-
Daniel max
It's really nice meeting you here and I'm very willing to teach you about trading, coach you on how to invest and work with you dealing on cryptocurrencies
-
wurstsalat
^ already banned elsewhere
-
Daniel max
Do you want to invest now
-
wurstsalat
I guess I'll be better off when I'm going to sleep now
-
Daniel max
Are you on telegram
-
nuron
As I told you in another muc Daniel max I prefer to burn my money in my own fireplace...
-
nuron
And we are on xmpp. Don't ask such stupid questions
-
Daniel max
I'm not talking with you my friend
-
nuron
meh
-
nuron
you didn't address a single person here so I thought you are talking to all of us
-
Daniel max
Okay
-
Daniel max
Do you have any experience before
-
nuron
I'm very sad that I don't have the chance to learn how to become rich
-
nuron
yes. I've burned money already before
-
nuron
with a small lighter, you know?
-
nuron
I guess this was more effective than all of your tips I could expect
-
Daniel max
So have you earned?
-
nuron
I've earned. Sure
-
Daniel max
Okay
-
wurstsalat is implementing XEP-0425 for this
-
nuron
great
-
jonas’
uh, the applications are a tad disappointing.
-
Sam
Huh, assuming all directors are elected Ralph would get a tie breaker vote (I think? Isn't he the executive director?) but if Ralph is on the board…
-
Sam
Constitutional crisis time!
-
jonas’
Matt is ED
-
jonas’
IIRC
-
Sam
Either way
-
Zash
Is this not already the case, with one board member leaving?
-
Sam
One board member is leaving? I guess so then
-
Zash
Wasn't this many moons ago?
-
jonas’
Sam, I think one board member resigned some time during the last term
-
jonas’
so we've been running on four board members for a while now
-
Sam
Oh fun; looks like it will be the same thing all next term then.
-
Zash
It hasn't seemed to be a problem in practice
-
Sam
Yah, hopefully there are no split votes and everyone just works towards consensus, I'd be more worried if it were the council I guess.
-
Zash
Don't worry, be happy
-
moparisthebest
does anyone see any glaring problems with validating incoming SASL EXTERNAL s2s connections from .onion domains via initiating an outgoing connection to that .onion domain, and recording whatever TLS cert it sends as trusted for that domain ?
-
moparisthebest
as opposed to what all implementations I'm aware of would do now, which is dialback
-
Zash
You can do that even without .onion
-
Zash
IIRC dwd wrote about "same cert validation" long long ago
-
dwd
https://xmpp.org/extensions/xep-0344.html#samecert
-
Sam
I don't recall how hidden services work (and haven't been involved since before the v3 ones, so they may be different now anyways), but surely Tor would have its own thing you could look up on the network to verify the connection? It hides you and the location of the service, but I thought the address and some key stored on the network somewhere could be used to authenticate the service still. Maybe you just need a Tor specific version of SASL EXTERNAL.
-
Zash
Some way to derive or connect the certificate from the .onion would be neat.
-
moparisthebest
thanks! that's exactly what I meant.... so does anything implement this ?
-
Zash
There's half of same-cert validation as a Prosody module
-
dwd
I can't actually remember. I think I did this in M-Link, perhaps, and/or Metre.
-
moparisthebest
well, this still involves dialback a bit
-
dwd
Well, it's still dialling back, yes.
-
dwd
But not using the dialback key.
-
Zash
In Prosody, at that point, it's already started Dialback so might as well proceed with it ...
-
dwd
Well, my view is that it's stronger to use same-cert than the key, and it saves a round-trip, so...
-
moparisthebest
tor gives you the guarantee that if you try to contact example.onion you are actually connected to example.onion, so you can trust what cert it sends, can you then immediately trust whatever incoming connection also sends that same cert ?
-
dwd
Oh, so you're saying that if you connect outbound, blind, to example.onion then can you cache the cert?
-
moparisthebest
yes, but only for example.onion obviously
-
Zash
moparisthebest, enable https://modules.prosody.im/mod_s2s_auth_samecert.html and try it?
-
Zash
unless mod_onions already does that
-
dwd
That is, I think, a different question. "same cert dialback" does make the assumption that the cert is used by inbound and outbound sessions at the same time, I think when you introduce longer-term caching, then you also introduce TOCTOU issues.
-
moparisthebest
maybe you don't cache, maybe you make a new outgoing s2s connection for every incoming
-
dwd
moparisthebest, But then you're doing same-cert dialback.
-
Zash
what would it be if it just compares with the cert of an existing outgoing connection?
-
moparisthebest
it's like tor-specific dialback-without-sending-or-receiving any <db XML
-
dwd
Yes, that should work.
-
dwd
moparisthebest, Ah, well. If you know a-priori that the cert is currently in use, then you can indeed offer EXTERNAL then.
-
jonas’
moparisthebest, how is it tor specific?
-
jonas’
ah
-
jonas’
because normally your cert would match your hostname
-
jonas’
and hence you don't even need to do the dialback dance
-
jonas’
nevermind
-
moparisthebest
normally "do I trust a cert" is "is it signed by a CA I trust", but with tor it can be "does example.onion send me this cert when I connect to it"
-
dwd
jonas’, Well, no, do mind. You could do this without Tor just as well, I think.
-
Zash
Is it now we realize we're not actually authenticating the outgoing connection?
-
moparisthebest
with tor, connecting to example.onion is already validated when(before?) you connect
-
dwd
jonas’, Tor offers some additional protection against spoofing, so the outbound connection is in effect authenticated by Tor, so it's *better*, but if you have an outgoing connection over TLS/IP (not Tor) then you could choose to trust an inbound one from the same domain based on same-cert and EXTERNAL.
-
moparisthebest
other non-tor things probably have this same property, like .i2p ? but I don't know enough about it
-
dwd
moparisthebest, The problem is there's no channel binding between TLS and Tor, AFAIK. So you're still vulnerable to the remote domain spoofing in some cases. But as I say, it's more secure against such attacks than plain IP.
-
moparisthebest
in what way could it be spoofed ?
-
Alex
just started memberbot for our board&council elections
-
jonas’
voted :)
-
Sam
Me too (and it let me, but then I realized I don't think I technically can)
-
Zash
:O
-
jonas’
uh, indeed
-
jonas’
Alex, ^
-
Alex
will be dropped from the votes
-
jonas’
maybe give the list of allowed voters another look :)
-
Alex
I want to suggest some kind of whitelist in git of members, maybe based on hashes of jids or smth similar. This will make many things easier
-
moparisthebest
all the JIDs are public anyway?
-
moparisthebest
you know what this means, Sam needs prosecuted to the fullest extent of the law for hacking the XSF https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-governor-threatens-to-prosecute-local-journalist-for-finding-exposed-state-data/ ;)
-
Sam
I don't live in Missouri; Georgia's governor is as much of a right wing asshole, but is also competent at being evil (unfortunately?)
-
Zash
JID is required in the membership application, so yeah
-
jonas’
Alex, we could just add them to members.json and not render them to the website
-
jonas’
(you can just add fields, they'll be ignored I guess)
-
Alex
jonas’ hashes? or real jids?
-
moparisthebest
I meant "jids are already public in membership applications so no use hashing them for this"
-
Alex
I am fine with that. Then we could ask every member to PR their Jid
-
Alex
or multiple
-
Alex
on the wiki they are public, but sometimes decoded with (at) and (dot)......
-
moparisthebest
I'll have a go at scraping them from there in a bit
-
moparisthebest
https://burtrum.org/up/e9d06221-b6dd-48a8-95cd-00e43af1ccfa/memberjids.txt
-
moparisthebest
52 member jids here, some members had 2 etc, don't @ me for doing terrible things with html and regex: `curl https://wiki.xmpp.org/web/Membership_Applications_Q{1,2,3}_2021 https://wiki.xmpp.org/web/Membership_Applications_Q4_2020 | grep -Eo '/web/[^"]+Application_202[01]' apps.txt | sed 's@^@https://wiki.xmpp.org@' | xargs curl | sed -re 's/ \+ / /g' -e 's/ +at +/@/gi' -e 's/\[A\]/@/gi' -e 's/ *([(]|<|\[)(at|ett|Ƥt)([)]|>|\]) */@/gi' -e 's/ +([(]|\[)?(dot|tod)([)]|\])? +/./gi' | grep -Ei '(xmpp|jid|jabber)' | grep '@' | grep -Eio '[^ ><",?]+( at |@)[^ ><",?]+\.[^ ><",?]+' | sed 's@.*xmpp:@@i' | grep -v 'mailto:' | sort -u | tee memberjids.txt`
-
moparisthebest
https://wiki.xmpp.org/web/Florian_Schmaus_Application_2021 and https://wiki.xmpp.org/web/Arc_Riley_Application_2021 flow / arc get shamed for not including JID in their applications :)
-
moparisthebest
https://wiki.xmpp.org/web/Daniel_Gultsch_Application_2021 https://wiki.xmpp.org/web/Matthew_Wild_Application_2021 https://wiki.xmpp.org/web/Yvo_Meeres_Application_2021 https://wiki.xmpp.org/web/Kim_Alvefur_Application_2020 were missed for having funky formats (need to add these manually)
-
moparisthebest
https://wiki.xmpp.org/web/Bartosz_Malkowski_Application_2021 https://wiki.xmpp.org/web/Joachim_Lindborg_Application_2020 link to user pages and so were missed and need to be added manually
-
moparisthebest
lastly https://wiki.xmpp.org/web/Davide_Conzon_Application_2021 has a @gmail.com JID which no longer exists right ?
-
moparisthebest
otherwise I manually went through all the rest and made sure they were in the dumped file above
-
mdosch
I get 'file not found'.
-
moparisthebest
oops, remnants of my testing in the command, the full thing anyone can run to reproduce is `curl https://wiki.xmpp.org/web/Membership_Applications_Q{1,2,3}_2021 https://wiki.xmpp.org/web/Membership_Applications_Q4_2020 | grep -Eo '/web/[^"]+Application_202[01]' | sed 's@^@https://wiki.xmpp.org@' | xargs curl | sed -re 's/ \+ / /g' -e 's/ +at +/@/gi' -e 's/\[A\]/@/gi' -e 's/ *([(]|<|\[)(at|ett|Ƥt)([)]|>|\]) */@/gi' -e 's/ +([(]|\[)?(dot|tod)([)]|\])? +/./gi' | grep -Ei '(xmpp|jid|jabber)' | grep '@' | grep -Eio '[^ ><",?]+( at |@)[^ ><",?]+\.[^ ><",?]+' | sed 's@.*xmpp:@@i' | grep -v 'mailto:' | sort -u | tee memberjids.txt`
-
moparisthebest
(first one had apps.txt which I had written to to avoid continuously hitting wiki.xmpp.org while tweaking regexen)
-
Alex
could we output them with names? Then we could add an issue for our website and add them as a PR to the memberlist json, ideally as an array because some members have multiple.
-
moparisthebest
```
# fetch each application page into a file named after the applicant
curl https://wiki.xmpp.org/web/Membership_Applications_Q{1,2,3}_2021 https://wiki.xmpp.org/web/Membership_Applications_Q4_2020 \
  | grep -Eo '/web/[^"]+Application_202[01]' \
  | sed 's@^@https://wiki.xmpp.org@' \
  | xargs -n1 sh -c 'curl -o "$(echo "$1" | sed -e "s@https://wiki.xmpp.org/web/@@" -e "s@.Application_.*@@")" "$1"' --
# replace each file's content with a JSON array of the JIDs found in it
for file in *; do
  sed -re 's/ \+ / /g' -e 's/ +at +/@/gi' -e 's/\[A\]/@/gi' -e 's/ *([(]|<|\[)(at|ett|Ƥt)([)]|>|\]) */@/gi' -e 's/ +([(]|\[)?(dot|tod)([)]|\])? +/./gi' "$file" \
    | grep -Ei '(xmpp|jid|jabber)' | grep '@' \
    | grep -Eio '[^ ><",?]+( at |@)[^ ><",?]+\.[^ ><",?]+' \
    | sed 's@.*xmpp:@@i' | grep -v 'mailto:' | sed 's/\.$//' | sort -u \
    | tr '\n' ' ' | sed -e 's/ $//' -e 's/ /", "/' -e 's/^/[ "/' -e 's/$/" ]/' \
    | sponge "$file"
done
grep @ * > member_names_with_jids.txt
```
-
moparisthebest
https://burtrum.org/up/ba2c2d00-cb57-4974-bd5b-255ebe5a9af7/member_names_with_jids.txt
-
moparisthebest
some need some obvious cleaning up, `Waqas_Hussain:[ "jdev@muc.xmpp.org", "prosody@conference.prosody.im waqas@prosody.im xsf@muc.xmpp.org" ]`, but close enough
-
moparisthebest
it does have the nice side effect of telling you which applicants we *do not* have JIDs for:
```
$ grep -L @ *
Arc_Riley
Bartosz_Malkowski
Florian_Schmaus
Joachim_Lindborg
Kim_Alvefur
```
-
moparisthebest
https://burtrum.org/up/68b35427-c621-4a7f-9b6f-03d7ffc1ff14/member_names_with_jids.txt
-
moparisthebest
there, I manually corrected and filled in everything that I could, only missing are Arc_Riley and Florian_Schmaus, feel free to run a diff against the autogenerated output to see what I manually edited
-
jonas’
moparisthebest: parsing html with sed. I approve.
-
moparisthebest
I suspected you would :P it works, shipit
-
moparisthebest
(disclaimer: I wouldn't write production code like this but a one-off? absolutely)