
Zoom Acquires Keybase - vikram7
https://keybase.io/blog/keybase-joins-zoom
======
fossuser
For years people have been begging Keybase to allow them to pay them for the
service and Chris Coyne always refused.

Now they've lost their independence and they're owned by a communication
company that has [edit: the majority of] its dev team in China.

I use Keybase to talk to my friend in China since it's one of the few services
they don't block.

This is a pretty disappointing outcome.

~~~
bgee
> communication company that has its entire dev team in China

citation needed

Also, what are you trying to imply by this assertion?

~~~
fossuser
"Zoom is based in California’s Silicon Valley, but it owns three companies in
China that develop its software. The Citizen Lab said the structure allowed
the company to lower its development costs, but added “this arrangement may
make Zoom responsive to pressure from Chinese authorities.”"

[https://www.theguardian.com/uk-news/2020/apr/24/uk-governmen...](https://www.theguardian.com/uk-news/2020/apr/24/uk-government-told-not-to-use-zoom-because-of-china-fears)

The implication is that China is hostile and leverages their power to
censor/collect communication information from companies and their people
without checks on this power.

They are aggressive in stealing IP from other companies and blocking software
they can't control. They have a history of wielding their power to pressure
organizations to deny or ignore aspects of their history that they dislike
(Taiwan, Cultural Revolution) and they pressure companies to hand over PII on
people they find to be political threats without due process.

This is not a country you want to be a steward of an encryption identity
standard.

~~~
Gasp0de
Isn't the US actually at least as bad if not worse? Thanks to Edward Snowden
we know without speculation that the US "is hostile and leverages their power
to censor/collect communication information from companies and their people
without checks on this power" (ok, supposedly there are secret judges that
secretly check on this power, but that doesn't really do any good does it?).
The USA also "pressure companies to hand over PII on people they find to be
political threats without due process" (so called "National Security
Letters").

~~~
patmorgan23
People don't get disappeared for actively disagreeing with the government.

~~~
mirimir
That's true for US citizens. But not so much otherwise.

Edit: Someone disagrees? Consider Guantanamo Bay, third-party renditions, and
drone strikes. If China did drone strikes, there'd be a huge outcry.

------
Communitivity
Given the security concerns around Zoom, and the apparent lack of QC that
might have prevented those concerns, this news is appalling. I love Keybase,
it's used by many people, but I suspect it will now die a quick death. More
accurately I suspect it will slide into a coma - not quite dead, but not in
wide use anymore either.

~~~
ithkuil
why not look at the problem the other way around?

I don't have much respect for zoom's security practices, while I do have much
respect for the keybase team.

Perhaps this is Zoom's way of admitting that there is no way they can just
solve the problem internally by keeping doing what they're doing and they need
to get some fresh blood and build upon good practices designed outside their
current culture.

~~~
frogpelt
It seems that we live in an era where if you made bad decisions in the past,
you can never be trusted to make good decisions ever again. Even if you own
your bad decisions and show lots of improvement.

Nope. Once a pariah, always a pariah.

~~~
lmm
Zoom's decisions did not feel like mistakes so much as an expression of their
values. The company repeatedly prioritised ease of use while doing the
absolute minimum on the security front. Are there any grounds to believe that
that calculus has changed?

~~~
ViViDboarder
The fact that they hired Alex Stamos and probably just spent a bunch of money
on buying Keybase seem like a sign that things are changing.

They prioritized ease of use above all to get adoption before. This is
appalling to me, but I believe they are seeing enough pressure to change
course. It’s believable to me that they would intend to as they have already
captured much of the consumer (non-B2B) market mind share and can afford to
invest in this area.

Will I be using it now? Still a no. Maybe in time though.

~~~
purple-dragon
> The fact that they hired Alex Stamos and ...

Call me cynical, but "hiring" a bunch of infosec celebrities and critics as
part-time consultants or contractors should be considered nothing but a
(brilliant and silencing) PR move until the day that product updates and
analyses reveal otherwise.

~~~
djrogers
> until the day that product updates and analyses reveal otherwise.

The product (and their poor installer practice) has been updated several times
in the past few months alone, and each move has made Zoom a more secure
product, with the vast majority of the hubbub having been addressed. So are
you simply ignoring that, or are you setting your own personal goalposts?

~~~
purple-dragon
I'm doing neither. I'm pointing out a logical fallacy in the parent comment.
Hiring people part-time and buying a company does not, on its own, convey
anything about improvements to product quality, security, or the corporate
culture of either. I can only infer from your comment that you might think I
have some beef or issue with Zoom. I said no such thing.

~~~
wutbrodo
Sure, but it's not "on its own", it's in the context of the investment in
security mentioned by the parent comment.

~~~
purple-dragon
At this point, I'm confused, and I'm not sure what point you or the other
commenter are looking for me to concede. Zoom is paying some security
consultants, pushed out some product updates, and bought Keybase, so it's a
story book ending?

~~~
wutbrodo
Just as your comment was aiming to narrowly point out a logical fallacy in the
parent comment, I'm pointing out a flaw in your own: I disagree with your
claim that investing in security practices is just theater, and that more
concrete efforts in the same direction are irrelevant. The concrete efforts
are Bayesian evidence that the newer investments are more than theater.

~~~
purple-dragon
I didn't claim that. I believe in investing in security. I'm a security
professional.

~~~
albedoa
You said that those things are theater until the day the product updates. We
are beyond the day when that happened. So for it to be a fallacy you have to
reject the context in which it was presented, which nobody but you is doing.

~~~
purple-dragon
It's a SaaS world, baby. Product updates (can) happen everyday. I'm not sure
what that proved.

------
underyx
Keybase's side of the announcement:
[https://keybase.io/blog/keybase-joins-zoom](https://keybase.io/blog/keybase-joins-zoom)

> What the Keybase team will be doing

> Initially, our single top priority is helping to make Zoom even more secure.
> There are no specific plans for the Keybase app yet. Ultimately Keybase's
> future is in Zoom's hands, and we'll see where that takes us. Of course, if
> anything changes about Keybase’s availability, our users will get plenty of
> notice.

> So, our shortest-term directive is to significantly improve our security
> effectiveness, by working on a product that's that much bigger than Keybase.
> We can't be more specific than that, because we're just diving in.

They're not even making the usual "Zoom is committed to keeping Keybase alive"
promise :(

~~~
swyx
is this an acquihire then?

~~~
jng
If so, it would be in the unusual shape that it is a top-dollar one rather
than cover-the-failure-with-a-pretty-ending one. But in this case, Zoom is
probably actually interested in the security tech that Keybase has apart from
the talent, they're just not interested in the product.

~~~
swyx
did i miss something? how do you know it's top-dollar? no dollar amount was
disclosed.

~~~
jng
No, you didn't miss anything. As you probably expected, it's just my
deductions from context. I may be completely wrong. I still do believe in
them, but obviously no one else needs to.

------
ddevault
Keybase helped me to identify a trend in the software industry: using a pretty
UI to cover up the disruption of an open ecosystem with a closed, centralized
replacement. Keybase seemed cool on the face of it - making encryption easier
is a laudable goal, and PGP certainly could use the improvement. But, thanks
to Keybase, now I ask different questions upfront. Beware the Keybase formula:

1. Integrates with an existing, open ecosystem

2. May have open-source clients, but server is closed source and does not
federate

3. Pretty UI and good marketing

4. VC funded

~~~
oever
Sounds like protonmail.

~~~
gruez
They’re vc funded?

~~~
nathcd
[https://protonmail.com/about](https://protonmail.com/about) indicates they're
funded to some extent by Charles River Ventures
([https://www.crv.com/](https://www.crv.com/)). They were initially
crowdfunded, and also get funding from a Swiss nonprofit foundation.

------
rvz
> Ultimately Keybase's future is in Zoom's hands

Well, that definitely translates to uncertainty and ultimately the death of
Keybase.

~~~
DyslexicAtheist
from Zoom's twitter:

_"We are excited to integrate Keybase’s team into the Zoom family to help us
build end-to-end encryption that can reach current Zoom scalability."_

not a word about what happens to the existing technology which doesn't sound
very reassuring to existing keybase users.

~~~
chrisma0
This is a good point. As far as I understood, Keybase's main offering, i.e.
key discovery for accounts you knew little about, was never about "the best
crypto that scales to Zoom levels".

Though what the main features were got very muddled anyways, especially with
the odd Stellar cryptocurrency wallet implementation. I'm very interested to
see what they do with the existing tech, or whether there will be open-source
forks that are somehow compatible.

------
cbg0
> Zoom does not and will not proactively monitor meeting contents, but our
> trust and safety team will continue to use automated tools to look for
> evidence of abusive users based upon other available data.

> Zoom has not and will not build a mechanism to decrypt live meetings for
> lawful intercept purposes.

> We also do not have a means to insert our employees or others into meetings
> without being reflected in the participant list. We will not build any
> cryptographic backdoors to allow for the secret monitoring of meetings.

One court + gag order and all of these promises are out the window.

~~~
notriddle
Well, yeah, duh.

What do you expect them to do? Hire a PMC and fight a war with the police when
they come around to raid the server room? Go into hiding so that the security
agency can't steal the upgrade signing key from them?

We can't expect all of the internet to operate like Wikileaks and The Pirate
Bay. If the justice system is broken, then the people aren't safe.

~~~
oehpr
> What do you expect them to do? Hire a PMC and fight a war with the police
> when they come around to raid the server room? Go into hiding so that the
> security agency can't steal the upgrade signing key from them?

No, we want them to assume the same thing we are assuming. That if their
service becomes successful, they will be coerced to compromise their users,
regardless of how frequently they promise that they would never do so.

If they are even bothering to make public announcements like this, then that
means they believe the security of their system can be founded on the honor of
their employees. It's important to recognize that this isn't even true if you
assume every member of their team is an uncorruptible seraphim.

Instead, where possible, the service should be zero knowledge, where not
possible, it should be considered insecure.

------
andrewla
On announcing that they'll support git [1]:

> > > You guys should be taking my money

> > One way to pay, if you want to help ensure their success & longevity, is
> to evangelize for them, and get other people hooked on their product.
> Getting other people hooked on it like you are and seeing the potential and
> get over the adoption humps... that's valuable! They're not taking money
> because it raises the barrier to entry, and growth is most important. Pay
> them by helping them grow.

> It's valuable, but not in the capital sense. Each person you get hooked on
> their product increases their burn rate, and both makes them more attractive
> as an acquisition (which is scary for users) and more desperate for cash
> (which makes acquiescing to acquisition more tempting).

> Without a road to profitability (or at least a road to revenue) even
> attracting equity is difficult; investors who enter with that knowledge will
> be looking to exit through acquisition, since that's basically the only way
> to exit, other than just getting more capital.

[1]
[https://news.ycombinator.com/item?id=15403772](https://news.ycombinator.com/item?id=15403772)

------
wadkar
Congratulations to the keybase team.

Most people here seem to be making a self fulfilling prophecy of keybase's
death.

But I like to think that Zoom intends to reuse large parts of keybase
codebase:

> Logged-in users will generate public cryptographic identities that are
> stored in a repository on Zoom’s network and can be used to establish trust
> relationships between meeting attendees. An ephemeral per-meeting symmetric
> key will be generated by the meeting host. This key will be distributed
> between clients, enveloped with the asymmetric keypairs and rotated when
> there are significant changes to the list of attendees. The cryptographic
> secrets will be under the control of the host, and the host’s client
> software will decide what devices are allowed to receive meeting keys, and
> thereby join the meeting. We are also investigating mechanisms that would
> allow enterprise users to provide additional levels of authentication.

Will the founders be interested in releasing parts if not all of the server
code to the public? I believe the founders' mission is still achievable and
can be carried out, should they be willing to release the code in public.
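
The key flow in the design quoted above (a host-generated per-meeting key, enveloped to each attendee's public key, rotated when the attendee list changes) looks like this in Go. This is an added example, not Zoom's or Keybase's code: RSA-OAEP envelopes, rotation on every join and removal, and the names `Host`, `Admit`, `Remove`, `Open` and `Scenario` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Host owns the meeting secrets and decides who receives them.
type Host struct {
	dir       map[string]*rsa.PublicKey // stand-in for the identity repository
	meetingID string
	epoch     int             // bumped on every rotation
	key       []byte          // current ephemeral meeting key
	admitted  map[string]bool // current attendee list
}

// label binds an envelope to one meeting and one key epoch.
func label(meetingID string, epoch int) []byte {
	return []byte(fmt.Sprintf("%s/epoch-%d", meetingID, epoch))
}

// rotate draws a fresh 256-bit key and envelopes it to each admitted attendee.
func (h *Host) rotate() (map[string][]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	h.key, h.epoch = key, h.epoch+1
	envelopes := make(map[string][]byte, len(h.admitted))
	for name := range h.admitted {
		env, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, h.dir[name], key, label(h.meetingID, h.epoch))
		if err != nil {
			return nil, err
		}
		envelopes[name] = env
	}
	return envelopes, nil
}

// Admit adds an attendee that has a published identity, then rotates.
func (h *Host) Admit(name string) (map[string][]byte, error) {
	if _, ok := h.dir[name]; !ok {
		return nil, fmt.Errorf("no published identity for %q", name)
	}
	h.admitted[name] = true
	return h.rotate()
}

// Remove drops an attendee, then rotates so they never see the next key.
func (h *Host) Remove(name string) (map[string][]byte, error) {
	delete(h.admitted, name)
	return h.rotate()
}

// Open is the attendee side: unwrap an envelope for a given meeting and epoch.
func Open(priv *rsa.PrivateKey, env []byte, meetingID string, epoch int) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env, label(meetingID, epoch))
}

// Result holds what Scenario observed.
type Result struct {
	BobGotKey, Rotated, CarolEnveloped, CarolOpensBobs, StaleEpochOpens bool
}

// Scenario runs three constructed users through join and removal.
func Scenario() (Result, error) {
	var r Result
	keys := map[string]*rsa.PrivateKey{}
	h := &Host{dir: map[string]*rsa.PublicKey{}, meetingID: "meeting-42", admitted: map[string]bool{}}
	var envs map[string][]byte
	for _, n := range []string{"alice", "bob", "carol"} {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return r, err
		}
		keys[n], h.dir[n] = k, &k.PublicKey // publish the identity
		if envs, err = h.Admit(n); err != nil {
			return r, err
		}
	}
	bobKey, _ := Open(keys["bob"], envs["bob"], h.meetingID, h.epoch)
	r.BobGotKey = bytes.Equal(bobKey, h.key)
	oldKey, oldEpoch := h.key, h.epoch
	envs, err := h.Remove("carol")
	if err != nil {
		return r, err
	}
	r.Rotated = !bytes.Equal(oldKey, h.key)
	_, r.CarolEnveloped = envs["carol"]
	_, e1 := Open(keys["carol"], envs["bob"], h.meetingID, h.epoch)
	_, e2 := Open(keys["bob"], envs["bob"], h.meetingID, oldEpoch)
	r.CarolOpensBobs, r.StaleEpochOpens = e1 == nil, e2 == nil
	return r, nil
}

func main() { fmt.Println(Scenario()) }
```

A removed attendee still holds every key issued while they were present, so rotation protects only what is sent after the change.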

------
kgraves
I'm seeing a certain pattern here, aren't we all just fooling ourselves?

Isn't this just all inevitable? Aren't all these startups just lining up all
in the hopes just to get acquired?

I guess when we see VC Funded™ on any startup what it _really means_ is that:

"We are prioritising a return for our investors even if it means violating our
mission statement".

~~~
Galaxeblaffer
We need a new type of company that can never be acquired.

~~~
techntoke
DAO:

[https://en.wikipedia.org/wiki/Decentralized_autonomous_organ...](https://en.wikipedia.org/wiki/Decentralized_autonomous_organization)

~~~
floatboth
That definitely cannot be acquired. No sane business would want to convert
actual money into fun bucks and put those into a buggy script that would lock
everyone out if someone pwns it.

~~~
elwell
> convert actual money into fun bucks

What is more 'fun'? USD in bank account, USD as cash, DAO, or gold? I would
think those are monotonically decreasing in 'fun'-ness. "Actual" money is not
a good word for printable items of arbitrary scarcity. Not arguing for or
against GP, just saying.

------
rvz
Looks like it wasn't a good idea to leave your private keys in Keybase's
servers was it?

Perhaps the moment that Keybase took VC funding a while back, it was over to
begin with and the principles of being a "Slack competitor" and respecting
their users' privacy went straight out of the window and into the bin.

I really had high hopes for Keybase as a Slack competitor, the cryptocurrency
stuff I actively ignored, but this is a disaster.

Fission Mailed.

~~~
gspr
Wait, what? People gave Keybase their private keys?? Isn't keybase just some
glorified modernized web of trust infrastructure?

~~~
coldpie
It was well-intentioned. For a time, Keybase provided users the option to
upload their private keys so they didn't have to maintain them themselves. You
could just log into Keybase and send signed messages, decrypt messages, etc
without the hassle of managing your keys locally. It was definitely a bad idea
and I think they dropped it a few months/years later, but it at least wasn't
totally out of left field.

~~~
bamboozled
They don't have access to your unencrypted private key, it's just a backup of
your private key which is encrypted by (hopefully) a very strong password.

This feature saved my skin on one occasion.

~~~
coldpie
I believe the argument is that a private key encrypted with a password is not
cryptographically different from a plaintext private key. The password is more
of a "keeping honest people honest" kind of thing, than true security. If it
was truly secure, then you'd be using a new private key to encrypt your real
private key, and then you're back to where you started. Cryptography is hard,
which is why I was such a big fan of Keybase trying to fix it for real people
:)

Edit: This has received a few downvotes. If I'm wrong here, I'd really like
to know why! I thought this explanation was correct and clear.

~~~
dcow
I didn't downvote. Here are my thoughts.

> I believe the argument is that a private key encrypted with a password is
> not cryptographically different from a plaintext private key.

You have it backwards. On principle an encrypted anything (key in this case)
is of zero value to anyone. It doesn’t matter if you tweet encrypted messages
every 30 seconds to millions of followers or not: they're encrypted.

When you use a password to encrypt, and you (or your client/agent) selects an
appropriately sophisticated suite, you end up seeding a KDF with your password
and then using the resulting data as the actual “private key” (it’s just a
symmetric key, no public/private). If your password has enough entropy, then
the resulting key is perfectly secure.

In practice people are paranoid. “If the key is on Keybase’s servers, someone
could get it and brute force decrypt it.” It’s almost pop culture fallacious,
though, because if you believe someone can do that, then they can just as
easily brute force the actual key. In practice people use shitty passwords,
and crypto weakens as time moves forward, there are good and bad algorithms,
and the whole point of a _public_ key infrastructure is to keep private keys
off the wire. So it’s generally seen as bad form to copy private keys around,
even if they're encrypted. We’re still pretty far on the spectrum here because
if your crypto breaks you have to re-key everything anyway. Not just
re-encrypt unchanged private keys.

At the end of the day you're either copying a private key around or you
aren't. And you should probably avoid situations where you need to do that
because there are better ways to PKI. If your threat model can tolerate
encrypted key backups and key sharing, then go for it. But that should be
something you control.
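
The password-to-KDF-to-symmetric-key flow described in the comment above, as an added Go example that is not Keybase's code or storage format. PBKDF2-HMAC-SHA256 and AES-256-GCM are choices made here because they need only the standard library; the names `Wrap`, `Unwrap`, `Backup` and `EffectiveBits` and the sample secret are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math"
)

// pbkdf2SHA256 derives a 32-byte key with PBKDF2-HMAC-SHA256 (RFC 8018),
// written out here so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // index of the first (and only) output block
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// Backup is what a server would store; its confidentiality rests on the password.
type Backup struct {
	Salt, Nonce, Sealed []byte
	Iter                int
}

// aead turns a password into an AES-256-GCM instance via the KDF.
func aead(password string, salt []byte, iter int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iter))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts a private key under a password-derived symmetric key.
func Wrap(privateKey []byte, password string, iter int) (*Backup, error) {
	b := &Backup{Salt: make([]byte, 16), Nonce: make([]byte, 12), Iter: iter}
	if _, err := rand.Read(b.Salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(b.Nonce); err != nil {
		return nil, err
	}
	a, err := aead(password, b.Salt, iter)
	if err != nil {
		return nil, err
	}
	b.Sealed = a.Seal(nil, b.Nonce, privateKey, nil)
	return b, nil
}

// Unwrap returns an authentication error for any wrong password.
func Unwrap(b *Backup, password string) ([]byte, error) {
	a, err := aead(password, b.Salt, b.Iter)
	if err != nil {
		return nil, err
	}
	return a.Open(nil, b.Nonce, b.Sealed, nil)
}

// EffectiveBits is a rough work-factor model: whoever holds the backup pays
// about 2^passwordBits guesses of iter HMAC calls each, capped by the
// strength of the AES key itself.
func EffectiveBits(passwordBits float64, iter int, keyBits float64) float64 {
	return math.Min(passwordBits+math.Log2(float64(iter)), keyBits)
}

func main() {
	secret := []byte("constructed stand-in for a private key")
	b, _ := Wrap(secret, "correct horse battery staple", 100_000)
	_, err := Unwrap(b, "password1")
	fmt.Println("wrong password rejected:", err != nil)
	fmt.Printf("28-bit password: ~%.0f bits; 80-bit passphrase: ~%.0f bits\n",
		EffectiveBits(28, b.Iter, 256), EffectiveBits(80, b.Iter, 256))
}
```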

~~~
orblivion
If people have bad passwords, that makes brute force recovery of the private
key on a Keybase server plausible, right? At least a lot more so than the
whole key from scratch. I'd assume that a machine generated key has more
entropy than any password that a human can memorize.

If sharing a password-protected private key is perfectly safe, why bother
having them? Why don't PGP users just password protect everything?

Above all else though, is there an authoritative source that can answer these
questions? As a run-of-the-mill programmer, I don't really understand how
crypto works well enough to trust my own common sense here. It's been drilled
into my head that there are certain rules to follow set out by people who do
know what they're doing. And when people say "it's all good, it's password
protected", and I'm not sure what their credentials are, I get a little
nervous. I did notice that Werner Koch uses Keybase, but if they could simply
point to an "okay" from him or Zimmermann explaining the situation, it would be
settled. To me anyway, it's not simply an abundance of caution ("paranoia"),
it's that something seems fundamentally wrong with the approach and I just
don't know the actual cost.

~~~
asdf123wtf
I think people are confusing things a bit here. Sure, you can protect your pgp
key with a password, but I don't think that adds a whole lot of security to
your uploaded private keys. When you upload a pgp key to keybase, it encrypts
the key again, using your keybase device key. So it's double encrypted,
basically.

The keybase model revolves around devices. Device keys are private keys that
are tied to a particular device (your phone, pc, etc) and never leave that
device (unless it gets compromised somehow). The only way you can decrypt your
data on another device is by registering it using another authenticated
device. These keys don't have passwords.

It's basically like encrypting a pgp key with another pgp key, and uploading it
somewhere, like people upload all manner of secrets to github or s3 or
whatever.

Keybase just provides an easier flow to register new devices and to import and
decrypt your secrets (like via a QR code scanned by your phone, for example).
Your private keys are as secure as any private, encrypted piece of data that
you might send out over the wire, so long as your devices are secure, that is.

If one or more of your devices gets owned, all bets are off, AFAIK. Even if
you set a passphrase on your pgp key, all it takes is a key-logger to get it.
And since your device is already compromised...

This is where hardware keys win out (yubikey, etc), that require a physical
touch to unlock.

DISCLAIMER: I really only have a layman's understanding of crypto.

~~~
orblivion
Thank you. If that's true I wish they would have just said so when people
started complaining about it on Github. Everybody seems to have a different
take on this.

Assuming what you're saying is correct, it seems much more sensible. It almost
makes the PGP key seem superfluous, though I suppose it helps with legacy this
way.

It still seems not ideal, in that having one device compromised would give
away your main private key and thus your whole identity. It would be nice to
have it be some sort of subkey situation. I'd have to think about how that
would work.

~~~
dcow
> It almost makes the PGP key seem superfluous, though I suppose it helps with
> legacy this way.

This is actually one of the best "features" of keybase. They've backed
everything by some strong pgp crypto roots, but none of their stuff really
"operates" using pgp. The fact that they have abstracted it, in my opinion, is
part of why people have adopted it so easily.

------
DCKing
People are expressing they will stop using Keybase because of this. That's
fine, probably a good idea.

But reading this, Zoom+Keybase will make sure of this themselves. This press
release indicates that this is a 100% acquihire. There's only talk about what
the Keybase people will be tasked to do, and there isn't any talk about
Keybase's services in the first place. There's no real reason Zoom would be
interested in keeping Keybase's services up and running anyway.

Let's hope they make it a swift death. Shame about Keybase, loved using it so
far. It's somewhat encouraging to see a change in direction for Zoom, too.
Hope the acquihire works out.

------
wharfjumper
I would participate in (and could provide resources to) the creation of an
open foundation that had as one of its goals the writing of an open source
keybase API[0] compatible server.

If anyone else is interested, please contact me directly (email in my
profile).

[0][https://keybase.io/docs/api/1.0](https://keybase.io/docs/api/1.0)

~~~
Legogris
Maybe try approaching the keys.pub devs?

------
roblabla
Keybase's post about the acquisition:
[https://keybase.io/blog/keybase-joins-zoom](https://keybase.io/blog/keybase-joins-zoom)

> What the Keybase team will be doing

> Initially, our single top priority is helping to make Zoom even more secure.
> There are no specific plans for the Keybase app yet. Ultimately Keybase's
> future is in Zoom's hands, and we'll see where that takes us. Of course, if
> anything changes about Keybase’s availability, our users will get plenty of
> notice.

> So, our shortest-term directive is to significantly improve our security
> effectiveness, by working on a product that's that much bigger than Keybase.
> We can't be more specific than that, because we're just diving in.

So, yup, keybase is dead.

~~~
INTPenis
How can they be so oblivious though? Their own blog post doesn't even mention
the tarnished reputation Zoom has acquired lately.

A lot of people will stop developing integrations for Keybase because of this.
It's sad.

~~~
momokoko
They aren’t. They are making a lot of money which is what the business was
made for.

The post is actually refreshingly honest that keybase is now abandoned and
will probably die at some point.

The idea that companies were stupid enough to place their internal identity on
some random 3rd party is so incredibly stupid that it’s hard to feel too bad
for anyone.

Congrats Keybase!

~~~
AgloeDreams
> They are making a lot of money which is what the business was made for.

I miss the days when businesses existed not just to serve investors but also
their employees and the common good. It's like a 1%-er meta profit model where
the actual business is in buying and selling the business and the core
business is really just a temporary front that is designed to never make a
profit, just create fancy looking charts and eventually bait and switch
consumers when it is sold to the highest bidder and the employees all
eventually lose their jobs.

One day, VC funding will either be illegal or required. Considering the flow
of money in this exchange, I'm betting on the second.

~~~
ativzzz
> I miss the days when businesses existed not just to serve investors but also
> their employees and the common good

Uh when was this? For-profit businesses have always been created for the
primary purpose of making money. Any side effect like employee well being
happened to coincide with what maximized profits at the time or due to
regulation.

~~~
rabidrat
Pre-1970 or so. Before Milton Friedman, there was a general sense that
companies existed to fulfill some mission, with profit as a means. The CEO of
Kellogg commented on this in an interview ca. 1980, that money for a business
is like a gasoline for a road trip. You need it to get where you're going, but
the point of a road trip is not to accumulate as much gasoline as possible.

~~~
snowwrestler
Is this a joke? The bulk of the labor movement happened before 1970, and it
was not because workers were so well-treated and well-compensated that they
had a lot of free time on their hands.

I'm a big fan of business and entrepreneurship, but let's be clear here: there
is a reason we invented government. There was never a time when we could 100%
count on the beneficence of business leaders to advance social goals.

Edit to add: I'm not trying to demonize all business leaders here. There are
some bad actors, but even business leaders who desire to do well have to
succeed in the marketplace--even against bad actors. Unfortunately, doing bad
things in business often confers the benefit of lowering costs, which is a
competitive advantage. This is a known structural issue with a marketplace
economy and why we need more than just business to have a good society.

~~~
rabidrat
Of course, there have always been bad businesses. The difference between
pre-1970 and now, is that we've not only socially legitimized the maximization
of profit, we've also all but legally mandated it. Now even "decent" business
leaders like the CEO of Costco have to continually answer to their
shareholders as to why they're not lowering wages and reducing benefit--and in
Costco's case, the shareholders may try to take legal action to force them to
lower costs, even though Costco the business is already quite profitable. Due
to lack of labor regulation and the mantra that "businesses are required to
maximize shareholder value", Costco's decency is fully dependent on its CEO's
(unusual) fortitude to fend off those shareholder demands. When its leadership
changes, its ability to care for its employees will likely revert to the mean,
which as we see in today's environment is abysmal.

So really, it's not that "there are some bad actors", but that "the system
strongly encourages businesses to install these so-called bad actors as their
leaders". I agree with you, that we need strong government labor regulations
to counter this mentality, but this mentality is why these regulations have
deteriorated over the past 50 years.

~~~
snowwrestler
> The difference between pre-1970 and now, is that we've not only socially
> legitimized the maximization of profit, we've also all but legally mandated
> it.

I'm sorry, but this is just not true. If it was legally mandated, then the
Costco CEO would not have been able to resist such shareholder demands. Your
example proves the opposite of what you think it does.

Nothing has changed in the legal structure of corporate governance since 1970.
Do you think that investors never demanded greater returns from business
leaders prior to 1970?

They can still demand all they want, but the law remains clear today that
corporate directors and managers have the power to run the business as they
see fit, and shareholders' sole remedy for their disappointment, in the
absence of outright fraud or gross negligence, is to sell their stock.

In February 2014, Tim Cook was the CEO of one of the most valuable companies
in the world. At Apple's shareholder meeting, he directly told his
shareholders that he does not even consider ROI in some of his decisions.
Legal consequences to Apple and Tim Cook for this statement? Zero. He's still
CEO. Because there is no legal mandate to maximize corporate profits.

Honestly, by buying into this myth that the law changed in the 1970s, you're
lending power to a fake idea that you seem to be opposed to. There is a group
of people who wish such a mandate existed, and by acting like they're right,
you're kind of helping them.

Business leaders might make anti-social decisions because they feel
_competitive_ pressure to succeed in a marketplace where customers are free to
choose and are price-sensitive. That's not nearly the same thing as saying
that corporate governance law _forces them_ to make such decisions. It
doesn't.

~~~
rabidrat
The expression "all but" means "almost but not quite".

~~~
snowwrestler
I know, that's what I'm trying to say: it's not true that CEOs are "almost but
not quite" legally mandated to maximize profit or shareholder value. The law
says plainly that they are not.

"All but" is handy phrasing if you're trying to create the impression that
something you prefer is true. If you don't prefer it, I think that using that
phrase is like shooting yourself in the foot rhetorically.

I think it's more constructive to point out that such a mandate does not exist
(regardless of what some shareholders seem to believe), and there are good
reasons it doesn't.

------
dcow
Honest question, why does Zoom’s security reputation matter more than
Keybase’s? There’s so much pessimism in here but I really don't get it. I
disliked zoom long before any of the security issues because frankly it’s
rough, unpolished, software that’s never really worked well for me. I, for
one, would be excited to get a functional Zoom with better security integrated
into Keybase as an option for UI so that you have a serious “productivity”
app. Why does the fact that zoom needs help in the security department
automatically spell the end of times?

~~~
vz8
Just out of curiosity, what was it about Zoom that never worked well for you?
I work with oodles of academics, and that was the singular reason they flocked
to Zoom - out of box ease of setup / ease of use that trumped WebEx and GoTo
Meeting.

Privacy considerations were secondary and only came to light (from their
perspective) during the increased scrutiny brought during COVID-19.

~~~
dcow
Their client software locks up my machine every other day. You can’t screen
share on wayland. My coworker can’t run a build while on a zoom call or his
machine just dies. The UI has never scaled properly on my displays. The zoom
icon is distorted in my task switcher. You can’t use zoom in the browser. It’s
a lot of little things that add up. I’ll admit I’ve never used zoom on
Windows. Perhaps they've invested most of their effort on that platform. And
credit where it’s due, when the video calls work, they work as well as any.

~~~
vlowther
Zoom running on Plasma in X has worked fine for me for years. I would suggest
that the problem (like so many others) is a Wayland ecosystem maturity thing,
not a zoom thing.

------
jtchang
The negativity here is astounding. This really comes down to a company putting
their money where their mouth is. Think about the reasons you'd decide to
acquire Keybase. It certainly isn't for PR as most people have no idea what
Keybase is.

What we are seeing is that Zoom is truly concerned about how their security
posture is hurting their business. Remember they aren't the only game in town
and there are plenty of competitors. Buying Keybase is an investment in their
culture and longterm outlook.

~~~
throwawaygo
Best thing they could have done. They purchased expertise and a brand that is
untarnished and loved in security circles.

~~~
decebalus1
> a brand that is untarnished and loved in security circles.

It was just tarnished and unloved. Got notified this morning that I won't be
able to access the public files of most of my 'security circle' on Keybase
because they deleted their accounts.

------
AndyKelley
I worked at OkCupid long after Chris Coyne and Max Krohn abandoned it. From
the vestigial remains of the founders' code and features it was clear what
their main objectives were: have fun with cool tech, on the dime of VC
funding. As soon as they got bored, they moved on to the next thing. KeyBase
is the same pattern. I mean, good for them, they're successful by any measure
- how they spend their time and how much money they have. But this outcome was
to be expected.

------
Arathorn
It's kinda ironic that Keybase disappears into Zoom the day after Matrix/Riot
enabled end-to-end encryption by default, with cross-signed device
verification similar to Keybase's concept of connected keys - see
[https://blog.riot.im/e2e-encryption-by-default-cross-signing...](https://blog.riot.im/e2e-encryption-by-default-cross-signing-is-here/).

In other words, a fully open source (and open standardised) alternative
continues to exist in the form of Matrix.

[disclaimer: project lead for Matrix]

~~~
RMPR
I was about to complain about your desktop Electron app but it seems that
spectral[0] is already usable without any hassle (build from source, ...) at
least on Fedora, time to reactivate my Matrix account, keep up with the great
work

0: [https://gitlab.com/spectral-im/spectral](https://gitlab.com/spectral-im/spectral)

~~~
roblabla
There's also Fractal[0] which uses GTK+ instead of Qt, and is maintained by
the Gnome foundation and planned to be used by the Librem 5 AFAIK.

[0]:
[https://matrix.org/docs/projects/client/fractal](https://matrix.org/docs/projects/client/fractal)

~~~
RMPR
Unfortunately, can't find it in Fedora's repo

~~~
uneekname
I know it isn't ideal, but Fractal is available through Flatpak and Snap

------
emersion
[https://keybase.io/account/delete_me](https://keybase.io/account/delete_me)

~~~
nathcd
Anybody else having trouble deleting their account? When I go to
/account/delete_me, I get redirected to /?next=%2Faccount%2Fdelete_me, which
is just the home page. Also, I get the logged out navigation bar even after
logging in. Logging in seems to just redirect me to my own profile page. (I've
got my content blockers disabled, etc.)

Edit: deleting my cookies and re-logging in did the trick, in case anybody
else hits this issue. After re-logging in I now have one fewer cookie than
before, so I must've picked up an extra cookie that was screwing with their
auth handler or something.

------
kirillzubovsky
Although I would consider myself to be a technical person in general sense, I
was definitely a non-technical light user of Keybase. More specifically, I was
not really concerned of how they did their encryption, as long as they did it
well, and I had Keybase just in case I needed to encrypt, rather than
actually using it daily like some here.

Looking back on my usage of Keybase, I realize that encryption to me is a
feature, not a tool or an app. I prefer my conversations encrypted, but I
don't seek out an app that does it. I would like my files to not be tampered
with, but I just kind of assume that's the default on Dropbox et al., even if
it's not.

From this view point, it might be a good thing that Zoom acquired Keybase. I
would have rather it be Slack or Google or Microsoft, but Zoom will have to
do. If they don't murder the acquisition right away, there is a chance they
turn Zoom and all their future tools into a more secure environment, in which
case it's a win-win for all.

------
kylehotchkiss
Keybase was cool tech that for years I hoped would find a profit model and
more everyday use case. I liked being able to prove I was in control of
something on the web. I use Zoom for work and think it's been one of the more
stable video conferencing solutions out there but I certainly can't trust them
to maintain something like Keybase in a secure manner. Bye keybase, I know you
had bills to pay and that this is a tough economy :( I hope your core team
will be able to regroup after cashing out at Zoom with some new projects!

------
jrochkind1
From the headline, I didn't understand why Zoom, a videoconferencing company,
would want to buy a secure messaging/sharing app.

But after reading it, duh. It's an acqui-hire. Zoom definitely needs to
improve its security, because of recently publicized problems. These are the
right people to work on that, the security problems are similar in keybase and
zoom, and an outside team with an established track record will help Zoom
regain credibility. And Zoom probably had lots of cash on hand to buy whatever
they wanted.

So that all makes sense. I wouldn't expect the keybase product to stick around
though.

Not because, as other commenters had said "Zoom doesn't care about security."
Because they did an acqui-hire to get a team to help them with security, not
because they wanted the product. I expect this _will_ result in Zoom's own
security improving, it's not some kind of smoke and mirrors trick. It's not
that they don't care about security, I think they are presently prioritizing
it. They just don't care about the keybase product. Obviously, why would they?
It can't have revenue or profit anything close to what the zoom product has.

------
SirensOfTitan
This sounds like an acquihire, or am I reading it wrong? If so, I doubt anyone
at keybase is necessarily thrilled about this.

I’ve enjoyed keybase for many years, it made a lot of annoyances of encryption
and key management easy. I particularly liked its encrypted git repo
feature—now I’m struggling to think of an easy alternative.

------
schoolornot
Surprised they took the path of acquiring Keybase and hiring Alex Stamos (ex
FB CISO) vs. hiring Moxie Marlinspike and other respectable professionals.
Keybase's reputation has become eroded with their recent crypto currency
signing nonsense.

[https://en.wikipedia.org/wiki/Moxie_Marlinspike](https://en.wikipedia.org/wiki/Moxie_Marlinspike)

~~~
munchbunny
Zoom's problems aren't really a matter of having security _talent_, they're a
matter of the company as a whole not prioritizing security. Fixing the former
doesn't fix the problem, it just makes for good PR. The latter is a
requirement for the former.

Brian Krebs talked about this a bit in the wake of Equifax:
[https://krebsonsecurity.com/2018/12/a-chief-security-concern...](https://krebsonsecurity.com/2018/12/a-chief-security-concern-for-executive-teams/)

Assuming Zoom is really trying to fix the problem, it makes a lot of sense to
bring in management (and/or teams) who have experience with bringing security
into engineering culture, as opposed to individual security experts who may
not even want to work for Zoom in the first place.

------
paramk
Will this mean Keybase will be killed in the near future ?

From the blog

Initially, our single top priority is helping to make Zoom even more secure.
There are no specific plans for the Keybase app yet. Ultimately Keybase's
future is in Zoom's hands, and we'll see where that takes us. Of course, if
anything changes about Keybase’s availability, our users will get plenty of
notice.

So, our shortest-term directive is to significantly improve our security
effectiveness, by working on a product that's that much bigger than Keybase.
We can't be more specific than that, because we're just diving in.

~~~
conroy
> Will this mean Keybase will be killed in the near future ?

Absolutely. This was clearly an acquihire.

I copied all of my data out of my keybase folder today and I'd suggest you do
the same.

------
TomGullen
Zoom trading at ~1,700 P/E which to me seems absurd. Wonder if the acquisition
involved much stock! Seems like a good time for Zoom to make transactions like
this.

~~~
davedx
Can you explain this in a little more detail please? Would love to understand
more.

~~~
durkie
I think the thought GP was expressing was that it would be a good time for
Zoom to make an acquisition of Keybase paid for in Zoom stock since Zoom stock
is trading at a very high multiple of Zoom's earnings.

Some people would regard this stock price as unsustainable compared to
historic/similar earnings multiples, and that the stock will likely decrease
in value in the "near" future. So from Zoom's perspective they may as well buy
as much as they can while their Zoombucks are worth a lot since they'd be
parting with fewer shares now than if they made the transaction later on.

------
frisco
I had such high hopes for Keybase; kbfs had completely replaced Dropbox for
me. This is terrible news.

~~~
souterrain
This is precisely why Zoom is acquiring Keybase. Zoom seeks to become the
single "remote work tool", challenging Dropbox, et al. directly.

I'm particularly disenchanted with the growth of these multipurpose tools, but
I am not their target audience. (Nor, I suspect, are many HN participants, but
this is a baseless guess.) I suppose I'm more of an adherent to so-called
"UNIX philosophy"--the best, single-purpose tool for each task, preferably
that can be combined with its like for a solution customizable to how a
specific user gets work done.

~~~
_asummers
> Zoom seeks to become the single "remote work tool", challenging Dropbox, et
> al. directly.

Maybe they should work on the fact I can run Zoom in screen share and just
about nothing else. Just entering a call for me takes ~75% of my CPU and I
beach ball regularly when screen sharing lightweight text editors doing barely
more than scrolling and typing.

------
hnarn
I've used Keybase for a long time but I never quite understood the purpose of
it. It never "just worked" for me and my experience was mostly chats being
unreadable, my account having to be reset, and a lot of new functionality that
seemed like it did what other products already did, just not as good.

I always liked the idea and the people behind it seemed like good people, but
I'm sad to say I won't miss a worse version of Slack, Bitcoin and Dropbox.

------
xoa
> _"We're thrilled with the match, and we're excited to be working on
> security that affects everyone we know."_

[https://ourincrediblejourney.tumblr.com/](https://ourincrediblejourney.tumblr.com/)

Argh, yet another for the list. Certain cycles in the tech world are both
extremely predictable and regrettable, yet for most of them the sting seems to
fade a bit as the decades go by. But the acquisition-for-the-talent/IP-now-
great-product-is-toast one somehow never, ever manages to lose its capability
to be depressing. On the contrary new ones just make me think back on previous
dearly departed that never got an equivalent replacement. It's part of what's
made me particularly suspicious about new non-OSS "free" offerings, because
that's generally just not sustainable. And the better it is the more I beg
them to have some sort of decent paid tier. I guess some though just plain are
aiming for a buyout from the start and that is in fact their planned
profit/exit strategy, and fair enough but still ouch each time.

------
stickac
I am glad we have [https://keys.pub/](https://keys.pub/) :-)

------
rbarroso
Strangely the Core Security documents which should be available through the
links on the Crypto page:

      - https://book.keybase.io/docs/crypto

are not available!

Missing linked documents:

      - https://book.keybase.io/docs/server_security
      - https://book.keybase.io/docs/server_security/merkle_root_in_bitcoin_blockchain
      - https://book.keybase.io/docs/sigchain

~~~
notpushkin
merkle_root_in_bitcoin_blockchain is now in the Server section:
[https://book.keybase.io/docs/server/merkle-root-in-bitcoin-b...](https://book.keybase.io/docs/server/merkle-root-in-bitcoin-blockchain)

------
grenoire
I don't quite know how to feel about this. Perhaps it is my mistrust against
Zoom, but I did enjoy the run Keybase had as a semi-independent key and ID
manager.

~~~
Latty
Yeah, with the recent issues they had after doing the cryptocurrency stuff
(which didn't really bother me, but it definitely seemed to generate some
negative feelings in general), this feels like a poorly-timed move.

Zoom is presumably going for "look, we are bringing on-board this team of
trusted people who understand privacy", but I think most are just going to
assume it'll work the other way and Zoom's culture of poor security practice
will bleed into Keybase over time.

------
Legogris
I recently posted this comment during a recent Keybase/Keys.pub thread:
[https://news.ycombinator.com/item?id=22996981](https://news.ycombinator.com/item?id=22996981)

Looking forward, none of that seems to matter due to this
acquisition/acquihire - it seems clear that we'll not be able to count on
Keybase in any meaningful way from now on.

This is the most disillusioning acquisition to date for me.

------
pbnjay
Oof. Keybase was struggling to define what exactly it was, so I guess this is
the best exit option for them anyway...

~~~
cowmix
Thank you!

I've been using it on and off for years.. I'm still not sure what exactly it
is or under what circumstances I should be using it.

~~~
soulofmischief
I use it for shared network storage, frictionless private git repositories,
basic static web hosting, personal and work chat, and I make heavy use of the
teams feature. Not a day goes by I don't use it for something.

------
zegl
First, a huge congratulations to the founders of Keybase! Running a self-
founded messaging company can't be an easy feat.

For me personally, this is of course worrying news. I'll suspect that Keybase
will die a rather quick death, as most of its users are security minded that
wouldn't ever trust Zoom.

------
kemonocode
Well, I guess that's it for Keybase. I distinctly remember expressing my
worries about them spreading themselves too thin and not really having a clear
monetization plan, so an acquihire was the easy way out.

Say, anyone got any Keybase alternatives that are focused _only_ on identity
management?

~~~
stickac
[https://keys.pub](https://keys.pub)

------
Kipters
Congrats to the keybase team, but I guess I'll just stop using it

~~~
steve_adams_86
Likewise. My friends and I have been using it throughout the pandemic to chat,
I've been using it for years, but we're all deleting our accounts this
morning. All around unsettling news as far as keybase software goes.
Congratulations keybase team, though.

~~~
otachack
I'm curious where Keybase refugees are going to end up. Matrix? Telegram?

~~~
Avamander
Nothing FOSS really offers nearly the same level of team tools. Multiple
channels in same group? Subgroups? Not a single FOSS thing I'm aware of.

Discord is a nice solution if proprietary solutions aren't a problem. It's
really sad.

------
defulmere
Wow, it didn't take them long to dumb down
[https://keybase.io](https://keybase.io) - no mention of all of the cool
nerdy crypto stuff, git, etc at all, now it's just another chat app.

~~~
corkscrew
It's been like this for weeks

------
franga2000
This might be an exaggeration, but this feels like one of the last nails in the
coffin of PGP. Keybase felt like it could become the thing that finally starts
making PGP more widely-used by giving it some new powers (verifying social
network identities, etc.) and from the way this acquisition looks, it won't
last much longer or at least won't improve much.

It's a shame, really. The web of trust idea from PGP could've been really cool
and useful to apply to modern social networking and communication services -
one that I can imagine even some normal users using. But it seems that Keybase
were one of the last willing to try...

------
gkoberger
I don’t think they bought Keybase for the team or security. I think it’s one
of the few good Slack competitors out there for sale.

Zoom definitely sees this as a chance to take on Slack given their new
momentum.

------
Havoc
Well they had better sort out their security ASAP. The South African
parliament's Zoom meeting just became a porn stream. Second time that has
happened in <month. Can't really see why anyone is still using it for serious
work.

[https://www.heraldlive.co.za/news/politics/2020-05-07-parlia...](https://www.heraldlive.co.za/news/politics/2020-05-07-parliaments-zoom-meeting-hacked-with-porn-images-racial-abuse/)

------
nullc
So does this mean getting marketed sketchy cryptocurrencies during your
teleconferences, sending your PGP keys to random servers in other countries,
... or both?

Relevant to the acquisition, perhaps:
[https://web.archive.org/web/20191122031523/https://github.co...](https://web.archive.org/web/20191122031523/https://github.com/keybase/keybase-issues/issues/788#issuecomment-46240258)

------
eganist
Congratulations, malgorithms and team!

Selfishly hoping the core service isn't shut down, though. I've been using it
authoritatively for 5+ years. Treasuring the username I got too.

------
sneak
So, the company that got bribed by a shitcoin promoter to backdoor the keybase
app so it can abuse your secret keybase identity keys to place permanent, non-
removable shitcoin ads on your profile[1] (and then immediately denied that it
was a backdoor and _also_ lied about implementing the ability for users to
remove the ads keybase got paid to place[2]) is now joining up with the
company that has shipped sketchy backdoored client software[3], consistently
lied about having end to end encryption (and even doubled down on their lies
when confronted about it!)[4] and delivers their encryption keys from
generation servers in China[5].

I'm sure the result of this will be lots of good and secure trustworthy
software that I'll be eager to install on my computer. It's totally legitimate
and accurate that people are reporting today that this acquisition will bring
real end to end encryption to Zoom as if buying a company causes software to
spontaneously manifest out of the ether with zero delay. Don't worry,
everyone: Zoom is secure now because they wrote a check!

What is it with cryptographic charlatans these days?

[1]: [https://sneak.berlin/20190929/keybase-backdoor/](https://sneak.berlin/20190929/keybase-backdoor/)

[2]:
[https://news.ycombinator.com/item?id=21109530](https://news.ycombinator.com/item?id=21109530)

[3]: [https://www.zdnet.com/article/zoom-defends-use-of-local-web-...](https://www.zdnet.com/article/zoom-defends-use-of-local-web-server-on-macs-after-security-report/)

[4]: [https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-...](https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/)

[5]:
[https://www.forbes.com/sites/thomasbrewster/2020/04/03/warni...](https://www.forbes.com/sites/thomasbrewster/2020/04/03/warning-zoom-sends-encryption-keys-to-china-sometimes/)

~~~
ViViDboarder
From your second link a commenter actually steps through the flow:
[https://news.ycombinator.com/item?id=21116981](https://news.ycombinator.com/item?id=21116981)

It seems pretty clear from that description that the user consents to
signing...

I think it’s annoying to see wallet and chat when all I really cared about was
a discoverable public key, but it doesn’t appear to be a backdoor signing
method.

~~~
avree
The guy you're replying to is the one who wrote the misleading blogpost that
was (rightfully flagged) in link [2]. I think it's likely that if he's still
grinding this axe 7 months after a very reasonable explanation was given by
Keybase, he's not going to change his mind now.

------
brigandish
There's a petition for them to open source the backend, much as that seems
hopeless we should do _something_ (and this is preferable to going back to gpg
for everything:)

[https://www.change.org/p/zoom-video-communications-inc-relea...](https://www.change.org/p/zoom-video-communications-inc-release-the-keybase-back-end-as-foss)

------
danrl
Congrats to the team for having a nice exit. I myself removed all my data from
keybase and stopped using it. There is just no trust left on my side for Zoom
and those who join Zoom in a business relationship. Indistinguishable from
malware it has been for me. Disrespectful of my privacy and hard to remove
from my machine. No, thanks. Nevertheless, wishing all the best for keybase.

------
mcovey
I love(d) the idea of Keybase but I always had in the back of my mind that it
was too good to be true. I'm guessing this will be the end as they announce in
a few months that Keybase is being retired as its "best security features"
have been integrated into Zoom. Seems to happen to just about every good
product that isn't fervently open-source.

------
anigbrowl
Good thing I already finished my coffee before seeing this headline. With no
disrespect to Zoom, who might even have the best intentions, seeing Keybase
just get _acquired_ spooks me, and makes me glad I wasn't seriously invested
in it. I had been under the impression (as a very casual user) that it was
using a foundation finance model to ensure its independence.

------
pot8n
Keybase went from ranking 30,000 to 65,000 in 3 months. What happened here? It
seems like Keybase has been falling in traffic already for the past 3 months
and its reputation has been tarnished in HN for months now.

[https://www.alexa.com/siteinfo/keybase.io](https://www.alexa.com/siteinfo/keybase.io)

~~~
RL_Quine
The product is simply not good in its current form. It's a strange mix of
instant messaging, web of trust, and cryptocurrency scam. It doesn't strongly
give any particular goal. The tools are shiny, pleasant enough to look at and
use, but isn't going in any direction.

A lot of push recently has been into making it a "team chat" platform, which
is great except that all of the participants are public, and tied to their
name. It makes for hideously bad opsec if any company were to seriously use
it.

~~~
coldpie
God, that cryptocurrency scam. If ever there was a clear message screaming "we
have no idea how to turn this into something profitable/sustainable," that was
it.

~~~
kybernetikos
Not sure why people keep saying things like this.

The truth is that sharing money in the same way we share messages and images
(i.e. chat) is a good idea, and in my opinion is absolutely _inevitable_.

Now we don't have to do that via cryptocurrency, but the reason we don't
already have it in the west is because it's a coordination problem, and there
are entrenched interests that won't care about giving the user a good
experience until forced to by competition. Cryptocurrency lets you avoid that
problem, and given that it is entirely around managing keys, it's a very
natural fit for KeyBase.

I thought the integration into keybase chat was genius, and the user
experience of transferring money in that way was much better than anything
traditional banking has ever offered me.

------
thinkmassive
Whoa, how much? The press release doesn’t say, but this will come out
eventually since Zoom is publicly traded, right?

------
brynet
You can permanently delete your keybase.io account with the command-line
utility:

        $ keybase account delete

------
jokoon
There were local, volunteering missions to help healthcare workers, the
homeless, etc all done by some "non-profit" in Europe. Those missions had
state-sponsored ads, and I volunteered online.

As soon as they required me to use zoom, I told them I would not use zoom. I
just go on their whatsapp thing, so of course I get less info, etc.

I really fail to understand how Zoom became so popular, and I was recently
wondering the same thing about TikTok, which by the way, was just a clone of
Vine.

Essentially, with apps like that, advertising and adoption is critical, the
tech doesn't really matter that much. I would really be interested in
understanding what are the strategies in place to make people use those
things. Of course the virus played a huge role, but I'm certain there are
specialists about how to gain users rapidly.

~~~
baumy
Can't help you with TikTok or Vine since I don't understand those either (I
believe the target market for them is mostly people around age 21 or younger,
so if you're outside that group that's not surprising).

For Zoom though, I feel it's quite trivial to see how it became popular. Of
all the various video chat/conferencing software that exists, Zoom is the
easiest for the layperson to set up and use while also tending to be the best
performing in terms of audio/video quality, latency, large numbers of users on
a single call, etc. My girlfriend was able to join a Zoom call with her parents a
few days ago without even telling them how to do it; yesterday I overheard a
30 minute phone conversation while she tried to explain to her mother how to
edit a facebook post (unsuccessfully, despite valiant efforts).

Outside of this niche community, basically nobody knows or cares about Zoom's
various security gaffes. They just want something that works and gets out of
the way. And I say all this as somebody who has watched others use Zoom a few
times and read about it, but never used it myself nor felt the inclination to.

I'm sure you're right about specialists and strategies to try to spark mass
adoption being things that happen, but the technology matters as well.

------
soulofmischief
I have moved much of my digital life to Keybase. This news brings me much fear
but I just pray that Zoom takes the best parts and then allows Keybase to
continue to function as a goodwill venture at least until a suitable
replacement appears. The software package Keybase offers is unbeatable.

------
f38zf5vdt
Zoom: Well boys, we did it. Privacy problems are no more.

------
jklinger410
> Engineer: Sir, it would be easier to just start over and build a video app
> for security from the ground up.

> CEO: But that would cost millions over the course of years!

> Engineer: Or we could just buy an already secure video app and put our
> features inside of that instead?

> CEO: Genius!

And that's how Keybase became Zoom.

------
CalmStorm
I have been working on this decentralized key-value database:
[https://github.com/kevacoin-project/kevacoin](https://github.com/kevacoin-project/kevacoin)

Together with W3C's draft Decentralized Identifiers (DID:
[https://www.w3.org/TR/did-core/](https://www.w3.org/TR/did-core/)), it could
provide a decentralized alternative.

Not sure what is the best way to verify Twitter/Github account though. This
has to be managed by users themselves. E.g. one user posts a proof in the
Twitter account, the other user verifies the proof by checking the proof
against the public key posted in the database.

Edit: updated description.
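
The check sketched in the comment above (a proof posted on the account, verified against the public key held in the database), as an added example that is not code from the thread, Keybase or kevacoin. The `Claim`/`Proof` format, the function names and the fixed demo keys are assumptions constructed for illustration; the point it shows is that the verifier must bind the signed statement to the account it fetched the proof from, or a copied proof would pass.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is the statement a key holder signs: "this key controls this account".
// The format is hypothetical, made up for this example.
type Claim struct {
	Service  string `json:"service"`
	Username string `json:"username"`
	Key      string `json:"key"` // base64 Ed25519 public key
}

// Proof is the text posted publicly on the account being claimed.
type Proof struct {
	Body string `json:"body"` // exact JSON bytes of the Claim that were signed
	Sig  string `json:"sig"`  // base64 Ed25519 signature over Body
}

// demoKey derives a fixed key from a one-byte seed (constructed test data only).
func demoKey(seed byte) ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
}

// pubOf returns the public half of an Ed25519 private key.
func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// MakeProof is the account owner's side: sign a claim naming the account and key.
func MakeProof(priv ed25519.PrivateKey, service, username string) (Proof, error) {
	body, err := json.Marshal(Claim{
		Service:  service,
		Username: username,
		Key:      base64.StdEncoding.EncodeToString(pubOf(priv)),
	})
	if err != nil {
		return Proof{}, err
	}
	sig := ed25519.Sign(priv, body)
	return Proof{Body: string(body), Sig: base64.StdEncoding.EncodeToString(sig)}, nil
}

// VerifyProof is the other user's side. dbKey is the public key read from the
// database; service and username describe where the verifier actually fetched
// the proof, and must never be taken from the proof itself.
func VerifyProof(p Proof, dbKey ed25519.PublicKey, service, username string) error {
	if len(dbKey) != ed25519.PublicKeySize {
		// ed25519.Verify panics on a wrong-sized key, so reject it first.
		return errors.New("database key has wrong length")
	}
	sig, err := base64.StdEncoding.DecodeString(p.Sig)
	if err != nil {
		return errors.New("signature is not valid base64")
	}
	// Check the signature over the exact posted bytes before parsing them.
	if !ed25519.Verify(dbKey, []byte(p.Body), sig) {
		return errors.New("signature does not verify under the database key")
	}
	var c Claim
	if err := json.Unmarshal([]byte(p.Body), &c); err != nil {
		return errors.New("signed body is not a claim")
	}
	// A valid signature is not enough: the claim must name this account,
	// otherwise anyone could repost someone else's proof on their own profile.
	if c.Service != service || c.Username != username {
		return errors.New("proof was signed for a different account")
	}
	if c.Key != base64.StdEncoding.EncodeToString(dbKey) {
		return errors.New("proof names a different key")
	}
	return nil
}

func main() {
	alice, mallory := demoKey(1), demoKey(2)
	p, _ := MakeProof(alice, "twitter", "alice")
	fmt.Println("own account:   ", VerifyProof(p, pubOf(alice), "twitter", "alice"))
	fmt.Println("copied proof:  ", VerifyProof(p, pubOf(alice), "twitter", "mallory"))
	fmt.Println("swapped db key:", VerifyProof(p, pubOf(mallory), "twitter", "alice"))
}
```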

------
nske
Very unfortunate. Besides its main purpose, Keybase has been my chat app of
choice for quite a while, after I decided I could no longer put up with
Signal's general crappiness.

Keybase has been one of the very few performant and usable "new-style"
applications that I've used -and the only one of its kind.

Sadly I am forced to suffer electron-based vomit every day -between Skype,
Teams, Whatsapp, Hangouts, Facebook messenger and whatever else I might be
fortunate enough to be forgetting. It sucks that I might have to be on the
lookout for a decent encrypted chat application that I don't actually hate,
again.

Not sure why the use-case of chat communications has been afflicted by so much
crappiness -as if it's a curse.

~~~
LeoPanthera
The Keybase app is also written in Electron.

~~~
nske
I know, that's why I was surprised it managed to somehow not suffer from the
same performance and functionality problems that I observe on the rest I
mentioned.

I didn't say that all electron apps have to suffer, at the same time it seems
to me that there is a strong correlation.

~~~
ValentineC
I suspect it might be because most Keybase users don't receive data on the
Keybase app on the same scale as how they might on Slack etc.

~~~
nske
I was using Signal before Keybase for exactly the same volume of chats and the
difference in performance (search, input lag, displaying lag) was huge.

Once Skype was rewritten as an Electron app, I noticed the same performance
issues. MS Teams at work, same.

This on very decent computers.

I really feel there has to be something that Keybase does differently on the
front-end.

------
AnonC
This is sad. To me Keybase always seemed like it had a big mindshare among
techies (more so before the cryptocurrency venture), but never had a good
enough market share for its offerings (like chat, for example). As others here
have said, Keybase could’ve launched some paid services.

With the shitshow that Zoom has turned out to be (there’s a long article on
tidbits.com about the various issues), I don’t have any confidence that any
part of Keybase as it exists now will survive. My belief is that it’ll shut
down its services sometime this year or the next. I used it very rarely to
verify certain identities, but am going to just delete my account and be done
now.

------
freewizard
Guess I shouldn’t be surprised. After all, Microsoft acquired GitHub, IBM
acquired RedHat.

~~~
searchableguy
Many weird acquisitions past few years but all make sense from a monopolistic
angle.

Startpage by an ad company.

PIA by an anti privacy malware company.

Keybase being a slack competitor merging with zoom makes much more sense in
retrospect. Zoom is insecure while keybase is seen as secure.

Companies are purchasing competitors or revenue stealers.

------
choppaface
If you’re a Californian be sure to send your CCPA notice to privacy@keybase.io

------
bergstromm466
Poor Zoom, first they were scapegoated due to the whole industry’s overuse, or
faulty use, of the term ‘end-to-end encryption’ (especially if we believe
Snowden’s claims in his latest book that portrays corporate cloud computing as
a way for American corporations to create and sustain NSA backdoors). Now the
team is probably pretty motivated to kick ass and show the world what they’re
made of, considering they have Microsoft Teams, Skype, Google Meet and other
big co’s as competitors (or maybe it’s the opposite, and Zoom is the bigger
NSA Trojan horse here).

------
dcchambers
If the main reason for this acquisition is for the Keybase engineering talent, I
hope Zoom/Keybase does the right thing and open-sources the server code for
Keybase, rather than letting the product die.

------
pianoben
Another "incredible journey" comes to a close.

What a solid and useful product Keybase was! I'm ashamed that I didn't see
this coming. Now I have to find a replacement that isn't compromised.

------
nathcd
Mergers and acquisitions make me so sad :/ I need to stop letting myself get
excited about VC funded companies, because it always ends in disappointment. I
really should know better by now!

------
erydo
Congrats to the team. Though in the inevitable acquisition, I wish
GitHub/Microsoft had been the acquirer: there are a lot of natural fits
between that ecosystem and Keybase's model, and a reasonable history of
successful acquisition.

Hopefully Zoom avoids gutting Keybase. I found it really useful for
bootstrapping credentials when onboarding remote team members and contractors.
Way easier to manage than GPG: it was fairly painless even for non-technical
people.

Fingers crossed. I wonder what the infrastructure overhead cost is?

------
crazygringo
Everyone here saying Keybase is dead... why hasn't anyone mentioned that
Keybase is open-source? New BSD (3 Clause) License. [1]

So regardless of what happens to it with Zoom, the community can fork it and
continue developing it, no?

So if people don't want it to be dead... it's not dead. That seems like great
news, right? (And great foresight?)

[1]
[https://keybase.io/docs/the_app/source_code](https://keybase.io/docs/the_app/source_code)

~~~
coldpie
I know we all like to pretend it's all passion projects, but the reality is
that with very few exceptions, developing large-scale, end-user-ready software
costs money, regardless of the license. If devs aren't getting paid, they're
not going to work on it. Keybase is dead.

------
chrisma0
This is the company with the "we recognize that there is a discrepancy between
the commonly accepted definition of end-to-end encryption and how we were
using it" statement... [https://blog.zoom.us/wordpress/2020/04/01/facts-
around-zoom-...](https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-
encryption-for-meetings-webinars/)

------
dang
We changed the URL from [https://blog.zoom.us/wordpress/2020/05/07/zoom-
acquires-keyb...](https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-
keybase-and-announces-goal-of-developing-the-most-broadly-used-enterprise-end-
to-end-encryption-offering/) to the Keybase equivalent since more people were
commenting on that one anyway.

------
floren
I've found kbfs a very convenient way to share files with collaborators.
Anyone know of a self-hosted encrypted remote filesystem that might replace
it?

~~~
ajb
This. In fact I've found it pretty useful just for personal files.

There's Tahoe-lafs, which has been around for years but, although secure, was
originally pretty notorious for being hard to use. Maybe it's improved
since...

------
nemoniac
The Keybase client is open source. How hard would it be to build an open
source server or federated servers to work with the client? Genuine question.

------
noodlesUK
This is so saddening. I use Keybase for a lot of my personal chat, as I find
the signal multi-device workflow to be a bit crap. Keybase has been flawless.
I love the kbfs and git integration, and I’ve desperately wanted to pay for
ages. In fact the company I just started uses them for our git hosting and
shared files. I’m gonna have to move now.

Please please please can someone fork and RE the backend code?

------
ianopolous
If anyone's looking for a fully open source, decentralized encrypted
filesystem similar to keybase fs, then checkout Peergos[1][2]. It's built on
top of IPFS.

[1] [https://book.peergos.org](https://book.peergos.org)

[2] [https://github.com/peergos/peergos](https://github.com/peergos/peergos)

[disclaimer: Peergos founder]

------
richardknop
Strange combination.

~~~
jrockway
Why? Keybase's product is team chat. Zoom wants to kill Slack. Seems perfect.

(Keybase's crypto stuff is nifty, but we all know there is no money in that.
They tried to make money by integrating cryptocurrency, and people did NOT
seem to like that. So here we are.)

~~~
lord-squirrel
Never thought of Keybase as a team chat product. Maybe that's just because I'm
one of the older users :)

------
preinheimer
Congrats to the keybase team! They seemed to grow in fits and starts,
hopefully this sort of thing helps push encryption to even more places.

------
jononomo
I think this is fantastic news. I expect adoption of both Zoom and Keybase to
increase as a result of this partnership. I love both these platforms and this
feels to me like a really perfect match. I'm so glad that people aren't going
to be forced to use Google and Microsoft for everything -- it is good for
monopolies to be challenged with innovative tech.

------
p0llard
Oh wow, I had a guest lecture from Max Krohn yesterday in which I asked about
how Keybase was being funded; no mention of this at all!

~~~
lexicality
Possibly because of the confidentiality agreements everyone signs at the start
of an acquisition?

~~~
p0llard
I'm sure, I just found it amusing that it comes so soon after I directly asked
about it!

~~~
otachack
To be fair, that seems a common question to ask Keybase prior to the
acquisition :P

------
anotherevan
This reminds me of when Lastpass was bought by Logmein. It went downhill very
fast after that. I hope history does not repeat itself.

------
austinjp
So, unless I've missed it in the comments here, what are the alternatives?
Where are people putting their keys?

~~~
austinjp
Thread here:
[https://news.ycombinator.com/item?id=23103386](https://news.ycombinator.com/item?id=23103386)

------
gumby
Many are bemoaning what zoom will do with Keybase, but the code is BSD
licensed so nothing’s stopping anyone from forking the repos now and building
a parallel distro.

Realistically this is probably the best outcome for the Keybase team as they
presumably have jobs for the foreseeable future.

~~~
zanderz
The server was never open source and that will be a pretty big obstacle to the
product living on beyond the company. That and maybe the Amazon S3 bill.

------
up2isomorphism
Unregulated capital dominance is currently at the historical peak in the US. And
funny thing is people can not do anything about it. Considering the time where
AT&T (which is much more benevolent in today's term) can be broken up, today
is just money game and money game.

------
rasengan0
The shareholders will be pleased, enterprise and beyond:
[https://www.marketscreener.com/ZOOM-VIDEO-
COMMUNICATIONS-570...](https://www.marketscreener.com/ZOOM-VIDEO-
COMMUNICATIONS-57086220/company/)

------
ccktlmazeltov
This is actually a really interesting acquisition, keybase wasn't going
anywhere yet was producing some really good stuff. On the other hand zoom is a
bunch of security and cryptography amateurs, I can't wait to see what's going
to happen. Good luck!

------
627467
I can't help but feel shocked by this development. I guess it's my fault given
that keybase was always potentially a target for acquisition.

PR-wise it does not seem to bode well for those who relied on it for both
file, chat and social graph storage...

------
js4
Why do I feel that this is Keybase selling out?

Zoom seems so off mission for them. Very disappointing.

------
siruncledrew
Somewhat predictable move. Buying a security company (on the cheap with
Keybase) is an easy way to advertise “See, security now!”. It’s a fast-track
solution to slap some duct tape on the problem and at least say they fixed it.

~~~
damanamathos
They bought Keybase to bring on a strong security team as they try to build
end-to-end encryption into 1,000 person meetings which is currently not
possible with any solution.[1]

They'll either deliver that or they won't.

[1]
[https://twitter.com/alexstamos/status/1258405729720918016](https://twitter.com/alexstamos/status/1258405729720918016)

------
justusthane
In case it's helpful to anyone, to uninstall on MacOS:

    # keybase uninstall

And then delete the app from Applications (recommend using AppCleaner to
delete the app, as it leaves behind almost a GB of stuff).

------
2throwaway44332
Keybase has been pretty okay with free-speech groups like:
[https://keybase.io/team/det_disp](https://keybase.io/team/det_disp)

I wonder if Zoom will change that or not...

------
urda
Well that's it for Keybase. I can't continue to recommend them. I was able to
look past the cryptocoin distribution to be honest, but teaming up with Zoom
seems like the kiss of death for any security focus.

------
ammmir
Keybase was almost the perfect Slack-killer for security-minded teams, except
it had a few wiggles, including their sluggish client. I believe there is an
opportunity for someone to capture the users who are about to be abandoned by
this transaction, if they implement a subset of the Keybase client
functionality like team chat, shared files/git repos, but get rid of the
crypto wallet nonsense. I, and others, would gladly pay $10/mo for this.

Matrix isn't the answer. That's like saying just use SMTP for email.

The slackification of Keybase did not lead to a viable business model,
unfortunately. In fact, it's such a no brainer, I can't wait for someone to
build Keybase 2.0. It might not be a VC enterprise, but could be a great
lifestyle business for a small team.

------
noodlesUK
So, reading this, it’s clearly an acquihire, and they don’t care about the
Keybase product. Please open source the server. We want our communities to
still be able to run, and self hosting would be fine.

------
reneberlin
Meh. They did it. Surprise. Think about what kind of intelligence is working
in the inner of z00m. You should be afraid of them, the same as you are of
whatsapp, telegram and your knik-knok to come.

------
jchw
Why? This doesn’t even make _sense_.

Now I don’t even know if I can trust Keybase, and am trying to figure out if I
should delete my account. Does anyone have any persuasive arguments
for/against?

------
smolder
This is hilarious to me, because I finally decided to make a keybase account
and start making use of their service _two_ days ago, and today it appears to
be a dead product.

------
reneberlin
Looking forward to see what happens to those boys standing up to make life
easier for encryption and identity. From that point of view, the project is
canceled immediately.

------
alwillis
I woke up this morning and read this and literally thought it was a belated
April fool’s joke or something.

Best case scenario: the Keybase app gets spun out and gets an appropriate
home.

------
koirapoika
Zoom?! What a twist! Congrats to the Keybase team! Although it's time to drop
the account and move further, I'll keep it for a while in case of another
twist.

------
kerouanton
Glad I _deleted_ my keybase account several weeks ago...

------
walkingolof
Mixed feelings, Keybase could become a "modern" Skype, but it may be that zoom
is not that interested in the chat/teams/fs parts of Keybase...

------
the_resistence
How will the need for private matters to stay private be dealt with as
mainland China requires use of a version that provides surveillance of all
calls?

------
rising-sky
I was starting to look at the space of public trustworthy identities, are
there any viable alternatives out there that are vouched for in the community?

------
reneberlin
To all the utopists at the bar right now: do not give up!

------
lanevorockz
Would it be great to link social media accounts to your professional
behaviour in Zoom? So we can make sure all your actions are company compliant?

------
reneberlin
Revoke all your keys. Give back any money you made of it. Relax. Enjoy your
fucking life a little better as it should have been without keybase, bro.

------
mfer
What are the best alternatives to Keybase?

I'm curious about the encrypted filesystem, secure messaging that works on
computers (non-phone), and public key trust.

------
eximius
Does anyone know if Keybase's data retention policy actually deletes the data
if I delete my account?

I don't want to delete it if it is just a soft delete.

------
sm4rk0
I trusted Keybase. They sold me. I deleted my account. For the same reason I
deleted my account when LinkedIn sold my data and trust to Microsoft.

------
badrabbit
I hate to be right but years ago people kept asking me to use keybase and I
refused. Kinda defeated the whole "web of trust" mantra.

------
bad_user
I like Keybase's encrypted Git repos.

I hope it doesn't die.

------
arto
Seems a rather poor cultural fit, to say the least.

------
chicombase_io
Let's be based. This shit is CCPromised. Please dang finest let's this skit
stand. Never trusted keybase in the first place

------
clortho
Optically, this is suspect. But, I don't blame Keybase. This is an opportunity
for them. I hope Zoom doesn't mess it up.

------
reneberlin
Maybe they think, you understood the product so natively. You can reproduce it
with a new domain: keybeasehasjustended.in?

------
crad
Well that sucks. I'm glad they got an exit. I won't be using them moving
forward due to trust issues with Zoom.

------
peternicky
Very unfortunate news given that I have zero trust in zoom. To be honest, I've
never found a unique use for keybase in the past years that my account was
active and was always disappointed with the quality of their desktop and
iphone applications.

Later today or tomorrow when I have free time, I will be deleting my keybase
account.

------
quipquopro
This unwise business transaction is forgivable, but the product placement for
the woodworking neighbor is inexcusable.

------
stickac
I am glad we have [https://keys.pub/](https://keys.pub/) :-)

------
technick
This is why we can't have nice things! Be sure to transfer any crypto out of
keybase now before it's too late.

------
upofadown
> We believe this will provide equivalent or better security than existing
> consumer end-to-end encrypted messaging platforms...

So it will be harder for us to get at your stuff than it is presently, but we
will still be able to if we bother to do the work.

> We are also investigating mechanisms that would allow enterprise users to
> provide additional levels of authentication.

So they will offer completely secure communications if you are at the paid
level.

------
juskrey
Looks like a bad PR stunt. One does not need to acquire another firm to
implement direct secure video channel.

------
adadahdjej
I am truly disappointed. But I should have known better. Big woop. Keybase and
Zoom deserve each other.

------
mike-cardwell
Eurgh. Time to transfer out my XLM and find some other way to handle my
private git repos.

------
freen
And I’m done with Keybase.

What’s that open source alternative that someone recently posted here?

~~~
nathcd
keys.pub:

[https://news.ycombinator.com/item?id=22995792](https://news.ycombinator.com/item?id=22995792)

[https://keys.pub/](https://keys.pub/)

~~~
abdullahkhalids
> This project is in development and has not been audited.

~~~
gnufx
Isn't it reassuring, at least, to see that said? Also presumably an
opportunity for the right people to help?

------
whateveracct
This is kind of comical - I guess when leadership-types want to recover from
the recent bad press, they decided they could buy a security-oriented company
and that'll "help make Zoom more secure." I guess what more can you do when
you can't implement this stuff lmao

------
tfranco
They spelled acquihire wrong.

------
m0zg
"All your base are belong to us", Zoom CEO was quoted as saying.

------
sealthedeal
I was one of the early Keybase adopters/users, this is kind of a sad and happy
day all at once. I am happy for the founders and team as this is a great exit,
but am sad because I think Keybase, one of my favorite products, is going to
go to the wayside :(

------
pkilgore
You can put lipstick on an acqui-hire, and it's still an acquihire.

------
HashThis
Please open source keybase

------
benecollyridam
I thought this was satire

------
blunte
What the fuck? Now I have to look for another secure chat system.

------
drcongo
This is horrible news.

------
ForHackernews
> Zoom Acquires Keybase and Announces Goal of Developing the Most Broadly Used
> Enterprise End-to-End Encryption Offering

So is this real end-to-end encryption, or Zoom-brand "end"-to-our-server-
to-"end" encryption?

------
HumblyTossed
Now if they'll just push that server code to github...

------
DyslexicAtheist
time to ditch keybase

------
reneberlin
Saturation. The zoom folks had too much publicity.

------
fareesh
Promising product but I will not use it anymore

------
BERTHart
And I just started to use Keybase 3 days ago...

------
JensRantil
Seriously, is this an April Fools' joke?

------
CodeSheikh
Is Zoom trying to disrupt Whatsapp space?

------
freakynit
Is there a viable alternative to keybase?

------
albybisy
And what about the partnership Keybase had with Stellar? What is the destiny of
all the lumens XLM they had...??

------
sealthedeal
NOOOOOOO!!! I am going to miss Keybase

------
mikaelf
zoombombing just got another meaning

------
metreo
Keybase is dead long live Keybase2!

------
ezoe
"Our existing codebase sucks. So let's buy some cool companies in the wild and
let them help fixing our codebase"

Yup, it sounds like the perfect plan to me.

What likely happens is this. The current codebase is too ugly to improve. But
since they have a lot of users, it has value. So, the engineers from Keybase
started from scratch, try to implement all of the functions in the existing
codebase, plus secure. The plan is, after it has been developed, replace the
existing codebase. But unfortunately, they miss the planned deadline by years
and when it's finally working, they couldn't implement all of the existing
codebase because nobody knows how to implement it. No documents and original
implementers left the company long ago. But they spent so much effort on
the new project and all the new features are implemented just on the new one.
Resulting in the chimera of old and new code base both running at the same time.
Oh and by that time, the user is rapidly decreasing for they failed to improve
the service for years while the competitors offer the better service now.

The same story repeated countless times.

~~~
president
You forgot:

- Acquihired employees end up having zero passion or motivation to work on
tech from their new masters and end up doing a crappy job and implementation
before their retention period ends and they bail out.

- Mish-mash of additional crap code increases tech debt to a point that
alienates top engineers causing them to leave for greener pastures. The
second-tier engineers end up taking up the reins hack band-aid further
destroying the codebase. Cycle of crap code and good engineers leaving
continues until the company is left with lowest-tier engineers who couldn't
get a job elsewhere or desperate H1-B visa holders who hold up the fort until
a competitor comes to eat their lunch with a better, more performant product.

------
nyxtom
Well that's disappointing

------
frag
I guess moving to Matrix?

------
reneberlin
keybase "joins" zoom get a better presser

------
oskenso
Fork incoming~

------
dwighttk
anybody want to buy some Lumens?

------
reneberlin
HOW MUCH?

------
KingOfCoders
Oh no.

------
kevinwang
Huh??

------
wjd2030
account deleted. bye bye.

------
mixturez
Wow. why?. Bye keybase

------
reneberlin
I do not know the paperwork around this, but my guess is the same as with:
WhatsApp-founders or some comparable. They begin hating what they did. Quit
as fast as the contract allows.

And stupidly try to restart the same shit in the same niche.

------
monadic2
This is really concerning given Zoom’s clear lack of security
expertise—there’s no good outcome here.

------
Xophmeister
No thanks... Cheerio, Keybase

------
cityzen
"We are excited to integrate Keybase’s team into the Zoom family to help us
build end-to-end encryption that can reach current Zoom scalability."

you mean... to help you sort out your false advertising.

I just pulled a random page from Dec 25 of 2019 from internet archive where
the site says this:

[https://d.pr/i/w3Ac0f](https://d.pr/i/w3Ac0f)

Meet securely End-to-end encryption for all meetings, role-based user
security, password protection, waiting rooms, and place attendee on hold.

[https://web.archive.org/web/20191225055029/https://zoom.us/m...](https://web.archive.org/web/20191225055029/https://zoom.us/meetings)

Fake it til you make it?

