2019-044-Noid and Dave Dittrich discusses recent keybase woes - Part 1
Length:
62 minutes
Released:
Dec 10, 2019
Format:
Podcast episode
Description
Patreon donor goodness: Scott S. and Ion S.

@_noid_ @davedittrich

Their response:
“it’s not a bug, it’s a feature”
“Don’t write a blog post that will point out the issue”
“You pointing out our issues makes things more difficult for us”
“It’s a free service, why are you hurting us?”
https://keybase.io/docs/bug_reporting

Nov 22nd: Noid (@_noid_) Keybase discussion blog post
https://www.whiskey-tango.org/2019/11/keybase-weve-got-privacy-problem.html

Reddit post showing potential SE attacks occurring:
https://www.reddit.com/r/Keybase/comments/e6uou3/hi_guys_i_received_a_message_today_that_is/

Keybase’s decision to fix it came out after The Register asked them about the issue…
Dec 4th: https://keybase.io/blog/dealing-with-spam
Dec 5th: https://www.theregister.co.uk/2019/12/05/keybase_struggles_with_harassment/

Problems with the implementation:
- Requiring admins for Keybase to decide what’s wrong or if they need to be deleted
- Additional dummy accounts being created on other sites (keybase, twitter, git, reddit, etc), generating problems for those services (as if Twitter doesn’t have enough issues with bots/shitty people)
- Cryptocurrency = trolls/phishing/SE attempts to get folks to hand over their lumens (what’s the motivation of creating the coin?)
- They’ve already opened the spam door, and they’ll not be able to shut it.
- Once they took the VC and aligned themselves with Stellar, the attack surface changes: from account takeover (integrity attacks) to deception (social engineering)

What is keybase?
- Social network?
- E2E chat
- Encrypted file share/storage?
- CryptoCurrency Company?
- Secure git repo protector?
Which ones do they do well?

How could they have solved the spam issue? Made the cryptocoin a separate application?
Even their /r/keybase is filling up with spammers asking about their Lumens

How could they fix it?
- You can’t contact someone unless that person allows you to.
- Allow someone to contact you, but do not allow adding to teams without permission

https://news.ycombinator.com/item?id=21719702 (ongoing HN thread)

Noid isn’t the only person with issues in Keybase:
https://vicki.substack.com/p/keybase-and-the-chaos-of-crypto
https://it.slashdot.org/story/19/12/06/1610259/keybase-moves-to-stop-onslaught-of-spammers-on-encrypted-message-platform
https://keybase.io/docs-assets/blog/NCC_Group_Keybase_KB2018_Public_Report_2019-02-27_v1.3.pdf

Stephen Carter's definition of “integrity”:
Integrity, as I will use the term, requires three steps: (1) discerning what is right and what is wrong, (2) acting on what you have discerned, even at personal cost; and (3) saying openly that you are acting on your understanding of right from wrong. — Stephen Carter, “Integrity.” Harper-Collins. https://www.harpercollins.com/9780060928070/integrity/

Can the person [who took the controversial act] explain their reasoning, based on principles they can articulate and would follow even if it meant they paid a price? Or do they selectively choose principles in arbitrary ways so as to fit the current circumstances in order to guarantee they get an outcome that benefits them?

noid’s blog post clearly documents the timeline of interactions with Keybase, including: (1) providing detailed steps to reproduce; (2) suggesting mitigations that could be implemented in the architecture; (3) providing guidance to users to protect themselves when the vulnerability disclosure was made public; and (4) justifying his decision to go public by citing and following a vulnerability disclosure policy of a major industry leader in this area, Google:

Following Google Security’s guidelines for issues being actively exploited in the wild, I chose to release this information 7 days after I last heard from Keybase.

The ACM Code of Conduct has several sections that could apply here:
1.1 Contribute to society and to human well-being, acknowledging tha