
Filezilla installer is suspicious again

383 points| stevekemp | 7 years ago |forum.filezilla-project.org

241 comments

[+] michaelmrose|7 years ago|reply
Botg site admin "The hash doesn't match because the filename doesn't match."

A fully descriptive answer is that they don't have a checksum for the bundled package but botg doesn't want to say this.

" Dangerously ignorant user. Not matching filename = the checksum is NOT for that file. Checksums can only be provided for the non-bundled packages, because they're static. Bundled installers are not."

Dangerously ignorant person here: what they are actually saying is that they have no way on earth to be sure what's even IN the bundled packages nor what it will do to the user's computer.

They have decided that tricking people into downloading malware is a reasonable alternative to charging money for their software or soliciting donations.

It's truly amazing to me that installing Windows software is still like this.

The obvious and immediate solution is to abandon vendors who behave like this. This is challenging because you have to track the reputation of each individual vendor, and users have proven unable to even consistently download the software from the right page, let alone judge individual vendors' track records.

The long term solution is to get off the platform.

[+] kodablah|7 years ago|reply
> The long term solution is to get off the platform.

Ug. Running untrusted executables on any platform can be trouble. The problem is that by blaming the platform, people keep putting the onus on these OS's, distros, etc to build walls around carefully curated gardens. Gotta take the good with the bad. Either you accept that people can run untrusted executables or you give up the flexibility to build/use/distribute untrusted executables yourself. Sadly it seems as devs grow into larger companies and prefer the latter, they forget their indie beginnings enabled by the former. "What's $100?" they say. "Getting a cert is easy" they say. "If you aren't building anything dangerous, why do you have a problem with curation?" they say. The same anti-freedom arguments are always there in the name of safety.

If you downloaded untrusted Filezilla and executed it raw on any platform it could be an issue. If users required Filezilla to be distributed in the Windows app store, it could be less of an issue. One could argue the fact that installing Windows software is sometimes still like this is because of the lack of restrictions against it. But as users keep complaining and devs stay silent, all platforms including Windows will continue to reduce liberty in the name of safety and you'll feel better.

[+] ComodoHacker|7 years ago|reply
>they don't have a checksum for the bundled package but botg doesn't want to say this

Well, it shouldn't really be called "bundled". It's more a "drive-by download". What is bundled is only a downloader (so the checksum remains the same). And it offers and downloads what the other party sees more profitable today.

In this sense they really don't know what they bundle.

[+] ourmandave|7 years ago|reply
> It's truly amazing to me that installing Windows software is still like this.

You think this is bad, you should try the Windows 10 auto updater.

Disclaimer: It's broken on my brand new PC and no helpful on-line fix has worked so far. So I might hold hate in my heart.

[+] codedokode|7 years ago|reply
I think the long term solution would be to forbid deceiving users by software vendors. Users should know exactly what they are paying with.

Now the vendors who sell software that doesn't have hidden functionality lose the competition to such "free" products monetized with adware, data collection or other shady behaviours. It is easy to see in the mobile game market.

[+] mirimir|7 years ago|reply
Well, botg does come pretty close to admitting that:

    #9 Post by botg » 2018-01-05 09:11
    The connections are for fetching offers and, if the user
    accepts the offer, the offered file. What the file is
    for is written in the offer text. The network requests
    to fetch offers are done only after the user has agreed
    to it by accepting the privacy policy.
Right, the user has agreed to install some random thing.

    #10 Post by TigheW » 2018-01-05 16:55
    Sorry man, this isn't "bundled software that people
    want" and no amount of repeating it will make it true.
    This is a malware downloader bundled with your software
    and hosted on your page and you're intentionally
    misleading the users who are here directly asking you
    if it's safe to run this bundle on their machines. ...
Damn.
[+] duxup|7 years ago|reply
> This is challenging because you have to track the reputation of each individual vendor, and users have proven unable to even consistently download the software from the right page, let alone judge individual vendors' track records.

There was a pattern where articles about nasty android apps would always include some idiotic line about "Security experts say do not install apps you don't trust."

Who the hell knows anything about the apps they even trust, for all you know they sold out to malware companies yesterday.... there's no way to know.

Let alone that would also mean you never try any new software...

I HATE that line.

[+] mkonecny|7 years ago|reply
Hashes never take the filename into account anyway. He knows this, and is trying to throw users off track.
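Checking a download the way the comment above describes, as an added example that is not part of the thread or of the FileZilla project: the digest is computed over the file's bytes only, so a renamed copy still verifies, while different bytes fail even when they carry the published filename. The checksum manifest and the installer bytes are constructed stand-ins, and a digest like this can only ever cover the file you hold, not anything a downloader stub fetches later.

```python
import hashlib
import os
import tempfile


def sha512_of_file(path):
    """Stream the file's bytes through SHA-512; the filename plays no part."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_manifest(text):
    """Parse sha512sum-style 'digest  filename' lines into {digest: filename}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[digest.lower()] = name.lstrip("*")  # '*' marks binary mode in sha512sum output
    return entries


def verify_by_content(path, manifest):
    """Return (ok, published_name), matching on the digest alone.

    A renamed download still verifies; bytes that are not listed fail
    even if the file carries the published filename.
    """
    digest = sha512_of_file(path)
    return digest in manifest, manifest.get(digest)


def demo():
    """Constructed scenario (no real project hashes): one published digest, the
    same bytes saved under two names, and different bytes under the published name."""
    clean = b"constructed stand-in for the unbundled installer bytes\n"
    other = b"constructed stand-in for a different installer (e.g. a downloader stub)\n"
    manifest = parse_checksum_manifest(
        "# constructed manifest\n"
        f"{hashlib.sha512(clean).hexdigest()}  installer-setup.exe\n"
    )
    results = {}
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "other"))
        cases = {
            "published_name": (os.path.join(d, "installer-setup.exe"), clean),
            "renamed": (os.path.join(d, "download (1).exe"), clean),
            "wrong_bytes_right_name": (os.path.join(d, "other", "installer-setup.exe"), other),
        }
        for label, (path, data) in cases.items():
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify_by_content(path, manifest)
    return results


if __name__ == "__main__":
    for label, (ok, name) in demo().items():
        print(f"{label}: {'OK' if ok else 'MISMATCH'} (published as {name})")
```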
[+] gaius|7 years ago|reply
> The long term solution is to get off the platform.

Never any malware on other platforms? Do you not remember Sourceforge?

And let’s not forget that so much Linux software installs these days via curl|sh...

[+] NiveaGeForce|7 years ago|reply
> It's truly amazing to me that installing Windows software is still like this

It doesn't have to be that way, since there has been a Windows/Microsoft Store for plenty of years now.

But then you have gamers and game devs spreading FUD about UWP and the MS Store, while they praise 3rd party platforms like Steam and GoG that actively refuse UWP apps in their store, while allowing spyware like this.

https://www.reddit.com/r/Steam/comments/8pud8b/psa_red_shell...

Yet, nobody dares to hold those platforms responsible.

https://www.reddit.com/r/Games/comments/8sg294/16_studios_re...

> The long term solution is to get off the platform.

No, the long term solution is to embrace the MS Store, or at the very least modern platforms like WinRT/UWP that would prevent most types of malware attacks.

Why do we still accept the violation of the principle of least privilege in this day and age?

[+] belorn|7 years ago|reply
Getting off platforms is usually quite hard with most trying to be as sticky as possible. The common reason why people tend to stick to Windows is games, even if the situation has gotten better.

Personally I have come to the conclusion that the best solution is virtual machines with a Linux base system. Put every game that is sticky to Windows into its own little container and just have hardware passed through. That way every form of sticky platform only exists in a small pocket of virtual space. The tricky part is getting all this working as smoothly as if it were just one system that just happened to have really good sandboxing for untrustworthy platforms.

[+] ksk|7 years ago|reply
Vendors who have partaken in the "bundled crapware" model of distribution - Google, Amazon, Yahoo, Microsoft, Adobe, Oracle, etc, etc.

>They have decided that tricking people into downloading malware is a reasonable alternative to charging money for their software or soliciting donations.

If you would be so kind as to show them how to make money, perhaps they'll stop doing it.

> It's truly amazing to me that installing Windows software is still like this.

Eh? Which OS platform are you using that does not allow a user to execute binaries?

[+] st3fan|7 years ago|reply
Suspicious?

Let’s call this what it really is: The FileZilla owners are actively encouraging users to install malware as a way to monetize. That is very clear.

Avoid FileZilla by all means.

[+] Digital-Citizen|7 years ago|reply
If what you say is true a more productive approach is to make a derivative of the last known non-malware release of FileZilla with a new name. FileZilla's code respects your software freedom (FileZilla is licensed under the GNU GPL v2, last I knew), so there's no reason not to use that freedom to make a derivative which doesn't come with a tricky installer. Rejecting free software when improvements can be had is an overreaction that could lead to a reduction in software freedom which would obviously be bad. Free software is the path to being able to trust the software you run.
[+] kjrose|7 years ago|reply
Yep. This matches behavior I've seen many times before from other software companies.

In every circumstance I immediately ceased using anything made by them.

[+] AdmiralAsshat|7 years ago|reply
It's sad that FileZilla remains so popular long after the creator has chosen to monetize it with adware. I highly recommend any FileZilla user reading this should switch to WinSCP. It's free, open source, and not bundled with any crapware.
[+] dabber|7 years ago|reply
I posted this further down the thread but may as well say it here too.

Cyberduck[1] was what I moved to after the FileZilla installer on Sourceforge forced me to wipe & reinstall Windows a few years back. It's available for MacOS and Windows, GPL3 licensed[2] and worked great for me at the time. I've since moved to Linux so I haven't been able to play around with any of the newer features/versions but it would be the first thing I tried if I switched back today. Definitely recommend taking a look.

[1]: https://cyberduck.io/

[2]: https://github.com/iterate-ch/cyberduck

[+] krylon|7 years ago|reply
If you do not require a GUI, FarManager[0] is great, too. It allows access to remote folders over ftp, sftp, smb (and probably others), is very light on resources, free software (BSD license), and all around a joy to use.

[0] https://www.farmanager.com/

[+] jokoon|7 years ago|reply
I considered using winscp until I discovered it cannot limit itself to 1 connection.
[+] kaskavalci|7 years ago|reply
This should go higher in the thread. I personally didn't know this behavior.
[+] mkane848|7 years ago|reply
I can't believe those are real admin responses. TigheW was far more patient than they needed to be, that was painful.
[+] ksk|7 years ago|reply
What factual information do you dispute from their responses?
[+] qjighap|7 years ago|reply
Outside the file hash thing there isn't anything wrong with his responses. The project chose to get third party products from sources outside their control. There is nothing "technically" wrong with it. The thread is littered with poor security practices, but I see TigheW's response as more painful. The admin is already clearly aware of the concern and is stating why it is set up that way. I would much rather see somebody state the practices are wrong rather than just calling this guy out, since it is really counter-productive.
[+] zaroth|7 years ago|reply
Sophisticated users will know to download the unbundled installer, and maybe even go so far as to verify the hash.

But that sidesteps the question of whether to continue using software where the authors are willing to put their users at risk by monetizing with what is apparently malware bundles.

FileZilla is by all accounts a fantastic piece of software. I’ve used it for years, both the client and the server, and it’s no doubt provided significant value to me over the years.

And yet I’ve never paid the FileZilla authors a penny for their services.

So while I didn’t force the FileZilla authors down this dark path that they’ve chosen to use for monetization, I accept that I am part of the problem.

[+] codedokode|7 years ago|reply
I don't really see the problem. If the developers want to get paid for their work they can just sell their software. The problem is when someone tries to monetize their product by deceiving users. This is the case: they prevent users from knowing what is happening on their computer, download and run suspicious binaries and use the EULA as an excuse. And I suspect they themselves don't even know for sure what is bundled into the installer.

Users should know exactly what they are offered. Hiding a clause like "you allow us to do anything we want" in the EULA should not work.

[+] smsm42|7 years ago|reply
When I read "You get AV flags for business reasons on the AV vendor's behalf, not because of malware." I pretty much became convinced they have gone to the dark side. I've seen enough shady business that this pattern really jumps out - as soon as people start claiming everybody is conspiring against them for monetary reasons, or out of envy, etc. with no proof - it is a very strong sign that the person is not to be trusted. There are false positives but the sign is very strong.
[+] phyzome|7 years ago|reply
« The connections are for fetching offers and, if the user accepts the offer, the offered file. What the file is for is written in the offer text. The network requests to fetch offers are done only after the user has agreed to it by accepting the privacy policy. »

Translation:

« Our installer fetches random crapware once you click past the giant wall of text. »

[+] Fnoord|7 years ago|reply
This is allowed under GDPR? Doesn't this constitute breaking into computers?
[+] modzu|7 years ago|reply
Yup, it's been going on for years.

It's 2018. F* FileZilla.

WinSCP is a decent alternative.

[+] mysterypie|7 years ago|reply
If you've decided to do something dirty, sneaky, or underhanded, then the dialog on this forum should be required reading on how not to handle user questions. Any large software company experienced in being routinely evil would have done the following:

- shut down that thread at the first opportunity (it's their own forum so they are able to do that)

- as a corollary to the above, always run your own forums for questions, support, fandom, etc. so you can kill threads, guide the conversation, ban users, or redesign the site giving cover for losing history that you don't want remembered

- ban that particular user who was giving the best analysis; a real reason is not necessary -- just allege that he violated the terms & conditions

- have someone preview all questions and comments before they get posted in your forum; you know how some sites say, "Your comment is awaiting moderation"? -- you need to do that

- never give official answers to any questions (the founder and original developer was replying in his own name); instead, always reply as a fellow user, knowledgeable and helpful, but allowing the company a way to disown any replies given out

- don't even bother to reply to questions you don't want to answer; just ignore them (the current thread would surely have died out if the founder had not given those silly obfuscating answers); you can compose a crafty reply only if it becomes a big problem

- have a bunch of fake users (employees, PR department, outsourced agents) ready to pounce on, rebut, or ridicule the user providing the good analysis; similarly, have those fake users guide the discussion or completely change the topic

Some large software companies get away with far worse tricks and shenanigans, affecting millions of users, by following the principles above.

[+] belorn|7 years ago|reply
I doubt the legal system that the publisher resides in would accept the excuse that giving control over to a third party will protect them from liability if malware gets installed from the installer. No amount of EULA, disclaimer, or calling it "bundle" can do that, and now there is a publicly documented discussion showing that the developer knowingly allowed it. That sounds like some significant risk, one which I would never bet my own personal life on.

It will only take a security researcher who identifies one of those unsigned processes, in the past or future, as malware, and people who are infected by the same malware can check if they also have FileZilla installed, and boom. A lawsuit is born.

[+] qiqitori|7 years ago|reply
Hmm? I don't think I've ever heard of any lawsuits about bundled adware. (Read: I doubt it's illegal.)
[+] jlgaddis|7 years ago|reply
Since I haven't seen it mentioned here, note that the first post in this thread was on 13 December 2017, with most of the back and forth between botg and TigheW taking place in early January 2018.

Post #14 revived the thread 11 days ago and the last seven or eight posts are from the last 24 hours or so.

Looks like the thread has since been "locked" to prevent further discussion.

[+] billforsternz|7 years ago|reply
I install filezilla (amongst other things) from ninite.com. In general ninite.com installation is equivalent to normal installation without having to carefully uncheck obviously horrid and unwanted optional "extras".
[+] glenneroo|7 years ago|reply
I wasn't sure which version Ninite were using or if they were aware of the suspicious installer, so I wrote them a mail referencing this thread. They wrote back a couple hours later (and I'm not even a Pro user!):

> Apparently FileZilla has more than one installer package. The discussion in the [HN] forum link is about their "bundled" installer. We use the one without the junk-ware bundled. Below are links to the virustotal results for the packages we use.

https://www.virustotal.com/#/file/92aa946d4127eeef30b428e86b...

https://www.virustotal.com/#/file/a86a836888e9894215e15da49e...

[+] faitswulff|7 years ago|reply
Well, damn. I didn't even know there were prior incidents. Ugh. I've used Filezilla within the last year.

What are good alternatives?

[+] dabber|7 years ago|reply
WinSCP seems to be a popular recommendation. When I was a Windows user after the FileZilla/Sourceforge incident I switched to Cyberduck[1]. I really enjoyed it at the time and it seems it's gained many more features since.

[1]: https://cyberduck.io/

[+] paulie_a|7 years ago|reply
Filezilla should simply never be trusted ever again and that is not a new thing.
[+] jonnytran|7 years ago|reply
Does anyone have suggestions for alternatives to FileZilla, both for Windows and for Mac, that I can recommend to non-technical friends? In other words, something with a GUI.

Basically, when pointing out security problems, I find that people are much more likely to actually listen if you present an alternative action. I will probably just use sftp from the command-line, but that won't fly for some.

[+] codedokode|7 years ago|reply
I don't know whether it is really malware, or they just collect information from PC like browser history and cookies or just avoid being blocked by AV, anyway the real purpose is that developers don't want users to be able to control what is happening on their PC and to know what is really happening. I don't see any other explanation.
[+] zorkw4rg|7 years ago|reply
Just reading the exchange with "botg" is really all the information you'll ever need to know about Filezilla, using it (bundled or not) would just be gross negligence after that.

Here is an alternative: https://winscp.net/eng/index.php

[+] fusl|7 years ago|reply
This has always been the case. FileZilla offers two versions for Windows and macOS on their website: bundled and non-bundled. You get the bundled version when you click "Download FileZilla Client" and then the big green "Download FileZilla Client" button (assuming you're visiting the website from a Windows or macOS client): "This installer may include bundled offers." makes this also very clear. In order to get the clean version, you have to click "Show additional download options" and then pick the version you want. For anyone saying that FileZilla can't be trusted anymore due to doing this, it's still open source and you can check out and build the code yourself: https://filezilla-project.org/sourcecode.php
[+] justinclift|7 years ago|reply
Damn. Personally I'd hoped the FileZilla team had discontinued their bundling of malware since the SourceForge episode, which I wrote about here:

https://web.archive.org/web/20140816230250/http://blog.glust...

Instead, it looks like they've taken up with the malware creators directly.

Wonder what the most appropriate solution would be?

If Google were to "ban" FileZilla from its results (due to pushing malware), it sounds to me like that would work.