From daniel.carrera at zmsl.com  Mon May  1 08:19:10 2006
From: daniel.carrera at zmsl.com (Daniel Carrera)
Date: Mon, 01 May 2006 13:19:10 +0100
Subject: [OTR-users] OTR and Gaim on IRC
Message-ID: <4455FCBE.8090401@zmsl.com>

Hello,

Does the OTR Gaim plugin work on private IRC chats?

Yes, I know that OTR can't possibly work for a channel. But I don't know
enough about the IRC protocol to know if it should work for a private
IRC chat.

I know it works with Jabber. Should I get a Jabber account instead of
using IRC?

Thanks for the help.

Cheers,
Daniel.
-- 
      /\/`) http://opendocumentfellowship.org
     /\/_/
    /\/_/   ...and starting today, all passwords must
    \/_/    contain letters, numbers, doodles, sign
    /       language and squirrel noises.

From ian at cypherpunks.ca  Wed May  3 08:00:04 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Wed, 3 May 2006 08:00:04 -0400
Subject: [OTR-users] OTR and Gaim on IRC
In-Reply-To: <4455FCBE.8090401@zmsl.com>
References: <4455FCBE.8090401@zmsl.com>
Message-ID: <20060503120004.GP8086@smtp.paip.net>

On Mon, May 01, 2006 at 01:19:10PM +0100, Daniel Carrera wrote:
> Hello,
>
> Does the OTR Gaim plugin work on private IRC chats?
>
> Yes, I know that OTR can't possibly work for a channel. But I don't know
> enough about the IRC protocol to know if it should work for a private
> IRC chat.
>
> I know it works with Jabber. Should I get a Jabber account instead of
> using IRC?

IRC is the only IM protocol (that I know of) that OTR doesn't work over,
because of IRC's really really small message sizes. Once fragmentation
support is in, though, it ought to work.
   - Ian

From daniel.carrera at zmsl.com  Wed May  3 08:12:55 2006
From: daniel.carrera at zmsl.com (Daniel Carrera)
Date: Wed, 03 May 2006 13:12:55 +0100
Subject: [OTR-users] OTR and Gaim on IRC
In-Reply-To: <20060503120004.GP8086@smtp.paip.net>
References: <4455FCBE.8090401@zmsl.com> <20060503120004.GP8086@smtp.paip.net>
Message-ID: <44589E47.4060704@zmsl.com>

Ian Goldberg wrote:
> IRC is the only IM protocol (that I know of) that OTR doesn't work over,
> because of IRC's really really small message sizes. Once fragmentation
> support is in, though, it ought to work.

Thanks. Ok, I'll go and use Jabber.

Thanks for making OTR!

Cheers,
Daniel.
-- 
      /\/`) http://opendocumentfellowship.org
     /\/_/
    /\/_/   ...and starting today, all passwords must
    \/_/    contain letters, numbers, doodles, sign
    /       language and squirrel noises.

From alex323 at gmail.com  Wed May  3 15:12:52 2006
From: alex323 at gmail.com (Alex)
Date: Wed, 03 May 2006 15:12:52 -0400
Subject: [OTR-users] OTR and Gaim on IRC
In-Reply-To: <20060503120004.GP8086@smtp.paip.net>
References: <4455FCBE.8090401@zmsl.com> <20060503120004.GP8086@smtp.paip.net>
Message-ID: <445900B4.4090201@gmail.com>

Speaking of fragmentation support, what specifically needs to be fixed
with my patch? I am still interested in implementing this feature and
would like to do it correctly.

Ian Goldberg wrote:

>On Mon, May 01, 2006 at 01:19:10PM +0100, Daniel Carrera wrote:
>
>
>>Hello,
>>
>>Does the OTR Gaim plugin work on private IRC chats?
>>
>>Yes, I know that OTR can't possibly work for a channel. But I don't know
>>enough about the IRC protocol to know if it should work for a private
>>IRC chat.
>>
>>I know it works with Jabber. Should I get a Jabber account instead of
>>using IRC?
>>
>>
>
>IRC is the only IM protocol (that I know of) that OTR doesn't work over,
>because of IRC's really really small message sizes. Once fragmentation
>support is in, though, it ought to work.
>
>   - Ian

From ian at cypherpunks.ca  Wed May  3 17:55:36 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Wed, 3 May 2006 17:55:36 -0400
Subject: [OTR-users] OTR and Gaim on IRC
In-Reply-To: <445900B4.4090201@gmail.com>
References: <4455FCBE.8090401@zmsl.com> <20060503120004.GP8086@smtp.paip.net> <445900B4.4090201@gmail.com>
Message-ID: <20060503215536.GR8086@smtp.paip.net>

On Wed, May 03, 2006 at 03:12:52PM -0400, Alex wrote:
> Speaking of fragmentation support, what specifically needs to be fixed
> with my patch? I am still interested in implementing this feature and
> would like to do it correctly.

As I said, I'd take a look at it after CFP (where I am now).

   - Ian

From noah_spam at cox.net  Thu May  4 00:20:43 2006
From: noah_spam at cox.net (Noah Spam)
Date: Wed, 03 May 2006 21:20:43 -0700
Subject: [OTR-users] configure: error: glib
Message-ID: <1146716443.13328.28.camel@localhost>

I am having a problem compiling gaim-otr-3.0.0 under SuSE 10.0. Here is
what I am entering and what I get out:

noah_spam at Susan:~/Downloads/gaim/gaim-otr-3.0.0> aclocal -I ./
noah_spam at Susan:~/Downloads/gaim/gaim-otr-3.0.0> ./configure --prefix=/usr --mandir=/usr/share/man
...
...
...
checking for glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0... configure: error: glib
./configure: line 19502: exit: gtk: numeric argument required
./configure: line 19502: exit: gtk: numeric argument required
noah_spam at Susan:~/My Downloads/gaim/gaim-otr-3.0.0> pkg-config --libs "glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0"
Package gaim was not found in the pkg-config search path.
Perhaps you should add the directory containing `gaim.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gaim' found

But I DO have the -devel packages installed. YaST2 reports:
glib2-devel 2.1.8-3
gtk2-devel 2.8.3-4.3

and I have...
gaim 1.5.0-3

Regarding line 19502, it looks like a bug to me. This is what it says:

{ (exit gtk and gaim required); exit gtk and gaim required; }; }

I think that is buggy. It should (please correct me if I am wrong) say
something like:

{ (echo "gtk and gaim required"); exit 1; }; }

Going through the email archives, it appears that I am not the first
with this issue:
(http://lists.cypherpunks.ca/pipermail/otr-users/2005-December/000498.html )

Unfortunately, I don't know what the solution is. Perhaps an environment
variable not set correctly?
(reference: http://lists.cypherpunks.ca/pipermail/otr-users/2006-February/000562.html )

What environment variables are wrong? My related ones, that I could
find, are:

GTK_PATH=/usr/local/lib/gtk-2.0:/opt/gnome/lib/gtk-2.0:/usr/lib/gtk-2.0
GTK2_RC_FILES=/etc/opt/gnome/gtk-2.0/gtkrc:/opt/gnome/share/themes//Qt/gtk-2.0/gtkrc:/home/noah_spam/.gtkrc-2.0-qtengine:/home/noah_spam/.kde/share/config/gtkrc-2.0
GTK_RC_FILES=/etc/opt/gnome/gtk/gtkrc:/home/noah_spam/.gtkrc:/home/noah_spam/.kde/share/config/gtkrc
ACLOCAL_FLAGS=-I /opt/gnome/share/aclocal

So how do I compile and install this plugin?

Thanks,
NS

From ian at cypherpunks.ca  Thu May  4 07:51:06 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Thu, 4 May 2006 07:51:06 -0400
Subject: [OTR-users] configure: error: glib
In-Reply-To: <1146716443.13328.28.camel@localhost>
References: <1146716443.13328.28.camel@localhost>
Message-ID: <20060504115106.GT8086@smtp.paip.net>

On Wed, May 03, 2006 at 09:20:43PM -0700, Noah Spam wrote:
> I am having a problem compiling gaim-otr-3.0.0 under SuSE 10.0. Here is
> what I am entering and what I get out:
>
> noah_spam at Susan:~/Downloads/gaim/gaim-otr-3.0.0> aclocal -I ./
> noah_spam at Susan:~/Downloads/gaim/gaim-otr-3.0.0> ./configure
> --prefix=/usr --mandir=/usr/share/man
> ...
> ...
> ...
> checking for glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0...
> configure: error: glib
> ./configure: line 19502: exit: gtk: numeric argument required
> ./configure: line 19502: exit: gtk: numeric argument required
> noah_spam at Susan:~/My Downloads/gaim/gaim-otr-3.0.0> pkg-config --libs
> "glib-2.0 >= 2.4 gtk+-2.0 >= 2.4 gaim >= 1.0"
> Package gaim was not found in the pkg-config search path.
> Perhaps you should add the directory containing `gaim.pc'
> to the PKG_CONFIG_PATH environment variable
> No package 'gaim' found

Do you have gaim.pc installed? I don't know about Suse, but on other
systems, it's in the gaim-dev package (or something like that).

   - Ian

From didier at dfr.ch  Fri May  5 16:04:27 2006
From: didier at dfr.ch (Didier Frick)
Date: Fri, 05 May 2006 22:04:27 +0200
Subject: [OTR-users] Gaim plugin and archiving
Message-ID: <1146859467.785.8.camel@localhost.localdomain>

Hi,

first of all a big thanks to the developers for their work.
I just installed the gaim-otr package on ubuntu and it works like charm.

There is one small issue IMHO with the handling of gaim's logging
feature.

If an unsuspecting user uses the plugin and has the logging option
activated,
the private OTR conversations will be archived as well in clear text,
breaking forward secrecy.

Sure it's possible to disable the logging manually, but would it be hard
to add an option allowing to disable the logging of OTR conversations
even if the rest of the conversation is being logged ?

Thanks for your feedback....

Didier

From ian at cypherpunks.ca  Fri May  5 18:03:48 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Fri, 5 May 2006 18:03:48 -0400
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1146859467.785.8.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain>
Message-ID: <20060505220348.GZ8086@smtp.paip.net>

On Fri, May 05, 2006 at 10:04:27PM +0200, Didier Frick wrote:
> Hi,
>
> first of all a big thanks to the developers for their work.
> I just installed the gaim-otr package on ubuntu and it works like charm.
>
> There is one small issue IMHO with the handling of gaim's logging
> feature.
>
> If an unsuspecting user uses the plugin and has the logging option
> activated,
> the private OTR conversations will be archived as well in clear text,
> breaking forward secrecy.

It technically doesn't, because the logs are unauthenticated. But I
agree that the option to disable logging of OTR conversations is a fine
plan, and it's already on the todo list (and I'm pretty sure the request
is already on sourceforge).

   - Ian

From paul at cypherpunks.ca  Sat May  6 13:28:28 2006
From: paul at cypherpunks.ca (Paul Wouters)
Date: Sat, 6 May 2006 19:28:28 +0200 (CEST)
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <20060505220348.GZ8086@smtp.paip.net>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net>
Message-ID:

On Fri, 5 May 2006, Ian Goldberg wrote:

> > If an unsuspecting user uses the plugin and has the logging option
> > activated,
> > the private OTR conversations will be archived as well in clear text,
> > breaking forward secrecy.
>
> It technically doesn't, because the logs are unauthenticated. But I
> agree that the option to disable logging of OTR conversations is a fine
> plan, and it's already on the todo list (and I'm pretty sure the request
> is already on sourceforge).

People want to keep logging, especially if they are using disk encryption
for their homedir (eg FileVault or something else). So please don't change
logging without telling the user. eg Make it an explicit option in the OTR
menu or something?
Paul

From didier at dfr.ch  Sun May  7 11:07:50 2006
From: didier at dfr.ch (Didier Frick)
Date: Sun, 07 May 2006 17:07:50 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To:
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net>
Message-ID: <1147014471.8620.2.camel@localhost.localdomain>

On Saturday 06 May 2006 at 19:28 +0200, Paul Wouters wrote:
>
> People want to keep logging, especially if they are using disk encryption
> for their homedir (eg FileVault or something else). So please don't change
> logging without telling the user. eg Make it an explicit option in the OTR
> menu or something?

I don't think disk encryption preserves forward secrecy, and the issue
becomes the one I outlined in my last message: even if _you_ do it
correctly, how can you be sure that your correspondents "get it" and do
it correctly as well....

So I still contend that the only way to preserve forward secrecy without
too many gaping holes that you can't control is to never log any OTR
conversation in any way.

From morty at gmx.net  Sun May  7 13:51:39 2006
From: morty at gmx.net (Moritz 'Morty' Strübe)
Date: Sun, 07 May 2006 19:51:39 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1147014471.8620.2.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net> <1147014471.8620.2.camel@localhost.localdomain>
Message-ID: <445E33AB.1030707@gmx.net>

Didier Frick wrote:
> On Saturday 06 May 2006 at 19:28 +0200, Paul Wouters wrote:
>
>> People want to keep logging, especially if they are using disk encryption
>> for their homedir (eg FileVault or something else). So please don't change
>> logging without telling the user. eg Make it an explicit option in the OTR
>> menu or something?
>>
>
> I don't think disk encryption preserves forward secrecy, and the issue
> becomes the one I outlined in my last message: even if _you_ do it
> correctly, how can you be sure that your correspondents "get it" and do
> it correctly as well....
>
> So I still contend that the only way to preserve forward secrecy without
> too many gaping holes that you can't control is to never log any OTR
> conversation in any way.
>

I agree with you. But I think that there are still a few people who'd
like to use OTR and still log to disk (like me). I'd vote for an option
to turn it on and off, and a warning-icon to show you that you are
logging. And maybe some notice that the other one is logging, but I
don't think it's too sensible. You can never go for sure that the other
one is not logging. IMHO the user has to decide but has to be warned.

Morty

From didier at dfr.ch  Sun May  7 14:03:42 2006
From: didier at dfr.ch (Didier Frick)
Date: Sun, 07 May 2006 20:03:42 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <445E33AB.1030707@gmx.net>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net> <1147014471.8620.2.camel@localhost.localdomain> <445E33AB.1030707@gmx.net>
Message-ID: <1147025022.8620.6.camel@localhost.localdomain>

On Sunday 07 May 2006 at 19:51 +0200, Moritz 'Morty' Strübe wrote:
....
> >
>
> I agree with you. But I think that there are still a few people who'd
> like to use OTR and still log to disk (like me).
> I'd vote for an
> option to turn it on and off, and a warning-icon to show you that you
> are logging. And maybe some notice that the other one is logging, but
> I don't think it's too sensible. You can never go for sure that the
> other one is not logging. IMHO the user has to decide but has to be
> warned.
> Morty

Well, OK. But my basic point is based on the blurb on the OTR website:

> Off-the-Record (OTR) Messaging allows you to have private
> conversations over instant messaging by providing:
>
>
> Encryption
>         No one else can read your instant messages.
> Authentication
>         You are assured the correspondent is who you think it is.
> Deniability
>         The messages you send do not have digital signatures that are
>         checkable by a third party. Anyone can forge messages after a
>         conversation to make them look like they came from you.
>         However, during a conversation, your correspondent is assured
>         the messages he sees are authentic and unmodified.
> Perfect forward secrecy
>         If you lose control of your private keys, no previous
>         conversation is compromised.

If there is any kind of logging occurring then the last statement isn't
true.

From morty at gmx.net  Sun May  7 14:20:40 2006
From: morty at gmx.net (Moritz 'Morty' Strübe)
Date: Sun, 07 May 2006 20:20:40 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1147025022.8620.6.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net> <1147014471.8620.2.camel@localhost.localdomain> <445E33AB.1030707@gmx.net> <1147025022.8620.6.camel@localhost.localdomain>
Message-ID: <445E3A78.9090604@gmx.net>

Didier Frick wrote:
> On Sunday 07 May 2006 at 19:51 +0200, Moritz 'Morty' Strübe wrote:
> [...]
>> Off-the-Record (OTR) Messaging allows you to have private
>> conversations over instant messaging by providing:
>>
>>
>> Encryption
>>         No one else can read your instant messages.
>> Authentication
>>         You are assured the correspondent is who you think it is.
>> Deniability
>>         The messages you send do not have digital signatures that are
>>         checkable by a third party. Anyone can forge messages after a
>>         conversation to make them look like they came from you.
>>         However, during a conversation, your correspondent is assured
>>         the messages he sees are authentic and unmodified.
>> Perfect forward secrecy
>>         If you lose control of your private keys, no previous
>>         conversation is compromised.
>>
>
> If there is any kind of logging occurring then the last statement isn't
> true.
>
>

I do not agree with you. That's something different. The last point is
about someone sniffing the traffic and getting your private keys (i.e.
by force) and still not being able to decode anything. Logging is about
the guy you're talking to. There is no _software_ that can tell you if
you can trust him.
You have to trust him, that he's not logging. You have to trust him that
he keeps his computer free of spy ware, etc.
Logging affects only the third statement anyway. And not even that,
because you can always say the he edited the log with an editor.
This stuff is all about "the others" not about the guy you're talking to.
At least if I got it right. ;-)

Morty

From didier at dfr.ch  Sun May  7 14:50:05 2006
From: didier at dfr.ch (Didier Frick)
Date: Sun, 07 May 2006 20:50:05 +0200
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <445E3A78.9090604@gmx.net>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net> <1147014471.8620.2.camel@localhost.localdomain> <445E33AB.1030707@gmx.net> <1147025022.8620.6.camel@localhost.localdomain> <445E3A78.9090604@gmx.net>
Message-ID: <1147027806.8620.16.camel@localhost.localdomain>

OK, we clearly have different opinions ;)

On Sunday 07 May 2006 at 20:20 +0200, Moritz 'Morty' Strübe wrote:
> Didier Frick wrote:
> > ...
> I do not agree with you. That's something different. The last point is
> about someone sniffing the traffic and getting your private keys (i.e.
> by force) and still not being able to decode anything. Logging is
> about the guy you're talking to. There is no _software_ that can tell
> you if you can trust him.
> You have to trust him, that he's not logging.

There _is_ software that can reasonably guarantee you the guy is not
logging by not allowing him to, unless he goes out of his way, which you
can't prevent anyway I agree.

> You have to trust him that he keeps his computer free of spy ware,
> etc.

That's where the "forward secrecy" comes into play: if his machine is
infected by spy ware at time T:

a) if you're not logging messages at times greater than T are
compromised

b) if you're logging and have been for a while, ALL logged messages from
the past are compromised

> Logging affects only the third statement anyway. And not even that,
> because you can always say the he edited the log with an editor.
> This stuff is all about "the others" not about the guy you're talking
> to.
> At least if I got it right.
> ;-)
> Morty

I'm still not convinced though: the "guy you're talking to"'s machine
can be compromised later by "the others" and the logged messages can be
retrieved.

To me "forward secrecy" means "the message you just sent cannot be
retrieved, ever, no matter what happens". OK, maybe it's not the
technical definition but I suspect it's the one most "end users" will
understand.

If you don't use logging, this condition is true thanks to
the design of the OTR protocol.

If you do use logging, this undermines
the protection offered by the OTR protocol, both for you and for the
party you're communicating with.

From me at nikita.ca  Sun May  7 15:13:02 2006
From: me at nikita.ca (Nikita Borisov)
Date: Sun, 7 May 2006 14:13:02 -0500
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1147027806.8620.16.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net> <1147014471.8620.2.camel@localhost.localdomain> <445E33AB.1030707@gmx.net> <1147025022.8620.6.camel@localhost.localdomain> <445E3A78.9090604@gmx.net> <1147027806.8620.16.camel@localhost.localdomain>
Message-ID: <16f0378d0605071213w3383a0b6g19f11f80b9325795@mail.gmail.com>

On 5/7/06, Didier Frick wrote:
> There _is_ software that can reasonably guarantee you the guy is not
> logging by not allowing him to, unless he goes out of his way, which you
> can't prevent anyway I agree.

A user doesn't necessarily have to go out of his way; he could instead
be using a different OTR-enabled client that doesn't have this forced
disabling of logging, or simply an older version of gaim-otr. So even
if we disallowed logging of OTR conversations, the guarantees you get
about what your conversation partner is doing with his logs are pretty
weak.
I would be not in favor of implementing this and inconveniencing a
large number of users who *do* want to log their conversations and take
the chance that their computers will be compromised and logs may be
stolen, in exchange for the ability to later look at conversation logs.

But I think a default option to disable logging whenever OTR is used
would be a good idea, since to most people "off-the-record" intuitively
means that no records should be kept, as long as we give people the
option of turning the logs back on.

- Nikita

From jacob at appelbaum.net  Sun May  7 15:35:32 2006
From: jacob at appelbaum.net (Jake Appelbaum)
Date: Sun, 07 May 2006 15:35:32 -0400
Subject: [OTR-users] Re: OTR-users digest (regarding logging)
In-Reply-To: <20060507185103.8389.94875.Mailman@brandeis.paip.net>
References: <20060507185103.8389.94875.Mailman@brandeis.paip.net>
Message-ID: <1147030532.20543.211.camel@localhost.localdomain>

> Message: 1
> Subject: Re: [OTR-users] Gaim plugin and archiving
> From: Didier Frick
> To: Paul Wouters
> Cc: Ian Goldberg , otr-users at lists.cypherpunks.ca
> Date: Sun, 07 May 2006 17:07:50 +0200
>
> On Saturday 06 May 2006 at 19:28 +0200, Paul Wouters wrote:
> >
> > People want to keep logging, especially if they are using disk encryption
> > for their homedir (eg FileVault or something else). So please don't change
> > logging without telling the user. eg Make it an explicit option in the OTR
> > menu or something?
>
> I don't think disk encryption preserves forward secrecy, and the issue
> becomes the one I outlined in my last message: even if _you_ do it
> correctly, how can you be sure that your correspondents "get it" and do
> it correctly as well....
>
> So I still contend that the only way to preserve forward secrecy without
> too many gaping holes that you can't control is to never log any OTR
> conversation in any way.
>

Obviously disk encryption doesn't preserve forward secrecy. In theory it
can keep things secret under certain threats.
(I'm not talking about the pile of junk that is filefault, that's a lost
cause.)

I agree that you probably shouldn't log conversations but I don't think
this is easy to accomplish.

In defense of loggers, Gaim logs aren't cryptographically sound. My gaim
logs are just lines in a text file and anyone can add anything they like
to them. If I'm away from the computer and they do it quickly enough, it
would be possible to inject an entire conversation into my log files. I
can inject data into log files that looks like it was sent by a given
party when it was not.

Here's an example:

cat /home/error/.gaim/logs/aim/error23five/ioerrortype23/2006-05-07.150151.txt
Conversation with ioerrortype23 at 2006-05-07 15:01:51 on error23five (aim)
(15:01:53) error23five: hi
(15:02:02) io error type23: hey
(15:02:16) error23five: This is a GAIM log message being forged
(15:02:21) io error type23: how so?
(15:03:29) error23five: I will now copy your sent message to me, change the time stamp and paste two responses with different words to see how the text is formatted in the logs.
(15:03:40) io error type23: You've put words in my mouth.
(15:04:10) io error type23: You're so smart and sexy, will you be mine?

The last three messages were actually a single message. All that's
required to make the log look realistic is knowing the remote logging
format with regard to dates and their system time. Pretty easy.

Given the fact that OTR cannot control logging all of the time it seems
difficult and perhaps a really good place for a mistake.

Perhaps the plugin could contain a data leak flag that says:
"Would you like to let people know you're logging this automatically?"

And perhaps the client would say:
"It appears that the remote party is logging automatically."

And perhaps there could be a way to request logging was disabled.

And likely, no one would enable that flag because it's a privacy
nightmare.

Practically speaking this would be unenforceable.
Some clients already ship with logging enabled by default. I believe the
user friendly adium for Mac OS X does this. I believe that people using
the OTR proxy would also be out of the reach of such possible plugin
features.

Personally, I would ask the remote party to disable logging manually. It
seems best because they learn how to do such a thing in their client of
choice.

Regardless of OTR, disk encryption or what have you, anyone can log
messages in a way that could possibly be used against you. And either
way, logging or not, you have to trust the person you're talking with to
some degree.

-- 
Jake Appelbaum

From lenz at cs.wisc.edu  Mon May  8 01:49:28 2006
From: lenz at cs.wisc.edu (John Lenz)
Date: Mon, 8 May 2006 00:49:28 -0500 (CDT)
Subject: [OTR-users] Typo in protocal description
Message-ID: <63065.24.158.15.229.1147067368.squirrel@www.wuzzeb.org>

(I sent this before subscribing to the list, so it got caught for
moderation. I am now resending it after subscribing)

Hey, I was reading the protocol description on
http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html and I noticed in the
section "Exchanging Data" near the top, Bob's third step says

Uses ek and ctr to decrypt AES-CTRek,ctr(TA).

I think it should read

Uses ek and ctr to decrypt AES-CTRek,ctr(msg)

Since that is what Alice encrypted to Bob. In any case, thanks for
creating a great encryption plugin for gaim!
John

From paul at cypherpunks.ca  Mon May  8 16:19:04 2006
From: paul at cypherpunks.ca (Paul Wouters)
Date: Mon, 8 May 2006 22:19:04 +0200 (CEST)
Subject: [OTR-users] Gaim plugin and archiving
In-Reply-To: <1147027806.8620.16.camel@localhost.localdomain>
References: <1146859467.785.8.camel@localhost.localdomain> <20060505220348.GZ8086@smtp.paip.net> <1147014471.8620.2.camel@localhost.localdomain> <445E33AB.1030707@gmx.net> <1147025022.8620.6.camel@localhost.localdomain> <445E3A78.9090604@gmx.net> <1147027806.8620.16.camel@localhost.localdomain>
Message-ID:

On Sun, 7 May 2006, Didier Frick wrote:

> There _is_ software that can reasonably guarantee you the guy is not
> logging by not allowing him to, unless he goes out of his way, which you
> can't prevent anyway I agree.

Yes, it is called DRM.

> To me "forward secrecy" means "the message you just sent cannot be
> retrieved, ever, no matter what happens". OK, maybe it's not the
> technical definition but I suspect it's the one most "end users" will
> understand.

If you cannot trust the person you are talking to, or the person's machine
you are talking to, then you shouldn't be talking to him and trust OTR.

> If you don't use logging, this condition is true thanks to
> the design of the OTR protocol.

Not really. Spyware can still see the decrypted text on his machine. You
have got to trust it, or not talk.

> the protection offered by the OTR protocol, both for you and for the
> party you're communicating with.

OTR is about protecting the message IN TRANSIT, not at either end.
Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

From ian at cypherpunks.ca  Tue May  9 10:08:55 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 9 May 2006 10:08:55 -0400
Subject: [OTR-users] Typo in protocal description
In-Reply-To: <63065.24.158.15.229.1147067368.squirrel@www.wuzzeb.org>
References: <63065.24.158.15.229.1147067368.squirrel@www.wuzzeb.org>
Message-ID: <20060509140855.GP8086@smtp.paip.net>

On Mon, May 08, 2006 at 12:49:28AM -0500, John Lenz wrote:
> Hey, I was reading the protocol description on
> http://www.cypherpunks.ca/otr/Protocol-v2-3.0.0.html and I noticed in the
> section "Exchanging Data" near the top, Bob's third step says
>
> Uses ek and ctr to decrypt AES-CTRek,ctr(TA).
>
> I think it should read
>
> Uses ek and ctr to decrypt AES-CTRek,ctr(msg)
>
> Since that is what Alice encrypted to Bob. In any case, thanks for
> creating a great encryption plugin for gaim!

Good catch. I've made the change in the dev tree.

Thanks!

   - Ian

From jason at sjobeck.com  Thu May 11 04:02:42 2006
From: jason at sjobeck.com (Jason SJOBECK)
Date: Thu, 11 May 2006 01:02:42 -0700
Subject: [OTR-users] OTR plug-in for Trillian
Message-ID: <1147334562.10993.18.camel@barcelona.sjobeck.com>

> All,
>
>
> FYI
>
> http://tinyurl.com/jb8rp
>
> Great new usage of OTR: a great new plug-in for Trillian (which we have all been jonesing for a long time for).
>
> Thanks very much.
>
> Peace.
>
> Jason Sjöbeck

From Torsten.GroteNOSPAM at gmx.de  Thu May 11 17:44:00 2006
From: Torsten.GroteNOSPAM at gmx.de (Torsten Grote)
Date: Thu, 11 May 2006 23:44:00 +0200
Subject: [OTR-users] Problem with german umlauts
Message-ID: <4463B020.7080806@gmx.de>

Hello,

A friend of mine is using Trillian basic 3.1 (build 121) with
otrproxy-0.3.1 on socks5.
I'm using Gaim2 beta3 with libotr 3.0.0 and gaim-otr 3.0.0 in linux.
If he sends me a message over ICQ or AIM containing umlauts like ??????,
I just get a blank message with no text in it. On the other hand, if I
send him messages with umlauts everything works as desired.

Greets and Thanks,
Torsten

From ian at cypherpunks.ca  Thu May 11 18:03:09 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Thu, 11 May 2006 18:03:09 -0400
Subject: [OTR-users] Problem with german umlauts
In-Reply-To: <4463B020.7080806@gmx.de>
References: <4463B020.7080806@gmx.de>
Message-ID: <20060511220309.GF8086@smtp.paip.net>

On Thu, May 11, 2006 at 11:44:00PM +0200, Torsten Grote wrote:
> Hello,
>
> A friend of mine is using Trillian basic 3.1 (build 121) with
> otrproxy-0.3.1 on socks5. I'm using Gaim2 beta3 with libotr 3.0.0 and
> gaim-otr 3.0.0 in linux.
> If he sends me a message over ICQ or AIM containing umlauts like ??????,
> I just get a blank message with no text in it. On the other hand, if I
> send him messages with umlauts everything works as desired.

Are you sure your friend is using otrproxy 0.3.1? Because the problem
you describe is exactly what was fixed in the change from 0.3.0 to
0.3.1.

   - Ian

From Torsten.GroteNOSPAM at gmx.de  Sun May 14 10:54:13 2006
From: Torsten.GroteNOSPAM at gmx.de (Torsten Grote)
Date: Sun, 14 May 2006 16:54:13 +0200
Subject: [OTR-users] Re: Problem with german umlauts
Message-ID: <44674495.2090908@gmx.de>

> Are you sure your friend is using otrproxy 0.3.1? Because the problem
> you describe is exactly what was fixed in the change from 0.3.0 to
> 0.3.1.

Yes, I'm sure. I asked him again and he confirmed that he installed
0.3.1 and that the version information is saying 0.3.1, too.

Greets,
Torsten

From jmoschetti45 at gmail.com Tue May 30 17:50:52 2006
From: jmoschetti45 at gmail.com (Joe Moschetti)
Date: Tue, 30 May 2006 17:50:52 -0400
Subject: [OTR-users] Gaim 2 beta 3 + otr
Message-ID:

I tried to compile OTR for gaim 2 beta 3, and at first it failed, so I
applied the patch for beta 2, and then it compiled and installed, but it
doesn't show up in the gaim plugin list. Ideas?

--
Joe Moschetti
http://jmoschetti45.ath.cx/

From ian at cypherpunks.ca Tue May 30 18:03:34 2006
From: ian at cypherpunks.ca (Ian Goldberg)
Date: Tue, 30 May 2006 18:03:34 -0400
Subject: [OTR-users] Gaim 2 beta 3 + otr
In-Reply-To:
References:
Message-ID: <20060530220334.GK10506@smtp.paip.net>

On Tue, May 30, 2006 at 05:50:52PM -0400, Joe Moschetti wrote:
> I tried to compile OTR for gaim 2 beta 3, and at first it failed, so I
> applied the patch for beta 2, and then it compiled and installed, but it
> doesn't show up in the gaim plugin list. Ideas?

If you run "gaim -d", are there any helpful messages around where it
looks for plugins?

   - Ian

From jxbian at ualr.edu Wed May 31 09:35:34 2006
From: jxbian at ualr.edu (Jiang Bian)
Date: Wed, 31 May 2006 08:35:34 -0500
Subject: [OTR-users] RE: OTR-users digest, Vol 1 #206 - 2 msgs
In-Reply-To: <20060531102833.10034.8597.Mailman@brandeis.paip.net>
Message-ID: <0J0400047TRCKSC0@hermes.ualr.edu>

Can you use the debug window under Gaim->Help->Debug Window? When you open
the plugin list it will give you messages about which plugins can be
loaded, which cannot, and why. These may give you some idea.

Most of the time it is because of a wrong ld setting, and gaim-otr cannot
find its dependency libotr.so.2 (maybe this name, I cannot remember).

Run

ldd /usr/local/lib/gaim/gaim-otr.so

(if you installed gaim into /usr instead of /usr/local, please replace
/usr/local with /usr).

It will tell you which module is missing; then try to locate that module,
add its path to /etc/ld.so.conf, and rerun ldconfig.
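
The ldd check from the message above, as an added example that is not part of the original thread: it lists the libraries ldd reports as "not found", looks for each one in candidate directories, and only suggests a directory for /etc/ld.so.conf if it is not world-writable. The function names, the candidate directories and the sample ldd output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a plugin that installs but does not load because a
# shared-library dependency cannot be resolved.

# Read `ldd` output on stdin; print each library reported as "not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }' | sort -u
}

# Print the first directory (from the remaining arguments) that contains $1.
locate_lib() {
    lib=$1; shift
    for dir in "$@"; do
        if [ -e "$dir/$lib" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Succeed only if $1 is not world-writable: a world-writable directory on the
# loader search path lets any local user supply the library that gets loaded.
safe_lib_dir() {
    [ -z "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# Constructed sample of `ldd gaim-otr.so` output with one unresolved library.
sample_ldd_output() {
    cat <<'EOF'
    libotr.so.2 => not found
    libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x00002aaaaabc5000)
    libc.so.6 => /lib/libc.so.6 (0x00002aaaaadf2000)
EOF
}

# Report what to do for plugin $1; the directories searched are assumptions.
check_plugin() {
    ldd "$1" | missing_libs | while read -r lib; do
        if dir=$(locate_lib "$lib" /usr/local/lib /usr/lib /opt/lib) &&
           safe_lib_dir "$dir"; then
            echo "$lib: add $dir to /etc/ld.so.conf, then run ldconfig"
        else
            echo "$lib: no suitable directory found; check the libotr install"
        fi
    done
}

# Parse the constructed sample; prints: libotr.so.2
sample_ldd_output | missing_libs
```

On a real system, run `check_plugin /usr/local/lib/gaim/gaim-otr.so` (or the /usr path) after sourcing the file.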