You read that right! Now to find the list of all people who were badgering me to set up a Keybase account...
Consider the following:
2. Keybase is used by a lot of people to sign their #git commits and whatnot.
3. Zoom, a company with a bad security track record and murky ownership, now has potential supply-chain-attack capability on a lot of software whose git commits are signed using keys that touch Keybase.
@rysiek Microsoft also had a bad security track record, and turned it around.
Cisco just released a ton of advisories for ASA, FTD and FMC that are pretty bad, and tends to hide its issues until it can't.
Apple does not disclose the security issues they fix very easily if at all.
Zoom is starting to take steps by getting people like Katie Moussouris and her company to help, and has actually responded to the security findings at least. Shows intent to get better at it.
re: everything else - I find it objectionable that it's still okay for shitty startups to do shitty security while promising the world, get called out on it, pretend to apologize, and then do some more shitty security things, and *still* get credit for "trying"; meanwhile projects with sane security practices get crowded out of the market (and thus, funding).
@rysiek So Zoom has done nothing to address the security bugs, you say? Honestly, we can disagree, and it is obvious that we will never see eye to eye. I think the attitude you are showing does not translate into a more secure environment, as I read it as "once shitty, always shitty, nothing ever changes."
As I said, believe what you want. I will respectfully disagree with your assessment.
@siliconshecky and the point here is?.. I am neither advocating Cisco nor Apple. In fact, I have no clue why Cisco and Apple even showed up in this conversation.
All the Microzon Facegoopples of this world should go the way of the Dodo for all I care. I'd just like them to take all the startup snakeoil salespeople like Zoom along for the ride.
@rysiek You talked about Zoom burying an issue a year ago (which they fixed in a couple of days after it was publicized). I was just showing that other companies do the same. In fact, it might have been the bug bounty program's fault and not Zoom's that things got bungled, just as a what-might-have-been.
@siliconshecky I know other companies do the same. That's kind of the point.
This kind of behaviour is incentivized, made into a winning business model. And defending such practices *is* co-responsible for these practices flourishing.
What I am saying is we must stop doing that. "All software has bugs" is the "boys will be boys" of the tech industry.