[HN Gopher] KeePassXC: Beware of unofficial Microsoft Store listing
___________________________________________________________________
KeePassXC: Beware of unofficial Microsoft Store listing
Author : nixcraft
Score : 222 points
Date : 2022-09-28 11:29 UTC (11 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| YPPH wrote:
| I've generally found app stores aside from the Apple App Store
| and Google Play to be undesirable essentially for this reason.
| They don't seem to adequately scrutinise whether someone should
| be permitted to publish a particular app. It's particularly
| concerning to see free programs being sold by a third-party.
| yakubin wrote:
| Is KeePassXC a registered trademark? I haven't found any
| confirmation of it on KeePassXC's website, nor on Wikipedia, so I
| guess the answer is no. A shame really. Trademarks would be so
| useful in such situations, which seem to recur in the open source
| world with some regularity.
| nsajko wrote:
| I don't think that's connected at all. I'm guessing a trademark
| would only be relevant if KeePassXC went to court against
| Microsoft, which is far-fetched.
| solarkraft wrote:
| I wouldn't download anything from the Microsoft App store since
| it's hard to verify the source.
|
| This is a result of the failed strategy to explicitly _not_
| curate it and get as many apps as possible, no matter how bad
| they are.
|
| I'd like to know what goes on inside of Microsoft for them to
| keep following strategies that appear doomed to fail from the
| start.
| mox1 wrote:
| On the other hand, apps downloaded from there are given far
| fewer permissions on your PC. They are sandboxed to some extent
| [1].
|
| 1.
| https://en.wikipedia.org/wiki/Universal_Windows_Platform_app...
| elcomet wrote:
| Yeah but I'd say the main threat for KeePassXC is not the app
| accessing your system, it's more about the fake app accessing
| all your passwords.
| izacus wrote:
| No, not all apps are UWP apps on Microsoft store. They allow
| normal installers as well these days.
| desindol wrote:
| "This App is provided and updated by X." I don't know what
| more you expect them to do.
| iggldiggl wrote:
| And it suffers from the same limitations as any other
| attempts at filesystem sandboxing - it only caters for the
| simple "open/save one file" respectively "open/save within
| one folder (plus subfolders)" use cases and ignores (and
| breaks) the existence of any other workflows.
| stygiansonic wrote:
| Wow, the fake listing even links to the official GitHub repo
| giving the impression it's from the same org/people.
| charles_f wrote:
| That's a "problem" with GPL, it's immoral but it's not illegal,
| since the license grants you permission to distribute and charge.
| Quite concerning though...
| stinkytaco wrote:
| GPL does not include trademark permissions. I realize from a
| practical perspective it's difficult for a small organization
| to enforce trademarks on this scale, but trademarks are a rare
| area where business and consumer interests align.
| bongobingo1 wrote:
| Probably adds some credence to trademarking terms like
| Wireguard, Debian, etc. You could probably hit the store with
| an unlicensed use of the mark?
|
| Of course they could still just put it up as `KeePassSX` or
| something, but it gives the creators a bit of ground to stand
| on?
| nyuszika7h wrote:
| It could still be technically considered a license violation if
| they're not making the source code the counterfeit version was
| built from available.
| yjftsjthsd-h wrote:
| It would be really hilarious to find a backdoored app and
| demand the source code for the backdoors in accordance with
| the license.
| winnie_ua wrote:
| WTF, Microsoft?
|
| You need to specify that you are using Visual C++
| Redistributable? That's wild. I thought MS Store should take care
| of such dependency and install it automatically.
| butz wrote:
| Has anyone tried looking into how this "unofficial" program was
| uploaded without any policy violations? Are they using some sort
| of code obfuscation or UPX to bypass automatic checks?
| TonyTrapp wrote:
| I've been in the same situation, filled in their contact form
| multiple times and I got exactly zero feedback, not even an
| acknowledgement. The app listing by a third party is still there.
| nyuszika7h wrote:
| A DMCA notice might be faster, assuming they're violating your
| license in some way.
| TonyTrapp wrote:
| "Unfortunately" they don't. It's BSD 3-clause and I don't
| think the 3rd clause of the license regarding endorsement
| applies to this case.
| kelnos wrote:
| I wonder if the KeePassXC team has a trademark on their name.
| If so, they'd have legal grounds to get it taken down. Not
| via DMCA, but still...
| neves wrote:
| Are you happy with KeePassXC? How is the usability?
| nixcraft wrote:
| Yes, I am 100% happy with this app on my Ubuntu Linux desktop.
| I don't want cloud hosting for my passwords.
| jmcphers wrote:
| I used it for a long time and eventually quit because sync
| isn't good enough -- it just writes to an opaque binary file
| you have to sync yourself (with Syncthing, Dropbox, Onedrive,
| etc.). I had my password database on multiple devices (phone,
| several computers) and wound up with conflicts once or twice a
| month.
| bongobingo1 wrote:
| This was my feeling. I use bitwarden now, because I can run
| it myself if I want to (honestly I trust them to secure
| things more than me, as my copy would be mixed in with a
| bunch of other services on the same machine).
|
| I think for some people it's probably pretty great, or for
| storing not-website-passwords it's probably also good, though
| there are probably simpler to manage tools for
| "terminal/server" use like `pass`.
| OrwellianChild wrote:
| Can I ask what sync solution you were using that caused
| problems? About to implement a KeePassXC/Syncthing setup and
| would love to know if I should expect issues...
| jmcphers wrote:
| I was using Dropbox to sync the KeePass database (also
| tried OneDrive).
| paulmd wrote:
| mainline keepass includes a "force synchronize instead of
| overwrite on save" option, if you have a shared drive you can
| throw it on, that pretty much solves conflicts.
|
| strongbox has pretty intelligent support for maintaining a
| cached copy, and the sync support has always worked as
| expected for me there. The keepass format does store last-changed
| date so it is relatively trivially possible to
| synchronize a database (assuming you can decrypt/open it
| ofc).
|
| if you need it on the go, VPN tunnel back, or again,
| Strongbox has good native support for dropbox sync or
| onedrive etc, can't specifically vouch for it but Strongbox
| seems pretty competent.
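The last-changed based synchronisation paulmd mentions, as an added example (this is neither the thread's nor KeePass's own code): a newest-wins merge over entries keyed by UUID, combined with deletion tombstones of the kind the KDBX DeletedObjects list keeps, so that a deletion on one device is not undone by the stale copy on another. `Entry`, `merge_entries` and the timestamps in `demo()` are constructed for illustration; both copies must already be decrypted, and a real merge would also have to cover groups and entry history, which this skips.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Entry:
    """One password entry after the database has been decrypted.

    last_modified stands in for the KDBX Times/LastModificationTime
    stamp; uuid is the stable per-entry identity KeePass keeps.
    (Constructed model for this example, not the real KDBX schema.)
    """
    uuid: str
    title: str
    password: str
    last_modified: datetime


def merge_entries(local, remote, local_deleted, remote_deleted):
    """Merge two copies of the same database.

    local, remote:                 iterables of Entry
    local_deleted, remote_deleted: {uuid: deletion_time} tombstones, the
                                   role the KDBX DeletedObjects list plays

    1. Per UUID, the copy with the newest last_modified wins.
    2. Tombstones are unioned, keeping the newest deletion time.
    3. An entry is dropped if a tombstone for it is at least as new as
       the surviving copy: a deletion on one side is not resurrected by
       the stale copy on the other side, but an edit made after the
       deletion keeps the entry alive.
    Returns (merged_entries_by_uuid, merged_tombstones).
    """
    newest = {}
    for e in list(local) + list(remote):
        cur = newest.get(e.uuid)
        if cur is None or e.last_modified > cur.last_modified:
            newest[e.uuid] = e

    tombstones = {}
    for side in (local_deleted, remote_deleted):
        for uuid, when in side.items():
            if uuid not in tombstones or when > tombstones[uuid]:
                tombstones[uuid] = when

    merged = {
        uuid: e
        for uuid, e in newest.items()
        if tombstones.get(uuid) is None or tombstones[uuid] < e.last_modified
    }
    return merged, tombstones


def _t(hour, minute=0):
    """Constructed UTC timestamps for the sample data below."""
    return datetime(2022, 9, 28, hour, minute, tzinfo=timezone.utc)


def demo() -> dict:
    """Constructed sample: the same database edited on two devices.

    - A was changed on both sides; the 10:30 remote edit wins.
    - B was deleted on remote at 11:00, after its last edit: dropped.
    - C was deleted on remote at 11:30 but re-edited locally at 12:00: kept.
    - D exists only on remote: added.
    Returns {uuid: password} of the merged result.
    """
    local = [
        Entry("A", "mail", "local-pw-A", _t(10, 0)),
        Entry("B", "bank", "pw-B", _t(9, 0)),
        Entry("C", "vpn", "pw-C-edited", _t(12, 0)),
    ]
    remote = [
        Entry("A", "mail", "remote-pw-A", _t(10, 30)),
        Entry("B", "bank", "pw-B", _t(9, 0)),
        Entry("C", "vpn", "pw-C", _t(8, 0)),
        Entry("D", "wifi", "pw-D", _t(11, 45)),
    ]
    merged, _ = merge_entries(local, remote, {}, {"B": _t(11, 0), "C": _t(11, 30)})
    return {uuid: e.password for uuid, e in sorted(merged.items())}
```

The tie-break in rule 3 (a tombstone with the same timestamp as the entry wins) is a design choice: when a clock cannot tell an edit and a deletion apart, losing a stale copy is safer than resurrecting a credential the user deliberately removed.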
| lotsofpulp wrote:
| I use both KeepassXC and Strongbox on various machines
| synced via iCloud and have not experienced any problems.
| tmtvl wrote:
| I use KeepassXC (I started using KeepassX after a controversy
| around LastPass) and I'm very much a fan.
|
| There is a Firefox add-on that works quite well and for other
| applications copy-paste with automatic clipboard clearing is
| good enough. It can't be scripted like Pass can be, but for
| regular use it's fine.
| farisjarrah wrote:
| Fantastic usability if you can get a good story around syncing
| your passwords in place. Most people use Dropbox or some other
| cloud storage as the location for their password vault and it
| syncs everywhere for you automatically.
| michaelcampbell wrote:
| As a long time keepass _format_ user, I find it the "best"
| client for me in terms of UX and user QOL. Mainly the
| autosaving and auto-re-reading (since I use a p2p syncthing to
| keep my db in sync across machines) features.
|
| I use it on windows, linux, and mac.
| abdullahkhalids wrote:
| I am very satisfied with it. In addition to passwords, I also
| use it to manage my ssh keys, which works great.
|
| The browser plugin is good too. It rarely malfunctions, and
| when it does it is on user-hostile websites, like the Office365
| login pages.
| PascLeRasc wrote:
| The desktop app is ok, but the browser extension takes a lot of
| maintenance to keep using autofill. Each install is usually
| only good for a couple days before it can't find the desktop
| app anymore and there's no way to fix it without reinstalling
| and manually setting up sane keyboard shortcuts.
| dathinab wrote:
| Decent. But can depend on usage a bit.
|
| - browser plugin is okay and I have no problems with it, but
| when it comes to password manager hostile login setups it isn't
| quite as good as some commercial solutions
|
| - in some HiDPI setups with fractional scaling there had been
| buggy behaviour, probably fixed by now, probably had not been a
| problem with most HiDPI setups either
|
| - I haven't tried some of the integrations (e.g. SSH Agent).
|
| Anyway I'm quite happy with it.
| sigzero wrote:
| I am just waiting on the default templates to be added
| (credit cards, etc.) and I will be moving to it.
| tkuraku wrote:
| I use keepassxc on windows and linux and it is awesome.
| theandrewbailey wrote:
| Yes. I started using KeePass almost 10 years ago, then switched
| to XC about 4 years ago because it had features built-in that I
| needed plugins with KeePass for:
|
| TOTP
|
| SSH agent
|
| browser integration
|
| Switching to XC made managing, updating, and installing things
| much easier.
| josephcsible wrote:
| I wish app stores had a rule to the effect of "if you're not the
| official maintainer of an open-source program, you can't upload
| it without changing its name".
| WorldMaker wrote:
| The Microsoft Store has been trying to find the right policy
| for that. For a brief couple of months policy 10.8.7
| accidentally forbade charging for _any_ open source, in the
| hope of counteracting some of the people profiting from open
| source that were not official maintainers, but that policy
| change was rolled back because there are several legitimate
| open source projects whose official maintainers use store
| sales as a useful donation stream.
|
| Meanwhile there is a bullet point in policy 10.1.1 that is
| almost directly what you are asking for, it is currently: "Your
| product must not claim to be from a company, government body,
| or other entity if you do not have permission to make that
| representation."
|
| I certainly believe that "other entity" covers most open source
| organizations that aren't specifically companies already (or
| wrapped in a Foundation/Conservancy that acts as a "corporate
| parent").
|
| The problem can't be solved with just policies though, the real
| key is enforcement: the fake listings from non-maintainers of
| open source need to be reported to be enforced. That likely
| means review time by staff. Tweets like the one linked here
| today can be calls to arms to submit user reports to help
| Microsoft know there's a possible problem here. Hopefully
| policies get enforced (eventually).
| bongobingo1 wrote:
| https://apps.microsoft.com/store/search?hl=en-gb&gl=gb&icid=...
|
| Seems the publisher probably skates on a few other free software
| projects like filezilla & vnc. I assume the free apps are simply
| spyware.
| nominusllc wrote:
| or it could be from someone outside the nerd community thinking
| that they're 'helping' or that it's an easy way to accrue
| admiration or favor.
| mnadkvlb wrote:
| Ideally the publisher should be banned. I also think it's easier
| to blame Microsoft; on the other hand, isn't that the job of a
| store? I feel conflicted here about the responsibility.
|
| Since I am a happy keePassXC user I would definitely donate
| time/money/both to push a proper release for the store if
| someone is interested
| rzwitserloot wrote:
| The blame is obviously on microsoft. They peddle the appstore
| as a much safer alternative, and they keep a bunch of the
| cash - it's a service, that is being sold as a service.
|
| Microsoft makes no effort to indicate that evidently the
| buyer must beware entirely, and that appearance in the
| appstore means absolutely nothing in regards to it being
| spam, spyware, or legally 'counterfeit'. This is likely
| legally speaking risky - they're selling illegal goods,
| assuming this is a copyright violation which it probably is.
| Microsoft is guilty of the crime of fencing by doing this. I
| know that in The Netherlands, that crime (in dutch, 'heling')
| is a criminal offense. You need to be doing it intentionally,
| but given that they have now been notified, give it a few
| days and I'm pretty sure you really could just get em
| criminally sanctioned.
|
| "Oh but I did not know" as a defense only gets you so far in
| court. It should get you absolutely nowhere in the court of
| public opinion, especially given that microsoft is marketing
| their app store as the opposite.
|
| Apple and google are also guilty of this stuff; wanting all
| the cash and harping on and on about how much value they add
| by being the guardian of it all, and then doing an epically
| horrible job on guarding it.
|
| It's so depressing that the obvious problem (the operators of
| these app stores are natural monopolists within that context
| - and monopolists tend not to focus on actually doing a good
| job because no competition) and that it then almost
| immediately goes that badly.
| robotnikman wrote:
| It's even worse when you consider how many innocent
| developers get their accounts banned on their stores while
| these obviously fake apps skate on by without consequences.
| Firmwarrior wrote:
| I posted a free app I wrote on the Microsoft store, and
| the process to get it there was a nightmare. I'm
| surprised they let the fake app from TFA through,
| considering the multiple weeks of chop-busting and
| paperwork inspection they did to me just to put a free
| app up
| ls65536 wrote:
| The KeePassXC team has also been trying to get their app into the
| store while this has happened. While this is nothing new in
| general, it's yet another "counterfeit" app proliferating in
| what's supposed to be considered a trusted source to be able to
| get your applications from.
|
| This is a good example of how "app stores" tend to provide a
| false sense of security about what you're really downloading.
| There are clearly failures in terms of vetting what's there and
| towards ensuring that the user is actually getting what they
| think they're supposed to be getting.
|
| Perhaps the "app store" model is still generally better than
| downloading executable code from completely random sources
| (nobody should be doing that), but I'm not sure there's anything
| more reliable (and also "secure") here than downloading a piece
| of software from its official source (such as from a server under
| the domain of the known publisher), verifying hashes/signatures,
| and leaving out as many intermediaries as possible who often have
| motives not fully aligned with the software user. Of course, this
| would require users to possess and be willing to use some
| knowledge of basic software and data hygiene, but it seems that
| along the way we have somewhat given up on that and so now we're
| stuck trusting these intermediaries usually much more than they
| ought to be trusted.
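The verification step ls65536 describes, as an added example that is not part of the thread or of KeePassXC's own tooling: it checks that a download URL's host is exactly the publisher's domain (assumed here to be keepassxc.org or github.com; substitute the real publisher), parses a sha256sum-style digest file (the `<hex>  <filename>` layout; whether a given project's published digest files use exactly this format is an assumption to check on its release page), and compares the artifact's SHA-256 against it in constant time. The file name, bytes and digest text in `demo()` are constructed. Verifying the publisher's detached signature on the digest file is the second half of the check and is not shown here.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import urlsplit

# Hosts accepted as "the official source". Assumption for this example:
# the project's own domain and its GitHub organisation; replace with the
# publisher domain of whatever you are actually downloading.
OFFICIAL_HOSTS = {"keepassxc.org", "github.com"}
HEX = set("0123456789abcdef")


def is_official_source(url: str) -> bool:
    """Accept only https URLs whose exact host is in OFFICIAL_HOSTS.

    Lookalikes such as keepassxc.org.example.net, userinfo tricks such as
    https://keepassxc.org@evil.example/ and plain http are all rejected.
    This vets the location, not the bytes; see verify_download for that.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host in OFFICIAL_HOSTS


def parse_digest_file(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <filename>') into {filename: hex}.

    Anything that is not a 64-char hex digest followed by a name raises,
    so a truncated or tampered digest file fails closed instead of being
    silently skipped.
    """
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"digest line {lineno} is malformed: {raw!r}")
        hexdigest, name = fields[0].lower(), fields[1].lstrip("*")  # '*' = binary mode
        if len(hexdigest) != 64 or not set(hexdigest) <= HEX:
            raise ValueError(f"digest line {lineno} is not a SHA-256: {raw!r}")
        digests[name] = hexdigest
    return digests


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so a large installer is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, digest_text: str) -> bool:
    """True only if the file's SHA-256 equals the digest published for its name."""
    expected = parse_digest_file(digest_text).get(os.path.basename(path))
    if expected is None:
        return False  # nothing published for this file name: fail closed
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo() -> tuple:
    """Constructed demonstration: a fake installer plus its digest file,
    then the same file with one byte flipped. Returns (clean_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "KeePassXC-example-Win64.msi")  # hypothetical name
        with open(path, "wb") as f:
            f.write(b"MZ" + bytes(range(256)) * 64)  # constructed bytes, not a real MSI
        # What the publisher would serve next to the artifact.
        digest_text = f"{sha256_of_file(path)}  {os.path.basename(path)}\n"
        clean_ok = verify_download(path, digest_text)
        with open(path, "r+b") as f:  # flip one byte, as a trojaned build would differ
            f.seek(1000)
            b = f.read(1)
            f.seek(1000)
            f.write(bytes([b[0] ^ 0xFF]))
        tampered_ok = verify_download(path, digest_text)
    return clean_ok, tampered_ok
```

A digest file fetched from the same server as the artifact only proves the two were not corrupted in transit; against a compromised or counterfeit host it proves nothing, which is why the digest (or the artifact) also needs a signature from a key you obtained out of band.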
| ultraforce wrote:
| It is kind of annoying how often, when using winget, there might
| be two options: the winget version, which is the app, and an
| msstore version that is from an unknown publisher just using
| the same name for the app.
| gurchik wrote:
| I was trying to mirror my Android smartphone to my Samsung TV
| to show a webpage to someone. This feature is called "Smart
| View" in the TV's menu, but I didn't know how to connect, so I
| searched that name in the Google Play store. There are dozens
| of results, only one of them is the official app that has any
| chance of working. There are two apps[1][2] that actually
| appear to be the same app just with slightly different names
| presumably so they appear twice in the search results. One
| app[3] has some very suspicious ratings and I can't help but
| notice that the publisher's name is "SmartThings.net" which
| appears to add more credibility until you see the domain has
| nothing to do with the app. I understand it can be hard for
| Google to vet these apps but some of these failures (like
| verifying you actually own the domain you are pretending to be
| affiliated with) seem like they could be automated.
|
| Edit: spelling
| 1. https://play.google.com/store/apps/details?id=com.screenmirror.forvizio.smarttv.screenshare
| 2. https://play.google.com/store/apps/details?id=com.smartview.castto.screenmirror.appfor.miracast
| 3. https://play.google.com/store/apps/details?id=com.smartview.screen.mirroring
| WorldMaker wrote:
| The publisher name one is a silly social engineering hack:
| Google _does_ validate publisher name, but it validates it as
| a Legal Name, a Company Name. Those are handled by various
| political registries (State Tax Organizations, for instance).
| They don't know or care about domain names and
| "SmartThings.net, LLC" is silly looking to them but
| acceptable. They often generally try to avoid name clashes in
| a region (state), but generally they don't even work that
| hard at it because true name clashes are the territory of
| trademark/small mark/service mark laws.
|
| It was one of the failure cases in EV certificates back when
| browsers briefly thought "maybe it would be a good idea to
| highlight the website's legal name in the URL bar". Find the
| right jurisdiction and you can get any sort of "legal name"
| you want, including things that should have been "obviously"
| counterfeit like a "Facebook.com, LLC" and were perfectly
| good for phishing.
| PaulKeeble wrote:
| I think we ought to be able to have a model that suits the
| Windows model better which doesn't require centralisation. A
| piece of software running on the desktop that provides update
| capabilities but where each piece of software is picked up from
| its original site and the location is set to that site.
| Somewhat like the Ubuntu repository model but without the
| multiple steps just an installer that installs the common
| updater tool if needed, registers itself and then this works
| for all other software too that buys into the model. It should
| be fairly cheap to run such a tool since the bandwidth is for
| all the different software tools and completely common features
| are available to everything. Its just the updater with some
| standards for implementing software updates without a store.
| easton wrote:
| winget does almost exactly this. It detects apps that are
| already installed on your machine and if it can find a match
| in its catalog, it can upgrade it. (Of course you can
| install/uninstall via the tool if you have a fresh box).
|
| `winget upgrade --all` from a command line (assuming your
| Windows is reasonably up-to-date, otherwise,
| https://github.com/microsoft/winget-cli to get the latest
| release manually)
| tpoacher wrote:
| If only there was a way to have quality repositories of
| packages curated by the OS team itself... alas, such a thing is
| probably not possible in the operating systems space for
| another few decades at least ...
|
| /s
| winnie_ua wrote:
| Nice irony :D
___________________________________________________________________
(page generated 2022-09-28 23:02 UTC)