Security Firm Keeper Sues News Reporter Over Vulnerability Story

Zack Whittaker, writing for ZDNet: Keeper, a password manager software maker, has filed a lawsuit against a news reporter and its publication after a story was posted reporting a vulnerability disclosure. Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of "false and misleading statements" about the company's password manager. Goodin's story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed "any website to steal any password" through the password manager's browser extension.

Paging Ms Streisand...

[Harold Halloway]

Is there a B. Streisand in the house?

Re:Paging Ms Streisand...

[someone1234]

It looks like these Keeper guys got a record for suing experts or reporters. They should spend more on programmers and less on lawyers.

Re:

[DigitAl56K]

Yep. Was not aware of Keeper before today, but now I'm making a mental note to never use their products. And not because they might have had a vulnerability, but because of the law suit. Vendors who welcome security discourse and can be seen taking prompt steps to address issues are going to win my loyalty.

Re:

[Martin Blank]

LastPass handled their vulnerabilities correctly by not only engaging the researcher, but by also explaining publicly how they were fixing it, providing the timelines, and thanking Tavis Ormandy for his work.

Re:

[slashrio]

They won't give a damn how you think about them.
You're only 0.01% of their target audience, if ever you're part of it at all.
The other 99.99% have no clue.

Re:

[Anonymous Coward]

That's alot of what-ifs. He didn't do any of that.

Why don't you read it for yourself:

https://arstechnica.com/information-technology/2017/12/microsoft-is-forcing-users-to-install-a-critically-flawed-password-manager/

Re:

[mccrew]

Did they take it down? Your link just ends up on the Dec 2017 summary of articles for me.

Re:

[yakatz]

I couldn't copy/paste that link, but the story is definitely still there: For 8 days Windows bundled a password manager with a critical plugin flaw [arstechnica.com]

Re:

[SirGarlon]

There's a fundamental difference between disclosing a security secret on which a system depends (such as a garage door keycode or an RSA public key) and pointing out that the system is flawed and can be exploited without knowing the secret. To extend the analogy, if every garage door opener from a company can be opened with keycode "1234" then in my opinion (shared by many others) the manufacturer was fraudulent when it sold the doors as if they were secure, knowing they were not.

In other words, any "securi

Re:

[Jaime2]

Assuming those were ruled to be protected speech... that would only protect the speaker from being prevented from (or punished for) saying them. An individual is still responsible for their actions. Protected speech can run afoul of contract law, civil law (such as libel), copyright law, or any number of other obligations. Your garage door example would be simple negligence and the entry code example would probably be both a violation of an employment contract and federal law.

Re:

[nasch]

Assuming those were ruled to be protected speech... that would only protect the speaker from being prevented from (or punished for) saying them. An individual is still responsible for their actions. Protected speech can run afoul of contract law, civil law (such as libel), copyright law, or any number of other obligations.

If you can be successfully sued for the speech, then in what way is it protected?

"Next, it must be determined if the speech in question is protected by the First Amendment. Certain kinds of speech have not been given constitutional protection. For example, states may allow damage suits against persons who have made slanderous or libelous statements..."

https://home.ubalt.edu/shapiro... [ubalt.edu]

Maybe you mean something else by "prot

Re:

[pr0fessor]

That may be a little off topic.. firstly they are saying that the information reported is false and misleading not that they released code that would jeopardize public safety. secondly and probably the most important they are suing a reporter instead of the security bloger who made the claims they reported.

Re:

[Anubis IV]

Except the reporter wasn't simply reporting what the Google researcher said apparently. At least not originally. Let me play Devil's Advocate for a sec.

Here's the actual complaint [documentcloud.org] Keeper is making, and if you compare some of the text they mention that was contained in the original version of the article to the twice-revised version that's currently posted [arstechnica.com], there are some differences in the phrasing and verbiage that affect the factual accuracy of the statements being made.

For instance, just look at the URL

Keeper has no case

[techdolphin]

This is an attempt by Keeper to shut down critical articles. While Ars Technica and Dan Goodin must respond, Keeper has no case. To prove libel, the plaintiffs must prove that publication or writer purposely wrote false statements or had malicious intent. Goodin quoted a security expert, and was reporting on the expert's opinion. Keeper will lose and lose big.

Re:

[alexo]

Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

Re:

[Anonymous Coward]

Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

If it's a Strategic Lawsuit Against Public Participation (SLAPP) [wikipedia.org], the judge could put the all the costs on Keeper, or worse.

Re:

[Dragonslicer]

Just because it isn't automatic that the loser pays, that doesn't mean that the judge can't award attorneys fees to the winner.

Re:

[EvilSS]

Since the US does not have a "loser pays" system, Keeper cannot "lose big" on this one.

No but Illinois has a decent Anti-SLAPP law and that's where Keeper filed.

Re:

[Anonymous Coward]

it just says that I will NEVER use any Keeper product

they have demonstrated the WRONG way to respond to a vulnerability and need to be publicly destroyed to scare any other company from attempting such a dick move

Re:

[SlaveToTheGrind]

Goodin quoted a security expert, and was reporting on the expert's opinion. Keeper will lose and lose big.

I don't think it's that clear-cut at all, for at least the reason that the current version of the Ars Technica article behind the link is not the the one that occasioned the lawsuit. Taking a look at the complaint [documentcloud.org] Keeper filed, paragraph 30 walks through a laundry list of statements that Goodin himself made in the original article. Then, paragraphs 38 and 39 detail how he incrementally walked back many of the original statements after Keeper challenged them. The multiple rounds of watering down the origi

Waaaaah!

[slick7]

So much for "Hey, thanks. We'll get right on it and make the necessary changes." Everybody has time to do it fast, but nobody has the time to do it right the first time. I love deadlines, especially when they go whooshing by. It just goes to show, the time it takes to complete a project in a timely manner is hard to estimate, unless it is a repetitive task. Programming is not a repetitive task, hence the necessity for algorithms. Follow the algorithm, if the program does not work, then you did not follow it

Re:

[HiThere]

While there's a lot of " Everybody has time to do it fast, but nobody has the time to do it right the first time." out there, it's also true that it's quite difficult to find a lot of bugs, particularly your own bugs. And this is true even if you're excruciatingly careful. If you doubt that, consider the Mars lander that failed because of a units conversion. That wasn't a matter of "doing it fast and sloppy".

The reaction to a bug being revealed, however, is significant. I wouldn't trust Keeper, or a com

No Security

[freeze128]

Unsurprisingly, looking for Keeper's security.txt [keepersecurity.com] generates a 404 - not found.

Re:No Security

[Hal_Porter]

Security.txt is basically howtospamme.txt

https://www.bleepingcomputer.c... [bleepingcomputer.com]

You could just as easily have a Contacting Us page. Make sure your email address doesn't appear in an un-obfuscated form in it so it can't be harvested. E.g. for javascript build it up from a few fragments, for noscript change the @ and . characters into an image.

security.txt is dumb because it includes your email address and phone number in form that is very easy for a script to grab.

Google doesn't have one, but then Google doesn't employ anyone the public can contact anyway

https://www.google.com/securit... [google.com]

Neither does slashdot, but then slashdot doesn't employ anything than can pass a Turing Test.

https://slashdot.org/security.... [slashdot.org]

Re:

[Hal_Porter]

This is what happens when Millennials try to invent things. Back in the old days they'd be forced to post to comp.security for a few years before they were allowed to write an RFC and they'd be properly monstered by the bitter old men that post there, probably from some sort of facility for mentally ill alcoholics. This would teach the youngsters humility.

Re:

[chrish]

That Freudian slip for "mentored" is fantastic!

And me with no mod points...

Re:

[Hal_Porter]

Monstering is actually valid British English, and means roughly the opposite of mentoring

https://www.urbandictionary.com/define.php?term=Monstering [urbandictionary.com]

The art of abusing people. Of ambushing them with questions, following them with questions, hounding them with questions, driving them to their fucking graves with questions. It's sort of being like a photographer, except no ones' killed any royalty doing it ... yet.

See also

Monster, Monster, Monster! [youtube.com]

Re:

[viperidaenz]

Can you list a website that does have one?

Re:

[freeze128]

I heard about it from Steve Gibson on his Security Now podcast. His website has one (www.grc.com). It's not anything to look at, but it exists.

Re:

[viperidaenz]

The whole thing is only months old.
The first RFC draft was submitted in September 2017. There's been two new versions since then.
The github page that hosts the drafts was created in August 2017

Interesting

[jbmartin6]

I can't get to the original complaint due to blockages at work. But as I understand it, defamation requires proof of intentionally publishing false statements. Pretty curious how they think they might establish that.

Re:

[bv728]

Your understanding is incorrect in general - 'Public Figures' need to have Malice, which normally includes knowledge of the false statement and intention to harm, but most companies do not fall under Public Figure.
For general defamation they need to have:
a) Published something false
b) Caused harm
c) Acted negligently or with malice

They didn't need to know what they were publishing is false, although that helps. They DO need to know what they were publishing things with reduced verification. Keeper cont

Tavis

[CODiNE]

Tavis seriously knows his stuff, he has an excellent reputation in the security community and quoting him in an article is the very definition of getting an expert opinion on something. This lawsuit is stupid, who are they going to ask to discount Tavis Freaking O? He's at the top of his field.

Not buying it now!

[Thruen]

I'm actually in charge of finding a new password manager for the small business I work at and Keeper was one of the few I'd narrowed my choices down to. They just knocked themselves off that list. My company is small and that's no huge loss for them, but I know I'm not the only person making that choice. Now, had they responded to this stating they're temporarily disabling the browser extension while they work on a fix, they'd still be on the list. When are companies going to learn that trying to shut down bad publicity is the worst publicity of all?

Re:

[thegarbz]

As a matter of interest what is the criteria you're using to narrow it down?

Is open source part of the selection criteria? (there are options available e.g. Keepass and Password Safe)
Is endorsement from experts part of the criteria? (e.g. Password Safe is of Bruce Schneier's fame)
Is it based on portability (mobile apps for various vendors, cross platform)
Is it based on extensible (e.g. plugins for the browser)

Personally I use Keepass but I'm interested in what criteria people apply to its selection because

Re:

[ChoGGi]

I went with Password Safe for the ease with which I could use my Fido key with it.

That said, if I'd seen this article before I would have been less inclined to try it out, but now I certainly wouldn't use it.
If you can't be bothered to fix that sort of vulnerability for 16 months till it makes headlines, and then whip out the lawyers..The assumption is a crusty surface with smegma oozing below.

Re:

[Thruen]

So to be honest, the list I've narrowed it down to is largely based on personal recommendations from the IT staff at companies we deal with. We're small to the point where we don't have any dedicated IT staff so those things just fall on my shoulders because I'm reasonably good with computers. So on password managers, the biggest things I need are ease of use for the employees who are mostly not very comfortable with computers, and easy administration which should include password distribution either to gro

Re:

[thegarbz]

Rightio, I totally get that. I was trying to figure out how my company standardised on what it had.

For reference my work (multinational in the top 20 of the Fortune 500 list) standardised on Password Safe. I personally got really used to it and while deciding on what to use I ended up with Keepass which had a similar GUI but also had ports on a wider variety of platforms. I ended up keeping the password file on my owncloud and synced on my android device so I could access passwords on the go with the Androi

Re:

[ctilsie242]

Have you thought of a self-hosted PW manager?

Thycotic Secret Server is often used and has a good rep.
Devolution's Password Vault Manager can be self-hosted.

Then, there are PW managers which piggyback off of existing cloud providers. Codebook, Enpass, and SafeInCloud are several candidates.

Then, there are PW manages which (IMHO) "strongly persuade" people to use their cloud provider (1Password, mSecure).

Then, there are dedicated cloud providers like LastPass and DashLane. LastPass has manage to withstand som

Re:

[gitano_dbs]

Keepass https://keepass.info/ [keepass.info] its what i put first on any new device, you can use your own "cloud" for store and share the database.

Re:

[ctilsie242]

I love KeePass's PW generation algorithm, especially how it can use mouse input as part of the RNG, and how it can use your Windows unique user info as part of the composite key, so a database would be useless if snarfed, even if someone shoulder-surfed your password.

However, for cross-platforms, KeePassXC is the best of breed, since it has development work and pull requests done on it all the time.

I do wish the KeePass DB format would be upgraded. It would be nice if it offered some type of locking, so mu

Hey look!

[ilsaloving]

Guess what software I'm *not* going to be using anytime soon?

It's bad enough that supposedly secure software has a vulnerability. But acting like an asshole instead of responsibly dealing with the problem completely destroys my confidence that these people have their priorities straight and cares about it's customers.

Re:

[ilsaloving]

Yeah well... Now you're getting into a whole different power dynamic.

I had never heard of them before this story

[igotmybfg]

but now they have guaranteed that I will never, ever, ever use any of their products.

Time to sell to hackers

[duke_cheetah2003]

If this is becoming the normal response to people trying to help your business by pointing out problems, then fuck them.

Sell the vulnerabilities to hackers, make some cash and sit back to watch the fun. Sick of this response to helpful hacking. Just stop helpful hacking, make it all malicious.

Does Keeper also own a hotel?

[fahrbot-bot]

From Hotel Charges Woman $350 For Negative Hotel Review [usnews.com] (and other sources):

After leaving a negative review about a hotel in Indiana following a weekend getaway with her husband, an Indiana woman was charged $350 and threatened with legal action, WTVR reported. ...

On Dec. 15 the attorney general's office filed a lawsuit alleging the hotel violated Indiana Deceptive Consumer Sales Act.