dentarg commented on Encrypted copies of Bitbucket SSH keys leaked   bitbucket.org/blog/ssh-ho... · Posted by u/dentarg
necovek · 2 years ago
Another point worth bringing up: it'd be nice if we set up either a PGP-like trust ring for host SSH signatures, or relied on a set of CAs like we do for TLS.

Something as simple as confirm-fingerprint-over-https (eg. look for https://ssh-host/.host-ssh-fingerprint) could work if enough ssh clients used it.
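As an added example (not part of necovek's comment, and not code from any SSH client or from Bitbucket), the check this comment sketches can be written as a small verifier: compute the OpenSSH-style SHA256 fingerprint of a host key from a known_hosts line and compare it against a fingerprint list served over HTTPS. The HTTPS fetch itself is replaced by a constructed document string so the script runs offline; the document format (one "key-type SHA256:..." entry per line), the path /.host-ssh-fingerprint, and the sample key bytes are all assumptions for illustration, not a published standard.

```python
import base64
import hashlib
import struct

# ---- Constructed sample data (not a real host key) ----
# OpenSSH encodes public key blobs as length-prefixed strings; for an
# ed25519 key that is string("ssh-ed25519") followed by string(32 raw bytes).
SAMPLE_RAW_PUBKEY = bytes(range(32))  # constructed, deterministic, not a real key


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob in OpenSSH wire format."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def parse_known_hosts_line(line: str):
    """Return (hosts, keytype, blob) from a known_hosts line.

    Handles the optional leading '@marker' field and checks that the key type
    embedded in the blob matches the declared type, so a swapped key type or a
    truncated blob is rejected instead of silently fingerprinted.
    """
    fields = line.split()
    if fields and fields[0].startswith("@"):
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line")
    hosts, keytype, b64 = fields[0], fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("declared key type does not match blob contents")
    return hosts, keytype, blob


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_published_fingerprints(document: str) -> dict:
    """Parse the assumed HTTPS document format: one 'keytype fingerprint' per line."""
    published = {}
    for raw in document.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("SHA256:"):
            continue  # ignore entries we do not understand rather than trusting them
        published[parts[0]] = parts[1]
    return published


def host_key_is_published(known_hosts_line: str, document: str) -> bool:
    """True only if the key's fingerprint equals the one published for its type."""
    try:
        _, keytype, blob = parse_known_hosts_line(known_hosts_line)
    except (ValueError, struct.error):
        return False
    expected = parse_published_fingerprints(document).get(keytype)
    return expected is not None and expected == sha256_fingerprint(blob)


def make_sample_known_hosts_line(raw_pubkey: bytes = SAMPLE_RAW_PUBKEY) -> str:
    """Constructed known_hosts line for the sample key (hostname is a placeholder)."""
    blob = build_ed25519_blob(raw_pubkey)
    return "ssh.example.invalid ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def make_sample_document(raw_pubkey: bytes = SAMPLE_RAW_PUBKEY) -> str:
    """Constructed stand-in for GET https://ssh.example.invalid/.host-ssh-fingerprint."""
    fp = sha256_fingerprint(build_ed25519_blob(raw_pubkey))
    return "# assumed format: <keytype> <fingerprint>\nssh-ed25519 " + fp + "\n"


if __name__ == "__main__":
    line = make_sample_known_hosts_line()
    doc = make_sample_document()
    print("published:", doc.strip().splitlines()[-1])
    print("matches  :", host_key_is_published(line, doc))
```

The comparison is only as strong as the HTTPS channel and the CA set behind it, which is exactly the trade-off the comment raises: this scheme borrows the WebPKI's trust anchors for SSH host keys instead of the first-use fingerprint prompt.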

dentarg · 2 years ago
dentarg commented on Heroku has been running a second copy of my scheduler instance   openfolder.sh/heroku-anti... · Posted by u/haki
dentarg · 3 years ago
Probably related to https://status.heroku.com/incidents/2531 ("On April 6, 2023, between 21:20 UTC and 22:30 UTC, our Common Runtime customers were unable to provision dynos in the US and EU regions. This issue impacted starting/scaling dynos in existing apps, one-off dynos, builds, and release phases.")
dentarg commented on The situation at LastPass may be worse than they are letting on   twitter.com/cryptopathic/... · Posted by u/wyxuan
thewebcount · 3 years ago
From what I can tell, v7 is Intel-only. That means when Apple sunsets Rosetta 2, it’s not going to work anymore. I’ll need to switch to something else before then, but hate Electron, and all the other options seem to use it (and now 1Password does, too).
dentarg · 3 years ago
From what I can tell, 1Password 7 runs native on Apple Silicon.

"file /Applications/1Password\ 7.app/Contents/MacOS/1Password\ 7" says "Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64 - Mach-O 64-bit executable x86_64] [arm64]"

Activity Monitor says that all 1Password things are of Kind "Apple" (not "Intel").

dentarg commented on Heroku April 2022 Incident Review   blog.heroku.com/april-202... · Posted by u/glennericksen
ezekg · 4 years ago
> We began investigating how the threat actor gained initial access to the environment and determined it was obtained by leveraging a compromised token for a Heroku machine account. We determined that the unidentified threat actor gained access to the machine account from an archived private GitHub repository containing Heroku source code. We assessed that the threat actor accessed the repository via a third-party integration with that repository. We continue to work closely with our partners, but have been unable to definitively confirm the third-party integration that was the source of the attack

So they still don't know how it happened.

dentarg · 4 years ago
dentarg commented on Code scanning for security vulnerabilities now available   github.blog/2020-09-30-co... · Posted by u/gibbon15
triplejjj · 5 years ago
Is the CodeQL project itself open source? I would love to contribute support for Elixir.
dentarg · 5 years ago
dentarg commented on New information about Slack’s 2015 security incident   slackhq.com/new-informati... · Posted by u/tosh
maxtaco · 6 years ago
Keybase CEO here. Let me tell a quick story. January 2019. I was loading the car to leave for a short family ski vacation when I got a truly horrifying email: that my slack account had been accessed from a distant land (that I hadn't been to).

There goes my weekend!

When we first started Keybase, we used Slack as other teams did, but were gradually moving all Slack-based workflows over to Keybase. As such, we didn't use it for anything beyond communicating when Keybase was down. But I was very worried. I knew I used a good, random, one-time password for Slack, so it couldn't have been that the password was stolen from somewhere else. Had my computer been rooted? Had my side-hustle password manager been compromised (oneshallpass.com)? I immediately contacted Slack security and asked them if this issue was on their side, and they neglected to point me to the relevant blog article from 2015 (which didn't detail the extent of the compromise, we now know). They just said they take security very seriously and hinted I was at fault.

In the subsequent few weeks, I reset all of my passwords, threw away all my computers, bought new computers, factory-reset my phone, rotated all of my Keybase devices, and reestablished everything from the ground up. It cost me a lot of time, money and stress. In the end, I was pretty sure but not 100% convinced that if I had been rooted, that the attackers couldn't follow me to my new setup. But with these things, you can really never know for sure.

I got the email today that my account might have been compromised in the attack. I would say for sure that it was compromised, and I can breathe a big sigh of relief, that was the explanation I wanted to hear all along.

It was great to know throughout this ordeal that the product we're building --- Keybase --- solves this problem in a fundamental way, not with adding further workarounds (2FA while better than just password alone, reminds me a bit of the 3-digit verification code on the back of your credit card; and if Slack's credential database is compromised again, 2FA won't help at all). With Keybase, all of your data is E2E encrypted, and your encryption keys never leave your device. A would-be attacker who compromised our database would have no ability to access any important user data.

Summary: estimated cost to me:

   - $5000 worth of hardware
   - 60 hours of labor
   - 25 hours of lost sleep
   - 10 additional hours of team effort

Fortunately:

   - Keybase does not communicate sensitive information in slack such as cap tables, financials, employment decisions or compensation discussions, team reviews, company devops secrets, stupid memes that could be taken out of context, or private DM'ing. Basically we just use a `#breaking` channel in Slack, for when we break Keybase.
   - Keybase itself is immune from this kind of break-in.

Edits: wordsmithing and improvements

Also: Import your Slack team to Keybase: https://keybase.io/slack-importer

dentarg · 6 years ago
Note that Slack has only sent the email about account access since 2018:

>Additional security features: As of January 2018, we began sending an email every time your account is accessed from a new device; this is a simpler and more immediate way for you to be aware of new logins to your account than periodically reviewing your access logs.

(Quote from the "Slack password reset" email they recently sent out to affected users.)

dentarg commented on Netflix App for iOS No Longer Supports AirPlay Because of Technical Limitations   macrumors.com/2019/04/05/... · Posted by u/_cv7i
bunnycorn · 7 years ago
That "explanation" is the biggest joke.

Seriously, why can't companies just behave normal when Apple enters a market?

dentarg · 7 years ago
Yeah, shouldn't the same logic apply to Chromecast?
dentarg commented on Netflix Kills AirPlay Support   theverge.com/2019/4/6/182... · Posted by u/_bxg1
dentarg · 7 years ago
I wonder why Chromecast wasn't killed...

u/dentarg (karma: 23, cake day: March 11, 2012)