XMPP Service Operators - 2020-03-28


  1. thndrbvr

    jonas’: I use riseup. Connected to we.riseup right now.

  2. thndrbvr

    Have you guys heard of EARN IT? Slimeballs in Washington DC trying to pass it while everyone's panicking and news is obsessed with the pandemic.

  3. thndrbvr

    If it somehow passes... what's everyone who's located in the USA going to do? Hope to stay under the radar and practice civil disobedience?

  4. pep.

    Yep.. it's not new that politics abuse this kind of moment where everybody is distracted to pass s@#t laws

  5. tom

    thndrbvr: what does the bill do?

  6. tom

    I'm ready to use mod_onions and tor maps should any political bs happen

  7. tom

    Oh banning end-to-end encryption

  8. tom

    I don't see how that can even affect XMPP

  9. tom

    We are decentralized by nature and enough already, and most of the clients out there are open source

  10. tom

    What's the government going to do? DMCA a github repo?

  11. tom

    A simple git clone and copying the folder to a mirror will fix that

  12. pep.

    tom, https://www.eff.org/deeplinks/2020/03/earn-it-bill-governments-not-so-secret-plan-scan-every-message-online some information here

  13. tom

    I support omemo

  14. pep.

    (and off to bed)

  15. tom

    And it auto-turns on whenever someone else does too

  16. thndrbvr

    I'm afraid they're going to find out who's running the server in question and show up with a SWAT team kicking down a person's front door and hauling them away while ransacking the place.

  17. thndrbvr

    It removes the protections under Sections 230 and the server operator would be held accountable for everything users of the platform say.

  18. thndrbvr

    We've seen this sort of thing before. Someone the gov't didn't like had an e-mail account on Lavabit and the owner shutdown the service, went to jail presumably, and spent years fighting in court in order to protect the rest of the people who had e-mail accounts there. I think they confiscated the servers but I don't recall. All because a whistleblower had encrypted e-mails.

  19. tom

    Are you hosting hardware or vps thndrbvr?

  20. tom

    https://nixnet.services/blog/vps-providers/

  21. tom

    If it passes you can migrate to non-US hosting company

  22. tom

    One that doesn't have insane copyright and crypto laws

  23. thndrbvr

    I'm running a social network. GNU Social, phpBB forums, Matrix chat, etc. I've got a dedicated server with www.orangewebsite.com which is in Iceland outside the jurisdiction of the US, CA, EU, & GB.

  24. tom

    Iceland

  25. thndrbvr

    The drives are encrypted too. But, what does any of that matter if I'm a US/CA citizen living in either of those countries?

  26. tom

    Well

  27. tom

    I've read in the news that the owner of cockli hosted their stuff in hanetzer's datacenter in germany

  28. tom

    And they had a problem with people just yanking drives out of their machine

  29. tom

    Not just once. It happened twice

  30. tom

    They said they would never use hanetzer again

  31. pep.

    hetzner? I can't find hanetzer

  32. pep.

    But cockli anyway..

  33. tom

    I wish I knew more details, like if they installed the security bezel onto their server or not

  34. tom

    Or if they were in a shared cage

  35. tom

    Or rack

  36. tom

    Hetzner yeah

  37. tom

    What kind of datacenter just allows some agent to show up, without papers or even a support ticket ahead of time, and start yanking drives out of machines

  38. tom

    To be clear no charges were even pressed against the owner of that host

  39. thndrbvr

    Wow.

  40. tom

    I thought Germany was supposed to have good privacy laws

  41. mss_cyclist

    As far as I can search it seems the drives were taken by command of a prosecutor.

  42. Martin

    A service having domains like nuke.africa probably had enough 'verfassungswidriges' (unconstitutional material) going on to get a warrant by a judge.

  43. mss_cyclist

    Yup

  44. mss_cyclist

    I guess it is not very smart to host such a server anywhere in Europe

  45. Martin

    > As far as I can search it seems the drives were taken by command of a prosecutor. Do you have a link? I hope they really had a warrant, otherwise it would be very bad even while I dislike this racism pack of cock.li.

  46. thndrbvr

    jonas’: Not to change topic but I thought I was also connected to Riseup's XMPP but I see my client is saying "server not found". I feel like they need donations

  47. tom

    Yeah hold on

  48. mss_cyclist

    Martin, Link https://www.golem.de/news/bombendrohung-per-cock-li-staatsanwaltschaft-beschlagnahmt-festplatte-bei-hetzner-1512-118169.html

  49. tom

    https://web.archive.org/web/20181019170928/https://arstechnica.com/tech-policy/2015/12/cock-li-e-mail-server-seized-by-german-authorities-admin-announces/

  50. mss_cyclist

    > I thought Germany was supposed to have good privacy laws

    Germany has/had good privacy laws. But some rights are more valuable than privacy. Whenever racism or terrorism pops up they will not hesitate to go over to investigation. But I guess most western countries will do.

  51. tom

    https://arstechnica.com/tech-policy/2016/01/cock-li-server-seized-again-by-german-prosecutor-service-moves-to-iceland/

  52. tom

    It happened two times before they switched colo providers

  53. mss_cyclist

    They obviously did not get the message 1st time

  54. tom

    » Germany has/had good privacy laws. But some rights are more valuable than privacy. Whenever racism or terrorism pops up they will not hesitate to go over to investigation. But I guess most western countries will do. That really does not mean all that much

  55. tom

    All you have to do is send a single hoax email from a provider, and all their rights go away?

  56. tom

    As long as it's related to 'terrorism'

  57. tom

    Etc etc

  58. mss_cyclist

    I guess it needs some more than one email. You are free to try it out. Maybe you can report back and then tell us the exact number

  59. tom

    I imagine: what if somebody on one of your XMPP servers said something 'racist' or made a bomb hoax to get out of an exam, what would that mean for your servers

  60. Martin

    mss_cyclist: > Martin, Link > https://www.golem.de/news/bombendrohung-per-cock-li-staatsanwaltschaft-beschlagnahmt-festplatte-bei-hetzner-1512-118169.html Thx

  61. Martin

    tom: > I imagine that what if somebody on one of your XMPP servers said something 'racist' or made bomb hoax to get out of an exam what that would mean for your servers It's not about some racist using the server, it's about being a server dedicated to racists. Look at their domains like nuke.africa

  62. mss_cyclist

    tom, that is a tricky subject. But it seems, seen from German law, that there was more than one account on the server which was questionable. But one of the searches was on behalf of US authorities

  63. tom

    Remember when lavabit shut down their servers

  64. tom

    Because 1 political dissident caused lavabit to be forced to give up their private keys

  65. Martin

    > Remember when lavabit shut down their servers Totally different case, lavabit was no service dedicated to criminals/racists.

  66. tom

    Seems like a trolling site to me

  67. mss_cyclist

    >Totally different case, lavabit was no service dedicated to criminals/racists. At least it is not intended. You never know what your users are into

  68. tom

    You could probably say the same thing about any imageboard

  69. tom

    Or free speech mailinglist

  70. Martin

    > from his Bavarian data center by the district attorney for the City of Zwickau in eastern Germany. Something is fishy with this ars technica post. Why should Zwickau be in charge for a Bavarian datacenter.

  71. jonas’

    it’s a thin line, but if you cater primarily to "trolls", you provide a safe (plausibly deniable) harbour to the real people

  72. mss_cyclist

    Zwickau is by no means Bavaria

  73. Martin

    mss_cyclist: qed

  74. Martin

    That's why I say that's fishy.

  75. thndrbvr

    While I, myself, am a person of color, and am totally against racism.. I don't think that itself is a reason for a server seizure. Anything that is public the authorities can check and I think they should go after the people who make content that promotes RL threats/violence.

  76. thndrbvr

    Serious threats, not jokes.

  77. jonas’

    Martin, if the DC operator is registered in Zwickau, Saxony and one of their DCs is in Bavaria, I don’t see what’s wrong with this.

  78. tom

    Well on their site they say that they comply with legal data requests

  79. tom

    So I don't even know why the drive seizure was needed

  80. tom

    Couldn't they have just asked the server op

  81. Martin

    > Martin, if the DC operator is registered in Zwickau, Saxony and one of their DCs is in Bavaria, I don’t see what’s wrong with this. I still think you need the Bavarian authorities to seize something in a Bavarian data center.

  82. jonas’

    tom, if the server op caters for this type of folk, they might’ve seen a risk that they would "lose" data before agreeing to hand some data over

  83. tom

    Guess that's just another reason to use full disk encryption on your servers nowadays. Make sure things go through the proper channels

  84. tom

    Martin: if you look at all of their domains it's not specifically about racism. It's just a bunch of edgy knee-jerk names designed to offend people

  85. tom

    420blaze.it goat.si national.shitposting.agency horsefucker.org

  86. Martin

    It was the racist ones that caught my eye. That reminds me that I wanted to stop federating to them…

  87. tom

    What is a cocaine ninja?

  88. Martin

    Dunno

  89. tom

    Unless you're saying the ownership of offensive or racist domains means you lose your privacy rights on Germany

  90. tom

    *in

  91. Martin

    Don't understand.

  92. tom

    Or is that just something that stuck out to you

  93. Martin

    > Or is that just something that stuck out to you

    What I told you:

    > It was the racist ones that caught my eye. That reminds me that I wanted to stop federating to them…

  94. Martin

    I don't care about their weird horsefucking stuff but I am allergic to this racism stuff.

  95. Martin

    And no, that ain't fun or trolling.

  96. Martin

    Maybe that's due to me being a german raised and educated here and in Trumpistan racism is not morally problematic but here it is a no-go.

  97. Martin

    We might have different views regarding that, I can accept that. But for me this cock.li thing crossed the line.

  98. tom

    You should probably put a list on your website or something of the servers you do not federate with

  99. tom

    For transparency purposes if you host a public server

  100. Martin

    It's a private server. And so far I have only blocked spam servers not reacting to abuse reports.

  101. tom

    I remember on the ActivityPub based federated blogs

  102. tom

    And the operator of the server I was using, random posts would disappear into the ether

  103. tom

    The ops weren't transparent about their blocklist policies

  104. tom

    I deleted my account there because I felt that was really shady

  105. tom

    It was really bad because things would just silently not appear, no indication of an error, unlike email where you'll get a bounce message like 5XX host blacklisted by dnsbl.someblacklistprovider.tld

  106. Martin

    I have no users contacting those servers, so in fact nothing would change. Maybe that's why I didn't block them yet. The servers I have blocked due to spamming are the ones from the public spam blocklist in the xmpp antispam repo.

  107. Martin

    Also a lot of spam servers fail to s2s because they have no valid certs.

  108. Martin

    Like jabber.cd or xmpp.us

  109. robertooo

    mss_cyclist: > There is a fourth: Those who do not check their backups. How do you do this?

  110. robertooo

    > Yeah, 99% of guides for Prosody are terrible

    Sounds like Prosody should write better docs then. Guides aren't needed if docs are good.

  111. tom

    Martin: did you do anything to attract spammers?

  112. tom

    I don't have a spam problem

  113. tom

    (yet anyways)

  114. Ellenor Malik

    xmpp.jp has an endogenous spam problem

  115. tom

    Although I do only allow authenticated certs as per that encrypted-s2s-only manifesto

  116. Ellenor Malik

    > robertooo has written:
    > Sounds like Prosody should write better docs then. Guides aren't needed if docs are good.

    The project's guides are pretty good but not ideal.

  117. Ellenor Malik

    tom: is that some sorta fox in your avatar?

  118. tom

    Yes

  119. Martin

    tom:

    > Martin: did you do anything to attract spammers?
    > I don't have a spam problem
    > (yet anyways)

    Not me. But spammers are targeting my server, although so far they only send to non-existing accounts. But still I report the spammers to the operator and, in case he doesn't reply, to the hosting provider.

  120. Martin

    How do you know you have no spam? Do you scan incoming messages for spam URLs?

  121. tom

    Is there any pattern to the nonexistent users?

  122. Martin

    It's always the same three accounts one is like aaaaa1zz@ or something, so looking pretty random and not like from any wordlist. Don't know how those ended up in the spamlists.

  123. Martin

    But it's good for me as it doesn't reach any existing users and I can report the spammers and let the operators remove those accounts.

  124. tom

    Well actually that's perfect

  125. tom

    Just write a hook into your server to log those known spam targets

  126. tom

    And use them as a tarpit

  127. tom

    If a server messages one of those known spam addresses you tarpit their server

  128. tom

    This can be automated

  129. tom

    Keep the connection open and only reply at like 1 bit per second to waste the spammer's resources

  130. tom

    Every file descriptor kept open is one less that can be used in a spam attack

  131. tom

    Or you could be lazy and just write a fail2ban rule

  132. tom

    Firewall them off

  133. tom

    Similar mitigation techniques to email can be used

  134. Maranda

    🤦🏼‍♂️

  135. Martin

    tom: Also good servers get spammers. I tell them, they delete them. Throttling s2s to that server would also affect innocent users.

  136. ajeremias

    mastodon has very good moderation tools.. notifying both admins of both servers.. maybe xmpp needs something like that.. how can you notify an xmpp admin?

  137. tom

    There's a xep

  138. tom

    That has the admin's contact info

  139. tom

    You query the server with a special stanza

  140. tom

    I don't know of any abuse report automation tools though