XSF Discussion - 2014-02-21

Zash: thanks. Putting that on the reading list for tomorrow

DHT..

Maranda: ?

oh, does Tobias mention DHTs in that message?

I need to read it again

stpeter, not sure but the whole mention of having a DHT overlay on top of xmpp gives me chills, no trolling intended :) sorry.

actually I know some people building a DHT-based overlay on the entire Internet ;-)

It'd be nice to have a mobile client that gives you a view like WhatsApp (ignoring groups and only showing the list of recent conversations, sorted by recentness)

But I don't think you'll be able to do the 0-step setup unless you compromise in some way.

It's exactly an example of Zooko's Triangle: you can either have it secure, or decentralized, but not both.

xnyhps - I wish Adium gave me the option to sort my chat tabs by recentness too :)

the third edge being usable?

Human-meaningful.

(Human-meaningful in this context because you're trying to link an existing phone number to an account, not because phone numbers are particularly easy to remember)

the twinlife guys had some interesting idea about giving out personalized addresses to each contact -- http://bloggeek.me/twinlife-webrtc-interview/

but I think that is very far from the human-meaningful edge :-/

i wonder why people still get away with "our webrtc thing works on chrome only" without a decent technical reason...

The page isn't clear to me whether that is decentralized or not.

xnyhps: isn't whatsapp a one-step setup?

What step? Picking a display name?

And phone numbers aren't exactly hard to predict / brute-force

xnyhps: you have to at least enter / confirm your phone number

Pretty sure your phone will know its phone number. :P

xnyhps: pretty sure is not factual knowledge. I know that my phone doesn't know its number

Okay, it's clicking "OK" a couple of times, but in a typical setup you wouldn't need to enter anything yourself.

IIRC apple phones are disallowed from getting the phone number at all

I know you can setup WhatsApp on a different device, but its not common and probably not something they officially support.

Ge0rG: I really doubt that. Don't you mean IMEI?

xnyhps: no, I meant phone number

Are phones really aware of their own phone number?

xnyhps: http://stackoverflow.com/questions/193182/programmatically-get-own-phone-number-in-ios

I stand corrected. :)

But does it still do the text message activation?

xnyhps: yes it does. So I assume you have to enter the phone number

Sorry about wading into a discussion that I know little about, but couldn't an app send a text message to the app provider, which would then reveal the phone number?

No.

Or, rather, yes, they could send a text revealing /a/ phone number, but necessarily their own.

I don't think the phone number on texts is strongly authenticated. I could be wrong.

Although I could easily be wrong, and thinking of something else.

alex: update your email template :-)

ups, ya, that was the wrong one ;-)

Kev, Ash: a phone can not easily fake the sender number when sending an SMS, but there are services that can do that. So you'd have to prevent the original SMS from being sent, and fake it from another SMS source

Ge0rG: Preventing an SMS being sent is fairly easy. Just turn off the mobile network.

Kev: it requirese some sophistication at least

the more important point I see is, many people still have to pay for SMS, so it is better to let the provider send an SMS to the customer

Is it possible for an app to receive an SMS? If so you could have the app send an sms to the app provider, and along another channel (https) send a generated token. The app provider could then send an sms back to the number with the token in. I assume this reply would be far more difficult to subvert?

Ash - yes, at least in Android and Symbian you have a receieve priority for inbound SMSs. https://stackoverflow.com/questions/18940286/how-to-make-my-sms-app-is-highest-priority-to-receive-broadcast-receiver

simon, You don't happen to know if the SMS "port number" stuff works in Android, do you?

Oh, turns out it does.

So that might be more reliable than listening to all SMSs.

Done my voting.

Did mine this morning. Not entirely sure how I failed to do it until today.

I typically do it the moment Alex sends the first mail.

Yeah, I confess to being busy. I've tried to be as careful as I can with "yes" votes; to the extent of even voting down people I know quite well, which feels a bit weird.

I applied my normal rules.

significant_contributor_to_the_XSF's_goals() ? yes : no;

Yeah, I just was more struct about XMPP vs XSF this time around.

struct? strict.

Guess what langauge Dave is programming in today.

COBOL?

:P

dwd: I'm not sure what the full list of reasons new members get past my filter is. I think it's largely just standards contributions or outreach.

14/02/22: the second security test day: http://xmpp.org/2014/02/second-security-test-day/