[PLUG] Vetting security apps?

Mike C. mconnors1 at gmail.com
Thu Jan 10 03:20:36 UTC 2019


> I like the key validation part of keybase, which somewhat takes the place
> of crypto party in-person web-of-trust key exchange event thingies. For
> those unfamiliar, keybase uses various social media accounts or domain or
> website rights to demonstrate that a person that is able to post
> information to those places also has access to their private key. So, for
> example, if you know someone and follow their work on a social media
> account or can check their DNS information or a magical URL on a site they
> control, and you are reasonably confident they haven't been kidnapped and
> they haven't mentioned losing control of their private key, then you have
> some confidence you have a valid public key.
>
> I don't completely trust the keybase application (in fact I have it turned
> off) because "it's just some random binary a company gave me".  It does
> some cool things though, including the userfs where you can copy files and
> they are magically transported to a corresponding directory on another
> keybase users machine, and vice versa. I think the application is open
> source though, so you could presumably inspect the source code and build

I really appreciate your analysis and opinion as someone who has
actually used the app and has some technical understanding of how it
works. Very useful!

"Rocket Chat is another solution.  You can set up your own server fairly
easily with docker if you want. I haven't seen a recent security audit for it."

Thanks! I'll check out Rocket Chat. I like the idea of setting up a
server in docker!

"If you want to play on the bleeding edge here, I'd suggest you start
following (well known) security people (CSO, researchers, InfoSec).
Listen to podcasts where these people talk about things. Don't jump in
right away. Mostly listen and watch. After a while, you'll start
seeing patterns, some things will be recommended, some will start that
way and then stop. The bleeding edge is bumpy. The bleeding edge is
also not where most people are, so your communication radius will be
small if you're using bleeding edge tools."

To be clear, I DON'T play on the bleeding edge for all the reasons
you mention and more. That's why I asked if anyone on the PLUG list
does play on the bleeding edge.

I run Debian Stable on my pc. I don't install any more sw/apps than
are completely necessary for my daily activities on my pc & my phone.

I used to listen to security podcasts and read security blogs and all
that did was make me not want to use any digital device connected to
the Internet.

"This is a decent list to check out
https://digitalguardian.com/blog/best-information-security-podcasts

I like the security rabbit hole, and risky business."

Thank you for this link and your recommendation. I'll check them out soon!
