-
jc
arnaudj I'm writing the newsletter currently, will ping you once I'm done, if you'd like to translate
-
arnaudj
hi jc!
-
arnaudj
thank you for pinging me!
-
jc
Sure!
-
arnaudj
what is the estimated date of publication?
-
jc
Today, this afternoon
-
jc
We always publish on the last Friday of the month
-
jc
"always" being interpreted loosely
-
arnaudj
OK :-)
-
jc
Sorry that you don't get much time
-
jc
Ideally we should write the newsletter throughout the month
-
arnaudj
no problem
-
jc
That would also make it easier for you and require less crunch time at the end of the month
-
jc
but so far I haven't been able to get into the habit of doing it like that
-
jc
By nature I procrastinate until the last minute
-
SouL
What I wanted to add to this newsletter
-
SouL
was to mention the section of translated newsletters
-
SouL
I also wanted to translate some, so we would have more content
-
SouL
apart from French
-
arnaudj
I've added a reminder in my calendar, to put some time aside every last Friday
-
jc
cool
-
jc
Would you guys describe Movim as an XMPP client?
-
jc
Or should it be mentioned under "Other software"?
-
jc
I'm adding this month's releases
-
arnaudj
jc: I asked edhelas
-
jc
tx
-
jc
This has been a good month, lots of stuff happening
-
arnaudj
he said "other" is perhaps the best choice
-
arnaudj
since it's a bit more than a client
-
jc
ok thanks, I thought so
-
jc
arnaudj, SouL: Here's the latest newsletter https://github.com/xsf/xmpp.org/blob/newsletter-2018-11-30/content/posts/newsletter/2018-11-30.md
-
jc
I would appreciate a proofread. I'll take a break and then read it again myself
-
SouL
THe Monal..
-
SouL
Just that capital H
-
MattJ
jc, the link in the Monal part to "empty state screens" appears to have the incorrect URL
-
MattJ
It links to feeds.opkode and prompts for auth
-
jc
Thanks SouL and MattJ. Fixed
-
SouL
Sorry for not proofreading better, I'm in a meeting I can't escape :(
-
jc
no problem
-
jc
Guus is worried about this section: https://github.com/xsf/xmpp.org/pull/484/files#diff-45ce3b70f855ee8884f189d7b4742fa6R28
-
jc
That it might look like XMPP is insecure, even though their server might have been hacked in all kinds of ways unrelated to XMPP
-
jc
Any suggestions on how to change the wording?
-
jc
I personally think it's kind of OK the way it is
-
vanitasvitae
jc: are you sure iron chat is a conversations fork?
-
vanitasvitae
It doesn't look like that at all
-
jc
I read it on Twitter
-
jc
I can remove that part
-
MattJ
jc, the problem was users not verifying fingerprints, at the end of the day
-
jc
MattJ: Yes, that's mentioned in the paragraph
-
jc
That and the fact that their server (the OS) was somehow compromised
-
MattJ
Every end-to-end encryption method is vulnerable to this (you need to identify the other end somehow)
-
MattJ
No, I don't think that covers it
-
arnaudj
I read the newsletter and did not find any error
-
MattJ
OTR and OMEMO are precisely valuable because they can remain secure in the event of server compromise
-
jc
In theory
-
vanitasvitae
Wasn't there an essay by a GCHQ guy recently who proposed to make MITM the new standard way of intercepting comms?
-
jc
But as was shown here... users don't verify so they get compromised
-
MattJ
jc, in practice, if users verify fingerprints
-
jc
I think the fact that the server was compromised is relevant though
-
jc
Because it's a necessary (but not sufficient) first step
-
MattJ
In practice, they don't. And I think this is the point that should be called out in the newsletter, the server compromise is not the weak point
-
jc
Ok but did you read the paragraph? I do mention that they didn't verify
-
MattJ
As far as preventing any perception that XMPP is insecure
-
jc
I can update it further
-
jc
I'm being called for lunch now though
-
MattJ
Oh, I didn't see that when I read it earlier
-
MattJ
I'll work on an alternative proposal for that paragraph
-
MattJ
Another source online says IronChat was based on Xabber
-
MattJ
iirc the Xabber author confirmed this in xsf@
-
pep.
"jc> I think the fact that the server was compromised is relevant though" < I think it's very important to specify that, if this gets in the newsletter. Not verifying fingerprints is one thing and we know users don't care anyway but still want e2ee [blah blah], but if the server wasn't maintained by an $evil party in the first place, they would have had to break TLS. (or use the law)
-
pep.
As I understand it the police (or government entity) controlled the server, right?
-
jc
pep. yes