Don't download software from SourceForge if you can help it (opens in new tab)

(howtogeek.com)

161 pointsub11y ago48 comments

48 comments

44 comments · 17 top-level

gamache11y ago· 9 in thread

In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.

This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.

Very interesting! I'd be interested to hear the corporate-speak rationale for this. Kind of interested, anyway.

jackmaney11y ago

> Very interesting! I'd be interested to hear the corporate-speak rationale for this.

I'm not affiliated with Sourceforge in any way, shape, or form--thank the fucking gods--but I suspect it would be something along the lines of "our downloader and associated offers are optimized to automatically use fewer resources in an environment, such as a VM, where computing resources are scarce."

ytdht11y ago

resources are also always limited on a single computer but most companies usually don't care because it is cheaper to use a higher level language

throwaway49898211y ago

this is unbelievably malicious! In our earlier discussion there was some discussion about the installer asking for permission to install crapware. in fact if you're going to do malware stuff like this, why even ask?

On a technical level - how come you can detect VM's? with something like BOCHS and if you lie about wall time inside your OS, can't it emulate a PC perfectly? How does crapware know whether it's in a VM or not?

jaysh11y ago

This is a nice article on the matter: http://web.archive.org/web/20110929075510/http://invisibleth.... It doesn't appear to work reliably anymore, but the principle is the same.

Even if we reached the point where VMs never technically revealed they were VMs, I think the human element might still play a part. When I spin up a VM for a quick test, I might leave it on 512MB or 1GB RAM - but this could be a giveaway that it's a VM (not 100% of the time, granted) given how unlikely a fresh installation of Windows is to have that small amount of memory.

stephengillie11y ago

Well, there are a couple things - For one, the hypervisor presents different "hardware" than you would get in a standard HP or Dell box. And often the hypervisor has a driver package to install, to facilitate communication between the OS and hypervisor - this is used mostly to manage memory overcommit with things like a memory bubble.

As the hypervisor gets low on RAM, it tells its driver in the VM OS to use more RAM, which steals some away from that system. Then the hypervisor swaps that RAM or puts it out of play in another way, and gets to reclaim the underlying physical RAM. At least, this is the VMWare way of doing it, not too sure about MS or Citrix or RH or others.

toyg11y ago

Well, on a Windows VM in VMWare products, you can just ask the OS and it will happily report the manufacturer as "VMWare, Inc" for example. I would expect other virtualizers to do something similar, if not there in some other places (like drivers etc).

mikeash11y ago

You can emulate a PC perfectly. But in practice there's a tradeoff between perfect emulation and performance, and since a VM's goal is typically to run cooperative software quickly, they aim for performance.

For example, for best performance you want to run the instructions in the VM directly on the hardware CPU so that they run as fast as they would outside the VM. But not all instructions can be run safely this way, so the VM will trap some and emulate them. This is necessarily slower, so a program can detect the presence of a VM by noticing that some instructions are much slower than they ought to be. You can lie about the time, but the bookkeeping needed to do so accurately imposes a lot of overhead.

theandrewbailey11y ago

I've heard that it's mostly searching for VM addon software used in VMs, like VirutalBox Guest Additions.

MiddleEndian11y ago

>in fact if you're going to do malware stuff like this, why even ask?

Just a guess, but probably plausible deniability reasons for when they're inevitably brought to court.

1 more reply

icpmacdo11y ago· 6 in thread

Can someone provide a link to filezilla thats not through sourceforge? I just posted an Ask HN about this.

andyjohnson011y ago

Two trusted packages available at https://chocolatey.org/packages?q=filezilla

Also available from https://ninite.com/

b10101011y ago

Why are the packages from chocolatey trusted?

I am not familiar with chocolatey but the powershell script on https://chocolatey.org/packages/filezilla (click show files) contains the following

  $url = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win32-setup.exe/download"
  $url64bit = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win64-setup.exe/download"

So its still fetching executables from sourceforge using plain http with no checksums or signatures in sight. On the assumption that executable does include the sourceforge malware, The silent install argument ("/S") passed to the executable by chocolatey seems to be the only reason its not installed along with filezilla.

Is there any reason to believe ninite does anything different?

1 more reply

wernercd11y ago

for the real lazy: https://ninite.com/?select=filezilla

I hadn't thought of choco, but good call on that.

skrowl11y ago

If you're on Windows, consider upgrading to WinSCP (http://winscp.net/eng/docs/free_sftp_client_for_windows). Not only is it a nicer UI and updated more often, but they have direct downloads with no crapware.

bhayden11y ago

I would recommend not using Filezilla at all, honestly. The creator was entirely unapologetic about bundling malware.

kpcyrd11y ago

http://ftp.debian.org/debian/pool/main/f/filezilla/filezilla...

I know, this isn't very helpful, but if you don't like how software is distributed for your system there's still the option to use a system that solved this during the '90s.

god_bless_texas11y ago· 3 in thread

This makes me so mad and sad at the same time. For years, it would bring me immense pleasure to just browse projects on sourceforge to see what the world was up to. Now this is just another case of corporations ruining a good thing. I'm glad there are links to Filezilla and Gimp - two products I use frequently.

whoisthemachine11y ago

I kind of view it as a consequence of the market falling out from under their feet - it's cheap enough to host your own files now, and with package managers (even on Windows!) the power users that used to be the target audience of Source Forge have been vanishing.

toyg11y ago

IMHO it's more a function of their inability to compete with Github and Bitbucket. They were slow to react to the rise of distributed VCS, failed to exploit their social network features, and probably had already accumulated too much technical debt to effectively change course by the time overall trends became clear. Once developers shifted, power users had to follow suit.

dare_you11y ago

I was just remembering when sourceforge first appeared and how awesome it was. I slowly started browsing projects on there instead of freshmeat. It is just sad, and frankly a little weird.

dimino11y ago· 3 in thread

This is why we need some kind of trade organization -- the developers who wrote this stuff need to be kicked out, or disciplined in some way...

noarchy11y ago

There would have to be a lot of careful discussion about such an organization. I would hate to see it end up being little more than a vector for rent-seeking, and shutting people out of our industry for a host of arbitrary reasons (immigrants, people with the "wrong" education, etc).

dimino11y ago

Yeah, I'm just saying that fields like engineering and law have recourse for bad industry behavior. I wish software had the same or a similar path.

bargl11y ago

This has been brought up multiple times and I couldn't agree more. It'd be great to have a trade organization for software developers where they can be evaluated by a board and loose their "license" to write code. There are some SERIOUS down sides to that, but that'd have to be flushed out in another forum.

prajjwal11y ago· 2 in thread

"In truth, the man was an oathbreaker, a deserter from the Night’s Watch. No man is more dangerous. The deserter knows his life is forfeit if he is taken, so he will not flinch from any crime, no matter how vile."

~ Ned Stark, A Game of Thrones.

I think that pathetic blog post where they tried to justify their actions made one thing clear - SourceForge knows how dead they are. No amount of internet outrage is going to help, they don't think they've got anything to lose at this point.

The best thing to do at this point would be to speed up their demise. If you're a developer that still hosts with them, delete your project and move to Github or Bitbucket.

Also, start reporting these malicious pages to Google so they don't show up in search results. https://www.google.com/safebrowsing/report_badware/

M2Ys4U11y ago

Also contact the people who provide mirroring services for them.

Take away their free bandwidth and they'll collapse even quicker.

ytdht11y ago

perhaps someone should mirror sourceforge and rebuild binaries and take sourceforge out of the equation?

bramgg11y ago· 2 in thread

I wonder how many people outraged here know YC funded a company that bundles malware with installers and continues to justify it publically on HN.

withinrafael11y ago

InstallMonetizer?

bramgg11y ago

Yes

toyg11y ago· 1 in thread

I've tweeted someone close to the Pywin32 project (hosted on SF) asking to move it, but didn't get a reply. For long-established projects, it's not an easy migration. Please keep prodding any critical project you know of.

WorldWideWayne11y ago

Some people just don't care or they're profiting from it like Tim Kosse of Filezilla - https://forum.filezilla-project.org/viewtopic.php?t=35221 and https://forum.filezilla-project.org/viewtopic.php?t=30240

zamalek11y ago· 1 in thread

Just today I had to get Boost for the first time since the whole gimp-win debacle - their tars and zips are hosted on SourceForge. Guess I'll be building from Git until they fix it :/

userbinator11y ago

It's only .exe installers that are affected, and probably only ones that they can easily wrap; I doubt they're actually modifying any source code.

jimrandomh11y ago

> Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.

This is an error on Google's part. For everyone's sake, they need to apply some serious ranking penalties to malware distributing sites like SourceForge, as well as click-through warnings that you are going to a site other than the original authors'.

brokentone11y ago

At least for Mac, there is a TINY "direct download" link next to the SF Installer button. Using this link will provide the non-junkware, original install files.

khaki5411y ago

If you download from Sourceforge try unzipping the installer which will usually defeat the spyware installer that they have been bundling with it.

oblio11y ago

So sad. Especially for Windows tons of valuable stuff is there, especially smaller utilities like DDMM and similar :(

jarnix11y ago

I never use the "downloader", either from Akamai, Sourceforge, etc. I downloaded a few programs recently on sourceforge and never had to use their software.

lioeters11y ago

Just realized the double meaning of "forge" in SourceForge:

1) to form or make by concentrated effort

2) to imitate fraudulently; fabricate a forgery

They're certainly living up to definition #2..

Negative111y ago

tldr; don't download from SourceForge it uses its own installer bundled with garbage. Do download using ninite.com (https://ninite.com/), the "only trusted" downloader according to these guys.

clean88clean8811y ago

Is BOTH Sourceforge and Github -other-verted or per-verted? or sub-verted? The attack on the clean code-base continues.

Advice. Unix Linux - separate user. low privilege. configure, make, but make install with ROOT PRIVILEGE. check files.

all source code should have search engine keywords for vulnerabilies, updates, etc. for even BSD is somewhat broken, IMHO.

make it easier for the NOT C expert and ASM expert to install reasonably clean software, PLEASE.

Thank U. Thank U. Thank U. ... 1000 times

clean88clean8811y ago

ARE BOTH Sourceforge and Github other-verted or perverted-like? What are the alternatives?

Thank you. Thank you. the attack on code repo and the infiltration of the clean database continues, perhaps.

j / k navigate · click thread line to collapse

48 comments

44 comments · 17 top-level

gamache11y ago· 9 in thread

This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.

Very interesting! I'd be interested to hear the corporate-speak rationale for this. Kind of interested, anyway.

jackmaney11y ago

> Very interesting! I'd be interested to hear the corporate-speak rationale for this.

ytdht11y ago

resources are also always limited on a single computer but most companies usually don't care because it is cheaper to use a higher level language

throwaway49898211y ago

jaysh11y ago

This is a nice article on the matter: http://web.archive.org/web/20110929075510/http://invisibleth.... It doesn't appear to work reliably anymore, but the principle is the same.

stephengillie11y ago

toyg11y ago

mikeash11y ago

theandrewbailey11y ago

I've heard that it's mostly searching for VM addon software used in VMs, like VirutalBox Guest Additions.

MiddleEndian11y ago

>in fact if you're going to do malware stuff like this, why even ask?

Just a guess, but probably plausible deniability reasons for when they're inevitably brought to court.

1 more reply

icpmacdo11y ago· 6 in thread

Can someone provide a link to filezilla thats not through sourceforge? I just posted an Ask HN about this.

andyjohnson011y ago

Two trusted packages available at https://chocolatey.org/packages?q=filezilla

Also available from https://ninite.com/

b10101011y ago

Why are the packages from chocolatey trusted?

I am not familiar with chocolatey but the powershell script on https://chocolatey.org/packages/filezilla (click show files) contains the following

  $url = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win32-setup.exe/download"
  $url64bit = "http://sourceforge.net/projects/filezilla/files/FileZilla_Client/${version}/FileZilla_${version}_win64-setup.exe/download"

Is there any reason to believe ninite does anything different?

1 more reply

wernercd11y ago

for the real lazy: https://ninite.com/?select=filezilla

I hadn't thought of choco, but good call on that.

skrowl11y ago

bhayden11y ago

I would recommend not using Filezilla at all, honestly. The creator was entirely unapologetic about bundling malware.

kpcyrd11y ago

http://ftp.debian.org/debian/pool/main/f/filezilla/filezilla...

I know, this isn't very helpful, but if you don't like how software is distributed for your system there's still the option to use a system that solved this during the '90s.

god_bless_texas11y ago· 3 in thread

whoisthemachine11y ago

toyg11y ago

dare_you11y ago

I was just remembering when sourceforge first appeared and how awesome it was. I slowly started browsing projects on there instead of freshmeat. It is just sad, and frankly a little weird.

dimino11y ago· 3 in thread

This is why we need some kind of trade organization -- the developers who wrote this stuff need to be kicked out, or disciplined in some way...

noarchy11y ago

dimino11y ago

Yeah, I'm just saying that fields like engineering and law have recourse for bad industry behavior. I wish software had the same or a similar path.

bargl11y ago

prajjwal11y ago· 2 in thread

~ Ned Stark, A Game of Thrones.

The best thing to do at this point would be to speed up their demise. If you're a developer that still hosts with them, delete your project and move to Github or Bitbucket.

Also, start reporting these malicious pages to Google so they don't show up in search results. https://www.google.com/safebrowsing/report_badware/

M2Ys4U11y ago

Also contact the people who provide mirroring services for them.

Take away their free bandwidth and they'll collapse even quicker.

ytdht11y ago

perhaps someone should mirror sourceforge and rebuild binaries and take sourceforge out of the equation?

bramgg11y ago· 2 in thread

I wonder how many people outraged here know YC funded a company that bundles malware with installers and continues to justify it publically on HN.

withinrafael11y ago

InstallMonetizer?

bramgg11y ago

Yes

toyg11y ago· 1 in thread

WorldWideWayne11y ago

zamalek11y ago· 1 in thread

Just today I had to get Boost for the first time since the whole gimp-win debacle - their tars and zips are hosted on SourceForge. Guess I'll be building from Git until they fix it :/

userbinator11y ago

It's only .exe installers that are affected, and probably only ones that they can easily wrap; I doubt they're actually modifying any source code.

jimrandomh11y ago

brokentone11y ago

At least for Mac, there is a TINY "direct download" link next to the SF Installer button. Using this link will provide the non-junkware, original install files.

khaki5411y ago

If you download from Sourceforge try unzipping the installer which will usually defeat the spyware installer that they have been bundling with it.

oblio11y ago

So sad. Especially for Windows tons of valuable stuff is there, especially smaller utilities like DDMM and similar :(

jarnix11y ago

I never use the "downloader", either from Akamai, Sourceforge, etc. I downloaded a few programs recently on sourceforge and never had to use their software.

lioeters11y ago

Just realized the double meaning of "forge" in SourceForge:

1) to form or make by concentrated effort

2) to imitate fraudulently; fabricate a forgery

They're certainly living up to definition #2..

Negative111y ago

tldr; don't download from SourceForge it uses its own installer bundled with garbage. Do download using ninite.com (https://ninite.com/), the "only trusted" downloader according to these guys.

clean88clean8811y ago

Is BOTH Sourceforge and Github -other-verted or per-verted? or sub-verted? The attack on the clean code-base continues.

Advice. Unix Linux - separate user. low privilege. configure, make, but make install with ROOT PRIVILEGE. check files.

all source code should have search engine keywords for vulnerabilies, updates, etc. for even BSD is somewhat broken, IMHO.

make it easier for the NOT C expert and ASM expert to install reasonably clean software, PLEASE.

Thank U. Thank U. Thank U. ... 1000 times

clean88clean8811y ago

ARE BOTH Sourceforge and Github other-verted or perverted-like? What are the alternatives?

Thank you. Thank you. the attack on code repo and the infiltration of the clean database continues, perhaps.

j / k navigate · click thread line to collapse