News site Ars Technica. (Screenshot: ZDNet/CBS Interactive)
Keeper, a maker of password manager software, has filed a lawsuit against a news reporter and his publication after a story was posted reporting a vulnerability disclosure.
Dan Goodin, security editor at Ars Technica, was named defendant in a suit filed Tuesday by Chicago-based Keeper Security, which accused Goodin of “false and misleading statements” about the company’s password manager.
Goodin’s story, posted December 15, cited Google security researcher Tavis Ormandy, who said in a vulnerability disclosure report he posted a day earlier that a security flaw in Keeper allowed “any website to steal any password” through the password manager’s browser extension.
Goodin was one of the first to cover news of the vulnerability disclosure. He wrote that the password manager was bundled in some versions of Windows 10. When Ormandy tested the bundled password manager, he found a password-stealing bug that was nearly identical to one he had previously discovered in 2016.
Ormandy also posted a proof-of-concept exploit for the new vulnerability.
The bug has since been fixed, according to Ormandy’s follow-up note, which triggered the release of the report. Goodin’s story was amended twice, which was noted in the story’s footer.
Keeper confirmed the bug was fixed in its own blog post, which said “no customers were adversely affected by this potential vulnerability.”
Keeper said in its lawsuit that Goodin and his employer, tech site Ars Technica, also named as defendant, “made false and misleading statements about the Keeper software application suggesting that it had a 16-month old bug that allowed sites to steal user passwords.”
The security firm asserts claims for defamation and calls for a jury trial. The suit also calls for the retraction and removal of the article, and for damages to be awarded to Keeper. The full complaint can be found here.
Keeper chief executive Darren Guccione reiterated the company’s claims in an email sent to ZDNet, adding that it “vigorously defends its technology, brand, team members and customers.”
Ken Fisher, editor-in-chief for Ars Technica, did not immediately return a request for comment by email. Ormandy referred comment to Google, which declined to comment. We also reached out to Microsoft for comment but didn’t hear back. (If that changes, we will update.)
Several security experts and researchers on Twitter decried the lawsuit.
“This is bullying and Goodin is [definitely] def in the top 1 percent [of] knowledgeable journalists,” said Matthieu Suiche, founder of Comae Technologies, a Dubai-based security firm, in a tweet.
“If Keeper Security thinks this will make their software more secure, this will only irreversibly damage their reputation as a security company,” he added.
Kim Zetter, an independent security reporter, said in a tweet that the suit was “ridiculous.”
“What a bad precedent this is for a security firm to set and what a dishonorable way to treat a journalist who has covered security for years and takes great pains to get things right,” she added.
It remains unclear how successful the suit will be. Illinois, where the case is filed, is said to have “good” laws to protect against so-called strategic lawsuits against public participation (SLAPPs), which are largely seen as a way to protect free speech.
Keeper threatened to sue security firm Fox-IT for finding a security flaw in one of its products.
The case is 1:17-cv-09117 in the northern district of Illinois.
Contact me securely
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.