Keeper Security Files Bullshit SLAPP Suit Against Ars Technica, Letting Many More People Know Not To Use Its Software
from the fuck-that dept
If you’re a security software company and you want to know the best way to make sure that no security professional ever recommends your software ever again, you should do what Keeper Security did and sue a respected security journalist for reporting on your security flaws. As first reported by Zack Whittaker (link above), Keeper Security has filed a totally bullshit SLAPP lawsuit against Ars Technica and its widely respected security reporter Dan Goodin. Last week Goodin published a story about a major flaw in the browser extension for Keeper’s password manager, that was bundled with Windows.
The flaw was actually discovered by Google’s Tavis Ormandy, who has a long history of discovering fairly high profile bugs — especially in password managers (he famously found a big flaw in LastPass, earlier this year). Notice how LastPass responded, though. It worked with Tavis on fixing the problem and rushing out a solution. Compare that to how Keeper responded. It fixed the bug… but it’s also filed a lawsuit — but not against Ormandy. Instead, it’s suing Ars and Goodin. And, let’s be clear: the lawsuit is bullshit.
The crux of the complaint from Keeper is that it wasn’t Keeper’s main software that had the vulnerability, but rather its browser extension plugin. This is a meaningless and silly distinction. Almost anyone using a software password manager (as you should) will install the browser plugins to go with the software. The software without the browser plugins is almost useless. The fact that Goodin didn’t initially note the very trivial detail that the browser plugin wasn’t included in the initial bundle, but would only be installed later once someone started using Keeper is meaningless, and not even close to defamatory.
Here’s how Keeper describes it in their own lawsuit:
Before any such ?vulnerability? could have any chance to impact a user, the user would have to be subject to specific conditions and take the following steps: (1) the user would have to separately install the Keeper Browser Extension; then (2) sign into the Keeper Browser Extension (which requires the user to first have a registered Keeper account); then (3) create and store (or have existing and previously created) website login credentials inside their Keeper Vault; then (4) visit a malicious website set up to steal a user?s website login credentials; then (5) the malicious website would have to inject a specific type of malware into the Keeper Browser Extension. This omission from all versions of the Article was material because without this relevant information, readers were misled to believe that their computers were infected simply by having Keeper software installed on their devices.
Whether or not it is “material” or even whether or not it is good reporting, is not meaningful when it comes to the question of defamation.Basically all of the statements that Goodin made that Keeper claims are defamatory are statements of opinion, in which Goodin laid out the facts on which he based his statements. Providing the underlying facts and stating an opinion is not defamatory. For example, among the statements that Keeper claims are defamatory are the following:
1) ?For 8 days Windows bundled a password manager with a critical plugin flaw.?
2) ?plugin for Win 10 Version of Keeper had bug allowing sites to steal passwords.?
3) ?For about eight days, some versions of Windows 10 quietly bundled a password manager that contained a critical vulnerability in its browser plug in, a researcher said Friday.?
4) ?If an outsider can find a bug similar to the 16-month-old vulnerability so quickly and easily, it stands to reason people inside the software company should have found it first.?
5) ?It?s also possible third-party apps don?t come with the same security assurances of other Microsoft software.?
None of those are even close to defamatory. They are a mix of statements based on disclosed facts and opinion. Even more ridiculously, Keeper claims that Goodin and Ars published this story “knowing and intending that the Article would cause injury to Keeper.” That’s bullshit. There is no way that Goodin would be publishing a story with knowing falsehoods or one “intending” to cause harm to a company like Keeper. He was just reporting on the facts of the story, which Keeper itself does not dispute.
The lawsuit was filed in Illinois, where Keeper is based, and Keeper and its lawyers probably should have noticed that Illinois has an Anti-SLAPP law, which says they’ll have to pay Ars and Goodin’s attorneys’ fees if the case is determined to be a SLAPP suit, which it almost certainly should be. Either way, the lawsuit has made many more people (a) aware that Keeper’s software had a bug in it and (b) that it is not software worth using. Lots of people in the security world are now making sure that lots of people know to stay away from Keeper. There are better products on the market, offered up by companies who don’t try to abuse the judicial system to stop reporters from commenting on their flaws. Use those products instead.
In my professional opinion, suing those who discuss software vulnerabilities is itself a reliable indication of dangerously vulnerable software and incompetent security practices. For that reason, I will be avoiding Keeper Security products. https://t.co/hJVHHisTyL
— matt blaze (@mattblaze) December 20, 2017
Ars Technica's @dangoodin001 is one of the most technically knowledgeable reporters I know. Now he's being sued by Keeper Security for writing up a report of Keeper's software vulnerabilities made by a Google researcher. This is gross, litigious bullying. https://t.co/nzw1BloQfa
— Andy Greenberg (@a_greenberg) December 20, 2017
Confirmed: Dan Goodin is not simply technical, but extraordinarily interested in getting the story right. This one time he interviewed me for a story, then told me I was wrong, and he was right. https://t.co/doNVBBNq7O
— Robert Graham's naughty list???? (@ErrataRob) December 20, 2017
Let me get it straight, Keeper claims this is defamatory solely because the browser extension isn't mandatory, but a "separate program"? Who tolerates using a password manager without the corresponding browser extension?!? https://t.co/NB8pSaIjOT
— Nicholas Weaver (@ncweaver) December 20, 2017
Suing a reporter for an article about your security vulnerability is generally a bad move. https://t.co/VtIvoQVn2g
— Kurt Opsahl (@kurtopsahl) December 20, 2017
Next time, maybe fix the flaw and apologize without suing reporters for writing about it.