Keeper Security Files Bullshit SLAPP Suit Against Ars Technica, Letting Many More People Know Not To Use Its Software

from the fuck-that dept

If you're a security software company and you want to know the best way to make sure that no security professional ever recommends your software ever again, you should do what Keeper Security did and sue a respected security journalist for reporting on your security flaws. As first reported by Zack Whittaker (link above), Keeper Security has filed a totally bullshit SLAPP lawsuit against Ars Technica and its widely respected security reporter Dan Goodin. Last week Goodin published a story about a major flaw in the browser extension for Keeper's password manager, that was bundled with Windows.

The flaw was actually discovered by Google's Tavis Ormandy, who has a long history of discovering fairly high profile bugs -- especially in password managers (he famously found a big flaw in LastPass, earlier this year). Notice how LastPass responded, though. It worked with Tavis on fixing the problem and rushing out a solution. Compare that to how Keeper responded. It fixed the bug... but it's also filed a lawsuit -- but not against Ormandy. Instead, it's suing Ars and Goodin. And, let's be clear: the lawsuit is bullshit.

The crux of the complaint from Keeper is that it wasn't Keeper's main software that had the vulnerability, but rather its browser extension plugin. This is a meaningless and silly distinction. Almost anyone using a software password manager (as you should) will install the browser plugins to go with the software. The software without the browser plugins is almost useless. The fact that Goodin didn't initially note the very trivial detail that the browser plugin wasn't included in the initial bundle, but would only be installed later once someone started using Keeper, is meaningless, and not even close to defamatory.

Here's how Keeper describes it in their own lawsuit:

Before any such “vulnerability” could have any chance to impact a user, the user would have to be subject to specific conditions and take the following steps: (1) the user would have to separately install the Keeper Browser Extension; then (2) sign into the Keeper Browser Extension (which requires the user to first have a registered Keeper account); then (3) create and store (or have existing and previously created) website login credentials inside their Keeper Vault; then (4) visit a malicious website set up to steal a user’s website login credentials; then (5) the malicious website would have to inject a specific type of malware into the Keeper Browser Extension. This omission from all versions of the Article was material because without this relevant information, readers were misled to believe that their computers were infected simply by having Keeper software installed on their devices.

Whether or not it is "material" or even whether or not it is good reporting, is not meaningful when it comes to the question of defamation. Basically all of the statements that Goodin made that Keeper claims are defamatory are statements of opinion, in which Goodin laid out the facts on which he based his statements. Providing the underlying facts and stating an opinion is not defamatory. For example, among the statements that Keeper claims are defamatory are the following:

1) “For 8 days Windows bundled a password manager with a critical plugin flaw.”

2) “plugin for Win 10 Version of Keeper had bug allowing sites to steal passwords.”

3) “For about eight days, some versions of Windows 10 quietly bundled a password manager that contained a critical vulnerability in its browser plug in, a researcher said Friday.”

4) “If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it first.”

5) “It’s also possible third-party apps don’t come with the same security assurances of other Microsoft software.”

None of those are even close to defamatory. They are a mix of statements based on disclosed facts and opinion. Even more ridiculously, Keeper claims that Goodin and Ars published this story "knowing and intending that the Article would cause injury to Keeper." That's bullshit. There is no way that Goodin would be publishing a story with knowing falsehoods or one "intending" to cause harm to a company like Keeper. He was just reporting on the facts of the story, which Keeper itself does not dispute.

The lawsuit was filed in Illinois, where Keeper is based, and Keeper and its lawyers probably should have noticed that Illinois has an Anti-SLAPP law, which says they'll have to pay Ars and Goodin's attorneys' fees if the case is determined to be a SLAPP suit, which it almost certainly should be. Either way, the lawsuit has made many more people (a) aware that Keeper's software had a bug in it and (b) that it is not software worth using. Lots of people in the security world are now making sure that lots of people know to stay away from Keeper. There are better products on the market, offered up by companies who don't try to abuse the judicial system to stop reporters from commenting on their flaws. Use those products instead.

Next time, maybe fix the flaw and apologize without suing reporters for writing about it.


Filed Under: ars technica, censorial thug, dan goodin, defamation, keeper, password manager, security, slapp
Companies: conde nast, keeper security


Reader Comments

  1. dysmey (profile), 21 Dec 2017 @ 9:35am

    Missing paragraph

    Part of the paragraph starting with "The lawsuit was filed in Illinois" is missing.

  2. ralph_the_bus_driver (profile), 21 Dec 2017 @ 9:54am

    Ars Technica is a California based company. I suspect they will ask a California Court to hear it as they have no presence in Illinois.

    And as if Microsoft didn't have enough bad publicity about Windows 10. Suing reporters that report their problems won't get them many brownie points.

  3. Stephen T. Stone (profile), 21 Dec 2017 @ 10:02am

    Re:

    Microsoft isn’t part of this lawsuit.

  4. Anonymous Coward, 21 Dec 2017 @ 10:04am

    Streisand effect at work...

    I'd never heard of this company before, now I will be sure to avoid them....

  5. Mike Masnick (profile), 21 Dec 2017 @ 10:13am

    Re: Missing paragraph

    Yikes. Should be fixed now.

  6. Anonymous Coward, 21 Dec 2017 @ 10:14am

    Note that the law firm representing the Keeper is a descendant of an infamous patent troll, which was mentioned by Ars a year ago.

    Given that this law firm acted against their client’s best interest (to put it mildly: more like a deliberate infliction of damage), could it be that this lawsuit is at least in part a petty revenge over the Ars’s coverage?

  7. Mike Masnick (profile), 21 Dec 2017 @ 10:14am

    Re:

    Ars Technica is a California based company. I suspect they will ask a California Court to hear it as they have no presence in Illinois.

    Keeper is based in Illinois, so they'll claim jurisdiction. It would be surprising if they were able to transfer the case -- so surprising that I doubt Ars would even try. Besides, as I note in the post, Illinois has a decent anti-SLAPP law, so they can just make use of that.

  8. AnodeCathode (profile), 21 Dec 2017 @ 11:50am

    The software without the browser plugins is almost useless.

    I have to take issue with this comment. I don't use the browser plugin for KeePass. I'm happy to copy and paste my U/P data into the forms. It's not an important point, but I just thought I'd put that out there while I do my laundry.

  9. Anonymous Coward, 21 Dec 2017 @ 12:25pm

    Re: The software without the browser plugins is almost useless.

    I use a different password manager and I am also fine with the copy and paste method. It helps keep the attack surface smaller because there is less code and the clipboard is very easy to clear.

    I can see why people would like the browser extension but I feel it is a negligible feature.

  10. Chryss (profile), 21 Dec 2017 @ 1:00pm

    Re: The software without the browser plugins is almost useless.

    I also go with the c/p method. A plugin just adds another point of vulnerability, especially with the way Firefox has now hobbled extensions.

  11. Machin Shin, 21 Dec 2017 @ 1:47pm

    Re: The software without the browser plugins is almost useless.

    Still doesn't make this any less of a security problem. Many people would have installed the plugin and opened themselves up to this security issue.

    Also it is about like someone coming to your house and getting food poisoning. Then when they complain about how the meatloaf poisoned them you sue saying "No it was NOT my meatloaf. It was my salad!"

  12. KeillRandor (profile), 21 Dec 2017 @ 6:13pm

    Hmmm...

    So I was scrolling past this story pretty quickly and mis? read what was written in one particular line, which made me scroll back up to make sure - (tis a shame it wasn't right):

    "Here's how Keeper describes it in their own bullshit:"

    Well, it made me laugh anyway...

  13. Anonymous Coward, 21 Dec 2017 @ 7:03pm

    I don't do the software, I don't do Ars.

  14. Thad, 21 Dec 2017 @ 8:12pm

    Re: Re: The software without the browser plugins is almost useless.

    Indeed. Given the number of vulnerabilities we've seen in password-storing browser plugins, I can't imagine why anybody would use one. Copying and pasting from an external app adds a couple of steps, sure, but you can rest assured that the external app's not going to be pwned through your browser.

  15. Anonymous Coward, 21 Dec 2017 @ 8:55pm

    Re:

    Good, sorry to hear that.

  16. Anonymous Coward, 22 Dec 2017 @ 9:57am

    damage control: https://blog.keepersecurity.com/2017/12/21/keeper-ceo-offers-clarity/

    I am contacting my rep there now to inform them of my disappointment in their actions and depending on how they further handle this situation I may take our business elsewhere.

  17. Improbus (profile), 22 Dec 2017 @ 10:57am

    Re:

    ... and yet you took the time to comment on it. Fascinating, tell me more.

  18. Anonymous Cowtard, 22 Dec 2017 @ 11:48am

    Re: Re: Re: The software without the browser plugins is almost useless.

    "Copying and pasting from an external app adds a couple of steps, sure, but you can rest assured that the external app's not going to be pwned through your browser."

    Sure, but then the clipboard can be read from the browser if you have javascript enabled.

    If c/p works, it also works to just select and drop the password in the textfield. Saving the extra steps and foils clipboard snooping.

  19. Anonymous Coward, 22 Dec 2017 @ 12:21pm

    I really need to invest in the Streisand Effect Reputation Management company.

    Seems like a sure fire way to make money.

  20. Anonymous Coward, 23 Dec 2017 @ 8:21am

    How to shoot yourself in the foot by Keeper (in)Security.

  21. ⴷⵍⵀⵍⴷⵖⲘⵁⵡⲊ ⵎⴲⲰⴷⴽⲆ, 23 Dec 2017 @ 7:13pm

    Keeper Way

    from this idiocy.

  22. Thad, 27 Dec 2017 @ 9:04am

    Re: Re: Re: Re: The software without the browser plugins is almost useless.

    Sure, but then the clipboard can be read from the browser if you have javascript enabled.

    I'm not aware of any modern browser that gives JS unrestricted access to the clipboard. (IE used to, but it's been disabled by default since IE8.) JS can only read the clipboard on a Paste event.
