Consider the following:

1. #Zoom, a company with a bad security track record and murky ownership, now has clandestine supply-chain-attack capability on #Keybase, and

2. Keybase is used by a lot of people to sign their #git commits and whatnot.

3. Zoom, a company with a bad security track record and murky ownership, now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.

#ThisIsFine #InfoSec

Fortunately, they can't compromise your PGP key retroactively.
If you stopped using Keybase before the acquisition, and never uploaded your private key to their website (or their JS crypto was sound and you never entered your Keybase password after the acquisition), you should be fine.
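One way to turn that advice into a repository check (an added example, not code from anyone in this thread): a small Python audit over `git log --format='%H%x09%ct%x09%G?%x09%GF'` output that flags commits made after a cutoff date and signed by a key whose private half was ever on Keybase. The commit hashes, fingerprints and cutoff date below are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample of `git log --format='%H%x09%ct%x09%G?%x09%GF'` output:
# commit hash, committer epoch, git signature status (%G?), signing key fingerprint.
# Hashes and fingerprints are made up for this example.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\t1577836800\tG\tAAAA1111222233334444AAAA1111222233334444
2222222222222222222222222222222222222222\t1593561600\tG\tAAAA1111222233334444AAAA1111222233334444
3333333333333333333333333333333333333333\t1593648000\tN\t
4444444444444444444444444444444444444444\t1593734400\tB\tBBBB5555666677778888BBBB5555666677778888
5555555555555555555555555555555555555555\t1593820800\tG\tCCCC9999000011112222CCCC9999000011112222
"""

# Placeholder cutoff (substitute the real acquisition date): commits signed
# after it with a Keybase-exposed key are the ones the thread worries about.
CUTOFF = datetime(2020, 5, 7, tzinfo=timezone.utc)

# Constructed fingerprints of keys whose private half was ever uploaded to Keybase.
KEYBASE_EXPOSED = {"AAAA1111222233334444AAAA1111222233334444"}

def classify(status, epoch, fpr, exposed, cutoff):
    """Return a risk label for one commit based on git's %G? status code."""
    if status in ("N", ""):
        return "unsigned"
    if status != "G":  # B, U, X, Y, R or E: not a good, trusted signature
        return "bad-or-untrusted-signature"
    when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    if fpr.upper() in exposed and when >= cutoff:
        return "signed-by-exposed-key-after-cutoff"
    return "ok"

def audit(log_text, exposed=KEYBASE_EXPOSED, cutoff=CUTOFF):
    """Parse tab-separated log lines and return {commit_hash: risk_label}."""
    result = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        sha, epoch, status, fpr = (parts + ["", "", "", ""])[:4]
        result[sha] = classify(status, epoch, fpr, exposed, cutoff)
    return result

if __name__ == "__main__":
    for sha, label in audit(SAMPLE_LOG).items():
        print(sha[:12], label)
```

Pipe real `git log` output into `audit()` and treat every commit labelled `signed-by-exposed-key-after-cutoff` as needing re-verification through a channel other than the Keybase-held key.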
Wait a second? Upload private key?

People did that? Keybase expected them to? What the actual fuck?

@musicmatze @rysiek
It was supposedly encrypted client-side using JS crypto and a key derived from your password. And it was optional.

Back in the day, before KBFS and Keybase Chat, for each action on Keybase there were 3 ways to do it:
A) directly through the web interface (only if the web interface had your private key)
B) using keybase client
C) using curl and gpg (the web interface told you exactly the shell commands you need to run to accomplish the action)

Supposedly, some people chose A
