> I like the key validation part of keybase, which somewhat takes the place
> of crypto party in-person web-of-trust key exchange event thingies. For
> those unfamiliar, keybase uses various social media accounts or domain or
> website rights to demonstrate that a person that is able to post
> information to those places also has access to their private key. So, for
> example, if you know someone and follow their work on a social media
> account or can check their DNS information or a magical URL on a site they
> control, and you are reasonably confident they haven't been kidnapped and
> they haven't mentioned losing control of their private key, then you have
> some confidence you have a valid public key.
>
> I don't completely trust the keybase application (in fact I have it turned
> off) because "it's just some random binary a company gave me". It does
> some cool things though, including the userfs where you can copy files and
> they are magically transported to a corresponding directory on another
> keybase user's machine, and vice versa. I think the application is open
> source though, so you could presumably inspect the source code and build

I really appreciate your analysis and opinion as someone who has actually used the app and has some technical understanding of how it works. Very useful!

"Rocket Chat is another solution. You can set up your own server fairly easily with docker if you want. I haven't seen a recent security audit for it."

Thanks! I'll check out Rocket Chat. I like the idea of setting up a server in docker!

"If you want to play on the bleeding edge here, I'd suggest you start following (well known) security people (CSO, researchers, InfoSec). Listen to podcasts where these people talk about things. Don't jump in right away. Mostly listen and watch. After a while, you'll start seeing patterns, some things will be recommended, some will start that way and then stop. The bleeding edge is bumpy. The bleeding edge is also not where most people are, so your communication radius will be small if you're using bleeding edge tools."

To be clear, I DON'T play on the bleeding edge for all the reasons you mention and more. That's why I asked if anyone on the PLUG list does play on the bleeding edge. I run Debian Stable on my pc. I don't install any more sw/apps than are completely necessary for my daily activities on my pc & my phone. I used to listen to security podcasts and read security blogs and all that did was make me not want to use any digital device connected to the Internet.

"This is a decent list to check out https://digitalguardian.com/blog/best-information-security-podcasts I like the security rabbit hole, and risky business."

Thank you for this link and your recommendation. I'll check them out soon!

_______________________________________________
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug