SourceForge under fire again for Nmap page

In today's open source roundup: SourceForge takes more heat for its Nmap page. Plus: Best Chromebook for a college student? And DistroWatch reviews Fedora 22 KDE.


SourceForge and Nmap again

SourceForge is under fire yet again for its Nmap page. The page on SourceForge has irked the Nmap developer and redditors alike, and they pulled no punches sharing their thoughts on Seclists and on the Linux subreddit.

Fyodor shared his thoughts about the Nmap page on SourceForge:

1) Despite all this attention on Sourceforge's fake Nmap page in particular, the largest green download button STILL gives users a spyware program called "FileOpenerPro" rather than Nmap. A quick Google search shows that this spyware collects your "browsing habits" among other information and may "sometimes redirect you to third-party sponsored webpages without your permission" and "may alter your browsing settings and default home page." I've attached a screenshot of the current fake SF Nmap page. Note that the big green button just says "START DOWNLOAD" while the fact that this is spyware rather than Nmap is hidden in the text well below the button. This is not an accident and goes against Sourceforge's 2013 promise to stop using fake download buttons:

2) SF makes a big deal about how they weren't actually inserting malware into the Nmap project installer, but that's only because they were caught in the early stages of their "trial" where they did this to other projects such as GIMP. We just got lucky that they hadn't added the malware to the Nmap installer yet. Adding the malware to projects like GIMP broke Sourceforge's 2013 promise to never bundle malware/adware into project installers without consent:

3) The SF fake Nmap page has a big "Keep Me Updated" box for people to insert their email address, hoping to get real Nmap project updates. But Sourceforge never even gives us the email addresses collected. Instead the users are added to a spam list of "sponsored content from our selected partners, and more".

4) Their fake Nmap page (which I have no control over) currently uses the Nmap logo and trademark and copyrighted description text and such without authorization. See the screenshot attached. This gives users the wrong impression that this fake site is somehow authorized or controlled by the Nmap project. So they might not be as careful about checking for spyware, etc. We have asked Sourceforge to remove our copyrighted/trademarked content and also to remove the whole fake page, but they have not done either.

5) Sourceforge's response makes a big deal about how we didn't use their "File Release System", but that's because the system sucks and is just a pretext to add interstitial ads and try to redirect potential users to more of their malware/spyware/adware offerings. We used their web service instead and had 584 megabytes of files there according to the disk quota messages they sent us in 2006.

6) Their Internet Archive screenshots showing "Project was empty" are because they are showing an SF interface for the project that we didn't use much if at all. Again, we used the Sourceforge web service interface to serve the content from our account there. We had millions of Nmap downloads through Sourceforge during the (long ago) period where we used them.

It's true that a careful and sophisticated user could avoid the malware and spam minefield of Sourceforge's fake Nmap page, but they shouldn't have to. And the fact that Sourceforge makes money doing this shows that many users do fall for it and have their systems infected. And when the user has their system infected after installing what they thought was an Nmap installer, who do you think they blame? Us!

I've spent 18 years trying to build Nmap as a useful and trusted free software program, so of course I get mad when companies try to abuse that trust and tarnish our name with these sleazy and greedy tactics!

More at Seclists

Linux redditors responded with their thoughts about SourceForge's behavior:

Modelturd: "Wtf happened to Sourceforge? They were Good Guys at one time. Isn't Slashdot somehow tied up with them?"

Jarfil: "It got sold...Then, the new owners realized that GitHub was becoming the go-to site for free software, and decided to monetize any way they could. Even if it meant running SourceForge into the ground."

Endur: "Yea, the owners had the choice to either watch it die or quickly squeeze the remaining cash out of it and kill it earlier. Since they probably bought it as an investment, they probably just measured how much money they would get from ads vs (ad revenue scenario 2 - monetized cost of annoying customers). I doubt they predicted this amount of backlash and I wonder if it had had an effect."

Altered_Equine: "Sourceforge is evil now. They've gone 100% malvertizing and adware to cash in on open source projects."

Starks: "Even 10 years ago, Sourceforge felt archaic and sketchy."

More at Reddit

Best Chromebook for a college student?

Chromebooks have proven to be quite popular over the last few years, with many models getting high star ratings on Amazon. But which one would be best for a college student? A redditor recently asked that question and got some helpful answers.

JS24 asked his question about Chromebooks and college:

I'm looking to get a laptop for college and I was thinking of getting a Chromebook and I was wondering which one would work best for me.

I was thinking of using the Chromebook for stuff like watching Netflix and listening to music and Facebook and taking notes. Also I was thinking of putting Linux on it and maybe playing a couple of Steam games like Civ and maybe Kerbal.

Anyways I was kind of considering this[1] one or the touchscreen version but I'm not sure if a touchscreen will be necessary.

More at Reddit
