Consider the following:

1. #Zoom, a company with a bad security track record and murky ownership, now has clandestine supply-chain-attack capability on #Keybase, and

2. Keybase is used by a lot of people to sign their #git commits and whatnot.

Therefore:

3. Zoom, a company with a bad security track record and murky ownership, now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.

#ThisIsFine #InfoSec


@rysiek Yeah, it's been interesting to see everyone list their Keybase account in their profile, and then this. Just when we thought Zoom was gonna keel over, they slice at their detractors' Achilles heels.

@joeterranova well, see, it almost worked, but for the "decentralized" part. Decentralized encryption nerds kept away from Keybase.

Precisely because it's centralized and this kind of shit is bound to happen.


@rysiek Well probably not all of them, given that it was Mastodon users touting it so much. Folks are often willing to give up a bit of resiliency to tomfoolery for convenience, until it bites them.
