Re: [PLUG] Vetting security apps (Rocket Chat)

2019-01-09 Thread Nat Taylor
That seems to be if you use their hosted service?
I don't believe that is applicable to the open source code they have posted
on github:
https://github.com/RocketChat
(interestingly, it looks like they use Meteor!)
(they also have snaps, as well as images in Docker Hub. Snaps look even
faster to deploy?)

This is the LIMITATION_OF_RESPONSIBILITY.md file from the repo for the
server:


WARNING to ROCKET.CHAT USERS

Rocket.Chat is open source software. Anyone in the world can download and
run a Rocket.Chat server at any time.

As a user of Rocket.Chat, someone with a Rocket.Chat account, you need to
be aware that you may be using a Rocket.Chat server that is operated by
arbitrary businesses, groups or individuals with no relationship to
Rocket.Chat Technologies Corp.

In particular:

   - Rocket.Chat Technologies Corp. do not have access to these servers.
   - Rocket.Chat Technologies Corp. do not and cannot control or regulate
   how these servers are operated.
   - Rocket.Chat Technologies Corp. cannot access, determine or regulate
   any contents or information flow on these servers.


IMPORTANT

For total transparency, Rocket.Chat Technologies Corp. owns and operates
only ONE publicly available Rocket.Chat server in the world. The server
that Rocket.Chat Technologies Corp. operates can only be accessed at:

https://open.rocket.chat

Any other Rocket.Chat server you access is not operated by Rocket.Chat
Technologies Corp. and is subjected to the usage warning above.

On Wed, Jan 9, 2019 at 8:32 PM Mike C.  wrote:

> "Rocket Chat is another solution.  You can set up your own server fairly
> easily with docker if you want. I haven't seen a recent security audit for
> it."
>
> Unfortunately, this makes Rocket Chat a non-starter for me
>
> "When a User (including you) submits content or information to the
> Services, such as messages or files (“Customer Data”), you acknowledge
> and agree that the Customer Data is owned by Rocket.Chat. Rocket.Chat
> may provision or deprovision access to the Services, enable or disable
> third party integrations, manage permissions, retention and export
> settings, transfer or assign workspaces, share channels, or
> consolidate this workspace or channels with other workspaces or
> channels, and these choices and instructions may result in the access,
> use, disclosure, modification or deletion of certain or all Customer
> Data."
> ___
> PLUG mailing list
> PLUG@pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>
___
PLUG mailing list
PLUG@pdxlinux.org
http://lists.pdxlinux.org/mailman/listinfo/plug


[PLUG] Vetting security apps?

2019-01-09 Thread Mike C.
> I like the key validation part of keybase, which somewhat takes the place
> of crypto party in-person web-of-trust key exchange event thingies. For
> those unfamiliar, keybase uses various social media accounts or domain or
> website rights to demonstrate that a person that is able to post
> information to those places also has access to their private key. So, for
> example, if you know someone and follow their work on a social media
> account or can check their DNS information or a magical URL on a site they
> control, and you are reasonably confident they haven't been kidnapped and
> they haven't mentioned losing control of their private key, then you have
> some confidence you have a valid public key.
>
> I don't completely trust the keybase application (in fact I have it turned
> off) because "it's just some random binary a company gave me".  It does
> some cool things though, including the userfs where you can copy files and
> they are magically transported to a corresponding directory on another
> keybase users machine, and vice versa. I think the application is open
> source though, so you could presumably inspect the source code and build

I really appreciate your analysis and opinion as someone who has
actually used the app and has some technical understanding of how it
works. Very useful!

"Rocket Chat is another solution.  You can set up your own server fairly
easily with docker if you want. I haven't seen a recent security audit for it."

Thanks! I'll check out Rocket Chat. I like the idea of setting up a
server in docker!

"If you want to play on the bleeding edge here, I'd suggest you start
following (well known) security people (CSO, researchers, InfoSec).
Listen to podcasts where these people talk about things. Don't jump in
right away. Mostly listen and watch. After a while, you'll start
seeing patterns, some things will be recommended, some will start that
way and then stop. The bleeding edge is bumpy. The bleeding edge is
also not where most people are, so your communication radius will be
small if you're using bleeding edge tools."

To be clear, I DON'T play on the bleeding edge for all the reasons
you mention and more. That's why I asked if anyone on the PLUG list
does play on the bleeding edge.

I run Debian Stable on my pc. I don't install any more sw/apps than
are completely necessary for my daily activities on my pc & my phone.

I used to listen to security podcasts and read security blogs and all
that did was make me not want to use any digital device connected to
the Internet.

"This is a decent list to check out
https://digitalguardian.com/blog/best-information-security-podcasts

I like the security rabbit hole, and risky business."

Thank you for this link and your recommendation. I'll check them out soon!


Re: [PLUG] Vetting security apps?

2019-01-08 Thread Louis Kowolowski
Bleeding edge vs Established
New technology, new implementation, new user base(s), new bugs. Even if the
math is solid, the implementation may not be.
I'm not trying to suggest you shouldn't use new things. I'm pointing out the
potential compromise in doing it.

If you want to play on the bleeding edge here, I'd suggest you start following 
(well known) security people (CSO, researchers, InfoSec). Listen to podcasts 
where these people talk about things. Don't jump in right away. Mostly listen 
and watch. After a while, you'll start seeing patterns, some things will be 
recommended, some will start that way and then stop. The bleeding edge is 
bumpy. The bleeding edge is also not where most people are, so your 
communication radius will be small if you're using bleeding edge tools.

This is a decent list to check out
https://digitalguardian.com/blog/best-information-security-podcasts

I like the security rabbit hole, and risky business.



--
Louis Kowolowski   lou...@cryptomonkeys.org
Cryptomonkeys:   http://www.cryptomonkeys.com/
Making life more interesting for people since 1977


Re: [PLUG] Vetting security apps?

2019-01-08 Thread Russell Senior
FWIW, I'm: https://keybase.io/rssenior



Re: [PLUG] Vetting security apps?

2019-01-08 Thread Nat Taylor
Rocket Chat is another solution.  You can set up your own server fairly
easily with docker if you want.
I haven't seen a recent security audit for it.



Re: [PLUG] Vetting security apps?

2019-01-08 Thread Russell Senior
I like the key validation part of keybase, which somewhat takes the place
of crypto party in-person web-of-trust key exchange event thingies. For
those unfamiliar, keybase uses various social media accounts or domain or
website rights to demonstrate that a person that is able to post
information to those places also has access to their private key. So, for
example, if you know someone and follow their work on a social media
account or can check their DNS information or a magical URL on a site they
control, and you are reasonably confident they haven't been kidnapped and
they haven't mentioned losing control of their private key, then you have
some confidence you have a valid public key.

I don't completely trust the keybase application (in fact I have it turned
off) because "it's just some random binary a company gave me".  It does
some cool things though, including the userfs where you can copy files and
they are magically transported to a corresponding directory on another
keybase users machine, and vice versa. I think the application is open
source though, so you could presumably inspect the source code and build it
yourself. I haven't tried that.

To your specific question at the end, I don't have much to contribute,
sadly.



[PLUG] Vetting security apps?

2019-01-08 Thread Mike C.
I'm curious to know what others do in vetting security apps they use
or may recommend to others.

I use a variety of fairly well known secure email & chat apps but just
learned about an app called Keybase. https://keybase.io/docs

It's like encrypted Slack but also some really interesting things like
an encrypted cloud based file system and secure digital identity
management.

Also, this seems like they're using blockchain:
"Every account on Keybase has a public history. "Sigchains" let
Keybase clients reconstruct the present without trusting Keybase's
servers. And when you "follow" someone on Keybase, you sign a snapshot
of your view of the claims in their sigchain."

In the past I trusted apps that I use because of recommendations by
the EFF, Edward Snowden, the general digital security community.

Currently, there doesn't seem to be too much written up about Keybase
other than an article on HackerNews from 2016.

The ask. Does anyone play a bit more on the bleeding edge with privacy
& encryption apps and if so how do you go about vetting a new app
that's relatively unknown?

Thank you,

Mike
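The two Keybase mechanisms discussed in this thread, Russell's description of identity proofs (a statement posted somewhere you control that shows you also hold the private key) and the "sigchain" quoted in Mike's original post (a public, signed history that clients can check without trusting Keybase's servers), in a stripped-down form. This is an added example, not Keybase's own code or on-the-wire format: the link layout, the `Append`/`Verify` names and the `twitter:alice` style claims are assumptions for illustration. Each link claims one external identity, is hash-bound to its predecessor and Ed25519-signed, and a client replays the chain with nothing but the owner's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Link is one entry of a simplified sigchain: a claim about an external
// identity, hash-bound to its predecessor and signed by the account owner's key.
type Link struct {
	Seqno uint32
	Prev  [32]byte // SHA-256 of the previous link's payload, all zero for link 1
	Claim string   // constructed sample value, e.g. "twitter:alice"
	Sig   []byte
}

// payload is the exact byte string that gets signed and hashed.
func payload(l Link) []byte {
	return []byte(fmt.Sprintf("%d|%x|%s", l.Seqno, l.Prev[:], l.Claim))
}

// Append signs a new claim onto the chain with the owner's private key.
func Append(chain []Link, priv ed25519.PrivateKey, claim string) []Link {
	l := Link{Seqno: uint32(len(chain)) + 1, Claim: claim}
	if len(chain) > 0 {
		l.Prev = sha256.Sum256(payload(chain[len(chain)-1]))
	}
	l.Sig = ed25519.Sign(priv, payload(l))
	return append(chain, l)
}

// Verify replays the chain as a client would, trusting only pub: any edited,
// reordered or spliced link served by an untrusted party fails here.
func Verify(chain []Link, pub ed25519.PublicKey) ([]string, error) {
	prev, claims := [32]byte{}, []string{}
	for i, l := range chain {
		if l.Seqno != uint32(i)+1 || l.Prev != prev {
			return nil, fmt.Errorf("link %d: broken linkage", i+1)
		}
		if !ed25519.Verify(pub, payload(l), l.Sig) {
			return nil, fmt.Errorf("link %d: bad signature", i+1)
		}
		claims, prev = append(claims, l.Claim), sha256.Sum256(payload(l))
	}
	return claims, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chain := Append(Append(nil, priv, "twitter:alice"), priv, "dns:alice.example")
	fmt.Println(Verify(chain, pub))
	chain[0].Claim = "twitter:mallory" // an untrusted server rewriting history
	fmt.Println(Verify(chain, pub))
}
```

What this does not cover is the other half of a proof: fetching the signed statement from the social-media account or DNS record and checking it is really there, which is what ties the key to the identity rather than just to itself.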