Isn't it funny how within 24h the approach to changed from "it's secure and awesomesauce, use it for everything!!1!" to "I just use it to share stuff but warn users not to do sensitive stuff there"?

No, actually it's not funny. Because it keeps happening:

1. a new shiny startup does X in an open source but centralized way
2. a lot of "experts" saying how great it is; some greybeards warn that it's centralized but nobody listens - it's so shiny and cool!

3. startup makes a horrible business decision or gets bought up by someone onerous; it's inevitable, it's a startup.
4. everybody's shocked, shocked™, but still go with "using it for non-sensitive stuff, too late to move on"
5. rinse, repeat.

Do you know why we don't get a proper, decentralized, easy to use software solutions? This is why. Because we keep letting shitty startups crowd out the good projects.



Security is hard. Decentralization is hard. Usability is hard.

Being first to market is *easier* if you drop some, or most, of these.

So, shitty startups get to market first, and then crowd out the decent-but-necessarily-slower projects.

Every time you recommend a tool that follows this pattern of abuse, you are enabling it. You, personally, become a part of the problem. You, personally, help a shitty startup crowd out a decent project.



This is obviously not all black and white. There are edge cases, but then again there are clear red flags.

is a good example of an edge case. Decentralized? No. Startup? Also no. So, one red flag fewer.

Does this mean we can be certain Signal will not screw us over one day? No. But it not being a startup lowers that chance considerably, at least.

We techies need to be more mindful of this. After all, we are all complicit.


@rysiek It is hard to get enough people to use the system we prefer when the 'good enough' options are better to the average joe.

We need to keep trying to, but it is going to be a hard lift most of the time.

@LovesTha sure. but those "good enough options" often became good enough fast enough because they focused on UI/UX and cut corners on other things, like security and privacy.

And they could do that because there is almost no cost of doing so.

We must ramp up that cost. One way to do this is to stop absolving shitty startups of their sins as soon as they say "we're sorry" and make a :blobaww: face.

@rysiek @LovesTha also maybe stop absolving “good” projects from the requirements of UI/UX. To Average Jane, UI/UX are 100% of “how it works“. After many years trying to educate people about this, I have come around to the view that Average Jane actually is 95% right.

@kopischke @rysiek I don't like percentages for importance, but I'll agree UX can't be a second class priority if you need lots of people to use a thing.

@rysiek the immune ☣ I dont understand. It keeps changing all the time (remember github) and people just dont seem to get it. Use decentralized FLOSS stuff and you are set. Specially the federated ones or p2p. How many more times you need to get burned to finally get it.
Startups come and go, decentralized, federated net stays up and running. The faster you realize this and embrace it the better for you :P

@muppeth @rysiek Yeah, but first of all, the people out there have to know that these decentralised, federated things exist. Which they don't because nobody advertises them.

We need people from our own ranks to go out to the tech media or even mass media and tell them that free, decentralised, federated alternatives exist.

And we need people who can talk to journalists differently than they'd talk to FLOSS coders, i.e. refrain from just bombarding them with under-the-hood tech details.

@rysiek it seems to me the PGP case is also a little different because the existing software wasn't saying "yes the ux is bad and needs to be improved", but instead "this is the best possible ux so tough if you can't read through tens of pages of text to know what settings to use".

Keybase showed what was also possible, i.e., sane defaults.

@mvz well, I agree to some extent. there was software trying to do OpenPGP better. is one example.

@rysiek Does Mailpile handle creating and managing keys? The website is a bit low on details.


Telegram isn't a start up either and arguably this shelters it from some specific risks that startups are exposed to

@AbbieNormal sure. but with Telegram there are other red flags, like the way they originally responded to some rather serious concerns about their home-grown crypto.

@rysiek @AbbieNormal

Most people don't use the "Secret chats" function, just client-to-server encryption.

@cuniculus @AbbieNormal which begs the question why are there non-secret chats implemented at all. But let's not open that can of worms! :blobcatcoffee:

@rysiek @AbbieNormal

Usage on all devices and large public groups. Also, secret chats are only supported on iOS, Android and macOS.

The official Windows and Linux clients do not support them.


> Startup? Also no.

It is a start-up alright (and not their first). I did post about it some time ago.

Here you go:

All the info straight from public records available to anyone.

@rysiek I've been thinking I want to help people use multiple applications and platforms. Help them move, try new stuff. So when the capitalists burn a platform, we can move to a better one with less hassle.

I think I get worried when us techies try to find perfect platforms. I want to perfect mobility instead.

@panina that's fair. thing is, with centralized services like Keybase there is no mobility. The network effect takes care of that...

@rysiek that's sort of built-in with the idea. If you prefer mobility, centralized services, and all-in-one solutions in particular, gets less attractive.

@rysiek our personal decisions can help sway the market and expand the ecosystem for better more secure decentralized software, especially as techies who are the early adopters of new tech. But its important to also look at the structural elements in the global economy. As long as software or any enterprise is driven by profit you're going to see corners cut and spackled over. As you point out Signal is among the best option, not only because they're not a startup, but specifically because they're nonprofit

@peacelovememes totally. And I strongly applaud and support any and all projects that bring funding (including public funding) to FLOSS projects.

that being said, we also need to bring sanity into the commercial software space. and that requires making proprietary software (and hardware) vendors responsible for their products, including warranty and damages in case a vulnerability in their product was instrumental in a compromise.

what I am saying is: Microsoft and others should be paying billions in damages to hospitals hit by malware that used exploits against Windows and other proprietary software to gain access to and infect hospital networks, for example.

I wonder how that would change their approach to security engineering. I am guessing: considerably!

@rysiek couldn't agree more! All corporations need to be held more accountable for the impacts/failings of their products!

@rysiek Hey, that sounds great on first read, but… The way stricter rules end up working in practice is usually: smaller actors are destroyed by the consequences of one mistake, if not crushed by the operational costs of complying, while too-big-to-fail corporations pay a few fines or compensatory damages here and there, just pennies to them (if they pay at all).

To break this pattern we'd need laws and regulations that actively target and discriminate bigger, wealthier corporations (that would be nice!). Fines scaled for company size, for example.

In software, it would be great if makers of proprietary software were subject to careful scrutiny and deemed responsible for everything their software does, while releasing source code in advance freed you of those obligations.


@rafu @peacelovememes oh, totally.

Big players can factor fines into the business model. I'd like to see if there are some ways to punish big players that are nit that easy to factor in.

In case of physical persons, that's called jail time. In case of corporations, that could perhaps be freezing of all assets for a prescribed time (apart from payroll-related, and without indemnifying them for whatever breach of contract occurs due to their assets being frozen).

@rafu @peacelovememes that being said, GDPR did not kill small Internet players, and definitely affected the big ones in a meaningful way. So, regulation can be done in a way that works (with all the flaws of GDPR, I don't really want to dive into that here :-) )

@rysiek @peacelovememes Right. The only thing that can harm those power-mongering US-based IT giga-corporations if they're forced to pay so much in penalties, damages and compensations that it threatens their very existence, Gawker-style.

Won't happen, though, at least not in Europe. They're all sitting in Ireland, and Ireland has actually at least once turned down a penalty payment by one of these corporations because they had no idea what to do with so much money.

@rysiek that's not a big surprise but never pleasant.

I've played with keybase a little over the years too: seeing they had nothing to sell, it's pretty clear that the exit plan was always to sell the users (and tech?).

I wonder if the folks at the Stellar fundation knew ; after all they invested into Keybase last year.


recemtly I heard Bradley Kuhn making this argument: IRC os old an crank but it has resisted the onslaught of the proprietary chat techs

Why ?

Because its people clung on it

It's not the tech, its the culture

In some cases it's the anthropologies that drive the tech, not the other way around

and geeks suffer from dopamine pollution as everybody else 🤷‍♂️

@AbbieNormal @rysiek to add to the IRC sticking around thread, i do like the ideas proposed in "It seems that technical deficiencies can have positive social consequences"

@decentral1se @rysiek

yeah, lack of features can explain some things

But I think the FLOSS devs would have stuck on IRC even if it had been a bit more featureful

Very interesting document, anyway 🤔

@decentral1se @rysiek

one of the lacking feature that I appreciate the most is the fact that IRC doesn't participate in the "notifications" circus

I get to see it when my own processes bring me to it

@mmu_man @AbbieNormal @rysiek I'd disagree, sadly. I don't think IRC has really survived the proprietary silos.

The fact that you can still go on IRC and see channels, etc. -- well, great.

But instead of the old days when a bazillion people were *actually* on and banging their keyboards constantly, now it's a bunch of mostly dead channels with lurkers logging.

In contrast, Slack and Discord seem to be where all the action has gone.

Probably because IRC stayed old school text-only.

@AbbieNormal @rysiek That, and you can't take over something that's owned by everyone and no-one. IRC still exists because there's no company behind it that can be bought out.

This is also why XMPP has survived until today: XMPP is a pile of open standards. There is no central commercial entity that "owns" them. XMPP is not a product of a company that can be proprietarised or extinguished with a swift hostile buyout by Microsoft or Apple or whomever.

@rysiek The key is, startups aren’t wrong about the MVP concept, that an idea’s viability can be tested via the most minimal version of itself.

We need to build a social system that
a) sees how societally crucial privacy and security are
b) has tech to quantify how good an app or system is at these

Then the MVP definition will have to include better security and privacy.

Societally: it’s a super new problem culture hasn’t adapted to yet.

Tech: quantifying is super hard.


Part of the vicious cycle of open-source projects is the 80/20 rule unfortunately: 20% effort goes on actually solving challenging problems while 80% goes on GUI, user support, documentation, bug reports, testing, infrastructure and other horribly boring stuff. And when you're an user, FOSS or not, you will always expect at least base level of stability and usage comfort. That's why I stopped using any Matrix clients other than Riot, because they sucked from usability perspective...

@kravietz @rysiek Or let's say they should go on it.

In reality, everyone just wants to code away on the backend.

You've got one poor sap who's forced to make a graphical frontend although he'd rather work on the backend, and he's got no clue whatsoever about GUI design.

If there's any documentation, it's written by backend developers from a backend developer's POV (that's all they can), incomprehensible for end users and terribly outdated because nobody wants to work on it.


@kravietz @rysiek (...Continued)

Support is left to those users who have managed to grok the whole thing without any documentation or precious little of it. The devs don't do support because they can't talk to people who aren't software developers. Also, at least 90% of them have crippling social anxiety.

This is also the reason why the whole project remains an obscure grassroots thing: Nobody is willing and able to advertise it to anyone, especially not in a way that end users understand.

@rysiek so how would you feel if Keybase became federated? Seriously thinking about forking if it goes downhill from here...

@rysiek but hey, they added this cool new online cloud based text editor...

wait this wasn't about github?


Well said.
(The whole thread really, but my comment is relevant here)

If we are tired of starting over on new platforms maybe we should focus on not having to quit using the old one in the first place!

@d599f84e provided that the old one is actually not going to screw us over.

That's why we make sure it becomes a proper, decentralized, easy to use software solution.

@rysiek Just a point of clarification: Keybase wasn't a start-up. If people think of them as a start-up, it's because they fell into obscurity years ago.

I remember exploring Keybase when I started working at Rackspace, had registered an identity there, installed the keybase CLI tool, attended my first "key party". Back when that was literally the ONLY thing you could do with them.

@rysiek I haven't touched it in about 3 years since that time, so finally removed all my info and uninstalled. It was about 2 years ago IIRC that I said good riddance.

The whole experience was a total waste of my time, and I still don't personally know anyone else who actually relies upon their services.

I can't recall a single VC funded project that ended up good...

VC funding equals broken from the roots to me. It'll never be a healthy tree to build tree houses in.

@rysiek while I don't know a lot about keybase, I do find myself thinking about wanting to look into building decentralized apps that are secure but also suitable for the average joe... recently had an idea for a decentralized alternative to ubereats but I'll have to look into details...

@rysiek as u said when greybeards warn nobody fucking care... it’s not going to change since every fucking technology not only security follow the same stupid pattern look at the garbage web stack everybody wow because it sooo pretttttttttyyyy, node+js, etc.. and the list goes on, github, so prettyyyyyy, and covenient and *click* *look i just made a machine learning app*, codespaces (recently released by github the next big buzz thing) so pretttttttttyyyyyyyy

@rysiek I have actually never used it. Sounded fishy and suspicious from the beginning on.

Sign in to participate in the conversation

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!