[HN Gopher] Zoom Acquires Keybase
       ___________________________________________________________________
        
       Zoom Acquires Keybase
        
       Author : vikram7
       Score  : 1454 points
       Date   : 2020-05-07 12:58 UTC (10 hours ago)
        
 (HTM) web link (keybase.io)
 (TXT) w3m dump (keybase.io)
        
       | rvz wrote:
       | > Ultimately Keybase's future is in Zoom's hands
       | 
       | Well, that definitely translates to uncertainty and ultimately
       | the death of Keybase.
        
         | api wrote:
         | I saw that coming when they shoehorned a pointless
         | cryptocurrency that nobody uses into it.
        
           | stevekemp wrote:
           | I deleted my account when the crypto-spam emails started to
           | arrive.
        
           | tobyjsullivan wrote:
           | It was actually a really nice stellar wallet implementation.
           | A bad bet perhaps, in hindsight. Unfortunately, this
           | acquisition means I won't be using it anymore for the
           | foreseeable future.
        
             | yarrel wrote:
             | It looked like a de-anonymization attack and brought
             | phishing attacks to crypto groups using Keybase group chat.
             | 
             | It was badly implemented, badly introduced, and harmful for
             | both users and adoption of the platform.
        
               | WorldMaker wrote:
               | Keybase was always a de-anonymization platform, and there
               | have always been spam/phishing concerns for the platform.
               | The crypto wallet was a dumb way to force them to address
               | some of the spam/phishing/harassment issues inherent in
               | the platform as a "social media" with ties to nearly
               | every other social media through its validation checks,
               | but it was past time needed for spam/phishing/harassment
               | control (as some minorities had said for years prior to
               | the crypto wallet forcing such things).
        
         | tobylane wrote:
         | @Keybase users: Check if you uploaded your private key. I hope
         | it is rare but now is the time to make that non existent.
        
           | ocdtrekkie wrote:
           | I essentially didn't have a private key prior to Keybase, and
           | I think it's still the only place I use it, so I'll end up
           | rolling a new one if Keybase becomes fundamentally
           | untrustworthy.
        
             | redbeard0x0a wrote:
             | They are fundamentally untrustworthy. They haven't taken
             | security issues in the past very seriously, they also have
             | ties to China.
        
               | ViViDboarder wrote:
               | That's Zoom. Post acquisition Keybase is tied to some of
               | those, but not all. Their dev team is not going to move
               | to China (at least not immediately) and past security
               | issues in Zoom are no indication of Keybase safety.
               | 
               | This will possibly change over time though.
        
           | neltnerb wrote:
           | I signed up so long ago that I'm not quite sure what you
           | mean. I remember posting a bunch of public keys (like on my
           | profile here). I think the keybase app generated them along
           | with a private key but it has been like three years.
           | 
           | I don't remember at all uploading one or where to find it if
           | I did, can you explain the issue you have in mind a little
           | more?
        
             | tobylane wrote:
             | https://github.com/keybase/keybase-issues/issues/160
             | 
             | There is still (apparently under another command name) this
             | ability to upload your private key.
        
             | OJFord wrote:
             | You can optionally have Keybase (generate and) store your
             | private key for you.
             | 
             | It's designed to lower the barrier to entry, but is
             | obviously less secure than managing it yourself outside of
             | Keybase (e.g. in GPG keyring, or a physical OpenPGP
             | smartcard such as a Yubikey) - and some consequently wish
             | the storage had never even been offered.
        
               | WorldMaker wrote:
               | That optional GPG/PGP private key storage was also re-
               | hidden (and almost but not quite removed) functionality
               | by Keybase over the course of the application's life as
               | they moved away from using traditional GPG/PGP-style keys
               | to a more complicated but more secure system based on
               | device-specific keys (and chains/webs of those keys and
               | their derivatives), around when you needed another device
               | to onboard the next device rather than just needing to
               | sign in with username/password.
        
             | jlgaddis wrote:
             | The issue is a third-party having control of your private
             | key.
        
         | DyslexicAtheist wrote:
         | from Zoom's twitter:
         | 
         | _"We are excited to integrate Keybase's team into the Zoom
         | family to help us build end-to-end encryption that can reach
         | current Zoom scalability."_
         | 
         | not a word about what happens to the existing technology which
         | doesn't sound very reassuring to existing keybase users.
        
           | [deleted]
        
       | noodlesUK wrote:
       | So, reading this, it's clearly an acquihire, and they don't care
       | about the Keybase product. Please open source the server. We want
       | our communities to still be able to run, and self hosting would
       | be fine.
        
       | wharfjumper wrote:
       | I would participate in (and could provide resources to) the
       | creation of an open foundation that had as one of its goals the
       | writing of an open source keybase API[0] compatible server.
       | 
       | If anyone else is interested, please contact me directly (email
       | in my profile).
       | 
       | [0]https://keybase.io/docs/api/1.0
        
       | fossuser wrote:
       | For years people have been begging Keybase to allow them to pay
       | them for the service and Chris Coyne always refused.
       | 
       | Now they've lost their independence and they're owned by a
       | communication company that has [edit: the majority of] its dev
       | team in China.
       | 
       | I use Keybase to talk to my friend in China since it's one of the
       | few services they don't block.
       | 
       | This is a pretty disappointing outcome.
        
         | tabbott wrote:
         | Losing their independence was from the beginning the most
         | likely outcome of building something that's hard to monetize
         | like Keybase on the VC funding model. FWIW, I doubt Keybase
         | offering a paid plan would have raised revenue that's
         | significant compared to their burn, so Chris was probably right
         | to not spend resources figuring out a paid offering. For
         | raising their next round, having $5K in revenue from a paid
         | plan few people buy might well have been worse than having $0.
         | 
         | The VC funding model is terrible for most open source projects.
         | With a few exceptions, you end up with an acquisition that ends
         | or repurposes the project, or an Open Core project. And a VC-
         | funded Open Core project will end up trying as hard as it can
         | to have everyone need to buy the paid version, since that's
         | clearly the way to optimize revenue and eventually the slippery
         | slope will get you there. I don't blame folks for taking VC; it
         | was easy to get, and there aren't a lot of alternative funding
         | models that can pay the multiple fulltime staff that might be
         | required to create what one wants to create.
         | 
         | I don't think VC funding as it currently exists is consistent
         | with running an open source company according to my values,
         | which is why we're not taking venture funding for Zulip.
         | Obviously, being scrappy, applying for NSF grants, and spending
         | my own money have very real downsides both personally and for
         | our growth, especially when every competitor has VC funding,
         | but it also means that I can ensure Zulip continues existing as
         | a real open source project for the long run.
        
           | fossuser wrote:
           | How much power do the VCs typically have?
           | 
           | Don't founders often have the ability to overrule and make
           | their own decisions?
           | 
           | Chris is already financially independent from the OKCupid
           | sale, he could have open sourced the server code and/or
           | reduced the overall burn to pivot to paid accounts.
           | 
           | Though the weird Stellar wallet addition implied some
           | vision/product issues anyway.
           | 
           | Of course it's easy and probably unfair for me to say these
           | things as an outsider with limited information and no real
           | stake, it's definitely possible I'm wrong about important
           | details that would change my mind. It'd be interesting to
           | hear from Chris, but the sale probably restricts public
           | communication?
           | 
           | This reminds me a little about the OKC sale actually, they
           | had a blog post about why charging for dating sites made them
           | worse that they took down after selling to match (they used
           | to do cool analysis and publish them as blog posts, most of
           | the details ended up in the book a different cofounder
           | published called Dataclysm). That's more understandable to me
           | though since I think it was their first exit.
           | 
           | Reading about Zulip - didn't you get bought by Dropbox before
           | being open source? Is your current situation a lucky outcome
           | - or was it a condition of the sale?
           | 
           | [Edit] - To clarify since there are downvotes, my questions
           | aren't rhetorical - they're genuinely asking.
        
             | tabbott wrote:
             | > How much power do the VCs typically have?
             | 
             | I think it's less about the power relationship, exactly,
             | and more about the way VC-funded companies are set up to be
             | run. As part of raising a round, you prepare a business
             | plan that involves aggressively spending the money over a
             | couple years. You're committed both internally and to your
             | board to execute that plan, and it's cognitively difficult
             | to do something different as there's social pressure to do
             | so (and one of your VC's greatest sources of power over you
             | is they're the reference for your next fundraising round).
             | 
             | The result is that your company has planned to run out of
             | money with potentially a multi-million dollar annual burn
             | rate in two years. If as those two years are approaching,
             | the company and/or market situation don't support raising
             | more capital and the company isn't close to profitable, the
             | momentum of that burn rate applies a great deal of pressure
             | for a sale, destructive layoff, or total change in goals to
             | "anything that improves the bottom line".
             | 
             | Also, the search for a story to help raise your next round
             | can have a big effect on companies -- my view is most of
             | Dropbox's problems when I was there (2012-2014) resulted
             | from the search for a totally new business bigger than
             | Dropbox Business that could justify a bigger valuation than
             | $10B starving more obvious investments (Carousel, the now-
             | dead photo sharing app, at one point had ~10x the
             | engineering resources of Dropbox Business).
             | 
             | > Reading about Zulip - didn't you get bought by Dropbox
             | before being open source? Is your current situation a lucky
             | outcome - or was it a condition of the sale?
             | 
             | It's an extremely lucky outcome. There's a combination of
             | factors that made this possible:
             | 
             | * Dropbox leadership prioritized doing the right thing by
             | their users, and so we were able to get permission from
             | both leadership and legal. I'm sure my personal position as
             | a leader at the company who had a personal relationship
             | with the people who had to approve it made a difference
             | (Though Luke Faraone made a big difference by asking legal
             | if we could and inviting me to the meeting!). But I think
             | Dropbox deserves a lot of credit, because they spend
             | significant time from expensive resources (legal, etc.)
             | making this happen, and I don't know of many companies that
             | would ever do that.
             | * Our users were big fans, enough so
             | that 10 of them flew to Dropbox HQ for a week to help us do
             | the technical work required to do an open source release
             | with all 10,000 commits of history intact and with a
             | scripted installation process. This was essential to Zulip
             | being usable after that release.
             | 
             | https://zulipchat.com/history/ has a bit more background on
             | the early history (though it's a bit out of date).
        
               | fossuser wrote:
               | Thank you - I really appreciate the detailed answer.
               | 
               | I think I have a better understanding of how the
               | incentives to cooperate would be hard to overcome even if
               | you technically have the power as a founder (and even if
               | you're already financially independent).
               | 
               | The personal experience was also interesting - thanks!
        
         | bgee wrote:
         | > communication company that has its entire dev team in China
         | 
         | citation needed
         | 
         | Also, what are you trying to imply by this assertion?
        
           | aaomidi wrote:
           | China is a country with even less oversight than the US.
           | 
           | For a company that does security that's concerning.
        
             | andoriyu wrote:
             | Not even that. All encrypted traffic in China needs to be
             | decryptable by CCP. Which means if your call in Zoom was
             | routed to one of their China servers, then CCP has access
             | to it.
             | 
             | That is on top of the fact that Zoom encryption is weak af.
        
           | kyrra wrote:
           | Another citation: https://investors.zoom.us/static-
           | files/09a01665-5f33-4007-8e... (warning, PDF)
           | 
           | > We also operate research and development centers in China,
           | employing more than 700 employees as of January 31, 2020.
           | 
           | You can find more stories from last year saying that the way
           | Zoom had such a large engineering staff is that it was
           | cheaper for them to pay for R&D in China than in the US[0].
           | 
           | [0] https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-
           | ahead...
        
             | bgee wrote:
             | The emphasis is on entirety, please see my other reply.
        
           | umeshunni wrote:
           | > Also, what are you trying to imply by this assertion?
           | 
           | It's just casual nativism/racism - acceptable on HN as long
           | as it's about China.
        
             | ethbro wrote:
             | It's not nativism or racism to have security concerns about
             | a country with a non-existent commitment to an independent
             | judiciary.
             | 
             | If China wants people to think of it as a country where
             | laws matter, then they can start acting like laws matter.
             | 
             | https://worldjusticeproject.org/sites/default/files/documen
             | t...
             | 
             | (And before we get whataboutism concerning {insert other
             | country's wiretapping laws}, wiretapping through an
             | independent judiciary is fundamentally different than via
             | rubber stamp)
        
             | cmelbye wrote:
             | "China" isn't a race, it's a multi-ethnic state with laws
             | that heavily restrict communication. It's relevant to bring
             | up in a thread about building encrypted communication
             | technology.
        
           | mrtweetyhack wrote:
           | China is not to be trusted, Zoom and now Keybase is not to be
           | trusted
        
           | fossuser wrote:
           | "Zoom is based in California's Silicon Valley, but it owns
           | three companies in China that develop its software. The
           | Citizen Lab said the structure allowed the company to lower
           | its development costs, but added "this arrangement may make
           | Zoom responsive to pressure from Chinese authorities.""
           | 
           | https://www.theguardian.com/uk-news/2020/apr/24/uk-
           | governmen...
           | 
           | The implication is that China is hostile and leverages their
           | power to censor/collect communication information from
           | companies and their people without checks on this power.
           | 
           | They are aggressive in stealing IP from other companies and
           | blocking software they can't control. They have history of
           | wielding their power to pressure organizations to deny or
           | ignore aspects of their history that they dislike (Taiwan,
           | Cultural Revolution) and they pressure companies to hand over
           | PII on people they find to be political threats without due
           | process.
           | 
           | This is not a country you want to be a steward of an
           | encryption identity standard.
        
             | Gasp0de wrote:
             | Isn't the US actually at least as bad if not worse? Thanks
             | to Edward Snowden we know without speculation that the US
             | "is hostile and leverages their power to censor/collect
             | communication information from companies and their people
             | without checks on this power" (ok, supposedly there are
             | secret judges that secretly check on this power, but that
             | doesn't really do any good does it?). The USA also
             | "pressure companies to hand over PII on people they find to
             | be political threats without due process" (so called
             | "National Security Letters").
        
               | remarkEon wrote:
               | The difference is that in the US we actually get to find
               | out about these abuses.
        
               | Baeocystin wrote:
               | Short answer? No. Not even close.
               | 
               | Source: have lived in both countries
        
               | patmorgan23 wrote:
               | People don't get disappeared for actively disagreeing
               | with the government.
        
             | bgee wrote:
             | I don't think it's true that Zoom has its "entire dev team
             | in China"; doing some research myself reveals Zoom
             | definitely has engineering operations in the US[0][1].
             | 
             | I'm not disagreeing with you on the implications of having
             | engineering teams in China, I think you would like to put
             | that paragraph in your original post to give some context.
             | 
             | [0] Tech job postings in US: https://zoom.wd5.myworkdayjobs
             | .com/Zoom/0/refreshFacet/318c8...
             | 
             | [1] H1b filing on engineering positions: https://h1bdata.in
             | fo/index.php?em=Zoom+Video+Communications+...
             | 
             | edit: better formatting and grammar
        
               | fossuser wrote:
               | Thanks - I edited it to soften the language a bit.
        
               | wutwutwutwut wrote:
               | Is it called "soften the language" to fix a 100% factual
               | error?
               | 
               | Honestly I feel that if you're arguing in one direction
               | or another and haven't checked the facts, maybe it's
               | better not to argue about it?
        
               | yellowapple wrote:
               | If the original claim was "100% of the dev team is in
               | China", and the reality is "only 80% of the dev team is
               | in China", then that'd be a 20% factual error,
               | mathematically speaking.
        
               | simongr3dal wrote:
               | Or would it be a 25% error, I think it would make most
               | sense to calculate the error-difference in relation to
               | the actual value instead of in relation to the erroneous
               | value.
        
               | yellowapple wrote:
               | Good point.
        
               | fossuser wrote:
               | The vast majority of the Zoom software development team
               | _is_ based out of companies in China.
               | 
               | They do have support people in the US and a handful of
               | non-support engineering which is why I said thanks and
               | immediately updated the comment to say "majority" instead
               | of "entire" since it's more correct.
               | 
               | That technicality is less relevant to the main point of
               | the argument.
        
             | uoaei wrote:
             | > this arrangement may make Zoom responsive to pressure
             | from Chinese authorities
             | 
             | "May" is a weasel word that doesn't offend the
             | sensibilities of CCP.
             | 
             | In reality, every single company which is incorporated in
             | China must be majority-owned by the Chinese government.
             | This is what makes their economic system "state capitalism"
             | and not "communism". But that also means they have a
             | _controlling_ share and get last word on _any_ executive
             | and administrative decision within the company.
        
         | [deleted]
        
         | ahnick wrote:
         | Fingers crossed they open source the server portion at least ->
         | https://github.com/keybase/client/issues/24105
        
           | wiggler00m wrote:
           | +1
        
         | poofyleek wrote:
         | Very disappointed indeed. Keybase is one of the ones I actually
         | used.
        
           | pmorici wrote:
           | There was a competitor app that got posted here a couple
           | weeks ago.
           | 
           | https://keys.pub/
        
             | chupasaurus wrote:
             | Which already did some things wrong even though Keybase is
             | around for a few years.
        
               | MrGilbert wrote:
               | Care to elaborate? Just curious...
        
               | chupasaurus wrote:
               | https://news.ycombinator.com/item?id=22997245 and
               | requiring gnome-keyring on Linux are issues for me.
        
               | Spivak wrote:
               | Does it actually require _GNOME Keyring_ or does it just
               | use libsecret? Because libsecret is dope and has been
               | nothing but a joy to work with.
        
               | trey-jones wrote:
               | I've seen some examples of GNOME keyring being required
               | because it implements the freedesktop secrets standard
               | (which I admit to knowing nothing of) where other secret
               | managers do not. Presumably meaning there is no common
               | interface, so we just pick the one that implements the
               | spec. One example:
               | 
               | https://github.com/pithos/pithos/issues/559
        
               | chupasaurus wrote:
               | https://keys.pub/docs/specs/keyring.html
        
         | mikorym wrote:
         | It is funny that Zoom was one of the companies that I flagged
         | in my head as the worst (or rather, most dangerous) up-and-
         | coming tech company and I considered Keybase one of the most
         | promising up-and-coming tech companies.
         | 
         | Keybase solves a (to me) nontrivial problem: How to bring
         | private keys into social media. Just a silly example: You don't
         | use the same private-public key exchange in Whatsapp as you
         | would use for your emails, or to sign your packages. It's a bit
         | of the now infamous Dropbox situation: Most people _can_ sign
         | things with private keys and properly keep track of it, but
         | they _don't get around to doing it_. It's only critical cases
         | where the use is common (like signing packages). It took a long
         | time even for HTTPS to become standard practise, though I guess
         | the situation with your browser is a bit different.
        
           | freshhawk wrote:
           | Yes, this was exactly how I mentally categorized these two
           | companies as well.
           | 
           | My first reaction was: it can't be _that_ keybase can it?
           | Huh, well maybe I'd sell my principles for that much money
           | too, oh well.
           | 
           | Maybe some keybase employee will end up being a whistleblower
           | sometime soon though.
        
           | zamalek wrote:
           | > Zoom was one of the companies that I flagged in my head as
           | the worst [...] Keybase one of the most promising
           | 
           | Hear hear. It really is an absurd world we live in, and I had
           | a good chuckle about that - just before I deleted my Keybase
           | account.
        
         | foobiekr wrote:
         | I am curious: do they block Zoom?
        
           | Jon_Lowtek wrote:
           | Well yes but no. They block zoom.us but there is zoom.cn
           | 
           | This is likely related to both nations having rules that
           | allow only their own agencies to wiretap.
        
       | reneberlin wrote:
       | Saturation. The zoom folks had too much publicity.
        
       | ammmir wrote:
       | Keybase was almost the perfect Slack-killer for security-minded
       | teams, except it had a few wiggles, including their sluggish
       | client. I believe there is an opportunity for someone to capture
       | the users who are about to be abandoned by this transaction, if
       | they implement a subset of the Keybase client functionality like
       | team chat, shared files/git repos, but get rid of the crypto
       | wallet nonsense. I, and others, would gladly pay $10/mo for this.
       | 
       | Matrix isn't the answer. That's like saying just use SMTP for
       | email.
       | 
       | The slackification of Keybase did not lead to a viable business
       | model, unfortunately. In fact, it's such a no brainer, I can't
       | wait for someone to build Keybase 2.0. It might not be a VC
       | enterprise, but could be a great lifestyle business for a small
       | team.
        
       | albybisy wrote:
       | and what about the partnership Keybase had with Stellar? What is
       | the destiny of all the lumens XLM they had...??
        
       | DCKing wrote:
       | People are expressing they will stop using Keybase because of
       | this. That's fine, probably a good idea.
       | 
       | But reading this, Zoom+Keybase will make sure of this themselves.
       | This press release indicates that this is a 100% acquihire.
       | There's only talk about what the Keybase people will be tasked to
       | do, and there isn't any talk about Keybase's services in the
       | first place. There's no real reason Zoom would be interested in
       | keeping Keybase's services up and running anyway.
       | 
       | Let's hope they make it a swift death. Shame about Keybase, loved
       | using it so far. It's somewhat encouraging to see a change in
       | direction for Zoom, too. Hope the acquihire works out.
        
       | jrochkind1 wrote:
       | From the headline, I didn't understand why Zoom, a
       | videoconferencing company, would want to buy a secure
       | messaging/sharing app.
       | 
       | But after reading it, duh. It's an acqui-hire. Zoom definitely
       | needs to improve its security, because of recently publicized
       | problems. These are the right people to work on that, the
       | security problems are similar in keybase and zoom, and an outside
       | team with an established track record will help Zoom regain
       | credibility. And Zoom probably had lots of cash on hand to buy
       | whatever they wanted.
       | 
       | So that all makes sense. I wouldn't expect the keybase product to
       | stick around though.
       | 
       | Not because, as other commenters had said "Zoom doesn't care
       | about security." Because they did an acqui-hire to get a team to
       | help them with security, not because they wanted the product. I
       | expect this _will_ result in Zoom's own security improving, it's
       | not some kind of smoke and mirrors trick. It's not that they
       | don't care about security, I think they are presently
       | prioritizing it. They just don't care about the keybase product.
       | Obviously, why would they? It can't have revenue or profit
       | anything close to what the zoom product has.
        
       | SirensOfTitan wrote:
       | This sounds like an acquihire, or am I reading it wrong? If so, I
       | doubt anyone at keybase is necessarily thrilled about this.
       | 
       | I've enjoyed keybase for many years, it made a lot of annoyances
       | of encryption and key management easy. I particularly liked its
       | encrypted git repo feature--now I'm struggling to think of an
       | easy alternative.
        
       | reneberlin wrote:
       | Maybe they think, you understood the product so natively. You can
       | reproduce it with a new domain: keybeasehasjustended.in?
        
       | justusthane wrote:
       | In case it's helpful to anyone, to uninstall on MacOS:
       | # keybase uninstall
       | 
       | And then delete the app from Applications (recommend using
       | AppCleaner to delete the app, as it leaves behind almost a GB of
       | stuff).
        
       | erydo wrote:
       | Congrats to the team. Though in the inevitable acquisition, I
       | wish GitHub/Microsoft had been the acquirer: there are a lot of
       | natural fits between that ecosystem and Keybase's model, and a
       | reasonable history of successful acquisition.
       | 
       | Hopefully Zoom avoids gutting Keybase. I found it really useful
       | for bootstrapping credentials when onboarding remote team members
       | and contractors. Way easier to manage than GPG: it was fairly
       | painless even for non-technical people.
       | 
       | Fingers crossed. I wonder what the infrastructure overhead cost
       | is?
        
       | mikaelf wrote:
       | zoombombing just got another meaning
        
       | m0zg wrote:
       | "All your base are belong to us", Zoom CEO was quoted as saying.
        
       | pot8n wrote:
       | Keybase went from ranking 30,000 to 65,000 in 3 months. What
       | happened here? It seems like Keybase has been falling in traffic
       | already for the past 3 months and its reputation has been
       | tarnished in HN for months now.
       | 
       | https://www.alexa.com/siteinfo/keybase.io
        
         | RL_Quine wrote:
         | The product is simply not good in its current form. It's a
         | strange mix of instant messaging, web of trust, and
         | cryptocurrency scam. It doesn't strongly give any particular
         | goal. The tools are shiny, pleasant enough to look at and use,
         | but isn't going in any direction.
         | 
         | A lot of push recently has been into making it a "team chat"
         | platform, which is great except that all of the participants
         | are public, and tied to their name. It makes for hideously bad
         | opsec if any company were to seriously use it.
        
           | coldpie wrote:
           | God, that cryptocurrency scam. If ever there was a clear
           | message screaming "we have no idea how to turn this into
           | something profitable/sustainable," that was it.
        
             | kybernetikos wrote:
             | Not sure why people keep saying things like this.
             | 
             | The truth is that sharing money in the same way we share
             | messages and images (i.e. chat) is a good idea, and in my
             | opinion is absolutely _inevitable_.
             | 
             | Now we don't have to do that via cryptocurrency, but the
             | reason we don't already have it in the west is because it's
             | a coordination problem, and there are entrenched interests
             | that won't care about giving the user a good experience
             | until forced to by competition. Cryptocurrency lets you
             | avoid that problem, and given that it is entirely around
             | managing keys, it's a very natural fit for KeyBase.
             | 
             | I thought the integration into keybase chat was genius, and
             | the user experience of transferring money in that way was
             | much better than anything traditional banking has ever
             | offered me.
        
           | ValentineC wrote:
           | > _It's a strange mix of instant messaging, web of trust,
           | and cryptocurrency scam._
           | 
           | They ended their Stellar airdrop early, but I guess it didn't
           | help that bots were joining the platform, and affecting the
           | other parts of the Keybase community, just to get a share of
           | it.
        
       | BERTHart wrote:
       | And I just started to use Keybase 3 days ago...
        
       | hnarn wrote:
       | I've used Keybase for a long time but I never quite understood
       | the purpose of it. It never "just worked" for me and my
       | experience was mostly chats being unreadable, my account having
       | to be reset, and a lot of new functionality that seemed like it
       | did what other products already did, just not as good.
       | 
       | I always liked the idea and the people behind it seemed like good
       | people, but I'm sad to say I won't miss a worse version of Slack,
       | Bitcoin and Dropbox.
        
       | urda wrote:
       | Well that's it for Keybase. I can't continue to recommend them. I
       | was able to look past the cryptocoin distribution to be honest,
       | but teaming up with Zoom seems like the kiss of death for any
       | security focus.
        
       | brynet wrote:
       | You can permanently delete your keybase.io account with the
       | command-line utility:
       | $ keybase account delete
        
       | freakynit wrote:
       | Is there a viable alternative to keybase?
        
       | IgorPartola wrote:
       | Correct me if I'm wrong here, but isn't the company behind Zoom
       | owned or at least partly owned by the Chinese Communist Party? If
       | so, wow, Keybase really is dead to me.
       | 
       | https://www.politifact.com/factchecks/2020/apr/07/charlie-ki...
        
         | mceachen wrote:
         | The article you posted concludes with the statement you made as
         | being mostly false.
        
         | ShakataGaNai wrote:
         | Zoom is a US Based, publicly traded company listed on the
         | NASDAQ [1]. So to that first part, no, that's not correct.
         | 
         | However they have a Chinese subsidiary that does some of their
         | development work along with supporting their in-China services.
         | Any tech company that operates inside of China is legally
         | obligated to provide the CCP access to anything and everything
         | they want. This is why most companies have separate, special,
         | dedicated servers for/in China (up to and including AWS [2]).
         | 
         | The reason for the purchase of Keybase is to up Zoom's crypto
         | game. They (Zoom) made a pledge to do significantly better
         | around encryption and user controls, right after they became
         | super popular and started getting targeted for news/abuse/etc.
         | 
         | Sadly it probably doesn't matter what you think of Keybase as
         | this looks like this was probably an Acquihire for the team and
         | their knowledge. Maybe Keybase the product will be totally open
         | sourced, but beyond that it's likely dead.
         | 
         | [1] https://www.nasdaq.com/market-activity/stocks/zm/real-time
         | 
         | [2] https://www.amazonaws.cn/en/about-aws/china/
        
       | adadahdjej wrote:
       | I am truly disappointed. But I should have known better. Big
       | woop. Keybase and Zoom deserve each other.
        
       | up2isomorphism wrote:
       | Unregulated capital dominance is currently at the historical peak
       | in US. And funny thing is people can not do anything about it.
       | Considering the time where AT&T (which is much more benevolent in
       | today's term) can be broken up, today is just money game and
       | money game.
        
       | xoa wrote:
       | > _"We're thrilled with the match, and we're excited to be
       | working on security that affects everyone we know."_
       | 
       | https://ourincrediblejourney.tumblr.com/
       | 
       | Argh, yet another for the list. Certain cycles in the tech world
       | are both extremely predictable and regrettable, yet for most of
       | them the sting seems to fade a bit as the decades go by. But the
       | acquisition-for-the-talent/IP-now-great-product-is-toast one
       | somehow never, ever manages to lose its capability to be
       | depressing. On the contrary new ones just make me think back on
       | previous dearly departed that never got an equivalent
       | replacement. It's part of what's made me particularly suspicious
       | about new non-OSS "free" offerings, because that's generally just
       | not sustainable. And the better it is the more I beg them to have
       | some sort of decent paid tier. I guess some though just plain are
       | aiming for a buyout from the start and that is in fact their
       | planned profit/exit strategy, and fair enough but still ouch each
       | time.
        
       | rising-sky wrote:
       | I was starting to look at the space of public trustworthy
       | identities, are there any viable alternatives out there that are
       | vouched for in the community?
        
       | kemonocode wrote:
       | Well, I guess that's it for Keybase. I distinctly remember
       | expressing my worries about them spreading themselves too thin
       | and not really having a clear monetization plan, so an acquihire
       | was the easy way out.
       | 
       | Say, anyone got any Keybase alternatives that are focused _only_
       | on identity management?
        
         | stickac wrote:
         | https://keys.pub
        
       | lanevorockz wrote:
       | Would it be great to link social media accounts to your
       | professional behaviour in Zoom? So we can make sure all your
       | actions are company compliant?
        
       | grenoire wrote:
       | I don't quite know how to feel about this. Perhaps it is my
       | mistrust against Zoom, but I did enjoy the run Keybase had as a
       | semi-independent key and ID manager.
        
         | Latty wrote:
         | Yeah, with the recent issues they had after doing the
         | cryptocurrency stuff (which didn't really bother me, but it
         | definitely seemed to generate some negative feelings in
         | general), this feels like a poorly-timed move.
         | 
         | Zoom is presumably going for "look, we are bringing on-board
         | this team of trusted people who understand privacy", but I
         | think most are just going to assume it'll work the other way
         | and Zoom's culture of poor security practice will bleed into
         | Keybase over time.
        
       | bad_user wrote:
       | I like Keybase's encrypted Git repos.
       | 
       | I hope it doesn't die.
        
       | ezoe wrote:
       | "Our existing codebase sucks. So let's buy some cool companies in
       | the wild and let them help fixing our codebase"
       | 
       | Yup, it sounds like the perfect plan to me.
       | 
       | What likely happens is this. The current codebase is too ugly to
       | improve. But since they have a lot of users, it has value. So,
       | the engineers from Keybase started from scratch, try to implement
       | all of the functions in the existing codebase, plus secure. The
       | plan is, after it has been developed, replace the existing
       | codebase. But unfortunately, they miss the planned deadline by
       | years and when it's finally working, they couldn't implement all
       | of the existing codebase because nobody knows how to implement
       | it. No documents and original implementers left the company
       | long ago. But they spent so much effort on the new project and
       | all the new features are implemented just on the new one.
       | Resulting in the chimera of old and new code base both running at
       | the same time. Oh and by that time, the user is rapidly
       | decreasing for they failed to improve the service for years while
       | the competitors offer the better service now.
       | 
       | The same story repeated countless times.
        
         | president wrote:
         | You forgot:
         | 
         | - Acquihired employees end up having zero passion or motivation
         | to work on tech from their new masters and end up doing a
         | crappy job and implementation before their retention period
         | ends and they bail out.
         | 
         | - Mish-mash of additional crap code increases tech debt to a
         | point that alienates top engineers causing them to leave for
         | greener pastures. The second-tier engineers end up taking up
         | the reins hack band-aid further destroying the codebase. Cycle
         | of crap code and good engineers leaving continues until the
         | company is left with lowest-tier engineers who couldn't get a
         | job elsewhere or desperate H1-B visa holders who hold up the
         | fort until a competitor comes to eat their lunch with a better,
         | more performant product.
        
       | mike-cardwell wrote:
       | Eurgh. Time to transfer out my XLM and find some other way to
       | handle my private git repos.
        
       | kylehotchkiss wrote:
       | Keybase was cool tech that for years I hoped would find a profit
       | model and more everyday use case. I liked being able to prove I
       | was in control of something on the web. I use Zoom for work and
       | think it's been one of the more stable video conferencing
       | solutions out there but I certainly can't trust them to maintain
       | something like Keybase in a secure manner. Bye keybase, I know
       | you had bills to pay and that this is a tough economy :( I hope
       | your core team will be able to regroup after cashing out at Zoom
       | with some new projects!
        
       | freen wrote:
       | And I'm done with Keybase.
       | 
       | What's that open source alternative that someone recently posted
       | here?
        
         | nathcd wrote:
         | keys.pub:
         | 
         | https://news.ycombinator.com/item?id=22995792
         | 
         | https://keys.pub/
        
           | abdullahkhalids wrote:
           | > This project is in development and has not been audited.
        
             | gnufx wrote:
             | Isn't it reassuring, at least, to see that said? Also
             | presumably an opportunity for the right people to help?
        
       | defulmere wrote:
       | Wow, it didn't take them long to dumb down https://keybase.io -
       | no mention of all of the cool nerdy crypto stuff, git, etc at
       | all, now it's just another chat app.
        
         | corkscrew wrote:
         | It's been like this for weeks
        
       | Xophmeister wrote:
       | No thanks... Cheerio, Keybase
        
       | mfer wrote:
       | What are the best alternatives to Keybase?
       | 
       | I'm curious about the encrypted filesystem, secure messaging that
       | works on computers (non-phone), and public key trust.
        
       | thinkmassive wrote:
       | Whoa, how much? The press release doesn't say, but this will come
       | out eventually since Zoom is publicly traded, right?
        
       | jklinger410 wrote:
       | > Engineer: Sir, it would be easier to just start over and build
       | a video app for security from the ground up.
       | 
       | > CEO: But that would cost millions over the course of years!
       | 
       | > Engineer: Or we could just buy an already secure video app and
       | put our features inside of that instead?
       | 
       | > CEO: Genius!
       | 
       | And that's how Keybase became Zoom.
        
       | pkilgore wrote:
       | You can put lipstick on an acqui-hire, and it's still an acquihire.
        
       | nemoniac wrote:
       | The Keybase client is open source. How hard would it be to build
       | an open source server or federated servers to work with the
       | client? Genuine question.
        
       | AndyKelley wrote:
       | I worked at OkCupid long after Chris Coyne and Max Krohn
       | abandoned it. From the vestigial remains of the founders' code
       | and features it was clear what their main objectives were: have
       | fun with cool tech, on the dime of VC funding. As soon as they
       | got bored, they moved on to the next thing. KeyBase is the same
       | pattern. I mean, good for them, they're successful by any measure
       | - how they spend their time and how much money they have. But
       | this outcome was to be expected.
        
       | koirapoika wrote:
       | Zoom?! What a twist! Congrats to the Keybase team! Although it's
       | time to drop the account and move further, I'll keep it for a
       | while in case of another twist.
        
       | chicombase_io wrote:
       | Let's be based. This shit is CCPromised. Please dang finest let's
       | this skit stand. Never trusted keybase in the first place
        
       | oskenso wrote:
       | Fork incoming~
        
       | HashThis wrote:
       | Please open source keybase
        
       | NikolaeVarius wrote:
       | Wat
        
       | reneberlin wrote:
       | To all the utopist at the bar right now: do not give up!
        
       | binichgross wrote:
       | Good night sweet prince, and flights of angels sing thee to thy
       | rest.
        
       | schoolornot wrote:
       | Surprised they took the path of acquiring Keybase and hiring Alex
       | Stamos (ex FB CISO) vs. hiring Moxie Marlinspike and other
       | respectable professionals. Keybase's reputation has become eroded
       | with their recent crypto currency signing nonsense.
       | 
       | https://en.wikipedia.org/wiki/Moxie_Marlinspike
        
         | munchbunny wrote:
         | Zoom's problems aren't really a matter of having security
         | _talent_, they're a matter of the company as a whole not
         | prioritizing security. Fixing the former doesn't fix the
         | problem, it just makes for good PR. The latter is a requirement
         | for the former.
         | 
         | Brian Krebs talked about this a bit in the wake of Equifax:
         | https://krebsonsecurity.com/2018/12/a-chief-security-concern...
         | 
         | Assuming Zoom is really trying to fix the problem, it makes a
         | lot of sense to bring in management (and/or teams) who have
         | experience with bringing security into engineering culture, as
         | opposed to individual security experts who may not even want to
         | work for Zoom in the first place.
        
         | rvz wrote:
         | Exactly. It was part of their 90-day strategic move in Zoom
         | Security.
         | 
         | From this article: [0]
         | 
         | > Within days, Stamos was on the phone with Keybase co-founder
         | Max Krohn, and the teams started working toward a deal. Yuan
         | said after he talked with Krohn and dug into Keybase's
         | software, he was convinced this was the right deal.
         | 
         | [0] https://www.cnbc.com/2020/05/07/zoom-buys-keybase-in-
         | first-d...
        
       | sealthedeal wrote:
       | NOOOOOOO!!! I am going to miss Keybase
        
       | technick wrote:
       | This is why we can't have nice things! Be sure to transfer any
       | crypto out of keybase now before it's too late.
        
       | frag wrote:
       | I guess moving to Matrix?
        
       | AnonC wrote:
       | This is sad. To me Keybase always seemed like it had a big
       | mindshare among techies (more so before the cryptocurrency
       | venture), but never had a good enough market share for its
       | offerings (like chat, for example). As others here have said,
       | Keybase could've launched some paid services.
       | 
       | With the shitshow that Zoom has turned out to be (there's a long
       | article on tidbits.com about the various issues), I don't have
       | any confidence that any part of Keybase as it exists now will
       | survive. My belief is that it'll shut down its services sometime
       | this year or the next. I used it very rarely to verify certain
       | identities, but am going to just delete my account and be done
       | now.
        
       | sneak wrote:
       | So, the company that got bribed by a shitcoin promoter to
       | backdoor the keybase app so it can abuse your secret keybase
       | identity keys to place permanent, non-removable shitcoin ads on
       | your profile[1] (and then immediately denied that it was a
       | backdoor and _also_ lied about implementing the ability for users
       | to remove the ads keybase got paid to place[2]) is now joining up
       | with the company that has shipped sketchy backdoored client
       | software[3], consistently lied about having end to end encryption
       | (and even doubled down on their lies when confronted about
       | it!)[4] and delivers their encryption keys from generation
       | servers in China[5].
       | 
       | I'm sure the result of this will be lots of good and secure
       | trustworthy software that I'll be eager to install on my
       | computer. It's totally legitimate and accurate that people are
       | reporting today that this acquisition will bring real end to end
       | encryption to Zoom as if buying a company causes software to
       | spontaneously manifest out of the ether with zero delay. Don't
       | worry, everyone: Zoom is secure now because they wrote a check!
       | 
       | What is it with cryptographic charlatans these days?
       | 
       | [1]: https://sneak.berlin/20190929/keybase-backdoor/
       | 
       | [2]: https://news.ycombinator.com/item?id=21109530
       | 
       | [3]: https://www.zdnet.com/article/zoom-defends-use-of-local-
       | web-...
       | 
       | [4]: https://blog.zoom.us/wordpress/2020/04/01/facts-around-
       | zoom-...
       | 
       | [5]:
       | https://www.forbes.com/sites/thomasbrewster/2020/04/03/warni...
        
         | ViViDboarder wrote:
         | From your second link a commenter actually steps through the
         | flow: https://news.ycombinator.com/item?id=21116981
         | 
         | It seems pretty clear from that description that the user
         | consents to signing...
         | 
         | I think it's annoying to see wallet and chat when all I really
         | cared about was a discoverable public key, but it doesn't
         | appear to be a backdoor signing method.
        
           | avree wrote:
           | The guy you're replying to is the one who wrote the
           | misleading blogpost that was (rightfully flagged) in link
           | [2]. I think it's likely that if he's still grinding this axe
           | 7 months after a very reasonable explanation was given by
           | Keybase, he's not going to change his mind now.
        
           | sneak wrote:
           | No, the consent modal is for generation of the wallet keys.
           | It says nothing about the fact that if you agree to make a
           | wallet, it will then use your _keybase identity keys_
           | (different keys, not the shitcoin keys you consented to
           | generate) to sign the attestation and permanently affix the
           | resulting ad for Stellar to your profile.
        
         | plttn wrote:
         | 1: it wasn't a backdoor 2: it wasn't a backdoor
        
           | yarrel wrote:
           | RON HOWARD VOICE OVER: It was a backdoor.
        
         | dang wrote:
         | Please don't post in the flamewar style to HN. We're here for
         | curious conversation, not to smite enemies, snark, score
         | rhetorical points, and whatnot.
         | 
         | Also, if you ratchet rhetoric up to this level of indignation,
         | you detract from your own credibility, so it's not in your
         | interest.
         | 
         | https://news.ycombinator.com/newsguidelines.html
        
           | sneak wrote:
           | My apologies; I thought it was on this side of the line, if a
           | bit sarcastic. I do my best to comply with the guidelines and
           | keep it on topic here.
           | 
           | Please delete/kill the comment, it's actually irrelevant
           | because their old product is probably toast now (as is
           | implied in TFA). My delete button timer has expired.
        
         | technoplato wrote:
         | After reading part of [1], I have no idea how you draw the
         | conclusions you do.
         | 
         | I was playing around with a bunch of different crypto
         | currencies when Keybase did the airdrop with Stellar. At every
         | point in the process, it was opt in. Then I received ~$60 and
         | that was it.
         | 
         | It seems your article was going for sensationalism and was
         | highly disputed by all commenters on HN, not covered up by some
         | capital driven conspiracy.
        
           | BillinghamJ wrote:
           | I'm pretty sure I ended up receiving a load of XLM without
           | opting in at all.
        
             | sneak wrote:
             | You're wrong. There is an opt-in for wallet key generation.
             | The opt-in does not say that when you opt-in to generate a
             | wallet keypair, it will _also_ do a second operation and
             | use your existing keybase identity keys to sign an
             | attestation that will then be permanently affixed to your
             | profile.
             | 
             | The text alludes to that being possible, but it doesn't
             | tell you it's going to actually do that, or that it will
             | then be impossible to remove the ad from your profile after
             | you do.
             | 
             | The specific opt-in consent text _matters_. It says a
             | thing, you click ok, but then it does that thing but also a
             | second thing.
             | 
             | Ultimately this doesn't matter though, because keybase is
             | toast now.
        
       | preinheimer wrote:
       | Congrats to the keybase team! They seemed to grow in fits and
       | starts, hopefully this sort of thing helps push encryption to
       | even more places.
        
       | wjd2030 wrote:
       | account deleted. bye bye.
        
       | richardknop wrote:
       | Strange combination.
        
         | jrockway wrote:
         | Why? Keybase's product is team chat. Zoom wants to kill Slack.
         | Seems perfect.
         | 
         | (Keybase's crypto stuff is nifty, but we all know there is no
         | money in that. They tried to make money by integrating
         | cryptocurrency, and people did NOT seem to like that. So here
         | we are.)
        
           | lord-squirrel wrote:
           | Never thought of Keybase as a team chat product. Maybe that's
           | just because I'm one of the older users :)
        
       | [deleted]
        
       | js4 wrote:
       | Why do I feel that this is Keybase selling out?
       | 
       | Zoom seems so off mission for them. Very disappointing.
        
       | nathcd wrote:
       | Mergers and acquisitions make me so sad :/ I need to stop letting
       | myself get excited about VC funded companies, because it always
       | ends in disappointment. I really should know better by now!
        
       | sealthedeal wrote:
       | I was one of the early Keybase adopters/users, this is kind of a
       | sad and happy day all at once. I am happy for the founders and
       | team as this is a great exit, but am sad because I think Keybase,
       | one of my favorite products, is going to go to the wayside :(
        
       | bergstromm466 wrote:
       | Poor Zoom, first they were scapegoated due to the whole
       | industry's overuse, or faulty use, of the term 'end-to-end
       | encryption' (especially if we believe Snowden's claims in his
       | latest book that portrays corporate cloud computing as a way for
       | American corporations to create and sustain NSA backdoors). Now
       | the team is probably pretty motivated to kick ass and show the
       | world what they're made of, considering they have Microsoft
       | Teams, Skype, Google Meet and other big co's as competitors (or
       | maybe it's the opposite, and Zoom is the bigger NSA Trojan horse
       | here).
        
       | jononomo wrote:
       | I think this is fantastic news. I expect adoption of both Zoom
       | and Keybase to increase as a result of this partnership. I love
       | both these platforms and this feels to me like a really perfect
       | match. I'm so glad that people aren't going to be forced to use
       | Google and Microsoft for everything -- it is good for monopolies
       | to be challenged with innovative tech.
        
       | eganist wrote:
       | Congratulations, malgorithms and team!
       | 
       | Selfishly hoping the core service isn't shut down, though. I've
       | been using it authoritatively for 5+ years. Treasuring the
       | username I got too.
        
       | [deleted]
        
       | clortho wrote:
       | Optically, this is suspect. But, I don't blame Keybase. This is
       | an opportunity for them. I hope Zoom doesn't mess it up.
        
       | DyslexicAtheist wrote:
       | time to ditch keybase
        
       | anigbrowl wrote:
       | Good thing I already finished my coffee before seeing this
       | headline. With no disrespect to Zoom, who might even have the
       | best intentions, seeing Keybase just get _acquired_ spooks me,
       | and makes me glad I wasn't seriously invested in it. I had been
       | under the impression (as a very casual user) that it was using a
       | foundation finance model to ensure its independence.
        
       | CalmStorm wrote:
       | I have been working on this decentralized key-value database:
       | https://github.com/kevacoin-project/kevacoin
       | 
       | Together with W3C's draft Decentralized Identifiers (DID:
       | https://www.w3.org/TR/did-core/), it could provide a
       | decentralized alternative.
       | 
       | Not sure what is the best way to verify Twitter/Github account
       | though. This has to be managed by users themselves. E.g. one user
       | posts a proof in the Twitter account, the other user verifies the
       | proof by checking the proof against the public key posted in the
       | database.
       | 
       | Edit: updated description.
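
The proof check described in the comment above, as an added example that is not part of the original thread or of any project named in it. It assumes Ed25519 keys, a `Map` standing in for the key-value database, and a constructed `id-proof:` post format; all names and accounts are made up for illustration.

```javascript
const nodeCrypto = require('crypto');

// Constructed marker for this example; not a Keybase, Kevacoin or DID wire format.
const PREFIX = 'id-proof:';

// Build the text a user posts on the social account. The signed statement names
// the database entry, the service and the account, so it cannot be reused elsewhere.
function createProof(privateKey, dbName, service, username) {
  const statement = Buffer.from(JSON.stringify({ db_name: dbName, service, username }), 'utf8');
  const signature = nodeCrypto.sign(null, statement, privateKey); // Ed25519: digest argument is null
  return PREFIX + statement.toString('base64') + '.' + signature.toString('base64');
}

// db: Map of entry name -> base64 SPKI public key (stand-in for the database).
// accountName is the account the verifier actually fetched postText from.
function verifyProof(db, dbName, service, accountName, postText) {
  const fail = (reason) => ({ ok: false, reason });
  const storedKey = db.get(dbName);
  if (!storedKey) return fail('no public key in database');
  if (typeof postText !== 'string' || !postText.startsWith(PREFIX)) return fail('no proof in post');
  const parts = postText.slice(PREFIX.length).trim().split('.');
  if (parts.length !== 2) return fail('malformed proof');
  const statement = Buffer.from(parts[0], 'base64');
  const signature = Buffer.from(parts[1], 'base64');

  // Verify the signature over the exact posted bytes before trusting any field in them.
  let signatureOk = false;
  try {
    const publicKey = nodeCrypto.createPublicKey({
      key: Buffer.from(storedKey, 'base64'), format: 'der', type: 'spki',
    });
    if (publicKey.asymmetricKeyType !== 'ed25519') return fail('unusable public key');
    signatureOk = nodeCrypto.verify(null, statement, publicKey, signature);
  } catch {
    return fail('unusable public key');
  }
  if (!signatureOk) return fail('bad signature');

  let claim;
  try { claim = JSON.parse(statement.toString('utf8')); } catch { return fail('malformed proof'); }
  if (!claim || typeof claim !== 'object') return fail('malformed proof');
  // A valid signature is not enough: the statement must name this entry and this account.
  if (claim.db_name !== dbName) return fail('proof is for another database entry');
  if (claim.service !== service || claim.username !== accountName) {
    return fail('proof is for another account');
  }
  return { ok: true, reason: 'verified' };
}

// Constructed scenario: one genuine proof, the same proof re-posted on a different
// account, and a proof signed with a key that is not the one in the database.
function demo() {
  const alice = nodeCrypto.generateKeyPairSync('ed25519');
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  const db = new Map([
    ['alice', alice.publicKey.export({ type: 'spki', format: 'der' }).toString('base64')],
  ]);
  const post = createProof(alice.privateKey, 'alice', 'twitter', 'alice_tw');
  const wrongKeyPost = createProof(other.privateKey, 'alice', 'twitter', 'someone_tw');
  return {
    genuine: verifyProof(db, 'alice', 'twitter', 'alice_tw', post),
    reposted: verifyProof(db, 'alice', 'twitter', 'someone_tw', post),
    wrongKey: verifyProof(db, 'alice', 'twitter', 'someone_tw', wrongKeyPost),
    unknownEntry: verifyProof(db, 'bob', 'twitter', 'alice_tw', post),
  };
}

console.log(demo());
```

The check only shows that the holder of the database key also controlled the account when the post was made; whether the database entry itself belongs to the right person is a separate trust question.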
        
       | reneberlin wrote:
       | Revoke all your keys. Give back any money you made of it. Relax.
       | Enjoy your fucking life a little better as it should have been
       | without keybase, bro.
        
       | brenden2 wrote:
       | Cue the anti-China conspiracy theories. It's incredible how
       | effective the anti-China propaganda has been.
        
         | doublesCs wrote:
         | My conspiracy is that people who have my private keys can read
         | my encrypted communication. No need to drag China into this.
        
           | brenden2 wrote:
           | Maybe Zoom is trying to solve that with help from Keybase?
        
             | doublesCs wrote:
             | By having my private keys?
        
               | brenden2 wrote:
               | Isn't the point of Keybase that they let you control the
               | private keys? I don't use it so I don't know, but my
               | impression was that they were trying to make encryption
               | and key management easy.
        
         | microcolonel wrote:
         | Eric Yuan is at least socially vulnerable to the PRC, before
         | the question of whether he is _collaborating_. Zoom is mostly
         | developed in PRC, and they were found to have architected their
         | system in an impractical way which "just happened to" expose
         | customer secrets to the PLA.
         | 
         | I just don't find it that plausible that Zoom was
         | _accidentally_ architected in the singular boneheaded way that
         | could send the only keys necessary to decrypt sessions, to
         | servers in a country where those keys can be, and regularly
         | are, secretly compelled from the people transporting them (inb4
         | somebody plays whataboutism with NSA, yes, it's bad when the
         | U.S. does it too, but NSA doesn't mean to compromise U.S.
         | national security).
         | 
         | That country happens to be the PRC, which is seemingly on the
         | verge of an aggressive war with the U.S. over, among other
         | things, their insistence on illegitimate claims to
         | international waters in the South China sea.
        
       | smolder wrote:
       | This is hilarious to me, because I finally decided to make a
       | keybase account and start making use of their service _two_ days
       | ago, and today it appears to be a dead product.
        
       | 2throwaway44332 wrote:
       | Keybase has been pretty okay with free-speech groups like:
       | https://keybase.io/team/det_disp
       | 
       | I wonder if Zoom will change that or not...
        
       | dcow wrote:
       | Honest question, why does Zoom's security reputation matter more
       | than Keybase's? There's so much pessimism in here but I really
       | don't get it. I disliked zoom long before any of the security
       | issues because frankly it's rough, unpolished, software that's
       | never really worked well for me. I, for one, would be excited to
       | get a functional Zoom with better security integrated into
       | Keybase as an option for UI so that you have a serious
       | "productivity" app. Why does the fact that zoom needs help in the
       | security department automatically spell the end of times?
        
         | coldpie wrote:
         | What I want is PKI that works for real people. Keybase was
         | trying to be that, and I was really excited about it. But,
         | that's not what Zoom is selling. So Keybase being acquired by
         | Zoom means what I wanted is dead.
        
           | dcow wrote:
           | That's fair. And it's a much more interesting discussion IMO.
           | Why is Keybase only really used for chat? I mean you can
           | `keybase pull` all your friends' pgp keys into your local
           | keyring. It's way way better than reading off fingerprints at
           | a key-signing party. And yet that still didn't lower the
           | barrier enough for people to actually use crypto for shit.
           | Maybe the key is email. Maybe Keybase missed an opportunity
           | to bring email into the equation so everybody could do "web
           | stuff" backed by social pgp without a second thought.
        
         | thecureforzits wrote:
         | Rough and unpolished, perhaps... but zoom is super popular
         | because it's dead simple and gets the job done, and all the big
         | players could learn a lot from them about putting end users
         | first and not trying to leverage them just to push other
         | products. To me the only question is whether Zoom will screw it
         | up by emulating the mistakes that the big players have made.
        
           | SamBam wrote:
           | Yes to all this.
           | 
           | I've been juggling a lot of meetings between Zoom and my
           | kid's school on different platforms, and the difference
           | between Zoom and Google Meet is night and day. Schools are
           | mostly switching to the latter because of the security
           | concerns, but damn is it terrible. It's like Skype from 15
           | years ago.
        
         | foxrider wrote:
         | The top comment says it all - China. I'm not going to have a
         | slither of trust for any China-based company, or a company that
         | employs the majority of Chinese nationals. The reasoning is
         | simple - this state is known for being subversive, play stupid
         | spy games and have full authority over any company operating
         | within its borders. Same reason one should never trust an
         | Iranian, Russian, North Korean companies and such.
        
         | floatingatoll wrote:
         | The missing piece here isn't a factor driven by technical
         | logic, but a factor by human logic.
         | 
         | It was "cool" to use Slack until it became widely used, and
         | then it was "cool" to use Keybase instead. Zoom is currently
         | seen as "uncool" (E2EE screwup + widely used), so when they
         | purchase "cool" Keybase, now Keybase automatically becomes
         | "uncool" as well and people will look for something "cool" to
         | migrate to next.
         | 
         | This isn't a complete explanation of all possible reasons, but
         | it's absolutely a contributing factor.
         | 
         | EDIT: I predict Riot/Matrix will be the replacement "cool" for
         | Keybase.
        
           | 0x8BADF00D wrote:
           | Keybase was useless for the most part anyway. It became a
           | vehicle to airdrop and shill shitcoins. Anyone saying it was
           | some kind of bastion of user privacy is being overly
           | nostalgic.
        
         | vz8 wrote:
         | Just out of curiosity, what was it about Zoom that never worked
         | well for you? I work with oodles of academics, and that was the
         | singular reason they flocked to Zoom - out of box ease of setup
         | / ease of use that trumped WebEx and GoTo Meeting.
         | 
         | Privacy considerations were secondary and only came to light
         | (from their perspective) during the increased scrutiny brought
         | during COVID-19.
        
           | dcow wrote:
           | Their client software locks up my machine every other day.
           | You can't screen share on wayland. My coworker can't run a
           | build while on a zoom call or his machine just dies. The UI
           | has never scaled properly on my displays. The zoom icon is
           | distorted in my task switcher. You can't use zoom in the
           | browser. It's a lot of little things that add up. I'll admit
           | I've never used zoom on Windows. Perhaps they've invested
           | most of their effort on that platform. And credit where it's
           | due, when the video calls work, they work as well as any.
        
             | scns wrote:
             | It is kind of surreal for me, that you complain that Zoom
             | does not work on Wayland. Even though I use Linux myself.
        
             | vlowther wrote:
             | Zoom running on Plasma in X has worked fine for me for
             | years. I would suggest that the problem (like so many
             | others) is a Wayland ecosystem maturity thing, not a zoom
             | thing.
        
         | Infinitesimus wrote:
         | > Honest question, why does Zoom's security reputation matter
         | more than Keybase's?
         | 
         | Because Zoom is the buyer and they have the power. Sellers can
         | make whatever promises they like (see: Whatsapp, Instagram) and
         | it is reasonable to assume the buyer will have their way in the
         | end.
         | 
         | Zoom will certainly use Keybase to improve their security
         | overall. However, the rather obvious lack of commitment to
         | existing users means there likely won't be any longterm.
         | 
         | My prediction: Zoom integrates well with keybase, there's a
         | blog post that keybase is shutting down external services in a
         | few months, the keybase founders leave and 1-2 years later, we
         | hear of a new company they've founded.
        
         | ibejoeb wrote:
         | One scenario in which Zoom's rep matters more, to me, is that
         | they keep keybase alive, but now Zoom's slop infiltrates
         | keybase.
         | 
         | In one way, good job Zoom for looking into security. In another
         | way, I'm still looking at this awful UX that's buggy as hell
         | and thinking it's gonna be a real slog for the keybase team to
         | overcome that momentum.
        
         | dredmorbius wrote:
         | Keybase is sitting on a potential vidconf goldmine heading to
         | our brave newcov world. Keybase was sitting on top of a VC
         | flush trapdoor opening to the abyss.
         | 
         | Tech doesn't matter nearly so much as market. Marrying better
         | tech chops to better market potential is a rather better
         | investor storytime.
         | 
         | (Doesn't mean it'll work, doesn't mean Keybase tech will, or
         | won't, survive. But the place to be is Zoom's niche with
         | Keybase's clue.)
        
       | frisco wrote:
       | I had such high hopes for Keybase; kbfs had completely replaced
       | Dropbox for me. This is terrible news.
        
         | souterrain wrote:
         | This is precisely why Zoom is acquiring Keybase. Zoom seeks to
         | become the single "remote work tool", challenging Dropbox, et
         | al. directly.
         | 
         | I'm particularly disenchanted with the growth of these
         | multipurpose tools, but I am not their target audience. (Nor, I
         | suspect, are many HN participants, but this is a baseless
         | guess.) I suppose I'm more of an adherent to so-called "UNIX
         | philosophy"--the best, single-purpose tool for each task,
         | preferably that can be combined with its like for a solution
         | customizable to how a specific user gets work done.
        
           | _asummers wrote:
           | > Zoom seeks to become the single "remote work tool",
           | challenging Dropbox, et al. directly.
           | 
           | Maybe they should work on the fact I can run Zoom in screen
           | share and just about nothing else. Just entering a call for
           | me takes ~75% of my CPU and I beach ball regularly when
           | screen sharing lightweight text editors doing barely more
           | than scrolling and typing.
        
       | paramk wrote:
       | Will this mean Keybase will be killed in the near future ?
       | 
       | From the blog
       | 
       | Initially, our single top priority is helping to make Zoom even
       | more secure. There are no specific plans for the Keybase app yet.
       | Ultimately Keybase's future is in Zoom's hands, and we'll see
       | where that takes us. Of course, if anything changes about
       | Keybase's availability, our users will get plenty of notice.
       | 
       | So, our shortest-term directive is to significantly improve our
       | security effectiveness, by working on a product that's that much
       | bigger than Keybase. We can't be more specific than that, because
       | we're just diving in.
        
         | conroy wrote:
         | > Will this mean Keybase will be killed in the near future ?
         | 
         | Absolutely. This was clearly an acquihire.
         | 
         | I copied all of my data out of my keybase folder today and I'd
         | suggest you do the same.
        
       | mixturez wrote:
       | Wow. why?. Bye keybase
        
       | danrl wrote:
       | Congrats to the team for having a nice exit. I myself removed all
       | my data from keybase and stopped using it. There is just no trust
       | left on my side for Zoom and those who join Zoom in a business
       | relationship. Indistinguishable from malware it has been for me.
       | Disrespectful of my privacy and hard to remove from my machine.
       | No, thanks. Nevertheless, wishing all the best for keybase.
        
       | KingOfCoders wrote:
       | Oh no.
        
       | monadic2 wrote:
       | This is really concerning given Zoom's clear lack of security
       | expertise--there's no good outcome here.
        
       | freewizard wrote:
       | Guess I shouldn't be surprised. After all, Microsoft acquired
       | GitHub, IBM acquired RedHat.
        
         | searchableguy wrote:
         | Many weird acquisitions past few years but all make sense from
         | a monopolistic angle.
         | 
         | Startpage by an ad company.
         | 
         | PIA by an anti privacy malware company.
         | 
         | Keybase being a slack competitor merging with zoom makes much
         | more sense in retrospect. Zoom is insecure while keybase is
         | seen as secure.
         | 
         | Companies are purchasing competitors or revenue stealers.
        
       | Kipters wrote:
       | Congrats to the keybase team, but I guess I'll just stop using it
        
         | steve_adams_86 wrote:
         | Likewise. My friends and I have been using it throughout the
         | pandemic to chat, I've been using it for years, but we're all
         | deleting our accounts this morning. All around unsettling news
         | as far as keybase software goes. Congratulations keybase team,
         | though.
        
           | otachack wrote:
           | I'm curious where Keybase refugees are going to end up.
           | Matrix? Telegram?
        
       | f38zf5vdt wrote:
       | Zoom: Well boys, we did it. Privacy problems are no more.
        
       | reneberlin wrote:
       | Meh. They did it. Surprise. Think about what kind of intelligence
       | is working in the inner of z00m. You should be afraid of them,
       | the same as you are of whatsapp, telegram and your knik-knok to
       | come.
        
       | whateveracct wrote:
       | This is kind of comical - I guess when leadership-types want to
       | recover from the recent bad press, they decided they could buy a
       | security-oriented company and that'll "help make Zoom more
       | secure." I guess what more can you do when you can't implement
       | this stuff lmao
        
       | sm4rk0 wrote:
       | I trusted Keybase. They sold me. I deleted my account. For the
       | same reason I deleted my account when LinkedIn sold my data and
       | trust to Microsoft.
        
       | dang wrote:
       | We changed the URL from
       | https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keyb...
       | to the Keybase equivalent since more people were commenting on
       | that one anyway.
        
       | dcchambers wrote:
       | If the main reason for this acquisition is for the Keybase
       | engineering talent, I hope Zoom/Keybase does the right thing and
       | open-sources the server code for Keybase, rather than letting the
       | product die.
        
       | kevinwang wrote:
       | Huh??
        
       | andrewla wrote:
       | On announcing that they'll support git [1]:
       | 
       | > > > You guys should be taking my money
       | 
       | > > One way to pay, if you want to help ensure their success &
       | longevity, is to evangelize for them, and get other people hooked
       | on their product. Getting other people hooked on it like you are
       | and seeing the potential and get over the adoption humps...
       | that's valuable! They're not taking money because it raises the
       | barrier to entry, and growth is most important. Pay them by
       | helping them grow.
       | 
       | > It's valuable, but not in the capital sense. Each person you
       | get hooked on their product increases their burn rate, and both
       | makes them more attractive as an acquisition (which is scary for
       | users) and more desperate for cash (which makes acquiescing to
       | acquisition more tempting).
       | 
       | > Without a road to profitability (or at least a road to revenue)
       | even attracting equity is difficult; investors who enter with
       | that knowledge will be looking to exit through acquisition, since
       | that's basically the only way to exit, other than just getting
       | more capital.
       | 
       | [1] https://news.ycombinator.com/item?id=15403772
        
       | gkoberger wrote:
       | I don't think they bought Keybase for the team or security. I
       | think it's one of the few good Slack competitors out there for
       | sale.
       | 
       | Zoom definitely sees this as a chance to take on Slack given
       | their new momentum.
        
       | pbnjay wrote:
       | Oof. Keybase was struggling to define what exactly it was, so I
       | guess this is the best exit option for them anyway...
        
         | cowmix wrote:
         | Thank you!
         | 
         | I've been using it on and off for years.. I'm still not sure
         | what exactly it is or under what circumstances I should be
         | using it.
        
           | soulofmischief wrote:
           | I use it for shared network storage, frictionless private git
           | repositories, basic static web hosting, personal and work
           | chat, and I make heavy use of the teams feature. Not a day
           | goes by I don't use it for something.
        
       | rvz wrote:
       | Looks like it wasn't a good idea to leave your private keys in
       | Keybase's servers was it?
       | 
       | Perhaps the moment that Keybase took VC funding a while back, it
       | was over to begin with and the principles of being a "Slack
       | competitor" and respecting their users privacy went straight out
       | of the window and into the bin.
       | 
       | I really had high hopes for Keybase as a Slack competitor, the
       | cryptocurrency stuff I actively ignored, but this is a disaster.
       | 
       | Fission Mailed.
        
         | maximente wrote:
         | honestly the real security fail in keybase seemed to be users
         | flocking to add every single social media identity to their
         | keybase account, allowing anyone using the public API to remove
         | all doubt that greg1234 on twitter == karl5912 on reddit ==
         | john1005 on HN, etc.
         | 
         | scrape all those social media posts, reddit subs, etc. and
         | you've probably got a solid idea of who that user is. all under
         | the guise of public FLOSS stuff.
        
           | tomcatfish wrote:
           | That's not a flaw, that's the main feature I was using it
           | for.
        
           | efreak wrote:
           | Or you can just use keybase to only add your accounts that
           | already have the same username and leave the others
           | disconnected.
        
         | vr46 wrote:
         | This is a complete disaster.
        
         | gspr wrote:
         | Wait, what? People gave Keybase their private keys?? Isn't
         | keybase just some glorified modernized web of trust
         | infrastructure?
        
           | coldpie wrote:
           | It was well-intentioned. For a time, Keybase provided users
           | the option to upload their private keys so they didn't have
           | to maintain them themselves. You could just log into Keybase
           | and send signed messages, decrypt messages, etc without the
           | hassle of managing your keys locally. It was definitely a bad
           | idea and I think they dropped it a few months/years later,
           | but it at least wasn't totally out of left field.
        
             | bamboozled wrote:
             | They don't have access to your unencrypted private key,
             | it's just a backup of your private key which is encrypted
             | by (hopefully) a very strong password.
             | 
             | This feature saved my skin on one occasion.
        
               | floatboth wrote:
               | Well, you still have to trust them not to ship a website
               | update where the client side scripts would leak your
               | decrypted private key :)
               | 
               | To be fair, you also have to trust native apps and
               | browser extensions the same way. But with websites, the
               | risk of a _sudden_ and _targeted_ (not noticed by the
               | general public) update is much greater!
        
               | coldpie wrote:
               | I believe the argument is that a private key encrypted
               | with a password is not cryptographically different from a
               | plaintext private key. The password is more of a "keeping
               | honest people honest" kind of thing, than true security.
               | If it was truly secure, then you'd be using a new private
               | key to encrypt your real private key, and then you're
               | back to where you started. Cryptography is hard, which is
               | why I was such a big fan of Keybase trying to fix it for
               | real people :)
               | 
               | Edit: This has a received a few downvotes. If I'm wrong
               | here, I'd really like to know why! I thought this
               | explanation was correct and clear.
        
               | minitech wrote:
               | > a private key encrypted with a password is not
               | cryptographically different from a plaintext private key
               | 
               | It is different. Keybase could update the app to steal
               | your key, but that's a visible attack that can't be done
               | retroactively.
               | 
               | > If it was truly secure, then you'd be using a new
               | private key to encrypt your real private key
               | 
               | There's no reason to use asymmetric crypto for symmetric
               | encryption.
        
               | dcow wrote:
               | I didn't downvote. Here are my thoughts.
               | 
               | > I believe the argument is that a private key encrypted
               | with a password is not cryptographically different from a
               | plaintext private key.
               | 
               | You have it backwards. On principle an encrypted anything
               | (key in this case) is of zero value to anyone. It doesn't
               | matter if you tweet encrypted messages every 30 seconds
               | to millions of followers or not: they're encrypted.
               | 
               | When you use a password to encrypt, and you (or your
               | client/agent) selects an appropriately sophisticated
               | suite, you end up seeding a KDF with your password and
               | then using the resulting data as the actual "private key"
               | (its just a symmetric key, no public/private). If your
               | password has enough entropy, then the resulting key is
               | perfectly secure.
               | 
               | In practice people are paranoid. "If the key is on
               | Keybase's servers, someone could get it and brute force
               | decrypt it." It's almost pop culture fallacious, though,
               | because if you believe someone can do that, then they can
               | just as easily brute force the actual key. In practice
               | people use shitty passwords, and crypto weakens as time
               | moves forward, there are good and bad algorithms, and the
               | whole point of a _public_ key infrastructure is to keep
               | private keys off the wire. So it's generally seen as bad
               | form to copy private keys around, even if they're
               | encrypted. We're still pretty far on the spectrum here
               | because if your crypto breaks you have to re-key
               | everything anyway. Not just re-encrypt unchanged private
               | keys.
               | 
               | At the end of the day you're either copying a private key
               | around or you aren't. And you should probably avoid
               | situations where you need to do that because there are
               | better ways to PKI. If your threat model can tolerate
               | encrypted key backups and key sharing, then go for it.
               | But that should be something you control.
        
               | chaps wrote:
               | Hmmmm... so wouldn't you agree that a percentage of keys
               | would be decryptable by iterating over all encrypted
               | files of all accounts using password dumps? Seems like a
               | good way to decrypt maybe 10%. Still sounds like a major
               | problem, though.. not at the individual level, but at the
               | systems level.
        
               | orblivion wrote:
               | If people have bad passwords, that makes brute force
               | recovery of the private key on a Keybase server
               | plausible, right? At least a lot more so than the whole
               | key from scratch. I'd assume that a machine generated key
               | has more entropy than any password that a human can
               | memorize.
               | 
               | If sharing a password-protected private key is perfectly
               | safe, why bother having them? Why don't PGP users just
               | password protect everything?
               | 
               | Above all else though, is there an authoritative source
               | that can answer these questions? As a run-of-the-mill
               | programmer, I don't really understand how crypto works
               | well enough to trust my own common sense here. It's been
               | drilled into my head that there are certain rules to
               | follow set out by people who do know what they're doing.
               | And when people say "it's all good, it's password
               | protected", and I'm not sure what their credentials are,
               | I get a little nervous. I did notice that Werner Koch
               | uses Keybase, but if they could simply point to an "okay"
               | from him or Zimmerman explaining the situation, it would
               | be settled. To me anyway, it's not simply an abundance of
               | caution ("paranoia"), it's that something seems
               | fundamentally wrong with the approach and I just don't
               | know the actual cost.
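
The password-protected key backup debated in the comments above (a KDF turns the password into a symmetric key, and the blob is then only as strong as that password), as an added sketch that is not code from the thread or from Keybase. PBKDF2-HMAC-SHA512, the iteration count, the HMAC-based keystream standing in for a real AEAD cipher, and every function name are assumptions made for illustration; `effective_bits` is a rough estimate, not a measurement.

```python
import hashlib
import hmac
import math
import secrets

KDF_ITERATIONS = 200_000  # assumed work factor for this sketch
KEY_BITS = 256            # strength of a machine-generated key


def _derive(password, salt, iterations):
    """Stretch the password into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha512", password.encode(), salt,
                              iterations, dklen=64)
    return okm[:32], okm[32:]


def _keystream_xor(enc_key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for an AEAD cipher so the sketch needs only the stdlib.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _tag(mac_key, iterations, salt, nonce, ciphertext):
    """Authenticate every field an attacker could modify in the backup."""
    msg = iterations.to_bytes(4, "big") + salt + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def wrap_private_key(password, private_key, iterations=KDF_ITERATIONS):
    """Encrypt a private key under a password; the result is safe to upload
    only to the extent that the password resists guessing."""
    salt = secrets.token_bytes(16)   # per-backup salt defeats precomputation
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _derive(password, salt, iterations)
    ciphertext = _keystream_xor(enc_key, nonce, private_key)
    return {
        "iterations": iterations,
        "salt": salt,
        "nonce": nonce,
        "ciphertext": ciphertext,
        "tag": _tag(mac_key, iterations, salt, nonce, ciphertext),
    }


def unwrap_private_key(password, blob):
    """Return the private key, or raise ValueError on a wrong password
    or a modified blob (encrypt-then-MAC check comes first)."""
    enc_key, mac_key = _derive(password, blob["salt"], blob["iterations"])
    expected = _tag(mac_key, blob["iterations"], blob["salt"],
                    blob["nonce"], blob["ciphertext"])
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or tampered backup")
    return _keystream_xor(enc_key, blob["nonce"], blob["ciphertext"])


def password_opens(password, blob):
    """True if the password unwraps the backup."""
    try:
        unwrap_private_key(password, blob)
        return True
    except ValueError:
        return False


def effective_bits(password_bits, iterations, key_bits=KEY_BITS):
    """Estimated log2 of the hash work needed to recover the key from a
    stored blob: the KDF adds log2(iterations) bits to the password's
    entropy, capped at the strength of the key itself."""
    return min(key_bits, password_bits + math.log2(iterations))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed stand-in for a private key
    blob = wrap_private_key("six random diceware words go here", key)
    assert unwrap_private_key("six random diceware words go here", blob) == key
    for label, bits in [("8 random lowercase letters", 8 * math.log2(26)),
                        ("6 diceware words", 6 * math.log2(7776)),
                        ("random 256-bit key", 256)]:
        print(f"{label:28s} ~{effective_bits(bits, KDF_ITERATIONS):.1f} bits")
```
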
        
           | dcow wrote:
           | No, they didn't. There is an option to have Keybase sync a
           | [backup] copy of your private key(s) between your devices for
           | you but the key is encrypted by you. And, none of their stuff
           | like chat or git etc. depends on using/accessing those keys
           | in anyway (they built out their own domain-applicable pki for
           | that--in other words, chat doesn't use pgp). It's just a
           | convenience option for those who want it and it's not the
           | default.
        
         | dcow wrote:
         | Or, maybe Keybase needs video, and Zoom needs chat and
         | security, in order to compete with the new wave of
         | "productivity" suites. Why would Keybase suddenly be a failure
         | or get worse in the security department because they are owned
         | by a successful video conferencing company?
        
           | deathhand wrote:
           | It's deeper than "Chat Security". There is current litigation
           | against Zoom marketing of the misuse of 'end to end'
           | encryption. This is the best way forward of claiming
           | ineptitude and their path to rectify.
        
       | nyxtom wrote:
       | Well that's disappointing
        
       | pianoben wrote:
       | Another "incredible journey" comes to a close.
       | 
       | What a solid and useful product Keybase was! I'm ashamed that I
       | didn't see this coming. Now I have to find a replacement that
       | isn't compromised.
        
       | Legogris wrote:
       | I recently posted this comment during a recent Keybase/Keys.pub
       | thread: https://news.ycombinator.com/item?id=22996981
       | 
       | Looking forward, none of that seems to matter due to this
       | acquisition/acquihire - it seems clear that we'll not be able to
       | count on Keybase in any meaningful way from now on.
       | 
       | This is the most disillusioning acquisition to date for me.
        
       | jchw wrote:
       | Why? This doesn't even make _sense_.
       | 
       | Now I don't even know if I can trust Keybase, and am trying to
       | figure out if I should delete my account. Does anyone have any
       | persuasive arguments for/against?
        
       | cityzen wrote:
       | "We are excited to integrate Keybase's team into the Zoom family
       | to help us build end-to-end encryption that can reach current
       | Zoom scalability."
       | 
       | you mean... to help you sort out your false advertising.
       | 
       | I just pulled a random page from Dec 25 of 2019 from internet
       | archive where the site says this:
       | 
       | https://d.pr/i/w3Ac0f
       | 
       | Meet securely End-to-end encryption for all meetings, role-based
       | user security, password protection, waiting rooms, and place
       | attendee on hold.
       | 
       | https://web.archive.org/web/20191225055029/https://zoom.us/m...
       | 
       | Fake it til you make it?
        
       | reneberlin wrote:
       | I do not know the paperwork around this, but my guess is the same
       | as with: WhatsApp-founders or some comparable. They begin hating
       | what they did. Quit as fast as the contract allows.
       | 
       | And stupidly try to restart the same shit in the same niche.
        
       | walkingolof wrote:
       | Mixed feelings, Keybase could become a "modern" Skype, but it may
       | be the zoom is not that interested in the chat/teams/fs parts of
       | Keybase...
        
       | fareesh wrote:
       | Promising product but I will not use it anymore
        
       | cbg0 wrote:
       | > Zoom does not and will not proactively monitor meeting
       | contents, but our trust and safety team will continue to use
       | automated tools to look for evidence of abusive users based upon
       | other available data.
       | 
       | > Zoom has not and will not build a mechanism to decrypt live
       | meetings for lawful intercept purposes.
       | 
       | > We also do not have a means to insert our employees or others
       | into meetings without being reflected in the participant list. We
       | will not build any cryptographic backdoors to allow for the
       | secret monitoring of meetings.
       | 
       | One court + gag order and all of these promises are out the
       | window.
        
         | foobiekr wrote:
         | The statement about lawful intercept can only be considered a
         | blatant lie. It's a requirement in China and CALEA applies in
         | the US. Europe, India and Australia have their own laws around
         | this.
        
           | jlgaddis wrote:
           | What makes you think that CALEA applies to Zoom (in the
           | U.S.)?
           | 
           | IANAL, but I'm reasonably confident that it does not.
        
             | coolspot wrote:
             | EFF says[1] it applies to Skype, so I think it should apply
             | to Zoom as well.
             | 
             | [1] - https://www.eff.org/issues/calea
        
         | blackkat wrote:
         | "...will not proactively monitor..."
         | 
         | "...will not build a mechanism to decrypt live meetings..."
         | 
         | So, this means that they can record meetings, then
         | retroactively decrypt and monitor meeting contents :)
        
         | GurnBlandston wrote:
         | Let alone the legalese included that makes 'will not' lose any
         | meaning at all.
        
         | notriddle wrote:
         | Well, yeah, duh.
         | 
         | What do you expect them to do? Hire a PMC and fight a war with
         | the police when they come around to raid the server room? Go
         | into hiding so that the security agency can't steal the upgrade
         | signing key from them?
         | 
         | We can't expect all of the internet to operate like Wikileaks
         | and The Pirate Bay. If the justice system is broken, then the
         | people aren't safe.
        
           | oehpr wrote:
           | >What do you expect them to do? Hire a PMC and fight a war
           | with the police when they come around to raid the server
           | room? Go into hiding so that the security agency can't steal
           | the upgrade signing key from them?
           | 
           | No, we want them to assume the same thing we are assuming.
           | That if their service becomes successful, they will be
           | coerced to compromise their users, regardless of how
           | frequently they promise that they would never do so.
           | 
           | If they are even bothering to make public announcements like
           | this, then that means they believe the security of their
           | system can be founded on the honor of their employees. It's
           | important to recognize that this isn't even true if you
           | assume every member of their team is an uncorruptible
           | seraphim.
           | 
           | Instead, where possible, the service should be zero
           | knowledge, where not possible, it should be considered
           | insecure.
        
         | degenerate wrote:
         | Consider these promises a warrant canary. They will be removed
         | at some point.
        
           | sdlkfgj wrote:
           | only that it is not.
           | 
           | warrant canaries must be written in the past tense. This is
           | future tense. So they can monitor millions of calls, and give
           | your information away at every second. This text only tells
           | you about the next second (a promise they will break too, but
           | then the text will be about the next second)
        
             | MiroF wrote:
             | Perhaps it's my inexperience with the English language
             | showing, but I thought "has" in this context was past
             | tense.
        
               | jpxw wrote:
               | Nope you're right. They could use this as a warrant
               | canary by removing the "has not" part
        
             | mdtusz wrote:
             | > Zoom has not and will not build a mechanism to decrypt
             | live meetings for lawful intercept purposes.
             | 
             | That seems to include past tense.
        
               | JshWright wrote:
               | I wonder how important the word "live" is there. Does
               | this statement only apply to real-time decryption of
               | ongoing meetings?
        
               | SAI_Peregrinus wrote:
               | And how long of a delay counts as no longer "live"? After
               | the meeting ends? Five seconds? A millisecond? Does the
               | latency to the server mean it's not "live", since it
               | happened in the past?
        
               | anticensor wrote:
               | One full meeting duration after the meeting ends.
        
               | anticensor wrote:
               | I think yes: they lack the technical infrastructure to
               | decrypt the meeting in real time (which totally makes
               | sense), rather than they have no plans to build any
               | infrastructure to decrypt it afterwards (which cannot be
               | guaranteed against a hostile actor).
        
           | SahAssar wrote:
           | I thought warrant canaries had to be in financial reports
           | because those are one of the documents where companies
           | legally cannot lie under SEC rules?
        
         | kyboren wrote:
         | It also does not say that they have not provided key material
         | or RNG output, or that they have not deliberately weakened any
         | aspect of their design other than "cryptographic backdoors" to
         | accommodate law enforcement desires.
         | 
         | These kinds of statements are typically most usefully
         | interpreted as a template for the kinds of things they plan to
         | do, just maybe not _exactly_ in that way.
        
       | blunte wrote:
       | What the fuck? Now I have to look for another secure chat system.
        
       | tfranco wrote:
       | They spelled acquihire wrong.
        
       | stickac wrote:
       | I am glad we have https://keys.pub/ :-)
        
       | Havoc wrote:
       | Well they had better sort out their security ASAP. The South
       | African parliament's Zoom meeting just became a porn stream.
       | Second time that has happened in <month. Can't really see why
       | anyone is still using it for serious work.
       | 
       | https://www.heraldlive.co.za/news/politics/2020-05-07-parlia...
        
       | stickac wrote:
       | I am glad we have https://keys.pub/ :-)
        
       | reneberlin wrote:
       | keybase "joins" zoom get a better presser
        
       | Communitivity wrote:
       | Given the security concerns around Zoom, and the apparent lack of
       | QC that might have prevented those concerns, this news is
       | appalling. I love Keybase, it's used by many people, but I
       | suspect it will now die a quick death. More accurately I suspect
       | it will slide into a coma - not quite dead, but not in wide use
       | anymore either.
        
         | [deleted]
        
         | bitexploder wrote:
         | Even as an information security practitioner that cares a great
         | deal about privacy I am just not willing to jump on this "Zoom
         | is bad" band wagon. "Zoom is bad" is a tech media narrative
         | largely driven by the large players that have something to gain
         | by seeing Zoom stumble. There may be QC concerns, but in
         | general the product has been great for our team and our
         | consensus was to give them some time. Their response has been
         | positive and they seem to have handled it transparently.
         | Reality says this: Zoom works well enough. When we started
         | using it several years ago it was far ahead of the competitors.
         | Maybe they are catching up? Anyhow, I will give Zoom a chance
         | to do the right thing over the next 6-12 months regarding
         | Keybase, and their product in general.
        
         | coldpie wrote:
         | Yeah holy crap. I've been a big fan of Keybase since they
         | launched, but this is a death knell. I guess I'm not too
         | surprised, Keybase didn't seem to have a business model, but
         | still, disappointing that they're going to go into death this
         | way.
         | 
         | Attention people starting businesses: VC funding is fun and
         | all, but please, have a business model. Your users and
         | employees depend on it.
        
           | falcolas wrote:
           | Sometimes, acquihire _is_ the business model. It makes money
           | for the VCs and money for the founders. It's just the
           | fools^wconsumers who bought in early (and the non-essential
           | employees) who get the shaft.
        
           | _Microft wrote:
           | _What's our business model, how are we making money? Umm...
           | don't ask me - I'm just the founder!_
           | 
           | The sad thing is that you need to remind people of it. I
           | would never start a business without an idea of a viable
           | business model for it. What do they expect? Growing until
           | they are too large to fail and then ... Godot arrives and
           | everything is fine?
        
           | epanchin wrote:
           | While honourable advice, the bottom line is Keybase sold
           | without having a business model.
           | 
           | So perhaps better advice is, start a business even if you
           | don't have a plan and someone may buy it anyway.
        
             | floren wrote:
             | The plan was to get acquired. As much as I've liked Keybase
             | the product, their steadfast refusal to ever come up with a
             | way to make money has _always_ made me suspect they were
             | doing the typical Silicon Valley thing: just burn funding
             | until a bigger company notices and buys you.
        
               | [deleted]
        
         | ithkuil wrote:
         | why not look at the problem the other way around?
         | 
         | I don't have much respect for zoom's security practices, while
         | I do have much respect for the keybase team.
         | 
         | Perhaps this is Zoom's way of admitting that there is no way
         | they can just solve the problem internally by keeping doing
         | what they're doing and they need to get some fresh blood and
         | build upon good practices designed outside their current
         | culture.
        
           | andrepd wrote:
           | Then why acquire? Why not just hire as a consultant?
        
             | dcow wrote:
             | Because keybase obviously needs money and zoom has a lot of
             | it right now..
        
               | mpweiher wrote:
               | That, and this is probably in large part a marketing/PR
               | move.
               | 
               | Public perception of zoom/security is "beyond horrible",
               | thus visibly spending lots of money on an acquisition of
               | a very well respected _name_ in security helps them
               | polish that image at least a little.
               | 
               | And who knows, maybe they'll even work on actually
               | improving security. Always the hopeless
               | romantic/optimist, me. ¯\_(ツ)_/¯
        
               | ableal wrote:
               | > Public perception
               | 
               | I'd say you overestimate that. Perhaps 0.01% of the
               | public knows that Keybase exists and has a bad opinion of
               | Zoom security. Expert's opinion is important, but does
               | not automatically become general perception.
               | 
               | (Anecdatum, I'm far from a security expert. I know that
               | Keybase exists, even have an unused account; I use Zoom
               | for work and don't blame them for not locking up tighter.
               | Their blog post on the topic sounded reasonable to me.)
        
               | kyboren wrote:
               | > Perhaps 0.01% of the public knows that Keybase exists
               | and has a bad opinion of Zoom security. Expert's opinion
               | is important, but does not automatically become general
               | perception.
               | 
               | This is true, but perhaps a bit short-sighted. Expert
               | opinion on Zoom is "avoid it like the plague". This does
               | not automatically become general perception, true, but:
               | 
               | - Over time, expert opinions have a marked effect on
               | adoption by non-experts in their vicinity. See the
               | adoption of Firefox, or Google Chrome, for example.
               | 
               | - For a social networking platform, powerful well-
               | connected never-adopters can pose a problem both to
               | growth and to a budding monopoly. If CIOs and CISOs say,
               | "Zoom over my dead body", that will tend to discourage
               | adoption and encourage development of good alternatives.
        
             | zoomablemind wrote:
             | Zoom may be also managing the perceptions. Some users will
             | jump to conclusions that the acquisition means integration,
             | like a plug-in, bam! the bad part swapped with a good one.
             | 
             | Hiring consultants may be perceived like starting an
             | investigation, not getting the fix now.
             | 
             | The question remains how soon and how true this will
             | translate to the stated goal of true end to end encryption.
        
           | fossuser wrote:
           | I actually love Zoom as a product - far and away the best
           | product in its class and this move likely makes sense for
           | Zoom.
           | 
           | The disappointment comes from the loss of Keybase and what it
           | could have been.
           | 
           | The main problem is Zoom having most of its development done
           | via companies based in China. This means it is no longer
           | possible for Keybase to achieve its original goal (and
           | whatever encryption they add cannot fix this core problem).
           | 
           | It's one thing to accept the risk for video conferencing, but
           | it's another to accept for an encryption ID standard.
           | 
           | I agreed with Chris Coyne's comments on HN a while back when
           | he argued that the closed source server code didn't matter
           | because of how they handled the encryption (when compared to
           | Signal). While that's still true from a technical security
           | standpoint, it looks like it does matter in a larger sense
           | because this kind of sale shows that you can't really trust a
           | company to act in its users' interests long-term.
        
           | monadic2 wrote:
           | Has an acquisition ever worked like that in practice? I've
           | heard that github might qualify but... Keybase ain't no
           | github.
        
           | munchbunny wrote:
           | In general, when it's between fresh blood and old management,
           | old management will win every time.
           | 
           | If Zoom is acquiring Keybase because the C-suite is pivoting
           | culture around security, then it'll probably work. Otherwise,
           | not much will change. So until I see more evidence that
           | Zoom's upper management had a change of heart (creating a
           | CISO council is a good start), I'm going to be skeptical that
           | this will actually move the needle.
        
           | bkanber wrote:
           | I agree. I'd bet all the cash in my wallet that this was Zoom
           | doing a talent acquisition, to bring a team of crypto experts
           | on board.
        
           | doyoureallytnot wrote:
           | I really hope that's the case, for Zoom's sake.
           | Unfortunately, that means less than nothing to me; I don't
           | use Zoom, whilst I do use Keybase.
           | 
           | I don't trust Zoom to be custodians of the Keybase company or
           | software. This has been a real blow to my confidence in them
           | and I'm not sure I'll continue to use Keybase :(
        
           | frogpelt wrote:
           | It seems that we live in an era where if you made bad
           | decisions in the past, you can never be trusted to make good
           | decisions ever again. Even if you own your bad decisions and
           | show lots of improvement.
           | 
           | Nope. Once a pariah, always a pariah.
        
             | netheril96 wrote:
             | Zoom is only a pariah on Hacker News.
        
               | fernandotakai wrote:
               | microsoft too. people here still talk about "Embrace,
               | extend, and extinguish" every time there's any good
               | microsoft news.
        
               | somebodyiknew wrote:
               | It's far easier falling back on tired memes and muscle
               | memory, than rewiring biases.
        
               | detaro wrote:
               | I have heard from multiple friends that their employers
               | banned Zoom after the negative press. And that's quite a
               | few non-tech companies too.
        
             | derefr wrote:
             | > It seems that we live in an era where
             | 
             | This phrasing is sophistry: there has never been an "era"
             | where this was not true. Humans suck; humans have never not
             | sucked.
        
             | MattGaiser wrote:
             | Organizations don't change without throwing out a massive
             | number of people. The people who made bad decisions at Zoom
             | are still there.
             | 
             | Leopards can't change their spots.
        
             | smacktoward wrote:
             | Tell that to Microsoft.
        
             | lmm wrote:
             | Zoom's decisions did not feel like mistakes so much as an
             | expression of their values. The company repeatedly
             | prioritised ease of use while doing the absolute minimum on
             | the security front. Are there any grounds to believe that
             | that calculus has changed?
        
               | ViViDboarder wrote:
               | The fact that they hired Alex Stamos and probably just
               | spent a bunch of money on buying Keybase seem like a sign
               | that things are changing.
               | 
               | They prioritized ease of use above all to get adoption
               | before. This is appalling to me, but I believe they are
               | seeing enough pressure to change course. It's believable
               | to me that they would intend to as they have already
               | captured much of the consumer (non-B2B) market mind share
               | and can afford to invest in this area.
               | 
               | Will I be using it now? Still a no. Maybe in time
               | though.
        
               | purple-dragon wrote:
               | > The fact that they hired Alex Stamos and ...
               | 
               | Call me cynical, but "hiring" a bunch of infosec
               | celebrities and critics as part-time consultants or
               | contractors should be considered nothing but a (brilliant
               | and silencing) PR move until the day that product updates
               | and analyses reveal otherwise.
        
               | djrogers wrote:
               | > until the day that product updates and analyses reveal
               | otherwise.
               | 
               | The product (and their poor installer practice) has been
               | updated several times in the past few months alone, and
               | each move has made Zoom a more secure product, with the
               | vast majority of the hubbub having been addressed. So are
               | you simply ignoring that, or are you setting your own
               | personal goalposts?
        
               | purple-dragon wrote:
               | I'm doing neither. I'm pointing out a logical fallacy in
               | the parent comment. Hiring people part-time and buying a
               | company does not, on its own, convey anything about
               | improvements to product quality, security, or the
               | corporate culture of either. I can only infer from your
               | comment that you might think I have some beef or issue
               | with Zoom. I said no such thing.
        
               | wutbrodo wrote:
               | Sure, but it's not "on its own", it's in the context of
               | the investment in security mentioned by the parent
               | comment.
        
               | purple-dragon wrote:
               | At this point, I'm confused, and I'm not sure what point
               | you or the other commenter are looking for me to concede.
               | Zoom is paying some security consultants, pushed out some
               | product updates, and bought Keybase, so it's a story book
               | ending?
        
               | brians wrote:
               | No, but now they see that the minimum is not where they
               | had thought. As someone who does security professionally,
               | of course a business wants to do the minimum necessary
               | for security. The point of security systems is to break
               | things that would otherwise work.
               | 
               | TLS is there to break sessions that would work under TCP.
               | GPG is there to tell you to discard some mail.
        
               | jariel wrote:
               | This is a good point.
               | 
               | But I do think that company values do change.
               | 
               | Zoom is getting the shining light of attention globally.
               | Even human beings, in these situations, start to act more
               | conscientiously, and then believe their own morality
               | after the fact!
               | 
               | I believe the keybase acquisition demonstrates this a bit
               | - because they will get zero public goodwill from this -
               | nobody on Main St. knows or cares what Keybase is, this
               | won't be on CNN so they are probably very much trying to
               | make things better.
               | 
               | Owners of the company want money - now they are popular,
               | they have to behave well to get that money. Wanting money
               | usually transcends everything else including loyalty to
               | state. A Chinese CEO with a popular Western product is
               | going to realize that if his customers are wary of CCP
               | grabbing their data, it's a problem to his business. He
               | doesn't want CCP snooping and one of the better ways to
               | do that is to have better encryption as well.
               | 
               | Doing slightly suspicious things doesn't matter if nobody
               | is watching and therefore nobody cares, now that people
               | care ... it matters. Just as a matter of pragmatism.
        
             | Aeolun wrote:
             | > It seems that we live in an era where if you made bad
             | decisions in the past, you can never be trusted to make
             | good decisions ever again. Even if you own your bad
             | decisions and show lots of improvement.
             | 
             | I've seen this turn out for the best literally one time,
             | and that was Microsoft.
             | 
             | All the other times the bad company just continues its
             | horrible slide into madness. It doesn't die either, just
             | silently keeps churning out billions of dollars of
             | shareholder value.
        
               | yarrel wrote:
               | Microsoft isn't turning out for the best, though.
               | 
               | They are just very good at putting a dusting of Open
               | Source sugar on things.
        
               | MattGaiser wrote:
               | You see Microsoft's mediocre reliability making its way
               | into GitHub. Has MSFT changed or are things breaking on
               | the web just more accepted than your desktop?
        
             | CivBase wrote:
             | I agree that there should be opportunity for individuals to
             | learn from mistakes and improve. People can be stubborn and
             | slow to change, but they should be given a chance. It seems
             | reasonable that the same courtesy should be extended to
             | organizations. However, organizations are an order of
             | magnitude slower to change than individuals.
             | 
             | Ultimately, an organization's policies are a reflection of
             | the policies of its leaders. The bigger the organization,
             | the more leaders have to change before the organization
             | itself can truly change. It's much more likely that those
             | who change just move on to another organization instead.
             | 
             | Besides, the end-to-end encryption incident wasn't a
             | "mistake". Zoom's response was to say that their definition
             | of end-to-end was just different from everyone else's. They
             | clearly knew exactly what they were doing.
             | 
             | Zoom _can_ change, but given their size and past I want
             | more than a corporate apology and pinky swear before I
             | trust them. They are making plenty of money and aren't
             | going anywhere. There's plenty of time for them to earn my
             | trust. However, they haven't yet earned enough of my trust
             | to make me comfortable with this acquisition.
        
             | sb057 wrote:
             | Organizations are not people. It is very straightforward
             | for an individual to change their ways from bad to good. We
             | should have mutual empathy and forgiveness towards each
             | other. Conversely, it is typically very difficult for
             | organizations to change course (keep in mind the
             | spokesperson has no real power and a strong incentive to
             | lie) and there is zero reason to feel bad if people abandon
             | them. The people who work there perhaps, but there should
             | be no mourning for an entity that exists only as a legal
             | construct.
        
               | robotnikman wrote:
               | It is possible for organizations to change course, but it
               | usually requires a crisis or disaster to occur which
               | pushes the drive for change.
               | 
               | The book "The Power of Habit" has some good examples of
               | large organizations changing course.
        
             | m3kw9 wrote:
             | Really? Why is everyone using FB, google?
        
               | ta17711771 wrote:
               | Why is everyone using sugar and heroin?
        
           | geerlingguy wrote:
           | I'll take what you're drinking ;-)
        
         | geerlingguy wrote:
         | Yeah for the few people in the world who actually used Keybase
         | and understood (at least partially) why it was a neat thing...
         | most of those people are also those who have been following the
         | Zoom debacle, and will likely consider abandoning the platform.
        
           | searchableguy wrote:
           | Might not be significant part of keybase and bots don't need
           | privacy. ;)
        
       | reneberlin wrote:
       | HOW MUCH?
        
       | upofadown wrote:
       | >We believe this will provide equivalent or better security than
       | existing consumer end-to-end encrypted messaging platforms...
       | 
       | So it will be harder for us to get at your stuff than it is
       | presently, but we will still be able to if we bother to do the
       | work.
       | 
       | >We are also investigating mechanisms that would allow enterprise
       | users to provide additional levels of authentication.
       | 
       | So they will offer completely secure communications if you are at
       | the paid level.
        
       | jtchang wrote:
       | The negativity here is astounding. This really comes down to a
       | company putting their money where their mouth is. Think about the
       | reasons you'd decide to acquire Keybase. It certainly isn't for
       | PR as most people have no idea what Keybase is.
       | 
       | What we are seeing is that Zoom is truly concerned about how
       | their security posture is hurting their business. Remember they
       | aren't the only game in town and there are plenty of competitors.
       | Buying Keybase is an investment in their culture and longterm
       | outlook.
        
         | yarrel wrote:
         | I am a Keybase user.
         | 
         | I am disappointed by Keybase's impending doom.
         | 
         | If that comes across as negative, it's because it is.
        
         | crazygringo wrote:
         | I couldn't agree more, and am disappointed that your comment is
         | (right now) apparently quite downvoted. Zoom deserves credit
         | for what they're doing. It's fine to reserve final judgment
         | until we see how it all plays out over the next couple of
         | years, but these are extremely good signs that Zoom is
         | implementing a massive turnaround in security.
        
         | throwawaygo wrote:
         | Best thing they could have done. They purchased expertise and a
         | brand that is untarnished and loved in security circles.
        
           | decebalus1 wrote:
           | > a brand that is untarnished and loved in security circles.
           | 
           | It was just tarnished and unloved. Got notified this morning
           | that I won't be able to access the public files of most of my
           | 'security circle' on Keybase because they deleted their
           | accounts.
        
         | decebalus1 wrote:
         | > The negativity here is astounding.
         | 
         | Should it not be? I love Keybase, I've been using it for a long
         | time and it's such an important part of my daily workflow that
         | I would be more than happy to be a paid subscriber. Now it's
         | most likely gonna shut down. I find it hard to find any
         | positivity in this.
        
       | kgraves wrote:
       | I'm seeing a certain pattern here, aren't we all just fooling
       | ourselves?
       | 
       | Isn't this just all inevitable? Aren't all these startups just
       | lining up all in the hopes just to get acquired?
       | 
       | I guess when we see VC Funded(tm) on any startup what it _really
       | means_ is that:
       | 
       | "We are prioritising a return for our investors even if it means
       | violating our mission statement".
        
         | kentonv wrote:
         | No, that's not how this works.
         | 
         | This outcome is almost certainly seen as a failure by the VCs.
         | It looks like an acquihire. If so, it's quite possible that the
         | VCs didn't even get their money back. Acquihires generally do
         | not return money to VCs -- obviously, given that the employees
         | are free to work anywhere, the acquirer's interest is in paying
         | as much as possible to the employees and as little as possible
         | to the now-worthless acquired company.
         | 
         | It's likely the employees are the ones benefiting most from
         | this outcome, in that their pay has probably gone up
         | considerably and they are no longer nervous about their job
         | security, after many years of high stress and low pay.
         | 
         | It's possible the VCs were even offering some more cash to keep
         | going, but at unfavorable terms, and the team said: "No, we'd
         | rather take the big paychecks from Zoom."
         | 
         | Given Keybase has only had one funding round (according to
         | crunchbase), the founders certainly still had a controlling
         | stake in the company and the VCs couldn't force them to sell or
         | not sell.
         | 
         | You can blame VCs for a lot of things but this kind of outcome
         | is just not one of them (except insofar as that it allowed a
         | company with little viable business strategy to exist in the
         | first place).
         | 
         | (I am the founder of a failed startup. We had multiple
         | "acquihire" offers, none of which offered any money back to
         | investors.)
        
           | mi100hael wrote:
           | Typical VC terms give them veto rights over future deals even
           | though they are minority stakeholders.
        
         | ddevault wrote:
         | The fact that the ultimate goal of most startups is to "exit"
         | says an awful lot. It's an obvious signal that they are not
         | prioritizing your needs in the long-term.
        
         | Frost1x wrote:
         | My two cents: that's part of the game in today's marketplace.
         | It's pretty difficult to 'disrupt' firmly cemented market
         | footholds and play with the big boys with seemingly endless
         | streams of capital (though it certainly is possible, tech is
         | more notorious for this than most industries, though highly
         | improbable).
         | 
         | You really want to lock down some strategic IP that stands in
         | the path of a behemoth and hope they'll want to acquire it under
         | their growth goals or attempts to stomp out potential
         | competitors (by throwing money at them and not through
         | litigation or other paths). The big boys win because they buy
         | out proven effective solutions/IP and models while failed
         | startups eat the market high-risk exploratory costs.
        
         | olah_1 wrote:
         | I think it is inevitable, yeah. But, this wouldn't have been a
         | problem if the product itself was decentralized.
         | 
         | For example, if it was optional to connect to the Keybase
         | network to begin with.
         | 
         | Imagine a keybase-type app that is built on web of trust rather
         | than centralized servers.
        
           | [deleted]
        
         | Galaxeblaffer wrote:
         | We need a new type of company that can never be acquired.
        
           | lidHanteyk wrote:
           | By definition, worker coops are never acquirable by private
           | controlling interests; they are always employee-owned.
        
           | ValentineC wrote:
           | Ghost (blogging software) chose to incorporate as a Company
           | Limited by Guarantee [1], which doesn't have shares and can't
           | be acquired that way:
           | https://ghost.org/changelog/moving-to-singapore/
           | 
           | [1] https://en.wikipedia.org/wiki/Private_company_limited_by_gua...
        
             | Galaxeblaffer wrote:
             | Sweet, I kind of knew it already existed, but this type of
             | structure is just so damn rare.
             | 
             | I guess most founders are really just motivated by the pot
             | of gold at the end of the rainbow :/
        
               | ValentineC wrote:
               | It only really works for bootstrapped non-profits, and
               | for projects that are entirely volunteer-driven. No VC
               | would be able to invest in something like this (unless
               | it's a grant like what YC does for non-profits [1]).
               | 
               | Even Mozilla Foundation [2] was spun off from Netscape,
               | and heavily supported by AOL in its early years.
               | 
               | [1] https://www.effectivealtruism.org/articles/why-nonprofits-sh...
               | 
               | [2]
               | https://en.wikipedia.org/wiki/Mozilla_Foundation#History
        
           | techntoke wrote:
           | DAO:
           | 
           | https://en.wikipedia.org/wiki/Decentralized_autonomous_organ...
        
             | f38zf5vdt wrote:
             | So if I'm reading this right... the participants of the DAO
             | can band together and sell their company to a company as
             | well? It looks like a DAO just requires some kind of
             | cryptocurrency to participate, and then the participants
             | get control over the operations of the DAO. So ownership is
             | transferable at any time by these parties.
        
             | floatboth wrote:
             | That definitely cannot be acquired. No sane business would
             | want to convert actual money into fun bucks and put those
             | into a buggy script that would lock everyone out if someone
             | pwns it.
        
               | elwell wrote:
               | > convert actual money into fun bucks
               | 
               | What is more 'fun'? USD in bank account, USD as cash,
               | DAO, or gold? I would think those are monotonically
               | decreasing in 'fun'-ness. "Actual" money is not a good
               | word for printable items of arbitrary scarcity. Not
               | arguing for or against GP, just saying.
        
           | [deleted]
        
         | eli wrote:
         | For most, sure. How else do you "exit"? It's not a great time
         | for an IPO. Nor for raising money.
         | 
         | So either you're self-sustaining and are in it for the long
         | haul, or you're looking to get acquired.
        
       | noodlesUK wrote:
       | This is so saddening. I use Keybase for a lot of my personal
       | chat, as I find the signal multi-device workflow to be a bit
       | crap. Keybase has been flawless. I love the kbfs and git
       | integration, and I've desperately wanted to pay for ages. In fact
       | the company I just started uses them for our git hosting and
       | shared files. I'm gonna have to move now.
       | 
       | Please please please can someone fork and RE the backend code?
        
       | juskrey wrote:
       | Looks like a bad PR stunt. One does not need to acquire another
       | firm to implement direct secure video channel.
        
       | JensRantil wrote:
       | Seriously, is this an April Fools' joke?
        
       | wadkar wrote:
       | Congratulations to the keybase team.
       | 
       | Most people here seem to be making a self-fulfilling prophecy of
       | keybase's death.
       | 
       | But I like to think that Zoom intends to reuse large parts of
       | keybase codebase:
       | 
       | > Logged-in users will generate public cryptographic identities
       | that are stored in a repository on Zoom's network and can be used
       | to establish trust relationships between meeting attendees. An
       | ephemeral per-meeting symmetric key will be generated by the
       | meeting host. This key will be distributed between clients,
       | enveloped with the asymmetric keypairs and rotated when there are
       | significant changes to the list of attendees. The cryptographic
       | secrets will be under the control of the host, and the host's
       | client software will decide what devices are allowed to receive
       | meeting keys, and thereby join the meeting. We are also
       | investigating mechanisms that would allow enterprise users to
       | provide additional levels of authentication.
       | 
       | Will the founders be interested in releasing parts if not all of
       | the server code to the public? I believe the founders' mission is
       | still achievable and can be carried out, should they be willing
       | to release the code in public.
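
Added example (not part of the thread, and not Zoom's or Keybase's code): a sketch of the key distribution quoted in the comment above, where the host generates a per-meeting symmetric key, envelopes it to each attendee's public key, and rotates it when the attendee list changes. The primitives (X25519, HKDF-SHA256, AES-256-GCM), every function and class name, and the rotate-on-every-change policy are assumptions made for illustration.

```javascript
// Illustrative sketch only. Primitive choices and all names are assumptions,
// not taken from Zoom's or Keybase's implementation.
const crypto = require('crypto');

// An attendee device with a long-term keypair. The public half is what would
// be published in the identity repository the quote describes.
function newDevice(name) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  return { name, publicKey, privateKey };
}

// Derive a one-time wrapping key from an ECDH secret, bound to the meeting
// and key generation so an envelope cannot be relabelled or replayed.
function wrappingKey(shared, meetingId, generation) {
  const info = Buffer.from(`meeting-key-wrap|${meetingId}|${generation}`);
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), info, 32));
}

// Host side: envelope the meeting key to one recipient public key using an
// ephemeral X25519 key, then AES-256-GCM under the derived wrapping key.
function wrapFor(recipientPublicKey, meetingKey, meetingId, generation) {
  const eph = crypto.generateKeyPairSync('x25519');
  const shared = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: recipientPublicKey });
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', wrappingKey(shared, meetingId, generation), iv);
  const ct = Buffer.concat([cipher.update(meetingKey), cipher.final()]);
  return {
    generation,
    ephPub: eph.publicKey.export({ type: 'spki', format: 'der' }),
    iv,
    ct,
    tag: cipher.getAuthTag(),
  };
}

// Attendee side: recover the meeting key. Throws if the envelope was built
// for a different device or if any field was modified.
function unwrap(device, envelope, meetingId) {
  const ephPub = crypto.createPublicKey({ key: envelope.ephPub, type: 'spki', format: 'der' });
  const shared = crypto.diffieHellman({ privateKey: device.privateKey, publicKey: ephPub });
  const key = wrappingKey(shared, meetingId, envelope.generation);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ct), decipher.final()]);
}

// The host controls the roster and therefore who receives each key generation.
class MeetingHost {
  constructor(meetingId) {
    this.meetingId = meetingId;
    this.roster = new Map(); // device name -> public key
    this.generation = 0;
    this.meetingKey = null;
  }
  // Fresh random key, enveloped separately to every device still on the roster.
  rotate() {
    this.generation += 1;
    this.meetingKey = crypto.randomBytes(32);
    const envelopes = new Map();
    for (const [name, pub] of this.roster) {
      envelopes.set(name, wrapFor(pub, this.meetingKey, this.meetingId, this.generation));
    }
    return envelopes;
  }
  admit(device) { this.roster.set(device.name, device.publicKey); return this.rotate(); }
  remove(name) { this.roster.delete(name); return this.rotate(); }
}

// Constructed scenario: three devices join, one is removed, the key rotates.
function demo() {
  const alice = newDevice('alice'), bob = newDevice('bob'), carol = newDevice('carol');
  const host = new MeetingHost('constructed-meeting-001');
  host.admit(alice);
  host.admit(bob);
  const gen3 = host.admit(carol);
  const keyGen3 = unwrap(carol, gen3.get('carol'), host.meetingId);
  const carolSawGen3 = keyGen3.equals(host.meetingKey);

  const gen4 = host.remove('carol');
  const bobKey = unwrap(bob, gen4.get('bob'), host.meetingId);

  // The removed device gets no envelope and cannot open someone else's.
  let carolReadGen4 = true;
  try { unwrap(carol, gen4.get('bob'), host.meetingId); } catch (e) { carolReadGen4 = false; }

  // Relabelling an envelope with another generation number fails authentication.
  let tamperRejected = false;
  try { unwrap(bob, { ...gen4.get('bob'), generation: 3 }, host.meetingId); } catch (e) { tamperRejected = true; }

  return {
    carolSawGen3,
    bobHasCurrentKey: bobKey.equals(host.meetingKey),
    keyChangedOnRemoval: !keyGen3.equals(host.meetingKey),
    carolHasEnvelope: gen4.has('carol'),
    carolReadGen4,
    tamperRejected,
  };
}
```

The sketch does not authenticate the host to attendees; in the quoted design that trust comes from the published identities, which a real client would also have to verify.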
        
       | arto wrote:
       | Seems a rather poor cultural fit, to say the least.
        
       | dwighttk wrote:
       | anybody want to buy some Lumens?
        
       | ianopolous wrote:
       | If anyone's looking for a fully open source, decentralized
       | encrypted filesystem similar to keybase fs, then check out
       | Peergos[1][2]. It's built on top of IPFS.
       | 
       | [1] https://book.peergos.org
       | 
       | [2] https://github.com/peergos/peergos
       | 
       | [disclaimer: Peergos founder]
        
       | zegl wrote:
       | First, a huge congratulations to the founders of Keybase! Running
       | a self-founded messaging company can't be an easy feat.
       | 
       | For me personally, this is of course worrying news. I suspect
       | that Keybase will die a rather quick death, as most of its users
       | are security-minded people who wouldn't ever trust Zoom.
        
       | roblabla wrote:
       | Keybase's post about the acquisition:
       | https://keybase.io/blog/keybase-joins-zoom
       | 
       | > What the Keybase team will be doing
       | 
       | > Initially, our single top priority is helping to make Zoom even
       | more secure. There are no specific plans for the Keybase app yet.
       | Ultimately Keybase's future is in Zoom's hands, and we'll see
       | where that takes us. Of course, if anything changes about
       | Keybase's availability, our users will get plenty of notice.
       | 
       | > So, our shortest-term directive is to significantly improve our
       | security effectiveness, by working on a product that's that much
       | bigger than Keybase. We can't be more specific than that, because
       | we're just diving in.
       | 
       | So, yup, keybase is dead.
        
         | pornel wrote:
         | Keybase was dead as soon as they took VC money.
         | 
         | Their original purpose -- tying identities to keys -- could
         | have been a nice small non-profit. But there aren't fortunes to
         | be made from managing GPG keys, so they had to pivot into shark
         | jumping.
        
           | zelly wrote:
           | https://pgp.mit.edu/
        
             | ccktlmazeltov wrote:
             | this doesn't even have authenticated encryption
        
             | m4lvin wrote:
             | Please, please, use https://keys.openpgp.org/ instead!
             | 
             | See https://keys.openpgp.org/about for why.
        
             | fossuser wrote:
             | Linking to this is evidence that you don't understand the
             | entire value of Keybase.
             | 
             | PGP sucks.
        
             | chizhik-pyzhik wrote:
             | keyservers don't work as a root of trust. look at all the
             | 'satoshi nakamoto' keys supposedly from 2004
             | 
             | https://pgp.mit.edu/pks/lookup?search=Satoshi+Nakamoto&op=in...
        
             | dijit wrote:
             | That doesn't tie identity to keys.
             | 
             | Not to mention it's notoriously slow and has been shown to
             | be an insecure method of distributing keys (due to the fact
             | that anybody can upload any key).
        
               | zelly wrote:
               | Anyone can upload a key to keybase dot com too. You
               | should never trust a key belongs to someone unless you
               | have verified the fingerprint by other means e.g.
               | speaking to them. This is basic security we have known
               | since the 80s. Keybase dot com is a step backwards if
               | anything because of the false sense of security it
               | creates, as if they don't have a giant attack surface.
        
               | dewey wrote:
               | You don't understand what Keybase does.
               | 
               | The whole point is that you don't just use it to upload a
               | key. You link various verified identities of yours across
               | the web to your Keybase account so people know the PGP
               | key there is the one of the verified person. It's a way
               | to tie all your verified identities together.
               | 
               | If someone would manage to compromise a bunch of
               | identities of someone on the internet, and then create a
               | Keybase account with them and then upload a compromised
               | PGP key that would be a problem if you don't verify the
               | key. But that's a bit of a stretch.
        
               | efreak wrote:
               | In reality: I used keybase for a while. When I allowed a
               | domain to expire and the DNS record disappeared, keybase
               | threw up a warning both in the CLI and on their website that my
               | identity verification couldn't be completed. The only
               | problems I ever had with keybase were related to the cloud
               | storage they offer.
               | 
               | My real wish is that keybase supported ssh keys and would
               | provide them as an agent.
        
           | hosh wrote:
           | We have letsencrypt and permanent.org as non-profits. An idea
           | of an identity and key non-profit sounds like another critical
           | piece we would need for a free, open web
        
             | hinkley wrote:
             | Is this functionality something that would make sense for
             | LetsEncrypt to implement?
        
               | throwaway888abc wrote:
               | They have already massive infra in place. And are non-
               | profit. Sort of 'natural' expansion. I would love to see
               | it.
        
               | gus_massa wrote:
               | The problem with natural expansion is that it degenerates
               | into feature creep. Is it natural to add a cryptocoin
               | wallet later like Keybase did?
        
               | hinkley wrote:
               | The advantage of following is that you get to cherry-pick
               | what features actually got traction and skip over a lot
               | of rat holes.
        
             | chacha2 wrote:
             | Seems a bit early to call 'permanent.org' a critical piece,
             | even if it succeeds all it's doing is cloud storage.
        
               | hosh wrote:
               | That's fair. We'll see how well they execute their
               | vision.
               | 
               | However, after playing with it, checking out their board
               | of directors, and deconstructing their app design, their
               | vision is not really "cloud storage", at least, not the
               | way we typically think of it.
               | 
               | Their long-term mission is preserving a digital legacy,
               | oriented around relationships, families, and
               | organizations. You don't use permanent.org to store
               | things in the cloud that people normally think as "cloud
               | storage", not for the day-to-day stuff. The kind of
               | things you want to store in there are the things you want
               | the world and your descendants to have access to after
               | you die. They won't have to (directly) pay upkeep to keep
               | that legacy preserved. I think that is convincing enough
               | for me to see it as a critical piece of free and open
               | web, even if this doesn't seem obviously connected to the
               | idea of preserving a legacy.
               | 
               | For example, an indie musician wouldn't have to rely on
               | SoundCloud to keep their recorded music around.
               | SoundCloud is not in the business of preserving the
               | creative work; they are in the business of aggregating
               | users and they use user content to do it. Placing those
               | music files in permanent.org has a much better shot of
               | preserving that creative legacy for future generations
               | than leaving it on SoundCloud.
        
         | dcow wrote:
         | I don't necessarily read it that way. Keybase is 100%
         | functional and has worked well for a long time. Zoom needs
         | people who know how to make modern client software and chat if
         | they want to compete with the Slacks and Teams, etc. You can't
         | even screen share on wayland... it's that bad. If keybase
         | ultimately gets secure video, and zoom a security architecture
         | overhaul, how is that a bad thing?
        
           | johnchristopher wrote:
           | Is wayland support even a femto blip on Zoom's radar?
        
             | WhyNotHugo wrote:
             | They do keep saying "multiplatform", but I guess that's
             | Windows/macOS/iOS/Android, not Linux.
             | 
             | They're not the only ones though, this is what most
             | companies call "on any device".
        
               | Saaster wrote:
               | Zoom works great on Linux, it's a proper native app and
               | the quality is excellent. Screensharing is notoriously
               | tricky on Wayland and has been a shifting target that is
               | just now starting to settle, I'm sure it'll eventually
               | work.
        
               | chupasaurus wrote:
               | > Zoom works great on Linux
               | 
               | And depends on iBus which breaks keyboard input for me.
        
               | thanatropism wrote:
               | Zoom works without a hitch on Ubuntu here. Even plays
               | nicely with the tiling WM with multiple workspaces
               | (somehow, a thumbnail window follows you through as you
               | flip through workspaces).
        
               | johnchristopher wrote:
               | Well, my personal experience running the zoom client on
               | Ubuntu was very satisfying. It worked out of the box,
               | just a deb to install. I am on kubuntu 18.04LTS X11
               | though, not wayland (which I am glad because on 16.04 I
               | was often victim of that stupid copy/pasting bug freezing
               | firefox or the whole gnome env.)
        
               | degurechaff wrote:
               | the problem is wayland. not linux with X11.
        
           | coldpie wrote:
           | Well, it's pretty clearly an acquihire. Zoom gets a team of
           | highly skilled cryptographers and Internet protocol experts.
           | Good for them. But that means the team that created Keybase
           | as an innovative PKI store won't be working on that anymore.
           | That's not Zoom's business, and probably won't be, as Keybase
           | themselves never figured out how to turn it into a business.
        
             | usrusr wrote:
             | The biggest challenge with acquihiring is retention.
             | Allowing the acquired team to continue what they were doing
             | is the only somewhat foolproof strategy to deal with it.
             | It's a question of pocket depth and expectations. How much
             | will the new team contribute to the "home" product? If
             | expectations are too high chances are that much of the team
             | won't stay and the acquisition will turn out to be a waste
             | of money. With lower expectations however, continuing to
             | fund the project in question can be a bargain for getting a
             | pool of in-house consultants to occasionally tap into for
             | the "home" product, if they are really as good.
             | 
             | And even if retention wasn't a problem at all, skilled
             | people are not inherently skilled, they need to keep
             | challenging themselves in their area of expertise to stay
             | sharp. If the "home" product was failing to foster in-house
             | expertise before then chances are high that it's a problem
             | based on culture and priorities and experts injected from
             | outside would quickly lose their edge. Keep them on the
             | project they became experts on and they stay experts.
        
               | labster wrote:
               | Retention isn't going to be a problem in this market.
               | Hiring in general has almost disappeared. And if you get
               | hospitalized with coronavirus without health insurance,
               | it will almost certainly lead to bankruptcy. It's too
               | risky not to have a job right now.
        
               | jki275 wrote:
               | I don't think hiring has disappeared - I got contacted by
               | four recruiters just yesterday alone asking me to apply
               | to vacancies they're trying to hire for.
               | 
               | I wouldn't quit my job (and I'm not looking anyway), but
               | there's plenty of hiring going on.
        
             | hinkley wrote:
             | My experiences with acquihires have not been good.
             | 
             | People went to work for this company based on the domain,
             | the people, or the culture. With the acquihire they change
             | the domain first, and the culture about a year in. Then the
             | people start to leave, and it's just a job, and one you
             | didn't even apply for.
             | 
             | On my worst days it felt like I was sold like cattle, and I
             | would have seen more upside by hiring on someplace else.
        
             | buttersbrian wrote:
             | It doesn't seem certain that they won't dogfood in addition
             | to using the expertise internally.
        
             | asdkhadsj wrote:
             | It bothers me that they even tried, honestly.
             | 
             | Keybase seems like something that should be small,
             | isolated, FOSS, supported by a foundation, etc. They could
             | have built a business _around_ Keybase I'd imagine, but all
             | they managed to do with this is invalidate Keybase and make
             | people like myself, who feared their business motivations,
             | feel vindicated for being paranoid.
             | 
             | I'll never blame anyone for wanting to make money, to make
             | a business, etc. But if you make a product that walks, talks,
             | and acts like a FOSS project, but keep it to center your
             | business around... I'll always be longing for a real, true
             | FOSS replacement.
             | 
             | In this case a good looking FOSS alternative came out a few
             | months ago iirc. Though for the life of me I can't remember
             | the name.
             | 
             |  _edit_ : https://keys.pub/ - though I will still miss KBFS
        
               | StavrosK wrote:
               | keys.pub doesn't have the single most useful feature
               | Keybase has: The ability to verifiably establish a secure
               | channel with anyone given their Twitter/Github/whatever
               | username.
        
               | floatingatoll wrote:
               | Their homepage advertises 'keys pull username@github' as
               | an example. Is the missing piece you describe here simply
               | the command 'keys chat username@github'?
        
               | StavrosK wrote:
               | No, it's the cryptographic attestation so you know you
               | are getting the right key.
        
               | Squithrilve wrote:
               | They don't support it? That's weird (maybe a missing
               | feature) given that it's quite easy to add to anything
               | that has signed metadata, see e.g. this for OpenPGP:
               | https://github.com/wiktor-k/openpgp-proofs#openpgp-proofs
        
               | StavrosK wrote:
               | I'm not very familiar with the service, but AFAIK they
               | don't. It would be great if they added it.
               | 
               | EDIT: It looks like it might, from the front page, I will
               | try it out to make sure. If it does, that'll be great!
               | 
               | EDIT 2: It sort of does, but it's on a per-key basis, not
               | an entire identity. You can publish proof on
               | Twitter/Github/whatever, but it's only for one specific
               | key, and it's one key per service, which means you can't
               | only have one identity and multiple services.
        
               | dcow wrote:
               | How was their product ever marketed that way? They have
               | open source clients because that's security table stakes.
               | They're a solution to crypto anarchy because they help
               | link your crypto identities to your social ones. None of
               | that has changed. You talk like all valid software is
               | free of corporate ownership/sponsorship. Why is zoom's
               | money somehow worse than e.g. softbank's?
        
               | asdkhadsj wrote:
               | Oh I didn't mean to imply it was, maybe my "walks talks"
               | bit was unfair. Rather I merely meant that Keybase, like
               | Keys.pub, seems like a great isolated tool for the
               | internet. Something exceptionally well suited for a
               | foundation.
        
               | coldpie wrote:
               | As someone who works at an open-source-focused business,
               | I respectfully disagree. Unlike proprietary software,
               | open source software doesn't depend on the broken window
               | fallacy. As a result, it's really hard to make open
               | source profitable. There's lots of different avenues to
               | get there, and I don't like to fault someone for their
               | efforts if the bulk of their work goes towards improving
               | open source software, as I think Keybase did.
        
               | zomglings wrote:
               | I didn't follow your reasoning about proprietary software
               | depending on the broken window fallacy.
               | 
               | I don't see how Google's proprietary search engine or
               | Facebook's proprietary interface to our social network
               | rely on the broken window fallacy.
               | 
               | Would you mind elaborating?
        
               | coldpie wrote:
               | Sure! The idea is that each proprietary project is
               | wasting effort implementing their own clones of everyone
               | else's software. To use your example, Google, Microsoft,
               | Yahoo, Yandex etc etc are all developing their own search
               | engines. Instead they could all be contributing to one
               | search engine to push the state of search engine software
               | forward, instead of all spinning their wheels re-doing
               | what everyone else is doing. How many devs are employed
               | doing what someone else in some other company has already
               | done? That's the broken window: someone else has already
               | done the work, but it must be wastefully re-done because
               | of the license. There's a lot of room for profit in all
               | that extra waste.
        
               | snowwrestler wrote:
               | Aside from whether this matches the typical meaning of
               | "broken window fallacy," I think the substance of what
               | you're saying doesn't match reality.
               | 
               | Open source is famous for fostering a bunch of different
               | approaches to the same problem, and slightly different
               | forks of the same concept. That's the "bazaar" in the
               | famous metaphor, as opposed to the "cathedral" of
               | monolithic, hierarchical, linear proprietary development
               | within a closed-source company.
               | 
               | "Everyone working on the same thing" only works well when
               | there is broad agreement on what that thing should be,
               | and strong governance to resolve disputes. National
               | highway systems, militaries, and power grids are good
               | examples.
               | 
               | I don't think search engines are a good example of where
               | this would work; it's not clear in advance what will make
               | a given search engine better. Thus we benefit from a
               | variety of competing approaches, essentially to expand
               | the space in which we're searching for the optimum.
        
               | rstupek wrote:
               | That's not what the broken window fallacy is though. It
               | references the idea that breaking a window generates
               | economic activity which is good for everyone.
        
               | vlowther wrote:
               | Open source software is (I would argue) even more driven
               | to fragmentation by political, ideological, and
               | personality conflict driven squabbles than proprietary
               | software, as there is no profit motive to also satisfy.
               | 
               | Also, the broken window thing asserts that small amounts
               | of criminal activity lead to larger amounts of criminal
               | activity via signaling that being bad or neglectful is
               | OK, which is both not proven and irrelevant to software
               | writers being prone to reinvent the wheel for whatever
               | reasons they have.
        
               | wutbrodo wrote:
               | You're describing the broken windows theory. The broken
               | window fallacy is the claim that destruction or waste is
               | good for the economy because the cleanup generates
               | economic activity (with the attendant multipliers). It's
               | a fallacy because it leaves out that the original spender
               | (by the owner of the broken window), on average,
               | displaced other economic activity.
        
               | zomglings wrote:
               | Thanks for the elaboration.
               | 
               | I think you would be right about the greater good being
               | served by everyone being aligned on the same search
               | engine ONLY IF we understood search engines so well that
               | we knew there to be only one mathematically optimal way
               | to build search engines.
               | 
               | Since we don't understand search engines that well, there
               | is a LOT of value in the exploration over the space of
               | search engines that these different companies represent.
               | 
               | The broken window fallacy argument is that those speaking
               | of the benefits of the broken window are mistaking
               | maintenance cost for generated value. That doesn't seem
               | to be the case here. This is society implicitly investing
               | in exploration over exploitation.
        
               | nske wrote:
               | Well, in reality there wouldn't be one optimal product,
               | there would be many, for the reason that you said - and
               | for human reasons.
               | 
               | However they would still be able to borrow good bits from
               | each other and gain insight on how things could be done
               | differently to what result, so arguably the end result
               | would be a win. From a technical standpoint (I think
               | where it gets messy is when we try to factor in the
               | business implications).
        
               | stereolambda wrote:
               | While I'm no fan of these companies, I'm not convinced by
               | that particular argument for FOSS either. Imagine the
               | world where we would be always iterating on one
               | lineage/model of refrigerator, each automobile type etc.
               | instead of many companies rebuilding basic stuff. I don't
               | believe we would be better off. Not all progress can be
               | driven by consensus and iteration, some needs to be done
               | by competition, divergence and outright discontinuing old
               | approaches.
        
               | fao_ wrote:
               | I mean, there's a fatal flaw in the broken window fallacy
               | anyway:
               | 
               | > It is not seen that as our shopkeeper has spent six
               | francs upon one thing, he cannot spend them upon another.
               | It is not seen that if he had not had a window to
               | replace, he would, perhaps, have replaced his old shoes,
               | or added another book to his library. In short, he would
               | have employed his six francs in some way, which this
               | accident has prevented.[1]
               | 
               | Capitalism is about _acquiring capital_, i.e. money.
               | There's no such evidence that people _with_ money
               | actually spend it in ways other than investment, and the
               | sole purpose of that isn't to donate to companies that
               | need it, it's to profit off it and essentially hoard
               | _more_ capital. Sure, _poor_ people with either very
               | little or no capital spend that capital on necessities,
               | and thus drive the economy, but there's no evidence that
               | people _with large amounts of capital_ spend that on
               | anything at all, there's more evidence that they hoard
               | it and seek only to acquire more capital. The entire
               | system is built to favour those people.
        
               | djrogers wrote:
               | We're getting way off topic here, but you have a horribly
               | misguided premise here. A typical shopkeeper is not in
               | the .1% 'cash hoarding' class. Small businesses are
               | mostly run by people with average resources, and their
               | capital is typically spent on their business and personal
               | needs.
        
               | uHuge wrote:
               | That feels like strict opposite of the fallacy claim, which
               | would hold in case of perfectly stable and supplied
               | currency is employed. Still would be rational to invest
               | research, diversify against theft etc.
        
               | carapace wrote:
               | I think you're reading too much into it.
               | 
               | If you have to pay to replace a window that should have
               | lasted, say, ten more years, that's money you now cannot
               | spend on improving your factory somehow.
               | 
               | It is still economic activity (and the glazier doesn't
               | mind the work) but it's remedial rather than generative.
               | (The glazier that repairs the window _could have_ been
               | installing a new one in a new factory, eh?)
        
               | asdkhadsj wrote:
               | Possibly, but in this case I didn't expect them to make
               | Keybase profitable, if anything I expect the opposite. I
               | expect Keybase to be a FOSS foundation for profitable
               | extensions that the company builds and sells.
               | 
               | Arguably I think they agree with me, about the extensions
               | at least. As seen by their seemingly random directions of
               | feature extensions that Keybase was prone to. My issue is
               | not that they chose random features to try to make
               | profitable, but rather that the core premise, a public
               | keystore, was tied so closely to a for profit company.
               | 
               | It would be like losing Git because Github went under.
               | _(Though, terrible example because Git works without a
               | centralized repo, but it's just the first company <->
               | FOSS relationship that came to mind lol.)_
        
               | 411111111111111 wrote:
               | It's actually a pretty good example to be honest.
               | 
               | Keybase was a centralized key storage with value-add
               | services such as file storage and chat.
               | 
               | That was absolutely comparable to github, as you could've
               | just gone back to manually syncing pubkeys and encrypting
               | msgs. If github went away, you'd be without a lot of
               | value-add services as well such as wiki, issues, user
               | management etc.
               | 
               | Realistically speaking, nobody is going to do that... And
               | tbh, it was already dead in the water when they added
               | crypto currencies... Just took a while for their money to
               | run out.
               | 
               | The actual difference is that there are enough competing
               | products for github, not for keybase however, as that is
               | just too niche
        
               | semi-extrinsic wrote:
               | Maybe "losing Ubuntu if Canonical went under" is a better
               | analogy then?
        
           | plebian wrote:
           | Zoom is actually one of the few applications that can screen
           | share on Wayland
           | 
           | I believe it's only enabled for a few distros though
        
             | dcow wrote:
             | If you know how to make that work I'm all ears. I run
             | Debian testing, wayland, gnome. I tried to screen share
             | yesterday and got a popup about how it's not supported.
             | Maybe my zoom client is out-of-date?
        
             | ISL wrote:
             | What does "enabled for a few distros" mean?
        
             | RMPR wrote:
             | Does it work with the browser version?
        
             | nvarsj wrote:
             | Zoom uses a proprietary gnome API / hack to do it I
             | believe. It works on Gnome only. Note that with pipewire,
             | wayland screensharing already works on Chrome/Firefox (for
             | all of the video chat apps), and it will come to electron
             | eventually. I imagine in a year or two screensharing on
             | wayland will become seamless for most things.
        
           | f38zf5vdt wrote:
           | If Keybase acquired Zoom (haha), then, sure. This is a PR
           | move for a public company. They'll probably gut Keybase, move
           | their Chinese server generated AES128 keys to AES256 keys
           | generated by you and uploaded to their Chinese server, then
           | call it a day.
           | 
           | I can't think of a single instance where acquisition of a
           | smaller company like this resulted in an improved version of
           | the original product. How many of us are running RHL? Skype
           | is now close to Microsoft spyware that's impossible to remove
           | from a Windows installation. Facebook purchasing Whatsapp,
           | another service that formerly stressed encryption, resulted
           | in things like plaintext backups of your texts on Facebook
           | servers being aggressively promoted as soon as you loaded the
           | app.
           | 
           | It's pretty much always cheaper to gut the original product,
           | ignore the problems with your software, and enjoy the
           | enhanced price of your shares while effectively spending no
           | more money than you had for the original acquisition. As far
           | as I can tell, Keybase has never had a business model or
           | constant source of revenue.
        
             | fwn wrote:
             | > Facebook purchasing Whatsapp, another service that
             | formerly stressed encryption, resulted in things like
             | plaintext backups of your texts on Facebook servers being
             | aggressively promoted as soon as you loaded the app.
             | 
             | Is that the case? AFAIK WhatsApp gained proper end to end
             | encryption after being bought by Facebook and pushes for
             | backups to Google (and maybe iCloud?) servers.
             | 
             | Wikipedia writes:
             | 
             | > WhatsApp was initially criticized for its lack of
             | encryption, sending information as plaintext. Encryption
             | was first added in May 2012. In 2016, WhatsApp was widely
             | praised for the addition of end-to-end encryption
             | 
             | https://en.wikipedia.org/wiki/WhatsApp
        
               | f38zf5vdt wrote:
               | Whatsapp announced encryption to the world in 2012. OWS
               | helped secure their app further after the 2014
               | acquisition by FB, but encryption was something stressed
               | by Koum and Acton from the get-go. Integration of E2EE
               | into Whatsapp/FB Messaging is one of the few examples of
               | Zuck being on the right side of things.
               | 
               | Long term it ended up pretty good, with Koum and Acton
               | taking their acquisition money bags and pouring them into
               | FOSS projects like FreeBSD and the Signal Foundation.
               | Maybe malgorithms will do the same.
               | 
               | https://en.wikipedia.org/wiki/Timeline_of_WhatsApp
               | 
               | > pushes for backups to Google (and maybe iCloud?)
               | servers.
               | 
               | Yeah, I was incorrect. They back up to Google servers. Not
               | sure if that's better or worse. :)
               | 
               | Since then, FB has offered willingness to cooperate with
               | foreign governments to break encryption. I guess we will
               | see what happens with the EARN IT Act.
               | 
               | https://www.bloomberg.com/news/articles/2019-09-28/facebo
               | ok-...
               | 
               | RHL might be a bad example too, since Fedora is still
               | pretty prominent, even if not often used compared to
               | debian or debian-based distros these days.
        
             | fredfjohnsen wrote:
             | I can. https://www.jamf.com/products/jamf-connect/
             | https://www.jamf.com/products/jamf-protect/
        
             | colinstrickland wrote:
             | Apple acquired NeXT and completely reinvented their
             | organisation based on that.
        
             | gk1 wrote:
             | Anything positive can be called a PR move if you're cynical
             | enough.
        
           | core-questions wrote:
           | Who gives a fuck about Wayland, honestly? It seems like it
           | was designed by people who didn't like the few good things
           | about X and wanted something to further fracture the Linux
           | desktop. Well, they got it.
           | 
           | > Zoom needs people who know how to make modern client
           | software
           | 
           | It's the best video client available on Windows / Mac and
           | works acceptably on Linux, what exactly needs to be more
           | "modern" about it? Slack's video call thing is way less
           | featureful, and Teams is still the abortion that is Lync /
           | Skype for Business under the hood which is and always will be
           | shit-tier.
           | 
           | > chat
           | 
           | I don't want my video app to be my chat app. There's any
           | number of reasons why separation there is a good thing. I can
           | start a Zoom call from Slack in 1 second, what more do I
           | really need on that front?
        
             | andrewaylett wrote:
             | > people who didn't like the few good things about X
             | 
             | Since these were also pretty much the only people who were
             | putting effort into maintaining X, I think it's reasonable
             | that they decided to replace it instead.
             | 
             | The history of X is a history of forks. But we've not seen
             | another X fork appear to compete against Wayland. Instead
             | we see the people who are writing Wayland continuing to
             | retrofit the new technologies they're able to bring back,
             | back to X.
        
             | skykooler wrote:
             | Wayland was designed by people who didn't like the features
             | of X that almost nobody used (X forwarding, for example).
             | And X is still around for those obscure use cases, while
             | Wayland can serve almost everyone with a much simpler and
             | cleaner system.
             | 
             | Now, why Canonical decided to go off and write Mir instead
             | of collaborating on Wayland development, I have no idea.
        
           | pavel_lishin wrote:
           | > If keybase ultimately gets secure video, and zoom a
           | security architecture overhaul, how is that a bad thing?
           | 
           | If.
        
         | StreamBright wrote:
         | Why would it be?
        
         | cactus2093 wrote:
         | I remember thinking they were neat a few years ago, I made an
         | account and tried out exchanging some keys. It's slick but I
         | don't see how it was ever going to be a mainstream product for
         | non-technical users who mostly don't even understand what
         | encryption is. Haven't heard anything about them since, I kinda
         | already assumed they were dead.
        
           | dgellow wrote:
           | It doesn't have to be mainstream. A niche product can be
           | viable.
           | 
           | Unless you begin to accept investors' money who want an
           | exponential growth at all cost. But if that's what you want
           | as an investor, no idea why you would invest in Keybase.
        
             | zcid wrote:
             | You can also have investors that buy into a company because
             | it is counterproductive to their goals. Not all investments
             | are meant to produce financial profit.
        
         | fwip wrote:
         | Sounds like good timing that https://keys.pub has become usable
         | recently. :)
        
         | bloopernova wrote:
         | > So, yup, keybase is dead.
         | 
         | Well, shit.
         | 
         | Keybase had an _amazing_ potential. I use it every day to
         | ad-hoc securely share/store stuff. It will be sad to see it
         | wither even more than it has. :(
        
           | herval wrote:
           | While it's a cool tool, what exactly was the (commercial)
           | potential Keybase had? I could never tell.
        
             | bloopernova wrote:
             | Ability to assign roles(groups) to heterogeneous users.
             | 
             | So imagine being able to add user@domainA.com,
             | user@domainB.com, and name@nonprofitname.org to
             | cool-dev-group and them instantly being able to access the
             | relevant chat rooms, git repos, shared folders, etc. If
             | password/secret management had been added, then access to
             | that too could have been allowed. If SSO/Oauth had been
             | added, then any service could be covered by this sort of
             | role-based-access-control-for-anyone.
             | 
             | So no user has been created, they're using their existing
             | identity to access new resources. With some extra coding,
             | triggers and events could have been added to do things like
             | auto-sign public keys.
        
             | gallamine wrote:
             | Secure filesharing and chat, for starters. Secure digital
             | wallets tied to identity. It was a wallet platform I'd
             | actually be interested in.
        
               | chupasaurus wrote:
               | Encrypted git repos with ties to team chat...
        
           | neltnerb wrote:
           | Lucky for us it is open source? I was hoping to use it to
           | replace Dropbox but they kept not taking my money... small
           | wonder they went for the acquisition.
        
             | ackbar03 wrote:
             | What was the main difference with this a drop box though?
             | It's encrypted?
        
               | [deleted]
        
               | chupasaurus wrote:
               | The data is stored after encryption by client which are
               | open source (and by using boring(c) crypto schemes).
        
             | thayne wrote:
             | > it is open source
             | 
             | Not exactly. The clients are open source, but the central
             | server isn't. See
             | https://github.com/keybase/client/issues/6374. It might be
             | possible to reverse engineer the server, but it would be a
             | lot more involved than just forking the project.
        
               | thayne wrote:
               | The best scenario would be if this led to keybase open-
               | sourcing the server as well. I have no idea how likely
               | that is.
        
               | neltnerb wrote:
               | That's unfortunate. I assume Zoom would have no interest
               | in open sourcing the server software now that they've
               | paid for the cryptographic expertise and code, but I
               | think the previous owners might have been willing to...
               | surprised they never did, maybe they decided they'd never
               | get bought if they did.
               | 
               | A shame, it seemed to work really well. Maybe Zoom will
               | be willing to take my money to be a DropBox end-to-end
               | encrypted cloud sync service instead, they seem to be
               | fairly on the ball with responding to complaints and that
               | they decided it was worth buying Keybase to improve their
               | service maybe they'll come out alright.
               | 
               | Wishful thinking maybe =)
        
             | dgellow wrote:
             | Is the server open source? I know that the client is, but I
             | haven't found sources for the backend.
        
               | an_ko wrote:
               | It's not: https://github.com/keybase/client/issues/6374
        
         | xiphias2 wrote:
         | "helping to make Zoom even more secure."
         | 
         | Wow, this means that keybase staff thinks that Zoom is secure
         | already. Zoom should have hired people who don't think that
         | way.
        
           | dasil003 wrote:
           | Keybase product and engineering do not think this way.
           | Corporate PR thinks this way. Don't get it twisted.
        
           | lgessler wrote:
           | Come on, the engineers at Keybase are serious crypto nuts.
           | Give them some more credit
        
         | INTPenis wrote:
         | How can they be so oblivious though? Their own blog post
         | doesn't even mention the tarnished reputation Zoom has acquired
         | lately.
         | 
         | A lot of people will stop developing integrations for Keybase
         | because of this. It's sad.
        
           | mc32 wrote:
           | They're not oblivious but two things; you don't bite the hand
           | that feeds and it's easier to get someone to see your side of
           | things when you agree with them. Confrontation will not help
           | to fix Zoom's culture of insecurity.
        
           | tensor wrote:
           | That's probably why Zoom is buying them, to double down on
           | security and repair their reputation. They genuinely seem to
           | be putting all their focus on improving security. Seems like
           | a smart buy to me.
        
           | [deleted]
        
           | coldtea wrote:
           | > _How can they be so oblivious though? Their own blog post
           | doesn't even mention the tarnished reputation Zoom has
           | acquired lately_
           | 
           | I'd say, don't overestimate the tarnished reputation (= some
           | news stories for a while, most didn't read or care about --
           | including corporate users).
           | 
           | And of course they wouldn't get into it in a press
           | release/blog post for an unrelated to the issue acquisition!
           | Doesn't make sense to sabotage themselves this way...
        
           | bjoli wrote:
           | Sure, the reputation might be tarnished, but to me it seems
           | like they have hired recently to ensure people that they are
           | taking measures to change that.
           | 
           | This seems like an extension of that. If anyone has thought a
           | lot about multi-party encrypted communication it is the
           | keybase folks.
        
           | mtmail wrote:
           | Zoom is publicly traded. Assume their blog post had to be
           | approved by Zoom's press department.
        
           | momokoko wrote:
           | They aren't. They are making a lot of money which is what the
           | business was made for.
           | 
           | The post is actually refreshingly honest that keybase is now
           | abandoned and will probably die at some point.
           | 
           | The idea that companies were stupid enough to place their
           | internal identity on some random 3rd party is so incredibly
           | stupid that it's hard to feel too bad for anyone.
           | 
           | Congrats Keybase!
        
             | formercoder wrote:
             | Thank you. Keybase had investors and I'm sure the premium
             | Zoom offered was unbeatable. Zoom can effectively pay
             | infinity with equity. Those investors knew that this was
             | the best way they'd ever have to realize gains. That's why
             | they invested in the first place.
        
               | gwd wrote:
               | Well, when FB bought WhatsApp, its founders stayed on for
               | a bit to vest his shares then founded Signal with his
               | "screw you" money. Maybe some of Keybase's founders can
               | do the same thing.
        
               | tass wrote:
               | Founded 'Signal Foundation' with Signal's creator. Signal
               | was around before FB bought WhatsApp.
        
             | bigbob2 wrote:
             | Unless I imagined it, they previously said publicly that
             | they were unlikely to pursue a sell like this because they
             | had succeeded at previous companies and cared more about
             | the impact this product could make than the profit they
             | could make from selling it. I based my decision to agree to
             | the terms of Keybase around this statement which I can
             | conveniently no longer find. I suspect it was in one of
             | their airdrop announcements, and conveniently those links
             | don't work in the Wayback Machine.
        
               | windthrown wrote:
               | You are referring to this Github Issue:
               | https://github.com/keybase/keybase-issues/issues/788
               | 
               | "Yes, we sold our previous 2 businesses. But I want to
               | point out that (1) neither of those sales ever hurt (and
               | arguably both sales greatly helped) our users, (2)
               | Keybase deserves special consideration which we are aware
               | of, and (3) both Max and I are happy in a world where we
               | never try to sell a company again, and only build things
               | we like."
               | 
               | I feel silly for falling for it too. Even very wealthy
               | people enjoy extra money.
        
             | AgloeDreams wrote:
             | > They are making a lot of money which is what the business
             | was made for.
             | 
             | I miss the days when businesses existed not just to serve
             | investors but also their employees and the common good.
             | It's like a 1%-er meta profit model where the actual
             | business is in buying and selling the business and the core
             | business is really just a temporary front that is designed
             | to never make a profit, just create fancy looking charts
             | and eventually bait and switch consumers when it is sold to
             | the highest bidder and the employees all eventually lose
             | their jobs.
             | 
             | One day, VC funding will either be illegal or required.
             | Considering the flow of money in this exchange, I'm betting
             | on the second.
        
               | floatingatoll wrote:
               | I miss the days when businesses existed not just to
               | support free users but also their revenue model and
               | profits. It's like the 0%-er meta profit model where the
               | actual business is in building and marketing the userbase
               | and the core business is really just a temporary front
               | that is designed to never make a profit, just create
               | fancy MAU charts and eventually bait and switch free
               | users when it is sold to the highest bidder and the free
               | users all eventually lose their service.
               | 
               | One day, revenue models will either be illegal or
               | required. Considering the outflow of users in this
               | exchange, I'm betting on the second.
        
               | centimeter wrote:
               | I think you have a rose-tinted view of what old-timey
               | businesses looked like. We moved past mom-and-pop
               | subsistence industry like 400 years ago. No one ever said
               | "I'm going to create a sheet metal production company for
               | the common good."
        
               | willis936 wrote:
               | Could you point to examples that support the existence of
               | this alternate history of which I've never heard of?
        
               | centimeter wrote:
               | To be clear, you are asking for examples of historical
               | companies that were profit motivated?
        
               | logifail wrote:
               | > No one ever said "I'm going to create a sheet metal
               | production company for the common good."
               | 
               | Look up Joseph Rowntree[0]
               | 
               | [0] https://en.wikipedia.org/wiki/Joseph_Rowntree_(philan
               | thropis...
        
               | ballooney wrote:
               | You're very wrong.
        
               | dfragnito wrote:
               | Software exists for its users; business exists for its
               | owners, more precisely its stakeholders. Further divide
               | stakeholders into the various rights, control, claims on
               | cash flow, claims on assets; give users the first, then
               | watch what happens.
        
               | ativzzz wrote:
               | > I miss the days when businesses existed not just to
               | serve investors but also their employees and the common
               | good
               | 
               | Uh when was this? For-profit businesses have always been
               | created for the primary purpose of making money. Any side
               | effect like employee well being happened to coincide with
               | what maximized profits at the time or due to regulation.
        
               | freepor wrote:
               | No, when businesses were owned primarily by single
               | individuals, their priorities were much more aligned with
               | the goals of a single individual. The owners cared not
               | only about profits but respect in the community,
               | influence over politics, etc. and made choices that
               | today's publicly traded companies would and do not.
        
               | djrogers wrote:
               | > The owners cared not only about profits but respect in
               | the community
               | 
               | I think you need to read a little more history. People
               | haven't changed their core nature in the past 40 years.
               | Look at Carpetbaggers, the Triangle Shirtwaist company,
               | and William Hearst for relatively recent examples.
               | Further back you can look at The Dutch East India
               | Company, the Knights Templar, and the various and sundry
               | monopolies that have arisen throughout history.
               | 
               | People are driven to acquire capital initially to meet
               | their own needs, then for power. There always have been
               | people and groups of people who strive for the latter,
               | not being satisfied with the former. Romanticizing long
               | dead business owners may play well in movies and books,
               | but it isn't reflective of human nature.
        
               | rabidrat wrote:
               | Pre-1970 or so. Before Milton Friedman, there was a
               | general sense that companies existed to fulfill some
               | mission, with profit as a means. The CEO of Kellogg
               | commented on this in an interview ca. 1980, that money
               | for a business is like a gasoline for a road trip. You
               | need it to get where you're going, but the point of a
               | road trip is not to accumulate as much gasoline as
               | possible.
        
               | nickik wrote:
               | This is a perfect example of how mythical history of the
               | left totally distorts people's view of history.
               | 
               | Kellogg also burned girls clitoris away because he was
               | against masturbation. Other than that he had incredibly toxic
               | fights about the right to the IP and broke his relation
               | with his brother. Clearly he didn't care about profits.
               | 
               | Also a single example doesn't prove that things were
               | structurally different. There are tons of companies now
               | that exist with different goals.
        
               | snowwrestler wrote:
               | Is this a joke? The bulk of the labor movement happened
               | before 1970, and it was not because workers were so well-
               | treated and well-compensated that they had a lot of free
               | time on their hands.
               | 
               | I'm a big fan of business and entrepreneurship, but let's
               | be clear here: there is a reason we invented government.
               | There was never a time when we could 100% count on the
               | beneficence of business leaders to advance social goals.
               | 
               | Edit to add: I'm not trying to demonize all business
               | leaders here. There are some bad actors, but even
               | business leaders who desire to do well have to succeed in
               | the marketplace--even against bad actors. Unfortunately,
               | doing bad things in business often confers the benefit of
               | lowering costs, which is a competitive advantage. This is
               | a known structural issue with a marketplace economy and
               | why we need more than just business to have a good
               | society.
        
               | rabidrat wrote:
               | Of course, there have always been bad businesses. The
               | difference between pre-1970 and now, is that we've not
               | only socially legitimized the maximization of profit,
               | we've also all but legally mandated it. Now even "decent"
               | business leaders like the CEO of Costco have to
               | continually answer to their shareholders as to why
               | they're not lowering wages and reducing benefit--and in
               | Costco's case, the shareholders may try to take legal
               | action to force them to lower costs, even though Costco
               | the business is already quite profitable. Due to lack of
               | labor regulation and the mantra that "businesses are
               | required to maximize shareholder value", Costco's decency
               | is fully dependent on its CEO's (unusual) fortitude to
               | fend off those shareholder demands. When its leadership
               | changes, its ability to care for its employees will
               | likely revert to the mean, which as we see in today's
               | environment is abysmal.
               | 
               | So really, it's not that "there are some bad actors", but
               | that "the system strongly encourages businesses to
               | install these so-called bad actors as their leaders". I
               | agree with you, that we need strong government labor
               | regulations to counter this mentality, but this mentality
               | is why these regulations have deteriorated over the past
               | 50 years.
        
               | asveikau wrote:
               | Your idea is not an inevitability but actually from the
               | late 20th century, and became very popular starting in
               | the 80s.
               | 
               | Here is a link that showed up in google for me when I
               | tried to find support of this claim:
               | https://www.washingtonpost.com/opinions/harold-meyerson-
               | the-...
        
               | ativzzz wrote:
               | Sure, and here is a counterexample from the 1600-1800s:
               | https://en.wikipedia.org/wiki/East_India_Company
               | 
               | Literally they bought an army and took over India for
               | money.
        
               | asveikau wrote:
               | Need to keep in mind we now remember this endeavor as
               | ethically challenged, but was it literally 100% for money
               | or did want of these goods play a role:
               | 
               | > cotton, silk, indigo dye, salt, spices, saltpetre, tea,
               | and opium.
               | 
               | Surely access to those provides some benefit other than
               | making money, which it also did for them.
               | 
               | Also worth noting that not every company is ... _that
               | one_.
        
               | wutbrodo wrote:
               | > was it literally 100% for money or did want of these
               | goods play a role: > cotton, silk, indigo dye, salt,
               | spices, saltpetre, tea, and opium. Surely access to those
               | provides some benefit other than making money, which it
               | also did for them.
               | 
               | This is an utterly meaningless distinction. Money is
               | fungible with all of those goods.
        
               | asveikau wrote:
               | I am not sure you are using fungibility completely
               | correctly because the goods have a condition, are
               | perishable, they can be bartered or traded or maybe are
               | fungible with respect to each other but are not literal
               | money and literally interchangeable with money.
               | 
               | Anyway, if you want to go down that path you can easily
               | conclude that literally any good or activity is just
               | money, that you live a money-dominated life and we all
               | exist for money all the time and while useful in some
               | contexts I don't think it's particularly apt, but I hope
               | you enjoy it.
        
               | ativzzz wrote:
               | > literally any good or activity is just money
               | 
               | In the grand context of life, no (despite the vast
               | majority of large scale events that we learn about in
               | history being usually a result of conflict over
               | money/power), but in the context of business, as this
               | thread is, yes in a for-profit business literally every
               | good and activity is about money.
               | 
               | Some businesses may choose to sacrifice money for things
               | like employee well-being or community contribution, but
               | that's a choice they make, or more likely are forced to
               | make.
        
               | willis936 wrote:
               | Prior to the 1980s.
               | 
               | https://en.wikipedia.org/wiki/Shareholder_value
        
               | [deleted]
        
           | verytrivial wrote:
           | > doesn't even mention the tarnished reputation Zoom has
           | acquired lately
           | 
           | I'm interested to know if you thought keybase doing the whole
           | unsolicited Initial Coin Offering was a reputation tarnishing
           | or polishing event for that company. (I'm circumspect about
           | both of these outfits to be honest.)
        
         | OJFord wrote:
         | Isn't getting bought and there being no plans for your business
         | bonkers? Or at least, it's a bonkers/highly-unusual admission
         | that it's an acqui-hire.
        
           | pwinnski wrote:
           | Bonkers how? Zoom gave them money, they took the money.
        
       | emersion wrote:
       | https://keybase.io/account/delete_me
        
         | ashconnor wrote:
         | Make sure you sell your free Lumens before you delete your
         | account. I got $55 a few months ago.
        
         | nathcd wrote:
         | Anybody else having trouble deleting their account? When I go
         | to /account/delete_me, I get redirected to
         | /?next=%2Faccount%2Fdelete_me, which is just the home page.
         | Also, I get the logged out navigation bar even after logging
         | in. Logging in seems to just redirect me to my own profile
         | page. (I've got my content blockers disabled, etc.)
         | 
         | Edit: deleting my cookies and re-logging in did the trick, in
         | case anybody else hits this issue. After re-logging in I now
         | have one fewer cookie than before, so I must've picked up an
         | extra cookie that was screwing with their auth handler or
         | something.
        
       | seemslegit wrote:
       | ha ha ha ha ha ha
       | 
       | ha ha ha ha ha
       | 
       | ha ha ha ha
       | 
       | ha ha ha
       | 
       | ha ha
       | 
       | ha.
        
       | drcongo wrote:
       | This is horrible news.
        
       | p0llard wrote:
       | Oh wow, I had a guest lecture from Max Krohn yesterday in which I
       | asked about how Keybase was being funded; no mention of this at
       | all!
        
         | lexicality wrote:
         | Possibly because of the confidentiality agreements everyone
         | signs at the start of an acquisition?
        
           | p0llard wrote:
           | I'm sure, I just found it amusing that it comes so soon after
           | I directly asked about it!
        
             | otachack wrote:
             | To be fair, that seems a common question to ask Keybase
             | prior to the acquisition :P
        
       | crad wrote:
       | Well that sucks. I'm glad they got an exit. I won't be using them
       | moving forward due to trust issues with Zoom.
        
       | TomGullen wrote:
       | Zoom trading at ~1,700 P/E which to me seems absurd. Wonder if
       | the acquisition involved much stock! Seems like a good time for
       | Zoom to make transactions like this.
        
         | m3kw9 wrote:
         | PE is price to earnings, but if you look at earnings when it
         | is very low (barely making a profit), the number will be very high.
         | So people tend to project the Earnings a year or so, and it
         | would fall drastically.
        
         | davedx wrote:
         | Can you explain this in a little more detail please? Would love
         | to understand more.
        
           | durkie wrote:
           | I think the thought GP was expressing was that it would be a
           | good time for Zoom to make an acquisition of Keybase paid for
           | in Zoom stock since Zoom stock is trading at a very high
           | multiple of Zoom's earnings.
           | 
           | Some people would regard this stock price as unsustainable
           | compared to historic/similar earnings multiples, and that the
           | stock will likely decrease in value in the "near" future. So
           | from Zoom's perspective they may as well buy as much as they
           | can while their Zoombucks are worth a lot since they'd be
           | parting with fewer shares now than if they made the
           | transaction later on.
        
           | [deleted]
        
           | dpflan wrote:
           | Sounds like: stock price is high so use its value to its full
           | extent while the price is high and more valuable. Allows
           | selling/granting of fewer shares of stock too.
        
       | gumby wrote:
       | Many are bemoaning what zoom will do with Keybase, but the code
       | is BSD licensed so nothing's stopping anyone from forking the
       | repos now and building a parallel distro.
       | 
       | Realistically this is probably the best outcome for the Keybase
       | team as they presumably have jobs for the foreseeable future.
        
         | zanderz wrote:
         | The server was never open source and that will be a pretty big
         | obstacle to the product living on beyond the company. That and
         | maybe the Amazon S3 bill.
        
       | soulofmischief wrote:
       | I have moved much of my digital life to Keybase. This news brings
       | me much fear but I just pray that Zoom takes the best parts and
       | then allows Keybase to continue to function as a goodwill venture
       | at least until a suitable replacement appears. The software
       | package Keybase offers is unbeatable.
        
       | reneberlin wrote:
       | 1 Trillion? 10? maybe 5 Billion? What if they all kill themselves
       | after 14 days waking up in a zoom-meeting?
       | 
       | "Don't come around here no more" -tompetty i hear along the
       | lines.
       | 
       | Maybe you can go sunbathing with US-leaders, or US-businesspeople
       | on behalf of their own island. But, come clear: you cashed out,
       | and, in the far, far world, that you would invest the money back
       | into the dev-world with a cut- you will ephemeral be remembered
       | as: a cunt!
        
       | mrtweetyhack wrote:
       | Developed in China means code accessible and changed by China
        
       | HumblyTossed wrote:
       | Now if they'll just push that server code to github...
        
       | crazygringo wrote:
       | Everyone here saying Keybase is dead... why hasn't anyone
       | mentioned that Keybase is open-source? New BSD (3 Clause)
       | License. [1]
       | 
       | So regardless of what happens to it with Zoom, the community can
       | fork it and continue developing it, no?
       | 
       | So if people don't want it to be dead... it's not dead. That
       | seems like great news, right? (And great foresight?)
       | 
       | [1] https://keybase.io/docs/the_app/source_code
        
         | coldpie wrote:
         | I know we all like to pretend it's all passion projects, but
         | the reality is that with very few exceptions, developing large-
         | scale, end-user-ready software costs money, regardless of the
         | license. If devs aren't getting paid, they're not going to work
         | on it. Keybase is dead.
        
         | wink wrote:
         | Despite being one of the earlier signups I have never fully
         | grasped what it's actually good for.
         | 
         | Time and time again I forget about it and when I check the
         | website it seems to be doing something different - but it all
         | sounded very centralized, first the gpg keys, then the file-
         | sharing and chat - it doesn't seem to be federated.
         | 
         | So unless some entity steps up as the de-facto api-compatible
         | replacement, I don't see how having the code alone would help,
         | unless you want a chat solution for a handful of users?
        
         | eropple wrote:
         | The backend isn't open-source, AFAIK. It isn't a full reverse
         | engineer job to implement that, but it's not trivial.
        
       | alwillis wrote:
       | I woke up this morning and read this and literally thought it was
       | a belated April fool's joke or something.
       | 
       | Best case scenario: the Keybase app gets spun out and gets an
       | appropriate home.
        
       | Phosphenes wrote:
       | Keybase launched in 2014 as a directory for public encryption
       | keys and has since grown to include secure messaging and file-
       | sharing features. Keybase profiles are meant to serve as the
       | center of your online identity: Keybase verifies you, and it
       | verifies that you actually own other online accounts that belong
       | to you. From there, people can visit your Keybase profile and
       | feel confident that any account claimed is an authentic one.
       | Usually, these profiles include encryption keys that can be used
       | to securely contact a person.
        
       | underyx wrote:
       | Keybase's side of the announcement:
       | https://keybase.io/blog/keybase-joins-zoom
       | 
       | > What the Keybase team will be doing
       | 
       | > Initially, our single top priority is helping to make Zoom even
       | more secure. There are no specific plans for the Keybase app yet.
       | Ultimately Keybase's future is in Zoom's hands, and we'll see
       | where that takes us. Of course, if anything changes about
       | Keybase's availability, our users will get plenty of notice.
       | 
       | > So, our shortest-term directive is to significantly improve our
       | security effectiveness, by working on a product that's that much
       | bigger than Keybase. We can't be more specific than that, because
       | we're just diving in.
       | 
       | They're not even making the usual "Zoom is committed to keeping
       | Keybase alive" promise :(
        
         | m3kw9 wrote:
         | They are buying Keybase to shore up their security, why would
         | they still give them time to keep it up, unless they want to
         | also integrate their message service into Zoom chat?
        
         | swyx wrote:
         | is this an acquihire then?
        
           | jng wrote:
           | If so, it would be in the unusual shape that it is a top-
           | dollar one rather than cover-the-failure-with-a-pretty-ending
           | one. But in this case, Zoom is probably actually interested
           | in the security tech that Keybase has apart from the talent,
           | they're just not interested in the product.
        
             | swyx wrote:
             | did i miss something? how do you know it's top-dollar? no
             | dollar amount was disclosed.
        
               | jng wrote:
               | No, you didn't miss anything. As you probably expected,
               | it's just my deductions from context. I may be completely
               | wrong. I still do believe in them, but obviously no one
               | else needs to.
        
         | seemslegit wrote:
         | "to make Zoom even more secure." I mean, this might take a
         | while.
        
           | seba_dos1 wrote:
           | I can easily see the words "even more" being added only after
           | rounds of reviews :P
        
         | dang wrote:
         | (We've since changed the URL from
         | https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keyb...
         | to that one)
        
           | sincerely wrote:
           | Hi dang, are there any plans to introduce a marker of some
           | sort so that people know whether the current URL is the same
           | as the one it was submitted with? I find that often I have no
           | idea what the comments are talking about
        
             | dang wrote:
             | It's not clear to me whether that would add more signal to
             | the comments or more noise.
             | 
             | If you have specific links to cases where this has been a
             | problem, you'd be welcome to send them to
             | hn@ycombinator.com so we can take a look. Or keep that in
             | mind for the next time this comes up.
        
       | ForHackernews wrote:
       | > Zoom Acquires Keybase and Announces Goal of Developing the Most
       | Broadly Used Enterprise End-to-End Encryption Offering
       | 
       | So is this real end-to-end encryption, or Zoom-brand "end"-to-
       | our-server-to-"end" encryption?
        
       | itsajoke wrote:
       | All your Keybase are belong to Zoom.
        
       | nullc wrote:
       | So does this mean getting marketed sketchy cryptocurrencies
       | during your teleconferences, sending your PGP keys to random
       | servers in other countries, ... or both?
       | 
       | Relevant to the acquisition, perhaps:
       | https://web.archive.org/web/20191122031523/https://github.co...
        
       | floren wrote:
       | I've found kbfs a very convenient way to share files with
       | collaborators. Anyone know of a self-hosted encrypted remote
       | filesystem that might replace it?
        
         | gnu wrote:
         | There is tahoe-lafs. Give it a try.
        
         | ajb wrote:
         | This. In fact I've found it pretty useful just for
         | personal files.
         | 
         | There's Tahoe-lafs, which has been around for years but,
         | although secure, was originally pretty notorious for being hard
         | to use. Maybe it's improved since...
        
       | ccktlmazeltov wrote:
       | This is actually a really interesting acquisition, keybase wasn't
       | going anywhere yet was producing some really good stuff. On the
       | other hand zoom is a bunch of security and cryptography amateurs,
       | I can't wait to see what's going to happen. Good luck!
        
       | metreo wrote:
       | Keybase is dead long live Keybase2!
        
       | eximius wrote:
       | Does anyone know if Keybase's data retention policy actually
       | deletes the data if I delete my account?
       | 
       | I don't want to delete it if it is just a soft delete.
        
       | reneberlin wrote:
       | Looking forward to see what happens to those boys standing up to
       | make life easier for encryption and identity. From that point of
       | view, the project is canceled immediately.
        
       | Arathorn wrote:
       | It's kinda ironic that Keybase disappears into Zoom the day after
       | Matrix/Riot enabled end-to-end encryption by default, with cross-
       | signed device verification similar to Keybase's concept of
       | connected keys - see https://blog.riot.im/e2e-encryption-by-
       | default-cross-signing....
       | 
       | In other words, a fully open source (and open standardised)
       | alternative continues to exist in the form of Matrix.
       | 
       | [disclaimer: project lead for Matrix]
        
         | RMPR wrote:
         | I was about to complain about your desktop Electron app but it
         | seems that spectral[0] is already usable without any hassle
         | (build from source, ...) at least on Fedora, time to reactivate
         | my Matrix account, keep up with the great work
         | 
         | 0: https://gitlab.com/spectral-im/spectral
        
           | Hitton wrote:
           | Alternatively Mirage[0] - Qt + Python. There is really a lot
           | to choose from with Matrix. The beauty of open protocol.
           | 
           | [0]: https://github.com/mirukana/mirage
        
             | RMPR wrote:
             | Seems like on Fedora the only mirage available is Mirage
             | the image viewer
             | 
             | http://mirageiv.sourceforge.net/
        
               | RIMR wrote:
               | You can install the other Mirage on Fedora by following
               | the instruction in the Github link...
        
           | roblabla wrote:
           | There's also Fractal[0] which uses GTK+ instead of Qt, and is
           | maintained by the Gnome foundation and planned to be used by
           | the Librem 5 AFAIK.
           | 
           | [0]: https://matrix.org/docs/projects/client/fractal
        
             | RMPR wrote:
             | Unfortunately, can't find it in the Fedora's repo
        
               | uneekname wrote:
               | I know it isn't ideal, but Fractal is available through
               | Flatpak and Snap
        
           | gnufx wrote:
           | But unfortunately these alternatives don't have the same
           | encryption support, do they? (Some seem not to have any.)
        
             | Arathorn wrote:
             | https://blog.riot.im/e2e-encryption-by-default-cross-
             | signing... has a list of E2E-capable clients. For instance,
             | Mirage, mentioned as an alternative here, has full E2EE
             | support (but no cross-signing yet, given it's brand new).
        
         | zfnmxt wrote:
         | It's funny, but I think I get most of my Riot/Matrix news from
         | your comments scattered about hacker news.
         | 
         | Anyway, I run a matrix server for my family (and we all use the
         | Riot client) and the number one issue is encryption and
         | mysterious "Unable to Decrypt" messages. (Closely followed by
         | how rough the Android client is.) This fixes all of that (well,
         | once RiotX replaces the standard Android client) and I think it
         | will remove a lot of friction.
         | 
         | Thanks for your work!
        
         | packetlost wrote:
         | Matrix and Keybase have entirely different goals and
         | functionalities. There's barely any feature overlap besides
         | end-to-end encrypted messaging, but it's not like XMPP hasn't
         | had that for years. I think it's silly to even compare the two
        
         | KAMSPioneer wrote:
         | Holy crap, the Matrix/Riot teams have been busy! Congrats on
         | the progress, it's very exciting to watch. Although I have a
         | Matrix account I have had trouble getting friends/family to
         | switch with me (mostly non-technical folks, and Signal was much
         | stickier for them), it might be time to convince them to try
         | again.
         | 
         | Thanks to you and the team for all the hard work!
        
           | mikro2nd wrote:
           | Interesting. I've turned quite a number of non-technical
           | friends/family into Signal users, just by telling them,
           | "Here's the messaging app I'm using if you want to talk to
           | me..." without mention of encryption until they're already
           | hooked. Uniformly comments have been favourable concerning
           | ease-of-use and quality of voice/video calls (at least
           | compared to what they're already used to -- generally Zoom or
           | Skype), and several of them have pushed it out to their
           | networks in turn.
        
             | KAMSPioneer wrote:
             | Oh definitely, my experience is similar. Sorry if I was
             | unclear: by Signal being "stickier" than Matrix I meant
             | that I've had better luck getting friends to continue using
             | Signal than continue using Matrix. So far, anyway.
        
             | SAI_Peregrinus wrote:
             | Ease of use is the big elephant-in-the-room issue for
             | Matrix.
             | 
             | The only way I've found to join a room is the `/join`
             | command. There's a GUI search, but it doesn't work.
             | 
             | Users have to pick their identity provider, their home
             | server, etc. Lots of choices, scary messages, and generally
             | annoying to set up. Services that depend on someone who is
             | technically inclined setting things up never become
             | widespread outside technical communities.
             | 
             | If users pick an unreliable server to connect to, or
             | there's a network split, things break, just like IRC does.
             | 
             | There are several clients, all slightly different. It's up
             | to the user to pick which one they want, when they've never
             | used any of them and just want something to work.
             | 
             | It's better than IRC, but that bar is so low you'd have to
             | bury it to get any lower.
        
               | ccktlmazeltov wrote:
               | > The only way I've found to join a room is the `/join`
               | command. There's a GUI search, but it doesn't work.
               | 
               | never used that /join command, the GUI works fine for me
        
               | Arathorn wrote:
               | The GUI search should work fine these days. (It was
               | broken about 6 months ago due to the room lists getting
               | too big, but was fixed in https://github.com/matrix-
               | org/synapse/pull/6019).
               | 
               | It's true you have to pick a server to use, but we try to
               | provide decent defaults (although it's true matrix.org
               | has been overloaded recently).
               | 
               | We're trying to simplify onboarding via P2P Matrix - by
               | default, you'd start off entirely P2P, and only pick a
               | server if you want to 'anchor' your account somewhere.
               | 
               | I have a feeling you may be going off outdated
               | impressions here; we've been desperately trying to
               | improve UI/UX (as per
               | https://blog.riot.im/e2e-encryption-by-default-cross-
               | signing... and https://blog.riot.im/e2e-encryption-by-
               | default-cross-signing...).
        
               | SAI_Peregrinus wrote:
               | I last used it for the recent (Thursday, April 30th) Rust
               | Zurich meetup. I've got it installed via apt, and updated
               | to
               | 
               | riot-web version: 1.6.0
               | olm version: 3.1.3
               | 
               | Search didn't find the room. /join did.
               | 
               | Also it just took me over a minute to find the version
               | number, because the client settings are hidden in a
               | dropdown menu under my user name, not in the gear icon
               | (tooltip "settings") on the upper left or the hamburger
               | menu that says explore, and even in the right dropdown
               | it's under "settings->help & about" instead of just under
               | "help" where the "about" box has lived in every single
               | program since the '90s...
        
               | Arathorn wrote:
               | Well, if search didn't find the room, it sounds like a
               | plain old bug. (Or was the room marked ex-directory?) If
               | you can file details at https://github.com/matrix-
               | org/synapse/issues we'll dig into it.
               | 
               | And noted, in terms of the version number being in the
               | wrong place on Riot/Web.
        
               | folex wrote:
               | Awesome work, thank you for that! Keep it up! :)
        
         | Legogris wrote:
         | I've been looking into Matrix as a "personal IM bridge" and I'm
         | thinking this could be a way for Matrix to get traction.
         | 
         | Let's say you're in a position that I think many here are: You
         | would prefer to use IM in a secure way. Let me qualify "secure"
         | for this purpose meaning: Encryption of communication in rest
         | and transit; not relying on a single infra/network/service
         | provider; being able to communicate with new peers easily
         | without having to sign up with new providers; not requiring
         | sign-ups leaking PIIs such as phone numbers; being able to sync
         | message history across devices; all of this should hold for
         | group conversations.
         | 
         | matrix.org seems to be on the right track towards that.
         | Feature-wise there's some missing pieces in terms of federation
         | but the roadmap looks like the ambition is right.
         | 
         | But in practice, it's realistically years until you can meet a
         | random person in a bar and ask to join you on matrix to stay in
         | touch, so many of us will still keep our accounts on the not-
         | as-great platforms such as FB, Skype, WhatsApp, Signal.
         | 
         | Given that, wouldn't it be nice to facilitate using those
         | platforms in a way that 1) absolves you from the behavioral
         | tracking that comes with most of the first-party web- and
         | smartphone apps and 2) integrates them in the same UI?
         | 
         | There are, of course, solutions to this end. Bitlbee (IRC
         | gateway), libpurple (pidgin, finch), third-party clients like
         | franz. I'm sure there are many here who have or are using
         | libpurple or bitlbee for this.
         | 
         | But matrix also has bridges!
         | 
         | I'm thinking one potential way that matrix could really get
         | traction and seed the network infrastructure would be just
         | that. Given stable gateways for the IM networks people already
         | use, it's suddenly a _much_ easier sell to get enthusiasts and
         | power-users to self-host matrix servers just to solve their own
         | bridging needs and get a unified flow for disparate protocols.
         | 
         | As that grows, eventually there's a large spread-out flora of
         | matrix servers that can become part of something larger.
         | 
         | I think if there's one thing that can make matrix succeed in
         | its mission, it's stable, feature-complete (or at least
         | ticking the important boxes for the majority) bridges to
         | mainstream services such as Facebook, Whatsapp, Signal, LINE,
         | Skype, Google and Keybase.
         | 
         | I think this should be a focus for Matrix, and amazing as it
         | would be to have these be the fruit of voluntary contributors,
         | some funding is likely required if it's to be sustainable as
         | proprietary protocols and endpoints will inevitably break.
         | 
         | What's your take on that? I realize it's a long comment and I'm
         | in a bit of a rush, but I'd be really curious to hear how you
         | think about these things.
        
           | toyg wrote:
           | I'm not Arathorn (and not even a Matrix user yet, barely ever
           | on Signal too), but the problem with bridges to 3rd-parties
           | is that you're effectively allowing these non-Matrix users to
           | keep doing what they're doing, instead of incentivising them
           | to switch. The walled gardens know this very well - that's
           | why they've discontinued their XMPP gateways.
        
           | Arathorn wrote:
           | We're working on making bridges better integrated in Matrix
           | to help with this use case - it's certainly a good way to
           | drive uptake.
           | 
           | On the other hand, bridges are always an impedance mismatch -
           | you have to keep up with new features on both sides of the
           | bridge, and the system you're bridging into doesn't always
           | want to be bridged.
           | 
           | So, we think bridges are a key thing for Matrix (it's where
           | the name comes from - matrixing together different comms
           | platforms!) - but it'd be wrong to predicate the success of
           | the protocol on bridges. They're useful, they have their
           | place, but they're not the sole reason to use Matrix.
        
             | Legogris wrote:
             | On feature-mismatch, I don't think it has to be that big of
             | a deal - as long as
             | 
             | * delivering messages and file/image attachments work
             | reliably in both directions
             | 
             | * stickers and other native attachments (location, audio
             | clips, etc) can be received, not necessarily sent
             | 
             | that's absolutely Good Enough for daily use for me and I
             | imagine many others.
             | 
             | Reactions and sending of stickers etc optional, but if
             | that's there, that's basically full parity of what anyone
             | in the target audience mentioned above could expect. Actual
             | parsing of non-plaintext data is obviously up to clients
             | and should be approachable for the average casual
             | contributor.
             | 
             | > the system you're bridging into doesn't always want to be
             | bridged.
             | 
             | This should be the crucial and challenging part to
             | maintain.
        
               | rakoo wrote:
               | > This should be the crucial and challenging part to
               | maintain.
               | 
               | More than that, some of the systems explicitly _don't_
               | want to be bridged, because retaining users in their
               | silos brings in more money than maintaining a window to
               | the world outside the silo. It's tolerated at best today,
               | but you can be sure that if a bridge ever gets traction,
               | the Whatsapps/Facebooks/Wechats will do what they can to
               | block you.
               | 
               | Rather than betting on the bridges in the long term, I
               | believe it's in your interest (as a Matrix user) to host
               | a bridge to Whatsapp, and tell your Whatsapp friends that
               | it kinda works but it's gonna fail at some point, so they
               | better have a second account for the future. Install the
               | account for them even, that removes some of the friction.
               | But ultimately you have to realize that Whatsapp doesn't
               | want to talk to Matrix (the situation is completely
               | different for an open protocol of course, like IRC or
               | XMPP)
        
         | eslaught wrote:
         | The thing I like about Keybase is that keys are always
         | generated client-side and never leave the client, and all of
         | the functionality associated with adding/removing devices is
         | done in a way so that there's no way for a server to tamper
         | with it (aside from denying service).
         | 
         | Is that true in Matrix? Several services advertise themselves
         | as "end-to-end" encrypted, but then when you poke harder it
         | turns out either there is some sort of TOFU (so an opportunity
         | for the server to insert itself) or else there is no device
         | continuity (which means in the case of e.g. Whatsapp that keys
         | are reprovisioned almost promiscuously to avoid bad UX).
         | Whatsapp is a particularly bad example because (a) I lose chat
         | history when I move devices, and yet (b) the UX does not
         | require an old device to authenticate the new one, so I can
         | compromise conversations (at least moving forward) if I can
         | compromise a server.
         | 
         | How end-to-end is Matrix really, and how similar is the new
         | support to Keybase's key management flow?
        
           | Arathorn wrote:
           | Yes, Matrix is properly end-to-end encrypted (with all keys
           | generated clientside) and has been independently audited as
           | such: https://www.nccgroup.trust/us/our-research/matrix-olm-
           | crypto.... We have gone to huge efforts to prevent MITMs via
           | device verification and cross signing - which specifically
           | addresses both problems of a) losing chat history when you
           | move between devices (via https://github.com/uhoreg/matrix-
           | doc/blob/e2e_backup/proposa...) and b) requiring cross-
           | signing when you log in on a new device, to spread trust to
           | new logins, as per https://github.com/uhoreg/matrix-
           | doc/blob/cross-signing2/pro....
           | 
           | All keys are stored clientside, with the exception of if you
           | enable serverside key backup, when they are then encrypted
           | and optionally stored serverside to allow you to recover your
           | history if you lose all your devices.
        
             | eslaught wrote:
             | Just to confirm, if I turn off backup, does anything stop
             | working aside from needing at least one device to be
             | operational at any given time?
             | 
             | Edit: Specifically, is key backup tied to the ability to
             | recover account history on a new device, or can I still get
             | that with key backup disabled as long as I have at least
             | one other device active?
             | 
             | Edit 2: Can you address this paragraph:
             | 
             | > One point for super-paranoid users: currently the private
             | key used to sign your own devices and the private key used
             | to sign other users are encrypted by your recovery
             | passphrase/key and stored on the server to allow recovery
             | if you lose all your devices. We also allow signing keys to
             | be shared (gossiped) between devices, but right now the
             | implementation also stores them encrypted on the server
             | too. This restriction will be fixed in future, but for now
             | if you don't trust your server with encrypted keys, you may
             | want to hold off on using cross-signing.
             | 
             | If I understand correctly, sounds like security is based on
             | the complexity of your recovery passphrase and an implicit
             | assumption that the passphrase doesn't get transmitted to
             | the server... is that correct?
        
               | Arathorn wrote:
               | If you turn off message key backup, all it means is that
               | if you lose all your devices (and thus your keys), you
               | will lose your history. Otherwise, if you have at least
               | one device active on your account, it will receive your
               | message keys and gossip them (if needed) with your other
               | devices. You can always do a manual offline backup too
               | for safekeeping as a workaround.
               | 
               | > If I understand correctly, sounds like security is
               | based on the complexity of your recovery passphrase and
               | an implicit assumption that the passphrase doesn't get
               | transmitted to the server... is that correct?
               | 
               | If you use cross-signing, then yes - your signing keys
               | are stored protected by the recovery passphrase on the
               | server. We also support gossiping them between devices
               | (same as message keys), and there's no reason for them to
               | have to persist on the server. We just need to hook up
               | the UI to expose that as an option and we ran out of time
               | to do that before shipping the initial release. It will
               | follow shortly.
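
The storage model discussed in this exchange, as an added example that is not part of the thread and not Matrix's or Riot's code: a client wraps a signing key under a passphrase-derived key and uploads only the resulting record. The function names, the sample key, and the algorithm choices (PBKDF2-SHA-512, AES-256-CTR, HMAC-SHA-256, 100000 iterations) are assumptions made for this sketch.

```javascript
// Added illustration: client-side wrapping of a signing key under a recovery
// passphrase. Names and parameters are hypothetical, not Matrix's.
const nodeCrypto = require('crypto');

const PBKDF2_ITERATIONS = 100000; // assumed work factor for this sketch

// Stretch the passphrase into 64 bytes and split them into an encryption key
// and a MAC key. Runs on the client only; the passphrase is never uploaded.
function deriveKeys(passphrase, salt, iterations) {
  const okm = nodeCrypto.pbkdf2Sync(passphrase, salt, iterations, 64, 'sha512');
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32, 64) };
}

// Returns the record a server would store: salt, work factor, IV, ciphertext
// and MAC. Neither the passphrase nor the derived keys appear in it.
function wrapSecret(secret, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(16);
  const { encKey, macKey } = deriveKeys(passphrase, salt, PBKDF2_ITERATIONS);
  const cipher = nodeCrypto.createCipheriv('aes-256-ctr', encKey, iv);
  const ciphertext = Buffer.concat([cipher.update(secret), cipher.final()]);
  const mac = nodeCrypto.createHmac('sha256', macKey)
    .update(iv).update(ciphertext).digest();
  return {
    salt: salt.toString('base64'),
    iterations: PBKDF2_ITERATIONS,
    iv: iv.toString('base64'),
    ciphertext: ciphertext.toString('base64'),
    mac: mac.toString('base64'),
  };
}

// Run on a new device after downloading the record. The MAC is checked before
// decrypting, so a wrong passphrase or a server-modified record is rejected.
function unwrapSecret(record, passphrase) {
  const salt = Buffer.from(record.salt, 'base64');
  const iv = Buffer.from(record.iv, 'base64');
  const ciphertext = Buffer.from(record.ciphertext, 'base64');
  const mac = Buffer.from(record.mac, 'base64');
  const { encKey, macKey } = deriveKeys(passphrase, salt, record.iterations);
  const expected = nodeCrypto.createHmac('sha256', macKey)
    .update(iv).update(ciphertext).digest();
  if (mac.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(mac, expected)) {
    throw new Error('MAC check failed: wrong passphrase or modified record');
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-ctr', encKey, iv);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

// Helper for callers that want a boolean instead of an exception.
function canUnwrap(record, passphrase) {
  try {
    unwrapSecret(record, passphrase);
    return true;
  } catch (err) {
    return false;
  }
}
```

Anyone holding the stored record can test passphrase guesses offline against the MAC, so the passphrase's entropy and the work factor are the only things protecting the wrapped key.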
        
         | seemslegit wrote:
         | What endgame do you think your company has other than
         | eventually selling out its userbase in one way or another?
        
           | Arathorn wrote:
           | Matrix isn't a company, it's a non-profit foundation,
           | expressly set up to protect its users: see
           | https://matrix.org/foundation for details.
           | 
           | Riot is a Matrix client made by New Vector
           | (https://vector.im), the company started by the team who
           | originally created Matrix. The endgame there is to sell
           | Matrix hosting (https://modular.im), support and other value-
           | added services for Matrix. We are categorically not going to
           | sell out our userbase - and we have no reason to; if we did,
           | they'd just move to a different Matrix service provider.
        
             | seemslegit wrote:
             | I can imagine keybase delivering a similar statement back
             | in the day, good luck.
        
               | dancemethis wrote:
               | Keybase was always grey area since the server-side was
               | proprietary.
               | 
               | Matrix is 100% Free Software and you can run a server
               | yourself.
        
               | Legogris wrote:
               | I think a key difference here is fully open and
               | collaborative specs, with Apache-licensed reference
               | implementations for server and client that they dogfood
               | themselves. It's also getting federated. So protocol,
               | tech and network can live on regardless of who's running
               | the servers people are using or driving the development
               | of implementations.
        
               | seemslegit wrote:
               | Until one day the foundation decides federation is not in
               | the best interest of the community, the standards and
               | reference implementation start to reflect closely the
               | interests of the leading player[s] with other
               | implementations having to play catchup. It would have
               | been a very cynical take if it wasn't business as usual
               | in our industry.
        
               | ccktlmazeltov wrote:
               | your scenario really makes no sense to me, maybe you're
               | not familiar with what Matrix is?
        
               | Arathorn wrote:
               | That would be like the W3C declaring that interoperable
               | hypertext is not in the best interest of the Web
               | community. Or the Linux Foundation declaring that
               | Linux being open source is not in the best interest of
               | the community.
               | 
               | It would be utterly sabotaging, and in the case of the
               | Matrix Foundation, the Foundation is independently
               | regulated by the UK Government as a Community Interest
               | Company - and so anyone would be welcome to complain to
               | the regulator (via
               | https://www.gov.uk/government/organisations/office-of-
               | the-re...) that the Foundation was breaking its charter,
               | and the Directors would face fines and/or legal action.
               | 
               | This is why Matrix is in a fundamentally different
               | situation to Keybase, or Zoom, or pretty much any other
               | communication project out there, and why we spent so much
               | time (and money) setting it up properly as a non-profit
               | Foundation.
        
         | ryukafalz wrote:
         | Hi! I use Matrix a lot, but a privacy-sensitive group of my
         | friends recently switched to Keybase largely due to the per-
         | room/per-message retention policies. This might be a good
         | opportunity to convince them to jump ship, and I know something
         | similar has been in the works for Matrix, but do you know where
         | it is on the list of priorities?
         | 
         | (Congrats on the cross-signing release though, it's been a long
         | time coming and it's been working really well!)
        
           | Semaphor wrote:
           | Hijacking this: Does anyone know if there's a Matrix client
           | (out or in dev) that has the UI/UX of old 1on1 messengers
           | (ICQ, MSN) and not chatrooms (IRC, Slack)? Specifically not
           | the weird list of bubbles on the side, but instead a list of
           | accounts/rooms and a window per chat.
        
             | Arathorn wrote:
             | I guess Pidgin has that UI, although its Matrix support is
             | alpha sadly. Not aware of anyone else who's done that sort
             | of UI yet, but it's only a matter of time.
        
           | Arathorn wrote:
           | We've had per-room/per-message retention policies in Matrix
           | for months now (although Riot hasn't exposed UX to configure
           | them yet, as we were drowning in cross-signing work).
           | 
           | https://github.com/matrix-
           | org/synapse/blob/master/docs/messa... has the details.
        
             | ryukafalz wrote:
             | Hmm, that document seems to indicate they're disabled by
             | default in synapse though?
             | 
             | >Note that over every server in the room, only the ones
             | with support for message retention policies will actually
             | remove expired events. This support is currently not
             | enabled by default in Synapse.
        
               | Arathorn wrote:
               | True - we did a slow roll-out whilst testing. It should
               | be okay to turn on everywhere now :)
        
       | rasengan0 wrote:
       | The shareholders will be pleased, enterprise and beyond:
       | https://www.marketscreener.com/ZOOM-VIDEO-COMMUNICATIONS-570...
        
       | jokoon wrote:
       | There were local, volunteering missions to help healthcare
       | workers, the homeless, etc all done by some "non-profit" in
       | Europe. Those missions had state-sponsored ads, and I volunteered
       | online.
       | 
       | As soon as they required me to use Zoom, I told them I would not
       | use Zoom. I just go on their WhatsApp thing, so of course I get
       | less info, etc.
       | 
       | I really fail to understand how Zoom became so popular, and I was
       | recently wondering the same thing about TikTok, which by the way,
       | was just a clone of Vine.
       | 
       | Essentially, with apps like that, advertising and adoption is
       | critical, the tech doesn't really matter that much. I would
       | really be interested in understanding what are the strategies in
       | place to make people use those things. Of course the virus played
       | a huge role, but I'm certain there are specialists about how to
       | gain users rapidly.
        
         | baumy wrote:
         | Can't help you with TikTok or Vine since I don't understand
         | those either (I believe the target market for them is mostly
         | people around age 21 or younger, so if you're outside that
         | group that's not surprising).
         | 
         | For Zoom though, I feel it's quite trivial to see how it became
         | popular. Of all the various video chat/conferencing software
         | that exists, Zoom is the easiest for the layperson to set up and
         | use while also tending to be the best performing in terms of
         | audio/video quality, latency, large numbers of users on a
         | single call, etc. My girlfriend was able to join a Zoom call with
         | her parents a few days ago without even telling them how to do
         | it; yesterday I overheard a 30 minute phone conversation while
         | she tried to explain to her mother how to edit a Facebook post
         | (unsuccessfully, despite valiant efforts).
         | 
         | Outside of this niche community, basically nobody knows or
         | cares about Zoom's various security gaffes. They just want
         | something that works and gets out of the way. And I say all
         | this as somebody who has watched others use Zoom a few times
         | and read about it, but never used it myself nor felt the
         | inclination to.
         | 
         | I'm sure you're right about specialists and strategies to try
         | to spark mass adoption being things that happen, but the
         | technology matters as well.
        
       | ddevault wrote:
       | Keybase helped me to identify a trend in the software industry:
       | using a pretty UI to cover up the disruption of an open ecosystem
       | with a closed, centralized replacement. Keybase seemed cool on
       | the face of it - making encryption easier is a laudable goal, and
       | PGP certainly could use the improvement. But, thanks to Keybase,
       | now I ask different questions upfront. Beware the Keybase
       | formula:
       | 
       | 1. Integrates with an existing, open ecosystem
       | 
       | 2. May have open-source clients, but server is closed source and
       | does not federate
       | 
       | 3. Pretty UI and good marketing
       | 
       | 4. VC funded
        
         | soulofmischief wrote:
         | Keybase packed together many different technologies in one
         | place. I don't think any of us who moved to Keybase had
         | delusions that it would be around forever. But it's an
         | amazingly comprehensive suite for its small scope and the open
         | source product that replaces it will only exist because Keybase
         | existed.
         | 
         | If the writing is placed on the wall (the marker cap is open
         | right now) then replacing each of Keybase's features with
         | existing technologies won't be difficult -- just time
         | consuming, which is why they have market fit.
        
         | Legogris wrote:
         | I don't know how many people here remember the excitement when
         | Android was new and, OMG, it's Linux! Open source! Finally we
         | have a Linux-based, free and open phone platform!
         | 
         | I actually think that this played a non-trivial part in Android
         | getting early traction - similar dynamic to Gmail where tech
         | people got excited about it and eventually "my friend who's good
         | with computers recommends this" becomes a factor.
         | 
         | Not the exact same formula as you formulate above, but I think
         | there are parallels to draw.
         | 
         | Embrace, extend, and extinguish, and all that.
        
           | seba_dos1 wrote:
           | I was very excited about first reports on Android. I was
           | young, starting to earn my first money, and I wanted to spend
           | that money by getting myself my first, awesome, Linux-powered
           | smartphone by Google - a company I heard only good things
           | about.
           | 
           | Fortunately, I've decided to go with Openmoko instead back
           | then. I'm so glad I did.
        
         | kgraves wrote:
         | I think we could just stop at:
         | 
         | VC Funded(tm)
        
         | edraferi wrote:
         | I wonder if we'll get a fully open source release of the
         | Keybase server out of this. It would be so awesome as a
         | federated ecosystem...
        
         | adtac wrote:
         | it's more about the VC funding than anything else. it is almost
         | always the reason for the death of cool software
        
         | oever wrote:
         | Sounds like protonmail.
        
           | gruez wrote:
           | They're vc funded?
        
             | nathcd wrote:
             | https://protonmail.com/about indicates they're funded to
             | some extent by Charles River Ventures
             | (https://www.crv.com/). They were initially crowdfunded,
             | and also get funding from a Swiss nonprofit foundation.
        
           | ddevault wrote:
           | _Fascinating_.
        
           | fmpwizard wrote:
           | I don't know their revenue numbers, but protonmail offers
           | paid services, unlike Keybase. I hope protonmail doesn't go
           | the same path.
        
         | Endlessly wrote:
         | This is not a trend, it's a long standing market strategy:
         | 
         | https://en.m.wikipedia.org/wiki/Embrace,_extend,_and_extingu...
        
           | leafmeal wrote:
           | Can't it be both a trend and a marketing strategy?
        
       | 627467 wrote:
       | I can't help but feel shocked by this development. I guess it's
       | my fault given that keybase was always potentially a target for
       | acquisition.
       | 
       | PR-wise it does not seem to bode well for those who relied on it
       | for both file, chat and social graph storage...
        
       ___________________________________________________________________
       (page generated 2020-05-07 23:00 UTC)