XSF Communications Team - 2018-11-30


  1. jc

    arnaudj I'm writing the newsletter currently, will ping you once I'm done, if you'd like to translate

  2. arnaudj

    hi jc!

  3. arnaudj

    thank you for pinging me!

  4. jc

    Sure! 🙂

  5. arnaudj

    what is the estimated date of publication?

  6. jc

    Today, this afternoon

  7. jc

    We always publish on the last Friday of the month

  8. jc

    "always" being interpreted loosely

  9. arnaudj

    OK :-)

  10. jc

    Sorry that you don't get much time

  11. jc

    Ideally we should write the newsletter throughout the month

  12. arnaudj

    no problem

  13. jc

    That would also make it easier for you and require less crunch time at the end of the month

  14. jc

    but so far I haven't been able to get into the habit of doing it like that

  15. jc

    By nature I procrastinate until the last minute

  16. SouL

    What I wanted to add to this newsletter

  17. SouL

    was to mention the section of translated newsletters

  18. SouL

    I also wanted to translate some, so we would have more content

  19. SouL

    apart from French

  20. arnaudj

    I've added a reminder in my calendar, to put some time aside every last Friday

  21. jc

    cool

  22. jc

    Would you guys describe Movim as an XMPP client?

  23. jc

    Or should it be mentioned under "Other software"? 🙂

  24. jc

    I'm adding this month's releases

  25. arnaudj

    jc: I asked edhelas

  26. jc

    tx

  27. jc

    This has been a good month, lots of stuff happening

  28. arnaudj

    he said "other" is perhaps the best choice

  29. arnaudj

    since it's a bit more than a client

  30. jc

    ok thanks, I thought so

  31. jc

    arnaudj, SouL: Here's the latest newsletter https://github.com/xsf/xmpp.org/blob/newsletter-2018-11-30/content/posts/newsletter/2018-11-30.md

  32. jc

    I would appreciate a proofread. I'll take a break and then read it again myself

  33. SouL

    THe Monal..

  34. SouL

    Just that capital H

  35. MattJ

    jc, the link in the Monal part to "empty state screens" appears to have the incorrect URL

  36. MattJ

    It links to feeds.opkode and prompts for auth

  37. jc

    Thanks SouL and MattJ. Fixed

  38. SouL

    Sorry for not proofreading better, I'm in a meeting I can't escape :(

  39. jc

    no problem

  40. jc

    Guus is worried about this section: https://github.com/xsf/xmpp.org/pull/484/files#diff-45ce3b70f855ee8884f189d7b4742fa6R28

  41. jc

    That it might look like XMPP is insecure, even though their server might have been hacked in all kinds of ways unrelated to XMPP

  42. jc

    Any suggestions on how to change the wording?

  43. jc

    I personally think it's kind of OK the way it is

  44. vanitasvitae

    jc: are you sure iron chat is a conversations fork?

  45. vanitasvitae

    It doesn't look like that at all

  46. jc

    I read it on Twitter

  47. jc

    I can remove that part

  48. MattJ

    jc, the problem was users not verifying fingerprints, at the end of the day

  49. jc

    MattJ: Yes, that's mentioned in the paragraph

  50. jc

    That and the fact that their server (the OS) was somehow compromised

  51. MattJ

    Every end-to-end encryption method is vulnerable to this (you need to identify the other end somehow)

  52. MattJ

    No, I don't think that covers it

  53. arnaudj

    I read the newsletter and did not find any error

  54. MattJ

    OTR and OMEMO are precisely valuable because they can remain secure in the event of server compromise

  55. jc

    In theory 🙂

  56. vanitasvitae

    Wasn't there an essay by a gchq guy recently who proposed to make mitm the new standard way of intercepting comms?

  57. jc

    But as was shown here... users don't verify so they get compromised

  58. MattJ

    jc, in practice, if users verify fingerprints

  59. jc

    I think the fact that the server was compromised is relevant though

  60. jc

    Because it's a necessary (but not sufficient) first step

  61. MattJ

    In practice, they don't. And I think this is the point that should be called out in the newsletter, the server compromise is not the weak point

  62. jc

    Ok but did you read the paragraph? I do mention that they didn't verify

  63. MattJ

    As far as preventing any perception that XMPP is insecure

  64. jc

    I can update it further

  65. jc

    I'm being called for lunch now though 🙂

  66. MattJ

    Oh, I didn't see that when I read it earlier

  67. MattJ

    I'll work on an alternative proposal for that paragraph

  68. MattJ

    Another source online says IronChat was based on Xabber

  69. MattJ

    iirc the Xabber author confirmed this in xsf@

  70. pep.

    "jc> I think the fact that the server was compromised is relevant though" < I think it's very important to specify that, if this gets in the newsletter. Not verifying fingerprints is one thing and we know users don't care anyway but still want e2ee [blah blah], but if the server wasn't under an $evil party in the first place, they would have had to break TLS. (or use the law)

  71. pep.

    "jc> I think the fact that the server was compromised is relevant though" < I think it's very important to specify that, if this gets in the newsletter. Not verifying fingerprints is one thing and we know users don't care anyway but still want e2ee [blah blah], but if the server wasn't maintained by an $evil party in the first place, they would have had to break TLS. (or use the law)

  72. pep.

    As I understand it the police (or government entity) controlled the server, right?

  73. jc

    pep. yes