Nmap Development mailing list archives



Re: SourceForge nmap project analysis

On Fri, Jun 5, 2015 at 2:53 AM, Fabio Pietrosanti (naif) - lists < lists () infosecurity ch> wrote:

> Hello, I'm sharing the SourceForge's nmap project analysis regarding the recently discussed issues: http://sourceforge.net/blog/analysis-of-nmap-project-and-data/

Even by Sourceforge standards, this is a load of BS! Problems:

1) Despite all this attention on Sourceforge's fake Nmap page in particular, the largest green download button STILL gives users a spyware program called "FileOpenerPro" rather than Nmap. A quick Google search shows that this spyware collects your "browsing habits" among other information and may "sometimes redirect you to third-party sponsored webpages without your permission" and "may alter your browsing settings and default home page." I've attached a screenshot of the current fake SF Nmap page. Note that the big green button just says "START DOWNLOAD" while the fact that this is spyware rather than Nmap is hidden in the text well below the button. This is not an accident and goes against Sourceforge's 2013 promise to stop using fake download buttons: https://sourceforge.net/blog/?s=blockthis

2) SF makes a big deal about how they weren't actually inserting malware into the Nmap project installer, but that's only because they were caught in the early stages of their "trial" where they did this to other projects such as GIMP. We just got lucky that they hadn't added the malware to the Nmap installer yet. Adding the malware to projects like GIMP broke Sourceforge's 2013 promise to never bundle malware/adware into project installers without consent: http://sourceforge.net/blog/advertising-bundling-community-and-criticism/

3) The SF fake Nmap page has a big "Keep Me Updated" box for people to insert their email address, hoping to get real Nmap project updates. But Sourceforge never even gives us the email addresses collected. Instead the users are added to a spam list of "sponsored content from our selected partners, and more".

4) Their fake Nmap page (which I have no control over) currently uses the Nmap logo and trademark and copyrighted description text and such without authorization. See the screenshot attached. This gives users the wrong impression that this fake site is somehow authorized or controlled by the Nmap project. So they might not be as careful about checking for spyware, etc. We have asked Sourceforge to remove our copyrighted/trademarked content and also to remove the whole fake page, but they have not done either.

5) Sourceforge's response makes a big deal about how we didn't use their "File Release System", but that's because the system sucks and is just a pretext to add interstitial ads and try to redirect potential users to more of their malware/spyware/adware offerings. We used their web service instead and had 584 megabytes of files there according to the disk quota messages they sent us in 2006.

6) Their Internet Archive screenshots showing "Project was empty" are because they are showing an SF interface for the project that we didn't use much if at all. Again, we used the Sourceforge web service interface to serve the content from our account there. We had millions of Nmap downloads through Sourceforge during the (long ago) period where we used them.

It's true that a careful and sophisticated user could avoid the malware and spam minefield of Sourceforge's fake Nmap page, but they shouldn't have to. And the fact that Sourceforge makes money doing this shows that many users do fall for it and have their systems infected. And when the user has their system infected after installing what they thought was an Nmap installer, who do you think they blame? Us! I've spent 18 years trying to build Nmap as a useful and trusted free software program, so of course I get mad when companies try to abuse that trust and tarnish our name with these sleazy and greedy tactics!

Cheers,
Fyodor

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
