My friends at the CISO Group want you to take a stand against C/Net’s practices concerning Download.com.

Alan Shimel, a managing partner at The CISO Group, wrote a blistering critique of C/Net’s practices, which I wrote about here last week.

Gordon Lyon, more commonly known on the Internet as Fyodor, runs the Internet security resource sites Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org and maintains the Nmap Security Scanner. Last week on Seclists.org, he wrote of what he sees as a growing cesspool on the popular Download.com site:

I’ve just discovered that C|Net’s Download.Com site has started wrapping their Nmap downloads (as well as other free software like VLC) in a trojan installer which does things like installing a sketchy “StartNow” toolbar, changing the user’s default search engine to Microsoft Bing, and changing their home page to Microsoft’s MSN.

The way it works is that C|Net’s download page (screenshot attached) offers what they claim to be Nmap’s Windows installer. They even provide the correct file size for our official installer. But users actually get a Cnet-created trojan installer. That program does the dirty work before downloading and executing Nmap’s real installer.

In Shimel’s opinion, it’s time to declare war on C/Net over this. He writes:

It is even more loathsome to include these 3rd party potential security threats when people are downloading security software. But that is exactly what is happening at Download.com. Many in the security industry have raised the alarms about this practice. Everyone from HD Moore of Metasploit to Fyodor of NMap and more. InfoWorld and other mainstream media outlets have blown the whistle as well. It has certainly come to the attention of C/Net and they have responded:

[Cnet issued a statement saying it had mistakenly made NMap — and other open-source software — part of its program, but planned to continue the bundling of third-party software, with some changes.
“All third-party offers are clearly identified as such, and there is no requirement for the user to download and install the offer; rather, a user has the option to Accept or Decline,” Sean Murphy, CBS Interactive’s vice president and general manager]

So it was one thing to not know you are making a mistake, it is quite another to know what you are doing is wrong and still do it. If this is going to be the position of C/Net the position of the tech community should be clear. Stop going to C/Net, stop downloading anything from Download.com and if you are a developer don’t give them permission to list your software.

Alan is pretty ticked off. I think his anger is justified. If you tell your customers you’re going to keep giving them garbage they don’t want despite all their protests, there’s clearly a screw loose somewhere.

It’s also a security threat, so take my advice and heed Alan’s suggestion.

–Bill Brenner