Slashdot Mirror


Security Firm Keeper Sues News Reporter Over Vulnerability Story (zdnet.com)

Zack Whittaker, writing for ZDNet: Keeper, a password manager software maker, has filed a lawsuit against a news reporter and its publication after a story was posted reporting a vulnerability disclosure. Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of "false and misleading statements" about the company's password manager. Goodin's story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed "any website to steal any password" through the password manager's browser extension.

41 of 73 comments

  1. Paging Ms Streisand... by Harold+Halloway · · Score: 4, Insightful

    Is there a B. Streisand in the house?

    1. Re:Paging Ms Streisand... by someone1234 · · Score: 3, Insightful

      It looks like these Keeper guys have a record for suing experts or reporters. They should spend more on programmers and less on lawyers.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    2. Re:Paging Ms Streisand... by DigitAl56K · · Score: 1

      Yep. Was not aware of Keeper before today, but now I'm making a mental note to never use their products. And not because they might have had a vulnerability, but because of the lawsuit. Vendors who welcome security discourse and can be seen taking prompt steps to address issues are going to win my loyalty.

    3. Re:Paging Ms Streisand... by Martin+Blank · · Score: 1

      LastPass handled their vulnerabilities correctly by not only engaging the researcher, but by also explaining publicly how they were fixing it, providing the timelines, and thanking Tavis Ormandy for his work.

      --
      You can never go home again... but I guess you can shop there.
    4. Re:Paging Ms Streisand... by slashrio · · Score: 1

      They won't give a damn how you think about them.
      You're only 0.01% of their target audience, if ever you're part of it at all.
      The other 99.99% have no clue.

      --
      "Trump!!", the new Godwin.
  2. Keeper has no case by techdolphin · · Score: 5, Insightful

    This is an attempt by Keeper to shut down critical articles. While Ars Technica and Dan Goodin must respond, Keeper has no case. To prove libel, the plaintiffs must prove that publication or writer purposely wrote false statements or had malicious intent. Goodin quoted a security expert, and was reporting on the expert's opinion. Keeper will lose and lose big.

    1. Re:Keeper has no case by alexo · · Score: 1

      Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

    2. Re:Keeper has no case by Anonymous Coward · · Score: 1

      It just says that I will NEVER use any Keeper product.

      They have demonstrated the WRONG way to respond to a vulnerability and need to be publicly destroyed to scare any other company from attempting such a dick move.

    3. Re:Keeper has no case by Anonymous Coward · · Score: 2, Informative

      Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

      If it's a Strategic Lawsuit Against Public Participation (SLAPP), the judge could put all the costs on Keeper, or worse.

    4. Re:Keeper has no case by Dragonslicer · · Score: 1

      Just because it isn't automatic that the loser pays, that doesn't mean that the judge can't award attorneys' fees to the winner.

    5. Re:Keeper has no case by EvilSS · · Score: 1

      Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

      No, but Illinois has a decent Anti-SLAPP law and that's where Keeper filed.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  3. Re:Just for Argument's Sake by Anonymous Coward · · Score: 1

    That's a lot of what-ifs. He didn't do any of that.

    Why don't you read it for yourself:

    https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-critically-flawed-password-manager/

  4. No Security by freeze128 · · Score: 1

    Unsurprisingly, looking for Keeper's security.txt generates a 404 - not found.

    1. Re:No Security by Hal_Porter · · Score: 3, Funny

      Security.txt is basically howtospamme.txt

      https://www.bleepingcomputer.c...

      You could just as easily have a Contacting Us page. Make sure your email address doesn't appear in an un-obfuscated form in it so it can't be harvested. E.g. for javascript build it up from a few fragments, for noscript change the @ and . characters into an image.

      security.txt is dumb because it includes your email address and phone number in a form that is very easy for a script to grab.

      Google doesn't have one, but then Google doesn't employ anyone the public can contact anyway.

      https://www.google.com/securit...

      Neither does slashdot, but then slashdot doesn't employ anything that can pass a Turing Test.

      https://slashdot.org/security....

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:No Security by viperidaenz · · Score: 1

      Can you list a website that does have one?

    3. Re:No Security by freeze128 · · Score: 1

      I heard about it from Steve Gibson on his Security Now podcast. His website has one (www.grc.com). It's not anything to look at, but it exists.

    4. Re:No Security by chrish · · Score: 1

      That Freudian slip for "mentored" is fantastic!

      And me with no mod points...

      --
      - chrish
    5. Re:No Security by viperidaenz · · Score: 1

      The whole thing is only months old.
      The first RFC draft was submitted in September 2017. There have been two new versions since then.
      The github page that hosts the drafts was created in August 2017.

  5. Re:Just for Argument's Sake by SirGarlon · · Score: 1

    There's a fundamental difference between disclosing a security secret on which a system depends (such as a garage door keycode or an RSA public key) and pointing out that the system is flawed and can be exploited without knowing the secret. To extend the analogy, if every garage door opener from a company can be opened with keycode "1234" then in my opinion (shared by many others) the manufacturer was fraudulent when it sold the doors as if they were secure, knowing they were not.

    In other words, any "security" system with a back door is a fraud. Full stop.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
  6. Re:Just for Argument's Sake by Jaime2 · · Score: 1

    Assuming those were ruled to be protected speech... that would only protect the speaker from being prevented from (or punished for) saying them. An individual is still responsible for their actions. Protected speech can run afoul of contract law, civil law (such as libel), copyright law, or any number of other obligations. Your garage door example would be simple negligence and the entry code example would probably be both a violation of an employment contract and federal law.

  7. Interesting by jbmartin6 · · Score: 1

    I can't get to the original complaint due to blockages at work. But as I understand it, defamation requires proof of intentionally publishing false statements. Pretty curious how they think they might establish that.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Interesting by bv728 · · Score: 2

      Your understanding is incorrect in general - 'Public Figures' need to have Malice, which normally includes knowledge of the false statement and intention to harm, but most companies do not fall under Public Figure.
      For general defamation they need to have:
      a) Published something false
      b) Caused harm
      c) Acted negligently or with malice

      They didn't need to know that what they were publishing is false, although that helps. They DO need to know that they were publishing things with reduced verification. Keeper contacted them repeatedly, and they updated the article repeatedly, so I'm guessing their argument is basically going to be 'They knew after our first contact that they had falsehoods up, and did not modify them'.

  8. Tavis by CODiNE · · Score: 1

    Tavis seriously knows his stuff; he has an excellent reputation in the security community, and quoting him in an article is the very definition of getting an expert opinion on something. This lawsuit is stupid; who are they going to ask to discount Tavis Freaking O? He's at the top of his field.

    --
    Cwm, fjord-bank glyphs vext quiz
  9. Not buying it now! by Thruen · · Score: 4, Insightful

    I'm actually in charge of finding a new password manager for the small business I work at and Keeper was one of the few I'd narrowed my choices down to. They just knocked themselves off that list. My company is small and that's no huge loss for them, but I know I'm not the only person making that choice. Now, had they responded to this stating they're temporarily disabling the browser extension while they work on a fix, they'd still be on the list. When are companies going to learn that trying to shut down bad publicity is the worst publicity of all?

    1. Re:Not buying it now! by thegarbz · · Score: 2

      As a matter of interest, what are the criteria you're using to narrow it down?

      Is open source part of the selection criteria? (There are options available, e.g. Keepass and Password Safe.)
      Is endorsement from experts part of the criteria? (E.g. Password Safe is of Bruce Schneier's fame.)
      Is it based on portability (mobile apps for various vendors, cross platform)?
      Is it based on extensibility (e.g. plugins for the browser)?

      Personally I use Keepass, but I'm interested in what criteria people apply to its selection because frankly I can't comment on why anyone should pick Keepass over one of the other options.

    2. Re:Not buying it now! by ChoGGi · · Score: 1

      I went with Password Safe for the ease with which I could use my Fido key with it.

      That said, if I'd seen this article before I would have been less inclined to try it out, but now I certainly wouldn't use it.
      If you can't be bothered to fix that sort of vulnerability for 16 months till it makes headlines, and then whip out the lawyers... the assumption is a crusty surface with smegma oozing below.

    3. Re:Not buying it now! by ctilsie242 · · Score: 1

      Have you thought of a self-hosted PW manager?

      Thycotic Secret Server is often used and has a good rep.
      Devolution's Password Vault Manager can be self-hosted.

      Then, there are PW managers which piggyback off of existing cloud providers. Codebook, Enpass, and SafeInCloud are several candidates.

      Then, there are PW managers which (IMHO) "strongly persuade" people to use their cloud provider (1Password, mSecure).

      Then, there are dedicated cloud providers like LastPass and DashLane. LastPass has managed to withstand some pretty heavy hacking attempts and keep data sound, and they seem quite open about what issues they have. DashLane, I don't know that much about, but I've not read any horror stories.

      I would also look at compliance. Does the company even mention CJIS, FERPA, HIPAA, SOX, PCI-DSS, or other regs? If they have details on how they are compliant, that is a big plus, especially for CYA reasons.

      If access is needed just inside the company, I'd look at Thycotic Secret Server.

    4. Re:Not buying it now! by gitano_dbs · · Score: 1

      Keepass (https://keepass.info/) is what I put first on any new device; you can use your own "cloud" to store and share the database.

    5. Re:Not buying it now! by ctilsie242 · · Score: 1

      I love KeePass's PW generation algorithm, especially how it can use mouse input as part of the RNG, and how it can use your Windows unique user info as part of the composite key, so a database would be useless if snarfed, even if someone shoulder-surfed your password.

      However, for cross-platforms, KeePassXC is the best of breed, since it has development work and pull requests done on it all the time.

      I do wish the KeePass DB format would be upgraded. It would be nice if it offered some type of locking, so multiple processes could access the DB at the same time.

    6. Re:Not buying it now! by Thruen · · Score: 1

      So to be honest, the list I've narrowed it down to is largely based on personal recommendations from the IT staff at companies we deal with. We're small to the point where we don't have any dedicated IT staff so those things just fall on my shoulders because I'm reasonably good with computers. So on password managers, the biggest things I need are ease of use for the employees who are mostly not very comfortable with computers, and easy administration which should include password distribution either to groups or individual users and I'd like the ability to mass-reset passwords as folks leave the company, and if I can find something that we run on our own server instead of on that company's servers it would be preferred. We don't actually need any mobile app access, and all our PCs run Windows so that's the only thing it needs to work on. Endorsement from experts is always a plus but it's not a dealbreaker as long as nobody has outright said they are bad. Open source would be a perk in my mind because of pricing and availability, but also I'd want to make sure it's a project that has been around a while and looks like it will stay around for a while. I'm really just winging it, which is what most of my IT work is, so we'll see where I land. Keepass is actually on my list as someone recommended it to me but I haven't looked into it too deeply yet. This whole project of finding a password manager is actually sort of my own deal so I can only work on it in my free time, which barely exists. But I really need to get us past word documents with passwords in them, it's physically painful for me to see that all the time.

    7. Re:Not buying it now! by thegarbz · · Score: 1

      Rightio, I totally get that. I was trying to figure out how my company standardised on what it had.

      For reference my work (multinational in the top 20 of the Fortune 500 list) standardised on Password Safe. I personally got really used to it and while deciding on what to use I ended up with Keepass which had a similar GUI but also had ports on a wider variety of platforms. I ended up keeping the password file on my owncloud and synced on my android device so I could access passwords on the go with the Android version. It also supports a wider range of ciphers if that is an important metric.

      I eventually settled, though, on Keepass XC for the PCs and traded a bit of security for convenience of browser integration. Keepass and Password Safe only integrate via autotyping, and one day at work I found the autotype function had managed to dump my password in plaintext on the screen mid presentation. KeepassXC has an interface and plugins for Firefox and Chrome. This also was a good boost since now my passwords are synced between the two browsers too.

      Anyway do with that little personal opinion what you will :-)

  10. Re:Just for Argument's Sake by pr0fessor · · Score: 1

    That may be a little off topic... Firstly, they are saying that the information reported is false and misleading, not that they released code that would jeopardize public safety. Secondly, and probably most important, they are suing a reporter instead of the security blogger who made the claims they reported.

  11. Re:He's reporting what Google said by Anubis+IV · · Score: 2, Insightful

    Except the reporter wasn't simply reporting what the Google researcher said apparently. At least not originally. Let me play Devil's Advocate for a sec.

    Here's the actual complaint Keeper is making, and if you compare some of the text they mention that was contained in the original version of the article to the twice-revised version that's currently posted, there are some differences in the phrasing and verbiage that affect the factual accuracy of the statements being made.

    For instance, just look at the URL for the article and you can see that the headline has changed. It currently reads:

    For 8 days Windows bundled a password manager with a critical plugin flaw: Plugin for Win 10 version of Keeper had bug allowing sites to steal passwords

    which, from what I can tell, seems to be an accurate statement (though Keeper disputes it on a technicality). But note the differences from the original headline:

    Microsoft is forcing users to install a critically flawed password manager: Win 10 version of Keeper has a 16-month old bug allowing sites to steal passwords

    which was false at the time of publication, since the bug had been fixed prior to publication and the new bug wasn't the same as the previous one (though it was very similar). The complaint goes on to list dozens of other statements across the various iterations of the article, each of which they've taken issue with.

    That said, let me take my Devil's Advocate cap off and say that I don't really think that the Keeper case has much merit, since most of the "false" statements seem to be minor technicalities at best. As an example, they contend that "Keeper" didn't have any bugs, since it was the Keeper browser extension that was buggy, not the Keeper app itself. They also contend that the buggy extension wasn't "bundled", which is technically correct, but it's installed via the bundled app, so to an end user it would have seemed no different than if it had been bundled. So, yay for being technically correct?

    Really, I think they're taking issue with the connotations of the original headline and the bad press it created, and they're just trying to prop up their case with as many slight inaccuracies as they can find, no matter how slight.

  12. Re:Just for Argument's Sake by yakatz · · Score: 1

    I couldn't copy/paste that link, but the story is definitely still there: For 8 days Windows bundled a password manager with a critical plugin flaw

  13. Hey look! by ilsaloving · · Score: 1

    Guess what software I'm *not* going to be using anytime soon?

    It's bad enough that supposedly secure software has a vulnerability. But acting like an asshole instead of responsibly dealing with the problem completely destroys my confidence that these people have their priorities straight and care about their customers.

    1. Re:Hey look! by ilsaloving · · Score: 1

      Yeah well... Now you're getting into a whole different power dynamic.

  14. I had never heard of them before this story by igotmybfg · · Score: 1

    but now they have guaranteed that I will never, ever, ever use any of their products.

  15. Time to sell to hackers by duke_cheetah2003 · · Score: 1

    If this is becoming the normal response to people trying to help your business by pointing out problems, then fuck them.

    Sell the vulnerabilities to hackers, make some cash and sit back to watch the fun. Sick of this response to helpful hacking. Just stop helpful hacking, make it all malicious.

  16. Does Keeper also own a hotel? by fahrbot-bot · · Score: 1

    From Hotel Charges Woman $350 For Negative Hotel Review (and other sources):

    After leaving a negative review about a hotel in Indiana following a weekend getaway with her husband, an Indiana woman was charged $350 and threatened with legal action, WTVR reported. ...

    On Dec. 15 the attorney general's office filed a lawsuit alleging the hotel violated the Indiana Deceptive Consumer Sales Act.

    --
    It must have been something you assimilated. . . .
  17. Re:Waaaaah! by HiThere · · Score: 1

    While there's a lot of " Everybody has time to do it fast, but nobody has the time to do it right the first time." out there, it's also true that it's quite difficult to find a lot of bugs, particularly your own bugs. And this is true even if you're excruciatingly careful. If you doubt that, consider the Mars lander that failed because of a units conversion. That wasn't a matter of "doing it fast and sloppy".

    The reaction to a bug being revealed, however, is significant. I wouldn't trust Keeper, or a company closely associated with it, for anything at this point.

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
  18. Re:Just for Argument's Sake by nasch · · Score: 1

    Assuming those were ruled to be protected speech... that would only protect the speaker from being prevented from (or punished for) saying them. An individual is still responsible for their actions. Protected speech can run afoul of contract law, civil law (such as libel), copyright law, or any number of other obligations.

    If you can be successfully sued for the speech, then in what way is it protected?

    "Next, it must be determined if the speech in question is protected by the First Amendment. Certain kinds of speech have not been given constitutional protection. For example, states may allow damage suits against persons who have made slanderous or libelous statements..."

    https://home.ubalt.edu/shapiro...

    Maybe you mean something else by "protected speech"?