Keepass.com spreading malware acting as the official password manager site (opens in new tab)

I have the same issue with Putty. I was helping a client debug an issue with an appliance they bought from my company (me on their computer, them watching over my shoulder) and asked if I could download Putty on their machine. They said yes, so I went to "https://www.chiark.greenend.org.uk/~sgtatham/putty/" and clicked the download link and they flipped out. It's too fishy, they said, must be a malicious site. I went to putty.org instead (not affiliated with Putty), and clicked the "download putty" link and it redirected back to the other site, and from that point they refused to let me download Putty.

We then spent 3 hours getting approvals for me to get my own laptop on their internal network so I could use ssh from my Macbook. I felt bad because my company charges like $300/hr for our consulting services, so we wasted nearly $1000 because the main Putty download site seemed too suspicious for the client to be comfortable with.

I know Putty is legitimate and I know it's a free product, but appearances do matter. Presentation does matter. Although I do blame Microsoft a bit for not shipping an SSH client for so long.

When I used to install Keepass on a new computer, I would Google "keepass" and then hesitate a moment before clicking the .info domain. The best solution I could come up with was to start using KeePassXC instead.

Blocked for me by uBlock

Let this stand as a reminder that paying that extra 17$ for a more legit looking TLD may just be the right thing to do.

I have my browser that I use for logging into sites behind three layers of security:

- Google Safe Browsing

- Pihole including a couple of regularly updated malware lists

- uBlock Origin

It looks like Safe Browsing and pihole do not yet have this on the blacklist.

Caught it for me also - looks like keepass.fr is also taken.

Kinda surprised the badware list only contains 100 or so URL's!

Further proves the obvious: it's dangerous to use the Internet without uBlock Origin.

oof, .info and .biz are almost always red flags

And this is why you buy the .com domain for your company, instead of some weird one like .info, .io, or .pizza: most people assume that's where they'll find your company. If someone's squatting it, you can buy it from them, or just come up with a new nonsense word for your company.

Maybe developers are getting used to the `getQwerpy.io` convention, but I don't see it catching on more broadly.

> Literally they could just supply a password manager that also sends all the passwords to a third party.

Could have taken the source, added the backup to 3rd party server, and released binaries.

> but I feel like if you take the steps of getting into a such a security heavy space, then you have to be able to keep up your end of the bargain.

Why, if you don't earn enough money?

Quoting part of your original posting here:

I have been working on a fork of TrueCrypt/VeraCrypt and wanted to be sure that before releasing the code that I am following all the license terms and giving proper attribution, as TrueCrypt has a somewhat non-standard open source license.

TrueCrypt has an old trademark issued back in 2007 but which expired after 10 years in 2017. As part of the licensing review, I discovered there is a new trademark application filed August 25, 2018 by Julien Clairet under a company named "DATA ACCESS" based in Paris, France.

I discovered [that] "keepass.com" is also apparently registered to Julien / DATA ACCESS.

There is a publication period when new Trademarks are announced and an opportunity to contest the validity of the claim. The new "TrueCrypt" trademark was published on February 20, 2019, and you have 30 days from the time that the mark is published to file any opposition.

I am preparing to file a response to USPTO.

First of all, a huge thank you from everyone that loves TrueCrypt for doing this.

How long will it be before you know if they issued or rejected the trademark? Is there anything else that can be done now that the 30-day deadline has passed? Would you mind posting a link to the trademark application?

This only really works if you have an ad-blocker, or at least know to ignore the ads. Otherwise google will frequently end up frequently serving ads for a malicious product (most commonly seen for crypto products)

I don't know if it helps to have multiple reports, but Google's Report malicious software form is here:

https://safebrowsing.google.com/safebrowsing/report_badware/...

Can we not submit to Google to shut down for spreading malware or get the domain registrar involved?

Well, it tells you who wrote the laws. DMCA, sure as hell wasn't written by Clinton, he just championed it.

counterpoints:

* private space missions were financed from the sale of a predatory business (paypal)

* government space missions originated from the cold war arms races (that continue to this day)

* a few diseases are curable, many aren't. pharmaceuticals profit more from treatment than cure, however. Some ailments such as anaphalaxis and diabetes that are mostly treatable have been receding into "uncured/undertreated" territory because phama keeps raising the prices of insulin or epi pens.

* much of hunger, say in Africa, can be easily treated if we could find a way to keep warlords and corrupt gov's from stealing the aid, but our technology isn't helping us very much (not saying we shouldn't keep trying, but tech is of no use for this problem)

* synthetic organs sound great (if you need one). maybe this I concede is a victory for (bio)tech.

* trading money is really just trading information. Once the infrastructure is in place, it's a trivial matter.

deciding who gets to post content online is a much harder problem to solve. If you could make one call to google to have them de-listed from search, every company/political faction would be doing this to thier competitors/rivals.