XMPP Service Operators - 2024-02-25


  1. r00tobo

    > > I fully agree with Steven Roose here. a home connection is not meant for hosting stuff at least if you label it "mission critical" because IM is very sensitive to uptime if it's down then your family or friends can't communicate with you. an ISP outage can last weeks literally. I have seen it
    > Who said a home connection isn't meant for hosting stuff? Your ISP? Don't believe the lies, the internet actually works this way, every end is equal

    I know you can host stuff but unlike phone lines where you can literally self host it 24/7 without even electricity I think ? (last time he used a phone line was in 2006) hosting anything computer related is harder because you need a UPS, you need to protect it from catching fire etc... what about DDoS protection ? if you really want to turn your home into a datacenter fine go ahead. someone on LET (lowendtalk) did that, started selling VPSes from his basement and he got ddos'ed and could not even handle a cheap ddos attack because he used a normal "home" fiber connection. I know the concept of decentralization is nice and ideal but it does not work everywhere this is why proper real datacenters exist otherwise we would not need one. P.S: I know this is off-topic but just had to put my 2 cents. will move this discussion elsewhere if you would like moparisthebest 👍️

  2. moparisthebest

    A UPS doesn't prevent fires... Why do you need DDoS protection for your house? This is all crazy

  3. chunk

    r00tobo: you won that argument, I'd say

  4. agris

    If you have a UPS and a fiber internet connection, you have a business grade line as good as a data center for hosting

  5. agris

    Paying for rack units in a data center is rarely worth it when you already have those things where you're already paying rent

  6. agris

    > r00tobo:
    > 2024-02-24 07:13 (CST)
    > I know you can host stuff but unlike phone lines where you can literally self host it 24/7 without even electricity I think ? (last time he used a phone line was in 2006) hosting anything computer related is harder because you need UPS you need to protect it from catching fire etc... what about DDoS protection ? if you really want to turn your home into a datacenter fine go ahead. someone on LET (lowendtalk) did that started selling vpses from his basement and he got ddos'ed and could not even handle a cheap ddos attack because he used a normal "home" fiber connection. I know the concept of decentralization is nice and ideal but it does not work everywhere this is why proper real datacenters exist otherwise we would not need one. P.S: I know this is off-topic but just had to put my 2 cent. will move this discussion elsewhere if you would like moparisthebest 👍️

    He could have just rerouted his address space to a cloud router and then tunneled the filtered traffic back to his home router

  7. agris

    With ipv6 you can do this easily

  8. agris

    Just learn how to do policy based routing and have multiple routing tables

  9. agris

    There's also MPLS for legacy stuff

  10. jonas-l

    > With ipv6 you can do this easily

    How is this related to v6? Another option are multiple servers with a streaming replication in a primary secondary setup. One could be at home and another at a datacenter. I consider high availability with a single physical location impossible - at home and at datacenters.

  11. jonas-l

    > With ipv6 you can do this easily

    How is this related to v6? Another option are multiple servers with a streaming replication in a primary secondary setup. One could be at home and another at a datacenter. I consider high availability with a single physical location impossible - at home and at datacenters.

  12. Menel

    You're all overthinking it much. You can host from home without all that. And likely you won't get ddos, because you don't host huge public projects there. Real life shows it works. You can always use your backup and use a vps if you do get trouble with that.

  13. chunk

    agris: damnit that's good info man

  14. chunk

    iptables for the win

  15. moparisthebest

    > You're all overthinking it much.
    > You can host from home without all that. And likely you won't get ddos, because you don't host huge public projects there. Real life shows it works.
    > You can always use your backup and use a vps if you do get trouble with that.

    Exactly

  16. Polarian

    > Polarian: yup, same ISP, land line IPv6, mobile...only IPv4

    HE is hanging out IPv6 blocks. and you could use a proxy...

  17. Polarian

    > Everyone should host a server at their own home, normalize home hosting

    -1, although self hosting is good... it's also a good market for those who don't want to host, or don't have the time. Take monocles chat as an example, it's funded through its hosting... Self hosting should be there for those with the skill to do it (and it does require some skill, slapping a RPI in your living room might work, but only to a certain degree) There should be a strong community of hosting providers as well for those who do not want to self host.

  18. Licaon_Kter

    Right, there's a place for all

  19. Polarian

    > Steven Roose: better down than mitm

    Legal MITM is not a security flaw... and speaking about mitigations is illegal depending on the country

  20. Polarian

    promoting avoiding governmental authorities is illegal

  21. MSavoritias (fae,ve)

    security in computing doesn't care about what is legal. it's either secure or it is not.

  22. moparisthebest

    What are you talking about? Nothing anyone else was talking about for sure

  23. moparisthebest

    > promoting avoiding governmental authorities is illegal

    What are you talking about? Nothing anyone else was talking about for sure

  24. Menel

    This is an international room, everyone can post what they see fit for their feeling. The strongest law here is the channel rules

  25. Licaon_Kter

    Polarian: yes, court orders are the law...

  26. Polarian

    > This is an international room, everyone can post what they see fit for their feeling. The strongest law here is the channel rules

    apart from the fact the logs are public and if you start advertising how to bypass the court orders you will get us all in trouble

  27. Menel

    You can always leave if you're afraid, I don't know where you are from to think you might be in danger

  28. Menel

    Surely you must see, that a room can't adhere to all law there is simultaneously. Some may contradict each other

  29. Polarian

    true... but it's generally a good idea to stay on the good side of most

  30. agris

    This isn't a law chat

  31. Polarian

    So you would rather discuss how to break the law... publicly so when some malicious XMPP server is under investigation they will come knocking asking why you told people how to prevent legal wiretaps?

  32. Polarian

    Which is obstructing the course of justice by the way...

  33. agris

    This is offtopic

  34. agris

    A lawyer would be better to ask law questions instead of it nerds

  35. Polarian

    not really... Licaon_Kter referenced the mitm of jabber.ru, and unless I missed some change, this is still a legal wiretap conducted by the cloud provider, discussion on preventing said wiretaps, is potentially illegal and thus shouldn't be done.

  36. Polarian

    I don't want to be on public record condoning discussions on preventing court orders

  37. agris

    No, technical fixes for said wiretap is fine. Arguing what's legal and not about vague problems is offtopic

  38. agris

    > Me:
    > 2024-02-25 10:49 (CST)
    > No, technical fixes for said wiretap is fine. Arguing what's legal and not about vague problems is offtopic

  39. Polarian

    Licaon_Kter point was cloud hosting allows legal wiretaps... should you really be telling people not to use cloud hosting because the authorities might wiretap you? Maybe I am overly paranoid, but especially in 2024 where privacy is seen as hiding illegal content, do you really want to come off as shady in public logs?

  40. agris

    This server is not hosted in the jurisdiction of Russia so you're probably fine

  41. Polarian

    It doesn't take a warrant to look at this MUC's logs...

  42. agris

    Can we move on?

  43. Polarian

    Sure.

  44. Licaon_Kter

    Polarian:
    > Maybe I am overly paranoid, but especially in 2024 where privacy is seen as hiding illegal content, do you really want to come off as shady in public logs?

    So better host somewhere where you can easily be spied on because you got #nothingtohide, right? :))

  45. Polarian

    no comment

  46. Menel

    There isn't even any official confirmation this .ru thing was by the law. And discussing hardening the server is on topic here.

  47. Polarian

    > There isn't even any official confirmation this .ru thing was by the law.
    > And discussing hardening the server is on topic here.

    Hardening servers from the government... ok

  48. Polarian

    s/government/authorities/

  49. Menel

    You may not like it, but this is what peak chat server looks like.

  50. Polarian

    There is a very fine line when it comes to the law... what is security, and what is hiding illegal actions... Personally I would rather authorities ask for data instead of trying to mitm it... but hey ho, can't complain. Also... if the mitm is conducted illegally you could sue your cloud provider :)

  51. moparisthebest

    Polarian: again no idea what you are even talking about, no one mentioned "legal wiretaps" or anything I think someone said MITMs were prevented with DANE/channel binding which is true, best practice, and illegal in 0 jurisdictions so probably just drop it?

  52. Polarian

    This conversation got derailed apologies

  53. agris

    Can someone go into channel binding more specifically and how it helps?

  54. agris

    The problem if you don't own your ip addresses is your provider can take them over and relay them to you. Taking inspiration from the gfoc in active mitm surveillance

  55. agris

    CAA records can be used to restrict which certificate authorities can issue for your domain

  56. agris

    But how can we restrict say, the most popular ca let's encrypt from issuing certificates to a bad guy if they control your ip addresses?

  57. MattJ

    agris: the CAA record can include additional parameters, Let's Encrypt supports including a specific account ID

  58. MattJ

    So they would only issue to that account ID, which only you have the key for (hopefully)

  59. agris

    Another thing I'd like to know is which cloud provider was this attack performed with and if there was any red flags about them that would indicate their willingness to do such things or negligence in netsec

  60. MattJ

    The affected servers were on Linode and Hetzner IIRC

  61. agris

    > MattJ:
    > 2024-02-25 05:16 (CST)
    > agris: the CAA record can include additional parameters, Let's Encrypt supports including a specific account ID

    Is there a guide on how to set that up?

  62. agris

    Linode!?

  63. agris

    Where can I get all the technical details regarding the linode attack?

  64. MattJ

    https://snikket.org/blog/on-the-jabber-ru-mitm/ https://letsencrypt.org/docs/caa/

  65. agris

    Ty

  66. MattJ

    Channel binding is basically some magic that can use the mutual authentication feature of some authentication mechanisms (usually SCRAM) to confirm that the ends of the TLS connection are the same ends as the authentication

  67. agris

    Does anyone have a suricata rule for this: Incoming TCP connections to port 5222 are altered: they have different source port, SEQ/ACK numbers, and appear to arrive without any intermediate routing hops (TTL=64).

  68. agris

    This seems like something that would be trivial to write an ids rule for, if public ip addresses have high TTLs. That would never happen irl