I mean, she spelled my name wrong to. She spelled her own email address differently in two places. Attention to detail does not appear to be this person's strong suit.
I've been poking the internet bear for over 30 years. That's quite obvious if you read the other articles on my blog. I'm not one to back down from a fight when I think someone is in the wrong. And yes, sometimes I've paid for that, such as when a Usenet kook tried to get me fired from my job for having the temerity to disagree with him. But overall I'd rather be the guy who stood up for what I believed was right than the guy who didn't. As always, YMMV.
I mean, "mark as spam" is basically "burn before read," which is what I did to him. The difference, I guess, is that I told him I was doing it, because, like I said before, I think ghosting people is rude. YMMV.
Regarding quoting a ridiculously large number to add a requested feature, yes, sometimes I do that, and sometimes people even take me up on it and I end up both adding useful functionality to the software that everyone gets to benefit from, and making some money out of it as well. But I won't do that when the feature being requested isn't actually the right way to solve the problem. I've explained in another comment why it wasn't in this case. I'm not going to let someone pay me to make my software worse, and if you quote a price to scare someone off, sometimes they surprise you and say yes.
The user's suggestion wouldn't actually solve the problem the user wanted solved.
If there are scheduled messages queued to be sent when Thunderbird starts up, then Send Later sends them immediately, before the user has a chance to click any "Stop" button. The only way to prevent that is to delete the message when you no longer want it sent, which is what I explained to the user.
There's also a preference the user could have enabled in the Send Later preferences to tell it not to send messages that are past due by more than x minutes when Thunderbird starts up. So there are actually _two_ different ways already in the extension for solving the problem the user wanted solved.
It's FOSS, I don't have unlimited time to work on it, there are a lot of other more important features I'd be working on if I had time rather than adding a third solution to a problem for which there are already two other solutions.
Wow, out of all the things I've written on my blog, _this_ makes it onto the front page of HN. How droll.
BTW, just to be clear, I wasn't the one who posted the link here. I don't think it's particular relevant to what HN is for, but shrug apparently somebody did.
This is all I'm going to have to say about the attacks on my character here...
When some stranger on the internet acts like a dick toward me in private emails, I call it out -- in private emails.
When I decide that someone has acted sufficiently like a dick toward me in private emails, I put them in my burn-before-read file, and I tell them so, because I don't believe in ghosting people.
That's usually the end of it.
When someone, having been told that they are now in my burn-before-read file, decides they're going to go out of their way to email me from a different email address and harass me some more, then that's just what it is -- harassment. If they'll do it to me, they'll do it to other people, and I believe that calling out harassers publicly is, in fact, the right thing to do. That's why I posted the reviews.
I disagree with the claim made below that it was "bad faith" to do so, because having interacted with the business owner, I was in fact in a position to know his character and how he treats people, and that is certainly an appropriate thing to tell people about who might be considering whether to patronize a business.
The last letter I got from them, asking me take down the reviews, was not "fair." It was an attempt to intimidate me into taking down my reviews. It was, in fact, a classic example of an attempt at such intimidation. If you don't recognize it as such, try reading @Popehat a bit. It is perfectly appropriate to respond with public shaming to someone trying to intimidate you into taking down content you posted about them that they don't like (again, see @Popehat). Ever heard of the Streisand effect?
Finally, as I believe I made quite clear in the blog posting, I would have taken down all of the reviews and the blog posting itself in a second if they had simply apologized. I still would, if they apologized today. There's no expiration date on that offer.
In this day in age it is common for a two-year-old SaaS startup not to have an office. I mean, I suppose it's possible that they have one, but my assumption is that the entire company is remote.
I don't see why their location is particularly important, but if you care, you can look on Kyle's LinkedIn profile, which I was able to browse my way to in about 45 seconds from a standing start from their web site.
The article I just linked to makes it perfectly clear "who's behind" Bitwarden, and you can find it out easily with a few seconds of Googling like what I just did. They're not trying to hide anything from anyone who cares to spend 30 seconds trying to find out.
I care a lot more about the fact that hundreds of vulnerabilities have been submitted to LastPass's bug bounty program and they haven't chosen to disclose any of them, whereas a much smaller number have been submitted to Bitwarden's program and they've disclosed several. P.S. I, personally have reported three different security issues to LastPass, none of which have been fixed (https://medium.com/@QuantopianCyber/hi-george-a16d88a37355).
It's clear to me that LogMeIn, which owns LastPass and has a big-deal, flashy "About" page, is much less security-focused than Bitwarden. What you're asking for feels more like security theater than anything that's actually relevant to security.
My impression is that Kyle cares more about spending time writing software than about hyping his company. ;-)
It's an unfortunate flaw in a founder, but not a fatal one if he hires people to do the communication that he doesn't want to be doing. It feels to me like he's moving in that direction.
Google and Github both built their U2F support for Firefox before WebAuthn was released, and as you've pointed out, the U2F support in Firefox is gated out by default. Presumably Google, Github, and other companies that coded to U2F will migrate to WebAuthn eventually.
We didn't use the word "comprehensive", "complete", or "thorough", and obviously we didn't include every password manager in our evaluation, so I'm not sure what reason you have to believe that we were aiming to be "comprehensive."
We were aiming to evaluate the features / issues we care about against the password managers we were most likely to want to use. We published the results of our evaluation because we thought it might be useful to some people, not because we thought or intended for it to be all things to all people.
We didn't include security audits in our evaluation because, we are skeptical of their value and do not consider them a significant differentiator.
For example, in our experience trying to keep our own application secure, our HackerOne bug-bounty program has identified far more issues than the white-box security audits we've commissioned, at far lower cost.
In 2018, we reported nine different substantive security holes to LastPass. At least two of them were security issues. All of them took far too long to fix; some of them still aren't fixed.
There's a tenth bug which impacts many of our users on a regular basis which we haven't bothered to report to them because by the time we started running into it, our users were like, "Meh, whatever, that's just LastPass being LastPass." It's not good when you stop reporting bugs to a vendor because you've become convinced that they just don't care.
They've had 12 outages of varying severities and lengths in the past six months.
Pretty much every time I reported a bug to them -- and believe me, most of my bug reports were extremely detailed and often included videos or screenshots demonstrating them -- their first response was, "Try uninstalling and reinstalling your plugin." I hate that. HATE, HATE, HATE it.
Yes, my initial evaluation was flawed because I was looking at the free version of Bitwarden, but supports neither U2F nor attachments, but the evaluation grid said that it didn't support U2F but did support attachments. I've updated the grid to fix this. It now says that YubiKey is supported for Bitwarden and has a separate pricing line for personal use without attachments or YubiKey vs. with them.
LastPass doesn't have a native app because it doesn't need one -- when the browser plugin and web vault are working properly, they provide all available functionality on every platform. The problem is that the plugin does not always work properly; see my other comment about copy/paste problems on Linux, a bug which LastPass has known about for many months and not fixed.
You're correct that the Linux support for 1Password is severely lacking, which is why I called that out in my evaluation.
LastPass, on the other hand, is in a different category. It _claims_ to have full Linux support, and for a long time they did, but more recently -- as you point out -- copy/paste in their browser plugins stopped working properly when the binary component of the plugin is enabled on Linux. Since the binary plugin component is required to work with attachments, Linux users have been forced to choose between working copy/paste and the ability to manipulate attachments. They've known about this bug for many months and have not fixed it. In fact, this is one of the unfixed bugs which drove us to finally evaluate alternatives to LastPass.
We did not set out to evaluate every single password management product. We set out to evaluate the products which where enough "in the ballpark" of what our company needed that there was a chance we would end up using them.
There was never any chance that we would use a product which required every user to set up their own cross-device synchronization. Turnkey synchronization across devices as a first-class feature is a hard requirement for us.
Also, as far as I can tell, Enpass doesn't support sharing credentials between users, another hard requirement for us.
The family of password managers like KeePass and Enpass have their place, but they aren't good solutions to password management for businesses.
It was a cosmetic, not a security-critical bug, so there's really no reason why it needed to be released right away.
Also "a few days" was just a guess. I noticed that it was a problem, then I noticed a few days later that the fix had been release. I don't actually know exactly how long it took to release the fix after it was committed.
Your "facts" may be correct, but they actually have nothing to do with the article linked above. The article linked to above isn't about voting machine hacking, it's about voting web site hacking. And the voting web site hacking at DEF CON was indeed a bogus publicity stunt.