Domain: keepass.info
Stories and comments across the archive that link to keepass.info.
Stories · 2
- Password App Developer Overlooks Security Hole to Preserve Ads (engadget.com)
An anonymous reader quotes this report from Engadget: Think it's bad when companies take their time fixing security vulnerabilities? Imagine what happens when they avoid fixing those holes in the name of a little cash. KeePass 2 developer Dominik Reichl has declined to patch a flaw in the password manager's update check as the 'indirect costs' of the upgrade (which would encrypt web traffic) are too high -- namely, it'd lose ad revenue...
To his credit, Reichl notes that he'd like to move to encryption as soon as he believes it's possible. You can also verify that you're getting a signed download, if you're worried. However, it's still contradictory to develop a security-centric app and decide that security should take a back seat.
An update on the site says the software's version information file is now digitally signed, adding that KeePass "neither downloads nor installs any new version automatically. Users have to do this manually... users should check whether the file is digitally signed... HTTPS cannot prevent a compromise of the download server; checking the digital signature does."
- Ask Slashdot: Keeping My Data Mine? (2015 Edition)
New submitter schklerg writes: Like many, I am tired of being the product of the corporate "cloud" overlords. To that end, I've got my own Linux server running Tiny Tiny RSS (RSS — Feedly replacement), OwnCloud (Storage / phone backup / Keepass sync / notes — Google Drive replacement), Coppermine Gallery (picture library), Dokuwiki (quick reference), and Shaarli (bookmarks manager — Foxmarks / Sync replacement). Crashplan lets me pick the keys for my backups, and the only thing Google Drive ever sees is a pgp encrypted file of various items. Next up is moving from gmail with iRedMail. Yes, the NSA may have it all anyway, but being under less corporate control is a nice feeling. What have you done to maintain control of your own data?