Skip to main content

Introducing Bots on Keybase

Hi Human!

Here at Keybase, we manage our own infrastructure via “chatops.” That is, we collaborate in a chat channel where we discuss and perform deployments. Chatops is great because:

  1. the discussion and the actions are coordinated
  2. it can be done on the road, from a mobile chat interface

Here's a screengrab from my iPhone's Keybase app:

Above we see @amarcedone asking a bot for a server graph. And @joshblum deploying a program.


And then in our desktop app, a celebration of software well done:

@bottenderbot responds to a request to describe the ingredients of a Negroni

Chatops like this might sound or look familiar. But in our case, there's no dangerous man-in-the-middle.

Why this is better than plaintext

Trusting a plaintext-chat as a devops chat manager comes with 3 monster risks:

  1. a breach of it. When a script-kiddie, black hat, motorhead, geek, waistoid, or evil nation state finds their way into the chat company's infrastructure, now they are in your devops, too. As a good rule of thumb, you should act as if your chat provider's servers have been broken into.

  2. one of your team members WILL choose a weak password. It only takes one to think "Celtics2022" is secure, or to use the same password as they do on other sites.

  3. bugs. If your chat provider can read your messages, then they could give them to the wrong person.

Any team software that isn't end-to-end encrypted and authenticated shares these monster risks.

How It Works on Keybase

You can write a bot in a few lines of TypeScript/JavaScript, Go, Python, or a language of your choosing. In just a few lines, that bot can do plenty of things:

These cute little bots you write will have their own keys and sigchain—just like a baby human in the Keybase era! In other words, the bot gets end-to-end device and team management for free.

Part 2: Hosted Bots

Besides writing your own, you might wish to use 3rd party bots. Here's why:

  • you won't have to run them yourself
  • you won't have to worry about uptime
  • you can add them to any chat in a couple clicks

So Keybase has begun a directory of useful community & Keybase-authored bots. They are available from the info-pane in any chat, starting in this week's release:

And here's one in action, a super-simple bot that generates Google Meet links:

Convenient, right? This bot is a "Restricted Bot", which means it can't read what's happening in your chats—only messages directed at it:

This limits it to certain messages, as the next screen shows:

And that's it. You can add Google Meet Bot, Reminderbot, Jirabot, etc., to your teams, in just a couple clicks, and without exposing your normal messages to whoever's hosting the bot.

This is not server trust

Even a hosted bot lacks the keys to read your other messages.

When a team admin invites a bot into a channel, they announce a bot-specific key in the team's sigchain.

Only messages intended for the bot (say, prefixed with !meet) are encrypted for the bot. All other messages aren't encrypted using the key, so the bot can't read them. It can tell those messages are happening, and who is sending them, but it cannot understand them.

You can tell in the app which messages are readable by a bot, because they get this icon on them:

In short, after a couple clicks, it works.

All without letting any 3rd party read your private messages,

💖 Keybase


FAQ

What's your favorite bot on Keybase?

@hellobot. Say hi, and ask for a puzzle.

What's stopping Keybase from injecting a bot I didn't ask for into my team?

Ahhh, evil Keybase Corp. Your team members won't accept anyone into their team—bot or human—unless an admin adds them. Which, as you can imagine, is a cryptographically-signed statement. If it's a restricted bot, the addition statement says so.

Team changes are appended to an auditable, growing chain for the team.

What's wrong with passwords? And doesn't 2FA help?

⚠️ Password+2FA does absolutely nothing to protect against server break-ins or server bugs by your chat provider.

Also, it only requires one person to write their 2fa “backup codes” into gmail or a Google drive. That would be the same person who's bad at picking passwords. So your weakest link may have their passwords and their 2FA broken into, simultaneously.

But again, even if that's not a concern, it doesn't solve the server problems.

How do I write my own bot?

The easiest way is using one of our packages listed above: TypeScript/JavaScript, Go, Python.

If you prefer to write your own from scratch, you can explore Keybase's bot API with commands such as:

keybase chat api --help
keybase team api --help
# etc

If I install multiple bots in one chat, can they read each other's messages?

No, they get independently derived keys, and therefore can't snoop on each other.

Can you be more specific about the bot's keys?

Behind the scenes, the cryptography is exceedingly simple (we like that!). In Keybase, team members share a symmetric per-team key. This is a random 32-byte key that all members of the team can see. They rotate this key whenever anyone in the team revokes a device (and more frequently for exploding messages). Keybase users symmetricly encrypt all data in a chat channel using this key. When a team admin invites a bot into a channel, she derives a bot-specific key from the shared key (via HMAC-based key derivation), and encrypts this derived key for the bot's public key. Simple crypto ensures this derivation in uninvertible, so the bot learns nothing about the underlying key. You can also check out the docs for some more technical details.

All messages to and from the bot are encrypted using this derived key. People in the conversation will only encrypt messages that begin with bot-specific prefixes (like !meet) for the derived key. All human readers can derive this key from the shared team key, and therefore can decrypt the bot's outputs.

Comments

Popular posts from this blog

How to hack wifi in Windows 7/8/8.1/10 without any software | using with cmd

How to Hack Wifi password using cmd Hello Friends, In this article we will share some tricks that can help you to hack wifi password using cmd. Youcan experiment these trick with your neighbors or friends. It’s not necessarily that this trick will work with every wifi because of upgraded hardware. But you can still try this crack with wifi having old modems or routers. 1: WEP: Wired Equivalent Privacy (WEP) is one of the widely used security key in wifi devices. It is also the oldest and most popular key and was added in 1999. WEP uses 128 bit and 256-bit encryption. With the help of this tutorial, you can easily get into 128-bit encryption and Hack WiFi password using CMD. 2: WAP and WAP2: Wi-Fi Protected Access is an another version of WiFi encryption and was first used in 2003. It uses the 256-bit encryption model and is tough to hack. WAP2 is an updated version of WAP and was introduced in 2006. Since then it has replaced WAP and is now been used mostly in offices and colle...

A Beginner’s Guide to Getting Started with Bitcoin

A man looks for Bitcoin Oasis If you have heard about blockchain or cryptocurrency, then the term that initially comes to mind is Bitcoin . Launched 12 years ago, it was the late 2017 bull run that created a media frenzy that propelled Bitcoin into the mainstream and our modern day lexicon. Often labeled as the “original” cryptocurrency, Bitcoin has been the catalyst (directly and/or indirectly) behind many new innovations in the blockchain and digital asset space, most notably Ethereum and Monero . Shortly after the late 2017 bull run lost its steam, interest in these new technologies started to fade ― but here we are in 2021 with Bitcoin having risen like a phoenix from the ashes. As you would assume, an appetite for the blockchain and digital asset space has returned and now it is more important than ever that we understand what exactly is behind this unique asset, Bitcoin. This article is meant to be a guide for individuals who are new to cryptocurren...

Copilot - Microsoft is gearing up to introduce its AI companion

 Microsoft is gearing up to introduce its AI companion, Copilot, this upcoming fall season. The highly-anticipated rollout is scheduled for September 26, with Copilot poised to seamlessly integrate with various Microsoft services, including Windows 11 and Microsoft 365. Additionally, enterprise customers can look forward to the availability of a new AI assistant, Microsoft 365 Chat, starting in November. Copilot, described by Yusuf Mehdi, Corporate Vice President and Consumer Chief Marketing Officer at Microsoft, as an "everyday AI companion," aims to make your daily workflow smoother and more efficient. Its primary goal is to embed an AI-powered "copilot" within Microsoft's most popular products, ensuring widespread accessibility. What distinguishes Copilot from other AI assistants is its focus on integration. Rather than operating in isolation within specific applications, Copilot promises a seamless user experience across multiple Microsoft products. This com...