[PLUG] Vetting security apps?

Russell Senior russell at personaltelco.net
Wed Jan 9 06:57:21 UTC 2019


I like the key validation part of keybase, which somewhat takes the place
of crypto party in-person web-of-trust key exchange event thingies. For
those unfamiliar, keybase uses various social media accounts or domain or
website rights to demonstrate that a person that is able to post
information to those places also has access to their private key. So, for
example, if you know someone and follow their work on a social media
account or can check their DNS information or a magical URL on a site they
control, and you are reasonably confident they haven't been kidnapped and
they haven't mentioned losing control of their private key, then you have
some confidence you have a valid public key.

I don't completely trust the keybase application (in fact I have it turned
off) because "it's just some random binary a company gave me".  It does
some cool things though, including the userfs where you can copy files and
they are magically transported to a corresponding directory on another
keybase user's machine, and vice versa. I think the application is open
source though, so you could presumably inspect the source code and build it
yourself. I haven't tried that.

To your specific question at the end, I don't have much to contribute,
sadly.

On Tue, Jan 8, 2019 at 10:42 PM Mike C. <mconnors1 at gmail.com> wrote:

> I'm curious to know what others do in vetting security apps they use
> or may recommend to others.
>
> I use a variety of fairly well known secure email & chat apps but just
> learned about an app called Keybase. https://keybase.io/docs
>
> It's like encrypted Slack but also some really interesting things like
> an encrypted cloud based file system and secure digital identity
> management.
>
> Also, this seems like they're using blockchain:
> "Every account on Keybase has a public history. "Sigchains" let
> Keybase clients reconstruct the present without trusting Keybase's
> servers. And when you "follow" someone on Keybase, you sign a snapshot
> of your view of the claims in their sigchain."
>
> In the past I trusted apps that I use because of recommendations by
> the EFF, Edward Snowden, the general digital security community.
>
> Currently, there doesn't seem to be too much written up about Keybase
> other than an article on HackerNews from 2016.
>
> The ask. Does anyone play a bit more on the bleeding edge with privacy
> & encryption apps and if so how do you go about vetting a new app
> that's relatively unknown?
>
> Thank you,
>
> Mike
> _______________________________________________
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
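The two mechanisms this thread discusses, the out-of-band identity proof (a signed statement posted somewhere only the key holder can post) and the hash-linked "sigchain" that a follower snapshots, can be modelled in a few dozen lines. The following is an added example written for this archive page, not Keybase's own code, wire format or API: the `Link`, `Snapshot`, `AppendLink`, `VerifyChain`, `VerifyProof`, `Follow` and `CheckFollow` names are invented here, the "fetched" proof content is a constructed in-memory map standing in for a DNS TXT record or profile page, and the keys are generated at run time.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Link is one entry in a user's signature chain (hypothetical layout). Prev pins
// the hash of the previous link, so nothing can be altered, dropped or
// reordered without breaking every later link.
type Link struct {
	Seqno   int    `json:"seqno"`
	Prev    string `json:"prev"` // hex sha256 of the previous link; "" for the first
	Service string `json:"service"`
	Name    string `json:"name"`
	Sig     []byte `json:"sig,omitempty"`
}

// bytesToSign is the canonical serialization with the signature removed.
func (l Link) bytesToSign() []byte { l.Sig = nil; return mustJSON(l) }

func mustJSON(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// linkHash commits to both the statement and its signature.
func linkHash(l Link) string {
	h := sha256.Sum256(append(l.bytesToSign(), l.Sig...))
	return hex.EncodeToString(h[:])
}

// AppendLink signs a new claim ("I am Name on Service") onto the chain tail.
func AppendLink(chain []Link, priv ed25519.PrivateKey, service, name string) []Link {
	l := Link{Seqno: len(chain) + 1, Service: service, Name: name}
	if len(chain) > 0 {
		l.Prev = linkHash(chain[len(chain)-1])
	}
	l.Sig = ed25519.Sign(priv, l.bytesToSign())
	return append(chain, l)
}

// VerifyChain checks every link's seqno, back-pointer and signature, so the
// client needs the server only as a transport, not as a trusted party.
func VerifyChain(chain []Link, pub ed25519.PublicKey) error {
	prev := ""
	for i, l := range chain {
		if l.Seqno != i+1 {
			return fmt.Errorf("link %d: bad seqno %d", i, l.Seqno)
		}
		if l.Prev != prev {
			return fmt.Errorf("link %d: prev hash mismatch", i)
		}
		if !ed25519.Verify(pub, l.bytesToSign(), l.Sig) {
			return fmt.Errorf("link %d: bad signature", i)
		}
		prev = linkHash(l)
	}
	return nil
}

// VerifyProof models the out-of-band check: the statement found at the place
// the user controls (keyed "service:name" in the constructed map) must be the
// exact signed chain link, and its signature must verify under the claimed key.
func VerifyProof(posted map[string][]byte, l Link, pub ed25519.PublicKey) bool {
	got, ok := posted[l.Service+":"+l.Name]
	if !ok || !bytes.Equal(got, mustJSON(l)) {
		return false // nothing posted, or the post does not match the chain
	}
	return ed25519.Verify(pub, l.bytesToSign(), l.Sig)
}

// Snapshot is a follower's signed view of a chain tail.
type Snapshot struct {
	Tail string
	Sig  []byte
}

func Follow(priv ed25519.PrivateKey, chain []Link) Snapshot {
	t := linkHash(chain[len(chain)-1])
	return Snapshot{Tail: t, Sig: ed25519.Sign(priv, []byte("follow:"+t))}
}

// CheckFollow accepts a served chain only if the snapshot is authentic and the
// snapshotted link is still present: the chain may grow, but a server cannot
// quietly roll it back to an earlier state.
func CheckFollow(pub ed25519.PublicKey, s Snapshot, chain []Link) bool {
	if !ed25519.Verify(pub, []byte("follow:"+s.Tail), s.Sig) {
		return false
	}
	for _, l := range chain {
		if linkHash(l) == s.Tail {
			return true
		}
	}
	return false
}

type DemoResult struct{ ChainOK, ProofOK, TamperDetected, RollbackDetected, GrowthOK bool }

// Demo runs the whole flow on constructed data and reports each check.
func Demo() DemoResult {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)   // the identity being verified
	fpub, fpriv, _ := ed25519.GenerateKey(rand.Reader) // the follower
	chain := AppendLink(nil, priv, "dns", "example.org") // constructed claims
	chain = AppendLink(chain, priv, "social", "alice")
	posted := map[string][]byte{"social:alice": mustJSON(chain[1])} // constructed "fetched" post
	var r DemoResult
	r.ChainOK = VerifyChain(chain, pub) == nil
	r.ProofOK = VerifyProof(posted, chain[1], pub)
	bad := append([]Link(nil), chain...)
	bad[0].Name = "evil.example" // a modified link no longer verifies
	r.TamperDetected = VerifyChain(bad, pub) != nil
	snap := Follow(fpriv, chain)
	r.RollbackDetected = !CheckFollow(fpub, snap, chain[:1]) // server serves a truncated chain
	grown := AppendLink(chain, priv, "web", "https://alice.example")
	r.GrowthOK = VerifyChain(grown, pub) == nil && CheckFollow(fpub, snap, grown)
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The point of the proof check is the one made above: the verifier trusts the account or DNS record only as a channel that a specific person controls, and learns from it that whoever controls that channel also holds the private key. The snapshot is what "following" buys you: after it, the server can still relay new links, but a shortened or altered history fails the check on your side rather than relying on the server's honesty.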
