[HN Gopher] Zoom Acquires Keybase ___________________________________________________________________ Zoom Acquires Keybase Author : vikram7 Score : 1454 points Date : 2020-05-07 12:58 UTC (10 hours ago) (HTM) web link (keybase.io) (TXT) w3m dump (keybase.io) | rvz wrote: | > Ultimately Keybase's future is in Zoom's hands | | Well, that definitely translates to uncertainty and ultimately | the death of Keybase. | api wrote: | I saw that coming when they shoehorned a pointless | cryptocurrency that nobody uses into it. | stevekemp wrote: | I deleted my account when the crypto-spam emails started to | arrive. | tobyjsullivan wrote: | It was actually a really nice stellar wallet implementation. | A bad bet perhaps, in hindsight. Unfortunately, this | acquisition means I won't be using it anymore for the | foreseeable future. | yarrel wrote: | It looked like a de-anonymization attack and brought | phishing attacks to crypto groups using Keybase group chat. | | It was badly implemented, badly introduced, and harmful for | both users and adoption of the platform. | WorldMaker wrote: | Keybase was always a de-anonymization platform, and there | have always been spam/phishing concerns for the platform. | The crypto wallet was a dumb way to force them to address | some of the spam/phishing/harassment issues inherent in | the platform as a "social media" with ties to nearly | every other social media through its validation checks, | but it was past time needed for spam/phishing/harassment | control (as some minorities had said for years prior to | the crypto wallet forcing such things). | tobylane wrote: | @Keybase users: Check if you uploaded your private key. I hope | it is rare but now is the time to make that non existent. | ocdtrekkie wrote: | I essentially didn't have a private key prior to Keybase, and | I think it's still the only place I use it, so I'll end up | rolling a new one if Keybase becomes fundamentally | untrustworthy. | redbeard0x0a wrote: | They are fundamentally untrustworthy. They haven't taken | security issues in the past very seriously, they also have | ties to China. | ViViDboarder wrote: | That's Zoom. Post acquisition Keybase is tied to some of | those, but not all. Their dev team is not going to move | to China (at least not immediately) and past security | issues in Zoom are no indication of Keybase safety. | | This will possibly change over time though. | neltnerb wrote: | I signed up so long ago that I'm not quite sure what you | mean. I remember posting a bunch of public keys (like on my | profile here). I think the keybase app generated them along | with a private key but it has been like three years. | | I don't remember at all uploading one or where to find it if | I did, can you explain the issue you have in mind a little | more? | tobylane wrote: | https://github.com/keybase/keybase-issues/issues/160 | | There is still (apparently under another command name) this | ability to upload your private key. | OJFord wrote: | You can optionally have Keybase (generate and) store your | private key for you. | | It's designed to lower the barrier to entry, but is | obviously less secure than managing it yourself outside of | Keybase (e.g. in GPG keyring, or a physical OpenPGP | smartcard such as a Yubikey) - and some consequently wish | the storage had never even been offered. | WorldMaker wrote: | That optional GPG/PGP private key storage was also re- | hidden (and almost but not quite removed) functionality | by Keybase over the course of the application's life as | they moved away from using traditional GPG/PGP-style keys | to a more complicated but more secure system based on | device-specific keys (and chains/webs of those keys and | their derivatives), around when you needed another device | to onboard the next device rather than just needing to | sign in with username/password. | jlgaddis wrote: | The issue is a third-party having control of your private | key. | DyslexicAtheist wrote: | from Zoom's twitter: | | _" We are excited to integrate Keybase's team into the Zoom | family to help us build end-to-end encryption that can reach | current Zoom scalability."_ | | not a word about what happens to the existing technology which | doesn't sound very reassuring to existing keybase users. | [deleted] | noodlesUK wrote: | So, reading this, it's clearly an aquihire, and they don't care | about the Keybase product. Please open source the server. We want | our communities to still be able to run, and self hosting would | be fine. | wharfjumper wrote: | I would participate in (and could provide resources to) the | creation of an open foundation that had as one of its goals the | writing of an open source keybase API[0] compatible server. | | If anyone else is interested, please contact me directly (email | in my profile). | | [0]https://keybase.io/docs/api/1.0 | fossuser wrote: | For years people have been begging Keybase to allow them to pay | them for the service and Chris Coyne always refused. | | Now they've lost their independence and they're owned by a | communication company that has [edit: the majority of] its dev | team in China. | | I use Keybase to talk to my friend in China since it's one of the | few services they don't block. | | This is a pretty disappointing outcome. | tabbott wrote: | Losing their independence was from the beginning the most | likely outcome of building something that's hard to monetize | like Keybase on the VC funding model. FWIW, I doubt Keybase | offering a paid plan would have raised revenue that's | significant compared to their burn, so Chris was probably right | to not spend resources figuring out a paid offering. For | raising their next round, having $5K in revenue from a paid | plan few people buy might well have been worse than having $0. | | The VC funding model is terrible for most open source projects. | With a few exceptions, you end up with an acquisition that ends | or repurposes the project, or an Open Core project. And a VC- | funded Open Core project will end up trying as hard as it can | to have everyone need to buy the paid version, since that's | clearly the way to optimize revenue and eventually the slippery | slope will get you there. I don't blame folks for taking VC; it | was easy to get, and there aren't a lot of alternative funding | models that can pay the multiple fulltime staff that might be | required to create what one wants to create. | | I don't think VC funding as it currently exists is consistent | with running an open source company according to my values, | which is why we're not taking venture funding for Zulip. | Obviously, being scrappy, applying for NSF grants, and spending | my own money have very real downsides both personally and for | our growth, especially when every competitor has VC funding, | but it also means that I can ensure Zulip continues existing as | a real open source project for the long run. | fossuser wrote: | How much power do the VCs typically have? | | Don't founders often have the ability to overrule and make | their own decisions? | | Chris is already financially independent from the OKCupid | sale, he could have open sourced the server code and/or | reduced the overall burn to pivot to paid accounts. | | Though the weird Stellar wallet addition implied some | vision/product issues anyway. | | Of course it's easy and probably unfair for me to say these | things as an outsider with limited information and no real | stake, it's definitely possible I'm wrong about important | details that would change my mind. It'd be interesting to | hear from Chris, but the sale probably restricts public | communication? | | This reminds me a little about the OKC sale actually, they | had a blog post about why charging for dating sites made them | worse that they took down after selling to match (they used | to do cool analysis and publish them as blog posts, most of | the details ended up in the book a different cofounder | published called Dataclysm). That's more understandable to me | though since I think it was their first exit. | | Reading about Zulip - didn't you get bought by Dropbox before | being open source? Is your current situation a lucky outcome | - or was it a condition of the sale? | | [Edit] - To clarify since there are downvotes, my questions | aren't rhetorical - they're genuinely asking. | tabbott wrote: | > How much power do the VCs typically have? | | I think it's less about the power relationship, exactly, | and more about the way VC-funded companies are setup to be | run. As part of raising a round, you prepare a business | plan that involves aggressively spending the money over a | couple years. You're committed both internally and to your | board to execute that plan, and it's cognitively difficult | to do something different as there's social pressure to do | so (and one of your VC's greatest sources of power over you | is they're the reference for your next fundraising round). | | The result is that your company has planned to run out of | money with potentially a multi-million dollar annual burn | rate in two years. If as those two years are approaching, | the company and/or market situation don't support raising | more capital and the company isn't close to profitable, the | momentum of that burn rate applies a great deal of pressure | for a sale, destructive layoff, or total change in goals to | "anything that improves the bottom line". | | Also, the search for a story to help raise your next round | can have a big effect on companies -- my view is most of | Dropbox's problems when I was there (2012-2014) resulted | from the search for a totally new business bigger than | Dropbox Business that could justify a bigger valuation than | $10B starving more obvious investments (Carousel, the now- | dead photo sharing app, at one point had ~10x the | engineering resources of Dropbox Business). | | > Reading about Zulip - didn't you get bought by Dropbox | before being open source? Is your current situation a lucky | outcome - or was it a condition of the sale? | | It's an extremely lucky outcome. There's a combination of | factor that made this possible: | | * Dropbox leadership prioritized doing the right thing by | their users, and so we were able to get permission from | both leadership and legal. I'm sure my personal position as | a leader at the company who had a personal relationship | with the people who had approve it made a difference | (Though Luke Faraone made a big difference by asking legal | if we could and inviting me to the meeting!). But I think | Dropbox deserves a lot of credit, because they spend | significant time from expensive resources (legal, etc.) | making this happen, and I don't know of many companies that | would ever do that. * Our users were big fans, enough so | that 10 of them flew to Dropbox HQ for a week to help us do | the technical work required to do an open source release | with all 10,000 commits of history intact and with a | scripted installation process. This was essential to Zulip | being usable after that release. | | https://zulipchat.com/history/ has a bit more background on | the early history (though it's a bit out of date). | fossuser wrote: | Thank you - I really appreciate the detailed answer. | | I think I have a better understanding of how the | incentives to cooperate would be hard to overcome even if | you technically have the power as a founder (and even if | you're already financially independent). | | The personal experience was also interesting - thanks! | bgee wrote: | > communication company that has its entire dev team in China | | citation needed | | Also, what are you trying to imply by this assertion? | aaomidi wrote: | China is a country with even less oversight than the US. | | For a company that does security that's concerning. | andoriyu wrote: | Not even that. All encrypted traffic in china needs to be | decryptable by CCP. Which means if your call in zoom was | routed to one of their China servers, then CCP has access | to it. | | That is on top of the fact that Zoom encryption is weak af. | kyrra wrote: | Another citation: https://investors.zoom.us/static- | files/09a01665-5f33-4007-8e... (warning, PDF) | | > We also operate research and development centers in China, | employing more than 700 employees as of January 31, 2020. | | You can find more stories from last year talking about that | was how Zoom had such a large engineering staff, is that it | was cheaper for them to pay for R&D in china than in the | US[0]. | | [0] https://www.cnbc.com/2019/03/26/zoom-key-profit-driver- | ahead... | bgee wrote: | The emphasis is on entirety, please see my other reply. | umeshunni wrote: | > Also, what are you trying to imply by this assertion? | | It's just casual nativism/racism - acceptable on HN as long | as it's about China. | ethbro wrote: | It's not nativism or racism to have security concerns about | a country with a non-existent commitment to an independent | judiciary. | | If China wants people to think of it as a country where | laws matter, then they can start acting like laws matter. | | https://worldjusticeproject.org/sites/default/files/documen | t... | | (And before we get whataboutism concerning {insert other | country's wiretapping laws}, wiretapping through an | independent judiciary is fundamentally different than via | rubber stamp) | cmelbye wrote: | "China" isn't a race, it's a multi-ethnic state with laws | that heavily restrict communication. It's relevant to bring | up in a thread about building encrypted communication | technology. | mrtweetyhack wrote: | China is not to be trusted, Zoom and now Keybase is not to be | trusted | fossuser wrote: | "Zoom is based in California's Silicon Valley, but it owns | three companies in China that develop its software. The | Citizen Lab said the structure allowed the company to lower | its development costs, but added "this arrangement may make | Zoom responsive to pressure from Chinese authorities."" | | https://www.theguardian.com/uk-news/2020/apr/24/uk- | governmen... | | The implication is that China is hostile and leverages their | power to censor/collect communication information from | companies and their people without checks on this power. | | They are aggressive in stealing IP from other companies and | blocking software they can't control. They have history of | wielding their power to pressure organizations to deny or | ignore aspects of their history that they dislike (Taiwan, | Cultural Revolution) and they pressure companies to hand over | PII on people they find to be political threats without due | process. | | This is not a country you want to be a steward of an | encryption identity standard. | Gasp0de wrote: | Isn't the US actually at least as bad if not worse? Thanks | to Edward Snowden we know without speculation that the US | "is hostile and leverages their power to censor/collect | communication information from companies and their people | without checks on this power" (ok, supposedly there is | secret judges that secretly check on this power, but that | doesn't really do any good does it?). The USA also | "pressure companies to hand over PII on people they find to | be political threats without due process" (so called | "National Security Letters"). | remarkEon wrote: | The difference is that in the US we actually get to find | out about these abuses. | Baeocystin wrote: | Short answer? No. Not even close. | | Source: have lived in both countries | patmorgan23 wrote: | People don't get disappeared for actively disagreeing | with the government. | bgee wrote: | I don't think it's true that Zoom has its "entire dev team | in China"; doing some research myself reveals Zoom | definitely has engineering operations in the US[0][1]. | | I'm not disagreeing with you on the implications of having | engineering teams in China, I think you would like to put | that paragraph in your original post to give some context. | | [0] Tech job postings in US: https://zoom.wd5.myworkdayjobs | .com/Zoom/0/refreshFacet/318c8... | | [1] H1b filing on engineering positions: https://h1bdata.in | fo/index.php?em=Zoom+Video+Communications+... | | edit: better formatting and grammar | fossuser wrote: | Thanks - I edited it to soften the language a bit. | wutwutwutwut wrote: | Is it called "soften the language" to fix a 100% factual | error? | | Honestly I feel that if you're arguing in one direction | or another and haven't checked the facts, maybe it's | better not to argue about it? | yellowapple wrote: | If the original claim was "100% of the dev team is in | China", and the reality is "only 80% of the dev team is | in China", then that'd be a 20% factual error, | mathematically speaking. | simongr3dal wrote: | Or would it be a 25% error, i think it would make most | sense to calculate the error-difference in relation to | the actual value instead of in relation to the erroneous | value. | yellowapple wrote: | Good point. | fossuser wrote: | The vast majority of the Zoom software development team | _is_ based out of companies in China. | | They do have support people in the US and a handful of | non-support engineering which is why I said thanks and | immediately updated the comment to say "majority" instead | of "entire" since it's more correct. | | That technicality is less relevant to the main point of | the argument. | uoaei wrote: | > this arrangement may make Zoom responsive to pressure | from Chinese authorities | | "May" is a weasel word that doesn't offend the | sensibilities of CCP. | | In reality, every single company which is incorporated in | China must be majority-owned by the Chinese government. | This is what makes their economic system "state capitalism" | and not "communism". But that also means they have a | _controlling_ share and get last word on _any_ executive | and administrative decision within the company. | [deleted] | ahnick wrote: | Fingers crossed they open source the server portion at least -> | https://github.com/keybase/client/issues/24105 | wiggler00m wrote: | +1 | poofyleek wrote: | Very disappointed indeed. Keybase is one of the ones I actually | used. | pmorici wrote: | There was a competitor app that got posted here a couple | weeks ago. | | https://keys.pub/ | chupasaurus wrote: | Which already did some things wrong even though Keybase is | around for a few years. | MrGilbert wrote: | Care to elaborate? Just curious... | chupasaurus wrote: | https://news.ycombinator.com/item?id=22997245 and | requiring gnome-keyring on Linux are issues for me. | Spivak wrote: | Does it actually require _GNOME Keyring_ or does it just | use libsecret? Because libsecret is dope and has been | nothing but a joy to work with. | trey-jones wrote: | I've seen some examples of GNOME keyring being required | because it implements the freedesktop secrets standard | (which I admit to knowing nothing of) where other secret | managers do not. Presumably meaning there us no common | interface, so we just pick the one that implements the | spec. One example: | | https://github.com/pithos/pithos/issues/559 | chupasaurus wrote: | https://keys.pub/docs/specs/keyring.html | mikorym wrote: | It is funny that Zoom was one of the companies that I flagged | in my head as the worst (or rather, most dangerous) up-and- | coming tech company and I considered Keybase one of the most | promising up-and-coming tech companies. | | Keybase solves a (to me) nontrivial problem: How to bring | private keys into social media. Just a silly example: You don't | use the same private-public key exchange in Whatsapp as you | would use for your emails, or to sign your packages. It's a bit | of the now infamous Dropbox situation: Most people _can_ sign | things with private keys and properly keep track of it, but | they _don 't get around to doing it_. It's only critical cases | where the use is common (like signing packages). It took a long | time even for HTTPS to become standard practise, though I guess | the situation with your browser is a bit different. | freshhawk wrote: | Yes, this was exactly how I mentally categorized these two | companies as well. | | My first reaction was: it can't be _that_ keybase can it? | Huh, well maybe I 'd sell my principles for that much money | too, oh well. | | Maybe some keybase employee will end up being a whistleblower | sometime soon though. | zamalek wrote: | > Zoom was one of the companies that I flagged in my head as | the worst [...] Keybase one of the most promising | | Hear hear. It really is an absurd world we live in, and I had | a good chuckle about that - just before I deleted my Keybase | account. | foobiekr wrote: | I am curious: do they block Zoom? | Jon_Lowtek wrote: | Well yes but no. The block zoom.us but there is zoom.cn | | This is likely related to both nations having rules that | allow only their own agencies to wiretap. | reneberlin wrote: | Saturation. The zoom folks had too much publicity. | ammmir wrote: | Keybase was almost the perfect Slack-killer for security-minded | teams, except it had a few wiggles, including their sluggish | client. I believe there is an opportunity for someone to capture | the users who are about to be abandoned by this transaction, if | they implement a subset of the Keybase client functionality like | team chat, shared files/git repos, but get rid of the crypto | wallet nonsense. I, and others, would gladly pay $10/mo for this. | | Matrix isn't the answer. That's like saying just use SMTP for | email. | | The slackification of Keybase did not lead to a viable business | model, unfortunately. In fact, it's such a no brainer, I can't | wait for someone to build Keybase 2.0. It might not be a VC | enterprise, but could be a great lifestyle business for a small | team. | albybisy wrote: | and what about the partnership Keybase had with Stellar? What are | destiny of all the lumens XLM they had...?? | DCKing wrote: | People are expressing they will stop using Keybase because of | this. That's fine, probably a good idea. | | But reading this, Zoom+Keybase will make sure of this themselves. | This press release indicates that this is a 100% acquihire. | There's only talk about what the Keybase people will be tasked to | do, and there isn't any talk about Keybase's services in the | first place. There's no real reason Zoom would be interested in | keeping Keybase's services up and running anyway. | | Let's hope they make it a swift death. Shame about Keybase, loved | using it so far. It's somewhat encouraging to see a change in | direction for Zoom, too. Hope the acquihire works out. | jrochkind1 wrote: | From the headline, I didn't understand why Zoom, a | videoconferencing company, would want to buy a secure | messaging/sharing app. | | But after reading it, duh. It's an acqui-hire. Zoom definitely | needs to improve it's security, because of recently publisized | problems. These are the right people to work on that, the | security problems are similar in keybase and zoom, and an outside | team with an established track record will help Zoom regain | credibility. And Zoom probably had lots of cash on hand to buy | whatever they wanted. | | So that all makes sense. I wouldn't expect the keybase product to | stick around though. | | Not because, as other commenters had said "Zoom doesn't care | about security." Because they did an acqui-hire to get a team to | help them with security, not because they wanted the product. I | expect this _will_ result in Zoom 's own security improving, it's | not some kind of smoke and mirrors trick. It's not that they | don't care about security, I think they are presently | prioritizing it. They just don't care about the keybase product. | Obviously, why would they? It can't have revenue or profit | anything close to what the zoom product has. | SirensOfTitan wrote: | This sounds like an acquihire, or am I reading it wrong? If so, I | doubt anyone at keybase is necessarily thrilled about this. | | I've enjoyed keybase for many years, it made a lot of annoyances | of encryption and key management easy. I particularly liked its | encrypted git repo feature--now I'm struggling to think of an | easy alternative. | reneberlin wrote: | Maybe they think, you understood the product so natively. You can | reproduce it with a new domain: keybeasehasjustended.in? | justusthane wrote: | In case it's helpful to anyone, to uninstall on MacOS: | # keybase uninstall | | And then delete the app from Applications (recommend using | AppCleaner to delete the app, as it leaves behind almost a GB of | stuff). | erydo wrote: | Congrats to the team. Though in the inevitable acquisition, I | wish GitHub/Microsoft had been the acquirer: there are a lot of | natural fits between that ecosystem and Keybase's model, and a | reasonable history of successful acquisition. | | Hopefully Zoom avoids gutting Keybase. I found it really useful | for bootstrapping credentials when onboarding remote team members | and contractors. Way easier to manage than GPG: it was fairly | painless even for non-technical people. | | Fingers crossed. I wonder what the infrastructure overhead cost | is? | mikaelf wrote: | zoombombing just got another meaning | m0zg wrote: | "All your base are belong to us", Zoom CEO was quoted as saying. | pot8n wrote: | Keybase went from ranking 30,000 to 65,000 in 3 months. What | happened here? It seems like Keybase has been falling in traffic | already for the past 3 months and it's reputations has been | tarnished in HN for months now. | | https://www.alexa.com/siteinfo/keybase.io | RL_Quine wrote: | The product is simply not good in its current form. It's a | strange mix of instant messaging, web of trust, and | cryptocurrency scam. It doesn't strongly give any particular | goal. The tools are shiny, pleasant enough to look at any use, | but isn't going in any direction. | | A lot of push recently has been into making it a "team chat" | platform, which is great except that all of the participants | are public, and tied to their name. It makes for hideously bad | opsec if any company were to seriously use it. | coldpie wrote: | God, that cryptocurrency scam. If ever there was a clear | message screaming "we have no idea how to turn this into | something profitable/sustainable," that was it. | kybernetikos wrote: | Not sure why people keep saying things like this. | | The truth is that sharing money in the same way we share | messages and images (i.e. chat) is a good idea, and in my | opinion is absolutely _inevitable_. | | Now we don't have to do that via cryptocurrency, but the | reason we don't already have it in the west is because it's | a coordination problem, and there are entrenched interests | that won't care about giving the user a good experience | until forced to by competition. Cryptocurrency lets you | avoid that problem, and given that it is entirely around | managing keys, it's a very natural fit for KeyBase. | | I thought the integration into keybase chat was genius, and | the user experience of transferring money in that way was | much better than anything traditional banking has ever | offered me. | ValentineC wrote: | > _It 's a strange mix of instant messaging, web of trust, | and cryptocurrency scam._ | | They ended their Stellar airdrop early, but I guess it didn't | help that bots were joining the platform, and affecting the | other parts of the Keybase community, just to get a share of | it. | BERTHart wrote: | And I just started to use Keybase 3 days ago... | hnarn wrote: | I've used Keybase for a long time but I never quite understood | the purpose of it. It never "just worked" for me and my | experience was mostly chats being unreadable, my account having | to be reset, and a lot of new functionality that seemed like it | did what other products already did, just not as good. | | I always liked the idea and the people behind it seemed like good | people, but I'm sad to say I won't miss a worse version of Slack, | Bitcoin and Dropbox. | urda wrote: | Well that's it for Keybase. I can't continue to recommend them. I | was able to look past the cryptocoin distribution to be honest, | but teaming up with Zoom seems like the kiss of death for any | security focus. | brynet wrote: | You can permanently delete your keybase.io account with the | command-line utility: $ keybase account delete | freakynit wrote: | Is there a viable alternative to keybase? | IgorPartola wrote: | Correct me if I'm wrong here, but isn't the company behind Zoom | owned or at least partly owned by the Chinese Communist Party? If | so, wow, Keybase really is dead to me. | | https://www.politifact.com/factchecks/2020/apr/07/charlie-ki... | mceachen wrote: | The article you posted concludes with the statement you made as | being mostly false. | ShakataGaNai wrote: | Zoom is a US Based, publicly traded company listed on the | NASDAQ [1]. So to that first part, no, that's not correct. | | However they have a Chinese subsidiary that does some of their | development work along with supporting their in-China services. | Any tech company that operates inside of China is legally | obligated to private the CCP access to anything and everything | they want. This is why most companies has separate, special, | dedicated servers for/in China (up to and including AWS [2]). | | The reason for the purchase of Keybase is to up Zoom's crypto | game. They (Zoom) made a pledge to do significantly better | around encryption and user controls, right after they became | super popular and started getting targeted for news/abuse/etc. | | Sadly it probably doesn't matter what you think of Keybase as | this looks like this was probably an Acquihire for the team and | their knowledge. Maybe Keybase the product will be totally open | sourced, but beyond that it's likely dead. | | [1] https://www.nasdaq.com/market-activity/stocks/zm/real-time | | [2] https://www.amazonaws.cn/en/about-aws/china/ | adadahdjej wrote: | I am truly disappointed. But I should have known better. Big | woop. Keybase and Zoom deserve each other. | up2isomorphism wrote: | Unregulated capital dominance is current at the historical peak | in US. And funny thing is people can not do anything about it. | Considering the time where AT&T (which is much more benevolent in | today's term) can be broken up, today is just money game and | money game. | xoa wrote: | > _" We're thrilled with the match, and we're excited to be | working on security that affects everyone we know."_ | | https://ourincrediblejourney.tumblr.com/ | | Argh, yet another for the list. Certain cycles in the tech world | are both extremely predictable and regrettable, yet for most of | them the sting seems to fade a bit as the decades go by. But the | acquisition-for-the-talent/IP-now-great-product-is-toast one | somehow never, ever manages to lose its capability to be | depressing. On the contrary new ones just make me think back on | previous dearly departed that never got an equivalent | replacement. It's part of what's made me particularly suspicious | about new non-OSS "free" offerings, because that's generally just | not sustainable. And the better it is the more I beg them to have | some sort of decent paid tier. I guess some though just plain are | aiming for a buyout from the start and that is in fact their | planned profit/exit strategy, and fair enough but still ouch each | time. | rising-sky wrote: | I was starting to look at the space of public trustworthy | identities, are there any viable alternatives out there that are | vouched for in the community? | kemonocode wrote: | Well, I guess that's it for Keybase. I distinctly remember | expressing my worries about them spreading themselves too thin | and not really having a clear monetization plan, so an acquihire | was the easy way out. | | Say, anyone got any Keybase alternatives that are focused _only_ | on identity management? | stickac wrote: | https://keys.pub | lanevorockz wrote: | Would it be great to be link social media accounts to your | professional behaviour in Zoom? So we can make sure all your | actions are company compliant? | grenoire wrote: | I don't quite know how to feel about this. Perhaps it is my | mistrust against Zoom, but I did enjoy the run Keybase had as a | semi-independent key and ID manager. | Latty wrote: | Yeah, with the recent issues they had after doing the | cryptocurrency stuff (which didn't really bother me, but it | definitely seemed to generate some negative feelings in | general), this feels like a poorly-timed move. | | Zoom is presumably going for "look, we are bringing on-board | this team of trusted people who understand privacy", but I | think most are just going to assume it'll work the other way | and Zoom's culture of poor security practice will bleed into | Keybase over time. | bad_user wrote: | I like Keybase's encrypted Git repos. | | I hope it doesn't die. | ezoe wrote: | "Our existing codebase sucks. So let's buy some cool companies in | the wild and let them help fixing our codebase" | | Yup, it sounds like the perfect plan to me. | | What likely happens is this. The current codebase is too ugly to | improve. But since they have a lot of users, it has value. So, | the engineers from Keybase started from scratch, try to implement | all of the functions in the existing codebase, plus secure. The | plan is, after it has been developed, replace the existing | codebase. But unfortunately, they miss the planed deadline by | years and when it's finally working, they couldn't implement all | of the existing codebase because nobody knows how to implement | it. No documents and original implementers were left the company | long ago. But they spent so much effort on the new project and | all the new features are implemented just on the new one. | Resulting the chimera of old and new code base both running at | the same time. Oh and by that time, the user is rapidly | decreasing for they failed to improve the service for years while | the competitors offer the better service now. | | The same story repeated countless times. | president wrote: | You forgot: | | - Acquihired employees end up having zero passion or motivation | to work on tech from their new masters and end up doing a | crappy job and implementation before their retention period | ends and they bail out. | | - Mish-mash of additional crap code increases tech debt to a | point that alienates top engineers causing them to leave for | greener pastures. The second-tier engineers end up taking up | the reigns hack band-aid further destroying the codebase. Cycle | of crap code and good engineers leaving continues until the | company is left with lowest-tier engineers who couldn't get a | job elsewhere or desperate H1-B visa holders who hold up the | fort until a competitor comes to eat their lunch with a better, | more performant product. | mike-cardwell wrote: | Eurgh. Time to transfer out my XLM and find some other way to | handle my private git repos. | kylehotchkiss wrote: | Keybase was cool tech that for years I hoped would find a profit | model and more everyday use case. I liked being able to prove I | was in control of something on the web. I use Zoom for work and | think it's been one of the more stable video conferencing | solutions out there but I certainly can't trust them to maintain | something like Keybase in a secure manner. Bye keybase, I know | you had bills to pay and that this is a tough economy :( I hope | your core team will be able to regroup after cashing out at Zoom | with some new projects! | freen wrote: | And I'm done with Keybase. | | What's that open source alternative that someone recently posted | here? | nathcd wrote: | keys.pub: | | https://news.ycombinator.com/item?id=22995792 | | https://keys.pub/ | abdullahkhalids wrote: | > This project is in development and has not been audited. | gnufx wrote: | Isn't it reassuring, at least, to see that said? Also | presumably an opportunity for the right people to help? | defulmere wrote: | Wow, it didn't take them long to dumb down https://keybase.io - | no mention of all of the cool nerdy crypto stuff, git, etc at | all, now it's just another chat app. | corkscrew wrote: | It's been like this for weeks | Xophmeister wrote: | No thanks... Cheerio, Keybase | mfer wrote: | What are the best alternatives to Keybase? | | I'm curious about the encrypted filesystem, secure messaging that | works on computers (non-phone), and public key trust. | thinkmassive wrote: | Whoa, how much? The press release doesn't say, but this will come | out eventually since Zoom is publicly traded, right? | jklinger410 wrote: | > Engineer: Sir, it would be easier to just start over and build | a video app for security from the ground up. | | > CEO: But that would cost millions over the course of years! | | > Engineer: Or we could just buy an already secure video app and | put our features inside of that instead? | | > CEO: Genius! | | And that's how Keybase became Zoom. | pkilgore wrote: | You can put lipstick on an aqui-hire, and it's still an aquihire. | nemoniac wrote: | The Keybase client is open source. How hard would it be to build | an open source server or federated servers to work with the | client? Genuine question. | AndyKelley wrote: | I worked at OkCupid long after Chris Coyne and Max Krohn | abandoned it. From the vestigial remains of the founders' code | and features it was clear what their main objectives were: have | fun with cool tech, on the dime of VC funding. As soon as they | got bored, they moved on to the next thing. KeyBase is the same | pattern. I mean, good for them, they're successful by any measure | - how they spend their time and how much money they have. But | this outcome was to be expected. | koirapoika wrote: | Zoom?! What a twist! Congrats to the Keybase team! Although it's | time to drop the account and move further, I'll keep it for a | while in case of another twist. | chicombase_io wrote: | Let's be based. This shit is CCPromised. Please dang finest let's | this skit stand. Never trusted keybase in the first place | oskenso wrote: | Fork incoming~ | HashThis wrote: | Please open source keybase | NikolaeVarius wrote: | Wat | reneberlin wrote: | To all the utopist at the bar right now: do not give up! | binichgross wrote: | Good night sweet prince, and flights of angels sing thee to thy | rest. | schoolornot wrote: | Surprised they took the path of acquiring Keybase and hiring Alex | Stamos (ex FB CISO) vs. hiring Moxie Marlinspike and other | respectable professionals. Keybase's reputation has become eroded | with their recent crypto currency signing nonsense. | | https://en.wikipedia.org/wiki/Moxie_Marlinspike | munchbunny wrote: | Zoom's problems aren't really a matter of having security | _talent_ , they're a matter of the company as a whole not | prioritizing security. Fixing the former doesn't fix the | problem, it just makes for good PR. The latter is a requirement | for the former. | | Brian Krebs talked about this a bit in the wake of Equifax: | https://krebsonsecurity.com/2018/12/a-chief-security-concern... | | Assuming Zoom is really trying to fix the problem, it makes a | lot of sense to bring in management (and/or teams) who have | experience with bringing security into engineering culture, as | opposed to individual security experts who may not even want to | work for Zoom in the first place. | rvz wrote: | Exactly. It was part of their 90-day strategic move in Zoom | Security. | | From this article: [0] | | > Within days, Stamos was on the phone with Keybase co-founder | Max Krohn, and the teams started working toward a deal. Yuan | said after he talked with Krohn and dug into Keybase's | software, he was convinced this was the right deal. | | [0] https://www.cnbc.com/2020/05/07/zoom-buys-keybase-in- | first-d... | sealthedeal wrote: | NOOOOOOO!!! I am going to miss Keybase | technick wrote: | This is why we can't have nice things! Be sure to transfer any | crypto out of keybase now before its too late. | frag wrote: | I guess moving to Matrix? | AnonC wrote: | This is sad. To me Keybase always seemed like it had a big | mindshare among techies (more so before the cryptocurrency | venture), but never had a good enough market share for its | offerings (like chat, for example). As others here have said, | Keybase could've launched some paid services. | | With the shitshow that Zoom has turned out to be (there's a long | article on tidbits.com about the various issues), I don't have | any confidence that any part of Keybase as it exists now will | survive. My belief is that it'll shut down its services sometime | this year or the next. I used it very rarely to verify certain | identities, but am going to just delete my account and be done | now. | sneak wrote: | So, the company that got bribed by a shitcoin promoter to | backdoor the keybase app so it can abuse your secret keybase | identity keys to place permanent, non-removable shitcoin ads on | your profile[1] (and then immediately denied that it was a | backdoor and _also_ lied about implementing the ability for users | to remove the ads keybase got paid to place[2]) is now joining up | with the company that has shipped sketchy backdoored client | software[3], consistently lied about having end to end encryption | (and even doubled down on their lies when confronted about | it!)[4] and delivers their encryption keys from generation | servers in China[5]. | | I'm sure the result of this will be lots of good and secure | trustworthy software that I'll be eager to install on my | computer. It's totally legitimate and accurate that people are | reporting today that this acquisition will bring real end to end | encryption to Zoom as if buying a company causes software to | spontaneously manifest out of the ether with zero delay. Don't | worry, everyone: Zoom is secure now because they wrote a check! | | What is it with cryptographic charlatans these days? | | [1]: https://sneak.berlin/20190929/keybase-backdoor/ | | [2]: https://news.ycombinator.com/item?id=21109530 | | [3]: https://www.zdnet.com/article/zoom-defends-use-of-local- | web-... | | [4]: https://blog.zoom.us/wordpress/2020/04/01/facts-around- | zoom-... | | [5]: | https://www.forbes.com/sites/thomasbrewster/2020/04/03/warni... | ViViDboarder wrote: | From your second link a commenter actually steps through the | flow: https://news.ycombinator.com/item?id=21116981 | | It seems pretty clear from that description that the user | consents to signing... | | I think it's annoying to see wallet and chat when all I really | cared about was a discoverable public key, but it doesn't | appear to be a backdoor signing method. | avree wrote: | The guy you're replying to is the one who wrote the | misleading blogpost that was (rightfully flagged) in link | [2]. I think it's likely that if he's still grinding this axe | 7 months after a very reasonable explanation was given by | Keybase, he's not going to change his mind now. | sneak wrote: | No, the consent modal is for generation of the wallet keys. | It says nothing about the fact that if you agree to make a | wallet, it will then use your _keybase identity keys_ | (different keys, not the shitcoin keys you consented to | generate) to sign the attestation and permanently affix the | resulting ad for Stellar to your profile. | plttn wrote: | 1: it wasn't a backdoor 2: it wasn't a backdoor | yarrel wrote: | RON HOWARD VOICE OVER: It was a backdoor. | dang wrote: | Please don't post in the flamewar style to HN. We're here for | curious conversation, not to smite enemies, snark, score | rhetorical points, and whatnot. | | Also, if you ratchet rhetoric up to this level of indignation, | you detract from your own credibility, so it's not in your | interest. | | https://news.ycombinator.com/newsguidelines.html | sneak wrote: | My apologies; I thought it was on this side of the line, if a | bit sarcastic. I do my best to comply with the guidelines and | keep it on topic here. | | Please delete/kill the comment, it's actually irrelevant | because their old product is probably toast now (as is | implied in TFA). My delete button timer has expired. | technoplato wrote: | After reading part of [1], I have no idea how you draw the | conclusions you do. | | I was playing around with a bunch of different crypto | currencies when Keybase did the airdrop with Stellar. At every | point in the process, it was opt in. Then I received ~$60 and | that was it. | | It seems your article was going for sensationalism and was | highly disputed by all commenters on HN, not covered up by some | capital driven conspiracy. | BillinghamJ wrote: | I'm pretty sure I ended up receiving a load of XLM without | opting in at all. | sneak wrote: | You're wrong. There is an opt-in for wallet key generation. | The opt-in does not say that when you opt-in to generate a | wallet keypair, it will _also_ do a second operation and | use your existing keybase identity keys to sign an | attestation that will then be permanently affixed to your | profile. | | The text alludes to that being possible, but it doesn't | tell you it's going to actually do that, or that it will | then be impossible to remove the ad from your profile after | you do. | | The specific opt-in consent text _matters_. It says a | thing, you click ok, but then it does that thing but also a | second thing. | | Ultimately this doesn't matter though, because keybase is | toast now. | preinheimer wrote: | Congrats to the keybase team! They seemed to grow in fits and | starts, hopefully this sort of thing helps push encryption to | even more places. | wjd2030 wrote: | account deleted. bye bye. | richardknop wrote: | Strange combination. | jrockway wrote: | Why? Keybase's product is team chat. Zoom wants to kill Slack. | Seems perfect. | | (Keybase's crypto stuff is nifty, but we all know there is no | money in that. They tried to make money by integrating | cryptocurrency, and people did NOT seem to like that. So here | we are.) | lord-squirrel wrote: | Never thought of Keybase as a team chat product. Maybe thats | just because I'm one of the older users :) | [deleted] | js4 wrote: | Why do I feel that this is Keybase selling out? | | Zoom seems so off mission for them. Very disappointing. | nathcd wrote: | Mergers and acquisitions make me so sad :/ I need to stop letting | myself get excited about VC funded companies, because it always | ends in disappointment. I really should know better by now! | sealthedeal wrote: | I was one of the early Keybase adopters/users, this is kind of a | sad and happy day all at once. I am happy for the founders and | team as this is a great exit, but am sad because I think Keybase, | one of my favorite products, is going to go to the wayside :( | bergstromm466 wrote: | Poor Zoom, first they were scapegoated due to the whole | industry's overuse, or faulty use, of the term 'end-to-end | encryption' (especially if we believe Snowden's claims in his | latest book that portrays corporate cloud computing as a way for | American corporations to create and sustain NSA backdoors). Now | the team is probably pretty motivated to kick ass and show the | world what they're made of, considering they have Microsoft | Teams, Skype Google Meet and other big co's as competitors (or | maybe it's the opposite, and Zoom is the bigger NSA Trojan horse | here). | jononomo wrote: | I think this is fantastic news. I expect adoption of both Zoom | and Keybase to increase as a result of this partnership. I love | both these platforms and this feels to me like a really perfect | match. I'm so glad that people aren't going to be forced to use | Google and Microsoft for everything -- it is good for monopolies | to be challenged with innovative tech. | eganist wrote: | Congratulations, malgorithms and team! | | Selfishly hoping the cores service isn't shut down, though. I've | been using it authoritatively for 5+ years. Treasuring the | username I got too. | [deleted] | clortho wrote: | Optically, this is suspect. But, I don't blame Keybase. This is | an opportunity for them. I hope Zoom doesn't mess it up. | DyslexicAtheist wrote: | time to ditch keybase | anigbrowl wrote: | Good thing I already finished my coffee before seeing this | headline. With no disrespect to Zoom, who might even have the | best intentions, seeing Keybase just get _acquired_ spooks me, | and makes me glad I wasn 't seriously invested in it. I had been | under the impression (as a very casual user) that it was using a | foundation finance model to ensure its independence. | CalmStorm wrote: | I have been working on this decentralized key-value database: | https://github.com/kevacoin-project/kevacoin | | Together with W3C's draft Decentralized Identifiers (DID: | https://www.w3.org/TR/did-core/), it could provide a | decentralized alternative. | | Not sure what is the best way to verify Twitter/Github account | though. This has to be managed by users themselves. E.g. one user | posts a proof in the Twitter account, the other user verifies the | proof by checking the proof against the public key posted in the | database. | | Edit: updated description. | reneberlin wrote: | Revoke all your keys. Give back any money you made of it. Relax. | Enjoy your fucking life a little better as it should have been | without keybase, bro. | brenden2 wrote: | Cue the anti-China conspiracy theories. It's incredible how | effective the anti-China propaganda has been. | doublesCs wrote: | My conspiracy is that people who have my private keys can read | my encrypted communication. No need to drag China into this. | brenden2 wrote: | Maybe Zoom is trying to solve that with help from Keybase? | doublesCs wrote: | By having my private keys? | brenden2 wrote: | Isn't the point of Keybase that they let you control the | private keys? I don't use it so I don't know, but my | impression was that they were trying to make encryption | and key management easy. | microcolonel wrote: | Eric Yuan is at least socially vulnerable to the PRC, before | the question of whether he is _collaborating_. Zoom is mostly | developed in PRC, and they were found to have architected their | system in an impractical way which "just happened to" expose | customer secrets to the PLA. | | I just don't find it that plausible that Zoom was | _accidentally_ architected in the singular boneheaded way that | could send the only keys necessary to decrypt sessions, to | servers in a country where those keys can be, and regularly | are, secretly compelled from the people transporting them (inb4 | somebody plays whataboutism with NSA, yes, it 's bad when the | U.S. does it too, but NSA doesn't mean to compromise U.S. | national security). | | That country happens to be the PRC, which is seemingly on the | verge of an aggressive war with the U.S. over, among other | things, their insistence on illegitimate claims to | international waters in the South China sea. | smolder wrote: | This is hilarious to me, because I finally decided to make a | keybase account and start making use of their service _two_ days | ago, and today it appears to be a dead product. | 2throwaway44332 wrote: | Keybase has been pretty okay with free-speech groups like: | https://keybase.io/team/det_disp | | I wonder if Zoom will change that or not... | dcow wrote: | Honest question, why does Zoom's security reputation matter more | than Keybase's? There's so much pessimism in here but I really | don't get it. I disliked zoom long before any of the security | issues because frankly it's rough, unpolished, software that's | never really worked well for me. I, for one, would be excited to | get a functional Zoom with better security integrated into | Keybase as an option for UI so that you have a serious | "productivity" app. Why does the fact that zoom needs help in the | security department automatically spell the end of times? | coldpie wrote: | What I want is PKI that works for real people. Keybase was | trying to be that, and I was really excited about it. But, | that's not what Zoom is selling. So Keybase being acquired by | Zoom means what I wanted is dead. | dcow wrote: | Thats fair. And it's a much more interesting discussion IMO. | Why is Keybase only really used for chat? I mean you can | `keybase pull` all your friends' pgp keys into your local | keyring. It's way way better than reading off fingerprints at | a key-signing party. And yet that still didn't lower the | barrier enough for people to actually use crypto for shit. | Maybe the key is email. Maybe Keybase missed an opportunity | to bring email into the equation so everybody could do "web | stuff" backed by social pgp without a second thought. | thecureforzits wrote: | Rough and unpolished, perhaps... but zoom is super popular | because it's dead simple and gets the job done, and all the big | players could learn a lot from them about putting end users | first and not trying to leverage them just to push other | products. To me the only question is whether Zoom will screw it | up by emulating the mistakes that the big players have made. | SamBam wrote: | Yes to all this. | | I've been juggling a lot of meetings between Zoom and my | kid's school on different platforms, and the difference | between Zoom and Google Meet is night and day. Schools are | mostly switching to the latter because of the security | concerns, but damn is it terrible. It's like Skype from 15 | years ago. | foxrider wrote: | The top comment says it all - China. I'm not going to have a | slither of trust fot any China-based company, or a company that | employs the majority of Chinese nationals. The reasoning is | simple - this state is known for being subversive, play stupid | spy games and have full authority over any company operating | within its borders. Same reason one shold never trust an | Iranian, Russian, North Korean companies and such. | floatingatoll wrote: | The missing piece here isn't a factor driven by technical | logic, but a factor by human logic. | | It was "cool" to use Slack until it became widely used, and | then it was "cool" to use Keybase instead. Zoom is currently | seen as "uncool" (E2EE screwup + widely used), so when they | purchase "cool" Keybase, now Keybase automatically becomes | "uncool" as well and people will look for something "cool" to | migrate to next. | | This isn't a complete explanation of all possible reasons, but | it's absolutely a contributing factor. | | EDIT: I predict Riot/Matrix will be the replacement "cool" for | Keybase. | 0x8BADF00D wrote: | Keybase was useless for the most part anyway. It became a | vehicle to airdrop and shill shitcoins. Anyone saying it was | some kind of bastion of user privacy is being overly | nostalgic. | vz8 wrote: | Just out of curiosity, what was it about Zoom that never worked | well for you? I work with oodles of academics, and that was the | singular reason they flocked to Zoom - out of box ease of setup | / ease of use that trumped WebEx and GoTo Meeting. | | Privacy considerations were secondary and only came to light | (from their perspective) during the increased scrutiny brought | during COVID-19. | dcow wrote: | Their client software locks up my machine every other day. | You can't screen share on wayland. My coworker can't run a | build while on a zoom call or his machine just dies. The UI | has never scaled properly on my displays. The zoom icon is | distorted in my task switcher. You can't use zoom in the | browser. It's a lot of little things that add up. I'll admit | I've never used zoom on Windows. Perhaps they've invested | most of their effort on that platform. And credit where it's | due, when the video calls work, they work as well as any. | scns wrote: | It is kind of surreal for me, that you complain that Zoom | does not on Wayland. Even though i use Linux myself. | vlowther wrote: | Zoom running on Plasma in X has worked fine for me for | years. I would suggest that the problem (like so many | others) is a Wayland ecosystem maturity thing, not a zoom | thing. | Infinitesimus wrote: | > Honest question, why does Zoom's security reputation matter | more than Keybase's? | | Because Zoom is the buyer and they have the power. Sellers can | make whatever promises they like (see: Whatsapp, Instagram) and | it is reasonable to assume the buyer will have their way in the | end. | | Zoom will certainly use Keybase to improve their security | overall. However, the rather obvious lack of commitment to | existing users means there likely won't be any longterm. | | My prediction: Zoom integrates well with keybase, there's a | blog post that keybase is shutting down external services in a | few months, the keybase founders leave and 1-2 years later, we | hear of a new company they've founded. | ibejoeb wrote: | One scenario in which Zoom's rep matter more, to me, is that | they keep keybase alive, but now Zoom's slop infiltrates | keybase. | | In one way, good job Zoom for looking into security. In another | way, I'm still looking at this awful UX that's buggy as hell | and thinking it's gonna be a real slog for the keybase team to | overcome that momentum. | dredmorbius wrote: | Keybase is sitting on a potential vidconf goldmine heading to | our brave newcov world. Keybase was sitting on top of a VC | flush trapdoor opening to the abyss. | | Tech doesn't matter nearly so much as market. Marrying better | tech chops to better market potential is a rather better | investor storytime. | | (Doesn't mean it'll work, doesn't mean Keybase tech will, or | won't, survive. But the plave to be is Zoom's niche with | Keybase's clue.) | frisco wrote: | I had such high hopes for Keybase; kbfs had completely replaced | Dropbox for me. This is terrible news. | souterrain wrote: | This is precisely why Zoom is acquiring Keybase. Zoom seeks to | become the single "remote work tool", challenging Dropbox, et | al. directly. | | I'm particularly disenchanted with the growth of these | multipurpose tools, but I am not their target audience. (Nor, I | suspect, are many HN participants, but this is a baseless | guess.) I suppose I'm more of an adherent to so-called "UNIX | philosophy"--the best, single-purpose tool for each task, | preferably that can be combined with its like for a solution | customizable to how a specific user gets work done. | _asummers wrote: | > Zoom seeks to become the single "remote work tool", | challenging Dropbox, et al. directly. | | Maybe they should work on the fact I can run Zoom in screen | share and just about nothing else. Just entering a call for | me takes ~75% of my CPU and I beach ball regularly when | screen sharing lightweight text editors doing barely more | than scrolling and typing. | [deleted] | paramk wrote: | Will this mean Keybase will be killed in the near future ? | | From the blog | | Initially, our single top priority is helping to make Zoom even | more secure. There are no specific plans for the Keybase app yet. | Ultimately Keybase's future is in Zoom's hands, and we'll see | where that takes us. Of course, if anything changes about | Keybase's availability, our users will get plenty of notice. | | So, our shortest-term directive is to significantly improve our | security effectiveness, by working on a product that's that much | bigger than Keybase. We can't be more specific than that, because | we're just diving in. | conroy wrote: | > Will this mean Keybase will be killed in the near future ? | | Absolutely. This was clearly an acquihire. | | I copied all of my data out of my keybase folder today and I'd | suggest you do the same. | mixturez wrote: | Wow. why?. Bye keybase | [deleted] | danrl wrote: | Congrats to the team for having a nice exit. I myself removed all | my data from keybase und stopped using it. There is just no trust | left on my side for Zoom and those who join Zoom in a business | relationship. Indistinguishable from malware it has been for me. | Disrespectful of my privacy and hard to remove from my machine. | No, thanks. Nevertheless, wishing all the best for keybase. | KingOfCoders wrote: | Oh no. | monadic2 wrote: | This is really concerning given Zoom's clear lack of security | expertise--there's no good outcome here. | freewizard wrote: | Guess I shouldn't be surprised. After all, Microsoft acquired | GitHub, IBM acquired RedHat. | searchableguy wrote: | Many weird acquisitions past few years but all make sense from | a monopolistic angle. | | Startpage by an ad company. | | PIA by an anti privacy malware company. | | Keybase being a slack competitor merging with zoom makes much | more sense in retrospect. Zoom is insecure while keybase is | seen as secure. | | Companies are purchasing competitors or revenue stealers. | Kipters wrote: | Congrats to the keybase team, but I guess I'll just stop using it | steve_adams_86 wrote: | Likewise. My friends and I have been using it throughout the | pandemic to chat, I've been using it for years, but we're all | deleting our accounts this morning. All around unsettling news | as far as keybase software goes. Congratulations keybase team, | though. | otachack wrote: | I'm curious where Keybase refugees are going to end up. | Matrix? Telegram? | f38zf5vdt wrote: | Zoom: Well boys, we did it. Privacy problems are no more. | [deleted] | reneberlin wrote: | Meh. They did it. Surprise. Think about what kind of intelligence | is working in the inner of z00m. You should be afraid of them, | the same as you are of whatsapp, telegram and your knik-knok to | come. | whateveracct wrote: | This is kind of comical - I guess when leadership-types want to | recover from the recent bad press, they decided they could buy a | security-oriented company and that'll "help make Zoom more | secure." I guess what more can you do when you can't implement | this stuff lmao | sm4rk0 wrote: | I trusted Keybase. They sold me. I deleted my account. For the | same reason I deleted my account when LinkedIn sold my data and | trust to Microsoft. | dang wrote: | We changed the URL from | https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keyb... | to the Keybase equivalent since more people were commenting on | that one anyway. | dcchambers wrote: | If the main reason for this acquision is for the Keybase | engineering talent, I hope Zoom/Keybase does the right thing and | open-sources the server code for Keybase, rather than letting the | product die. | kevinwang wrote: | Huh?? | andrewla wrote: | On announcing that they'll support git [1]: | | > > > You guys should be taking my money | | > > One way to pay, if you want to help ensure their success & | longevity, is to evangelize for them, and get other people hooked | on their product. Getting other people hooked on it like you are | and seeing the potential and get over the adoption humps... | that's valuable! They're not taking money because it raises the | barrier to entry, and growth is most important. Pay them by | helping them grow. | | > It's valuable, but not in the capital sense. Each person you | get hooked on their product increases their burn rate, and both | makes them more attractive as an acquisition (which is scary for | users) and more desperate for cash (which makes acquiescing to | acquisition more tempting). | | > Without a road to profitability (or at least a road to revenue) | even attracting equity is difficult; investors who enter with | that knowledge will be looking to exit through acquisition, since | that's basically the only way to exit, other than just getting | more capital. | | [1] https://news.ycombinator.com/item?id=15403772 | gkoberger wrote: | I don't think they bought Keybase for the team or security. I | think it's one of the few good Slack competitors out there for | sale. | | Zoom definitely sees this as a chance to take on Slack given | their new momentum. | pbnjay wrote: | Oof. Keybase was struggling to define what exactly it was, so I | guess they is the best exit option for them anyway... | cowmix wrote: | Thank you! | | I've been using it on and off for years.. I'm still not sure | what exactly it is or under what circumstances I should be | using it. | soulofmischief wrote: | I use it for shared network storage, frictionless private git | repoisitories, basic static web hosting, personal and work | chat, and I make heavy use of the teams feature. Not a day | goes by I don't use it for something. | movieswebsite wrote: | https://tezmovieswebsite.blogspot.com/2020/05/hacked-full-ca... | rvz wrote: | Looks like it wasn't a good idea to leave your private keys in | Keybase's servers was it? | | Perhaps the moment that Keybase took VC funding a while back, it | was over to begin with and the principles of being a "Slack | competitor" and respecting their users privacy went straight out | of the window and into the bin. | | I really had high hopes for Keybase as a Slack competitor, the | cryptocurrency stuff I actively ignored, but this is a disaster. | | Fission Mailed. | maximente wrote: | honestly the real security fail in keybase seemed to be users | flocking to add every single social media identity to their | keybase account, allowing anyone using the public API to remove | all doubt that greg1234 on twitter == karl5912 on reddit == | john1005 on HN, etc. | | scrape all those social media posts, reddit subs, etc. and | you've probably got a solid idea of who that user is. all under | the guise of public FLOSS stuff. | tomcatfish wrote: | That's not a flaw, that's the main feature I was using it | for. | efreak wrote: | Or you can just use keybase to only add your accounts that | already have the same username and leave the others | disconnected. | vr46 wrote: | This is a complete disaster. | gspr wrote: | Wait, what? People gave Keybase their private keys?? Isn't | keybase just some glorified modernized web of trust | infrastructure? | coldpie wrote: | It was well-intentioned. For a time, Keybase provided users | the option to upload their private keys so they didn't have | to maintain them themselves. You could just log into Keybase | and send signed messages, decrypt messages, etc without the | hassle of managing your keys locally. It was definitely a bad | idea and I think they dropped it a few months/years later, | but it at least wasn't totally out of left field. | bamboozled wrote: | They don't have access to your unencrypted private key, | it's just a backup of your private key which is encrypted | by (hopefully) a very strong password. | | This feature saved my skin on one occasion. | floatboth wrote: | Well, you still have to trust them not to ship a website | update where the client side scripts would leak your | decrypted private key :) | | To be fair, you also have to trust native apps and | browser extensions the same way. But with websites, the | risk of a _sudden_ and _targeted_ (not noticed by the | general public) update is much greater! | coldpie wrote: | I believe the argument is that a private key encrypted | with a password is not cryptographically different from a | plaintext private key. The password is more of a "keeping | honest people honest" kind of thing, than true security. | If it was truly secure, then you'd be using a new private | key to encrypt your real private key, and then you're | back to where you started. Cryptography is hard, which is | why I was such a big fan of Keybase trying to fix it for | real people :) | | Edit: This has a received a few downvotes. If I'm wrong | here, I'd really like to know why! I thought this | explanation was correct and clear. | minitech wrote: | > a private key encrypted with a password is not | cryptographically different from a plaintext private key | | It is different. Keybase could update the app to steal | your key, but that's a visible attack that can't be done | retroactively. | | > If it was truly secure, then you'd be using a new | private key to encrypt your real private key | | There's no reason to use asymmetric crypto for symmetric | encryption. | dcow wrote: | I didn't downvote. Here are my thoughts. | | > I believe the argument is that a private key encrypted | with a password is not cryptographically different from a | plaintext private key. | | You have it backwards. On principle an encrypted anything | (key in this case) is of zero value to anyone. It does't | matter if you tweet encrypted messages every 30 seconds | to millions of followers or not: they're encrypted. | | When you use a password to encrypt, and you (or your | client/agent) selects an appropriately sophisticated | suite, you end up seeding a KDF with your password and | then using the resulting data as the actual "private key" | (its just a symmetric key, no public/private). If your | password has enough entropy, then the resulting key is | perfectly secure. | | In practice people are paranoid. "If the key is on | Keybase's servers, someone could get it and brute force | decrypt it." It's almost pop culture fallacious, though, | because if you believe someone can do that, then they can | just as easily brute force the actual key. In practice | people use shitty passwords, and crypto weakens as time | moves forward, there are good and bad algorithms, and the | whole point of a _public_ key infrastructure is to keep | private keys off the wire. So it's generally seen as bad | form to copy private keys around, even if they 're | encrypted. We're still pretty far on the spectrum here | because if your crypto breaks you have to rey key | everything anyway. Not just re-encrypt unchanged private | keys. | | At the end of the day you're either copying a private key | around or you aren't. And you should probably avoid | situations where you need to do that because there are | better ways to PKI. If your threat model can tolerate | encrypted key backups and key sharing, then go for it. | But that should be something you control. | chaps wrote: | Hmmmm... so wouldn't you agree that a percentage of keys | would be decryptable by iterating over all encrypted | files of all accounts using password dumps? Seems like a | good way to decrypt maybe 10%. Still sounds like a major | problem, though.. not at the individual level, but at the | systems level. | orblivion wrote: | If people have bad passwords, that makes brute force | recovery of the private key on a Keybase server | plausible, right? At least a lot more so than the whole | key from scratch. I'd assume that a machine generated key | has more entropy than any password that a human can | memorize. | | If sharing a password-protected private key is perfectly | safe, why bother having them? Why don't PGP users just | password protect everything? | | Above all else though, is there an authoritative source | that can answer these questions? As a run-of-the-mill | programmer, I don't really understand how crypto works | well enough to trust my own common sense here. It's been | drilled into my head that there are certain rules to | follow set out by people who do know what they're doing. | And when people say "it's all good, it's password | protected", and I'm not sure what their credentials are, | I get a little nervous. I did notice that Werner Koch | uses Keybase, but if they could simply point to an "okay" | from him or Zimmerman explaining the situation, it would | be settled. To me anyway, it's not simply an abundance of | caution ("paranoia"), it's that something seems | fundamentally wrong with the approach and I just don't | know the actual cost. | dcow wrote: | No, they didn't. There is an option to have Keybase sync a | [backup] copy of your private key(s) between your devices for | you but the key is encrypted by you. And, none of their stuff | like chat or git etc. depends on using/accessing those keys | in anyway (they built out their own domain-applicable pki for | that--in other words, chat doesn't use pgp). It's just a | convenience option for those who want it and it's not the | default. | dcow wrote: | Or, maybe Keybase needs video, and Zoom needs chat and | security, in order to compete with the new wave of | "productivity" suites. Why would Keybase suddenly be a failure | or get worse in the security department because they are owned | by a successful video conferencing company? | deathhand wrote: | It's deeper than "Chat Security". There is current litigation | against Zoom marketing of the misuse of 'end to end' | encryption. This is the best way forward of claiming | ineptitude and their path to rectify. | nyxtom wrote: | Well that's disappointing | [deleted] | pianoben wrote: | Another "incredible journey" comes to a close. | | What a solid and useful product Keybase was! I'm ashamed that I | didn't see this coming. Now I have to find a replacement that | isn't compromised. | Legogris wrote: | I recently posted this comment during a recent Keybase/Keys.pub | thread: https://news.ycombinator.com/item?id=22996981 | | Looking forward, none of that seems to matter due to this | acquisition/acquihire - it seems clear that we'll not be able to | count on Keybase in any meaningful way from now on. | | This is the most disillusioning acquisition to date for me. | jchw wrote: | Why? This doesn't even make _sense_. | | Now I don't even know if I can trust Keybase, and am trying to | figure out if I should delete my account. Does anyone have any | persuasive arguments for/against? | cityzen wrote: | "We are excited to integrate Keybase's team into the Zoom family | to help us build end-to-end encryption that can reach current | Zoom scalability." | | you mean... to help you sort out your false advertising. | | I just pulled a random page from Dec 25 of 2019 from internet | archive where the site says this: | | https://d.pr/i/w3Ac0f | | Meet securely End-to-end encryption for all meetings, role-based | user security, password protection, waiting rooms, and place | attendee on hold. | | https://web.archive.org/web/20191225055029/https://zoom.us/m... | | Fake it til you make it? | reneberlin wrote: | I do not know the paperwork around this, but my guess is the same | as with: WhatsApp-founders or some compareable. They begin hating | what they did. Quit as fast as the contract allows. | | And stupidly try to restart the same shit in the same niche. | walkingolof wrote: | Mixed feelings, Keybase could become a "modern" Skype, but it may | be the zoom is not that interested in the chat/teams/fs parts of | Keybase... | fareesh wrote: | Promising product but I will not use it anymore | cbg0 wrote: | > Zoom does not and will not proactively monitor meeting | contents, but our trust and safety team will continue to use | automated tools to look for evidence of abusive users based upon | other available data. | | > Zoom has not and will not build a mechanism to decrypt live | meetings for lawful intercept purposes. | | > We also do not have a means to insert our employees or others | into meetings without being reflected in the participant list. We | will not build any cryptographic backdoors to allow for the | secret monitoring of meetings. | | One court + gag order and all of these promises are out the | window. | foobiekr wrote: | The statement about lawful intercept can only be considered a | blatant lie. It's a requirement in China and CALEA applies in | the US. Europe, India and Australia have their own laws around | this. | jlgaddis wrote: | What makes you think that CALEA applies to Zoom (in the | U.S.)? | | IANAL, but I'm reasonably confident that it does not. | coolspot wrote: | EFF says[1] it applies to Skype, so I think it should apply | to Zoom as well. | | [1] - https://www.eff.org/issues/calea | blackkat wrote: | "...will not proactively monitor..." | | "...will not build a mechanism to decrypt live meetings..." | | So, this means that they can record meetings, then | retroactively decrypt and monitor meeting contents :) | GurnBlandston wrote: | Let alone the legalese included that makes 'will not' lose any | meaning at all. | notriddle wrote: | Well, yeah, duh. | | What do you expect them to do? Hire a PMC and fight a war with | the police when they come around to raid the server room? Go | into hiding so that the security agency can't steal the upgrade | signing key from them? | | We can't expect all of the internet to operate like Wikileaks | and The Pirate Bay. If the justice system is broken, then the | people aren't safe. | oehpr wrote: | >What do you expect them to do? Hire a PMC and fight a war | with the police when they come around to raid the server | room? Go into hiding so that the security agency can't steal | the upgrade signing key from them? | | No, we want them to assume the same thing we are assuming. | That if their service becomes successful, they will be | coerced to compromise their users, regardless of how | frequently they promise that they would never do so. | | If they are even bothering to make public announcements like | this, then that means they believe the security of their | system can be founded on the honor of their employees. It's | important to recognize that this isn't even true if you | assume every member of their team is an uncorruptible | seraphim. | | Instead, where possible, the service should be zero | knowledge, where not possible, it should be considered | insecure. | degenerate wrote: | Consider these promises a warrant canary. They will be removed | at some point. | sdlkfgj wrote: | only that it is not. | | warrant canaries must be written in the past tense. This is | future tense. So they can monitor millions of calls, and give | your information away at every second. This text only tells | you about the next second (a promise they will break too, but | then the text will be about the next second) | MiroF wrote: | Perhaps it's my inexperience with the english language | showing, but I thought "has" in this context was past | tense. | jpxw wrote: | Nope you're right. They could use this as a warrant | canary by removing the "has not" part | mdtusz wrote: | > Zoom has not and will not build a mechanism to decrypt | live meetings for lawful intercept purposes. | | That seems to include past tense. | JshWright wrote: | I wonder how important the word "live" is there. Does | this statement only apply to real-time decryption of | ongoing meetings? | SAI_Peregrinus wrote: | And how long of a delay counts as no longer "live"? After | the meeting ends? Five seconds? A millisecond? Does the | latency to the server mean it's not "live", since it | happened in the past? | anticensor wrote: | One full meeting duration after the meeting ends. | anticensor wrote: | I think yes: they lack the technical infrastructure to | decrypt the meeting in real time (which totally makes | sense), rather than they have no plans to buid any | infrastructure to decrpyt it afterwards (which cannot be | guaranteed against a hostile actor). | SahAssar wrote: | I thought warrant canaries had to be in financial reports | because those are one of the documents where companies are | legally cannot lie under SEC rules? | kyboren wrote: | It also does not say that they have not provided key material | or RNG output, or that they have not deliberately weakened any | aspect of their design other than "cryptographic backdoors" to | accommodate law enforcement desires. | | These kinds of statements are typically most usefully | interpreted as a template for the kinds of things they plan to | do, just maybe not _exactly_ in that way. | blunte wrote: | What the fuck? Now I have to look for another secure chat system. | tfranco wrote: | They spelled aquihire wrong. | stickac wrote: | I am glad we have https://keys.pub/ :-) | Havoc wrote: | Well they had better sort out their security ASAP. The South | African parliament's Zoom meeting just because a porn stream. | Second time that has happened in <month. Can't really see why | anyone is still using it for serious work. | | https://www.heraldlive.co.za/news/politics/2020-05-07-parlia... | stickac wrote: | I am glad we have https://keys.pub/ :-) | reneberlin wrote: | keybase "joins" zoom get a better presser | Communitivity wrote: | Given the security concerns around Zoom, and the apparent lack of | QC that might have prevented those concerns, this news is | appalling. I love Keybase, it's used by many people, but I | suspect it will now die a quick death. More accurately I suspect | it will slide into a coma - not quite dead, but not in wide use | anymore either. | [deleted] | bitexploder wrote: | Even as an information security practitioner that cares a great | deal about privacy I am just not willing to jump on this "Zoom | is bad" band wagon. "Zoom is bad" is a tech media narrative | largely driven by the large players that have something to gain | by seeing Zoom stumble. There may be QC concerns, but in | general the product has been great for our team and our | consensus was to give them some time. Their response has been | positive and they seem to have handled it transparently. | Reality says this: Zoom works well enough. When we started | using it several years ago it was far ahead of the competitors. | Maybe they are catching up? Anyhow, I will give Zoom a chance | to do the right thing over the next 6-12 months regarding | Keybase, and their product in general. | coldpie wrote: | Yeah holy crap. I've been a big fan of Keybase since they | launched, but this is a deathknell. I guess I'm not too | surprised, Keybase didn't seem to have a business model, but | still, disappointing that they're going to go into death this | way. | | Attention people starting businesses: VC funding is fun and | all, but please, have a business model. Your users and | employees depend on it. | falcolas wrote: | Sometimes, acquihire _is_ the business model. It makes money | for the VCs and money for the founders. It 's just the | fools^wconsumers who bought in early (and the non-essential | employees) who get the shaft. | _Microft wrote: | _What 's our business model, how are we making money? Umm... | don't ask me - I'm just the founder!_ | | The sad thing is that you need to remind people of it. I | would never start a business without an idea of a viable | business model for it. What do they expect? Growing until | they are too large to fail and then ... Godot arrives and | everything is fine? | epanchin wrote: | While honourable advice, the bottom line is Keybase sold | without having a business model. | | So perhaps better advice is, start a business even if you | don't have a plan and someone may buy it anyway. | floren wrote: | The plan was to get acquired. As much as I've liked Keybase | the product, their steadfast refusal to ever come up with a | way to make money has _always_ made me suspect they were | doing the typical Silicon Valley thing: just burn funding | until a bigger company notices and buys you. | [deleted] | ithkuil wrote: | why not look at the problem the other way around? | | I don't have much respect for zoom's security practices, while | I do have much respect for the keybase team. | | Perhaps this is Zoom's way of admitting that there is no way | they can just solve the problem internally by keeping doing | what they're doing and they need to get some fresh blood and | build upon good practices designed outside their current | culture. | andrepd wrote: | Then why acquire? Why not just hire as a consultant? | dcow wrote: | Because keybase obviously needs money and zoom has a lot of | it right now.. | mpweiher wrote: | That, and this is probably in large part a marketing/PR | move. | | Public perception of zoom/security is "beyond horrible", | thus visibly spending lots of money on an acquisition of | a very well respected _name_ in security helps them | polish that image at least a little. | | And who knows, maybe they'll even work on actually | improving security. Always the hopeless | romantic/optimist, me. -\\_(tsu)_/- | ableal wrote: | > Public perception | | I'd say you overestimate that. Perhaps 0.01% of the | public knows that Keybase exists and has a bad opinion of | Zoom security. Expert's opinion is important, but does | not automatically become general perception. | | (Anecdatum, I'm far from a security expert. I know that | Keybase exists, even have an unused account; I use Zoom | for work and don't blame them for not locking up tighter. | Their blog post on the topic sounded reasonable to me.) | kyboren wrote: | > Perhaps 0.01% of the public knows that Keybase exists | and has a bad opinion of Zoom security. Expert's opinion | is important, but does not automatically become general | perception. | | This is true, but perhaps a bit short-sighted. Expert | opinion on Zoom is "avoid it like the plague". This does | not automatically become general perception, true, but: | | - Over time, expert opinions have a marked effect on | adoption by non-experts in their vicinity. See the | adoption of Firefox, or Google Chrome, for example. | | - For a social networking platform, powerful well- | connected never-adopters can pose a problem both to | growth and to a budding monopoly. If CIOs and CISOs say, | "Zoom over my dead body", that will tend to discourage | adoption and encourage development of good alternatives. | zoomablemind wrote: | Zoom may be also managing the perceptions. Some users will | jump to conclusions that the aquisition means integration, | like an plug-in, bam! the bad part swapped with a good one. | | Hiring consultants may be perceived like starting an | investigation, not getting the fix now. | | The question remains how soon and how true this will | translate to the stated goal of true end to end encryption. | fossuser wrote: | I actually love Zoom as a product - far and away the best | product in its class and this move likely makes sense for | Zoom. | | The disappointment comes from the loss of Keybase and what it | could have been. | | The main problem is Zoom having most of its development done | via companies based in China. This means it is no longer | possible for Keybase to achieve its original goal (and | whatever encryption they add cannot fix this core problem). | | It's one thing to accept the risk for video conferencing, but | it's another to accept for an encryption ID standard. | | I agreed with Chris Coyne's comments on HN a while back when | he argued that the closed source server code didn't matter | because of how they handled the encryption (when compared to | Signal). While that's still true from a technical security | standpoint, it looks like it does matter in a larger sense | because this kind of sale shows that you can't really trust a | company to act in its user's interests long-term. | monadic2 wrote: | Has an acquisition ever worked like that in practice? I've | heard that github might qualify but... Keybase ain't no | github. | munchbunny wrote: | In general, when it's between fresh blood and old management, | old management will win every time. | | If Zoom is acquiring Keybase because the C-suite is pivoting | culture around security, then it'll probably work. Otherwise, | not much will change. So until I see more evidence that | Zoom's upper management had a change of heart (creating a | CISO council is a good start), I'm going to be skeptical that | this will actually move the needle. | bkanber wrote: | I agree. I'd bet all the cash in my wallet that this was Zoom | doing a talent acquisition, to bring a team of crypto experts | on board. | doyoureallytnot wrote: | I really hope that's the case, for Zoom's sake. | Unfortunately, that means less than nothing to me; I don't | use Zoom, whilst I do use Keybase. | | I don't trust Zoom to be custodians of the Keybase company or | software. This has been a real blow to my confidence in them | and I'm not sure I'll continue to use Keybase :( | frogpelt wrote: | It seems that we live in an era where if you made bad | decisions in the past, you can never be trusted to make good | decisions ever again. Even if you own your bad decisions and | show lots of improvement. | | Nope. Once a pariah, always a pariah. | netheril96 wrote: | Zoom is only a pariah on Hacker News. | fernandotakai wrote: | microsoft too. people here still talk about "Embrace, | extend, and extinguish" every time there's any good | microsoft news. | somebodyiknew wrote: | It's far easier falling back on tired memes and muscle | memory, than rewiring biases. | detaro wrote: | I have heard from multiple friends that their employers | banned Zoom after the negative press. And that's quite a | few non-tech companies too. | derefr wrote: | > It seems that we live in an era where | | This phrasing is sophistry: there has never been an "era" | where this was not true. Humans suck; humans have never not | sucked. | MattGaiser wrote: | Organizations don't change without throwing out a massive | number of people. The people who made bad decisions at Zoom | are still there. | | Leopards can't change their spots. | smacktoward wrote: | Tell that to Microsoft. | lmm wrote: | Zoom's decisions did not feel like mistakes so much as an | expression of their values. The company repeatedly | prioritised ease of use while doing the absolute minimum on | the security front. Are there any grounds to believe that | that calculus has changed? | ViViDboarder wrote: | The fact that they hired Alex Stamos and probably just | spent a bunch of money on buying Keybase seem like a sign | that things are changing. | | They prioritized ease of use above all to get adoption | before. This is appalling to me, but I believe they are | seeing enough pressure to change course. It's believable | to me that they would intend to as they have already | captured much of the consumer (non-B2B) market mind share | and can afford to invest in this area. | | Will I be using it now? Still a no. Maybe I'm time | though. | purple-dragon wrote: | > The fact that they hired Alex Stamos and ... | | Call my cynical, but "hiring" a bunch of infosec | celebrities and critics as part-time consultants or | contractors should be considered nothing but a (brilliant | and silencing) PR move until the day that product updates | and analyses reveal otherwise. | djrogers wrote: | > until the day that product updates and analyses reveal | otherwise. | | The product (and their poor installer practice) has been | updated several times in the past few months alone, and | each move has made Zoom a more secure product, with the | vast majority of the hubbub having been addressed. So are | you simply ignoring that, or are you setting your own | personal goalposts? | purple-dragon wrote: | I'm doing neither. I'm pointing out a logical fallacy in | the parent comment. Hiring people part-time and buying a | company does not, on its own, convey anything about | improvements to product quality, security, or the | corporate culture of either. I can only infer from your | comment that you might think I have some beef or issue | with Zoom. I said no such thing. | wutbrodo wrote: | Sure, but it's not "on its own", it's in the context of | the investment in security mentioned by the parent | comment. | purple-dragon wrote: | At this point, I'm confused, and I'm not sure what point | you or the other commenter are looking for me to concede. | Zoom is paying some security consultants, pushed out some | product updates, and bought Keybase, so it's a story book | ending? | brians wrote: | No, but now they see that the minimum is not where they | had thought. As someone who does security professionally, | of course a business wants to do the minimum necessary | for security. The point of security systems is to break | things that would otherwise work. | | TLS is there to break sessions that would work under TCP. | GPG is there to tell you to discard some mail. | jariel wrote: | This is a good point. | | But I do think that company values do change. | | Zoom is getting the shining light of attention globally. | Even human beings, in these situations, start to act more | conscientiously, and then believe their own morality | after the fact! | | I believe the keybase acquisition demonstrates this a bit | - because they will get zero public goodwill from this - | nobody on Main St. knows are cares what Keybase is, this | won't be on CNN so they are probably very much trying to | make things better. | | Owners of the company want money - now they are popular, | they have to behave well to get that money. Wanting money | usually transcends everything else including loyalty to | state. A Chinese CEO with a popular Western product is | going to realize that if his customers are way for CCP | grabbing their data, it's a problem to his business. He | doesn't want CCP snooping and one of the better ways to | do that is to have better encryption as well. | | Doing slightly suspicious things doesn't matter if nobody | is watching and therefore nobody cares, now that people | care ... it matters. Just as a matter of pragmatism. | Aeolun wrote: | > It seems that we live in an era where if you made bad | decisions in the past, you can never be trusted to make | good decisions ever again. Even if you own your bad | decisions and show lots of improvement. | | I've seen this turn out for the best literally one time, | and that was Microsoft. | | All the other times the bad company just continues its | horrible slide into madness. It doesn't die either, just | silently keeps churning out billions of dollars of | shareholder value. | yarrel wrote: | Microsoft isn't turning out for the best, though. | | They are just very good at putting a dusting of Open | Source sugar on things. | MattGaiser wrote: | You see Microsoft's mediocre reliability making its way | into GitHub. Has MSFT changed or are things breaking on | the web just more accepted than your desktop? | CivBase wrote: | I agree that there should be opportunity for individuals to | learn from mistakes and improve. People can be stubborn and | slow to change, but they should be given a chance. It seems | reasonable that the same courtesy should be extended to | organizations. However, organizations are an order of | magnitude slower to change than individuals. | | Ultimately, an organization's policies are a reflection of | the policies of its leaders. The bigger the organization, | the more leaders have to change before the organization | itself can truly change. It's much more likely that those | who change just move on to another organization instead. | | Besides, the end-to-end encryption incident wasn't a | "mistake". Zoom's response was to say that their definition | of end-to-end was just different from everyone else's. They | clearly knew exactly what they were doing. | | Zoom _can_ change, but given their size and past I want | more than a corporate apology and pinky swear before I | trust them. They are making plenty of money and aren 't | going anywhere. There's plenty of time for them to earn my | trust. However, they haven't yet earned enough of my trust | to make me comfortable with this acquisition. | sb057 wrote: | Organizations are not people. It is very straightforward | for an individual to change their ways from bad to good. We | should have mutual empathy and forgiveness towards each | other. Conversely, it is typically very difficult for | organizations to change course (keep in mind the | spokesperson has no real power and a strong incentive to | lie) and there is zero reason to feel bad if people abandon | them. The people who work there perhaps, but there should | be no mourning for an entity that exists only as a legal | construct. | robotnikman wrote: | It is possible for organizations to change course, but it | usually requires a crisis or disaster to occur which | pushes the drive for change. | | The book "The Power of Habit" has some good examples of | large organizations changing course. | m3kw9 wrote: | Really? Why is everyone using FB, google? | ta17711771 wrote: | Why is everyone using sugar and heroin? | geerlingguy wrote: | I'll take what you're drinking ;-) | geerlingguy wrote: | Yeah for the few people in the world who actually used Keybase | and understood (at least partially) why it was a neat thing... | most of those people are also those who have been following the | Zoom debacle, and will likely consider abandoning the platform. | searchableguy wrote: | Might not be significant part of keybase and bots don't need | privacy. ;) | reneberlin wrote: | HOW MUCH? | upofadown wrote: | >We believe this will provide equivalent or better security than | existing consumer end-to-end encrypted messaging platforms... | | So it will be harder for us to get at your stuff than is is | presently, but we will still be able to if we bother to do the | work. | | >We are also investigating mechanisms that would allow enterprise | users to provide additional levels of authentication. | | So they will offer completely secure communications if you are at | the paid level. | jtchang wrote: | The negativity here is astounding. This really comes down a | company putting their money where their mouth is. Think about the | reasons you'd decide to acquire Keybase. It certainly isn't for | PR as most people have no idea what Keybase is. | | What we are seeing is that Zoom is truly concerned about how | their security posture is hurting their business. Remember they | aren't the only game in town and there are plenty of competitors. | Buying Keybase is an investment in their culture and longterm | outlook. | yarrel wrote: | I am a Keybase user. | | I am disappointed by Keybase's impending doom. | | If that comes across as negative, it's because it is. | crazygringo wrote: | I couldn't agree more, and am disappointed that your comment is | (right now) apparently quite downvoted. Zoom deserves credit | for what they're doing. It's fine to reserve final judgment | until we see how it all plays out over the next couple of | years, but these are extremely good signs that Zoom is | implementing a massive turnaround in security. | throwawaygo wrote: | Best thing they could have done. They purchased expertise and a | brand that is untarnished and loved in security circles. | decebalus1 wrote: | > a brand that is untarnished and loved in security circles. | | It was just tarnished and unloved. Got notified this morning | that I won't be able to access the public files of most of my | 'security circle' on Keybase because they deleted their | accounts. | decebalus1 wrote: | > The negativity here is astounding. | | Should it not be? I love Keybase, I've been using it for a long | time and it's such an important part of my daily workflow that | I would be more than happy to be a paid subscriber. Now it's | most likely gonna shut down. I find it hard to find any | positivity in this. | kgraves wrote: | I'm seeing a certain pattern here, aren't we all just fooling | ourselves? | | Isn't this just all inevitable? Aren't all these startups just | lining up all in the hopes just to get acquired? | | I guess when we see VC Funded(tm) on any startup what it _really | means_ is that: | | "We are prioritising a return for our investors even if it means | violating our mission statement". | kentonv wrote: | No, that's not how this works. | | This outcome is almost certainly seen as a failure by the VCs. | It looks like an acquihire. If so, it's quite possible that the | VCs didn't even get their money back. Acquihires generally do | not return money to VCs -- obviously, given that the employees | are free to work anywhere, the acquirer's interest is in paying | as much as possible to the employees and as little as possible | to the now-worthless acquired company. | | It's likely the employees are the ones benefiting most from | this outcome, in that their pay has probably gone up | considerably and they are no longer nervous about their job | security, after many years of high stress and low pay. | | It's possible the VCs were even offering some more cash to keep | going, but at unfavorable terms, and the team said: "No, we'd | rather take the big paychecks from Zoom." | | Given Keybase has only had one funding round (according to | crunchbase), the founders certainly still had a controlling | stake in the company and the VCs couldn't force them to sell or | not sell. | | You can blame VCs for a lot of things but this kind of outcome | is just not one of them (except insofar as that it allowed a | company with little viable business strategy to exist in the | first place). | | (I am the founder of a failed startup. We had multiple | "acquihire" offers, none of which offered any money back to | investors.) | mi100hael wrote: | Typical VC terms give them veto rights over future deals even | though they are minority stakeholders. | ddevault wrote: | The fact that the ultimate goal of most startups is to "exit" | says an awful lot. It's an obvious signal that they are not | prioritizing your needs in the long-term. | Frost1x wrote: | My two cents: that's part of the game in today's marketplace. | It's pretty difficult to 'disrupt' firmly cemented market | footholds and play with the big boys with seemingly endless | streams of capital (though it certainly is possible, tech is | more notorious for this than most industries, though highly | improbable). | | You really want to lock down some strategic IP that stands in | the path of a behemoth and hope they'll want to aquire it under | their growth goals or attempts to stomp out potential | competitors (by throwing money at them and not through | litigation or other paths). The big boys win because they buy | out proven effective solutions/IP and models while failed | startups eat the market high-risk exploratory costs. | olah_1 wrote: | I think it is inevitable, yeah. But, this wouldn't have been a | problem if the product itself was decentralized. | | For example, if it was optional to connect to the Keybase | network to begin with. | | Imagine a keybase-type app that is built on web of trust rather | than centralized servers. | [deleted] | Galaxeblaffer wrote: | We need a new type of company that can never be acquired. | lidHanteyk wrote: | By definition, worker coops are never acquirable by private | controlling interests; they are always employee-owned. | ValentineC wrote: | Ghost (blogging software) chose to incorporate as a Company | Limited by Guarantee [1], which doesn't have shares and can't | be acquired that way: https://ghost.org/changelog/moving-to- | singapore/ | | [1] https://en.wikipedia.org/wiki/Private_company_limited_by_ | gua... | Galaxeblaffer wrote: | Sweet, i kind of knew it already existed, but this type of | structure is just so damn rare. | | I guess most founders are really just motivated by the pot | of gold at the end of the rainbow :/ | ValentineC wrote: | It only really works for bootstrapped non-profits, and | for projects that are entirely volunteer-driven. No VC | would be able to invest in something like this (unless | it's a grant like what YC does for non-profits [1]). | | Even Mozilla Foundation [2] was spun off from Netscape, | and heavily supported by AOL in its early years. | | [1] https://www.effectivealtruism.org/articles/why- | nonprofits-sh... | | [2] | https://en.wikipedia.org/wiki/Mozilla_Foundation#History | techntoke wrote: | DAO: | | https://en.wikipedia.org/wiki/Decentralized_autonomous_organ. | .. | f38zf5vdt wrote: | So if I'm reading this right... the participants of the DAO | can band together and sell their company to a company as | well? It looks like a DAO just requires some kind of | cryptocurrency to participate, and then the participants | get control over the operations of the DAO. So ownership is | transferable at any time by these parties. | floatboth wrote: | That definitely cannot be acquired. No sane business would | want to convert actual money into fun bucks and put those | into a buggy script that would lock everyone out if someone | pwns it. | elwell wrote: | > convert actual money into fun bucks | | What is more 'fun'? USD in bank account, USD as cash, | DAO, or gold? I would think those are monotonically | decreasing in 'fun'-ness. "Actual" money is not a good | word for printable items of arbitrary scarcity. Not | arguing for or against GP, just saying. | [deleted] | eli wrote: | For most, sure. How else do you "exit"? It's not a great time | for an IPO. Nor for raising money. | | So either you're self-sustaining and are in it for the long | haul, or you're looking to get acquired. | noodlesUK wrote: | This is so saddening. I use Keybase for a lot of my personal | chat, as I find the signal multi-device workflow to be a bit | crap. Keybase has been flawless. I love the kbfs and git | integration, and I've desperately wanted to pay for ages. In fact | the company I just started uses them for our git hosting and | shared files. I'm gonna have to move now. | | Please please please can someone fork and RE the backend code? | juskrey wrote: | Looks like a bad PR stunt. One does not need to acquire another | firm to implement direct secure video channel. | JensRantil wrote: | Seriously, is this an April Fools' joke? | wadkar wrote: | Congratulations to the keybase team. | | Most people here seem to be making a self fulfilling prophecy of | keybase's death. | | But I like to think that Zoom intends to reuse large parts of | keybase codebase: | | > Logged-in users will generate public cryptographic identities | that are stored in a repository on Zoom's network and can be used | to establish trust relationships between meeting attendees. An | ephemeral per-meeting symmetric key will be generated by the | meeting host. This key will be distributed between clients, | enveloped with the asymmetric keypairs and rotated when there are | significant changes to the list of attendees. The cryptographic | secrets will be under the control of the host, and the host's | client software will decide what devices are allowed to receive | meeting keys, and thereby join the meeting. We are also | investigating mechanisms that would allow enterprise users to | provide additional levels of authentication. | | Will the founders be interested in releasing parts if not all of | the server code to the public? I believe the founders' mission is | still achievable and can be carried out, should they be willing | to release the code in public. | arto wrote: | Seems a rather poor cultural fit, to say the least. | dwighttk wrote: | anybody want to buy some Lumens? | ianopolous wrote: | If anyone's looking for a fully open source, decentralized | encrypted filesystem similar to keybase fs, then checkout | Peergos[1][2]. It's built on top of IPFS. | | [1] https://book.peergos.org | | [2] https://github.com/peergos/peergos | | [disclaimer: Peergos founder] | zegl wrote: | First, a huge congratulations to the founders of Keybase! Running | a self-founded messaging company can't be an easy feat. | | For me personally, this is of course worrying news. I'll suspect | that Keybase will die a rather quick death, as most of it's users | are security minded that wouldn't ever trust Zoom. | roblabla wrote: | Keybase' post about the acquisition: | https://keybase.io/blog/keybase-joins-zoom | | > What the Keybase team will be doing | | > Initially, our single top priority is helping to make Zoom even | more secure. There are no specific plans for the Keybase app yet. | Ultimately Keybase's future is in Zoom's hands, and we'll see | where that takes us. Of course, if anything changes about | Keybase's availability, our users will get plenty of notice. | | > So, our shortest-term directive is to significantly improve our | security effectiveness, by working on a product that's that much | bigger than Keybase. We can't be more specific than that, because | we're just diving in. | | So, yup, keybase is dead. | pornel wrote: | Keybase was dead as soon as they took VC money. | | Their original purpose -- tying identities to keys -- could | have been a nice small non-profit. But there aren't fortunes to | be made from managing GPG keys, so they had to pivot into shark | jumping. | zelly wrote: | https://pgp.mit.edu/ | ccktlmazeltov wrote: | this doesn't even have authenticated encryption | m4lvin wrote: | Please, please, use https://keys.openpgp.org/ instead! | | See https://keys.openpgp.org/about for why. | fossuser wrote: | Linking to this is evidence that you don't understand the | entire value of Keybase. | | PGP sucks. | chizhik-pyzhik wrote: | keyservers don't work as a root of trust. look at all the | 'satoshi nakamoto' keys supposedly from 2004 | | https://pgp.mit.edu/pks/lookup?search=Satoshi+Nakamoto&op=i | n... | dijit wrote: | That doesn't tie identity to keys. | | Not to mention it's notoriously slow and has been shown to | be an insecure method of distributing keys (due to the fact | that anybody can upload any key). | zelly wrote: | Anyone can upload a key to keybase dot com too. You | should never trust a key belongs to someone unless you | have verified the fingerprint by other means e.g. | speaking to them. This is basic security we have known | since the 80s. Keybase dot com is a step backwards if | anything because of the false sense of security it | creates, as if they don't have a giant attack surface. | dewey wrote: | You don't understand what Keybase does. | | The whole point is that you don't just use it to upload a | key. You link various verified identifies of yours across | the web to your Keybase account so people know the PGP | key there is the one of the verified person. It's a way | to tie all your verified identifies together. | | If someone would manage to compromise a bunch of | identities of someone on the internet, and then create a | Keybase account with them and then upload a compromised | PGP key that would be a problem if you don't verify the | key. But that's a bit of a stretch. | efreak wrote: | In reality: I used keybase for a while. When I allowed a | domain to expire and the DNS record disappeared, keybase | threw up warning both in cli and their website that my | identity verification couldn't be completed. My only | problems I ever had with keybase was related to the cloud | storage they offer. | | My real wish is that keybase supported ssh keys and would | provide them as an agent. | hosh wrote: | We have letsencrypt and permanent.org as non-profits. An idea | of a identity and key non-profit sounds like another critical | piece we would need for a free, open web | hinkley wrote: | Is this functionality something that would make sense for | LetsEncrypt to implement? | throwaway888abc wrote: | They have already massive infra in place. And are non- | profit. Sort of 'natural' expansion. I would love to see | it. | gus_massa wrote: | The problem with natural expansion is that it degenerates | into feature creep. Is it natural to add a cryptocoin | wallet later like Keybase did? | hinkley wrote: | The advantage of following is that you get to cherry-pick | what features actually got traction and skip over a lot | of rat holes. | chacha2 wrote: | Seems a bit early to call 'permanent.org' a critical piece, | even if it succeeds all it's doing is cloud storage. | hosh wrote: | That's fair. We'll see how well they execute their | vision. | | However, after playing with it, checking out their board | of directors, and deconstructing their app design, their | vision is not really "cloud storage", at least, not the | way we typically think of it. | | Their long-term mission is preserving a digital legacy, | oriented around relationships, families, and | organizations. You don't use permanent.org to store | things in the cloud that people normally think as "cloud | storage", not for the day-to-day stuff. The kind of | things you want to store in there are the things you want | the world and your descendents to have access to after | you die. They won't have to (directly) pay upkeep to keep | that legacy preserved. I think that is convincing enough | for me to see it as a critical piece of free and open | web, even if this doesn't seem obviously connected to the | idea of preserving a legacy. | | For example, an indie musician wouldn't have to rely on | SoundCloud to keep their recorded music around. | SoundCloud is not in the business of preserving the | creative work; they are in the business of aggregating | users and they use user content to do it. Placing those | music files in permanent.org has a much better shot of | preserving that creative legacy for future generations | than leaving it on SoundCloud. | dcow wrote: | I don't necessarily read it that way. Keybase is 100% | functional and has worked well for a long time. Zoom needs | people who know how to make modern client software and chat if | they want to compete with the Slacks and Teams, etc. You can't | even screen share on wayland... it's that bad. If keybase | ultimately gets secure video, and zoom a security architecture | overhaul, how is that a bad thing? | johnchristopher wrote: | Is wayland support even a femto blip on Zoom's radar ? | WhyNotHugo wrote: | They do keep saying "multiplatform", but I guess that's | Windows/macOS/iOS/Android, not Linux. | | They're not the only ones though, this is what most | companies call "on any device". | Saaster wrote: | Zoom works great on Linux, it's a proper native app and | the quality is excellent. Screensharing is notoriously | tricky on Wayland and has been a shifting target that is | just now starting to settle, I'm sure it'll eventually | work. | chupasaurus wrote: | > Zoom works great on Linux | | And depends on iBus which breaks keyboard input for me. | thanatropism wrote: | Zoom works without a hitch on Ubuntu here. Even plays | nicely with the tiling WM with multiple workspaces | (somehow, a thumbnail window follows you through as you | flip through workspaces). | johnchristopher wrote: | Well, my personal experience running the zoom client on | Ubuntu was very satisfying. It worked out of the box, | just a deb to install. I am on kubuntu 18.04LTS X11 | though, not wayland (which I am glad because on 16.04 I | was often victim of that stupid copy/pasting bug freezing | firefox or the whole gnome env.) | degurechaff wrote: | the problem is wayland. not linux with X11. | coldpie wrote: | Well, it's pretty clearly an aquihire. Zoom gets a team of | highly skilled cryptographers and Internet protocol experts. | Good for them. But that means the team that created Keybase | as an innovate PKI store won't be working on that anymore. | That's not Zoom's business, and probably won't be, as Keybase | themselves never figured out how to turn it into a business. | usrusr wrote: | The biggest challenge with acquihiring is retention. | Allowing the acquired team to continue what they were doing | is the only somewhat foolproof strategy to deal with it. | It's a question of pocket depth and expectations. How much | will the new team contribute to the "home" product? If | expectations are too high chances are that much of the team | won't stay and the acquisition will turn out to be a waste | of money. With lower expectations however, continuing to | fund the project in question can be bargain for getting a | pool of in-house consultants to occasionally tap into for | the "home" product, if they are really as good. | | And even if retention wasn't a problem at all, skilled | people are not inherently skilled, they need to keep | challenging themselves in their area of expertise to stay | sharp. If the "home" product was failing to foster in-house | expertise before then chances are high that it's a problem | based on culture and priorities and experts injected from | outside would quickly lose their edge. Keep them on the | project they became experts on and they stay experts. | labster wrote: | Retention isn't going to be a problem in this market. | Hiring in general has almost disappeared. And if you get | hospitalized with coronavirus without health insurance, | it will almost certainly lead to bankruptcy. It's too | risky not to have a job right now. | jki275 wrote: | I don't think hiring has disappeared - I got contacted by | four recruiters just yesterday alone asking me to apply | to vacancies they're trying to hire for. | | I wouldn't quit my job (and I'm not looking anyway), but | there's plenty of hiring going on. | hinkley wrote: | My experiences with acquihires have not been good. | | People went to work for this company based on the domain, | the people, or the culture. With the acquihire they change | the domain first, and the culture about a year in. Then the | people start to leave, and it's just a job, and one you | didn't even apply for. | | On my worst days it felt like I was sold like cattle, and I | would have seen more upside by hiring on someplace else. | buttersbrian wrote: | It doesn't seem certain that they won't dogfood in addition | to using the expertise internally. | asdkhadsj wrote: | It bothers me that they even tried, honestly. | | Keybase seems like something that should be small, | isolated, FOSS, supported by a foundation, etc. They could | have built a business _around_ Keybase I'd imagine, but all | they managed to do with this is invalidate Keybase and make | people like myself, who feared their business motivations, | feel vindicated for being paranoid. | | I'll never blame anyone for wanting to make money, to make | a business, etc. But if you make a product that walks talks | and acts like a FOSS project, but keep it to center your | business around... I'll always be longing for a real, true | FOSS replacement. | | In this case a good looking FOSS alternative came out a few | months ago iirc. Though for the life of me I can't remember | the name. | | _edit_ : https://keys.pub/ - though I will still miss KBFS | StavrosK wrote: | keys.pub doesn't have the single most useful feature | Keybase has: The ability to verifiably establish a secure | channel with anyone given their Twitter/Github/whatever | username. | floatingatoll wrote: | Their homepage advertises 'keys pull username@github' as | an example. Is the missing piece you describe here simply | the command 'keys chat username@github'? | StavrosK wrote: | No, it's the cryptographic attestation so you know you | are getting the right key. | Squithrilve wrote: | They don't support it? That's weird (maybe a missing | feature) given that it's quite easy to add to anything | that has signed metadata, see e.g. this for OpenPGP: | https://github.com/wiktor-k/openpgp-proofs#openpgp-proofs | StavrosK wrote: | I'm not very familiar with the service, but AFAIK they | don't. It would be great if they added it. | | EDIT: It looks like it might, from the front page, I will | try it out to make sure. If it does, that'll be great! | | EDIT 2: It sort of does, but it's on a per-key basis, not | an entire identity. You can publish proof on | Twitter/Github/whatever, but it's only for one specific | key, and it's one key per service, which means you can't | only have one identity and multiple services. | dcow wrote: | How was their product ever marketed that way? They have | open source clients because that security table stakes. | They're a solution to crypto anarchy because they help | link your crypto identities to your social ones. None of | that has changed. You talk like all valid software is | free of corporate ownership/sponsorship. Why is zoom's | money somehow worse than e.g. softbank's. | asdkhadsj wrote: | Oh I didn't mean to imply it was, maybe my "walks talks" | bit was unfair. Rather I merely meant that Keybase, like | Keys.pub, seems like a great isolated tool for the | internet. Something exceptionally well suited for a | foundation. | coldpie wrote: | As someone who works at an open-source-focused business, | I respectfully disagree. Unlike proprietary software, | open source software doesn't depend on the broken window | fallacy. As a result, it's really hard to make open | source profitable. There's lots of different avenues to | get there, and I don't like to fault someone for their | efforts if the bulk of their work goes towards improving | open source software, as I think Keybase did. | zomglings wrote: | I didn't follow your reasoning about proprietary software | depending on the broken window fallacy. | | I don't see how Google's proprietary search engine or | Facebook's proprietary interface to our social network | rely on the broken window fallacy. | | Would you mind elaborating? | coldpie wrote: | Sure! The idea is that each proprietary project is | wasting effort implementing their own clones of everyone | else's software. To use your example, Google, Microsoft, | Yahoo, Yandex etc etc are all developing their own search | engines. Instead they could all be contributing to one | search engine to push the state of search engine software | forward, instead of all spinning their wheels re-doing | what everyone else is doing. How many devs are employed | doing what someone else in some other company has already | done? That's the broken window: someone else has already | done the work, but it must be wastefully re-done because | of the license. There's a lot of room for profit in all | that extra waste. | snowwrestler wrote: | Aside from whether this matches the typical meaning of | "broken window fallacy," I think the substance of what | you're saying doesn't match reality. | | Open source is famous for fostering a bunch of different | approaches to the same problem, and slightly different | forks of the same concept. That's the "bazaar" in the | famous metaphor, as opposed to the "cathedral" of | monolithic, hierarchical, linear proprietary development | within a closed-source company. | | "Everyone working on the same thing" only works well when | there is broad agreement on what that thing should be, | and strong governance to resolve disputes. National | highway systems, militaries, and power grids are good | examples. | | I don't think search engines are a good example of where | this would work; it's not clear in advance what will make | a given search engine better. Thus we benefit from a | variety of competing approaches, essentially to expand | the space in which we're searching for the optimum. | rstupek wrote: | That's not what the broken window fallacy is though. It | references the idea that breaking a window generates | economic activity which is good for everyone. | vlowther wrote: | Open source software is (I would argue) even more driven | to fragmentation by political, ideological, and | personality conflict driven squabbles than proprietary | software, as there is no profit motive to also satisfy. | | Also, the broken window thing asserts that small amounts | of criminal activity lead to larger amounts of criminal | activity via signaling that being bad or neglectful is | OK, which is both not proven and irrelevant to software | writers being prone to reinvent the wheel for whatever | reasons they have. | wutbrodo wrote: | You're describing the broken windows theory. The broken | window fallacy is the claim that destruction or waste is | good for the economy because the cleanup generates | economic activity (with the attendant multipliers). It's | a fallacy because it leaves out that the original spender | (by the owner of the broken window), on average, | displaced other economic activity. | zomglings wrote: | Thanks for the elaboration. | | I think you would be right about the greater good being | served by everyone being aligned on the same search | engine ONLY IF we understood search engines so well that | we knew there to be only one mathematically optimal way | to build search engines. | | Since we don't understand search engines that well, there | is a LOT of value in the exploration over the space of | search engines that these different companies represent. | | The broken window fallacy argument is that those speaking | of the benefits of the broken window are mistaking | maintenance cost for generated value. That doesn't seem | to be the case here. This is society implicitly investing | in exploration over exploitation. | nske wrote: | Well, in reality there wouldn't be one optimal product, | there would be many, for the reason that you said -and | for human reasons. | | However they would still be able to borrow good bits from | each other and gain insight on how things could be done | differently to what result, so arguably the end result | would be a win. From a technical standpoint (I think | where it gets messy is when we try to factor in the | business implications). | stereolambda wrote: | While I'm no fan of these companies, I'm not convinced by | that particular argument for FOSS either. Imagine the | world where we would be always iterating on one | lineage/model of refrigerator, each automobile type etc. | instead of many companies rebuilding basic stuff. I don't | believe we would be better off. Not all progress can be | driven by consensus and iteration, some needs to be done | by competition, divergence and outright discontinuing old | approaches. | fao_ wrote: | I mean, there's a fatal flaw in the broken window fallacy | anyway: | | > It is not seen that as our shopkeeper has spent six | francs upon one thing, he cannot spend them upon another. | It is not seen that if he had not had a window to | replace, he would, perhaps, have replaced his old shoes, | or added another book to his library. In short, he would | have employed his six francs in some way, which this | accident has prevented.[1] | | Capitalism is about _acquiring capital_ , i.e. money. | There's no such evidence that people _with_ money | actually spend it in ways other than investment, and the | sole purpose of that isn 't to donate to companies that | need it, it's to profit off it and essentially hoard | _more_ capital. Sure, _poor_ people with either very | little or no capital spend that capital on necessities, | and thus drive the economy, but there 's no evidence that | people _with large amounts of capital_ spend that on | anything at all, there 's more evidence that they hoard | it and seek only to acquire more capital. The entire | system is built to favour those people. | djrogers wrote: | We're getting way off topic here, but you have a horribly | misguided premise here. A typical shopkeeper is not in | the .1% 'cash hoarding' class. Small businesses are | mostly run by people with average resources, and their | capital is typically spent on their business and personal | needs. | uHuge wrote: | That feels like strict oposit of the falacy claim, which | would hold in case of perfectly stable and suppied | currency is employed. Still would be rational to invest | research, diversify against theft etc. | carapace wrote: | I think you're reading too much into it. | | If you have to pay to replace a window that should have | lasted, say, ten more years, that's money you now cannot | spend on improving your factory somehow. | | It is still economic activity (and the glazier doesn't | mind the work) but it's remedial rather than generative. | (The glazier that repairs the window _could have_ been | installing a new one in a new factory, eh?) | asdkhadsj wrote: | Possibly, but in this case I didn't expect them to make | Keybase profitable, if anything I expect the opposite. I | expect Keybase to be a FOSS, foundation for profitable | extensions that the company builds and sells. | | Arguably I think they agree with me, about the extensions | at least. As seen by their seemingly random directions of | feature extensions that Keybase was prone to. My issue is | not that they chose random features to try to make | profitable, but rather that the core premise, a public | keystore, was tied so closely to a for profit company. | | It would be like losing Git because Github went under. | _(Though, terrible example because Git works without a | centralized repo, but it 's just the first company <-> | FOSS relationship that came to mind lol.)_ | 411111111111111 wrote: | It's actually a pretty good example to be honest. | | Keybase was a centralized key storage with value-add | services such as file storage and chat. | | That was absolutely comparable to github, as you could've | just gone back to manually syncing pubkeys and encrypting | msgs. If github went away, you'd be without a lot of | value-add services as well such as wiki, issues user | management etc | | Realistically speaking, nobody is going to do that... And | tbh, it was already dead in the water when they added | crypto currencies... Just took a while for their money to | run out. | | The actual difference is that there are enough competing | products for github, not for keybase however, as that is | just too niche | semi-extrinsic wrote: | Maybe "losing Ubuntu if Canonical went under" is a better | analogy then? | plebian wrote: | Zoom is actually one of the view applications that can screen | share on Wayland | | I believe it's only enabled for a few distros though | dcow wrote: | If you know how to make that work I'm all ears. I run | Debian testing, wayland, gnome. I tried to screen share | yesterday and got a popup about how its not supported. | Maybe mu zoom client is out-of-date? | ISL wrote: | What does "enabled for a few distros" mean? | RMPR wrote: | Does it work with the browser version? | nvarsj wrote: | Zoom uses a proprietary gnome API / hack to do it I | believe. It works on Gnome only. Note that with pipewire, | wayland screensharing already works on Chrome/Firefox (for | all of the video chat apps), and it will come to electron | eventually. I imagine in a year or two screensharing on | wayland will become seamless for most things. | f38zf5vdt wrote: | If Keybase acquired Zoom (haha), then, sure. This is a PR | move for a public company. They'll probably gut Keybase, move | their Chinese server generated AES128 keys to AES256 keys | generated by you and uploaded to their Chinese server, then | call it a day. | | I can't think of a single instance where acquisition of a | smaller company like this resulted in an improved version of | the original product. How many of us are running RHL? Skype | is now close to Microsoft spyware that's impossible to remove | from a Windows installation. Facebook purchasing Whatsapp, | another service that formerly stressed encryption, resulted | in things like plaintext backups of your texts on Facebook | servers being aggressively promoted as soon as you loaded the | app. | | It's pretty much always cheaper to gut the original product, | ignore the problems with your software, and enjoy the | enhanced price of your shares while effectively spending no | more money than you had for the original acquisition. As far | as I can tell, Keybase has never had a business model or | constant source of revenue. | fwn wrote: | > Facebook purchasing Whatsapp, another service that | formerly stressed encryption, resulted in things like | plaintext backups of your texts on Facebook servers being | aggressively promoted as soon as you loaded the app. | | Ia that the case? AFAIK WhatsApp gained proper end to end | encryption after being bought by Facebook and pushes for | backups to Google (and maybe iCloud?) servers. | | Wikipedia writes: | | > WhatsApp was initially criticized for its lack of | encryption, sending information as plaintext. Encryption | was first added in May 2012. In 2016, WhatsApp was widely | praised for the addition of end-to-end encryption | | https://en.wikipedia.org/wiki/WhatsApp | f38zf5vdt wrote: | Whatsapp announced encryption to the world in 2012. OWS | helped secure their app further after the 2014 | acquisition by FB, but encryption was something stressed | by Koum and Acton from the get-go. Integration of E2EE | into Whatsapp/FB Messaging is one of the few examples of | Zuck being on the right side of things. | | Long term it ended up pretty good, with Koum and Acton | taking their acquisition money bags and pouring them into | FOSS projects like FreeBSD and the Signal Foundation. | Maybe malgorithms will do the same. | | https://en.wikipedia.org/wiki/Timeline_of_WhatsApp | | > pushes for backups to Google (and maybe iCloud?) | servers. | | Yeah, I was incorrect. They backup to Google servers. Not | sure if that's better or worse. :) | | Since then, FB has offered willingness to cooperate with | foreign governments to break encryption. I guess we will | see what happens with the EARN IT Act. | | https://www.bloomberg.com/news/articles/2019-09-28/facebo | ok-... | | RHL might be a bad example too, since Fedora is still | pretty prominent, even if not often used compared to | debian or debian-based distros these days. | fredfjohnsen wrote: | I can. https://www.jamf.com/products/jamf-connect/ | https://www.jamf.com/products/jamf-protect/ | colinstrickland wrote: | Apple aquired NeXT and completely reinvented their | organisation based on that. | gk1 wrote: | Anything positive can be called a PR move if you're cynical | enough. | core-questions wrote: | Who gives a fuck about Wayland, honestly? It seems like it | was designed by people who didn't like the few good things | about X and wanted something to further fracture the Linux | desktop. Well, they got it. | | > Zoom needs people who know how to make modern client | software | | It's the best video client available on Windows / Mac and | works acceptably on Linux, what exactly needs to be more | "modern" about it? Slack's video call thing is way less | featureful, and Teams is still the abortion that is Lync / | Skype for Business under the hood which is and always will be | shit-tier. | | > chat | | I don't want my video app to be my chat app. There's any | number of reasons why separation there is a good thing. I can | start a Zoom call from Slack in 1 second, what more do I | really need on that front? | andrewaylett wrote: | > people who didn't like the few good things about X | | Since these were also pretty much the only people who were | putting effort into maintaining X, I think it's reasonable | that they decided to replace it instead. | | The history of X is a history of forks. But we've not seen | another X fork appear to compete against Wayland. Instead | we see the people who are writing Wayland continuing to | retrofit the new technologies they're able to bring back, | back to X. | skykooler wrote: | Wayland was designed by people who didn't like the features | of X that almost nobody used (X forwarding, for example). | And X is still around for those obscure use cases, while | Wayland can serve almost everyone with a much simpler and | cleaner system. | | Now, why Canonical decided to go off and write Mir instead | of collaborating on Wayland development, I have no idea. | pavel_lishin wrote: | > If keybase ultimately gets secure video, and zoom a | security architecture overhaul, how is that a bad thing? | | If. | StreamBright wrote: | Why would it be? | cactus2093 wrote: | I remember thinking they were neat a few years ago, I made an | account and tried out exchanging some keys. It's slick but I | don't see how it was ever going to be a mainstream product for | non technical users who mostly don't even understand what | encryption is. Haven't heard anything about them since, I kinda | already assumed they were dead. | dgellow wrote: | It doesn't have to be mainstream. A niche product can be | viable. | | Unless you begin to accept investors money who want an | exponential growth at all cost. But if that's what you want | as an investor, no idea why you would invest in Keybase. | zcid wrote: | You can also have investors that buy into a company because | it is counterproductive to their goals. Not all investments | are meant to produce financial profit. | fwip wrote: | Sounds like good timing that https://keys.pub has become usable | recently. :) | bloopernova wrote: | > So, yup, keybase is dead. | | Well, shit. | | Keybase had an _amazing_ potential. I use it every day to ad- | hoc securely share /store stuff. It will be sad to see it | wither even more than it has. :( | herval wrote: | While it's a cool tool, what exactly was the (commercial) | potential Keybase had? I could never tell. | bloopernova wrote: | Ability to assign roles(groups) to heterogeneous users. | | So imagine being able to add user@domainA.com, | user@domainB.com, and name@nonprofitname.org to cool-dev- | group and them being to instantly be able to access the | relevant chat rooms, git repos, shared folders, etc. If | password/secret management had been added, then access to | that too could have been allowed. If SSO/Oauth had been | added, then any service could be covered by this sort of | role-based-access-control-for-anyone. | | So no user has been created, they're using their existing | identity to access new resources. With some extra coding, | triggers and events could have been added to do things like | auto-sign public keys. | gallamine wrote: | Secure filesharing and chat, for starters. Secure digital | wallets tied to identity. It was a wallet platform I'd | actually be interested in. | chupasaurus wrote: | Encrypted git repos with ties to team chat... | neltnerb wrote: | Lucky for us it is open source? I was hoping to use it to | replace Dropbox but they kept not taking my money... small | wonder they went for the acquisition. | ackbar03 wrote: | What was the main difference with this a drop box though? | It's encrypted? | [deleted] | chupasaurus wrote: | The data is stored after encryption by client which are | open source (and by using boring(c) crypto schemes). | thayne wrote: | > it is open source | | Not exactly. The clients are open source, but the central | server isn't. See | https://github.com/keybase/client/issues/6374. It might be | possible to reverse engineer the server, but it would be a | lot more involved than just forking the project. | thayne wrote: | The best scenario would be if this led to keybase open- | sourcing the server as well. I have no idea how likely | that is. | neltnerb wrote: | That's unfortunate. I assume Zoom would have no interest | in open sourcing the server software now that they've | paid for the cryptographic expertise and code, but I | think the previous owners might have been willing to... | surprised they never did, maybe they decided they'd never | get bought if they did. | | A shame, it seemed to work really well. Maybe Zoom will | be willing to take my money to be a DropBox end-to-end | encrypted cloud sync service instead, they seem to be | fairly on the ball with responding to complaints and that | they decided it was worth buying Keybase to improve their | service maybe they'll come out alright. | | Wishful thinking maybe =) | dgellow wrote: | Is the server open source? I know that the client is, but I | haven't found sources for the backend. | an_ko wrote: | It's not: https://github.com/keybase/client/issues/6374 | xiphias2 wrote: | ,,helping to make Zoom even more secure. '' | | Wow, this means that keybase stuff thinks that Zoom is secure | already. Zoom should have hired people who don't think that | way. | dasil003 wrote: | Keybase product and engineering do not think this way. | Corporate PR thinks this way. Don't get it twisted. | lgessler wrote: | Come on, the engineers at Keybase are serious crypto nuts. | Give them some more credit | INTPenis wrote: | How can they be so obvlivious though? Their own blog post | doesn't even mention the tarnished reputation Zoom has acquired | lately. | | A lot of people will stop developing integrations for Keybase | because of this. It's sad. | mc32 wrote: | They're not oblivious but two things; you don't bite the hand | that feeds and it's easier to get someone to see your side of | things when you agree with them. Confrontation will not help | to fix Zoom's culture of insecurity. | tensor wrote: | That's probably why Zoom is buying them, to double down on | security and repair their reputation. They genuinely seem to | be putting all their focus on improving security. Seems like | a smart buy to me. | [deleted] | coldtea wrote: | > _How can they be so obvlivious though? Their own blog post | doesn 't even mention the tarnished reputation Zoom has | acquired lately_ | | I'd say, don't overestimate the tarnished reputation (= some | news stories for a while, most didn't read or care about -- | including corporate users). | | And of course they wouldn't get into it in a press | release/blog post for an unrelated to the issue acquisition! | Doesn't make sense to sabotage themselves this way... | bjoli wrote: | Sure, the reputation might be tarnished, but to it seems like | they have hired recently to ensure people that they are | taking measures to change that. | | This seems like an extension of that. If anyone has thought a | lot about multi-party encrypted communication it is the | keybase folks. | mtmail wrote: | Zoom is publicly traded. Assume their blog post had to be | approved by Zoom's press department. | momokoko wrote: | They aren't. They are making a lot of money which is what the | business was made for. | | The post is actually refreshingly honest that keybase is now | abandoned and will probably die at some point. | | The idea that companies were stupid enough to place their | internal identity on some random 3rd party is so incredibly | stupid that it's hard to feel too bad for anyone. | | Congrats Keybase! | formercoder wrote: | Thank you. Keybase had investors and I'm sure the premium | Zoom offered was unbeatable. Zoom can effectively pay | infinity with equity. Those investors knew that this was | the best way they'd ever have to realize gains. That's why | they invested in the first place. | gwd wrote: | Well, when FB bought WhatsApp, its founders stayed on for | a bit to vest his shares then founded Signal with his | "screw you" money. Maybe some of Keybase's founders can | do the same thing. | tass wrote: | Founded 'Signal Foundation' with Signal's creator. Signal | was around before FB bought WhatsApp. | bigbob2 wrote: | Unless I imagined it, they previously said publicly that | they were unlikely to pursue a sell like this because they | had succeeded at previous companies and cared more about | the impact this product could make than the profit they | could make from selling it. I based my decision to agree to | the terms of Keybase around this statement which I can | conveniently no longer find. I suspect it was in one of | their airdrop announcements, and conveniently those links | don't work in the Wayback Machine. | windthrown wrote: | You are referring to this Github Issue: | https://github.com/keybase/keybase-issues/issues/788 | | "Yes, we sold our previous 2 businesses. But I want to | point out that (1) neither of those sales ever hurt (and | arguably both sales greatly helped) our users, (2) | Keybase deserves special consideration which we are aware | of, and (3) both Max and I are happy in a world where we | never try to sell a company again, and only build things | we like." | | I feel silly for falling for it too. Even very wealthy | people enjoy extra money. | AgloeDreams wrote: | > They are making a lot of money which is what the business | was made for. | | I miss the days when businesses existed not just to serve | investors but also their employees and the common good. | It's like a 1%-er meta profit model where the actual | business is in buying and selling the business and the core | business is really just a temporary front that is designed | to never make a profit, just create fancy looking charts | and eventually bait and switch consumers when it is sold to | the highest bidder and the employees all eventually lose | their jobs. | | One day, VC funding will either be illegal or required. | considering the flow of money in this exchange, I'm betting | on the second. | floatingatoll wrote: | I miss the days when businesses existed not just to | support free users but also their revenue model and | profits. It's like the 0%-er meta profit model where the | actual business is in building and marketing the userbase | and the core business is really just a temporary front | that is designed to never make a profit, just create | fancy MAU charts and eventually bait and switch free | users when it is sold to the highest bidder and the free | users all eventually lose their service. | | One day, revenue models will either be illegal or | required. Considering the outflow of users in this | exchange, I'm betting on the second. | centimeter wrote: | I think you have a rose-tinted view of what old-timey | businesses looked like. We moved past mom-and-pop | subsistence industry like 400 years ago. No one ever said | "I'm going to create a sheet metal production company for | the common good." | willis936 wrote: | Could you point to examples that support the existence of | this alternate history of which I've never heard of? | centimeter wrote: | To be clear, you are asking for examples of historical | companies that were profit motivated? | logifail wrote: | > No one ever said "I'm going to create a sheet metal | production company for the common good." | | Look up Joseph Rowntree[0] | | [0] https://en.wikipedia.org/wiki/Joseph_Rowntree_(philan | thropis... | ballooney wrote: | You're very wrong. | dfragnito wrote: | Software exists for its users business exist for its | owners more precisely its stakeholder, further divide | stakeholders into the various rights, control, claims on | cash flow, claims on assets, give users the first then | watch what happens. | ativzzz wrote: | > I miss the days when businesses existed not just to | serve investors but also their employees and the common | good | | Uh when was this? For-profit businesses have always been | created for the primary purpose of making money. Any side | effect like employee well being happened to coincide with | what maximized profits at the time or due to regulation. | freepor wrote: | No, when businesses were owned primarily by single | individuals, their priorities were much more aligned with | the goals of a single individual. The owners cared not | only about profits but respect in the community, | influence over politics, etc. and made choices that | today's publicly traded companies would and do not. | djrogers wrote: | > The owners cared not only about profits but respect in | the community | | I think you need to read a little more history. People | haven't changed their core nature in the past 40 years. | Look at Carpetbaggers, the Triangle Shirtwaist company, | and William Hearst for relatively recent examples. | Further back you can look at The Dutch East India | Company, the Knights Templar, and the various and sundry | monopolies that have arisen throughout history. | | People are driven to acquire capital initially to meet | their own needs, then for power. There always have been | people and groups of people who strive for the latter, | not being satisfied with the former. Romanticizing long | dead business owners may play well in movies and books, | but it isn't reflective of human nature. | rabidrat wrote: | Pre-1970 or so. Before Milton Friedman, there was a | general sense that companies existed to fulfill some | mission, with profit as a means. The CEO of Kellogg | commented on this in an interview ca. 1980, that money | for a business is like a gasoline for a road trip. You | need it to get where you're going, but the point of a | road trip is not to accumulate as much gasoline as | possible. | nickik wrote: | This a perfect example of how mythical history of the | left totally distorts peoples view of history. | | Kellogg also burned girls clitoris away because he was | against masturbation. Other then he had incredibly toxic | fights about the right to the IP and broke his relation | with his brother. Clearly he didn't care about profits. | | Also a single example doesn't prove that things were | structurally different. There are tons of companies now | that exist with different goals. | snowwrestler wrote: | Is this a joke? The bulk of the labor movement happened | before 1970, and it was not because workers were so well- | treated and well-compensated that they had a lot of free | time on their hands. | | I'm a big fan of business and entrepreneurship, but let's | be clear here: there is a reason we invented government. | There was never a time when we could 100% count on the | beneficence of business leaders to advance social goals. | | Edit to add: I'm not trying to demonize all business | leaders here. There are some bad actors, but even | business leaders who desire to do well have to succeed in | the marketplace--even against bad actors. Unfortunately, | doing bad things in business often confers the benefit of | lowering costs, which is a competitive advantage. This is | a known structural issue with a marketplace economy and | why we need more than just business to have a good | society. | rabidrat wrote: | Of course, there have always been bad businesses. The | difference between pre-1970 and now, is that we've not | only socially legitimized the maximization of profit, | we've also all but legally mandated it. Now even "decent" | business leaders like the CEO of Costco have to | continually answer to their shareholders as to why | they're not lowering wages and reducing benefit--and in | Costco's case, the shareholders may try to take legal | action to force them to lower costs, even though Costco | the business is already quite profitable. Due to lack of | labor regulation and the mantra that "business are | required to maximize shareholder value", Costco's decency | is fully dependent on its CEO's (unusual) fortitude to | fend off those shareholder demands. When its leadership | changes, its ability to care for its employees will | likely revert to the mean, which as we see in today's | environment is abysmal. | | So really, it's not that "there are some bad actors", but | that "the system strongly encourages businesses to | install these so-called bad actors as their leaders". I | agree with you, that we need strong government labor | regulations to counter this mentality, but this mentality | is why these regulations have deteriorated over the past | 50 years. | asveikau wrote: | Your idea is not an inevitability but actually from the | late 20th century, and became very popular starting in | the 80s. | | Here is a link that showed up in google for me when I | tried to find support of this claim: | https://www.washingtonpost.com/opinions/harold-meyerson- | the-... | ativzzz wrote: | Sure, and here is a counterexample from the 1600-1800s: | https://en.wikipedia.org/wiki/East_India_Company | | Literally they bought an army and took over India for | money. | asveikau wrote: | Need to keep in mind we now remember this endeavor as | ethically challenged, but was it literally 100% for money | or did want of these goods play a role: | | > cotton, silk, indigo dye, salt, spices, saltpetre, tea, | and opium. | | Surely access to those provides some benefit other than | making money, which it also did for them. | | Also worth noting that not every company is ... _that | one_. | wutbrodo wrote: | > was it literally 100% for money or did want of these | goods play a role: > cotton, silk, indigo dye, salt, | spices, saltpetre, tea, and opium. Surely access to those | provides some benefit other than making money, which it | also did for them. | | This is an utterly meaningless distinction. Money is | fungible with all of those goods. | asveikau wrote: | I am not sure you are using fungibility completely | correctly because the goods have a condition, are | perishable, they can be bartered or traded or maybe are | fungible with respect to each other but are not literal | money and literally interchangeable with money. | | Anyway, if you want to go down that path you can easily | conclude that literally any good or activity is just | money, that you live a money-dominated life and we all | exist for money all the time and while useful in some | contexts I don't think it's particularly apt, but I hope | you enjoy it. | ativzzz wrote: | > literally any good or activity is just money | | In the grand context of life, no (despite the vast | majority of large scale events that we learn about in | history being usually a result of conflict over | money/power) , but in the context of business, as this | thread is, yes in a for-profit business literally every | good and activity is about money. | | Some businesses may choose to sacrifice money for things | like employee well-being or community contribution, but | that's a choice they make, or more likely are forced to | make. | willis936 wrote: | Prior to the 1980s. | | https://en.wikipedia.org/wiki/Shareholder_value | [deleted] | verytrivial wrote: | > doesn't even mention the tarnished reputation Zoom has | acquired lately | | I'm interested to know if you thought keybase doing the whole | unsolicited Initial Coin Offering was a reputation tarnishing | or polishing event for that company. (I'm circumspect about | both of these outfits to be honest.) | OJFord wrote: | Isn't getting bought and there being no plans for your business | bonkers? Or at least, it's a bonkers/highly-unusual admission | that it's an acqui-hire. | pwinnski wrote: | Bonkers how? Zoom gave them money, they took the money. | emersion wrote: | https://keybase.io/account/delete_me | ashconnor wrote: | Make sure you sell your free Lumens before you delete your | account. I got $55 a few months ago. | nathcd wrote: | Anybody else having trouble deleting their account? When I go | to /account/delete_me, I get redirected to | /?next=%2Faccount%2Fdelete_me, which is just the home page. | Also, I get the logged out navigation bar even after logging | in. Logging in seems to just redirect me to my own profile | page. (I've got my content blockers disabled, etc.) | | Edit: deleting my cookies and re-logging in did the trick, in | case anybody else hits this issue. After re-logging in I now | have one fewer cookie than before, so I must've picked up an | extra cookie that was screwing with their auth handler or | something. | seemslegit wrote: | ha ha ha ha ha ha | | ha ha ha ha ha | | ha ha ha ha | | ha ha ha | | ha ha | | ha. | drcongo wrote: | This is horrible news. | p0llard wrote: | Oh wow, I had a guest lecture from Max Krohn yesterday in which I | asked about how Keybase was being funded; no mention of this at | all! | lexicality wrote: | Possibly because of the confidentiality agreements everyone | signs at the start of an acquisition? | p0llard wrote: | I'm sure, I just found it amusing that it comes so soon after | I directly asked about it! | otachack wrote: | To be fair, that seems a common question to ask Keybase | prior to the acquisition :P | crad wrote: | Well that sucks. I'm glad they got an exit. I won't be using them | moving forward due to trust issues with Zoom. | TomGullen wrote: | Zoom trading at ~1,700 P/E which to me seems absurd. Wonder if | the acquisition involved much stock! Seems like a good time for | Zoom to make transactions like this. | m3kw9 wrote: | PE is price to earning, but if you look at earnings when is | very low(barely making a profit), the number will be very high. | So people tend to project the Earnings a year or so, and it | would fall drastically. | davedx wrote: | Can you explain this in a little more detail please? Would love | to understand more. | durkie wrote: | I think the thought GP was expressing was that it would be a | good time for Zoom to make an acquisition of Keybase paid for | in Zoom stock since Zoom stock is trading at a very high | multiple of Zoom's earnings. | | Some people would regard this stock price as unsustainable | compared to historic/similar earnings multiples, and that the | stock will likely decrease in value in the "near" future. So | from Zoom's perspective they may as well buy as much as they | can while their Zoombucks are worth a lot since they'd be | parting with fewer shares now than if they made the | transaction later on. | [deleted] | dpflan wrote: | Sounds like: stock price is high so use its value to its full | extent while the price is high and more valuable. Allows | selling/granting of fewer shares of stock too. | gumby wrote: | Many are bemoaning what zoom will do with Keybase, but the code | is bad licensed so nothing's stopping anyone from forking the | repos now and building a parallel distro. | | Realistically this is probably the best outcome for the Keybase | team as they presumably have jobs for the foreseeable future. | zanderz wrote: | The server was never open source and that will be a pretty big | obstacle to the product living on beyond the company. That and | maybe the Amazon S3 bill. | soulofmischief wrote: | I have moved much of my digital life to Keybase. This news brings | me much fear but I just pray that Zoom takes the best parts and | then allows Keybase to continue to function as a goodwill venture | at least until a suitable replacement appears. The software | package Keybase offers is unbeatable. | reneberlin wrote: | 1 Trillion? 10? maybe 5 Billion? What if they all kill themselves | after 14 days waking up in a zoom-meeting? | | "Don't come around here no more" -tompetty i hear along the | lines. | | Maybe you can go sunbathing with US-leaders, or US-businesspeople | on behalf of their own island. But, come clear: you cashed out, | and, in the far, far world, that you would invest the money back | into the dev-world with a cut- you will ephemeral be remebered | as: a cunt! | mrtweetyhack wrote: | Developed in China means code accessible and changed by China | HumblyTossed wrote: | Now if they'll just push that server code to github... | crazygringo wrote: | Everyone here saying Keybase is dead... why hasn't anyone | mentioned that Keybase is open-source? New BSD (3 Clause) | License. [1] | | So regardless of what happens to it with Zoom, the community can | fork it and continue developing it, no? | | So if people don't want it to be dead... it's not dead. That | seems like great news, right? (And great foresight?) | | [1] https://keybase.io/docs/the_app/source_code | coldpie wrote: | I know we all like to pretend it's all passion projects, but | the reality is that with very few exceptions, developing large- | scale, end-user-ready software costs money, regardless of the | license. If devs aren't getting paid, they're not going to work | on it. Keybase is dead. | wink wrote: | Despite being one of the earlier signups I have never fully | grasped what it's actually good for. | | Time and time again I forget about it and when I check the | website it seems to be doing something different - but it all | sounded very centralized, first the gpg keys, then the file- | sharing and chat - it doesn't seem to be federated. | | So unless some entity steps up as the de-facto api-compatible | replacement, I don't see how having the code alone would help, | unless you want a chat solution for a handful of users? | eropple wrote: | The backend isn't open-source, AFAIK. It isn't a full reverse | engineer job to implement that, but it's not trivial. | alwillis wrote: | I woke up this morning and read this and literally thought it was | a belated April fool's joke or something. | | Best case scenario: the Keybase app gets spun out and gets an | appropriate home. | Phosphenes wrote: | Keybase launched in 2014 as a directory for public encryption | keys and has since grown to include secure messaging and file- | sharing features. Keybase profiles are meant to serve as the | center of your online identity: Keybase verifies you, and it | verifies that you actually own other online accounts that belong | to you. From there, people can visit your Keybase profile and | feel confident that any account claimed is an authentic one. | Usually, these profiles include encryption keys that can be used | to securely contact a person. | underyx wrote: | Keybase's side of the announcement: | https://keybase.io/blog/keybase-joins-zoom | | > What the Keybase team will be doing | | > Initially, our single top priority is helping to make Zoom even | more secure. There are no specific plans for the Keybase app yet. | Ultimately Keybase's future is in Zoom's hands, and we'll see | where that takes us. Of course, if anything changes about | Keybase's availability, our users will get plenty of notice. | | > So, our shortest-term directive is to significantly improve our | security effectiveness, by working on a product that's that much | bigger than Keybase. We can't be more specific than that, because | we're just diving in. | | They're not even making the usual "Zoom is committed to keeping | Keybase alive" promise :( | m3kw9 wrote: | They are buying Keybase to shore up their security, why would | they still give them time to keep it up unless, they want to | also integrate their message service into Zoom chat. | swyx wrote: | is this an acquihire then? | jng wrote: | If so, it would be in the unusual shape that it is a top- | dollar one rather than cover-the-failure-with-a-pretty-ending | one. But in this case, Zoom is probably actually interested | in the security tech that Keybase has apart from the talent, | they're just not interested in the product. | swyx wrote: | did i miss something? how do you know its top-dollar? no | dollar amount was disclosed. | jng wrote: | No, you didn't miss anything. As you probably expected, | it's just my deductions from context. I may be completely | wrong. I still do believe in them, but obviously no one | else needs to. | seemslegit wrote: | "to make Zoom even more secure." I mean, this might take a | while. | seba_dos1 wrote: | I can easily see the words "even more" being added only after | rounds of reviews :P | dang wrote: | (We've since changed the URL from | https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keyb... | to that one) | sincerely wrote: | Hi dang, are there any plans to introduce a marker of some | sort so that people know whether the current URL is the same | as the one it was submitted with? I find that often I have no | idea what the comments are talking about | dang wrote: | It's not clear to me whether that would add more signal to | the comments or more noise. | | If you have specific links to cases where this has been a | problem, you'd be welcome to send them to | hn@ycombinator.com so we can take a look. Or keep that in | mind for the next time this comes up. | ForHackernews wrote: | > Zoom Acquires Keybase and Announces Goal of Developing the Most | Broadly Used Enterprise End-to-End Encryption Offering | | So is this real end-to-end encryption, or Zoom-brand "end"-to- | our-server-to-"end" encryption? | itsajoke wrote: | All your Keybase are belong to Zoom. | nullc wrote: | So does this mean getting marketed sketchy cryptocurrencies | during your teleconferences, sending your PGP keys to random | servers in other countries, ... or both? | | Relevant to the acquisition, perhaps: | https://web.archive.org/web/20191122031523/https://github.co... | floren wrote: | I've found kbfs a very convenient way to share files with | collaborators. Anyone know of a self-hosted encrypted remote | filesystem that might replace it? | gnu wrote: | There is tahoe-lafs. Give it a try. | ajb wrote: | This. In fact I've found it pretty useful just for just | personal files. | | There's Tahoe-lafs, which ahs been around for years but, | although secure was originally pretty notorious for being hard | to use. Maybe it's improves since... | ccktlmazeltov wrote: | This is actually a really interesting acquisition, keybase wasn't | going anywhere yet was producing some really good stuff. On the | other hand zoom is a bunch of security and cryptography amateur, | I can't wait to see what's going to happen. Good luck! | metreo wrote: | Keybase is dead long live Keybase2! | eximius wrote: | Does anyone know if Keybase's data retention policy actually | deletes the data if I delete my account? | | I don't want to delete it if it is just a soft delete. | reneberlin wrote: | Lookinmg forward to see what happens to those boys standing up to | make life easier for encryption and idintity. From that point of | view, the project is canceled immediately. | Arathorn wrote: | It's kinda ironic that Keybase disappears into Zoom the day after | Matrix/Riot enabled end-to-end encryption by default, with cross- | signed device verification similar to Keybase's concept of | connected keys - see https://blog.riot.im/e2e-encryption-by- | default-cross-signing.... | | In other words, a fully open source (and open standardised) | alternative continues to exist in the form of Matrix. | | [disclaimer: project lead for Matrix] | RMPR wrote: | I was about to complain about your desktop Electron app but it | seems that spectral[0] is already usable without any hassle | (build from source, ...) at least on Fedora, time to reactivate | my Matrix account, keep up with the great work | | 0: https://gitlab.com/spectral-im/spectral | Hitton wrote: | Alternatively Mirage[0] - Qt + Python. There is really a lot | to choose from with Matrix. The beauty of open protocol. | | [0]: https://github.com/mirukana/mirage | RMPR wrote: | Seems like on Fedora the only mirage available is Mirage | the image viewer | | http://mirageiv.sourceforge.net/ | RIMR wrote: | You can install the other Mirage on Fedora by following | the instruction in the Github link... | roblabla wrote: | There's also Fractal[0] which uses GTK+ instead of Qt, and is | maintained by the Gnome foundation and planned to be used by | the Librem 5 AFAIK. | | [0]: https://matrix.org/docs/projects/client/fractal | RMPR wrote: | Unfortunately, can't find it in the Fedora's repo | uneekname wrote: | I know it isn't ideal, but Fractal is available through | Flatpak and Snap | gnufx wrote: | But unfortunately these alternatives don't have the same | encryption support, do they? (Some seem not to have any.) | Arathorn wrote: | https://blog.riot.im/e2e-encryption-by-default-cross- | signing... has a list of E2E-capable clients. For instance, | Mirage, mentioned as an alternative here, has full E2EE | support (but no cross-signing yet, given it's brand new). | zfnmxt wrote: | It's funny, but I think I get most of my Riot/Matrix news from | your comments scattered about hacker news. | | Anyway, I run a matrix server for my family (and we all use the | Riot client) and the number one issue is encryption and | mysterious "Unable to Decrypt" messages. (Closely followed by | how rough the Android client is.) This fixes all of that (well, | once RiotX replaces the standard Android client) and I think it | will remove a lot of friction. | | Thanks for your work! | packetlost wrote: | Matrix and Keybase have entirely different goals and | functionalities. There's barely any feature overlap besides | end-to-end encrypted messaging, but it's not like XMPP hasn't | had that for years. I think it's silly to even compare the two | KAMSPioneer wrote: | Holy crap, the Matrix/Riot teams have been busy! Congrats on | the progress, it's very exciting to watch. Although I have a | Matrix account I have had trouble getting friends/family to | switch with me (mostly non-technical folks, and Signal was much | stickier for them), it might be time to convince them to try | again. | | Thanks to you and the team for all the hard work! | mikro2nd wrote: | Interesting. I've turned quite a number of non-technical | friends/family into Signal users, just by telling them, | "Here's the messaging app I'm using if you want to talk to | me..." without mention of encryption until they're already | hooked. Uniformly comments have been favourable concerning | ease-of-use and quality of voice/video calls (at least | compared to what they're already used to -- generally Zoom or | Skype), and several of them have pushed it out to their | networks in turn. | KAMSPioneer wrote: | Oh definitely, my experience is similar. Sorry if I was | unclear: by Signal being "stickier" than Matrix I meant | that I've had better luck getting friends to continue using | Signal than continue using Matrix. So far, anyway. | SAI_Peregrinus wrote: | Ease of use is the big elephant-in-the-room issue for | Matrix. | | The only way I've found to join a room is the `/join` | command. There's a GUI search, but it doesn't work. | | Users have to pick their identity provider, their home | server, etc. Lots of choices, scary messages, and generally | annoying to set up. Services that depend on someone who is | technically inclined setting things up never become | widespread outside technical communities. | | If users pick an unreliable server to connect to, or | there's a network split, things break, just like IRC does. | | There are several clients, all slightly different. It's up | to the user to pick which one they want, when they've never | used any of them and just want something to work. | | It's better than IRC, but that bar is so low you'd have to | bury it to get any lower. | ccktlmazeltov wrote: | > The only way I've found to join a room is the `/join` | command. There's a GUI search, but it doesn't work. | | never used that /join command, the GUI works fine for me | Arathorn wrote: | The GUI search should work fine these days. (It was | broken about 6 months ago due to the room lists getting | too big, but was fixed in https://github.com/matrix- | org/synapse/pull/6019). | | It's true you have to pick a server to use, but we try to | provide decent defaults (although it's true matrix.org | has been overloaded recently). | | We're trying to simplify onboarding via P2P Matrix - by | default, you'd start off entirely P2P, and only pick a | server if you want to 'anchor' your account somewhere. | | I have a feeling you may be going off outdated | impressions here; we've been desperately trying to | improve UI/UX (as per | https://blog.riot.im/e2e-encryption-by-default-cross- | signing... and https://blog.riot.im/e2e-encryption-by- | default-cross-signing...). | SAI_Peregrinus wrote: | I last used it for the recent (Thursday, April 30th) Rust | Zurich meetup. I've got it installed via apt, and updated | to | | riot-web version: 1.6.0 olm version: 3.1.3 | | Search didn't find the room. /join did. | | Also it just took me over a minute to find the version | number, because the client settings are hidden in a | dropdown menu under my user name, not in the gear icon | (tooltip "settings") on the upper left or the hamburger | menu that says explore, and even in the right dropdown | it's under "settings->help & about" instead of just under | "help" where the "about" box has lived in every single | program since the '90s... | Arathorn wrote: | Well, if search didn't find the room, it sounds like a | plain old bug. (Or was the room marked ex-directory?) If | you can file details at https://github.com/matrix- | org/synapse/issues we'll dig into it. | | And noted, in terms of the version number being in the | wrong place on Riot/Web. | folex wrote: | Awesome work, thank you for that! Keep it up! :) | Legogris wrote: | I've been looking into Matrix as a "personal IM bridge" and I'm | thinking this could be a way for Matrix to get traction. | | Let's say you're in a position that I think may here are: You | would prefer to use IM in a secure way. Let me qualify "secure" | for this purpose meaning: Encryption of communication in rest | and transit; not relying on a single infra/network/service | provider; being able to communicate with new peers easily | without having to sign up with new providers; not requiring | sign-ups leaking PIIs such as phone numbers; being able to sync | message history across devices; all of this should hold for | group conversations. | | matrix.org seems to be on the right track towards that. | Feature-wise there's some missing pieces in terms of federation | but the roadmap looks like the ambition is right. | | But in practice, it's realistically years until you can meet a | random person in a bar and ask to join you on matrix to stay in | touch, so many of us will still keep our accounts on the not- | as-great platforms such as FB, Skype, WhatsApp, Signal. | | Given that, wouldn't it be nice to facilitate using those | platforms in a way that 1) absolves you from the behavioral | tracking that comes with most of the first-party web- and | smartphone apps and 2) integrates them in the same UI? | | There are, of course, solutions to this end. Bitblbee (IRC | gateway), libpurple (pidgin, finch), third-party clients like | franz. I'm sure there are many here who have or are using | libpurple or bitlbee for this. | | But matrix also has bridges! | | I'm thinking one potential way that matrix could really get | traction and seed the network infrastructure would be just | that. Given stable gateways for the IM networks people already | use, it's suddenly a _much_ easier sell to get enthusiasts and | power-users to self-host matrix servers just to solve their own | bridging needs and get a unified flow for disparate protocols. | | As that grows, eventually there's a large spread-out flora of | matrix servers that can become part of something larger. | | I think if there's one thing that can make matrix succeed in | it's mission, it's stable, feature-complete (or at least | ticking the important boxes for the majority) bridges to | mainstream services such as Facebook, Whatsapp, Signal, LINE, | Skype, Google and Keybase. | | I think this should be a focus for Matrix, and amazing it would | be to have these be the fruit of voluntary contributors, some | funding is likely required if it's to be sustainable as | proprietary protocols and endpoints will inevitably break. | | What's your take on that? I realize it's a long comment and I'm | in a bit of a rush, but I'd be really curious to hear how you | think about these things. | toyg wrote: | I'm not Arathorn (and not even a Matrix user yet, barely ever | on Signal too), but the problem with bridges to 3rd-parties | is that you're effectively allowing these non-Matrix users to | keep doing what they're doing, instead of incentivising them | to switch. The walled gardens know this very well - that's | why they've discontinued their XMPP gateways. | Arathorn wrote: | We're working on making bridges better integrated in Matrix | to help with this use case - it's certainly a good way to | drive uptake. | | On the other hand, bridges are always an impedance mismatch - | you have to keep up with new features on both side of the | bridge, and the system you're bridging into doesn't always | want to be bridged. | | So, we think bridges are a key thing for Matrix (it's where | the name comes from - matrixing together different comms | platforms!) - but it'd be wrong to predicate the success of | the protocol on bridges. They're useful, they have their | place, but they're not the sole reason to use Matrix. | Legogris wrote: | On feature-mismatch, I don't think it has to be that big of | a deal - as long as * delivering messages | and file/image attachments work reliably in both directions | * stickers and other native attachments (location, audio | clips, etc) can be received, not necessarily sent | | , that's absolutely Good Enough for daily use for me and I | imagine many others. | | Reactions and sending of stickers etc optional, but if | that's there, that's basically full parity of what anyone | in the target audience mentioned above could expect. Actual | parsing of non-plaintext data is obviously up to clients | and should be approachable for the average casual | contributor. | | > the system you're bridging into doesn't always want to be | bridged. | | This should be the crucial and challenging part to | maintain. | rakoo wrote: | > This should be the crucial and challenging part to | maintain. | | More than that, some of the system explicitely _don't_ | want to be bridged, because retaining users in their | silos brings in more money than maintaining a window to | the world outside the silo. It's tolerated at best today, | but you can be sure that if a bridge ever get traction, | the Whatsapps/Facebooks/Wechats will do what they can to | block you. | | Rather than betting on the bridges in the long term, I | believe it's in your interest (as a Matrix user) to host | a bridge to Whatsapp, and tell your Whatsapp friends that | it kinda works but it's gonna fail at some point, so they | better have a second account for the future. Install the | account for them even, that removes some of the friction. | But ultimately you have to realize that Whatsapp doesn't | want to talk to Matrix (the situation is completely | different for an open protocol of course, like IRC or | XMPP) | eslaught wrote: | The thing I like about Keybase is that keys are always | generated client-side and never leave the client, and all of | the functionality associated with adding/removing devices is | done in a way so that there's no way for a server to tamper | with it (aside from denying service). | | Is that true in Matrix? Several services advertise themselves | as "end-to-end" encrypted, but then when you poke harder it | turns out either there is some sort of TOFU (so an opportunity | for the server to insert itself) or else there is no device | continuity (which means in the case of e.g. Whatsapp that keys | are reprovisioned almost promiscuously to avoid bad UX). | Whatsapp is a particularly bad example because (a) I lose chat | history when I move devices, and yet (b) the UX does not | require an old device to authenticate the new one, so I can | compromise conversations (at least moving forward) if I can | compromise a server. | | How end-to-end is Matrix really, and how similar is the new | support to Keybase's key management flow? | Arathorn wrote: | Yes, Matrix is properly end-to-end encrypted (with all keys | generated clientside) and has been independently audited as | such: https://www.nccgroup.trust/us/our-research/matrix-olm- | crypto.... We have gone to huge efforts to prevent MITMs via | device verification and cross signing - which specifically | addresses both problems of a) losing chat history when you | move between devices (via https://github.com/uhoreg/matrix- | doc/blob/e2e_backup/proposa...) and b) requiring cross- | signing when you log in on a new device, to spread trust to | new logins, as per https://github.com/uhoreg/matrix- | doc/blob/cross-signing2/pro.... | | All keys are stored clientside, with the exception of if you | enable serverside key backup, when they are then encrypted | and optionally stored serverside to allow you to recover your | history if you lose all your devices. | eslaught wrote: | Just to confirm, if I turn off backup, does anything stop | working aside from needing at least one device to be | operational at any given time? | | Edit: Specifically, is key backup tied to the ability to | recover account history on a new device, or can I still get | that with key backup disabled as long as I have at least | one other device active? | | Edit 2: Can you address this paragraph: | | > One point for super-paranoid users: currently the private | key used to sign your own devices and the private key used | to sign other users are encrypted by your recovery | passphrase/key and stored on the server to allow recovery | if you lose all your devices. We also allow signing keys to | be shared (gossiped) between devices, but right now the | implementation also stores them encrypted on the server | too. This restriction will be fixed in future, but for now | if you don't trust your server with encrypted keys, you may | want to hold off on using cross-signing. | | If I understand correctly, sounds like security is based on | the complexity of your recovery passphrase and an implicit | assumption that the passphrase doesn't get transmitted to | the server... is that correct? | Arathorn wrote: | If you turn off message key backup, all it means is that | if you lose all your devices (and thus your keys), you | will lose your history. Otherwise, if you have at least | one device active on your account, it will receive your | message keys and gossip them (if needed) with your other | devices. You can always do a manual offline backup too | for safekeeping as a workaround. | | > If I understand correctly, sounds like security is | based on the complexity of your recovery passphrase and | an implicit assumption that the passphrase doesn't get | transmitted to the server... is that correct? | | If you use cross-signing, then yes - your signing keys | are stored protected by the recovery passphrase on the | server. We also support gossiping them between devices | (same as message keys), and there's no reason for them to | have to persist on the server. We just need to hook up | the UI to expose that as an option and we ran out of time | to do that before shipping the initial release. It will | follow shortly. | seemslegit wrote: | What endgame do you think your company has other than | eventually selling out its userbase in one way or another ? | Arathorn wrote: | Matrix isn't a company, it's a non-profit foundation, | expressly set up to protect its users: see | https://matrix.org/foundation for details. | | Riot is a Matrix client made by New Vector | (https://vector.im), the company started by the team who | originally created Matrix. The endgame there is to sell | Matrix hosting (https://modular.im), support and other value- | added services for Matrix. We are categorically not going to | sell out our userbase - and we have no reason to; if we did, | they'd just move to a different Matrix service provider. | seemslegit wrote: | I can imagine keybase delivering a similar statement back | in the day, good luck. | dancemethis wrote: | Keybase was always grey area since the server-side was | proprietary. | | Matrix is 100% Free Software and you can run a server | yourself. | Legogris wrote: | I think a key difference here is fully open and | collaborative specs, with Apache-licensed reference | implementations for server and client that they dogfood | themselves. It's also getting federated. So protocol, | tech and network can live on regardless of who's running | the servers people are using or driving the development | of implementations. | seemslegit wrote: | Until one day the foundation decides federation is not in | the best interest of the community, the standards and | reference implementation start to reflect closely the | interests of the leading player[s] with other | implementations having to play catchup. It would have | been a very cynical take if it wasn't business as usual | in our industry. | ccktlmazeltov wrote: | your scenario really makes no sense to me, maybe you're | not familiar with what Matrix is? | Arathorn wrote: | That would be like the W3C declaring that interoperable | hypertext is not in the best interest of the Web | community. Or the Linux Foundation declaring that the | Linux being open source is not in the best interest of | the community. | | It would be utterly sabotaging, and in the case of the | Matrix Foundation, the Foundation is independently | regulated by the UK Government as a Community Interest | Company - and so anyone would be welcome to complain to | the regulator (via | https://www.gov.uk/government/organisations/office-of- | the-re...) that the Foundation was breaking its charter, | and the Directors would face fines and/or legal action. | | This is why Matrix is in a fundamentally different | situation to Keybase, or Zoom, or pretty much any other | communication project out there, and why we spent so much | time (and money) setting it up properly as a non-profit | Foundation. | ryukafalz wrote: | Hi! I use Matrix a lot, but a privacy-sensitive group of my | friends recently switched to Keybase largely due to the per- | room/per-message retention policies. This might be a good | opportunity to convince them to jump ship, and I know something | similar has been in the works for Matrix, but do you know where | it is on the list of priorities? | | (Congrats on the cross-signing release though, it's been a long | time coming and it's been working really well!) | Semaphor wrote: | Hijacking this: Does anyone know if there's a Matrix client | (out or in dev) that has the UI/UX of old 1on1 messengers | (ICQ, MSN) and not chatrooms (IRC, Slack)? Specifically not | the weird list of bubbles on the side, but instead a list of | accounts/rooms and a window per chat. | Arathorn wrote: | I guess Pidgin has that UI, although its Matrix support is | alpha sadly. Not aware of anyone else who's done that sort | of UI yet, but it's only a matter of time. | Arathorn wrote: | We've had per-room/per-message retention policies in Matrix | for months now (although Riot hasn't exposed UX to configure | them yet, as we were drowning in cross-signing work). | | https://github.com/matrix- | org/synapse/blob/master/docs/messa... has the details. | ryukafalz wrote: | Hmm, that document seems to indicate they're disabled by | default in synapse though? | | >Note that over every server in the room, only the ones | with support for message retention policies will actually | remove expired events. This support is currently not | enabled by default in Synapse. | Arathorn wrote: | True - we did a slow roll-out whilst testing. It should | be okay to turn on everywhere now :) | rasengan0 wrote: | The shareholders will be pleased, enterprise and beyond: | https://www.marketscreener.com/ZOOM-VIDEO-COMMUNICATIONS-570... | jokoon wrote: | There were local, volunteering missions to help healthcare | workers, the homeless, etc all done by some "non-profit" in | europe. Those missions had state-sponsored ads, and I volunteered | online. | | As soon as they required me to use zoom, I told them I would not | use zoom. I just go on their whatsapp thing, so of course I get | less info, etc. | | I really fail to understand how Zoom became so popular, and I was | recently wondering the same thing about TikTok, which by the way, | was just a clone of Vine. | | Essentially, with apps like that, advertising and adoption is | critical, the tech doesn't really matter that much. I would | really be interested in understanding what are the strategies in | place to make people use those things. Of course the virus played | a huge role, but I'm certain there are specialists about how to | gain users rapidly. | baumy wrote: | Can't help you with TikTok or Vine since I don't understand | those either (I believe the target market for them is mostly | people around age 21 or younger, so if you're outside that | group that's not surprising). | | For Zoom though, I feel it's quite trivial to see how it became | popular. Of all the various video chat/conferencing software | that exists, Zoom is the easiest for the layperson to setup and | use while also tending to be the best performing in terms of | audio/video quality, latency, large numbers of users on a | single call, etc. My girlfriend was able join a Zoom call with | her parents a few days ago without even telling them how to do | it; yesterday I overheard a 30 minute phone conversation while | she tried to explain to her mother how to edit a facebook post | (unsuccessfully, despite valiant efforts). | | Outside of this niche community, basically nobody knows or | cares about Zoom's various security gaffes. They just want | something that works and gets out of the way. And I say all | this as somebody who has watched others use Zoom a few times | and read about it, but never used it myself nor felt the | inclination to. | | I'm sure you're right about specialists and strategies to try | to spark mass adoption being things that happen, but the | technology matters as well. | ddevault wrote: | Keybase helped me to identify a trend in the software industry: | using a pretty UI to cover up the disruption of an open ecosystem | with a closed, centralized replacement. Keybase seemed cool on | the face of it - making encryption easier is a laudible goal, and | PGP certainly could use the improvement. But, thanks to Keybase, | now I ask different questions upfront. Beware the Keybase | formula: | | 1. Integrates with an existing, open ecosystem | | 2. May have open-source clients, but server is closed source and | does not federate | | 3. Pretty UI and good marketing | | 4. VC funded | soulofmischief wrote: | Keybase packed together many different technologies in one | place. I don't think any of us who moved to Keybase had | delusions that it would be around forever. But it's an | amazingly comprehensive suite for its small scope and the open | source product that replaces it will only exist because Keybase | existed. | | If the writing is placed on the wall (the marker cap is open | right now) then replacing each of Keybase's features with | existing technologies won't be difficult -- just time | consuming, which is why they have market fit. | Legogris wrote: | I don't know how many people here remember the excitement when | Android was new and, OMG, it's Linux! Open source! Finally we | have a Linux-based, free and open phone platform! | | I actually think that this played a non-trivial part in Android | getting early traction - similar dynamic to Gmail where tech | people got excited about it eventually "my friend who's good | with computers recommends this" becomes a factor. | | Not the exact same formula as you formulate above, but I think | there are parallels to draw. | | Embrace, extend, and extinguish, and all that. | seba_dos1 wrote: | I was very excited about first reports on Android. I was | young, starting to earn my first money, and I wanted to spend | that money by getting myself my first, awesome, Linux-powered | smartphone by Google - a company I heard only good things | about. | | Fortunately, I've decided to go with Openmoko instead back | then. I'm so glad I did. | kgraves wrote: | I think we could just stop at: | | VC Funded(tm) | edraferi wrote: | I wonder if we'll get a fully open source release of the | Keybase server out of this. It would be so awesome as a | federated ecosystem... | adtac wrote: | it's more about the VC funding than anything else. it is almost | always the reason for the death of cool software | oever wrote: | Sounds like protonmail. | gruez wrote: | They're vc funded? | nathcd wrote: | https://protonmail.com/about indicates they're funded to | some extent by Charles River Ventures | (https://www.crv.com/). They were initially crowdfunded, | and also get funding from a Swiss nonprofit foundation. | ddevault wrote: | _Fascinating_. | fmpwizard wrote: | I don't know their revenue numbers, but protonmail offers | paid services, unlike Keybase. I hope protonmail doesn't go | the same path. | Endlessly wrote: | This is not a trend, it's a long standing market strategy: | | https://en.m.wikipedia.org/wiki/Embrace,_extend,_and_extingu... | leafmeal wrote: | Can't it be both a trend and a marketing strategy? | 627467 wrote: | I can't help but feel shocked by this development. I guess it's | my fault given that keybase was always potentially a target for | acquisition. | | PR-wise it does not seem to bode well for those who relied on it | for both file, chat and social graph storage... ___________________________________________________________________ (page generated 2020-05-07 23:00 UTC)