Nmap Development mailing list archives

Re: Sourceforge Hijacks the Nmap Sourceforge Account


From: Rodrigo Ramos <rodbramos75 () gmail com>
Date: Wed, 3 Jun 2015 16:11:46 -0300

Hi all!

Thank you very much for telling us this story, Fyodor!

I believe that Sourceforge must be erased from our brains and from the Internet.


Best regards,
Rodrigo Ramos

On 03/06/2015, at 04:56, Fyodor <fyodor () nmap org> wrote:


Hi Folks!  You may have already read the recent news about Sourceforge.net hijacking the GIMP project account to 
distribute adware/malware.  Previously GIMP used this Sourceforge account to distribute their Windows installer, but 
they quit after Sourceforge started tricking users with fake download buttons which lead to malware rather than GIMP.
Then Sourceforge took over GIMP's account and began distributing a trojan installer which tries to trick users into
installing various malware and adware before actually installing GIMP.  Of course this goes directly against 
Sourceforge CEO Michael Schumacher's promise less than two years ago:

"we want to reassure you that we will NEVER bundle offers with any project without the developers consent"
--http://sourceforge.net/blog/advertising-bundling-community-and-criticism/

So much for that promise!  Anyway, the bad news is that Sourceforge has also hijacked the Nmap account from me.  The 
old Nmap project page is now blank:

http://sourceforge.net/projects/nmap/

Meanwhile they have moved all the Nmap content to their new page which only they control:

http://sourceforge.net/projects/nmap.mirror/

You can see at the top that the owners of the Nmap page are now 'sf-editor1', and 'sf-editor3'.  You can click on 
those to see other projects they have hijacked.

So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download 
buttons) and we haven't caught them trojaning Nmap the way they did with GIMP.  But we certainly don't trust them one 
bit!  Sourceforge is pulling the same scheme that CNet Download.com tried back when they started circling the drain:

http://insecure.org/news/download-com-fiasco.html

We will ask Sourceforge to remove the hijacked Nmap page, but more importantly we want to reiterate that you should 
only download Nmap from our official SSL Nmap site:

https://nmap.org/download.html

If you don't trust SSL by itself (and we don't blame you), you can also check the GPG signatures: 
https://nmap.org/book/install.html#inst-integrity

Cheers,
Fyodor

PS: Ars Technica has a good article about the Sourceforge/GIMP fiasco: http://arstechnica.com/?p=673477

PPS: Sourceforge now claims they will stop trojaning software without the developer's permission, but they've broken 
that exact promise before.


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/