keybase / keybase-issues

A single repo for managing publicly recognized issues with the keybase client, installer, and website.

FAQ / documentation material #830

Open sciurius opened 10 years ago

sciurius commented 10 years ago

Some questions that need good answers before Keybase opens for the general public.

  1. ‘If a service is free, you are the product being sold.’ Why is that not applicable to Keybase?
  2. Keybase is based in the US. Why is our data safe? Note that even though an uploaded private key is encrypted it is still vulnerable to attacks.
  3. Is the Keybase server software open source, in other words, can I audit it, and run my own Keybase server?
  4. When a user deletes his account, is all information physically removed? Will it be kept on archives and backups?

zQueal commented 10 years ago

  1. "If you are not paying for it, you're not the customer; you're the product being sold." I'm quite positive that Andrew Lewis had something else in mind when making that claim--specifically on the shift from content publishers to user-driven content. For example, Reddit and MetaFilter. I'd argue that Keybase does not apply to this general rule of thumb as nothing at all is being sold. (yet)
  2. It could be said that no data is safe, ever. I don't see why the USA is special in that endeavor and the Netherlands are not, but you should always operate under the assumption that any security measure that you have in place has already been compromised. By practicing this technique you're constantly looking for new ways to protect yourself against threats. This includes Keybase, and your private key. Start by creating a new PGP key for communication's sake and don't trust any infrastructure with mission critical information.
  3. Most if not all. Giving cryptography its due respect, I'm sure Max and Chris welcome community based security audits as well as insight into their use of current technologies.
  4. I've seen it referenced many times in the issue tracker -- once information is removed, it's gone within a relatively short period of time. Once a user's key is removed from the active database, it's immediately removed for good and will be permanently removed when the backups are cycled.

Keep in mind, I have no official affiliation with Keybase. I'm just trying to answer your questions.

sciurius commented 10 years ago

Thanks for your reply.

  1. Your argument that this claim does not apply to Keybase since "nothing at all is being sold" has little or no value. We do not know whether something is being sold. Running a website, developing software, bandwidth and so on require resources, hence money. Someone has to pay for this.
  2. The answer is: No, the data at Keybase is not safe. So don't upload your private keys no matter how encrypted they are. Basically, this restricts the use of encryption techniques to local keybase clients, currently CLI. But CLI people already could run PGP or GPG...
  3. It seems that a lot of components that make up the Keybase server are free and available.
  4. We can consider this answered. In the context of Q2 the answer doesn't matter much.

For Keybase marketing, we do need some better stories.

zQueal commented 10 years ago

  1. "We do not know whether something is being sold." I'll give you that one. An official reply would be helpful. "Someone has to pay for this." -- bootstrapping? It's all the rage these days.
  2. We're pretty much agreeing with this....just saying it in different ways. Although, the keybase client isn't for GPG/PGP veterans. It's more geared towards those who are inexperienced with GPG/PGP as an aid to do more of the complex commands. You're not going to gain much traction with this argument, I think.
  3. Yup. I'm just not sure if all of them are. For example, the node code base is not freely available (I'm pretty sure), but that's not developed by Max and Chris; however, it's used as a platform to facilitate the keybase CLI.
  4. :thumbsup:

I think calling them stories is a bit derogatory, don't you think? Additionally, I don't think it's appropriate to call it marketing as no product or service is being sold. But that's just my opinion and probably too curt.

sciurius commented 10 years ago

My apologies for using terms like stories and marketing -- English is not my native language. What I intended to say is that when we want to convince other people to use keybase, we need good answers to the questions from this thread.

zQueal commented 10 years ago

> What I intended to say is that when we want to convince other people to use keybase

Ahh! I see what you mean now. That's a good idea.