<jc> arnaudj I'm writing the newsletter currently, will ping you once I'm done, if you'd like to translate
<arnaudj> hi jc!
<arnaudj> thank you for pinging me!
<arnaudj> what is the estimated date of publication?
<jc> Today, this afternoon
<jc> We always publish on the last Friday of the month
<jc> "always" being interpreted loosely
<jc> Sorry that you don't get much time
<jc> Ideally we should write the newsletter throughout the month
<jc> That would also make it easier for you and require less crunch time at the end of the month
<jc> but so far I haven't been able to get into the habit of doing it like that
<jc> By nature I procrastinate until the last minute
<SouL> What I wanted to add to this newsletter
<SouL> was to mention the section of translated newsletters
<SouL> I also wanted to translate some, so we would have more content
<SouL> apart from French
<arnaudj> I've added a reminder in my calendar, to put some time aside every last Friday
<jc> Would you guys describe Movim as an XMPP client?
<jc> Or should it be mentioned under "Other software"? 🙂
<jc> I'm adding this month's releases
<arnaudj> jc: I asked edhelas
<jc> This has been a good month, lots of stuff happening
<arnaudj> he said "other" is perhaps the best choice
<arnaudj> since it's a bit more than a client
<jc> ok thanks, I thought so
<jc> arnaudj, SouL: Here's the latest newsletter https://github.com/xsf/xmpp.org/blob/newsletter-2018-11-30/content/posts/newsletter/2018-11-30.md
<jc> I would appreciate a proofread. I'll take a break and then read it again myself
<SouL> Just that capital H
<MattJ> jc, the link in the Monal part to "empty state screens" appears to have the incorrect URL
<MattJ> It links to feeds.opkode and prompts for auth
<jc> Thanks SouL and MattJ. Fixed
<SouL> Sorry for not proofreading better, I'm in a meeting I can't escape :(
<jc> Guus is worried about this section: https://github.com/xsf/xmpp.org/pull/484/files#diff-45ce3b70f855ee8884f189d7b4742fa6R28
<jc> That it might look like XMPP is insecure, even though their server might have been hacked in all kinds of ways unrelated to XMPP
<jc> Any suggestions on how to change the wording?
<jc> I personally think it's kind of OK the way it is
<vanitasvitae> jc: are you sure IronChat is a Conversations fork?
<vanitasvitae> It doesn't look like that at all
<jc> I read it on Twitter
<jc> I can remove that part
<MattJ> jc, the problem was users not verifying fingerprints, at the end of the day
<jc> MattJ: Yes, that's mentioned in the paragraph
<jc> That and the fact that their server (the OS) was somehow compromised
<MattJ> Every end-to-end encryption method is vulnerable to this (you need to identify the other end somehow)
<MattJ> No, I don't think that covers it
<arnaudj> I read the newsletter and did not find any error
<MattJ> OTR and OMEMO are precisely valuable because they can remain secure in the event of server compromise
<jc> In theory 🙂
<vanitasvitae> Wasn't there an essay by a GCHQ guy recently who proposed to make MITM the new standard way of intercepting comms?
<jc> But as was shown here... users don't verify so they get compromised
<MattJ> jc, in practice, if users verify fingerprints
<jc> I think the fact that the server was compromised is relevant though
<jc> Because it's a necessary (but not sufficient) first step
<MattJ> In practice, they don't. And I think this is the point that should be called out in the newsletter, the server compromise is not the weak point
<jc> Ok but did you read the paragraph? I do mention that they didn't verify
<MattJ> As far as preventing any perception that XMPP is insecure
<jc> I can update it further
<jc> I'm being called for lunch now though 🙂
<MattJ> Oh, I didn't see that when I read it earlier
<MattJ> I'll work on an alternative proposal for that paragraph
<MattJ> Another source online says IronChat was based on Xabber
<MattJ> iirc the Xabber author confirmed this in xsf@
<pep.> "jc> I think the fact that the server was compromised is relevant though" < I think it's very important to specify that, if this gets in the newsletter. Not verifying fingerprints is one thing and we know users don't care anyway but still want e2ee [blah blah], but if the server wasn't under an $evil party in the first place, they would have had to break TLS. (or use the law)
<pep.> "jc> I think the fact that the server was compromised is relevant though" < I think it's very important to specify that, if this gets in the newsletter. Not verifying fingerprints is one thing and we know users don't care anyway but still want e2ee [blah blah], but if the server wasn't maintained by an $evil party in the first place, they would have had to break TLS. (or use the law)
<pep.> As I understand it the police (or government entity) controlled the server, right?