-
MattJ
Hey folks, I won't be able to make the meeting today - sorry for the short notice
-
nyco
thx for telling
-
nyco
time?
-
nyco
ralphm Guus
-
Guus
I'm here
-
ralphm
Here
-
ralphm
set the topic to
XSF Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings
- ralphm bangs gavel
-
ralphm
0. Welcome + Agenda
-
ralphm
Hi all
-
Guus
o/
-
nyco
hey
-
ralphm
I think the primary things are Elections and ED
-
ralphm
So let's start with those.
-
ralphm
1. Elections
-
ralphm
I am happy to see voting has started.
-
ralphm
6 candidates for Board and 5 for Council
-
ralphm
So with that well on the way, and the general meeting on Nov 22, there will be at most two more meetings with the current Board.
-
Guus
Curious: assuming that Council will consist of 5 people again: why vote on exactly 5 candidates?
-
ralphm
Guus: because if the Members really don't want a certain candidate they could vote them out.
-
Guus
What's needed to vote someone out?
-
Guus
0 votes?
-
ralphm
Hmm, that's a good point.
-
Guus
I'm happy to have a vote, but I'm just curious what the point is
-
nyco
switching to Condorcet method?
-
Zash
In theory you could have done a single "Accept these 5 as council?" vote, but that gets messy with bot voting if it falls.
-
ralphm
Well, in membership elections we have yes/no for each candidate
-
ralphm
I don't recall why we use this other method for Council / Board
-
nyco
do we have to improve? what would we be fixing?
-
Zash
Lack of an election committee that puts forward a coherent proposal?
-
ralphm
I think previous elections we always had 6 or more candidates
-
Guus
Assuming that council will have the exact same amount of seats as the number of candidates, a vote is nothing more than a popularity contest. We _might_ want to avoid that.
-
Guus
but I'm totally OK with just doing the dance, and be done with it.
-
nyco
even with more candidates than seats, it is a popularity contest
-
ralphm
Section 3.13 Voting Procedure for Election of Board and Council. Election of individuals to serve on the Board of Directors and on the XMPP Council shall proceed as follows. First, the number of individuals to serve on each body shall be limited beforehand by the Members as specified in Section 4.4 and Section 8.1 of these Bylaws for the Board and Council, respectively. Second, the Members shall vote on the candidates standing for election in accordance with Section 3.9 of these Bylaws. Third, the individuals elected shall be those receiving the highest percentage of votes cast, up to the limit set by the Members and with the proviso that no individual receiving less than a majority of votes cast shall be elected. Fourth, in the case of a tie for the final remaining position, the final individual shall be chosen in accordance with the procedures defined in "RFC 3797: Publicly Verifiable Nominations Committee (NomCom) Random Selection" published by the Internet Engineering Task Force.
-
ralphm
So yes, if more than half of the voters abstain for a particular candidate, they don't get in
-
Guus
ok, good enough for me
-
Guus
thanks for checking
-
ralphm
Moving on then.
-
ralphm
2. Executive Director
-
ralphm
We still haven't had a meeting, I think.
-
Guus
nothing moved on that subject, afaik
-
ralphm
Guus: should we send an e-mail to Peter to find a slot?
-
Guus
yes
-
ralphm
Ok, I'll do so
-
Guus
tx
-
ralphm
3. AOB
-
ralphm
Anything?
-
ralphm
Other?
-
Guus
nothing here
-
ralphm
nyco: ?
-
nyco
nothing
-
ralphm
Good.
-
ralphm
4. Date of Next
-
ralphm
Our penultimate: +1W
-
Guus
wfm
-
ralphm
5. Close
-
ralphm
Thanks!
-
nyco
wow
-
nyco
that was fast
-
Guus
So, on an interesting XMPP tidbit
-
nyco
thx
- ralphm bangs gavel
-
ralphm
set the topic to
XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings
-
Guus
Dutch police recently announced that they were able to read end-to-end encrypted chats between criminals, on a dedicated network. They announced this, as police started to show up so often, that criminals started to make plans to assassinate 'snitches'
-
Guus
from screenshots of the app that they use, it can be deduced that XMPP was used.
-
nyco
Ironthing?
-
Guus
the e2e technology was OTR
-
Guus
yeah, that's it
-
Zash
mod_otr?
-
Guus
dunno, I got this from news clippings only
-
Guus
https://arstechnica.com/information-technology/2018/11/police-decrypt-258000-messages-after-breaking-pricey-ironchat-crypto-app/ <-- first non-Dutch google hit (I have not read it)
-
nyco
is this a real screenshot of the real app? or just a journalist taking a picture he likes?
-
nyco
https://en.wikipedia.org/wiki/Off-the-Record_Messaging#Client_support
-
nyco
https://news.ycombinator.com/item?id=18401561
-
nyco
so, should we obsolete OTR?
-
nyco
not board's duty, but I demand a technical/ethical debate
-
Guus
The ironchat screenshots list messages in Dutch that clearly are example / demo texts.
-
Guus
nyco, did the XSF ever standardize OTR-usage in the first place? I can find only one XEP, which is deferred: XEP-0364
-
nyco
good point
-
Zash
Isn't half the point of OTR that it works regardless of transport?
-
nyco
we should use double-rot13 algo
-
Guus
Zash, I'm just trying to make the point that maybe there's nothing for us, the XSF, to obsolete, even if we wanted to.
-
Zash
Guus: Correct.
-
Guus
I'm not sure by the way if Dutch police actually broke OTR - the article implies that it's just as likely that the implementation that was used was broken.
-
nyco
so any entity other than XSF should issue something? (oh gosh I am so clear and precise)
-
Zash
The XSF could issue an Informational XEP saying "OTR is bad and you should feel bad"
-
nyco
or humourous
-
Zash
:)
-
Guus
I'm not knowledgeable enough to tell if OTR is actually that bad.
-
Guus
I do think it's a bad idea to start writing XEPs on what not to do.
-
Guus
XEP-0999: "Don't do drugs"
-
nyco
what would be XEP-0666 ?
-
Zash
XEP-0666 Selling your soul over XMPP
-
nyco
:)
-
daniel
> I'm not sure by the way if Dutch police actually broke OTR - the article implies that it's just as likely that the implementation that was used was broken.
My understanding is that they man-in-the-middled that
-
daniel
And key verification wasn't very strong
-
Zash
Magic crypto dust didn't save them?!
-
Guus
The irony of successfully doing MIM on a technology that's designed to run in a federated setup...
-
moparisthebest
it's not like that's exactly a new or unknown problem https://www.ejabberd.im/mod_otr 2007-03-30
-
moparisthebest
I wouldn't be surprised if they simply installed an 11+ year old ejabberd module
-
moparisthebest
but that's not as good of a headline as DUTCH POLICE BREAK OTR
-
daniel
Given the amount of refactoring that went into ejabberd I'd be a little bit surprised
-
daniel
But I get your point
-
moparisthebest
given how shoddy the app was at not caring about keys changing, they probably were running an ejabberd from 2007 :)
-
Guus
https://web.archive.org/web/20180419140229/http://blackbox-security.com/index_new.php
-
Zash
https://news.ycombinator.com/item?id=18403477
-
Guus
that's the (now seized) website of the company that sold the solution.
-
Guus
index_new.php <-- meh.
-
moparisthebest
if you are looking for secure code and the website is served from index_new.php I think that should be a sign
-
Zash
Guus: index_new2.php
-
Guus
ah, yes.
-
Guus
So, an old Conversations? nice
-
daniel
> I think it is a copy/fork of Conversations version 1.14.6
Far far from being the only one in that market fwiw
-
Zash
> I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation. Edward Snowden [More Info >>](index_new2.php)
-
moparisthebest
I don't think I used Conversations with OTR, how did it handle key changes?
-
daniel
moparisthebest: not at all. Lol
-
moparisthebest
well, there you go :P
-
daniel
(that's an oversimplification. It would display a warning Snackbar if you had previously verified a key. But chances are you didn't. And by that point it would technically have already been to late. It didn't block the sending like omemo would these days)
-
daniel
Also the old version was a xabber clone. So it's a little bit unclear if those people decompiling on hackernews and the police are talking about the same app
-
jonas’
> 15:05:19 Guus> The irony of successfully doing MIM on a technology that's designed to run in a federated setup...
The irony for something like that to happen to *Iron*(y)chat. Sorry.
-
Andrew Nenakhov
I think they MitMed it after getting access to server console via hosting company.
-
jonas’
seems plausible
-
Andrew Nenakhov
Wanna hear a fascinating story?
-
jonas’
always, although I’ll have to leave in a few minutes (I’ll read the backlog :))
-
Andrew Nenakhov
I think it was me who discovered they are MitMed
-
Andrew Nenakhov
This guy made donations to Xabber development once in a couple of years, a year ago asked us to make file exchange into his extremely modified version of Xabber
-
Andrew Nenakhov
We did
-
Andrew Nenakhov
Since that time he asked me some xmpp related questions from time to time
-
Andrew Nenakhov
Then one day he asks, my otr fingerprints don't match each other
-
Andrew Nenakhov
I say hmm maybe you fucked up code, let me see
-
Andrew Nenakhov
His app was quite hardcore in geocities style
-
Andrew Nenakhov
So I connected to his server with Xabber. Ok. OTR established. Fingerprints don't match.
-
Andrew Nenakhov
I say hmm.
-
Andrew Nenakhov
Long story short, I started to suspect MitM (an idea I dismissed at first, because have you ever been MitMed, really?!)
-
Andrew Nenakhov
Especially telling was that when connected from another server xmpp clients have established separate otr sessions
-
Andrew Nenakhov
And messages did come through only after both client did establish sessions
-
Andrew Nenakhov
Aaaand the most fascinating part, once I told him it's definitely fucked up, I was kicked from the Openfire console! (he gave me access), he was kicked from all his terminals and our XMPP accounts were blocked.
-
daniel
Andrew Nenakhov: maybe *they* kicked you. Not him
-
Zash
THEY!
-
Andrew Nenakhov
Of course
-
Andrew Nenakhov
He connected to me over XMPP, said he had a disagreement with the ex admin, so I suggested he shut down the server and establish a new one, but then he went silent
-
daniel
So there is an mod_otr for OpenFire as well. Not just ejabberd
-
daniel
Interesting...
-
Andrew Nenakhov
Next, I come here and hear this story.
-
Andrew Nenakhov
Oops.
-
Andrew Nenakhov
So I think there's nothing wrong with OTR if you check fingerprints
-
Andrew Nenakhov
But. Perhaps I should talk to Dutch police now.
-
Seve
Andrew Nenakhov, thaaaaaaat is a great story, quite enjoyable :D (given the coincidences)
-
Seve
Thanks for explaining to us :D
-
Andrew Nenakhov
U r welcome
-
jonas’
Andrew Nenakhov, that’s a good campfire story :)
-
jonas’
I like it
-
Andrew Nenakhov
I actually liked the guy. So, hope he doesn't get jailed for long.
-
lovetox
lol 1500 euro phone and 100 euro per month for a mobile xmpp client with otr
-
lovetox
daniel, i think you should rethink your business strategy
-
Andrew Nenakhov
Yeah. And someone said no one can make money from XMPP
-
flow
if it is expensive it has to be good, right?
-
jonas’
somebody around to put https://github.com/xsf/xeps/pull/719 on the Board agenda?
-
Maranda
1500 euro phone? IPhone XS Max 256 :O?
-
Maranda
playing the guess game :P
-
Maranda
Guus, I told some Meetecho fellows to contact you about a possible issue with OpenFire, and maybe that could "help 'em" stop flooding my server with s2s attempts with their things.
-
Zash
Most likely a cheap android phone.
-
Guus
Maranda: k