XSF Communications Team - 2018-11-30


  38. jc arnaudj I'm writing the newsletter currently, will ping you once I'm done, if you'd like to translate
  39. arnaudj hi jc!
  40. arnaudj thank you for pinging me!
  41. jc Sure! 🙂
  42. arnaudj what is the estimated date of publication?
  43. jc Today, this afternoon
  44. jc We always publish on the last Friday of the month
  45. jc "always" being interpreted loosely
  46. arnaudj OK :-)
  47. jc Sorry that you don't get much time
  48. jc Ideally we should write the newsletter throughout the month
  49. arnaudj no problem
  50. jc That would also make it easier for you and require less crunch time at the end of the month
  51. jc but so far I haven't been able to get into the habit of doing it like that
  52. jc By nature I procrastinate until the last minute
  53. SouL What I wanted to add to this newsletter
  54. SouL was to mention the section of translated newsletters
  55. SouL I also wanted to translate some, so we would have more content
  56. SouL apart from French
  57. arnaudj I've added a reminder in my calendar, to put some time aside every last Friday
  58. jc cool
  59. jc Would you guys describe Movim as an XMPP client?
  60. jc Or should it be mentioned under "Other software"? 🙂
  61. jc I'm adding this month's releases
  66. arnaudj jc: I asked edhelas
  67. jc tx
  68. jc This has been a good month, lots of stuff happening
  69. arnaudj he said "other" is perhaps the best choice
  70. arnaudj since it's a bit more than a client
  71. jc ok thanks, I thought so
  72. jc arnaudj, SouL: Here's the latest newsletter https://github.com/xsf/xmpp.org/blob/newsletter-2018-11-30/content/posts/newsletter/2018-11-30.md
  73. jc I would appreciate a proofread. I'll take a break and then read it again myself
  74. SouL THe Monal..
  75. SouL Just that capital H
  76. MattJ jc, the link in the Monal part to "empty state screens" appears to have the incorrect URL
  77. MattJ It links to feeds.opkode and prompts for auth
  78. jc Thanks SouL and MattJ. Fixed
  79. SouL Sorry for not proofreading better, I'm in a meeting I can't escape :(
  80. jc no problem
  82. jc Guus is worried about this section: https://github.com/xsf/xmpp.org/pull/484/files#diff-45ce3b70f855ee8884f189d7b4742fa6R28
  83. jc That it might look like XMPP is insecure, even though their server might have been hacked in all kinds of ways unrelated to XMPP
  84. jc Any suggestions on how to change the wording?
  85. jc I personally think it's kind of OK the way it is
  86. vanitasvitae jc: are you sure iron chat is a conversations fork?
  87. vanitasvitae It doesn't look like that at all
  88. jc I read it on Twitter
  89. jc I can remove that part
  90. MattJ jc, the problem was users not verifying fingerprints, at the end of the day
  91. jc MattJ: Yes, that's mentioned in the paragraph
  92. jc That and the fact that their server (the OS) was somehow compromised
  93. MattJ Every end-to-end encryption method is vulnerable to this (you need to identify the other end somehow)
  94. MattJ No, I don't think that covers it
  95. arnaudj I read the newsletter and did not find any error
  96. MattJ OTR and OMEMO are precisely valuable because they can remain secure in the event of server compromise
  97. jc In theory 🙂
  98. vanitasvitae Wasn't there an essay by a GCHQ guy recently who proposed to make MITM the new standard way of intercepting comms?
  99. jc But as was shown here... users don't verify so they get compromised
  100. MattJ jc, in practice, if users verify fingerprints
  101. jc I think the fact that the server was compromised is relevant though
  102. jc Because it's a necessary (but not sufficient) first step
  103. MattJ In practice, they don't. And I think this is the point that should be called out in the newsletter, the server compromise is not the weak point
  104. jc Ok but did you read the paragraph? I do mention that they didn't verify
  105. MattJ As far as preventing any perception that XMPP is insecure
  106. jc I can update it further
  107. jc I'm being called for lunch now though 🙂
  108. MattJ Oh, I didn't see that when I read it earlier
  109. MattJ I'll work on an alternative proposal for that paragraph
  110. MattJ Another source online says IronChat was based on Xabber
  111. MattJ iirc the Xabber author confirmed this in xsf@
  114. pep. "jc> I think the fact that the server was compromised is relevant though" < I think it's very important to specify that, if this gets in the newsletter. Not verifying fingerprints is one thing and we know users don't care anyway but still want e2ee [blah blah], but if the server wasn't under an $evil party in the first place, they would have had to break TLS. (or use the law)
  115. pep. "jc> I think the fact that the server was compromised is relevant though" < I think it's very important to specify that, if this gets in the newsletter. Not verifying fingerprints is one thing and we know users don't care anyway but still want e2ee [blah blah], but if the server wasn't maintained by an $evil party in the first place, they would have had to break TLS. (or use the law)
  116. pep. As I understand it the police (or government entity) controlled the server, right?
  118. jc pep. yes