Please create an account to participate in the Slashdot moderation system


Forgot your password?
Security The Courts Windows

Security Firm Keeper Sues News Reporter Over Vulnerability Story ( 73

Zack Whittaker, writing for ZDNet: Keeper, a password manager software maker, has filed a lawsuit against a news reporter and its publication after a story was posted reporting a vulnerability disclosure. Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of "false and misleading statements" about the company's password manager. Goodin's story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed "any website to steal any password" through the password manager's browser extension.
This discussion has been archived. No new comments can be posted.

Security Firm Keeper Sues News Reporter Over Vulnerability Story

Comments Filter:
  • by Harold Halloway ( 1047486 ) on Thursday December 21, 2017 @11:26AM (#55783119)

    Is there a B. Streisand in the house?

    • by someone1234 ( 830754 ) on Thursday December 21, 2017 @12:19PM (#55783499)

      It looks like these Keeper guys got a record for suing experts or reporters. They should spend more on programmers and less on lawyers.

    • Yep. Was not aware of Keeper before today, but now I'm making a mental note to never use their products. And not because they might have had a vulnerability, but because of the law suit. Vendors who welcome security discourse and can be seen taking prompt steps to address issues are going to win my loyalty.

      • LastPass handled their vulnerabilities correctly by not only engaging the researcher, but by also explaining publicly how they were fixing it, providing the timelines, and thanking Tavis Ormandy for his work.

      • They won't give a damn how you think about them.
        You're only 0.01% of their target audience, if ever you're part of it at all.
        The other 99.99% have no clue.
  • Keeper has no case (Score:5, Insightful)

    by techdolphin ( 1263510 ) on Thursday December 21, 2017 @11:37AM (#55783197)
    This is an attempt by Keeper to shut down critical articles. While Ars Technica and Dan Goodin must respond, Keeper has no case. To prove libel, the plaintiffs must prove that publication or writer purposely wrote false statements or had malicious intent. Goodin quoted a security expert, and was reporting on the expert's opinion. Keeper will lose and lose big.
    • by alexo ( 9335 )

      Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

        If it's a Strategic Lawsuit Against Public Participation (SLAPP) [], the judge could put the all the costs on Keeper, or worse.

      • Just because it isn't automatic that the loser pays, that doesn't mean that the judge can't award attorneys fees to the winner.
      • by EvilSS ( 557649 )

        Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

        No but Illinois has a decent Anti-SLAPP law and that's where Keeper filed.

    • by Anonymous Coward

      it just says that I will NEVER use any Keeper product

      they have demonstrated the WRONG way to respond to a vulnerability and need to be publicly destroyed to scare any other company from attempting such a dick move

    • Goodin quoted a security expert, and was reporting on the expert's opinion. Keeper will lose and lose big.

      I don't think it's that clear-cut at all, for at least the reason that the current version of the Ars Technica article behind the link is not the the one that occasioned the lawsuit. Taking a look at the complaint [] Keeper filed, paragraph 30 walks through a laundry list of statements that Goodin himself made in the original article. Then, paragraphs 38 and 39 detail how he incrementally walked back many of the original statements after Keeper challenged them. The multiple rounds of watering down the origi

  • So much for "Hey, thanks. We'll get right on it and make the necessary changes." Everybody has time to do it fast, but nobody has the time to do it right the first time. I love deadlines, especially when they go whooshing by. It just goes to show, the time it takes to complete a project in a timely manner is hard to estimate, unless it is a repetitive task. Programming is not a repetitive task, hence the necessity for algorithms. Follow the algorithm, if the program does not work, then you did not follow it
    • by HiThere ( 15173 )

      While there's a lot of " Everybody has time to do it fast, but nobody has the time to do it right the first time." out there, it's also true that it's quite difficult to find a lot of bugs, particularly your own bugs. And this is true even if you're excruciatingly careful. If you doubt that, consider the Mars lander that failed because of a units conversion. That wasn't a matter of "doing it fast and sloppy".

      The reaction to a bug being revealed, however, is significant. I wouldn't trust Keeper, or a com

  • Unsurprisingly, looking for Keeper's security.txt [] generates a 404 - not found.
    • by Hal_Porter ( 817932 ) on Thursday December 21, 2017 @12:05PM (#55783385)

      Security.txt is basically howtospamme.txt

      https://www.bleepingcomputer.c... []

      You could just as easily have a Contacting Us page. Make sure your email address doesn't appear in an un-obfuscated form in it so it can't be harvested. E.g. for javascript build it up from a few fragments, for noscript change the @ and . characters into an image.

      security.txt is dumb because it includes your email address and phone number in form that is very easy for a script to grab.

      Google doesn't have one, but then Google doesn't employ anyone the public can contact anyway []

      Neither does slashdot, but then slashdot doesn't employ anything than can pass a Turing Test. []

    • Can you list a website that does have one?

      • I heard about it from Steve Gibson on his Security Now podcast. His website has one ( It's not anything to look at, but it exists.
        • The whole thing is only months old.
          The first RFC draft was submitted in September 2017. There's been two new versions since then.
          The github page that hosts the drafts was created in August 2017

  • I can't get to the original complaint due to blockages at work. But as I understand it, defamation requires proof of intentionally publishing false statements. Pretty curious how they think they might establish that.
    • by bv728 ( 943505 )
      Your understanding is incorrect in general - 'Public Figures' need to have Malice, which normally includes knowledge of the false statement and intention to harm, but most companies do not fall under Public Figure.
      For general defamation they need to have:
      a) Published something false
      b) Caused harm
      c) Acted negligently or with malice

      They didn't need to know what they were publishing is false, although that helps. They DO need to know what they were publishing things with reduced verification. Keeper cont
  • Tavis seriously knows his stuff, he has an excellent reputation in the security community and quoting him in an article is the very definition of getting an expert opinion on something. This lawsuit is stupid, who are they going to ask to discount Tavis Freaking O? He's at the top of his field.

  • Not buying it now! (Score:5, Insightful)

    by Thruen ( 753567 ) on Thursday December 21, 2017 @12:25PM (#55783547)
    I'm actually in charge of finding a new password manager for the small business I work at and Keeper was one of the few I'd narrowed my choices down to. They just knocked themselves off that list. My company is small and that's no huge loss for them, but I know I'm not the only person making that choice. Now, had they responded to this stating they're temporarily disabling the browser extension while they work on a fix, they'd still be on the list. When are companies going to learn that trying to shut down bad publicity is the worst publicity of all?
    • As a matter of interest what is the criteria you're using to narrow it down?

      Is open source part of the selection criteria? (there are options available e.g. Keepass and Password Safe)
      Is endorsement from experts part of the criteria? (e.g. Password Safe is of Bruce Schneier's fame)
      Is it based on portability (mobile apps for various vendors, cross platform)
      Is it based on extensible (e.g. plugins for the browser)

      Personally I use Keepass but I'm interested in what criteria people apply to its selection because

      • by ChoGGi ( 522069 )

        I went with Password Safe for the ease with which I could use my Fido key with it.

        That said, if I'd seen this article before I would have been less inclined to try it out, but now I certainly wouldn't use it.
        If you can't be bothered to fix that sort of vulnerability for 16 months till it makes headlines, and then whip out the lawyers..The assumption is a crusty surface with smegma oozing below.

      • by Thruen ( 753567 )
        So to be honest, the list I've narrowed it down to is largely based on personal recommendations from the IT staff at companies we deal with. We're small to the point where we don't have any dedicated IT staff so those things just fall on my shoulders because I'm reasonably good with computers. So on password managers, the biggest things I need are ease of use for the employees who are mostly not very comfortable with computers, and easy administration which should include password distribution either to gro
        • Rightio, I totally get that. I was trying to figure out how my company standardised on what it had.

          For reference my work (multinational in the top 20 of the Fortune 500 list) standardised on Password Safe. I personally got really used to it and while deciding on what to use I ended up with Keepass which had a similar GUI but also had ports on a wider variety of platforms. I ended up keeping the password file on my owncloud and synced on my android device so I could access passwords on the go with the Androi

    • Have you thought of a self-hosted PW manager?

      Thycotic Secret Server is often used and has a good rep.
      Devolution's Password Vault Manager can be self-hosted.

      Then, there are PW managers which piggyback off of existing cloud providers. Codebook, Enpass, and SafeInCloud are several candidates.

      Then, there are PW manages which (IMHO) "strongly persuade" people to use their cloud provider (1Password, mSecure).

      Then, there are dedicated cloud providers like LastPass and DashLane. LastPass has manage to withstand som

    • Keepass [] its what i put first on any new device, you can use your own "cloud" for store and share the database.

      • I love KeePass's PW generation algorithm, especially how it can use mouse input as part of the RNG, and how it can use your Windows unique user info as part of the composite key, so a database would be useless if snarfed, even if someone shoulder-surfed your password.

        However, for cross-platforms, KeePassXC is the best of breed, since it has development work and pull requests done on it all the time.

        I do wish the KeePass DB format would be upgraded. It would be nice if it offered some type of locking, so mu

  • Guess what software I'm *not* going to be using anytime soon?

    It's bad enough that supposedly secure software has a vulnerability. But acting like an asshole instead of responsibly dealing with the problem completely destroys my confidence that these people have their priorities straight and cares about it's customers.

  • but now they have guaranteed that I will never, ever, ever use any of their products.
  • If this is becoming the normal response to people trying to help your business by pointing out problems, then fuck them.

    Sell the vulnerabilities to hackers, make some cash and sit back to watch the fun. Sick of this response to helpful hacking. Just stop helpful hacking, make it all malicious.

  • From Hotel Charges Woman $350 For Negative Hotel Review [] (and other sources):

    After leaving a negative review about a hotel in Indiana following a weekend getaway with her husband, an Indiana woman was charged $350 and threatened with legal action, WTVR reported. ...

    On Dec. 15 the attorney general's office filed a lawsuit alleging the hotel violated Indiana Deceptive Consumer Sales Act.

"If it's not loud, it doesn't work!" -- Blank Reg, from "Max Headroom"