XMPP Service Operators - 2022-03-11

TheCoffeMaker: isn't it... actually better to wait a bit before retweeting?

> TheCoffeMaker: isn't it... actually better to wait a bit before retweeting? Maybe ... Depends on the tweet I guess, i.e. the tweet abt xmpp + activity pub needs to be on time

> *people* don't care about new xeps they care about "apps" they can use Not sure that's the subject, again emus said "xep", yes that's another demographic, developers, and they need another type of info. Devs can't make apps or add features if they believe xmpp is dead. Hearing about a new Siskin update every 6 months (and the latest one breaks group omemo _"Why I've decided to implement OMEMO?". I do not use it, yet I have to deal with issues with OMEMO_) does not help that much. _Ohhhhh look weekly info on new shiny stuff libmatrix added that's easy to use_

> *people* don't care about new xeps they care about "apps" they can use Apparently they care about "app names", that's the most important part...if it's not the same on all platforms it's unusable omg MattJ found the golden goose right there Ref: https://eylenburg.github.io/im_comparison.htm ✏

> XMPP and Matrix leak metadata, Signal doesn't ugh this lie again

Someone needs to manage to selfhost signal and then be an evil admin to test it.. Otherwise people will believe..

Ans then demand yet another update to the admin-in-the-middle article 😆

not needed, it's obvious any centralized service like signal has *all* the metadata

whether they pinky-promise not to look at it is beside the point

Not for infosec it seems

They believed in the magic

as usual, they are malicious or stupid or both

Menel: > Not for infosec it seems > They believed in the magic They did remove Signal recommendation when they republished the posts each year They also deflect the Signal criticism as whataboutism

Its just.. People believe more in actions then in words.. So a life test with signal would be devastating I think. Just saying how it is does nothing as we see

From the not existing article:"I could actually see who is messaging who at any time" 😲😲😲

if there's a system you run where 2 people connect and you relay messages back and forth between them, obviously you can see this

Yes. But somehow doing it impresses people still.. ✏

Probably off topic but from past actions Signal does seem legit. I wouldn't complain too much if a contact insisted on signal, certainly better than WhatsApp or SMS. Not to say it's perfect or won't turn spooky, but it does look like a good option and is easy to use/understand. https://signal.org/bigbrother/cd-california-grand-jury/

I don't want to make a bold claim I can't back up right now, but as far as I can tell they lied to the courts 😅

Check the DB schema in their server repo, and consider that they also store device IDs for push notifications at least

This can be used, with the help of Google/Apple, to identify a specific user/device

Hmm. Something to think about and look into

But I agree, if someone wants to do this properly, they should set up a Signal server and do a full write-up

I'm 100% certain there are operational attacks that Signal can perform on its users

savagepeanut: and again, this is them saying "we set up our systems not to log" they can change that at anytime without anyone knowing, and an XMPP server can be set up to log nothing also

But am I that interested in taking Signal down a peg? Not especially

The difference is there is 1 signal server with metadata on everyone, where as your XMPP server has no metadata on my users, and vice versa

Not "you promise not to look" but "you couldn't look if you wanted"

I am here because I support xmpp and decentralization in general :) I do think the metadata concern is poorly explained whenever mentioned with xmpp, because of what you say about setting up a server. And it's not like anyone I manage to drag onto my server isn't already linked to me.

moparisthebest: > if there's a system you run where 2 people connect and you relay messages back and forth between them, obviously you can see this https://www.bmj.com/content/363/bmj.k5094

Yes, maybe reiterate that Signal, just like XMPP and Matrix and Whatsapp and everything else except Briar or Jami, they are ALL store-and-forward systems. So they need to STORE the message until contact is online and they need to KNOW the contact to be able to forward that message. So if you contact is offline, Signal has your message on their server (ahem Amazons server or Googles server or Microsofts server actually) and they have in memory the ID of your contact. That's why having the LEA asking for "info on target NOW" might be 2 bits of info (like they blog) or "info on target for 1 week" might be...more than 2 lol ✏

Yes, maybe reiterate that Signal, just like XMPP and Matrix and Whatsapp and everything else except Briar or Jami, they are ALL store-and-forward systems. So they need to STORE the message until contact is online and they need to KNOW the contact to be able to forward that message. So if your contact is offline, Signal has your message on their server (ahem Amazons server or Googles server or Microsofts server actually) and they have in memory the ID of your contact. That's why having the LEA asking for "info on target NOW" might be 2 bits of info (like they blog) or "info on target for 1 week" might be...more than 2 lol ✏

Yes, maybe reiterate that Signal, just like XMPP and Matrix and Whatsapp and everything else except Briar or Jami, they are ALL store-and-forward systems. So they need to STORE the message until contact is online and they need to KNOW the contact to be able to forward that message. So if your contact is offline, Signal has your message on their server (ahem Amazons server or Googles server or Microsofts server actually) and they have in memory/storage the ID of your contact. That's why having the LEA asking for "info on target NOW" might be 2 bits of info (like they blog) or "info on target for 1 week" might be...more than 2 lol ✏

Signal accounts have a UUID, a phone number, and a list of devices: https://github.com/signalapp/Signal-Server/blob/65b49b2d9c4fe4a21468e2bb53fb6a7a8a8c49a9/service/src/main/java/org/whispersystems/textsecuregcm/storage/Account.java#L89 A device stores the 'created' and 'lastSeen' timestamps, as Signal often talks about. It also has a 'name', 'userAgent', and several unique IDs issued by Apple/Google: https://github.com/signalapp/Signal-Server/blob/65b49b2d9c4fe4a21468e2bb53fb6a7a8a8c49a9/service/src/main/java/org/whispersystems/textsecuregcm/storage/Device.java#L79

This is not more than an XMPP server operator has access to, but it's more than they are telling people in their blog posts :)

The difference in XMPP is that you can choose your operator (including yourself), whereas for Signal you can only choose one US entity with infrastructure on US cloud providers

moparisthebest: I hate to be saying this like this, but when you find yourself making an argument like this: > The difference is there is 1 signal server with metadata on everyone, where as your XMPP server has no metadata on my users, and vice versa ... try to imagine that there is a sizable audience who actually is unable to follow any discussion which requires simultaneously visualizing what two separate entities are doing—even if that image is symmetrical. Imagine an audience that is basically "not smart enough to grok concepts like ʿsymmetryʾ". And then imagine that those people are in all sorts of jobs where you think they couldn't be (like "infosec expert")..., because actually they are.

Thanks for the links Matt

rozzin: rephrase better

> moparisthebest: I hate to be saying this like this, but when you find yourself making an argument like this: I think I've just cracked the code to xmpp adoption. Most people don't understand or care about the protocol you use, extendability, decentralization, or e2e. We need stickers like Signal.

savagepeanut: old news

Aw, looks like I'm not as original as I thought. I think Movim does already have stickers though, so I guess that was obvious.

Licaon_Kter: I don't know—it's 3 AM here so TBH I'm not all that smart myself right now; that may be the best that I can manage.

I also want to provide as a reference a conversation that I had in the Monal MUC in late June 2021, about a friend of mine basically ʿrunning away screaming in terrorʾ after reading the description of Monal/XMPP in the App Store, but I'm not really even up for the copy/paste/link sequence at the moment.

Doesn't seem _that_ bad to me, it explained what each extension does at least. Maybe just a "Features" list without scary numbers would be better though, idk.

Basically, there are lots of people who are more easily confused than you might think is even possible, for whom what's totally obvious to you is not only ʿnot obvious at allʾ but borderline unthinkable, and who can read what you intend to be positive/negative depictions completely backward e.g. "there's only 1 monopoly server" is "simpler and better because I don't have to think about complicated multi-server scenarios or multi-party trust scenarios or weigh alternatives and make choices; Moxie's a good guy and knows what he's doing, so if all I have to do is trust him then that's a win for me".

We got that already.

I'm thinking that one phrase to encompass all that tech stuff would be nice. ✏

_"The Signal server has all the metadata of all Signal users, but Moxie promises not to look at it. An XMPP server has only that of its users, and You can be the admin._

-------- I tried ¯\_(ツ)_/¯ ✏

"But they say they don't keep it!!! And it is split on several different servers managed by the same people on the same AWS tenant, so what could go wrong"

That's not an argument dismissing what I said lol

> <mathieui> "But they say they don't keep it!!! And it is split on several different servers managed by the same people on the same AWS tenant, so what could go wrong" The NSA gonna catch 'em all? Pokémon style?

😸

To be frank, Signal's "sealed sender" sounds sound at a high level: do an anonimous drop that has "deliver to +1555..." written over it. This _could_ work (modulo the spam potential; although blind signature magic could maybe somehow make it not terrible), but the devil is in the implementation, of course. And also in the fact that they don't even mention the fact that it can't work without sender IP address anonymization.

This one? _Signal is a very secure service mapping your messages to your phone number and hosted by a privacy concerned company on behalf of a NSA foundation while XMPP leaks valuable metadata about XEPs, protocol, coding and nerd stuff discussions to evil admins._ ✏

Oh, I see what you did there...

One correction: _only to your evil admins_

> _ XMPP leaks valuable metadata about XEPs, protocol, coding and nerd stuff discussions_ *sad laugh*

Sometimes I feel I troll without intention^^

No, it's everyone else 😀. You just provided the stage, without intention. But its more a social exercise then trolling I think

^^ I invite everyone to blame me if users start claiming about following a standards organsiation 😉¯\_(ツ)_/¯

All blame would be yours! :))

all your blame are belong to us ✏

yes

Thx folks ... U provided a lot of arguments to have in the toolbox when its time discuss about IM providers and services

There is something in development I think

https://upload.convorb.im/7c370453f738f2c0c995eaee643e5e0aba76aeb0/j4INu5LDqhEZxEVHxotVg8rrTKCggKQA9Jun8oWv/YWiUPyWEQBC3tTWNNDQH9A.jpg

Fedi fans, yours for the taking, spread out and zeal!

Licaon_Kter: 🤣

Looks like a big security _owl_

> The difference in XMPP is that you can choose your operator (including yourself), whereas for Signal you can only choose one US entity with infrastructure on US cloud providers So you're saying... that as an American, with Signal I only have to trust 1 domestic company that all of my peers already trust, instead of a whole bunch of different independent operators who might even be foreign spy agencies; and I can be sure that none of my data is ever leaving the country and going to China or Putinstan or whoever if I use Signal, whereas if I use XMPP I need to continually go through this giant effort to find out who's running the services that each and every person I talk to uses, and I have to read I-can't-even-know-how-many different operators ToS docs and decide whether I trust each of those operators to even keep whatever promises the make...?

one domestic company, one domestic cloud provider and one domestic government with a dozen of secret agencies?

rozzin, exactly, as long as you are sure you are and will stay in the good will of your country, you can trust it I guess.

I've heard that depending on your skin color, you have high chances of being killed by the government in a random encounter, like a routine traffic inspection.

Although I guess your country treats even its own citizens as potential threats.

Right, or that.

Okay, the borderline off-topic is going pretty off-topic

🤦

Sorry.

The threat vector difference discussion is worth having for operators, I think. The what-about-ism doesn't help that though. It may be perfectly reasonable to want to centralize in a single country or other political environment, even if that environment has serious problems. The problem with rozzin's initial argument is that it makes it sound like all the information is always going to untrusted sources, but it's not, you only have to trust servers that you *choose* to communicate with (or that you allow to communicate with you).

So deciding between a single provider with resources in a single place and many providers with resources in many places really depends on what the threat is you're trying to protect against?

Sam, I'm okay with on-topic stuff relevant to operators, but in the past 15 minutes or so there were specific countries named that are likely to provoke, discussion about skin colour and non-internet law enforcement scenarios, etc.

yah, I was trying to redirect it back to rozzin's initial threat discussion

Sure, that's fine if we can manage that

I'm a pessimist in this regard, nowadays :)

You could also argue that you don't have to trust the servers you're contacting yourself. In either situation you have to trust your contacts to not leave their phone in a bar, or screenshot and post your messages, so maybe it's worth trusting them to pick a safe server too (or maybe not? I don't know if that's significantly harder than not leaving your phone lying around unlocked or not)

rozzin: the issue is _"my peers trust"_, how what that trust gained exactly? By false advertisment of "no messages on server" and "we don't know who you message"?

I do want to be clear that the point of my comment was to show just how easily these sort of well-intentioned statements that we about "open and federated and international band of small independent hackers with no political ties" type of arguments that *we* (myself included, actually) find so appealing... can be pretty grossly misread when they land in the wrong audience. If you're wondering why we're failing at "mass appeal"..., it's helpful to remember that "the masses" are actually a pretty big part of anything with the word "mass" in it. And yes there are multiple different-even-if-overlapping "mass" audiences, so be clear on which ones you're targetting at any given point in time.

I'll try to pull together that monal MUC conversation I referenced last night, since I'm awake again now.

> The problem with rozzin's initial argument is that it makes it sound like all the information is always going to untrusted sources, but it's not, you only have to trust servers that you *choose* to communicate with (or that you allow to communicate with you). Well, no the issue there is that the prospective XMPP user is being told that they need to worry about "which *server*" at all, where that reads as a non-issue in the "only one operator to trust" alternative. And you actually just reinforced that with your response 😜

I just wanted to say I really enjoy this nuanced conversation about the merits & issues of the different platforms/protocols, that is almost completely absent from most other places.

rozzin: not sure XMPP zealots brought up this

I've used all of these and hosted both XMPP, Matrix, Session Open Groups etc. I like XMPP more as time goes on, because it doesn't seem to randomly run into issues and become bloated, small server resources footprint all things considered. I heard a lot about "the metadata issue" for Matrix and XMPP in Session chats (expected, since "no metadata" is their slogan)

The way I've seen discourse, _"hey, wanna get out of the toxic silo, use xmpp"_ and the answer from security ~theater~tweeter was _"omfg metadata, use signal, no message stored, they don't know who you talk with, etc"_

Signal works great, but the phone number requirement, the centralization, and them being hosted on Google/AWS rubs me the wrong way.

The flip side of that is, people often aren't interested in the added effort of needing to learn something other than the app automatically harvesting contacts *for your convenience

Quicksy covers this case pretty neatly, has numbers for normies that don't care, but still has federation.

I didn't know Quicksy, I'll check it out

Yeah in general "it's so much better, all you have to do is [list of new concerns you'd need to manage during and/or after switching that you don't need to think about now]" seems like... unlikely to be convincing.

I liked xmpp for work environment, we used it for years at the telco i worked at until one day they decided to replace it with google hangouts :-(

Ew

apparently maintaining xmpp was too much for major national telco to justify

I thought telecom companies used erlang anyway

Just ejabberd it up