Cnet Apologizes For Nmap Adware Mess

Trailrunner7 writes "Officials at Cnet's Download.com site have issued a statement apologizing for bundling the popular open source Nmap security audit application with adware that installed a toolbar and changed users' search engine to Microsoft properties. Fyodor, the author of Nmap, raised the issue earlier this week, saying that his app was being wrapped in malware on Download.com. It's not unusual for download sites to bundle free applications with some kind of adware or toolbar, but the creators of open-source applications take a dim view of this practice, given the nature and ethic of open source projects. Nmap is a venerable and widely used tool for mapping networks and performing security audits and Fyodor wrote in a message to an Nmap mailing list earlier this week that Download.com, which is part of Cnet, a subsidiary of CBS Interactive, was bundling the application with its installer, which, if a user agreed, would install a search toolbar and change the user's search engine to Bing."

It's Legal

[Bruce Perens]

It is entirely within the license terms of any OSI-approved Open Source license to aggregate any software, regardless of its nature, on the same medium as Open Source software and to install it with the same installer that installs the Open Source. Even software that is harmful. Only if the software is a derivative work of the Open Source will the license apply to it.

Sure, CNet shouldn't do this, and if they keep doing it we'll eventually start using new licenses that make them copyright infringers. But right now it's legal.

Re:It's Legal

[Midnight_Falcon]

NMap is not licensed under the GPL -- it has its own license that specifically prohibits this type of bundling/installing a wrapper around the executable. This is not legal under NMap's license terms, I'm afraid you're mistaken.

Re:It's Legal

[Midnight_Falcon]

Bruce: This is taken directly from Fyodor's email to nmap-hackers: In addition to the deception and trademark violation, and potential violation of the Computer Fraud and Abuse Act, this clearly violates Nmap's copyright. This is exactly why Nmap isn't under the plain GPL. Our license (http://nmap.org/book/man-legal.html) specifically adds a clause forbidding software which "integrates/includes/aggregates Nmap into a proprietary executable installer" unless that software itself conforms to various GPL requirements (this proprietary C|Net download.com software and the toolbar don't). We've long known that malicious parties might try to distribute a trojan Nmap installer, but we never thought it would be C|Net's Download.com, which is owned by CBS! And we never thought Microsoft would be sponsoring this activity!

Re:It's Legal

[Bruce Perens]

I see what you mean, the line that says "Integrates/includes/aggregates Nmap into a proprietary executable installer, such as those produced by InstallShield."

It's nice to know what they consider a derivative work, but it has no legal effect. That would not be a derivative work under copyright law no matter what they think.

Re:It's Legal

[Bruce Perens]

Sorry, but when Fyodor crosses out some of the GPL terms and writes in new ones in crayon (meaning without the assistance of a lawyer or in a manner contrary to existing law), it doesn't really have the effect he desires.

The GPL explicitly does not define terms such as "derivative work" because these terms are defined in copyright law or case law. Case law is most important here, and in general case law is strongly against Fyodor's interpretation. Go read Judge Walker's finding in CAI v. Altai and tell me that just installing the software makes it a derivative work.

I am also dubious that anything in 18 U.S.C. 1030 (the Computer Fraud and Abuse Act) can really be used to prosecute this particular incident. Can you show me the words that you think would?

Re:precisely that

[EdIII]

Aptly put.

I never argued that there should be more liability and less protections for executives in corporations. Quit the contrary actually. The landlord analogy is insane because you are holding them strictly liable for all actions of the tenant. For a landlord to be truly negligent they would need to know. Murder is ridiculous, but crack house or meth lab.... might not be so much. Bimonthly inspections that just involve a cursory look through the property would not be unreasonable and are permissible in every rental/lease contract I have seen.

As for the executives and board members I absolutely agree that corporate person hood should not shield executives that meet your standards for negligence, gross negligence, knowledge required, and intentional. Treat them like everybody else. They still performed the act, only used the corporation as a vehicle for their actions. Ironically enough, we have laws for vehicular homicide and negligence for literal vehicles too.

My objection is providing strict liability to the investors. That is unreasonable period. Intentional and knowledge required indicates a conspiracy or aiding & abetting. No excuse for that. Gross negligence does not sound possible in an investor/stock holder context.

Negligence and Knowledge required are where it gets unreasonable to the investors because then it requires investors, even accredited investors, to perform ongoing audits that would be too resource intensive and impractical. It might not even be possible if the executives are actively attempting to hide their activities and falsifying records.

Especially so for somebody that owns a minuscule amount of stock in Exxon. Somebody needs to explain to me how Ma & Pa Johnson on a farm in Kansas could really know that the Valdez incident was about to happen or could have prevented it. Billing them for cleanup and reparations does not sound like a logical and reasoned position to take.