XMPP Service Operators - 2023-06-27


  1. anaxagoras

    wherethehairygirlsat@conversations.im for rtbl please

  2. Amolith

    anaxagoras: added

  3. anaxagoras

    ty

  4. cumoozingfromerectanuses removed by moderator

  5. cumoozingfromerectanuses removed by moderator

  6. psjjenw removed by moderator

  7. psjjenw removed by moderator

  8. psjjenw removed by moderator

  9. psjjenw removed by moderator

  10. psjjenw removed by moderator

  11. psjjenw removed by moderator

  12. psjjenw removed by moderator

  13. psjjenw removed by moderator

  14. psjjenw removed by moderator

  15. psjjenw removed by moderator

  16. psjjenw removed by moderator

  17. psjjenw removed by moderator

  18. psjjenw removed by moderator

  19. r0 removed by moderator

  20. r0 removed by moderator

  21. r0 removed by moderator

  22. r0 removed by moderator

  23. r0 removed by moderator

  24. r0 removed by moderator

  25. r0 removed by moderator

  26. r0 removed by moderator

  27. r0 removed by moderator

  28. r0 removed by moderator

  29. r0 removed by moderator

  30. r0 removed by moderator

  31. r0 removed by moderator

  32. r0 removed by moderator

  33. r0 removed by moderator

  34. r0 removed by moderator

  35. r0 removed by moderator

  36. r0 removed by moderator

  37. r0 removed by moderator

  38. r0 removed by moderator

  39. r0 removed by moderator

  40. r0 removed by moderator

  41. r0 removed by moderator

  42. r0 removed by moderator

  43. r0 removed by moderator

  44. r0 removed by moderator

  45. r0 removed by moderator

  46. r0 removed by moderator

  47. r0 removed by moderator

  48. r0 removed by moderator

  49. r0 removed by moderator

  50. r0 removed by moderator

  51. r0 removed by moderator

  52. r0 removed by moderator

  53. r0 removed by moderator

  54. r0 removed by moderator

  55. r0 removed by moderator

  56. r0 removed by moderator

  57. r0 removed by moderator

  58. r0 removed by moderator

  59. r0 removed by moderator

  60. r0 removed by moderator

  61. nuron

    ralphm, MattJ, jonas’: ^

  62. anaxagoras

    rapeandkillamolithonsight@conversations.im for rtbl please

  63. anaxagoras

    there is also mayflower12693, same person, but not sure host part

  64. hairygirlsequalserectpenis removed by moderator

  65. hairygirlsequalserectpenis removed by moderator

  66. hairygirlsequalserectpenis removed by moderator

  67. hairygirlsequalserectpenis removed by moderator

  68. penisfartsmakingpee removed by moderator

  69. a moderator removed a message

  70. a moderator removed a message

  71. a moderator removed a message

  72. a moderator removed a message

  73. a moderator removed a message

  74. a moderator removed a message

  75. a moderator removed a message

  76. a moderator removed a message

  77. a moderator removed a message

  78. a moderator removed a message

  79. a moderator removed a message

  80. a moderator removed a message

  81. a moderator removed a message

  82. a moderator removed a message

  83. a moderator removed a message

  84. a moderator removed a message

  85. a moderator removed a message

  86. a moderator removed a message

  87. a moderator removed a message

  88. a moderator removed a message

  89. a moderator removed a message

  90. a moderator removed a message

  91. a moderator removed a message

  92. a moderator removed a message

  93. a moderator removed a message

  94. a moderator removed a message

  95. a moderator removed a message

  96. a moderator removed a message

  97. a moderator removed a message

  98. a moderator removed a message

  99. a moderator removed a message

  100. a moderator removed a message

  101. a moderator removed a message

  102. a moderator removed a message

  103. a moderator removed a message

  104. a moderator removed a message

  105. a moderator removed a message

  106. a moderator removed a message

  107. a moderator removed a message

  108. a moderator removed a message

  109. a moderator removed a message

  110. a moderator removed a message

  111. a moderator removed a message

  112. a moderator removed a message

  113. a moderator removed a message

  114. a moderator removed a message

  115. a moderator removed a message

  116. a moderator removed a message

  117. a moderator removed a message

  118. a moderator removed a message

  119. a moderator removed a message

  120. a moderator removed a message

  121. a moderator removed a message

  122. a moderator removed a message

  123. a moderator removed a message

  124. a moderator removed a message

  125. a moderator removed a message

  126. a moderator removed a message

  127. a moderator removed a message

  128. a moderator removed a message

  129. a moderator removed a message

  130. a moderator removed a message

  131. a moderator removed a message

  132. a moderator removed a message

  133. a moderator removed a message

  134. a moderator removed a message

  135. a moderator removed a message

  136. a moderator removed a message

  137. a moderator removed a message

  138. a moderator removed a message

  139. a moderator removed a message

  140. a moderator removed a message

  141. a moderator removed a message

  142. a moderator removed a message

  143. Guus

    Server operators: as a developer of server software, how would you suggest that I reach you with important information? I'm trying to get people to upgrade to a version of our software that doesn't have an exploitable vulnerability, but I am having a hard time reaching more than ~6% of you. Does anyone have suggestions on how to improve this?

  144. MattJ

    Guus, "hard time reaching more than 6% of you" - are you saying you have managed to reach 6%, but unable to reach more? or there are 6% you are finding it hard to reach?

  145. Guus

    Only 6% of the active servers have been updated to the latest version.

  146. Guus

    (less than, even)

  147. henriette

    was a CVE filed? some distros won't push updates without one

  148. MattJ

    Openfire users don't use distro packages :)

  149. henriette

    eek

  150. MattJ

    Guus, if you can work out a suitable shodan search to identify the vulnerable services, you can look up IP/domain contacts

  151. henriette

    maybe add an update check/notification for future occurrences

  152. henriette

    if people neglect their server, let them toil

  153. MattJ

    Unless you are already able to get the domains/IPs from your telemetry

  154. Guus

    CVE had been published. We're not maintaining packages in distro specific management repos.

  155. MattJ

    The 6% probably hang around places like this, or the forums, etc. and they're the wrong crowd to ask how to reach them

  156. henriette

    do you maintain an rpm/apt repo that people install from? or is no one updated because they have to deploy a jar?

  157. Guus

    I can record IPs. Apart from apparent privacy issues: How do I get contact information from that?

  158. henriette

    maybe check dockerhub for any openfires and push them to update, users may rely on that way

  159. Guus

    > The 6% probably hang around places like this, or the forums, etc. and they're the wrong crowd to ask how to reach them

    Yeah, but not being able to ask the other 94% is kind of the stated problem. 😉

  160. henriette

    hairlygirl@conversations.im for rtbl please

  161. MattJ

    henriette, done

  162. henriette

    ty

  163. MattJ

    Guus, look up the reverse DNS

  164. henriette

    and then do whois on that

  165. MattJ

    That should give you their domain, or at least their provider, which you can contact

  166. Guus

    We do not maintain package repos at all. We only offer downloads

  167. MattJ

    Failing that, whois for the IP will give contact addresses

  168. henriette

    just note that reverse DNS sometimes isn't set or may be a remnant from a previous IP holder (on some low end hosts)

  169. Guus

    > do you maintain an rpm/apt repo that people install from? or is no one updated because they have to deploy a jar?

    No jars. We offer platform-specific installers

  170. henriette

    and they have no auto update mechanism?

  171. Guus

    No

  172. Guus

    Only an update check that's reported in the administrative interface

  173. jonas’

    Guus, build an opt-in update notification thing into the next release.

  174. jonas’

    this can be done in a way that it's not privacy invasive

  175. henriette

    and make a deb+rpm repo

  176. jonas’

    (e.g. using a DNS record)

  177. Guus

    > (e.g. using a DNS record)

    🤨

  178. jonas’

    Guus, you could have TXT records for each openfire version with machine-readable content which indicates the security status of that release ("supported", "vulnerable:$fixedVersion", "unsupported") and build code into openfire which looks up the TXT record of its own version and acts according to the result

  179. jonas’

    as DNS resolution generally happens through recursive resolvers, this is pseudonymised.

  180. jonas’

    for example, run `dig TXT auth-3.4.0.security-status.secpoll.powerdns.com`

  181. jonas’

    (to nobody's surprise, powerdns, a DNS server, uses this technique)

  182. Guus

    That'd improve/make more anonymous the already existing update check. My issue is that only 6% of our admins look at the results of such an update check.

  183. jonas’

    oh

  184. jonas’

    make it send a daily message to the admin via XMPP? :-)

  185. Guus

    We Do That

  186. jonas’

    ok, then you're doomed

  187. Guus

    Not daily, but on update availability.

  188. jonas’

    might be your (corporate) audience :|

  189. Guus

    Yeah

  190. jonas’

    Guus, to me, it seems you've done much more than the typical software vendor already and you cannot force people to act responsibly.

  191. Guus

    Thanks. It's kind of heartbreaking to get reports about crypto miners being installed.

  192. jonas’

    indeed

  193. jonas’

    you could also build a kill-switch into the next release.

  194. jonas’

    but I'm not sure if that's ethical

  195. Guus

    Absolutely not

  196. jonas’

    :-)

  197. Guus

    Our stuff is used in military, law enforcement, health care

  198. jonas’

    myeah

  199. jonas’

    that might cause some issues :-)

  200. jonas’

    but is it better if it's shut down controlledly, or when a cryptominer or worse takes over?

  201. henriette

    do you provide a hardened systemd unit with your packages?

  202. jonas’

    but is it better if it's shut down controlledly, or when a cryptominer or worse takes (ransomware in a hospital, yay) over?

  203. Guus

    Well, all of those users are in that 6 percent.

  204. Guus

    > do you provide a hardened systemd unit with your packages?

    No. I don't know what that is, but no.

  205. henriette

    systemd has native sandboxing capabilities

  206. jonas’

    hardened systemd units: you can restrict what a process can do with systemd, such as removing write access to anywhere except specific directories, restricting access to system calls, network families etc.

  207. henriette

    so at least it'd be limited to miner and not a root escalation/total system compromise

  208. jonas’

    *much harder to do full system compromise

  209. Guus

    That's actually a good improvement (but won't help the majority of our instances that are running on Windows).

  210. henriette

    win32 has sandboxing options too

  211. henriette

    but must be directly integrated and may not play nice with java

  212. Guus

    It's worth looking into

  213. Guus

    Yeah, Java is powerful in that way. And with our plugin API, you can pretty much add any custom code that you like.

  214. Guus

    (which is part of the current attack vector)

  215. henriette

    maybe default disable that if possible?

  216. Guus

    Yeah we've been thinking about that

  217. Guus

    It's a heavily used feature though

  218. Guus

    Gotta run. Thanks for the feedback everyone

  219. jonas’

    cs

  220. jonas’

    (ignore)

  221. jonas’

    FWIW, we set this room to moderated to combat the spam. We used to have a bot here which auto-voices server admins, which is currently broken. We'll work on fixing that and then we can also process further voice requests.

  222. jonas’

    (moderated == you can only read, not send messages unless you're "voiced")

  223. henriette

    hairygirl@conversations.im for rtbl please

  224. henriette

    (last one was ly)

  225. Zash

    Guus, posted to https://www.openwall.com/lists/oss-security/ ?

  226. Link Mauve

    Hi, Matrix.org is now making a publicly accessible archive of their rooms (which includes MUCs), you might want to ban their bot if you don’t want that: https://chaos.social/@n0toose/110593475148424017

  227. Link Mauve

    I see it at xsf@ for instance, under the nick archive.matrix.org/faq

  228. Link Mauve

    Or voice your concerns if you don’t think this is a good way to leak all of your chats to the world.

  229. MattJ

    On the one hand, xsf@ is already publicly logged

  230. MattJ

    On the other hand, we control those logs (e.g. I suspect when we remove objectionable stuff, the matrix side won't update)

  231. msavoritias

    also I have no idea I am being logged by a third party when joining the xsf room

  232. Link Mauve

    MattJ, speaking of which, we might want to reduce the verbosity of those logs by hiding joins/parts by default, to make them more easily readable.

  233. henriette

    Would it have to be banned from matrix side, or can it be banned from xmpp side across the bifrost?

  234. henriette

    And weren't most already logged at view.matrix.org?

  235. MattJ

    FWIW their site now says "The Matrix Public Archive is on hold" - "We are reviewing the Matrix Public Archive to ensure that it doesn't break privacy expectations and have taken it down as a temporary measure while we conduct the investigation."

  236. Trung

    I'm getting this when I visit https://archive.matrix.org/

    > We are reviewing the Matrix Public Archive to ensure that it doesn't break privacy expectations and have taken it down as a temporary measure while we conduct the investigation.

  237. MSavoritias (fae,ve)

    yeah there was backlash. (unsurprisingly)

  238. bkil

    henriette: Precisely. static-view has been working just like that since 2017, but due to certain bugs, it can't be reliably used for sharing permalinks to past messages (the whole point of the project in my opinion). Hence why the (badly named) archive was created that is basically just a noJS, server-side rendered Matrix client. It is not meant to persist (i.e., backup, store, aggregate) messages, as that would be prohibitively expensive. If you check the FAQ, they usually only cache messages for minutes, so the moment you make the room invite-only, the public log disappears.

  239. bkil

    I'm also puzzled why a few started a banning spree just now - the first public release of archive-matrix went live almost 1 year ago.

  240. msavoritias

    because probably they don't follow all GitHub repos of Matrix closely?

  241. msavoritias

    it's fair if they found out only now

  242. msavoritias

    aside of all the ethical concerns of course