XMPP Service Operators - 2020-08-17

Apparently Zoom is based on XMPP. yet another evil tech corp taking free software & open interoperable standards, ripping out the interoperability, and adding in spyware https://upload.nuegia.net/e33e0872-eda4-49c3-9dd2-715e668c98a1/screenshot.png

» Elastic Search, Elastic cache, DynamoDB, SQS and S3 I can't think of why these tools would be required to running an XMPP server

My guess is that they are storing absolutely EVERYTHING to an amazon S3 bucket

Even videocalls

Running ""analytics"" on them

Did you know that Egypt was found to record ALL IP traffic egressing the country to disk?

» Running ""analytics"" on them to """improve our services"""

Zoom has also said they want to be able to share everything with the US gov't. They kept flip flopping with how any sort of encryption was being done.

Sooner or later that giant bucket of userdata is going to leak

Especially with their security track record

It will probably be the next Cambridge analytica

Possibly worse

I'm tempted to download the binary on a separate machine, do a little blackboxing myself. Maybe throw it into Ghirda

Prosody or ejabberd ?

stvn: yes...

Haha, so both are good ?

stvn: yes, depends on stuff, what's your usecase?

Personal server, vps hosted, id also open registration for other people to use

thndrbvr: now on zoom you have to pay for e2e

stvn: running a public server involves some amount of work - dealing with spammers, and so on

I'd recommend against it generally, unless you're really prepared for that

or not dealing with spammers at all

I was told another day Tigase can automatically detect and block spam accounts ✏

sadly I don't use Tigase

Not sure what Tigase does exactly, but Prosody has similar capabilities

but I'm pretty sure a similar feature will be available in ejabberd eventually ✏

"automatically detect and block spammers" - ha, I wish there'd be such a thing

the best you can get is automatically block people who registered throuh potential proxy servers

so... go for it. go for the open server. the more the merrier

https://yaxim.org/blog/2020/05/12/new-anti-spam-measures/ - example write-up from Ge0rG for Prosody

stvn: open for other people does not mean public necessary, eg. You can create the account and share the credentials.

Licaon_Kter: noooooooooooo

Why do XMPP folk think that handing around passwords is acceptable in 2020?

MattJ: because there is no other way with an UX that is understandable by users

Ge0rG: that's demonstrably not true?

MattJ: ...in XMPP

Easy invites work great

MattJ: I tried it once with a family member, and it wasn't perfect.

Oh?

I tried it with 8 family members and about 20 people at FOSDEM

MattJ: maybe it's better if we push the JID and token through Google Play.

That's what Snikket does, works great

Dont think id had much public traffic tbh

But id defently allow public acces, i will look around spam protection then

stvn: spam bots scan for servers that allow registration and can register thousands of accounts each day

Is there some xmpp monitor ?

Also see https://prosody.im/doc/public_servers

MattJ: it still lacks a big bold 30pt statement about the rule #1 of running public xmpp servers

> I tried it with 8 family members and about 20 people at FOSDEM I'm not doing this ^^^ so it scales :))

Also clients can change passwords...c'mon

Ge0rG: what's that? _"DON'T"_?

Licaon_Kter, how many of these users are going to it (change passwords)

Let's not move the goalpost :))

"Why do XMPP folk think that handing around passwords is acceptable in 2020?" < I'm not moving this one. I agree with the statement behind the question and I was just continuing to highlight pitfalls of your approach :)

¯\_(ツ)_/¯

ejabberd lol

> Why do XMPP folk think that handing around passwords is acceptable in 2020? I had to do those for my apples.

MattJ: > Why do XMPP folk think that handing around passwords is acceptable in 2020? Having one client on one platform and one server...is acceptable? What is this now, Matrix?

I agree that's a fair point. Neither protocols nor implementations are close to fixing this. That doesn't make handling around passwords more acceptable though

Martin: Siskin has supported invite links since FOSDEM

Licaon_Kter: exactly!

And the invite page allows you to enter a password manually to create the account

So no, I don't think a single implementation is healthy, and I don't think it's what we have

MattJ, prosody's original mod_invite you mean?

MattJ: Hmm, didn't know that.

MattJ: I do want all this ofcourse, but I can't erlang so there's that....

pep.: original and the Snikket one

ok

So from the user perspective the only difference with the new stuff is that you can register right within the app instead of on the site

So no awkwardly typing your password twice