Isn't it funny how within 24h the approach to #Keybase changed from "it's secure and awesomesauce, use it for everything!!1!" to "I just use it to share stuff but warn users not to do sensitive stuff there"?
No, actually it's not funny. Because it keeps happening:
1. a new shiny startup does X in an open source but centralized way
2. a lot of "experts" saying how great it is; some greybeards warn that it's centralized but nobody listens - it's so shiny and cool!
(cont.)
(cont.)
3. startup makes a horrible business decision or gets bought up by someone onerous; it's inevitable, it's a startup.
4. everybody's shocked, shocked™, but still go with "using it for non-sensitive stuff, too late to move on"
5. rinse, repeat.
Do you know why we don't get a proper, decentralized, easy to use software solutions? This is why. Because we keep letting shitty startups crowd out the good projects.
(cont.)
(cont.)
Security is hard. Decentralization is hard. Usability is hard.
Being first to market is *easier* if you drop some, or most, of these.
So, shitty startups get to market first, and then crowd out the decent-but-necessarily-slower projects.
Every time you recommend a tool that follows this pattern of abuse, you are enabling it. You, personally, become a part of the problem. You, personally, help a shitty startup crowd out a decent project.
(cont.)
(cont.)
This is obviously not all black and white. There are edge cases, but then again there are clear red flags.
#Signal is a good example of an edge case. Decentralized? No. Startup? Also no. So, one red flag fewer.
Does this mean we can be certain Signal will not screw us over one day? No. But it not being a startup lowers that chance considerably, at least.
We techies need to be more mindful of this. After all, we are all complicit.
(end.)
@rysiek our personal decisions can help sway the market and expand the ecosystem for better more secure decentralized software, especially as techies who are the early adopters of new tech. But its important to also look at the structural elements in the global economy. As long as software or any enterprise is driven by profit you're going to see corners cut and spackled over. As you point out Signal is among the best option, not only because they're not a startup, but specifically because they're nonprofit
@peacelovememes totally. And I strongly applaud and support any and all projects that bring funding (including public funding) to FLOSS projects.
that being said, we also need to bring sanity into the commercial software space. and that requires making proprietary software (and hardware) vendors responsible for their products, including warranty and damages in case a vulnerability in their product was instrumental in a compromise.
@peacelovememes
what I am saying is: Microsoft and others should be paying billions in damages to hospitals hit by malware that used exploits against Windows and other proprietary software to gain access to and infect hospital networks, for example.
I wonder how that would change their approach to security engineering. I am guessing: considerably!
@rysiek Hey, that sounds great on first read, but… The way stricter rules end up working in practice is usually: smaller actors are destroyed by the consequences of one mistake, if not crushed by the operational costs of complying, while too-big-to-fail corporations pay a few fines or compensatory damages here and there, just pennies to them (if they pay at all).
To break this pattern we'd need laws and regulations that actively target and discriminate bigger, wealthier corporations (that would be nice!). Fines scaled for company size, for example.
In software, it would be great if makers of proprietary software were subject to careful scrutiny and deemed responsible for everything their software does, while releasing source code in advance freed you of those obligations.
@rafu @peacelovememes that being said, GDPR did not kill small Internet players, and definitely affected the big ones in a meaningful way. So, regulation can be done in a way that works (with all the flaws of GDPR, I don't really want to dive into that here :-) )
@rafu @peacelovememes oh, totally.
Big players can factor fines into the business model. I'd like to see if there are some ways to punish big players that are nit that easy to factor in.
In case of physical persons, that's called jail time. In case of corporations, that could perhaps be freezing of all assets for a prescribed time (apart from payroll-related, and without indemnifying them for whatever breach of contract occurs due to their assets being frozen).