Hacker News

Is there any proof that the "Concerned LastPass User" who wrote this isn't just the creator of BitWarden?

I normally don't assume astroturfing without concrete evidence, but there is no information in the post that explains why the author is anonymous and the creator of BitWarden has previously made comments without disclosing their affiliation (https://news.ycombinator.com/item?id=12754396).



Does it matter? If the claim is true, then it's a serious problem. If it's untrue, then the article is wrong. Neither one is changed if the author is a particular person.


> Does it matter?

Yes, as this seems to be an initial marketing attempt by Kyle Spearrin (the creator of Bitwarden) to unveil his own LastPass alternative while simultaneously making LastPass seem untrustworthy. Regardless of whether the issue detailed in this article is true, the following timeline cannot be ignored:

1. Bitwarden.com was registered on Nov. 16, 2015

2. The initial commit to bitwarden/core was on Dec. 8, 2015

3. Release v1.3.0 of Bitwarden is issued on Jan. 16, 2017

4. A quick fix release v1.3.1 is issued on Jan. 17, 2017

5. Bitwarden.com gains an SSL certificate on Jan. 17, 2017

6. This article arrives touting an unknown LastPass alternative on Jan. 18, 2017

Suspicious? I am. Especially since Kyle is the only contributor to the project, as well.


I don't see how any of that makes it matter. Given that timeline, what difference does it make whether 6 is a coincidence or written by Mr. Spearrin?


It matters because now, in reality, there needs to be an unaffiliated third party to confirm the issue, as the current reporter may be an unreliable source.


Don't you need that anyway?


For others (LastPass for instance) to take action on it, yes. For anyone reading this, because we could be looking at an unreliable source, they might as well treat it as if they never read it at all.


It's either this guy or it's somebody else whose identity we don't know. It's an unreliable source either way.


This seems pretty thin, as evidence. It is a little bit odd that the author comments on HN about Bitwarden referring to himself in the third person and sometimes not disclosing affiliation when his product is being discussed. But he's also on this thread so we can just ask him.


Where is he on this thread?


He's posting as xxkylexx.


I see you've already asked as well, pvg. Thanks.


And it seems he is posting only a single response when he isn't ignoring important questions altogether.


It matters a little bit since, if the thing does happen to be written by someone affiliated with Bitwarden, you have a good reason to avoid both LastPass and Bitwarden.


I really don't see how this is a "serious problem".

The only thing unencrypted is the site's domain name. Who cares? Site domains are public anyways.

Definitely two opinions on this matter, I suppose. But for me, I really don't care that they don't encrypt the domain names for the sites.


Metadata matters. The NSA revelations have shown this.

For a really simple example, I guess there are quite a few people with a pornhub account in their vault. I'd guess a significant portion of those users don't want that fact to become public.


It's not just the domain name, it's the full URL, which could contain embedded username, organizational and/or sensitive information.

FTA, which is clearly more than a domain name:

https://accounts.google.com/ServiceLogin


Domain names are public, what should not be public is the set of domain names you have accounts for.


It's fine you don't care about these things. Are you also suggesting you would prefer to be oblivious to the security of your passwords? Are you also unable to see why other people would very much care about this issue?

