Keybase Moves To Stop Onslaught of Spammers on Encrypted Message Platform (arstechnica.com) 13

From a report: Keybase started off as co-founder and developer Max Krohn's "hobby project" -- a way for people to share PGP keys with a simple username-based lookup. Then Chris Coyne (who also was cofounder of OkCupid and SparkNotes) got involved and along came $10.8 million in funding from a group of investors led by Andreessen Horowitz. And then things got increasingly more complicated. Keybase aims to make public-key encryption accessible to everyone, for everything from messaging to file sharing to throwing a few crypto-coins someone's way. But because of that level of accessibility, Keybase faces a very OkCupid kind of problem: after drawing in people interested in easy public-key crypto-based communications and then drawing in blockchain lovers with its partnership with (and funding from) Stellar.org, Keybase has also drawn in spammers and scammers. And that has brought a host of alerts and messages that have made what was once a fairly clear communications channel into one clogged with unwanted alerts, messages, and other unpleasantry -- raising a chorus of complaints in Keybase's open chat channel. It turns out there's a reason spell check keeps wanting to tell me that Keybase should be spelled "debase."

Keybase's leadership is promising to do something to fix the spam problem -- or at least make it easier to report and block abusers. In a blog post, Krohn and Coyne wrote, "To be clear, the current spam volume isn't dire, YET. Keybase still works great. But we should act quickly." But the measures promised by Keybase won't completely eliminate the issue. And Keybase execs have no interest in getting involved with additional steps that they see as censorship. "Keybase is a private company and we do retain our rights to kick people out," the co-founders said in the blog post. "That hammer will not be used because someone is mostly disliked, as long as they're playing nicely on Keybase."

  • by Anonymous Coward

    "That hammer will not be used because someone is mostly disliked, as long as they're playing nicely on Keybase."

    In other words, another Twitter and Facebook.

    One of the reasons Reddit works when so many other mediums fail is because users can set up their own police stations and impose everything from draconian rules, to a free-for-all. But it's the tightly-regulated communities that are the most vibrant. The Internet has come full circle, just like a regular society. In a regular society, in the early

    • > society, in the early days, you don't need a ton of regulation because there's more than enough space for everybody, and early adopters aren't malicious, psychopathic asshats. But as a community matures and gets larger, it needs regulation ...
      > the premise that people will be "free to do what they want" is like creating a public vegetable garden without any rules whatsoever regarding who can plant, where and who can harvest what

      Yeah it could work for a year or so, but imagine after 20 years, for exa

    • And when you regulate them, it turns into either robots being idiots, or has a severe bias towards left or right, ironically the lefty ones become the most oppressive. The only true moderation a site needs is the ignore command and regex filters.
  • This problem is well known with all public PGP lookup lists. Once you have put your public key and your e-mail address on such a list, you have basically shouted out to all spammers that that address is used.
    • What I do is have an email account that is intended for spam. That is what I send out for my public key. Then, I send the other party a signed, temporary key to an alias from my domain which we use for the interim. When done, the mail alias gets deleted. That way, if the temporary key winds up on a keyserver and spammed to hell, it doesn't register on my mail system.

  • i've gotten zero spam from keybase, and i've been a member since... pretty much day one....
  • by ctilsie242 ( 4841247 ) on Friday December 06, 2019 @02:04PM (#59492310)

    What might be the best is a way to move to a PGP/GPG mechanism where key servers store by key ID, fingerprint, and relation in a web of trust. This way, email addresses are not used, nor a directly searchable field. Of course, it would be nice to find Phil Zimmermann's original PGP key from the 1.0 days, but that is what a web of trust is for.

    On the server side, perhaps add a limit for searches, perhaps a CAPTCHA for that, and a mechanism for key adding, perhaps two parts, where one adds a key, types in an email address, which they have to decrypt a message sent to them and type in the code from that, for the key to be included on the server.

    OpenPGP has been an extremely strong, robust architecture, but it was designed before spammers were the main source of E-mail traffic, and when people really didn't want their keys published. Maybe it is time to have a modification to the protocol to drop the email field, and for applications like GitHub which use the email field for authentication, to allow users to just upload a key instead, and go by key ID.

    It might be time to add a few other things to the OpenPGP protocol as well, be it forward secrecy, or maybe adapt what the saltpack protocol has done for some more robustness in .asc files.
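
An added illustration of the keyserver design proposed in the comment above (not code from the commenter, Keybase or any real keyserver): keys are indexed only by RFC 4880 v4 fingerprint and key ID, email strings are never searchable, and lookups are rate-limited per client. The class name, the limits and the sample key are assumptions constructed for this example; the email-challenge step for adding keys is not modeled.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

class RateLimited(Exception):
    pass

class FingerprintOnlyKeyserver:
    """Hypothetical keyserver: indexes by fingerprint and key ID, never by email."""

    def __init__(self, max_lookups: int = 3, window: float = 60.0):
        self.max_lookups, self.window = max_lookups, window
        self.by_fpr = {}     # 40-hex fingerprint -> public-key packet body
        self.by_keyid = {}   # 16-hex key ID -> fingerprint
        self.seen = {}       # client -> timestamps of recent lookups

    def publish(self, body: bytes) -> str:
        fpr = v4_fingerprint(body)
        self.by_fpr[fpr] = body
        self.by_keyid[fpr[-16:]] = fpr   # key ID = low-order 64 bits of fingerprint
        return fpr

    def lookup(self, client: str, handle: str, now: float) -> bytes:
        # Count every attempt, including rejected ones, against the client's budget.
        recent = [t for t in self.seen.get(client, []) if now - t < self.window]
        if len(recent) >= self.max_lookups:
            raise RateLimited(client)
        self.seen[client] = recent + [now]
        handle = handle.replace(" ", "").upper()
        if handle.startswith("0X"):
            handle = handle[2:]
        if len(handle) not in (16, 40) or any(c not in "0123456789ABCDEF" for c in handle):
            raise ValueError("only key IDs and fingerprints are searchable")
        fpr = handle if len(handle) == 40 else self.by_keyid.get(handle)
        if fpr not in self.by_fpr:
            raise KeyError(handle)
        return self.by_fpr[fpr]

# Constructed sample: v4 RSA public-key packet body with a toy modulus (not a real key).
SAMPLE_BODY = (bytes([4]) + struct.pack(">I", 1575640000) + bytes([1])
               + mpi(0xC0FFEE1234567891) + mpi(65537))
```

Key IDs are only 64 bits and can collide, so a production server would return every matching key rather than a single entry.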
