[jitsi-users] Deleting history?_Proposal


#1

I agree not only with the change of this particular default behaviour.
I would suggest that every single privacy related config should be
defaulted to the most private possible mode. Encryption, e.g., should
be mandatory as default, not "if available". Or at least clients
should have a privacy button that someone can click, read a warning
like "Some functionalities and/or connectivity may be lost if you
proceed", hit "Proceed", and every single thing in the config becomes
privacy aimed.


#2

Agree that
* now with public awareness of PRISM jitsi is an important tool
* therefore privacy should be to DEFAULT at maximum
* suggestions by others earlier here are all good eg Derek, Earl
* finding a lost URL is less important than ending up tortured
* linux drives are not encrypted if logged in to session
* shocked to learn that chat history is on by default, didn't know!
* bad too to learn that deleting history is not a trivial affair
* glad that this is noticed and many are voicing support for change

Long live jitsi and the tireless struggling devs and founder, thank you

···

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#3

Replied before saw Emil's responses. I suggest no options during install, it is hard for people to decide an either/or at that point, but make it obvious and always visible/accessible in the GUI. I'd have no problem with default to logging, so long as points suggested by others earlier could be implemented (sorry am also not a programmer). It matters less whether it defaults to on or off, than if it is made clear and easy to configure generally and/or on a contact/chat basis. Hopefully someone can open an issue summarizing some of the good points made here, and hopefully some with abilities can come forward and help. Always remember the bottom line: enable advanced options for geeks, but keep things KISS for average user, who may end up paying high prices through wrong assumptions about security.

Sorry but provisioning is not going to be relevant to most download users imho, so should not be relied upon for this.

···

tuliouel@gmail.com wrote:



#4

You might be right about the options during install, although it could
be that the only users who'd want logging enabled would be those who
understand what it does and the risk associated, whilst everyone else
would be more than happy with leaving it on Default and having no
logging.

The same goes for default logging on/off. For most users, they'd
probably prefer not to have logs of their chats and it's a lot easier
for them to have this as default without them having to find out how
to switch logging off (KISS), whilst for those who actually want
logging, they're likely to be more advanced/technically-aware users
who would have no problem enabling it.

···

On 31 July 2013 02:29, BitMessage <BM-2DBVT9yeUEFhLR8Qg9vhqB7ZQE9Sf3gAgS@bitmessage.ch> wrote:


#5

[trimmed]

The same goes for default logging on/off. For most users, they'd
probably prefer not to have logs of their chats and it's a lot easier
for them to have this as default without them having to find out how
to switch logging off (KISS), whilst for those who actually want
logging, they're likely to be more advanced/technically-aware users
who would have no problem enabling it.

Just out of curiosity, do you know that most users would prefer not to log
their chats? e.g., has anyone surveyed the Jitsi userbase? That might be
the sort of thing that'd be useful to find out in making this kind of
decision about application defaults.

···

On Wed, Jul 31, 2013 at 5:20 AM, Derek Moss <dmts@stoptheviolence.co.uk> wrote:


#6

I don't know of course, which is why I said probably but I'm assuming
that most people using Jitsi are attracted to it because they're
concerned about privacy/security, so it seems a reasonable guess that
they'd prefer not to have logs or other security leaks.

It would probably be hard to get a useful survey done as most users
aren't on these lists and even a survey on the website might be
ignored by many users, so rather than waste time and effort doing that
it seems to make more sense to just go for a maximum security default
and let the more advanced users choose to weaken the security (such as
enabling logs) if they want, rather than take the risk of exposing
less-technical users to violations of their privacy or worse.

···

On 31 July 2013 16:19, Steve Havelka <yoshi@q7.com> wrote:



#7

Shocked to see that Nick is right, no way to turn off call and file transfer logs, though calls are secure with ZRTP but afaik file transfers are totally out in the open (as with other XMPP too as there is no easy way yet implemented for encrypted file transfers?). In any case, how to disable those logs?

2nd: I agree about the defaults Derek, but seems Emil prefers the other way around due to experiences he had. But either way, being able to disable/enable would be a great step forward.

3rd: there appears to be no way to clear the text from a current chat window scroll back buffer, something easily done in Pidgin. That would be also desirable feature for privacy e.g. when others are around.



#8

I don't know of course, which is why I said probably but I'm assuming
that most people using Jitsi are attracted to it because they're
concerned about privacy/security, so it seems a reasonable guess that
they'd prefer not to have logs or other security leaks.

In the realm of assumption, I'd assume that most people are worried about
snooping done on their over-the-wire transmissions, and aren't really
worried about the security implications of chat logs on a machine in their
possession.

I think it's a reasonable guess that the number of people who are
high-profile targets (i.e. who'd have chat logs worth snooping or seizing)
but who are not tech-savvy enough to turn off their own chat logs is a
vanishingly small number of people.

It would probably be hard to get a useful survey done as most users
aren't on these lists and even a survey on the website might be
ignored by many users, so rather than waste time and effort doing that
it seems to make more sense to just go for a maximum security default
and let the more advanced users choose to weaken the security (such as
enabling logs) if they want, rather than take the risk of exposing
less-technical users to violations of their privacy or worse.

Running surveys to find out what your users want out of your program is
almost never a waste of time and effort. Even something as simple as a poll
on the site could shed far more light on the subject than our assumptions
and speculations can.

···

On Wed, Jul 31, 2013 at 8:55 AM, Derek Moss <dmts@stoptheviolence.co.uk> wrote:


#9

I didn't realise file transfers weren't encrypted either. I imagine
most users would think that if they're in an encrypted/secure chat
that any file transfers they do with their contact will be over the
same secure channel, so if not I think a clear warning needs to be
shown to the user each time they go to use File Transfers.

I agree that it would be good to have a way to clear the current chat
window as well.

···

On 31 July 2013 14:33, BitMessage <BM-2DBVT9yeUEFhLR8Qg9vhqB7ZQE9Sf3gAgS@bitmessage.ch> wrote:



#10

Sorry I have to disagree a little here. Many of us here in this thread, are indeed way above average tech savvy, but we also did not notice (for various reasons no doubt) that e.g. file xfers are plain, e.g. logging cannot be turned off, e.g. even after days of discussion, that calls/... are still logged, not only chats, etc!!! So please, you can NOT equate human rights defenders, freedom fighters, abused women, etc, with tech savvy. Not everyone can be. Even we who are, failed here. Jitsi, rightly or wrongly, is assumed as a privacy/security communications tool, and is now surely mentioned at e.g. prism-break.org -- so although it may not have started out that way, and got encouragement from the Guardian Project, the times-are-a-changing, people are now in larger numbers aware (yes some of us knew all this too many years ago, but the awareness is spreading thanks to Ed Snowden), and so, we also surely need to dev up.

As to surveys, I also have to agree, that is not an easy affair. It'd be far more easy for existing devs who know the base well, to come up with a solution that satisfies, the main (perhaps only) contention in this discussion appears to be whether default should be on or off. So long as it is clearly signposted wherever required, even that is not going to be a huge problem: what is the problem is ensuring people KNOW and can DO something, imho.



#11

Sorry I have to disagree a little here. Many of us here in this thread,
are indeed way above average tech savvy, but we also did not notice (for
various reasons no doubt) that e.g. file xfers are plain, e.g. logging
cannot be turned off, e.g. even after days of discussion, that calls/...
are still logged, not only chats, etc!!! So please, you can NOT equate
human rights defenders, freedom fighters, abused women, etc, with tech
savvy. Not everyone can be. Even we who are, failed here. Jitsi, rightly or
wrongly, is assumed as a privacy/security communications tool, and is now
surely mentioned at e.g. prism-break.org -- so although it may not have
started out that way, and got encouragement from the Guardian Project, the
times-are-a-changing, people are now in larger numbers aware (yes some of
us knew all this too many years ago, but the awareness is spreading thanks
to Ed Snowden), and so, we also surely need to dev up.

I noticed that Jitsi logs by default, from the moment I fired up the
program for the second time, and saw that it had retained a chat message
from the first time I used it.

I'm a little lost as to how that could go unnoticed.

As to surveys, I also have to agree, that is not an easy affair. It'd be
far more easy for existing devs who know the base well, to come up with a
solution that satisfies, the main (perhaps only) contention in this
discussion appears to be whether default should be on or off. So long as it
is clearly signposted wherever required, even that is not going to be a
huge problem: what is the problem is ensuring people KNOW and can DO
something, imho.

How do you think the devs are going to get to know the userbase well, if
not with some sort of survey? Either formal, in the sense of a running
poll, or informal, in the sense of asking around among people they know who
use the program?

For my part--and I'm neither a dev nor am I about to submit a patch--I
think it'd be reasonable to have some sort of popup or tooltip when the
program starts, alerting the user, "Jitsi logs by default - if you want to
turn this off, click here, and otherwise you can close this notice."

Defaulting users into a theoretical "most secure" operation (no logging,
forced OTR encryption, things of that nature) seems like a good way to
frustrate people without a lot of real world gain. After all, if you're a
high-profile target, someone can always install a keylogger, or kidnap your
spouse or parents...

···

On Wed, Jul 31, 2013 at 9:52 AM, BitMessage <BM-2DBVT9yeUEFhLR8Qg9vhqB7ZQE9Sf3gAgS@bitmessage.ch> wrote:


#12

Ingo,

Thank you and your team for the continued contributions to listen to the
userbase and to provide solutions to our problems. Microsoft would never
listen to us if we were to complain about Skype so thank you for actively
listening to our needs.

All the best,
Jungle

···

On 31 July 2013 10:32, Ingo Bauersachs <ingo@jitsi.org> wrote:

Hey all

I think Emil, Boris and me made it clear that we won't change the default.
Also, changing the installer is not an option (and it only exists on Windows
anyway).

What someone CAN do is:
- Create a feature request to set a specific log directory
- Create a feature request to disable logging of file transfers
- Create a feature request to disable logging of calls

What we could consider to add to the distribution if someone contributes it:
- Add a tab-pane in the "Simple Account Registration Wizard" [1] that allows
to configure some important options at once
- Add a config pane in the options that concentrates all the logging
options together with a "Clear all" button. I already wrote such a thing
back in 2011 before I became a committer [2], but it is outdated and would
need a considerable refresh.

Options such as notifying the user in the chat window, turning logging
on/off per conversation, etc. would surely be nice to have. The problem is
that we have way too many other problems to solve. Like bringing the OTR
support up to date. If you'd like to start developing, then here's your
chance. Java is one of the easiest languages to start with.

Regards,
Ingo

[1] The thing that pops up if no account is configured yet
[2] http://lists.jitsi.org/pipermail/dev/2011-February/001246.html


--
-------
inum: 883510009902611
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si


#13

Hi Ingo,

Thanks for the valuable input. I can throw those feature request tickets together once I get a moment later today.
Are you able to post a link to the source code for the logging options you made in 2011?
As for bringing OTR support up to date, from your perspective are the important points already on the tracker for anybody (e.g. myself) to try and get it up to snuff or would there be any other targets to hit first (maybe worth opening tickets if you do think of important ones?). I do understand part of the task may be to find out these problems in the first place, but if you have any pointers, I'll gladly have them : 3

Thanks,
Nick


#14

Hey all

I think Emil, Boris and me made it clear that we won't change the default.
Also, changing the installer is not an option (and it only exists on Windows
anyway).

What someone CAN do is:
- Create a feature request to set a specific log directory
- Create a feature request to disable logging of file transfers
- Create a feature request to disable logging of calls

What we could consider to add to the distribution if someone contributes it:
- Add a tab-pane in the "Simple Account Registration Wizard" [1] that allows
to configure some important options at once
- Add a config pane in the options that concentrates all the logging
options together with a "Clear all" button. I already wrote such a thing
back in 2011 before I became a committer [2], but it is outdated and would
need a considerable refresh.

Options such as notifying the user in the chat window, turning logging
on/off per conversation, etc. would surely be nice to have. The problem is
that we have way too many other problems to solve. Like bringing the OTR
support up to date. If you'd like to start developing, then here's your
chance. Java is one of the easiest languages to start with.

Regards,
Ingo

[1] The thing that pops up if no account is configured yet
[2] http://lists.jitsi.org/pipermail/dev/2011-February/001246.html

···

> -----Original Message-----
> From: users-bounces@jitsi.org [mailto:users-bounces@jitsi.org] On Behalf Of BitMessage
> Sent: Mittwoch, 31. Juli 2013 18:53
> To: Jitsi Users
> Subject: Re: [jitsi-users] Deleting history?_Proposal
>
> Sorry I have to disagree a little here. Many of us here in this thread, are
> indeed way above average tech savvy, but we also did not notice (for various
> reasons no doubt) that e.g. file xfers are plain, e.g. logging cannot be
> turned off, e.g. even after days of discussion, that calls/... are still
> logged, not only chats, etc!!! So please, you can NOT equate human rights
> defenders, freedom fighters, abused women, etc, with tech savvy. Not everyone
> can be. Even we who are, failed here. Jitsi, rightly or wrongly, is assumed
> as a privacy/security communications tool, and is now surely mentioned at
> e.g. prism-break.org -- so although it may not have started out that way, and
> got encouragement from the Guardian Project, the times-are-a-changing, people
> are now in larger numbers aware (yes some of us knew all this too many years
> ago, but the awareness is spreading thanks to Ed Snowden), and so, we also
> surely need to dev up.
>
> As to surveys, I also have to agree, that is not an easy affair. It'd be
> far more easy for existing devs who know the base well, to come up with
> a solution that satisfies, the main (perhaps only) contention in this
> discussion appears to be whether default should be on or off. So long as
> it is clearly signposted wherever required, even that is not going to be
> a huge problem: what is the problem is ensuring people KNOW and can DO
> something, imho.
>
>> On Wed, Jul 31, 2013 at 8:55 AM, Derek Moss <dmts@stoptheviolence.co.uk <mailto:dmts@stoptheviolence.co.uk>> wrote:
>>
>>     I don't know of course, which is why I said probably but I'm assuming
>>     that most people using Jitsi are attracted to it because they're
>>     concerned about privacy/security, so it seems a reasonable guess that
>>     they'd prefer not to have logs or other security leaks.
>>
>> In the realm of assumption, I'd assume that most people are worried about
>> snooping done on their over-the-wire transmissions, and aren't really worried
>> about the security implications of chat logs on a machine in their
>> possession.
>>
>> I think it's a reasonable guess that the number of people who are
>> high-profile targets (i.e. who'd have chat logs worth snooping or seizing)
>> but who are not tech-savvy enough to turn off their own chat logs is a
>> vanishingly small number of people.
>>
>>     It would probably be hard to get a useful survey done as most users
>>     aren't on these lists and even a survey on the website might be
>>     ignored by many users, so rather than waste time and effort doing that
>>     it seems to make more sense to just go for a maximum security default
>>     and let the more advanced users choose to weaken the security (such as
>>     enabling logs) if they want, rather than take the risk of exposing
>>     less-technical users to violations of their privacy or worse.
>>
>> Running surveys to find out what your users want out of your program is
>> almost never a waste of time and effort. Even something as simple as a poll
>> on the site could shed far more light on the subject than our assumptions and
>> speculations can.


#15

> Thanks for the valuable input. I can throw those feature request tickets
> together once I get a moment later today.
> Are you able to post a link to the source code for the logging options you
> made in 2011?

It's attached to the mail I referenced.

> As for bringing OTR support up to date, from your perspective are the
> important points already on the tracker for anybody (e.g. myself) to try and
> get it up to snuff or would there be any other targets to hit first (maybe
> worth opening tickets if you do think of important ones?).

There are some OTR related tickets open, one of them is adding support for
the SMP. Adding that would likely lead into digging out the other bugs.

> I do understand
> part of the task may be to find out these problems in the first place, but if
> you have any pointers, I'll gladly have them : 3

It's not worth it to search for bugs or repro scenarios in the current
situation. The OTR library needs to be updated as the very first step.

> Thanks,
> Nick

Ingo


#16

I have to say it's disappointing that you guys don't seem to care
about making Jitsi focused on security, even by something as simple as
changing the defaults, as I always thought that the main ethos/vision
of Jitsi was to be a secure communications tool but it seems that's no
longer the case. I still appreciate the work you put in on this
project, don't get me wrong, but I think I'll have to keep looking for
a properly secure alternative as I don't feel that Jitsi is (or
appears likely to become) safe enough for me to use or recommend to
others.

···

On 31 July 2013 18:32, Ingo Bauersachs <ingo@jitsi.org> wrote:

Hey all

I think Emil, Boris and me made it clear that we won't change the default.
Also, changing the installer is not an option (and it only exists on Windows
anyway).

What someone CAN do is:
- Create a feature request to set a specific log directory
- Create a feature request to disable logging of file transfers
- Create a feature request to disable logging of calls

What we could consider to add to the distribution if someone contributes it:
- Add a tab-pane in the "Simple Account Registration Wizard" [1] that allows
to configure some important options at once
- Add a config pane in the options that concentrates all the logging
options together with a "Clear all" button. I already wrote such a thing
back in 2011 before I became a committer [2], but it is outdated and would
need a considerable refresh.

Options such as notifying the user in the chat window, turning logging
on/off per conversation, etc. would surely be nice to have. The problem is
that we have way too many other problems to solve. Like bringing the OTR
support up to date. If you'd like to start developing, then here's your
chance. Java is one of the easiest languages to start with.

Regards,
Ingo

[1] The thing that pops up if no account is configured yet
[2] http://lists.jitsi.org/pipermail/dev/2011-February/001246.html


#17

Sorry Emil, accidentally sent this to you directly rather than the list.

···

-------------------------------------------------------------------------------------------------

I think I've presented several rational arguments. At this point I
feel like I'm whistling in the wind and those in a position to change
things have made their minds up that this isn't the way they want to
go.

It's not just about clicking on a checkbox, it's about having to make
sure that I explain to new users that they need to do this to be
secure and not being able to tell (without checking the settings
every time I use it) if someone's re-enabled it behind my back.

I guess we just have different opinions as to what constitutes secure
but I suspect if a security website did an audit of Jitsi as it
currently is, it would probably lose some marks for the default
logging and even if it could be easily disabled, without a clear
indication at all times for the user as to whether it was currently
enabled or not, I think that would count against it as well.

Security may well be something that you still consider important but
it currently seems to be less important than the convenience for some
users of having logs of all their comms, which is clearly inconsistent
with security.

I don't see any misrepresentation or FUD in my post and I'll thank you
not to accuse me of such. Other people on this list are perfectly
capable of reading the arguments and deciding for themselves if the
logging is a problem for them or not. I've just made it clear that I
do see it as a problem (more for other potential users than myself)
and explained why.

On 31 July 2013 22:01, Emil Ivov <emcho@jitsi.org> wrote:

I have a very hard time making sense of this comment. You are saying that,
you'd rather migrate than click on a checkbox?

Also, what you are saying is quite a severe misrepresentation. Security has
always been something we consider important and that hasn't changed.

Several Jitsi developers and other users, including myself, already
explained how we don't believe that the current default of logging is a
compromise. We also pointed out that changing it is not going to bring a
substantial security gain while it could represent a serious regression in
usability.

I didn't see you bringing any new arguments so at this point it almost seems
as if you are more interested in getting it your way rather than being
rational.

You are of course free to use whatever you want, but it would be nice if
this didn't involve spreading FUD on these lists.

--sent from my mobile


#18

I have a very hard time making sense of this comment. You are saying that,
you'd rather migrate than click on a checkbox?

Also, what you are saying is quite a severe misrepresentation. Security has
always been something we consider important and that hasn't changed.

Several Jitsi developers and other users, including myself, already
explained how we don't believe that the current default of logging is a
compromise. We also pointed out that changing it is not going to bring a
substantial security gain while it could represent a serious regression in
usability.

I didn't see you bringing any new arguments so at this point it almost
seems as if you are more interested in getting it your way rather than
being rational.

You are of course free to use whatever you want, but it would be nice if
this didn't involve spreading FUD on these lists.

--sent from my mobile

I have to say it's disappointing that you guys don't seem to care
about making Jitsi focused on security, even by something as simple as
changing the defaults, as I always thought that the main ethos/vision
of Jitsi was to be a secure communications tool but it seems that's no
longer the case. I still appreciate the work you put in on this
project, don't get me wrong, but I think I'll have to keep looking for
a properly secure alternative as I don't feel that Jitsi is (or
appears likely to become) safe enough for me to use or recommend to
others.

> Hey all
>
> I think Emil, Boris and me made it clear that we won't change the

default.

> Also, changing the installer is not an option (and it only exists on

Windows

> anyway).
>
> What someone CAN do is:
> - Create a feature request to set a specific log directory
> - Create a feature request to disable logging of file transfers
> - Create a feature request to disable logging of calls
>
> What we could consider to add to the distribution if someone

contributes it:

> - Add a tab-pane in the "Simple Account Registration Wizard" [1] that

allows

> to configure some important options at once
> - Add a a config pane in the options that concentrates all the logging
> options together with a "Clear all" button. I already wrote such a thing
> back in 2011 before I became a committer [2], but it is outdated and

would

> need a considerable refresh.
>
> Options such as notifying the user in the chat window, turning logging
> on/off per conversation, etc. would surely be nice to have. The problem

is

> that we have way to many other problems to solve. Like bringing the OTR
> support up to date. If you'd like to start developing, then here's your
> chance. Java is one of the easiest languages to start with.
>
> Regards,
> Ingo
>
> [1] The thing that pops up if no account is configured yet
> [2] http://lists.jitsi.org/pipermail/dev/2011-February/001246.html
>
>> From: users-bounces@jitsi.org [mailto:users-bounces@jitsi.org] On

Behalf

> Of
>> BitMessage
>> Sent: Mittwoch, 31. Juli 2013 18:53
>> To: Jitsi Users
>> Subject: Re: [jitsi-users] Deleting history?_Proposal
>>
>> Sorry I have to disagree a little here. Many of us here in this thread,
> are
>> indeed way above average tech savvy, but we also did not notice (for
> various
>> reasons no doubt) that e.g. file xfers are plain, e.g. logging cannot

be

>> turned off, e.g. even after days of discussion, that calls/... are still
>> logged, not only chats, etc!!! So please, you can NOT equate human rights
>> defenders, freedom fighters, abused women, etc, with tech savvy. Not everyone
>> can be. Even we who are, failed here. Jitsi, rightly or wrongly, is assumed
>> as a privacy/security communications tool, and is now surely mentioned at
>> e.g. prism-break.org -- so although it may not have started out that way, and
>> got encouragement from the Guardian Project, the times-are-a-changing, people
>> are now in larger numbers aware (yes some of us knew all this too many years
>> ago, but the awareness is spreading thanks to Ed Snowden), and so, we also
>> surely need to dev up.
>>
>> As to surveys, I also have to agree, that is not an easy affair. It'd be
>> far more easy for existing devs who know the base well, to come up with
>> a solution that satisfies, the main (perhaps only) contention in this
>> discussion appears to be whether default should be on or off. So long as
>> it is clearly signposted wherever required, even that is not going to be
>> a huge problem: what is the problem is ensuring people KNOW and can DO
>> something, imho.
>>
>>
>>>
>>> I don't know of course, which is why I said probably but I'm assuming
>>> that most people using Jitsi are attracted to it because they're
>>> concerned about privacy/security, so it seems a reasonable guess that
>>> they'd prefer not to have logs or other security leaks.
>>>
>>> In the realm of assumption, I'd assume that most people are worried about
>> snooping done on their over-the-wire transmissions, and aren't really worried
>> about the security implications of chat logs on a machine in their
>> possession.
>>>
>>> I think it's a reasonable guess that the number of people who are high-profile
>> targets (i.e. who'd have chat logs worth snooping or seizing) but who
>> are not tech-savvy enough to turn off their own chat logs is a vanishingly
>> small number of people.
>>>
>>>
>>> It would probably be hard to get a useful survey done as most users
>>> aren't on these lists and even a survey on the website might be
>>> ignored by many users, so rather than waste time and effort doing that
>>> it seems to make more sense to just go for a maximum security default
>>> and let the more advanced users choose to weaken the security (such as
>>> enabling logs) if they want, rather than take the risk of exposing
>>> less-technical users to violations of their privacy or worse.
>>>
>>> Running surveys to find out what your users want out of your program is
>> almost never a waste of time and effort. Even something as simple as a poll
>> on the site could shed far more light on the subject than our assumptions
···

On Jul 31, 2013 10:10 PM, "Derek Moss" <dmts@stoptheviolence.co.uk> wrote:

On 31 July 2013 18:32, Ingo Bauersachs <ingo@jitsi.org> wrote:
>> -----Original Message-----
>>> On Wed, Jul 31, 2013 at 8:55 AM, Derek Moss <dmts@stoptheviolence.co.uk <mailto:dmts@stoptheviolence.co.uk>> wrote:
>> and speculations can.


#19

Hey Derek,

> Sorry Emil, accidentally sent this to you directly rather than the list.

Thanks for resending here!

-------------------------------------------------------------------------------------------------

> I think I've presented several rational arguments. At this point I
> feel like I'm whistling in the wind and those in a position to change
> things have made their minds up that this isn't the way they want to
> go.
>
> It's not just about clicking on a checkbox, it's about having to make
> sure that I explain to new users that they need to do this to be
> secure and not being able to tell (without checking the settings
> every time I use it) if someone's re-enabled it behind my back.

So, you see, this is FUD on several levels. I don't mean to be offensive and please don't take it that way but you are clearly not presenting things in an objective way:

1. Who would possibly change it behind your back? This isn't a cloud service. It's a client running on your machine. If someone can, behind your back, gain access to Jitsi's user interface and turn on logging again, then Jitsi chat logging is really the least of your security issues. For example, someone having access to your computer can very easily replace the Jitsi binaries with something that would not only log but even remotely upload logs of all your messages.

2. We already agreed that it would be cool to add an indication in the chat window that makes it easier to see that logging is enabled, in case *you* mistakenly did this and then forgot about this.

3. Options is not the only way of noticing this. You would realise that logging is on, as soon as you reopen a window and see earlier chat messages. At that point, all that you would need to do is go and delete them. Again, this is not a cloud service so the damage isn't likely to be overwhelming.

Also:

4. In your previous mail you mentioned that: "I think I'll have to keep looking for a properly secure alternative as I don't feel that Jitsi is (or appears likely to become) safe enough for me to use". This is quite a misrepresentation: clearly you have already figured out that you feel better without the logging so all you need to do is uncheck that option. You are perfectly free to go and look for another client because you don't like us as a bunch, but that would be entirely orthogonal to how secure you actually are with Jitsi.

5. Jitsi is not a cloud service. All the logs are stored on *your* machine. *Your* own device. *You* are the one who controls access to them. *You* can delete them any time of day and night. If others have access to them a Jitsi default is unlikely to help in any significant way.

> I guess we just have different opinions as to what constitutes secure

I don't think this is only about opinions. You have simply not shown how a default logging option is a major threat to the Jitsi user population.

Also, you have not explained how changing the default would protect people from the attack explained in 1. above.

Again, I apologise if I have been smug or offensive in any way. This was not my goal. But you have to agree that, users losing important information because of disabled logging is a *considerably* more likely scenario than the possibility that changing that specific Jitsi default would actually protect you in a significant way.

> but I suspect if a security website did an audit of Jitsi as it
> currently is, it would probably lose some marks for the default
> logging

I am not sure what site you are referring to and how that matters more than objectively discussing attack scenarios. Sure, if you just have some sort of a grid that gives points based on an incomplete set of conditions, then any result is possible.

> and even if it could be easily disabled, without a clear
> indication at all times for the user as to whether it was currently
> enabled or not, I think that would count against it as well.

Here you go misrepresenting again: we already agreed that we would be OK with integrating patches that allow users more fine grained control on logging ...

> Security may well be something that you still consider important but
> it currently seems to be less important than the convenience for some
> users of having logs of all their comms, which is clearly inconsistent
> with security.

No, it is not, for all the reasons I gave above.

> I don't see any misrepresentation or FUD in my post

Hopefully the above clarifies this.

> and I'll thank you
> not to accuse me of such.

I would be very happy not to have to. However, I hope I have explained how your mails are significantly overplaying and misrepresenting security issues. You might not be doing that intentionally. I certainly hope that you aren't, but there shouldn't be any ambiguity here.

Emil

···

On 31.07.13, 23:57, Derek Moss wrote:

Other people on this list are perfectly
capable of reading the arguments and deciding for themselves if the
logging is a problem for them or not. I've just made it clear that I
do see it as a problem (more for other potential users than myself)
and explained why.

On 31 July 2013 22:01, Emil Ivov <emcho@jitsi.org> wrote:

I have a very hard time making sense of this comment. You are saying that,
you'd rather migrate than click on a checkbox?

Also, what you are saying is quite a severe misrepresentation. Security has
always been something we consider important and that hasn't changed.

Several Jitsi developers and other users, including myself, already
explained how we don't believe that the current default of logging is a
compromise. We also pointed out that changing it is not going to bring a
substantial security gain while it could represent a serious regression in
usability.

I didn't see you bringing any new arguments so at this point it almost seems
as if you are more interested in getting it your way rather than being
rational.

You are of course free to use whatever you want, but it would be nice if
this didn't involve spreading FUD on these lists.

--sent from my mobile
On Jul 31, 2013 10:10 PM, "Derek Moss" <dmts@stoptheviolence.co.uk> wrote:

I have to say it's disappointing that you guys don't seem to care
about making Jitsi focused on security, even by something as simple as
changing the defaults, as I always thought that the main ethos/vision
of Jitsi was to be a secure communications tool but it seems that's no
longer the case. I still appreciate the work you put in on this
project, don't get me wrong, but I think I'll have to keep looking for
a properly secure alternative as I don't feel that Jitsi is (or
appears likely to become) safe enough for me to use or recommend to
others.

On 31 July 2013 18:32, Ingo Bauersachs <ingo@jitsi.org> wrote:

Hey all

I think Emil, Boris and me made it clear that we won't change the default.
Also, changing the installer is not an option (and it only exists on Windows
anyway).

What someone CAN do is:
- Create a feature request to set a specific log directory
- Create a feature request to disable logging of file transfers
- Create a feature request to disable logging of calls

What we could consider to add to the distribution if someone contributes it:
- Add a tab-pane in the "Simple Account Registration Wizard" [1] that allows
to configure some important options at once
- Add a config pane in the options that concentrates all the logging
options together with a "Clear all" button. I already wrote such a thing
back in 2011 before I became a committer [2], but it is outdated and would
need a considerable refresh.

Options such as notifying the user in the chat window, turning logging
on/off per conversation, etc. would surely be nice to have. The problem is
that we have way too many other problems to solve. Like bringing the OTR
support up to date. If you'd like to start developing, then here's your
chance. Java is one of the easiest languages to start with.

Regards,
Ingo

[1] The thing that pops up if no account is configured yet
[2] http://lists.jitsi.org/pipermail/dev/2011-February/001246.html

-----Original Message-----
From: users-bounces@jitsi.org [mailto:users-bounces@jitsi.org] On Behalf Of BitMessage
Sent: Mittwoch, 31. Juli 2013 18:53
To: Jitsi Users
Subject: Re: [jitsi-users] Deleting history?_Proposal

Sorry I have to disagree a little here. Many of us here in this thread, are
indeed way above average tech savvy, but we also did not notice (for various
reasons no doubt) that e.g. file xfers are plain, e.g. logging cannot be
turned off, e.g. even after days of discussion, that calls/... are still
logged, not only chats, etc!!! So please, you can NOT equate human rights
defenders, freedom fighters, abused women, etc, with tech savvy. Not everyone
can be. Even we who are, failed here. Jitsi, rightly or wrongly, is assumed
as a privacy/security communications tool, and is now surely mentioned at
e.g. prism-break.org -- so although it may not have started out that way, and
got encouragement from the Guardian Project, the times-are-a-changing, people
are now in larger numbers aware (yes some of us knew all this too many years
ago, but the awareness is spreading thanks to Ed Snowden), and so, we also
surely need to dev up.

As to surveys, I also have to agree, that is not an easy affair. It'd be
far more easy for existing devs who know the base well, to come up with
a solution that satisfies, the main (perhaps only) contention in this
discussion appears to be whether default should be on or off. So long as
it is clearly signposted wherever required, even that is not going to be
a huge problem: what is the problem is ensuring people KNOW and can DO
something, imho.

On Wed, Jul 31, 2013 at 8:55 AM, Derek Moss <dmts@stoptheviolence.co.uk <mailto:dmts@stoptheviolence.co.uk>> wrote:

     I don't know of course, which is why I said probably but I'm assuming
     that most people using Jitsi are attracted to it because they're
     concerned about privacy/security, so it seems a reasonable guess that
     they'd prefer not to have logs or other security leaks.

In the realm of assumption, I'd assume that most people are worried about
snooping done on their over-the-wire transmissions, and aren't really worried
about the security implications of chat logs on a machine in their
possession.

I think it's a reasonable guess that the number of people who are high-profile
targets (i.e. who'd have chat logs worth snooping or seizing) but who
are not tech-savvy enough to turn off their own chat logs is a vanishingly
small number of people.

     It would probably be hard to get a useful survey done as most users
     aren't on these lists and even a survey on the website might be
     ignored by many users, so rather than waste time and effort doing that
     it seems to make more sense to just go for a maximum security default
     and let the more advanced users choose to weaken the security (such as
     enabling logs) if they want, rather than take the risk of exposing
     less-technical users to violations of their privacy or worse.

Running surveys to find out what your users want out of your program is
almost never a waste of time and effort. Even something as simple as a poll
on the site could shed far more light on the subject than our assumptions and
speculations can.


--
https://jitsi.org


#20

>> I think I've presented several rational arguments. At this point I
>> feel like I'm whistling in the wind and those in a position to change
>> things have made their minds up that this isn't the way they want to
>> go.
>>
>> It's not just about clicking on a checkbox, it's about having to make
>> sure that I explain to new users that they need to do this to be
>> secure and not being able to tell (without checking the settings
>> every time I use it) if someone's re-enabled it behind my back.
>
> So, you see, this is FUD on several levels. I don't mean to be offensive and
> please don't take it that way but you are clearly not presenting things in
> an objective way:
>
> 1. Who would possibly change it behind your back? This isn't a cloud
> service. It's a client running on your machine. If someone can, behind your
> back, gain access to Jitsi's user interface and turn on logging again, then
> Jitsi chat logging is really the least of your security issues. For example,
> someone having access to your computer can very easily replace the Jitsi
> binaries with something that would not only log but even remotely upload
> logs of all your messages.

I've already explained it could be an abusive father/husband who wants
to make a log of what their daughter/wife is saying to people and use
that as an excuse to further abuse or control them. Such a person is
much more likely to be able to tick a checkbox to enable logging
rather than replace the Jitsi binaries. Such a person would also
benefit from logging being enabled by default, which the daughter/wife
might not realise. I can't imagine many people would use helplines
like Childline if they were told there was even a possibility that the
call would be recorded and the abuser could get hold of a copy of the
recording.

The same could apply to an agent of an oppressive state, who the
target might believe is a friend, who could again more easily enable
logging rather than replace the binaries. Other security software can
also help protect/warn against binaries being changed but can't warn
the user if logging has been enabled in Jitsi.

I've already mentioned these two scenarios but I don't seem to be able
to convince you that they're realistic risks that can be avoided by
completely removing logging from Jitsi. Can you imagine what people
would say if something like TrueCrypt by default logged your password
in plaintext (or even had the option) to the HDD and they tried to say
it was OK as it could come in handy if you forgot your password and it
was possible to disable this logging if you were paranoid. The log
would be on the client's machine, so you could argue that it didn't
matter but I can't imagine many people supporting that point of view.

> 2. We already agreed that it would be cool to add an indication in the chat
> window that makes it easier to see that logging is enabled, in case *you*
> mistakenly did this and then forgot about this.

As described above, it's not just about the user mistakenly enabling
it. Anyway, you've already said that the default is going to stay
enabled, so clearly the indicator is needed (and an explanation of
what the indicator means) to alert new users to this from the outset,
even if they haven't touched the settings. It's a lot easier if
there's no logging at all, as then users don't have to have the
indicators and logging explained to them and be alert for it being
turned on.

> 3. Options is not the only way of noticing this. You would realise that
> logging is on, as soon as you reopen a window and see earlier chat messages.
> At that point, all that you would need to do is go and delete them. Again,
> this is not a cloud service so the damage isn't likely to be overwhelming.

You're presuming that every user would make this connection, when they
might not even know that Jitsi does logging at all, or might just
think that the history is stored in RAM somehow, or might not even
know anything much about how computers work or even think about what
it means. You're looking at it from your own point of view and what
you would realise from seeing the chat history. Again, you dismiss any
risks that logging might expose people to, as you don't seem to be
able to appreciate these risks as real as they're unlikely to ever
affect you. They probably won't ever affect me either but I'm trying
to consider whether Jitsi is safe for someone in a more vulnerable
position.

> 4. In your previous mail you mentioned that: "I think I'll have to keep
> looking for a properly secure alternative as I don't feel that Jitsi is (or
> appears likely to become) safe enough for me to use". This is quite a
> misrepresentation: clearly you have already figured out that you feel better
> without the logging so all you need to do is uncheck that option. You are
> perfectly free to go and look for another client because you don't like us
> as a bunch, but that would be entirely orthogonal to how secure you actually
> are with Jitsi.

Well to be fair, my personal circumstances/environment probably make
it safe enough for myself but I still couldn't recommend it to others
whilst it has these potential security issues, so I have to keep
looking for a client that I can recommend and potentially use that
myself (although I may still be able to use Jitsi and communicate with
whatever client they're using). It's quite strange that you are so
determined to dismiss the potential risks I've highlighted, that you'd
rather suggest that I must dislike you "bunch", which seems far more
like FUD than anything I've said.

> 5. Jitsi is not a cloud service. All the logs are stored on *your* machine.
> *Your* own device. *You* are the one who controls access to them. *You* can
> delete them any time of day and night. If others have access to them a Jitsi
> default is unlikely to help in any significant way.
>
>> I guess we just have different opinions as to what constitutes secure
>
> I don't think this is only about opinions. You have simply not shown how a
> default logging option is a major threat to the Jitsi user population.

That's your opinion. In my opinion I think I have shown how logging
can be a serious potential risk to some users who might be relying on
Jitsi to keep their communications private.

> Also, you have not explained how changing the default would protect people
> from the attack explained in 1. above.

It's not intended to protect from having the binaries swapped, which
I've explained above I believe is less of a risk and easier to protect
against.

> Again, I apologise if I have been smug or offensive in any way. This was not
> my goal. But you have to agree that, users losing important information
> because of disabled logging is a *considerably* more likely scenario than
> the possibility that changing that specific Jitsi default would actually
> protect you in a significant way.

I agree that users not being able to retrieve old information is of
course more likely if logging is disabled. I disagree that this is
important, compared to the potential risks logging could expose some
users to. I disagree that Jitsi should focus on enabling users to
retrieve information in old messages at the expense of security, as I
believe that most users look at Jitsi as a secure communications tool
and that logging is incompatible with that. It seems it's been decided
that being able to retrieve old messages is more important than being
as secure as possible though, which I find regretful but there's not
anything I can do about it.

>> but I suspect if a security website did an audit of Jitsi as it
>> currently is, it would probably lose some marks for the default
>> logging
>
> I am not sure what site you are referring to and how that matters more than
> objectively discussing attack scenarios. Sure, if you just have some sort of
> a grid that gives points based on an incomplete set of conditions, then any
> result is possible.

I don't have any particular one in mind but I recall there used to be
respected security experts and sites that would analyse various
software like browsers and rate them according to how secure/private
they were.

>> and even if it could be easily disabled, without a clear
>> indication at all times for the user as to whether it was currently
>> enabled or not, I think that would count against it as well.
>
> Here you go misrepresenting again: we already agreed that we would be OK
> with integrating patches that allow users more fine grained control on
> logging ...

What was actually said was

"Options such as notifying the user in the chat window, turning
logging on/off per conversation, etc. would surely be nice to have.
The problem is that we have way too many other problems to solve. Like
bringing the OTR support up to date. If you'd like to start
developing, then here's your chance. Java is one of the easiest
languages to start with."

I don't doubt that you're all stretched for time but that tells me
that indications/warnings about logging aren't considered priorities
and aren't going to appear in Jitsi anytime soon, unless someone who
can code comes along and volunteers to implement them. So you're quite
out of order to accuse me of misrepresenting, Jitsi currently doesn't
have a logging indicator and there's no reason to think that it's
going to have one anytime soon.

Derek

···

On 31 July 2013 23:46, Emil Ivov <emcho@jitsi.org> wrote: