All Good Things...

Ben Ramsey - Mon, 02/06/2014 - 20:00

Over the past month or so, I have wrestled with one of the hardest decisions I’ve faced in my career. I’ve spent just over one-fourth of my professional career with Moontoast—4.5 years. This is a long time in Internet years. During my time here, I’ve learned a lot about startups, building Internet products, running in the cloud, and much more. There are great things happening at Moontoast—changes that make it a stronger, more effective company with an awesome product. It’s an exciting time to be a part of the company! For me, it’s been an excellent ride, but it’s time to move on.

I do not currently have another job lined up, though I do have a number of opportunities that are under discussion. One of the primary reasons for this career move is my lack of involvement in the greater PHP and general open source communities over the last three years. I believe my visibility and personal brand have diminished, and that’s something I want to change.

In particular, here are some areas I want to focus on:

  • Blogging: In 2009, I made 24 blog posts. In 2008, I made 27. In 2007, 43. Notice a trend? Since January 2010, I have made only 17 blog posts in four years. Blogging is a great way to position yourself as a thought leader; my lack of blogging shows that I’ve not been leading any thoughts.

  • Speaking at Conferences: I enjoy speaking at conferences. I enjoy teaching. Over the last few years, I have done very little of this, and that’s been bothering me. I want to return to the conference circuit in a big way.

  • Thought Leadership: Thought leadership is one of those areas of personal branding that helps set you apart from other speakers and writers. It’s a way of defining your niche and making you one of the “go-to” people in the industry for a particular topic. I have focused little on my personal thought leadership over the last few years, and I will be changing this. I will return my focus to APIs and HTTP, but I will be focusing more on practical integrations and real-world applications, rather than theory and design.

  • Writing a Book: I am currently working on the outline of a technical book. I hope to finish the book this year. More details on this later.

  • API and Integrations Consulting/Training: I have given thought to consulting or training on APIs and integrations. If this is something that interests you, let me know, and we can talk specifics.

  • Hacking on Open Source Software: I’ve made small contributions to the PHP core, as well as other open source projects, but I want to begin contributing even more to open source libraries, tools, and SDKs.

I’m looking forward to what the rest of the year holds for me. It’s an exciting time, and I can’t wait to get started!

In evaluating opportunities, I have been asking about potential employers’ comfort level with all of the above. As an employer, if these are things you like, encourage, and think can make your own brand stronger, then I’d love to talk to you. Feel free to reach out to me via email at ben at

Categories: Not PHP-GTK

Will Encryption Catch on With Keybase?

Ben Ramsey - Sat, 22/03/2014 - 07:14

Email is not secure. Let’s stop fooling ourselves. Just because I use Gmail, and I’m using it over HTTPS does not mean that the email I send or receive is encrypted while being transmitted outside of Google’s network. Inside Google’s network, even, the contents are not encrypted.[1] So, why do we keep sending sensitive information through email, and why do our banks and mortgage brokers and HR departments keep asking for us to send our Social Security number, bank accounts, and other private details through email?

Is it because we are oblivious, naïve, or do we just not care? I suspect it’s a little of all three, but mainly it’s because encryption is hard, and the difficulty barrier keeps us from adopting it.

The alpha launch of Keybase has got me excited. It uses the public-key cryptography (a.k.a. PGP/GnuPG) model to identify yourself, prove your identity, and allow others to vouch for your identity. I hope it paves the way to making encryption easier for us all, from the technologically-skilled to the technologically-challenged.

How Public-key Encryption Works

I want people to send me sensitive information, but I don’t want anyone else to read it while the information is traveling across the Internet. So, I create a pair of keys. One is public; I can send it to others. One is private; I should keep it secret and safe, like the most secret password I’ve ever had.

I give my public key to someone who wants to send me sensitive information, like a Social Security number. They encrypt a file using my public key and send the encrypted file to me. I can decrypt it, since I have the private key that’s paired with the public key used to encrypt the file. I’m the only one in the world who can read the file, and that’s great because I was the intended recipient.

Here’s what’s important: even if someone intercepts the file, they cannot read it because they do not have the private key to decrypt the message. Even if they have my public key, they cannot decrypt it. The information is safe!

A second benefit of encryption is that I can sign my messages to other people, using my private key. If the recipient has my public key, they can verify the signature. If the signature is bogus, they know I didn’t send the message, but if it checks out, they can be certain I sent the message. No one can forge my signature. Using the signature ensures the message hasn’t been tampered with and the recipient hasn’t been fooled into thinking they’ve received a message from me that is really spam (or worse).
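An added example, not code from the original post or from Keybase: the encrypt/decrypt and sign/verify flow described above, using Node.js's built-in crypto module. The names ben, eve, encryptFor and decryptWith and the sample messages are constructed for illustration; the output is not OpenPGP-compatible, but it follows the same hybrid shape, where a random session key encrypts the message and only that key is encrypted to the recipient's public key.

```javascript
const crypto = require("crypto");

// Constructed key pairs: "ben" is the recipient and signer, "eve" is an eavesdropper.
const newKeyPair = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const ben = newKeyPair();
const eve = newKeyPair();
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Hybrid encryption: AES-256-GCM protects the message under a random session key,
// and RSA-OAEP encrypts that session key to the recipient's public key.
function encryptFor(publicKey, plaintext) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey),
    iv, body, tag: cipher.getAuthTag(),
  };
}

// Returns the plaintext, or null when the private key does not match
// or the ciphertext was modified in transit.
function decryptWith(privateKey, msg) {
  try {
    const sessionKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
    const decipher = crypto.createDecipheriv("aes-256-gcm", sessionKey, msg.iv);
    decipher.setAuthTag(msg.tag);
    return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Signing uses the private key; anyone holding the public key can verify.
const sign = (privateKey, text) => crypto.sign("sha256", Buffer.from(text), privateKey);
const verify = (publicKey, text, sig) => crypto.verify("sha256", Buffer.from(text), publicKey, sig);

function demo() {
  const sealed = encryptFor(ben.publicKey, "SSN 000-00-0000 (constructed sample)");
  const note = "Lunch at noon. -Ben"; // constructed sample message
  const sig = sign(ben.privateKey, note);
  return {
    recipientReads: decryptWith(ben.privateKey, sealed),   // holder of the private key
    interceptorReads: decryptWith(eve.privateKey, sealed), // wrong private key
    genuine: verify(ben.publicKey, note, sig),
    tampered: verify(ben.publicKey, note.replace("noon", "midnight"), sig),
    forged: verify(ben.publicKey, note, sign(eve.privateKey, note)),
  };
}
```

Calling demo() shows that only the matching private key recovers the plaintext, and that a signature fails verification when the message is altered or when it was produced with a different private key.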

A third benefit is the web of trust. Others may validate my public key by signing it with their own key. These signatures are then added to public key servers as additional proofs that the keys in question do, in fact, belong to their real owners. This helps others know whether a signed message from me is actually coming from the real me and not just someone claiming to be me with a false key. The web of trust is decentralized, with key servers around the world.

Encryption Is Hard

While encryption provides massive benefits, it is difficult even for seasoned technologists to perform, much less everyone else. This is because the tools we use for encryption often require basic knowledge of how encryption works. Command line tools and mail and browser plugins may be used to encrypt and decrypt messages using your public/private key pair, but these tools are all afterthoughts, things that must be installed and maintained by a user who knows what they are doing.

In order to gain mass adoption of encryption, it needs to be made central to the applications and platforms we use, and we need the ability to use it easily without fully understanding it. It needs to just work.

How Keybase Fits In

I think Keybase is taking steps toward making encryption work for everyone. Keybase is like a key server with much more. I’m excited about what it could become and what it means for the technology community.

With the alpha launch, here are a few of the things Keybase provides:

  • Identity verification with your Twitter and GitHub accounts
  • Tracking of users to vouch for their identities
  • In-browser tools to help you encrypt/decrypt messages to/from other users
  • Command-line tools to help you encrypt/decrypt messages to/from other users and to streamline and make encryption easier to use (than with the standard GnuPG tools)

Will Keybase result in mass adoption of encryption? No, but it might get technologists and early adopters excited to start using encryption more regularly. The coolness factor could cause encryption to finally catch on in the tech community. Then our community will build the tools necessary to make it easier for our friends, family, and the rest of the world to use encryption.

Here are a few thoughts I gathered from my short time using Keybase.

  • Keybase allows you to upload your private key to the service for use in encrypting/decrypting through the browser. They use a JavaScript library to encrypt your private key on the client-side before sending it to their service, but you never know what some other browser plugin or cross-site scripting attack is doing with your data. I advise against this. Use the Keybase command line tools instead. This will ensure your private key is safely kept on your computer.

  • While the Keybase concept of tracking other users is similar to following from Twitter, it also allows you to sign another user’s key. This is like the web of trust I mentioned, but it doesn’t ask for a level of trust when signing the keys. In my opinion, this is a flaw in Keybase’s design. The web of trust is important to encryption. No one has been driving the web of trust forward, and that’s partly why encryption has been neglected and forgotten. Keybase is in a unique position to drive adoption of the web of trust. I think tracking should remain, but it would be a form of loose trust. I should be able to say that I fully trust another user’s key as belonging to them—maybe they gave me their public key in person, so I know without a doubt it’s theirs—and that trust would be paramount to the system.

  • Keybase is like a key server, but keys uploaded to Keybase are not distributed to the other key servers. If someone on Keybase signs my key, indicating they trust it, this is also not propagated to the other key servers. For the public-key web of trust to work, Keybase needs to play nicely with the already decentralized body of key servers.

  • I’d like to know if Keybase has any plans for physically verifying proof of one’s identity. I’m not sure how this would work in practice, but I could see it as a very useful service, helping to boost the trust level of my key and user account.

I’ve been hoping for a long time that someone would help solve the encryption problem, making it easier for everyone to use. I don’t think Keybase will solve the problem for everyone, but I do think they are raising awareness and could help generate excitement and buzz within the tech community, getting more of us to begin using encryption regularly. When we all start using encryption, then we can drive the rest of the world to use it, making all of our data and ourselves a lot safer.

Be sure to check out my profile on Keybase, and feel free to send me an encrypted message.

Disclaimer: I am not a representative of Keybase. I am just an early user of the service who is excited about what it could become.

  1. A recent announcement from Google explains that “every single email message you send or receive—100% of them—is encrypted while moving internally.”

Categories: Not PHP-GTK