XSF Discussion - 2018-11-08

  1. MattJ

    Hey folks, I won't be able to make the meeting today - sorry for the short notice

  2. nyco

    thx for telling

  3. nyco


  4. nyco

    ralphm Guus

  5. Guus

    I'm here

  6. ralphm


  7. ralphm set the topic to

    XSF Board Meeting | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

  8. ralphm bangs gavel

  9. ralphm

    0. Welcome + Agenda

  10. ralphm

    Hi all

  11. Guus


  12. nyco


  13. ralphm

    I think the primary things are Elections and ED

  14. ralphm

    So let's start with those.

  15. ralphm

    1. Elections

  16. ralphm

    I am happy to see voting has started.

  17. ralphm

    6 candidates for Board and 5 for Council

  18. ralphm

    So with that well on the way, and the general meeting on Nov 22, there will be at most two more meetings with the current Board.

  19. Guus

    Curious: assuming that Council will consist of 5 people again: why vote on exactly 5 candidates?

  20. ralphm

    Guus: because if the Members really don't want a certain candidate they could vote them out.

  21. Guus

    What's needed to vote someone out?

  22. Guus

    0 votes?

  23. ralphm

    Hmm, that's a good point.

  24. Guus

    I'm happy to have a vote, but I'm just curious what the point is 🙂

  25. nyco

    switching to Condorcet method?

  26. Zash

    In theory you could have done a single "Accept these 5 as council?" vote, but that gets messy with bot voting if it falls.

  27. ralphm

    Well, in membership elections we have yes/no for each candidate

  28. ralphm

    I don't recall why we use this other method for Council / Board

  29. nyco

    do we have to improve? what would we be fixing?

  30. Zash

    Lack of an election committee that puts forward a coherent proposal?

  31. ralphm

    I think previous elections we always had 6 or more candidates

  32. Guus

    Assuming that council will have the exact same amount of seats as the number of candidates, a vote is nothing more than a popularity contest. We _might_ want to avoid that.

  33. Guus

    but I'm totally OK with just doing the dance, and be done with it.

  34. nyco

    even with more candidates than seats, it is a popularity contest

  35. ralphm

    Section 3.13 Voting Procedure for Election of Board and Council. Election of individuals to serve on the Board of Directors and on the XMPP Council shall proceed as follows. First, the number of individuals to serve on each body shall be limited beforehand by the Members as specified in Section 4.4 and Section 8.1 of these Bylaws for the Board and Council, respectively. Second, the Members shall vote on the candidates standing for election in accordance with Section 3.9 of these Bylaws. Third, the individuals elected shall be those receiving the highest percentage of votes cast, up to the limit set by the Members and with the proviso that no individual receiving less than a majority of votes cast shall be elected. Fourth, in the case of a tie for the final remaining position, the final individual shall be chosen in accordance with the procedures defined in “RFC 3797: Publicly Verifiable Nominations Committee (NomCom) Random Selection” published by the Internet Engineering Task Force.

  36. ralphm

    So yes, if more than half of the voters abstain for a particular candidate, they don't get in

  37. Guus

    ok, good enough for me

  38. Guus

    thanks for checking

  39. ralphm

    Moving on then.

  40. ralphm

    2. Executive Director

  41. ralphm

    We still haven't had a meeting, I think.

  42. Guus

    nothing moved on that subject, afaik

  43. ralphm

    Guus: should we send an e-mail to Peter to find a slot?

  44. Guus


  45. ralphm

    Ok, I'll do so

  46. Guus


  47. ralphm

    3. AOB

  48. ralphm


  49. ralphm


  50. Guus

    nothing here

  51. ralphm

    nyco: ?

  52. nyco


  53. ralphm


  54. ralphm

    4. Date of Next

  55. ralphm

    Our penultimate: +1W

  56. Guus


  57. ralphm

    5. Close

  58. ralphm


  59. nyco


  60. nyco

    that was fast

  61. Guus

    So, on an interesting XMPP tidbit

  62. nyco


  63. ralphm bangs gavel

  64. ralphm set the topic to

    XSF Discussion | Logs: http://logs.xmpp.org/xsf/ | Agenda https://trello.com/b/Dn6IQOu0/board-meetings

  65. Guus

    Dutch police recently announced that they were able to read end-to-end encrypted chats between criminals, on a dedicated network. They announced this, as police started to show up so often, that criminals started to make plans to assassinate 'snitches'

  66. Guus

    from screenshots of the app that they use, it can be deduced that XMPP was used.

  67. nyco


  68. Guus

    the e2e technology was OTR

  69. Guus

    yeah, that's it

  70. Zash


  71. Guus

    dunno, I got this from news clippings only

  72. Guus

    https://arstechnica.com/information-technology/2018/11/police-decrypt-258000-messages-after-breaking-pricey-ironchat-crypto-app/ <-- first non-Dutch google hit (I have not read it)

  73. nyco

    is this a real screenshot of the real app? or just a journalist taking a picture he likes?

  74. nyco


  75. nyco


  76. nyco

    so, should we obsolete OTR?

  77. nyco

    not board's duty, but I demand a technical/ethical debate

  78. Guus

    The ironchat screenshots lists messages in Dutch that clearly are example / demo texts.

  79. Guus

    nyco, did the XSF ever standardize OTR-usage in the first place? I can find only one XEP, which is deferred: XEP-0364

  80. nyco

    good point

  81. Zash

    Isn't half the point of OTR that it works regardless of transport?

  82. nyco

    we should use double-rot13 algo

  83. Guus

    Zash, I'm just trying to make the point that maybe there's nothing for us, the XSF, to obsolete, even if we wanted to.

  84. Zash

    Guus: Correct.

  85. Guus

    I'm not sure by the way if Dutch police actually broke OTR - the article implies that it's just as likely that the implementation that was used was broken.

  86. nyco

    so any entity other than XSF should issue something? (oh gosh I am so clear and precise)

  87. Zash

    The XSF could issue an Informational XEP saying "OTR is bad and you should feel bad"

  88. nyco

    or humorous

  89. Zash


  90. Guus

    I'm not knowledgeable enough to tell if OTR is actually that bad.

  91. Guus

    I do think it's a bad idea to start writing XEPs on what not to do.

  92. Guus

    XEP-0999: "Don't do drugs"

  93. nyco

    what would be XEP-0666 ?

  94. Zash

    XEP-0666 Selling your soul over XMPP

  95. nyco


  96. daniel

    > I'm not sure by the way if Dutch police actually broke OTR - the article implies that it's just as likely that the implementation that was used was broken.

    My understanding is that they man in the middled that

  97. daniel

    And key verification wasn't very strong

  98. Zash

    Magic crypto dust didn't save them?!

  99. Guus

    The irony of successfully doing MIM on a technology that's designed to run in a federated setup... 💕

  100. moparisthebest

    it's not like that's exactly a new or unknown problem https://www.ejabberd.im/mod_otr 2007-03-30

  101. moparisthebest

    I wouldn't be surprised if they simply installed an 11+ year old ejabberd module

  102. moparisthebest

    but that's not as good of a headline as DUTCH POLICE BREAK OTR

  103. daniel

    Given the amount of refactoring that went into ejabberd I'd be a little bit surprised

  104. daniel

    But I get your point

  105. moparisthebest

    given how shoddy the app was at not caring about keys changing, they probably were running an ejabberd from 2007 :)

  106. Guus


  107. Zash


  108. Guus

    that's the (now seized) website of the company that sold the solution.

  109. Guus

    index_new.php <-- meh.

  110. moparisthebest

    if you are looking for secure code and the website is served from index_new.php I think that should be a sign

  111. Zash

    Guus: index_new2.php

  112. Guus

    ah, yes.

  113. Guus

    So, an old Conversations? nice 🙂

  114. daniel

    > I think it is a copy/fork of Conversations version 1.14.6

    Far far from being the only one in that market fwiw

  115. Zash

    > I use PGP to say hi and hello, i use IronChat (OTR) to have a serious conversation Edward Snowden [More Info \>\>](index_new2.php)

  116. moparisthebest

    I don't think I used Conversations with OTR, how did it handle key changes?

  117. daniel

    moparisthebest: not at all. Lol

  118. moparisthebest

    well, there you go :P

  119. daniel

    (that's an oversimplification. It would display a warning Snackbar if you had previously verified a key. But chances are you didn't. And by that point it would technically have already been too late. It didn't block the sending like omemo would these days)

  120. daniel

    Also the old version was a xabber clone. So it's a little bit unclear if those people decompiling on hackernews and the police are talking about the same app

  121. jonas’

    15:05:19 Guus> The irony of successfully doing MIM on a technology that's designed to run in a federated setup...

    The irony for something like that to happen to *Iron*(y)chat. Sorry.

  122. Andrew Nenakhov

    I think they MitMed it after getting access to server console via hosting company.

  123. jonas’

    seems plausible

  124. Andrew Nenakhov

    Wanna hear a fascinating story?

  125. jonas’

    always, although I’ll have to leave in a few minutes (I’ll read the backlog :))

  126. Andrew Nenakhov

    I think it was me who discovered they are MitMed

  127. Andrew Nenakhov

    This guy made donations to Xabber development once in a couple of years, a year ago asked us to make file exchange into his extremely modified version of Xabber

  128. Andrew Nenakhov

    We did

  129. Andrew Nenakhov

    Since that time he asked me some xmpp related questions from time to time

  130. Andrew Nenakhov

    Then one day he asks, my otr fingerprints don't match each other

  131. Andrew Nenakhov

    I say hmm maybe you fucked up code, let me see

  132. Andrew Nenakhov

    His app was quite hardcore in geocities style

  133. Andrew Nenakhov

    So I connected to his server with Xabber. Okk. Otr established. Fingerprints don't match.

  134. Andrew Nenakhov

    I say hmm.

  135. Andrew Nenakhov

    Long story short, I started to suspect mitm (an idea I dismissed at first, because have to ever been MitMed, really?!)

  136. Andrew Nenakhov

    Especially telling was that when connected from another server xmpp clients have established separate otr sessions

  137. Andrew Nenakhov

    And messages did come through only after both client did establish sessions

  138. Andrew Nenakhov

    Aaaand the most fascinating part, once I told him, it's definitely fucked up, I was kicked from openfire console! (he gave me access), he was kicked from all his terminals and our xmpp accounts were blocked.

  139. daniel

    Andrew Nenakhov: maybe *they* kicked you. Not him

  140. Zash


  141. Andrew Nenakhov

    Of course

  142. Andrew Nenakhov

    He connected to me over XMPP, said he had disagreement with ex admin, so I suggested him shut down server and establish new one, but then he went silent

  143. daniel

    So there is an mod_otr for OpenFire as well. Not just ejabberd

  144. daniel


  145. Andrew Nenakhov

    Next, I come here and hear this story.

  146. Andrew Nenakhov


  147. Andrew Nenakhov

    So I think it's nothing wrong with otr if you check fingerprints

  148. Andrew Nenakhov

    But. Perhaps I should talk to dutch police now. 😱

  149. Seve

    Andrew Nenakhov, thaaaaaaat is a great story, quite enjoyable :D (given the coincidences)

  150. Seve

    Thanks for explaining us :D

  151. Andrew Nenakhov

    U r welcome

  152. jonas’

    Andrew Nenakhov, that’s a good campfire story :)

  153. jonas’

    I like it

  154. Andrew Nenakhov

    I actually liked the guy. So, hope he doesn't get jailed for long.

  155. lovetox

    lol 1500 euro phone and 100 euro per month for a mobile xmpp client with otr

  156. lovetox

    daniel, i think you should rethink your business strategy

  157. Andrew Nenakhov

    Yeah. And someone said no one can make money from XMPP

  158. flow

    if it is expensive it has to be good, right?

  159. jonas’

    somebody around to put https://github.com/xsf/xeps/pull/719 on the Board agenda?

  160. Maranda

    1500 euro phone? IPhone XS Max 256 :O?

  161. Maranda

    playing the guess game :P

  162. Maranda

    Guus, I told some Meetecho fellows to contact you about a possible issue with OpenFire, and maybe that could "help 'em" stop flooding my server with s2s attempts with their things.

  163. Zash

    Most likely a cheap android phone.

  164. Guus

    Maranda: k