Hacker News new | past | comments | ask | show | jobs | submit login

Official response here - I work for Keybase.

This article isn't just misleading; it's entirely false, and the title is both highly damaging AND false. Someone below threw out the word "libel" here. I don't know about that, but it's incredibly frustrating to read this title on HN right now.

* THERE IS NO BACKDOOR HERE. Neither the especially scary kind suggested by the title (everyone assumes encryption breaking!), nor the coerced attestation kind suggested in the text.

* Put simply, KEYBASE HAS NOT BACKDOORED its apps and cannot coerce them into signing someone else's Stellar address into a profile.

Further, THIS USER VOLUNTARILY GENERATED A STELLAR PRIVATE KEY. What follows is the flow for generating a Stellar wallet and attaching it to one's profile. The author of this post went through this flow on Feb 4, 2019:

1. Visited the "wallet" tab in the app

2. read a brief description of Stellar in a modal.

3. Saw our disclaimer in a modal (not hidden - printed out front) about how scary cryptocurrency is, how it's permanently attached to your identity, and how it's important to backup your private key if you plan on leaving Keybase.

4. Only once they accepted that, then their client app (not our server) generated a Stellar private key. The app signed the public Stellar address into his sig chain. And the Stellar private key counter-signed, proving bidirectionally. The stellar key was then encrypted in a way so their devices could gossip them to each other.

So to be clear (1) this writer did in fact have that Stellar Key. And (2) we, Keybase, did not. And (3) they knew they were doing it. I encourage anyone curious to go try it out -- the flow has not changed.

I don't understand what their agenda is here. Offering some charity, perhaps they went through this flow late at night and forgot. (Looks like they generated their Stellar account well after midnight in Europe.) But the claims in the post are just false.

I accept some people don't like the opinionated cryptocurrency partnership Keybase has formed. We do like Stellar. However, that doesn't change our security story. Nor does it force users to set up Stellar keys, and something like half of our users have not. Actually - we spent a great effort building around the fact that many users wouldn't be interested in the cryptocurrency side of things.

For those who generate Stellar keys and then change their mind, not wanting them, we'll add the feature to delete all of them.

Anyway, this is just not true. All of it.

Reading the article, I took sympathy with the Keybase team. As a dev working at a relatively large software company, I commonly see the smallest issues causing users to knee-jerk and claim conspiracy to harm them. Of course, this headline is shocking, and many probably upvoted it without reading the article, or having any context into your software.

Is there any precedent to getting posts like this (blatant lies) removed from HN? I will report the post, but this article has the potential to be highly damaging to your business, even if it has zero truth to it.

The post appears to have been flagged and is no longer visible on the front page.

Honestly I don’t know if it’s better to hide it so it doesn’t do more damage, or to change the title so people who already saw it can see it’s false.

I actually can’t ever recall a story on HN that was so highly upvoted and damaging yet unsubstantiated. What a crappy situation.

This appears to be legit. I got the email about free Lumens, but I don't have a Stellar key signed by my private key. Granted, I haven't signed into my account from any of Keybase's mobile apps, but it seems unlikely that they would backdoor _only_ the mobile apps.

THERE IS NO BACKDOOR HERE. Neither the especially scary kind suggested by the title (everyone assumes encryption breaking!), nor the coerced attestation kind suggested in the text.

I agree with this. It is very sensational & I was expecting something totally different when I clicked on it then what I found.

I think a moderator should change this title.

This is done without any user interaction or consent, violating the fundamental principle of Keybase’s product until now: the user controls their keys.

I am confussed by this. Pre- stellar accounts have to opt in to a wallet... and after you get one you can easily find the private key in the settings.

Random user here, I can confirm, at least for the desktop app. I had to explicitly agree to create a wallet.

I checked a few friends' profiles. I knew one of them hadn't set up a wallet and hey, you know what? Their profile doesn't include a Stellar address.

The people complaining need to review a glossary before they start complaining. Maybe also becoming knowledgeable about the subject matter might help.

> Someone below threw out the word "libel" here.

Where? Your comment, and now this reply, are the only occurrences of that word on this page.

It's really irksome when someone tells me I consent to something that I don't. I'm the authority on whether or not my keys were used improperly—no one else.

You used my keys in a way in which I did not want. That's the beginning and the end of it.

I hope you got paid a lot for it.

Here are dozens of other users who made it all the way to GitHub and provided feedback in an effort to resolve the same issue:


How many others just gave up?

Those users appear to acknowledge that there was consent sort before the key was generated.

> I created a stellar wallet to explore the feature

Creating a wallet (generating a keypair offline) and signing+publishing an attestation using a non-wallet keybase key to publicly associate that wallet on your profile are two different things. Adding cryptocurrency support is fine; using my private keys without my consent to publish an implicit endorsement of that cryptocurrency is not, especially when it can't be removed. It's a dark pattern that enables paid advertising designed to look like an endorsement/user engagement.

Furthermore, there is a way to remove/revoke every other type of attestation/claim on a keybase profile - except for the permanent, paid ad for Stellar.

See: https://github.com/keybase/client/issues/20022#issuecomment-...

It sounds like that part is being fixed, though, which is good.

> So to be clear (1) this writer did in fact have that Stellar Key. And (2) we, Keybase, did not. And (3) they knew they were doing it. I encourage anyone curious to go try it out -- the flow has not changed.

1) I have never seen the private key you claim I "in fact have".

2) I have no way of verifying this information, but I will accept your words on their face.

3) I did not. Your own description of the UX flow says nothing of using the keybase (not Stellar) device key to sign an attestation/proof. That was the unwanted bit, the use of my keybase (again, not Stellar) key to publicly state that I wish to use Stellar.

I'll make a screencap video of the flow if necessary to illustrate how sketchy it is.

The Stellar private key is easy to find in the wallet settings on all of the clients.

Also, I made a test account from scratch to test out the UX flow. Here's what I found (Note, this is the Android version, not iOS).

1) I created a new username and entered the new account on mobile client.

2) I created a password so I could log into the web client.

3) Out of curiosity I went ahead and clicked the wallet tab in the burger menu.

4) I'm then presented with a brief (full screen) 'Welcome' message and have to click a button that says 'Open Your Wallet' to continue.

5) once that button is clicked you are presented with a more lengthy, full screen, disclaimer that takes a minute to read.

Here is what point #3 says 3. CRYPTOCURRENCY ISN'T REALLY ANONYMOUS. When you sign your first of "default" Stellar address into your signature chain on Keybase, you are announcing it publicly as a known address for you. Assume that all of your transactions from that account are public. You can have as many Stellar accounts as you like in Keybase, but whenever you make one your default, that one is then announced as your. Consider that data permanent.

6) I then clicked 'Not now' button. Instead of 'Yes, I agree' button.

7) I log into my web client to see how my new account looks, and in fact, there is no Stellar wallet or address.

Seems to me like you have to explicitly opt into creating a wallet, and the disclaimer is very clear about signing it into your signature chain and announcing it publicly.

So unless the iOS client does not have the same disclaimer and wording, which would surprise me, I'm still not understanding what the problem is. The developer also said they are working on the feature totally remove your default Stellar wallet, so I imagine in the near future you can delete it.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact