[Operators] Suspicion of Jabbim services being hacked

Dave Cridland dave at cridland.net
Fri Dec 19 22:55:35 UTC 2014


On 19 Dec 2014 22:12, "Waqas Hussain" <waqas20 at gmail.com> wrote:
>
> On Fri, Dec 19, 2014 at 3:18 PM, Kevin Smith <kevin.smith at isode.com> wrote:
>>
>> On 19 Dec 2014, at 19:36, Mathieu Pasquet <mathieui at mathieui.net> wrote:
>> >
>> > On Fri, Dec 19, 2014 at 06:48:44PM +0000, Dave Cridland wrote:
>> >> On 19 Dec 2014 18:32, "Sam Whited" <sam at samwhited.com> wrote:
>> >>> On 12/19/2014 09:24 AM, Peter Viskup wrote:
>> >>>> Hi all,
>> >>>> thought it would be interesting to the audience of this mailinglist.
>> >>>>
>> >>>> http://pinky.jabb.im/2014/12/jabbim-bezpecnostni-problem-security.html
>> >>>>
>> >>>> Best regards,
>> >>>>
>> >>> Another great example of why you should ditch DIGEST-MD5 and store your
>> >>> passwords as SCRAM bits.
>> >>>
>> >>> —Sam
>> >>>
>> >> It feels like we should do something like the encryption push, but for
>> >> non-plaintext passwords.
>> >
>> > Do we have any statistics (e.g. on jabber.org) about what proportion of
>> > clients do not support any other mechanisms than PLAIN and DIGEST-MD5?
>> > (though yes, PLAIN works well with hashed passwords, but should still be
>> > avoided whenever possible)
>> >
>> > That would be enlightening.
>>
>> While I can’t say anything about clients not supporting stuff,
>> obviously, clients choosing DIGEST are four times more numerous than
>> clients choosing SCRAM, six times more numerous than those choosing PLAIN,
>> and a small number do 78 auth and CRAM-MD5.
>>
>> /K
>
>
> Thanks Kev. How hard would it be to get metrics on clients and client
> versions (either overall, or DIGEST-MD5 specific)?
>

I don't know how many of the digest clients would fall back to plain, but I
suppose we can find that out.

In any case, I think I could write a component that would watch the logs
and send version requests to the clients as they connect, sorting metrics
in a database. I suspect it's easy enough for anyone to do, given the log
format information.

> I expect only a handful of clients are likely responsible for 90% of the
> user base. Depending on actual metrics, we could conceivably arrange
> hackathons, bounties and general evangelism.
>

Indeed.

> A bigger issue than getting the code written would be getting the code
> deployed. Note, SCRAM-hashed password storage does not require clients to
> use SCRAM, as PLAIN is still possible (though expensive).
>
> I know that some smaller (few hundred users) deployments have seen
> success with evergelism (just describing the issue and asking users to
> upgrade apparently works well). A related issue is users being stuck on
> older client versions because of using distro provided packages.
> Particularly users who like LTS releases.
>

I suspect that users might be motivated quite well to encourage the distros
to upgrade clients. The combination of old specification and plaintext
passwords are easy concepts to get across. We have a board full of
technical marketing types, a clear message, and in theory we can use MOTD
based campaigns to ensure the message reaches users.

> --
> Waqas Hussain
>
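The storage scheme Waqas refers to above (SCRAM-hashed storage that still lets PLAIN clients log in, at a cost), as an added example that is not from this thread or from any server's code: a minimal SCRAM-SHA-1 credential store following RFC 5802, with a PLAIN verifier and the SCRAM proof check side by side. Helper names are my own; the salt and AuthMessage in the usage are constructed.

```python
import hashlib
import hmac
import secrets
from typing import NamedTuple, Optional


class ScramCredential(NamedTuple):  # what the server stores (RFC 5802 section 3)
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey); not usable as a PLAIN password
    server_key: bytes  # HMAC(SaltedPassword, "Server Key"); proves the server

def _salted_password(password: str, salt: bytes, iterations: int) -> bytes:
    # Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-1 at full digest length.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)

def _client_key(salted_password: bytes) -> bytes:
    return hmac.new(salted_password, b"Client Key", hashlib.sha1).digest()

def make_scram_credential(password: str, iterations: int = 4096,
                          salt: Optional[bytes] = None) -> ScramCredential:
    # Replaces the plaintext or DIGEST-MD5 secret in the account database.
    salt = secrets.token_bytes(16) if salt is None else salt
    salted = _salted_password(password, salt, iterations)
    stored_key = hashlib.sha1(_client_key(salted)).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return ScramCredential(salt, iterations, stored_key, server_key)

def verify_plain(cred: ScramCredential, offered_password: str) -> bool:
    # PLAIN still works against a SCRAM store: re-derive StoredKey from the
    # offered password. The PBKDF2 run on every login is the expensive part.
    salted = _salted_password(offered_password, cred.salt, cred.iterations)
    candidate = hashlib.sha1(_client_key(salted)).digest()
    return hmac.compare_digest(candidate, cred.stored_key)

def client_proof(password: str, salt: bytes, iterations: int,
                 auth_message: bytes) -> bytes:
    # What a SCRAM client sends: ClientKey XOR HMAC(StoredKey, AuthMessage).
    client_key = _client_key(_salted_password(password, salt, iterations))
    stored_key = hashlib.sha1(client_key).digest()
    signature = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return bytes(a ^ b for a, b in zip(client_key, signature))

def verify_scram_proof(cred: ScramCredential, proof: bytes,
                       auth_message: bytes) -> bool:
    # Server side: unmask ClientKey, then check H(ClientKey) == StoredKey.
    # No PBKDF2 here, so SCRAM logins stay cheap while PLAIN logins are not.
    signature = hmac.new(cred.stored_key, auth_message, hashlib.sha1).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, signature))
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), cred.stored_key)
```

The point to take from running it: the same stored record serves both mechanisms, so a server can switch its storage to SCRAM form before every client has moved off PLAIN.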