2019-044-Noid and Dave Dittrich discusses recent keybase woes - Part 1

From: BrakeSec Education Podcast


Length: 62 minutes
Released: Dec 10, 2019
Format: Podcast episode

Description

Patreon donor goodness: Scott S. and Ion S.

Guests: Noid (@_noid_) and Dave Dittrich (@davedittrich)

Keybase's response to the report, as characterized on the show:
  "it's not a bug, it's a feature"
  "Don't write a blog post that will point out the issue"
  "You pointing out our issues makes things more difficult for us"
  "It's a free service, why are you hurting us?"
Keybase's bug reporting policy: https://keybase.io/docs/bug_reporting

Timeline:
  - Nov 22nd: Noid's (@_noid_) Keybase disclosure blog post: https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html
  - Reddit post showing potential social-engineering attacks already occurring: https://www.reddit.com/r/Keybase/comments/e6uou3/hi_guys_i_received_a_message_today_that_is/
  - Keybase's decision to fix it came out only after The Register asked them about the issue.
  - Dec 4th: Keybase's blog post on the fix: https://keybase.io/blog/dealing-with-spam
  - Dec 5th: https://www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/

Problems with Keybase's fix:
  - It relies on Keybase admins to decide what is abusive and whether accounts need to be deleted.
  - Additional dummy accounts get created on other sites (Keybase, Twitter, git, Reddit, etc.), generating problems for those services too (as if Twitter didn't have enough issues with bots/shitty people).
  - Cryptocurrency attracts trolls, phishing, and social-engineering attempts to get folks to hand over their Lumens (what's the motivation behind the coin?).
  - They've already opened the spam door, and they won't be able to shut it. Once they took the VC money and aligned themselves with Stellar, the attack surface changed from account takeover (integrity attacks) to deception (social engineering).

What is Keybase?
  - A social network?
  - E2E encrypted chat?
  - Encrypted file share/storage?
  - A cryptocurrency company?
  - A secure git repo host?
Which of those does it do well?

How could they have solved the spam issue?
  - Made the cryptocoin a separate application? Even their /r/keybase is filling up with spammers asking about their Lumens.

How could they fix it?
  - You can't contact someone unless that person allows you to.
  - Allow someone to contact you, but do not allow them to add you to teams without permission.

Further reading:
  - https://news.ycombinator.com/item?id=21719702 (ongoing HN thread)
  - Noid isn't the only person with issues in Keybase: https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto
  - https://it.slashdot.org/story/19/12/06/1610259/keybase-moves-to-stop-onslaught-of-spammers-on-encrypted-message-platform
  - NCC Group public report on Keybase: https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf

Stephen Carter's definition of "integrity":

  "Integrity, as I will use the term, requires three steps: (1) discerning what is right and what is wrong, (2) acting on what you have discerned, even at personal cost; and (3) saying openly that you are acting on your understanding of right from wrong."
  Stephen Carter, "Integrity." Harper-Collins. https://www.harpercollins.com/9780060928070/integrity/

Can the person who took the controversial act explain their reasoning, based on principles they can articulate and would follow even if it meant they paid a price? Or do they selectively choose principles in arbitrary ways to fit the current circumstances, in order to guarantee an outcome that benefits them?

Noid's blog post clearly documents the timeline of interactions with Keybase, including: (1) providing detailed steps to reproduce; (2) suggesting mitigations that could be implemented in the architecture; (3) providing guidance to users on protecting themselves once the vulnerability disclosure was made public; and (4) justifying his decision to go public by citing and following the vulnerability disclosure policy of a major industry leader in this area, Google:

  "Following Google Security's guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase."

The ACM Code of Ethics and Professional Conduct has several sections that could apply here: 1.1 Contribute to society and to human well-being, acknowledging tha


A podcast all about the world of Cybersecurity, Privacy, Compliance, and Regulatory issues that arise in today's workplace. Co-hosts Bryan Brake, Brian Boettcher, and Amanda Berlin teach concepts that aspiring Information Security Professionals need to know, or refresh the memories of the seasoned veterans.