
Unsolicited messages on Keybase - galaxyLogic
https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html
======
byproxy
I believe they're going to address this with an update?

[https://keybase.io/blog/dealing-with-spam](https://keybase.io/blog/dealing-with-spam)

~~~
geofft
It's fascinating that the two example spammers in that post have women
personas, whereas a huge chunk of the problem is men (generally _actual_ men,
not fake personas) trying to hit on women. It's not clear to me Keybase
believes that's actually a problem or, as the original article says, working
as designed.

~~~
buzzkillington
It's fascinating that you think the problem of being uncomfortable is worse
than the problem of cat phishing.

~~~
adamsea
Uncomfortable?

~~~
geofft
Don't feed the trolls.

------
souterrain
Keybase seems to be enjoying an identity crisis. On one hand, it’s a tool that
makes a lot of sense for team collaboration, particularly with its low-effort
encrypted git implementation. I even know a couple teams doing software
development for the US government using Keybase for collaboration.

On the other hand, the Stellar (cryptocurrency) wallet and the “feature”
referenced in this article are something... else. Granted, Keybase is $0/month
per user currently, so it’s no surprise it is the founders’ personal sandbox
for experimentation.

I thought Keybase were on the right track in the past with their feature
conservatism. Now, not so much.

~~~
prophesi
Feature conservatism has never been Keybase; their identity crisis has been
going on for quite some time. What first started as a simple messaging app
became a file-sharing service, then a Slack competitor, and now a
cryptocurrency wallet.

Adding a simple toggle to block unsolicited messages doesn't sound like too
much in that respect.

~~~
flurdy
To me, it first started out as a key sharing and identity verification
service.

That was quite useful to me.

Then they pivoted to a chat app. I had no need for yet another chat app.

Then lately this messy cryptocurrency integration which so far just seems
shady.

I am not sure Keybase provides to me any value anymore.

~~~
alwillis
>Then lately this messy cryptocurrency integration which so far just seems
shady.

Stellar is actually pretty legit and is backed by a real organization going
back to 2014:
[https://www.stellar.org/foundation](https://www.stellar.org/foundation)

As far as Keybase is concerned, I can't complain when a company sends me free
money every month—I'm up to about $60 USD now and there’s another airdrop next
week.

I think we're just at the beginning of the integration of messaging clients +
digital currency—you know if Facebook’s Libra gets off the ground, people will
be using Facebook Messenger to send it around.

------
Already__Taken
Don't all platforms with added messaging make this mistake at a certain size?
Well done to keybase I suppose. I'm sure I read about github having the same
exploit years ago, anyone could add you to a repository and it would just show
up on your profile.

I think it was Zed;

HN 2011:
[https://news.ycombinator.com/item?id=2601342](https://news.ycombinator.com/item?id=2601342)

working link:
[https://web.archive.org/web/20111202200335/http://sheddingbi...](https://web.archive.org/web/20111202200335/http://sheddingbikes.com/posts/1306816425.html)

------
jrockway
It is somewhat unfortunate to watch what's happening to Keybase. I read
/r/keybase over on Reddit and every single post is whining about how they
didn't get enough free bullshitcoins or how some people are exploiting the
system to get too many free bullshitcoins. It is the highest concentration of
whining I've ever seen on the Internet... and I read my own posts ;)

I think there are some fundamental conflicts that are going to be difficult to
resolve. Back in the old days of the Internet, everyone could message everyone
else. This was great, except for all the spam. Ultimately, by putting our
email in a central place, capturing the text of every email message, and
analyzing it, we got a world where you could use email and largely be free of
spam. But it did come at a great privacy cost; the same access that allows ML
to categorize your email allows anyone to read your email; server
administrators, hackers, law enforcement.

(This problem plagues every open network, not just email. You are not the only
one that gets 6 phone calls a day about how Microsoft needs to be updated or
the Internal Revenue Service will come get you, or something.)

This all blows up with end-to-end encryption. There is no centralized place
for messages to be classified, so no spam filtering can be done. It is the
wild wild west. The mistake I think Keybase made was not realizing that having
easy discovery AND private messaging was going to result in a lot of spam. You
can have easy discovery and then analyze every message to make sure it's not
abuse. Or you can have great privacy, and require everyone to exchange a
1024-bit secret key in person before they can talk to each other. Keybase has
a kind of middle-of-the-road approach that is the spammer's dream platform.
You can find all the information you need to message me right on my HN
profile, and I can't do anything to stop you.

They also made it worse by giving people free money. Now people are
conditioned to think that a message announcing they just got some free money
is legit. (The first I heard about the airdrop thing was when I had received
my first drop.)

You hate to see it, but I think that secure messaging and showing your
investors exponential growth are basically mutually exclusive. As long as
Keybase pays people to have their account open, they'll have users... but I
wonder what their plan is after that.

~~~
dr_win
Back in the old days of the Internet, there was no cryptocurrency. I strongly
believe (crypto)payments can be used as a pretty effective anti-spam measure
in the future.

~~~
alwillis
Agreed; the goal is to make it too costly to spam.

~~~
jlgaddis
I think this falls under the "e-postage" variant of the Final Ultimate
Solution to the Spam Problem (FUSSP).

[https://www.rhyolite.com/anti-spam/you-might-be.html](https://www.rhyolite.com/anti-spam/you-might-be.html)

------
ahnick
As a Keybase user for a number of years I'm very happy with the platform. I'm
probably part of the silent majority who use Keybase and have been genuinely
happy with it and don't speak up when others have complaints. I use it for
personal messaging and for my business and it has been great.

I think Keybase's position on this is on point. This is spam and needs to be
dealt with as such. It's no more an issue than with email. Anyone can send you
a virus or harassing message in your email, but where is the angry mob of
people beating down the doors of every email provider?

There is certainly a problem that needs to be addressed, but let's not blow
this up into something it is not. Keybase's spam controls will continue to
mature as it grows.

~~~
lucb1e
Is there any reason you chose Keybase over other solutions? From my
perspective, it's like Wire but without the video calling or end to end
encryption, or like WhatsApp but without the network effect, or like Slack but
without a number of features. I don't really understand Keybase's selling
point.

~~~
ahnick
There is no video calling, but I already have other solutions that I use for
that. Keybase is end-to-end encrypted as mentioned in the other comment, has
good multi-platform support, and is free. The fact that the user can revoke a
device if it is compromised is excellent. I also have intentions for using it
as a secure SSO ID across company applications using the
API ([https://keybase.io/docs/api/1.0/intro](https://keybase.io/docs/api/1.0/intro)).
(Basically replacing how some companies use Active Directory)

For me the secure identity and communication part of Keybase is a critical
base layer that no one else really gets right. I can have a new hire create a
Keybase account and use that to securely exchange documents (e.g. w-4
allocation, health insurance, etc.) two weeks before they are even part of the
company.

The only long-term downside to Keybase for me is it is a centralized cloud
service run by a single company and the application is not open source. What I
really want is a decentralized open source version of Keybase that's operated
as a global network that lots of companies/individuals run nodes for and you
pay for your use of the network. That way I'd be more certain that it will be
around in 10 years time.

~~~
lucb1e
Regarding "Keybase is end to end encrypted", it's sorta true but comes with an
asterisk. I answered the sibling comment who asks that question directly:
[https://news.ycombinator.com/item?id=21741466](https://news.ycombinator.com/item?id=21741466)

It's a relatively minor issue though (and one they could fix at any moment,
it's not a crypto flaw but a verification flaw), so it's probably fine to send
sensitive data over it. Definitely better than what most people use :)

------
jakelazaroff
Women have been complaining about this for ages. See for example:

[https://twitter.com/jennschiffer/status/1171615043387109376](https://twitter.com/jennschiffer/status/1171615043387109376)

[https://twitter.com/geekygirlsarah/status/116636030680693964...](https://twitter.com/geekygirlsarah/status/1166360306806939649)

[https://twitter.com/aredridel/status/1171824207069614081](https://twitter.com/aredridel/status/1171824207069614081)

~~~
geofft
I appreciated this later thread from the third person you linked:
[https://twitter.com/aredridel/status/1201348525499523072](https://twitter.com/aredridel/status/1201348525499523072)

Quoting in part:

> _The onslaught of sexual harassment on platforms like early Twitter (and
> later twitter for people of notability), @KeybaseIO, every naive social
> network is an attack on the right to exist in public. It is the inverse of a
> privacy problem._

> _But the conceiving of this as a privacy problem brings the wrong solutions.
> It means we are offered tools to remove ourselves from public view, to
> restrict our public personas, to retreat from public life. It means women
> are again confined to private sphere, denied civic life._

~~~
buzzkillington
> But the conceiving of this as a privacy problem brings the wrong solutions.
> It means we are offered tools to remove ourselves from public view, to
> restrict our public personas, to retreat from public life. It means women
> are again confined to private sphere, denied civic life.

Yes, welcome to real life.

Where I can't say I'm an atheist back home because I will get beheaded. Or say
what I think of capital accumulation in SF because I will never work again.

And if you take the coward's way out of "We should only protect people for what
they are and not what they do", being a woman in this day and age is a choice
on par with being blond or a socialist.

~~~
geofft
> _Where I can't say I'm an atheist back home because I will get beheaded. Or
> say what I think of capital accumulation in SF because I will never work
> again._

These are bad things, right? Like you want to live in a society where this
doesn't happen, I assume? Or are you saying this is all right and proper?

~~~
buzzkillington
I want to live in a society where I can live my life as I see fit in private
with as little performance art in public as possible.

The idea that your public persona should be anything like your private one is
so wrong it's laughable.

Right now SF is giving most of the Middle East a run for its money for the
number of things no one believes but pretends to so they aren't killed - or
worse become unemployable and homeless.

------
rgoulter
The client is here, right?
[https://github.com/keybase/client](https://github.com/keybase/client) I'd
prefer to see "discuss on a GitHub issue" or "open a pull request" to "send
+1s to these email addresses". (The author does discuss how annoying it is to
receive unsolicited messages, after all).

I'd think "contacting is as frictionless as email or phone calls" sounds
reasonable for messaging. (EDIT: although email avoids 'unsolicited messages'
with spam control, phones with "phone number is secret"; so perhaps not).
Another suggestion: maybe UI would help this; on FB Messenger I can't see
messages from strangers unless I go into the "messages from strangers" tab.
That seems like it'd solve annoyances from unsolicited messages.

~~~
geofft
Frictionless phone calls worked for decades until automation made
telemarketing possible, at which point we had laws that stemmed the tide for a
bit, and then further automation made _anonymous_ telemarketing / scamming
possible, and we're on the edge of a cultural shift to not picking up the
phone when you don't recognize the caller. The latest version of iOS already
has a checkbox to block all calls from people not in your address book (24/7,
this is a separate feature from "Do not disturb").

Frictionless email had this problem since the very early days. A huge amount
of algorithmic effort goes into identifying spam, and there are still large
numbers of false negatives _and_ false positives.

These were architectural mistakes, and it's not a credit to a new messaging
platform that it doesn't see this as a problem worth solving from day 1.

~~~
jlgaddis
> _The latest version of iOS already has a checkbox to block all calls from
> people not in your address book (24/7, this is a separate feature from "Do
> not disturb")._

Thank you! I have been wanting exactly this for a long time now -- my phone is
pretty much _always_ on DnD for this reason. I guess I'll finally upgrade to
13 now.

------
rocqua
I'm not sure this counts as a privacy problem. Freedom from harassment is
important, but it does not fall under privacy. I'd even say that it is more
important than privacy. Privacy is about what others can learn about you, not
what they can do to you.

~~~
rtkwe
Yeah... spam sucks and Keybase should probably shunt unfollowed messages into
a second screen or do something like Instagram where the first message comes
with a "do you want this person to be able to message you?" prompt where you
can easily block them, but there's no private information being leaked here.

------
octocode
I'm a bit confused, this blog post is written as if it's an exploit, but it
looks like it's the intended functionality? Am I missing something?

~~~
lucb1e
Indeed, it's intended functionality that you can talk to anyone and spammers
are apparently just discovering the platform, and Keybase is reacting to it
(see the recent blog post mentioned in other comments). The article is written
a bit confusingly.

------
pythux
I used to love Keybase and used it for a while, but somehow since the crypto
coin donations I started getting followed by random people and getting some
"spam". So nowadays I avoid it and stick to Signal. I really like the idea
behind it though and I hope they manage to solve these issues eventually!

~~~
hs86
The spam folder in my Fastmail account usually got only one or two spam mails
in a month but recently it went up to ~10 per day. The only change that
happened around the same time was that Keybase added some crypto play money to
my account, which is associated with that Fastmail account.

I know that correlation does not imply causation but this stellar addition
after the fact left a sour taste in my mouth. :(

~~~
rbritton
Do you use Fastmail’s aliases? Those are one way to pinpoint which service
revealed your email address if you’re diligent about creating them.

------
mfer
From the keybase update:

> As a bonus, their profile pic will get covered in Poo.

This is in reference to accounts that have been blocked.

If more people see this than the person who blocked it’ll be ripe for abuse.

This seems entirely unprofessional and a bit childish. Says something about
the culture at keybase.

~~~
byproxy
If you've read any of their blog posts you'll see that that's their general
vibe: irreverence

~~~
geofft
Is that supposed to make it better? "It's okay they don't take things
seriously, they make a practice of not treating things seriously, so you
should use their service?"

(And, like, I get it, I have a good knack for being a troll and annoying all
my friends, but at least I'm aware that _this isn't a good thing_ and if I
were running a business, I'd find someone else who could keep my instincts in
check!)

~~~
byproxy
I was responding to this:

>Says something about the culture at keybase.

That is, they've been saying something about their culture with every blog
post. I'm not making a judgement call on it.

~~~
geofft
Ah, that's fair!

------
AdmiralAsshat
> A solution like "you have to opt into being added to a team" is really ugly
> from a UX perspective and harms the service for honest people. We have
> thought tons of this.

Clearly, this person has never been involuntarily added to a chatty group MMS
conversation.

------
nemild
More in this post too:

[https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto](https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto)

> All of a sudden, I started receiving lots of random messages from people
> without profile pictures.

> These were people I didn’t know contacting me on a pretty frequent basis,
> and I had no way to opt-in to their messages. Pretty ironic for a platform
> built on privacy.

> I wasn’t the only one. After asking around, it seems that everyone I knew on
> Keybase was getting these. But of course, women with female names and
> profile pictures got a lot more than most men I knew. Other women online
> were experiencing it, too.

------
hughpeters
One of the companies I do contract work for uses Keybase to share credentials
between engineers. Like database credentials, AWS access keys, etc. Including
production credentials. I felt like it was a security risk when they started
sharing creds with me over Keybase but didn't know enough about Keybase at the
time to feel comfortable saying something, so I just followed their process.

Does anyone here use Keybase for this use case? Is it secure?

~~~
jedberg
I've used it for this use case. When I onboard new employees, I add them on
Keybase and have them add me, and then I send them their AWS keys via Keybase
chat.

I've also used it to exchange AWS keys and other credentials when consulting.

I chose keybase because it was the easiest chat to set up with end-to-end
encryption that works on the desktop, where I generally needed to be to
copy/paste the keys.

It's certainly not the most secure way to share keys, but it's fairly secure
and a decent trade off since I consider the credentials I'm sharing on there
to be medium value at most.

------
floatingatoll
The issue described in this post is the same issue that drove me to stop using
IRC and XMPP.

I’m all for open protocols and interop, but I’ve had an online stalker since
dialup (Winsock). Building a system where anyone can message anyone is the
same problem in each system.

Anti-spam is _not_ the solution. Harassment (and spear phishing) issues will
not be solved by anti-spam.

------
asdkhadsj
Glad to see this. Recently I was debating using Keybase for chat at home over
Telegram. For now I guess I'll need to use something else.

_edit_: oh never mind, looks like they started to address it:
[https://keybase.io/blog/dealing-with-spam](https://keybase.io/blog/dealing-with-spam)

~~~
iudqnolq
FYI, Telegram is insecure by default, run by unsavory characters, and possibly
compromised.

[https://news.ycombinator.com/item?id=15281788](https://news.ycombinator.com/item?id=15281788)

~~~
asdkhadsj
Indeed, that's why I wanted to migrate from it

~~~
iudqnolq
Have you tried Signal? Not as many features as Telegram, but they have very
good reasons for why the missing features are difficult to do and are working
hard at solving the crypto problems necessary.

A good discussion about this today:
[https://news.ycombinator.com/item?id=21744274](https://news.ycombinator.com/item?id=21744274)

------
xref
Discord has a similar problem where crypto scammers come on any public servers
and mass message all the users. There are no controls except to block them
after the fact one by one.

------
vips7L
Not related to the article, but that background is terrible and flickers
every time I scroll on Firefox.

~~~
lucb1e
No such issues on the latest stable Firefox on Linux here.

The background is one of those that looks like it might cause issues while
scrolling with a lot of monitors though, are you sure it's the site / some
software and not your hardware?

Edit: similar to these patterns: [http://www.lagom.nl/lcd-test/inversion.php#invpattern](http://www.lagom.nl/lcd-test/inversion.php#invpattern)

------
reffaelwallen
Hmm, I just had people contact me out of the blue. I wonder if someone is
taking advantage.

------
brunoqc
Is there a way to convert that useless crypto money they gave us into real
money?

~~~
ceejayoz
I got mine out via Coinbase.

(I had to use the pro offering, at
[https://pro.coinbase.com/](https://pro.coinbase.com/), as apparently Stellar
isn't available in the main app for US users yet, but it worked fine.)

~~~
alwillis
I have some Stellar on my regular Coinbase account, so I imagine I could use
it to get my Stellar out if I wanted to.

~~~
lozf
I think pro.coinbase still has lower fees than the regular interface.

