Sell Keybase to the highest bidder regardless of reputation, ethics, and views on privacy

[imawhale]

Looks like this has already been actioned so by all means go ahead and close this issue.

[simondebbarma]

Extremely disappointed.

[milezzz]

Did you guys even consider the optics of this move? Brutal.

[atecce]

this isn't really fair imo. it's easy to jeer from the peanut gallery but this could very well be the path to securing communications for hundreds of millions who would not have it otherwise

@imawhale what have you built exactly? besides hilarious github issues

[trev-dev]

@atecce Say what you will about the criticism, precedent speaks for itself.

[atecce]

@trev-dev you’re right. undoing wrongheaded precedents takes something drastic, like, i dunno, acquiring an entire new team of engineers to solve pitfalls of your legacy systems who clearly have intrinsically motivated experience in the domain of secure communications

[atecce]

this acquisition made a lot of sense if you go two inferences passed the small-brain Stallman puritanical OSS take. Zoom had no ecosystem and no security, Keybase had no video chat

[atecce]

Zoom seems fairly good at video chat fwiw. they do one thing well

[atecce]

such is the Way of Unix

[trev-dev]

For me the argument has little to do with small-brain "purity". Many of the people I deal with on Keybase are like me and see the good the platform has done without being properly open source to begin with. Selling out to a company with questionable trust such as Zoom is the issue. For myself, it is a sign of Keybase moving far enough toward the "dark side" than I'm comfortable with.

Why Zoom as a video prospect? Why not any of the other open source solutions? Why a purchase? Why not a premium level of service instead? I would've happily written off Keybase as an expense. Why not sell consultation to Zoom as they do need help rebuilding trust and securing their platform(?)

Open source needs further adoption, not assimilation. Free software is part of the foundation of trust that we signed up for and it's being crapped on.

[atecce]

it sounds like Zoom is allowing new entrants to come in and renegotiate the arch of their video service after hearing external criticisms of it. i've rarely heard of such a radical thing in an org with software. usually they simply hire bureausticrats to apologize for their lowest common denominator cruft for the rest of time while they pile on top of it and never look back. people are entirely misreading this

[trev-dev]

I really do hope you're right.

[imawhale]

this acquisition made a lot of sense... Zoom had no ecosystem and no security, Keybase had no video chat

@atecce I agree it made sense for Zoom. But I would frame it differently: Keybase had security and an ecosystem, Zoom had video chat. Only one of those 3 things is true now. It is a slam dunk win for Zoom (and Zoom investors) but quite obviously utterly terrible for Keybase users, and the future of Keybase products and open source initiatives.

You're incredibly naive about how acquisitions work and how this is likely to pan out if you disagree.

it sounds like Zoom is allowing new entrants to come in and renegotiate the arch of their video service after hearing external criticisms of it. i've rarely heard of such a radical thing in an org with software. usually they simply hire bureausticrats to apologize for their lowest common denominator cruft for the rest of time while they pile on top of it and never look back. people are entirely misreading this

undoing wrongheaded precedents takes something drastic, like, i dunno, acquiring an entire new team of engineers to solve pitfalls of your legacy systems who clearly have intrinsically motivated experience in the domain of secure communications

Not to mention the false pretenses under which people were lured to Keybase. Chris @malgorithms Coyne literally said they are happy to never sell another company and would never do anything unethical, like, hmm, selling their user base and private information to a company which is effectively a proxy for a foreign government, after a user expressed this specific concern to him.

Don't worry guys -- the engineers are intrinsically motivated! And you call me the puritan...

We need Federated open source protocols, not black box VC pump & dump horse**** .

I was a fan of Keybase and had been recommending it to others.

GG

[atecce]

but quite obviously utterly terrible for Keybase users, and the future of Keybase products and open source initiatives.

You're incredibly naive about how acquisitions work and how this is likely to pan out if you disagree.

what a fantastic chain of reasoning! i can tell you were a killer in debate club. you go right passed the inferences to the conclusion

selling their [...] private information

you wanna substantiate this? or are you just happy baselessly slandering people because you're mad on the internet?

We need Federated open source protocols, not black box VC pump & dump horse**** .

that sounds great! go make it. or get out of the arena

[imawhale]

but quite obviously utterly terrible for Keybase users, and the future of Keybase products and open source initiatives.

You're incredibly naive about how acquisitions work and how this is likely to pan out if you disagree.

what a fantastic chain of reasoning! i can tell you were a killer in debate club. you go right passed the inferences to the conclusion

selling their [...] private information

you wanna substantiate this? or are you just happy baselessly slandering people because you're mad on the internet?

We need Federated open source protocols, not black box VC pump & dump horse**** .

that sounds great! go make it. or get out of the arena

@atecce

https://theintercept.com/2020/04/03/zooms-encryption-is-not-suited-for-secrets-and-has-surprising-links-to-china-researchers-discover/

MEETINGS ON ZOOM, the increasingly popular video conferencing service, are encrypted using an algorithm with serious, well-known weaknesses, and sometimes using keys issued by servers in China, even when meeting participants are all in North America, according to researchers at the University of Toronto.

The researchers also found that Zoom protects video and audio content using a home-grown encryption scheme, that there is a vulnerability in Zoom’s “waiting room” feature, and that Zoom appears to have at least 700 employees in China spread across three subsidiaries. They conclude, in a report for the university’s Citizen Lab — widely followed in information security circles — that Zoom’s service is “not suited for secrets” and that it may be legally obligated to disclose encryption keys to Chinese authorities and “responsive to pressure” from them.

Zoom could not be reached for comment.

Generating Encryption Keys in China Earlier this week, The Intercept reported that Zoom was misleading users in its claim to support end-to-end encryption, in which no one but participants can decrypt a conversation. Zoom’s Chief Product Officer Oded Gal later wrote a blog post in which he apologized on behalf of the company “for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” The post went on to detail what encryption the company does use.

Based on a reading of that blog post and Citizen Lab’s research, here is how Zoom meetings appear to work:

When you start a Zoom meeting, the Zoom software running your device fetches a key with which to encrypt audio and video. This key comes from Zoom’s cloud infrastructure, which contains servers around the world. Specifically, it comes from a type of server known as a “key management system,” which generates encryption keys and distributes them to meeting participants. Each user gets the same, shared key as they join the meeting. It is transmitted to the Zoom software on their devices from the key management system using yet another encryption system, TLS, the same technology used in the “https” protocol that protects websites.

Depending on how the meeting is set up, some servers in Zoom’s cloud called “connectors” may also get a copy of this key. For example, if someone calls in on the phone, they’re actually calling a “Zoom Telephony Connector” server, which gets sent a copy of the key.

Some of the key management systems — 5 out of 73, in a Citizen Lab scan — seem to be located in China, with the rest in the United States. Interestingly, the Chinese servers are at least sometimes used for Zoom chats that have no nexus in China. The two Citizen Lab researchers who authored the report, Bill Marczak and John Scott-Railton, live in the United States and Canada. During a test call between the two, the shared meeting encryption key “was sent to one of the participants over TLS from a Zoom server apparently located in Beijing,” according to the report.

The report points out that Zoom may be legally obligated to share encryption keys with Chinese authorities if the keys are generated on a key management server hosted in China. If the Chinese authorities or any other hypothetical attacker with access to a key wants to spy on a Zoom meeting, they also need to either monitor the internet access of a participant in the meeting, or monitor the network inside the Zoom cloud. Once they collect the encrypted meeting traffic, they can use the key to decrypt it and recover the video and audio.

Encryption Flaws: The Worst of AES Citizen Lab flagged as worrisome not only the system used to distribute Zoom encryption keys but also the keys themselves and the way they are used to encrypt data.

Zoom’s keys conform to the widely used Advanced Encryption Standard, or AES. A security white paper from the company claims that Zoom meetings are protected using 256-bit AES keys, but the Citizen Lab researchers confirmed the keys in use are actually only 128-bit. Such keys are still considered secure today, but over the last decade many companies have been moving to 256-bit keys instead.

Furthermore, Zoom encrypts and decrypts with AES using an algorithm called Electronic Codebook, or ECB, mode, “which is well-understood to be a bad idea, because this mode of encryption preserves patterns in the input,” according to the Citizen Lab researchers. In fact, ECB is considered the worst of AES’s available modes.

Here’s why: It should be impossible to tell the difference between properly encrypted data and completely random data, such as static on a radio, but ECB mode fails to do this. If there’s a pattern in the unencrypted data, the same pattern shows up in the encrypted data. This Wikipedia page has a useful illustration to visualize this:

Once it has been poorly encrypted in this manner, video and audio data is distributed to all participants in a meeting through a Zoom Multimedia Router server. For most users, this server runs in Zoom’s cloud, but customers can choose to host this part on-premises. In this case, Zoom will generate, and thus have access to, the AES key that encrypts the meeting but shouldn’t have access to the meeting content itself, so long as none of the aforementioned “connector” servers (for phone calls and so forth) are participating in the meeting. (In its blog post, Zoom said self-hosting customers will eventually be able to manage their own encryption keys.)

Meeting hosts can set their meetings to have virtual “waiting rooms,” making it so that users do not directly enter the meeting when they log on with Zoom but instead must wait to be invited in by a participant. The Citizen Lab researchers discovered a security vulnerability with this feature while conducting their encryption analysis. They said in their report that they have disclosed the vulnerability to Zoom but that “we are not currently providing public information about the issue to prevent it from being abused.” In the meantime, the researchers advised Zoom users who desire confidentiality to avoid using waiting rooms and instead set passwords on meetings.

Corrective Moves By Zoom The newly uncovered flaws in Zoom’s encryption may be troubling for many of the company’s customers. Since the coronavirus outbreak started, Zoom’s customer base has surged from 10 million users to 200 million, including “over 90,000 schools across 20 countries,” according to a blog post by Zoom CEO Eric Yuan. The U.S. government recently spent $1.3 million on Zoom contracts as part of its response to the pandemic, according to a review of government contracts by Forbes, and the U.K. government has been using Zoom for remote Cabinet meetings, according to a tweet from Prime Minister Boris Johnson.

Among those who should be concerned about Zoom’s security issues, according to Citizen Lab, are “governments worried about espionage” and “businesses concerned about cybercrime and industrial espionage.”

Despite a recent flood of security and privacy failures, Yuan, Zoom’s CEO, appears to be listening to feedback and making a real effort to improve the service. “These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones,” Yuan wrote in his blog post. “We appreciate the scrutiny and questions we have been getting — about how the service works, about our infrastructure and capacity, and about our privacy and security policies.”

In addition to promptly fixing several security issues that were reported, the company removed an “attendee attention tracker” feature, a privacy nightmare which let meeting hosts track whether participants had the Zoom window — or some other app’s window — in focus during a meeting. It has also invested in new training materials to teach users about the security features like setting passwords on meetings to avoid Zoom-bombing, the phenomenon where people disrupt unprotected Zoom meetings.

Because Zoom’s service is not end-to-end encrypted, and the company has access to all encryption keys and to all video and audio content traversing its cloud, it’s possible that governments around the world could be compelling the company to hand over copies of this data. If Zoom does help governments spy on its users, the company claims that it hasn’t built tools specifically to help law enforcement: “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes,” Gal, Zoom’s chief product officer, wrote in the technical blog post, “nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”

> Unlike some other tech companies, Zoom has never released any information about how many government requests for data it gets, and how many of those requests it complies with. But after the human rights group Access Now’s open letter urging Zoom to publish a transparency report, Yuan also promised to do just that. Within the next three months, the company will prepare “a transparency report that details information related to requests for data, records, or content.” Access Now has commended Zoom on committing to publish a transparency report.

[atecce]

i see your clipboard works. you're still going to have to think for yourself a bit here. don't be scared :D

[yericua]

this acquisition made a lot of sense... Zoom had no ecosystem and no security, Keybase had no video chat

@atecce I agree it made sense for Zoom. But I would frame it differently: Keybase had security and an ecosystem, Zoom had video chat. Only one of those 3 things is true now. It is a slam dunk win for Zoom (and Zoom investors) but quite obviously utterly terrible for Keybase users, and the future of Keybase products and open source initiatives.

You're incredibly naive about how acquisitions work and how this is likely to pan out if you disagree.

it sounds like Zoom is allowing new entrants to come in and renegotiate the arch of their video service after hearing external criticisms of it. i've rarely heard of such a radical thing in an org with software. usually they simply hire bureausticrats to apologize for their lowest common denominator cruft for the rest of time while they pile on top of it and never look back. people are entirely misreading this

undoing wrongheaded precedents takes something drastic, like, i dunno, acquiring an entire new team of engineers to solve pitfalls of your legacy systems who clearly have intrinsically motivated experience in the domain of secure communications

Not to mention the false pretenses under which people were lured to Keybase. Chris @malgorithms Coyne literally said they are happy to never sell another company and would never do anything unethical, like, hmm, selling their user base and private information to a company which is effectively a proxy for a foreign government, after a user expressed this specific concern to him.

Don't worry guys -- the engineers are intrinsically motivated! And you call me the puritan...

We need Federated open source protocols, not black box VC pump & dump horse**** .

I was a fan of Keybase and had been recommending it to others.

GG

federated msg is a hype. It's harder to make a secured federation system. Keybase's current model is the best. it bring the best of security to the mass. agree or not, it's the best.

[OneCricketeer]

Zoom seems fairly good at video chat fwiw

WebRTC isn't hard to implement and it works just as good for P2P chat or even password protected chat rooms ...

[imawhale]

i see your clipboard works. you're still going to have to think for yourself a bit here. don't be scared :D

You're right, I was wrong to doubt you, forgive me.

[OneCricketeer]

Would like to point out that I find it amusing that Zoom CEO left Webex after they rejected his smartphone video conferencing idea (which they now have AFAIK).

Meanwhile, FaceTime encryption is pretty good. Hangouts/Meet probably is as well. Haven't seen major media coverage of security issues with those.

As much as we might give Zuckerberg flak, Messenger or Whatsapp have a well respected encryption policy, for the most part.

Then Verizon just acquired Bluejeans in April for far less than what Zoom is supposedly worth...

All in all, Zoom is pure marketing hype. We've basically generated the colloquial "Zoom me" as compared to "Google it", meanwhile there's other search engines that take your security more seriously than improving Google SEO (Duckduckgo).

If y'all seriously hate Zoom, delete your accounts, tell your friends and family to boycott it until Zoom is more transparent with their development status.

Meanwhile, good luck trying to get people to switch to something else, because I know for a fact that my family refuses to listen to me or anyone else concerned about online privacy

[atecce]

WebRTC isn't hard to implement and it works just as good for P2P chat or even password protected chat rooms ...

one example i'm directly familiar with: the company Invision (which is completely remote) uses Zoom for their all hands meetings, which contain hundreds of individuals, with no problems. my Teams meetings start struggling at about 5. again, if you think you can do better than that with an implementation of WebRTC, go build it, but it's not surprising to me while optimizing perf another system aspect was neglected. this acquisition seems to be a recognition of that fact

Would like to point out that I find it amusing that Zoom CEO left Webex after they rejected his smartphone video conferencing idea (which they now have AFAIK).

Then Verizon just acquired Bluejeans in April for far less than what Zoom is supposedly worth...

having used both BlueJeans and WebEx they are complete mediocre garbage. nobody who actually interacts with these systems thinks they are well done. they are the paradigmatic example of what "Enterprise" software usually is, cruft that decision makers forcefeed their white collar wage slaves. they would never survive in a consumer environment like Zoom (or Slack, for that matter, fwiw) has. as a matter of fact, it sounds to me like that is exactly why the CEO of Zoom started his own company. he knew he could do better

Meanwhile, FaceTime encryption is pretty good. Hangouts/Meet probably is as well. Haven't seen major media coverage of security issues with those.

As much as we might give Zuckerberg flak, Messenger or Whatsapp have a well respected encryption policy, for the most part.

i generally trust aapl's professed commitment to privacy, but you should read more about FaceTime. it turns out these problems are just hard, even when the incentives and intentions are aligned. it's almost like you need an entire team of people to evaluate systems from that specific perspective

as for Hangouts and WhatsApp. just lol. Google is Evil. Facebook makes the world more closed and divided. Google attempts to reconstruct my entire browsing history because they think they own the web now that they've monopolized the interface to it. Facebook balkanizes us into sets of labels their machine learning algorithms can target for marketers. they are both totalitarian surveillance states run by Orwellian shills. they have no business model outside of that and everyone knows it. at least Zoom can collect ARR from orgs

[yericua]

Zoom seems fairly good at video chat fwiw

WebRTC isn't hard to implement and it works just as good for P2P chat or even password protected chat rooms ...

Nobody says it's hard to implement. Just that currently the webrtc solutions out there isn't capable of handling large number of users in single conference as efficient as zoom. you gotta give zoom some credit in this area.

[atecce]

exactly. they focused on doing one thing well. such is the Way of Unix

[chindraba-work]

The Way of Unix is good for the tool's development. Without other allied tools with a similar focus, however, it's not so good for a business model.

[atecce]

cat /dev/zoom | keybase

[OneCricketeer]

UUOC

keybase < zoom

IMO, it's all crap. I started with Skype. Used Lync in undergrad. Using Slack and Discord now...

If Twitch and YouTube can do real-time streaming, then how hard can it truly be to do decentralized, secure p2p video calling?

I'm a software engineer, but please eli5

[OneCricketeer]

And Skype IS encrypted. Although has a limit of somewhere between 32 and 50

https://support.skype.com/en/faq/FA31/Does-Skype-use-encryption?

[yericua]

@OneCricketeer you don't know what you don't know. ¯_(ツ)_/¯

[chindraba-work]

If Twitch and YouTube can do real-time streaming, then how hard can it truly be to do decentralized, secure p2p video calling?

You can always develop your own app to prove how easy it is.

[atecce]

@OneCricketeer fair point about UUOC

[OneCricketeer]

Lol @ Everyone telling me to make it myself. I have my own interests that are completely unrelated to the longevity of Zoom, Inc. or video conferencing

[atecce]

yeah that's totally reasonable. the point is, if you're going to impugn someone with malice like OP you should at least have some skin in the game or know what you're talking about or gtfo

i don't know how Zoom's stack is so much more effective than its competitors atm (including WebRTC). that's kind of why they are worth 50b rn

[imawhale]

yeah that's totally reasonable. the point is, if you're going to impugn someone with malice like OP you should at least have some skin in the game or know what you're talking about or gtfo

i don't know how Zoom's stack is so much more effective than its competitors atm (including WebRTC). that's kind of why they are worth 50b rn

wow you know how the stock market works too? Do you have a blog?

[OneCricketeer]

know what you're talking about or gtfo

Freedom of speech, brah

[OneCricketeer]

Speaking of stock market, anyone else have a short position in that 50b market?

[atecce]

you should absolutely do that if you liked this issue. somehow i doubt those people have the courage of their convictions

[OneCricketeer]

Nope. Haven't liked. The title doesn't make me want to like it.

[OneCricketeer]

I'm honestly not sure what we are debating now.

This is a keybase issue. It is that simple.

All I can gather from this thread @atecce is that you want to defend Zoom's decision for whatever reason, yet I cannot find a logical explanation for you doing so unless you happen to have a large stake in the company's equity... Did your time at Fidelity teach you how to sniff out a good buy and hold strategy?

[imawhale]

you should absolutely do that if you liked this issue. somehow i doubt those people have the courage of their convictions

You immediately turned this into a personal attack, rather than deconstructing the issue, which is a strong signal that you're not acting in good faith.

As for Zoom being "worth" $50B, how do you arrive at that figure? STOCK PRICE BRO?

[atecce]

eh? i’m defending Keybase’s decisions on the technical merits. i am also trolling pathetic spectators totally absent from the arena of these decisions

[imawhale]

eh? i’m defending Keybase’s decisions on the technical merits. i am also trolling pathetic spectators totally absent from the arena of these decisions

How is selling to Zoom going to improve Keybase's technology?

[OneCricketeer]

Well, at least you admit to trolling. Congrats. We can keep this going too.

[imawhale]

gg

[atecce]

How is selling to Zoom going to improve Keybase's technology?

because Zoom’s video streaming is excellent you incorrigible philistine

[OneCricketeer]

Dude. No one is calling you names.

Please prove how Zoom is seriously better than Slack video, for example.

[atecce]

already answered this. Slack can’t handle hundreds of clients at once. i have no qualms about anything i call OP given the genesis of this thread

[OneCricketeer]

And no one asked you to write the first thread of comments, so thanks for being part of the peanut gallery. Feel free to wipe the shells off as you excuse yourself.

[atecce]

can’t wait to see your implementation of WebRTC :D

[OneCricketeer]

The market is too crowded. Zoom works, but so do others.

I'm sorry you have to sit on a call with hundreds of people at a time. The company I work with isn't even that large. Most startups aren't either.... Did Zoom even have 100 people before this situation?

[OneCricketeer]

I'm just gonna leave some links here for reference, and you're more than welcome to do your own justice with them while admiring your CS degree in front of your 100 video colleagues

https://bloggeek.me/how-many-users-webrtc-call/

https://bloggeek.me/is-webrtc-safe/

[atecce]

i don’t have a cs degree or a degree of any kind. i’m not very smart