XSF Discussion - 2021-06-08

https://www.nextinpact.com/article/46148/anom-cryptophone-dont-fbi-avait-clef

(in french, but you can find the same news in english)

basically the company that was selling those "cryptophone" was based on OMEMO

literally or a similar concept?

https://www.europol.europa.eu/newsroom/news/800-criminals-arrested-in-biggest-ever-law-enforcement-operation-against-encrypted-communication

no no, literally if I read correctly

Ge0rG, literally, but probably backdoored to an extent

I don't see mention of that in https://archive.is/yOVBN

https://upload.movim.eu/files/9d94237298995552fa13436420195fbca436dce7/DgJiRUXTGfbI/Capture_d_%C3%A9cran_2021-06-08_16-00-33.png

Ge0rG: read the court documents

That blog post is weird or only somewhat related

> The lead architect for OMEMO’s integration into Anøm is Daniel Gultsch.

> […] mentor to Andreas Straub, the creator of OMEMO.

now that’s something to have your nametag on

if it was a conversations fork, did they release the code GPL or not ?

Sue the FBI?

For GPL violation

now you are talking Daniel !

Note to self: Restock on popcorn.

jonas’, where did you find that text?

Daniel maybe you can just ask them to do a PR in the Conversations sourcecode

#EverythingWentBetterThanExpected

to get the backdoor?

moparisthebest, in the screenshot from edhelas

jonas’ (don't say it out loud)

Daniel, are court documents available?

flow, https://www.documentcloud.org/documents/20799201-operation-trojan-shield-court-record

jonas’, thanks

https://upload.movim.eu/files/9d94237298995552fa13436420195fbca436dce7/G3USPUN6663d/image.png

so looks like they have a weird JID naming convention

what which court and why?

What did I miss?

eevvoor, https://www.vice.com/en/article/akgkwj/operation-trojan-shield-anom-fbi-secret-phone-network

uh thunderstorm coming

the app screenshots seems really different from Conversations, looks like they did some work on the fork

where do you know from that it is a conv fork?

wild guess, but you're true, we don't know

I see

Sadly, I do not sell or consume cocaine, so I have not see Anon in real /s.

Stupid criminals, who uses encryption propagated as "ultra" secure 😂️?

"military grade"

ultra is for loosers

supermegaultra

There is also this video https://twitter.com/AusFedPolice/status/1402150051762171904

"hyper secure", to give it a frech touch ;)

quantum is missing!

AI quantum super hyper ulta mega cool secure and safe encryption

* with a tiny backdoor for the five eyes and friendz

they didn't even used the latest Gajim release with the nice UI changes

I think the video is fairly old

I don't really understand what the video is supposed to tell us

yeah

ausis don't wear shoes at home?

I'm disappointed that they didn't used Matrix in the end

maybe we can complete the https://xmpp.org/uses/social.html page :D

> eevvoor wrote: > eevvoor knows why they did not use matrix. XD Why?

quality ...

because the FBI would only be able to arrest 16 guys and not 800

XMPP: trusted by thousands of criminals

FBI: violates copyright over 12,000 times!

We need good lawyers.

This should be a gold mine.

That's an odd spelling for "marketing department"

Daniel, be prepared to be rich.

XD

hopefully they didn't used the name Jabber

Cisco Lawyers Department enter the chat

we probably don't want them in here... :)

I am scary

...

:D

> I am scary > ... Your avatar doesn't scare me. 😜

😂

Probably you meant 'I am scared.'

No.

Never!

He wants to be scary in order to protect XMPP 🤣️

Don't violate the license with your five eyes forks or şişio will come after you!

😂😂

🤣️☠️

🤯

wonder what server they used

moparisthebest I'll be on ejabberd

*bet

what server would like to advertise "trusted by the FBI for their stings"

Maybe we can ask the FBI to do a nice presentation for the next CCC ?

special invitation to the next XMPP Summit ?

me too edhelas

The real question is, did they leave federation on?

why not, maybe they caught some Conversations users too?

It being a federal network

and the second real question is, did they also get spammed by russian bots ?

It is possible they would attend. ~propaganda~ PR to be "hip" and attract qualified computer specialists

the third real question: Did they do it right, or did they accidentally overwrite the OMEMO node name breaking interop?

the video shows it working with gajim, so I'd guess they did it right ?

Jokes aside, this is probably a good example of how simple XMPP is to operationalize and scale, and how easy it is to extend the app ecosystem with additional functionality.

I'm guessing the encryption itself wasn't compromised, but the app (having access to the plain-text) would simply forward discussions as they were received.

deuill, that is why I meant Matrix was not used.

deuill, it explicitly says that's what happened (they also encrypted to a master key the FBI had)

Because XMPP is easily extendable and adjustable which Matrix does not allow.

eevvoor yes but "everything in XMPP is XML and there is hundreds of XEPs !!!"

yeah terrible!

we are so unhip and oldschool and grey that even the FBI likes our stuf ::D

It'd be interesting to learn what the operational aspects of this were -- I wouldn't be surprised if they just ran this on some modest, single-node ejabberd setup.

eevvoor so unhype that even IBM is now interested to invest money in XMPP

no, on an ultrasingled core single-node ejabberd out-of-the-box installation ;-D

on a RPI

edhelas, exactly, you got it.

on Rasp I perhaps XD

they said only 12,000 phones and 27 million messages ?

easy

that could fit on a cheap 20€/month server

ejabberd handled 10 million devices sending 2 billion messages per day back in 2019 https://www.process-one.net/blog/ejabberd-nintendo-switch-npns/

I'm more wondering if they actually had a network of servers

HPC

HPC cluster

> Jokes aside, this is probably a good example of how simple XMPP is to operationalize and scale, and how easy it is to extend the app ecosystem with additional functionality. Just skimmed through and I thought they simply had a bad server used for their app which added an omemo id so they could read all messages. Did they do more? I'm only on mobile now so I didn't dig deeper.

mdosch, the same method you descibe was used for whatsapp, so yeah, why not reuse it? possible. likely.

What is the result?

the police can read vai the extra key.

şişio‎ the trick is just that people do not check their keys. If they do, the problem does not occur.

So it is a trick on the people not on the technique.

And not on the encryption.

or maybe they just patched that out and/or hardcoded the key into the app

An English Talk tomorrow 18 CEST online in the Berlin Meetup: https://mov.im/?node/pubsub.movim.eu/berlin-xmpp-meetup/acb235de-69bf-470f-8c5d-c7984f636d6c . Topic: Curated list of XMPP servers.

(I would’ve done the latter I guess)

that would be really laughing at the people :D. You can hardly call it encryption then. :D Thats why FLOSS is so important - review, review, review the code.

emus and melvo will give the talk. We are happy if *you* join. 😀️

mdosch, at a glance the court document says "master key" so I assume backdoored client

much easier than writing a server module

eevvoor, as if anyone ever does that (reviewing the code)

🍻️ drinking beer after the talk is a requirement to join. Virtual beer.

moparisthebest, more importantly, more reliable

eevvoor, oh, good to know, then I won’t appear :)

perfect :)

eevvoor: What is a virtual beer? I want it physically!

yours is physical, the ones from the others is virtual

Good. 😃

I hate beer

Poor guy. Efes is tasty.

I'm thinking about Teleportation XEP

Teleport whom to where and how?

Anywhere

John, https://xmpp.org/extensions/xep-0183.html

moparisthebest: I think that was one of the possibly best answers

Don't you know telepathy is a series of tubes? https://telepathy.freedesktop.org/xmpp/tubes.html

tubes huh

"Telepathy, direct transference of thought from one person"

i wonder if there's a working collaborative text editing solution that's not webshit these days

I want to teleport myself not my thoughts

John: so did you solve the Theseus paradox?

L29Ah: I never heard about it, I will look but I don't promise that I'll solve it

But I read that quantum teleportation is possible now

https://xkcd.com/465/

John: if you can teleport your mind anywhere, you don't even need a body at all

moparisthebest: I agree

moparisthebest: when you teleport with your body https://m.imgur.com/gallery/zFMFzlW

John: If you're seeing this message, that means JavaScript has been disabled on your browser, please enable JS to make Imgur work.

L29Ah, https://i.imgur.com/zFMFzlW.mp4