
I was a very early user of Keybase and I've been super disappointed in the direction they've gone. They've had some neat ideas along the way but packing them onto the key service and the cryptocurrency missteps have caused me to shy away from them.

This looks like a good start for a real competitor. Obviously it's early but I'm seeing the right things.



I see this from a lot of people and I'm puzzled: can you not just avoid using the features you don't like? I don't see anyone going "I used to use VS Code but they added a database viewer so I stopped".


The keybase client went from a small CLI to a persistently connected app that ties into a filesystem, cryptocurrency platform, chat ecosystem and more.

Nothing is free. Adding features takes up resources, adds complexity and errors and increases attack surface. Sometimes that's an OK tradeoff - I like being able to see images in my email client. Sometimes the tradeoff is not worth it - my text centric IDE has no business touching database files.


That's fair, my question was more about the cryptocurrency feature specifically. "General bloat" I can understand, if you only care about the keys.

It seems to me, though, that the key part is just the first step in an entire featureset: Once you have a reliable way to get trusted encryption keys for any person, you can build a whole lot of useful functionality on top of that, which is what they've been doing.

Personally, I wouldn't have much use for just the key exchange, and I really like the encrypted chat/repos/files/etc on top, but I can understand different preferences there.


The entire cryptocurrency airdrop thing has caused lots of noise, triggered campaigns to try and hack/social engineer accounts that would qualify the attacker to grab more cryptocurrency, ... It makes it vastly less likely I'll recommend Keybase with those associations, which diminishes the value of the "key part". (Not recommending it both because it makes me question the long-term priorities of the product and because I don't want to explain why I'm recommending "weird cryptocurrency-stuff", which is the impression others could get)


Isn't Keybase built exactly for this though? To be able to look at the connected accounts/proofs, and know that a given Keybase user has proven control of those accounts? An attacker looking for crypto may have hacked someone's HN or GitHub. However, with Keybase, you can establish someone you want to talk to has linked their Twitter and their web domain and the like, whereas an attacker probably does not have access to all of their various identities around the Internet.


Keybase promised to give out free cryptocurrency to everyone who linked an existing Github and HN account, which led to an attack wave on such accounts from people wanting to claim that: https://essays.suryad.com/hnhack/

If you are an identity service and do things that paint a target on others' online identities, causing attackers to want to link my account with their fake accounts on your service for profit, you have an image problem. Similarly, that's not something I particularly want important services to be funded through long-term.


It would be possible to build an ignorable cryptocurrency feature, and if that had been the case, I probably wouldn't have noticed or cared. Instead Keybase tied into the launch of a questionable currency which involved giving the currency to people as a marketing tool and then resulted in a spree of attackers, disclosure attacks and other problems.

There's a difference between "Hey, we've built in a small wallet feature" and "Congratulations user, we've now given you 200 Lumens of tax liability and sent you marketing emails disguised as information, please prepare for a horde of hackers. Also we've fussed with your keys to make this new feature work. Thanks!"


I haven't found a use for it yet, but I'm not upset that they gave me money. It's the only crypto I've ever owned, but it's mine I guess?

Also, my understanding is (at least in the US) that you don't need to declare gifted cryptocurrency until/unless you realize its value by either selling it or sending it to someone else as payment for a service.


> tied into the launch of a questionable currency

A small correction, Stellar/XLM has been around since 2014 [0]

[0]: https://en.wikipedia.org/wiki/Stellar_(payment_network)


What if there was a lightweight keybase cli that only did the basics (official or community)?


I'm one of those people, and the thing that worries me is the huge amount of code that I'm not interested in that is hovering around my keys. If it was a collection of smaller tools I doubt I'd feel the same, but as things stand grabbing a binary means a 500MB installed package with very little functionality I actually want.

Not that I'm saying they should support just me; everyone has their own magical does-just-enough feature set.


If they didn’t insist on putting a kext on my system (comes with the app for kbfs), or registering a persistent launchd agent that can’t be disabled (comes with the kbfs-free CLI, always reinstalls itself), then sure, I could ignore the features.

But they did, so their clients got kicked out of my system.

I also got spammy alerts mentioned by siblings (in email).


No. When they started doing cryptocurrency spam, every device I had Keybase on alerted me to each new message, even with the spamming bot blocked.


This is kind of different. It’s more like, “I used this database viewer and suddenly it became VS Code”. It used to be something lean and simple, but now you’re simply not the target audience anymore at all.


Keybase went from a command-line tool with a clear purpose to a behemoth requiring an installer, a resident daemon, and a permanent menu-bar icon. I can't even trust a tool that is so complex (and likely has a huge attack surface).

These days, I don't even know what keybase is for. What is it for, really?


I stopped using Keybase when they started sending me cryptocurrency spam.


> can you not just avoid using the features you don't like

No: people can take a moral stance against things that look sleazy, like asking for uploading private keys or trying to sell cryptocurrencies.

> can you not just avoid

"can you just" is a bit patronizing, would you mind not using that tone?


I haven't followed them too closely for a while but wasn't the cryptocurrency misstep an answer to critics about the safety of keybase as keeper of the database[0]?

Now that I'm looking at it, although their docs don't mention anything[1], I'd assume it's related to their funding[2].

[0]: https://keybase.io/docs/server_security/merkle_root_in_stell...

[1]: https://keybase.io/docs/server_security/merkle_root_in_stell...

[2]: https://keybase.io/blog/keybase-stellar
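The comment above points at Keybase's doc on publishing its Merkle root to the Stellar ledger, which is the technique that answers "can we trust the server as keeper of the database": once a root is anchored somewhere the server does not control, it cannot silently rewrite any entry under that root without the mismatch being detectable. The following is an added, self-contained illustration of that mechanism, not Keybase's code; the tree layout (SHA-256, 0x00/0x01 leaf/node domain separation, duplicate-last-node padding) and the sample "sigchain entries" are my own assumptions and constructed data, and the real Keybase tree is structured differently.

```python
import hashlib

# Constructed sample data: pretend these are serialized sigchain links.
# Nothing here is real Keybase data.
ENTRIES = [
    b'{"seqno":1,"type":"eldest","key":"kid-A"}',
    b'{"seqno":2,"type":"web_service_binding","service":"github"}',
    b'{"seqno":3,"type":"web_service_binding","service":"hackernews"}',
    b'{"seqno":4,"type":"sibkey","key":"kid-B"}',
    b'{"seqno":5,"type":"web_service_binding","service":"twitter"}',
]
# A server-side rewrite of entry 3 (index 2): attacker swaps the HN proof.
TAMPERED = list(ENTRIES)
TAMPERED[2] = b'{"seqno":3,"type":"web_service_binding","service":"hackernews","user":"attacker"}'


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


def leaf_hash(data: bytes) -> bytes:
    # 0x00 prefix: a leaf can never be confused with an interior node.
    return sha256(b"\x00" + data)


def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix: interior node, ordered concatenation of children.
    return sha256(b"\x01" + left + right)


def build_tree(leaves):
    """Return the tree as a list of levels; levels[0] are leaf hashes, levels[-1] == [root].

    An odd-length level is paired by duplicating its last hash (assumed padding rule).
    Stored levels are kept unpadded; inclusion_proof reproduces the padding.
    """
    level = [leaf_hash(d) for d in leaves]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(leaves) -> bytes:
    """The 32-byte value that would be published to an external ledger."""
    return build_tree(leaves)[-1][0]


def inclusion_proof(leaves, index):
    """Audit path for leaves[index]: list of (sibling_hash, sibling_is_left)."""
    levels = build_tree(leaves)
    proof, i = [], index
    for level in levels[:-1]:
        sib = i ^ 1
        sibling = level[sib] if sib < len(level) else level[i]  # padding case
        proof.append((sibling, i % 2 == 1))
        i //= 2
    return proof


def verify_proof(leaf_data: bytes, proof, root: bytes) -> bool:
    """Client-side check: recompute the root from the leaf and audit path only."""
    h = leaf_hash(leaf_data)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


def demo():
    """Walk through the honest case and the server-rewrite case."""
    anchored_root = merkle_root(ENTRIES)          # what the ledger would hold
    proof = inclusion_proof(ENTRIES, 2)           # server hands this to a client
    honest_ok = verify_proof(ENTRIES[2], proof, anchored_root)
    # Server later serves the rewritten entry with the same old proof:
    tampered_ok = verify_proof(TAMPERED[2], proof, anchored_root)
    # Or rebuilds the tree around the rewrite: the root no longer matches the anchor.
    root_changed = merkle_root(TAMPERED) != anchored_root
    return {"honest_ok": honest_ok, "tampered_ok": tampered_ok, "root_changed": root_changed}


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is in `demo()`: a client that remembers (or fetches from the ledger) only the 32-byte root can reject a rewritten entry without holding the whole database, and the server cannot produce a consistent new tree without changing the root it already committed to. What the anchor does not do is stop the server from withholding entries or serving a stale tree, which is why such designs also need clients to check that the anchored root advances over time.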



