CNet’s Nmap Debacle: When Good Software Comes Bundled With Junk

There’s a big debacle going on in the tech world. It seems that CNet aka download.com, purveyors of downloadable software, took a very popular geek tool called Nmap and wrapped its free installer inside their own installer, which also installs a junky browser toolbar. Two of my favorite tech sites, The Register and Sophos Naked Security, have good descriptions of the situation.

The author of Nmap is a well-known Net.denizen named Fyodor, who is justifiably steamed. His response:

“The problem is that users often just click through installer screens, trusting that download.com gave them the real installer and knowing that the Nmap project wouldn’t put malicious code in our installer. Then the next time the user opens their browser, they find that their computer is hosed with crappy toolbars, Bing searches, Microsoft as their home page, and whatever other shenanigans the software performs! The worst thing is that users will think we (Nmap Project) did this to them!”

He has an excellent point. I can tell you that any customer I’ve ever worked with would be irate indeed to have their computer messed up by a stupid junky toolbar they never wanted. But what should you, as a consumer, do about good software that comes bundled with junk?

Go to the original download source
Don’t rely on aggregator sites like CNet for your software. Instead, go directly to the web site of the program’s developers. You’ll often find a more recent version there, as well as better support options. This also eliminates the problem of poisoned search engine results when searching for programs (links that look legit but lead to virus-laden sites).

Look at the window before you click
In the Nmap case, the installer for the Babylon browser bar makes it look like you have to install it before you can install Nmap. When installing software, look very carefully for obscure checkboxes and buttons. Most of these installers stealthily install their junk by either making the opt-out checkbox hard to find, or by making the junk look like a necessary part of the install.

In the Nmap case, if you click Accept you’re only accepting the junk, because this is the wrapper; you haven’t even gotten to the real installer yet. As Fyodor said, most people will click this, then wonder why their Web browser isn’t working. Then they’ll have to find somebody who knows how to remove this kind of junk, because you have to remove ALL of it or it will continue to mess up your computer.

Make your voice heard
If you spot software that is bundled with junk, let the manufacturer know how disgusted you are. Keep your friends and colleagues informed by sending them a link to this article and letting them know about the menace of stealthy junk software.

You should not ever have to install a piece of junk to install the program you want – and if the program you want won’t let you do it any other way, find a different program. Shame on you, CNet. And kudos to developers like Fyodor who actually care about the end users.

(Photo of awesome Tron “I Fight For The Users” shirt from ThinkGeek. And no, I’m not getting any affiliate rewards for telling you that. I just like both the shirt and the store.)

 
