3. startup makes a horrible business decision or gets bought up by someone onerous; it's inevitable, it's a startup.
4. everybody's shocked, shocked™, but still go with "using it for non-sensitive stuff, too late to move on"
5. rinse, repeat.
Do you know why we don't get a proper, decentralized, easy to use software solutions? This is why. Because we keep letting shitty startups crowd out the good projects.
Security is hard. Decentralization is hard. Usability is hard.
Being first to market is *easier* if you drop some, or most, of these.
So, shitty startups get to market first, and then crowd out the decent-but-necessarily-slower projects.
Every time you recommend a tool that follows this pattern of abuse, you are enabling it. You, personally, become a part of the problem. You, personally, help a shitty startup crowd out a decent project.
This is obviously not all black and white. There are edge cases, but then again there are clear red flags.
#Signal is a good example of an edge case. Decentralized? No. Startup? Also no. So, one red flag fewer.
Does this mean we can be certain Signal will not screw us over one day? No. But it not being a startup lowers that chance considerably, at least.
We techies need to be more mindful of this. After all, we are all complicit.
@rysiek It is hard to get enough people to use the system we prefer when the 'good enough' options are better to the average joe.
We need to keep trying to, but it is going to be a hard lift most of the time.
@LovesTha sure. but those "good enough options" often became good enough fast enough because they focused on UI/UX and cut corners on other things, like security and privacy.
And they could do that because there is almost no cost of doing so.
We must ramp up that cost. One way to do this is to stop absolving shitty startups of their sins as soon as they say "we're sorry" and make a face.
We need people from our own ranks to go out to the tech media or even mass media and tell them that free, decentralised, federated alternatives exist.
And we need people who can talk to journalists differently than they'd talk to FLOSS coders, i.e. refrain from just bombarding them with under-the-hood tech details.
@rysiek it seems to me the PGP case is also a little different because the existing software wasn't saying "yes the ux is bad and needs to be improved", but instead "this is the best possible ux so tough if you can't read through tens of pages of text to know what settings to use".
Keybase showed what was also possible, i.e., sane defaults.
Telegram isn't a start up either and arguably this shelters it from some specific risks that startups are exposed to
@AbbieNormal sure. but with Telegram there are other red flags, like the way they originally responded to some rather serious concerns about their home-grown crypto.
> Startup? Also no.
It is a start-up alright (and not their first). I did post about it some time ago.
@rysiek I've been thinking I want to help people use multiple applications and platforms. Help them move, try new stuff. So when the capitalists burn a platform, we can move to a better one with less hassle.
I think I get worried when us techies try to find perfect platforms. I want to perfect mobility instead.
@panina that's fair. thing is, with centralized services like Keybase there is no mobility. The network effect takes care of that...
@rysiek that's sort of built-in with the idea. If you prefer mobility, centralized services, and all-in-one solutions in particular, gets less attractive.
@rysiek our personal decisions can help sway the market and expand the ecosystem for better more secure decentralized software, especially as techies who are the early adopters of new tech. But its important to also look at the structural elements in the global economy. As long as software or any enterprise is driven by profit you're going to see corners cut and spackled over. As you point out Signal is among the best option, not only because they're not a startup, but specifically because they're nonprofit
@peacelovememes totally. And I strongly applaud and support any and all projects that bring funding (including public funding) to FLOSS projects.
that being said, we also need to bring sanity into the commercial software space. and that requires making proprietary software (and hardware) vendors responsible for their products, including warranty and damages in case a vulnerability in their product was instrumental in a compromise.
what I am saying is: Microsoft and others should be paying billions in damages to hospitals hit by malware that used exploits against Windows and other proprietary software to gain access to and infect hospital networks, for example.
I wonder how that would change their approach to security engineering. I am guessing: considerably!
@rysiek couldn't agree more! All corporations need to be held more accountable for the impacts/failings of their products!
@rysiek Hey, that sounds great on first read, but… The way stricter rules end up working in practice is usually: smaller actors are destroyed by the consequences of one mistake, if not crushed by the operational costs of complying, while too-big-to-fail corporations pay a few fines or compensatory damages here and there, just pennies to them (if they pay at all).
To break this pattern we'd need laws and regulations that actively target and discriminate bigger, wealthier corporations (that would be nice!). Fines scaled for company size, for example.
In software, it would be great if makers of proprietary software were subject to careful scrutiny and deemed responsible for everything their software does, while releasing source code in advance freed you of those obligations.
Big players can factor fines into the business model. I'd like to see if there are some ways to punish big players that are nit that easy to factor in.
In case of physical persons, that's called jail time. In case of corporations, that could perhaps be freezing of all assets for a prescribed time (apart from payroll-related, and without indemnifying them for whatever breach of contract occurs due to their assets being frozen).
@rysiek @peacelovememes Right. The only thing that can harm those power-mongering US-based IT giga-corporations if they're forced to pay so much in penalties, damages and compensations that it threatens their very existence, Gawker-style.
Won't happen, though, at least not in Europe. They're all sitting in Ireland, and Ireland has actually at least once turned down a penalty payment by one of these corporations because they had no idea what to do with so much money.
@rysiek that's not a big surprise but never pleasant.
I've played with keybase a little over the years too: seeing they had nothing to sell, it's pretty clear that the exit plan was always to sell the users (and tech?).
I wonder if the folks at the Stellar fundation knew ; after all they invested into Keybase last year.
recemtly I heard Bradley Kuhn making this argument: IRC os old an crank but it has resisted the onslaught of the proprietary chat techs
Because its people clung on it
It's not the tech, its the culture
In some cases it's the anthropologies that drive the tech, not the other way around
and geeks suffer from dopamine pollution as everybody else 🤷♂️
The fact that you can still go on IRC and see channels, etc. -- well, great.
But instead of the old days when a bazillion people were *actually* on and banging their keyboards constantly, now it's a bunch of mostly dead channels with lurkers logging.
In contrast, Slack and Discord seem to be where all the action has gone.
Probably because IRC stayed old school text-only.
This is also why XMPP has survived until today: XMPP is a pile of open standards. There is no central commercial entity that "owns" them. XMPP is not a product of a company that can be proprietarised or extinguished with a swift hostile buyout by Microsoft or Apple or whomever.
@rysiek The key is, startups aren’t wrong about the MVP concept, that an idea’s viability can be tested via the most minimal version of itself.
We need to build a social system that
a) sees how societally crucial privacy and security are
b) has tech to quantify how good an app or system is at these
Then the MVP definition will have to include better security and privacy.
Societally: it’s a super new problem culture hasn’t adapted to yet.
Tech: quantifying is super hard.
Part of the vicious cycle of open-source projects is the 80/20 rule unfortunately: 20% effort goes on actually solving challenging problems while 80% goes on GUI, user support, documentation, bug reports, testing, infrastructure and other horribly boring stuff. And when you're an user, FOSS or not, you will always expect at least base level of stability and usage comfort. That's why I stopped using any Matrix clients other than Riot, because they sucked from usability perspective...
In reality, everyone just wants to code away on the backend.
You've got one poor sap who's forced to make a graphical frontend although he'd rather work on the backend, and he's got no clue whatsoever about GUI design.
If there's any documentation, it's written by backend developers from a backend developer's POV (that's all they can), incomprehensible for end users and terribly outdated because nobody wants to work on it.
Support is left to those users who have managed to grok the whole thing without any documentation or precious little of it. The devs don't do support because they can't talk to people who aren't software developers. Also, at least 90% of them have crippling social anxiety.
This is also the reason why the whole project remains an obscure grassroots thing: Nobody is willing and able to advertise it to anyone, especially not in a way that end users understand.
@rysiek so how would you feel if Keybase became federated? Seriously thinking about forking if it goes downhill from here...
@rysiek but hey, they added this cool new online cloud based text editor...
wait this wasn't about github?
(The whole thread really, but my comment is relevant here)
If we are tired of starting over on new platforms maybe we should focus on not having to quit using the old one in the first place!
@rysiek Just a point of clarification: Keybase wasn't a start-up. If people think of them as a start-up, it's because they fell into obscurity years ago.
I remember exploring Keybase when I started working at Rackspace, had registered an identity there, installed the keybase CLI tool, attended my first "key party". Back when that was literally the ONLY thing you could do with them.
@rysiek I haven't touched it in about 3 years since that time, so finally removed all my info and uninstalled. It was about 2 years ago IIRC that I said good riddance.
The whole experience was a total waste of my time, and I still don't personally know anyone else who actually relies upon their services.
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!