Network World

Alan Shimel

Download Wrappers Are Wrong, Doubly Wrong With Open Source

C/Net's Download.com is wrong to do this and should stop now

By Alan Shimel on Mon, 12/12/11 - 5:24pm.

How many times have you downloaded software over the net and, while it was installing, it asked you if you would like to use this terrific new toolbar or some other software? Worse yet, how many times did you install software you downloaded over the net only to find out that it installed other software without even asking you? No matter how many times it has happened to me, I always feel violated afterwards. I always thought it was a sleazy way of sneaking software or applications onto someone's computer who otherwise would not want it. But that is exactly what it turns out C/Net's Download.com has been doing for some time. Now many in the industry are taking umbrage at that practice.

It started with my friends in the security industry. Gordon "Fyodor" Lyon, the developer of Nmap, wrote about it last week on Insecure.org. Other open source and free security tool developers, including my friend HD Moore of Metasploit and Rapid7 and the makers of Wireshark, chimed in. They called what C/Net was doing a potential security threat and the wrapper a Trojan. Another friend of mine from the security industry, Rob Lemos, has a good write-up on it over on InfoWorld.

For those of you not familiar with the term "wrapper", let me explain. What Download.com is doing is that when you click to download software from their site (software developed by others), they are "wrapping" it in their own installer. This C/Net installer will either ask you (if they are polite) or, in some cases, not so obviously install other third-party software on your computer: things like web toolbars, alternate search engines and other programs whose makers usually pay money for every copy that gets installed.

If C/Net were the developer of the software you were installing, it would be their right to bundle whatever else they want with their own software. But when they bundle software with other people's software, that is crossing the line. Doing it with open source software is even more wrong in my opinion. It flies in the face of the whole concept of open source software. Free as in free, not bundled with other software that isn't open.

The security industry was up in arms because they are even more sensitive to privacy and to what gets installed than others. Who knows what this bundled software is and what it does? It is just one more vector from which something bad can happen.

Another angle is that of the software developer. The idea of someone taking your software and profiting from it by bundling other software without your permission or knowledge just rubs them the wrong way, as it should.

From my own personal point of view, how many of you have to play IT support for your friends and relatives? How many times have you logged on to their computers and asked "where the heck did all of this junk come from?" All of those ask.com, about.com and other toolbars. How about the ones that don't uninstall so easily? I am still trying to get something called mp3.tubebar off of one computer in our house. Most of that adware, malware and such is installed when you download "legit" software and just click yes on the installer questions.

I almost never pick the general install anymore and always opt for the "custom" install which gives me more control over what is going on my machine.

Worst of all, though, is that when confronted with this, C/Net still refuses to budge. According to Lemos,

On Wednesday, Cnet issued a statement saying it had mistakenly made NMap -- and other open-source software -- part of its program, but planned to continue the bundling of third-party software, with some changes.

This just screams insensitive to me. What will it take for them to realize that they have to find another way to make money on people downloading free and open source software? Until they do, I will tell you that I am not downloading any software from Download.com.

For you reading this, let this be a lesson: if you download software, be aware of what else you are getting with that free download!
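One practical way to act on that lesson is to check a downloaded installer against the digest the project itself publishes before running it: a wrapper replaces or pads the genuine file, so its size and hash no longer match the upstream release. The following is an added example, not code from the post or from any of the projects it mentions; it assumes the publisher posts a SHA-256 digest (and optionally the file size) on its own site, and the "genuine" and "wrapped" installer bytes below are constructed stand-ins, not real installers.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    actual_sha256: str
    size: int


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the bytes, the form most projects publish next to a release."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_sha256: str,
                    expected_size: Optional[int] = None) -> VerifyResult:
    """Compare a downloaded installer with the publisher's own digest.

    The digest must come from the project's site, never from the download
    portal that served the file; otherwise a wrapped file could ship a
    matching "checksum" of itself. The size check is cheap and catches the
    common case of a stub being prepended or appended to the real installer.
    """
    actual = sha256_hex(data)
    if expected_size is not None and len(data) != expected_size:
        return VerifyResult(False,
                            f"size mismatch: got {len(data)} bytes, expected {expected_size}",
                            actual, len(data))
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return VerifyResult(False, "sha256 mismatch: file is not the publisher's release",
                            actual, len(data))
    return VerifyResult(True, "digest matches the publisher's release", actual, len(data))


def verify_file(path: str, expected_sha256: str,
                expected_size: Optional[int] = None) -> VerifyResult:
    """Same check for a file on disk, read fully into memory."""
    with open(path, "rb") as fh:
        return verify_download(fh.read(), expected_sha256, expected_size)


# Constructed sample data (hypothetical): a stand-in for the genuine installer,
# and a "wrapped" variant where a download-site stub has been bolted on.
GENUINE_INSTALLER = b"MZ\x90\x00" + b"genuine-installer-bytes" * 32
WRAPPED_INSTALLER = b"MZ\x90\x00" + b"download-site-wrapper-stub" + GENUINE_INSTALLER

# In real use these two values are copied from the project's release page.
PUBLISHED_SHA256 = sha256_hex(GENUINE_INSTALLER)
PUBLISHED_SIZE = len(GENUINE_INSTALLER)


def check_both():
    """Run the check on the genuine and the wrapped sample; returns (genuine, wrapped)."""
    return (verify_download(GENUINE_INSTALLER, PUBLISHED_SHA256, PUBLISHED_SIZE),
            verify_download(WRAPPED_INSTALLER, PUBLISHED_SHA256, PUBLISHED_SIZE))


if __name__ == "__main__":
    for label, result in zip(("genuine", "wrapped"), check_both()):
        status = "OK " if result.ok else "FAIL"
        print(f"[{status}] {label}: {result.reason} (sha256={result.actual_sha256[:16]}...)")
```

The genuine sample passes and the wrapped one fails on size before the hash is even compared; drop the size argument and it still fails on the digest. Note that a matching hash only proves the file is the publisher's release, not that the publisher's own installer is free of bundled extras, which is why the "custom" install option mentioned above is still worth choosing.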

About Open Source Fact and Fiction

As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.

Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.

Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.

Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.
