Post 9uo1pNF0bclrn9tOHA by rysiek@mastodon.social
 Post #9uo1pNF0bclrn9tOHA by rysiek@mastodon.social
       2020-05-07T14:23:19Z
       
       0 likes, 4 repeats
       
       Zoom acquires Keybase: https://blog.zoom.us/wordpress/2020/05/07/zoom-acquires-keybase-and-announces-goal-of-developing-the-most-broadly-used-enterprise-end-to-end-encryption-offering/
       You read that right! Now to find the list of all people who were badgering me to set up a Keybase account...
       #Schadenfreude #InfoSec
       
 Post #9uo1pNPzwlYsLF2APA by tomasino@mastodon.sdf.org
       2020-05-07T14:24:00Z
       
       0 likes, 0 repeats
       
       @rysiek well i guess that's one way to solve their crypto issue
       
 Post #9uo1pNfwzSK18iUuGm by minus@cmpwn.com
       2020-05-07T14:26:09Z
       
       1 likes, 0 repeats
       
       @tomasino @rysiek I don't see how being acquired by Zoom would solve Keybase's crypto issue
       
 Post #9uo2itDxOZ6cuds9VQ by rysiek@mastodon.social
       2020-05-07T14:34:51Z
       
       0 likes, 0 repeats
       
       @minus @tomasino 10/10 for that toot
       
 Post #9uo4yohKBw89PrKbAm by resist_berlin_@chaos.social
       2020-05-07T14:29:55Z
       
       0 likes, 0 repeats
       
       @rysiek Exactly. Also, lol @ those people ("experts") who recently started recommending Keybase as a viable alternative for e2e encrypted messaging.
       
 Post #9uo4yop7iwMvo2ypKS by loke@functional.cafe
       2020-05-07T14:54:13Z
       
       0 likes, 0 repeats
       
       @resist_berlin_ @rysiek unless they changed anything recently the chat is still end-to-end encrypted and open source, so I'm not sure how the recommendations were in any way false.
       What will happen of course is that Keybase as a product will die. Probably by being ignored by both its developer as well as its users. Zoom has no interest in this product at all. It's clearly an acquihire and the blog post pretty much admits this.
       
 Post #9uo4yovVLDTO7pxvH6 by resist_berlin_@chaos.social
       2020-05-07T14:58:32Z
       
       1 likes, 0 repeats
       
       @loke @rysiek How does being e2e-encrypted and "open-source" already grant a recommendation? "Experts" should at least take 5-6 more factors into consideration, including the handling of metadata, the organization behind it, centralization tendencies, location of data centers and so on.
       
 Post #9uo6D4aO15sKhURolk by tagomago@mastodon.social
       2020-05-07T15:15:15Z
       
       0 likes, 0 repeats
       
       @minus @tomasino @rysiek Or Zoom's?
       
 Post #9uo6vm17twkE8rGney by rysiek@mastodon.social
       2020-05-07T15:18:36Z
       
       3 likes, 11 repeats
       
       Consider the following:
       1. #Zoom, a company with a bad security track record and murky ownership, now has clandestine supply-chain-attack capability on #Keybase, and
       2. Keybase is used by a lot of people to sign their #git commits and whatnot.
       Therefore:
       3. Zoom, a company with a bad security track record and murky ownership, now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.
       #ThisIsFine #InfoSec
       
 Post #9uo6xRiGMZRzkTFChE by wolf480pl@mstdn.io
       2020-05-07T15:23:37Z
       
       0 likes, 0 repeats
       
       @rysiek fortunately, they can't compromise your PGP key retroactively.
       If you stopped using keybase before the acquisition, and never uploaded your private key to their website (or their JS crypto was sound and you never entered your keybase password after the acquisition), you should be fine.
       
 Post #9uo8NHVT258JZr8sqW by musicmatze@mastodon.technology
       2020-05-07T15:39:28Z
       
       0 likes, 0 repeats
       
       @wolf480pl Wait a second? Upload private key? People did that? Keybase expected them to? What the actual fuck? @rysiek
       
 Post #9uo8rx8Wokv3NV2Q9g by wolf480pl@mstdn.io
       2020-05-07T15:45:01Z
       
       0 likes, 0 repeats
       
       @musicmatze @rysiek It was supposedly encrypted client-side using JS crypto and a key derived from your password. And it was optional.
       Back in the day, before KBFS and Keybase Chat, for each action on Keybase there were 3 ways to do it:
       A) directly through the web interface (only if the web interface had your private key)
       B) using the Keybase client
       C) using curl and gpg (the web interface told you exactly the shell commands you needed to run to accomplish the action)
       Supposedly, some people chose A.
       
 Post #9uoE0v1YXZtZCfs5su by doenietzomoeilijk@mastodon.nl
       2020-05-07T16:42:40Z
       
       0 likes, 0 repeats
       
       @minus @tomasino @rysiek ah, the old Mastodon switcheroo. Hold my keys, I'm going in!
       
 Post #9uoESYRg55cnHkGdvM by carcinopithecus@x0r.be
       2020-05-07T16:47:43Z
       
       0 likes, 0 repeats
       
       @minus @tomasino @rysiek lowering expectations
       
 Post #9uoGC0Drkj1KQ72gJU by siliconshecky@infosec.exchange
       2020-05-07T15:40:29Z
       
       0 likes, 0 repeats
       
       @rysiek Microsoft also had a bad security track record, and turned it around. Cisco just released a ton of advisories for ASA, FTD and FMC that are pretty bad and tends to hide its issues until it can't. Apple does not disclose the security issues they fix very easily, if at all.
       Zoom starts to take steps by getting people like Katie Moussouris and her company to help, and actually has responded to the security findings at least. Shows intent to get better at it.
       
 Post #9uoGC0SOsge99BqHy4 by msh@coales.co
       2020-05-07T17:07:07Z
       
       0 likes, 0 repeats
       
       @siliconshecky I'm not entirely sure what you're trying to argue here, but intent is meaningless without results.
       Microsoft has shown some results but arguably not yet sufficient improvement.
       Cisco is one big overpriced garbage fire. They've shown little intent to improve and virtually no results.
       Zoom is behaving just like Facebook. Lots of apology, noble intention (at least the appearance of it) but woefully inadequate results. They are not at all proactive, just reactive...
       @rysiek
       
 Post #9uoGcaAeijfJRODO6q by msh@coales.co
       2020-05-07T17:11:56Z
       
       0 likes, 0 repeats
       
       @siliconshecky ...anyway, my take on the situation:
       1. It is best to vote with your feet and make maximum effort to avoid products and services that are insufficiently secure or abuse users, regardless of their intentions. Only support them once they adequately demonstrate they *presently* respect users and practice good security.
       2. Any product or service, and especially those security related, should be viewed with suspicion if they are closed and cannot be completely self hosted.
       @rysiek
       
 Post #9uoGcswouOt5fyt6gK by siliconshecky@infosec.exchange
       2020-05-07T17:11:57Z
       
       0 likes, 0 repeats
       
       @msh @rysiek So Zoom has hired Luta Security to now handle its bug bounty program, brought on Alex Stamos to help build/fix its security program, has been working with other security consultants to help with the security issues, put a 90-day feature freeze on its product to solely work on security issues, has released numerous updates to fix the issues at hand, made passwords the default, added a new, easier-to-access area for security settings...
       Sounds like they have done nothing to me.
       
 Post #9uoH5HsnnH1r7TYGPI by msh@coales.co
       2020-05-07T17:17:08Z
       
       0 likes, 0 repeats
       
       @siliconshecky this is very promising and good news to hear. They are going in the right direction.
       But, I would say they still have critical issues that need addressing beneath all these surface-level fixes they've released. I still need to be sold on their transparency and trustworthiness as well. As such I will continue to observe, but Zoom will continue to be disallowed in my workplace.
       @rysiek
       
 Post #9uoIlLQX6i58EBwn6e by 0x00@social.panthermodern.net
       2020-05-07T17:35:57Z
       
       1 likes, 0 repeats
       
       @rysiek https://keys.pub/ did you try this?
       
 Post #9uoJVnRrFyO4SIiW12 by thor@mstdn.social
       2020-05-07T17:44:20Z
       
       0 likes, 0 repeats
       
       @rysiek Why would you need Keybase to use Git?
       
 Post #9uoJeTGneHDCTngHTM by sneak@s.sneak.berlin
       2020-05-07T17:45:52Z
       
       0 likes, 0 repeats
       
       @rysiek i'll do you one better: pretty much every single mac developer uses homebrew (which is spyware, but that's separate). homebrew gets its package database (including the hashes of the source tarballs it builds) from github. microsoft, a large us military contractor and eager participant in us hegemony/surveillance state/PRISM/etc, owns github.
       homebrew autoupdates.
       the US military (via microsoft via github) has optional RCE on pretty much every mac developer's workstation if they want it
       
 Post #9uoJl6rtKu5h1rCCqe by rysiek@mastodon.social
       2020-05-07T14:57:53Z
       
       0 likes, 0 repeats
       
       @loke @resist_berlin_ there's a single point of failure, which is Keybase itself.
       That is, if Zoom::Keybase decides to 1) change the protocol in some subtle (or not-so-subtle) way that undermines its security; and 2) not release those changes as FLOSS - how soon would you notice?
       Basically, Zoom is in a position to do a very clandestine supply-chain attack on Keybase, and by extension all its users, simply by owning them.
       And yes, "owning" here was used in both relevant meanings.
       
 Post #9uoJl74eZSIbfRAOjw by rysiek@mastodon.social
       2020-05-07T15:01:18Z
       
       1 likes, 0 repeats
       
       @loke @resist_berlin_ here's another gedankenexperiment: if Zoom::Keybase decides to close the source code tomorrow, how many people will immediately stop using Keybase?
       My guess is: not many. Some people who were already on the fence, sure. But most "regular users" who deployed Keybase because "an expert told them to" would not. And thus they would now become potentially exposed due to those "experts" ignoring the fact that centralization is as big of a red flag as being closed source.
       
 Post #9uoJm7lhTVZW6tmeRc by sneak@s.sneak.berlin
       2020-05-07T17:47:17Z
       
       0 likes, 0 repeats
       
       @rysiek also: https://news.ycombinator.com/item?id=23103578
       
 Post #9uoJmBRHpLcTUkGPBI by loke@functional.cafe
       2020-05-07T15:01:32Z
       
       0 likes, 0 repeats
       
       @resist_berlin_ @rysiek yes, but if the goal is to fulfil a number of requirements, one of which is to be seamless for non-experts, you are going to have to make some sacrifices.
       Different experts have different opinions on what should be sacrificed to achieve this.
       
 Post #9uoJmBel1GOYAWZAB6 by rysiek@mastodon.social
       2020-05-07T15:03:32Z
       
       1 likes, 0 repeats
       
       @loke @resist_berlin_ totally. However, I would posit that a company with a known bad security track record and murky ownership/control structure having supply-chain-attack capability on the tool is not an acceptable risk.
       
 Post #9uoJmnTOPxspSHXcjw by loke@functional.cafe
       2020-05-07T15:03:40Z
       
       0 likes, 0 repeats
       
       @rysiek @resist_berlin_ sure. I agree with that completely. However, the same argument can be made for every single solution that has a mobile application which is installed from an appstore. Yes, even Matrix, since at the end of the day someone holds the deployment keys for the application all those users use.
       
 Post #9uoJmnjLSedyFl0MbY by rysiek@mastodon.social
       2020-05-07T15:04:38Z
       
       1 likes, 0 repeats
       
       @loke @resist_berlin_ true, but you can deploy Matrix without going to an appstore. Which means I can use it without relying on the same gatekeeper. Which in turn means that if the gatekeeper starts doing something shady, more people have a chance to notice.
       
 Post #9uoJrBqrikHEDqcD5c by rysiek@mastodon.social
       2020-05-07T16:34:49Z
       
       1 likes, 0 repeats
       
       @siliconshecky re: Microsoft - https://www.bleepingcomputer.com/news/security/microsofts-github-account-allegedly-hacked-500gb-stolen/
       re: everything else - I find it objectionable that it's still okay for shitty startups to do shitty security while promising the world, get called out on it, pretend to apologize, and then do some more shitty security things, and *still* get credit for "trying"; meanwhile projects with sane security practices get crowded out of the market (and thus, funding).
       https://www.imore.com/hacker-finds-another-zoom-bug-can-be-used-take-over-your-mac
       
 Post #9uoJsnBAQKLAHTsJyi by elpanzer@mamot.fr
       2020-05-07T16:35:07Z
       
       1 likes, 0 repeats
       
       @rysiek [Zoom] "We are committed to remaining transparent and open as we build our end-to-end encryption offering."
       Well, when it starts like that... Do they have the same interns as Facebook writing their press releases?
       Time to leave Keybase.
       
 Post #9uofMpFbNt2mQl6zhY by rysiek@mastodon.social
       2020-05-07T18:55:53Z
       
       0 likes, 0 repeats
       
       @siliconshecky @msh oh sure. But consider how much time and pressure it took for them to even start getting their shit together.
       Now imagine the same amount of time, effort, and money is invested into something like Jitsi, BigBlueButton, or Nextcloud Talk. Where the security is mostly there, an audit would be welcome, the code is open, and usability issues could be ironed out with such resources.
       Once you do that you will perhaps understand why I refuse to cut Zoom any slack here.
       
 Post #9uofMpUqTDElC2FASe by siliconshecky@infosec.exchange
       2020-05-07T18:59:57Z
       
       0 likes, 0 repeats
       
       @rysiek @msh I have used Jitsi, and I applaud some of these. Have you taught a non-tech person how to set them up? Just curious.
       And yeah, there was pressure of a ton of people auditing and fuzzing Zoom as it ballooned from 10 million to 200 million users in a few weeks' time. Also, issues were brought straight into the public, no responsible disclosure at all.
       Yes, Zoom has problems, but they are working on fixing them.
       Just remember, open source has issues also, and some take years to show.
       
 Post #9uofMpifdoIPsuiD0i by rysiek@mastodon.social
       2020-05-07T19:14:51Z
       
       0 likes, 0 repeats
       
       @siliconshecky @msh set what up? A Jitsi call? Yes, I work with dozens of non-techie journalists, and they're using Jitsi calls AOK.
       "FLOSS has issues", again, is true but also again: whataboutism. And I will eat my hat if it turns out Jitsi or BBB are using AES_ECB. Everybody knows not to use these. Unless you're Zoom!
       The bug from a year ago I linked in another toot followed proper channels and responsible disclosure. I can understand why after that security researchers decided it's bonkers.
       
 Post #9uofMpvmr2muXaqgSG by siliconshecky@infosec.exchange
       2020-05-07T19:17:30Z
       
       0 likes, 0 repeats
       
       @rysiek @msh Also, you obviously did not see that they have started up a new bug bounty program with a reputable company.
       I could not explain to my son's grandmother how to set up a Jitsi setup. I'm talking the everyday person, which is where Zoom ballooned.
       Listen, I get it, you love open source and that is fine. You probably do not use commercial unless you have to, that is fine. But if you do not allow for change and adjustments, you are not allowing for solutions.
       
 Post #9uofMqFHgYNrW3yFqS by rysiek@mastodon.social
       2020-05-07T19:19:51Z
       
       0 likes, 0 repeats
       
       @siliconshecky @msh Zoom had over a year for change and adjustments. Now it's too little, too late.
       And again, you are missing the point: had the same amount of money and resources been invested in projects like Jitsi or BBB, your grandmother could use them too. The difference is that it would be without a J. Random ScriptKiddie zoombombing the call.
       It's not about Zoom, specifically. It's about how we seem to incentivise this kind of abusive developer behaviour.
       
 Post #9uofMqZUTQXyWjQOLA by siliconshecky@infosec.exchange
       2020-05-07T19:22:09Z
       
       0 likes, 0 repeats
       
       @rysiek @msh Now we get to the core of it, and that is monetization, which promotes said developer behaviour. That said, Jitsi or BBB could have, but are not ready for a grandmother at this time. Not enough people willing to spend time working on them without getting paid? That could be, but then you run into the return on investment issue again.
       
 Post #9uofMqo1bOAnFoDzzk by msh@coales.co
       2020-05-07T21:49:12Z
       
       0 likes, 0 repeats
       
       @siliconshecky the industry is pretty sick right now. Everyone externalises IT costs. It's always someone else's problem. Put it in the cloud. Use Free software but don't take any responsibility for your installations.
       There has to be a change. Free software devs don't always need to be on payroll, but they need the support of big users who already have ample resources to do so.
       Also, I'm curious about how Jitsi is "not ready". You send a link, user clicks link, they connect!...
       @rysiek
       
 Post #9uofvnLETTjee2Q6TI by msh@coales.co
       2020-05-07T21:55:32Z
       
       0 likes, 0 repeats
       
       @siliconshecky ... I've had to deal with both Zoom and Jitsi meetings and honestly Jitsi is easier to support. No plugins or apps, everything is standard etc. After eliminating Zoom we have had less trouble overall.
       Finally, I think the repeated reference to "grandmother" is a bit insulting. My parents are in their 80s and are quite capable of learning. If mum could key COBOL code onto punch cards to run accounting batch jobs, I'm sure she can figure out things as easy as Jitsi.
       @rysiek