XSF Discussion - 2016-01-13

Board, anyone? I think Laura is still in a meeting that's running over.

hi

Just us, then.

bear, ?

Oh, well. ralphm - anything happening with the Summit? And anything you need help with?

nothing I can think of

Just got some stickers delivered

Excellent. We like stickers

They look great

http://upload.strb.org:8081/bOdqEobC58xhgApH2NtkknvDG9s/uAzVHRT6YH8q4/97f14f1b7506484fa57532112ca25509.jpg

:)

I'll be at FOSDEM on saturday, if anybody wants an OMEMO fish sticker :P

andy: Now I'm really sad I won't be there!

SamWhited, give me your address and I'll mail you some

andy: Appreciated, but that's okay, probably not worth it to mail them all the way from the other side of the pond :)

(and I'm moving this weekend and am not entirely sure what my new address is anyways…)

andy: they look awesome!

SamWhited: never to late to book a ticket

too late

SamWhited: Yeah we all could share a beer in bruessel on saturday :)

SamWhited: let your company pay it. It's hmm .... an educational trip!

:)

kalkin: They might, I haven't asked; I'm actually just really busy right now. I probably should have asked at least a month in advance though

SamWhited: so no hipchat people at all?

ralphm: I don't think so; I was hoping the Jitsi guys were going to go, but I think they said something about doing something else that week too

We'll see; I'll ask my boss about it.

SamWhited: 👍

Jitsi used to do the Lounge with us, really sad they cancelled for this year

ralphm: Yah, I think they were pretty upset about that too. I know Emil was looking forward to it.

ralphm: who will be contacting aloft?

Is here a party planning?

I'd be happy to do that, but the list on the wiki isn't really filling up. Unless this is all, which would be disappointing

last call on the mailing list?

winfried: yeah

I'll try to do that today

SamWhited, international postage is literally under 1 euro. I don't mind. It would probably just take a while to get there. But I've printed up way more stickers than I can possibly use anyway ;)

andy: Awesome! Sounds good then.

andy: omemo stickers? ;)

dwd: how are PEP nodes with access-model roster related to privacy lists? Or did I get your comment in council@ wrong?

Flow: servers generally already have an implementation for doing access controls based on roster groups, because of pep/pubsub. so it shouldn't be too much additional complexity for a server to also implement roster group blocking if that is added to the blocking xep

Lance: I see, the question still is if we want that

I'd like the idea of an ad-hoc based blocking xep

so servers can implement what they want

and the client UI would be more or less similar, no matter which client is used

that, and remove the "list" from privacy lists and then most people would be happy I believe

What I wonder is, if we need a mechanism to inform the user about blocked stanzas/messages, and if so, how it should look like

Flow: What direction?

that is already in the blocking xep, iirc, for outgoing things that are to blocked users

i would not expect to be informed that someone blocked you, if you try sending a stanza to them

Zash: incoming

i.e. a blocked entity send you a message

oh, that direction

That ... that's weird

but I always believe that the solution should be similar to what we do with email these days

i.e. a spam folder

and that's most likely not related to blocking

Did y'all see my post to the list?

because if you block someone you usually really do not want to receive anything from him/her

Zash: hard to tell :)

well, it was to operators becasue I replied to stpeter who posted to operators

Probably would have made sense to reply to standards@ too

Zash: +1, the current reporting mechanisms are not really aimed for use by end users

XEP-0287 which was mentioned seems to assume we already have the filtering in place

Zash: I do believe you can use xep287 without filtering

a server could always add <report/> and let the client report spim

or maybe even report spim over s2s

isn't that what you wanted? an easy way to report spim?

I'm a bit tired but it is not obvious to me how that would work

I was thinking something simple like this https://www.zash.se/simply-report-spam.html

+1. Add a user enterable description/reason, and maybe allow forwarding the original stanza

or use the stanza-id to link the original stanza

Zash: that does look similar to xep287 spim report

I wrote this before I saw 287

(which should also use xep359 IDs to link the spim stanza)

Flow: IDs assume that the server has those stored.

I don't want to assume that

I also don't want to attach more data to every stanza if it can be avoided

optional

The main thing lacking from 287 is optional user provided feedback, and ability to send a report without requiring a server to stamp additional data into stanzas for that purpose.

Its about more than just spam, we need a way for users to report harassment and other policy violations that aren't strictly spim

Which might not be the result of a single, particular stanza

Yeah

Arguably covered by http://xmpp.org/extensions/xep-0157.html

but it would be nice to have a more structured query, to ensure that the abuser jid is included correctly

Sounds like what I had in mind for the thing above :)

yep! just add a user comment field and i'd +1 it

the remaining question would be where to send it

To something that supports it

Either the bare server jid, your own account or maybe a remote thing that accepts reports

Flow, You've got to do group-lookup by jid to do the access-model anyway, so the privacy list additions in terms of code would not be huge.

Zash, Lance - I'd seriously look at STIX/IODEF for the reporting. I really don't like reinventing the wheel, and given they're both XML anyway it makes sense.

dwd: But NIH!! And huge XML spec

dwd: but isn't xml out of fashion?

yeah, i'd prefer to keep things simpler for clients to implement / users to use. use iodef/stix for inter-server reporting

You could write an informational spec that describes the absolute minimum of IODEF you would need as a client

I guess that absolut minimum would be something like xep287 reporting or simply-report-spam.

and/or creating a mapping to it from a custom protocol you define. We did something similar with things like geoloc

I'll note that we did have a bespoke format for the inter-server reporting earlier on and I changed it to IODEF because of standards compliance & existing code libraries. Zash is right that we could define a slimmed down profile of IODEF for client-to-server reporting, although a simple command that forwards a message and flags it as abusive doesn't seem completely wrong.

don't forget about the use case where you just want to report a malicious jid

Given the importance of the feature, I'm in favor of whatever will lead to clients and servers actually implementing it, and a simpler spec seems best for that.

such report should come optionally with a stanza in question (or a link to it's id) and a more detailed reason (spam, harrasment, fraud, ...)

Lance: exactly my thought

sure, I don't disagree

Flow: don't we know that a JID is malicious based on a particular stanza? (message, presence invite, etc.)

stpeter: not sure, if there is always a stanza to report at hand

but anyway the information that matters most is the JID, all other information (stanza, exact reason, ...) should be optional IMHO

Sure.

Flow: yes, I think you're right - and let's keep the reporting as simple as possible

> Flow: don't we know that a JID is malicious based on a particular stanza? (message, presence invite, etc.) Not really. <body>Hi there!</body> isn't malicious. Once. By the hundredth time they probably are as a set.

I've started some conversations with people working on abuse handling problems on various social media, and have gotten some useful feedback that I'll write up and send to standards@

One of the interesting points is that blocking really needs a sharing component to really do the job of mitigating/preventing abuse. otherwise the user has to receive & react to everything. (Which could be a substantial amount on other networks)

So at minimum, opening up my blocklist to let people on my roster see it would be a big help. Even better would be a way to make incorporating friends' block lists automatic (subscriptions?)

huh interesting

federation makes things harder, of course :/, but there are other things to automatically filter on, such as age of accounts

most of that information would only be available inside each service, though

age of account... we tried that in psyc ~2003 lance :-)

fippo: as is tradition

it is still somewhat useful if the remote server is not evil. e.g. the case of a "public server" that gets abused

I don't think that most XMPP servers have kept track of that

although this account I'm using goes back to 1999 :P

:D

nice

I'm still intrigued by reputation systems but I don't know if they're truly useful in practice ... http://xmpp.org/extensions/xep-0275.html

look complicated but could be really accurate“>For each room in which the user is banned (XEP-0045 "outcast"), divide the room's reputation by 10 and decrement the user's score by the result”

my server always returns a score of 100 for me, naturally :p

but I think that aside from 1) making it easy for users to report and 2) making it easier to populate block lists based on my network of friends, its a service operations problem, and not a protocol one

as in, new protocols won't solve things. operational work is needed

so apparently i've been logged in five years with one account and four years with the other since that feature was implemented. but that is way too little, probably there is a bug in t he counting!

reputation systems can make sense if we assume that it is evil clients abusing an open server

fippo: I think we have a mix of evil servers (less common) and evil clients abusing open servers

e.g., I'm pretty sure that buycc.me was/is an evil server

right. but there is quite some value in "public servers" (I have a hard time avoiding the term "open relay") coordinating against spam from evil clients

yes

by public server you mean a server that allows essentially anyone to register an account?

yeah.

nod