Zoom acquired Keybase today.

Keybase helped me to identify a trend in the software industry: using a pretty UI to cover up the disruption of an open ecosystem with a closed, centralized replacement. Keybase seemed cool on the face of it - making encryption easier is a laudible goal, and PGP certainly could use the improvement. But, thanks to Keybase, now I ask different questions upfront.

Beware the Keybase formula:

1. Integrates with an existing, open ecosystem
2. May have open-source clients, but server is closed source and does not federate
3. Pretty UI and good marketing
4. VC funded

Anyway, the ultimate motivations of Keybase became clear to me a long time ago, and explains very neatly all of their behavior since. I recommend conducting similar motivation-identification exercises for other tools in your life.

@sir Embrace, Extend, Extinguish for the modern age.

@sir indeed. Falsely positioned projects like #Keybase popup routinely. What I find most disturbing is not their existence (the free market is designed to encourage the deception), but rather ppl's inability to spot the red flags. Keybase was throwing up many easily visible red flags & so-called #privacy proponents were blind to them.

@aktivismoEstasMiaLuo @sir
The moment they started being more than just a way to find your friends' PGP pubkeys, I lost interest. Did I miss some earlier drama?

@wolf480pl @sir Not sure where you enter the timeline, but my 1st look at #keybase was horrific. It's remarkable that they were able to carry on despite this history:

@aktivismoEstasMiaLuo @sir
Well, I started using it in 2014.

I do remember the 777 /keybase incident, but the rest of the stuff listed in that post you linked is new to me.

At the same time, I'm not surprised.

@wolf480pl @sir not sure when I 1st encountered Keybase, but the cool feature that sucked me in was that I could send someone with no PGP tools or capability could go a webpage, enter a msg, and get back PGP-encrypted text that can be copied into an email msg.

@aktivismoEstasMiaLuo @wolf480pl such an experience would terrify me, because it would involve writing a secret message into a web page controlled by a third party

@wolf480pl @aktivismoEstasMiaLuo I wish it was easier to normalize the idea that JS crypto is broken, and get people to think critically about that kind of problem in a more general way

@sir @wolf480pl That's an evolutionary step far in the future. I told ppl: no plaintext email. If they want to email me, it must be encrypted. That Keybase mechanism was one way to enable normies to msg me. This is just to get ppl to accept that they shouldn't be sending plaintext.

@wolf480pl @sir I used for ppl who were most resistant to setting up crypto.. who wouldn't consider installing a tool or opening a Hushmail/Protonmail acct.

@sir @wolf480pl And in some cases, it was just a psychological tool to guage their resistence. If they also refused the keybase j/s mechanism, then I could rule out effort as being their issue. When my accountant refused to use it, it demonstrated that she had something against crypto entirely.

@aktivismoEstasMiaLuo @sir
Did you figure out more specifically what the accountant had against crypto?

@wolf480pl @sir no, she just said "I'm not doing that" in her reply, which she sent in-the-clear with relatively sensitive info about my income

@sir @wolf480pl then she never heard from me again. I took my business elsewhere. It's a common problem too. Another accountant had an IT team capable of making the crypto work transparently for her, but she ultimately gave the excuse: "we can't use crypto b/c email will not get checked for malware"

@wolf480pl @sir Crypto is very much appropriate for accountants, & when I impose it on them only a minority of accountants are willing to use it. Lawyers are even worse, & the need for confidentiality is obviously quite high.

@aktivismoEstasMiaLuo @sir
I was suspecting some like "nothing to hide" mentality, or some "crypto<->crime" connection in their mind,
but if that happens with lawyers...
Like, lawyers are supposed to keep your secrets even if you tell them you did something illegal, right?
Why would a lawyer be opposed to encrypting their communications with their client...

@wolf480pl @sir lawyers have a reputation for being low-tech. They also trust the protections of their industry. That is, interception of attorney-client priv. info is illegal and unusable. They overestimate the extent of protection the law offers, and fail to see that technical protection is worthwhile.

Show more

@sir @aktivismoEstasMiaLuo
depends on threat model...

I think in cases like zerobin, it's not necessairly bad. You still need to trust the service provider, but if you do, it makes it slightly harder for attackers to extract plaintext from the service provider by using software bugs or legal threats.

@sir I ever wondered why I should use it in the first place.
If I have a new key, I can distribute it on my site, alongside my mailadress or within the mails I send.

You have the oppotunity to get some of sour accounts to API with it, but that wasn't that much trust, either.

@alsternerd @sir It was for those who do not have their own site. I don't, for example.

Also, I didn't mind submitting a key to an yet another key exchange mechanism.
@sir Federating doesn't matters much, heck I'd rather see less federating things, specially when privacy is needed.

For example: Forums, Blogs/Webcomics, IRC networks, … do not need to be federated, the client can handle multiple hosts fine. But it should speak a common client protocol and be self-hostable.

@lanodan IRC networks are already federated, and This Is Good. Note that, importantly, I don't equate federation with activitypub. Federation also doesn't have to be automatic, like Mastodon, it can be up to the admins to have a whitelist of other instances they federate with (like how IRC works). The blogosphere also federates well with things like web rings. Federation can be simple.

@sir I mean between each other, EFNet and Freenode do not need to federate between each other and tbh they shouldn't. It means a quite different protocol / trust-issues if you mean to federate between your trusted network or the chaos of the internet.

And multiple implementations must speak a common client protocol, which for example isn't the case in the fediverse, Mastodon API is mastodon and pleroma, ActivityPub C2S is pleroma and kroeg, meanwhile [friendica, honk, …] have their own protocols.

@lanodan I agree, but you're missing my point: federation doesn't have to mean federating with everyone. IRC _is_ federated, and it's a better protocol for it. You're adding more meaning to my use of "federation" than there actually is.

@lanodan IRC is federated by mutual agreement between server operators in the federation. This Be Good.

@sir Probably but tbh the federation part of IRC doesn't matters much, the centralisation part is more about power, most services are actually on multiple synchronised servers for redundancy.

@lanodan I disagree, but the reasons wrt IRC in particular are subtle and I'd rather not explain too much right now

@lanodan @sir

> Federating doesn't matters much, heck I'd rather see less federating things, specially when privacy is needed.… But it should speak a common client protocol and be self-hostable.

I'd argue that anything that follows an open protocol (and commits to keep following that protocol) *is* federated, even if there's only one implementation right now

@lanodan @sir

> So Unix wall(1) is federated?

Ok, fine, my definition was too broad :D

How about "anything that, acting as a server, exposes a public client protocol over a shared network and commits to following that protocol is federated (from the perspective of that network)"?

@codesections @sir So Unix talk(1) or finger(1) is federated?
public client protocol: glorified netcat
shared network: Unixes on the internet
commits to following that protocol: POSIX + RFCs, maybe?

@lanodan @codesections imo federation is more about distribution of political power than it is about technical design.

@sir @codesections Same, which means that to me IRC isn't because netops of the same network tends to be friends or part of the same organisation.

@lanodan @codesections depends on the network. For the big ones, yeah, perhaps.

@lanodan @codesections nah, there are others besides, I'm not deliberately not mentioning them here

@lanodan @sir

> So Unix talk(1) … is federated?

I'd say that talk(1) (as a technology) is straightforwardly federated, in exactly the same way email is.

In practice, it doesn't get used in a way that takes advantage of the federated nature of the technology very often (ever?) which gets into the "distribution of political power" point but, imo, that's separate from whether the technology is federated (though maybe more important!).

@codesections @sir Unix talk(1) isn't federated at all, sure it's decentralised as fuck, but it's only peer to peer.
Like if everyone using email would drop the client-to-server part and use mail(1)/sendmail(1)/… (which is my email setup, with mutt(1) as an interface on top of sendmail(1))

To me a federation means: Different organisations/groups of machines with potentially different implementations speaking to each others in both ways (pull and push).
So, no email isn't federated, usenet is much more close to that for example (NNTP having both read and push, both of which can be used in servers). And federation tends to mean clear-text until we get something like OpenPGP which isn't a swiss army knife with all the tools and knifes open, like give me OpenPGP being done for just messaging (and with ephemeral/time-locked signing/decryption because then it should be stored in another way) please.
@lanodan @codesections @sir federation just takes from country power distribution. You could say email is federated because email servers are pretty much their own structures most of the time, operated by their own bodies but connected with each other and abiding to single entity the protocol.

fedi on the other hand with "we instance block you" and network ruining feels more like a confederation.
@hj @codesections @sir Yes, which is why it depends if it's about politics, technology or politics of technology. (latter should be much more discussed with less flamewars/shitstorms or oligarchy)
The political part being reality and technical part being theory.

Also I disagree a bit with this graph, international organisation (NATO, EU, UN, …) to me is federalism. I'm more of a confederation or swarm (many small states) kind of person btw.

@lanodan @sir @codesections For what it's worth webfinger was a fundamental part of Statusnet's federation.

@sir #Keybase from day one has always been trying to become a Facebook of sorts. They completely neglect many substantial security problems while chasing the shiny. Just look at the installation script that they expect root to run & be amazed at what they're getting away with.

@sir I have concerns about Open Collective due to pretty much this same list.

@sir Pretty UI *is* good, but not when it covers up other points. Damn, without pretty UI we couldn't get the commoner to use E2E encyption.


> Beware the Keybase formula:
1. Integrates with an existing, open ecosystem
2. May have open-source clients, but server is closed source and does not federate
3. Pretty UI and good marketing
4. VC funded

Agreed. And I'd pay *particular* attention to #4.

With a normal company, you have to ask "can the current business model make money?" If not, it will change.

With a VC-backed company, you have to ask "can the current business model make 10× returns?" If not, it will change.

@sir Hi Drew, I'd say that once a company accept VC funding, probability to see company being acquired is high as... this the way VC makes money! This model is rigged. That's when I stopped following Keybase. We got to innovate first on the way this whole economy works. Till it's linked with exponential growth, IMHO we're heading towards a dead end. @write_as is a big inspiration in that way I'd say. I'd be happy to hear from you about other sources of inspiration :)

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!