I propose we take a look at LQ1 and subsequently continue filling the Wiki (though I have a little point we may have been forgetting)
jonasw
okay
jonasw
we aren’t lawyers, so how are we supposed to deal with LQ1?
winfried
I must say, I haven't had time to update the wiki, don't know how up to date it is.
pep.
Sorry for the minutes last week, it's been a fun week
pep.
Maybe we want to start drafting a template data policy at some point?
winfried
pep.: I know the feeling... have double appointments on all days of this week
winfried
pep.: yes, I think so, but we first have to see what choices we can/have to make...
Ge0rG
I've had a chat with our GDPR expert, and he said that message content is similar to picture uploads. As long as we treat it as an opaque blob and don't analyze it, art9 doesn't apply. He is going to send me a reference to an according legal analysis some time today
jonasw
uh
pep.
nice
jonasw
that is amazing news.
winfried
Ge0rG: great
jonasw
--- except for your mod_firewall.
pep.
yes
pep.
I was thinking about that
jonasw
(which makes me wonder about bayes filters at big mail corps, but that’s another topic)
winfried
One reaction I got on LQ1 is art. 9.2e
winfried
but that one is without references
Ge0rG
From http://www.privacy-regulation.eu/en/recital-51-GDPR.htm
> The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
winfried
I propose to treat (for now) LQ1 as: "not subject to 9.1"
jonasw
winfried, makes sense to me.
Ge0rG
winfried: 👍
pep.
mod_firewall is not making any derivative data from what it "analyses", and there's no way for us to know what triggered it, right? I mean except if you log it
jonasw
with a huge "UNLESS you analyze the text in any way"
Ge0rG
jonasw: in a way that allows to extract art9 data
winfried
Ge0rG: +1
Ge0rG
my mod_firewall isn't deriving information about sexual / religious beliefs, merely about mass-messages.
jonasw
Ge0rG, did you ask your GDPR expert about the fact that MAM archives are unencrypted and thus operators may access (advertently or inadvertently) message content which contains art 9 data?
jonasw
that was raised by Peter on list I think.
Ge0rG
jonasw: still pending.
jonasw
so you did ask, but not have a reply yet?
winfried
jonasw: does MAM have a consent mechanism? What is its default?
Ge0rG
jonasw: didn't have much time with him
pep.
winfried, I don't think it has at all atm
Ge0rG
jonasw: we fixed that
pep.
jonasw, opt-in although most clients do it when available?
jonasw
winfried, it is normally opt-in (except on Prosody in the past ;-)).
Ge0rG
winfried: there is no GDPR data consent dialog when you enable MAM. Servers and clients will auto-enable it on first use, typically
jonasw
pep., yes, although that’s a problem of the client then.
pep.
yeah..
Ge0rG
so it's rather opt-out
jonasw
not conceptually, and not on the server side.
pep.
Ge0rG, you fixed that in what version of prosody, and when is it going to be deployed :P
Zash
Opt-in by server operator
winfried
This may be a point for an implementation guide.... or so
jonasw
winfried, indeed, it should be mentioned in the MAM XEP.
jonasw
pep., can you add that to the technical TODO?
pep.
that?
Ge0rG
winfried: except that users don't like consent dialogs ;)
pep.
Ah, MAM
jonasw
pep., "Add a note to the MAM XEP about GDPR consent requirements."
Zash
And clients don't expose the settings
Ge0rG
> pep., "Add a note to the MAM XEP about GDPR consent requirements."
👍
pep.
Ge0rG, well.. they'll have no choice, everybody will want to cover their asses now
jonasw
Ge0rG, that message did not follow my reactions draft format!
jonasw
I know because JabberCat didn’t show it properly ;P
Ge0rG
Zash: and the XEP doesn't provide a way to differentiate between "explicitly set" and "enabled by default"
Ge0rG
jonasw: you mean my quote-with-yaxim format that you shamelessly copied?
okay, so LQ1 resolves to "Not 9.1, unless you extract 9.1-ish data from it somehow"
jonasw looks at the wiki to find gaps to fill.
winfried
I was wondering if file transfer needs a special status in the processings XMPP does...
Ge0rG
winfried: I don't think so. it's a direct client-to-client transmission, and the server only sees metadata
Ge0rG
Were we done with Q1.1d S2S?
pep.
Ge0rG, unless BoB?
jonasw
Ge0rG, uhm. In-Band Bytestreams, BoB, HTTP Upload
Ge0rG
I'm pretty sure we have all of that covered by "user content"
jonasw
so unless you happen to do TURN-less jingle (rather rare), I don’t see how that’s client-to-client.
jonasw
possibly
Ge0rG
* typical: with account, MAM/files for a given amount of time
pep.
yeah
winfried
Ge0rG: adding that covers it all?
Ge0rG
winfried: it's in the wiki already
winfried
ah, switching back and forth on a small screen right now... (sitting in the middle of THE care ICT trade in NL right now)
winfried
Q1.1d s2s
pep.
hmm, there's a bit on 1.1d in the wiki, but that's not last week's
winfried
they are notes from earlier meetings
pep.
Also I propose we skip 1.1e, as I don't feel confident going into even more speculation
pep.
IANAL
winfried
looking at Q1.1d, I realized there are two things to cover
winfried
the transfer of the data itself
winfried
and the processing of the data on the other server
winfried
both need a legal ground
Ge0rG
winfried: I'd argue legitimate interest of the user to get messages delivered, for both points.
Ge0rG
winfried: that also implies that the other data processor may not apply processing to the data that goes beyond what's needed for that legitimate interest
winfried
Ge0rG: what article do you mean by legitimate interest?
Ge0rG
winfried: 6(1)b
winfried
Ge0rG: yes agree
winfried
and agree to the limitation you mention
pep.
But we can't assume that can we
Ge0rG
For Q1.1e we should probably write down all these things into a data processing policy
winfried
Ge0rG: exactly, this is something we should cover in Q1.1e
winfried
pep.: in some way we need to 'safeguard' we can assume this
pep.
There might be server admins that will want to assume the worst and ask consent for most things
Ge0rG
pep.: for third-country servers, Art. 49(1)b should apply in the same way as 6(1)b for intra-EU
winfried
Ge0rG: +1
Ge0rG
I'm pretty sure we can say that the user has a contract with the server operator, and that sending data to another user on another server is part of the contract
winfried
Ge0rG: +1
winfried
Do we have Q1.1d covered like this?
Ge0rG
winfried: is incoming s2s different from outgoing s2s?
What about spam protection?
winfried
Those are two questions
winfried
let's brainstorm on the first one first
winfried
outgoing: the originating server operator is responsible for the transfer
Ge0rG
Are there any restrictions on data imported from third countries?
winfried
Ge0rG: no, because the EU has the best data protection laws :-D
pep.
yet
winfried
so outgoing the operator wants to know the incoming server stays to the 'legitimate interest'
Ge0rG
But there is COPA!
Ge0rG
winfried: I don't think we can enforce any kind of remote server processing restrictions at the protocol / logical level.
Ge0rG
winfried: it might be sane to assume all data sent over s2s as "third country"
winfried
incoming: though you may have a different contract with your own users (e.g. we publish everything) you *have* to assume incoming limits to legitimate interest
jonasw
so no storage in MAM?
winfried
Ge0rG: no, that is something that needs to be legally enforced
Ge0rG
winfried: MAM is covered by legitimate interest of the receiver, I'd say
jonasw
even MAM forever?
Ge0rG
jonasw: how is MAM forever different from the receiver putting logs of the chat up into the cloud?
jonasw
it may not be
Ge0rG
jonasw: MAM is controlled by the user(s client)
Ge0rG
so from a legal PoV, the receiving user is responsible for MAM.
jonasw
and that’s what I’ve been saying a few weeks ago but I got shot down here :)
Ge0rG
jonasw: but not by me, as I do agree with that interpretation
jonasw
not sure, maybe I was simply unclear.
winfried checks his guns if he accidentally shot jonasw - oops, gun logs are purged
Ge0rG
so incoming s2s user data: might get stored in receiver's MAM
Ge0rG
also in offline storage, but I'd argue this is still part of the sender's legitimate interest
winfried
I am still chewing on:
» [13:11:05] <jonasw> even MAM forever?
Ge0rG
winfried: what's your issue with that?
winfried
it is disproportionate in any way, but whose responsibility is it?
winfried
It is upon request of the user (hopefully)
jonasw
if it’s upon the request of the User, I’d argue that for the Purpose of storing the messages on the server, the User is the Controller and the Server (Operator) is merely the Processor.
Ge0rG
In theory, MAM should require consent from the user.
jonasw
and thus it’s the users responsibility
Ge0rG
jonasw: that means the user needs to have full control over the data processing, including a way to purge the data.
pep.
As long as there is consent I don't think it's disproportionate. Now, that means we also need to provide means to alter this history?
Ge0rG
pep.: consent from the receiving user?
winfried
user can't be the controller (in the legal sense) but a controller may process when the user wants him to
pep.
Ge0rG, or just prune parts
jonasw
Ge0rG, we need that for MAM anyways, I think?
pep.
Ge0rG, yes receiving
jonasw
tombstoning is at least provisioned. purging everything *up to a date* is possible, too.
winfried
yes
Ge0rG
jonasw: will MAM auto-purge if you disable it?
jonasw
Ge0rG, I sure hope so :)
pep.
I find tombstones useless, as it will only be for this particular user, the rest don't have to respect that, but well. purging has different use-cases
winfried
Ge0rG: that should be added to the MAM-XEP too...
Ge0rG
winfried: I tend to agree.
pep.
Is there a way to disable even
pep.
Also MAM MUC is separate right?
Ge0rG
pep.: yes
Ge0rG
and yes
winfried
On a MAM MUC: policy of publishing logs should be published
> If the user is entering a room in which the discussions are logged to a public archive (often accessible via HTTP), the service SHOULD allow the user to enter the room but MUST also warn the user that the discussions are logged.
winfried
(Yes, I can live with a tech todo on announcing log publication)
jonasw
winfried, MUC MAM access should be clearly defined (tech TODO), and there’s a presence status code for public logging (some clients already show that)
pep.
Ge0rG, yes, so that's handled already which is good, but it is a concern
winfried
Spam handling for next meeting
pep.
I can't do +1, can do +2 and more
Ge0rG
I can't do this time Wed or Thu.
winfried
this week is not possible for me... or it should be friday on 16:00 CEST
Ge0rG
+1 for Fri 1600CEST
pep.
Fine by me
winfried
jonasw: Friday 16:00 CEST?
pep.
The spam handling question is in relation to 9.1 right? or not just?
winfried
pep.: yes, we may enter the realms of 9.1 there, but we may also run into some different issues, like automated decision making
winfried
(to add more fun to it....)
pep.
Does that fall under anything? it's "analysing" right?
pep.
I mean worst that can happen to that is 9.1 right?
jonasw
winfried, hm, that’s tricky for me
jonasw
but I can arrange that once
winfried
jonasw: If possible, that would be great
jonasw
okay
Ge0rG
pep.: the question is probably whether we can do spam detection without going outside of 6.1
jonasw
will do
pep.
Ge0rG, yeah
winfried
jonasw: thanks
pep.
We should also try to see where we are with the goals at some point, regarding the "deadline"
pep.
Fri 1600CEST it is then
pep.
*bang*
winfried
I think we are chewing away slowly
winfried
but doing a great job, bit by bit things are getting clear
winfried
and I think we are closer then we expect!
pep.
I should try to come up with some requirements for the EULA XEP
winfried
keep up the job!
pep.
I have no idea what to use protocol-wise, but we can do that later
winfried
pep.: yes, think we are about at that point, Q1.1e
Ge0rG
pep.: I think we should first create the general EULA/ToS structure, then see which parts of it need encoding
winfried bangs the gavel once again, good work guys!
Ge0rG
There is also https://en.wikipedia.org/wiki/P3P
pep.
nice
pep.
I wonder why that is "obsolete"
winfried
yes, it is, but probably an overshoot for our purposes
pep.
"[..] P3P has not been implemented widely due to the difficulty and lack of value."
winfried
it is hard to uniquely encode legal stuff to computer code
pep.
Lack of value as in, every website has a privacy policy?
pep.
right
winfried
no pressing legal needs, not high enough fines ;-)
winfried
the GDPR may resurrect it...
pep.
nah I think everybody's got their own framework nowadays
pep.
At least the big ones
winfried
pep.: it tries to solve an esoteric problem that most people neatly try to ignore
winfried
even in the medical world (where legal status is a big issue), everybody loves to ignore the problems that come along with it
winfried
or to state it differently: if you can communicate about a problem, you also need to solve it...
Ge0rG
Ah, my coworker sent me some info re 9.1: profile photos of employees are not article9 related data as long as they are not analyzed
pep.
What does analyze mean here?
pep.
If they're displayed internally that's ..?
pep.
That requires consent I assume
winfried
pep.: categorized to categories like: 'gender, color of skin, skin-disorders, gaydar result' etc
winfried
displaying needs consent
winfried
have to go now, see you on friday
pep.
see you
UsL
gaydar haha
UsL
I guess it's time to submerge in the GDPR stuff. Haven't really had the time yet. This meeting made me curious
pep.
Ge0rG, so if we regard messages as opaque, that means we can also do the same for emails right. That would definitely simplify things here at work
Ge0rG
pep.: yes, I'd say so
Ge0rG
pep.: same spam caveats apply
pep.
Yeah
pep.
Though, for company emails that's different right? Maybe the company can assume that everything that's done under company email is for work (even if I know it's never always the case)
Maranda
> winfried: I don't think we can enforce any kind of remote server processing restrictions at the protocol / logical level.
> winfried: it might be sane to assume all data sent over s2s as "third country"
🕺
moparisthebest
The watchdog’s actions prompted Kremlin officials to move from Telegram to the ICQ chat service, owned by billionaire Alisher Usmanov’s Mail.ru, for communications with Russian and international media.
moparisthebest
soooo, ICQ still exists? wow
Maranda
Yes
Ge0rG
ICQ is owned by Russia now? wow
vanitasvitae
Ge0rG: as is vKontakte :)
UsL
a far leap from the Israeli Mirabilis..
Ge0rG
Mossad, CIA, FSB. It's been a long journey
UsL
indeed : )
moparisthebest
The expert believes that another way to blackmail inattentive server owners is by creating snapshots of the exposed servers and contacting companies after May 25, asking for a Bitcoin ransom not to report the company to EU authorities, where they stand to receive a hefty fine.
moparisthebest
ha who knew EU was introducing a new way to blackmail companies? thanks EU ! :)
Maranda
well so Cisco Jabber is actually capable of STARTTLS on s2s streams 🤔
Maranda
why not enabling that on cisco.com then
Maranda
pft
fippo
maranda: it is. iirc you only get that if you talk to the people over there though
Maranda
fippo I'm not sure I understand, a lot of users on my server have cisco.com contacts and cisco.com never encrypts, that's why I need to still have an exception for it.
Holger
Maranda: Same here. And yes Cisco Jabber does support STARTTLS on s2s.
fippo
maranda: s/people/admins/
Maranda
🤔
fippo
from what i heard they need to enable tls for a particular peer domain. but that was ~5 years ago
Maranda
fippo, and they don't enable it on cisco.com ? lol
waqas
I think he means they need to enable it for your domain
waqas
That seems like such a pain
Maranda
waqas, and I repeat: *and they don't enable it on cisco.com ? lol*
Maranda
😏
fippo
cisco.com admins have to enable tls for your domain.
Maranda
cisco.com *IS* the domain
fippo
you run cisco.com?
Maranda
No I don't
Maranda
But I'm connecting to it
Zash
...
Maranda
(via s2s)
Maranda
(and vice versa)
fippo
so cisco.com will look at your domain, check its config "is this guy trustworthy to enable tls?" and probably not find anything
Maranda
. . .
Zash
Maranda: Pretty sure you wrote a plugin that does exactly this.
Maranda
Ok sorry I got it now, and it's hilarious.
Maranda
So,
Maranda
*they* have to enable tls for s2s on a particular *remote* domain? *REALLY*?
Maranda face desks.
fippo
job security for the admin. i've seen similar things in lync
Maranda
Zash, mine is an exception to make it work, this is just purely demented.
Maranda
fippo, and I didn't catch "peer" when reading, tired eyes/brain :)
fippo
at least you don't start scratching your eyes out now that you understood it :-)
moparisthebest
our lync only federates if the admins explicitly set it up for specific remote domains
moparisthebest
basically ruins the concept of federation, but ¯\_(ツ)_/¯
Maranda
that's fair
Maranda
not enabling tls *if offered* without admin intervention is dumb imho.
moparisthebest
yes that does seem far dumber
Zash
What's wrong with per remote feature settings? Other than the usual _encrypt all the things_
Maranda
If I respond nothing other than, will that trigger some trap? 😎
Zash
You will be locked in a room along with a packet capture and not let out until you find the layer 8 problem in the encrypted stream.
Maranda
Disabling TLS does make sense if the other end does have issues with it or not support, the other way around: E_DOESNT_COMPUTE
Maranda
Hehe
Holger
You can enable TLS for all s2s connections in Cisco Jabber these days.
Maranda
Holger, yes I found out stumbling on buffalo.edu
Ge0rG
Hm. The only contact I had on Cisco.com changed his job recently, so I can't care much any more
edhelas
That's maybe a sign
Maranda
Ge0rG, I still see traffic, also there are some more contacts from, I think, hosted domains, also nike.com
waqas
Lync was the other service I was thinking of where I had to deal with this. I'm happy I haven't had to deal with Lync in a few years…it's great for job security though
moparisthebest
it's "Skype for Business" now, and blue instead of green, still can't reliably send files though so at least some things don't change
waqas
It was very much enterprise, MS tech people helping us set it up failed (because we had a cloud based environment, and they had a very weird set of hardware and network topology requirements…)
Ge0rG
I'd love to know how to federate with Lync from my XMPP server. Or even how to login from XMPP as a given Lync user.
moparisthebest
the lync admins have to set up a special XMPP federation bridge
moparisthebest
and in practice it seems no one does this
Ge0rG
What if our Lync is hosted in O365?
moparisthebest
I used to have a lync transport from xmpp, using libpurple-sipe and such, but it broke years ago
Ge0rG
libpurple. I'm not going down that road.
waqas
MattJ: Had we succeeded in the Prosody-Lync bridge, or did we never manage it? I recall it being a works-with-ejabberd product, not proper XMPP.
moparisthebest
ours is on O365 and federation is still something they have to turn on manually, maybe it's just an admin setting there? don't know
waqas
IIRC it was sensitive to e.g., certain consecutive parts of the stream being in the same TCP packet or not, etc. Lots of other fun things we ran into. Skype for Business UX also is terrible.
waqas
(dumb stuff like sending an XMPP message to someone wouldn't show a notification, so they'd never know)
Maranda
🤔
moparisthebest
all the time we get a popup in the corner 'PERSONX sent you a message [accept] [ignore]'
moparisthebest
and then you click accept, and you don't see the first few messages they sent before you clicked accept
moparisthebest
I honestly don't know how people think this is a good system
Maranda
didn't you need some Lync Edge Server vattelapesca thing for xmpp federation?
waqas
moparisthebest: Ask your admins :P
waqas
Yes, it's a bridge
moparisthebest
the best thing is just a braindead policy decision
waqas
We were annoyed enough that we were considering if it'd be saner to use a Prosody->SIP->Lync setup
moparisthebest
we must use contractors for new development, contractors can have VPN access to our systems, contractors cannot have lync accounts, so we can't IM them
moparisthebest
I ended up setting up an IRC server and https://kiwiirc.com/ on a dev server :'(
Maranda
I don't wanna know the usual CAL junk in le MS Fashion behind something like Lync though (one of the reasons everyone needing M$ is going cloudy these days)
Maranda
(the CALs are "included")
moparisthebest
now corporate is spamming us with these emails to use "Yammer" which as far as I can tell is a microsoft workplace facebook/twitter clone or something
moparisthebest
who would seriously want to do this?????
Ge0rG
So everyone agrees Lync is a horrible mess. But nobody has an XMPP-based drop-in replacement with screen sharing and VoIP
Zash
Jitsi?
moparisthebest
doesn't matter, lync screen sharing and voip never works
moparisthebest
we use webex for that
Ge0rG
moparisthebest: screen sharing works well here, voip mostly
moparisthebest
voip on lync has *never* worked for us, we use conference calls or webex
moparisthebest
screen sharing used to work until about a month ago
moparisthebest
then they decided to fix the terrible latency by reducing quality to a point where you can't read letters anymore
moparisthebest
so, now it is also useless
waqas
Ge0rG: An XMPP replacement wouldn't help. Those who could already jumped over to Slack (I know a few orgs which migrated to Slack from enterprise IM solutions).
waqas
I think the Lync team has learned that given how their product is sold to enterprise exec teams, usability and quality doesn't actually impact the bottom line.
Ge0rG
moparisthebest: hm. interesting point. I had bad lags with a coworker today, but I blamed his wifi
moparisthebest
that seems correct waqas , it's just part of the exchange/outlook package
Ge0rG
waqas: I don't care about Slack and I'd love to migrate our 20-person business away.
Ge0rG
waqas: unfortunately, the Outlook / calendar integration is a huge selling point
waqas
And integration with the MS stack in general, the admin tools, policies, etc
Ge0rG
Yeah, but I suppose I could convince my coworkers with a better mobile UX if we keep screen sharing and possibly VoIP
waqas
How's skype for business on mobile? I've only seen it on desktop
Ge0rG
waqas: it sucks. Pretty bloated app, and you don't get messages to both Desktop and mobile
Ge0rG
So you have message loss along the way
Ge0rG
Kind of like xmpp without 0198 and carbons
Maranda
And crashes on startup sync in the best Skype tradition?
Maranda
:P
Maranda
or not?
moparisthebest
our stuff is hosted on O365 but still only allows connections from the work VPN
moparisthebest
so it's the worst of both worlds
jjrh
Kinda surprised enterprises are going slack considering it's like $8 a seat.
jjrh
I mean $80 a month for 10 users is pretty steep
Zash
That's probably nothing for an ENTERPRISE
Ge0rG
Yeah, or they just stick to the free plan somehow
jjrh
I'm not sure it's a great deal for enterprises who need like 1000 seats.
MattJ
Any idea how much Lync costs?
Maranda
jjrh, for 5000 users with M$ Exchange you may end up paying something like $800k a year
Zash
Any idea how much the coffee consumed by 1k people costs?
jjrh
Maranda, yeah but exchange provides a whole lot more than chat.
Maranda
(that's licensing)
jjrh
I mean that's still nutty to me but considering email is in many cases more critical than even phones I can see businesses justifying it.
Maranda
jjrh, hmm, not really, besides some very nutty cases of course :P
Maranda
jjrh, and it doesn't provide that much; spam-wise, for example, Exchange doesn't support SPF, DMARC or DKIM iirc, only O365/OWA (Hotmail) does.
SamWhited
protip: enterprises don't care at all how much it costs as long as they can get a demo, good support, and a fixed and predictable price that includes the ability to expand service in the future. $8 per seat is *nothing* compared to the cost of the paycheck of all the people who will have to set it up and deal with it.
Maranda
SamWhited, not at that level :P, in fact you won't see a single ISP (besides Microsoft itself) ever deploying Exchange.
jjrh
SamWhited, I mean I totally get that and I'm not suggesting enterprises deploy and support their own solution for chat, but it seems like $8 per seat (and their enterprise version is like $12) isn't a great deal when, say, https://about.mattermost.com/pricing/ has $3.25 a seat and 'custom pricing' for when you have a lot of users.
jjrh
I dunno, maybe mattermost sucks, never used it
Maranda
but of course 8*5000 = 40k so it's doable :P
Maranda
12 per seat as well
SamWhited
Does mattermost provide them with a person who flies out and does a demo?
SamWhited
Do they provide SLAs? Really good tech support?
jjrh
Probably
Maranda
I wonder how people will do with the recent Slack introductions
SamWhited
I have no idea, they might, but the price just doesn't matter at all.
Maranda
in terms of privacy
jjrh
I'd be curious how much profit slack is actually making. Maybe their pricing is to offset the free offerings, and their hosting costs are dirt cheap so they don't really need many customers
SamWhited
Also, places that used to buy from a previous job I was in did heavy risk analysis: will mattermost go out of business tomorrow and we'll have to switch again? Not likely, but maybe. Will Slack? Probably not.
Maranda
(Like that a team owner or something has access to all the data, even private messages)
SamWhited
Do you not have that with mattermost? Because that's also a plus for slack in the enterprise space if so
Zash
compliance logging and such, yeah
SamWhited
But anyways, point was that price doesn't matter at all. It's probably not even part of their considerations. Stuff like that does.
jjrh
I'm not sure I would bank on slack staying in business. Chat is fickle, and a logical thing for voip providers to start selling.
jjrh
I would think that enterprises would be a little nervous about having their chat data hosted in datacenters they don't own. Maybe if you're dropping half a million a year slack will do whatever you want.
SamWhited
Yah, that part is the tough one. Depending on who you are and what you do, a lot of places really have to have a behind-the-firewall version, which is why HipChat Server makes so much money.
fippo
cisco also had some fancy stuff about full encryption (including search) for spark. selling point, apparently
SamWhited
oh nifty, I didn't know that; I really wanted to try to build something like that while at HipChat but couldn't convince anyone that it would be a selling point.
Most BigCorps have adopted the cloud by now, so on-premise chat servers are only interesting for medical and military services now
jjrh
They have adopted the cloud but their own cloud
jjrh
and on-premise is more "on our vpn"
Ge0rG
jjrh: not my experience with multiple big customers
jjrh
Interesting. I would have thought there would be legal implications depending on where the server is located, and a risk that the SaaS company could be compelled to give up your data if they run into issues.
SamWhited
Ge0rG: that's actually what I've found to be true for the most part. At ThreatGRID we couldn't do anything that wasn't a physical on-prem device because we serviced a lot of financial sector people, but at HipChat Server we *only* supported AWS, because basically everyone had their private networks hooked up to Amazon or entirely within Amazon.
Ge0rG
jjrh: that was my initial guess as well, but if you are an international company, you are susceptible to the laws of whoever wants your data anyway
SamWhited
So outside of finance and military stuff, everyone seemed to be fine with "private clouds"
Ge0rG
"private" networks.
SamWhited
They're private, because if they're not, Amazon gets sued for billions of dollars. They have good incentive to make them as private as possible.
Ge0rG
Yeah, seeing an enterprise with 100k+ employees fully embracing O365 made my head spin.
SamWhited
0365?
Ge0rG
Microsoft Office 365, the cloud offering
Zash
0 or O
SamWhited
ahh,
SamWhited
I assumed you did not mean XEP-0365, or RFC 365, neither of which made sense but both of which I thought of in the context of this chat
jjrh
But isn't the difference here that if you use slack they are running 100% of the show? Today they might be on AWS, tomorrow on some other service, but you as a customer really don't have any say regarding that.
Ge0rG
Zash: fix your font
SamWhited
heh, they look completely different in my terminal and I still didn't notice that that was an "O"