry!
