Over the past couple of weekends, I've been trying to dig in and fix my crypto life. Up until this point I have been using LastPass and 2FA through Authy, and that was the extent of my personal security. I'd never touched GPG before (or PGP for that matter). While I've seen it around, I had never read into it much or used it to any extent other than what's automated through ProtonMail or verifying packages through package managers.

One of the first things I wanted to do was move away from LastPass. I'd been having some issues with it recently, with a lot of bugs in the Chrome extension. I'd heard enough about KeePassX, and it gets away from using proprietary software and storing all the important information on somebody else's servers. I gave up trying to import directly into KeePassX and just copy/pasted directly from the CSV I got from LastPass. I'm now using Keepass2Android on my phone; it's working very well and I've had no issues.

The more substantial part of my weekends has been working with Keybase. It's an open source cryptographic manager built on Go to try to bring crypto to "everyone," not just programmers. It's easy enough to do the bare minimum, which is basically just connecting Twitter and Facebook together to prove you're the same person. In order to do much more than that, it encourages you to post your public key and install the app. Keybase also provides some other services, including end-to-end encrypted chat and file sharing capabilities up to 10GB. The way you can store files is a little unique: you have private and public folders where you can put files, but you can also share files specifically with other people, like so: /keybase/private/me,you. If they don't have an account yet, you can reference their Twitter name for example ( Once they verify that account, they can see the files. Glorious.

Client - Keybase Go Library, Client, Service, OS X, iOS, Android, Electron

My problem with all things encrypted in communication is that no one on the other end is ever willing to cooperate. I've been looking at VeraCrypt, BitLocker and encrypted ZFS over the last couple of days and am still undecided. Public key encryption has provided the ability to sign and communicate securely for ages. The fact that the internet is driven on advertising means that all the big providers spy as a business. The small number of businesses that provide secure communications are often American companies that are required by law to provide a backdoor for law enforcement. This leaves us with peer-to-peer open source, or someone hosting a server in Kazakhstan, managing it through Tor and paying with Bitcoin. This someone is by definition fairly hard to trust.

Thunderbird has offered a plug-in for RSA-encrypted email forever. No one I know is interested, and almost without exception they use Microsoft Exchange Server or Google. Pidgin provides an encrypted plugin for texting. Signal provides encrypted video calling, but again Skype and Hangouts dominate my calls, followed by Webex, BlueJeans etc. There are good secure solutions across the entire gamut of collaboration software, but the customers aren't even considering privacy as a requirement in their use cases. The fact that Microsoft and Google are required to backdoor their software by law is not of much interest to the majority of people. The threat model does not consider state actors acting legally as an enemy, and in Google's case the users are the product rather than the customer. So I could rant further, but in practice the rant is not important, because mostly people don't care and the convenience gained far outweighs the loss of privacy for the vast majority.

Wednesday, Febru

CVE-2022-22779 :: Keybase App Vulnerability: Retained Exploded Messages in Keybase Clients for macOS and Windows

In desktop versions of Keybase older than 5.9.0, users can easily retain "exploded" messages with a few clever clicks, meaning your sensitive chats may still be read after you want them gone. How does this work? When the Keybase desktop client is running, a user can switch out of Keybase's Chat tab and put their computer to sleep; if a second user explodes a message in a shared chat during that time, the message will still be visible to the original user when they return to the chat. Using this method, an unscrupulous individual with access to a conversation could recover sensitive data.