There has been a lot written recently about the despicable practice that C/Net’s Download.com has adopted of wrapping all of the software downloaded via Download.com in wrappers which install 3rd party toolbars and software. It is even more loathsome to include these 3rd party potential security threats when people are downloading security software. But that is exactly what is happening at Download.com.

Many in the security industry have raised the alarms about this practice. Everyone from HD Moore of Metasploit to Fyodor of NMap and more. InfoWorld and other main stream media outlets have blown the whistle as well.

It has certainly come to the attention of C/Net and they have responded:

“On Wednesday, Cnet issued a statement saying it had mistakenly made NMap — and other open-source software — part of its program, but planned to continue the bundling of third-party software, with some changes.

“All third-party offers are clearly identified as such, and there is no requirement for the user to download and install the offer; rather, a user has the option to Accept or Decline,” Sean Murphy, CBS Interactive’s vice president and general manager

So it was one thing to not know you are making a mistake, it is quite another to know what you are doing is wrong and still do it. If this is going to be the position of C/Net the position of the tech community should be clear. Stop going to C/Net, stop downloading anything from Download.com and if you are a developer don’t give them permission to list your software.

Until this wrapping of 3rd party software stops, boycott Cnet and Download.com!

Related articles

• Cnet slammed for wrapping Nmap downloads with cruddy toolbar (go.theregister.com)
• Security pros slam Cnet Download.com’s bundling (infoworld.com)
• Download.com sorry for bundling Nmap with crapware (go.theregister.com)
• Nmap warns Download.com bundles malware with its software (geek.com)
• Download.com Bundling Toolbars, Trojans? (krebsonsecurity.com)
• The Download.com Debacle: What CNET Needs to Do to Make it Right (eff.org)
• A note from Sean regarding the Download.com Installer (download.cnet.com)
• CNet’s Download.com now bundling Nmap with malware (seclists.org)

John Oltsik over on Network World had a good article this week about the changing roles of CISOs.  Reading it I realized he was dead on.  The role of CISO in many organizations is an impossible job.  Those of you in the role probably already know this.

The problem is that to perform the CISO role you need a rare combination of skills.  You need the technical chops of a CTO or at the least a seasoned security admin, along with the business sense and feel of a senior level executive/manager.  It is truly a rare individual who has both of these skill sets. Generally, a CISO is stronger in one or the other of these.

As Jon points out though, the job is getting harder, the challengers greater and the risks and rewards higher and more substantial.  Jon’s solution is that he sees this role breaking into two roles.  One is the CSO who handles the business end of things. He would deal with regulators, the business issues and that kind of thing.

He then sees another role he calls the Chief Information Security Technology Officer.  This is more akin to a CTO, except purely focused on security. He would be the uber-geek security guy who is hip deep in security technology.

Hey that sounds great. Who is not for more attention and resources being given to security?  The problem is that so many companies are just now starting to realize the importance of CISO. It has been a hard battle, asking the organization to now add yet another body to the mix may be more than many are willing to pay.

It seems in security we have to take our victories in small steps.   I don’t think that 2012 will be the year we move past CISOs.

Related articles

• What Does the Future Hold for CISOs? (btsecurethinking.com)
• Need a CISO Cert? Have $200? Get it while it’s hot… (securosis.com)
• The New CSO: Cyber Security Officer (lumension.com)
• Security on a Shoestring Budget (pcworld.com)