Slashdot Mirror


Security Firm Keeper Sues News Reporter Over Vulnerability Story (zdnet.com)

Zack Whittaker, writing for ZDNet: Keeper, a password manager software maker, has filed a lawsuit against a news reporter and its publication after a story was posted reporting a vulnerability disclosure. Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of "false and misleading statements" about the company's password manager. Goodin's story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed "any website to steal any password" through the password manager's browser extension.

73 comments

  1. Paging Ms Streisand... by Harold+Halloway · · Score: 4, Insightful

    Is there a B. Streisand in the house?

    1. Re:Paging Ms Streisand... by someone1234 · · Score: 3, Insightful

      It looks like these Keeper guys got a record for suing experts or reporters. They should spend more on programmers and less on lawyers.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    2. Re:Paging Ms Streisand... by DigitAl56K · · Score: 1

      Yep. Was not aware of Keeper before today, but now I'm making a mental note to never use their products. And not because they might have had a vulnerability, but because of the lawsuit. Vendors who welcome security discourse and can be seen taking prompt steps to address issues are going to win my loyalty.

    3. Re:Paging Ms Streisand... by Martin+Blank · · Score: 1

      LastPass handled their vulnerabilities correctly by not only engaging the researcher, but by also explaining publicly how they were fixing it, providing the timelines, and thanking Tavis Ormandy for his work.

      --
      You can never go home again... but I guess you can shop there.
    4. Re:Paging Ms Streisand... by Anonymous Coward · · Score: 0

      It looks like these Keeper guys got a record for suing experts or reporters. They should spend more on programmers and less on lawyers.

      Like the others, their business is bounty hunting, not managing passwords.

    5. Re:Paging Ms Streisand... by Anonymous Coward · · Score: 0

      Even more funny, this tool signed up for that website, using his email as his username.

      Pretty good stuff from a security company's CEO ;)

    6. Re:Paging Ms Streisand... by slashrio · · Score: 1

      They won't give a damn how you think about them.
      You're only 0.01% of their target audience, if ever you're part of it at all.
      The other 99.99% have no clue.

      --
      "Trump!!", the new Godwin.
  2. He's reporting what Google said by Anonymous Coward · · Score: 0

    They should go after Google instead if they think they reported false information.

    1. Re:He's reporting what Google said by Anubis+IV · · Score: 2, Insightful

      Except the reporter wasn't simply reporting what the Google researcher said apparently. At least not originally. Let me play Devil's Advocate for a sec.

      Here's the actual complaint Keeper is making, and if you compare some of the text they mention that was contained in the original version of the article to the twice-revised version that's currently posted, there are some differences in the phrasing and verbiage that affect the factual accuracy of the statements being made.

      For instance, just look at the URL for the article and you can see that the headline has changed. It currently reads:

      For 8 days Windows bundled a password manager with a critical plugin flaw: Plugin for Win 10 version of Keeper had bug allowing sites to steal passwords

      which, from what I can tell, seems to be an accurate statement (though Keeper disputes it on a technicality). But note the differences from the original headline:

      Microsoft is forcing users to install a critically flawed password manager: Win 10 version of Keeper has a 16-month old bug allowing sites to steal passwords

      which was false at the time of publication since the bug had been fixed prior to publication and the new bug wasn't the same as the previous one (though it was very similar). The complaint goes on to list dozens of other statements across the various iterations of the article, each of which they've taken issue with.

      That said, let me take my Devil's Advocate cap off and say that I don't really think that the Keeper case has much merit, since most of the "false" statements seem to be minor technicalities at best. As an example, they contend that "Keeper" didn't have any bugs, since it was the Keeper browser extension that was buggy, not the Keeper app itself. They also contend that the buggy extension wasn't "bundled", which is technically correct, but it's installed via the bundled app, so to an end user it would have seemed no different than if it had been bundled. So, yay for being technically correct?

      Really, I think they're taking issue with the connotations of the original headline and the bad press it created, and they're just trying to prop up their case with as many slight inaccuracies as they can find, no matter how slight.

  3. Keeper has no case by techdolphin · · Score: 5, Insightful

    This is an attempt by Keeper to shut down critical articles. While Ars Technica and Dan Goodin must respond, Keeper has no case. To prove libel, the plaintiffs must prove that publication or writer purposely wrote false statements or had malicious intent. Goodin quoted a security expert, and was reporting on the expert's opinion. Keeper will lose and lose big.

    1. Re:Keeper has no case by alexo · · Score: 1

      Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

    2. Re:Keeper has no case by Anonymous Coward · · Score: 1

      it just says that I will NEVER use any Keeper product

      they have demonstrated the WRONG way to respond to a vulnerability and need to be publicly destroyed to scare any other company from attempting such a dick move

    3. Re:Keeper has no case by Anonymous Coward · · Score: 2, Informative

      Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

      If it's a Strategic Lawsuit Against Public Participation (SLAPP), the judge could put all the costs on Keeper, or worse.

    4. Re:Keeper has no case by SlaveToTheGrind · · Score: 0

      Goodin quoted a security expert, and was reporting on the expert's opinion. Keeper will lose and lose big.

      I don't think it's that clear-cut at all, for at least the reason that the current version of the Ars Technica article behind the link is not the one that occasioned the lawsuit. Taking a look at the complaint Keeper filed, paragraph 30 walks through a laundry list of statements that Goodin himself made in the original article. Then, paragraphs 38 and 39 detail how he incrementally walked back many of the original statements after Keeper challenged them. The multiple rounds of watering down the original statements (coupled with the fact that, according to the complaint, Goodin didn't even talk to Keeper before publishing) could themselves suggest the original article was published with reckless disregard for the truth.

    5. Re:Keeper has no case by Anonymous Coward · · Score: 0

      It doesn't need to be a SLAPP, it just has to be shown that the lawsuit was known to be unlikely to win in the first place and just done for harassment.

      Of course, according to the ABA, the lawyer should also be punished, but funny thing - lawyers somehow always find a reason not to punish other lawyers no matter how bad the behavior.

    6. Re:Keeper has no case by Dragonslicer · · Score: 1

      Just because it isn't automatic that the loser pays, that doesn't mean that the judge can't award attorneys fees to the winner.

    7. Re:Keeper has no case by EvilSS · · Score: 1

      Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

      No but Illinois has a decent Anti-SLAPP law and that's where Keeper filed.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    8. Re:Keeper has no case by Anonymous Coward · · Score: 0

      To prove libel, the plaintiffs must prove that publication or writer purposely wrote false statements or had malicious intent.

      Just a nitpick, but a slight correction to that:

      To prove libel, the plaintiff must prove the writer purposely wrote false statements AND had a malicious intent that caused demonstrable harm

      Specifically, just one or the other of those is not enough, it requires both.

      Also a claim of harm won't be taken at face value, nor are "potential" forms of harm (IE to reputation) acceptable claims.
      They must produce documents proving the harm happened.

      Saying "This harms our reputation and likely cost us business because sales are down" will be rejected.
      They would need to produce something, for example, like a letter showing an investor previously having a deal with a set dollar amount, followed by another letter where the investor backs out and explicitly says the publication is what influenced their choice.

      I'm not claiming Keeper has no case or anything, just how such cases work in general.

    9. Re:Keeper has no case by Anonymous Coward · · Score: 0

      Not will lose and lose big, but has lost and lost big. The judge will look at the article and throw it out, so no money gained that way, and readers will look at the article and dump them like water through a screen door on a submarine. Streisand effect losses is what the balance sheet will read.

  4. Re:Just for Aurgument's Sake by Anonymous Coward · · Score: 1

    That's a lot of what-ifs. He didn't do any of that.

    Why don't you read it for yourself:

    https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-critically-flawed-password-manager/

  5. Re:Just for Aurgument's Sake by Anonymous Coward · · Score: 0

    Poor analogy. If you happen on someone's passcode then it's a dick move to disclose it without good reason. If you find a security firm has failed to fix a vulnerability they knew about, then it's legit to shame them and scare their customers to get them to take action.

  6. Waaaaah! by slick7 · · Score: 0

    So much for "Hey, thanks. We'll get right on it and make the necessary changes." Everybody has time to do it fast, but nobody has the time to do it right the first time. I love deadlines, especially when they go whooshing by. It just goes to show, the time it takes to complete a project in a timely manner is hard to estimate, unless it is a repetitive task. Programming is not a repetitive task, hence the necessity for algorithms. Follow the algorithm, if the program does not work, then you did not follow it or the algorithm is wrong. Back to square one.

    --
    The mind conceives, the body achieves, the spirit manifests.
    1. Re:Waaaaah! by HiThere · · Score: 1

      While there's a lot of "Everybody has time to do it fast, but nobody has the time to do it right the first time." out there, it's also true that it's quite difficult to find a lot of bugs, particularly your own bugs. And this is true even if you're excruciatingly careful. If you doubt that, consider the Mars lander that failed because of a units conversion. That wasn't a matter of "doing it fast and sloppy".

      The reaction to a bug being revealed, however, is significant. I wouldn't trust Keeper, or a company closely associated with it, for anything at this point.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  7. Ironic by Anonymous Coward · · Score: 0

    Keeper's blog acknowledges that Google's Ormandy identified a security flaw, but then they insist that they issued a patch within 24 hours and therefore, there was no harm, no foul.

    Shouldn't they extend the same criteria to press coverage? If a report is promptly corrected after it's been called to their attention, there is no foul, right?

  8. No Security by freeze128 · · Score: 1

    Unsurprisingly, looking for Keeper's security.txt generates a 404 - not found.

    1. Re:No Security by Hal_Porter · · Score: 3, Funny

      Security.txt is basically howtospamme.txt

      https://www.bleepingcomputer.c...

      You could just as easily have a Contacting Us page. Make sure your email address doesn't appear in an un-obfuscated form in it so it can't be harvested. E.g. for javascript build it up from a few fragments, for noscript change the @ and . characters into an image.

      security.txt is dumb because it includes your email address and phone number in a form that is very easy for a script to grab.

      Google doesn't have one, but then Google doesn't employ anyone the public can contact anyway

      https://www.google.com/securit...

      Neither does slashdot, but then slashdot doesn't employ anything that can pass a Turing Test.

      https://slashdot.org/security....

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:No Security by Anonymous Coward · · Score: 0

      real talk I never even heard of this thing until now
      not to mention it's not even an rfc yet

    3. Re:No Security by Hal_Porter · · Score: 0

      This is what happens when Millennials try to invent things. Back in the old days they'd be forced to post to comp.security for a few years before they were allowed to write an RFC and they'd be properly monstered by the bitter old men that post there, probably from some sort of facility for mentally ill alcoholics. This would teach the youngsters humility.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    4. Re:No Security by viperidaenz · · Score: 1

      Can you list a website that does have one?

    5. Re:No Security by freeze128 · · Score: 1

      I heard about it from Steve Gibson on his Security Now podcast. His website has one (www.grc.com). It's not anything to look at, but it exists.

    6. Re:No Security by chrish · · Score: 1

      That Freudian slip for "mentored" is fantastic!

      And me with no mod points...

      --
      - chrish
    7. Re:No Security by Hal_Porter · · Score: 0

      Monstering is actually valid British English, and means roughly the opposite of mentoring

      https://www.urbandictionary.com/define.php?term=Monstering

      The art of abusing people. Of ambushing them with questions, following them with questions, hounding them with questions, driving them to their fucking graves with questions. It's sort of being like a photographer, except no one's killed any royalty doing it ... yet.

      See also

      Monster, Monster, Monster!

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    8. Re:No Security by viperidaenz · · Score: 1

      The whole thing is only months old.
      The first RFC draft was submitted in September 2017. There's been two new versions since then.
      The github page that hosts the drafts was created in August 2017

  9. Re:Just for Aurgument's Sake by SirGarlon · · Score: 1

    There's a fundamental difference between disclosing a security secret on which a system depends (such as a garage door keycode or an RSA public key) and pointing out that the system is flawed and can be exploited without knowing the secret. To extend the analogy, if every garage door opener from a company can be opened with keycode "1234" then in my opinion (shared by many others) the manufacturer was fraudulent when it sold the doors as if they were secure, knowing they were not.

    In other words, any "security" system with a back door is a fraud. Full stop.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  10. Re:Just for Aurgument's Sake by Jaime2 · · Score: 1

    Assuming those were ruled to be protected speech... that would only protect the speaker from being prevented from (or punished for) saying them. An individual is still responsible for their actions. Protected speech can run afoul of contract law, civil law (such as libel), copyright law, or any number of other obligations. Your garage door example would be simple negligence and the entry code example would probably be both a violation of an employment contract and federal law.

  11. Interesting by jbmartin6 · · Score: 1

    I can't get to the original complaint due to blockages at work. But as I understand it, defamation requires proof of intentionally publishing false statements. Pretty curious how they think they might establish that.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Interesting by bv728 · · Score: 2

      Your understanding is incorrect in general - 'Public Figures' need to have Malice, which normally includes knowledge of the false statement and intention to harm, but most companies do not fall under Public Figure.
      For general defamation they need to have:
      a) Published something false
      b) Caused harm
      c) Acted negligently or with malice

      They didn't need to know what they were publishing is false, although that helps. They DO need to know that they were publishing things with reduced verification. Keeper contacted them repeatedly, and they updated the article repeatedly, so I'm guessing their argument is basically going to be 'They knew after our first contact that they had falsehoods up, and did not modify them'.

  12. Re:Just for Aurgument's Sake by Anonymous Coward · · Score: 0

    Are you a lawyer? Didn't think so.

  13. This makes me lose all trust in Keeper by Anonymous Coward · · Score: 0

    If a security company has to retaliate by the legal system, it makes me have zero trust in the product. Keeper would have been a lot better off by either showing the allegation was false, or that it was fixed.

    Plus, the other guys have had vulnerabilities found, and either have apologized and fixed them, or even have given bounties. What gave me trust in LastPass was the fact that they did get hacked... but the damage was mitigated by their endpoint system.

    Recently, a lot of password apps have moved from syncing via Google Drive or Dropbox to their own clouds. However, it seems none of them have put much thought in security. Few have two factor authentication. Few have any compliancy agreements (CJIA, HIPAA, FERPA, SOX, PCI-DSS, GDPR), and most just have a blurb similar to "we use encryption, trust us." For something this security sensitive, there are only a very few apps that are trustworthy.

  14. Re:Just for Aurgument's Sake by Anonymous Coward · · Score: 0

    Yes, absolutely. Why is this even a question?

    Now don't get me wrong, I'm not saying it is morally ok, only that it is legally ok. Also, I am not saying that the person cannot be prosecuted for how they acquired that information, only that they cannot be prosecuted for the simple act of saying the information. Though if they signed an agreement to not share the information, I suppose that would also be prosecutable. But I would call that prosecuting for breach of contract to avoid opening up any loopholes regarding future prosecution of unpopular speech.

  15. Tavis by CODiNE · · Score: 1

    Tavis seriously knows his stuff, he has an excellent reputation in the security community and quoting him in an article is the very definition of getting an expert opinion on something. This lawsuit is stupid, who are they going to ask to discount Tavis Freaking O? He's at the top of his field.

    --
    Cwm, fjord-bank glyphs vext quiz
  16. Apple did the same thing a number of years ago... by Anonymous Coward · · Score: 0

    ... when some security researchers found easily exploitable flaws in wifi on mac computers.

  17. Don't use Keeper, might as well send PWs to NSA by Anonymous Coward · · Score: 0

    If you think Keeper, being developed by an American software house, are not immune to NSA court orders, you're lying to yourself. You might as well just send your credentials directly to the NSA or whatever.

  18. Not buying it now! by Thruen · · Score: 4, Insightful

    I'm actually in charge of finding a new password manager for the small business I work at and Keeper was one of the few I'd narrowed my choices down to. They just knocked themselves off that list. My company is small and that's no huge loss for them, but I know I'm not the only person making that choice. Now, had they responded to this stating they're temporarily disabling the browser extension while they work on a fix, they'd still be on the list. When are companies going to learn that trying to shut down bad publicity is the worst publicity of all?

    1. Re:Not buying it now! by thegarbz · · Score: 2

      As a matter of interest what is the criteria you're using to narrow it down?

      Is open source part of the selection criteria? (there are options available e.g. Keepass and Password Safe)
      Is endorsement from experts part of the criteria? (e.g. Password Safe is of Bruce Schneier's fame)
      Is it based on portability (mobile apps for various vendors, cross platform)?
      Is it based on extensibility (e.g. plugins for the browser)?

      Personally I use Keepass but I'm interested in what criteria people apply to its selection because frankly I can't comment on why anyone should pick Keepass over one of the other options.

    2. Re:Not buying it now! by ChoGGi · · Score: 1

      I went with Password Safe for the ease with which I could use my Fido key with it.

      That said, if I'd seen this article before I would have been less inclined to try it out, but now I certainly wouldn't use it.
      If you can't be bothered to fix that sort of vulnerability for 16 months till it makes headlines, and then whip out the lawyers... The assumption is a crusty surface with smegma oozing below.

    3. Re:Not buying it now! by ctilsie242 · · Score: 1

      Have you thought of a self-hosted PW manager?

      Thycotic Secret Server is often used and has a good rep.
      Devolution's Password Vault Manager can be self-hosted.

      Then, there are PW managers which piggyback off of existing cloud providers. Codebook, Enpass, and SafeInCloud are several candidates.

      Then, there are PW managers which (IMHO) "strongly persuade" people to use their cloud provider (1Password, mSecure).

      Then, there are dedicated cloud providers like LastPass and DashLane. LastPass has managed to withstand some pretty heavy hacking attempts and keep data sound, and they seem quite open about what issues they have. DashLane, I don't know that much about, but I've not read any horror stories.

      I would also look at compliance. Does the company even mention CJIS, FERPA, HIPAA, SOX, PCI-DSS, or other regs? If they have details on how they are compliant, that is a big plus, especially for CYA reasons.

      If access is needed just inside the company, I'd look at Thycotic Secret Server.

    4. Re:Not buying it now! by gitano_dbs · · Score: 1

      Keepass https://keepass.info/ it's what I put first on any new device; you can use your own "cloud" to store and share the database.

    5. Re:Not buying it now! by ctilsie242 · · Score: 1

      I love KeePass's PW generation algorithm, especially how it can use mouse input as part of the RNG, and how it can use your Windows unique user info as part of the composite key, so a database would be useless if snarfed, even if someone shoulder-surfed your password.

      However, for cross-platforms, KeePassXC is the best of breed, since it has development work and pull requests done on it all the time.

      I do wish the KeePass DB format would be upgraded. It would be nice if it offered some type of locking, so multiple processes could access the DB at the same time.

    6. Re:Not buying it now! by Thruen · · Score: 1

      So to be honest, the list I've narrowed it down to is largely based on personal recommendations from the IT staff at companies we deal with. We're small to the point where we don't have any dedicated IT staff so those things just fall on my shoulders because I'm reasonably good with computers. So on password managers, the biggest things I need are ease of use for the employees who are mostly not very comfortable with computers, and easy administration which should include password distribution either to groups or individual users and I'd like the ability to mass-reset passwords as folks leave the company, and if I can find something that we run on our own server instead of on that company's servers it would be preferred. We don't actually need any mobile app access, and all our PCs run Windows so that's the only thing it needs to work on. Endorsement from experts is always a plus but it's not a dealbreaker as long as nobody has outright said they are bad. Open source would be a perk in my mind because of pricing and availability, but also I'd want to make sure it's a project that has been around a while and looks like it will stay around for a while. I'm really just winging it, which is what most of my IT work is, so we'll see where I land. Keepass is actually on my list as someone recommended it to me but I haven't looked into it too deeply yet. This whole project of finding a password manager is actually sort of my own deal so I can only work on it in my free time, which barely exists. But I really need to get us past word documents with passwords in them, it's physically painful for me to see that all the time.

    7. Re:Not buying it now! by Anonymous Coward · · Score: 0

      Check out 1Password - it's got some pretty good setups for exactly your type of business. Never used it, but last time I looked for one (before the company requesting it got distracted) it was the best mix of ease-of-use out there.

    8. Re:Not buying it now! by thegarbz · · Score: 1

      Rightio, I totally get that. I was trying to figure out how my company standardised on what it had.

      For reference my work (multinational in the top 20 of the Fortune 500 list) standardised on Password Safe. I personally got really used to it and while deciding on what to use I ended up with Keepass which had a similar GUI but also had ports on a wider variety of platforms. I ended up keeping the password file on my owncloud and synced on my android device so I could access passwords on the go with the Android version. It also supports a wider range of ciphers if that is an important metric.

      I eventually though settled on Keepass XC for the PCs and traded a bit of security for convenience of browser integration. Keepass and Password safe only integrate via autotyping and I have found one day at work the autotype function managed to dump my password in plaintext on the screen mid presentation. KeepassXC has an interface and plugins for Firefox and Chrome. This also was a good boost since now my passwords are synced between the two browsers too.

      Anyway do with that little personal opinion what you will :-)

  19. Re:Just for Aurgument's Sake by Anonymous Coward · · Score: 0

    What if this reporter included the code to someone's Garage Door Keypad.

    Is that protected speech?

    What if it was the code to gain entry into a government facility?

    Protected?

    It depends how the reporter obtained these things.

    If the reporter signed Non-Disclosure Agreements, was given access to company secrets, and then turned around to leak and/or publish them, then that is definitely not protected.

    If I paint the code to my garage door keypad in big red numbers on my garage door, and then the reporter takes a clear broad daylight picture of it while standing on a public sidewalk, and then publishes the picture, that's definitely protected. (The fact that I'm dumb enough to paint my code on my garage door doesn't take away anybody's constitutional rights.)

  20. Re:Just for Aurgument's Sake by pr0fessor · · Score: 1

    That may be a little off topic... Firstly, they are saying that the information reported is false and misleading, not that they released code that would jeopardize public safety. Secondly, and probably the most important, they are suing a reporter instead of the security blogger who made the claims they reported.

  21. Ha ha, land of the free! by Anonymous Coward · · Score: 0

    Enjoy your corporate slavery yah stupid fucks.

  22. Re:Just for Aurgument's Sake by mccrew · · Score: 0

    Did they take it down? Your link just ends up on the Dec 2017 summary of articles for me.

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  23. Keeper has no case-truth in a digital age. by Anonymous Coward · · Score: 0

    That's the digital age for you. At least with physical print take-backs aren't possible so one is much more careful about what one says.

  24. Is it...? by Anonymous Coward · · Score: 0

    Fake News!!!

  25. heres a version of that story by Anonymous Coward · · Score: 0

    https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-critically-flawed-password-manager/

  26. IF true, why sue? Frivolous lawsuit?? by Anonymous Coward · · Score: 0

    IF it's true, why sue? Frivolous lawsuit?? HOWEVER - If Tavis Ormandy's wrong then by all means do file suit. Facts will show who's right & who's wrong in the end!

    (Hopefully, as hopefully there is STILL factually based justice - not on "the letter of the law" ALONE either but in the SPIRIT OF THE LAW too).

    * I feel bad for the maker of this password keeper program but IF you fuckup? You fuckup & get exposed (so then shutup & fix it - period (yes, it can be a 'holy-terror' to find out possibly there IS NO FIX too, or, that your foundations you built on blow which is WHY I avoid 3rd party libs/dlls + toolkits that aren't PROVEN))!

    (IF not & this password keeper program's RIGHT? Hey - then tear the bastards falsely accusing you apart & save your good name...)

    I do however, see a LOT of these password storage programs f'ing up - a LOT!

    APK

    P.S.=> I don't trust ANY story that only shows 1 side of an argument & I don't see anything in the summary @ least that shows the password keeper's defense (IF it exists @ all that is)... apk

  27. SLAPP suit? by Anonymous Coward · · Score: 0

    Sounds very close to a SLAPP suit (alternate link: https://www.google.com/search?safe=active&q=slapp+suit)

    Very stupid suing a high profile journalist at a large organization though. Are they that stupid or is there another angle?

  28. Re:Just for Aurgument's Sake by yakatz · · Score: 1

    I couldn't copy/paste that link, but the story is definitely still there: For 8 days Windows bundled a password manager with a critical plugin flaw

  29. Addendum in defense of T. Ormandy... apk by Anonymous Coward · · Score: 0

    See subject: Tavis Ormandy has found TONS of security issues in antivirus programs so his track record's solid (but there IS always a "1st time" screwing up too)...

    * We'll see how this all "pans out" eventually.

    APK

    P.S.=> Had to add that in for "justice's sake" (others are noting it on this page as well)... apk

  30. Hey look! by ilsaloving · · Score: 1

    Guess what software I'm *not* going to be using anytime soon?

    It's bad enough that supposedly secure software has a vulnerability. But acting like an asshole instead of responsibly dealing with the problem completely destroys my confidence that these people have their priorities straight and care about their customers.

    1. Re:Hey look! by Anonymous Coward · · Score: 0

      I guess....Windows.

    2. Re:Hey look! by ilsaloving · · Score: 1

      Yeah well... Now you're getting into a whole different power dynamic.

  31. I had never heard of them before this story by igotmybfg · · Score: 1

    but now they have guaranteed that I will never, ever, ever use any of their products.

  32. Time to sell to hackers by duke_cheetah2003 · · Score: 1

    If this is becoming the normal response to people trying to help your business by pointing out problems, then fuck them.

    Sell the vulnerabilities to hackers, make some cash and sit back to watch the fun. Sick of this response to helpful hacking. Just stop helpful hacking, make it all malicious.

  33. Does Keeper also own a hotel? by fahrbot-bot · · Score: 1

    From Hotel Charges Woman $350 For Negative Hotel Review (and other sources):

    After leaving a negative review about a hotel in Indiana following a weekend getaway with her husband, an Indiana woman was charged $350 and threatened with legal action, WTVR reported. ...

    On Dec. 15 the attorney general's office filed a lawsuit alleging the hotel violated Indiana Deceptive Consumer Sales Act.

    --
    It must have been something you assimilated. . . .
  34. 50% chance they have a point by Anonymous Coward · · Score: 0

    Dan Goodin has edited that post to make it a little less critical. I saw it originally a few hours after it was posted. He had included a line like, "company did not immediately respond to a request for comment," which made it sound like he had sent them an email very soon before posting.

  35. Re:Just for Aurgument's Sake by nasch · · Score: 1

    Assuming those were ruled to be protected speech... that would only protect the speaker from being prevented from (or punished for) saying them. An individual is still responsible for their actions. Protected speech can run afoul of contract law, civil law (such as libel), copyright law, or any number of other obligations.

    If you can be successfully sued for the speech, then in what way is it protected?

    "Next, it must be determined if the speech in question is protected by the First Amendment. Certain kinds of speech have not been given constitutional protection. For example, states may allow damage suits against persons who have made slanderous or libelous statements..."

    https://home.ubalt.edu/shapiro...

    Maybe you mean something else by "protected speech"?