XSF Discussion - 2018-02-20


  1. Guus

    If a server would like to be able to let its clients look up a semi-static, web-based resource, do we have a mechanism for that?

  2. Guus

    XEP-0215?

  3. jonasw

    I’m not sure

  4. jonasw

    HTTP over XMPP?

  5. jonasw

    what are you trying to achieve?

  6. Seve

    The MUC participants list?

  7. Guus

    I'm trying to let clients figure out the URL for a webrtc conference service that can be used

  8. jonasw

    ah

  9. jonasw

    hm

  10. jonasw

    no idea :-)

  11. Ge0rG

    put it into the server's disco#items

  12. flow

    I think the issue is that we have multiple mechanisms for that

  13. flow

    but basically a well-known location to lookup, if it's disco#info, xep215 or just a defined IQ

  14. jonasw

    Ge0rG, for it to be useful in disco#items it needs to reply to disco#info (to discover its identity and features)

  15. Ge0rG

    jonasw: right.

  16. flow

    is an external webrtc based conference really an identity of an XMPP entity?

  17. flow

    guess it depends on how tightly coupled they are

  18. jonasw

    flow, no

  19. jonasw

    but the issue is that the disco#items item has ~no information

  20. flow

    jonasw, you mean only crude hacks would allow the URL of the webrtc conference service to be included in disco#info?

  21. jonasw

    flow, I’m confused

  22. flow

    yeah, me too

  23. flow

    so you are actually talking about the item, hmm

  24. flow

    ok, sure you need a follow up disco#info on the item, as you already said, then you could possibly put the URL into a form field of the disco#info response

  25. jonasw

    the question is, what would be the JID+node of the item?

  26. flow

    well if you want MUCs to announce a related webrtc conference, then it would be simply the MUCs bare JID I'd say

  27. flow

    Guus, does that help?

  28. Guus

    Sorry, got dragged into a phone call

  29. Guus

    well, it's not always related to an existing MUC. I'd also like to use this for people to invite each other into a new 1-on-1 call

  30. Guus

    Flow brought up the same alternatives as that I found

  31. Guus

    plain discovery doesn't feel quite right. I'd like to prevent running something custom, so that leaves 0215 - my concern there is that it's highly geared towards STUN/TURN - or at least, that's how I've used it.

  32. Guus

    I'll try to see where 0215 gets me, and work from there.

  33. Guus

    Thanks guys.

  34. jonasw

    \o/

  35. jonasw

    make sure to report back, so that we can maybe get that Un-Deferred

  36. Guus

    I've actually implemented it in Openfire

  37. Guus

    In some setups, Jitsi is also using it

  38. Guus

    so, yeah, maybe dusting that off isn't the worst idea

  39. Guus

    I think Prosody has two modules for it

  40. Tobias

    so what do people do against subscription spam?

  41. Holger

    One idea is requiring a CAPTCHA ...

  42. Tobias

    what clients support that?

  43. Tobias

    what clients support that?

  44. Guus

    I've actually not had spam in a long time

  45. Guus

    I did blacklist some domains though

  46. Tobias

    i get 2-3 spam requests a week or so

  47. Guus

    I'm also reaching out to server admins from where I see spam, with mixed results.

  48. Guus

    I've added xep-0157 support in the last release of Openfire, which should gradually start to help with that, in the future

  49. Zash

    I usually check if source servers have in-band registration enabled and if there's any 157 addrs, then block.

  50. Guus

    and yeah, I want to do the captcha thing too, server-sided, but haven't found the time yet.

  51. Holger

    Tobias: Well you'd include an HTTP(S) URL in the <body/> for those clients that don't support it. (But quite a few do I think.)

  52. Zash

    captcha-like thing that's just a user-set question with a predefined answer sounded promising, anyone looked into having that serverside?

  53. Guus

    Zash, there's an XEP for it that appears to cover it pretty well

  54. Zash

    Oh?

  55. Guus

    I don't know if I like its suggestion of tying it in with privacy lists, but at least it's a definition that we can already use, today.

  56. Guus

    let me find it

  57. Guus

    -0159

  58. Zash

    -xep 159

  59. Bunneh

    Zash: Spim-Blocking Control (Standards Track, Deferred, 2006-07-11) See: https://xmpp.org/extensions/xep-0159.html

  60. Guus

    it doesn't explicitly tell you to do CAPTCHA, but it does explain how the server-sided blocking process should work, and when it should start spim recognition procedures

  61. Seve

    I like user-set questions, but the problem on the other hand may be providing several questions, one for each language you speak, for instance.

  62. Seve

    I haven't checked the XEP though

  63. Zash

    -xep pars

  64. Bunneh

    Zash: Pre-Authenticated Roster Subscription (Standards Track, Experimental, 2017-02-16) See: https://xmpp.org/extensions/xep-0379.html

  65. Ge0rG

    Zash: can we have an automatically maintained JID whitelist for all JIDs that a local user ever sent messages to?

  66. Ge0rG

    Also I really dislike the word "spim".

  67. Zash

    seriosuly pointless instant messages

  68. Guus

    Ge0rG, 0159 refers to those lists as 'correspondents lists'

  69. Zash

    Ge0rG: Technically, with MAM, you do.

  70. Zash

    `SELECT DISTINCT "with"` pretty much

  71. Ge0rG

    Zash: are we talking `SELECT DISTINCT with`?

  72. Ge0rG

    Eww.

  73. Ge0rG

    That has O(fail) complexity

  74. Zash

    Ge0rG: My point is, it can be derived from MAM data already.

  75. Ge0rG

    Zash: except for the "ever" part

  76. Holger

    Ge0rG: Privacy people won't like you keeping such metadata forever!

  77. Zash

    Ge0rG: Why tho?

  78. Ge0rG

    Holger: bloom filters everywhere!

  79. Ge0rG

    Zash: as a whitelist against incoming spam

  80. Holger

    Isn't the MAM data good enough in practice for whitelisting people from anti-spam mechanisms? In case that was the idea.

  81. Ge0rG

    Holger: maybe, except if you don't use mam

  82. Holger

    Then you're an unhappy person anyway.

  83. Guus

    if you haven't talked to someone long enough for them to still be in your mam archive... yeah.

  84. Holger

    Ge0rG: I'm still a bit undecided on whether to like how we can offer an IM solution with server-side storage being optional vs. hating this fact because we need to solve everything twice, for the MAM and for the non-MAM case.

  85. Zash

    Can't we be happy with rosters (and directed presence) as whitelist?

  86. Holger

    If I bug you with a Prosody question despite you not being on my roster, I'd prefer you not also having to cope with a CAPTCHA because you're probably annoyed by my question anyway.

  87. Zash

    We have a chatroom for that :)

  88. Holger

    But I'm a user, I prefer bugging you in private.

  89. Zash

    Not that I really believe in CAPTCHAs anyways

  90. Holger

    Yes they're not the proper solution. But a hack that works better than other hacks, in my book.

  91. Holger

    I still think the proper solution is SpamAssassin. Auto-classifying traffic based on as many factors as we can get hold of.

  92. Holger

    Well the proper solution is ditching capitalism.

  93. Guus

    does SpamAssassin work for non-email environments?

  94. Holger

    Guus: No I just meant the concept.

  95. Guus

    kk

  96. MattJ

    Holger, I'm less convinced that will work with IM, since messages are shorter

  97. MattJ

    All it takes is spammers to adapt to sending 'Hi' messages, although what they currently send is pretty email-like (whole advert in a self-contained message)

  98. Holger

    MattJ: But then again we have things email doesn't have, such as the roster, and proper s2s authentication.

  99. Guus

    There's no one silver bullet here. We'll likely need multiple, partial solutions.

  100. Holger

    MattJ: The email body is just one of *many* things SpamAssassin looks at.

  101. MattJ

    That is true, but in any "learning" anti-spam system, it's just going to learn that not being on the roster is a very high indicator of spam

  102. MattJ

    which is just what we knew already :)

  103. MattJ

    I can count the number of times I get legitimate out-of-roster messages in a year on the fingers of a single hand

  104. Holger

    Exactly? I'm just proposing to take all such indicators into account, add them up and divide by 42, look at the resulting score and decide.

  105. MattJ

    and for a normal user, I'd expect that to be even lower

  106. Holger

    So you'd rather not look at other indicators and just block strangers or what?

  107. Holger

    Single hand per year sounds realistic to me (actually it's a bit more for me I think), and I'd rather not kill that communication off.

  108. MattJ

    No, I'm just saying I don't think the added complexity is worth it compared to a human figuring out the same factors (and there aren't many)

  109. Holger

    I think there are actually quite a few factors a server can look at but a user can't.

  110. Holger

    Traffic frequency, blacklists, I don't know.

  111. Holger

    And I believe we could get a good classification rate without having to bother the user. Like we can for email. I might be wrong of course.

  112. Zash

    Stick all the classifiers we know into a tag on the message?

  113. Zash

    Wasn't one of the spam XEPs something like that?

  114. Zash

    -xep spim markers

  115. Bunneh

    Zash: Multiple matches: Spim Markers and Reports https://xmpp.org/extensions/inbox/spim.html Spim Markers and Reports https://xmpp.org/extensions/xep-0287.html

  116. Zash

    Bunneh: how about you skip the inbox one if it's published?

  117. Ge0rG

    Holger: the problem with a server-side classifier is that it needs to delay messages

  118. Holger

    Ge0rG: Because?

  119. Ge0rG

    Holger: to gain sufficient context to identify spam patterns

  120. Ge0rG

    Holger: like "(presence followed by message with a link) sent to ten users"

  121. Holger

    Well this sounds like just one of many things you could check, to me. If it seems too undesirable, don't do it.

  122. Holger

    I heard of someone getting good results with simpler mod_firewall rules.

  123. Ge0rG

    Holger: mod_firewall can't block presence that comes right before the spam message.

  124. Zash

    Holger, Ge0rG: It stops being Instant Messaging if you gotta hold on to stuff for checks before delivering.

  125. Ge0rG

    Zash: let me tell you about the irony of your response taking over three hours.

  126. Tobias

    :)

  127. Zash

    I was out

  128. Ge0rG

    Zash: with CSI, that presence subscription will be delayed anyway.

  129. Holger

    Subscription request should not be delayed.

  130. Ge0rG

    Still, I'm sure we could delay spammy looking things for like 10 seconds

  131. Ge0rG

    And that would give us a window of opportunity to detect spammy patterns

  132. Holger

    But imagine someone says something WRONG and you can't respond IMMEDIATELY.

  133. Zash

    THE HORROR

  134. Zash

    That would just violate the entire purpose of the Internet !

  135. Ge0rG

    I'll violate the purpose of the internet now and go offline.

  136. Guus

    Don't overreact guys. There will still be images of cats.

  137. moparisthebest

    well then spammers would just wait 11 seconds Ge0rG

  138. moparisthebest

    it's *always* going to be an arms race

  139. moparisthebest

    there is no solution, only 'good enough for now'

  140. Zash

    as long as the incentives and the roi are there

  141. Holger

    https://www.eveonline.com/article/p4g5k3/preparing-for-the-future-retirement-of-eve-voice

  142. Kev

    OK, this was not a channel I expected to see linking to Eve.

  143. Kev

    That ejabberd?

  144. Holger

    No idea.

  145. Holger

    Ah so I learnt from Neustradamus that this is old stuff. Wasn't aware and the article's date says 2018-02-20 ...

  146. SaltyBones

    not convinced

  147. SaltyBones

    the forum thread it links to is also recent

  148. Kev

    Holger: It's not old stuff, it's newly announced today.

  149. Kev

    And yes, it's a fork of ejabberd.

  150. Kev

    Or, at least, CCP have a fork of ejabberd on github.

  151. Neustradamus

    Kev: Yes but an upgrade of ejabberd, not a new service, XMPP has been used for a long time :)

  152. Kev

    Why would CCP lie?

  153. Kev

    I think some sort of reference is in order here.

  154. Ge0rG

    That's something we need to put on our marketing banners either way!

  155. Ge0rG

    "listen, KDE dudes and dudettes! Eve Online is using xmpp, and you can too!"

  156. Guus

    as are riot games, right?

  157. Guus

    League of Legends (or what's it called)?

  158. Ge0rG

    Guus: yes and yes.

  159. Ge0rG

    Is there an online gaming imperium running in the matrix?

  160. SamWhited

    I suspect the KDE people's use case is significantly different from an online game's chat system, unfortunately

  161. SamWhited

    Although it's probably still good marketing

  162. daniel

    Some other game engine (maybe unreal?) also has an xmpp client built in for team chat

  163. Ge0rG

    I think the strength is rather in match making, where you need to have a real time connection to many thousands of users, and not so much for chats in a small team that's exchanging data all the time anyway

  164. daniel

    Oh yeah that might be right. Just stumbled over the api docs one day. Never really questioned what exactly they are using it for

  165. Guus

    daniel, game-wise, I know that Quake-live used it.

  166. Guus

    I'm actually considering parsing the user-input provided in our setup field named 'database URL' to drop [ and ]

  167. Guus

    The template that we provide is: jdbc:postgresql://[host-name]:5432/[database-name]

  168. Guus

    we just had someone with problems, connecting to [localhost]

  169. moparisthebest

    are those valid characters for the database-name part though?

  170. moparisthebest

    but you could also just change that to HOST-NAME-HERE

  171. Guus

    I'm guessing that we save more people from their own stupidity than bother those masochists that actually use [ or ] in a database name.

  172. moparisthebest

    you can change some stuff, but in the end, you can't fix stupid :)

  173. Guus

    maybe don't ask for the URL, but use explicit fields for hostname and databasename

  174. moparisthebest

    in my experience that's a bad time, unless you only ever support postgresql or something

  175. moparisthebest

    because different jdbc drivers take different crazy arguments you can only supply via URL

  176. Guus

    nah, a couple different ones. but all basically require a host, port and some kind of database identifier. We can change the input field label where needed.

  177. moparisthebest

    I have to do this for example jdbc:mysql://localhost:3306/rcrdit?user=rcrdit&password=rcrdit&serverTimezone=America/New_York

  178. Guus

    and the people that want to use a URL, are savvy enough to simply use our XML config instead.

  179. Guus

    databasename=username=password, nice :)

  180. moparisthebest

    oracle has a whole thing about using a host:port:instance-or-something vs host:port/service-name

  181. moparisthebest

    and you can't set those separately without tying your code exclusively to oracle at compile-time, if you don't just use the URL

  182. moparisthebest

    yea as long as you keep a URL an option it should be fine

  183. moparisthebest

    also on everything matching this is example config :)

  184. moparisthebest

    my point being had to set the serverTimezone in the URL which is obnoxious

  185. Guus

    (on a side-note: can't you configure that server-side in mysql - something like: 'these are the default client connection params')

  186. moparisthebest

    you'd think, the jdbc driver still crashed though, didn't look into it much

  187. Neustradamus

    https://oldforums.eveonline.com/?a=topic&threadID=665867 :)

  188. moparisthebest

    it's probably like charset in mysql where you have to set it all 16 places

  189. Guus

    yeah, mysql is fun :)

  190. moparisthebest

    migrating to postgres has been on my todo list awhile now

  191. moparisthebest

    hard to fix what ain't broke though when other stuff needs fixing :)

  192. Guus

    I know the feeling all too well

  193. Kev

    Neustradamus: What's the relevance of that link?

  194. Kev

    That Eve corps commonly use XMPP servers for pings is common knowledge, and unrelated to Eve chat.

  195. moparisthebest

    it says "It's an Instant Messaging server for EVE players, with some EVE API integration."

  196. Kev

    Some player ran an XMPP server and sold access to Eve players.

  197. Kev

    I'm still missing the relevance.

  198. moparisthebest

    ah I see

  199. Neustradamus

    https://engineering.riotgames.com/news/chat-service-architecture-servers 2015 here

  200. pep.

    "and thanking opponents for a good game." haha

  201. pep.

    I'd be interested to have stats for that, I believe insults are more frequent

  202. Holger

    Neustradamus: That one I'm aware of, but Riotgames is unrelated to CCP/Eve, no?

  203. Kev

    Yes.

  204. Neustradamus

    Kev: http://uu.diva-portal.org/smash/get/diva2:408940/FULLTEXT01.pdf maybe better here?

  205. jjrh

    If I'm making an online game why on earth would I roll my own chat system when something like XMPP already exists?

  206. jjrh

    with a long list of deployments serving huge numbers of users :)

  207. jjrh

    Did RIOT employees ever write or contribute any XEPs?

  208. Kev

    Is that important? If every user of XMPP needs to write a bunch of XEPs, we're probably not doing a great job.

  209. jjrh

    no certainly not - just interesting

  210. stefandxm

    riotgames .. same as riot entertainment? :D

  211. stefandxm

    "I survived riot entertainment" :o