SourceForge seizes the Nmap account
SourceForge recently got into a lot of hot water over the old GIMP account on the SourceForge site. Now it looks like the Nmap account is getting the same treatment.
Fyodor posted on Seclists.org:
You may have already read the recent news about Sourceforge.net hijacking the GIMP project account to distribute adware/malware. Previously GIMP used this Sourceforge account to distribute their Windows installer, but they quit after Sourceforge started tricking users with fake download buttons which lead to malware rather than GIMP. Then Sourceforge took over GIMP's account and began distributing a trojan installer which tries to trick users into installing various malware and adware before actually installing GIMP. Of course this goes directly against Sourceforge's promise less than two years ago:
"we want to reassure you that we will NEVER bundle offers with any project without the developers consent" --http://sourceforge.net/blog/advertising-bundling-community-and-criticism/
So much for that promise! Anyway, the bad news is that Sourceforge has also hijacked the Nmap account from me. The old Nmap project page is now blank:
Meanwhile they have moved all the Nmap content to their new page which only they control:
You can see at the top that the owners of the Nmap page are now 'sf-editor1', and 'sf-editor3'. You can click on those to see other projects they have hijacked.
So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP. But we certainly don't trust them one bit!
We will ask Sourceforge to remove the hijacked Nmap page, but more importantly we want to reiterate that you should only download Nmap from our official SSL Nmap site:
PS: Ars Technica has a good article about the Sourceforge/GIMP fiasco: http://arstechnica.com/?p=673477
PPS: Sourceforge now claims they will stop trojaning software without the developer's permission, but they've broken that exact promise before.
CORRECTION: I initially had Michael Schumacher listed as CEO of Sourceforge, but that was a big mistake! He's actually one of the good guys (from GIMP). I apologize for that.
Linux redditors wasted no time sharing their thoughts about the Nmap situation at SourceForge:
Ventomareiro: "That is why Free SW projects need to trademark their names: so if you don't agree with how somebody is redistributing your code, you can force them to at least not do it in your name."
Draco1200: "Even if they did not register their mark, the person who owns and distributes the product may still have Common Law trademark rights in jurisdictions where they distributed the software.
So it's still conceivable that they could sue SourceForge over trademark misappropriation."
Letmefixthatforyouyo: "It's worse than that. The Sourceforge TOS states that they may opt to "mirror" your code regardless if you want it removed. GIMP has very much asked for it to be removed from the site."
lsc: "What they are doing isn't stealing - it's more like getting a fake ID and disguising themselves as someone you trust so that you let them into your house, then pasting up advertisements for random crap on the ceiling of your bedroom.
In a lot of ways, it's lower than stealing, if you ask me. Especially since the only certain way to keep someone out who has gotten into your house before, in this case, is to demolish the thing and put up a new one."
Wolftune: "If they are distributing unmodified software (I believe they are, just bundling it in an installer package), there is no trademark violation. It would be the same as if I bought a bunch of Coca Cola and then sold it to you in a box that had Twizzlers in it as well. Coca Cola can't stop me from saying that I'm selling you Coca Cola."
MartenBE: "Mirroring is fine, but according to me getting hijacked by sf-editor1 is not. Maybe these accounts are still accessible by the original owners (in that case, my bad for jumping to the wrong conclusion), but I am doubting it."
R0ck0: "Angering all the heavy users of nmap. Great idea. That can only end well."
Lakechfoma: "Mass exodus of both developers and consumers would likely mean death of Sourceforge. BS like this encourages that and I would assume they're only doing it because they need the $ or are having trouble making good decisions, not because they just felt like pissing people off."
MaTachi: "Nice way to do damage control—generate even more bad publicity! I wonder what they are thinking at SourceForge."
Silverlight42: "So what you're saying is that when I'm looking to download software... don't ever download anything from sourceforge? Okay."