Migrate from Slack to Keybase #127
Comments
Agreed Slack is bad for many reasons...we've been talking about migrating from it for many months now. But I'm not convinced Keybase is the right way forward. Keybase's main value for us, as I see it, is identity verification for avoiding scammers. But this can also be achieved (to a large degree) through other means like forcing unique usernames, permissions, new user restrictions, and other admin tools available on self-hosted team chat software. For Keybase:
I think it's important to keep the purpose of this communication medium in mind. It's meant to be a public collaboration space for contributors and users, where open discussion fosters a culture of transparency. Is E2EE nice? Yes of course. But I'm not sure it matters much in this particular scenario since there is no need for privacy (exception: private messaging). I think the original plan to use a self-hosted tool like Rocket Chat or Zulip is better. I worked with Rocket Chat a bit last year and got the impression it wasn't going to be fun to maintain. Documentation isn't great, so there's a lot of guesswork when setting things up, and support isn't available reliably unless you pay...but it did hit v1.0 "LTS" a month or so ago, so maybe things are better now. In any case, I've set up my own instances of Rocket Chat and Zulip. @KanoczTomas offered to help with setting these up, so maybe we'll both look at these options and determine which one makes more sense, unless people have other thoughts/suggestions.
Well, Keybase is the only chat app that offers an acceptable level of security, privacy, and cryptographic identity verification to be on par with Bisq itself. AFAIK nothing else really comes close, and users seem to agree, since our Keybase team is gaining more people every day. We're up to 150+ members currently. It does use a centralized server instead of a P2P network, but this isn't a huge concern since everything is E2E encrypted and signed, and you also can use Tor to access Keybase. Censorship isn't a problem unless you're in China, where you'd have to use a VPN to use Bisq anyway.
Take a look at this impersonation scam on Telegram, can you tell me which user is the real person? https://twitter.com/duck1123/status/1178072100856373254 But more importantly, I feel your argument goes against the founding principles of Bitcoin and Bisq. We shouldn't have to trust a centralized server to tell me a person is who they claim to be, or to trust the centralized server not to spy on my private conversations, even if that server is run by a well-respected Bisq contributor. Bisq has worked very hard to avoid having trusted third parties, and migrating to Rocket Chat would be adding a trusted server. We are cypherpunks. We should verify the identity of everyone ourselves, and we should verify the end-to-end privacy ourselves. As far as I know, Keybase is the only chat app that offers this functionality with a decent UX. I heard a rumor that eventually Keybase will offer a self-hosted solution as well, so we can migrate to that when it is released for the best of both worlds.
Really? You can do one-to-one chats, one-to-many chats, small groups, or large teams (with sub-teams, etc.), and the permissions are pretty straightforward. Their apps support Windows, macOS, Linux, Android, and iOS. You can even do headless mode for bots. They even have Dark Mode. What more do you want?
Slack is famous for its excellent third-party integrations, but this is something we can improve over time. Since all Keybase apps verify the authenticity of all messages, it's non-trivial to allow third-party services to inject messages into our chat in a secure way. It's kinda like how the UX of Bitcoin and Bisq suffer from it being decentralized. Currently the solution is to run self-hosted bots for integrations. I already got a GitHub bot working, and I'm also working on integrating monitoring alerts. So while we have to run some bots for integrations with our Keybase team, it won't be as hard as maintaining a Rocket Chat instance AND integrations for the Rocket Chat as well.
You can install the Keybase app on your desktop or phone and sign up in seconds. It's actually about the same as Slack, which requires that weird email invitation thing. But I'll use your own argument against you: "Signing up for Bisq in the first place is not trivial... it's unrealistic to expect people to set up a Bisq node, create offers, etc. just to trade Bitcoin." Remember, the Bisq community is here mostly because we don't want to trust third parties, not even Bisq itself. If somebody is self-hosting the chat server, then I need to trust them, and I don't want to do that.
Are you confusing privacy with security? Our Keybase team is public, that's not changing. By migrating to Keybase we're gaining security, specifically by verifying every message and every user's identity using cryptographic proofs and open-source software. Our impersonator scammer already demonstrated why this is important. If "m52go" shows up in a public channel and says something, you want to be sure it's actually him talking, and you shouldn't have to trust anyone to tell you this, you should be able to verify it for yourself.
Well, that proposal had 9 months to get implemented, and in the meantime somebody impersonated me on Slack and tricked other Bisq contributors into thinking it was actually me. On the other hand, since I recently kickstarted it about a month ago, our Keybase team now feels more active than Slack in many ways, and it's gaining more users every day. So now that I think about it, I guess this proposal is already accepted by the community, indicated by all the new users who have recently started chatting on Keybase... so I guess I can close this proposal as it's basically implemented now. All that's left for me to do is delete the Slack app from my phone 😅
Bisq is a financial application, with real money on the line, and so security and privacy are a high priority for our project. We need our community to collaborate using a chat service that provides a high level of security and privacy to protect our communications, with built-in identity verification to defend against scammers and impersonators. Unfortunately, Slack does not sufficiently protect our communications in this regard.
Recently @m52go and I have discovered some serious security and privacy vulnerabilities in Bisq's Slack workspace. The most obvious example is that anyone can sign up with the same name and profile photo and trivially impersonate people, demonstrated today when a scammer tried to impersonate me and ask people for ETH (which is hilarious because I'm a hardcore Bitcoin maximalist).
Other security vulnerabilities are probably even worse so I won't go into more detail here to give our attackers any ideas, but long story short we need to move away from Slack ASAP.
My proposal is to migrate to Keybase, which is an open-source, multi-platform, end-to-end encrypted chat app that has excellent identity verification using cryptographic proofs (posted as tweets, GitHub gists, etc.), and cryptographically signs and verifies all messages. Additionally, the privacy of users is respected by basing identity on cryptography and not on phone numbers or other real-world things.
The bisq team on Keybase was created by @cbeams a few years back and so far over 100 people have joined. He's recently set me as admin and I've started setting up channels similar to our Slack workspace to prepare for a migration. Today's event showed us we are vulnerable to various attacks, but there are willing attackers poking around already.
Keybase has apps for Windows, macOS, Linux, Android, and iOS. It's come a long way in the past few years of development. Please try it out and join: https://keybase.io/team/bisq