XSF Discussion - 2018-11-08

Hey folks, I won't be able to make the meeting today - sorry for the short notice

thx for telling

time?

ralphm Guus

I'm here

Here

XSF Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

0. Welcome + Agenda

Hi all

o/

hey

I think the primary things are Elections and ED

So let's start with those.

1. Elections

I am happy to see voting has started.

6 candidates for Board and 5 for Council

So with that well on the way, and the general meeting on Nov 22, there will be at most two more meetings with the current Board.

Curious: assuming that Council will consist of 5 people again: why vote on exactly 5 candidates?

Guus: because if the Members really don't want a certain candidate they could vote them out.

What's needed to vote someone out?

0 votes?

Hmm, that's a good point.

I'm happy to have a vote, but I'm just curious what the point is 🙂

switching to Condorcet method?

In theory you could have done a single "Accept these 5 as council?" vote, but that gets messy with bot voting if it falls.

Well, in membership elections we have yes/no for each candidate

I don't recall why we use this other method for Council / Board

do we have to improve? what would we be fixing?

Lack of an election committe that puts forward a coherent proposal?

I think previous elections we always had 6 or more candidates

Assuming that council will have the exact same amount of seats as the number of candidates, a vote is nothing more than a popularity contest. We _might_ want to avoid that.

but I'm totally OK with just doing the dance, and be done with it.

even with more candidates than seats, it is a popularitt contest

Section 3.13 Voting Procedure for Election of Board and Council. Election of individuals to serve on the Board of Directors and on the XMPP Council shall proceed as follows. First, the number of individuals to serve on each body shall be limited beforehand by the Members as specified in Section 4.4 and Section 8.1 of these Bylaws for the Board and Council, respectively. Second, the Members shall vote on the candidates standing for election in accordance with Section 3.9 of these Bylaws. Third, the individuals elected shall be those receiving the highest percentage of votes cast, up to the limit set by the Members and with the proviso that no individual receiving less than a majority of votes cast shall be elected. Fourth, in the case of a tie for the final remaining position, the final individual shall be chosen in accordance with the procedures defined in “RFC 3797: Publicly Verifiable Nominations Committee (NomCom) Random Selection” published by the Internet Engineering Task Force.

So yes, if there more than half of the voters abstain for a particular candidate, they don't get in

ok, good enough for me

thanks for checking

Moving on then.

2. Executive Director

We still haven't had a meeting, I think.

nothing moved on that subject, afaik

Guus: should we send an e-mail to Peter to find a slot?

yes

Ok, I'll do so

tx

3. AOB

Anything?

Other?

nothing here

nyco: ?

nothing

Good.

4. Date of Next

Our penultimate: +1W

wfm

5. Close

Thanks!

wow

that was fast

So, on an interesting XMPP tidbit

thx

XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

Dutch police recently announced that they were able to read end-to-end encrypted chats between criminals, on a dedicated network. They announced this, as police started to show up so often, that criminals started to make plans to assassinate 'snitches'

from screenshots of the app that they use, it can be deduced that XMPP was used.

Ironthing?

the e2e technology was OTR

yeah, that's it

mod_otr?

dunno, I got this from news clippings only

https://arstechnica.com/information-technology/2018/11/police-decrypt-258000-messages-after-breaking-pricey-ironchat-crypto-app/ <-- first non-Dutch google hit (I have not read it)

is this a real screenshot of the real app? or just a journalist taking a picture he likes?

https://en.wikipedia.org/wiki/Off-the-Record_Messaging#Client_support

https://news.ycombinator.com/item?id=18401561

so, should we obsolete OTR?

not board's duty, but I demand a technical/ethical debate

The ironchat screenshots lists messages in Dutch that clearly are example / demo texts.

nyco, did the XSF ever standardize OTR-usage in the first place? I can find only one XEP, which is deferred: XEP-0364

good point

Isn't half the point of OTR that it works regardless of transport?

we should use double-rot13 algo

Zash, I'm just trying to make the point that maybe there's nothing for us, the XSF, to obsolete, even if we wanted to.

Guus: Correct.

I'm not sure by the way if Dutch police actually broke OTR - the article implies that it's just as likely that the implementation that was used was broken.

so any entity other than XSF should issue something? (oh gosh I am so clear and precise)

The XSF could issue an Informational XEP saying "OTR is bad and you should feel bad"

or humourous

:)

I'm not knowledgeable enough to tell if OTR is actually that bad.

I do think it's a bad idea to start writing XEPs on what not to do.

XEP-0999: "Don't do drugs"

what would be XEP-0666 ?

XEP-0666 Selling your soul over XMPP

😈

> I'm not sure by the way if Dutch police actually broke OTR - the article implies that it's just as likely that the implementation that was used was broken. My understanding is that they man in the middled that

And key verification wasn't very strong

Magic crypto dust didn't save them?!

The irony of successfully doing MIM on a technology that's designed to run in a federated setup... 💕

it's not like that's exactly a new or unknown problem https://www.ejabberd.im/mod_otr 2007-03-30

I wouldn't be surprised if they simply installed an 11+ year old ejabberd module

but that's not as good of a headline as DUTCH POLICE BREAK OTR

Given the amount of refactoring that went into ejabberd I'd be a little bit surprised

But I get your point

given how shoddy the app was at not caring about keys changing, they probably were running an ejabberd from 2007 :)

https://web.archive.org/web/20180419140229/http://blackbox-security.com/index_new.php

https://news.ycombinator.com/item?id=18403477

that's the (now seized) website of the company that sold the solution.

index_new.php <-- meh.

if you are looking for secure code and the website is served from index_new.php I think that should be a sign

Guus: index_new2.php

ah, yes.

So, an old Conversations? nice 🙂

> I think it is a copy/fork of Conversations version 1.14.6 Far far from being the only one in that market fwiw

> I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation Edward Snowden  [More Info \>\>](index_new2.php)

I don't think I used Conversations with OTR, how did it handle key changes?

moparisthebest: not at all. Lol

well, there you go :P

(that's an oversimplification. It would display a warning Snackbar if you had previously verified a key. But chances are you didn't. And by that point it would technically have already been to late. It didn't block the sending like omemo would these days)

Also the old version was a xabber clone. So it's a little bit unclear if those people decompiling on hackernews and the police are talking about the same app

15:05:19 Guus> The irony of successfully doing MIM on a technology that's designed to run in a federated setup... The irony for something like that to happen to *Iron*(y)chat. Sorry.

I think they MitMed it after getting access to server console via hosting company.

seems plausible

Wanna hear a fascinating story?

always, although I’ll have to leave in a few minutes (I’ll read the backlog :))

I think it was me who discovered they are MitMed

This guy made donations to Xabber development once in a couple of years, a year ago asked us to make file exchange into his extremely modified version of Xabber

We did

Since that time he asked me some xmpp related questions from time to time

Then one day he asks, my otr fingerprints don't match each other

I say hmm maybe you fucked up code, let me see

His app was quite hardcore in geocities style

So I connected to his server with Xabber. Okk. Otr established. Fingerprints don't match.

I say hmm.

Long story short, I started to suspect mitm (an idea I dismissed at first, because have to ever been MitMed, really?!)

Especially telling was that when connected from another server xmpp clients have established separate otr sessions

And messages did come through only after both client did establish sessions

Aaaand the most fascinating part, once I told him, it's definitely fucked up, I was kicked from openfire console! (he gave me access), he was kicked from all his terminals and our xmpp axxouts were blocked.

Andrew Nenakhov: maybe *they* kicked you. Not him

THEY!

Of course

He connected to me over XMPP, said he had disagreement with ex admin, so I suggested him shut down server and establish new one, bit then he went silent

So there is an mod_otr for OpenFire as well. Not just ejabberd

Interesting...

Next,I come here and hear this story.

Oops.

So I think it's nothing wrong with otr if you check fingerprints

But. Perhaps I should talk to dutch police now. 😱

Andrew Nenakhov, thaaaaaaat is a great story, quite enjoyable :D (given the coincidences)

Thanks for explaining us :D

U r welcome

Andrew Nenakhov, that’s a good campfire story :)

I like it

I actually liked the guy. So, hope he doesn't get jailed for long.

lol 1500 euro phone and 100 euro per month for a mobile xmpp client with otr

daniel, i think you should rethink your business strategy

Yeah. And someone said no one can make money from XMPP

if it is expensive it has to be good, right?

somebody around to put https://github.com/xsf/xeps/pull/719 on the Board agenda?

1500 euro phone? IPhone XS Max 256 :O?

playing the guess game :P

Guus, I told some Meetecho fellows to contact you about a possible issue with OpenFire, and maybe that could "help 'em" stop flooding my server with s2s attempts with their things.

Most likely a cheap android phone.

Maranda: k