As usual, Avira is right on the money with "Adware/InstallC.buzg." ESET is pretty good too with "a variant of Win32/InstallCore.UQ." None of the other providers clearly identified it.
While I initially thought this as well, at some point the site admin (botg) posts this:
""MalSign.Generic.F84". Looks like a typical false-positive generated by a heuristic.
There is no malware in the SourceForge Downloader, you can safely use it to install FileZilla. While the SourceForge Installer may present third-party offers, they are
clearly labeled as such. All third-party offers can easily be declined. Nothing unwanted is being installed without your consent. Declining offers does not prevent nor otherwise disturb the installation of FileZilla.
If you do not wish to use the SourceForge installer, have a look at the additional download options listed on the FileZilla website."
His stance seems to be that it's not malware, rather a false positive (I have no proof to claim he's wrong and if he is, it could be a honest mistake; he's trusting SF, which I understand), and he mentions that you can also download Filezilla from their own website, without the SF installer.
That seems pretty reasonable to me, but again: at first I got the impression they (FileZilla's owners) simply didn't care.
I hate what SF has been doing, and I refuse to use their installers (although I'm primarily a Linux-user so I don't have to worry about these installers, thankfully), but I don't really feel like the FileZilla owners should be avoided as it looks like they're simply trusting SourceForge, nothing more. I hope I'm right. ;)
my main issue is that, the offers only exist to either affect the people who don't know any better (and would probably chose the opposite if they were more educated about such practices), or those that mis-click.
Most people, when presented with a) a logo (of a group they trust), and b) accept or decline, they are going to make assumptions and not read the middle.
Which ends up affecting a lot of users: every bad review relating to the installer and every complaint in the forums (once again, in relation to the installer), is a person who has been deceived and had a negative experience, because of a decision of the FZ developers (and the installer is choose-able by the project developer, last I inquired)
I've heard similar things about FileZilla and it's creator. Do you have any recommendations for an open source, GUI-based, Linux FTP client?
Most of the time I simply scp or rsync files as neccessary, however I use FileZilla to manage files on my phone and tablets via FTP. I've never found the FTP/SFTP/SMB support in Thunar to be all that reliable...
unfortunately I haven't. For the most part, I'm a Windows user, so I've been using Explorer for plain FTP to my phone (which, while not great, does do the job more-than-well-enough for my uses)
I'm not using GNOME. I'm using XFCE, and unfortunately in my experience Thunar (the XFCE file manager) doesn't handle those sorts of connections too well. I think it's more to do with the FUSE layer beneath it (possibly the same driver that's used by GNOME).
Maybe Midnight Commander? It can open FTP-connections (and shell connections, too, allowing secure copying of files over SSH rather than FTP), has that well-known dual pane layout, and, while not a GUI application, can be controlled the same way a GUI application can without even needing X. :)
Unfortunately, like I say, I've tried that (using Thunar - the otherwise fantastic file manager in XFCE). I'm not sure if it's Thunar's fault, or it's the FUSE layer beneath it, but I've always found it to be a little unreliable. Plus I like to be able to see connection logs and manage the activity queue in the same way I do with FileZilla.
Open source software really should abandon SourceForge. You can't even download any binaries through HTTPS from them. Even if you log in the download links redirect to plain HTTP.
We've been sending Windows clients to https://ninite.com/filezilla/ to download it but perhaps we ought to start avoiding it completely. I don't particularly like any other FTP client I've used in Windows, but its been a while since I looked.
If you're on Windows, it's a great site. I just had to provision a new laptop, and it saved me a ton of time, since I was able to install about a third of my checklist with a single download.
SFTP. Changing UNIX modes. Choosing active vs passive per-server. Choose text or binary transfer. Resume transfers. Copy only changed files based on time or size.
Agreed. WinSCP is not only easy to use with a fairly "native" Windows feel (just drag and drop stuff from one half of the window to the other), but it's also not bundled with malware.
It sounds more like a SourceForge issue than FileZilla. SourceForge used to provide clean binaries, but I guess they changed that process in the past year or two to bundle apps in the installer wrapper. You need to be extremely careful during the installation process to make sure that you do not accidentally install some extra software. The same happen to uTorrent - they also added tricky question during the install process to include advertisement, change default browser and such. That's a sad way to earn money - the end-users will definitely move on because of that.
Unfortunately it must work because people keep doing it. If it didn't increase revenue companies would stop doing it.
It's the same with those timed modal windows on blogs. They piss a lot of people off. But they also increase email capture rates, and sites with large audiences usually see revenue increase as a result.
If SourceForge want to stay afloat, they should reinvent themselves as a decent GitHub alternative or pivot. Bundling malware for kickbacks and keeping the old site design won't take them anywhere good.
FileZilla could choose to move away from SourceForge, to be honest - any party staying with SF after stunts like this (and this isn't the first one) are as corrupt as SF themselves are IMO
is hosted at Sourceforge, so they share a server with thousands of other customers. Every single customer is able to execute commands and access the other project directories. Pretty stupid, eh? You only need to find one hole in one hosted site and you can access ALL the project databases
There's really no reason to use SourceForge anymore. GitHub can do almost everything SourceForge can do, aside from app reviews I guess. GitHub also doesn't make you feel like you're in 2004.
If the creator of a software critiques your SaaS that uses his software maybe you should pay more attention to it? I am sure Linus knows git a lot better than most of us.
he doesn't complain about the website design he is complaining about the functionality. In fact he's stated in interviews he doesn't wish to ponder in web development.
I am not surprised someone who's career has been writing the lowest of low-level software. kernels and device drivers, isn't interested the total opposite end of the spectrum, web development.
That's a very important point if you're distributing your software to non-technical users, but a download button in either the README.md should do the job. You could also use a GitHub site and host a simple download site for your repo.
It seems to me that if a project on GitHub is interested in making it easy for lay-people to download, then a little dose of
https://pages.github.com/
should do the trick? (Personally I found SF's interface confusing and incredibly "busy" -- I don't think lay-people would fare much better, but I could be wrong.)
This is not about SourceForge or FileZilla. This is an issue that plagues most Windows freewares, everyone is integrating offers to the installer. Even FileHippo started this recently.
The download manager (wrapper) of these 2 companies are provided by the same Israeli company InstallCore.
For Windows and my own servers I don't even bother with FTP anymore, it's just another possible entry into my servers. WinSCP / SCP itself works fine, no FTP server required.
As far as I remember this is an opt-in feature for developers who host their projects on sourceforge that makes the installer offer additional software, by 3rd parties, to be installed. That additional software may be malicious.
If you read through this thread [1] on the filezilla forums, you'll see that the administrator defends the use of SourceForge over and over. My guess is that they're receiving kickbacks of some sort for the installation of said malware.
I think the world would be better if people just expected to pay a small amount for software, but we don't live in that world, and so we get "free" software you can download "for free" that installs a bunch of crap so the developers can get paid.
Up until rather recently, it was hard to pay or receive sub-dollar amounts. This problem is solved on the two mobile platforms (though Apple still takes a much larger cut from payments). Paypal / Stripe / Square sort of solve it in the web space.
But we still lack a nice software store (or several) where you could pay a piece of software and pay a nominal amount (or more if you choose to donate), knowing that you won't receive any malware / nagware in exchange, and that a large cut of your payment goes to the authors and maintainers.
Similar things seem to happen around indie musical tracks, so probably the model could survive in the "indie" software area.
Yep, I love it when I find good music on youtube abd a link to bandcamp where I can pay a small minimum amount (or more). They seem to have done something right as me and others typically pay well over the minimum price
- This program (bundling) is opt in for the project (Filezilla) and SourceForge ("the pimp") pays Filezilla ("the whore") for each download.
- This isn't recent. In fact it started well over a year ago and was well publicized.
- Even a year ago it was all very malware-y.
- A lot of people were super dismissive about this issue a year ago (see Reddit threads and here). In fact many supported the practice.
- Those same people are now whining about it.
- Suggesting that "but Github exists!" as a solution entirely misses the point. Sourceforge pays the project money, and both Sourceforge and the project profit. So unless Github can match that (hint: it cannot) then that is a non-starter.
This is why I have high hopes for integration with the Microsoft store in Windows 10. I'd be pretty happy giving the Filezilla people .99 cents, assuming no 3rd party installer tricks. MS would store my credit card, it would be a one-click process, take the onus of hosting from Sourceforge/Filezilla, and pay a nice little chunk of change on the side directly to the Filezilla people.
Of course, anyone is free to fork it and host it for free. There are a lot of little things that drive me crazy about Filezilla. I imagine others have the same issues. I could see a fork with good management being very successful.
I think this is a point a lot of open source projects miss. They can, and probably should, sell the software even though it is open source.
Trademark (?) protection would prevent a third party from using their name even though it was open source (at least I think so based on the whole Iceweasel event).
Personally, I'd also gladly pay Filezilla a small amount even though it's open source.
Ninite has filezilla. I switched to WinSCP years ago, had less problems than filezilla.
App stores have their benefits, but ninite exists now. Theres really no reason to download filezilla from sourceforge when you can from ninite. The "problem" is not everyone uses ninite. Ninite.
Why are these links to Ninite.com flag-killed? It's a tremendously useful program, IMO. Is there some secret danger about this tool I'm missing here?
I'd post my one-click-install-all-the-useful-things Ninite link (which preselects a custom selection of software into one installer) that I use for quickly setting up clean Windows machines at the kids' technology centre I work at. But I fear it might get flagkilled too. (ah doesn't matter anyway, I'm sure the average HNer is smart enough to make their own selection, and currently looking at my selection, some of the tools seem a bit out-of-date, wouldn't pick those today anymore).
Ha! The Windows Store is a scum-ridden wasteland. The second top result for Facebook is a fake scam app, claiming to be official. There is a fake Facebook app, paid, that claims to be published by "@Microsoft Corporation". Contacting Store support results in them telling you the app " works as designed ", and if you have a problem with the fake publisher, MS suggests " leave a review ".
Even Netflix had a hard time preventing fakes from being published. Over a month or two, Netflix had to contact MS several times, and MS didn't suspend or remove the publisher. They resubmitted and got listed again. Try searching for HBO, xfinity, etc.
MS is not interested in fixing this problem. Probably some folks have their bonus tied to " number of apps published " and that's that.
I emailed Satya and the manager of the Store, to book effect. The Store is a joke.
For this particular case, if FileZilla is popular, you'll have several fake paid apps. If you're lucky there may be av official app, with no way to verify it's the right one. For most users, they'll be rolling the dice just as much as they are now. Only if FileZilla is extremely diligent would it work. Disney, for example, is a top publisher for the Store, yet all sorts of fake Disney content is on there. I called Disney about this, and after about 15 minutes they figured out "don't go there" (referring to the Store). Even top publishers have a hard time dealing with it. BBC is another case, where top "official" results aren't.
This is correct. I actually contacted Filezilla's developer (Tim Kosse) regarding this several months ago, and he let me know that this bundling was intentional on the part of Filezilla.
Even if HN threads are not comprised of the same people, it is still remarkable how entirely different sets of people show up depending on which way the wind is blowing.
You can get it without the downloader, but it is non-obvious as you have to choose the other download options. To me that implies downloads for different platforms.
The installer is horrible, and I think that the last I looked at it, the options were all opt-out, they hugely abused anti-patterns to make that process all but impossible.
Well, I didn't know this, and I'm glad I know now. I'll be looking for an alternative GUI SFTP client for Windows.
I was a bit confused though, I'm pretty sure I installed FileZilla on some Windows machine less than a year ago and would've noticed any malware. But now that I think about it, I used Ninite.com, a multi-install tool for free Windows software, which automatically opts out of any nasty toolbars and such, so I just didn't see it at the time (I'm assuming the malware is at least opt-out, right?).
Doesn't matter though, bundling toolbars/malware is a no-go for me. I know I can (usually) get rid of such pests if they get on my system, but I know so many people who would have a much harder time. Those people are being taken advantage of, they're not "choosing" to have this malware. I can't recommend this type of software to such people because they might get malware if they install it themselves, so they need alternatives without malware. Therefore I won't use the malware-bundled software myself either, because I want to check out the alternatives and see which ones are any good (and I don't really need FileZilla, anyway).
Separate from any particular issue with Filezilla: all Sourceforge downloads are via insecure HTTP, so could be redirected elsewhere, or corrupted in transit, to deliver malware.
Even if you try to use an HTTPS link, Sourceforge redirects to a plain HTTP download.
And if you ask them about this, you get no reply. Which is interesting.
Yes, they should be regarded as a malware site these days. It's a shame, really. Some other site should probably mirror the projects that aren't anywhere else and host them properly.
It works really well unfortunately. I would prefer my installations without the potential for malware, but I don't see another sftp client as mature as filezilla. There used to be a ton and then it emerged as the best. fwiw it seems the auto updates are malware free.
I always install FileZilla through Ninite or apt-get, so I know my installation is clean, but I'd like to stop using and recommending FileZilla out of principle because of this (and reading the responses on the filezilla forum). Everyone else in my office uses FileZilla as well, and I'm sure many of them used the sourceforge installer and didn't fully read the options.
But you're right, I don't know any other decent FTP clients that I would recommend. Maybe someone on HN knows of a good alternative?
WinSCP is far superior to filezilla. At my last job stuck using a Windows machine for some things, I ended up using it quite extensively. Every bug I submitted to the author was fixed within months. He is also active on the forums, though has a bit of a Linus Torvalds style... which can be offputting for some.
Filezilla use will drop down because most admins I know that hear about this will immediately write it off as too dangerous to even try to get around. Sure you can dig into the sourceforge files and maybe find a clean version, or maybe find a checksumed mirror, but would you really trust it?
i m an idiot but does this impact the linux version ? I use Filezilla on my ubuntu that I downloaded around September'2014 and not sure if I downloaded from Sourceforge. I am guessing this issue is only for Windows, right ?
160 comments
[ 3.5 ms ] story [ 216 ms ] threadregardless, this has been happening for the entire last year with the consent of the developers: https://forum.filezilla-project.org/viewforum.php?f=1&sid=13...
I would be very doubtful they will listen to their users any further about the harm it does.
I'll probably avoid FZ from now on, I don't exactly enjoy using software that is openly hostile towards me
I think it is best to avoid these guys.
""MalSign.Generic.F84". Looks like a typical false-positive generated by a heuristic.
There is no malware in the SourceForge Downloader, you can safely use it to install FileZilla. While the SourceForge Installer may present third-party offers, they are clearly labeled as such. All third-party offers can easily be declined. Nothing unwanted is being installed without your consent. Declining offers does not prevent nor otherwise disturb the installation of FileZilla.
If you do not wish to use the SourceForge installer, have a look at the additional download options listed on the FileZilla website."
His stance seems to be that it's not malware, rather a false positive (I have no proof to claim he's wrong and if he is, it could be a honest mistake; he's trusting SF, which I understand), and he mentions that you can also download Filezilla from their own website, without the SF installer.
That seems pretty reasonable to me, but again: at first I got the impression they (FileZilla's owners) simply didn't care.
I hate what SF has been doing, and I refuse to use their installers (although I'm primarily a Linux-user so I don't have to worry about these installers, thankfully), but I don't really feel like the FileZilla owners should be avoided as it looks like they're simply trusting SourceForge, nothing more. I hope I'm right. ;)
Most people, when presented with a) a logo (of a group they trust), and b) accept or decline, they are going to make assumptions and not read the middle.
Which ends up affecting a lot of users: every bad review relating to the installer and every complaint in the forums (once again, in relation to the installer), is a person who has been deceived and had a negative experience, because of a decision of the FZ developers (and the installer is choose-able by the project developer, last I inquired)
If you use Mac check out Transmit by Panic. It's the best FTP client I've ever used.
Most of the time I simply scp or rsync files as neccessary, however I use FileZilla to manage files on my phone and tablets via FTP. I've never found the FTP/SFTP/SMB support in Thunar to be all that reliable...
http://support.hostgator.com/articles/ftp/how-to-use-ftp-via...
It's the same with those timed modal windows on blogs. They piss a lot of people off. But they also increase email capture rates, and sites with large audiences usually see revenue increase as a result.
Unless it's a desperate attempt at saving a sinking ship.
Ctrl+F for ettercap for a rant about Sourceforge and security, written by blackhats
Or they are just dangerously lazy.
is hosted at Sourceforge, so they share a server with thousands of other customers. Every single customer is able to execute commands and access the other project directories. Pretty stupid, eh? You only need to find one hole in one hosted site and you can access ALL the project databases
That's like saying "even the creator of baked beans doesn't like Tesco". So what?
The download manager (wrapper) of these 2 companies are provided by the same Israeli company InstallCore.
Visit http://downloads.sourceforge.net/project/filezilla/FileZilla... to directly start downloading
Or, switch to someother FTP client.
References:
List of FTP Server Software - https://en.wikipedia.org/wiki/List_of_FTP_server_software
Comparision of FTP Client Software - https://en.wikipedia.org/wiki/Comparison_of_FTP_client_softw...
https://i.imgur.com/o7sE9aP.png
[1] https://forum.filezilla-project.org/viewtopic.php?f=1&t=3294...
I think the world would be better if people just expected to pay a small amount for software, but we don't live in that world, and so we get "free" software you can download "for free" that installs a bunch of crap so the developers can get paid.
But we still lack a nice software store (or several) where you could pay a piece of software and pay a nominal amount (or more if you choose to donate), knowing that you won't receive any malware / nagware in exchange, and that a large cut of your payment goes to the authors and maintainers.
Similar things seem to happen around indie musical tracks, so probably the model could survive in the "indie" software area.
- This program (bundling) is opt in for the project (Filezilla) and SourceForge ("the pimp") pays Filezilla ("the whore") for each download.
- This isn't recent. In fact it started well over a year ago and was well publicized.
- Even a year ago it was all very malware-y.
- A lot of people were super dismissive about this issue a year ago (see Reddit threads and here). In fact many supported the practice.
- Those same people are now whining about it.
- Suggesting that "but Github exists!" as a solution entirely misses the point. Sourceforge pays the project money, and both Sourceforge and the project profit. So unless Github can match that (hint: it cannot) then that is a non-starter.
Of course, anyone is free to fork it and host it for free. There are a lot of little things that drive me crazy about Filezilla. I imagine others have the same issues. I could see a fork with good management being very successful.
http://verizonmath.blogspot.com/2006/12/verizon-doesnt-know-...
Trademark (?) protection would prevent a third party from using their name even though it was open source (at least I think so based on the whole Iceweasel event).
Personally, I'd also gladly pay Filezilla a small amount even though it's open source.
http://opensource.org/osd-annotated
This is why I use the zlib license.
App stores have their benefits, but ninite exists now. Theres really no reason to download filezilla from sourceforge when you can from ninite. The "problem" is not everyone uses ninite. Ninite.
https://ninite.com/winscp/ninite.exe https://ninite.com/filezilla/ninite.exe https://ninite.com/filezilla-winscp/ninite.exe
https://ninite.com/help/home/pronunciation.html
Ninite Ninite Ninite.
I have never pronounced Ninite as "Nye-Nite" or heard anyone else pronounce it that way in the UK.
I'm guessing you are American?
I'd post my one-click-install-all-the-useful-things Ninite link (which preselects a custom selection of software into one installer) that I use for quickly setting up clean Windows machines at the kids' technology centre I work at. But I fear it might get flagkilled too. (ah doesn't matter anyway, I'm sure the average HNer is smart enough to make their own selection, and currently looking at my selection, some of the tools seem a bit out-of-date, wouldn't pick those today anymore).
Even Netflix had a hard time preventing fakes from being published. Over a month or two, Netflix had to contact MS several times, and MS didn't suspend or remove the publisher. They resubmitted and got listed again. Try searching for HBO, xfinity, etc.
MS is not interested in fixing this problem. Probably some folks have their bonus tied to " number of apps published " and that's that.
I emailed Satya and the manager of the Store, to book effect. The Store is a joke.
For this particular case, if FileZilla is popular, you'll have several fake paid apps. If you're lucky there may be av official app, with no way to verify it's the right one. For most users, they'll be rolling the dice just as much as they are now. Only if FileZilla is extremely diligent would it work. Disney, for example, is a top publisher for the Store, yet all sorts of fake Disney content is on there. I called Disney about this, and after about 15 minutes they figured out "don't go there" (referring to the Store). Even top publishers have a hard time dealing with it. BBC is another case, where top "official" results aren't.
Also, if it silently autoupdates, it's worthless.
I tend to doubt that. HN commenters in one thread are not the same as HN commenters in another thread.
The installer is horrible, and I think that the last I looked at it, the options were all opt-out, they hugely abused anti-patterns to make that process all but impossible.
https://ninite.com/filezilla/ninite.exe
https://github.com/blog/1547-release-your-software
https://help.github.com/articles/creating-releases/
I was a bit confused though, I'm pretty sure I installed FileZilla on some Windows machine less than a year ago and would've noticed any malware. But now that I think about it, I used Ninite.com, a multi-install tool for free Windows software, which automatically opts out of any nasty toolbars and such, so I just didn't see it at the time (I'm assuming the malware is at least opt-out, right?).
Doesn't matter though, bundling toolbars/malware is a no-go for me. I know I can (usually) get rid of such pests if they get on my system, but I know so many people who would have a much harder time. Those people are being taken advantage of, they're not "choosing" to have this malware. I can't recommend this type of software to such people because they might get malware if they install it themselves, so they need alternatives without malware. Therefore I won't use the malware-bundled software myself either, because I want to check out the alternatives and see which ones are any good (and I don't really need FileZilla, anyway).
Even if you try to use an HTTPS link, Sourceforge redirects to a plain HTTP download.
Yes, they should be regarded as a malware site these days. It's a shame, really. Some other site should probably mirror the projects that aren't anywhere else and host them properly.
...and someone has already made one for SF and a few other sites: http://userscripts-mirror.org/scripts/review/417459
Assuming sourceforge will not get rid of that feature after too many people start using it.
But you're right, I don't know any other decent FTP clients that I would recommend. Maybe someone on HN knows of a good alternative?
I use a paid version of SmartFTP & like it. Combines Filezilla with Putty.
http://winscp.net/
Filezilla use will drop down because most admins I know that hear about this will immediately write it off as too dangerous to even try to get around. Sure you can dig into the sourceforge files and maybe find a clean version, or maybe find a checksumed mirror, but would you really trust it?
EDIT: I missed the 's' in 'sftp'. But as for that, there's commandline sftp, from openssh. But I realize it's apples and orange juice.
https://sourceforge.net/blog/sourceforge-attack-full-report/