[PLUG] Vetting security apps?

Russell Senior russell at personaltelco.net
Wed Jan 9 07:27:33 UTC 2019


FWIW, I'm: https://keybase.io/rssenior

On Tue, Jan 8, 2019 at 10:57 PM Russell Senior <russell at personaltelco.net>
wrote:

> I like the key validation part of keybase, which somewhat takes the place
> of crypto party in-person web-of-trust key exchange event thingies. For
> those unfamiliar, keybase uses various social media accounts or domain or
> website rights to demonstrate that a person that is able to post
> information to those places also has access to their private key. So, for
> example, if you know someone and follow their work on a social media
> account or can check their DNS information or a magical URL on a site they
> control, and you are reasonably confident they haven't been kidnapped and
> they haven't mentioned losing control of their private key, then you have
> some confidence you have a valid public key.
>
> I don't completely trust the keybase application (in fact I have it turned
> off) because "it's just some random binary a company gave me".  It does
> some cool things though, including the userfs where you can copy files and
> they are magically transported to a corresponding directory on another
> keybase user's machine, and vice versa. I think the application is open
> source though, so you could presumably inspect the source code and build it
> yourself. I haven't tried that.
>
> To your specific question at the end, I don't have much to contribute,
> sadly.
>
> On Tue, Jan 8, 2019 at 10:42 PM Mike C. <mconnors1 at gmail.com> wrote:
>
>> I'm curious to know what others do in vetting security apps they use
>> or may recommend to others.
>>
>> I use a variety of fairly well known secure email & chat apps but just
>> learned about an app called Keybase. https://keybase.io/docs
>>
>> It's like encrypted Slack but also some really interesting things like
>> an encrypted cloud based file system and secure digital identity
>> management.
>>
>> Also, this seems like they're using blockchain:
>> "Every account on Keybase has a public history. "Sigchains" let
>> Keybase clients reconstruct the present without trusting Keybase's
>> servers. And when you "follow" someone on Keybase, you sign a snapshot
>> of your view of the claims in their sigchain."
>>
>> In the past I trusted apps that I use because of recommendations by
>> the EFF, Edward Snowden, the general digital security community.
>>
>> Currently, there doesn't seem to be too much written up about Keybase
>> other than an article on HackerNews from 2016.
>>
>> The ask. Does anyone play a bit more on the bleeding edge with privacy
>> & encryption apps and if so how do you go about vetting a new app
>> that's relatively unknown?
>>
>> Thank you,
>>
>> Mike
>> _______________________________________________
>> PLUG mailing list
>> PLUG at pdxlinux.org
>> http://lists.pdxlinux.org/mailman/listinfo/plug
>>
>
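
The sigchain idea quoted in the thread, as an added Go example that is not part of the original messages and is not Keybase's code or format: a hash-linked log of Ed25519-signed claims that a client can replay without trusting the server that stored it. The `Link` layout, the function names and the claim strings are assumptions constructed for illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Link is one signed statement in a simplified, hypothetical sigchain (not Keybase's format).
type Link struct {
	Seqno   uint64
	Prev    [32]byte // SHA-256 of the previous link's signed bytes
	Payload string   // constructed claim text
	Sig     []byte
}

// body returns the exact bytes that are signed and hashed.
func (l Link) body() []byte {
	b := binary.BigEndian.AppendUint64(nil, l.Seqno)
	return append(append(b, l.Prev[:]...), l.Payload...)
}

// Append signs a new claim that commits to the hash of the current tail.
func Append(chain []Link, priv ed25519.PrivateKey, claim string) []Link {
	l := Link{Seqno: uint64(len(chain)) + 1, Payload: claim}
	if n := len(chain); n > 0 {
		l.Prev = sha256.Sum256(chain[n-1].body())
	}
	l.Sig = ed25519.Sign(priv, l.body())
	return append(chain, l)
}

// Verify replays a chain fetched from an untrusted server and returns its tail hash.
func Verify(chain []Link, pub ed25519.PublicKey) (tail [32]byte, err error) {
	for i, l := range chain {
		if l.Seqno != uint64(i)+1 || l.Prev != tail || !ed25519.Verify(pub, l.body(), l.Sig) {
			return tail, fmt.Errorf("link %d: bad sequence, prev hash or signature", i+1)
		}
		tail = sha256.Sum256(l.body())
	}
	return tail, nil
}

func main() { // constructed demo: a link edited after signing must fail verification
	pub, priv, _ := ed25519.GenerateKey(nil)
	chain := Append(Append(nil, priv, "controls example.org"), priv, "controls @example")
	chain[0].Payload = "controls attacker.example"
	_, err := Verify(chain, pub)
	fmt.Println(err)
}
```

A truncated chain still verifies on its own, so a follower has to compare the returned tail hash with one recorded earlier, which is the role the signed "follow" snapshot plays in the quoted description.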


