[jitsi-users] The case for "log chat history" to be off by default (at least for OTR)


#1

Hello!

This is in response to emcho's post on
https://github.com/nylira/prism-break/issues/291#issuecomment-23770120

*Regarding history saving for OTR chats: we are going to make it easier for
a user to turn off logging for a specific chat session or contact and to
know whether it is being logged at any point. It is important to understand
that OTR is designed to protect one's communication over the Internet. The
question of whether or not this communication is also saved locally for
later availability to the user, is an entirely different matter and
completely orthogonal to the use of OTR.*

A bit about my background: Power-user, but not programmer. In the last few
weeks, I have helped translate and expand http://prism-break.org a bit. As
many of you maybe also do it, I go through the options/settings/preferences
of a freshly installed software, adjusting them to my liking. Helping
friends and family setting up Jitsi and other privacy tools in the last few
weeks, I realized that almost no regular user does that automatically.

Thus, they were often quite surprised to learn that self-described "secure"
tools (Jitsi among them, but not alone) log their chat history by default.
Their expectation (and experience from verbal communication) of course was
that whatever they want to remember later, they have to save/export from
the chat to a less transient medium.

Therefore, I would like to make the point (and plea) to switch Jitsi's "log
chat history"-setting off by default, or at least make it 2-tiered: default
on for unencrypted chats, default off for OTR. The latter combined with a
solution to the bug https://trac.jitsi.org/ticket/1075 could IMHO make
Jitsi much easier on novices and more confidently recommendable.

I mean, OTR actually spells "Off The Record". An automatically created log
file is a record, isn't it?

Granted, it's not OTR's business to take care of what happens to the
securely transmitted messages. But: Jitsi should incorporate OTR in a way
that best meets the promise of both tools to be secure and the expectations
of less tech-savvy users. IMHO this can best be done by turning "log chat
history" off.

Thanks and greetings!

Cathryne


#2

Hey Cathryne,

> Hello!
>
> This is in response to emcho's post on
> https://github.com/nylira/prism-break/issues/291#issuecomment-23770120
>
> Regarding history saving for OTR chats: we are going to make it easier for
> a user to turn off logging for a specific chat session or contact and to
> know whether it is being logged at any point. It is important to understand
> that OTR is designed to protect one's communication over the Internet. The
> question of whether or not this communication is also saved locally for
> later availability to the user, is an entirely different matter and
> completely orthogonal to the use of OTR.
>
> A bit about my background: Power-user, but not programmer. In the last few
> weeks, I have helped translate and expand http://prism-break.org a bit. As
> many of you maybe also do it, I go through the options/settings/preferences
> of a freshly installed software, adjusting them to my liking. Helping
> friends and family setting up Jitsi and other privacy tools in the last few
> weeks, I realized that almost no regular user does that automatically.
>
> Thus, they were often quite surprised to learn that self-described "secure"
> tools (Jitsi among them, but not alone) log their chat history by default.

Indeed. There seems to be a misconception among some users that
"secure" actually means "volatile". Worse, it is often assumed as a
result that "volatile" means "secure". This can have grave
consequences. Obviously these are very different things. We have
already had this discussion several times here but it is important to
explain the difference so I thought I would describe our position
again.

> Their expectation (and experience from verbal communication) of course was
> that whatever they want to remember later, they have to save/export from the
> chat to a less transient medium.

I have personally seen a lot more evidence of the opposite problem.
Users are quite frustrated when a few minutes after a window was
closed they needed to get back to the content of their conversation
(e.g. to retrieve a phone number or other information that was
exchanged during the chat) but only found out that it was no longer
available.

Please understand that this is a *very* common case and that it
happens *substantially* more often than security compromises.

> Therefore, I would like to make the point (and plea) to switch Jitsi's "log
> chat history"-setting off by default, or at least make it 2-tiered: default
> on for unencrypted chats, default off for OTR.

We are not going to do this. In addition to the main reason quoted
above there are a few more here:

* It is always possible to delete a chat after a user accidentally
neglected to turn off history
* it is impossible to restore a chat after a user accidentally
neglected to turn on history
* Jitsi is a rich client. It is not a cloud service. Your chats are
kept only on your local device
* if an attacker has access to your hard drive / work station and can
retrieve your chat history, then simply turning history off is NOT a
solution to this problem. In most cases there would be a number of
other ways for this attacker to retrieve the content of your
conversations, impersonate you and eavesdrop on your communication.
Believing that the default of the history logging option would fix
this is a dangerous misconception and is likely to create a false
sense of security.

What we are going to do in the near future, would be to make it very
easy to see at a glance whether history is being logged for a certain
conversation.

> The latter combined with a
> solution to the bug https://trac.jitsi.org/ticket/1075 could IMHO make Jitsi
> much easier on novices and more confidently recommendable.

This is a rather subjective claim. You are free to consider that your
personal security depends on whether logging is turned on by default.
In some very specific cases you may even be right. You should however
be careful when spreading your beliefs around. You may be misleading
people.

> I mean, OTR actually spells "Off The Record". An automatically created log
> file is a record, isn't it?

This is a very misleading argument. OTR is an encryption mechanism. It
is not simply a name.

Take Gmail chats as an example.

The Gmail web client allows you to turn off logging for a specific
conversation. They use "Go off the record" as the name of this option.
Turning it on disables history logging.

Once you've activated the option your conversation is effectively off
the record, at least as far as you are concerned. Yet this has
*nothing* to do with OTR! Your communication is in no way secure. It
can be compromised by Google, the remote server and, given Google's
non-use of SSL in server-to-server connections, anyone in between
them.

So once again: not keeping a log does not in any way imply security or
lack thereof and claiming the opposite could be quite dangerous.

> Granted, it's not OTR's business to take care of what happens to the
> securely transmitted messages.

Indeed, it is not.

This is above all a usability matter.

> But: Jitsi should incorporate OTR in a way
> that best meets the promise of both tools to be secure and the expectations
> of less tech-savvy users. IMHO this can best be done by turning "log chat
> history" off.

In order to make this less of a problem, we are going to make it
visible when chats are logged so that users can turn history off. We
would be happy to have a discussion on the best ways of doing this but
this is the only direction we are willing to take.

Turning the default to off is likely to hurt users and we would not do that.

Hope this clarifies things a bit.

Cheers,
Emil

···

On Wed, Sep 4, 2013 at 11:50 AM, Cathryne Linenweaver <cathryne.linenweaver@gmail.com> wrote:

> Thanks and greetings!
>
> Cathryne
>
> _______________________________________________
> users mailing list
> users@jitsi.org
> Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/users

--
Emil Ivov, Ph.D.                       67000 Strasbourg,
Project Lead                           France
Jitsi
emcho@jitsi.org                        PHONE: +33.1.77.62.43.30
https://jitsi.org                      FAX:   +33.1.77.62.47.31


#3

For future reference:

https://jitsi.org/faq/otr-logging



#4

Sounds like a good solution Emil.

+1

FC

···

On Wed, Sep 4, 2013 at 7:44 AM, Emil Ivov <emcho@jitsi.org> wrote:

> In order to make this less of a problem, we are going to make it
> visible when chats are logged so that users can turn history off. We
> would be happy to have a discussion on the best ways of doing this but
> this is the only direction we are willing to take.
>
> Turning the default to off is likely to hurt users and we would not do
> that.
>
> Hope this clarifies things a bit.

--
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell


#5

Emil Ivov:

> I have personally seen a lot more evidence of the opposite problem.
> Users are quite frustrated when a few minutes after a window was
> closed they needed to get back to the content of their conversation
> (e.g. to retrieve a phone number or other information that was
> exchanged during the chat) but only found out that it was no longer
> available.
>
> Please understand that this is a *very* common case and that it
> happens *substantially* more often than security compromises.

Security compromises can have far more dramatic effects.

> * if an attacker has access to your hard drive / work station and can
> retrieve your chat history, then simply turning history off is NOT a
> solution to this problem.

Not true. If the attacker gets access to your hardware but no logs are
stored on it then that can be a _huge_ difference.

I suggest to have a look at this Adium issue (the Bradley Manning issue):
https://trac.adium.im/ticket/15722

> > I mean, OTR actually spells "Off The Record". An automatically created log
> > file is a record, isn't it?
>
> This is a very misleading argument. OTR is an encryption mechanism. It
> is not simply a name.

That mechanism has _specific_ features which for good reasons are
summarized as "Off The Record".

> In order to make this less of a problem, we are going to make it
> visible when chats are logged so that users can turn history off.

In addition to that I do think that users should be asked before OTR
chats are logged.

Cheers,
Andreas


#6

Hi Emil,

I strongly object to the conclusion you came to.

> Indeed. There seems to be a misconception among some users that
> "secure" actually means "volatile". Worse, it is often assumed as a
> result that "volatile" means "secure". This can have grave
> consequences.

Remember how Adium, ignoring Cyberpunk's recommendation to turn off
logging for OTR sessions, helped incriminate Bradley Manning because
he was used to sane security settings from other clients [1]?

> I have personally seen a lot more evidence of the opposite problem.
> Users are quite frustrated when a few minutes after a window was
> closed they needed to get back to the content of their conversation
> (e.g. to retrieve a phone number or other information that was
> exchanged during the chat) but only found out that it was no longer
> available.
>
> Please understand that this is a *very* common case and that it
> happens *substantially* more often than security compromises.

And has it ever appeared to you that 1 serious security compromise will
have a far bigger impact than 100 lost chat histories? Seriously,
losing a chat history might upset a single user, but it does not serve
any purpose apart from adding to the user's convenience.

I am absolutely sure that Bradley Manning would have happily
reconstructed his chats from his mind should that be necessary than
being incriminated by accidentally created chat logs.

As a security provider, you are taking responsibility for users to make
good decisions. Auto-enabling logging is not a good decision.

> > Therefore, I would like to make the point (and plea) to switch Jitsi's "log
> > chat history"-setting off by default, or at least make it 2-tiered: default
> > on for unencrypted chats, default off for OTR.

+1!

> We are not going to do this.

I kindly request you to hand this decision to the community. I will
happily create a vote somewhere. But IMHO this is not a decision you
should make on your own.

> * It is always possible to delete a chat after a user accidentally
> neglected to turn off history

Will you educate the users about how to securely erase data from their
machines, and will you do so in a prominent enough way?

> * it is impossible to restore a chat after a user accidentally
> neglected to turn on history

Keep it in memory until Jitsi is quit.

> * Jitsi is a rich client. It is not a cloud service. Your chats are
> kept only on your local device

I hope so. When implementing XEP-0136, please do NOT ignore section 3.1
the way you are ignoring this issue [2].

> * if an attacker has access to your hard drive / work station and can
> retrieve your chat history, then simply turning history off is NOT a
> solution to this problem. In most cases there would be a number of
> other ways for this attacker to retrieve the content of your
> conversations, impersonate you and eavesdrop on your communication.
> Believing that the default of the history logging option would fix
> this is a dangerous misconception and is likely to create a false
> sense of security.

There is so much wrong about this. Every single bit adds to the users'
security!

> > I mean, OTR actually spells "Off The Record". An automatically
> > created log file is a record, isn't it?
>
> This is a very misleading argument.

It's a very misleading name the way you implement it. The argument is
valid.

> OTR is an encryption mechanism. It is not simply a name.

It's a name as well, isn't it?

> Take Gmail chats as an example.
>
> The Gmail web client allows you to turn off logging for a specific
> conversation. They use "Go off the record" as the name of this option.
> Turning it on disables history logging.
>
> Once you've activated the option your conversation is effectively off
> the record, at least as far as you are concerned. Yet this has
> *nothing* to do with OTR! Your communication is in no way secure. It
> can be compromised by Google, the remote server and, given Google's
> non-use of SSL in server-to-server connections, anyone in between
> them.
>
> So once again: not keeping a log does not in any way imply security or
> lack thereof and claiming the opposite could be quite dangerous.

Didn't you just revert your point above? Didn't you just say that "off
the record" means "not logged"?

> > Granted, it's not OTR's business to take care of what happens to the
> > securely transmitted messages.
>
> Indeed, it is not.

Beat me if I'm wrong, but I am absolutely certain that some document
over at Cyberpunks actually recommends that OTR chats are not logged by
clients, I read that some time ago. I couldn't find that document when I
looked for it, however.

> In order to make this less of a problem, we are going to make it
> visible when chats are logged so that users can turn history off. We
> would be happy to have a discussion on the best ways of doing this but
> this is the only direction we are willing to take.

Again, please do not say "we" when you really mean "I". If Jitsi is your
project and you alone decide where it goes, please do not call it free
and open.

I suggest implementing it the other way round:

When OTR is enabled, auto-disable logging and place a prominent note
about that in the chat window.

Moreover, when OTR is enabled *and* the other chat party re-enables
logging, place a *VERY* prominent warning about that in the chat window.
Having the other party log an encrypted chat is a privacy and security
breach that has to be clearly visible!

> Hope this clarifies things a bit.

It does, but not in the way you intended.

-nik

[1] http://www.bradleymanning.org/uncategorized/day-four-of-the-bradley-manning-trial-in-depth-notes-from-a-courtroom-viewer-in-bradley-mannings-article-32-hearing
[2] http://xmpp.org/extensions/xep-0136.html#otr-nego

···

--
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
<mirabilos> That means, D-BUS is a tool that makes software look better
            than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296


#7

Hello!

Whoa, if I knew what kind of stir this would create, I wouldn't have
written ;-D

[...]

> > Their expectation (and experience from verbal communication) of course was
> > that whatever they want to remember later, they have to save/export from the chat to a less transient medium.
>
> I have personally seen a lot more evidence of the opposite problem.
> Users are quite frustrated when a few minutes after a window was
> closed they needed to get back to the content of their conversation
> (e.g. to retrieve a phone number or other information that was
> exchanged during the chat) but only found out that it was no longer
> available.
>
> Please understand that this is a *very* common case and that it
> happens *substantially* more often than security compromises.

Accepted. The people I helped apparently were just very different from
your average users, I guess. Most of them hadn't used any chat software
before and Skype only for calling.

> What we are going to do in the near future, would be to make it very
> easy to see at a glance whether history is being logged for a certain
> conversation.

Cool, thanks!

> > The latter combined with a
> > solution to the bug https://trac.jitsi.org/ticket/1075 could IMHO make Jitsi much easier on novices and more confidently recommendable.
>
> This is a rather subjective claim. [...] You should however
> be careful when spreading your beliefs around. You may be misleading
> people.

I'm sure any reader of this is well aware that all my writing was
personal opinion. Marked even by "IMHO" and also informed by the
background info I gave initially.

Default settings on the other hand are _actually leading_ people, right?

> So once again: not keeping a log does not in any way imply security or
> lack thereof and claiming the opposite could be quite dangerous.

Like, the keyboard being mightier than the sword?!? ;)

Well, let's just agree to disagree on the core question. Nonetheless, I
wish you all good luck with improving Jitsi in the way you find most
utilitarian :)

> In order to make this less of a problem, we are going to make it
> visible when chats are logged so that users can turn history off. [...]

+1. I'd vote for the 2 "trade-off" points nik proposed in a branch of
this convo.

Kind regards and good bye!

Cathryne

···

On 04.09.2013 12:44, Emil Ivov wrote:


#8

Well done, thanks!

FC

···

On Wed, Sep 4, 2013 at 10:34 AM, Emil Ivov <emcho@jitsi.org> wrote:

> For future reference:
>
> https://jitsi.org/faq/otr-logging



#9

> Hi Emil,

[snipped]

> I kindly request you to hand this decision to the community. I will
> happily create a vote somewhere. But IMHO this is not a decision you
> should make on your own.

I look forward to your Jitsi fork that you intend to maintain, with the
default settings you prefer.

Steve

···

On Wed, Sep 4, 2013 at 5:00 AM, Dominik George <nik@naturalnet.de> wrote:


#10

What Snowden brought to light again was the government sniffing of comms.
As far as that is concerned, Jitsi is very secure, with encryption enabled.
If someone breaks into your computer or confiscates your PC you have bigger
problems to begin with.

Andreas, do you erase all the email you receive, from your computer and the
cloud, after reading it? Does that feel like a secure way to use your
computer? How about the My Documents folder? How about empty HD space? That
level of paranoia doesn't lead to much productivity...

There are solutions (Truecrypt) that allow one to secure the contents of
your PC. It's silly to hurt usability because of a few extreme scenarios...
FC

···

On Wed, Sep 4, 2013 at 8:40 AM, Andreas Kuckartz <a.kuckartz@ping.de> wrote:

> In addition to that I do think that users should be asked before OTR
> chats are logged.



#11

> Emil Ivov:
>
> > I have personally seen a lot more evidence of the opposite problem.
> > Users are quite frustrated when a few minutes after a window was
> > closed they needed to get back to the content of their conversation
> > (e.g. to retrieve a phone number or other information that was
> > exchanged during the chat) but only found out that it was no longer
> > available.
> >
> > Please understand that this is a *very* common case and that it
> > happens *substantially* more often than security compromises.
>
> Security compromises can have far more dramatic effects.

Yes they can. They can also have less dramatic effects.

> > * if an attacker has access to your hard drive / work station and can
> > retrieve your chat history, then simply turning history off is NOT a
> > solution to this problem.
>
> Not true. If the attacker gets access to your hardware but no logs are
> stored on it then that can be a _huge_ difference.

A person having access to your hardware could simply change your
config file. They could also "plant" a modified version of Jitsi or
any other application for that matter. There's no limit to what can be
achieved this way.

If you thought the security of your own device didn't matter because
logs are not being stored, then you'd need to think again.

> I suggest to have a look at this Adium issue (the Bradley Manning issue):
> https://trac.adium.im/ticket/15722

If log storage was indeed inadvertent then in that case it sounds
as if a clear indication in the chat window as to whether or not a
chat is logged, would be enough to resolve this concern.

> > > I mean, OTR actually spells "Off The Record". An automatically created log
> > > file is a record, isn't it?
> >
> > This is a very misleading argument. OTR is an encryption mechanism. It
> > is not simply a name.
>
> That mechanism has _specific_ features which for good reasons are
> summarized as "Off The Record".

I am not sure I grasp the point of this argument. Are you implying
that the *default* for history logging is part of OTR's signature?
Care to point me to the part of the spec where this claim is made?

> > In order to make this less of a problem, we are going to make it
> > visible when chats are logged so that users can turn history off.
>
> In addition to that I do think that users should be asked before OTR
> chats are logged.

Users will see an indication that the chat is logged. They would have
the option of turning that off.

Emil

···

On Wed, Sep 4, 2013 at 1:40 PM, Andreas Kuckartz <a.kuckartz@ping.de> wrote:

> Cheers,
> Andreas



#12

> I look forward to your Jitsi fork that you intend to maintain, with the
> default settings you prefer.

Is this the official pov of the Jitsi team?

"If you want to participate, either stick with the head's opinion or go
away and fork Jitsi."

Can I get that signed by Emil, please, so it is quotable?

-nik

···

--
<Natureshadow> Which server is that on now…?
<mirabilos> If it doesn't come over the network, at Hetzner; if it isn't
            being read, at STRATO; if it works, at manitu.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296


#13

Hey Dominik,

> Hi Emil,
>
> I strongly object to the conclusion you came to.
>
> > Indeed. There seems to be a misconception among some users that
> > "secure" actually means "volatile". Worse, it is often assumed as a
> > result that "volatile" means "secure". This can have grave
> > consequences.
>
> Remember how Adium, ignoring Cyberpunk's recommendation to turn off
> logging for OTR sessions, helped incriminate Bradley Manning because
> he was used to sane security settings from other clients [1]?

I guess the main problem I see with this whole thing is the
amalgamation of two separate things:

1. The readability of your messages over the network
2. Their availability for later reading by potentially non-trusted parties

They are separate things and any combination of them is possible in real life:

1. When you talk to your bank you'd care about the network
protection of your messages but you wouldn't necessarily be protecting
from a judiciary search warrant. In that case you may have good
reasons to want to preserve the content of the conversations (and you
may also want to additionally encrypt your drive).

2. When you are talking to your secret lover secretly from your
spouse, you'd likely prefer for history not to be stored but you
wouldn't necessarily care about network encryption. As a matter of
fact you might explicitly prefer it to be off so that you could also
follow the conversation from a different client (e.g. facebook).

3. When you are whistle-blowing on your government you are very likely
to want your chats encrypted. You are also likely to want to remove
history logs ... at some point. Not necessarily immediately though.

So again, there are different configurations possible out there and it
is important that users can easily navigate through them. I have
repeatedly said that we are going to work on improving the indication
of the fact that history is on (don't count on a big red warning
though) and the possibility to turn it off.

As far as the default is concerned, it currently represents what we
believe to be the best compromise.

> > I have personally seen a lot more evidence of the opposite problem.
> > Users are quite frustrated when a few minutes after a window was
> > closed they needed to get back to the content of their conversation
> > (e.g. to retrieve a phone number or other information that was
> > exchanged during the chat) but only found out that it was no longer
> > available.
> >
> > Please understand that this is a *very* common case and that it
> > happens *substantially* more often than security compromises.
>
> And has it ever appeared to you that 1 serious security compromise will
> have a far bigger impact than 100 lost chat histories? Seriously,
> losing a chat history might upset a single user, but it does not serve
> any purpose apart from adding to the user's convenience.

Losing information can have consequences that are just as dire and
undesirable as failing to protect it. In this case for example, I
really don't care how many people get to read this message before it
hits your mailbox. However I wouldn't like it to be lost in the
archives.

If someone sends me important information over OTR, chances that I'd
need that information later are a lot higher than the chances that
this information may become the reason for a search warrant.

Finally, to end on an example of a Bradley-Manning scale,
pharmaceutical researchers that have a discussion which leads to the
discovery of a cancer-curing molecule are extremely likely to want to
keep their discussion logged for later (and potentially so would
humanity) even if they wanted to keep the communication private at the
time it took place.

So again, these are two different things and they should be controlled
and indicated separately.

> I am absolutely sure that Bradley Manning would have happily
> reconstructed his chats from his mind should that be necessary than
> being incriminated by accidentally created chat logs.
>
> As a security provider, you are taking responsibility for users to make
> good decisions. Auto-enabling logging is not a good decision.
>
> > > Therefore, I would like to make the point (and plea) to switch Jitsi's "log
> > > chat history"-setting off by default, or at least make it 2-tiered: default
> > > on for unencrypted chats, default off for OTR.
>
> +1!
>
> > We are not going to do this.
>
> I kindly request

Kind request? Where? :)

I've only seen an angry demand. Rather offensive actually.

> you to hand this decision to the community.
>
> I will happily create a vote somewhere.

That could be very useful if we ever had a way of making sure that a
majority or at least a very representative minority of Jitsi's
potential and current users would take part. I don't see how this
could happen.

> But IMHO this is not a decision you
> should make on your own.

The very fact that we are having this discussion and that changes to
Jitsi will happen as a result is a good indication of an open process.

However people have different lives and different priorities and at
some point someone (or something) needs to call a decision. For
various reasons, in the Jitsi instance hosted by jitsi.org this
happens to be me.

If you feel that you or a different entity would do better at this
process (and I generally don't consider this possibility unlikely at
all) then forking Jitsi is a matter of a button click on GitHub.

> > * It is always possible to delete a chat after a user accidentally
> > neglected to turn off history
>
> Will you educate the users about how to securely erase data from their
> machines, and will you do so in a prominent enough way?

No, I was thinking that we could simply add an option in the newly
added chat button/menu that would allow users to erase history from
within the chat window.

* it is impossible to restore a chat after a user accidentally
neglected to turn on history

Keep it in memory until Jitsi is quit.

You seem to be comfortable handing tasks our way :) (... or should I
say my way?)

* jitsi is a rich client. It is not a cloud service. Your chats are
kept only on your local device

I hope so. When implementing XEP-0136, please do NOT ignore section 3.1

When and if we choose to implement XEP-0136 we will take this into account.

the way you are ignoring this issue [2].

We are disagreeing, not ignoring. Given your strong accusations about
my "exaggerations", I would have expected you to be more careful with
words.

<snip>

So once again: not keeping a log does not in any way imply security or
lack thereof and claiming the opposite could be quite dangerous.

Didn't you just revert your point above? Didn't you just say that "off
the record" means "not logged"?

No I don't think I have contradicted my point above. What I was saying
was that the presence or absence of logs does not imply a secure
context. It would all depend on the use case and we have chosen a
policy that we believe would be the best compromise for the use cases
we are encountering.

We have also agreed to work on improving general awareness.

> Granted, it's not OTR's business to take care of what happens to the
> securely transmitted messages.

Indeed, it is not.

Beat me if I'm wrong,

Why would I want to do that?

but I am absolutely certain that some document
over at Cyberpunks actually recommends that OTR chats are not logged by
clients, I read that some time ago. I couldn't find that document when I
looked for it, however.

That's OK. I can see how there could be recommendations for
considering this option (which is what we are doing).

In order to make this less of a problem, we are going to make it
visible when chats are logged so that users can turn history off. We
would be happy to have a discussion on the best ways of doing this but
this is the only direction we are willing to take.

Again, please do not say "we" when you really mean "I".

I actually do mean "we". It happens that I am the lead of the project
and I do believe I speak for most of the developers that actively work
on it. (Those who do not agree are of course welcome to speak up)

Of course this "we" does not mean "you" so I don't think you need to
worry that I am misrepresenting your opinion.

If Jitsi is your
project and you alone decide where it goes,

Already answered this above.

please do not call it free
and open.

Linus Torvalds is known for saying that "open source is not a
democracy". Meritocracy is often used instead but even this is not
always accurate.

I do believe that we are being open about this. We are having this
discussion and we have accepted to do something about the problem.

I don't believe your accusations are fair.

I suggest implementing it the other way round:

When OTR is enabled, auto-disable logging and place a prominent note
about that in the chat window.

Already discussed.

Moreover, when OTR is enabled *and* the other chat party re-enables
logging, place a *VERY* prominent warning about that in the chat window.
Having the other party log an encrypted chat is a privacy and security
breach that has to be clearly visible!

That would have been extremely neat if only there was a *reliable* way
of always telling when the remote party is recording something.

Hope this clarifies things a bit.

It does, but not in the way you intended.

Or did you mean: not in the way you would have liked it?

Emil

···

On Wed, Sep 4, 2013 at 2:00 PM, Dominik George <nik@naturalnet.de> wrote:

-nik

[1] http://www.bradleymanning.org/uncategorized/day-four-of-the-bradley-manning-trial-in-depth-notes-from-a-courtroom-viewer-in-bradley-mannings-article-32-hearing
[2] http://xmpp.org/extensions/xep-0136.html#otr-nego

--
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
<mirabilos> That means, D-BUS is a tool that makes software look better
            than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

--
Emil Ivov, Ph.D. 67000 Strasbourg,
Project Lead France
Jitsi
emcho@jitsi.org PHONE: +33.1.77.62.43.30
https://jitsi.org FAX: +33.1.77.62.47.31
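
The options argued over in this message (a two-tier default, RAM-only retention until the client quits, a per-contact switch, and erasing from the chat window) can be modelled together. This is an added example, not part of the thread and not Jitsi code; `HistoryStore`, its method names, and the sample contact and messages are hypothetical.

```python
import hashlib
import json
import os
import tempfile
from enum import Enum


class Retention(Enum):
    DISK = "disk"      # appended to the history file, survives a restart
    MEMORY = "memory"  # held in RAM only, dropped when the client quits


class HistoryStore:
    """Hypothetical history store for this example; not Jitsi's code."""

    def __init__(self, directory, log_plain=True, log_otr=False):
        self.directory = directory
        # Two-tier default from the thread, keyed by "is OTR active?".
        self.defaults = {False: log_plain, True: log_otr}
        self.overrides = {}  # contact -> bool, the per-contact user switch
        self.ram = {}        # contact -> [(seq, text)]
        self.seq = 0         # orders messages within one run of the client

    def path(self, contact):
        # Hash the contact so a hostile JID cannot steer the file name.
        name = hashlib.sha256(contact.encode("utf-8")).hexdigest()
        return os.path.join(self.directory, name + ".jsonl")

    def set_logging(self, contact, enabled):
        self.overrides[contact] = enabled

    def retention(self, contact, otr_active):
        # Decided per message: a chat can switch to OTR half-way through.
        to_disk = self.overrides.get(contact, self.defaults[bool(otr_active)])
        return Retention.DISK if to_disk else Retention.MEMORY

    def record(self, contact, text, otr_active):
        self.seq += 1
        kind = self.retention(contact, otr_active)
        if kind is Retention.DISK:
            with open(self.path(contact), "a", encoding="utf-8") as fh:
                fh.write(json.dumps([self.seq, text]) + "\n")
        else:
            self.ram.setdefault(contact, []).append((self.seq, text))
        return kind  # the UI can drive its "being logged" indicator from this

    def on_disk(self, contact):
        if not os.path.exists(self.path(contact)):
            return []
        with open(self.path(contact), encoding="utf-8") as fh:
            return [tuple(json.loads(line)) for line in fh]

    def recent(self, contact):
        merged = sorted(self.on_disk(contact) + self.ram.get(contact, []))
        return [text for _, text in merged]

    def erase(self, contact):
        # Unlinks the file only; the blocks it used are not overwritten.
        self.ram.pop(contact, None)
        if os.path.exists(self.path(contact)):
            os.remove(self.path(contact))

    def quit(self):
        self.ram.clear()


def demo():
    peer = "alice@example.org"  # constructed sample contact and messages
    with tempfile.TemporaryDirectory() as tmp:
        store = HistoryStore(tmp)
        kinds = [
            store.record(peer, "lunch at noon?", otr_active=False).value,
            store.record(peer, "my number is 555-0100", otr_active=True).value,
        ]
        disk_texts = [text for _, text in store.on_disk(peer)]
        before_quit = store.recent(peer)
        store.quit()
        after_quit = store.recent(peer)
        store.erase(peer)
        after_erase = store.recent(peer)
        store.set_logging(peer, True)  # user opts in to logging this contact
        opted_in = store.record(peer, "keep this one", otr_active=True).value
    return {
        "kinds": kinds,
        "disk_texts": disk_texts,
        "before_quit": before_quit,
        "after_quit": after_quit,
        "after_erase": after_erase,
        "opted_in": opted_in,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With these defaults the OTR message stays readable until the client quits but never reaches the history file, while the plaintext message persists until it is erased.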


#14

Participate? Have you been submitting patches?

···

On Wed, Sep 4, 2013 at 7:49 AM, Dominik George <nik@naturalnet.de> wrote:

> I look forward to your Jitsi fork that you intend to maintain, with the
> default settings you prefer.

Is this the official pov of the Jitsi team?

"If you want to participate, either stick with the head's opinion or go
away and fork Jitsi."


#15

Emil,

If you thought the security of your own device didn't matter because
logs are not being stored, then you'd need to think again.

Please get off that argumentation, really quick. It is ridiculous. No one
ever said nothing else matters - it was only said that not logging
encrypted chats *does* matter *additionally*.

Please stop exaggerating our claims to make your own point!

-nik

···

--
* concerning Mozilla code leaking assertion failures to tty without D-BUS *
<mirabilos> That means, D-BUS is a tool that makes software look better
            than it actually is.

PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296


#16

Hi Emil,

how about this trade-off:

1. Jitsi implements a big warning when OTR chats are logged, and keeps the default setting as decided by you.

2. I get clearance to file a feature request about encrypted log storage. I can try to implement it, but I am not a Java expert.

What do you think about this trade-off?

-nik

--
This message was sent from my Android mobile phone with K-9 Mail.


#17

Hi Emil,

how about this trade-off:

1. Jitsi implements a big warning when OTR chats are logged, and
keeps the default setting as decided by you.

I suggest we finish what we have in mind. We can reopen the discussion at
that point.

2. I get clearance to file a feature request about encrypted log storage.

I don't mind. I can't commit to anyone in the core team working on this at
a specific time in the near future however.

I can try to implement it, but I am not a Java expert.

FWIW, I don't think something like this would require being a Java expert.

Emil

--sent from my mobile

···

On 4 Sep 2013 19:13, "Dominik George" <nik@naturalnet.de> wrote:

On Wed, Sep 4, 2013 at 2:00 PM, Dominik George <nik@naturalnet.de> wrote:


#18

Dominik,

I share your frustration with the developer's response to the OTR chat logging issue.

Following this issue for the past month or so, it seems they are not going to budge.

This is unfortunate as new and non-technical users choosing Jitsi with the expectation that it will keep their "Off The Record" encrypted chats off the record, and out of the hands of violent criminal organizations (yes this includes state actors) will be in for a rude awakening...it's only a matter of time.

I don't think it's a stretch to envision a scenario where someone documenting crimes against human rights ends up being tortured thanks to Jitsi's default logging of what they tragically assumed were truly "Off The Record" chats. Chats that were recorded to their hard drive for convenient forensic retrieval by state "security" forces.

I would be quite interested to see how the Jitsi devs react to such an event when it eventually does occur, as for example it did with Bradley Manning and the Adium chat client.

You can read the Adium bug report where much of the same back and forth occurs about default logging. In the end the surveillance slut camp wins out, keeping the logging of OTR chats on by default. https://trac.adium.im/ticket/15722

As you can imagine, now that an unsuspecting person using their software for OTR chats has actually been kidnapped and tortured, then imprisoned for 35 years thanks in part to the logs that Adium handily kept by default...

http://www.bradleymanning.org/uncategorized/day-four-of-the-bradley-manning-trial-in-depth-notes-from-a-courtroom-viewer-in-bradley-mannings-article-32-hearing

...the Adium devs responsible for this decision are falling all over themselves to apologize and correct the error.

Personally, I find it extremely bizarre there would be so much push back against turning off logging of JUST THE FREAKING OTR ENCRYPTED CHATS by default. This seems like a total no-brainer to me.

Then again, I'm a freedom and privacy nut and probably the furthest thing you'll find from a digital pack-rat/hoarder, saving everything "just in case it might come in useful" some day. As in useful to torturers looking for an informational pretext to kidnap and torture people saying things they disapprove of.

In closing, I'm thinking the best way to solve this problem for the time being is to take up the cause with the people packaging Jitsi for various free *nix distributions. It won't help Windows and Mac users, but it's a start.

I'm working on a Jitsi PBI for PC-BSD and you can be damned sure chat logging will be disabled by default and the log dir is a symlink to /dev/null.

I'll brace myself for a deluge of state security forensic investigators enraged that logging of every keystroke was not enabled by default.

Long live privacy,
Seth

···

On Wed, 04 Sep 2013 07:49:09 -0700, Dominik George <nik@naturalnet.de> wrote:

I look forward to your Jitsi fork that you intend to maintain, with the
default settings you prefer.

Is this the official pov of the Jitsi team?

"If you want to participate, either stick with the head's opinion or go
away and fork Jitsi."

Can I get that signed by Emil, please, so it is quotable?

-nik

--
Saluting those who trim all the unnecessary CRAP from their replies, <cough, cough>


#19

Please, everyone, calm down. **I am logging this conversation**
<G>

The Anonymity Brigade has failed to prove how Emil's proposed solution of
having a clear indication of whether a certain chat window is being saved
or not AND a way to disable such logging with one click does NOT solve the
problem.

FC

···

On Wed, Sep 4, 2013 at 9:04 AM, Dominik George <nik@naturalnet.de> wrote:

Please stop exaggerating our claims to make your own point!

--
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell


#20

Do you erase all the email that comes your way after reading? Do you erase
address books as well? Have you memorized your entire list of contacts and
manually type every address every time?

Do you think everyone lives under a repressive government or engages in
activities that, if exposed or known, might put them "in danger"?

Personally, Gmail saving of chats has saved my bacon several times, as I
was able to look up information I remembered someone gave me BACK IN
2008 but sure as heck I didn't remember the details, so I looked in GMail
and there it was, the full text of my chat. I also used that opportunity to
reconnect with that person and retake some discussions we had five years
ago, and he was glad I remembered our old exchange. Thank the heavens for
technology and logging, I would never have been able to do any of that from
"memory" alone...

FC

···

On Thu, Sep 5, 2013 at 2:39 AM, Seth <list@sysfu.com> wrote:

Then again, I'm a freedom and privacy nut and probably the furthest
thing you'll find from a digital pack-rat/hoarder, saving everything "just
in case it might come in useful" some day. As in useful to torturers
looking for an informational pretext to kidnap and torture people saying
things they disapprove of.

--
During times of Universal Deceit, telling the truth becomes a revolutionary
act
Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto
Revolucionario
- George Orwell