Programmers have a strong sense of ownership for the software they create. No wonder then that CBS Interactive subsidiary Cnet ran into problems when security researchers found that unwanted toolbars and thinly veiled marketing utilities were being pushed on people who downloaded popular open source tools and other software.
Last week, well-known security researcher Gordon "Fyodor" Lyon, creator of the popular NMap port-scanning tool, took Cnet to task for wrapping the tool in an installer that would also place a sponsored utility on the user's system. During the week, security professionals found that other open source security tools received similar treatment, including the wireless-scanning tool Wireshark and the penetration-testing tool Metasploit.
"Many people assumed that a major site like this wouldn't resort to unethical monetization schemes like adding spyware and other malware to their downloads," Lyon wrote in a blog post. "Unfortunately, those people were wrong."
For security professionals, Cnet's bundling of software is particularly egregious because privacy is highly valued and the addition of third-party software can undermine the security of the system. Moreover, Cnet did not give adequate notice, argues HD Moore, chief security officer for Rapid7 and creator of the Metasploit Framework, an open source security tool.
"This behavior was not clearly identified during the signup process and this wrapper introduces software that many antivirus products flag as malware," Moore says. "Download.com was actually the largest third-party download source for our software, but this traffic was not worth the cost to our users' privacy."
On Wednesday, Cnet issued a statement saying it had mistakenly made NMap -- and other open source software -- part of its program, but planned to continue the bundling of third-party software, with some changes.