XSF Discussion - 2014-03-06

  1. Zash has left

  2. Ash has left

  3. Tobias has left

  4. Alex has joined

  5. intosi has joined

  6. emcho has joined

  7. intosi has left

  8. intosi has joined

  9. emcho has left

  10. m&m has joined

  11. m&m has left

  12. emcho has joined

  13. emcho has left

  14. emcho has joined

  15. emcho has left

  16. Zash has joined

  17. emcho has joined

  18. Ash has joined

  19. Lloyd has joined

  20. m&m has joined

  21. martin.hewitt@surevine.com has joined

  22. fippo

    "There is a lesson here. Standards are there to make your life easier." -- http://www.chriskranky.com/amazon-mayday-maybe-using-webrtc-cares/

  23. m&m

    I thought standards are there to prove I'm right, for all values of "right"

  24. fippo

    they're terribly useful for that, too

  25. simon has joined

  26. ralphm


  27. m&m

    sadly too true

  28. ralphm

    but fippo is fixing that, right fippo, right????

  29. Zash has joined

  30. fippo

    later today (-:

  31. fippo

    after talky finally has its turn servers

  32. ralphm


  33. m&m

    btw: there is a TRAM working group that is improving TURN

  34. m&m

    if you're not already paying attention there, I think we should

  35. m&m

    (TRAM working group at the IETF)

  36. fippo

    i'm paying attention

  37. fippo

    but my need for turn is mostly satisfied by draft-uberti-behave-turn-rest ;-)

  38. emcho has left

  39. Zash

    And there's a TRAM session later today

  40. dwd

    Oh, I forgot about DANE.

  41. Zash

    And that's now :)

  42. m&m

    is TRAM today?

  43. fippo

    https://twitter.com/danyork/status/441503787560493056 <-- there was no space left

  44. m&m


  45. m&m

    too many conflicts

  46. dwd

    Zash, Indeed. Is it interesting?

  47. emcho has joined

  48. dwd

    I think, looking at the agenda, I've missed everything I meant to listen in on anyway.

  49. Zash

    m&m: or .. I might have been looking at yesterday

  50. Zash

    so nm

  51. Zash

    dwd: Interesting. But now it's semantics ^^

  52. Tobias has left

  53. Tobias has left

  54. ralphm

    dwd: way to go

  55. Tobias has left

  56. dwd

    In my defence, I've been quite preoccupied recently. :-)

  57. Tobias has left

  58. Tobias has left

  59. emcho has left

  60. Kev

    I'm vaguely regretting only turning up for Tuesday.

  61. dwd

    If timing had been different, I'd have thoroughly enjoyed turning up for the week.

  62. Kev

    This week wasn't convenient for me, I had to be home yesterday.

  63. dwd

    I'll just have to go to Hawai'i instead.

  64. Zash


  65. dwd

    Zash, Someone's got to do the hard jobs, you know.

  66. m&m

    you clearly weren't at the admin plenary; Hawai'i is a terrible burden to go to

  67. emcho has joined

  68. fippo

    but all the important decisions will be made there

  69. dwd

    fippo, Put your expense claim in early.

  70. fippo

    so like it or not, you have to go

  71. Kev

    Right. Certificates for XMPP servers. Do folks still use startcom?

  72. Zash

    Folks do, yes.

  73. dwd

    I went for a Comodo cheap-but-not-free cert.

  74. m&m

    there's quite a few

  75. Kev

    How cheap is cheap, and why is it better than free? :)

  76. dwd

    I think my two certs were somewhere around £15.

  77. dwd

    StartCom are free, but revocation costs about £50, whereas it's free with me.

  78. intosi has left

  79. intosi has joined

  80. m&m

    that is a good point

  81. m&m

    you want revocation to be cheap, in case you get compromised

  82. dwd

    So to some extent, I'm paying for a brand I trust to know what they're doing, and paying an insurance premium.

  83. dwd

    m&m, Right, I don't want to get compromised and *then* stung for a hefty fee.

  84. Kev

    "Starting from £41.95 per year"

  85. Kev

    This sounds like significantly more than £15.

  86. m&m

    I think Startcom is free if you paid for a premium cert

  87. dwd


  88. Kev

    dwd: The text on https://www.namecheap.com/security/ssl-certificates/comodo/essentialssl.aspx, which is the £15ish one, seems to suggest it's single-domain-only (i.e. no MUC child). Sound about right?

  89. dwd

    Ah, yes. My two are single domain. But dave.cridland.net was covered, unlike StartCom.

  90. dwd

    FWIW, I think mine are the top one on that page.

  91. dwd

    I have one for cridland.im and one for dave.cridland.net

  92. Kev

    Ah, the £6/year ones?

  93. dwd

    Right. I think. :-) It was a while ago.

  94. Kev

    It's entirely unclear to me what the difference between PositiveSSL and EssentialSSL is :)

  95. dwd

    Ah, that one has unlimited reissues. Let me dig through and see what I have.

  96. Kev


  97. dwd

    Ah, so I have EssentialSSL certificates. I have a feeling they were on offer when I bought them.

  98. dwd

    So these have a "site seal", which I don't bother with, "mobile browser support", which I don't think means much, and unlimited reissues (ie, for compromise or whatever).

  99. Kev

    Getting two or three EssentialSSL certs seems a tad expensive.

  100. Kev

    £43/year or whatever. Almost worth going with a filthy wildcard at that price.

  101. Tobias

    startcoms wildcards are $60 a year it seems

  102. Tobias

    startcoms wildcards are $60 for two years it seems

  103. dwd

    Hmmm. We could always see if we could persuade a CA or two to give XMPP folk a discount because we're so lovely.

  104. Kev

    Temptation to just get a couple of these £5/year certs is fairly strong. Although I don't see anything about the reissues on the pages.

  105. dwd

    Right, I think on compromise you pay again.

  106. Zash has joined

  107. dwd

    But they have a "live chat" thing which has people who're knowledgeable about these things.

  108. Zash has joined

  109. dwd

    By which I mean they'll be able to tell you about revocation etc, not that they can tell you much of note about odd X.509 features.

  110. dwd

    Kev, Benefits of working for Isode - discover you now know more about X.509 than most CA employees purely by osmosis.

  111. Zash


  112. simon

    you can get free wildcard certs for open source projects from Globalsign.

  113. Tobias

    and startcom charges for all revocations, except for their EV certs http://www.startssl.com/?app=25#72

  114. m&m

    dwd: you almost say that like it's a good thing

  115. simon


  116. dwd

    m&m, If only it was.

  117. m&m

    Tobias: right. "premium" (-:

  118. Kev

    simon: Ta. This is for my own server, rather than an OSS project.

  119. m&m has left

  120. m&m has joined

  121. simon

    Kev: with a free cert from startcom you would be able to cover muc.<domain> and <domain> since they always fill out the altname too

  122. Kev

    Right. That was how this conversation started :)

  123. Kev

    Although if I wanted to bring channels.doomsong back to life, I'd need a third domain :)

  124. Tobias

    or an additional cert just for that

  125. m&m has left

  126. simon

    Tobias: I don't think that would work - at least not from startcom - they notice that you are trying to get another free one for the same domain.

  127. Zash has left

  128. Tobias

    simon, i didn't mean from startcom...right..they'd probably notice :)

  129. intosi

    You can certainly request foo.domain.tld and bar.domain.tld at StartCom.

  130. dwd

    simon, What's actually in a StartCom cert these days?

  131. simon

    no matter what you put in your generated cert, they remove it all and put <domainname> and a hostname portion that you can select.

  132. dwd

    Right, I remember that, but what's in the Subject, and what SANs are in it?

  133. intosi

    for one of my keys, I have roughly this:

  134. intosi

    Subject: description=7u4x3xy29u755HYu, C=NL, CN=owncloud.ik.nu/emailAddress=hostmaster@ik.nu

  135. intosi

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        X509v3 Key Usage:
            Digital Signature, Key Encipherment, Key Agreement
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Subject Key Identifier:
            72:CE:E6:0C:5F:D5:EA:54:BB:F9:A8:42:28:AF:F9:DE:60:DA:9F:F5
        X509v3 Authority Key Identifier:
            keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
        X509v3 Subject Alternative Name:
            DNS:owncloud.ik.nu, DNS:ik.nu
        X509v3 Certificate Policies:
            Policy:
            Policy:

  136. intosi

    That's a regular one, not one I requested for XMPP.

  137. dwd notes intosi has now learnt all the right terms by osmosis, and probably knows what the two-attribute RDN in the subject is called by now.

  138. intosi

    Those have othername fields in the SAN

  139. dwd

    intosi, Right, Sodium will tell you what those are, mind. There's a tool I miss having around.

  140. Kev

    dwd: I think if you'd seen the 16.3 MLC (which doesn't exist yet, but we know what's coming), you'd miss having that around as well :)

  141. Kev

    16.2 MLC is really rather good, mind. What was the last version you saw?

  142. intosi

    Kev, dwd: :D

  143. dwd

    Kev, A R15.X, which was certainly getting there.

  144. Kev

    Ah. Worlds apart :)

  145. simon

    What was the deal with special XMPP certificates a few years ago? What was different about them?

  146. Kev

    simon: They had the right SANs in.

  147. simon


  148. dwd

    simon, As I recall, they listed SANs, but had some funnies around the sRVName SANs they used.

  149. Kev

    dwd: I think the XSF certs were correct, IIRC.

  150. Kev

    Back when we had an ICA.

  151. simon

    Why would a normal alt-name not work?

  152. Kev

    simon: It's not 'not work', it's just that certs should be specialised for the service they're protecting.

  153. dwd

    simon, It would, but older servers were fairly restrictive in what SANs they used.

  154. dwd

    simon, Also, there's no such thing as a "normal alt-name". :-P

  155. dwd

    simon, The Subject is a DN, originally meant to be your entry in the global X.500 directory. The Subject could have alternative names (added in v3), which are all typed. dNSName is the hostname type, and otherName is an extendable type where both sRVName and xmppName live.

  156. intosi

    Which openssl conveniently refuses to display ;)

  157. simon

    dwd: you really need to start a CA

  158. intosi

    simon: we somewhat jokingly discussed this a few years ago, but I think the rough consensus was that running it would be entering a world of pain.

  159. Kev

    In practical terms, yes. Although in technical terms, Sodium CA makes all this rather easy.

  160. dwd

    simon, I've also contemplated a CA based around leap-of-faith verification before.

  161. Kev

    I do have my own CA I use 'internally'.

  162. dwd

    Kev, Technically, yes; I think the objections were more political ones.

  163. Kev


  164. intosi

    Running your own CA isn't the world-of-pain part. Getting your CA accepted as a trust anchor in major browsers is.

  165. Tobias

    the pain of getting it in the major OSes and browsers

  166. Kev

    If it was a CA for XMPP, you don't need to do that.

  167. Tobias

    you'd need to provide guides for all XMPP servers how to add your CA to the trusted ones

  168. dwd

    Kev, That's true, in some respects. Though you need to get it in all the XMPP implementations.

  169. emcho has left

  170. Tobias still failed to add CAcert as trusted on my bsd system....but i haven't spent more than half an hour on that yet

  171. simon


  172. Tobias has joined

  173. Tobias has joined

  174. Tobias has left

  175. m&m has joined

  176. Zash has joined

  177. m&m has left

  178. m&m has joined

  179. emcho has joined

  180. ralphm

    I got an Ubuntu update pushed today that removes CACert as a CA

  181. Zash


  182. Tobias

    ubuntu only or did debian get rid of it too?

  183. ralphm


  184. Zash

    ralphm: What Ubuntu version?

  185. ralphm


  186. ralphm


  187. intosi


  188. ralphm

    looking at the full change list of that ticket reveals it was backported to lucid, precise, quantal, raring

  189. Zash has left

  190. Ash has joined

  191. Zash

    I don't see that update in precise

  192. ralphm


  193. ralphm


  194. Zash


  195. Zash

    Are they actually really removing it completely?

  196. Zash

    As opposed to not having it enabled by default.

  197. intosi

    "No longer ship" seems to suggest they have removed it completely.

  198. intosi

    ralphm should be able to confirm.

  199. ralphm

    ralphm@waar:/etc/ssl/certs$ ls | grep -i cacert
    spi-cacert-2008.pem

  200. intosi


  201. intosi

    It doesn't list /usr/share/ca-certificates/cacert.org anymore.

  202. ralphm


  203. Tobias has left

  204. Tobias has left

  205. MattJ


  206. Zash

    organizationName: Software in the Public Interest

  207. Zash


  208. Zash has left

  209. Zash has joined

  210. Tobias has left

  211. MattJ


  212. Zash

    Where what?

  213. MattJ

    > 13:57:29 Zash> organizationName: Software in the Public Interest

  214. Zash

    Sooooo much lag on the IETF wifi

  215. Zash

    That was re: ralphm> spi-cacert-2008.pem

  216. simon

    Seems like Fedora, Redhat and Suse are also not too keen on CACert inclusion

  217. Zash

    It's likely that it's only in Ubuntu because it's in Debian

  218. intosi

    Hardly anybody was keen on that, mostly because it didn't pass the audit. Of course, recently the found vulnerability and subsequent lack of revocation of the ca key did not improve that. http://www.reddit.com/r/technology/comments/1qj1tz/http_20_to_be_https_only/cddfmz0?context=1 (fourth para)

  219. Zash

    I think CAcert.org themselves aborted auditing while waiting for some changes to be made.

  220. simon

    intosi: great paragraph / nice background.

  221. Zash has left

  222. Tobias has left

  223. Zash has joined

  224. m&m has left

  225. Zash has left

  226. Zash has joined

  227. emcho has left

  228. Zash has left

  229. Zash has joined

  230. Ash has left

  231. emcho has joined

  232. m&m has joined

  233. emcho has left

  234. m&m

    scribing to http://etherpad.tools.ietf.org:9000/p/notes-ietf-89-kitten?useMonospaceFont=true

  235. Lloyd

    BTW thanks to everyone who came to XMPPUK on tuesday. Hope everyone had a good time/got something out of the evening.

  236. ralphm

    Lloyd: even though I wasn't there, thanks for doing that!

  237. m&m

    yes, thank you!

  238. intosi

    Indeed. It was a very good meetup, thanks!

  239. Lloyd has left

  240. Lloyd has joined

  241. Kev

    Lloyd: Yes, thanks. And plenty of pizza :D

  242. Kev

    Well, golly. They're asking for a CSR. I guess I should work out what to put in it.

  243. Kev

    dwd: Any idea if they pay any attention to what you put in it, or if they're just going to trample over and I don't need to bother?

  244. Tobias has joined

  245. intosi

    Most CAs will replace it with the information they have on record anyway, because that's the only info they verified.

  246. intosi

    It's either that, or requiring you to send proof of identity with each CSR.

  247. Kev

    https://www.dropbox.com/s/et86sczq4h76r4u/Screenshot%202014-03-06%2015.45.44.png whaaaaaaaaat?

  248. intosi

    They want to hold your hand installing the signed cert?

  249. Kev

    I assume it's to deliver it in an appropriate format, but I still found it slightly surprising.

  250. Kev

    Oh, or that possibly, yes.

  251. simon

    Kev - which register is that and which register do I need to avoid?

  252. simon

    Some of those products are ancient!

  253. Kev

    Comodo, via Namecheap.

  254. Kev

    But it seems to be to guide you to installation instructions, so it's fine.

  255. dwd

    Kev, I don't think they used anything but the public key.

  256. Zash

    And there, prototype s2sin DANE.

  257. simon

    Zash: excellent. Looking forward to a new weekend project.

  258. Zash

    But I'm back to it being a race condition :|

  259. m&m has left

  260. m&m has joined

  261. m&m has left

  262. Zash

    so, https://www.zash.se/dane-s2s-client.html

  263. fippo

    zash: the "no port" problem sounds familiar....

  264. dwd

    Right, SRV-like is how (IIRC) dane-esmtp works, isn't it?

  265. m&m has joined

  266. m&m has left

  267. m&m has joined

  268. Lloyd has left

  269. xnyhps has left

  270. Bunneh has joined

  271. Zash

    -draft dane-smtp

  272. Bunneh

    Zash: "SMTP security via opportunistic DANE TLS", Viktor Dukhovni, Wesley Hardaker, 2014-02-14, http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-07.txt

  273. Zash

    That one?

  274. Zash

    dwd: I spent yesterday searching for anything existing on s2s client auth, found only this thread: http://www.ietf.org/mail-archive/web/dane/current/msg05110.html

  275. MattJ

    I really disagree with "the stream is not an XML document" viewpoint

  276. Kev

    It's not, as a whole.

  277. MattJ

    Yes, it is

  278. MattJ

    It has an opening tag and an ending tag

  279. Kev

    It has multiple opening tags, and one ending tag.

  280. MattJ

    No, it doesn't

  281. MattJ

    One opening, one closing

  282. MattJ

    You are confusing it with the other unfinished streams that went before

  283. Kev

    Throwing away the state each time you restart is not elegant from the XML PoV.

  284. intosi

    Except that you restart writing out the document without closing it.

  285. Zash

    dwd: But dane-smtp and dane-srv are meant to be in harmony.

  286. Kev

    MattJ: No, you're confusing my use of 'stream'.

  287. MattJ

    So what? Any XML parsing lib lets you throw the parser away and start another

  288. MattJ

    Kev, then say "connection"

  289. Kev

    That's...actually very not true :)

  290. MattJ

    Kev, e.g. ?

  291. m&m has left

  292. Kev

    The number of libraries I had to go through in Java before I found one that let me work on an incomplete stream without waiting for the end was depressing.

  293. Kev

    But this is orthogonal to the stream restart stuff.

  294. MattJ

    That's not quite the same thing

  295. MattJ

    Such libs are clearly not applicable to XMPP :)

  296. Zash

    So you need a SAX parser, we knew that already.

  297. Kev

    That alone is not enough :)

  298. Kev has left

  299. Kev has joined

  300. Kev

    Although this is more a comment on the sad state of Java XML parsers.

  301. Kev has left

  302. Kev has joined

  303. Tobias has joined

  304. Zash has left

  305. Kev

    And doomsong.co.uk finally has an A in the observatory. How nice.

  306. Kev

    (Just so long as no-one looks at the subdomains)

  307. MattJ

    Let's talk about export ciphers

  308. intosi has left

  309. Kev

    MattJ: They're disabled.

  310. simon

    Welcome to the club Kev.

  311. MattJ

    Kev, on jabber.org?

  312. Kev

    Oh, no.

  313. Kev

    Not there :)

  314. MattJ


  315. MattJ

    To continue Tuesday evening's discussion...

  316. MattJ

    Is the suggestion that jabber.org would be breaking the law to disable them? (seems ridiculous to me)

  317. MattJ

    or is the argument that people might be using software that only supports them, and we must allow that?

  318. simon

    I heard Intosi claiming the latter.

  319. MattJ

    From what Kev has said in the past I assume the latter is the case, so I don't know how legality came up in conversation

  320. MattJ

    Well, I suppose xnyhps making a US-centric statement :)

  321. simon

    I can imagine that those old clients using old ciphers are probably unused / installed at one point and sitting in a windows95 taskbar sucking the odd cpu cycle.

  322. simon

    kill the zombies.

  323. MattJ

    Indeed, I honestly think that providing people using such software with insecure service is doing nobody any good

  324. simon


  325. Kev

    MattJ: The claim was made that the old export cypher laws were no longer relevant. This isn't true.

  326. MattJ


  327. Tobias has joined

  328. Kev

    This isn't related to j.org's choice of suites.

  329. MattJ

    Ok, fine

  330. MattJ

    (and good)

  331. simon

    Did Jabber.org take part in the last test-day?

  332. Kev


  333. simon

    How did it work out?

  334. Kev

    Number of S2S dropped a lot, I think, but I didn't check.

  335. Kev

    The main complaints were Google-hosted domains.

  336. simon

    I'm quite encouraged - we started with 2% forced encryption on s2s traffic - that's almost up to 15% now.

  337. Kev


  338. simon


  339. simon

    sorry - been a long day. Tried to kill -9 <file> a few moments ago.

  340. Jef has joined

  341. ralphm has left

  342. simon has left

  343. simon has joined

  344. xnyhps

    MattJ: Now I already made it obvious I don't know much about these laws, but don't they cover only exporting software *itself*?

  345. xnyhps

    So not offering a service?

  346. MattJ

    xnyhps, correct

  347. MattJ

    Also not applicable to open-source software (i.e. OpenSSL, GnuTLS)

  348. MattJ

    I would presume bundling such software with commercial software may be problematic though

  349. xnyhps

    (I did try to read the Wassenaar agreements a week or two ago, but couldn't get further than a couple of lines with all the legalese.)

  350. simon

    Presumably any site offering an HTTPS connection with strong ciphers would be in breach of whatever agreement.

  351. Santiago26 has joined

  352. MattJ

    Well they are all outdated, and don't really match up with the way software, services and the internet work nowadays

  353. intosi has joined

  354. intosi

    Kev: well done.

  355. Santiago26 has left

  356. Santiago26 has joined

  357. intosi has left

  358. Santiago26 has left

  359. dwd

    The cipher export laws in the UK only affect stuff for which the source code is not available (ie, non-open-source), and they're an implementation of EU directives.

  360. dwd

    The problem isn't so much the EU directive, but the fact they're enforced by a bunch of civil servants who're out of their depth.

  361. xnyhps

    Well, if the directive still technically forbids the export of >56 bit symmetric and >512 bit asymmetric encryption, then I'd say it is a problem.

  362. MattJ

    Time to lobby our MPs? :)

  363. xnyhps

    But jabber.org has ciphers enabled that are even weaker than this laws would allow.

  364. xnyhps

    *this law

  365. dwd

    xnyhps, The way it's implemented in the UK is that exported software must have the means to disable "non-export" ciphers, and that those ciphers are off by default. Basically, Isode's licensing keys are largely about implementing this requirement.

  366. MattJ

    dwd, meaning it's fine to ship the software with a way to turn strong ciphers on?

  367. MattJ

    (YANAL, I know :) )

  368. dwd

    The interesting grey area is that it's the use of encryption, and not the implementation thereof, so even using platform crypto is possibly problematic.

  369. dwd

    MattJ, Right, that's what Isode do.

  370. Kev

    If anyone cares about this stuff, https://www.gov.uk/export-of-cryptographic-items

  371. Ash has joined

  372. xnyhps

    Now I'm curious which of the conditions in the Cryptographic Note Isode's stuff doesn't satisfy.

  373. MattJ

    Which ones do you think it does?

  374. xnyhps

    Sold without restrictions sounds likely. Not easy to change is somewhat inherent to it being crypto. Designed to be installed by the user without support, I don't know. Providing details on request, why not?

  375. MattJ

    #1 is arguable, #2... do config files count? I'd say so. #3... my guess is that Isode selling software without support is unlikely and #4 can be complied with by anyone

  376. Santiago26 has joined

  377. Kev

    MattJ: You can't replace the Isode crypto by changing config files.

  378. xnyhps

    MattJ: ‘The cryptographic functionality cannot easily be changed by the user’ means that the manufacturer has taken reasonable steps to ensure that the cryptographic functionality in the product can only be used according to their specification. That suggests that if they define the config files as the specification, they're fine.

  379. Santiago26 has left

  380. MattJ


  381. dwd

    xnyhps, "cannot easily be changed by the user" implies config files are not fine.

  382. simon doesn't let his users change config files :)

  383. Kev

    <!--This is an automatically generated configuration file and must not be manually edited.-->

  384. Kev

    (From an M-Link config file)

  385. Kev

    simon: Does that count as not letting users edit it? :)

  386. MattJ


  387. dwd

    In any case, it looks like I wasn't right; open source would be fine, Isode's stuff would need a license, but you could probably manage to ship a simple closed-source XMPP server under the rules too.

  388. dwd has left

  389. xnyhps

    Well, it probably won't fly to just specify "users can do EVERYTHING with this", but it suggests that you can.

  390. xnyhps has left

  391. intosi has joined

  392. Maranda has joined

  393. Ash has left

  394. Ash has joined

  395. Ash has left

  396. xnyhps has left

  397. Tobias has joined

  398. Tobias has left

  399. Tobias has joined

  400. Ash has joined

  401. intosi has left

  402. Ash has left

  403. Ash has joined

  404. Alex has left

  405. Neustradamus has left

  406. Tobias has left

  407. xnyhps has left

  408. Tobias has joined

  409. Ash has left

  410. martin.hewitt@surevine.com has left

  411. Ash has left

  412. Lloyd has joined

  413. intosi has joined

  414. intosi has left

  415. dwd has joined

  416. xnyhps has left

  417. Tobias has joined

  418. Lloyd has left

  419. Ash has joined

  420. dezant has left