-
Maranda
Menel: I think it's this
-
Maranda
presence_broadcast: [moderator | participant | visitor, ...]
List of roles for which presence is broadcasted. The list can contain one or several of: moderator, participant, visitor. The default value is shown in the example below:
Example:
presence_broadcast:
  - moderator
  - participant
  - visitor
-
Maranda
https://docs.ejabberd.im/admin/configuration/modules/#mod-muc
-
Maranda
Tbh the room is half borked like that and will cause Bifrost issues
-
Maranda
(They already prohibit IQs to occupants)
-
Maranda
So... As long as they're aware 🤷
-
Menel
Well. They fixed the presence sometime today in the morning/last night. It's as it was now.. I didn't realize it was a config option.
-
Licaon_Kter
> all ~300,000 XMPP servers found on Shodan yay https://bishopfox.com/blog/xmpp-underappreciated-attack-surface nay 🙁 Stay safe... fix stuff!
-
mjk
the whole "vulnerability" is "oops we forgot to disable IBR on our private instance" 🙄
-
Licaon_Kter
yes, also some anon logins
-
moparisthebest
Signal/Slack/Teams: can't run your own infrastructure poorly if you can't run your own infrastructure 🤔
-
Menel
Without knowing how many of the scanned servers have anon and open registration because it's intended, any conclusion there (in the last sentence) is worthless IMHO
-
Menel
(Not a bug, but a feature)
-
moparisthebest
I like the # of servers though, that's huge
-
mjk
Hmmmnope, still dead
-
moparisthebest
Hmm it'd be pretty easy to write a script to harvest all publicly federated XMPP servers but is that a good idea or not :/
-
moparisthebest
Monitor cert renewals since they are all public, check each domain for XMPP service
-
mjk
Since many of those don't federate _intentionally_ it would be pretty bad for those
-
moparisthebest
You'd have most XMPP serving domains within 60 days and all of them within a year
-
moparisthebest
Oh and I shouldn't have said federated, they still may not federate, but rather "on the internet with trusted TLS cert"
-
mjk
Yea, I mean many are probably on the internet by virtue of misconfiguration :shrug:
-
mjk
Probably not nice to list indiscriminately
-
moparisthebest
It's already public though?
-
mjk
Mmhyeah
-
mjk
A script registering on every public IBR-supporting server to say "I'm in ur server, versioning ur rosterz" to everyone in the default roster might be funny, useful and kinda ethical
-
moparisthebest
No that's not what I'm saying
-
mjk
Nah, my thought just wandered
-
mjk
I see your point, I'm just not sure all server operators would be okay with what practically is scraping. S.j.n. requires operators' consent for a reason
-
mjk
Xmpp really needs robots.txt equivalent :)
-
moparisthebest
They might not be happy but they probably don't realize that info is already just there for bad actors
-
Licaon_Kter
Why X on 198 and 352 and 411 though? https://compliance.conversations.im/server/jabberfr.org/
-
Menel
well the 411 might be because of the new module that obsoletes that.. it's the compliance tester that's outdated there.. but for mobile devices 198 and 352 are nice...
-
Maranda
I wanted to add Bifrost on disco on lightwitch.org, but that'll cause it to lower the score... Apparently if you advertise multiple MUC services it wants all of 'em to be supporting MAM.
-
Maranda
(although it also advertises the gateway category so it could be a bit more assertive, if it's not the only MUC service there)
-
Menel
it just wants you to get mam support to the bridge ;)
- Maranda shows a long TODO list to Menel before that's going to even be taken in consideration.
-
Maranda
.. and finally if they would stop the annoying DDoSes, that would help on not wasting time on tweaking infrastructure configuration, role placement and applying mitigations and leave more to actually code.
-
Menel
xmpp ddos or matrix? is there a post somewhere, does anybody know who and why?
-
Maranda
Matrix mostly
-
Maranda
Some more chipping over XMPP, but nothing of note. And initially it was trolls from stopdronebl.org, now it's just trolls following the tail period.
-
Menel
I didn't know people would do it without an agenda
-
rozzin
mjk: > the whole "vulnerability" is "oops we forgot to disable IBR on our private instance" 🙄 Well, they also mention other stuff like user-search, and mismatched user-expectations about MUC default settings?
-
mjk
rozzin: those seem like deliberate things for an internal company server that go horribly wrong once registration is free for all
-
rozzin
mjk: yeah, or if you just make them available to external users with no local registration required. So you can mess those up without having IBR or anonymous login.
-
rozzin
They didn't really show all of the angles very clearly....
-
mjk
ah, it seemed they were talking in a context of non-federating services, so I didn't consider external users, yes