XMPP Service Operators - 2020-03-28

jonas’: I use riseup. Connected to we.riseup right now.

Have you guys heard of EARN IT? Slimeballs in Washington DC trying to pass it while everyone's panicking and news is obsessed with the pandemic.

If it somehow passes... what's everyone who's located in the USA going to do? Hope to stay under the radar and practice civil disobedience?

Yep.. it's not new that politics abuse this kind of moment where everybody is distracted to pass s@#t laws

thndrbvr: what does the bill do?

I'm ready to use mod_onions and tor maps should any political bs happen

Oh banning end-to-end encryption

I don't see how that can even effect XMPP

We are decentralized by nature and enough already, and most of the clients out there are open source

What's the government going to do? DMCA a github repo?

A simple git clone and copying the folder to a mirror will fix that

tom, https://www.eff.org/deeplinks/2020/03/earn-it-bill-governments-not-so-secret-plan-scan-every-message-online some information here

I support omemo

(and off to bed)

And it auto-turns on whenever someone else does too

I'm afraid they're going to find out who's running the server in question and show up with a SWAT team kicking down a person's front door and hauling them away while ransacking the place.

It removes the protections under Sections 230 and the server operator would be held accountable for everything users of the platform say.

We've seen this sort of thing before. Someone the gov't didn't like had an e-mail account on Lavabit and the owner shutdown the service, went to jail presumably, and spent years fighting in court in order to protect the rest of the people who had e-mail accounts there. I think they confiscated the servers but I don't recall. All because a whistleblower had encrypted e-mails.

Are you hosting hardware or vps thndrbvr?

https://nixnet.services/blog/vps-providers/

If it passes you can migrate to non-US hosting company

One that doesn't have insane copyright and crypto laws

I'm running a social network. GNU Social, phpBB forums, Matrix chat, etc. I've got a dedicated server with www.orangewebsite.com which is in Iceland outside the jusidiction of the US, CA, EU, & GB.

Iceland

The drives are encrypted too. But, what does any of that matter if I'm a US/CA citizen living in either of those countries?

Well

I've read in the news that the owner of cockli hosted their stuff in hanetzer's datacenter in germany

And they had a problem with people just yanking drives out of their machine

Not just ounce. It happened twice

They said they would never used hanetzer again

hetzner? I can't find hanetzer

But cockli anyway..

I wish I knew more details, like if they installed the security bezel onto their server or not

Or if they were in a shared cage

Or rack

Hetzner yeah

What kind of datacenter just allows some agent to show up, without papers or even a support ticket head of time, and start yanking drives out of machines

To be clear no charges were even pressed against the owner of that host

Wow.

I thought Germany was supposed to have good privacy laws

As far as I can search it seems the drives were taken by command of a prosecutor.

A service having domains like nuke.africa probably had enough 'verfassungswidriges' going on to get a warrant by a judge.

Yup

I guess it is not very smart to host such a server anywhere in Europe

> As far as I can search it seems the drives were taken by command of a prosecutor. Do you have a link? I hope they really had a warrant, otherwise it would be very bad even while I dislike this racism pack of cock.li.

jonas’: Not to change topic but I thought I was also connected to Riseup's XMPP but I see my client is saying "server not found". I feel like they need donations

Yeah hold on

Martin, Link https://www.golem.de/news/bombendrohung-per-cock-li-staatsanwaltschaft-beschlagnahmt-festplatte-bei-hetzner-1512-118169.html

https://web.archive.org/web/20181019170928/https://arstechnica.com/tech-policy/2015/12/cock-li-e-mail-server-seized-by-german-authorities-admin-announces/

>I thought Germany was supposed to have good privacy laws Germany has/had good privacy laws. But some rights are more valuable than privacy. Whenever racism or terrorism pops up they will not hesitate to go over to investigation. But I guess most western countries will do.

https://arstechnica.com/tech-policy/2016/01/cock-li-server-seized-again-by-german-prosecutor-service-moves-to-iceland/

It happened two times before they switches colo providers

They obviously did not get the message 1st time

» Germany has/had good privacy laws. But some rights are more valuable than privacy. Whenever racism or terrorism pops up they will not hesitate to go over to investigation. But I guess most western countries will do. That really does not mean all that much

All you have to do is send a single hoax email from a provider, and all their rights go away?

As long as it's related to 'terrorism'

Etc etc

I guess it needs some more than one email. You are free to try it out. Maybe you can report back and then tell us the exact number

I imagine that what if somebody on one of your XMPP servers said something 'racist' or made bomb hoax to get out of an exam what that would mean for your servers

mss_cyclist: > Martin, Link > https://www.golem.de/news/bombendrohung-per-cock-li-staatsanwaltschaft-beschlagnahmt-festplatte-bei-hetzner-1512-118169.html Thx

tom: > I imagine that what if somebody on one of your XMPP servers said something 'racist' or made bomb hoax to get out of an exam what that would mean for your servers It's not about some racist using the server, it's about being a server dedicated to racists. Look at their domains like nuke.africa

tom, that is a tricky subject. But it seems, seen from German law, that there were more than one accounts on the server which were questionable. But one of the searchings was on behalf of us authorities

Remember when lavabit shut down their servers

Because 1 political dissident caused lavabit to be forced to give up their private keys

> Remember when lavabit shut down their servers Totally different case, lavabit was no service dedicated to criminals/racists.

Seems like a trolling site to me

>Totally different case, lavabit was no service dedicated to criminals/racists. At least it is not intended. You never know what your users are into

You could probably say the same thing about any imageboard

Or free speech mailinglist

> from his Bavarian data center by the district attorney for the City of Zwickau in eastern Germany. Something is fishy with this ars technica post. Why should Zwickau be in charge for a Bavarian datacenter.

it’s a thin line, but if you cater primarily to "trolls", you provide a safe (plausible deniable) harbour to the real people

Zwickau is by no means Bavaria

mss_cyclist: qed

That's why I say that's fishy.

While I, myself, am a person of color, and am totally against racism.. I don't think that itself is a reason for a server seizure. Anything that is public the authorities can check and I think they should go after the people who make content that promotes RL threats/violence.

Serious threats, not jokes.

Martin, if the DC operator is registered in Zwickau, Saxony and one of their DCs is in Bavaria, I don’t see what’s wrong with this.

Well on their site they say that they comply with legal data requests

So i don't even know why the drive seize was nedded

Couldn't they have just asked the server op

> Martin, if the DC operator is registered in Zwickau, Saxony and one of their DCs is in Bavaria, I don’t see what’s wrong with this. I still think you need the Bavarian authorities to seize something in a Bavarian data center.

tom, if the server op caters for this type of folk, they might’ve seen a risk that they would "lose" data before agreeing to hand some data over

Guess that's just another reason to use full disk encryption on your servers nowadays. Make sure things go through the proper channels

Martin: if you look at all of their domains it's not specifically about racism. It's just a bunch of edgy knee-jerk names designed to offend people

420blaze.it goat.si national.shitposting.agency horsefucker.org

It were the racist ones catching my eye. That reminds me that I wanted to stop federating to them…

What is a cocaine ninja?

Dunno

Unless your saying the ownership of offensive or racist domains means you lose your privacy rights on germany

*in

Don't understand.

Or is that just something that stuck out to you

> Or is that just something that stuck out to you What I told you > It were the racist ones catching my eye. That reminds me that I wanted to stop federating to them…

I don't care about their weird horsefucking stuff but I am allergic to this racism stuff.

And no, that ain't fun or trolling.

Maybe that's due to me being a german raised and educated here and in Trumpistan racism is not morally problematic but here it is a no-go.

We might have different views regarding that, I can accept that. But for me this cock.li thing crossed the line.

You should probably put a list of servers on your website or something of servers you do not federate with

For transparency purposes if you host a public server

It's a private server. And so far I have only blocked spam servers not reacting to abuse reports.

I remember on the ActivityPub based federated blogs

And the operator of the server i was using, random posts would dissapear into the ether

The ops wasn't transparent about their blocklist policies

I deleted my account there because I felt that was really shady

It was really bad because things would just silently not appear, no indication of an error, unlike email where you'll get a bounce message like 5XX host blacklisted by dnsbl.someblacklistprovider.tld

I have no users contacting those servers, so in fact nothing would change. Maybe that's why I didn't block them yet. The servers I have blocked due to spamming are the ones from the public spam blocklist in the xmpp antispam repo.

Also a lot of spam servers fail to s2s because they have no valid certs.

Like jabber.cd or xmpp.us

mss_cyclist: > There is a fourth: Those who do not check their backups. How do you do this?

> Yeah, 99% of guides for Prosody are terrible Sounds like a Prosody should write better docs then. Guides aren't needed if docs are good.

Martin: did you do anything to attract spammers?

I don't have a spam problem

(yet anyways)

xmpp.jp has an endogenous spam problem

Although I do only allow authenticated certs as per that encrypted-s2s-only manifesto

> robertooo has written: > Sounds like a Prosody should write better docs then. Guides aren't needed if docs are good. The project's guides are pretty good but not ideal.

tom: is that some sorta fox in your avatar?

Yes

tom: > Martin: did you do anything to attract spammers? > I don't have a spam problem > (yet anyways) Not me. But spammers targetting my server, although so far they only send to non existing accounts. But still I report the spammers to the operator and in case he doesn't reply to the hoster.

How do you know you have no spam? Do you scan incoming messages for spam URLs?

Is there any pattern to nonexistant users?

It's always the same three accounts one is like aaaaa1zz@ or something, so looking pretty random and not like from any wordlist. Don't know how those ended up in the spamlists.

But it's good for me as it doesn't reach any existing users and I can report the spammers and let the operators remove those accounts.

Well actually that's perfect

Just write a hookin to your server to log those known spam targets

And use them as a tarpit

If a server messages one of those known spam addresses you tarpit their server

This can be automated

Keep the connection open and only reply at like 1/bit per second to waste the spammer's resources

Every file descriptor kept open is open less than can be used in a spam attack

Or you could be lazy and just write a fail2ban rule

Firewall them off

Similar mitigation techniques to email can be used

🤦🏼‍♂️

tom: Also good servers get spammers. I tell them, they delete them. Throttling s2s to that server would also affect innocent users.

mastodon has very good moderation tools.. notifying both admins of both servers.. maybe xmpp needs something like that.. how can u notify an xmpp admin?

There's a xep

That has the admins's contact info

You query the server with a special stanza

I don't know of any abuse report automation tools though