SourceForge hijacking projects and adding malware to downloads

SourceForge hijacking projects and adding malware to downloads

David Gerard-2
https://plus.google.com/+gimp/posts/cxhB1PScFpe

They just took the GIMP for Windows project, locked out the maintainer
and started serving a malwared .exe.

Nonapology for malware:
https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

I see LMMS has all .exe files off there at last, so ... just in time?

How movable are the remaining functions, e.g. this list?


- d.

------------------------------------------------------------------------------
_______________________________________________
LMMS-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/lmms-devel

Re: SourceForge hijacking projects and adding malware to downloads

Tres Finocchiaro
I'd kindly ask everyone to report abuse using the support page:

http://sourceforge.net/support

Those Gimp binaries are downloaded over 1,000 times a day.

In regards to blaming sourceforge for this, we don't know that for sure, so be careful to blame them for this without knowing all of the information.

-Tres



Re: SourceForge hijacking projects and adding malware to downloads

Tres Finocchiaro
Never mind, just read the response from sourceforge (sorry, it's me not knowing all of the information). They suck.

https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

Well, our page still links to GitHub, so we should be in the clear.  Good work Toby for getting the remaining releases off of SF and on to GitHub.



Re: SourceForge hijacking projects and adding malware to downloads

David Gerard-2
Yeah, nobody could quite believe SF would be this brazen. See Ars Technica:

http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/

Note that this is not a case of a project adding adware for some
supporting income (as Filezilla does, and LMMS used to do this) - this
is SF just hijacking a pile of projects' good names.

On 28 May 2015 at 14:33, Tres Finocchiaro <[hidden email]> wrote:

> Nevermind, just read the response from sourceforge (sorry, it's me not
> knowing all of the information). They suck.
>
> https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/j
>
> Well, our page still links to GitHub, so we should be in the clear.  Good
> work Toby for getting the remaining releases off of SF and on to GitHub.
>
> - [hidden email]
>
> On Thu, May 28, 2015 at 9:31 AM, Tres Finocchiaro
> <[hidden email]> wrote:
>>
>> I'd kindly ask everyone to report abuse using the support page:
>>
>> http://sourceforge.net/support
>>
>> Those Gimp binaries are downloaded over 1,000 times a day.
>>
>> In regards to blaming sourceforge for this, we don't know that for sure,
>> so be careful to blame them for this without knowing all of the information.
>>
>> -Tres
>>
>> - [hidden email]
>>
>> On Thu, May 28, 2015 at 6:33 AM, David Gerard <[hidden email]> wrote:
>>>
>>> https://plus.google.com/+gimp/posts/cxhB1PScFpe
>>>
>>> They just took the GIMP for Windows project, locked out the maintainer
>>> and started serving a malwared .exe.
>>>
>>> Nonapology for malware:
>>>
>>> https://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/
>>>
>>> I see LMMS has all .exe files off there at last, so ... just in time?
>>>
>>> How movable are the remaining functions, e.g. this list?
>>>
>>>
>>> - d.


Re: SourceForge hijacking projects and adding malware to downloads

Tres Finocchiaro
I registered for Slashdot and created an article on it.  If you feel it is newsworthy, please vote it up.



On Thu, May 28, 2015 at 9:42 AM, David Gerard <[hidden email]> wrote:
Yeah, nobody could quite believe SF would be this brazen. See Ars Technica:

http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/

Note that this is not a case of a project adding adware for some
supporting income (as Filezilla does, and LMMS used to do this) - this
is SF just hijacking a pile of projects' good names.


Re: SourceForge hijacking projects and adding malware to downloads

Spekular R

Wouldn't it be safer to completely remove LMMS's files? This is incredibly sleazy to do, especially from a company that seems to try to appear as a supporter of open source.



Re: SourceForge hijacking projects and adding malware to downloads

David Gerard-2
What they've been doing with many projects is taking the binaries and
putting them up under the open source licence ... with adware in the
downloader. This is not technically illegal, just incredibly sleazy.

On 28 May 2015 at 21:58, Spekular R <[hidden email]> wrote:
> Wouldn't it be safer to completely remove LMMS's files? This is incredibly
> sleazy to do, especially from a company that seems to try to appear as a
> supporter of open source.


Re: SourceForge hijacking projects and adding malware to downloads

Tres Finocchiaro

> This is not technically illegal

Yeah, I'm not sure about that.  They are claiming to offer one thing and giving you something else.  This bait and switch is more than sleazy, it violates most ethical practices, which civil law tends to frown upon.

They are liable for damages rendered from this malware and adware and they are falsifying known, good products to do so.  This is about as close to illegal as it gets.



Re: SourceForge hijacking projects and adding malware to downloads

David Gerard-2
yeah, that's trademark, not copyright. How lawyered-up is LMMS? (my
guess: not very.)

On 28 May 2015 at 22:30, Tres Finocchiaro <[hidden email]> wrote:
>> This is not technically illegal
>
> Yeah, I'm not sure about that.  They claiming to offer one thing and giving
> you something else.  This bait and switch is more than sleazy, it violates
> most ethical practices, which civil law tends to frown upon.
>
> They are liable for damages rendered from this malware and adware and they
> are falsifying known, good products to do so.  This is about as close to
> illegal as it gets.


Re: SourceForge hijacking projects and adding malware to downloads

Tobiasz Karoń
I think they must be doing this for profit. I think if enough noise is generated around this practice, SourceForge is sure to note fewer and fewer visitors, downloads and income; this might make them change their behavior. So I think "advertising" SF's nasty moves is a good way to go.

2015-05-28 23:37 GMT+02:00 David Gerard <[hidden email]>:
yeah, that's trademark, not copyright. How lawyered-up is LMMS? (my
guess: not very.)




--
- Tobiasz 'unfa' Karoń



Re: SourceForge hijacking projects and adding malware to downloads

Tres Finocchiaro

http://tech.slashdot.org/story/15/06/01/1241231/sourceforge-and-gimp-updated

