-
anaxagoras
wherethehairygirlsat@conversations.im for rtbl please
-
Amolith
anaxagoras: added
-
anaxagoras
ty
- cumoozingfromerectanuses removed by moderator
- psjjenw removed by moderator
- r0 removed by moderator
-
nuron
ralphm, MattJ, jonas’: ^
-
anaxagoras
rapeandkillamolithonsight@conversations.im for rtbl please
-
anaxagoras
there is also mayflower12693, same person, but not sure host part
- hairygirlsequalserectpenis removed by moderator
- penisfartsmakingpee removed by moderator
- a moderator removed a message
-
Guus
Server operators: as a developer of server software, how would you suggest that I reach you with important information? I'm trying to get people to upgrade to a version of our software that doesn't have an exploitable vulnerability, but I am having a hard time reaching more than ~6% of you. Does anyone have suggestions on how to improve this?
-
MattJ
Guus, "hard time reaching more than 6% of you" - are you saying you have managed to reach 6%, but unable to reach more? or there are 6% you are finding it hard to reach?
-
Guus
Only 6% of the active servers have been updated to the latest version.
-
Guus
(less than, even)
-
henriette
was a CVE filed? some distros won't push updates without one
-
MattJ
Openfire users don't use distro packages :)
-
henriette
eek
-
MattJ
Guus, if you can work out a suitable shodan search to identify the vulnerable services, you can look up IP/domain contacts
-
henriette
maybe add an update check/notification for future occurrences
-
henriette
if people neglect their server, let them toil
-
MattJ
Unless you are already able to get the domains/IPs from your telemetry
-
Guus
CVE had been published. We're not maintaining packages in distro specific management repos.
-
MattJ
The 6% probably hang around places like this, or the forums, etc. and they're the wrong crowd to ask how to reach them
-
henriette
do you maintain an rpm/apt repo that people install from? or is no one updated because they have to deploy a jar?
-
Guus
I can record IPs. Apart from apparent privacy issues: How do I get contact information from that?
-
henriette
maybe check dockerhub for any openfires and push them to update, users may rely on that way
-
Guus
> The 6% probably hang around places like this, or the forums, etc. and they're the wrong crowd to ask how to reach them
Yeah, but not being able to ask the other 94% is kind of the stated problem.
-
henriette
hairlygirl@conversations.im for rtbl please
-
MattJ
henriette, done
-
henriette
ty
-
MattJ
Guus, look up the reverse DNS
-
henriette
and then do whois on that
-
MattJ
That should give you their domain, or at least their provider, which you can contact
-
Guus
We do not maintain package repos at all. We only offer downloads
-
MattJ
Failing that, whois for the IP will give contact addresses
-
henriette
just note that reverse DNS sometimes isn't set or may be a remnant from a previous IP holder (on some low end hosts)
-
Guus
> do you maintain an rpm/apt repo that people install from? or is no one updated because they have to deploy a jar?
No jars. We offer platform specific installers
-
henriette
and they have no auto update mechanism?
-
Guus
No
-
Guus
Only an update check that's reported in the administrative interface
-
jonas’
Guus, build an opt-in update notification thing into the next release.
-
jonas’
this can be done in a way that it's not privacy invasive
-
henriette
and make a deb+rpm repo
-
jonas’
(e.g. using a DNS record)
-
Guus
> (e.g. using a DNS record)
🤨
-
jonas’
Guus, you could have TXT records for each openfire version with machine-readable content which indicates the security status of that release ("supported", "vulnerable:$fixedVersion", "unsupported") and build code into openfire which looks up the TXT record of its own version and acts according to the result
-
jonas’
as DNS resolution generally happens through recursive resolvers, this is pseudonymised.
-
jonas’
for example, run `dig TXT auth-3.4.0.security-status.secpoll.powerdns.com`
-
jonas’
(to nobody's surprise, powerdns, a DNS server, uses this technique)
-
Guus
That'd improve/make more anonymous the already existing update check. My issue is that only 6% of our admins look at the results of such an update check.
-
jonas’
oh
-
jonas’
make it send a daily message to the admin via XMPP? :-)
-
Guus
We Do That
-
jonas’
ok, then you're doomed
-
Guus
Not daily, but on update availability.
-
jonas’
might be your (corporate) audience :|
-
Guus
Yeah
-
jonas’
Guus, to me, it seems you've done much more than the typical software vendor already and you cannot force people to act responsibly.
-
Guus
Thanks. It's kind of heartbreaking to get reports about crypto miners being installed.
-
jonas’
indeed
-
jonas’
you could also build a kill-switch into the next release.
-
jonas’
but I'm not sure if that's ethical
-
Guus
Absolutely not
-
jonas’
:-)
-
Guus
Our stuff is used in military, law enforcement, health care
-
jonas’
myeah
-
jonas’
that might cause some issues :-)
-
henriette
do you provide a hardened systemd unit with your packages?
-
jonas’
but is it better if it's shut down controlledly, or when a cryptominer or worse takes (ransomware in a hospital, yay) over?
-
Guus
Well, all of those users are in that 6 percent.
-
Guus
> do you provide a hardened systemd unit with your packages?
No. I don't know what that is, but no.
-
henriette
systemd has native sandboxing capabilities
-
jonas’
hardened systemd units: you can restrict what a process can do with systemd, such as removing write access to anywhere except specific directories, restrict access to systemcalls, network families etc.
-
henriette
so at least it'd be limited to miner and not a root escalation/total system compromise
-
jonas’
*much harder to do full system compromise
-
Guus
That's actually a good improvement (but won't help the majority of our instances that are running on Windows).
-
henriette
win32 has sandboxing options too
-
henriette
but must be directly integrated and may not play nice with java
-
Guus
Is worth looking into
-
Guus
Yeah, Java is powerful in that way. And with our plugin API, you can pretty much add any custom code that you like.
-
Guus
(which is part of the current attack vector)
-
henriette
maybe default disable that if possible?
-
Guus
Yeah we've been thinking about that
-
Guus
It's a heavily used feature though
-
Guus
Gotta run. Thanks for the feedback everyone
-
jonas’
FWIW, we set this room to moderated to combat the spam. We used to have a bot here which auto-voices server admins, which is currently broken. We'll work on fixing that and then we can also process further voice requests.
-
jonas’
(moderated == you can only read, not send messages unless you're "voiced")
-
henriette
hairygirl@conversations.im for rtbl please
-
henriette
(last one was ly)
-
Zash
Guus, posted to https://www.openwall.com/lists/oss-security/ ?
-
Link Mauve
Hi, Matrix.org is now making a publicly accessible archive of their rooms (which includes MUCs), you might want to ban their bot if you don’t want that: https://chaos.social/@n0toose/110593475148424017
-
Link Mauve
I see it at xsf@ for instance, under the nick archive.matrix.org/faq
-
Link Mauve
Or voice your concerns if you don’t think this is a good way to leak all of your chats to the world.
-
MattJ
On the one hand, xsf@ is already publicly logged
-
MattJ
On the other hand, we control those logs (e.g. I suspect when we remove objectionable stuff, the matrix side won't update)
-
msavoritias
also i have no idea i am being logged by a third party when joining the xsf room
-
Link Mauve
MattJ, speaking of which, we might want to reduce the verbosity of those logs by hiding joins/parts by default, to make them more easily readable.
-
henriette
Would it have to be banned from matrix side, or can it be banned from xmpp side across the bifrost?
-
henriette
And weren't most already logged at view.matrix.org?
-
MattJ
FWIW their site now says "The Matrix Public Archive is on hold" - "We are reviewing the Matrix Public Archive to ensure that it doesn't break privacy expectations and have taken it down as a temporary measure while we conduct the investigation."
-
Trung
I'm getting this when visit https://archive.matrix.org/ > We are reviewing the Matrix Public Archive to ensure that it doesn't break privacy expectations and have taken it down as a temporary measure while we conduct the investigation.
-
MSavoritias (fae,ve)
yeah there was backlash. (unsurprisingly)
-
bkil
henriette: Precisely. static-view has been working just like that since 2017, but due to certain bugs, it can't be reliably used for sharing permalinks to past messages (the whole point of the project in my opinion). Hence why the (badly named) archive was created that is basically just a noJS, server-side rendered matrix client. It is not meant to persist (i.e., backup, store, aggregate) messages, as that would be prohibitively expensive. If you check the FAQ, they usually only cache messages for minutes, so the moment you make the room invite-only, the public log disappears.
-
bkil
I'm also puzzled why a few started a banning spree just now - the first public release of archive-matrix went live almost 1 year ago.
-
msavoritias
because probably they don't follow all github repos of matrix closely?
-
msavoritias
it's fair if they found out only now
-
msavoritias
aside of all the ethical concerns of course