jdev - 2024-03-03


  1. Schimon

    moparisthebest, I will ask him to join

  2. Schimon

    moparisthebest, I think wgreenhouse told this to me.

  3. moparisthebest

    Ah ok

  4. Wirlaburla

    MUC v2

  5. lovetox

    there are 100 ways to social engineer a user to reveal his JID, personally I would simply create a few MUCs with interesting titles, and try to get the user to join, and voila, as admin of this room I have his JID

  6. singpolyma

    > As I see it, at most there should be an info message that says, "if you send adhoc commands to muc participants you can reveal your JID"

    No. If you send to MUC participants you cannot reveal your JID. But if you send to a different JID you discovered from a MUC participant, then you can.

  7. singpolyma

    Schimon: no one is going to deprecate 0045 nor would we want them to

  8. Schimon

    singpolyma, please tell me what to write instead.

  9. singpolyma

    I think the only person who really needs to know about this is lovetox (+ a psi maintainer if there still are any?)

  10. Schimon

    Psi is great. I love Psi.

  11. Schimon

    I will forward this to Psi+ maintainers who are also Psi maintainers.

  12. singpolyma

    I'm not sure if any other client even has this feature, to know if they could have something in the UI to improve or not

  13. singpolyma

    Have you also fixed slixfeed so that it at least does not get the jid of the user?

  14. singpolyma

    Having a warning is good, but not needing to show it is better 🙂

  15. Schimon

    > Have you also fixed slixfeed so that it at least does not get the jid of the user?

    No I did not. I did not find a way to do so. All I get is the real JID with no mention of the MUC JID.

  16. singpolyma

    The iq doing the disco#items get will come from the MUC jid. When it does you need to alter your reply to set jid= in the items to your own MUC jid

  17. singpolyma

    Then you will never see their real jid and it won't be possible

  18. Schimon

    I have renamed "Exploit" into "Profile", which displays JID at top, by which people can be aware of the matter.

  19. singpolyma

    And then even once gajim has a warning dialog they won't have to show it for your bot

  20. Schimon

    > The iq doing the disco#items get will come from the MUC jid. When it does you need to alter your reply to set jid= in the items to your own MUC jid

    Is this available in the slixmpp API? All I get is a "session". Though, I did not look into the result of "iq". I will check.

  21. singpolyma

    This is before the session starts. When the user fetches the list of commands

  22. singpolyma

    You probably want to customize the list of commands for each user anyway depending on permissions or settings

  23. Schimon

    I understand the process. I do not know yet where it is realized in slixmpp.

  24. Schimon

    > You probably want to customize the list of commands for each user anyway depending on permissions or settings

    Is it possible yet? https://codeberg.org/poezio/slixmpp/issues/3515

  25. singpolyma

    Well by default slix has a global static command list, which is fine for quick hacks but you'll want to replace that with something dynamic. nicoco does something for it in slidge at least

  26. Schimon

    This might be a solution to the OOP challenge I have with Slixfeed

  27. Schimon

    I will look. This might be a solution to the OOP challenge I have with Slixfeed.

  28. moparisthebest

    > there are 100 ways to social engineer a user to reveal his JID, personally I would simply create a few MUCs with interesting titles, and try to get the user to join, and voila, as admin of this room I have his JID

    lovetox: I agree but that's way different than a bot joining huge channels and harvesting JIDs

  29. Schimon

    moparisthebest, is it possible? Is it not happening only when the JID actively and voluntarily initiates an IQ request?

  30. moparisthebest

    probably not

  31. moparisthebest

    probably not, if it can happen it'd be a major security bug

  32. Schimon

    moparisthebest, do you have a sample IQ I can test this?

  33. moparisthebest

    no, if I did I'd test it myself right?

  34. Schimon

    Perhaps

  35. Schimon

    I will try to do this. If possible, I will add this to the bot.

  36. singpolyma

    > moparisthebest, is it possible?
    > Is it not happening only when the JID actively and voluntarily initiates an IQ request?

    It's only when you voluntarily send your JID to the bot, yes

  37. singpolyma

    Nothing to do with iqs

  38. singpolyma

    I mean there happen to be iqs in the flow but that's not really relevant

  39. Wirlaburla

    Have an avatar on your vCard? Congrats, you aren't anonymous.

  40. Wirlaburla

    They won't know your exact JID but they'll figure it out since they can know what public mucs you are in.

  41. Schimon

    Wirlaburla, avatar should be exposed selectively. I will send this to the mailing-list

  42. Schimon

    Wirlaburla, I think avatars should be exposed selectively. I will send this to the mailing-list

  43. singpolyma

    That's up to you and your server basically

  44. Schimon

    > They won't know your exact JID but they'll figure it out since they can know what public mucs you are in.

    Even if so, this does not mean we should not take care of issues.

  45. Wirlaburla

    I think it should be an option to disable sharing an avatar or details of the vCard in a muc. Especially if it is semi-anon.

  46. singpolyma

    semi anon is heavy on the semi. Prevents rampant spam harvesting for anyone who chooses to be worried about that, but if you want something stronger you need burner jid (or similar)

  47. singpolyma

    Wirlaburla: sure, you can do that if you want

  48. wgreenhouse

    > moparisthebest, I think wgreenhouse told this to me.

    Schimon: what are you claiming I said?

  49. moparisthebest

    >> accelerate the transfer from MUC to MIX
    > Lol what does this have to do with anything

    wgreenhouse: this top quote, from the gajim issue

  50. wgreenhouse

    yeah, not correctly attributed to me.

  51. kapad

    Schimon: as for ExploitIq, isn't it the server that must keep that leak, and not the client?

  52. singpolyma

    kapad: what server?

  53. kapad

    that host the muc

  54. singpolyma

    They are not involved

  55. singpolyma

    The client chooses to send their JID directly to the bot. It doesn't go via the MUC

  56. singpolyma

    It's not really a "leak" it's at most a social engineering opportunity

  57. kapad

    ...if you speak to the bot

  58. singpolyma

    No, not if you speak to it

  59. kapad

    just if the bot messages you?

  60. singpolyma

    If you ask it what commands it knows about, it tells you it knows about some hosted on a different JID, and then you choose to execute one of those commands by talking to that different JID

  61. singpolyma

    The UI just doesn't happen to show the jid, which means in theory you could be tricked

  62. singpolyma

    So the solution is to add the jid to the ui and/or warn before executing a command on a different jid than the one you asked about

  63. singpolyma

    (or hide commands that are for a different jid but that feels probably extreme)

  64. kapad

    can't get it, too complicated for my knowledge. I'll try to run it on myself...

  65. singpolyma

    You right click the bot in the participants list and choose execute command. The client asks the MUC to ask that participant for a list of commands to show you. The bot in this case has a bug where it replies with a list of commands but says to talk to a JID not related to the MUC in order to execute them. *If* you choose one of these commands and press execute then your client obeys and sends the request to that other JID, which then of course reveals your JID to that other JID

  66. singpolyma

    The only issue is that it's not obvious to you from the list of commands which ones are against what JID

  67. singpolyma

    The only issue is that it's not obvious to you from the list of commands which ones are against what jid

  68. kapad

    ok!

  69. kapad

    that somehow reminds me, when from Psi I chat with someone in a MUC, my MUC address is shown, but when I message him, my real JID is in the message window

  70. singpolyma

    That's only possible if you know the target's real jid, but if you do that may be an option

  71. kapad

    hmm, finally that is not happening, the sender in the dialog *is* my real JID, but finally what the other side sees is my `muc` JID. so it is confusing ...

  72. singpolyma

    Oh I see, so just confusing ui

  73. kapad

    yes. i'm happier now ... ;)

  74. Schimon

    wgreenhouse (Tue 27 Feb 2024 09:54:39 PM)
    > blocking PMs would do it
    > as IQs are PMs

    This is from mmxxx's groupchat

  75. wgreenhouse

    Schimon: I misunderstood the causation; I think singpolyma's explanation is correct

    > You right click the bot in the participants list and choose execute command. The client asks the MUC to ask that participant for a list of commands to show you. The bot in this case has a bug where it replies with a list of commands but says to talk to a JID not related to the MUC in order to execute them. *If* you choose one of these commands and press execute then your client obeys and sends the request to that other JID, which then of course reveals your JID to that other JID

  76. Schimon

    wgreenhouse, yes, this is a good explanation.

  77. wgreenhouse

    Schimon: also I never said this was a reason to move away from 0045, you likely confused me with someone else there

  78. Schimon

    > also I never said this was a reason to move away from 0045, you likely confused me with someone else there

    Please pardon me for the confusion.

  79. lovetox

    are there any strong arguments to keep supporting message receipts instead of chat markers, except for backwards compatibility with super old clients?

  80. singpolyma

    Receipts are to know if a message was received. Different use case from markers

  81. lovetox

    markers have the same capability, just not on a per-message basis

  82. singpolyma

    Right, and unless it's per message it's useless for knowing if your message was received

  83. lovetox

    I really question the per-message necessity in today's times

  84. lovetox

    it's not useless

  85. lovetox

    you send a message, you get back a received for the message, you know the message was received but not yet displayed

  86. lovetox

    why would this be useless?

  87. singpolyma

    If you received message X it means nothing about messages before X

  88. lovetox

    yes correct, I would argue nobody really wants to know that

  89. lovetox

    but I still want to know if my last message was received

  90. lovetox

    the assumption here is servers don't lose messages

  91. singpolyma

    I definitely want to know if my message is delivered or not. I'd argue it's the main thing I want to know

  92. lovetox

    but not *every* message

  93. lovetox

    it's enough if the client tells you the last message was received

  94. singpolyma

    Without delivery receipts there are so many ways a message can be silently lost

  95. lovetox

    so many assumptions need to be true to make receipts useful

  96. lovetox

    it starts with clients answering receipts

  97. lovetox

    clients answering receipts correctly

  98. lovetox

    and so on

  99. lovetox

    I can tell you that gajim never in its existence answered a receipt received via MAM

  100. lovetox

    nobody ever complained

  101. singpolyma

    Sure, if I get no receipt it *might* have still been delivered, but with one I know it was

  102. lovetox

    receipts are useless, because they depend on every developer doing 100% the right thing every time

  103. lovetox

    and *only* then you can make any assumption about if a message was lost

  104. lovetox

    but you said you want to know if a message was received, and it's not in your control

  105. lovetox

    it's in the control of the other user

  106. singpolyma

    > I can tell you that gajim never in its existence answered a receipt received via MAM

    As well it should not? Receipts are for the first device to receive (so live or offline queue)

  107. lovetox

    it's a theoretical technical capability we have in XMPP, which I would argue is dead: users don't activate it because of privacy, developers implement it incorrectly, software has bugs

  108. lovetox

    equals you get a receipt in 5% of the time

  109. lovetox

    singpolyma, I think we are firmly going in the direction that "offline message" will not be a thing anymore

  110. lovetox

    but I guess I could simply send a receipt with every received marker I send out

  111. lovetox

    and because implementing some kind of batch processing for received markers, where I send out only a received marker after 20 messages, is anyway too complicated

  112. lovetox

    it would essentially be that I answer any message with a received marker / receipt

  113. lovetox

    so not that different from now

  114. lovetox

    this would allow me to throw out at least the whole incoming receipts processing

  115. lovetox

    and just add for backwards compatibility the receipt to the received marker i send out

  116. lovetox

    another question, if I receive a message correction, do I answer with the id of the correction, or again the original message?

  117. lovetox

    display/received marker id, I mean

  118. singpolyma

    > equals you get a receipt in 5% of the time

    I get receipts basically all of the time. I have a few people on old clients that don't send them

  119. singpolyma

    I doubt anyone processes received markers, but it doesn't hurt to send them as you say, a few bytes

  120. lovetox

    and what is with replying to corrected messages

  121. lovetox

    do I reference the original or the correction

  122. lovetox

    I mean I hope we do reference the original in both cases, markers and replies ..

  123. lovetox

    but this is nowhere written down

  124. singpolyma

    original surely. corrected messages don't change the id of the original

  125. singpolyma

    just the content

  126. lovetox

    thanks