XMPP Service Operators

tom 03:44:02
Apparently Zoom is based on XMPP. yet another evil tech corp taking free software & open interoperable standards, ripping out the interoperability, and adding in spyware https://upload.nuegia.net/e33e0872-eda4-49c3-9dd2-715e668c98a1/screenshot.png
tom 03:54:23
» Elastic Search, Elastic cache, DynamoDB, SQS and S3 I can't think of why these tools would be required to running an XMPP server
tom 03:54:49
My guess is that they are storing absolutely EVERYTHING to an amazon S3 bucket
tom 03:54:53
Even videocalls
tom 03:55:07
Running ""analytics"" on them
tom 03:55:33
Did you know that Egypt was found to record ALL IP traffic egressing the country to disk?
tom 04:06:34
» Running ""analytics"" on them to """improve our services"""
thndrbvr 04:17:20
Zoom has also said they want to be able to share everything with the US gov't. They kept flip flopping with how any sort of encryption was being done.
tom 04:21:13
Sooner or later that giant bucket of userdata is going to leak
tom 04:21:20
Especially with their security track record
tom 04:21:43
It will probably be the next Cambridge analytica
tom 04:21:46
Possibly worse
tom 04:22:23
I'm tempted to download the binary on a separate machine, do a little blackboxing myself. Maybe throw it into Ghirda
stvn 13:22:04
Prosody or ejabberd ?
Licaon_Kter 13:22:44
stvn: yes...
stvn 13:22:56
Haha, so both are good ?
Licaon_Kter 13:23:30
stvn: yes, depends on stuff, what's your usecase?
stvn 13:23:56
Personal server, vps hosted, id also open registration for other people to use
stvn 13:25:24
thndrbvr: now on zoom you have to pay for e2e
MattJ 13:33:42
stvn: running a public server involves some amount of work - dealing with spammers, and so on
MattJ 13:34:35
I'd recommend against it generally, unless you're really prepared for that
a 13:34:52
or not dealing with spammers at all
a 13:35:18
~~I was told about day Tigase can automatically detect and block spam accounts~~ ✎
a 13:35:27
I was told another day Tigase can automatically detect and block spam accounts ✏
a 13:35:40
sadly I don't use Tigase
MattJ 13:36:21
Not sure what Tigase does exactly, but Prosody has similar capabilities
a 13:36:27
~~but I'm pretty sure a similar feature will be available in ejaaberd eventually~~ ✎
a 13:36:35
but I'm pretty sure a similar feature will be available in ejabberd eventually ✏
Ge0rG 13:36:39
"automatically detect and block spammers" - ha, I wish there'd be such a thing
Ge0rG 13:37:03
the best you can get is automatically block people who registered throuh potential proxy servers
a 13:37:06
so... go for it. go for the open server. the more the merrier
MattJ 13:37:35
https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/ - example write-up from Ge0rG for Prosody
Licaon_Kter 13:37:44
stvn: open for other people does not mean public necessary, eg. You can create the account and share the credentials.
MattJ 13:37:58
Licaon_Kter: noooooooooooo
MattJ 13:38:37
Why do XMPP folk think that handing around passwords is acceptable in 2020?
Ge0rG 13:39:23
MattJ: because there is no other way with an UX that is understandable by users
MattJ 13:39:42
Ge0rG: that's demonstrably not true?
Ge0rG 13:39:50
MattJ: ...in XMPP
MattJ 13:40:17
Easy invites work great
Ge0rG 13:40:46
MattJ: I tried it once with a family member, and it wasn't perfect.
MattJ 13:41:03
Oh?
MattJ 13:41:27
I tried it with 8 family members and about 20 people at FOSDEM
Ge0rG 13:44:15
MattJ: maybe it's better if we push the JID and token through Google Play.
MattJ 13:44:50
That's what Snikket does, works great
stvn 13:44:53
Dont think id had much public traffic tbh
stvn 13:45:20
But id defently allow public acces, i will look around spam protection then
MattJ 13:45:25
stvn: spam bots scan for servers that allow registration and can register thousands of accounts each day
stvn 13:45:32
Is there some xmpp monitor ?
MattJ 13:47:03
Also see https://prosody.im/doc/public_servers
Ge0rG 13:48:35
MattJ: it still lacks a big bold 30pt statement about the rule #1 of running public xmpp servers
Licaon_Kter 13:54:48
> I tried it with 8 family members and about 20 people at FOSDEM I'm not doing this ^^^ so it scales :))
Licaon_Kter 13:55:05
Also clients can change passwords...c'mon
Licaon_Kter 13:55:26
Ge0rG: what's that? _"DON'T"_?
pep. 13:55:32
Licaon_Kter, how many of these users are going to it (change passwords)
Licaon_Kter 14:00:31
Let's not move the goalpost :))
pep. 14:10:46
"Why do XMPP folk think that handing around passwords is acceptable in 2020?" < I'm not moving this one. I agree with the statement behind the question and I was just continuing to highlight pitfalls of your approach :)
Licaon_Kter 14:11:06
¯\_(ツ)_/¯
Licaon_Kter 14:11:19
ejabberd lol
Martin 14:12:23
> Why do XMPP folk think that handing around passwords is acceptable in 2020? I had to do those for my apples.
Licaon_Kter 14:14:31
MattJ: > Why do XMPP folk think that handing around passwords is acceptable in 2020? Having one client on one platform and one server...is acceptable? What is this now, Matrix?
pep. 14:17:02
I agree that's a fair point. Neither protocols nor implementations are close to fixing this. That doesn't make handling around passwords more acceptable though
MattJ 14:19:19
Martin: Siskin has supported invite links since FOSDEM
Ge0rG 14:19:39
Licaon_Kter: exactly!
MattJ 14:19:48
And the invite page allows you to enter a password manually to create the account
MattJ 14:20:07
So no, I don't think a single implementation is healthy, and I don't think it's what we have
pep. 14:21:22
MattJ, prosody's original mod_invite you mean?
Martin 14:21:52
MattJ: Hmm, didn't know that.
Licaon_Kter 14:22:21
MattJ: I do want all this ofcourse, but I can't erlang so there's that....
MattJ 14:22:23
pep.: original and the Snikket one
pep. 14:22:33
ok
MattJ 14:23:16
So from the user perspective the only difference with the new stuff is that you can register right within the app instead of on the site
MattJ 14:23:43
So no awkwardly typing your password twice