From otr at spectralmud.org Sun Jun 1 22:37:05 2008 From: otr at spectralmud.org (Richard Salts) Date: Mon, 2 Jun 2008 12:37:05 +1000 Subject: [OTR-users] OTR and multiple locations Message-ID: <200806021237.06034.otr@spectralmud.org> I leave my jabber account logged on with 2 resources, one at home and one at work. Whenever someone tries to send me an otr message and initiate a secure conversation it causes a loop between both clients answering with different public keys. The conversation window looks something like this: (18:53:13) Error setting up private conversation: Malformed message received (18:53:13) We received an unreadable encrypted message from teamplayer at blatantporn.com. (18:53:15) Error setting up private conversation: Malformed message received (18:53:15) We received an unreadable encrypted message from teamplayer at blatantporn.com. (18:53:17) Error setting up private conversation: Malformed message received (18:53:18) We received an unreadable encrypted message from teamplayer at blatantporn.com. (18:53:21) Attempting to refresh the private conversation with teamplayer at blatantporn.com/GaimB6EB6B1E... (18:53:22) Error setting up private conversation: Malformed message received I'm wondering the best workaround for this. From gdt at ir.bbn.com Mon Jun 2 08:57:07 2008 From: gdt at ir.bbn.com (Greg Troxel) Date: Mon, 02 Jun 2008 08:57:07 -0400 Subject: [OTR-users] OTR and multiple locations In-Reply-To: <200806021237.06034.otr@spectralmud.org> (Richard Salts's message of "Mon, 2 Jun 2008 12:37:05 +1000") References: <200806021237.06034.otr@spectralmud.org> Message-ID: I leave my jabber account logged on with 2 resources, one at home and one at work. Whenever someone tries to send me an otr message and initiate a secure conversation it causes a loop between both clients answering with different public keys. The conversation window looks something like this: I'm wondering the best workaround for this. Log out of the one you are not at. Back when I was young, we had to share VT52s, and we logged out when we were done! From js-otrim at webkeks.org Mon Jun 2 09:57:29 2008 From: js-otrim at webkeks.org (Jonathan Schleifer) Date: Mon, 2 Jun 2008 15:57:29 +0200 Subject: [OTR-users] OTR and multiple locations In-Reply-To: <200806021237.06034.otr@spectralmud.org> References: <200806021237.06034.otr@spectralmud.org> Message-ID: <20080602155729.2103a437@webkeks.org> Fix your resource priorities. Or tell the user to explicitly send to one resource. Auto-adjusting the resource priority to the status is a good idea and nearly every client supports that. In Jabber, a message always gets to the highest resource when sent to the bare JID. If there is no highest resource because for example two habe the same, it is sent to all that share the highest resource. For example, A is 50, B is 50 and C is 30, A and B will get the message when sent to the bare JID. -- Jonathan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: not available URL: From alexander.buchner at gmx.de Mon Jun 2 12:27:51 2008 From: alexander.buchner at gmx.de (Alexander Buchner) Date: Mon, 02 Jun 2008 18:27:51 +0200 Subject: [OTR-users] OTR and multiple locations In-Reply-To: <20080602155729.2103a437@webkeks.org> References: <200806021237.06034.otr@spectralmud.org> <20080602155729.2103a437@webkeks.org> Message-ID: <48441F87.6020205@gmx.de> Jonathan Schleifer wrote: > Fix your resource priorities. Or tell the user to explicitly send to > one resource. Auto-adjusting the resource priority to the status is a > good idea and nearly every client supports that. > In Jabber, a message always gets to the highest resource when sent to > the bare JID. If there is no highest resource because for example two > habe the same, it is sent to all that share the highest resource. For > example, A is 50, B is 50 and C is 30, A and B will get the message > when sent to the bare JID. > Couldn't he just use the same key at both places? -- Mein ?ffentlicher PGP-Key: http://www.rzuser.uni-heidelberg.de/~abuchner/pgp.asc -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 896 bytes Desc: OpenPGP digital signature URL: From js-otrim at webkeks.org Mon Jun 2 13:20:46 2008 From: js-otrim at webkeks.org (Jonathan Schleifer) Date: Mon, 2 Jun 2008 19:20:46 +0200 Subject: [OTR-users] OTR and multiple locations In-Reply-To: <48441F87.6020205@gmx.de> References: <200806021237.06034.otr@spectralmud.org> <20080602155729.2103a437@webkeks.org> <48441F87.6020205@gmx.de> Message-ID: <20080602192046.1335ad9e@webkeks.org> Alexander Buchner wrote: > Couldn't he just use the same key at both places? No, because OTR is a state machine. The other client wouldn't expect encrypted data. -- Jonathan -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: not available URL: From ian at cypherpunks.ca Tue Jun 3 08:48:30 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Tue, 3 Jun 2008 08:48:30 -0400 Subject: [OTR-users] OTR and multiple locations In-Reply-To: <20080602192046.1335ad9e@webkeks.org> References: <200806021237.06034.otr@spectralmud.org> <20080602155729.2103a437@webkeks.org> <48441F87.6020205@gmx.de> <20080602192046.1335ad9e@webkeks.org> Message-ID: <20080603124830.GE28058@thunk.cs.uwaterloo.ca> On Mon, Jun 02, 2008 at 07:20:46PM +0200, Jonathan Schleifer wrote: > Alexander Buchner wrote: > > > Couldn't he just use the same key at both places? > > No, because OTR is a state machine. The other client wouldn't expect > encrypted data. Not to mention that the "shared key" would only be a shared authentication key. For security and privacy reasons, encryption keys are extremely short-lived, and never stored on disk at all, let alone shared. This all having been said, the "multiple logins" problem is one that's been bothering us for a really long time, and I'm happy to say that we've now got someone working on fixing exactly that issue. It won't be in the (imminent) 3.2.0 release, but will almost certainly be in v4. - Ian From paul at cypherpunks.ca Sun Jun 8 23:24:03 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Sun, 8 Jun 2008 23:24:03 -0400 (EDT) Subject: [OTR-users] OTR with PortableApps.com Pidgin In-Reply-To: <4832A38D.3070802@rant-central.com> References: <3869c3f00805200030m2855fc09l545a09f1a1f548b3@mail.gmail.com> <4832A38D.3070802@rant-central.com> Message-ID: > Check out the OTR-Portable installer. > http://sourceforge.net/project/showfiles.php?group_id=151265 Too bad it is binary only, with no source on sourceforce or portableapps.com, so that I cannot fold back the changes they made in the .nsi file back into the release for future portable releases..... Paul From marti at juffo.org Mon Jun 9 04:37:55 2008 From: marti at juffo.org (Marti Raudsepp) Date: Mon, 9 Jun 2008 11:37:55 +0300 Subject: [OTR-users] OTR with PortableApps.com Pidgin In-Reply-To: References: <3869c3f00805200030m2855fc09l545a09f1a1f548b3@mail.gmail.com> <4832A38D.3070802@rant-central.com> Message-ID: <54b33ccd0806090137h2a8d21bfv55bd51cb8ecc7761@mail.gmail.com> On Mon, Jun 9, 2008 at 6:24 AM, Paul Wouters wrote: > Too bad it is binary only, with no source on sourceforce or portableapps.com, Sure you can? Pidgin is GPL and OTR is LGPL. If they aren't giving away the source then you are entitled to ask for it. Marti From felix_schaefers at web.de Mon Jun 9 04:47:47 2008 From: felix_schaefers at web.de (FS) Date: Mon, 9 Jun 2008 10:47:47 +0200 Subject: [OTR-users] OTR with PortableApps.com Pidgin In-Reply-To: <54b33ccd0806090137h2a8d21bfv55bd51cb8ecc7761@mail.gmail.com> References: <3869c3f00805200030m2855fc09l545a09f1a1f548b3@mail.gmail.com> <4832A38D.3070802@rant-central.com> <54b33ccd0806090137h2a8d21bfv55bd51cb8ecc7761@mail.gmail.com> Message-ID: Well, since several versions now the download from portableapps.com is no longer necessary, all you need to do is to rename the file in pidgin-portable.exe http://developer.pidgin.im/wiki/Using%20Pidgin#RunningWindowsPidginFromaUSBDrivePortableMode As a consequence, all you need is the "normal" pidgin source-code :) 2008/6/9, Marti Raudsepp : > On Mon, Jun 9, 2008 at 6:24 AM, Paul Wouters wrote: > > Too bad it is binary only, with no source on sourceforce or portableapps.com, > > > Sure you can? Pidgin is GPL and OTR is LGPL. If they aren't giving > away the source then you are entitled to ask for it. > > > Marti > > _______________________________________________ > OTR-users mailing list > OTR-users at lists.cypherpunks.ca > http://lists.cypherpunks.ca/mailman/listinfo/otr-users > From michael_reichenbach at freenet.de Mon Jun 9 18:45:37 2008 From: michael_reichenbach at freenet.de (Michael Reichenbach) Date: Tue, 10 Jun 2008 00:45:37 +0200 Subject: [OTR-users] OTR with PortableApps.com Pidgin In-Reply-To: References: <3869c3f00805200030m2855fc09l545a09f1a1f548b3@mail.gmail.com> <4832A38D.3070802@rant-central.com> Message-ID: <484DB291.3000703@freenet.de> Paul Wouters schrieb: > >> Check out the OTR-Portable installer. >> http://sourceforge.net/project/showfiles.php?group_id=151265 > > Too bad it is binary only, with no source on sourceforce or portableapps.com, > so that I cannot fold back the changes they made in the .nsi file back into > the release for future portable releases..... > > Paul > _______________________________________________ > OTR-users mailing list > OTR-users at lists.cypherpunks.ca > http://lists.cypherpunks.ca/mailman/listinfo/otr-users > > Hello! Normally JTH (the owner of portableapps) is strictly following laws and licenses and such. If there is really no source I think he has just forgotten. I recommend to post in the forums and I am pretty sure he will not post something of his own creations on his site as closed source. -mr From tatuportin at gmail.com Fri Jun 13 11:35:58 2008 From: tatuportin at gmail.com (Tatu Portin) Date: Fri, 13 Jun 2008 18:35:58 +0300 Subject: [OTR-users] about how the otr works (what if password get stolen) Message-ID: <1213371359.21640.5.camel@tatu.tampereenpuhelin.net> So, I would like to get a bit clarification... Now I think that OTR works by encryping the current conversation, so that other's can't see... what if someone uses the same computer, having pass and login for the im account? But I guess it prevent such happening, if he steal your username and pass, and try use by his own computer.. because if he hasn't stolen the private key, he can't indentify as the original person. So if someone takes your private key, username, and password, and logins to your im account from different computer, he can show up as you, for the OTR of the person he wants talk to? From paul at cypherpunks.ca Fri Jun 13 13:09:27 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Fri, 13 Jun 2008 13:09:27 -0400 (EDT) Subject: [OTR-users] about how the otr works (what if password get stolen) In-Reply-To: <1213371359.21640.5.camel@tatu.tampereenpuhelin.net> References: <1213371359.21640.5.camel@tatu.tampereenpuhelin.net> Message-ID: > So if someone takes your private key, username, and password, > and logins to your im account from different computer, he can show up as > you, for the OTR of the person he wants talk to? Yes. Paul From esurnir at gmail.com Sun Jun 15 15:31:15 2008 From: esurnir at gmail.com (Jean-Baptiste Zeller) Date: Sun, 15 Jun 2008 15:31:15 -0400 Subject: [OTR-users] about how the otr works (what if password get stolen) In-Reply-To: <1213371359.21640.5.camel@tatu.tampereenpuhelin.net> References: <1213371359.21640.5.camel@tatu.tampereenpuhelin.net> Message-ID: <48556E03.3050802@gmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tatu Portin wrote: | So, I would like to get a bit clarification... Now I think that OTR | works by encryping the current conversation, so that other's can't | see... what if someone uses the same computer, having pass and login for | the im account? But I guess it prevent such happening, if he steal your | username and pass, and try use by his own computer.. because if he | hasn't stolen the private key, he can't indentify as the original | person. So if someone takes your private key, username, and password, | and logins to your im account from different computer, he can show up as | you, for the OTR of the person he wants talk to? | | _______________________________________________ | OTR-users mailing list | OTR-users at lists.cypherpunks.ca | http://lists.cypherpunks.ca/mailman/listinfo/otr-users If you think something phony is going on you can do a socialist millionaire exchange again asking the person what was the previous shared secret you used. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFIVW4D5Zo8rPlqN+sRAr81AKCj8NY4aN5GHuppDBOkG3fTeEOCSACdEzW+ p25Ir/cpOvjkzvGJ1REcOy8= =wR9M -----END PGP SIGNATURE----- From ian at cypherpunks.ca Sun Jun 15 17:14:39 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Sun, 15 Jun 2008 17:14:39 -0400 Subject: [OTR-users] pidgin-otr 3.2.0 released Message-ID: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> We are pleased to announce the release of pidgin-otr 3.2.0 (along with libotr 3.2.0). New in 3.2.0: - The functionality of the OTR button has now moved to a menu. There's an "OTR" menu, as well as an icon showing the current OTR state of each active conversation in the window. The button can optionally be shown in addition, now in the conversation toolbar. - New OTR icons from - OTR icons show up inline in the conversation window when the OTR status changes. - Buddy authentication has been revamped, based on the user study published in SOUPS 2008. The default is now to choose a question and an answer only you and the buddy should know. The question is displayed to the buddy, who is prompted for the answer. The "shared secret" and "fingerprint" authentication methods are still available. - Translations for Arabic, German, Russian, Hungarian As usual, the software can be downloaded from http://otr.cypherpunks.ca/ - Ian From paul at cypherpunks.ca Sun Jun 15 22:41:11 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Sun, 15 Jun 2008 22:41:11 -0400 (EDT) Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> Message-ID: On Sun, 15 Jun 2008, Ian Goldberg wrote: > We are pleased to announce the release of pidgin-otr 3.2.0 (along with > libotr 3.2.0). While building libotr, I still get these: libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_modify ['/usr/lib64'] libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_sesskeys ['/usr/lib64'] libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_parse ['/usr/lib64'] libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_remac ['/usr/lib64'] libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_readforge ['/usr/lib64'] libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_mackey ['/usr/lib64'] Some GUI items: When you have the icon and text "not private", you can only right click on it. Can we make left click do "start new private conversation" ? When you are "private" (eg you have authenticated the other end), the menu shows "Authenticate user". It implies (wrongly) that the user was not yet authenticated. Can that be changed to "Re-authenticate user"? I tried twice to have a private+unverified conversation going with the same (pidgin) collapsed user, and see if it would fault back to the unverified instead of the private user but failed. So if that's part of the design, kudos! If it was just accident, please consider it a feature request :) Fedora packages have been build into devel, and should migrate into the releases over the next two days. Paul From bdm at fenrir.org.uk Mon Jun 16 06:49:55 2008 From: bdm at fenrir.org.uk (Brian Morrison) Date: Mon, 16 Jun 2008 11:49:55 +0100 Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> Message-ID: <48564553.1030407@fenrir.org.uk> Paul Wouters wrote: > Fedora packages have been build into devel, and should migrate into the > releases over the next two days. Which distros will these be for Paul? F7 is about to go out of support, so I was wondering if the updated OTR packages will go into F7 updates? -- Brian From ian at cypherpunks.ca Mon Jun 16 07:42:15 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Mon, 16 Jun 2008 07:42:15 -0400 Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> Message-ID: <20080616114215.GB24909@yoink.cs.uwaterloo.ca> On Sun, Jun 15, 2008 at 10:41:11PM -0400, Paul Wouters wrote: > On Sun, 15 Jun 2008, Ian Goldberg wrote: > > >We are pleased to announce the release of pidgin-otr 3.2.0 (along with > >libotr 3.2.0). > > While building libotr, I still get these: > > libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_modify > ['/usr/lib64'] > libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_sesskeys > ['/usr/lib64'] > libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_parse > ['/usr/lib64'] > libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_remac > ['/usr/lib64'] > libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_readforge > ['/usr/lib64'] > libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_mackey > ['/usr/lib64'] I'm not actually sure what this indicates. There's a "-R /usr/lib64" being added to the link command somewhere? Is it the result of configure (with the Fedora arguments) or something else? > Some GUI items: > > When you have the icon and text "not private", you can only right click > on it. Can we make left click do "start new private conversation" ? That was actually a specific complaint people had in our user study. They couldn't figure out how to make the menu come up, since right-clicking isn't one of the "affordances" (in HCI-speak) of a button. So we made it left-click. But we put "Start private conversation" as the top thing in the menu, so it would be very easy to get to. > When you are "private" (eg you have authenticated the other end), the > menu shows "Authenticate user". It implies (wrongly) that the user was > not yet authenticated. Can that be changed to "Re-authenticate user"? We can probably do that. > I tried twice to have a private+unverified conversation going with the same > (pidgin) collapsed user, and see if it would fault back to the unverified > instead of the private user but failed. So if that's part of the design, > kudos! > If it was just accident, please consider it a feature request :) OTR doesn't override where pidgin wants to send the message (which is to whomever is selected in the "Send To" menu). But the appropriate status is highlighted in the menu bar, and indicated in the OTR button in the toolbar. Is that what you're asking? > Fedora packages have been build into devel, and should migrate into the > releases over the next two days. Thanks! - Ian From paul at cypherpunks.ca Mon Jun 16 09:41:06 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Mon, 16 Jun 2008 09:41:06 -0400 (EDT) Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: <20080616114215.GB24909@yoink.cs.uwaterloo.ca> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <20080616114215.GB24909@yoink.cs.uwaterloo.ca> Message-ID: On Mon, 16 Jun 2008, Ian Goldberg wrote: >> libotr.x86_64: E: binary-or-shlib-defines-rpath /usr/bin/otr_modify >> ['/usr/lib64'] > I'm not actually sure what this indicates. There's a "-R /usr/lib64" > being added to the link command somewhere? Is it the result of > configure (with the Fedora arguments) or something else? I'll send a seperate message to you and some NLnetlabs developers, who ran into the same issue with the ldns library. I am not sure what they did to fix it. I think your configure scripts ignores "--disable-rpath" >> When you have the icon and text "not private", you can only right click >> on it. Can we make left click do "start new private conversation" ? > > That was actually a specific complaint people had in our user study. > They couldn't figure out how to make the menu come up, Perhaps it needs an underline character underneath one of its letters so people recognise it more as a menu? > right-clicking isn't one of the "affordances" (in HCI-speak) of a > button. So we made it left-click. But we put "Start private > conversation" as the top thing in the menu, so it would be very easy to > get to. But it is really annoying. You go back to pidgin, the other end has ended the conversation, and now you want to talk to them (and you don't have them hardcoded on otr-only). You click on it, expecting it to go from finished to unverified/private with a mouse click, but a menu pops up instead. >> When you are "private" (eg you have authenticated the other end), the >> menu shows "Authenticate user". It implies (wrongly) that the user was >> not yet authenticated. Can that be changed to "Re-authenticate user"? > > We can probably do that. On a similar item. This morning I noticd some windows were in "Finished" mode. I am not sure whether that means I still need to "end private conversation on my end" or not. I guess not (but my brain is hampered by the old method where I DID have to end it myself manually). So I click on "Finished" and get two menu entries. One for "start" and one for "stop". So I cannot conclude my current state from that at all. And indeed, it turns out "finished" is not at all a finished state, it is an unfinished state that requires me to pick "end private conversation". And indeed, now the option is ghosted, and i cannot select it anymore. This is very confusing. I am not sure what the best fix for this issue is, but it is definately not very clear (even to me) >> I tried twice to have a private+unverified conversation going with the same >> (pidgin) collapsed user, and see if it would fault back to the unverified >> instead of the private user but failed. So if that's part of the design, >> kudos! >> If it was just accident, please consider it a feature request :) > > OTR doesn't override where pidgin wants to send the message (which is to > whomever is selected in the "Send To" menu). But the appropriate status > is highlighted in the menu bar, and indicated in the OTR button in the > toolbar. Is that what you're asking? Yes. So in that case, can we redirect/select/prefer an OTR private account within a merged IM identity over a unverified/not private connection? Paul From paul at cypherpunks.ca Mon Jun 16 09:48:07 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Mon, 16 Jun 2008 09:48:07 -0400 (EDT) Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: <48564553.1030407@fenrir.org.uk> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <48564553.1030407@fenrir.org.uk> Message-ID: On Mon, 16 Jun 2008, Brian Morrison wrote: >> Fedora packages have been build into devel, and should migrate into the >> releases over the next two days. > > Which distros will these be for Paul? F7 is about to go out of support, > so I was wondering if the updated OTR packages will go into F7 updates? F-7 went EOL 3 days ago, but it looks like I'm allowed to still update packages in it, so I will be pushing this into F-7 as well. Paul From bdm at fenrir.org.uk Mon Jun 16 09:50:15 2008 From: bdm at fenrir.org.uk (Brian Morrison) Date: Mon, 16 Jun 2008 14:50:15 +0100 Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <48564553.1030407@fenrir.org.uk> Message-ID: <48566F97.6010000@fenrir.org.uk> Paul Wouters wrote: > On Mon, 16 Jun 2008, Brian Morrison wrote: > >>> Fedora packages have been build into devel, and should migrate into the >>> releases over the next two days. >> >> Which distros will these be for Paul? F7 is about to go out of support, >> so I was wondering if the updated OTR packages will go into F7 updates? > > F-7 went EOL 3 days ago, but it looks like I'm allowed to still update > packages in it, so I will be pushing this into F-7 as well. Yes, excellent, thanks for that. There are still quite a few packages in updates-testing for F7, I wonder if they will put them all into updates before stopping maintenance work. -- Brian From esurnir at gmail.com Mon Jun 16 12:54:01 2008 From: esurnir at gmail.com (Jean-Baptiste Zeller) Date: Mon, 16 Jun 2008 12:54:01 -0400 Subject: [OTR-users] Plugin for Windows Live Plus! Message-ID: <48569AA9.9000604@gmail.com> Hello, In my quest to convert my friends to the use of Off the Record I came to the unfortunate conclusion that installing pidgin for them sound like the end of the world, and while pidgin is a good program it's shortfall like the absence of Webcam support, it's plain appearance compared to the flashy windows live interface made it difficult for them to make the switch... But those same people for I would qualify "immature teenager reason" don't mind to install Windows Live Plus! to do silly things like change the messenger appearance put color code in their text and other and feed whatever ad agency with precious data if they forgot during the installation to opt out of the advertising program. While at first programming off the record in JScript seemed borderly heretic, I discovered that the script could include call to external dlls library which could -just before sending a message- intercept it, pass it over to a otr.dll library who could return the processed message, leaving the encryption part to a dll and only leaving the UI to be scripted. I'm pretty certain that it would be one of the best solution yet to make it easier for off the record to be adopted by the growing MSN user population. -- Jean-Baptiste Zeller From paul at cypherpunks.ca Mon Jun 16 15:56:19 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Mon, 16 Jun 2008 15:56:19 -0400 (EDT) Subject: [OTR-users] finished state GUI Message-ID: Two other gui items 1) If we are in state "finished", and we type in the input box, we now get: (03:50:18 PM) Your message was not sent. Either end your private conversation, or restart it. Why can't it just attempt a new private conversation (and checking for the previous identity, don't allow it to use a random other key)? Is this just a coding effort, or a design decision? 2) When closing a chat window, the conv is not going to state finished/closed. Why not? With other people, I seem to be getting a lot of "finished conversation" messages, but presumably those people do that manually? Paul From mail at code.mmsources.de Tue Jun 17 05:58:38 2008 From: mail at code.mmsources.de (Michael Meier) Date: Tue, 17 Jun 2008 11:58:38 +0200 Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: <20080616114215.GB24909@yoink.cs.uwaterloo.ca> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <20080616114215.GB24909@yoink.cs.uwaterloo.ca> Message-ID: <48578ACE.5000800@code.mmsources.de> >> When you are "private" (eg you have authenticated the other end), the >> menu shows "Authenticate user". It implies (wrongly) that the user was >> not yet authenticated. Can that be changed to "Re-authenticate user"? >> > > We can probably do that. > Hello, attached is the latest revision of de.po to keep it up to date with this change. Regards, Michael -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: de.po URL: From ian at cypherpunks.ca Tue Jun 17 11:52:03 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Tue, 17 Jun 2008 11:52:03 -0400 Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: <48578ACE.5000800@code.mmsources.de> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <20080616114215.GB24909@yoink.cs.uwaterloo.ca> <48578ACE.5000800@code.mmsources.de> Message-ID: <20080617155203.GG6787@thunk.cs.uwaterloo.ca> On Tue, Jun 17, 2008 at 11:58:38AM +0200, Michael Meier wrote: > > >>When you are "private" (eg you have authenticated the other end), the > >>menu shows "Authenticate user". It implies (wrongly) that the user was > >>not yet authenticated. Can that be changed to "Re-authenticate user"? > >> > > > >We can probably do that. > > > Hello, > > attached is the latest revision of de.po to keep it up to date with this > change. Thanks! - Ian From gdt at ir.bbn.com Tue Jun 17 13:28:53 2008 From: gdt at ir.bbn.com (Greg Troxel) Date: Tue, 17 Jun 2008 13:28:53 -0400 Subject: [OTR-users] pidgin-otr 3.2.0 released In-Reply-To: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> (Ian Goldberg's message of "Sun, 15 Jun 2008 17:14:39 -0400") References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> Message-ID: We are pleased to announce the release of pidgin-otr 3.2.0 (along with libotr 3.2.0). I have updated pkgsrc (NetBSD and others) to 3.2.0, and it seems to run fine. nit: the word "OTR" and the icon in the chat window appear to each be a menu item, with the same contents, but I expected to have instead a single menu item with text and an icon. From ian at cypherpunks.ca Tue Jun 17 16:32:06 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Tue, 17 Jun 2008 16:32:06 -0400 Subject: [OTR-users] pidgin-otr 3.2.0 released In-Reply-To: References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> Message-ID: <20080617203206.GP6787@thunk.cs.uwaterloo.ca> On Tue, Jun 17, 2008 at 01:28:53PM -0400, Greg Troxel wrote: > We are pleased to announce the release of pidgin-otr 3.2.0 (along with > libotr 3.2.0). > > I have updated pkgsrc (NetBSD and others) to 3.2.0, and it seems to run > fine. > > nit: the word "OTR" and the icon in the chat window appear to each be a > menu item, with the same contents, but I expected to have instead a > single menu item with text and an icon. It's that way because you might have multiple conversations going on at the same time in the same window (if you have a merged contact), with different OTR statuses. The "OTR" menu is the currently active conversation, but they'll all have their own menus, headed by the appropriate icon. - Ian From alex323 at gmail.com Wed Jun 18 10:07:04 2008 From: alex323 at gmail.com (Alex) Date: Wed, 18 Jun 2008 10:07:04 -0400 Subject: [OTR-users] OTR in jeopardy? Message-ID: <20080618100704.5f92aa33@mx.google.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 http://www.pcworld.com/businesscenter/article/147220/ibms_cellbased_roadrunner_supercomputer_is_worlds_fastest.html I think we have something to worry about now. I guess nothing beats a good ol' OTP. - -- Alex -----BEGIN PGP SIGNATURE----- iF4EAREKAAYFAkhZFp4ACgkQYOjBOUora20ikAD9Hi/6kNJDrRfoCcsddgiu7sJw bdRNArb1k3xI2qg3AQAA/3SSI6oX8ztMdoMNlMblr/2I4d0+0m9aDTamFvbm/qXG =y3g3 -----END PGP SIGNATURE----- From d235j.1 at gmail.com Wed Jun 18 16:34:17 2008 From: d235j.1 at gmail.com (David Ryskalczyk) Date: Wed, 18 Jun 2008 16:34:17 -0400 Subject: [OTR-users] OTR with PortableApps.com Pidgin Message-ID: <97a2442e0806181334hef038dfr60df725d376a1e1c@mail.gmail.com> You can extract the OTR-Portable installer with 7-zip to see what files are inside. Also, the installer nicely places the NSI script in PidginPortable\Other\Source\PidginPortable.nsi. hope this helps. -------------- next part -------------- An HTML attachment was scrubbed... URL: From joachim.lomeier at web.de Wed Jun 18 17:51:23 2008 From: joachim.lomeier at web.de (Joachim Lomeier) Date: Wed, 18 Jun 2008 23:51:23 +0200 Subject: [OTR-users] Plugin or scriptlet for SamePlace? Message-ID: <721176338@web.de> Hi, it would be great, if someone could provide an OTR extentions or scriptlet for SamePlace (IM extension for Firefox). Website: http://www.sameplace.cc/ Regards, Joachim _________________________________________________________________________ In 5 Schritten zur eigenen Homepage. Jetzt Domain sichern und gestalten! Nur 3,99 EUR/Monat! http://www.maildomain.web.de/?mc=021114 From ian at cypherpunks.ca Wed Jun 18 18:37:08 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Wed, 18 Jun 2008 18:37:08 -0400 Subject: [OTR-users] OTR in jeopardy? In-Reply-To: <20080618100704.5f92aa33@mx.google.com> References: <20080618100704.5f92aa33@mx.google.com> Message-ID: <20080618223708.GD6417@yoink.cs.uwaterloo.ca> On Wed, Jun 18, 2008 at 10:07:04AM -0400, Alex wrote: > http://www.pcworld.com/businesscenter/article/147220/ibms_cellbased_roadrunner_supercomputer_is_worlds_fastest.html > I think we have something to worry about now. I guess nothing beats a > good ol' OTP. Even generously giving that computer the ability to search 2^50 keys per second, you do realize that 2^128 is much, much bigger than 2^50, right? :-) Lots of things beat good ol' OTP in practice, because of OTP's unreasonable keying requirements. - Ian From ian at cypherpunks.ca Wed Jun 18 18:39:50 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Wed, 18 Jun 2008 18:39:50 -0400 Subject: [OTR-users] Plugin or scriptlet for SamePlace? In-Reply-To: <721176338@web.de> References: <721176338@web.de> Message-ID: <20080618223950.GE6417@yoink.cs.uwaterloo.ca> On Wed, Jun 18, 2008 at 11:51:23PM +0200, Joachim Lomeier wrote: > Hi, > > it would be great, if someone could provide an OTR extentions or > scriptlet for SamePlace (IM extension for Firefox). > > Website: http://www.sameplace.cc/ Wouldn't someone have to write OTR (and all the underlying crypto) in Javascript? That sounds like quite a task. :-) - Ian From a.sporto+bee at gmail.com Wed Jun 18 19:03:42 2008 From: a.sporto+bee at gmail.com (Uli M) Date: Wed, 18 Jun 2008 23:03:42 +0000 (UTC) Subject: [OTR-users] irssi-otr 0.1 released Message-ID: Hi everyone, irssi-otr[1] is a module for the irssi IRC client. It is most useful in combination with the IM-to-IRC-gateway bitlbee[2] but can also be used with standard IRC servers. You can download a snapshot or check out the git repo. Packages for various distros will be available soon. Thanks, Uli [1] http://projects.tuxfamily.org/group.pl?name=irssiotr [2] http://www.bitlbee.org From perrin at apotheon.com Thu Jun 19 03:29:41 2008 From: perrin at apotheon.com (Chad Perrin) Date: Thu, 19 Jun 2008 01:29:41 -0600 Subject: [OTR-users] irssi-otr 0.1 released In-Reply-To: References: Message-ID: <20080619072941.GA7989@kokopelli.hydra> On Wed, Jun 18, 2008 at 11:03:42PM +0000, Uli M wrote: > Hi everyone, > > irssi-otr[1] is a module for the irssi IRC client. It is most useful > in combination with the IM-to-IRC-gateway bitlbee[2] but can also be > used with standard IRC servers. You can download a snapshot or check > out the git repo. Packages for various distros will be available soon. Does that include a port for FreeBSD? -- Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ] Thomas McCauley: "The measure of a man's real character is what he would do if he knew he would never be found out." -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available URL: From a.sporto+bee at gmail.com Thu Jun 19 09:58:17 2008 From: a.sporto+bee at gmail.com (Uli M) Date: Thu, 19 Jun 2008 13:58:17 +0000 (UTC) Subject: [OTR-users] Re: irssi-otr 0.1 released References: <20080619072941.GA7989@kokopelli.hydra> Message-ID: On 2008-06-19, Chad Perrin wrote: > > --x+6KMIRAuhnl3hBn > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > Content-Transfer-Encoding: quoted-printable > > On Wed, Jun 18, 2008 at 11:03:42PM +0000, Uli M wrote: >> Hi everyone, >> >> irssi-otr[1] is a module for the irssi IRC client. It is most useful >> in combination with the IM-to-IRC-gateway bitlbee[2] but can also be >> used with standard IRC servers. You can download a snapshot or check >> out the git repo. Packages for various distros will be available soon. > > Does that include a port for FreeBSD? Currently, I have no volunteers that would do a FreeBSD port. However, I can tell you that irssi-otr does work on FreeBSD 7, I know someone who's happy with it. If you want to compile it from source there are (besides irssi) two major dependencies: 1. libotr >= 3.1.0. FreeBSD port here [1]. 2. cmake >= 2.4. FreeBSD port here [2]. See also the INSTALL file [3]. Should be straight forward. Let me know if it works for you. Thanks, Uli [1] http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/libotr/ [2] http://www.freebsd.org/cgi/cvsweb.cgi/ports/devel/cmake/ [3] http://git.tuxfamily.org/irssiotr/irssiotr.git?p=gitroot/irssiotr/irssiotr.git;a=blob_plain;f=INSTALL;hb=HEAD From ian at cypherpunks.ca Thu Jun 19 10:14:59 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Thu, 19 Jun 2008 10:14:59 -0400 Subject: [OTR-users] List of OTR-aware software Message-ID: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> I'm making a web page of OTR-aware software: http://www.cypherpunks.ca/otr/software.php If you know of any that isn't on that list, please reply to this message and tell me about it. (Please include a URL.) Thanks! - Ian From mwgamera at gmail.com Thu Jun 19 10:23:47 2008 From: mwgamera at gmail.com (mwgamera) Date: Thu, 19 Jun 2008 16:23:47 +0200 Subject: [OTR-users] List of OTR-aware software In-Reply-To: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: On Thu, Jun 19, 2008 at 4:14 PM, Ian Goldberg wrote: > If you know of any that isn't on that list, please reply to this message > and tell me about it. (Please include a URL.) mcabber is a jabber client that supports otr out of the box. http://lilotux.net/~mikael/mcabber/ -- Kacper Gutowski. From ian at cypherpunks.ca Thu Jun 19 10:27:57 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Thu, 19 Jun 2008 10:27:57 -0400 Subject: [OTR-users] List of OTR-aware software In-Reply-To: References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: <20080619142757.GJ26418@thunk.cs.uwaterloo.ca> On Thu, Jun 19, 2008 at 04:23:47PM +0200, mwgamera wrote: > On Thu, Jun 19, 2008 at 4:14 PM, Ian Goldberg wrote: > > If you know of any that isn't on that list, please reply to this message > > and tell me about it. (Please include a URL.) > > mcabber is a jabber client that supports otr out of the box. > http://lilotux.net/~mikael/mcabber/ Added, thanks! - Ian From paul at xelerance.com Thu Jun 19 10:40:51 2008 From: paul at xelerance.com (Paul Wouters) Date: Thu, 19 Jun 2008 10:40:51 -0400 (EDT) Subject: [OTR-users] irssi-otr 0.1 released In-Reply-To: References: Message-ID: On Wed, 18 Jun 2008, Uli M wrote: > irssi-otr[1] is a module for the irssi IRC client. It is most useful > in combination with the IM-to-IRC-gateway bitlbee[2] but can also be > used with standard IRC servers. You can download a snapshot or check > out the git repo. Packages for various distros will be available soon. Cool. I'll create an rpm for inclusion into fedora (as I'm already the maintainer for all other otr related packages :) I tried it, but seem to run into some issues: (10:33:41 AM) letootr: test (10:34:46 AM) LetoTo: test (10:35:43 AM) LetoTo: test (10:35:53 AM) Attempting to start a private conversation with letootr... (10:36:30 AM) letootr has not been authenticated yet. You should authenticate this buddy. [Image] (10:36:30 AM) Unverified conversation with letootr started. (10:36:37 AM) Successfully refreshed the unverified conversation with letootr. (10:37:22 AM) LetoTo: test (10:37:22 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. (10:37:22 AM) LetoTo: test (10:37:31 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. (10:37:40 AM) Successfully refreshed the unverified conversation with letootr. (10:37:40 AM) The last message to letootr was resent. (10:37:51 AM) The following message received from letootr was not encrypted: [test] (10:37:58 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. I tried refreshing on gaim, and then i seem to get into a slow loop: (10:39:47 AM) The last message to letootr was resent. (10:39:52 AM) The following message received from letootr was not encrypted: [test] (10:39:54 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. (10:40:02 AM) Attempting to refresh the private conversation with letootr... (10:40:11 AM) Successfully refreshed the unverified conversation with letootr. (10:40:11 AM) The last message to letootr was resent. (10:40:25 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. (10:40:35 AM) Successfully refreshed the unverified conversation with letootr. (10:40:35 AM) The last message to letootr was resent. Paul From paul at xelerance.com Thu Jun 19 10:48:37 2008 From: paul at xelerance.com (Paul Wouters) Date: Thu, 19 Jun 2008 10:48:37 -0400 (EDT) Subject: [OTR-users] List of OTR-aware software In-Reply-To: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: On Thu, 19 Jun 2008, Ian Goldberg wrote: > I'm making a web page of OTR-aware software: > > http://www.cypherpunks.ca/otr/software.php > > If you know of any that isn't on that list, please reply to this message > and tell me about it. (Please include a URL.) The Fedora entry/url you post also lists the package for RHEL, and thus for CentOS too. Paul From paul at cypherpunks.ca Thu Jun 19 11:15:52 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Thu, 19 Jun 2008 11:15:52 -0400 (EDT) Subject: [OTR-users] List of OTR-aware software In-Reply-To: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: On Thu, 19 Jun 2008, Ian Goldberg wrote: > I'm making a web page of OTR-aware software: > > http://www.cypherpunks.ca/otr/software.php > > If you know of any that isn't on that list, please reply to this message > and tell me about it. (Please include a URL.) Also: Python bindings for OTR http://pyotr.pentabarf.de/ Paul From paul at cypherpunks.ca Thu Jun 19 11:19:34 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Thu, 19 Jun 2008 11:19:34 -0400 (EDT) Subject: [OTR-users] List of OTR-aware software In-Reply-To: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: > I'm making a web page of OTR-aware software: > > http://www.cypherpunks.ca/otr/software.php > > If you know of any that isn't on that list, please reply to this message > and tell me about it. (Please include a URL.) Sorry :) PSI plugin http://public.tfh-berlin.de/~s717689/ (PSi is http://psi-im.org/) Paul From david at graniteweb.com Thu Jun 19 11:29:25 2008 From: david at graniteweb.com (David Rock) Date: Thu, 19 Jun 2008 10:29:25 -0500 Subject: [OTR-users] List of OTR-aware software In-Reply-To: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: CenterIM (on gentoo, at least) compiles with the OTR library. I have not figured out exactly how to use it, though. http://www.centerim.org/index.php/Main_Page -- David Rock david at graniteweb.com On Jun 19, 2008, at 9:14 AM, Ian Goldberg wrote: > I'm making a web page of OTR-aware software: > > http://www.cypherpunks.ca/otr/software.php > > If you know of any that isn't on that list, please reply to this > message > and tell me about it. (Please include a URL.) > > Thanks! > > - Ian > _______________________________________________ > OTR-users mailing list > OTR-users at lists.cypherpunks.ca > http://lists.cypherpunks.ca/mailman/listinfo/otr-users From michael_reichenbach at freenet.de Thu Jun 19 12:13:45 2008 From: michael_reichenbach at freenet.de (Michael Reichenbach) Date: Thu, 19 Jun 2008 18:13:45 +0200 Subject: [OTR-users] List of OTR-aware software In-Reply-To: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: <485A85B9.2080100@freenet.de> Ian Goldberg schrieb: > I'm making a web page of OTR-aware software: > > http://www.cypherpunks.ca/otr/software.php > > If you know of any that isn't on that list, please reply to this message > and tell me about it. (Please include a URL.) > > Thanks! > > - Ian I think it would be good to mention that the Pidgin OTR plugin is the offical one from the original project. This is important. It's also the only one I would recommend. Only this plugin is made by developers who may be verified to have a clue about programming and cryptography. I have seen other encryption plugins for other messengers which had serious security bugs. See http://forums.miranda-im.org/showthread.php?t=4768&page=25 a bug where you could trick the encryption easily just by using another client and no more security updates. This plugin is still listed in lists with encryption plugins in the wiki and people use it... Therefore it's important to use plugins from serious programmers or at least if there was serious reviews. -mr From ian at cypherpunks.ca Thu Jun 19 14:08:59 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Thu, 19 Jun 2008 14:08:59 -0400 Subject: [OTR-users] List of OTR-aware software In-Reply-To: References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: <20080619180859.GU26418@thunk.cs.uwaterloo.ca> On Thu, Jun 19, 2008 at 10:29:25AM -0500, David Rock wrote: > CenterIM (on gentoo, at least) compiles with the OTR library. I have > not figured out exactly how to use it, though. > http://www.centerim.org/index.php/Main_Page http://www.mail-archive.com/centerim-devel at centerim.org/msg00200.html suggests you use F7 to start an OTR session, but it only works with Jabber. - Ian From ian at cypherpunks.ca Thu Jun 19 14:14:57 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Thu, 19 Jun 2008 14:14:57 -0400 Subject: [OTR-users] List of OTR-aware software In-Reply-To: <485A85B9.2080100@freenet.de> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> <485A85B9.2080100@freenet.de> Message-ID: <20080619181457.GV26418@thunk.cs.uwaterloo.ca> On Thu, Jun 19, 2008 at 06:13:45PM +0200, Michael Reichenbach wrote: > Ian Goldberg schrieb: > >I'm making a web page of OTR-aware software: > > > >http://www.cypherpunks.ca/otr/software.php > > > >If you know of any that isn't on that list, please reply to this message > >and tell me about it. (Please include a URL.) > > > >Thanks! > > > > - Ian > > I think it would be good to mention that the Pidgin OTR plugin is the > offical one from the original project. This is important. It's also the > only one I would recommend. Fair enough. I've added such a note. - Ian From michael_reichenbach at freenet.de Thu Jun 19 14:59:44 2008 From: michael_reichenbach at freenet.de (Michael Reichenbach) Date: Thu, 19 Jun 2008 20:59:44 +0200 Subject: [OTR-users] List of OTR-aware software In-Reply-To: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: <485AACA0.2050508@freenet.de> There are also already nice articles in the wiki. http://en.wikipedia.org/wiki/Off-the-Record_Messaging http://en.wikipedia.org/wiki/Comparison_of_instant_messaging_clients -mr From perrin at apotheon.com Thu Jun 19 17:58:50 2008 From: perrin at apotheon.com (Chad Perrin) Date: Thu, 19 Jun 2008 15:58:50 -0600 Subject: [OTR-users] List of OTR-aware software In-Reply-To: References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> Message-ID: <20080619215850.GB10473@kokopelli.hydra> On Thu, Jun 19, 2008 at 10:29:25AM -0500, David Rock wrote: > CenterIM (on gentoo, at least) compiles with the OTR library. I have > not figured out exactly how to use it, though. > http://www.centerim.org/index.php/Main_Page I asked the CenterIM folks about this a few months ago. Unless something has changed in the interim, it seems that the OTR plugin for CenterIM only works with one protocol. I think it was ICQ, but I probably wouldn't bet money on that. If that has changed, please let me know -- I'd rather use CenterIM than Pidgin, except for the fact that OTR support works for all protocols in Pidgin. -- Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ] Baltasar Gracian: "A wise man gets more from his enemies than a fool from his friends." -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 195 bytes Desc: not available URL: From bdm at fenrir.org.uk Thu Jun 19 18:09:25 2008 From: bdm at fenrir.org.uk (Brian Morrison) Date: Thu, 19 Jun 2008 23:09:25 +0100 Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <48564553.1030407@fenrir.org.uk> Message-ID: <20080619230925.278f9650@peterson.fenrir.org.uk> On Mon, 16 Jun 2008 09:48:07 -0400 (EDT) Paul Wouters wrote: > On Mon, 16 Jun 2008, Brian Morrison wrote: > > >> Fedora packages have been build into devel, and should migrate into the > >> releases over the next two days. > > > > Which distros will these be for Paul? F7 is about to go out of support, > > so I was wondering if the updated OTR packages will go into F7 updates? > > F-7 went EOL 3 days ago, but it looks like I'm allowed to still update > packages in it, so I will be pushing this into F-7 as well. Any update on these packages for Fedora Paul? I don't see anything in updates-testing yet.... -- Brian Morrison bdm at fenrir dot org dot uk "Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it." GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html From a.sporto+bee at gmail.com Thu Jun 19 19:48:26 2008 From: a.sporto+bee at gmail.com (Uli M) Date: Thu, 19 Jun 2008 23:48:26 +0000 (UTC) Subject: [OTR-users] Re: irssi-otr 0.1 released In-Reply-To: References: Message-ID: <20080619234833.GE8251@nets.rwth-aachen.de> On Thu 19.06.08 10:40, Paul Wouters wrote: > On Wed, 18 Jun 2008, Uli M wrote: > >> irssi-otr[1] is a module for the irssi IRC client. It is most useful >> in combination with the IM-to-IRC-gateway bitlbee[2] but can also be >> used with standard IRC servers. You can download a snapshot or check >> out the git repo. Packages for various distros will be available soon. > > Cool. I'll create an rpm for inclusion into fedora (as I'm already the > maintainer for all other otr related packages :) That's great thanks! You'll probably need a tarball for that which includes the three private irssi headers that cmake usually downloads. I'll put one up. > I tried it, but seem to run into some issues: So you're running irssi-otr against pidgin/IRC? I've never tried that combination although it should work. I have no idea what the problem is (there shouldn't be one) but I'll test it myself and see. Don't know why those refreshs occur, maybe that's where the problem lies... Uli > > (10:33:41 AM) letootr: test > (10:34:46 AM) LetoTo: test > (10:35:43 AM) LetoTo: test > (10:35:53 AM) Attempting to start a private conversation with letootr... > (10:36:30 AM) letootr has not been authenticated yet. You should authenticate this buddy. > [Image] (10:36:30 AM) Unverified conversation with letootr started. > (10:36:37 AM) Successfully refreshed the unverified conversation with letootr. > (10:37:22 AM) LetoTo: test > (10:37:22 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. > (10:37:22 AM) LetoTo: test > (10:37:31 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. > (10:37:40 AM) Successfully refreshed the unverified conversation with letootr. > (10:37:40 AM) The last message to letootr was resent. > (10:37:51 AM) The following message received from letootr was not encrypted: [test] > (10:37:58 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. > > I tried refreshing on gaim, and then i seem to get into a slow loop: > > (10:39:47 AM) The last message to letootr was resent. > (10:39:52 AM) The following message received from letootr was not encrypted: [test] > (10:39:54 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. > (10:40:02 AM) Attempting to refresh the private conversation with letootr... > (10:40:11 AM) Successfully refreshed the unverified conversation with letootr. > (10:40:11 AM) The last message to letootr was resent. > (10:40:25 AM) OTR Error: You sent encrypted data to letootr at irc.freenode.net, who wasn't expecting it. > (10:40:35 AM) Successfully refreshed the unverified conversation with letootr. > (10:40:35 AM) The last message to letootr was resent. > > Paul From paul at cypherpunks.ca Thu Jun 19 23:28:28 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Thu, 19 Jun 2008 23:28:28 -0400 (EDT) Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: <20080619230925.278f9650@peterson.fenrir.org.uk> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <48564553.1030407@fenrir.org.uk> <20080619230925.278f9650@peterson.fenrir.org.uk> Message-ID: On Thu, 19 Jun 2008, Brian Morrison wrote: > > F-7 went EOL 3 days ago, but it looks like I'm allowed to still update > > packages in it, so I will be pushing this into F-7 as well. > > Any update on these packages for Fedora Paul? > > I don't see anything in updates-testing yet.... I just requested a push to stable: https://admin.fedoraproject.org/updates/F7/pending/libotr-3.2.0-1.fc7 But I think pidgin-otr might not have made the cut (It was pending the new libotr becoming available in the build system). I am not getting: koji: error: Unknown build target: dist-fc7-updates-candidate Paul From paul at xelerance.com Thu Jun 19 23:29:43 2008 From: paul at xelerance.com (Paul Wouters) Date: Thu, 19 Jun 2008 23:29:43 -0400 (EDT) Subject: [OTR-users] Re: irssi-otr 0.1 released In-Reply-To: <20080619234833.GE8251@nets.rwth-aachen.de> References: <20080619234833.GE8251@nets.rwth-aachen.de> Message-ID: On Thu, 19 Jun 2008, Uli M wrote: > >> irssi-otr[1] is a module for the irssi IRC client. It is most useful > >> in combination with the IM-to-IRC-gateway bitlbee[2] but can also be > >> used with standard IRC servers. You can download a snapshot or check > >> out the git repo. Packages for various distros will be available soon. > > > > Cool. I'll create an rpm for inclusion into fedora (as I'm already the > > maintainer for all other otr related packages :) > > That's great thanks! You'll probably need a tarball for that which > includes the three private irssi headers that cmake usually downloads. > I'll put one up. Yes. I noticed that when I build it. It would make my life a lot easier if you can provide those, instead of me needing to write patches or sources for it. > So you're running irssi-otr against pidgin/IRC? I've never tried that > combination although it should work. I have no idea what the problem is > (there shouldn't be one) but I'll test it myself and see. Don't know why > those refreshs occur, maybe that's where the problem lies... Yes, that's what I tried. Paul From brian.mathis at gmail.com Fri Jun 20 09:42:19 2008 From: brian.mathis at gmail.com (Brian Mathis) Date: Fri, 20 Jun 2008 09:42:19 -0400 Subject: [OTR-users] pidgin-otr 3.2.0 released In-Reply-To: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> Message-ID: <183c528b0806200642k6cd1952aqef4bf5f07b5bb925@mail.gmail.com> On Sun, Jun 15, 2008 at 5:14 PM, Ian Goldberg wrote: > We are pleased to announce the release of pidgin-otr 3.2.0 (along with > libotr 3.2.0). > > New in 3.2.0: > > - The functionality of the OTR button has now moved to a menu. There's > an "OTR" menu, as well as an icon showing the current OTR state of > each active conversation in the window. The button can optionally > be shown in addition, now in the conversation toolbar. > - New OTR icons from > - OTR icons show up inline in the conversation window when the OTR > status changes. > - Buddy authentication has been revamped, based on the user study > published in SOUPS 2008. The default is now to choose a question and > an answer only you and the buddy should know. The question is > displayed to the buddy, who is prompted for the answer. The "shared > secret" and "fingerprint" authentication methods are still available. > - Translations for Arabic, German, Russian, Hungarian > > As usual, the software can be downloaded from http://otr.cypherpunks.ca/ > > - Ian It would be great if the Windows binaries were also available as a zip file. From ian at cypherpunks.ca Fri Jun 20 10:04:22 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Fri, 20 Jun 2008 10:04:22 -0400 Subject: [OTR-users] pidgin-otr 3.2.0 released In-Reply-To: <183c528b0806200642k6cd1952aqef4bf5f07b5bb925@mail.gmail.com> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <183c528b0806200642k6cd1952aqef4bf5f07b5bb925@mail.gmail.com> Message-ID: <20080620140422.GF18999@thunk.cs.uwaterloo.ca> On Fri, Jun 20, 2008 at 09:42:19AM -0400, Brian Mathis wrote: > On Sun, Jun 15, 2008 at 5:14 PM, Ian Goldberg wrote: > > We are pleased to announce the release of pidgin-otr 3.2.0 (along with > > libotr 3.2.0). > > > > New in 3.2.0: > > > > - The functionality of the OTR button has now moved to a menu. There's > > an "OTR" menu, as well as an icon showing the current OTR state of > > each active conversation in the window. The button can optionally > > be shown in addition, now in the conversation toolbar. > > - New OTR icons from > > - OTR icons show up inline in the conversation window when the OTR > > status changes. > > - Buddy authentication has been revamped, based on the user study > > published in SOUPS 2008. The default is now to choose a question and > > an answer only you and the buddy should know. The question is > > displayed to the buddy, who is prompted for the answer. The "shared > > secret" and "fingerprint" authentication methods are still available. > > - Translations for Arabic, German, Russian, Hungarian > > > > As usual, the software can be downloaded from http://otr.cypherpunks.ca/ > > > > - Ian > > It would be great if the Windows binaries were also available as a zip file. You mean just a zip of all the files the installer installs, and you get to put them where they belong yourself? The zip file I build (as input to the nsi installer compiler) looks like this: Length Date Time Name -------- ---- ---- ---- 14605 06-17-08 17:28 README.txt 13064 06-17-08 17:28 README.Toolkit.txt 75464 06-17-08 17:28 Protocol-v2.html 18349 06-17-08 17:28 COPYING.txt 26934 06-17-08 17:28 COPYING.LIB.txt 290816 06-17-08 17:28 otr_mackey.exe 310272 06-17-08 17:28 otr_modify.exe 311296 06-17-08 17:28 otr_parse.exe 322560 06-17-08 17:28 otr_readforge.exe 291328 06-17-08 17:28 otr_remac.exe 291328 06-17-08 17:28 otr_sesskeys.exe 423936 06-17-08 17:28 pidgin-otr.dll 9125 06-15-08 15:16 pidgin-otr.nsi 0 06-17-08 17:28 locale/ 0 06-17-08 17:28 locale/ar/ 0 06-17-08 17:28 locale/ar/LC_MESSAGES/ 11608 06-17-08 17:28 locale/ar/LC_MESSAGES/pidgin-otr.mo 0 06-17-08 17:28 locale/de/ 0 06-17-08 17:28 locale/de/LC_MESSAGES/ 12170 06-17-08 17:28 locale/de/LC_MESSAGES/pidgin-otr.mo 0 06-17-08 17:28 locale/es/ 0 06-17-08 17:28 locale/es/LC_MESSAGES/ 10789 06-17-08 17:28 locale/es/LC_MESSAGES/pidgin-otr.mo 0 06-17-08 17:28 locale/fr/ 0 06-17-08 17:28 locale/fr/LC_MESSAGES/ 10732 06-17-08 17:28 locale/fr/LC_MESSAGES/pidgin-otr.mo 0 06-17-08 17:28 locale/hu/ 0 06-17-08 17:28 locale/hu/LC_MESSAGES/ 12901 06-17-08 17:28 locale/hu/LC_MESSAGES/pidgin-otr.mo 0 06-17-08 17:28 locale/nl/ 0 06-17-08 17:28 locale/nl/LC_MESSAGES/ 10774 06-17-08 17:28 locale/nl/LC_MESSAGES/pidgin-otr.mo 0 06-17-08 17:28 locale/ru/ 0 06-17-08 17:28 locale/ru/LC_MESSAGES/ 13104 06-17-08 17:28 locale/ru/LC_MESSAGES/pidgin-otr.mo 0 06-17-08 17:28 locale/sk/ 0 06-17-08 17:28 locale/sk/LC_MESSAGES/ 13404 06-17-08 17:28 locale/sk/LC_MESSAGES/pidgin-otr.mo Is that file what you're looking for? I can easily put that online: http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip There's no .asc right now; my signing key is at home. - Ian From bdm at fenrir.org.uk Fri Jun 20 15:46:50 2008 From: bdm at fenrir.org.uk (Brian Morrison) Date: Fri, 20 Jun 2008 20:46:50 +0100 Subject: [OTR-users] Pidgin crash, appears to be in OTR plugin Message-ID: <20080620204650.63c01485@peterson.fenrir.org.uk> I'm seeing a stubborn crash in Pidgin on Win32, using OTR, with a buddy that is present in MSN and AIM, any attempt to start an IM with or without OTR enabled results in a crash, please see: http://developer.pidgin.im/ticket/6139 Is this an OTR bug? If so a fix would be appreciated. FWIW I could IM this buddy before I got MSN to work through my company firewall, using AIM only. Disabling MSN now does not fix the problem. -- Brian Morrison bdm at fenrir dot org dot uk "Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it." GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html From bdm at fenrir.org.uk Fri Jun 20 15:56:42 2008 From: bdm at fenrir.org.uk (Brian Morrison) Date: Fri, 20 Jun 2008 20:56:42 +0100 Subject: [OTR-users] Pidgin crash, appears to be in OTR plugin In-Reply-To: <20080620204650.63c01485@peterson.fenrir.org.uk> References: <20080620204650.63c01485@peterson.fenrir.org.uk> Message-ID: <20080620205642.72bd48e3@peterson.fenrir.org.uk> On Fri, 20 Jun 2008 20:46:50 +0100 Brian Morrison wrote: > I'm seeing a stubborn crash in Pidgin on Win32, using OTR, with a buddy > that is present in MSN and AIM, any attempt to start an IM with or > without OTR enabled results in a crash, please see: > > http://developer.pidgin.im/ticket/6139 > > Is this an OTR bug? If so a fix would be appreciated. > > FWIW I could IM this buddy before I got MSN to work through my company > firewall, using AIM only. Disabling MSN now does not fix the problem. > Whoa, false alarm, it seems that the dll with the problem is encrypt.dll which is not OTR, it's from Pidgin Encryption. My mistake! -- Brian Morrison bdm at fenrir dot org dot uk "Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it." GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html From konrad at tylerc.org Fri Jun 20 18:39:28 2008 From: konrad at tylerc.org (Konrad Meyer) Date: Fri, 20 Jun 2008 15:39:28 -0700 Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <20080619230925.278f9650@peterson.fenrir.org.uk> Message-ID: <200806201539.28397.konrad@tylerc.org> Quoth Paul Wouters: > On Thu, 19 Jun 2008, Brian Morrison wrote: > > > > F-7 went EOL 3 days ago, but it looks like I'm allowed to still update > > > packages in it, so I will be pushing this into F-7 as well. > > > > Any update on these packages for Fedora Paul? > > > > I don't see anything in updates-testing yet.... > > I just requested a push to stable: > https://admin.fedoraproject.org/updates/F7/pending/libotr-3.2.0-1.fc7 > > But I think pidgin-otr might not have made the cut (It was pending the > new libotr becoming available in the build system). I am not getting: > > koji: error: Unknown build target: dist-fc7-updates-candidate > > Paul F7 has been EOL for several days now. F7 updates don't exist any more. -- Conrad Meyer -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: This is a digitally signed message part. URL: From paul at cypherpunks.ca Fri Jun 20 19:35:41 2008 From: paul at cypherpunks.ca (Paul Wouters) Date: Fri, 20 Jun 2008 19:35:41 -0400 (EDT) Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: <200806201539.28397.konrad@tylerc.org> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <20080619230925.278f9650@peterson.fenrir.org.uk> <200806201539.28397.konrad@tylerc.org> Message-ID: On Fri, 20 Jun 2008, Konrad Meyer wrote: >> koji: error: Unknown build target: dist-fc7-updates-candidate > > F7 has been EOL for several days now. F7 updates don't exist any more. I know. But my updates were within the build/update system. But pidgin-otr was depending on libotr, so it was trailing a day and got cut off.... Paul From ian at cypherpunks.ca Fri Jun 20 20:36:18 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Fri, 20 Jun 2008 20:36:18 -0400 Subject: [OTR-users] pidgin-otr 3.2.0 released In-Reply-To: <20080620140422.GF18999@thunk.cs.uwaterloo.ca> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <183c528b0806200642k6cd1952aqef4bf5f07b5bb925@mail.gmail.com> <20080620140422.GF18999@thunk.cs.uwaterloo.ca> Message-ID: <20080621003618.GM6417@yoink.cs.uwaterloo.ca> On Fri, Jun 20, 2008 at 10:04:22AM -0400, Ian Goldberg wrote: > Is that file what you're looking for? I can easily put that online: > > http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip > > There's no .asc right now; my signing key is at home. The .asc is also up now: http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip.asc - Ian From db.netres at gmail.com Wed Jun 25 10:51:29 2008 From: db.netres at gmail.com (db) Date: Wed, 25 Jun 2008 16:51:29 +0200 Subject: [OTR-users] List of OTR-aware software In-Reply-To: <485AACA0.2050508@freenet.de> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> <485AACA0.2050508@freenet.de> Message-ID: On Thu, Jun 19, 2008 at 8:59 PM, Michael Reichenbach wrote: > There are also already nice articles in the wiki. > http://en.wikipedia.org/wiki/Off-the-Record_Messaging > http://en.wikipedia.org/wiki/Comparison_of_instant_messaging_clients In this article you can read > The primary motivation behind the protocol was providing deniability for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with the majority of cryptography tools which resemble more a signed writing on paper, which can be used, at a later date, as a tool to demonstrate that the communication happened, who participated in it, and about what it was. Unfortunately, in most cases people using ordinary cryptography software are not aware of this and in most cases they would be better served by OTR tools instead. Hence the initial introductory paper was named "Off-the-Record Communication, or, Why Not To Use PGP".[1] I really don't understand the purpose with OTR in any regular context. Why do you want to be able to deny what you have written/said to friends/colleges? Besides, OTR can not live up to this promise in a more European legal system where courts typically can consider any type of evidence/they are free to sift evidence at their will (e.g., if you have backup copies of logs that are several years old, and these backups pre-dates a court case with a good margin, and these copies are identical to the logs in you IM client most court would consider these logs strong evidence). The only reasonable use for OTR is in contexts such as in Tibet. A typical user in a democratic society are probably much more interested in the type of confidentiality you are used to when you do online banking - that is, prevention of eaves dropping. In my case OTR even caused a lot of headache since most of my chat logs are trivial and I like to store them in my gmail account. Now I just have a lot of encrypted logs I never will be able to decode = phone numbers to friend's friends, e-mail addresses etc are lost forever. I am interested in deniability for the content on my Freenet node since my Freenet datastorage might contain information that I don't want to take responsibility for, possibly because the information is illegal. However this is due to the fact that I can't control what is on my Freenet node and control is the keyword: the content in my chat logs is controllable by me and hence the need for deniability disappears. From bdm at fenrir.org.uk Wed Jun 25 11:14:40 2008 From: bdm at fenrir.org.uk (Brian Morrison) Date: Wed, 25 Jun 2008 16:14:40 +0100 Subject: [OTR-users] List of OTR-aware software In-Reply-To: References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> <485AACA0.2050508@freenet.de> Message-ID: <486260E0.2000609@fenrir.org.uk> db wrote: > On Thu, Jun 19, 2008 at 8:59 PM, Michael Reichenbach > wrote: >> There are also already nice articles in the wiki. >> http://en.wikipedia.org/wiki/Off-the-Record_Messaging >> http://en.wikipedia.org/wiki/Comparison_of_instant_messaging_clients > > In this article you can read > >> The primary motivation behind the protocol was providing deniability for the conversation participants while keeping conversations confidential, like a private conversation in real life, or off the record in journalism sourcing. This is in contrast with the majority of cryptography tools which resemble more a signed writing on paper, which can be used, at a later date, as a tool to demonstrate that the communication happened, who participated in it, and about what it was. Unfortunately, in most cases people using ordinary cryptography software are not aware of this and in most cases they would be better served by OTR tools instead. Hence the initial introductory paper was named "Off-the-Record Communication, or, Why Not To Use PGP".[1] > > I really don't understand the purpose with OTR in any regular context. > Why do you want to be able to deny what you have written/said to > friends/colleges? Besides, OTR can not live up to this promise in a > more European legal system where courts typically can consider any > type of evidence/they are free to sift evidence at their will (e.g., > if you have backup copies of logs that are several years old, and > these backups pre-dates a court case with a good margin, and these > copies are identical to the logs in you IM client most court would > consider these logs strong evidence). If you are using OTR, you should not be keeping any logs. The point is plausible deniability. If the keys are ephemeral, then the content of your conversations is protected from compromise because *any* plaintext can result from ciphertext protected with an unknown and unknowable key. It makes no difference whether the authorities have your intercepted ciphertext, it could say anything and all they can assume from it is some kind of association with another person, they cannot prove anything and you cannot be forced to compromise or incriminate yourself because you do not have the session key(s) at the time or later. > > The only reasonable use for OTR is in contexts such as in Tibet. A > typical user in a democratic society are probably much more interested > in the type of confidentiality you are used to when you do online > banking - that is, prevention of eaves dropping. Everyone should take all possible steps to protect their private conversations, privacy is the root of a civilized society, no one else has any rights to know what I am talking about with anyone else. That especially includes governments and their agents, just because they can monitor electronic communication does not mean that it should be any easier for them than recording and transcribing ever voice conversation taking place in the entire country. > > In my case OTR even caused a lot of headache since most of my chat > logs are trivial and I like to store them in my gmail account. Now I > just have a lot of encrypted logs I never will be able to decode = > phone numbers to friend's friends, e-mail addresses etc are lost > forever. Then don't store these important pieces of information in these logs that you should not be keeping anyway, extract it and save it separately. But remember that it might be incriminating in itself. I'm very puzzled as to why you're using OTR, it appears to not do what you want at all. -- Brian From db.netres at gmail.com Wed Jun 25 11:34:48 2008 From: db.netres at gmail.com (db) Date: Wed, 25 Jun 2008 17:34:48 +0200 Subject: [OTR-users] List of OTR-aware software In-Reply-To: <486260E0.2000609@fenrir.org.uk> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> <485AACA0.2050508@freenet.de> <486260E0.2000609@fenrir.org.uk> Message-ID: On Wed, Jun 25, 2008 at 5:14 PM, Brian Morrison wrote: > If you are using OTR, you should not be keeping any logs. But that does not prevent the other party from keeping clear text logs. > The point is > plausible deniability. Which you OTR does not provide if the other party keep logs. > Everyone should take all possible steps to protect their private > conversations, privacy is the root of a civilized society, no one else > has any rights to know what I am talking about with anyone else. That > especially includes governments and their agents, just because they can > monitor electronic communication does not mean that it should be any > easier for them than recording and transcribing ever voice conversation > taking place in the entire country. Yes, and that is what e.g., SSL offers. After using SSL (or PGP or similar) to secure the communication it is up to you to keep/delete the logs. SSL+no logs provides basically the same level of deniability as OTR, that is - the level of deniability depends on the other party keeping clear text logs or not. >> >> In my case OTR even caused a lot of headache since most of my chat >> logs are trivial and I like to store them in my gmail account. Now I >> just have a lot of encrypted logs I never will be able to decode = >> phone numbers to friend's friends, e-mail addresses etc are lost >> forever. > > Then don't store these important pieces of information in these logs > that you should not be keeping anyway, extract it and save it > separately. But remember that it might be incriminating in itself. I find it really funny that you recommend me to not keeps logs. I guess you immediately delete all e-mailsyou receive, burn all paper invoices (although the actual payment probably is traceable anyway), delete all browser cookies regularly etc. I on the other hand like to keep documentation (agreements, phone bills, personal letters) of some events for future reference. > I'm very puzzled as to why you're using OTR, it appears to not do what > you want at all. I don't use it any more, but I have subscribed to this mailing list for some time to find out a reason to start use it but the more I read, the more useless I consider it. I will probably start blocking people trying to use OTR with me in the near future since I see no reason for friends or people I work with to desire "deniability" about what they have written to me. If my manager would ask me to do something and then be able to deny that he sent me such a message - I can only see disadvantages with that situation. From lou at louspringer.com Wed Jun 25 11:50:16 2008 From: lou at louspringer.com (Lou Springer) Date: Wed, 25 Jun 2008 09:50:16 -0600 Subject: [OTR-users] List of OTR-aware software In-Reply-To: <486260E0.2000609@fenrir.org.uk> References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> <485AACA0.2050508@freenet.de> <486260E0.2000609@fenrir.org.uk> Message-ID: <5D130AC2-3267-4313-BE5A-5CB679964D0E@louspringer.com> Brian, Speaking for myself, the message content encryption is sufficient for my *current* needs. I also occasionally need the logs for the message content as db has outlined. My diminishing 52 year old memory requires the augmentation. The core requirement for OTR as you have outlined it is interesting, and I was unaware of this important distinction between OTR and conventional encryption like SSL. I personally have no *current* need for it. However, I would *strongly* stipulate it is an important and necessary capability, and would never suggest otherwise. I should say I'm not a big fan of anonymity in normal civil discourse, in person or on the web, particularly as a default mode of operation. However, there are unfortunately times and circumstances for it. The inherent tendency of all things on the web to be recorded in much greater mind-numbing totality does distinguish web communication from normal public discourse. Its rare that public conversations and phone calls are recorded unbeknownst to the participants. The same can't be said for email, chat and browsing behavior, which I always assume are meticulously recorded in every detail for all time, good bad or otherwise. Lou On Jun 25, 2008, at 9:14 AM, Brian Morrison wrote: > db wrote: >> On Thu, Jun 19, 2008 at 8:59 PM, Michael Reichenbach >> wrote: >>> There are also already nice articles in the wiki. >>> http://en.wikipedia.org/wiki/Off-the-Record_Messaging >>> http://en.wikipedia.org/wiki/Comparison_of_instant_messaging_clients >> >> In this article you can read >> >>> The primary motivation behind the protocol was providing >>> deniability for the conversation participants while keeping >>> conversations confidential, like a private conversation in real >>> life, or off the record in journalism sourcing. This is in >>> contrast with the majority of cryptography tools which resemble >>> more a signed writing on paper, which can be used, at a later >>> date, as a tool to demonstrate that the communication happened, >>> who participated in it, and about what it was. Unfortunately, in >>> most cases people using ordinary cryptography software are not >>> aware of this and in most cases they would be better served by OTR >>> tools instead. Hence the initial introductory paper was named "Off- >>> the-Record Communication, or, Why Not To Use PGP".[1] >> >> I really don't understand the purpose with OTR in any regular >> context. >> Why do you want to be able to deny what you have written/said to >> friends/colleges? Besides, OTR can not live up to this promise in a >> more European legal system where courts typically can consider any >> type of evidence/they are free to sift evidence at their will (e.g., >> if you have backup copies of logs that are several years old, and >> these backups pre-dates a court case with a good margin, and these >> copies are identical to the logs in you IM client most court would >> consider these logs strong evidence). > > If you are using OTR, you should not be keeping any logs. The point is > plausible deniability. If the keys are ephemeral, then the content of > your conversations is protected from compromise because *any* > plaintext > can result from ciphertext protected with an unknown and unknowable > key. > It makes no difference whether the authorities have your intercepted > ciphertext, it could say anything and all they can assume from it is > some kind of association with another person, they cannot prove > anything > and you cannot be forced to compromise or incriminate yourself because > you do not have the session key(s) at the time or later. > >> >> The only reasonable use for OTR is in contexts such as in Tibet. A >> typical user in a democratic society are probably much more >> interested >> in the type of confidentiality you are used to when you do online >> banking - that is, prevention of eaves dropping. > > Everyone should take all possible steps to protect their private > conversations, privacy is the root of a civilized society, no one else > has any rights to know what I am talking about with anyone else. That > especially includes governments and their agents, just because they > can > monitor electronic communication does not mean that it should be any > easier for them than recording and transcribing ever voice > conversation > taking place in the entire country. > >> >> In my case OTR even caused a lot of headache since most of my chat >> logs are trivial and I like to store them in my gmail account. Now I >> just have a lot of encrypted logs I never will be able to decode = >> phone numbers to friend's friends, e-mail addresses etc are lost >> forever. > > Then don't store these important pieces of information in these logs > that you should not be keeping anyway, extract it and save it > separately. But remember that it might be incriminating in itself. > > I'm very puzzled as to why you're using OTR, it appears to not do what > you want at all. > > -- > > Brian > _______________________________________________ > OTR-users mailing list > OTR-users at lists.cypherpunks.ca > http://lists.cypherpunks.ca/mailman/listinfo/otr-users From bdm at fenrir.org.uk Wed Jun 25 12:18:11 2008 From: bdm at fenrir.org.uk (Brian Morrison) Date: Wed, 25 Jun 2008 17:18:11 +0100 Subject: [OTR-users] List of OTR-aware software In-Reply-To: References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> <485AACA0.2050508@freenet.de> <486260E0.2000609@fenrir.org.uk> Message-ID: <48626FC3.8060007@fenrir.org.uk> db wrote: > On Wed, Jun 25, 2008 at 5:14 PM, Brian Morrison wrote: > >> If you are using OTR, you should not be keeping any logs. > > But that does not prevent the other party from keeping clear text logs. Then you need to be more careful about the people with whom you have OTR chats! > >> The point is >> plausible deniability. > > Which you OTR does not provide if the other party keep logs. See above.... > > >> Everyone should take all possible steps to protect their private >> conversations, privacy is the root of a civilized society, no one else >> has any rights to know what I am talking about with anyone else. That >> especially includes governments and their agents, just because they can >> monitor electronic communication does not mean that it should be any >> easier for them than recording and transcribing ever voice conversation >> taking place in the entire country. > > Yes, and that is what e.g., SSL offers. After using SSL (or PGP or > similar) to secure the communication it is up to you to keep/delete > the logs. SSL+no logs provides basically the same level of deniability > as OTR, that is - the level of deniability depends on the other party > keeping clear text logs or not. OTR provides authentication between people that know each other in a way that SSL does not and perhaps cannot. You never know whether your CA providers have been subverted (after all they are corporations and so have to do what governments and LEAs tell them to) and that a MITM attack is being run. Always think about ensuring further encryption above and beyond SSL when you can. VPNs are good as they can hide all the headers and other information inside the tunnel. Try to find exit points in jurisdictions where the state has included strong legal protections against arbitrary interception without warrant. > >>> In my case OTR even caused a lot of headache since most of my chat >>> logs are trivial and I like to store them in my gmail account. Now I >>> just have a lot of encrypted logs I never will be able to decode = >>> phone numbers to friend's friends, e-mail addresses etc are lost >>> forever. >> Then don't store these important pieces of information in these logs >> that you should not be keeping anyway, extract it and save it >> separately. But remember that it might be incriminating in itself. > > I find it really funny that you recommend me to not keeps logs. I > guess you immediately delete all e-mailsyou receive, burn all paper > invoices (although the actual payment probably is traceable anyway), > delete all browser cookies regularly etc. I on the other hand like to > keep documentation (agreements, phone bills, personal letters) of some > events for future reference. I do pretty much what you suggest, where sensible and practical. I don't keep extraneous crap (my house isn't big enough), and I try to ensure that anything remotely contentious is in my head and leaves as few traces as possible on my PCs. > >> I'm very puzzled as to why you're using OTR, it appears to not do what >> you want at all. > > I don't use it any more, but I have subscribed to this mailing list > for some time to find out a reason to start use it but the more I > read, the more useless I consider it. I will probably start blocking > people trying to use OTR with me in the near future since I see no > reason for friends or people I work with to desire "deniability" about > what they have written to me. If my manager would ask me to do > something and then be able to deny that he sent me such a message - I > can only see disadvantages with that situation. I doubt I would use it for what you are suggesting, but if I'm chatting with friends during work hours (at a low rate) then I don't for one minute believe that the company Jabber server logs don't contain all I have written so with some people I talk to I have OTR to keep things private. Am I paranoid? I don't think so, you can see the abuses cooked up by our insane politicians and policemen in the news every day of the week, don't let them delude you into thinking that spying on people in any way enhances our safety in exchange for freedom. It doesn't, your best defence of your freedom is to refuse to be conned and accept that a madman may kill a few people but that is insignificant in comparison with the danger posed by other things we accept without question. If we all encrypted anything, then the incompetents would have to work a lot harder to wreck what so many fought and died for in the past. -- Brian From ian at cypherpunks.ca Wed Jun 25 23:14:06 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Wed, 25 Jun 2008 23:14:06 -0400 Subject: [OTR-users] List of OTR-aware software In-Reply-To: References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> <485AACA0.2050508@freenet.de> Message-ID: <20080626031406.GR6417@yoink.cs.uwaterloo.ca> On Wed, Jun 25, 2008 at 04:51:29PM +0200, db wrote: > Why do you want to be able to deny what you have written/said to > friends/colleges? Besides, OTR can not live up to this promise in a > more European legal system where courts typically can consider any > type of evidence/they are free to sift evidence at their will (e.g., > if you have backup copies of logs that are several years old, and > these backups pre-dates a court case with a good margin, and these > copies are identical to the logs in you IM client most court would > consider these logs strong evidence). This is a common misconception: OTR of course can't provide *more* deniability than plaintext. If an unauthenticated plaintext transcript of your IM conversation is admissible in court, the OTR logs would be as well. What OTR gives you is that you don't get *less* deniability, while at the same time you get strong authentication. That is, you know it really was Bob who sent you that message, but there's no mathematical proof of that fact. Contrast pidgin-encryption, for example, where every message is digitally signed. The advantage of using OTR over, say, Jabber+SSL is that OTR is end-to-end. With Jabber+SSL, the Jabber server has to be trusted not to read and/or modify your messages. - Ian From rick at rickv.com Thu Jun 26 16:40:06 2008 From: rick at rickv.com (Rick Valenzuela) Date: Thu, 26 Jun 2008 16:40:06 -0400 Subject: [OTR-users] List of OTR-aware software In-Reply-To: References: <20080619141459.GI26418@thunk.cs.uwaterloo.ca> <485AACA0.2050508@freenet.de> <486260E0.2000609@fenrir.org.uk> Message-ID: <4863FEA6.3060903@rickv.com> db wrote: > > I find it really funny that you recommend me to not keeps logs. I > guess you immediately delete all e-mailsyou receive, burn all paper > invoices (although the actual payment probably is traceable anyway), > delete all browser cookies regularly etc. I on the other hand like to > keep documentation (agreements, phone bills, personal letters) of some > events for future reference. [...] > I don't use it any more, but I have subscribed to this mailing list > for some time to find out a reason to start use it but the more I > read, the more useless I consider it. I will probably start blocking > people trying to use OTR with me in the near future since I see no > reason for friends or people I work with to desire "deniability" about > what they have written to me. If my manager would ask me to do > something and then be able to deny that he sent me such a message - I > can only see disadvantages with that situation. It might not be useful to you now or at most times, but does that mean there will never be a situation that you want that kind of privacy? Your argument about logs and paper reciepts -- the flip side of that can be just as extreme: keeping receipts for every candy bar or demanding the newsstand guy to write a bill for your newspaper. It brings to mind the phrase "horses for courses": applied here, you choose the mode of communication that is adequate and desirable for the situation at hand. I don't encrypt every email, and while i sign most email with gnupg, i don't sign all emails. I don't say my social security number over a cellphone, but i don't feel the need to whisper it into my bank manager's ear either. The time may come when I want to IM someone at their job about workroom politics. If I trust that person not to log that conversation, OTR would allow me to do that, instead of waiting to talk in person or on the phone later. Convenience when you need it. -- Rick Valenzuela photographer | reporter +1 267 694 3642 | www.rickv.com GnuPG ID: 0xD5644029 From Soccer55113n at wmconnect.com Thu Jun 26 21:54:16 2008 From: Soccer55113n at wmconnect.com (Soccer55113n at wmconnect.com) Date: Thu, 26 Jun 2008 21:54:16 EDT Subject: [OTR-users] (no subject) Message-ID: i want out of this thing--how do i do it? -------------- next part -------------- An HTML attachment was scrubbed... URL: From brian.mathis at gmail.com Fri Jun 27 01:20:15 2008 From: brian.mathis at gmail.com (Brian Mathis) Date: Thu, 26 Jun 2008 23:20:15 -0600 Subject: [OTR-users] pidgin-otr 3.2.0 released In-Reply-To: <20080621003618.GM6417@yoink.cs.uwaterloo.ca> References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <183c528b0806200642k6cd1952aqef4bf5f07b5bb925@mail.gmail.com> <20080620140422.GF18999@thunk.cs.uwaterloo.ca> <20080621003618.GM6417@yoink.cs.uwaterloo.ca> Message-ID: <183c528b0806262220t40c788a4r5d520cf4db9046b7@mail.gmail.com> On Fri, Jun 20, 2008 at 6:36 PM, Ian Goldberg wrote: > On Fri, Jun 20, 2008 at 10:04:22AM -0400, Ian Goldberg wrote: >> Is that file what you're looking for? I can easily put that online: >> >> http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip >> >> There's no .asc right now; my signing key is at home. > > The .asc is also up now: > > http://otr.cypherpunks.ca/binaries/windows/pidgin-otr-3.2.0.zip.asc > > - Ian Very cool. This will help anyone who is trying to add OTR to a portable pidgin installation. From bdm at fenrir.org.uk Fri Jun 27 03:17:23 2008 From: bdm at fenrir.org.uk (Brian Morrison) Date: Fri, 27 Jun 2008 08:17:23 +0100 Subject: [OTR-users] (no subject) In-Reply-To: References: Message-ID: <20080627081723.06805b0d@peterson.fenrir.org.uk> On Thu, 26 Jun 2008 21:54:16 EDT Soccer55113n at wmconnect.com wrote: > i want out of this thing--how do i do it? http://lists.cypherpunks.ca/mailman/listinfo/otr-users -- Brian Morrison bdm at fenrir dot org dot uk "Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it." GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html From tinbull at gmail.com Sat Jun 28 00:49:51 2008 From: tinbull at gmail.com (tinbull at gmail.com) Date: Sat, 28 Jun 2008 00:49:51 -0400 (EDT) Subject: [OTR-users] Encryption strength option In-Reply-To: <20080627081723.06805b0d@peterson.fenrir.org.uk> References: <20080627081723.06805b0d@peterson.fenrir.org.uk> Message-ID: Is there a way to select how strong the RSA encryption is? I was hoping to get 4096-bit keys. From esurnir at gmail.com Sat Jun 28 02:28:06 2008 From: esurnir at gmail.com (Jean-Baptiste Zeller) Date: Sat, 28 Jun 2008 02:28:06 -0400 Subject: [OTR-users] Encryption strength option In-Reply-To: References: <20080627081723.06805b0d@peterson.fenrir.org.uk> Message-ID: <4865D9F6.4040901@gmail.com> tinbull at gmail.com wrote: > Is there a way to select how strong the RSA encryption is? I was > hoping to get 4096-bit keys. > > _______________________________________________ > OTR-users mailing list > OTR-users at lists.cypherpunks.ca > http://lists.cypherpunks.ca/mailman/listinfo/otr-users Error 404: RSA not found in OTR. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5628 bytes Desc: S/MIME Cryptographic Signature URL: From bdm at fenrir.org.uk Sat Jun 28 03:12:04 2008 From: bdm at fenrir.org.uk (Brian Morrison) Date: Sat, 28 Jun 2008 08:12:04 +0100 Subject: [OTR-users] Re: [OTR-announce] pidgin-otr 3.2.0 released In-Reply-To: References: <20080615211439.GA11298@yoink.cs.uwaterloo.ca> <20080619230925.278f9650@peterson.fenrir.org.uk> <200806201539.28397.konrad@tylerc.org> Message-ID: <20080628081204.6fde42eb@peterson.fenrir.org.uk> On Fri, 20 Jun 2008 19:35:41 -0400 (EDT) Paul Wouters wrote: > On Fri, 20 Jun 2008, Konrad Meyer wrote: > > >> koji: error: Unknown build target: dist-fc7-updates-candidate > > > > F7 has been EOL for several days now. F7 updates don't exist any more. > > I know. But my updates were within the build/update system. But pidgin-otr > was depending on libotr, so it was trailing a day and got cut off.... > So far I've not seen any updates to either libotr or pidgin-otr make it through into any of the Fedora repos. I've not upgraded my F7 box to F9, but still nothing. Any ideas what's happening Paul? -- Brian Morrison bdm at fenrir dot org dot uk "Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it." GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html From ian at cypherpunks.ca Sat Jun 28 11:24:57 2008 From: ian at cypherpunks.ca (Ian Goldberg) Date: Sat, 28 Jun 2008 11:24:57 -0400 Subject: [OTR-users] Encryption strength option In-Reply-To: References: <20080627081723.06805b0d@peterson.fenrir.org.uk> Message-ID: <20080628152457.GD6417@yoink.cs.uwaterloo.ca> On Sat, Jun 28, 2008 at 12:49:51AM -0400, tinbull at gmail.com wrote: > Is there a way to select how strong the RSA encryption is? I was hoping to > get 4096-bit keys. Indeed, there's no RSA in OTR at all. But more generally, it doesn't make sense to increase the strength of one part of the system without doing the same to all of the parts. See this message, for example: http://lists.cypherpunks.ca/pipermail/otr-users/2008-May/001289.html - Ian From tinbull at gmail.com Sat Jun 28 11:51:23 2008 From: tinbull at gmail.com (noah ----) Date: Sat, 28 Jun 2008 11:51:23 -0400 Subject: [OTR-users] Encryption strength option In-Reply-To: <20080628152457.GD6417@yoink.cs.uwaterloo.ca> References: <20080627081723.06805b0d@peterson.fenrir.org.uk> <20080628152457.GD6417@yoink.cs.uwaterloo.ca> Message-ID: Ahh, I thought I had read somewhere otr used RSA, my bad. Thanks for the link, very informative! On Sat, Jun 28, 2008 at 11:24 AM, Ian Goldberg wrote: > On Sat, Jun 28, 2008 at 12:49:51AM -0400, tinbull at gmail.com wrote: > > Is there a way to select how strong the RSA encryption is? I was hoping > to > > get 4096-bit keys. > > Indeed, there's no RSA in OTR at all. But more generally, it doesn't > make sense to increase the strength of one part of the system without > doing the same to all of the parts. See this message, for example: > > http://lists.cypherpunks.ca/pipermail/otr-users/2008-May/001289.html > > - Ian > _______________________________________________ > OTR-users mailing list > OTR-users at lists.cypherpunks.ca > http://lists.cypherpunks.ca/mailman/listinfo/otr-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From D31Drcongressashokashok at jetair.co.in Sat Jun 7 20:52:39 2008 From: D31Drcongressashokashok at jetair.co.in (caesar melissa) Date: Sun, 08 Jun 2008 00:52:39 +0000 Subject: [OTR-users] MSG ID:50123 Rock bottom pricing for Chanel, Chloe, Hermes Message-ID: <000501c8c910$0502b543$52d4758a@cngwhmha> The world's largest luxury store for shoes and bags is just one click away. Recommended by thousands of satisfied customers worldwide, we carry dozens of famous brands including: ~ Louis Vuitton ~ Armani ~ Gucci ~ Prada ~ Hermes Here you will find thousands of stunning designs for shoes, and leather products, at rock bottom pricing. Prices range from just $39 to $199; quality is assured and satisfaction absolutely guaranteed. Sale ends this week, so visit us today and start pampering yourself and your loved ones! - Visit our site: www.shoesquality[DOT]com (copy this link and then replace "[DOT]" to ".")