-
dwd
Board, anyone? I think Laura is still in a meeting that's running over.
-
ralphm
hi
-
dwd
Just us, then.
-
dwd
bear, ?
-
dwd
Oh, well. ralphm - anything happening with the Summit? And anything you need help with?
-
ralphm
nothing I can think of
-
ralphm
Just got some stickers delivered
-
Kev
Excellent. We like stickers
-
ralphm
They look great
-
andy
http://upload.strb.org:8081/bOdqEobC58xhgApH2NtkknvDG9s/uAzVHRT6YH8q4/97f14f1b7506484fa57532112ca25509.jpg
- andy is bringing stickers, too
-
andy
:)
-
andy
I'll be at FOSDEM on saturday, if anybody wants an OMEMO fish sticker :P
-
SamWhited
andy: Now I'm really sad I won't be there!
-
andy
SamWhited, give me your address and I'll mail you some
-
SamWhited
andy: Appreciated, but that's okay, probably not worth it to mail them all the way from the other side of the pond :)
-
SamWhited
(and I'm moving this weekend and am not entirely sure what my new address is anyways…)
-
kalkin
andy: they look awesome!
-
ralphm
SamWhited: never to late to book a ticket
-
ralphm
too late
- SamWhited tries to decide if an OMEMO sticker and some ribs are worth ~900 USD…
-
kalkin
SamWhited: Yeah we all could share a beer in Brussels on saturday :)
-
kalkin
SamWhited: let your company pay it. It's hmm .... an educational trip!
-
kalkin
:)
-
SamWhited
kalkin: They might, I haven't asked; I'm actually just really busy right now. I probably should have asked at least a month in advance though
-
ralphm
SamWhited: so no hipchat people at all?
-
SamWhited
ralphm: I don't think so; I was hoping the Jitsi guys were going to go, but I think they said something about doing something else that week too
-
SamWhited
We'll see; I'll ask my boss about it.
-
kalkin
SamWhited: 👍
-
ralphm
Jitsi used to do the Lounge with us, really sad they cancelled for this year
-
SamWhited
ralphm: Yah, I think they were pretty upset about that too. I know Emil was looking forward to it.
- ralphm nods
-
winfried
ralphm: who will be contacting aloft?
-
thorsten
Is here a party planning?
-
ralphm
I'd be happy to do that, but the list on the wiki isn't really filling up. Unless this is all, which would be disappointing
-
winfried
last call on the mailing list?
-
ralphm
winfried: yeah
-
ralphm
I'll try to do that today
-
andy
SamWhited, international postage is literally under 1 euro. I don't mind. It would probably just take a while to get there. But I've printed up way more stickers than I can possibly use anyway ;)
-
SamWhited
andy: Awesome! Sounds good then.
-
thorsten
andy: omemo stickers? ;)
-
Flow
dwd: how are PEP nodes with access-model roster related to privacy lists? Or did I get your comment in council@ wrong?
-
Lance
Flow: servers generally already have an implementation for doing access controls based on roster groups, because of pep/pubsub. so it shouldn't be too much additional complexity for a server to also implement roster group blocking if that is added to the blocking xep
-
Flow
Lance: I see, the question still is if we want that
- Lance nods
-
Flow
I'd like the idea of an ad-hoc based blocking xep
-
Flow
so servers can implement what they want
-
Flow
and the client UI would be more or less similar, no matter which client is used
-
Flow
that, and remove the "list" from privacy lists and then most people would be happy I believe
-
Flow
What I wonder is, if we need a mechanism to inform the user about blocked stanzas/messages, and if so, what it should look like
-
Zash
Flow: What direction?
-
Lance
that is already in the blocking xep, iirc, for outgoing things that are to blocked users
-
Lance
i would not expect to be informed that someone blocked you, if you try sending a stanza to them
-
Flow
Zash: incoming
-
Flow
i.e. a blocked entity sends you a message
-
Lance
oh, that direction
-
Zash
That ... that's weird
-
Flow
but I always believe that the solution should be similar to what we do with email these days
-
Flow
i.e. a spam folder
-
Flow
and that's most likely not related to blocking
-
Zash
Did y'all see my post to the list?
-
Flow
because if you block someone you usually really do not want to receive anything from him/her
-
Flow
Zash: hard to tell :)
-
Zash
well, it was to operators because I replied to stpeter who posted to operators
-
Zash
Probably would have made sense to reply to standards@ too
-
Lance
Zash: +1, the current reporting mechanisms are not really aimed for use by end users
-
Zash
XEP-0287 which was mentioned seems to assume we already have the filtering in place
-
Flow
Zash: I do believe you can use xep287 without filtering
-
Flow
a server could always add <report/> and let the client report spim
-
Flow
or maybe even report spim over s2s
-
Flow
isn't that what you wanted? an easy way to report spim?
-
Zash
I'm a bit tired but it is not obvious to me how that would work
-
Zash
I was thinking something simple like this https://www.zash.se/simply-report-spam.html
-
Lance
+1. Add a user enterable description/reason, and maybe allow forwarding the original stanza
-
Flow
or use the stanza-id to link the original stanza
-
Flow
Zash: that does look similar to xep287 spim report
-
Zash
I wrote this before I saw 287
-
Flow
(which should also use xep359 IDs to link the spim stanza)
-
Zash
Flow: IDs assume that the server has those stored.
-
Zash
I don't want to assume that
-
Zash
I also don't want to attach more data to every stanza if it can be avoided
-
Flow
optional
-
Lance
The main thing lacking from 287 is optional user provided feedback, and ability to send a report without requiring a server to stamp additional data into stanzas for that purpose.
-
Lance
It's about more than just spam, we need a way for users to report harassment and other policy violations that aren't strictly spim
-
Lance
Which might not be the result of a single, particular stanza
-
Zash
Yeah
-
Lance
Arguably covered by http://xmpp.org/extensions/xep-0157.html
-
Lance
but it would be nice to have a more structured query, to ensure that the abuser jid is included correctly
-
Zash
Sounds like what I had in mind for the thing above :)
-
Lance
yep! just add a user comment field and i'd +1 it
-
Lance
the remaining question would be where to send it
-
Zash
To something that supports it
-
Zash
Either the bare server jid, your own account or maybe a remote thing that accepts reports
-
dwd
Flow, You've got to do group-lookup by jid to do the access-model anyway, so the privacy list additions in terms of code would not be huge.
-
dwd
Zash, Lance - I'd seriously look at STIX/IODEF for the reporting. I really don't like reinventing the wheel, and given they're both XML anyway it makes sense.
-
Zash
dwd: But NIH!! And huge XML spec
-
fippo
dwd: but isn't xml out of fashion?
-
Lance
yeah, i'd prefer to keep things simpler for clients to implement / users to use. use iodef/stix for inter-server reporting
-
Zash
You could write an informational spec that describes the absolute minimum of IODEF you would need as a client
-
Flow
I guess that absolute minimum would be something like xep287 reporting or simply-report-spam.
-
ralphm
and/or creating a mapping to it from a custom protocol you define. We did something similar with things like geoloc
-
stpeter
I'll note that we did have a bespoke format for the inter-server reporting earlier on and I changed it to IODEF because of standards compliance & existing code libraries. Zash is right that we could define a slimmed down profile of IODEF for client-to-server reporting, although a simple command that forwards a message and flags it as abusive doesn't seem completely wrong.
- ralphm nods
-
Flow
don't forget about the use case where you just want to report a malicious jid
-
Lance
Given the importance of the feature, I'm in favor of whatever will lead to clients and servers actually implementing it, and a simpler spec seems best for that.
-
Flow
such report should come optionally with a stanza in question (or a link to its id) and a more detailed reason (spam, harassment, fraud, ...)
-
Flow
Lance: exactly my thought
-
stpeter
sure, I don't disagree
-
stpeter
Flow: don't we know that a JID is malicious based on a particular stanza? (message, presence invite, etc.)
-
Flow
stpeter: not sure, if there is always a stanza to report at hand
-
Flow
but anyway the information that matters most is the JID, all other information (stanza, exact reason, ...) should be optional IMHO
-
stpeter
Sure.
-
stpeter
Flow: yes, I think you're right - and let's keep the reporting as simple as possible
-
Kev
> Flow: don't we know that a JID is malicious based on a particular stanza? (message, presence invite, etc.)
Not really. <body>Hi there!</body> isn't malicious. Once. By the hundredth time they probably are as a set.
-
Lance
I've started some conversations with people working on abuse handling problems on various social media, and have gotten some useful feedback that I'll write up and send to standards@
-
Lance
One of the interesting points is that blocking really needs a sharing component to really do the job of mitigating/preventing abuse. otherwise the user has to receive & react to everything. (Which could be a substantial amount on other networks)
-
Lance
So at minimum, opening up my blocklist to let people on my roster see it would be a big help. Even better would be a way to make incorporating friends' block lists automatic (subscriptions?)
-
stpeter
huh interesting
-
Lance
federation makes things harder, of course :/, but there are other things to automatically filter on, such as age of accounts
-
Lance
most of that information would only be available inside each service, though
-
fippo
age of account... we tried that in psyc ~2003 lance :-)
-
Lance
fippo: as is tradition
-
fippo
it is still somewhat useful if the remote server is not evil. e.g. the case of a "public server" that gets abused
-
stpeter
I don't think that most XMPP servers have kept track of that
-
stpeter
although this account I'm using goes back to 1999 :P
-
narcode
:D
-
narcode
nice
-
stpeter
I'm still intrigued by reputation systems but I don't know if they're truly useful in practice ... http://xmpp.org/extensions/xep-0275.html
-
narcode
looks complicated but could be really accurate
> For each room in which the user is banned (XEP-0045 "outcast"), divide the room's reputation by 10 and decrement the user's score by the result
-
Lance
my server always returns a score of 100 for me, naturally :p
-
Lance
but I think that aside from 1) making it easy for users to report and 2) making it easier to populate block lists based on my network of friends, it's a service operations problem, and not a protocol one
-
Lance
as in, new protocols won't solve things. operational work is needed
-
fippo
so apparently i've been logged in five years with one account and four years with the other since that feature was implemented. but that is way too little, probably there is a bug in the counting!
-
fippo
reputation systems can make sense if we assume that it is evil clients abusing an open server
-
stpeter
fippo: I think we have a mix of evil servers (less common) and evil clients abusing open servers
-
stpeter
e.g., I'm pretty sure that buycc.me was/is an evil server
-
fippo
right. but there is quite some value in "public servers" (I have a hard time avoiding the term "open relay") coordinating against spam from evil clients
-
stpeter
yes
-
stpeter
by public server you mean a server that allows essentially anyone to register an account?
-
fippo
yeah.
-
stpeter
nod