-
tom
Apparently Zoom is based on XMPP. Yet another evil tech corp taking free software & open interoperable standards, ripping out the interoperability, and adding in spyware https://upload.nuegia.net/e33e0872-eda4-49c3-9dd2-715e668c98a1/screenshot.png
-
tom
» Elasticsearch, ElastiCache, DynamoDB, SQS and S3 I can't think of why these tools would be required to run an XMPP server
-
tom
My guess is that they are storing absolutely EVERYTHING to an amazon S3 bucket
-
tom
Even videocalls
-
tom
Running "analytics" on them
-
tom
Did you know that Egypt was found to record ALL IP traffic egressing the country to disk?
-
tom
» Running "analytics" on them to "improve our services"
-
thndrbvr
Zoom has also said they want to be able to share everything with the US gov't. They kept flip-flopping on how any sort of encryption was being done.
-
tom
Sooner or later that giant bucket of userdata is going to leak
-
tom
Especially with their security track record
-
tom
It will probably be the next Cambridge analytica
-
tom
Possibly worse
-
tom
I'm tempted to download the binary on a separate machine, do a little blackboxing myself. Maybe throw it into Ghidra
-
stvn
Prosody or ejabberd ?
-
Licaon_Kter
stvn: yes...
-
stvn
Haha, so both are good ?
-
Licaon_Kter
stvn: yes, depends on stuff, what's your usecase?
-
stvn
Personal server, VPS hosted, I'd also open registration for other people to use
-
stvn
thndrbvr: now on Zoom you have to pay for E2E
-
MattJ
stvn: running a public server involves some amount of work - dealing with spammers, and so on
-
MattJ
I'd recommend against it generally, unless you're really prepared for that
-
a
or not dealing with spammers at all
-
a
I was told another day Tigase can automatically detect and block spam accounts
-
a
Sadly I don't use Tigase
-
MattJ
Not sure what Tigase does exactly, but Prosody has similar capabilities
-
a
but I'm pretty sure a similar feature will be available in ejabberd eventually
-
Ge0rG
"automatically detect and block spammers" - ha, I wish there'd be such a thing
-
Ge0rG
the best you can get is automatically block people who registered through potential proxy servers
-
a
so... go for it. go for the open server. the more the merrier
-
MattJ
https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/ - example write-up from Ge0rG for Prosody
-
Licaon_Kter
stvn: open for other people does not necessarily mean public, e.g. you can create the account and share the credentials.
-
MattJ
Licaon_Kter: noooooooooooo
-
MattJ
Why do XMPP folk think that handing around passwords is acceptable in 2020?
-
Ge0rG
MattJ: because there is no other way with a UX that is understandable by users
-
MattJ
Ge0rG: that's demonstrably not true?
-
Ge0rG
MattJ: ...in XMPP
-
MattJ
Easy invites work great
-
Ge0rG
MattJ: I tried it once with a family member, and it wasn't perfect.
-
MattJ
Oh?
-
MattJ
I tried it with 8 family members and about 20 people at FOSDEM
-
Ge0rG
MattJ: maybe it's better if we push the JID and token through Google Play.
-
MattJ
That's what Snikket does, works great
-
stvn
Don't think I'd have much public traffic tbh
-
stvn
But I'd definitely allow public access, I will look around for spam protection then
-
MattJ
stvn: spam bots scan for servers that allow registration and can register thousands of accounts each day
-
stvn
Is there some XMPP monitor?
-
MattJ
Also see https://prosody.im/doc/public_servers
-
Ge0rG
MattJ: it still lacks a big bold 30pt statement about the rule #1 of running public xmpp servers
-
Licaon_Kter
> I tried it with 8 family members and about 20 people at FOSDEM
I'm not doing this ^^^ so it scales :))
-
Licaon_Kter
Also clients can change passwords...c'mon
-
Licaon_Kter
Ge0rG: what's that? _"DON'T"_?
-
pep.
Licaon_Kter, how many of these users are going to do it (change passwords)
-
Licaon_Kter
Let's not move the goalpost :))
-
pep.
"Why do XMPP folk think that handing around passwords is acceptable in 2020?" < I'm not moving this one. I agree with the statement behind the question and I was just continuing to highlight pitfalls of your approach :)
-
Licaon_Kter
¯\_(ツ)_/¯
-
Licaon_Kter
ejabberd lol
-
Martin
> Why do XMPP folk think that handing around passwords is acceptable in 2020?
I had to do those for my apples.
-
Licaon_Kter
MattJ:
> Why do XMPP folk think that handing around passwords is acceptable in 2020?
Having one client on one platform and one server...is acceptable? What is this now, Matrix?
-
pep.
I agree that's a fair point. Neither protocols nor implementations are close to fixing this. That doesn't make handing around passwords more acceptable though
-
MattJ
Martin: Siskin has supported invite links since FOSDEM
-
Ge0rG
Licaon_Kter: exactly!
-
MattJ
And the invite page allows you to enter a password manually to create the account
-
MattJ
So no, I don't think a single implementation is healthy, and I don't think it's what we have
-
pep.
MattJ, prosody's original mod_invite you mean?
-
Martin
MattJ: Hmm, didn't know that.
-
Licaon_Kter
MattJ: I do want all this of course, but I can't Erlang so there's that....
-
MattJ
pep.: original and the Snikket one
-
pep.
ok
-
MattJ
So from the user perspective the only difference with the new stuff is that you can register right within the app instead of on the site
-
MattJ
So no awkwardly typing your password twice