Ideally the publisher should be banned. I also think its easier to blame microsoft, on the other hand isnt that the job of a store ?
I feel conflicted here about the responsibility.
Since I am a happy keePassXC user I would definitely donate time/money/both to push a proper release for the store if someone is interested
The blame is obviously on microsoft. They peddle the appstore as a much safer alternative, and they keep a bunch of the cash - it's a service, that is being sold as a service.
Microsoft makes no effort to indicate that evidently the buyer must beware entirely, and that appearance in the appstore means absolutely nothing in regards to it being spam, spyware, or legally 'counterfeit'. This is likely legally speaking risky - they're selling illegal goods, assuming this is a copyright violation which it probably is. Microsoft is guilty of the crime of fencing by doing this. I know that in The Netherlands, that crime (in dutch, 'heling') is a criminal offense. You need to be doing it intentionally, but given that they have now been notified, give it a few days and I'm pretty sure you really could just get em criminally sanctioned.
"Oh but I did not know" as a defense only gets you so far in court. It should get you absolutely nowhere in the court of public opinion, especially given that microsoft is marketing their app store as the opposite.
Apple and google are also guilty of this stuff; wanting all the cash and harping on and on about how much value they add by being the guardian of it all, and then doing an epically horrible job on guarding it.
It's so depressing that the obvious problem (the operators of these app stores are natural monopolists within that context - and monopolists tend not to focus on actually doing a good job because no competition) and that it then almost immediately goes that badly.
Its even worse when you consider how many innocent developers get their accounts banned on their stores while these obviously fake apps skate on by without consequences.
I posted a free app I wrote on the Microsoft store, and the process to get it there was a nightmare. I'm surprised they let the fake app from TFA through, considering the multiple weeks of chop-busting and paperwork inspection they did to me just to put a free app up
The KeePassXC team has also been trying to get their app into the store while this has happened. While this is nothing new in general, it's yet another "counterfeit" app proliferating in what's supposed to be considered a trusted source to be able to get your applications from.
This is a good example of how "app stores" tend to provide a false sense of security about what you're really downloading. There are clearly failures in terms of vetting what's there and towards ensuring that the user is actually getting what they think they're supposed to be getting.
Perhaps the "app store" model is still generally better than downloading executable code from completely random sources (nobody should be doing that), but I'm not sure there's anything more reliable (and also "secure") here than downloading a piece of software from its official source (such as from a server under the domain of the known publisher), verifying hashes/signatures, and leaving out as many intermediaries as possible who often have motives not fully aligned with the software user. Of course, this would require users to possess and be willing to use some knowledge of basic software and data hygiene, but it seems that along the way we have somewhat given up on that and so now we're stuck trusting these intermediaries usually much more than they ought to be trusted.
I was trying to mirror my Android smartphone to my Samsung TV to show a webpage to someone. This feature is called "Smart View" in the TV's menu, but I didn't know how to connect, so I searched that name in the Google Play store. There are dozens of results, only one of them is the official app that has any chance of working. There are two apps[1][2] that actually appear to be the same app just with slightly different names presumably so they appear twice in the search results. One app[3] has some very suspicious ratings and I can't help but notice that the publisher's name is "SmartThings.net" which appears to add more credibility until you see the domain has nothing to do with the app. I understand it can be hard for Google to vet these apps but some of these failures (like verifying you actually own the domain you are pretending to be affiliated with) seem like they could be automated.
The publisher name one is a silly social engineering hack: Google does validate publisher name, but it validates it as a Legal Name, a Company Name. Those are handled by various political registries (State Tax Organizations, for instance). They don't know or care about domain names and "SmartThings.net, LLC" is silly looking to them but acceptable. They often generally try to avoid name clashes in a region (state), but generally they don't even work that hard at it because true name clashes are the territory of trademark/small mark/service mark laws.
It was one of the failure cases in EV certificates back when browsers briefly thought "maybe it would be a good idea to highlight the website's legal name in the URL bar". Find the right jurisdiction and you can get any sort of "legal name" you want, including things that should have been "obviously" counterfeit like a "Facebook.com, LLC" and were perfectly good for phishing.
It is kind of annoying how often when using winget there might be two options the winget version which is the app and a msstore version that is from an unknown publisher just using the same name for the app.
If only there was a way to have quality repositories of packages curated by the OS team itself... alas, such a thing is probably not possible in the operating systems space for another few decades at least ...
I think we ought to be able to have a model that suits the Windows model better which doesn't require centralisation. A piece of software running on the desktop that provides update capabilities but where each piece of software is picked up from its original site and the location is set to that site. Somewhat like the Ubuntu repository model but without the multiple steps just an installer that installs the common updater tool if needed, registers itself and then this works for all over software too that buys into the model. It should be fairly cheap to run such a tool since the bandwidth is for all the different software tools and completely common features are available to everything. Its just the updater with some standards for implementing software updates without a store.
winget does almost exactly this. It detects apps that are already installed on your machine and if it can find a match in its catalog, it can upgrade it. (Of course you can install/uninstall via the tool if you have a fresh box).
`winget upgrade —-all` from a command line (assuming your Windows is reasonably up-to-date, otherwise, https://github.com/microsoft/winget-cli to get the latest release manually)
And it suffers from the same limitations as any other attempts at filesystem sandboxing – it only caters for the simple "open/save one file" respectively "open/save within one folder (plus subfolders)" use cases and ignores (and breaks) the existence of any other workflows.
Fantastic usability if you can get a good story around syncing your passwords in place. Most people use Dropbox or some other cloud storage as the location for their password vault and it sync's everywhere for you automatically.
- browser plugin is okay and I have no problems with it, but when it comes to password manager hostile login setups it isn't quite as good as some commercial solutions
- in some HiDPI setups with fractal scaling there had been buggy behaviour, probably fixed by now, probably had not been problem with most HiDPI setups either
- I haven't tried some of the integrations (e.g. SSH Agent).
I used it for a long time and eventually quit because sync isn't good enough -- it just writes to an opaque binary file you have to sync yourself (with Syncthing, Dropbox, Onedrive, etc.). I had my password database on multiple devices (phone, several computers) and wound up with conflicts once or twice a month.
This was my feeling. I use bitwarden now, because I can run it myself if I want to (honestly I trust them to secure things more than me, as my copy would be mixed in with a bunch of other services on the same machine).
I think for some people it's probably pretty great, or for storing not-website-passwords it's probably also good, though there are probably simpler to manage tools for "terminal/server" use like `pass`.
mainline keepass includes a "force synchronize instead of overwrite on save" option, if you have a shared drive you can throw it on, that pretty much solves conflicts.
strongbox has pretty intelligent support for maintaining a cached copy, and the sync support has always worked as expected for me there. The keepass format does store last-changed date so it is relatively trivially possible to synchronize a database (assuming you can decrypt/open it ofc).
if you need it on the go, VPN tunnel back, or again, Strongbox has good native support for dropbox sync or onedrive etc, can't specifically vouch for it but Strongbox seems pretty competent.
Can I ask what sync solution you were using that caused problems? About to implement a KeePassXC/Syncthing setup and would love to know if I should expect issues...
As a long time keepass _format_ user, I find it the "best" client for me in terms of UX and user QOL. Mainly the autosaving and auto-re-reading (since I use a p2p syncthing to keep my db in sync across machines) features.
I use KeepassXC (I started using KeepassX after a controversy around LastPass) and I'm very much a fan.
There is a Firefox add-on that works quite well and for other applications copy-paste with automatic clipboard clearing is good enough. It can't be scripted like Pass can be, but for regular use it's fine.
Yes. I started using KeePass almost 10 years ago, then switched to XC about 4 years ago because it had features built-in that I needed plugins with KeePass for:
TOTP
SSH agent
browser integration
Switching to XC made managing, updating, and installing things much easier.
The desktop app is ok, but the browser extension takes a lot of maintenance to keep using autofill. Each install is usually only good for a couple days before it can't find the desktop app anymore and there's no way to fix it without reinstalling and manually setting up sane keyboard shortcuts.
I've generally found app stores aside from the Apple App Store and Google Play to be undesirable essentially for this reason. They don't seem to adequately scrutinise whether someone should be permitted to publish a particular app. It's particularly concerning to see free programs being sold by a third-party.
That's a "problem" with GPL, it's immoral but it's not illegal, since the license grant you permission to distribute and charge. Quite concerning though...
GPL does not include trademark permissions. I realize from a practical perspective it's difficult for a small organization to enforce trademarks on this scale, but trademarks are a rare area where business and consumer interests align.
I've been in the same situation, filled in their contact form multiple times and I got exactly zero feedback, not even an acknowledgement. The app listing by a third party is still there.
I wish app stores had a rule to the effect of "if you're not the official maintainer of an open-source program, you can't upload it without changing its name".
The Microsoft Store has been trying to find the right policy for that. For a brief couple of months policy 10.8.7 accidentally forbid charging for any open source, in the hopes to counteract some of the people profiting from open source that were not official maintainers, but that policy change was rolled back because there are several legitimate open source projects that the official maintainers use store sales as a useful donation stream.
Meanwhile there is a bullet point in policy 10.1.1 that is almost directly what you are asking for, it is currently: "Your product must not claim to be from a company, government body, or other entity if you do not have permission to make that representation."
I certainly believe that "other entity" covers most open source organizations that aren't specifically companies already (or wrapped in a Foundation/Conservancy that acts as a "corporate parent").
The problem can't be solved with just policies though, the real key is enforcement: the fake listings from non-maintainers of open source need to be reported to be enforced. That likely means review time by staff. Tweets like the one linked here today can be calls to arms to submit user reports to help Microsoft know there's a possible problem here. Hopefully policies get enforced (eventually).
Is KeePassXC a registered trademark? I haven't found any confirmation of it on KeePassXC's website, nor on Wikipedia, so I guess the answer is no. A shame really. Trademarks would be so useful in such situations, which seem to recur in the open source world with some regularity.
I don't think that's connected at all. I'm guessing a trademark would only be relevant if KeePassXC went to court against Microsoft, which is far-fetched.
Has anyone tried looking into how this "unofficial" program was uploaded without any policy violations? Are they using some sort of code obfuscation or UPX to bypass automatic checks?
You need to specify that you are using Visual C++ Redistributable? That's wild. I thought MS Store should take care of such dependency and install it automatically.
It wouldn't install it automatically, the installer is supposed to take care of dependencies, as dependencies are packaged alongside the application, it kind of shows how they didn't use any of the packaging tools from Microsoft.
Has anyone done any analysys on the bogus keepass? Describe what nefarious thing it is doing(I assume stealing passwords) and who it is sending them to?
Recently I had to use windows. As a linux user for 2 years my first instinct is to install WSL and make the entire thing somewhat more palatable.
I Google the docs, install Debian through `wsl` command, start it through windows terminal.
It's still debian stretch aka "oldoldstable", that's the only version wsl command lists.
I googled the issue and apparently you can install the same thing through MS store to get latest stable. This has to be a Stack Overflow answer with 5 votes, not MS docs website.
So I search debian again, there are one or two 'app' listings, but no checkmark or verification on publisher. All apps look alike.
It doesn't help they show reviews, but there will be max 20-30 reviews even for legitimate apps. These reviews are probably written by people like me whose first language isn't English. But at the first sight they make the app seem even more suspicious.
If I recall correctly, unlike Google Play Store, MS store doesn't list the download count either. Not that it would help much in this case of a relatively obscure installation, but would at least help against copycats.
VS code is also from MS, Store is also from MS, what a difference!
61 comments
[ 22.2 ms ] story [ 1061 ms ] threadSeems the publisher probably skates on a few other free software projects like filezilla & vnc. I assume the free apps are simply spyware.
Since I am a happy keePassXC user I would definitely donate time/money/both to push a proper release for the store if someone is interested
Microsoft makes no effort to indicate that evidently the buyer must beware entirely, and that appearance in the appstore means absolutely nothing in regards to it being spam, spyware, or legally 'counterfeit'. This is likely legally speaking risky - they're selling illegal goods, assuming this is a copyright violation which it probably is. Microsoft is guilty of the crime of fencing by doing this. I know that in The Netherlands, that crime (in dutch, 'heling') is a criminal offense. You need to be doing it intentionally, but given that they have now been notified, give it a few days and I'm pretty sure you really could just get em criminally sanctioned.
"Oh but I did not know" as a defense only gets you so far in court. It should get you absolutely nowhere in the court of public opinion, especially given that microsoft is marketing their app store as the opposite.
Apple and google are also guilty of this stuff; wanting all the cash and harping on and on about how much value they add by being the guardian of it all, and then doing an epically horrible job on guarding it.
It's so depressing that the obvious problem (the operators of these app stores are natural monopolists within that context - and monopolists tend not to focus on actually doing a good job because no competition) and that it then almost immediately goes that badly.
This is a good example of how "app stores" tend to provide a false sense of security about what you're really downloading. There are clearly failures in terms of vetting what's there and towards ensuring that the user is actually getting what they think they're supposed to be getting.
Perhaps the "app store" model is still generally better than downloading executable code from completely random sources (nobody should be doing that), but I'm not sure there's anything more reliable (and also "secure") here than downloading a piece of software from its official source (such as from a server under the domain of the known publisher), verifying hashes/signatures, and leaving out as many intermediaries as possible who often have motives not fully aligned with the software user. Of course, this would require users to possess and be willing to use some knowledge of basic software and data hygiene, but it seems that along the way we have somewhat given up on that and so now we're stuck trusting these intermediaries usually much more than they ought to be trusted.
Edit: spelling
It was one of the failure cases in EV certificates back when browsers briefly thought "maybe it would be a good idea to highlight the website's legal name in the URL bar". Find the right jurisdiction and you can get any sort of "legal name" you want, including things that should have been "obviously" counterfeit like a "Facebook.com, LLC" and were perfectly good for phishing.
/s
`winget upgrade —-all` from a command line (assuming your Windows is reasonably up-to-date, otherwise, https://github.com/microsoft/winget-cli to get the latest release manually)
This is a result of the failed strategy to explicitly not curate it and get as many apps as possible, no matter how bad they are.
I'd like to know what goes on inside of Microsoft for them to keep following strategies that appear doomed to fail from the start.
1. https://en.wikipedia.org/wiki/Universal_Windows_Platform_app...
- browser plugin is okay and I have no problems with it, but when it comes to password manager hostile login setups it isn't quite as good as some commercial solutions
- in some HiDPI setups with fractal scaling there had been buggy behaviour, probably fixed by now, probably had not been problem with most HiDPI setups either
- I haven't tried some of the integrations (e.g. SSH Agent).
Anyway I'm quite happy with it.
I think for some people it's probably pretty great, or for storing not-website-passwords it's probably also good, though there are probably simpler to manage tools for "terminal/server" use like `pass`.
strongbox has pretty intelligent support for maintaining a cached copy, and the sync support has always worked as expected for me there. The keepass format does store last-changed date so it is relatively trivially possible to synchronize a database (assuming you can decrypt/open it ofc).
if you need it on the go, VPN tunnel back, or again, Strongbox has good native support for dropbox sync or onedrive etc, can't specifically vouch for it but Strongbox seems pretty competent.
Guess modifying the database on 2 different machines simultaneously might cause a conflict, never tested it though.
I use it on windows, linux, and mac.
There is a Firefox add-on that works quite well and for other applications copy-paste with automatic clipboard clearing is good enough. It can't be scripted like Pass can be, but for regular use it's fine.
TOTP
SSH agent
browser integration
Switching to XC made managing, updating, and installing things much easier.
The browser plugin is good too. It rarely malfunctions, and when it does it is on user-hostile websites, like the Office365 login pages.
But it's good practice to find the publisher website / repo and then click on Play Store link.
Of course they could still just put it up as `KeePassSX` or something, but it gives the creators a bit of ground to stand on?
Meanwhile there is a bullet point in policy 10.1.1 that is almost directly what you are asking for, it is currently: "Your product must not claim to be from a company, government body, or other entity if you do not have permission to make that representation."
I certainly believe that "other entity" covers most open source organizations that aren't specifically companies already (or wrapped in a Foundation/Conservancy that acts as a "corporate parent").
The problem can't be solved with just policies though, the real key is enforcement: the fake listings from non-maintainers of open source need to be reported to be enforced. That likely means review time by staff. Tweets like the one linked here today can be calls to arms to submit user reports to help Microsoft know there's a possible problem here. Hopefully policies get enforced (eventually).
You need to specify that you are using Visual C++ Redistributable? That's wild. I thought MS Store should take care of such dependency and install it automatically.
Recently I had to use windows. As a linux user for 2 years my first instinct is to install WSL and make the entire thing somewhat more palatable.
I Google the docs, install Debian through `wsl` command, start it through windows terminal.
It's still debian stretch aka "oldoldstable", that's the only version wsl command lists.
I googled the issue and apparently you can install the same thing through MS store to get latest stable. This has to be a Stack Overflow answer with 5 votes, not MS docs website.
So I search debian again, there are one or two 'app' listings, but no checkmark or verification on publisher. All apps look alike.
It doesn't help they show reviews, but there will be max 20-30 reviews even for legitimate apps. These reviews are probably written by people like me whose first language isn't English. But at the first sight they make the app seem even more suspicious.
If I recall correctly, unlike Google Play Store, MS store doesn't list the download count either. Not that it would help much in this case of a relatively obscure installation, but would at least help against copycats.
VS code is also from MS, Store is also from MS, what a difference!