[HN Gopher] Hijacking Trust? Bitvise Under Fire for Controlling ...
___________________________________________________________________
Hijacking Trust? Bitvise Under Fire for Controlling Domain of FOSS
Project PuTTY
Author : ColinWright
Score : 68 points
Date : 2025-07-16 06:22 UTC (16 hours ago)
(HTM) web link (blog.pupred.com)
(TXT) w3m dump (blog.pupred.com)
| andreareina wrote:
| Related: https://news.ycombinator.com/item?id=44558328 "putty.org
| is not run by PuTTY developers"
| greatgib wrote:
| Here they think that what Bitvise is doing is legal but I think
| that it might not be the case in the law of a number of countries
| and even possibly in domain names "regulation"?
|
| This is parasitism, or deceptive practice to hold the domain name
| of a competitor claiming you are to be associated with the other
| project.
| lmz wrote:
| Certainly it's one basis for dispute (but only if it is
| trademarked): https://www.wipo.int/amc/en/domains/
| mieses wrote:
| extremely subjective. the damage of allowing schoolmarm types
| to determine laws based on what they think is parasitic or
| deceptive is more dangerous than the unambiguous and coherent
| concept of property. PuTTY owns
| https://www.chiark.greenend.org.uk/~sgtatham/putty/ There are a
| number of strings in this domain that cause me great distress.
| Should I be allowed to seize their property?
| brabel wrote:
| What a ridiculous argument. Every project and company that
| has a trademark should be allowed to protect that, including
| by claiming domains clearly intended to appear associated
| with their trademark. Being offended by strings has nothing
| to do with that and it's childish to try to derail the
| conversation like that.
| fanf2 wrote:
| Bitvise are "passing off" which is a tort in English law
| https://harperjames.co.uk/article/passing-off/
| charcircuit wrote:
| Under fire from who? That "journalist"?
|
| It's best to just ignore them instead of trying to play their
| games.
| udev4096 wrote:
| Who uses putty anyway? Doesn't winblows have a native ssh client?
| thyristan wrote:
| Yes, but an outdated and broken version usually. You'd have to
| install mingw or cygwin for a proper one, or use a Linux VM
| like w4lv2.
| msgodel wrote:
| Putty isn't just ssh, it's also the VTE and serial terminal.
| Also it has its own keys/configs/shortcuts people are almost
| certainly used to. I don't think there's even an easy way to
| migrate putty shortcuts (I can't remember what they're called)
| to OpenSSH.
| udev4096 wrote:
| I forgot. Windows users are so inefficient that they require
| a GUI for doing just about anything. Have fun being
| inefficient!
| msgodel wrote:
| It's a different paradigm. I think just like they do
| sometimes we get lost in our own world. They had CUA and
| portable apps before malware became a big deal and got
| really used to that.
|
| I think people should respect that and try harder to meet users
| where they are.
| udev4096 wrote:
| Modern malware tries to infect all the systems. Long gone
| are the days where linux or macos malware didn't exist.
| Stop bringing up utterly useless arguments just so you
| can justify your usage of winblows
| 112233 wrote:
| I use putty on linux. now what?
| mrweasel wrote:
| I hope you do, that would be pretty funny. Like using
| PowerShell as your shell on Linux.
| udev4096 wrote:
| No one in their right mind would use powershell core. zsh,
| fish and plenty of other shells are way mature and don't
| have Microshit behind it
| mrweasel wrote:
| Not going to comment on the author's state of mind but:
| https://starkandwayne.com/blog/i-switched-from-bash-to-power...
| 112233 wrote:
| I'll bite. What is your preferred way to use serial port
| console on linux? Kermit? I am really no fan of minicom...
|
| Also, I'd take pterm over modern gpu electron nodejs turtle
| tower terminals. It has sane requirements and performance,
| behaves in a consistent, predictable manner and handles
| large scrollback very well.
|
| Why bad?
| mrweasel wrote:
| No one said bad. Putty is awesome, it's just always funny
| when the best program on Linux is a Windows program
| running in Wine.
|
| I didn't consider serial ports, only SSH, in that case I
| actually do struggle to suggest something better.
|
| As for terminals, I don't know, I just run Xterm.
| 112233 wrote:
| xterm is actually great, if you know to invoke and use
| the exotic control UI. That software is _ancient_.
|
| Using putty's plink/pscp/pftp commandline tools are
| refreshingly straightforward and also have merit, at
| least as a way of not dealing with OpenSSH maintainer
| tantrums (each release inventing wonderful ways to break
| your setup or confuse you for no good reason).
|
| It is an all-around small, solid piece of software (like his
| puzzle collection), that is a magnet for all sorts of
| crooks that try to distribute their "spiked" versions, or
| try to charge for it...
|
| I am amazed it has not gone the way of libtomcrypt yet.
| Arrowmaster wrote:
| I don't need to use a serial com that often, but when I
| do I use picocom. I'm already on Linux and wanting to do
| cli things so I want to use my normal terminal emulator.
| The readme doesn't really cover all it does as well as
| the man page.
|
| https://gitlab.com/wsakernel/picocom
| zylent wrote:
| If you're using serial heavily,
| https://www.vandyke.com/products/securecrt/
| udev4096 wrote:
| Then you shouldn't use linux. Go back to winblows
| mnaimd wrote:
| > "The difference is not one of profit, it is one of philosophy.
| You believe software can be managed by a committee. I believe
| software requires an owner, otherwise it is dead."
|
| This justification is even worse than the domain squatting
| itself.
|
| Some of the most influential software in history (Linux, Git,
| GCC, and yes, PuTTY) thrived under community-driven development.
| The idea that software "dies" without a single corporate owner is
| not just false, it's insulting to the open-source ecosystem.
|
| If Bitvise truly believes in their philosophy, they wouldn't need
| to borrow PuTTY's reputation by holding putty.org. Maybe they
| should spend less time on branding and more time studying how
| successful open-source projects actually work.
| TrevorStepnikkk wrote:
| I see where you're coming from, but I think your examples
| actually prove the opposite point.
|
| I've always seen Linux and Git not as projects run by a
| committee, but as projects guided by a single, trusted leader.
| Linus Torvalds is the owner of the kernel's vision. He has the
| final say. That isn't community consensus; it's benevolent
| dictatorship.
|
| So while the putty.org situation is shady, I believe the core
| idea is right: great software needs a final arbiter with a
| clear vision, not just a crowd.
| goku12 wrote:
| I seriously doubt that they're talking about leadership when
| they say ownership. Otherwise it would make little sense
| because few foss projects are democracies anyway.
| arp242 wrote:
| The thing is that this was his "answer" to what was really
| the quite reasonable question of "do you think this is
| ethical?" To start talking about this sort of thing is
| completely disconnected from the actual question.
|
| Of course you can have discussion about these aspects of the
| open source ecosystem; this is a long-running discussion
| where many people have discussed and disagreed in good faith.
| I don't entirely agree with your take personally, but I also
| don't entirely disagree and can see where you're coming from,
| and it's of course an interesting thing to discuss.
|
| However, in this context, as an "answer" to that question,
| it's hard to see it as anything other than just self-serving
| post-hoc rationalisation for being a selfish wanker. This is
| classic nihilism where the abuse of everything and everyone
| is justified as long as you can get away with it. Everything
| that moves the needle and you can get away with is morally
| justified because it moves the needle and you can get away
| with it.
| msgodel wrote:
| I don't think Bitvise is even doing anything wrong here? There's
| nothing wrong with running what is essentially a fan site and
| promoting your own things on it.
| SpaceNugget wrote:
| It's a company who bought the domain of the exact name of the
| largest open source project that they directly compete with and
| then advertise themselves on it? This is at the very least
| unethical. You can't just use a competitor's exact name to run a
| website that tries to snipe users looking for your competitor
| and call it a "fan site".
|
| The comments on this submission are pretty strange. What are
| the chances that a bunch of non-sockpuppet HN type of people
| are in support of this kind of garbage? Generally with this sort of
| abysmal behaviour like the email communication in the article,
| there's people going to bat against actually defensible actions
| purely in the name of civility on HN. These bitvise people seem
| bad from both angles and yet the early comments are either
| ignoring the issue and redirecting (e.g. "who even uses putty")
| or outright defending their shitty behaviour?
| msgodel wrote:
| You can buy domain names with competitors' names in them.
| People do this all the time. If you don't want people doing
| that you need to register the names yourself.
| ColinWright wrote:
| So someone who has written something and made it available
| for the common good, and makes no money from it, should now
| go and buy every possible domain that people might use in a
| deceptive manner.
|
| This is a great example of what drives people away from
| providing anything for free.
| msgodel wrote:
| It's a namespace problem. You can't just ban people from
| registering anything that might be confusing like that.
| If we followed your idea the internet wouldn't work.
|
| EDIT: They're not deceiving users though? The first
| section on the index page links directly to the real
| putty site. They're very clear about all of it.
|
| EDIT2: Nope. We _really_ don't want DNS "moderators."
| All of us have seen what happens with forum moderators.
| Like I said if that were done the internet would not
| work. It's not about the cost it's about being unable to
| clearly define what should be banned.
|
| If you want to see a great example of how moderation like
| that both stops legitimate use and fails to stop malware
| go look at smartphone app stores. The result is
| borderline unusable garbage.
| mordae wrote:
| You absolutely could, though.
|
| Deceiving users? Warning, temporary ban, permanent ban!
|
| Selling mushy stuff for plumbers and kids? No problem!
|
| It takes a simple reporting system, couple moderators
| costing peanuts compared to what we pay for the names and
| a clear set of rules forbidding intentionally misleading
| users.
| whywhywhywhy wrote:
| Yes, all the ones actually worth owning are only a few
| dollars if you have a unique project name, you don't need
| "every possible domain" you just need one that looks
| legit.
|
| Unfortunately this is the world we live in where if you
| don't then someone else will and they'll abuse it so you
| have to act defensively.
|
| Either you put the time into the project and care about
| it in which case you should spend the few dollars a year
| defending it from drama like this, or you don't care even
| a few dollars worth about the project in which case just
| let whatever happens happen because you don't care, a
| .org is the price of a few coffees.
|
| Only a few parts of the world you can leave a bike
| unlocked on the street, and the internet contains the
| whole world.
| em-bee wrote:
| there are too many top level domains that look legitimate:
| https://putty.app https://putty.at
| https://putty.click https://putty.cloud
| https://putty.codes https://putty.co.uk
| https://putty.com https://putty.computer
| https://putty.dev https://putty.digital
| https://putty.domains https://putty.engineer
| https://putty.host https://putty.hosting
| https://putty.info https://putty.io
| https://putty.media https://putty.net
| https://putty.network https://putty.online
| https://putty.org https://putty.software
| https://putty.solutions https://putty.tech
| https://putty.technology https://putty.website
|
| i could not tell which one of these should be more
| legitimate than any other. registering even just a few of
| those is going to add up to a sizable yearly bill.
| Eldt wrote:
| That's a good way to lose your domain name
| whywhywhywhy wrote:
| It's definitely unethical but the creator of Putty keeps
| insisting and repeating that the Putty website is the long
| old homepage style URL and "always has been" and "if people
| search they can find it".
|
| I think if they actually have a problem with it and are not
| just repeating that to cope they need to start acting like
| they have a problem with it. Trademarks need defending and
| you come out the door with the mental model that it's yours,
| you own it, the other group are in the wrong. If you opened
| your trademark dispute with "Well our trademark has always
| been X and people know to find us at X" you're gonna lose
| your dispute.
|
| It's just hard to argue it's actually a real problem if the
| individual it's affecting keeps sort of pretending and saying
| that it's not even if deep down it is.
| fifteen1506 wrote:
| It's a free ad!
| asimops wrote:
| I don't get it. The putty website has always been
| https://www.chiark.greenend.org.uk/~sgtatham/putty/
|
| This has never changed.
|
| Just because someone likes to use short circuit routing in their
| head doesn't make putty.org the official site for putty.
|
| That is the same attitude as telling the Keepass folks that
| https://keepass.info/ is wrong...
|
| edit:
|
| Maybe also have a look at the putty FAQ, especially 9.3
|
| https://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html#...
| TonyTrapp wrote:
| How does your example relate? keepass.info is the official
| Keepass website, owned by the Keepass developer.
| asimops wrote:
| As is https://www.chiark.greenend.org.uk/~sgtatham/putty/ to
| Putty.
|
| Still there were multiple requests to the Keepass project to
| change that domain to "a proper" domain like keepass.com
| stavros wrote:
| I, too, took your comment to mean that keepass.info is to
| KeePass as putty.org is to PuTTY.
| asimops wrote:
| Well, classic sender receiver mismatch I guess :D
|
| Is my intent more clear with that second try to explain?
| If not, I'm more than welcome to talk about a better way
| to phrase it :)
| mtlynch wrote:
| I was confused as well and panicked that I'd been
| installing KeePass from a fake site all these years. But
| keepass.info is indeed the official site.
|
| Suggest: That is the same attitude as critics telling the
| Keepass maintainer to migrate the (official) keepass.info
| domain to a .com...
| GoblinSlayer wrote:
| For some reason there's no .official tld, there's .app,
| .codes, .dev, .download, .kosher
| arp242 wrote:
| It's a nice idea in principle, but one problem with that
| is that for many names, there are multiple "official"
| meanings. Apple Inc. and Apple Records is a well-known
| example. This is why Wikipedia has (sometimes lengthy)
| disambiguation pages.
| ColinWright wrote:
| Here's a framing of the problem.
|
| _There's software called PuTTY, and non-technical or less
| technical people, or even technical people who are running on
| autopilot, might reasonably expect that it's hosted on
| putty.org._
|
| _They just need to be more careful._
|
| Here's an analogy.
|
| _Even capable programmers keep screwing up when using C and
| end up with memory leaks and security vulnerabilities. But that's
| no reason to stop using it ... people should just be more
| careful._
|
| No analogy is perfect, every example has problems and
| loopholes, but this seems a reasonable one. Just as people
| should use programming languages that make it harder to make
| mistakes, so companies should not behave in deceptive manners,
| and when they do, they should be called out on it.
| 112233 wrote:
| It is a good analogy.
|
| Similarly, telcos keep accepting and showing any cooked up
| caller ID over their SS7, and when someone gets scammed
| because they trusted the caller ID, the messaging I hear
| always actually is "people should just be more careful."
|
| Same as banks requiring only card number to give someone
| money from the account. "you should be more careful with your
| card number."
|
| It is sad to hear the level of victim blaming from the big
| industry.
| asimops wrote:
| I don't think the issue really stems from putty.org being
| there. It stems from a "trusted" third-party, the search
| engine, suggesting you the wrong place.
|
| Therefore I think you are missing the point with your
| analogy.
| GoblinSlayer wrote:
| Nontechnical people afraid of a scary console window use
| putty?
| meepmorp wrote:
| Yes. Unfortunately.
| sdflhasjd wrote:
| Google (not saying it's a good search engine, but people use
| it) puts putty.org at the top of search results.
|
| The result shows as: Download PuTTY - a free SSH and telnet
| client for Windows. PuTTY is an SSH and telnet client, developed
| originally by Simon Tatham for the Windows platform. PuTTY is
| open source software that is available with source...
| ColinWright wrote:
| Point of information.
|
| From that doc:
|
| _A.9.3 Would you like me to register you a nicer domain name?_
|
| _No, thank you. Even if you can find one (most of them seem to
| have been registered already, by people who didn't ask whether
| we actually wanted it before they applied), we're happy with
| the PuTTY web site being exactly where it is. It's not hard to
| find (just type 'putty' into google.com and we're the first
| link returned) ..._
|
| Searching for "putty ssh" on both DDG and Google now return
| putty.org as their top result.
| whywhywhywhy wrote:
| It's not even on the screen for me when searching "putty"
|
| 1: putty.org
|
| 2: "People also ask, What is putty and why is it used?" then
| 4 other questions about the material putty taking up most of
| the page
|
| 3: Videos "How to use Putty to SSH on Windows"
|
| ----- Fold -----
|
| 4. Video "How to Use Putty?"
|
| 5: Video "How to SSH Without a Password with Putty"
|
| 6: https://www.chiark.greenend.org.uk/~sgtatham/putty/ the
| actual site
| asimops wrote:
| This is definitely something that should be raised to the
| putty team. But with how the rest of the text is worded, I
| doubt that will change their mind.
| peanut-walrus wrote:
| Huh weird, usually top 3 results are "sponsored" links
| serving malware.
| asimops wrote:
| Might be one of those weirdos using an ad blocker ;)
| GoblinSlayer wrote:
| Mojeek and brave return 1) putty.org, 2) official site; and
| additionally a snippet from wikipedia in a sidebar with a
| correct address.
| signal11 wrote:
| How do we report disappointing search results to Google?
| (Does anyone know please?)
| ozgrakkurt wrote:
| They don't care if results are disappointing for you, they
| just want you to click more ads
| richrichardsson wrote:
| Except Google, DuckDuckGo, Bing all return putty.org as the top
| result. The "official" PuTTY website appears as either the 2nd
| or 3rd result.
|
| putty.org has this on their page:
|
| > On July 13, 2025, Bitvise was contacted by a political
| interrogator posing as a journalist.
|
| They are doing a great job of making themselves look like
| assholes.
| asimops wrote:
| IMHO neither of the two showed exactly nice behavior. But I
| don't think that this is particularly relevant.
| bstsb wrote:
| both sides are at fault here (the "journalist" and Bitvise - the
| PuTTY maintainers have nothing to do with this).
|
| the Bitvise owner shouldn't have responded so unprofessionally,
| and their views on open source software are strange - but they're
| correct that the domain was never "historically associated with
| PuTTY", it just uses its name.
|
| additionally, the usage of unformatted markdown in each
| "journalist" email makes me think this story was at least
| partially assisted by an LLM
| (https://putty.org/20250713-MiraiF-Emails.txt)
|
| in short this is a nothing story
| tojumpship wrote:
| LLM written, spurring up controversy, holding a private company
| accountable like they are the government. If they - PuTTY - are
| bothered enough, they are allowed to sue or request a takedown,
| and if legal grounds are not viable I don't think Google would
| mind ranking the correct website up after request. This "issue"
| has been present for _years_ and this journalist picks up on
| it, presses on the guy as if he was in the Panama Papers or
| something and writes the article with newgen LLM no less.
| Disgraceful.
| ptx wrote:
| > _The domain, long associated by users with PuTTY [...] a domain
| name that clearly and historically signals the PuTTY project_
|
| This seems a bit misleading. The domain has never, as far as I
| know, belonged to the project, so it can only have been "long
| associated" in the minds of users mistakenly trying to guess the
| URL and "historically" navigating to the wrong website.
|
| > _"The PuTTY project never had this domain"_
|
| Right.
|
| > _Search engines treat domain names like putty.org as
| authoritative._
|
| Do they? Domain names "like" putty.org in what sense? Which
| search engines, by what mechanism?
| fifteen1506 wrote:
| Look, I understand. Excess of information leads people to start
| skimming all text. But look:
|
| "Below suggestions are independent of PuTTY. They are not
| endorsements by the PuTTY project."
|
| Above of this is a direct link to PuTTY's website.
|
| I'm afraid this is a non-issue. Sure, you are free to rant, and I
| appreciate the good intentions behind it, but count me out on
| raging.
|
| www.putty.org SHOULD be the correct address. Failing that,
| LINKING to the correct website is an acceptable measure,
| especially when such linking is on top.
|
| Want to blame someone? Blame SEO, where a decent 2000 website
| with no issues whatsoever is pushed down the results.
| TRiG_Ireland wrote:
| Has the putty.org website changed in the few hours since this was
| posted? I see nothing there about any kind of software at all. It
| appears to be about someone called Mike Yeadon, and scandals in
| the pharmaceutical industry. That's not what anyone else here is
| describing.
| kappuchino wrote:
| well, if you read about the exchange between the author and
| owners ... add "schwurbeln" (german) to the list of what's weird
| about the domain.
| advisedwang wrote:
| On the wayback machine it does appear that putty.org recently
| changed. If you go to www.putty.org you can see the page
| everyone is talking about still present.
| TRiG_Ireland wrote:
| How odd. Having different content on the main domain and the
| www subdomain is so unusual that it's hard to believe it was
| done on purpose.
___________________________________________________________________
(page generated 2025-07-16 23:02 UTC)