Security pros slam Cnet's bundling

Prominent members of security community criticize Cnet for pairing bloatware with popular free security tools

Programmers have a strong sense of ownership for the software they create. No wonder then that CBS Interactive subsidiary Cnet ran into problems when security researchers found that unwanted toolbars and thinly veiled marketing utilities were being pushed on people who downloaded popular open source tools and other software.

Last week, well-known security researcher Gordon "Fyodor" Lyon, creator of the popular Nmap port-scanning tool, took Cnet to task for wrapping the installation of the tool in an installer that would also place a sponsored utility on the user's system. During the week, security professionals found that other open source security tools received similar treatment, including the wireless-scanning tool Wireshark and the penetration-testing tool Metasploit.

"Many people assumed that a major site like this wouldn't resort to unethical monetization schemes like adding spyware and other malware to their downloads," Lyon wrote in a blog post. "Unfortunately, those people were wrong."

For security professionals, Cnet's bundling of software is particularly egregious because privacy is highly valued and the addition of third-party software can undermine the security of a system. Moreover, Cnet did not give adequate notice, argues HD Moore, chief security officer for Rapid7 and the creator of the Metasploit Framework, an open source security tool.

"This behavior was not clearly identified during the signup process and this wrapper introduces software that many antivirus products flag as malware," Moore says. " was actually the largest third-party download source for our software, but this traffic was not worth the cost to our users' privacy."

On Wednesday, Cnet issued a statement saying it had mistakenly made Nmap -- and other open source software -- part of its program, but planned to continue the bundling of third-party software, with some changes.

"All third-party offers are clearly identified as such, and there is no requirement for the user to download and install the offer; rather, a user has the option to Accept or Decline," Sean Murphy, CBS Interactive's vice president and general manager, says in the statement.

The statement has not mollified security professionals, however. In a post last Wednesday, eEye Digital Security argued that adding unwanted third-party software to a system can undermine security.

"The user is entirely unaware of what vulnerabilities -- or worse, spyware -- lies within some random toolbar that was bundled with their favorite ISO mounting software or with the Java installer," the company writes. "All they want is what they came for, whether that is Nmap or Adobe Reader or a My Little Pony screensaver."

This story, "Security pros slam Cnet's bundling," was originally published at InfoWorld.

Copyright © 2011 IDG Communications, Inc.