Client: Backdoor in client signs proof without user's knowledge or consent

Created on 29 Sep 2019 · 11 comments · Source: keybase/client

(copied from https://github.com/keybase/keybase-issues/issues/3583 to be closer to relevant code)

https://sneak.berlin/20190929/keybase-backdoor/

I don't want XLM shitcoins. I don't want anyone to send me XLM shitcoins thinking I want them. I don't hold any private keys for XLM shitcoins, despite what my keybase profile now fraudulently claims.

Somehow, on the 4th of February, an attestation has found its way onto my profile, signed by one of my devices by the Keybase iOS client (keybase.io go client 2.13.2). I did not want this signature generated with my keys. Indeed, it happened without my knowledge or consent.

I am unable to revoke this from my keybase profile.

All 11 comments

sneak@nostromo-2:~$ keybase sigs list -v | grep stellar
71   289375141b43421b024be60b0569cd701061fd37ca14f047e5d96a1bf8dacefe0f   wallet.stellar   2019-02-04 15:44:31 PST   stellar  GDTEDYVMJP6SVVADO66JWSOYJALMAOJLGWNF67IHFFX4GHK4EOSXYF3E 0120e641e2ac4bfd2ad40377bc9b49d84816c0392b359a5f7d07296fc31d5c23a57c0a
sneak@nostromo-2:~$ keybase sigs revoke 289375141b43421b024be60b0569cd701061fd37ca14f047e5d96a1bf8dacefe0f
▶ ERROR sig not owned by user
sneak@nostromo-2:~$ keybase sigs revoke 0120e641e2ac4bfd2ad40377bc9b49d84816c0392b359a5f7d07296fc31d5c23a57c0a
▶ ERROR Signature matching query "0120e641e2ac4bfd2ad40377bc9b49d84816c0392b359a5f7d07296fc31d5c23a57c0a" does not exist.
sneak@nostromo-2:~$ keybase version
Client:  4.5.0-20190919040131+93e889ab01
Service: 4.5.0-20190919040131+93e889ab01
sneak@nostromo-2:~$

I addressed this false claim on HackerNews: https://news.ycombinator.com/item?id=21110473

The text above shows that it's impossible with the current cli release to remove the attestation.

15555 shows dozens of people who made it all the way to GitHub in an effort to get the unwanted attestation off of their profile.

tbh, your kid probably stole your phone to play a game, and mistook keybase for a game and tapped the wallet tab.

A single tap to the Wallet tab sets you on a UX flow where not reading anything and "just tapping to get the popups to go away" leads to the attestation you complain about.

Maybe you were messing with your smartphone in your sleep. Who knows.

I agree the UX flow should require typing a phrase to agree and attest.

Similar to account deletion, you should have to type "generate my stellar key" to agree.

Especially if it's irrevocable.

Isn't attaching a Stellar key (signed) to the user's profile without entering any form of password a _backdoor_ in itself? Or am I missing something here?

@timvisee see above, if the address is in your account, it's because you consented, even if you don't remember having done it. More than half of keybase users never consented and therefore don't have a stellar address. The consent is of the form "read this disclaimer and say ok." Regular users of our app know that we almost never ask for passwords when generating signatures because it's a horrible design pattern and people hate passwords.

The modal asks if you want to create a wallet.

Key generation (of stellar keys) is not the same as signing (with a device key). It says nothing about signing a proof, which is what it does silently and without warning after generating the wallet keys.

To clarify: the claim is about the attestation made with the keybase device key, a SIGNING. It is not about the GENERATION. Generating keys on device is one cryptographic operation, one that has no external effects. The issue is that there was an attestation SIGNED by my keybase device key, and there is no consent asked for that. Indeed, I did not ever consent to that, and it happened anyway.

Read the modal. My claims are accurate. The statement that my claim is false by @malgorithms is itself demonstrably false.
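The distinction argued in the thread (local key generation has no external effect; signing a wallet attestation with the device key publishes something) and the earlier suggestion of a typed confirmation phrase can be shown together in code. The following Go program is an added illustration, not Keybase's client code: it keeps key generation and attestation signing as separate calls, and the signing step refuses unless the user typed the exact phrase. The names `GenerateWalletKey`, `SignAttestation`, `VerifyAttestation`, the `ConsentPhrase` value and the attestation byte format are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrNoConsent is returned when the attestation step is reached without an
// explicit, typed confirmation from the user.
var ErrNoConsent = errors.New("attestation refused: no explicit user consent")

// ConsentPhrase is the phrase the user must type before the device key signs
// anything that gets published (hypothetical value, mirroring the
// "generate my stellar key" suggestion in the thread).
const ConsentPhrase = "generate my stellar key"

// WalletKey is a locally generated key pair. Generating it has no external
// effect: nothing leaves the device and nothing is published.
type WalletKey struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

// GenerateWalletKey performs the purely local step: key generation.
func GenerateWalletKey() (*WalletKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &WalletKey{Public: pub, Private: priv}, nil
}

// Attestation is what gets published: a statement, signed by the device key,
// binding a wallet public key to a user. Once published it is externally
// visible, so this is the step that needs explicit consent.
type Attestation struct {
	User      string
	WalletPub string // hex-encoded wallet public key
	Signature []byte
}

// attestationBody is the byte string the device key signs (constructed format).
func attestationBody(user, walletPub string) []byte {
	return []byte("wallet-attestation:v1:" + user + ":" + walletPub)
}

// SignAttestation signs the binding with the device key only if the user typed
// the consent phrase exactly. Key generation and signing are deliberately
// separate calls so that one cannot be reached silently through the other.
func SignAttestation(devicePriv ed25519.PrivateKey, user string, wallet *WalletKey, typed string) (*Attestation, error) {
	if subtle.ConstantTimeCompare([]byte(typed), []byte(ConsentPhrase)) != 1 {
		return nil, ErrNoConsent
	}
	walletPub := hex.EncodeToString(wallet.Public)
	sig := ed25519.Sign(devicePriv, attestationBody(user, walletPub))
	return &Attestation{User: user, WalletPub: walletPub, Signature: sig}, nil
}

// VerifyAttestation is what a relying party, or the user auditing their own
// profile, runs: it checks that the device key really signed this binding.
func VerifyAttestation(devicePub ed25519.PublicKey, a *Attestation) bool {
	return ed25519.Verify(devicePub, attestationBody(a.User, a.WalletPub), a.Signature)
}

func main() {
	devicePub, devicePriv, _ := ed25519.GenerateKey(rand.Reader)
	wallet, _ := GenerateWalletKey()

	// Dismissing a modal is not the consent phrase, so no signature is produced.
	if _, err := SignAttestation(devicePriv, "alice", wallet, "OK"); err != nil {
		fmt.Println("refused:", err)
	}

	// Only the typed phrase reaches the signing step.
	att, err := SignAttestation(devicePriv, "alice", wallet, ConsentPhrase)
	if err != nil {
		panic(err)
	}
	fmt.Println("attestation valid:", VerifyAttestation(devicePub, att))
}
```

The point of the split is auditability: a client that reaches `SignAttestation` can only do so with a value the user typed, so a wallet key can exist on the device (the harmless, local step) without any signed statement about it ever being published.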

@malgorithms It's been over a month since you said we could remove the unwanted advertising from our profiles that you got paid for putting there. It's still not supported.

I'm planning on a follow-up blog post, with a video that shows the wallet creation modal flow, and plainly illustrates your attempt to debunk my accurate claims of making a SIGNATURE (not key generation) without consent.

How much money did you get paid for turning your users' profile pages into advertising?

🦗 🦗 🦗 🦗 🦗 🦗 🦗

Perhaps the client is quite aware...

On Oct 11, 2 Reiwa, at 12:59 AM, Jeffrey Paul notifications@github.com wrote:


🦗 🦗 🦗 🦗 🦗 🦗 🦗

