Hacker News new | past | comments | ask | show | jobs | submit login

Last time Keybase came up I made sure to post about how great using it is and that I am super-duper enthused about Keybase. I entreated 'malgorithms to let me give him money for Keybase. And I have recommended Keybase to a ton of people and a bunch of my clients, using it in a bunch of workflows. Now those people and those clients are going to have cryptocoin bullshit stuffed into a work tool?

Thanks, Chris. You're doing a great job of making me look like an asshole for believing in you guys.

I don't want your "monetization plays" and my clients don't either. Giving you guys money for Keybase is infinitely preferable to having cryptocoin crap, Stellar or otherwise, being jammed into a tool I use for work. (Or anything else, really, that I ever have to touch.) And I feel like a sap for being an enthusiastic user of Keybase and recommending it to people when this sort of garbage is coming down the pike.

I am really, really disappointed.

Harsh. Nothing about this post implies a monetization play. The whole point of Keybase is identity verification. How is it not a natural evolution for them to explore trusted cross-border, multicurrency transactions?

That's not to say you even have to use a payments feature if it's integrated into the primary Keybase application. You don't have to verify ownership of a domain or register a Bitcoin address, but both of them are options in Keybase right now.

Maybe it would be helpful to consider what it means to have a crypto wallet (because that's the likely endpoint here, otherwise why would they have to partner with Stellar?) on production servers. Consider explaining to a client that, no, it's totally fine, it doesn't do anything. I promise. Doable, I'll grant you. Consider explaining that to an auditor. No, nobody can ever compromise this, nobody could use this for shenanigans, it just doesn't do anything!

An auditor who did not bug his or her eyes out at that and ask some very hard questions would be doing a bad job as an auditor.

It is harsh--but, one, I thought they were legitimately better than this, and two, it's a problem. Keybase wants to be infrastructure, and people have different needs for infrastructure. That's an argument for different tools, not a multi-tool that makes its use in some situations problematic.

> Maybe it would be helpful to consider what it means to have a crypto wallet ... on production servers.

Why would anyone install the Keybase app on production servers?

Given that the protocol is open and the app code is available, I imagine there will be plenty of cli clients that just do not implement the currency stuff. Or at least I hope so, given that I share the above concern.

If this is really a huge deal for you, it sounds like you're just not the target audience. I'm a keybase user and I think this is really cool.

Yeah, main thing is that part can be easily taken out for those who do not want it. Should not be an issue at all imho.

If it were aboveboard, it would be opt-in, not opt-out, yeah?

Keybase started out with an identity system because it was the key foundational module to create their entire e2e encrypted software system.

After the user system, they created a network filesystem, which their git system is based upon, and I'm guessing it's also something their team chat system uses too. The entire groups system is also based on their user system.

It looked like they were building out a dependency tree bit by bit.

Easy there.

Don't you think your prejudice against cryptocurrency is clouding your judgement here?

Keybase is an identity tool and it makes every sense for it to make a wallet. Also, you provided no reasons that being involved in cryptocurrency will undermine keybase's security. Do you think?

The main problem is that dealing with money has all sorts of legal implications for businesses.

By adding cryptocurrency to a communication/identity client, a jurisdiction will probably classify your business as a money transmitter, financial institution, and/or stock broker. After reclassifying your business, they then fine you into the stone age for not registering and following all of the laws associated with that status. While technically, it might be no different than handling money via your bank, the law has not caught up with that yet in quite a few jurisdictions.

US Judge has ruled cryptocurrencies are commodities, not money.

Granted, that's just the US, but..

Google wasn't the first search engine. Facebook wasn't the first social media site.

Keybase is the first product/software of its kind (as far as what I've seen)

Maybe Keybase will be wildly successful. Maybe someone else will come along and build upon what they've started.

Either way, I'm excited to see its continued development, and if this partnership helps fund them and keep them developing the concept, then even better.

Why are you disappointed if Keybase includes a wallet or a way to send people Lumens? Can you not just not use it?

I recommended Keybase to people as a security tool. This isn't security. There is no reason for cryptocurrency bullshit to exist in tools I rely upon. There is no reason for cryptocurrency bullshit to exist things that I use in production capacities.

It is the pure addition of risk to my operations and my clients' operations and offers nothing to me except a ding to my reputation, because I now look like an asshole because a security tool I recommended and spoke highly of is now going to be flogging funbux.

I'm not so sure that your recommendation is the reason why you look like an asshole at the present moment..

I could maybe see your concern if Keybase were announcing an ICO for their own token, but that is not what this is.

This really is about Keybase bringing expertise with identity to the table and it makes a lot of sense for the two teams to work together. The currency side of things is still going to be handled by Stellar as far as I can tell.

I understand what they are doing.

Here's how normal people look at something like this. It's not "oh, but they're just facilitating," it's "why is there cryptocoin crap in this thing we use for work?". Then it's "Ed, why is this thing you recommended and spoke so highly about doing this? Are they cryptomining on our computers now?". Then, even after an explanation, they're probably still suspicious and probably right to still be suspicious because the cryptocurrency universe is, by normal and sane people, still viewed as a scammer's paradise. (To be clear: is this entirely justified? No, and I think there are decent people trying to make a go of it. But there's plenty of dirt going on and people should be suspicious until it's proven otherwise.)

I don't want this on my computers. But, more than that, I don't want my clients thinking that I am a party to shady business because of the tools I recommend that they use.

If you are so allergic to cryptocurrency, why didn't it bother you when Keybase started writing their root into the Bitcoin blockchain (https://keybase.io/docs/server_security/merkle_root_in_bitco...)?

There are obviously annoying ways in which keybase could support cryptocurrency, but you are making a lot of assumptions about what Keybase is going to do that are not based on the blog post. For example, wallets do not mine coins and Stellar does not support mining.

Why don't you wait to see what comes out and submit a feature request if you don't like it, instead of flipping out about some hypothetical feature you won't like.

Thou art too wise sir. I guess we all have to do is to first wait and see how the implementation is done.

There's nothing wrong with reverting a recommendation. Sounds like you have a great explanation for why you would revert your own recommendation, as well. Just like every other startup in the world, Keybase doesn't "owe" anything to you and might make business decisions that affect your own.

I'm sorry, maybe I misspoke--is there something in my post that suggests that they can't do it? I'm saying that them doing it sucks, and explaining why. And, yes, of course I can change my recommendation--what would make you think that I'm not aware of that?

Rofl, I definitely share some of the sentiments you have regarding crypto is a scammers paradise. That is pretty much due to ICO's imho. What you might want to do, if you do use this in production servers, and I am sure the keybase team will add the option not to use it, it is open source. So you can easily simply remove that, I know that creates a bit of work and will therefore make it harder. I am just saying if this is being used in something that you find as useful, than the extra effort is definitely worth it. There simply isn't a tool like Keybase out there anyway. They literally solved the WOT issues related to PGP, and now they are adding some extra features which can potentially lead to other use cases. There are always upsides and downsides to anything. Imho, the upsides here might be justified, given the unique position that keybase is in.

So FUD. You're complaining about FUD.

Otherwise known as "things that make ordinary consumers (ones without the time or desire to get deep knowledge about something) choose competing alternatives".

To put it bluntly, this seems like your own irrational biases against a technology than any real issue. Having a crypto wallet tied to an identity management service does make perfect sense because of the reasons detailed in the article.

Where is this risk you speak of? Can you articulate it in any way? "Flogging"? Not anymore than they're flogging Hacker News or Facebook or Reddit by having an ID verification hook into them (complete with corporate logos!)

Hell, they already let you add Bitcoin (that thing that's only ever supposedly used for scams and drugs if the cynics are to be believed) and ZCash addresses for verification.

If the people you recommended Keybase to weren't turned off by having those front and center, it's likely they won't be turned off by this either. Take a deep breath.

Keybase is also an identity tool, and I see value in having proof of identity when making crypto transactions.

That's great--but I don't care about what value you see when making cryptocurrency transactions. I care about the security and uptime of my services, which is why we started using Keybase in the first place.

If they wanted to build some whateverthing that leverages Keybase for identity? Sure, go nuts, I think it's silly but it's not my time. But injecting it "into their apps"? No. These are tools for production, for me, and were developed with certain explicit and implicit promises. I see cryptocoin junk being shoved into production tools as a break of those promises.

> That's great--but I don't care about what value you see when making cryptocurrency transactions.

So... don't use it? I probably don't use 99% of the functionality in the software installed on my computer.

It sounds like you just have an axe to grind with anything relating to cryptocurrency.

AFAIK Keybase's clients are all open source. If this is a real problem someone (maybe you?) will fork them and remove the "cryptocoin crap".

I don't understand why you're upset (genuinely, I don't understand) about them adding new features. Are existing features reduced or worsened in some way I don't understand?

Let's say you recommended Slack and your company started using it. Then Slack adds PornHub integration. Wouldn't you be upset? Would you say: "just don't use it"?

Uh...yes? Do you have any idea how many integrations Slack has?

So adding a distributed change/audit log - don't forget, that's all any blockchain really is - is the deal breaker and will cause you to fail audits or break production systems? How is it different from the GPG chain that is the Keybase changelog?

What is it about this change that makes you assume you're going to have to deal with cryptomining et al?

Nobody said they'll be injecting anything in their apps, where did you read that?

I know a bit about how Stellar works, and I can't imagine any kind of software they could "inject" in their apps besides perhaps a way to post a Stellar address into the current merkle-tree they host and a way to fetch that through an API. How is that worse than having a Bitcoin address optionally includable in the same way?

"All while integrating certain Stellar features directly into Keybase's apps."

The rest of their announcement, I legit don't care about. This is the deal-breaker here. You don't need a Big Announcement or to hire more people to add a Stellar address for verification. I know a bit about Stellar as well (granted, you probably know more) but this reads to me as a let's-be-a-wallet game.

And this is worse than having Bitcoin addresses: active functionality versus passive functionality. Difference of kind, yeah?

I think you are making a TON of assumptions here.

Because cryptocurrency has a very high potential for propagating failures or legal risks. It's like being given a free piece of asbestos with your sandwich.

It's also prone to reputational risks; basically everyone who hears about cryptocurrency almost immediately either loves it or hates it.

> It's like being given a free piece of asbestos with your sandwich.

It seems less like you're being given a free piece of asbestos and more like you're being given tongs for holding some asbestos if you choose. Allowing one technology to work with another is different than marrying two technologies in an inseparable way.

you're implying that your revised analogy is better? If I order a sandwich I don't expect or want any tongs. To get them is suspicious.

You didn't order the sandwich.

Someone made the sandwich and let you use it, being clear along the way optional toppings may be added later.

If 1Pass added an optional bitcoin-browser miner, would that make you feel better about its security? What if it partnered up with BonziBuddy and pinged you during the installer? Just simple choices, they don't affect the security profile at all.

There's an obvious difference between putting mining software or other malware into product, versus adding support for a major blockchain platform.

Well, unless you, like me, think that blockchain is malware.

Before integrating a cryptocurrency, the incentive for someone to try and hack my account is "gee, maybe they have interesting encrypted files."

I assume that the incentive already includes “the sorts of files people typically bother encrypting include wallets and private keys”, whether or not the file encryption service itself integrates cryptocurrency directly.

It would be kinda nice if keybase had a setting to turn off features. My mom doesn't care what git is, but she is a regular for chat and interested in keybasefs. Same with a wallet, if a user could hide it and forget about it there wouldn't be any reason for it to bother them.

I think the reverse: Keybase should be aiming for a minimal feature set and allow for extending it.

If people want to mess with cryptobullshit, that's on them, but the more code that's active and doing stuff, the wider the attack surface is. I don't want it and don't need it.

I read the GP, and some other comments, as equivalent to:

* Keybase's plans will create an unofficial security bounty that is paid (1) out of users' wallets (2) to actors who haven't agreed to responsible disclosure practices.

* My personal choice not to use this (presumably) upcoming feature will protect my financial assets from exposure to (1), but it won't protect my data and identity from exposure to (2).


I myself am happy with Keybase, and looking forward to using it with crypto. I don't think it's irrational for someone with a different set of concerns to raise this, though.

.. Bitcoin and Zcash have had integrations into Keybase for a long time.

Yeah, I am not going to use any product associated with anything cryptocurrency. Just smells bad.

For now. We will see what you say in 5 or 10 years.

Keybase protocol is public. Write your own client(or you know fork the public codebase), if you don't want to get jammed by "crypto junk".

Clumsily putting cryptocurrency features in their app will look bad, I agree. Hopefully it won't be "jammed in" and in-your-face: just another feature among many (besides, doesn't it make sense to manage your keys for things, including cryptocurrencies or any other application, on something called keybase?)

But I think for the average platform, taking money from cryptocurrency foundations is a lot better than taking VC money. This was seen recently with the Matrix funding by Status token. Cryptocurrency goals usually need the platform to be open: just having a big integration with your token or cryptocurrency system can be a massive boost to your ecosystem. On the other hand, VC goals eventually require the platform to be closed off to milk all their users with actual "monetization plays" like Slack has recently done.

Gosh, really unfair to Keybase. From the moment I became aware of Keybase I've been thinking about where and when would be the nexus with cryptocurrency and smart contracts. Keybase does a nice job of relieving pain for me and my business and until proven otherwise I give them the benefit of the doubt.

This is an interesting comment as I’m not sure what the goal was aside from wanting to vent to the internet.

For a moment, I put myself in the shoes of Keybase and thought “how would I respond if a user felt this way?”. I would probably reply with a respectful something like “I’m sorry you feel this way but here’s why we are doing this”, but behind all of that, I probably wouldn’t care that much. You just insulted my vision, so why would I want you as a user? You gave me money, but you clearly didn’t trust me enough with it. Is that my fault?

I don't see what the issue is of a development tool supporting blockchain development. Like it or not, this tech is here to stay, and blockchain devs need very similar tools.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact