Hacker News new | past | comments | ask | show | jobs | submit login
Zoom Acquires Keybase (keybase.io)
1879 points by vikram7 on May 7, 2020 | hide | past | favorite | 711 comments

For years people have been begging Keybase to allow them to pay them for the service and Chris Coyne always refused.

Now they've lost their independence and they're owned by a communication company that has [edit: the majority of] its dev team in China.

I use Keybase to talk to my friend in China since it's one of the few services they don't block.

This is a pretty disappointing outcome.

Losing their independence was from the beginning the most likely outcome of building something that's hard to monetize like Keybase on the VC funding model. FWIW, I doubt Keybase offering a paid plan would have raised revenue that's significant compared to their burn, so Chris was probably right to not spend resources figuring out a paid offering. For raising their next round, having $5K in revenue from a paid plan few people buy might well have been worse than having $0.

The VC funding model is terrible for most open source projects. With a few exceptions, you end up with an acquisition that ends or repurposes the project, or an Open Core project. And a VC-funded Open Core project will end up trying as hard as it can to have everyone need to buy the paid version, since that's clearly the way to optimize revenue and eventually the slippery slope will get you there. I don't blame folks for taking VC; it was easy to get, and there aren't a lot of alternative funding models that can pay the multiple fulltime staff that might be required to create what one wants to create.

I don't think VC funding as it currently exists is consistent with running an open source company according to my values, which is why we're not taking venture funding for Zulip. Obviously, being scrappy, applying for NSF grants, and spending my own money have very real downsides both personally and for our growth, especially when every competitor has VC funding, but it also means that I can ensure Zulip continues existing as a real open source project for the long run.

How much power do the VCs typically have?

Don't founders often have the ability to overrule and make their own decisions?

Chris is already financially independent from the OKCupid sale, he could have open sourced the server code and/or reduced the overall burn to pivot to paid accounts.

Though the weird Stellar wallet addition implied some vision/product issues anyway.

Of course it's easy and probably unfair for me to say these things as an outsider with limited information and no real stake, it's definitely possible I'm wrong about important details that would change my mind. It'd be interesting to hear from Chris, but the sale probably restricts public communication?

This reminds me a little about the OKC sale actually, they had a blog post about why charging for dating sites made them worse that they took down after selling to match (they used to do cool analysis and publish them as blog posts, most of the details ended up in the book a different cofounder published called Dataclysm). That's more understandable to me though since I think it was their first exit.

Reading about Zulip - didn't you get bought by Dropbox before being open source? Is your current situation a lucky outcome - or was it a condition of the sale?

[Edit] - To clarify since there are downvotes, my questions aren’t rhetorical - they’re genuinely asking.

The power depends on the board structure and the ownership. But even if a founder owns 51% of the company, and so in theory can do anything, they still have an obligation to do right by the minority shareholders. This is generally known as fiduciary duty, and is a complex area of law. Here's a short summary: https://www.nolo.com/legal-encyclopedia/fiduciary-responsibi...

In a case like this, a founder can't just give away the source code. They'd have to believe that doing so was in the best interests of the company. And unless they wanted to risk a lawsuit, they'd have to persuade the shareholders of that too.

>they still have an obligation to do right by the minority shareholders

Fiduciary duty is extremely rare to be the subject of a suit against a, let's say, CEO. It's a complex area of law because it isn't actually a law, nor specified anywhere, and not a requirement for corporate existence. So, it's a set of court decisions that future cases are built upon, but in general a house of cards in that it could be invalidated by a) legislation; and b) adverse rulings at any level of a suit.

It's a myth that the only purpose of executives is to maximize profit for the shareholders. It's a canard. PBCs are a counterfactual here, full stop.


[note the significant use of "goal" in describing traditional corporations]

C-level executives are appointed and removed by the board. The board is appointed and removed by the shareholders. Yes, technically, executives are not required to act in the shareholders interests by law. But they are often appointed with the specific instruction to act in the shareholders' best interests, and can be removed from office for not doing that.

From my experience being a CEO and reporting to a board, trying to act in anything other than the shareholder's best interests would be... problematic, shall we say. I would need to be very convincing that what I was doing was in the best long-term interests of the organisation. Or have a board who agreed with the "not maximising shareholder value" goal.

It's only technically a myth that the only purpose of executives is to maximise profit for shareholders. That's definitely the most common instruction from the board, often implicit rather than explicit, and not doing that will get you into trouble in most situations. That trouble may not be a law suit, more probably just being summarily dismissed.

I think you missed the context of the founder-CEO being a 51% shareholder.

I agree with you that maximizing profit as the sole metric is a myth, which is perhaps why I didn't mention it.

However, in practice if one has taken $10m from investors looking for a big payday, one can't just do any old thing. Doing something sufficiently contrary to the interests of minority shareholders could certainly result in a lawsuit. Could the shareholders win? Who knows! As you say, it's a murky area. But winning in that case isn't what matters. The lawsuit will tie the company up for years, forcing significant spending. And if they include the CEO in the lawsuit, it will mean personal expense and an enormous headache. So in practice, the Keybase execs couldn't just say, "Fuck it, we won't sell to Zoom, everything is open source now." Not without talking it through with the investors, anyhow.

>Doing something sufficiently contrary to the interests of minority shareholders could certainly result in a lawsuit.

I suppose, but does it? Ever? Not to be antagonistic but your entire paragraph is a hypothetical which is substituting for anything from the real world, which leads me to believe that it's either not a risk at all, or such a small risk as to be invisible and still effectively not a risk. I mean, I'm sure we would have heard some cautionary tales by now!

What sort of examples are you finding yourself unable to Google for? There are plenty of lawsuits out there for breaching the rights of minority shareholders. Mostly with public companies, but private companies too.

If you're specifically asking about VC-vs-founder lawsuits, I think we don't see many of those because everybody has strong incentives not to let it get to that stage. Founders really want to keep on good terms with VCs. VCs want to be seen as pro-founder. Their incentives are generally aligned right up until things start going south.

And once we get to the on-the-brink-of-failure stage, the VCs hold all the cards. Any continued investment requires the VCs to at least approve. If a founder ever might want to do something venture-backed again, they need to stay in their VC's good graces. If the investors don't have majority control, they at least have board seats and the ability to disrupt any deals or other actions the CEO might make against their interests, both internally and by threatening deal partners. The CEO also probably can't afford a lawsuit either with the company's funds or on their own.

So I don't think we see the cautionary tales because few who have been selected by investors and spent years dancing to their tune turn out contrary enough to set those relationships on fire when it doesn't really get them anything.

Can you clarify your statement about the PBCs? I can't figure out if you're saying they are a good thing, or just a theatrical performance.

I am curious because B-corps have been popularized in the recent years, but when I looked into what B-corps are, it seems to me those are just bogus certificates that aren't doing any good, except enriching the people who print certificates for these types of corporations.

I don't really know whether I am right or wrong here, but I weren't able to find anything that actually makes a B corp different than any other. Would love to hear your thoughts.

I think they're a good thing that disproves the conventional wisdom that corporations are "required" to act only in the profit interests of shareholders, that share price is the only measure of executive performance.

Going further, I believe this canard is promoted by greedy assholes as justification for their bullying of "nicer" people who might have a more holistic view of corporate behavior, something which bullies are psychologically incapable. These people would call PBCs theatrical, "hey bro, good for you!" on par with starting a nonprofit.

I don't know a lot about B-corps so I'm generally talking out of my ass, but it seems like a "hey we tried" get out of jail card if they decide to shed it, which they can always do. If they don't wind up shedding it, do they go for PBC? Overall, maybe it's good for setting expectations, but since there's no legal committment involved I don't see much more to think about it.

> How much power do the VCs typically have?

I think it's less about the power relationship, exactly, and more about the way VC-funded companies are setup to be run. As part of raising a round, you prepare a business plan that involves aggressively spending the money over a couple years. You're committed both internally and to your board to execute that plan, and it's cognitively difficult to do something different as there's social pressure to do so (and one of your VC's greatest sources of power over you is they're the reference for your next fundraising round).

The result is that your company has planned to run out of money with potentially a multi-million dollar annual burn rate in two years. If as those two years are approaching, the company and/or market situation don't support raising more capital and the company isn't close to profitable, the momentum of that burn rate applies a great deal of pressure for a sale, destructive layoff, or total change in goals to "anything that improves the bottom line".

Also, the search for a story to help raise your next round can have a big effect on companies -- my view is most of Dropbox's problems when I was there (2012-2014) resulted from the search for a totally new business bigger than Dropbox Business that could justify a bigger valuation than $10B starving more obvious investments (Carousel, the now-dead photo sharing app, at one point had ~10x the engineering resources of Dropbox Business).

> Reading about Zulip - didn't you get bought by Dropbox before being open source? Is your current situation a lucky outcome - or was it a condition of the sale?

It's an extremely lucky outcome. There's a combination of factor that made this possible:

* Dropbox leadership prioritized doing the right thing by their users, and so we were able to get permission from both leadership and legal. I'm sure my personal position as a leader at the company who had a personal relationship with the people who had approve it made a difference (Though Luke Faraone made a big difference by asking legal if we could and inviting me to the meeting!). But I think Dropbox deserves a lot of credit, because they spend significant time from expensive resources (legal, etc.) making this happen, and I don't know of many companies that would ever do that. * Our users were big fans, enough so that 10 of them flew to Dropbox HQ for a week to help us do the technical work required to do an open source release with all 10,000 commits of history intact and with a scripted installation process. This was essential to Zulip being usable after that release.

https://zulipchat.com/history/ has a bit more background on the early history (though it's a bit out of date).

Thank you - I really appreciate the detailed answer.

I think I have a better understanding of how the incentives to cooperate would be hard to overcome even if you technically have the power as a founder (and even if you’re already financially independent).

The personal experience was also interesting - thanks!

Well, that was an interesting anecdote.

But usually VC-funded companies have a board majority of said VC's, so they can overrule the founders anytime they want to.

Most commonly that's used to fire the founders and appoint a pet CEO (sorry, professional manager) who happened to go to school with one of the VC's.

So taking a story to them about "giving away our source code" would end up with the same result in most cases.

> Though the weird Stellar wallet addition implied some vision/product issues anyway.

Stellar integration was weird indeed, but it blended really nicely into the chat, and it would totally work for Keybase if there was an easier way to cash in / cash out. That said, any cryptocurrency would do the job, but if this particular one helps monetize the product, why not?

>How much power do the VCs typically have?

I wanna say we don't know. Has there ever been an instance of any company getting their tranche(s) and saying FU to the VC, and there being any repercussions? It's a two- or three-level hypothetical, but I think it's worth exploring to give you a complete answer.

You can downvote here?

You're getting some amusing downvotes now! You have to have a certain level of karma [0] (500? 750? I'm not sure...) in order to have this ability.

[0] https://news.ycombinator.com/user?id=mlatu

It is funny that Zoom was one of the companies that I flagged in my head as the worst (or rather, most dangerous) up-and-coming tech company and I considered Keybase one of the most promising up-and-coming tech companies.

Keybase solves a (to me) nontrivial problem: How to bring private keys into social media. Just a silly example: You don't use the same private-public key exchange in Whatsapp as you would use for your emails, or to sign your packages. It's a bit of the now infamous Dropbox situation: Most people can sign things with private keys and properly keep track of it, but they don't get around to doing it. It's only critical cases where the use is common (like signing packages). It took a long time even for HTTPS to become standard practise, though I guess the situation with your browser is a bit different.

> Zoom was one of the companies that I flagged in my head as the worst [...] Keybase one of the most promising

Hear hear. It really is an absurd world we live in, and I had a good chuckle about that - just before I deleted my Keybase account.

I too deleted my keybase account right after reading this article.

Can you elaborate on what concerns you so much that it warrants deleting your account right upon hearing the news?

I wrote Zoom off last year after the local webserver nonsense. Any company that can convince itself that is a good idea doesn't deserve my business. There's no path to redemption. Game over.

In the post Covid world I was forced to compromise a bit and I will join a Zoom call in a browser (when it works) or install the app on my phone if I have to. I trust iOS to not get totally owned by a rogue app more than anything else I have available. Although recently that's not an entirely safe bet either.

Keybase was not critical to my daily life so it will not hurt to get rid of it. It's about risk management. There are no upsides to Zoom and almost no upsides to Keybase (for me). With the growing list of downsides it's an easy choice to make.

It could be argued that acquiring a whole security-focused company is a signal they’re seriously reconsidering their approach to security and deserve a benefit of the doubt.

Sure, you could argue that. It would be a terrible argument though.

Why do I owe a commercial enterprise anything? They demonstrated repeatedly they cannot be trusted. In obvious and extreme fashion.

The fact that Keybase agreed to this tells me a lot more about Keybase than it does about Zoom.

They also lied about having end-to-end encryption. The awful security practices could be chalked up to incompetence but the fact that they lied has taken it too far, in my opinion. I too have deleted by Keybase account because of this.

Zoom is, or was, collecting a list of running applications on machines. Keybase requires that you run it on multiple devices for security. It would be reasonable to expect that Zoom would love to embed such data harvesting in the Keybase client.

Do you have a reference for this? Were they confirmed to be sending the info to the server? I would note that it wouldn't be uncommon for a program like zoom to have the relevant api calls in it to allow the user share a specific app with the conference call.

This article does not say if Zoom tracks the other running application in your PC. It just detects whether the Zoom application is in focus.

Yes, this was exactly how I mentally categorized these two companies as well.

My first reaction was: it can't be that keybase can it? Huh, well maybe I'd sell my principles for that much money too, oh well.

Maybe some keybase employee will end up being a whistleblower sometime soon though.

Well, they are pitching this as bringing secure stuff to the masses. So it's arguably not all that inconsistent with what Chris etc have been saying about Keybase.

Honestly if at this point Zoom hasn't lost all credibility in your eyes I don't know what to say.

Zoom already has end to end encryption according to some of their other press releases and public statements (we know they don't), so why on earth would you believe this one?

I guess that it's because I liked Chris and his team, and so I'm trying to be generous.

Have a try of Maskbook.com , ran by our team. I believed this actually solve this problem in a more elegant way.

I thought what I’d do was, I’d pretend I was one of those deaf-mutes.

I don't quite get the purpose though, why would I post something in public only for a group of people to be able to read it? Why not post it in a private chat then (encrypted, naturally)?

Sad. Very sad. It was such a great approach to associating GnuPG keys with social media. And their chat etc were also pretty cool. But Zoom is beyond the pale.

So what now? Maybe someone could clone the GitHub repos. And/or are GnuPG keyservers safe enough again?

For chat, Session looks most interesting. It's got the Signal messaging bits. Plus anonymity via the Loki onion network. And it's available for all platforms.

However, it's very new, and often buggy. And the Loki Foundation is Australian. So at some point they'll likely get pressured to backdoor stuff. And they probably won't be able to disclose that, unless someone leaks.

There's also Tox, where each user runs a Tor onion client. That's secure enough in Whonix. But the Whonix user base is miniscule, and I wouldn't trust an implementation in Windows. But then, maybe Session in Windows is too iffy as well.

Anyway, I'll be deleting my Keybase account, as soon as I've negotiated alternate comms with my contacts.

So, yeah. Zoom did bad stuff. But Keybase is designed so that all those things would obviously be detectable (Keybase client code is open source), and the ways in which the Server could mess with data are much restricted. If that spreads to Zoom, there's a chance it'd be a good service in a year or two.

PGP keyservers have a fundamental issue that demands a solution like CT logs or Keybase-style merkle trees.

The only way to prevent getting Loki backdoor issues would seem to be a development so clearly in-the-open, that any secretive addition of significant code/suspicious PR behavior is obvious.

Tor does not use Tor by default. It works with Tor, but that's it.

They are also kinda buying a social graph of mostly IT and security professionals, sprinkled with some journalists (and not the kind that usually does the "10 things" articles) and general tinfoil hats.

My tinfoil hat tells me this information could be somewhat valuable to their Chinese overlords...

Yes, it's Zoom's Chinese connections that rule them out, for me.

Fingers crossed they open source the server portion at least -> https://github.com/keybase/client/issues/24105


Very disappointed indeed. Keybase is one of the ones I actually used.

There was a competitor app that got posted here a couple weeks ago.


Which already did some things wrong even though Keybase is around for a few years.

Care to elaborate? Just curious...

https://news.ycombinator.com/item?id=22997245 and requiring gnome-keyring on Linux are issues for me.

Does it actually require GNOME Keyring or does it just use libsecret? Because libsecret is dope and has been nothing but a joy to work with.

I've seen some examples of GNOME keyring being required because it implements the freedesktop secrets standard (which I admit to knowing nothing of) where other secret managers do not. Presumably meaning there us no common interface, so we just pick the one that implements the spec. One example:


It's (dependency on gnome-keyring) been fixed in the latest release [1].

Assuming GNOME shell is Linux users' default desktop environment is very wrong.

However, providing desktop GUI app in AppImage format is great.

[1]: https://github.com/keys-pub/app/issues/6

Those looks like differences and matters of preference not anything "wrong" about it.

Well, there are reasons why Keybase changed from key-centric to identity-centric back in 2015: https://keybase.io/blog/keybase-new-key-model

> and Chris Coyne always refused

Well, now he has a thousandfold outcome compared to breadcrumbs that devs would throw at him. I.e. the system worked.

> I use Keybase to talk to my friend in China since it's one of the few services they don't block.

I think the vital question is why was keybase not blocked?

Maybe it was owned by someone high-up in China. That is why maybe Chris Coyne refused funding. It was free to just to onboard maximum number of users. Seems like "users" where the products that bought value to keybase.

Things are usually not blocked when they’re not that popular or well known.

In the Keybase case I think it was just obscure enough to avoid the censors.

You really have imagination.

Interesting. So the question is why doesn't China block it.

I am glad you mentioned China. Many people are too afraid to acknowledge the reality of that authoritarian country, for fear of reprisal from liberal do-gooders.

This acquisition is a shame.

I am curious: do they block Zoom?

Well yes but no. The block zoom.us but there is zoom.cn

This is likely related to both nations having rules that allow only their own agencies to wiretap.

> communication company that has its entire dev team in China

citation needed

Also, what are you trying to imply by this assertion?

"Zoom is based in California’s Silicon Valley, but it owns three companies in China that develop its software. The Citizen Lab said the structure allowed the company to lower its development costs, but added “this arrangement may make Zoom responsive to pressure from Chinese authorities.”"


The implication is that China is hostile and leverages their power to censor/collect communication information from companies and their people without checks on this power.

They are aggressive in stealing IP from other companies and blocking software they can't control. They have history of wielding their power to pressure organizations to deny or ignore aspects of their history that they dislike (Taiwan, Cultural Revolution) and they pressure companies to hand over PII on people they find to be political threats without due process.

This is not a country you want to be a steward of an encryption identity standard.

Isn't the US actually at least as bad if not worse? Thanks to Edward Snowden we know without speculation that the US "is hostile and leverages their power to censor/collect communication information from companies and their people without checks on this power" (ok, supposedly there is secret judges that secretly check on this power, but that doesn't really do any good does it?). The USA also "pressure companies to hand over PII on people they find to be political threats without due process" (so called "National Security Letters").

People don't get disappeared for actively disagreeing with the government.

That's true for US citizens. But not so much otherwise.

Edit: Someone disagrees? Consider Guantanamo Bay, third-party renditions, and drone strikes. If China did drone strikes, there'd be a huge outcry.

The just get disappeared into Belmarsh and extradited to who knows where for telling the truth about the US military murdering civilians including journalists from a helicopter gunship.

How about renditions (extra judicial disappearings), black sites and extra judicial drone strikes?

Usually, but they do get into unfortunate accidents from time to time.

Not until the second term.

Criticisms were/are made against NSA surveillances and in the case where government tried to silence such criticism (Snowden), opinions that support Snowden's actions were made and published, even made into books and movies, without repercussion. Bloggers that support Edward Snowden did not disappear. Movie directors and screenwriters are not made pariah by their industry or sent to Guantanamo.

This sort of whataboutism does not surprise me but it's getting tiring when made repeatedly in disguise of intelligent discourse. It's dishonest because the difference is blatant.

Short answer? No. Not even close.

Source: have lived in both countries

Have lived in both, I can say they are equal. Just different culture norms you have to learn to navigate around.

The difference is that in the US we actually get to find out about these abuses.

I think at least the public can voice their opinion to certain degree in the US. In China...yeah, good luck with that.

I think that while both countries have the technology to facilitate censorship and oppression, the US is much more careful about how they do it. China isn't afraid to use their control over information to assist the oppression of Uighurs in 're-education' camps for example.

I don't think it's true that Zoom has its "entire dev team in China"; doing some research myself reveals Zoom definitely has engineering operations in the US[0][1].

I'm not disagreeing with you on the implications of having engineering teams in China, I think you would like to put that paragraph in your original post to give some context.

[0] Tech job postings in US: https://zoom.wd5.myworkdayjobs.com/Zoom/0/refreshFacet/318c8...

[1] H1b filing on engineering positions: https://h1bdata.info/index.php?em=Zoom+Video+Communications+...

edit: better formatting and grammar

Thanks - I edited it to soften the language a bit.

Is it called "soften the language" to fix a 100% factual error?

Honestly I feel that if you're arguing in one direction or another and haven't checked the facts, maybe it's better not to argue about it?

The vast majority of the Zoom software development team is based out of companies in China.

They do have support people in the US and a handful of non-support engineering which is why I said thanks and immediately updated the comment to say "majority" instead of "entire" since it's more correct.

That technicality is less relevant to the main point of the argument.

They do have a large R&D presence in China.

As of January 2020, they had 2,532 full-time employees. Of those, 1,396 were in the US and 1,136 were in international locations. Within the 1,136 is "more than 700" employees in R&D in China.[1]

A LinkedIn search for "engineer" working for "Zoom Video Communications" in location "United States" shows up 558 results.[2]

Their entire management team is in the US, and of their 17 data centres, only 1 is in China.[3][4]

[1] https://www.sec.gov/ix?doc=/Archives/edgar/data/1585521/0001... [2] https://www.linkedin.com/search/results/people/?facetCurrent... [3] https://zoom.us/team [4] https://blog.zoom.us/wordpress/2020/05/04/navigating-a-new-c...

My point was that you should check your facts before making an argument. Not exactly a crazy idea, right?

Your “point” was to be an asshole, and congratulations you’ve now succeeded twice.

I think you're just being overly sensitive to criticism. Not admitting that you're bullshitting is very weak. Maybe the two goes hand in hand.

If the original claim was "100% of the dev team is in China", and the reality is "only 80% of the dev team is in China", then that'd be a 20% factual error, mathematically speaking.

Or would it be a 25% error, i think it would make most sense to calculate the error-difference in relation to the actual value instead of in relation to the erroneous value.

Good point.

Haha. Do you also calculate levenshtein distance from true to false and say false isn't entirely false but a bit of true? And is it almost factually correct to say that 10 equals 8?

> And is it almost factually correct to say that 10 equals 8?

I mean, from a certain point of view, why not? If you're thinking in terms of 1, they're wildly different. If you're thinking in terms of 1,000,000,000,000, they might as well both equal 0.


That’s not true since 199x

Another citation: https://investors.zoom.us/static-files/09a01665-5f33-4007-8e... (warning, PDF)

> We also operate research and development centers in China, employing more than 700 employees as of January 31, 2020.

You can find more stories from last year talking about that was how Zoom had such a large engineering staff, is that it was cheaper for them to pay for R&D in china than in the US[0].

[0] https://www.cnbc.com/2019/03/26/zoom-key-profit-driver-ahead...

The emphasis is on entirety, please see my other reply.

China is a country with even less oversight than the US.

For a company that does security that's concerning.

Not even that. All encrypted traffic in china needs to be decryptable by CCP. Which means if your call in zoom was routed to one of their China servers, then CCP has access to it.

That is on top of the fact that Zoom encryption is weak af.


It's not nativism or racism to have security concerns about a country with a non-existent commitment to an independent judiciary.

If China wants people to think of it as a country where laws matter, then they can start acting like laws matter.


(And before we get whataboutism concerning {insert other country's wiretapping laws}, wiretapping through an independent judiciary is fundamentally different than via rubber stamp)

"China" isn't a race, it's a multi-ethnic state with laws that heavily restrict communication. It's relevant to bring up in a thread about building encrypted communication technology.

Given the security concerns around Zoom, and the apparent lack of QC that might have prevented those concerns, this news is appalling. I love Keybase, it's used by many people, but I suspect it will now die a quick death. More accurately I suspect it will slide into a coma - not quite dead, but not in wide use anymore either.

why not look at the problem the other way around?

I don't have much respect for zoom's security practices, while I do have much respect for the keybase team.

Perhaps this is Zoom's way of admitting that there is no way they can just solve the problem internally by keeping doing what they're doing and they need to get some fresh blood and build upon good practices designed outside their current culture.

> why not look at the problem the other way around?

Because no one ever buys or hires a conscience. If you thought a conscience was worth having one, that implies you would already have one and thus wouldn't need to outsource it in the first place.

Ethics always rolls downhill. If Al Capone goes out and hires Mr. Rogers, the power imbalance between them means Mr. Rogers is going to get dirtier than Capone will get clean.

Why not look at their recent actions instead?

On April 1 the CEO basically said they messed up and would pause all feature development and focus exclusively on security & privacy for 90 days.[1] They've also done weekly video AMAs that are summarised on their blog under the 90-Day Security Plan posts.[2]

They've made a lot of progress.

The Keybase acquisition is absolutely about helping to build a security team that can help them implement end-to-end encryption across 1000 person meetings. You can see that from this Twitter post[3] from Alex Stamos and this interview[4] with him.

[1] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u... [2] https://blog.zoom.us/wordpress/category/announcements/ [3] https://twitter.com/alexstamos/status/1258405729720918016 [4] https://cheddar.com/media/zoom-acquires-keybase-beefs-up-sec...

Thanks for this!

Besides upvotes, HN should have a hall of fame for comments this good.

It reminds me of 1 Corinthians 15:33 quoting the Greek poet Menander:

  Do not be misled: “Bad company corrupts good character.”

Click the timestamp, you can favorite a comment from there. It will show up on your profile under favorites -> comments.


How does good character develop in the first place then..?

I always try to work with people smarter than me, more ethical than me, and more productive. When we associate with people we want to fit in with, we adapt to be more like them. We can adapt in bad ways, but we can also adapt in good ways.

Essentially, on some level we never stop the role-model based adaptation we did as children, when we modeled our behavior on what our parent(s) did.

Well put! But it depends on how you approach the issue.

If having a conscience means prioritizing security above all else, then Keybase is doomed.

But security isn’t the only thing that matters. Zoom seems to have focused on making a very user friendly product. Keybase focused on making security more user friendly. In many ways, the user focus of both apps is their Prime selling point.

Perhaps they weren’t buying a conscience, they were fixing a blind spot.

I actually love Zoom as a product - far and away the best product in its class and this move likely makes sense for Zoom.

The disappointment comes from the loss of Keybase and what it could have been.

The main problem is Zoom having most of its development done via companies based in China. This means it is no longer possible for Keybase to achieve its original goal (and whatever encryption they add cannot fix this core problem).

It's one thing to accept the risk for video conferencing, but it's another to accept for an encryption ID standard.

I agreed with Chris Coyne's comments on HN a while back when he argued that the closed source server code didn't matter because of how they handled the encryption (when compared to Signal). While that's still true from a technical security standpoint, it looks like it does matter in a larger sense because this kind of sale shows that you can't really trust a company to act in its user's interests long-term.

It seems that we live in an era where if you made bad decisions in the past, you can never be trusted to make good decisions ever again. Even if you own your bad decisions and show lots of improvement.

Nope. Once a pariah, always a pariah.

Zoom's decisions did not feel like mistakes so much as an expression of their values. The company repeatedly prioritised ease of use while doing the absolute minimum on the security front. Are there any grounds to believe that that calculus has changed?

No, but now they see that the minimum is not where they had thought. As someone who does security professionally, of course a business wants to do the minimum necessary for security. The point of security systems is to break things that would otherwise work.

TLS is there to break sessions that would work under TCP. GPG is there to tell you to discard some mail.

The fact that they hired Alex Stamos and probably just spent a bunch of money on buying Keybase seem like a sign that things are changing.

They prioritized ease of use above all to get adoption before. This is appalling to me, but I believe they are seeing enough pressure to change course. It’s believable to me that they would intend to as they have already captured much of the consumer (non-B2B) market mind share and can afford to invest in this area.

Will I be using it now? Still a no. Maybe I’m time though.

> The fact that they hired Alex Stamos and ...

Call my cynical, but "hiring" a bunch of infosec celebrities and critics as part-time consultants or contractors should be considered nothing but a (brilliant and silencing) PR move until the day that product updates and analyses reveal otherwise.

> until the day that product updates and analyses reveal otherwise.

The product (and their poor installer practice) has been updated several times in the past few months alone, and each move has made Zoom a more secure product, with the vast majority of the hubbub having been addressed. So are you simply ignoring that, or are you setting your own personal goalposts?

I'm doing neither. I'm pointing out a logical fallacy in the parent comment. Hiring people part-time and buying a company does not, on its own, convey anything about improvements to product quality, security, or the corporate culture of either. I can only infer from your comment that you might think I have some beef or issue with Zoom. I said no such thing.

Sure, but it's not "on its own", it's in the context of the investment in security mentioned by the parent comment.

At this point, I'm confused, and I'm not sure what point you or the other commenter are looking for me to concede. Zoom is paying some security consultants, pushed out some product updates, and bought Keybase, so it's a story book ending?

Just as your comment was aiming to narrowly point out a logical fallacy in the parent comment, I'm pointing out a flaw in your own: I disagree with your claim that investing in security practices is just theater, and that more concrete efforts in the same direction are irrelevant. The concrete efforts are Bayesian evidence that the newer investments are more than theater.

I didn't claim that. I believe in investing in security. I'm a security professional.

You said that those things are theater until the day the product updates. We are beyond the day when that happened. So for it to be a fallacy you have to reject the context in which it was presented, which nobody but you is doing.

It's a SaaS world, baby. Product updates (can) happen everyday. I'm not sure what that proved.

Good catch, that was a misphrasing in my comment. I meant to say _Zoom's_ investments in security, not security investments in general.

I am not looking for you to concede anything. You said nothing has been done to show you that the calculus of their priorities has changed and I listed some things that could possibly show that. It’s up to you if you believe that is significant enough to convince you.

Frankly, I don’t care if it does or not. I was just providing some visible signs of investment.

I didn't see you respond to my comment in this thread unless you post under two different accounts.

You're absolutely right that past decisions focused on ease-of-use over security.

For evidence that they've changed their focus you can see their April 1 blog post[1] and the weekly video AMAs they do that are summarised in their "90-Day Security Plan Progress Report" blog posts.[2]

They're making a lot of progress.

The Keybase acquisition is about building out a strong security team that will help them implement end-to-end encryption in 1,000 person meetings, which currently isn't possible anywhere.[3]

[1] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-u... [2] https://blog.zoom.us/wordpress/category/announcements/ [3] https://twitter.com/alexstamos/status/1258405729720918016

This is a good point.

But I do think that company values do change.

Zoom is getting the shining light of attention globally. Even human beings, in these situations, start to act more conscientiously, and then believe their own morality after the fact!

I believe the keybase acquisition demonstrates this a bit - because they will get zero public goodwill from this - nobody on Main St. knows are cares what Keybase is, this won't be on CNN so they are probably very much trying to make things better.

Owners of the company want money - now they are popular, they have to behave well to get that money. Wanting money usually transcends everything else including loyalty to state. A Chinese CEO with a popular Western product is going to realize that if his customers are way for CCP grabbing their data, it's a problem to his business. He doesn't want CCP snooping and one of the better ways to do that is to have better encryption as well.

Doing slightly suspicious things doesn't matter if nobody is watching and therefore nobody cares, now that people care ... it matters. Just as a matter of pragmatism.

The CEO of Zoom is a naturalized U.S. citizen. He is ethnically Chinese but by all means he is no longer legally a Chinese citizen.

Source: https://en.wikipedia.org/wiki/Eric_Yuan

> did not feel like mistakes so much as an expression of their values

That's an intepretation you're choosing to make.

Calling it an interpretation is nothing short of revisionism. Nobody considers the hidden web server to have been an oversight. It required forethought and effort. It's not as if they didn't know what they were doing.

Organizations are not people. It is very straightforward for an individual to change their ways from bad to good. We should have mutual empathy and forgiveness towards each other. Conversely, it is typically very difficult for organizations to change course (keep in mind the spokesperson has no real power and a strong incentive to lie) and there is zero reason to feel bad if people abandon them. The people who work there perhaps, but there should be no mourning for an entity that exists only as a legal construct.

It is possible for organizations to change course, but it usually requires a crisis or disaster to occur which pushes the drive for change.

The book "The Power of Habit" has some good examples of large organizations changing course.

I agree that there should be opportunity for individuals to learn from mistakes and improve. People can be stubborn and slow to change, but they should be given a chance. It seems reasonable that the same courtesy should be extended to organizations. However, organizations are an order of magnitude slower to change than individuals.

Ultimately, an organization's policies are a reflection of the policies of its leaders. The bigger the organization, the more leaders have to change before the organization itself can truly change. It's much more likely that those who change just move on to another organization instead.

Besides, the end-to-end encryption incident wasn't a "mistake". Zoom's response was to say that their definition of end-to-end was just different from everyone else's. They clearly knew exactly what they were doing.

Zoom can change, but given their size and past I want more than a corporate apology and pinky swear before I trust them. They are making plenty of money and aren't going anywhere. There's plenty of time for them to earn my trust. However, they haven't yet earned enough of my trust to make me comfortable with this acquisition.

Organizations don't change without throwing out a massive number of people. The people who made bad decisions at Zoom are still there.

Leopards can't change their spots.

Zoom is only a pariah on Hacker News.

I have heard from multiple friends that their employers banned Zoom after the negative press. And that's quite a few non-tech companies too.

microsoft too. people here still talk about "Embrace, extend, and extinguish" every time there's any good microsoft news.

It's far easier falling back on tired memes and muscle memory, than rewiring biases.

Muscle memory exists for a reason.

“Stove is hot, be careful before touching it.”

“Microsoft sexually discriminated in executive hires because ‘women will get pregnant and quit’, stifled completion in multiple categories, expected free overtime or you’d be stack-ranked out of a job. Be careful before trusting.”

About half of my employer's clients (in manufacturing) have banned use of zoom and block it at the firewall.

> It seems that we live in an era where if you made bad decisions in the past, you can never be trusted to make good decisions ever again. Even if you own your bad decisions and show lots of improvement.

I've seen this turn out for the best literally one time, and that was Microsoft.

All the other times the bad company just continues its horrible slide into madness. It doesn't die either, just silently keeps churning out billions of dollars of shareholder value.

You see Microsoft’s mediocre reliability making its way into GitHub. Has MSFT changed or are things breaking on the web just more accepted than your desktop?

Microsoft isn't turning out for the best, though.

They are just very good at putting a dusting of Open Source sugar on things.

However you call it, they’re producing value for me instead of (or in addition to) their shareholders.

The shit that we're complaining about happened like three weeks ago!

For businesses, the best predictor of future behavior is past behavior.

Tell that to Microsoft.

Really? Why is everyone using FB, google?

> It seems that we live in an era where

This phrasing is sophistry: there has never been an "era" where this was not true. Humans suck; humans have never not sucked.

I really hope that's the case, for Zoom's sake. Unfortunately, that means less than nothing to me; I don't use Zoom, whilst I do use Keybase.

I don't trust Zoom to be custodians of the Keybase company or software. This has been a real blow to my confidence in them and I'm not sure I'll continue to use Keybase :(

I agree. I'd bet all the cash in my wallet that this was Zoom doing a talent acquisition, to bring a team of crypto experts on board.

You are probably right but I wouldn't discount the keybase server/client IP and user base completely. If Zoom could use keybase for identity verification and adding participants to a call via social graph connections of everyone on the call that could radically improve the UX of onboarding and securing a meeting to only approved participants.

It's possible, though I think it's optimistic. Nobody really has a problem with Zoom's UX as it is now. The only people complaining about Zoom are us techies who know about the security issues. So my guess is they're just gonna quietly work on the security stuff in the background with this new team, and leave the UX largely as-is.

In general, when it's between fresh blood and old management, old management will win every time.

If Zoom is acquiring Keybase because the C-suite is pivoting culture around security, then it'll probably work. Otherwise, not much will change. So until I see more evidence that Zoom's upper management had a change of heart (creating a CISO council is a good start), I'm going to be skeptical that this will actually move the needle.

I'll take what you're drinking ;-)

Has an acquisition ever worked like that in practice? I’ve heard that github might qualify but... Keybase ain’t no github.

Then why acquire? Why not just hire as a consultant?

Because keybase obviously needs money and zoom has a lot of it right now..

That, and this is probably in large part a marketing/PR move.

Public perception of zoom/security is "beyond horrible", thus visibly spending lots of money on an acquisition of a very well respected name in security helps them polish that image at least a little.

And who knows, maybe they'll even work on actually improving security. Always the hopeless romantic/optimist, me. ¯\_(ツ)_/¯

> Public perception

I'd say you overestimate that. Perhaps 0.01% of the public knows that Keybase exists and has a bad opinion of Zoom security. Expert's opinion is important, but does not automatically become general perception.

(Anecdatum, I'm far from a security expert. I know that Keybase exists, even have an unused account; I use Zoom for work and don't blame them for not locking up tighter. Their blog post on the topic sounded reasonable to me.)

> Perhaps 0.01% of the public knows that Keybase exists and has a bad opinion of Zoom security. Expert's opinion is important, but does not automatically become general perception.

This is true, but perhaps a bit short-sighted. Expert opinion on Zoom is "avoid it like the plague". This does not automatically become general perception, true, but:

- Over time, expert opinions have a marked effect on adoption by non-experts in their vicinity. See the adoption of Firefox, or Google Chrome, for example.

- For a social networking platform, powerful well-connected never-adopters can pose a problem both to growth and to a budding monopoly. If CIOs and CISOs say, "Zoom over my dead body", that will tend to discourage adoption and encourage development of good alternatives.

Zoom may be also managing the perceptions. Some users will jump to conclusions that the aquisition means integration, like an plug-in, bam! the bad part swapped with a good one.

Hiring consultants may be perceived like starting an investigation, not getting the fix now.

The question remains how soon and how true this will translate to the stated goal of true end to end encryption.

Yeah holy crap. I've been a big fan of Keybase since they launched, but this is a deathknell. I guess I'm not too surprised, Keybase didn't seem to have a business model, but still, disappointing that they're going to go into death this way.

Attention people starting businesses: VC funding is fun and all, but please, have a business model. Your users and employees depend on it.

While honourable advice, the bottom line is Keybase sold without having a business model.

So perhaps better advice is, start a business even if you don’t have a plan and someone may buy it anyway.

The plan was to get acquired. As much as I've liked Keybase the product, their steadfast refusal to ever come up with a way to make money has always made me suspect they were doing the typical Silicon Valley thing: just burn funding until a bigger company notices and buys you.

> So perhaps better advice is, start a business even if you don’t have a plan and someone may buy it anyway.

A better world for your personal pocketbook maybe, but certainly a worse world for the rest of us. I wouldn't characterize that as "better" in any general sense.

Sometimes, acquihire is the business model. It makes money for the VCs and money for the founders. It's just the fools^wconsumers who bought in early (and the non-essential employees) who get the shaft.

What's our business model, how are we making money? Umm... don't ask me - I'm just the founder!

The sad thing is that you need to remind people of it. I would never start a business without an idea of a viable business model for it. What do they expect? Growing until they are too large to fail and then ... Godot arrives and everything is fine?

They expect to get bought. And they were right.

Yeah for the few people in the world who actually used Keybase and understood (at least partially) why it was a neat thing... most of those people are also those who have been following the Zoom debacle, and will likely consider abandoning the platform.

Might not be significant part of keybase and bots don't need privacy. ;)

Even as an information security practitioner that cares a great deal about privacy I am just not willing to jump on this "Zoom is bad" band wagon. "Zoom is bad" is a tech media narrative largely driven by the large players that have something to gain by seeing Zoom stumble. There may be QC concerns, but in general the product has been great for our team and our consensus was to give them some time. Their response has been positive and they seem to have handled it transparently. Reality says this: Zoom works well enough. When we started using it several years ago it was far ahead of the competitors. Maybe they are catching up? Anyhow, I will give Zoom a chance to do the right thing over the next 6-12 months regarding Keybase, and their product in general.

Keybase's side of the announcement: https://keybase.io/blog/keybase-joins-zoom

> What the Keybase team will be doing

> Initially, our single top priority is helping to make Zoom even more secure. There are no specific plans for the Keybase app yet. Ultimately Keybase's future is in Zoom's hands, and we'll see where that takes us. Of course, if anything changes about Keybase’s availability, our users will get plenty of notice.

> So, our shortest-term directive is to significantly improve our security effectiveness, by working on a product that's that much bigger than Keybase. We can't be more specific than that, because we're just diving in.

They're not even making the usual "Zoom is committed to keeping Keybase alive" promise :(

(We've since changed the URL from https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keyb... to that one)

Hi dang, are there any plans to introduce a marker of some sort so that people know whether the current URL is the same as the one it was submitted with? I find that often I have no idea what the comments are talking about

It's not clear to me whether that would add more signal to the comments or more noise.

If you have specific links to cases where this has been a problem, you'd be welcome to send them to hn@ycombinator.com so we can take a look. Or keep that in mind for the next time this comes up.

I haven't been collecting links, but I'll keep my eyes open moving forward.

They are buying Keybase to shore up their security, why would they still give them time to keep it up unless, they want to also integrate their message service into Zoom chat.

is this an acquihire then?

If so, it would be in the unusual shape that it is a top-dollar one rather than cover-the-failure-with-a-pretty-ending one. But in this case, Zoom is probably actually interested in the security tech that Keybase has apart from the talent, they're just not interested in the product.

did i miss something? how do you know its top-dollar? no dollar amount was disclosed.

No, you didn't miss anything. As you probably expected, it's just my deductions from context. I may be completely wrong. I still do believe in them, but obviously no one else needs to.

keybase doesn't have any 'security tech', zoom just needs a plausible fig leaf for the analysts that somehow associates with security.

Do "acquihires" work in practice? It reminds me of this Dilbert comic: https://dilbert.com/strip/2014-07-31

"to make Zoom even more secure." I mean, this might take a while.

I can easily see the words "even more" being added only after rounds of reviews :P

When I first heard of this purchase I thought, this is PR for Zoom to recover from its recent sec fails.

Keybase helped me to identify a trend in the software industry: using a pretty UI to cover up the disruption of an open ecosystem with a closed, centralized replacement. Keybase seemed cool on the face of it - making encryption easier is a laudible goal, and PGP certainly could use the improvement. But, thanks to Keybase, now I ask different questions upfront. Beware the Keybase formula:

1. Integrates with an existing, open ecosystem

2. May have open-source clients, but server is closed source and does not federate

3. Pretty UI and good marketing

4. VC funded

I don't know how many people here remember the excitement when Android was new and, OMG, it's Linux! Open source! Finally we have a Linux-based, free and open phone platform!

I actually think that this played a non-trivial part in Android getting early traction - similar dynamic to Gmail where tech people got excited about it eventually "my friend who's good with computers recommends this" becomes a factor.

Not the exact same formula as you formulate above, but I think there are parallels to draw.

Embrace, extend, and extinguish, and all that.

I was very excited about first reports on Android. I was young, starting to earn my first money, and I wanted to spend that money by getting myself my first, awesome, Linux-powered smartphone by Google - a company I heard only good things about.

Fortunately, I've decided to go with Openmoko instead back then. I'm so glad I did.

Same happened with Telegram: from a crypto messenger for geeks (who were excited by new crypto – I know, I know – and promises of end-to-end encryption everywhere coming some day) to just another messenger with cool stickers and stuff.

Really sad because I personally recommended it too, and was hoping these things would work out somehow. Lesson learned: they don't. The next messenger I will promote with my friends would be one without the server at all.

Keybase packed together many different technologies in one place. I don't think any of us who moved to Keybase had delusions that it would be around forever. But it's an amazingly comprehensive suite for its small scope and the open source product that replaces it will only exist because Keybase existed.

If the writing is placed on the wall (the marker cap is open right now) then replacing each of Keybase's features with existing technologies won't be difficult -- just time consuming, which is why they have market fit.

Indeed. We always knew that Keybase would have to find a source of income someway, get bought, or shut down.

Each of us using Keybase saw the potential for the tech. We supported and evangelized Keybase because we wanted to see a world where the workflows enabled by Keybase were more common. There were no false pretenses: Keybase was openly flailing about for a revenue model, and the client was made open-source as a display of goodwill so that leaving would not be impossible.

If Keybase completely shuts down, I have hopes the team will be able to convince Zoom to let them pack up and release parts of the server code not being shared with Zoom's products.

This is not a trend, it’s a long standing market strategy:


Can't it be both a trend and a marketing strategy?

Yes, but in this case it isnt a trend

on the other hand, it was actually usable by somebody who isn't a privacy advocate.

the trend exists because "pretty UIs" and usability are actually valuable features to users, and the existing open ecosystems tend to fail at that aspect.

I wonder if we’ll get a fully open source release of the Keybase server out of this. It would be so awesome as a federated ecosystem...

I think we could just stop at:

VC Funded™

Sounds like protonmail.

I don't know their revenue numbers, but protonmail offers paid services, unlike Keybase. I hope protonmail doesn't go the same path.

They’re vc funded?

https://protonmail.com/about indicates they're funded to some extent by Charles River Ventures (https://www.crv.com/). They were initially crowdfunded, and also get funding from a Swiss nonprofit foundation.


it's more about the VC funding than anything else. it is almost always the reason for the death of cool software

The reason for the death of cool software is that nobody pays for software anymore.

> Ultimately Keybase's future is in Zoom's hands

Well, that definitely translates to uncertainty and ultimately the death of Keybase.

from Zoom's twitter:

"We are excited to integrate Keybase’s team into the Zoom family to help us build end-to-end encryption that can reach current Zoom scalability."

not a word about what happens to the existing technology which doesn't sound very reassuring to existing keybase users.

This is a good point. As far as I understood, Keybase's main offering, i.e. key discovery for accounts you knew little about, was never about "the best crypto that scales to Zoom levels".

Though what the main features were got very muddled anyways, especially with the odd Stellar cryptocurrency wallet implementation. I'm very interested to see what they do with the existing tech, or whether there will be open-source forks that are somehow compatible.

@Keybase users: Check if you uploaded your private key. I hope it is rare but now is the time to make that non existent.

I essentially didn't have a private key prior to Keybase, and I think it's still the only place I use it, so I'll end up rolling a new one if Keybase becomes fundamentally untrustworthy.

They are fundamentally untrustworthy. They haven't taken security issues in the past very seriously, they also have ties to China.

That’s Zoom. Post acquisition Keybase is tied to some of those, but not all. Their dev team is not going to move to China (at least not immediately) and past security issues in Zoom are no indication of Keybase safety.

This will possibly change over time though.

I signed up so long ago that I'm not quite sure what you mean. I remember posting a bunch of public keys (like on my profile here). I think the keybase app generated them along with a private key but it has been like three years.

I don't remember at all uploading one or where to find it if I did, can you explain the issue you have in mind a little more?

You can optionally have Keybase (generate and) store your private key for you.

It's designed to lower the barrier to entry, but is obviously less secure than managing it yourself outside of Keybase (e.g. in GPG keyring, or a physical OpenPGP smartcard such as a Yubikey) - and some consequently wish the storage had never even been offered.

That optional GPG/PGP private key storage was also re-hidden (and almost but not quite removed) functionality by Keybase over the course of the application's life as they moved away from using traditional GPG/PGP-style keys to a more complicated but more secure system based on device-specific keys (and chains/webs of those keys and their derivatives), around when you needed another device to onboard the next device rather than just needing to sign in with username/password.


There is still (apparently under another command name) this ability to upload your private key.

The issue is a third-party having control of your private key.

I saw that coming when they shoehorned a pointless cryptocurrency that nobody uses into it.

It was actually a really nice stellar wallet implementation. A bad bet perhaps, in hindsight. Unfortunately, this acquisition means I won’t be using it anymore for the foreseeable future.

It looked like a de-anonymization attack and brought phishing attacks to crypto groups using Keybase group chat.

It was badly implemented, badly introduced, and harmful for both users and adoption of the platform.

Keybase was always a de-anonymization platform, and there have always been spam/phishing concerns for the platform. The crypto wallet was a dumb way to force them to address some of the spam/phishing/harassment issues inherent in the platform as a "social media" with ties to nearly every other social media through its validation checks, but it was past time needed for spam/phishing/harassment control (as some minorities had said for years prior to the crypto wallet forcing such things).

I deleted my account when the crypto-spam emails started to arrive.

> Zoom does not and will not proactively monitor meeting contents, but our trust and safety team will continue to use automated tools to look for evidence of abusive users based upon other available data.

> Zoom has not and will not build a mechanism to decrypt live meetings for lawful intercept purposes.

> We also do not have a means to insert our employees or others into meetings without being reflected in the participant list. We will not build any cryptographic backdoors to allow for the secret monitoring of meetings.

One court + gag order and all of these promises are out the window.

“...will not proactively monitor...”

“...will not build a mechanism to decrypt live meetings...”

So, this means that they can record meetings, then retroactively decrypt and monitor meeting contents :)

Well, yeah, duh.

What do you expect them to do? Hire a PMC and fight a war with the police when they come around to raid the server room? Go into hiding so that the security agency can't steal the upgrade signing key from them?

We can't expect all of the internet to operate like Wikileaks and The Pirate Bay. If the justice system is broken, then the people aren't safe.

>What do you expect them to do? Hire a PMC and fight a war with the police when they come around to raid the server room? Go into hiding so that the security agency can't steal the upgrade signing key from them?

No, we want them to assume the same thing we are assuming. That if their service becomes successful, they will be coerced to compromise their users, regardless of how frequently they promise that they would never do so.

If they are even bothering to make public announcements like this, then that means they believe the security of their system can be founded on the honor of their employees. It's important to recognize that this isn't even true if you assume every member of their team is an uncorruptible seraphim.

Instead, where possible, the service should be zero knowledge, where not possible, it should be considered insecure.

> We can't expect all of the internet to operate like Wikileaks and The Pirate Bay.

Why not? That's just what it takes.

> If the justice system is broken, then the people aren't safe.

It is, and they are. After 50 years under the heel of the war on drugs, how is it not 100% obvious?

Building reasonable end-to-end encryption in the first place isn't rocket science. In fact, Keybase have done just that. As well as WhatsApp, Signal, and many others.

Consider these promises a warrant canary. They will be removed at some point.

I thought warrant canaries had to be in financial reports because those are one of the documents where companies are legally cannot lie under SEC rules?

only that it is not.

warrant canaries must be written in the past tense. This is future tense. So they can monitor millions of calls, and give your information away at every second. This text only tells you about the next second (a promise they will break too, but then the text will be about the next second)

Perhaps it's my inexperience with the english language showing, but I thought "has" in this context was past tense.

Nope you’re right. They could use this as a warrant canary by removing the “has not” part

> Zoom has not and will not build a mechanism to decrypt live meetings for lawful intercept purposes.

That seems to include past tense.

I wonder how important the word "live" is there. Does this statement only apply to real-time decryption of ongoing meetings?

I think yes: they lack the technical infrastructure to decrypt the meeting in real time (which totally makes sense), rather than they have no plans to buid any infrastructure to decrpyt it afterwards (which cannot be guaranteed against a hostile actor).

And how long of a delay counts as no longer "live"? After the meeting ends? Five seconds? A millisecond? Does the latency to the server mean it's not "live", since it happened in the past?

One full meeting duration after the meeting ends.

Let alone the legalese included that makes 'will not' lose any meaning at all.

The statement about lawful intercept can only be considered a blatant lie. It’s a requirement in China and CALEA applies in the US. Europe, India and Australia have their own laws around this.

What makes you think that CALEA applies to Zoom (in the U.S.)?

IANAL, but I'm reasonably confident that it does not.

EFF says[1] it applies to Skype, so I think it should apply to Zoom as well.

[1] - https://www.eff.org/issues/calea

It also does not say that they have not provided key material or RNG output, or that they have not deliberately weakened any aspect of their design other than "cryptographic backdoors" to accommodate law enforcement desires.

These kinds of statements are typically most usefully interpreted as a template for the kinds of things they plan to do, just maybe not exactly in that way.

On announcing that they'll support git [1]:

> > > You guys should be taking my money

> > One way to pay, if you want to help ensure their success & longevity, is to evangelize for them, and get other people hooked on their product. Getting other people hooked on it like you are and seeing the potential and get over the adoption humps... that's valuable! They're not taking money because it raises the barrier to entry, and growth is most important. Pay them by helping them grow.

> It's valuable, but not in the capital sense. Each person you get hooked on their product increases their burn rate, and both makes them more attractive as an acquisition (which is scary for users) and more desperate for cash (which makes acquiescing to acquisition more tempting).

> Without a road to profitability (or at least a road to revenue) even attracting equity is difficult; investors who enter with that knowledge will be looking to exit through acquisition, since that's basically the only way to exit, other than just getting more capital.

[1] https://news.ycombinator.com/item?id=15403772

Congratulations to the keybase team.

Most people here seem to be making a self fulfilling prophecy of keybase's death.

But I like to think that Zoom intends to reuse large parts of keybase codebase:

> Logged-in users will generate public cryptographic identities that are stored in a repository on Zoom’s network and can be used to establish trust relationships between meeting attendees. An ephemeral per-meeting symmetric key will be generated by the meeting host. This key will be distributed between clients, enveloped with the asymmetric keypairs and rotated when there are significant changes to the list of attendees. The cryptographic secrets will be under the control of the host, and the host’s client software will decide what devices are allowed to receive meeting keys, and thereby join the meeting. We are also investigating mechanisms that would allow enterprise users to provide additional levels of authentication.

Will the founders be interested in releasing parts if not all of the server code to the public? I believe the founders' mission is still achievable and can be carried out, should they be willing to release the code in public.

I'm seeing a certain pattern here, aren't we all just fooling ourselves?

Isn't this just all inevitable? Aren't all these startups just lining up all in the hopes just to get acquired?

I guess when we see VC Funded™ on any startup what it _really means_ is that:

"We are prioritising a return for our investors even if it means violating our mission statement".

No, that's not how this works.

This outcome is almost certainly seen as a failure by the VCs. It looks like an acquihire. If so, it's quite possible that the VCs didn't even get their money back. Acquihires generally do not return money to VCs -- obviously, given that the employees are free to work anywhere, the acquirer's interest is in paying as much as possible to the employees and as little as possible to the now-worthless acquired company.

It's likely the employees are the ones benefiting most from this outcome, in that their pay has probably gone up considerably and they are no longer nervous about their job security, after many years of high stress and low pay.

It's possible the VCs were even offering some more cash to keep going, but at unfavorable terms, and the team said: "No, we'd rather take the big paychecks from Zoom."

Given Keybase has only had one funding round (according to crunchbase), the founders certainly still had a controlling stake in the company and the VCs couldn't force them to sell or not sell.

You can blame VCs for a lot of things but this kind of outcome is just not one of them (except insofar as that it allowed a company with little viable business strategy to exist in the first place).

(I am the founder of a failed startup. We had multiple "acquihire" offers, none of which offered any money back to investors.)

Typical VC terms give them veto rights over future deals even though they are minority stakeholders.

I think it is inevitable, yeah. But, this wouldn't have been a problem if the product itself was decentralized.

For example, if it was optional to connect to the Keybase network to begin with.

Imagine a keybase-type app that is built on web of trust rather than centralized servers.

Wait what? That's called PGP. And people like to hate on it because it's a decentralized web of trust. The whole point of Keybase is to pave over the problems with web of trust by creating a social identity layer that more accurately reflects how trust relationships actually form.

An open source social identity attestation layer that people can operate and federate. Now that sounds cool!

> An open source social identity attestation layer that people can operate and federate. Now that sounds cool!

Hard agree! Let me know what you think of this project Iris. I know it's still early, but the plan is sound imo https://github.com/irislib/iris

For most, sure. How else do you "exit"? It's not a great time for an IPO. Nor for raising money.

So either you're self-sustaining and are in it for the long haul, or you're looking to get acquired.

The fact that the ultimate goal of most startups is to "exit" says an awful lot. It's an obvious signal that they are not prioritizing your needs in the long-term.

My two cents: that's part of the game in today's marketplace. It's pretty difficult to 'disrupt' firmly cemented market footholds and play with the big boys with seemingly endless streams of capital (though it certainly is possible, tech is more notorious for this than most industries, though highly improbable).

You really want to lock down some strategic IP that stands in the path of a behemoth and hope they'll want to aquire it under their growth goals or attempts to stomp out potential competitors (by throwing money at them and not through litigation or other paths). The big boys win because they buy out proven effective solutions/IP and models while failed startups eat the market high-risk exploratory costs.

We need a new type of company that can never be acquired.

Ghost (blogging software) chose to incorporate as a Company Limited by Guarantee [1], which doesn't have shares and can't be acquired that way: https://ghost.org/changelog/moving-to-singapore/

[1] https://en.wikipedia.org/wiki/Private_company_limited_by_gua...

Sweet, i kind of knew it already existed, but this type of structure is just so damn rare.

I guess most founders are really just motivated by the pot of gold at the end of the rainbow :/

It only really works for bootstrapped non-profits, and for projects that are entirely volunteer-driven. No VC would be able to invest in something like this (unless it's a grant like what YC does for non-profits [1]).

Even Mozilla Foundation [2] was spun off from Netscape, and heavily supported by AOL in its early years.

[1] https://www.effectivealtruism.org/articles/why-nonprofits-sh...

[2] https://en.wikipedia.org/wiki/Mozilla_Foundation#History

By definition, worker coops are never acquirable by private controlling interests; they are always employee-owned.

That definitely cannot be acquired. No sane business would want to convert actual money into fun bucks and put those into a buggy script that would lock everyone out if someone pwns it.

> convert actual money into fun bucks

What is more 'fun'? USD in bank account, USD as cash, DAO, or gold? I would think those are monotonically decreasing in 'fun'-ness. "Actual" money is not a good word for printable items of arbitrary scarcity. Not arguing for or against GP, just saying.

So if I'm reading this right... the participants of the DAO can band together and sell their company to a company as well? It looks like a DAO just requires some kind of cryptocurrency to participate, and then the participants get control over the operations of the DAO. So ownership is transferable at any time by these parties.

It would have to be built into the DAO smart contract. You could make a smart contract where it can't be sold.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact