-
> Keybase’s iOS client has received a backdoor.
> It seems that Stellar, the extremely well-funded and well-marketed cryptocurrency, has struck a deal with Keybase to “airdrop” (give away) their tokens to keybase users in an effort to drive adoption.
> Keybase updated their iOS client to sign an attestation, as a user, that a given stellar address belongs to them, even if it does not. This is done without any user interaction or consent, violating the fundamental principle of Keybase’s product until now: the user controls their keys.
> Of course, the user controls their keys using Keybase’s software, which, under normal circumstances, means the user controls their keys. But in this instance, Keybase’s software decided to sign, for a user, without their knowledge or consent, an attestation saying that username*keybase.io is a legitimate stellar payment address for the user—even if the user has never heard of it.
https://sneak.berlin/20190929/keybase-backdoor/
-
@opal i thought it was pretty clickbaity at first as well, but now i think it's not far from the truth. The purpose of keybase is to sign things with your key that you approve of, and this signs something you might not even know about.
-
@lain
stuff you obvs know, and probably anyone else who might read this and care, but
pgp is a terrible choice for chat, using a single-point-of-failure good-forever key rather than a ratcheting system of transients
and the fact that keybase has so much pushed chat as "their usecase"
coupled with their trying to get users to let them "just store for you" their private keys
has always seemed very suspect
trying to intercept that "i am a reddit user and am vaguely aware that computers exist" demographic's vague thoughts about encryption
this new development might indicate that things didn't turn out as well as hoped, adoption rates etc, and so they're willing to instead risk that userbase's goodwill in exchange for marketing revenue from what i guess is the latest new-and-failing cryptocurrency cash grab, trying, in turn, to revive themselves for long enough to get some return on investment