Graph of Keybase commits pre and post Zoom acquisition (github.com/keybase)
349 points by 0des on Oct 9, 2021 | 69 comments

My friend who joined Zoom via the acquisition said it’s abandoned, all future work is on Zoom, no plans to do anything other than bare minimum maintenance on the keybase systems. No surprise here. Bit of a shame though.

Edit: following up on this since I think it was slightly misleading -- this has always been Zoom's public opinion since they announced the acquisition. Their goal was always to integrate the Keybase technology into Zoom. See their blogpost for more https://blog.zoom.us/zoom-acquires-keybase-and-announces-goa...

It is being maintained and still actively used. The largest user, afaik, is Chia Network (https://www.chia.net) and they rely on that for the bulk of their internal and external community comms. If Zoom decides not to host the servers anymore I predict they will likely try to acquire it from Zoom or re-implement the server portion.

There is probably a profitable business to be built to implement an opensource version of the Keybase server that is backwards compatible with the client and then start charging enterprises a reasonable price for data storage and communications to host it in the cloud. Zoom is sitting on a potential gold mine and they are just letting it languish.

Yes, Zoom is sitting on a gold mine and it is online video conferencing. Keybase is a silver mine at best. Guess which mine you would prioritize?

Hard disagree. A global identity network that has end-to-end encrypted chat that can be used for secure authentication in a variety of scenarios and allows users to exchange data is a much bigger market than video conferencing. If anything Zoom should be working on integrating Zoom video conferencing into the Keybase product.

If average people cared about security like they do real time video conferencing then Keybase would have not been for sale.

How big is Chia Network, 50 employees? I have a feeling my town's school has more Zoom users and provides more revenue to Zoom, Inc than Chia.

It would be very cool if they acquired it tho, and I agree it is a potentially profitable business, but only barely so.

The Chia community is much much larger than the number of employees working at Chia Network and the community is all on Keybase. At times Keybase has strained under the load from all the users. The #general channel has something close to 20,000 members last time I checked.

Keybase had one of the few centralized chat apps I didn't hate.

It's all such a shame but I guess that's why I stay away from centralized chat services.

Well they didn’t lie then when they said “nothing will change after the acquisition”.

It's quite heart breaking. I particularly loved the idea of the Keybase Filesystem, sad to see this fall into an abandoned state.

The closest Keybase alternative I've found so far is https://keys.pub/ (on HN: https://news.ycombinator.com/item?id=22995792)

Welcome any suggestions for KBFS alternatives!

Agreed, file sharing via Keybase is a dream. It automatically creates an encrypted folder on my filesystem that is shared with the other party. Super convenient, I tried to evangelize it solely for this reason.

ignoring its UX, https://upspin.io/ is the closest alternative that i'm aware of

You might like Peergos (disclaimer: co-founder here), an encrypted global filesystem built on ipfs - https://peergos.org

More detail in our book - https://book.peergos.org

We can also do signed identity proofs with better privacy than keybase's. Here's a public example https://beta.peergos.net/public/ianopolous/.profile/ids/iano...

I popped over for a glance, as I have been seeing a need for something very similar.

pricing 5 GBP per month - I read over that 4 times and it kept becoming 5 GB in my head... might I suggest adding $7 US per month and $80 per year perhaps.

then I checked the terms and I saw UK law - which has fluctuated a lot with content that is okay and not okay.. and then the word "obscene" is in there.. and other stuff that makes me wish this was hosted elsewhere.

perhaps for an extra X$ one can choose to host an instance on other locations and avoid some of the uk things I dunno.

Thanks for the feedback. It's mainly UK based because most of our team is UK based. Our actual hosting is in Germany.

There is also the option to self-host and still be able to interact with users on other instances, including https://beta.peergos.net.

I use keyoxide (https://keyoxide.org) for showing proofs such as DNS and GitHub.

KBFS was pure magic. I wish they had kept their focus on that. Alas, all good things…

Compare to rundeck after they were acquired by Pagerduty


A good reminder to take the verification off my HN profile now.

It always bugged me that the proof went on the profile itself and not on a mere comment like it does for other identities (Twitter → tweet, Reddit → a post in /r/KeybaseProofs etc).

The problem with doing this on HN is that you can’t delete or edit comments after a few hours, so there would be no way to remove the proof besides a reply to your own comment (which also doesn’t work once the thread is old enough to not allow comments)

no real place to make such a comment where it's not out-of-place, profile IMHO makes sense then.

I've been surprised at how long it's taken the community to react in this way.

It looks as if it's been in maintenance mode since the acquisition. Why is that?

From https://keybase.io/blog/keybase-joins-zoom

> Initially, our single top priority is helping to make Zoom even more secure.

Although the git graph looks like it's their only priority at the moment...

This PR release says the point was "Developing the Most Broadly Used Enterprise End-to-End Encryption Offering" (https://investors.zoom.us/news-releases/news-release-details...)

Five months later, they announce their initial technical preview of E2E encryption (https://blog.zoom.us/zoom-rolling-out-end-to-end-encryption-...)

What usually happens after M&A is if the acquired product isn't a profit-maker, they "integrate" it into other products and it goes into maintenance mode, eventually to be sunset. If the product did make money, they'd re-brand it and keep development going... unless they have plans to integrate the product's core feature into a larger corporate product (Zoom) that a separate branded product would compete against internally.

It seems like keybase has been eaten and absorbed into the Zoom app, and the rest will be flushed.

Because Zoom only wanted the employees and the appearance of caring about encryption and didn't care about the product.

It's entirely possible they genuinely cared about encryption for their own product, and didn't give two hoots about the Keybase product.

If they genuinely cared, they would have started a lot sooner.

Are they not allowed to shift priorities as they grow? I'm sure there are many things you genuinely care for these days which wouldn't have been true a few years ago. It would be dismissive for me to assert you don't truly care about those things, would it not?

That's not fair. A lot of companies start off not caring about security because they just need to ship and grow. They add security later after they get owned or when they need to take on the type of customers that also genuinely care about security. Maybe they didn't care before and they care now. That's allowed.

I disagree. At this point, there's no real reason to just not care about security from day one.

There's a wealth of tools and docs, and users are becoming more and more conscious (which is fantastic, for the record!). There's the obvious ethics of keeping the data your users entrust you with safe to the best of your abilities, too.

There's a real reason to not care about security from day one... the competitor who doesn't care will beat you to market, and then you don't get a day 2.

Sorry, but the vast majority of people just don't care. Customers want a working product.

Or they suddenly had a lot of reason to start caring more, and the best way to get competent people onto improving security was an acquihire?

Zoom wanted the hashes, not the employees.

Yours is the only comment on this thread so far that mentions hashes. Care to explain what you mean by hashes in this context, and what benefit you think zoom would get from acquiring them?

chinese law is such that any company holding password hashes turns them over to the government

none of those hashes stand up to government level resources

every keybase customer is now available to china, which has a long pattern of logging in as you

Ah I see, that seems to be a reasonable concern.

They were acquired to appease investors/public relations during the explosive pandemic growth phase when a multitude of security issues were uncovered.

Oh boy. Is it too early to say RIP?

The github repo looks ripe for a fork.

The servers are not FOSS and would need reimplementing.

I encourage everyone who liked Keybase to add a comment to this issue to support opensourcing the server portion of Keybase.


Hopefully if enough people make their voices heard Zoom will either opensource it or maybe revive development of it.

That thread just represents demand to them, no?

Likely easy enough for a client based on E2E encryption principles; the backend is in many ways a (fancy) dumb pipe. (It could still require complex infrastructure, but at least there'd be relatively little "feature" code on the backend to be rewritten.)

FWIU, Cyph does Open Source E2E chat, files, and unlimited length social posts to circles or to public; but doesn't yet do encrypted git repos that can be solved with something like git-crypt. https://github.com/cyph/cyph

It would be wasteful to throw away the Web of Trust (people with handles to keys) that everyone entered into Keybase. Hopefully, Zoom will consider opening up the remaining pieces of Keybase if not just spinning the product back out to a separate entity?

From https://news.ycombinator.com/item?id=19185998 https://westurner.github.io/hnlog/#comment-19185998 :

> There's also "Web Key Directory"; which hosts GPG keys over HTTPS from a .well-known URL for a given user@domain identifier: https://wiki.gnupg.org/WKD

> GPG presumes secure key distribution

> Compared to existing PGP/GPG keyservers [HKP], WKD does rely upon HTTPS.

Blockcerts can be signed when granted to a particular identity entity:

> Here are the open sources of blockchain-certificates/cert-issuer and blockchain-certificates/cert-verifier-js: https://github.com/blockchain-certificates

CT Certificate Transparency logs for key grants and revocations may depend upon a centralized or a decentralized Merkleized datastore: https://en.wikipedia.org/wiki/Certificate_Transparency

How do I specify the correct attributes of my schema.org/Person record (maybe on my JAMstack site) in order to approximate the list of identities that e.g. Keybase lets one register and refer to a cryptographic proof of?

Do I generate a W3C DID and claim my identities by listing them in a JSON-LD document signed with W3C ld-proofs (ld-signatures)? Which of the key directory and Web of Trust features of Keybase are covered by existing W3C spec Use Cases?

From https://news.ycombinator.com/item?id=28701355:

> "Use Cases and Requirements for Decentralized Identifiers" https://www.w3.org/TR/did-use-cases/

>> 2. Use Cases: Online shopper, Vehicle assemblies, Confidential Customer Engagement, Accessing Master Data of Entities, Transferable Skills Credentials, Cross-platform User-driven Sharing, Pseudonymous Work, Pseudonymity within a supply chain, Digital Permanent Resident Card, Importing retro toys, Public authority identity credentials (eIDAS), Correlation-controlled Services

> And then, IIUC W3C Verifiable Credentials / ld-proofs can be signed with W3C DID keys - that can also be generated or registered centrally, like hosted wallets or custody services. There are many Use Cases for Verifiable Credentials: https://www.w3.org/TR/vc-use-cases/ :

>> 3. User Needs: Education, Retail, Finance, Healthcare, Professional Credentials, Legal Identity, Devices

>> 4. User Tasks: Issue Claim, Assert Claim, Verify Claim, Store / Move Claim, Retrieve Claim, Revoke Claim

>> 5. Focal Use Cases: Citizenship by Parentage, Expert Dive Instructor, International Travel with Minor and Upgrade

>> 6. User Sequences: How a Verifiable Credential Might Be Created, How a Verifiable Credential Might Be Used

Is there an ACME-like thing to verify online identity control like Keybase still does?

Hopefully, Zoom will consider opening up the remaining pieces of Keybase if not just spinning the product back out to a separate entity?

> Is there an ACME-like thing to verify online identity control like Keybase still does?

From https://news.ycombinator.com/item?id=28926739 :

> NIST SP 800-63 https://pages.nist.gov/800-63-3/ :

> SP 800-63-3: Digital Identity Guidelines https://doi.org/10.6028/NIST.SP.800-63-3

> SP 800-63A: Enrollment and Identity Proofing https://doi.org/10.6028/NIST.SP.800-63a

FWIU, NIST SP 800-63A Enrollment and Identity Proofing specifies a spec sort of like ACME but for offline identity.

"Key server (cryptographic)" https://en.wikipedia.org/wiki/Key_server_(cryptographic)

> The last IETF draft for HKP also defines a distributed key server network, based on DNS SRV records: to find the key of someone@example.com, one can ask it by requesting example.com's key server.

> Keyserver examples: These are some keyservers that are often used for looking up keys with `gpg --recv-keys`.[6] These can be queried via https:// (HTTPS) or hkps:// (HKP over TLS) respectively: keys.openpgp.org , pgp.mit.edu , keyring.debian.org , keyserver.ubuntu.com ,

"Linked Data Signatures for GPG" https://gpg.jsld.org/

  npm i @transmute/lds-gpg2020 -g
  gpg2020 sign -u "3BCAC9A882DEFE703FD52079E9CB06E71794A713" $(pwd)/docs/example/doc.json did:btcr:xxcl-lzpq-q83a-0d5#yubikey

From https://gpg.jsld.org/contexts/#GpgSignature2020 :

> GpgSignature2020: A JSON-LD Document has been signed with GpgSignature2020, when it contains a proof field with type GpgSignature2020. The proof must contain a key signatureValue with value defined by the signing algorithm described here. Example:

  {
    "@context": [
      {
        "schema": "http://schema.org/",
        "name": "schema:name",
        "homepage": "schema:url",
        "image": "schema:image"
      }
    ],
    "name": "Manu Sporny",
    "homepage": "https://manu.sporny.org/",
    "image": "https://manu.sporny.org/images/manu.png",
    "proof": {
      "type": "GpgSignature2020",
      "created": "2020-02-16T18:21:26Z",
      "verificationMethod": "did:web:did.or13.io#20a968a458342f6b1a822c5bfddb584bdf141f95",
      "proofPurpose": "assertionMethod",
      "signatureValue": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEIKlopFg0L2sagixb/dtYS98UH5UFAl5JiCYACgkQ/dtYS98U\nH5U8TQf/WS92hXkdkdBQ0xJcaSkoTsGspshZ+lT98N2Dqu6I1Q01VKm+UMniv5s/\n3z4VX83KuO5xtepFjs4S95S4gLmr227H7veUdlmPrQtkGpvRG0Ks5mX7tPmJo2TN\nDwm1imm+zvJ+MXr3Ld24qaRJA9dI+AoZ5HXqNp96Yncj3oWD+DtVIZmC/ZiUw43a\nLpMYy94Hie7Ad86hEoqsdRxrwq7O6KZ29TAKi5T/taemayyXY7papU28mGjVEcvO\na7M3XNBflMcMEB+g6gjrANsgFNO6tOuvOQ2+4v6yMfpJ0ji4ta7q2d4QKqGi5YhE\nsRUORN+7HJrkmSTaT7gBpFQ+YUnyLA==\n=Uzp1\n-----END PGP SIGNATURE-----\n"
    }
  }

and that's numberwang


Zoom must have had the craziest period of hyper-growth over the past 18 months. Not at all surprising that the Keybase engineering team would be focused on Zoom problems.

One of the top three worst things to happen in 2020.

I would be really fascinated to read about acquisitions that led to actual explosion of the original product inside an organization and those that didn't, apparently like Keybase. Seems like there must be a financial metric where the purchase price should reflect that, or the size of the team divided by the purchase price would indicate something.

Wasn't Tesla one of these that was purchased and then blew up?

Can anyone get the "abandon proof" button to work in the profile in-browser if you want to remove something from your profile? I can't get it to work in Firefox and Edge for some reason.

Don't want to reset or delete the entire account for now, but I'd like to remove some stuff.

It is broken in the browser, but the desktop app is still able to revoke proofs (click your name in top left sidebar and pick edit profile from dropdown)

This functionality is now fixed on the website

Acquisition canary

I don’t know if I believe in such a thing. Salesforce has done many acquisitions over the years, and they have ranged from acqui-hire to complete independence. Zoom has no such history, and I’m bummed about Keybase, but the next one could be 100% different.

What was so special about keybase that a bunch of nerds needed to add their public key everywhere?

What's special is the ability to publish cryptographic proofs on public social media profiles to link back to a central identity. You could say this person on Twitter, Facebook (discontinued), Github, HN, etc. is 100% the same person. Key provisioning and recovery becomes easy then when you set up multiple devices and your messages are available across mobile, laptop, desktop and across various operating systems. And it was all end-to-end encrypted.

With good UX for chat and excellent file sharing.

Very sad it didn't get more traction. I still use it.

I still use it regularly as well. There is definitely a thriving ecosystem of users on it, which tells me that it is providing real value to some people. Either someone is going to breathe new life into Keybase or someone is going to come along and build something similar to Keybase with better execution and be wildly successful.

The browser extension also gave you a way to help verify as well as giving you the ability to send an encrypted DM which is more secure than most of these social platforms. (But had it caught on, it would not have been fun to deal with spam and moderation)

What's so special about Zoom? If Zoom fell off the face of the Earth, by the next day everybody would have switched to any of half a dozen nearly identical services, many of them older than Zoom. Within another couple of days, everybody would have stopped noticing the difference.

We've used Skype, GoToMeeting, Slack... and finally Zoom, and Zoom was the best quality video conferencing by far.

No echo, no sound+video synch issues, rarely any "breaking up"... they must've implemented some very nice tricks to make all these work even when we have meetings with people sitting in from several different countries.

Despite their security issues, it's not surprising they came to dominate the market: it was the only product that really worked.

It was a wonderfully user-friendly front end to GPG. I used it extensively with some non-technical clients to exchange credentials when they originally wanted to send them via email.
