XSF Discussion - 2021-11-08


  1. Daniel max

    It's really nice meeting you here and I'm very willing to teach you about trading, coach you on how to invest and work with you dealing on cryptocurrencies

  2. wurstsalat

    ^ already banned elsewhere

  3. Daniel max

    Do you want to invest now

  4. wurstsalat

    I guess I'll be better off when I'm going to sleep now

  5. Daniel max

    Are you on telegram

  6. nuron

    As I told you in another muc Daniel max I prefer to burn my money in my own fireplace...

  7. nuron

    And we are on xmpp. Don't ask such stupid questions

  8. Daniel max

    I'm not talking with you my friend

  9. nuron

    meh

  10. nuron

    you didn't address a single person here so I thought you were talking to all of us 🙁

  11. Daniel max

    Okay

  12. Daniel max

    Do you have any experience before

  13. nuron

    I'm very sad that I don't have the chance to learn how to become rich

  14. nuron

    yes. I've burned money already before

  15. nuron

    with a small lighter, you know?

  16. nuron

    I guess this was more effective than all of your tips I could expect

  17. Daniel max

    So have you earned?

  18. nuron

    I've earned. Sure

  19. Daniel max

    Okay

  20. wurstsalat is implementing XEP-0425 for this

  21. nuron

    great

  22. jonas’

    uh, the applications are a tad disappointing.

  23. Sam

    Huh, assuming all directors are elected Ralph would get a tie breaker vote (I think? Isn't he the executive director?) but if Ralph is on the board…

  24. Sam

    Constitutional crisis time!

  25. jonas’

    Matt is ED

  26. jonas’

    IIRC

  27. Sam

    Either way

  28. Zash

    Is this not already the case, with one board member leaving?

  29. Sam

    One board member is leaving? I guess so then

  30. Zash

    Wasn't this many moons ago?

  31. jonas’

    Sam, I think one board member resigned some time during the last term

  32. jonas’

    so we've been running on four board members for a while now

  33. Sam

    Oh fun; looks like it will be the same thing all next term then.

  34. Zash

    It hasn't seemed to be a problem in practice

  35. Sam

    Yah, hopefully there are no split votes and everyone just works towards consensus, I'd be more worried if it were the council I guess.

  36. Zash

    Don't worry, be happy

  37. moparisthebest

    does anyone see any glaring problems with validating incoming SASL EXTERNAL s2s connections from .onion domains via initiating an outgoing connection to that .onion domain, and recording whatever TLS cert it sends as trusted for that domain ?

  38. moparisthebest

    as opposed to what all implementations I'm aware of would do now, which is dialback

  39. Zash

    You can do that even without .onion

  40. Zash

    IIRC dwd wrote about "same cert validation" long long ago

  41. dwd

    https://xmpp.org/extensions/xep-0344.html#samecert

  42. Sam

    I don't recall how hidden services work (and haven't been involved since before the v3 ones, so they may be different now anyways), but surely Tor would have its own thing you could look up on the network to verify the connection? It hides you and the location of the service, but I thought the address and some key stored on the network somewhere could be used to authenticate the service still. Maybe you just need a Tor specific version of SASL EXTERNAL.

  43. Zash

    Some way to derive or connect the certificate from the .onion would be neat.

  44. moparisthebest

    thanks! that's exactly what I meant.... so does anything implement this ?

  45. Zash

    There's half of same-cert validation as a Prosody module

  46. dwd

    I can't actually remember. I think I did this in M-Link, perhaps, and/or Metre.

  47. moparisthebest

    well, this still involves dialback a bit

  48. dwd

    Well, it's still dialling back, yes.

  49. dwd

    But not using the dialback key.

  50. Zash

    In Prosody, at that point, it's already started Dialback so might as well proceed with it ...

  51. dwd

    Well, my view is that it's stronger to use same-cert than the key, and it saves a round-trip, so...

  52. moparisthebest

    tor gives you the guarantee that if you try to contact example.onion you are actually connected to example.onion, so you can trust what cert it sends, can you then immediately trust whatever incoming connection also sends that same cert ?

  53. dwd

    Oh, so you're saying that if you connect outbound, blind, to example.onion then can you cache the cert?

  54. moparisthebest

    yes, but only for example.onion obviously

  55. Zash

    moparisthebest, enable https://modules.prosody.im/mod_s2s_auth_samecert.html and try it?

  56. Zash

    unless mod_onions already does that

  57. dwd

    That is, I think, a different question. "same cert dialback" does make the assumption that the cert is used by inbound and outbound sessions at the same time, I think when you introduce longer-term caching, then you also introduce TOCTOU issues.

  58. moparisthebest

    maybe you don't cache, maybe you make a new outgoing s2s connection for every incoming

  59. dwd

    moparisthebest, But then you're doing same-cert dialback.

  60. Zash

    what would it be if it just compares with the cert of an existing outgoing connection?

  61. moparisthebest

    it's like tor-specific dialback-without-sending-or-receiving any <db XML

  62. dwd

    Yes, that should work.

  63. dwd

    moparisthebest, Ah, well. If you know a-priori that the cert is currently in use, then you can indeed offer EXTERNAL then.

  64. jonas’

    moparisthebest, how is it tor specific?

  65. jonas’

    ah

  66. jonas’

    because normally your cert would match your hostname

  67. jonas’

    and hence you don't even need to do the dialback dance

  68. jonas’

    nevermind

  69. moparisthebest

    normally "do I trust a cert" is "is it signed by a CA I trust", but with tor it can be "does example.onion send me this cert when I connect to it"

  70. dwd

    jonas’, Well, no, do mind. You could do this without Tor just as well, I think.

  71. Zash

    Is it now we realize we're not actually authenticating the outgoing connection?

  72. moparisthebest

    with tor, connecting to example.onion is already validated when(before?) you connect

  73. dwd

    jonas’, Tor offers some additional protection against spoofing, so the outbound connection is in effect authenticated by Tor, so it's *better*, but if you have an outgoing connection over TLS/IP (not Tor) then you could choose to trust an inbound one from the same domain based on same-cert and EXTERNAL.

  74. moparisthebest

    other non-tor things probably have this same property, like .i2p ? but I don't know enough about it

  75. dwd

    moparisthebest, The problem is there's no channel binding between TLS and Tor, AFAIK. So you're still vulnerable to the remote domain spoofing in some cases. But as I say, it's more secure against such attacks than plain IP.

  76. moparisthebest

    in what way could it be spoofed ?

  77. Alex

    just started memberbot for our board&council elections

  78. jonas’

    voted :)

  79. Sam

    Me too (and it let me, but then I realized I don't think I technically can)

  80. Zash

    :O

  81. jonas’

    uh, indeed

  82. jonas’

    Alex, ^

  83. Alex

    will be dropped from the votes

  84. jonas’

    maybe give the list of allowed voters another look :)

  85. Alex

    I want to suggest some kind of whitelist in git of members, maybe based on hashes of jids or smth similar. This will make many things easier

  86. moparisthebest

    all the JIDs are public anyway?

  87. moparisthebest

    you know what this means, Sam needs prosecuted to the fullest extent of the law for hacking the XSF https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-governor-threatens-to-prosecute-local-journalist-for-finding-exposed-state-data/ ;)

  88. Sam

    I don't live in Missouri; Georgia's governor is as much of a right wing asshole, but is also competent at being evil (unfortunately?)

  89. Zash

    JID is required in the membership application, so yeah

  90. jonas’

    Alex, we could just add them to members.json and not render them to the website

  91. jonas’

    (you can just add fields, they'll be ignored I guess)

  92. Alex

    jonas’ hashes? or real jids?

  93. moparisthebest

    I meant "jids are already public in membership applications so no use hashing them for this"

  94. Alex

    I am fine with that. Then we could ask every member to PR their JID

  95. Alex

    or multiple

  96. Alex

    on the wiki they are public, but sometimes decoded with (at) and (dot)......

  97. moparisthebest

    I'll have a go at scraping them from there in a bit

  98. Alex

    👍

  99. moparisthebest

    https://burtrum.org/up/e9d06221-b6dd-48a8-95cd-00e43af1ccfa/memberjids.txt

  100. moparisthebest

    52 member jids here, some members had 2 etc, don't @ me for doing terrible things with html and regex: `curl https://wiki.xmpp.org/web/Membership_Applications_Q{1,2,3}_2021 https://wiki.xmpp.org/web/Membership_Applications_Q4_2020 | grep -Eo '/web/[^"]+Application_202[01]' apps.txt | sed 's@^@https://wiki.xmpp.org@' | xargs curl | sed -re 's/ \+ / /g' -e 's/ +at +/@/gi' -e 's/\[A\]/@/gi' -e 's/ *([(]|&lt;|\[)(at|ett|ät)([)]|&gt;|\]) */@/gi' -e 's/ +([(]|\[)?(dot|tod)([)]|\])? +/./gi' | grep -Ei '(xmpp|jid|jabber)' | grep '@' | grep -Eio '[^ ><",?]+( at |@)[^ ><",?]+\.[^ ><",?]+' | sed 's@.*xmpp:@@i' | grep -v 'mailto:' | sort -u | tee memberjids.txt`

  101. moparisthebest

    https://wiki.xmpp.org/web/Florian_Schmaus_Application_2021 and https://wiki.xmpp.org/web/Arc_Riley_Application_2021 flow / arc get shamed for not including JID in their applications :)

  102. moparisthebest

    https://wiki.xmpp.org/web/Daniel_Gultsch_Application_2021 https://wiki.xmpp.org/web/Matthew_Wild_Application_2021 https://wiki.xmpp.org/web/Yvo_Meeres_Application_2021 were missed for having funky formats (need to add these manually)

  103. moparisthebest

    https://wiki.xmpp.org/web/Daniel_Gultsch_Application_2021 https://wiki.xmpp.org/web/Matthew_Wild_Application_2021 https://wiki.xmpp.org/web/Yvo_Meeres_Application_2021 https://wiki.xmpp.org/web/Kim_Alvefur_Application_2020 were missed for having funky formats (need to add these manually)

  104. moparisthebest

    https://wiki.xmpp.org/web/Bartosz_Malkowski_Application_2021 https://wiki.xmpp.org/web/Joachim_Lindborg_Application_2020 link to user pages and so were missed and need adding manually

  105. moparisthebest

    lastly https://wiki.xmpp.org/web/Davide_Conzon_Application_2021 has a @gmail.com JID which no longer exists right ?

  106. moparisthebest

    otherwise I manually went through all the rest and made sure they were in the dumped file above

  107. mdosch

    I get 'file not found'.

  108. moparisthebest

    oops, remnants of my testing in the command, the full thing anyone can run to reproduce is:

    ```
    curl https://wiki.xmpp.org/web/Membership_Applications_Q{1,2,3}_2021 https://wiki.xmpp.org/web/Membership_Applications_Q4_2020 \
      | grep -Eo '/web/[^"]+Application_202[01]' \
      | sed 's@^@https://wiki.xmpp.org@' \
      | xargs curl \
      | sed -re 's/ \+ / /g' -e 's/ +at +/@/gi' -e 's/\[A\]/@/gi' \
            -e 's/ *([(]|&lt;|\[)(at|ett|ät)([)]|&gt;|\]) */@/gi' \
            -e 's/ +([(]|\[)?(dot|tod)([)]|\])? +/./gi' \
      | grep -Ei '(xmpp|jid|jabber)' | grep '@' \
      | grep -Eio '[^ ><",?]+( at |@)[^ ><",?]+\.[^ ><",?]+' \
      | sed 's@.*xmpp:@@i' | grep -v 'mailto:' \
      | sort -u | tee memberjids.txt
    ```

  109. moparisthebest

    (first one had apps.txt which I had written to to avoid continuously hitting wiki.xmpp.org while tweaking regexen)

  110. Alex

    could we output them with names? Then we could add an issue for our website and add them as a PR to the memberlist json, ideally as an array because some members have multiple.

  111. moparisthebest

    ```
    # run this in an empty scratch directory: the loop below rewrites every file in it
    curl https://wiki.xmpp.org/web/Membership_Applications_Q{1,2,3}_2021 https://wiki.xmpp.org/web/Membership_Applications_Q4_2020 \
      | grep -Eo '/web/[^"]+Application_202[01]' \
      | sed 's@^@https://wiki.xmpp.org@' \
      | xargs -n1 sh -c 'curl -o "$(basename "$1" | sed "s/.Application_.*//")" "$1"' --
    # one file per applicant, named after the applicant; replace its contents with a JSON array of the JIDs found
    for file in *; do
      sed -re 's/ \+ / /g' -e 's/ +at +/@/gi' -e 's/\[A\]/@/gi' \
          -e 's/ *([(]|&lt;|\[)(at|ett|ät)([)]|&gt;|\]) */@/gi' \
          -e 's/ +([(]|\[)?(dot|tod)([)]|\])? +/./gi' "$file" \
        | grep -Ei '(xmpp|jid|jabber)' | grep '@' \
        | grep -Eio '[^ ><",?]+( at |@)[^ ><",?]+\.[^ ><",?]+' \
        | sed 's@.*xmpp:@@i' | grep -v 'mailto:' | sed 's/\.$//' | sort -u \
        | tr '\n' ' ' | sed -e 's/ $//' -e 's/ /", "/' -e 's/^/[ "/' -e 's/$/" ]/' \
        | sponge "$file"   # sponge is from moreutils
    done
    grep @ * > member_names_with_jids.txt
    ```

  112. moparisthebest

    https://burtrum.org/up/ba2c2d00-cb57-4974-bd5b-255ebe5a9af7/member_names_with_jids.txt

  113. moparisthebest

    some need some obvious cleaning up, `Waqas_Hussain:[ "jdev@muc.xmpp.org", "prosody@conference.prosody.im waqas@prosody.im xsf@muc.xmpp.org" ]`, but close enough

  114. moparisthebest

    it does have the nice side effect of telling you which applicants we *do not* have JIDs for:

    ```
    $ grep -L @ *
    Arc_Riley
    Bartosz_Malkowski
    Florian_Schmaus
    Joachim_Lindborg
    Kim_Alvefur
    ```

  115. moparisthebest

    https://burtrum.org/up/68b35427-c621-4a7f-9b6f-03d7ffc1ff14/member_names_with_jids.txt

  116. moparisthebest

    there, I manually corrected and filled in everything that I could, only missing are Arc_Riley and Florian_Schmaus, feel free to run a diff against the autogenerated output to see what I manually edited

  117. Alex

    👍

  118. jonas’

    moparisthebest: parsing html with sed. I approve.

  119. moparisthebest

    I suspected you would :P it works, shipit

  120. moparisthebest

    (disclaimer: I wouldn't write production code like this but a one-off? absolutely)