Security Firm Keeper Sues News Reporter Over Vulnerability Story (zdnet.com)
Zack Whittaker, writing for ZDNet: Keeper, a password manager software maker, has filed a lawsuit against a news reporter and its publication after a story was posted reporting a vulnerability disclosure. Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of "false and misleading statements" about the company's password manager. Goodin's story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed "any website to steal any password" through the password manager's browser extension.
Is there a B. Streisand in the house?
This is an attempt by Keeper to shut down critical articles. While Ars Technica and Dan Goodin must respond, Keeper has no case. To prove libel, the plaintiffs must prove that the publication or writer purposely wrote false statements or had malicious intent. Goodin quoted a security expert, and was reporting on the expert's opinion. Keeper will lose and lose big.
I'm actually in charge of finding a new password manager for the small business I work at and Keeper was one of the few I'd narrowed my choices down to. They just knocked themselves off that list. My company is small and that's no huge loss for them, but I know I'm not the only person making that choice. Now, had they responded to this stating they're temporarily disabling the browser extension while they work on a fix, they'd still be on the list. When are companies going to learn that trying to shut down bad publicity is the worst publicity of all?
Except the reporter wasn't simply reporting what the Google researcher said apparently. At least not originally. Let me play Devil's Advocate for a sec.
Here's the actual complaint Keeper is making, and if you compare some of the text they mention that was contained in the original version of the article to the twice-revised version that's currently posted, there are some differences in the phrasing and verbiage that affect the factual accuracy of the statements being made.
For instance, just look at the URL for the article and you can see that the headline has changed. It currently reads:
For 8 days Windows bundled a password manager with a critical plugin flaw: Plugin for Win 10 version of Keeper had bug allowing sites to steal passwords
which, from what I can tell, seems to be an accurate statement (though Keeper disputes it on a technicality). But note the differences from the original headline:
Microsoft is forcing users to install a critically flawed password manager: Win 10 version of Keeper has a 16-month old bug allowing sites to steal passwords
which was false at the time of publication, since the bug had been fixed prior to publication and the new bug wasn't the same as the previous one (though it was very similar). The complaint goes on to list dozens of other statements across the various iterations of the article, each of which they've taken issue with.
That said, let me take my Devil's Advocate cap off and say that I don't really think that the Keeper case has much merit, since most of the "false" statements seem to be minor technicalities at best. As an example, they contend that "Keeper" didn't have any bugs, since it was the Keeper browser extension that was buggy, not the Keeper app itself. They also contend that the buggy extension wasn't "bundled", which is technically correct, but it's installed via the bundled app, so to an end user it would have seemed no different than if it had been bundled. So, yay for being technically correct?
Really, I think they're taking issue with the connotations of the original headline and the bad press it created, and they're just trying to prop up their case with as many slight inaccuracies as they can find, no matter how slight.