Zoom acquires Keybase to get end-to-end encryption expertise

https://techcrunch.com/2020/05/07/zoom-acquires-keybase-to-get-end-to-end-encryption-expertise/

3 Likes

Words alone can not express the depth of my sadness at this unholy pairing :frowning:

3 Likes

Their own announcements:

https://keybase.io/blog/keybase-joins-zoom


The Keybase one states:

2 Likes

Just when I’ve recently signed up to Keybase.
In terms, Bad things are to expected for sure ?

1 Like

It really depends.

My best guess is that Zoom shuts Keybase down and just keeps on their team they need to role it’s E2EE technology into Zoom.

Ideally Keybase would be left alone and Zoom would just use the team to help integrate technology into Zoom and keybase would just have more resources to improve.

But since Keybase isn’t even sure of its future i don’t see that happening.

3 Likes

Wow, didn’t expect this. All eyes are on Matrix (Riot) now :expressionless: Maybe consider to re-list Wire, with huge “Warning” sign

1 Like

I don’t think we need to re-list Wire. They have all but given up on consumer based chat and are still focused on being the next Skype.

I also think all of the reasons we de-listed them still stands. They haven’t made any effort to change those reasons because they have no reason to.

The users we recommend apps to are not the same users Wire does. Unless a whole bunch of our users are CTOs of multimillion dollar corporations or US govt officials.

1 Like

There is a huge difference between the Wire and Keybase acquisitions. Wire was mostly legal/financially motivated. They were purchased by venture capitalists to try to gain more footing in the corporate world.

Zoom truly has a need for encryption technology and knowledge. Their acquisition is more based on survival and the need to adopt encryption technologies. The tech and people were chosen to move the platform forward resulting from all the lax security decisions made in the past. What happens to the current Keybase platform and infrastructure now is unknown. But if it does get killed off as a result, it would be a big mistake to do it quickly considering the valuable assets in cryptocurrency and git repositories that are currently managed in the Keybase system. It could even be a lawsuit against Zoom if they shut down Keybase without giving users adequate opportunity to withdraw their currency holdings from accounts.

1 Like

I was joking a bit regarding Wire de-lisitng, but I have to disagree about Keybase. In my opinion, Wire and Keybase did the same thing. Keybase case might be even worse. If they can not guarantee Keybase will continue with their roadmap and don’t know if it’ll exist at all in (near) future, then what did they negotiated about? Only money? That’s fine, it’s their company, but as a user, I don’t trust them at all now. Wire actually added new features (self-host for business users), and say they will probably keep personal plans in future.

I also pointed out few times here and on some reddit discussions, that Keybase current (now former) business model is not good enough to consider them as a good alternative to popular RTC/IM services. Even though I use it, and would pay for the service they provide, if they had such plans.

They also presented their service as a great Slack/Teams alternative. Imagine (small) business who decided to use KB, hoping they’ll even offer some better plans for their use-case, and now they don’t know if it will be available next year. Most likely Slack or Microsoft will get new users then, not Mattermost or Rocket.chat.

1 Like

yup, that sucks

1 Like

Another one bites the dust, another nail in the coffin of privacy messaging apps.

Where to now? How many messaging apps are left to try? How many times can i ask my friends and family members to try a new messaging app before they tell me to f-off?

1 Like

I guess there are always Signal, federated solutions like Matrix and XMPP and P2P projects like Jami.

While Signal is centralized, I hope their nonprofit status prevents them from getting bought or anything bad happening.

1 Like

Ummm, sure sure, yes, except for the fact that

  1. Signal requires a phone number to register as does Telegram

  2. Matrix security is in the hands of whoever is hosting the federated server

  3. XMPP doesn’t play nice with iOS

  4. Jami doesn’t work…no really it doesn’t, nor Tox and Briar is only Android

  5. other suggestions such as on the outdated securechatguide.org are outdated.

BTW someone should really remove Keybase from privacytools.

The only messenger which is opensource, decentralized and encrypted seems to be Session Messenger, an that isn’t even being recommended by Privacytools. Why?

Anyway, what a crap show, the messenger scene. Makes me ill.

3 Likes

We aren’t removing it from Privacy Tools just yet. We feel it’s too soon to make that decision.

My 2-cents is we’ve rushed decisions in the past and learn from each instance.

Instead we are closely watching the situation and will determine if we should keep or remove at a later date.

1 Like

It was more about the fact that wire stores quite a bit of data about who you’ve been talking to.

Also if you look at our Cutting the Wire article we mention two points:

Morpheus Ventures holds a portfolio including companies in healthcare, voice AI, life insurance, and retail customer data analytics: All sectors that have historically used invasive data collection methods to survive.

Yet another red flag, and one of the more important ones to us, was is that Wire decided not to disclose this policy change to its users, and when asked why, Brøgger was flippant in his response, stating: “Our evaluation was that this was not necessary. Was it right or wrong? I don’t know.”

I am inclined to agree with @Supernova in regard to Zoom just wanting acquire technical and intellectual support regarding encryption. It is likely their way of responding to jitsi’s example of E2EE.

Zoom’s decision from a business point makes a lot of sense. It would be very risky to not have something planned in response. They also got a lot of bad press regarding their bad marketing (saying they had E2EE when they didn’t), so I think sitting back and waiting for Jitsi to implement it and doing nothing just was not a realistic pathway for them to regain any kind of trust.

It is also likely that Keybase had issues really finding a way to monetize their platform without compromising on their ideals. They were giving KBFS storage and everything away for free.

I don’t think the model for Zoom has ever been to have analytics as the main path generating revenue. It seems to be more about marketing paid plans for paid features. That said I am concerned by Zoom’s announcement that E2EE will only be for paid customers. Hopefully that changes in the future.

They did after all remove that code that called back to Facebook when dragged over the coals about it.

I do think generally a lot of companies use the Facebook APIs without realizing the kinds of data it is collecting on their users. This presentation at CCC 35C3 How Facebook tracks you on Android indicates a lot of companies don’t realize the impact.

Okay, so you’ve established your use case here, with your family.

I don’t see how this would be a problem. Wouldn’t your family already have your phone number?

This is a really poor generalization. In regard to E2EE, that’s in the hands of the client. Sure, a home server may be able to tell who is talking to who, and if you’re really concerned about that, maybe setup your own, or buy an instance from modular.im which is pretty cheap and invite your family to that.

You’ll find decentralized distributed platforms that lack servers have less features. That is really a trade off.

We have a issue open but as nothing has really changed we see no point in removing it yet.

The reason is because session is very new, and a bit experimental. We’re waiting to see how that pans out and what the community things of it in regards to stability. That said we have this tracking issue in regard to it’s inclusion.

Since the re-organization of the instant messenger page we’ve taken a policy of not recommending products which are not mature enough to be depended on for every day use.

3 Likes

I understand the need for a wait and see approach and I agree it is the wiser thing to do in these situations, but, does PT have an internal timeframe for delistings when a product has been potentially compromized? 2 weeks? 1 month? Is it a passive approach, ie, scouring the internet for newsbites or do members actively contact the company/devs to determine what is happening regarding the acquisition?

Regarding Signal and Telegram and their need for a phone number to register a user account; many people, not just me have taken issue with this as it is an invasion to one’s privacy. I should not need to have a phone number to chat securely with other people. Maybe I’m crazy for thinking like that, but it just doesn’t compute, that a secure messenger needs a meatspace identifier.

Now i know the counter arguments, but regardless of the origins of Signal, now in 2020, years later when SMS is essentially irrelevant, why are they still pursuing this avenue with phone numbers? Forget about your phone number being compromized internally by Signal somehow (even though there is possibility), but, if I have to get a phone number my security can still be compromized outside of the Signal eco-system by the telco and other agencies.

It just doesn’t make sense anymore to have a phone number necessary for an account. Riot doesn’t need it, Session doesn’t need it, ZOM doesn’t need it, and others like TwinMe etc. But this is a dead end talking point as Signal will apparently never have email signups. There was a thread about this and it was closed by the lead dev.

Anyhow, let’s wait and see.

1 Like

There is no specific time frame as every situation is different. In regards to Keybase, nothing has actually changed with the product source code is the same as it always was.

I think delisting at this point would be pending an announcement of it’s discontinuation. I doubt Zoom is going to do this, until at the very least their product has all of the features Keybase currently has, or at least most of them.

Sure, and with general people on the internet, that makes perfect sense. However you did mention your family. It’s entirely suitable to use Signal with your family and Riot with everyone else, or Riot for everything.

It comes down to:

  • Your family already knows your phone number
  • If you use riot with your family the home server admin might know who you talk to, but not what you’re saying. They’re not going to know if they are random people or indeed your family. If you have your own home server then they won’t know that either, unless they connect from another server.

Either I think are entirely acceptable in this threat model.

I think that was because Signal was designed to be private, but not anonymous.

Sure, sim jacking is an issue. However with Signal you can verify identity via a QR code. The keys are stored on the device, so they would have to change, and the other recipient would be notified of that change.

Well there is this make note of Signal allowing signups with UUID, which we are keeping an eye. Hopefully it will be possible one day.

1 Like

Please, picture the PTIO folks are willing volunteers, not really burdened by time frames in a usual corporate culture sense.

I think another reason they require a number is that to limit bot accounts. If the service is flooded with bot accounts spamming, it is not desirable. These are open source projects and thus plugging bots in should be trivial to code in theoretically.

Its a bummer to ask for a phone number, so I am eager to see how Session turns out as well.

1 Like

I have not seen references to these before but perhaps I missed it. Was the Keybase acquisition related to this at all?

zoombot | Keybase - https://keybase.io/zoombot

This is interesting. First registered on March 17. Notice it has a verified https URL of bots.keybase.io which you can follow to find:

1 Like

No ofense, I understand your point but I think y’all contradict themselves over there. You list Jami which literally doesn’t work, but Session which is far more mature isn’t listed?

Good thing about Telegram, though, is that you do not need to show your phone number to other people, you can hide it on your settings from everyone and people can find you through your username.

1 Like