XMPP Operators Begin Requiring Encryption, Google Still Not Allowing TLS 121
Via El Reg comes news that major XMPP (formerly known as Jabber, likely the only widely used distributed instant messaging protocol other than IRC) operators have all begun requiring encryption for client-to-server and server-to-server connections. Quoting the Prosidy developers: "Last year Peter Saint-Andre laid out a plan for strengthening the security of the XMPP network. The manifesto, to date signed by over 70 XMPP service operators and software developers, offered a rallying point for those interested in ensuring the security of XMPP for its users. Today is the date that the manifesto gave for the final 'flip of the switch': as of today many XMPP services will begin refusing unencrypted connections. If you run an XMPP service, we encourage you to do the same. On the xmpp.org wiki you can find instructions for all the popular XMPP server software. While XMPP is an open distributed network, obviously no single entity can 'mandate' encryption for the whole network — but as a group we are moving in the right direction."
There is a handy tool to test your server. A result worth noting is Google's: they still do not support TLS for server-to-server connections, and their sudden dropping of TLS s2s connections a few years ago is likely the primary reason operators switched off mandatory TLS for s2s (I know that's why I did it). Although Google Hangouts offers no federation, GTalk still does, but it appears that the XMPP network-at-large will now cease to federate with Google voluntarily.
Google is dropping XMPP and Talk/Chat anyway (Score:5, Informative)
So their lack of support for TLS with it is sort of a moot point.
http://tech.slashdot.org/story... [slashdot.org]
Re:Google is dropping XMPP and Talk/Chat anyway (Score:5, Insightful)
You know, I can understand why Google might decide that XMPP isn't sufficient for the kinds of features they'd like to support, and so deciding to develop something new in-house with their desired feature set. I really wish, though, they they would open a protocol that still allowed outside people to communicate.
I just find it insane how much we're moving back in the direction of "walled gardens" everywhere. There was a time when most people's exposure to online interaction were services like Compuserve, AOL, and Prodigy, and those services couldn't talk to each other. I think we're headed back in that direction, except that soon we'll all be on services like Google+, Facebook, and Twitter, and those services won't talk to each other.
We really need a revolution soon, or I think we're going to find that we don't like where we end up. I know it sounds trivial because these are all free services, and most of what's communicated on them is trivial anyway. Still, it's transforming the Internet into a less free place, where we're all at the whim of a small handful of companies. I think it's a bigger problem than we've yet realized.
Re: (Score:3)
It's about choice. I can understand that we should always have choice. But the idea that we shouldn't be able to "choose" a walled garden if we want one seems ass-backward to me. Do you remember CompuServe, AOL and prodigy? There were plenty of others as well... some of them were Awesome. I loved CompuServe. I wouldn't go back now... but if some people want to, why shouldn't they have the choice to do so? Googles pretty darned open compared to most other modern tech companies. If they want to offer some ser
Re:Google is dropping XMPP and Talk/Chat anyway (Score:5, Insightful)
That's BS. All this achieves is pushes you into the same zoo of IM clients that stretches from the 90-s. ICQ, Odigo, MSN, Gadu, Skype, XMPP and now all the mobile IMs are all dreaming of being The One. I'm so glad all this corporate "there can be only one and it should be us" broke out after email was standartized. Because right now, several decades from it's invention, we're still stuck with it. No matter how ugly or unsuitable for modern needs the protocol is and how many ugly hacks have been applied to it. Just because this is the only universal communication method. You can send a message and receiver will get it regardless of what mail service it uses.
Back in the day google's tech team though that something similar should be done for IM market and supported XMPP. But then, they decided that this product was too good, to let other people, who don't use google's services to use it to contact the ones already in the Google's web of services. "Everyone should get a google ID." And now hopes of other players are even dimmer than they ever were. Looks like my dream, where people from facebook, google, univercity network and some corporate IM system can get into one conference and chat is a pipe dream.
I don't care for internal protocols, features and such. I just want interoperability between servers. Let john@google.com message jane@facebook.com and any other server that has supported XMPP server. I worked great for email, by the hell do you try to introduce walled gardens and cause pain to your users?
Re: (Score:2)
Go ahead and choose your walled garden, I won't stop you.
But from where I sit, it looks like everything that connects to the home is going to walled gardens, and open as an option is fading away.
Serious proposal: Allow a "fast lane" by any/all ISPs. They've got such a hard-on for a fast lane that they're going to keep buying legislators until they get one. Then place a limit on it. The fast lane can only be X times faster than the "neutral net lane", and NO traffic shaping or limits are allowed on that
Re: (Score:2)
Go ahead and choose your walled garden, I won't stop you.
But from where I sit, it looks like everything that connects to the home is going to walled gardens, and open as an option is fading away.
Serious proposal: Allow a "fast lane" by any/all ISPs. They've got such a hard-on for a fast lane that they're going to keep buying legislators until they get one. Then place a limit on it. The fast lane can only be X times faster than the "neutral net lane", and NO traffic shaping or limits are allowed on that lane, other than being 1/X the speed of the fast lane. Plus X needs to be a legally asserted and testable value.
Congrats on joining the chorus of uninformed on the net neutrality topic. That's not what they are proposing and not what will happen. Don't get me wrong, I think it's a terrible idea for other reasons... but the ISPs can't simply use it to block content. They could try but they'd end up in court so fast their heads would snap back.
Traffic shaping will give some content priority. This will increase latency to content that doesn't pay. As you likely already know, for a normal website like slashdot, the laten
Re: (Score:2)
Good point on latency, I forgot about that. What's worse is that streaming media can readily compensate for latency, as long as it's reasonably consistent. On the other hand, I work from home a fair amount, sometimes with vnc, sometimes with remote X. I'm a heck of a lot more sensitive to latency.
But even if you regulate Netflix like a content provider, it still leaves Comcast jealous, because none of the effects of that regulation wind up in Comcast's pockets. The reality is that Comcast doesn't want t
Re: (Score:2)
I'm not talking about taking away your choice to be in a walled garden. I haven't suggested any method to stop you from logging onto Facebook and only using Facebook.
But going with that example, I'm just suggesting that, as more and more of our communications get rammed into Facebook, and if Facebook doesn't have protocols to connect without outside systems, we're going to have a problem.
Re: (Score:2)
They never really explained why federation wouldn't work or why XMPP wasn't sufficient for their needs. As far as I can tell, this was purely to thicken the walls on the garden.
This is the problem with anyone becoming too big within an otherwise open space: there is no reason for them to play nice when they have de facto control. Let's just hope that E-Mail doesn't suffer the same fate at the hands of GMail.
I have said almost word-for-word what you just said about walled gardens (even using Compuserve and
Walled E-Mail: Facebook (Score:3)
Let's just hope that E-Mail doesn't suffer the same fate at the hands of GMail.
You haven't been using Facebook Messaging, recently ?
The only reason it's not considered such by all is that they still tactfully manage to avoid calling it "E-Mail".
But the set of functionality is very similar to any other webmail system (including attachement, etc.) minus the interoperability.
Re: (Score:2)
Yes, and I don't get flooded with Spam and Phishing, so I'm okay with it. And to be clear, there is a huge difference between spam and advertising. I don't mind advertising. It's clean and often targeted to something I may actually be interested in seeing or learning about. Spam on the other hand is a constant barrage of things that rarely even make sense, are only occasionally in a language I speak, and promise that a beautiful 10 right down the street from me is totally in to nerdy 5's, and I need to mess
Re: (Score:2)
Didn't they say they're going to drop it recently?
Re: (Score:1)
They did explain. You just didn't listen good enough. XMPP interoperability wouldn't let google force people into their services and would let people run third-party services and yet enjoy the luxury of communicating with those, who used Google as their one-stop-shop for all online needs. Clearly that had to be stopped. I'm expecting a similar move for GMail, only much swifter (those damn users are too used to the stupid idea of email being cross-server, not being locked-in).
Re: (Score:2)
I think it's obvious isn't it? The "Hangouts" product works in a fundamentally different way to XMPP. In particular, it's trying to be a WhatsApp competitor, which means users are identified by things which are not JIDs, like verified phone numbers and Google+ profiles. What's more the entire thing on mobile runs over the C2DM system
Re: Google is dropping XMPP and Talk/Chat anyway (Score:2)
Anonymity? In this age of spying on everyone, perhaps a verified name or phone number is a liability.
Re: (Score:2)
That and by using OTR or trusting your own ser
Re: (Score:2)
Some employers provide on-site supported XMPP servers. Until recently, I've been able to use ours to collaborate with external partners on GTalk, using federation.
Some vendors provide built-in XMPP servers as part of other products. I'm aware of one telephony platform that does so and one IT helpdesk service that does so. Using their servers enables certain useful features, like "they look like tex
Re: (Score:2)
They never really explained why federation wouldn't work or why XMPP wasn't sufficient for their needs.
I'm not asserting that was why they did it. I'm just saying that I could understand if that was why.
It may be that if you could talk to the decision-maker inside of Google who made this decision, they'd tell you that XMPP is somehow inefficient, or it didn't offer features that they wanted. They might say that XMPP is poorly architected or something, and we might debate about whether their explanation made sense.
What I'm saying is that, if there's some technical explanation like that, then I don't objec
Re: (Score:3)
Re: (Score:1)
Sure I could install my own XMPP server, no problem.
Of course, if I want to have a conversation with anyone other than myself, then I'll still need Google/Apple/Skype whatever, because let's face it, nobody uses XMPP. Sad but true.
Re: (Score:1)
Universities, a lot of businesses, non-profits, all use XMPP because it's pretty mush the only solution that doesn't make you give up your information and can host inhouse (without costing an arm and a leg and forcing you into a vendor lock-in).
Even if you give up and drop XMPP, you will still need to use Skype, Google, WhatsApp and whatnot (all of them, not just one), because my communication circle stretches across target audiences of all those messengers and there is no silver bullet (one ideal messenger
Re: (Score:1)
Like it or not, but it's not a silver bullet. There is a lot of people who are disconent with Facebook as IM. Believe it or not, but around here people use Skype, WhatsApp and XMPP for IMs, facebook being the last place you'd think to reach a person.
As much as you (and Facebook execs) 'd like Facebook to be "one size fits all" - it's far from that.
Tell any decent IT security manager that you would like to use facebook as company IM and watch him laugh his behind off.
Re: (Score:1)
>> Anyway, I guess people like the comfort and convenience of walled gardens.
People like comfort and convenience. Corporations love walled gardens, because they can use vendor lock-in to try and leverage their userbase into bringing more people into the same trap.
Most people won't care who pays for the services they use until the information they provided will be used against them, or until they'll lose everything at a blink of an eye for violating some ToS, it'll be too late by then, but, well, some
Re: (Score:2)
What really bums me out isn't that the large majority of people like them, but that highly technical people do as well. I know people who, no question, can install anything including an XMPP server...
Not everyone wants to be technician or engineer 24-7-365.
Re: (Score:2)
365? (Score:2)
Re: (Score:2)
I actually think there's a bit of a cultural problem in the tech community, in that the issue of "openness" has become polarized. On one side, you have people who think openness absolutely doesn't matter, and they seem to have no problem with the "walled gardens". On the other side, you have FOSS advocates who seem to have a militant agenda to replace everything with Debian.
I would take the position that closed source software is fine, and in fact, it's good to have a diverse software ecosystem with diff
Re: (Score:2)
We really need a revolution soon, or I think we're going to find that we don't like where we end up. I know it sounds trivial because these are all free services, and most of what's communicated on them is trivial anyway. Still, it's transforming the Internet into a less free place, where we're all at the whim of a small handful of companies. I think it's a bigger problem than we've yet realized.
(Shrug) The next revolution will be co-opted to sell ads, just like the last one was. I don't know what we need,
Re: (Score:2)
You know, I can understand why Google might decide that XMPP isn't sufficient for the kinds of features they'd like to support, and so deciding to develop something new in-house with their desired feature set. I really wish, though, they they would open a protocol that still allowed outside people to communicate.
I just find it insane how much we're moving back in the direction of "walled gardens" everywhere. There was a time when most people's exposure to online interaction were services like Compuserve, AOL, and Prodigy, and those services couldn't talk to each other. I think we're headed back in that direction, except that soon we'll all be on services like Google+, Facebook, and Twitter, and those services won't talk to each other.
We really need a revolution soon, or I think we're going to find that we don't like where we end up. I know it sounds trivial because these are all free services, and most of what's communicated on them is trivial anyway. Still, it's transforming the Internet into a less free place, where we're all at the whim of a small handful of companies. I think it's a bigger problem than we've yet realized.
Nobody has really made a service or software where an open standard was easy to use. Case in point- video calls. There are a lot of free alternatives out there, some seem to work OK, other seem to not work so well. None of the alternatives are easy to use however, so Skype is what we use. I would prefer to use a more open platform, but I have better things to do with my time than troubleshoot such a system for hours.
Re: (Score:2)
You're conflating a lot of different issues. First, video calls are notoriously painful for various reasons. So let's just get that out of the way: it wouldn't be weird if you were having lots of problems with Skype, too.
Second, there's nothing inherently inferior about "open". If Skype were to publish a spec for how they negotiate video calls, then suddenly we have an open protocol that's as good as Skype. It's not suddenly worse because it's "open".
Third, there's a difference between a "protocol" an
Re: (Score:2)
SIP is a good protocol. There aren't very many great clients, but ekiga always worked fine for me.
Re: Do the same for EMAIL (Score:2)
Re: (Score:2)
It makes it easier to identify the source of the SPAM.
Re: (Score:2)
There are proposed systems that require expensive-to-generate signatures - something where sending an email might require a minute or so of processor time. Not a real problem for most uses, but a serious hold-up for spammers. Never took off though, and there are some issues - it just gives spammers an incentive to control a botnet, and the calculation intended to be a minor inconvenience for desktops can be a serious problem for mobile devices.
Hashcash, now known as Bitcoin (Score:2)
There are proposed systems that require expensive-to-generate signatures - something where sending an email might require a minute or so of processor time.
The keyword is "hashcash".
the calculation intended to be a minor inconvenience for desktops can be a serious problem for mobile devices.
At first, I thought a mobile device could start generating hashcash once it charges past 80%. But then I tried Google hashcash mobile which brought up this article [cdixon.org] as the first result: "It seems plausible that if a system like stored Hashcash were developed, some people would prefer to purchase stored Hashcash directly instead of generating it themselves. A market for stored Hashcash would emerge, with the value being some function of the supply and demand of scarce Internet resour
Hashcash is bad for e-mail (Score:2)
Not a real problem for most uses
It is, it's only "not a real problem" for user sending one-to-one e-mails.
As soon as you send one-to-many e-mails (newsletter, mailing-list, announcement, or just corresponding with lots of friends) this starts to be a problem, as you need to recalculate a new hash for all mail recipient.
but a serious hold-up for spammers.
Not a hold-up, at all.
No true spammer does still mail all his/her spam from home using a single mail server (the spam will be immediately detected and blacklisted).
Spammer do routinely use botnets. As each single bot doesn'
Re: (Score:2)
> As soon as you send one-to-many e-mails (newsletter, mailing-list, announcement, or just corresponding with lots of friends) this starts to be a problem, as you need to recalculate a new hash for all mail recipient.
This is a plus.
If you have a legitimate use for such an amount of recipients, it will be worth the computing power. If not, it will stop your silly newsletter i do not want to receive anyway.
Re: (Score:2)
Re: (Score:2)
That would come from requiring valid certificates, not from encryption. A common part of it, but not necessarily required.
Re: (Score:2)
And by valid, I mean signed by a trusted CA.
Re: (Score:1)
Re: (Score:2)
If you like being on an island in the Pacific of the Internet, I'm sure that's fine. It would certainly stop the spam.
Not evil, but definitely rotting from within (Score:4, Interesting)
Google is acquiring all of the arrogant bullshit attitudes and implementing arbitrary rules and standards just the same way that microsoft did.
It's a sad shame. But an evil empire smells not different from an empire that's rotting.
Re: (Score:1)
You're gonna have to explain that. They currently are behind development of the most popular (And open source!) mobile OS out there, the most popular (and "mostly" open source) desktop browser out there, the most popular (in the west) search engine out there, and one of the most popular (and very open) email systems out there.
It's notable that they continue to be a voice of reason in the security world (with this being a notable exception), having given very solid reasons for why they dont do security thea
Re: (Score:2)
Thats disappointing. I guess PR wins over well-reasoned policy every time.
Sure, I'll explain. (Score:1)
They currently are behind development of the most popular (And open source!) mobile OS out there
... which is getting progressively less open, as more and more things move from the OS proper to Play Services (which is both closed and heavily license encumbered.)
, the most popular (and "mostly" open source) desktop browser out there
... which has forked its rendering engine, no longer uses standard widget toolkits, and incorporates a number of proprietary extensions (like DRM for HTML5 video).
and one of the most popular (and very open) email systems out there.
... which is a meaningless phrase, since it's just as "open" as every other functional e-mail service. Outlook.com is every bit as open, and every bit as closed as GMail.
Re: (Score:1)
... which is getting progressively less open, as more and more things move from the OS proper to Play Services (which is both closed and heavily license encumbered.)
Utter bull. Play store is included with AOSP. THe service itself is hosted, and most certainly not a "part of the OS" (particularly as you are able to side load and install third party stores, like Amazon's).
The Blink rendering engine was forked because it was being developed by Apple with a lot of apple-specific stuff, like the Safari-only JS engine (which chrome never used), and it made zero sense to continue to be tied down. Blink does, however, remain open source, so im not clear what your beef is.
Re: (Score:1)
Looks like I was wrong-- there actually isnt a way to export from Outlook.com. You can use the Outlook client to pull everything and then create a PST, but they dont actually offer a way out without a client.
The comparison is ridiculous.
Google Play Store in AOSP? (Score:2)
Play store is included with AOSP
Since when? I thought the Google Play Store client was the one app not included with AOSP. As I understand it, the Google Play Store client is lawfully available only as a preinstalled app on devices manufactured by OHA member companies. If you're an OHA member, you can't manufacture Android-fork for other companies, and all Android devices that you make must conform to the CDD. In the early days of Android (1.x and I think early 2.x), all devices had to include a working cellular modem, which ruled out an
Re: (Score:2)
Im running cyanogenmod with Play services. Theres a cryptographically-signed zip file you install which provides the services. I believe the restriction is on distributing it as a whole, and /or based on the fact that Cyanogenmod ISNT signed.
The restriction on android, AFAIK, is that you cant label a phone as "Android by Google' or anything like that without signing onto their program.
Restrictions on hardware dont bother me: theyre attempting to make it reasonable to create apps. Compromises over screen
To sell twice as many devices (Score:3)
Compromises over screen size are hardly an indication of being "less open"; im not even sure what "evil" spin you could put on that.
If the screen size never changes, then it's impossible to have two applications on the screen at once. This means apps run all maximized all the time despite a 7" tablet's screen being big enough for two phone apps, and if you want to see two apps running at the same time, you have to pay for twice as many devices.
Re: (Score:3)
In short, Play Store is NOT included with AOSP.
CM received a pretty nasty cease-and-desist letter from Google regarding gapps a few years ago. The "workaround" was that users could exctract the gapps suite from their device and reinstall it.
And yes, the current approach doesn't quite meet that legal definition, but what is protecting CM (and other projects) is that *they are not hosting gapps* - have you noticed that for any project, when you're instructed to get gapps, you're routed *elsewhere*?
Kinda scre
Re: (Score:1)
Well, google sued CM to stop them distributing GPlay. And you can't sell any device with GPlay on it, if Google doesn't give OK for that and you don't negotiate some secret terms and pass their "certification".
And yes - Google Play Store is NOT included in AOSP and doesn't ship with AOSP or any derivatives, unless manufacturer passed the certifications, details of which are discussed on a per-case basis with Google and are subject to NDA.
Re: (Score:2)
You are running Play because your phone came with Play, and the Cyanogenmod installer copies it from the stock image before installation.
Play most assuredly is not part of AOSP.
Re: (Score:2)
Cyanogen does ship Cyanogenmod 11 with Playstore by default, on the OnePlus One, as those devices are certified. So, your answer used to be true, but no longer is.
Re: (Score:2)
I thought the Google Play Store client was the one app not included with AOSP.
Not the one, one of many.
I meant it in the sense of being the linchpin. As I understand it, the other Gapps are available through, and exclusive to, Google Play Store.
All 2.x devices had to have a cellular modem to be CDD compliant.
Was Google aware at the time that this policy was granting essentially the entire pocket personal media player market to Apple?
Re: (Score:2)
Was Google aware at the time that this policy was granting essentially the entire pocket personal media player market to Apple?
Probably, but Google's whole thing is always connected, cloud dependent appliances. Searching, streaming, and advertising/tracking wouldn't consistently work, which would make that whole market less interesting to them.
They don't really sell many physical products, like Apple, so there's no big push for Android on standalone devices. Then again, in the 2.x days they were still desperate for Android market penetration, so it is a little surprising that they didn't chase any market they could.
Re: (Score:2)
Was Google aware at the time that this policy was granting essentially the entire pocket personal media player market to Apple?
Probably, but Google's whole thing is always connected, cloud dependent appliances. Searching, streaming, and advertising/tracking wouldn't consistently work, which would make that whole market less interesting to them.
They don't really sell many physical products, like Apple, so there's no big push for Android on standalone devices. Then again, in the 2.x days they were still desperate for Android market penetration, so it is a little surprising that they didn't chase any market they could.
It is a silly rule. There's no reason that such standalone devices couldn't use bluetooth to connect to a smartphone data plan. I'm dying to get my hands on a good car stereo based on Android, but all of the chinese units have flaws or are more expensive than what I want to pay for a chinese brand with no support. Putting a cell modem into a car stereo is prohibitively expensive and dumb when most people in such a market have a smartphone anyway.
Re: (Score:2)
Utter bull. Play store is included with AOSP.
Utter bull, indeed.
You're referring to the entirely closed-source bundle that you download from the not-at-all-sketchy-sounding site, goo-inside.me, right? The one that's signed with a self-signed certificate?
The same Google Apps that increasingly contains closed source versions of what used to be open source OS components [arstechnica.com]? Yeah, I'm not sure what "evil" spin you could put on this totally "open" behavior of Google's...
Re: (Score:2)
Can you show how to export from Outlook.com? Because everything I found says you cant, except through the Outlook client and a PST export.
Re: (Score:2)
Re: (Score:2)
Same is available with GMAIL as well.
Re: (Score:2)
Re: (Score:2)
Pretty sure that doesnt cover contacts and calendar. That just does mail.
Re: (Score:2)
Can you show how to export from Outlook.com? Because everything I found says you cant, except through the Outlook client and a PST export.
google: outlook.com export calendar
Re: (Score:2)
According to the results in the Microsoft forum,
* Its not an official method-- nor is really supported (the mods recommend you ask for it in feedback tho!)
* Its pretty roundabout,... and..
* It doesnt actually fully work-- all imported events become read only and uneditable. You have to modify each event in the source calendar prior to export.
Gee, that sure is a lot more open than Google's "download archive" button.
Re: (Score:2)
Would you mind elaborating what you are trying to do? I've never needed to export my calendar, but the ui behind the sharing seemed to be rather simple.[*] You probably have some valid criticism, but going from 'you can only get a pst file' to imported events (imported to where?) become read only (and uneditable) sounds like a non sequitur. And I wonder where you got the 'a lot more open' claim... Sorry if trying (and managing) to export my calendar from Outlook offended you.
[*]And yet, to prevent causing f
Re: (Score:2)
The whole point is that Google makes it easy to say "screw you guys, I want to take my data and go somewhere else". With just about every one of their services-- including the ones they close down-- they provide an exit strategy.
AOL, Outlook.com, and others tend to make it DIFFICULT to leave their ecosystems-- its called lock in, and its kind of a crummy strategy because no one really thinks about it until years of their data are locked up on someone's servers. The fact that theres an unofficial-and-only-p
Re: (Score:2)
While I understand your point, I still don't get what is so difficult with Outlook.com export.:
Calendar (the ics is the one you want). Access to sharing is in the top bar of the page:
Links to "[xxxxx] calendar" with event details Anyone with these links can view event details on this calendar View in a web browser (HTML) Import into other calendar applications (ICS) View in a feed reader (XML)
The ICS is a http://en.wikipedia.org/wiki/W... [wikipedia.org] uri, but if you want to import your calendar somewhere that doesn't understand it (most calendars do...), you can simply replace the webcal with https and do things manually...
Mail: IMAP
People / Contacts: There's an export function directly in the top-bar of the people page, w
Re: (Score:2)
In a lot of ways, Google continues to be a prime example of a company that "gets it" (when its not pushing failed social networks). Theyre embracing security, encryption, mobile computing, and wearable tech (which is coming whether anyone wants it or not). Im not clear in what sense you could consider them to be "rotting".
The GP was comparing Google too Microsoft. He meant that Microsoft is "rotting", not Google. But was making the point that Google "smells" the same, because while they may not be rotting, they are clearly just as evil.
Re: (Score:2)
Yea, opensourcing all of that stuff, contributing to Linux, and offering exit strategies from their ecosystem ("heres a zipfile with all of your data!") is super evil.
Re: (Score:2)
I just get upset when geeks insist on shooting themselves in the foot by decrying the only major internet company that actually FIGHTS requests for data from the government.
But hey if you want to run crying to Microsoft (who reports Skype calls to Chinese authorities) or Yahoo (who outs dissident bloggers in China), go right ahead. Myself, Id rather stick with the camp who actually has some degree of integrity. Have fun with whoever else you choose, and dont come crying to me when you end up in trouble wi
Re: (Score:2)
I just get upset when geeks insist on shooting themselves in the foot by decrying the only major internet company that actually FIGHTS requests for data from the government.
Shows how gullible you are to think that Google actual does that. What, you didn't buy the exact same marketing from other companies making the same claim? Even Zuckerburg tried to imply that he did, too.
What about how Google puts your website behind a big red WARNING SECURITY VIOLATOR BAD WEBSITE banner because you linked to an image that was hosted on a site that Google claimed (unilaterally with no hope of appeal) violated their insane TOS?
Don't even get me started about Google's compliance with censor
Re: (Score:1)
Their browser may be mostly open source, but they certainly have evil intentions within (ie. search from address bar)
Their search engine being the most popular has nothing to do with their evil motives. Nothing about the search engine is "open" and it is certainly driven by ads and data mining.
How is gmail very "open"? Open in the sense that the content of every message is waded through for valuable statistics/data on you and the other
Re: (Score:2)
Re: (Score:1)
>> They currently are behind development of the most popular (And open source!) mobile OS out there,
And they are quietly dragging all the open source parts into closed source framework called Google Services, trying to create a vendor lock-in for the apps, so that it's impossible to run software on AOSP without Google Services Framework, which is closed source and completely controled by google. Messaging app is gone (hangouts to the rescue), so is Gallery (hello Google+ Photos, yuck) and a lot of oth
End to End is the goal (Score:5, Interesting)
Why is why Google will drop XMPP. You can use plugins for true end-to-end encryption. This disallows Google from reading your chats which it will never stand for.
Re: (Score:1)
I got the impression that they were dropping XMPP because it wasnt "Google+".
I also wonder whether theyre gonna change their stance now that theyre no longer going whole-hog on G+ integration with everything.
Re: (Score:2)
Because I already have one Facebook profile, and it's more than enough. I don't want to have to maintain another one just to keep rating Android apps or commenting on Youtube cat videos.
Re: (Score:2)
one word: realnames
End-to-End vs. Server (Score:2)
They both server different goals.
Server encryption, helps securing the service.
But it doesn't address privacy. (the channel is only secured between 2 servers, or between a client and a server).
End-to-End encryption (like OTR) is for privacy.
It make sure that, no matter what, the message will stay encrypted during the whole transit between one user to the other user.
Even during the time spent on servers, an OTR-encrypted message is still useless and not eavesdropable.
Re: Catching up to Microsoft (Score:1)
Fuck beta. When I press BACK from the Twitter login page you took me to against my will, it doesn't mean I want to immediately send my partially complete post anonymously.
Comment removed (Score:3, Informative)
Re: (Score:2)
Unless NSA stands for National Sales and Advertising I'm not sure they are the ones I would worry about. Google does an awful lot of targeted advertising.
Catching up to Microsoft fast (Score:1)
Re: (Score:1)
You're going to have to explain how being behind the most popular
* Smartphone OS
* Desktop browser, and
* Search engine
Makes one incompetent. Their market share of those things isnt declining, either.
Re: (Score:1)
You are going to have to explain how popularity precludes incompetence.
Trust no-one. (Score:2)
Use Retroshare.
Re: (Score:2)
But that's OK, she doesn't have my retroshare pgp pubkey. Nobody has the precious retroshare pgp pubkey. Trust no-one. My precious.
--
hobbitses:
find $(HOME) -name '*.gpg' -exec sudo tar --remove-files rf
Re: (Score:2)
but you're supposed to share the precious gpg pubkeys! At one time, Slashdot made it easy to for slashdotters to share the precious pubkeys with a field in the profile for them. You can access them at http://slashdot.org/~username/... [slashdot.org], but apparently they removed the field from the profile, so you can't change it if you revoke the old key and new users can't add theirs.
question (Score:2)
Re: (Score:2)
If this is a serious question, it only means you can't sniff the messages from any network port in promiscuous mode. If work owns the server, then they have access to everything.
Re: (Score:1)
The encryption you are talking about is client-to-server, the encryption the article is talking about is server-to-server. If both are on, the only parties who know about the content of chats is:
1 You
2 Whoever you are messaging
3 Server
To drop the server from the list, you will need end-to-end encryption. Like OTR or GPG.
Certificate validation? (Score:2)
How is certificate validation done? The server setup documentation mention no CA repository is to be configured, which suggests no validation is done.
And TLS without certificate validation is vulnerable to easy Man In The Middle attacks. It is barely more secure than plain text commuications