Businesses Security

Zoom Acquires Keybase To Get End-to-End Encryption Expertise (techcrunch.com) 59

Zoom announced this morning that it has acquired Keybase, a startup with encryption expertise. From a report: Keybase, which has been building encryption products for several years including secure file sharing and collaboration tools, should give Zoom some security credibility as it goes through pandemic demand growing pains. The company has faced a number of security issues in the last couple of months as demand has soared and exposed some security weaknesses in the platform. As the company has moved to address these issues, having a team of encryption experts on staff should help the company build a more secure product. In a blog post announcing the deal, CEO Eric Yuan said they acquired Keybase to give customers a higher level of security, something that's increasingly important to enterprise customers as more operations are relying on the platform, working from home during the pandemic.
This discussion has been archived. No new comments can be posted.

  • Ridiculous (Score:4, Insightful)

    by swilver ( 617741 ) on Thursday May 07, 2020 @10:09AM (#60031892)

    You need to acquire a company to get end-to-end encryption expertise? Surely you can just walk up to one of your senior developers and ask them to implement it...

    • Re:Ridiculous (Score:5, Insightful)

      by jellomizer ( 103300 ) on Thursday May 07, 2020 @10:17AM (#60031926)

      It says a lot about how much management trusts its internal staff, doesn't it?

      This happens to me at work all the time. They will go out and hire a consultant to do something that I had already done for the company, but they had rejected it, because I wasn't working on it in the right department.
      The CIO touts how the organization is now so much better with this new technology. While my department had it implemented for about a decade already, and no one bothered to ask us how we did it.

    • Security is hard.

      Avoid re-implementing it whenever possible.

      As you will have to go through ALL the lessons again. With leaks at every step of the way.

      It's still ridiculous of course, as they would have gotten Signal's implementation for free.

      • by XXongo ( 3986865 )

        Security is hard. Avoid re-implementing it whenever possible.

        Yeah.

        God save us from management idiots who think "oh, we'll just ask one of our senior developers to implement security. How hard can it be? Can they get it done by Tuesday?"

    • Re:Ridiculous (Score:5, Insightful)

      by Rosco P. Coltrane ( 209368 ) on Thursday May 07, 2020 @10:37AM (#60031992)

      You're correct: "end-to-end encryption" consists in encrypting at one end and decrypting at the other; you don't need to buy a startup for that, just to hire an encryption specialist - and only for the time it takes them to tell you what cipher to use, and to review the implementation when you're done coding.

      But that Zoom purchase has nothing to do with buying technical expertise, and everything to do with PR: it's meant to tell customers and investors that "look, we're so serious about it we blew a gigantic bunch of money on the problem". And after all, why not...

      • Use AES128.

      • Re:Ridiculous (Score:4, Insightful)

        by ljw1004 ( 764174 ) on Thursday May 07, 2020 @11:39AM (#60032192)

        You're correct: "end-to-end encryption" consists in encrypting at one end and decrypting at the other; you don't need to buy a startup for that, just to hire an encryption specialist - and only for the time it takes them to tell you what cipher to use, and to review the implementation when you're done coding.

        I don't think it's anywhere near that simple. Consider a video call with 100 participants. Are you going to have 100^2 pairwise streams? (no one can encrypt+decrypt that fast). Presumably each participant will exchange keys with the 100 other participants and there'll be 100 separate encrypted video streams. What key exchange algorithm do you use? There of course won't be a reliable network in the way. When a participant joins in or drops out, how will keys be exchanged? How many participants will this scale to?

        • by tomz16 ( 992375 )

          I don't think it's anywhere near that simple. Consider a video call with 100 participants. Are you going to have 100^2 pairwise streams?

          Of course not... that would be idiotic. This has been a solved problem since the advent of cryptography. You only use the public key infrastructure to wrap the delivery of a symmetric session key.

          • Right... how many symmetric keys would you end up with on a hundred person call?

            Between 1 and 5000ish?

            Now one person dials into the call on a cellphone, the system handling the call negotiates between 1 and 5000 ish keys and starts decrypting all incoming lines on the call... on a Zoom server.

            So symmetric encryption... doesn't really change the scope of the problem does it, but thanks for pointing it out?

            • by chrish ( 4714 )

              1) Don't let anyone into the call until the host joins.
              2) Everyone does a key exchange with the host to get the symmetric session key.
              3) PROFIT

              I'm hoping Zoom bought Keybase for their design expertise; Keybase is far and away the best PKI UI I've ever used, nothing else makes PGP this usable.

              Worst-case scenario is that Zoom doesn't get any better, and Keybase gets worse.

              • I'm guessing they bought them as much for their key management tech as anything. That's what makes Keybase different from most other e2e solutions from a tech perspective.
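A worked model of the host-distributed session-key design chrish sketches above (everyone does a key exchange with the host and receives one symmetric session key), and of tomz16's point that asymmetric crypto is used only to wrap that key. It also shows what happens to keys when a participant joins or leaves, the case ljw1004 raises, and counts the per-frame work of the pairwise design against the shared-key design. This is an added example, not code from Zoom, Keybase, or any commenter. It assumes each member already shares an authenticated pairwise secret with the host (the key exchange itself is not implemented here), builds HKDF from the standard library, and uses a constructed HMAC-based stream cipher with a MAC as a stand-in for a real AEAD such as AES-GCM, which the Python standard library does not ship.

```python
"""Host-distributed session keys for a group call (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with an all-zero salt, built from hashlib/hmac only."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD (assumption: replaces AES-GCM): HMAC keystream + HMAC tag.
    nonce must be 12 bytes and never repeat under the same key."""
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, sealed: bytes) -> Optional[bytes]:
    """Verify the tag first; return None on any mismatch (wrong key or tampering)."""
    nonce, ct, tag = sealed[:12], sealed[12:-32], sealed[-32:]
    enc_key, mac_key = hkdf_sha256(key, b"enc"), hkdf_sha256(key, b"mac")
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Host:
    """Generates one session key per epoch and wraps it for every current member."""

    def __init__(self) -> None:
        self.epoch = 0
        self.session_key = b""
        self.frame_counter = 0
        self.pairwise: Dict[str, bytes] = {}  # member -> secret from the (assumed) key exchange

    def rekey(self) -> Dict[str, bytes]:
        self.epoch += 1
        self.session_key = secrets.token_bytes(32)
        self.frame_counter = 0
        wrap_nonce = self.epoch.to_bytes(12, "big")  # each wrap key is used once per epoch
        return {m: seal(hkdf_sha256(s, b"wrap"), wrap_nonce, self.session_key)
                for m, s in self.pairwise.items()}

    def join(self, member: str, shared_secret: bytes) -> Dict[str, bytes]:
        self.pairwise[member] = shared_secret
        return self.rekey()  # a new member must not be able to read earlier frames

    def leave(self, member: str) -> Dict[str, bytes]:
        del self.pairwise[member]
        return self.rekey()  # a departed member must not be able to read later frames

    def send_frame(self, frame: bytes) -> bytes:
        nonce = self.epoch.to_bytes(4, "big") + self.frame_counter.to_bytes(8, "big")
        self.frame_counter += 1
        return seal(self.session_key, nonce, frame)


class Member:
    def __init__(self, name: str, shared_secret: bytes) -> None:
        self.name = name
        self.wrap_key = hkdf_sha256(shared_secret, b"wrap")
        self.session_key: Optional[bytes] = None

    def install(self, wrapped: Dict[str, bytes]) -> bool:
        """Unwrap this member's copy of the epoch key; False if absent or unverifiable."""
        blob = wrapped.get(self.name)
        key = open_(self.wrap_key, blob) if blob is not None else None
        if key is None:
            return False
        self.session_key = key
        return True

    def receive(self, sealed: bytes) -> Optional[bytes]:
        return open_(self.session_key, sealed) if self.session_key else None


def encryptions_per_frame(model: str, n: int) -> int:
    """Whole-call encryption work per frame: pairwise means each of n senders
    encrypts once per other participant; shared means each sender encrypts once."""
    return n * (n - 1) if model == "pairwise" else n


if __name__ == "__main__":
    host, alice, bob = Host(), Member("alice", b"a" * 32), Member("bob", b"b" * 32)
    for m in (alice, bob):
        wrapped = host.join(m.name, m.wrap_key[:0] + (b"a" if m is alice else b"b") * 32)
        alice.install(wrapped), bob.install(wrapped)
    print(bob.receive(host.send_frame(b"hello")), encryptions_per_frame("pairwise", 100))
```

Joining and leaving both trigger a fresh epoch, so key distribution costs n wraps per membership change, while each video frame is encrypted once per sender instead of once per receiver. That is the linear scaling the thread contrasts with the n^2 pairwise design; it does not by itself address ordering, lost packets, or who the host trusts, which a real protocol has to handle.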
    • You need to acquire a company to get end-to-end encryption expertise? Surely you can just walk up to one of your senior developers and ask them to implement it...

      It's a stock-buoying move. It's a much better announcement than saying, for example, "we just asked one of guys to do it."

    • You need to acquire a company to get end-to-end encryption expertise? Surely you can just walk up to one of your senior developers and ask them to implement it...

      Uh, after the latest round of shit hit the fan for Zoom, what the hell makes you think that "senior" developer is still employed?

      There is no vaccine, for a corporate scapegoat.

    • by guruevi ( 827432 )

      They already had end-to-end encryption. You just needed to pay for it.

    • > Surely you can just walk up to one of your senior developers and ask them to implement it...

      What is "it"? Have you solved large-group encryption?

      That would be impressive as it's an open topic in research. Keybase chat has a decent head-start, as does Signal.

      • Neither Keybase nor Signal (nor any other E2E solution currently deployed) scales slower than linearly in the group size as far as both bandwidth and computation go. But new E2E tech that does is now being developed at the IETF under the name Messaging Layer Security: https://datatracker.ietf.org/w... [ietf.org]
    • I think they were bought for their key management, not just some particular e2e protocol. (Zoom already has e2e encryption but poor key management.) Also getting realtime E2E to scale beyond a couple hundred is *hard*. As in no one has done it (without seriously compromising on security).
  • by jellomizer ( 103300 ) on Thursday May 07, 2020 @10:12AM (#60031900)

    This is what happens when you acquire a company.
    Company A wants to do things like Company B
    Company A buys Company B
    now that Company A owns Company B they tell the people from Company B to do things the way that Company A does it.
    So Company A isn't doing things like Company B

    Now if they consulted with Company B
    Company B gives Company A a set of rules and requirements.
    Company A not wanting to waste their money will often implement such advice.
    Now Company A is doing it the way Company B does it.

    • Yep. Your comment reminds me of people who move here to Texas from California. They come here because they can easily find a job that lets them afford a 2,500 sq foot house, while in California they could only afford an 800 sq foot apartment, until they lost the job because the company moved out of California. So they come here and start telling us how we should do things. "In California we ...". Didn't you just flee from California because the way things are done in California doesn't work for you? You

      • Your example is a bit flipped from mine.
        A closer analogy would be the person from California being told by a Texan this is how you have to do things here. You *have* to give up your Prius and your fancy Apple Watch and get a pickup truck and a cowboy hat.

        Your example does have a point of truth in it, being that if you left a place because of its problems, you shouldn't try to bring its problems there. However California does have some good things that Texas doesn't have that could be imported in, that w

        • by Cylix ( 55374 )

          Exactly what is good about California?

          • by jellomizer ( 103300 ) on Thursday May 07, 2020 @12:24PM (#60032418)

            It is the state with the Largest Economy in the Nation of the largest Economy. It is also the 5th largest economy in the world by itself. It also produces the most Food by value.

            I know, Fox News and the GOP wants to paint a picture of California as some failing LiBeRaL state, by laser focus on its particular unique problems. But in truth California has its act together.

            • I live in California. The best parts of the state have zero to do with the liberal governance of the state. All the natural beauties are what make California great. The cities do not. The politics don't. The politics suck in fact. The last thing Texas needs or wants is California politics brought to them. Unfortunately I think Texas will be blue if not purple in 12 more years.

              Most of California ideas result in more taxes and maybe if you are lucky some services out of it. California is good at raising a tax

            • I chuckle whenever someone tries to say California is good because it's big. There are some good things about California; I'm not sure that's the best example. Yeah, the economy of California is around the same size as India or Mexico.

              I don't know that I'd be bragging that "economically, California is like Mexico or India". A big pile of shit is still a pile of shit.

              To measure if an economy is GOOD, you look at things like unemployment rate. The unemployment rate in California is higher than the country a

              • I think *everyone* in Texas chuckles whenever someone tries to say that any other place is good because it's big.

              • "A big pile of shit is still a pile of shit."

                That big pile of shit is used to produce a lot of that "5th largest economy in the world"--it's good for growing stuff.

                Yeah, and unemp is high, and housing, for sure. Cali is definitely too popular. Some recent numbers about emigration have been a needed relief.

            • by HiThere ( 15173 )

              Sorry, but there are real problems with California ever since the passage of Proposition 13 back a long time ago. Much of the economic success since then is due to momentum. Another problem was caused by the state level government grabbing the financing of schools, and nobody wanted to pay other people kids being taught, so the schools have gone WAY down hill. In the rich areas the PTA subsidizes things that the schools used to provide. In the poorer areas the teachers need to buy and provide toilet pap

            • by guruevi ( 827432 )

              Those are all relatively untrue. They're only that way with some very creative accounting and other points are due to reasons nothing to do with the politics.

            • I always chuckle when people talk about the size of the California economic output. Sure it is the 5th largest, but it would drop quite a bit if it suddenly wasn't part of the U.S. Tariffs would be put in place, making goods more expensive to export. Ocean freighters would be going to deep water ports in Washington. California is part of a system right now. Remove it from that system and it will suffer greatly. Yes the rest of the U.S. will also suffer but I am confident the system of the U.S. would r
              • California's economy is smaller than 7 other US states per capita. California simply has the most people, so therefore the most buying and selling. Several states have a larger economy per person - more output per person.

                That's not even factoring that LA is the largest port in the country - everything shipped into the US from China is counted as California economy, just because that's the first state it happened to pass through.

            • California's economy is smaller than 7 other US states per capita. California simply has the most people, so therefore the most buying and selling.

              Seven states have a larger economy per person - more output per person.

              That's not even factoring that LA is the largest port in the country - everything shipped into the US from China is counted as California economy, just because that's the first state it happened to pass through.

    • Company A buys Company B

      Followed by many employees from Company B resigning (especially key staff with valuable skills), perhaps to re-form as a new startup. Especially in cases like these where a large company buys a small startup. I've seen it happen...

  • Time to delete my Keybase account

  • In case the subject gets cut off:
    Open Whisper Systems would've given it to them for free.
    Or almost free, ideally.

    They did it for WhatsApp before.
    Because their primary goal is not profit, but to *improve* the world.

    • by XXongo ( 3986865 )

      Open Whisper Systems would've given it to them for free. Or almost free, ideally. They did it for WhatsApp before.

      Yes, because WhatsApp, a service that distributes text and voice messages, is just like a video conferencing service that can have up to a thousand people [support.zoom.us] on.

      Easy peasy! Text, video-- yeah, whatever, it's all the same. It's just bits, right?

    • OWS charges companies millions (if not 10s of M) to use their code base at the scales that Zoom wants too. In fact they've also tried to sue several times because they felt other companies didn't reimplement the protocol "clean room" enough. Their protocol is great (for 1:1 messaging at least) but their code sure isn't free. (Which is fine and their right of course. I'm just setting the record straight is all.)
  • by ardmhacha ( 192482 ) on Thursday May 07, 2020 @10:48AM (#60032026)

    Anyone who thinks this is a trivial exercise doesn't understand what Zoom are trying to do.

    https://blog.zoom.us/wordpress... [blog.zoom.us]

    • I have found that companies will often opt for the Grand Redesign vs that one good quick fix.
      Witness many times in my life my salary with my ability to drill down to the root cause, and fix the small problem, that creates a large impact. Even for large complex systems there is often just a small problem, that needs to be retooled and worked around. It sometimes just needs to take some bravery to recompile that old code in Fortran or COBOL with that small fix to the code. However because everyone else was so wor

    • Comment removed based on user account deletion
      • Nobody's saying it's simple, but why does it still tell me the call is 'end to end encrypted' - along with a beautiful green padlock - when it ISN'T?
    • Also, anyone who thinks it's trivial doesn't understand encryption.

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday May 07, 2020 @11:07AM (#60032090)
    Comment removed based on user account deletion
  • We've known for a good few decades that security is not something that can just be bolted onto an application later. It has to be designed in from the start.

    Instead of buying Keybase, they could have much more cheaply sent their engineers to secure coding courses, abandoned the existing codebase, and rewritten everything.

  • Once End to End is enabled, that will be the end of the Zoom Linux client. That client worked pretty well, but we moved on due to encryption.

    Why do I say this? I know first-hand of another proprietary enterprise front end that is being rolled out now with encryption. The change for Linux - "Not supported, use a Windows 10 VM"

  • MS DOS / Windows never did get secure. Security isn't something that you can retrofit. It's a state of mind.

    End to end encryption is the easiest of the easy parts. There needs to be a security conscious culture from the start or there will forever be leaks and bugs.

    This isn't just for security but for any basic concept such as maintenance, privacy, etc.
