Re: [liberationtech] New secure XMPP server
2013-12-29 22:04, Anthony Papillion wrote:
> I'm definitely open to supporting XEP-0198. I'm not sure there's a plugin for the server I'm using (OpenFire) that supports it though. I'll look around.

I thought OpenFire had problems with chained certificates[1], such as the ones I'm using with intermediate CAcert class3 cert. This causes my server's TLS connections to an OpenFire server to be regarded as insecure and (since there's no bidirectional server link support in OpenFire) the replying server connection is made in cleartext.

My XMPP server's using Prosody[2]. That's so far the best XMPP server software I've found, especially if the goal - as with your setup - is to be secure. (best feature imho is server-specific verify-by-certificate-hash support in the latest versions, for servers with trusted admins but untrusted CAs or self-signed certs)

Prosody also defaults to sane, recommended encryption settings, have insecure SSL versions, prefer TLSv1.2 etc. (except that there are problems with GNU/Linux distributions like Ubuntu where Canonical etc. disable TLSv1.2 in their system libs).

As long as the chained certificates bug is still present, I would recommend scouting around for other serverside solutions than OpenFire. And it's dead-simple to configure Prosody, you essentially just need your certificates, vhost name and possible conference server setup.

Not sure about any migration solutions with OpenFire-foo, though, but there's a migration script for ejabberd-Prosody at least. So look around :)

[1] http://issues.igniterealtime.org/browse/OF-405
[2] https://prosody.im/

--
Mikael Nordfeldth
http://blog.mmn-o.se/
XMPP/mail: m...@hethane.se

--
Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.

Re: [liberationtech] New secure XMPP server
On 12/30/2013 04:39 AM, Mikael Nordfeldth wrote:
> My XMPP server's using Prosody[2]. That's so far the best XMPP server software I've found, especially if the goal - as with your setup - is to be secure.

The Guardian Project / ChatSecure team agrees on Prosody!

https://prosody.im/

[liberationtech] To Protect and Infect - the edges of privacy-invading technology
This talk is divided into two parts. Morgan Marquis-Boire and Claudio Guarnieri talking about the militarization of the internet in part one, including both targeted and dragnet surveillance in deep-packet inspection. (See also Citizen Labs' work on BlueCoat).

In part two, Jake Appelbaum talks about some of the most hardcore and cutting-edge NSA surveillance tactics and equipment. (See also yesterday's Der Spiegel articles).

Part 1: http://www.youtube.com/watch?v=XZYo9TPyNko
Part 2: https://www.youtube.com/watch?v=b0w36GAyZIA

best,
Griffin

--
As always, opinions are mine and kittens are cuddly :3
Seriously, go take a kitten break: https://www.youtube.com/results?search_query=fluffy+kittens

Re: [liberationtech] To Protect and Infect - the edges of privacy-invading technology
On Mon, Dec 30, 2013 at 9:14 PM, Hannes Frederic Sowa han...@stressinduktion.org wrote:
> ...
> Actually, somehow, I have a feeling of relief to see that major hardware vendors don't seem to specifically work hand in hand with the NSA to implement backdoors.

you're assuming this dump is exhaustive. this is a very specifically themed/focused release of top end tactics and exploits (essentially weaponized platforms for targeted attacks). Jake says as much about what they're dropping, which while impressive, has still gone through the best interest of public safety scrutinizing and censorship rigmarole.

the indiscriminate, wholesale compromises are just getting started... these disclosures will have more impact: financially to the impacted vendors, effectively to IC as known vulnerable hardware and software is replaced, and to the public at large now exposed to even more essentially incomprehensible disclosures of vulnerability and compromise.

> I don't see that having a JTAG connector publicly accessible on a RAID controller as a hint for that. The other disclosures also point to my conclusion that the NSA is mostly working on their own. Of course, not all of Snowden's documents are released yet and hence my feeling could be deceiving.

this is just an example of how, when the NSA pursues all means and methods in parallel, without restraint seemingly innocuous oversights are intentionally leveraged and discouraged from remediation for use in tailored access (black bag / targeted) attacks.

> I thought it could be worse.

it is worse.

best regards,

p.s. cryptome has lots of great docs on this and other 30C3 awesomeness: http://cryptome.org/ , http://cryptome.org/2013/12/nsa-catalog.zip