From rdfsmits at cs.uwaterloo.ca Wed Feb 1 10:57:51 2012
From: rdfsmits at cs.uwaterloo.ca (Rob Smits)
Date: Wed, 01 Feb 2012 10:57:51 -0500
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
Message-ID: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>

Hello,

We've had some suggestions to change Pidgin-OTR's default behaviour with respect to logging OTR conversations. We would appreciate some feedback and ideas.

Pidgin-OTR has an option to disable logging for OTR conversations. This option by default is not enabled. As I understand it, Pidgin for Windows has IM logging enabled by default (and so the default behaviour is that OTR conversations would be logged). Pidgin for Linux does not have IM logging enabled by default (so the default behaviour is that OTR conversations wouldn't be logged).

In this case, someone who is used to having their IM conversations logged (either because they run Windows with the default behaviour or they explicitly enabled the IM logging option) will see consistent behaviour between OTR conversations and non-OTR conversations. This behaviour is especially useful for people who may not realize or remember that OTR is running. If you expect conversations to be logged you can be certain they will be logged.

However, someone who is familiar with Google Talk's "go off the record" functionality (or simply someone who believes that OTR is making their conversations completely private) may not realize that logging behaviour, by default, is not affected.

Here are some possible changes:

-Keep current default behaviour, but always output a message like the following when an OTR conversation is started: This conversation is being saved/not being saved (depending on current settings).

-Change current default behaviour to explicitly disable logging for OTR conversations, and output the above message.

-When an OTR conversation starts, explicitly ask the user whether they wish to log OTR conversations (if no Pidgin-OTR logging preference is found), and perhaps output the above message. Once the user provides an answer, future OTR conversations will not trigger this prompt.

If you have an opinion on this or another idea please share it! Our main criteria are:

-OTR's behaviour here should be consistent with most users' expectations
-We should not introduce something that would be annoying (to both experienced users, and people who may not even realize they are running Pidgin-OTR)

Regards,
Rob

From gdt at ir.bbn.com Wed Feb 1 11:20:09 2012
From: gdt at ir.bbn.com (Greg Troxel)
Date: Wed, 01 Feb 2012 11:20:09 -0500
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca> (Rob Smits's message of "Wed, 01 Feb 2012 10:57:51 -0500")
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
Message-ID:

This is a tough situation, because using OTR can be about everything on the net, and especially everything handled by $ISP ought to be encrypted, but I'm not super paranoid; privacy really is important, and putting bits on disk is a major security risk.

So I'd say:

definitely have OTR put out a notice that the conversation is being logged *every time*, if logging is on

I would default to not logging OTR, and make people change it.

it would be cool if there is some way (I know not enforceable) for an OTR peer to assert that it is or isn't logging, and to warn the user if the remote side is logging and they aren't. Or perhaps if one disables logging to have that flow across and disable. Again, I realize people can code around this, or cut/paste, etc. But it would set social expectations.
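The following is an added example, not code from Pidgin-OTR or from anyone on this list. It models the decision Rob's three proposals (and Greg's "notice every time, default to not logging" reply) are about: given Pidgin's own logging switch and the Pidgin-OTR preference, decide whether an OTR conversation is written to the log and what the per-conversation notice should say. `Settings`, `DefaultPolicy`, `resolve_logging` and the `ask_user` prompt callback are hypothetical names chosen here; the notice wording "on this computer" is a design choice made here, because the client cannot know whether the peer's software logs.

```python
# Added example (not Pidgin-OTR code): model of the OTR logging decision
# discussed in the thread. All names below are hypothetical.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Tuple


class OtrLogPref(Enum):
    """The saved Pidgin-OTR logging preference; UNSET means the user never chose."""
    UNSET = "unset"
    LOG = "log"
    NO_LOG = "no-log"


class DefaultPolicy(Enum):
    """What to do for an OTR conversation when no preference has been saved yet
    (the three proposals from Rob's message)."""
    KEEP = "keep"        # today's behaviour: just follow Pidgin's own logging switch
    DISABLE = "disable"  # disable logging for OTR conversations by default
    ASK = "ask"          # prompt once, remember the answer, never prompt again


@dataclass
class Settings:
    """Hypothetical stand-in for the Pidgin and Pidgin-OTR preference stores."""
    pidgin_logging: bool                          # Pidgin's "Log all instant messages"
    otr_log_pref: OtrLogPref = OtrLogPref.UNSET
    policy: DefaultPolicy = DefaultPolicy.KEEP


def notice_for(log_it: bool) -> str:
    """The per-conversation notice. It only speaks about this machine: the client
    cannot know whether the peer's software is logging, so a bare "not being
    saved" would overstate the guarantee (Ben Bridts' point later in the thread)."""
    if log_it:
        return "This conversation is being saved on this computer."
    return "This conversation is not being saved on this computer."


def resolve_logging(settings: Settings,
                    ask_user: Optional[Callable[[], bool]] = None) -> Tuple[bool, str]:
    """Decide whether this OTR conversation is written to Pidgin's log.

    Returns (log_it, notice). `ask_user` is the hypothetical prompt callback for
    the ASK policy; it is consulted at most once, because the answer is saved in
    `settings.otr_log_pref` and later conversations reuse it.
    """
    if settings.otr_log_pref is OtrLogPref.UNSET:
        if settings.policy is DefaultPolicy.DISABLE:
            settings.otr_log_pref = OtrLogPref.NO_LOG
        elif settings.policy is DefaultPolicy.ASK and settings.pidgin_logging:
            # Only prompt when Pidgin would actually log; if Pidgin's own logging
            # is off there is nothing to decide, and a prompt would just be noise.
            if ask_user is None:
                raise RuntimeError("first OTR conversation under ASK policy needs a prompt")
            settings.otr_log_pref = OtrLogPref.LOG if ask_user() else OtrLogPref.NO_LOG
        # KEEP: leave the preference unset and fall through to Pidgin's switch.

    # Pidgin-OTR's option can only turn logging *off* for OTR conversations;
    # it never logs when Pidgin itself is not logging.
    log_it = settings.pidgin_logging and settings.otr_log_pref is not OtrLogPref.NO_LOG
    return log_it, notice_for(log_it)


if __name__ == "__main__":
    # Walk through the scenarios from the thread.
    windows = Settings(pidgin_logging=True)   # Pidgin for Windows default
    linux = Settings(pidgin_logging=False)    # Pidgin for Linux default
    print("keep/Windows:", resolve_logging(windows))
    print("keep/Linux:  ", resolve_logging(linux))
    asked = Settings(pidgin_logging=True, policy=DefaultPolicy.ASK)
    print("ask/first:   ", resolve_logging(asked, ask_user=lambda: False))
    print("ask/second:  ", resolve_logging(asked))  # answer remembered, no prompt
```

Two details are worth noting. The ASK policy is not consulted when Pidgin's own logging is off, so a Linux user with default settings never sees the prompt at all, which keeps the "don't be annoying" criterion. And an explicit "log" preference still cannot produce a log file when Pidgin's switch is off, because the Pidgin-OTR option only ever disables logging.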
From bdm at fenrir.org.uk Wed Feb 1 11:28:10 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Wed, 1 Feb 2012 16:28:10 +0000
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
Message-ID: <20120201162810.3e77287a@peterson.fenrir.org.uk>

On Wed, 01 Feb 2012 10:57:51 -0500
Rob Smits wrote:

> -Change current default behaviour to explicitly disable logging for
> OTR conversations, and output the above message.

I would prefer this, with an option to enable logging via a checkbox on the conversation window unless a preference for "never log OTR conversations" is set. Ideally the preference would allow

Log OTR conversations? [Yes/No/Never]

with No being the default on both Windows and Linux.

> -When an OTR conversation starts, explicitly ask the user whether they
> wish to log OTR conversations (if no Pidgin-OTR logging preference is
> found), and perhaps output the above message. Once the user provides
> an answer, future OTR conversations will not trigger this prompt.

That's quite neat, but assumes that everyone always has the same needs for logging when using OTR. This is not necessarily the case.
--
Brian Morrison

"I am not young enough to know everything"
Oscar Wilde

From bdm at fenrir.org.uk Wed Feb 1 11:34:01 2012
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Wed, 1 Feb 2012 16:34:01 +0000
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To:
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
Message-ID: <20120201163401.0ead9378@peterson.fenrir.org.uk>

On Wed, 01 Feb 2012 11:20:09 -0500
Greg Troxel wrote:

> it would be cool if there is some way (I know not enforceable) for an
> OTR peer to assert that it is or isn't logging, and to warn the user
> if the remote side is logging and they aren't. Or perhaps if one
> disables logging to have that flow across and disable. Again, I
> realize people can code around this, or cut/paste, etc. But it would
> set social expectations.

An excellent suggestion, maybe explicitly disallow automatic remote logging if a particular preference is set and have a default of No while allowing Yes and Always (and perhaps Never if you're the trusting kind). Again in the decide-per-conversation mode there could be a checkbox on the conversation window to set this on the fly. Or maybe a pop-up before the conversation window opens if either local or remote logging is to be selectable per conversation.

--
Brian Morrison

"I am not young enough to know everything"
Oscar Wilde

From gmaxwell at gmail.com Wed Feb 1 11:34:33 2012
From: gmaxwell at gmail.com (Gregory Maxwell)
Date: Wed, 1 Feb 2012 11:34:33 -0500
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
Message-ID:

On Wed, Feb 1, 2012 at 10:57 AM, Rob Smits wrote:
> -When an OTR conversation starts, explicitly ask the user whether they wish
> to log OTR conversations (if no Pidgin-OTR logging preference is found), and
> perhaps output the above message. Once the user provides an answer, future
> OTR conversations will not trigger this prompt.

Please no!

It's very important that OTR be as transparent and painless as possible. For almost everyone risk of attack is very low; if you make OTR at all annoying the rational behavior for the user will be to _disable it_, denying protection to both them and their chat partners. (and because an eavesdropper is invisible people often underestimate the risk in any case)

It's also important to not send a confusing message: so you'd give a scary "this is being logged" warning when OTR is in use, but not otherwise? That would be misleading.

There should be a smooth security graduation that maps to users' effort and paranoia. By default everything should be ephemerally encrypted because we can do that at _no_ cost to the user. Then if the user has done enough to enable authentication, everything should be reputably authenticated... and so on.

Logging is greatly valuable to me and my threat models don't place it at all on my priority list. I'm concerned with mass surveillance, automated analysis, data collection, etc. Someone who has my disk (and its decryption keys) or my chat-partners has already "won". I understand needs differ, but I'll be keeping logging on unless my friends ask for it off.

Could there potentially be another axis added to the private / not-private, authenticated / not-authenticated to give logging / not-logging and to communicate that over the channel? And allow either party to request logging be disabled by hitting that button? I think it's okay that the logging status could be cheated by a deceptive chat partner. They could be recording the screen or whatever too.

Long in the past I'd proposed (on the OTR list, IIRC) that there be a feature where the logs are encrypted with a secret which is shared by both parties to the conversation... so then you could only read your logs if your partner was online. If you believed your partner became compromised you'd hit some button and destroy your half of the key. Didn't seem anyone thought the idea was too exciting, and it's not the sort of feature that would be worth writing for your personal use.

From pete at heypete.com Wed Feb 1 11:45:16 2012
From: pete at heypete.com (Pete Stephenson)
Date: Wed, 1 Feb 2012 17:45:16 +0100
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To:
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
Message-ID:

On Wed, Feb 1, 2012 at 5:34 PM, Gregory Maxwell wrote:
> Please no!
>
> It's very important that OTR be as transparent and painless as
> possible. For almost everyone risk of attack is very low; if you make
> OTR at all annoying the rational behavior for the user will be to
> _disable it_, denying protection to both them and their chat partners.
> (and because an eavesdropper is invisible people often underestimate
> the risk in any case)

For what it's worth, I second this position: OTR should be transparent and non-intrusive as much as possible.

(My apologies to Gregory: I mistakenly sent my reply to him directly, as opposed to the list, so he'll get this message twice.)

-Pete

--
Pete Stephenson

From breaux at users.sourceforge.net Wed Feb 1 13:29:12 2012
From: breaux at users.sourceforge.net (Doug Breaux)
Date: Wed, 01 Feb 2012 12:29:12 -0600
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
Message-ID: <4F298478.3060707@users.sourceforge.net>

On 2/1/2012 9:57 AM, Rob Smits wrote:
> We've had some suggestions to change Pidgin-OTR's default behaviour with
> respect to logging OTR conversations. We would appreciate some feedback
> and ideas.
>
> Pidgin-OTR has an option to disable logging for OTR conversations. This
> option by default is not enabled.
> As I understand it, Pidgin for Windows
> has IM logging enabled by default (and so the default behaviour is that
> OTR conversations would be logged). Pidgin for Linux does not have IM
> logging enabled by default (so the default behaviour is that OTR
> conversations wouldn't be logged).
>
> Regards,
> Rob

Many good comments so far. I agree that I care almost entirely about encrypted communication, not about logs on my drive. So as long as I can default to what I'm doing today - always logging without having to be prompted for it - I'll be content.

That said, if it was easy and non-intrusive to see and change whether a particular conversation was being logged, I'd probably like that and occasionally use it. (For me, that would most likely be unrelated to OTR specifically, but I can understand why it logically "belongs to" OTR for others.) If possible, I'd vote for an iconic indicator, beside or combined with the current privacy status icon, and another menu item there to toggle whatever is the user's default setting.

Doug

From Byrd.B at insightcom.com Wed Feb 1 13:45:10 2012
From: Byrd.B at insightcom.com (Byrd, Brendan)
Date: Wed, 1 Feb 2012 18:45:10 +0000
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
Message-ID:

-----Original Message-----
From: otr-users-bounces at lists.cypherpunks.ca [mailto:otr-users-bounces at lists.cypherpunks.ca] On Behalf Of Rob Smits
Sent: Wednesday, February 01, 2012 10:58 AM
To: OTR-users at lists.cypherpunks.ca
Subject: [OTR-users] Pidgin-OTR Logging Behaviour

> We've had some suggestions to change Pidgin-OTR's default behaviour with respect to logging OTR conversations. We would
> appreciate some feedback and ideas.

Speaking from my personal usage, I have (and want) everything logged, but I also have a TrueCrypt volume to put all of my Pidgin data into.

> Here are some possible changes:
> -Keep current default behaviour, but always output a message like the following when an OTR conversation is started: This
> conversation is being saved/not being saved (depending on current settings).

May or may not be annoying, since it's yet another line of information in the chat window. On the flip side, a reminder that the conversation is being saved or not might be useful to some.

> -Change current default behaviour to explicitly disable logging for OTR conversations, and output the above message.

That would be a change from what is currently there and would be annoying, especially if people have a hard time finding the option to turn it back on.

> -When an OTR conversation starts, explicitly ask the user whether they wish to log OTR conversations (if no Pidgin-OTR
> logging preference is found), and perhaps output the above message. Once the user provides an answer, future OTR
> conversations will not trigger this prompt.

I think this is the best solution. The wording should be clear enough to indicate that you're asking about logging ALL conversations from OTR.

--
Brendan Byrd
System Integration Analyst (NOC Web Developer)

From ben at bridts.be Thu Feb 2 04:26:56 2012
From: ben at bridts.be (Ben Bridts)
Date: Thu, 2 Feb 2012 10:26:56 +0100
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
Message-ID:

On Wed, Feb 1, 2012 at 16:57, Rob Smits wrote:
> Here are some possible changes:
> -Keep current default behaviour, but always output a message like the
> following when an OTR conversation is started: This conversation is being
> saved/not being saved (depending on current settings).
> -Change current default behaviour to explicitly disable logging for OTR
> conversations, and output the above message.
> -When an OTR conversation starts, explicitly ask the user whether they
> wish to log OTR conversations (if no Pidgin-OTR logging preference is
> found), and perhaps output the above message. Once the user provides an
> answer, future OTR conversations will not trigger this prompt.
>

I don't think outputting a message like "this conversation is not being saved" is a good idea, because it gives a false sense of security. We don't know the client that is used by the chat partner and whether he is logging the conversation or not. Saying it is not logged would make a lot of people assume that it isn't logged anywhere, not that it isn't logged on their PC.

From Byrd.B at insightcom.com Thu Feb 2 11:09:50 2012
From: Byrd.B at insightcom.com (Byrd, Brendan)
Date: Thu, 2 Feb 2012 16:09:50 +0000
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To:
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca>
Message-ID:

Hence, we should be careful on our wording.

--
Brendan Byrd
System Integration Analyst (NOC Web Developer)

From: otr-users-bounces at lists.cypherpunks.ca [mailto:otr-users-bounces at lists.cypherpunks.ca] On Behalf Of Ben Bridts
Sent: Thursday, February 02, 2012 4:27 AM
To: Rob Smits
Cc: OTR-users at lists.cypherpunks.ca
Subject: Re: [OTR-users] Pidgin-OTR Logging Behaviour

On Wed, Feb 1, 2012 at 16:57, Rob Smits wrote:
Here are some possible changes:
-Keep current default behaviour, but always output a message like the following when an OTR conversation is started: This conversation is being saved/not being saved (depending on current settings).
-Change current default behaviour to explicitly disable logging for OTR conversations, and output the above message.
-When an OTR conversation starts, explicitly ask the user whether they wish to log OTR conversations (if no Pidgin-OTR logging preference is found), and perhaps output the above message. Once the user provides an answer, future OTR conversations will not trigger this prompt.

I don't think outputting a message like "this conversation is not being saved" is a good idea, because it gives a false sense of security. We don't know the client that is used by the chat partner and whether he is logging the conversation or not. Saying it is not logged would make a lot of people assume that it isn't logged anywhere, not that it isn't logged on their PC.

From anonymouscr at riseup.net Tue Feb 28 18:31:08 2012
From: anonymouscr at riseup.net (anonymouscr at riseup.net)
Date: Tue, 28 Feb 2012 15:31:08 -0800
Subject: [OTR-users] help: pure-python-otr for custom protocol
Message-ID: <9b38410c1cdca6a2fd115ee5a219c3a6.squirrel@fulvetta.riseup.net>

Greetings, Cypherpunks

We, Anonymous Costa Rica, have been working on a custom protocol called SpiderMonkey and we decided to implement it in Python. Basically, a computer running the protocol is able to send messages through the TOR network using the .onion address of the receiving computer. But, for the sake of confidentiality in the TOR network, we need to encrypt the data being sent. We decided first to use GnuPG, but now we have decided to deploy OTR in our code.

The problem is, there isn't enough documentation about deploying OTR with any protocol and/or custom protocols like our project SpiderMonkey, as far as we have searched through the web. Could anybody on the otr-users list give us documentation about these issues and/or code examples deploying pure-python-otr?

thanks

--
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
Expect us!

Facebook? No, thanks!
Twitter: @anonymousCRI
identi.ca: @anonymouscri
Diaspora*: http://diasp.org/u/anonymouscr
Youtube: http://youtube.com/user/MrAnonymousCR

From paul at cypherpunks.ca Tue Feb 28 22:54:01 2012
From: paul at cypherpunks.ca (Paul Wouters)
Date: Tue, 28 Feb 2012 22:54:01 -0500 (EST)
Subject: [OTR-users] Pidgin-OTR Logging Behaviour
In-Reply-To: <20120201163401.0ead9378@peterson.fenrir.org.uk>
References: <20120201105751.39393q5mbka7amw4@www.nexusmail.uwaterloo.ca> <20120201163401.0ead9378@peterson.fenrir.org.uk>
Message-ID:

On Wed, 1 Feb 2012, Brian Morrison wrote:

>> it would be cool if there is some way (I know not enforceable) for an
>> OTR peer to assert that it is or isn't logging, and to warn the user
>> if the remote side is logging and they aren't. Or perhaps if one
>> disables logging to have that flow across and disable. Again, I
>> realize people can code around this, or cut/paste, etc. But it would
>> set social expectations.
>
> An excellent suggestion, maybe explicitly disallow automatic remote
> logging if a particular preference is set and have a default of No while
> allowing

You cannot decide what the other party does. What is next? Not allowing copy and paste in the window? Direct memory access to the binary? Where do you end?

Note that for me, AFAIK logging is enabled per default using Fedora and pidgin-otr, though I never actually verified it, which I will do.

To me OTR is about network security. What you do on your own machine, and what you log is something generic, and not OTR specific. I don't see why OTR conversations should not get logged when non-OTR conversations are logged. I think both should be treated the same. What would you do with Jabber SSL connections? Log them? Not log them? What if the log disk is an encrypted volume like mine is? Log it or not?

OTR provides encryption, authentication and repudiation. I don't think it should be in the business of logging auditor, just like I don't think it should dictate colours for text and background to make it harder to eavesdrop on my screen :)

Paul

From paul at cypherpunks.ca Tue Feb 28 23:05:54 2012
From: paul at cypherpunks.ca (Paul Wouters)
Date: Tue, 28 Feb 2012 23:05:54 -0500 (EST)
Subject: [OTR-users] help: pure-python-otr for custom protocol
In-Reply-To: <9b38410c1cdca6a2fd115ee5a219c3a6.squirrel@fulvetta.riseup.net>
References: <9b38410c1cdca6a2fd115ee5a219c3a6.squirrel@fulvetta.riseup.net>
Message-ID:

On Tue, 28 Feb 2012, anonymouscr at riseup.net wrote:

> We, Anonymous Costa Rica have been working on a custom protocol called
> SpiderMonkey and we decided to implement it on Python. Basically, a
> computer running the protocol is able to send messages through the TOR
> network using the .onion address of the receiving computer. but, for sake
> of confidentially in the TOR network, we need to encrypt the sending data.
> We decided first to use GnuPG, but, now we decided to deploy OTR on our
> code.

I don't know what this protocol is supposed to send, so it is hard to advise you. But when you think you need a protocol, you should really think twice. You're not the first to resolve certain problems.

You are either doing something with high latency, low traffic, like IM chats, in which case why not use OTR over Jabber to a .onion. Or you are using something high latency with bulk traffic, in which case TLS might be better suited. Whether those solutions are again tunneled over TOR should not matter, as long as you're using TCP.

> The problem is, there isn't enough documentation about deploying OTR with
> any protocol and/or custom protocols like our project SpiderMonkey as far
> as we searched through the web. May can anybody in the otr-user list gave
> us documentation about this issues and/or code examples deploying
> pure-python-otr?

I believe there is some python otr code floating around?
Paul

From anonymouscr at riseup.net Tue Feb 28 23:58:30 2012
From: anonymouscr at riseup.net (anonymouscr at riseup.net)
Date: Tue, 28 Feb 2012 20:58:30 -0800
Subject: [OTR-users] help: pure-python-otr for custom protocol
In-Reply-To:
References: <9b38410c1cdca6a2fd115ee5a219c3a6.squirrel@fulvetta.riseup.net>
Message-ID: <8210c52ebcebe85fcd1d9e80958c1a41.squirrel@fruiteater.riseup.net>

Thanks for your reply.

>> We, Anonymous Costa Rica have been working on a custom protocol called
>> SpiderMonkey and we decided to implement it on Python. Basically, a
>> computer running the protocol is able to send messages through the TOR
>> network using the .onion address of the receiving computer. but, for sake
>> of confidentially in the TOR network, we need to encrypt the sending data.
>> We decided first to use GnuPG, but, now we decided to deploy OTR on our
>> code.
>
> I don't know what this protocol is supposed to send, so it is hard to
> advise you.

The protocol will deal with encrypted data, that's for sure. The data to encrypt is a dict object converted to a JSON string with json.dumps(); basically, that's all the "magic". If you have something to say about that, please let us know. Be aware, we need to change some parts in the specifications of the protocol and translate it to English in order to share it here if anyone is curious about SpiderMonkey, but it will take some time to be accomplished.

> But when you think you need a protocol, you should really
> think twice. You're not the first to resolve certain problems.
>
> You are either doing something with high latency, low traffic, like
> IM chats, in which case why not use OTR over Jabber to a .onion. Or you
> are using something high latency with bulk traffic, in which case TLS
> might be better suited.

Thanks for the warning, but our protocol is more than an IM chat. We are actually dealing with the encryption issue, and reading Wikipedia, it looks like TLS is a very good option; we are going to study the possibility of using it for our purposes.

> Whether those solutions are again tunneled over TOR should not matter,
> as long as you're using TCP.
>

We are aware of that issue, thanks.

Thanks for your time and help, Paul Wouters.

--
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
Expect us!

Facebook? No, thanks!
Twitter: @anonymousCRI
identi.ca: @anonymouscri
Diaspora*: http://diasp.org/u/anonymouscr
Youtube: http://youtube.com/user/MrAnonymousCR