I'll be at FOSDEM on saturday, if anybody wants an OMEMO fish sticker :P
SamWhited
andy: Now I'm really sad I won't be there!
bjchas joined
andy
SamWhited, give me your address and I'll mail you some
SamWhited
andy: Appreciated, but that's okay, probably not worth it to mail them all the way from the other side of the pond :)
SamWhited
(and I'm moving this weekend and am not entirely sure what my new address is anyways…)
kalkin
andy: they look awesome!
ralphm
SamWhited: never to late to book a ticket
ralphm
too late
SamWhitedtries to decide if an OMEMO sticker and some ribs are worth ~900 USD…
kalkin
SamWhited: Yeah we all could share a beer in bruessel on saturday :)
kalkin
SamWhited: let your company pay it. It's hmm .... an educational trip!
kalkin
:)
SamWhited
kalkin: They might, I haven't asked; I'm actually just really busy right now. I probably should have asked at least a month in advance though
artyhas left
ralphm
SamWhited: so no hipchat people at all?
SamWhited
ralphm: I don't think so; I was hoping the Jitsi guys were going to go, but I think they said something about doing something else that week too
SamWhited
We'll see; I'll ask my boss about it.
kalkin
SamWhited: 👍
ralphm
Jitsi used to do the Lounge with us, really sad they cancelled for this year
SamWhited
ralphm: Yah, I think they were pretty upset about that too. I know Emil was looking forward to it.
ralphmnods
winfried
ralphm: who will be contacting aloft?
thorsten
Is here a party planning?
ralphm
I'd be happy to do that, but the list on the wiki isn't really filling up. Unless this is all, which would be disappointing
winfried
last call on the mailing list?
stpeterhas joined
ralphm
winfried: yeah
ralphm
I'll try to do that today
intosihas left
andy
SamWhited, international postage is literally under 1 euro. I don't mind. It would probably just take a while to get there. But I've printed up way more stickers than I can possibly use anyway ;)
SamWhited
andy: Awesome! Sounds good then.
thorsten
andy: omemo stickers? ;)
intosi has joined
Lancehas joined
intosi has left
intosi has joined
Lancehas joined
dwdhas left
winfriedhas left
foss81405971has joined
foss81405971has joined
Flow
dwd: how are PEP nodes with access-model roster related to privacy lists? Or did I get your comment in council@ wrong?
danielhas left
Lance
Flow: servers generally already have an implementation for doing access controls based on roster groups, because of pep/pubsub. so it shouldn't be too much additional complexity for a server to also implement roster group blocking if that is added to the blocking xep
Flow
Lance: I see, the question still is if we want that
Lancenods
Flow
I'd like the idea of an ad-hoc based blocking xep
Flow
so servers can implement what they want
Flow
and the client UI would be more or less similar, no matter which client is used
Flow
that, and remove the "list" from privacy lists and then most people would be happy I believe
Jake1984has left
Jake1984has joined
soulhas left
soulhas joined
Flow
What I wonder is, if we need a mechanism to inform the user about blocked stanzas/messages, and if so, how it should look like
Flowhas left
Zash
Flow: What direction?
Lance
that is already in the blocking xep, iirc, for outgoing things that are to blocked users
Lance
i would not expect to be informed that someone blocked you, if you try sending a stanza to them
Flow
Zash: incoming
Flow
i.e. a blocked entity send you a message
Lance
oh, that direction
Zash
That ... that's weird
Flow
but I always believe that the solution should be similar to what we do with email these days
Flow
i.e. a spam folder
Flow
and that's most likely not related to blocking
Zash
Did y'all see my post to the list?
Flow
because if you block someone you usually really do not want to receive anything from him/her
Flow
Zash: hard to tell :)
Zash
well, it was to operators becasue I replied to stpeter who posted to operators
Zash
Probably would have made sense to reply to standards@ too
Lance
Zash: +1, the current reporting mechanisms are not really aimed for use by end users
Zash
XEP-0287 which was mentioned seems to assume we already have the filtering in place
waqashas joined
Flow
Zash: I do believe you can use xep287 without filtering
Flow
a server could always add <report/> and let the client report spim
Flow
or maybe even report spim over s2s
Flow
isn't that what you wanted? an easy way to report spim?
Zash
I'm a bit tired but it is not obvious to me how that would work
Zash
I was thinking something simple like this https://www.zash.se/simply-report-spam.html
Lance
+1. Add a user enterable description/reason, and maybe allow forwarding the original stanza
Flow
or use the stanza-id to link the original stanza
Flow
Zash: that does look similar to xep287 spim report
Zash
I wrote this before I saw 287
Flow
(which should also use xep359 IDs to link the spim stanza)
Ashley Wardhas left
Zash
Flow: IDs assume that the server has those stored.
Zash
I don't want to assume that
dwdhas left
Zash
I also don't want to attach more data to every stanza if it can be avoided
Flow
optional
dwdhas left
Lance
The main thing lacking from 287 is optional user provided feedback, and ability to send a report without requiring a server to stamp additional data into stanzas for that purpose.
Lance
Its about more than just spam, we need a way for users to report harassment and other policy violations that aren't strictly spim
Lance
Which might not be the result of a single, particular stanza
Zash
Yeah
Lance
Arguably covered by http://xmpp.org/extensions/xep-0157.html
dwdhas left
Lance
but it would be nice to have a more structured query, to ensure that the abuser jid is included correctly
Zash
Sounds like what I had in mind for the thing above :)
Lance
yep! just add a user comment field and i'd +1 it
Lance
the remaining question would be where to send it
Lancehas left
soulhas left
Lancehas joined
Zash
To something that supports it
Zash
Either the bare server jid, your own account or maybe a remote thing that accepts reports
intosi has joined
dwd
Flow, You've got to do group-lookup by jid to do the access-model anyway, so the privacy list additions in terms of code would not be huge.
winfriedhas left
dwd
Zash, Lance - I'd seriously look at STIX/IODEF for the reporting. I really don't like reinventing the wheel, and given they're both XML anyway it makes sense.
Flowhas joined
Zash
dwd: But NIH!! And huge XML spec
fippo
dwd: but isn't xml out of fashion?
Lance
yeah, i'd prefer to keep things simpler for clients to implement / users to use. use iodef/stix for inter-server reporting
Zash
You could write an informational spec that describes the absolute minimum of IODEF you would need as a client
SouLhas left
SouLhas joined
tim@boese-ban.dehas joined
tim@boese-ban.dehas left
hexa-has left
foss81405971has joined
thorstenhas left
thorstenhas joined
foss81405971has joined
intosi has joined
Lancehas joined
Lancehas joined
foss81405971has joined
Martinhas left
Lancehas joined
Lancehas joined
goffihas left
dwdhas left
thorstenhas left
Lancehas joined
Lancehas joined
thorstenhas joined
boothj5has joined
intosi has left
Flow
I guess that absolut minimum would be something like xep287 reporting or simply-report-spam.
intosi has joined
Alexhas left
ralphm
and/or creating a mapping to it from a custom protocol you define. We did something similar with things like geoloc
Jake1984has joined
stpeter
I'll note that we did have a bespoke format for the inter-server reporting earlier on and I changed it to IODEF because of standards compliance & existing code libraries. Zash is right that we could define a slimmed down profile of IODEF for client-to-server reporting, although a simple command that forwards a message and flags it as abusive doesn't seem completely wrong.
ralphmnods
Flow
don't forget about the use case where you just want to report a malicious jid
Lancehas joined
Lance
Given the importance of the feature, I'm in favor of whatever will lead to clients and servers actually implementing it, and a simpler spec seems best for that.
Flow
such report should come optionally with a stanza in question (or a link to it's id) and a more detailed reason (spam, harrasment, fraud, ...)
Flow
Lance: exactly my thought
sezuanhas left
stpeter
sure, I don't disagree
stpeter
Flow: don't we know that a JID is malicious based on a particular stanza? (message, presence invite, etc.)
Flow
stpeter: not sure, if there is always a stanza to report at hand
Zashhas joined
Flow
but anyway the information that matters most is the JID, all other information (stanza, exact reason, ...) should be optional IMHO
stpeter
Sure.
dwdhas left
artyhas joined
Ashley Wardhas joined
sezuanhas joined
SamWhitedhas left
danielhas left
intosi has joined
stpeter
Flow: yes, I think you're right - and let's keep the reporting as simple as possible
moparisthebesthas left
Kev
> Flow: don't we know that a JID is malicious based on a particular stanza? (message, presence invite, etc.)
Not really. <body>Hi there!</body> isn't malicious. Once. By the hundredth time they probably are as a set.
SamWhitedhas left
danielhas joined
Flowhas left
danielhas joined
moparisthebesthas joined
tim@boese-ban.dehas joined
tim@boese-ban.dehas joined
danielhas joined
intosi has joined
boothj5has left
Lance
I've started some conversations with people working on abuse handling problems on various social media, and have gotten some useful feedback that I'll write up and send to standards@
danielhas left
Lance
One of the interesting points is that blocking really needs a sharing component to really do the job of mitigating/preventing abuse. otherwise the user has to receive & react to everything. (Which could be a substantial amount on other networks)
Lance
So at minimum, opening up my blocklist to let people on my roster see it would be a big help. Even better would be a way to make incorporating friends' block lists automatic (subscriptions?)
foss81405971has joined
stpeter
huh interesting
Lance
federation makes things harder, of course :/, but there are other things to automatically filter on, such as age of accounts
Lance
most of that information would only be available inside each service, though
fippo
age of account... we tried that in psyc ~2003 lance :-)
Lance
fippo: as is tradition
fippo
it is still somewhat useful if the remote server is not evil. e.g. the case of a "public server" that gets abused
danielhas joined
stpeter
I don't think that most XMPP servers have kept track of that
intosi has joined
stpeter
although this account I'm using goes back to 1999 :P
danielhas left
danielhas joined
narcode
:D
narcode
nice
stpeter
I'm still intrigued by reputation systems but I don't know if they're truly useful in practice ... http://xmpp.org/extensions/xep-0275.html
SamWhitedhas left
narcode
look complicated but could be really accurate“>For each room in which the user is banned (XEP-0045 "outcast"), divide the room's reputation by 10 and decrement the user's score by the result”
Lance
my server always returns a score of 100 for me, naturally :p
moparisthebesthas joined
tim@boese-ban.dehas left
Lance
but I think that aside from 1) making it easy for users to report and 2) making it easier to populate block lists based on my network of friends, its a service operations problem, and not a protocol one
Lance
as in, new protocols won't solve things. operational work is needed
fippo
so apparently i've been logged in five years with one account and four years with the other since that feature was implemented. but that is way too little, probably there is a bug in t he counting!
fippo
reputation systems can make sense if we assume that it is evil clients abusing an open server
stpeter
fippo: I think we have a mix of evil servers (less common) and evil clients abusing open servers
stpeter
e.g., I'm pretty sure that buycc.me was/is an evil server
boothj5has joined
boothj5has left
foss81405971has joined
stpeterhas left
boothj5has joined
goffihas left
goffihas left
fippo
right. but there is quite some value in "public servers" (I have a hard time avoiding the term "open relay") coordinating against spam from evil clients
intosi has joined
stpeterhas joined
waqashas left
foss81405971has joined
waqashas joined
Ashley Wardhas left
stpeter
yes
stpeter
by public server you mean a server that allows essentially anyone to register an account?