Slashdot Mirror


Security Firm Keeper Sues News Reporter Over Vulnerability Story (zdnet.com)

Zack Whittaker, writing for ZDNet: Keeper, a password manager software maker, has filed a lawsuit against a news reporter and its publication after a story was posted reporting a vulnerability disclosure. Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of "false and misleading statements" about the company's password manager. Goodin's story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed "any website to steal any password" through the password manager's browser extension.

9 of 73 comments

  1. Paging Ms Streisand... by Harold+Halloway · · Score: 4, Insightful

    Is there a B. Streisand in the house?

    1. Re:Paging Ms Streisand... by someone1234 · · Score: 3, Insightful

      It looks like these Keeper guys have a record of suing experts or reporters. They should spend more on programmers and less on lawyers.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
  2. Keeper has no case by techdolphin · · Score: 5, Insightful

    This is an attempt by Keeper to shut down critical articles. While Ars Technica and Dan Goodin must respond, Keeper has no case. To prove libel, the plaintiffs must prove that the publication or writer purposely wrote false statements or had malicious intent. Goodin quoted a security expert, and was reporting on the expert's opinion. Keeper will lose and lose big.

    1. Re:Keeper has no case by Anonymous Coward · · Score: 2, Informative

      Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

      If it's a Strategic Lawsuit Against Public Participation (SLAPP), the judge could put all the costs on Keeper, or worse.

  3. Re:No Security by Hal_Porter · · Score: 3, Funny

    Security.txt is basically howtospamme.txt

    https://www.bleepingcomputer.c...

    You could just as easily have a Contacting Us page. Make sure your email address doesn't appear in an un-obfuscated form in it so it can't be harvested. E.g., with JavaScript, build it up from a few fragments; for noscript, change the @ and . characters into an image.

    security.txt is dumb because it includes your email address and phone number in a form that is very easy for a script to grab.

    Google doesn't have one, but then Google doesn't employ anyone the public can contact anyway.

    https://www.google.com/securit...

    Neither does Slashdot, but then Slashdot doesn't employ anything that can pass a Turing Test.

    https://slashdot.org/security....

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
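    The harvesting scenario Hal_Porter describes, as an added example that is not part of the original thread: a naive contact scraper run over a constructed security.txt body, next to the fragment-assembly trick from the comment. The security.txt content, addresses, phone number and the fragment layout below are all made up for illustration; the field names follow the Contact:/Expires: layout that RFC 9116 security.txt files use. The noscript "@ as an image" variant is not shown, since it needs an image rather than code.

```javascript
// Added example, not from the original thread or from any project named on the page.
// Shows why a plain security.txt is trivially harvestable, and what the
// fragment-assembly obfuscation described in the comment looks like in practice.

// Constructed RFC 9116-style security.txt. Address, number and date are invented.
const SECURITY_TXT = [
  "Contact: mailto:security@example.com",
  "Contact: tel:+1-555-0100",
  "Expires: 2026-01-01T00:00:00.000Z",
  "Preferred-Languages: en",
].join("\n");

// The kind of regexes a bulk scraper uses: no knowledge of the file format,
// just grab anything that looks like a mailbox or an international number.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const PHONE_RE = /\+\d[\d\- ]{6,}\d/g;

// Run the scraper over any text and return what it would collect.
function harvest(text) {
  return {
    emails: text.match(EMAIL_RE) || [],
    phones: text.match(PHONE_RE) || [],
  };
}

// Fragment obfuscation as the comment describes it: the served HTML carries only
// pieces of the address (assumed hypothetical markup), and the browser's
// JavaScript joins them for a human reader.
const FRAGMENTS = ["security", "example", "com"];

function pageSourceWithFragments(fragments) {
  // What a scraper fetching the raw HTML sees: no '@' and no joined domain.
  return `<span data-parts='${JSON.stringify(fragments)}'>contact us</span>`;
}

function assembleAddress(fragments) {
  // What the page's script reconstructs at run time: user@domain.tld.
  const [user, ...domain] = fragments;
  return `${user}@${domain.join(".")}`;
}

// Stand-alone demo.
console.log(harvest(SECURITY_TXT));                      // both contacts collected
console.log(harvest(pageSourceWithFragments(FRAGMENTS))); // nothing collected
console.log(assembleAddress(FRAGMENTS));                  // what a visitor sees
```

    Caveat a practitioner will want: the fragment trick only defeats scrapers that read raw HTML. A harvester driving a headless browser executes the page's JavaScript and sees the assembled address just as a visitor does, and security.txt is machine-readable by design, so the trade-off is really between easy harvesting and easy reporting, not between harvestable and safe.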
  4. Not buying it now! by Thruen · · Score: 4, Insightful

    I'm actually in charge of finding a new password manager for the small business I work at and Keeper was one of the few I'd narrowed my choices down to. They just knocked themselves off that list. My company is small and that's no huge loss for them, but I know I'm not the only person making that choice. Now, had they responded to this stating they're temporarily disabling the browser extension while they work on a fix, they'd still be on the list. When are companies going to learn that trying to shut down bad publicity is the worst publicity of all?

    1. Re:Not buying it now! by thegarbz · · Score: 2

      As a matter of interest, what are the criteria you're using to narrow it down?

      Is open source part of the selection criteria? (There are options available, e.g. KeePass and Password Safe.)
      Is endorsement from experts part of the criteria? (E.g. Password Safe is of Bruce Schneier's fame.)
      Is it based on portability (mobile apps for various vendors, cross-platform)?
      Is it based on extensibility (e.g. plugins for the browser)?

      Personally I use KeePass, but I'm interested in what criteria people apply to its selection because frankly I can't comment on why anyone should pick KeePass over one of the other options.

  5. Re:He's reporting what Google said by Anubis+IV · · Score: 2, Insightful

    Except the reporter wasn't simply reporting what the Google researcher said apparently. At least not originally. Let me play Devil's Advocate for a sec.

    Here's the actual complaint Keeper is making, and if you compare some of the text they mention that was contained in the original version of the article to the twice-revised version that's currently posted, there are some differences in the phrasing and verbiage that affect the factual accuracy of the statements being made.

    For instance, just look at the URL for the article and you can see that the headline has changed. It currently reads:

    For 8 days Windows bundled a password manager with a critical plugin flaw: Plugin for Win 10 version of Keeper had bug allowing sites to steal passwords

    which, from what I can tell, seems to be an accurate statement (though Keeper disputes it on a technicality). But note the differences from the original headline:

    Microsoft is forcing users to install a critically flawed password manager: Win 10 version of Keeper has a 16-month old bug allowing sites to steal passwords

    which was false at the time of publication, since the bug had been fixed prior to publication and the new bug wasn't the same as the previous one (though it was very similar). The complaint goes on to list dozens of other statements across the various iterations of the article, each of which they've taken issue with.

    That said, let me take my Devil's Advocate cap off and say that I don't really think that the Keeper case has much merit, since most of the "false" statements seem to be minor technicalities at best. As an example, they contend that "Keeper" didn't have any bugs, since it was the Keeper browser extension that was buggy, not the Keeper app itself. They also contend that the buggy extension wasn't "bundled", which is technically correct, but it's installed via the bundled app, so to an end user it would have seemed no different than if it had been bundled. So, yay for being technically correct?

    Really, I think they're taking issue with the connotations of the original headline and the bad press it created, and they're just trying to prop up their case with as many slight inaccuracies as they can find, no matter how slight.

  6. Re:Interesting by bv728 · · Score: 2

    Your understanding is incorrect in general: 'Public Figures' need to show malice, which normally includes knowledge of the false statement and intention to harm, but most companies do not fall under Public Figure.
    For general defamation they need to have:
    a) Published something false
    b) Caused harm
    c) Acted negligently or with malice

    They didn't need to know that what they were publishing was false, although that helps. They DO need to have known that they were publishing with reduced verification. Keeper contacted them repeatedly, and they updated the article repeatedly, so I'm guessing their argument is basically going to be 'They knew after our first contact that they had falsehoods up, and did not modify them'.