Skip Navigation

InitialsDiceBearhttps://github.com/dicebear/dicebearhttps://creativecommons.org/publicdomain/zero/1.0/„Initials” (https://github.com/dicebear/dicebear) by „DiceBear”, licensed under „CC0 1.0” (https://creativecommons.org/publicdomain/zero/1.0/)S

StarkZarn

@ starkzarn @infosec.pub

Posts
18
Comments
109
Joined
3 yr. ago

  • End-to-End Encrypted Chat that YOU Control: Hosting XMPP (Jabber) with Prosody

    Jump

  • This is also a great article! Thanks for the link.

    One cool point in favor of XMPP is that in a public setting (MUCs), there's community. Moparisbest is an active participant in several of the MUCs that I'm in. Very cool!

  • End-to-End Encrypted Chat that YOU Control: Hosting XMPP (Jabber) with Prosody

    Jump

  • Yeah they just redid their container image pipeline and these containers are the result!

  • End-to-End Encrypted Chat that YOU Control: Hosting XMPP (Jabber) with Prosody

    Jump

  • Super true. I think this was best exemplified by SignalGate

  • End-to-End Encrypted Chat that YOU Control: Hosting XMPP (Jabber) with Prosody

    Jump

  • This is great, I have not seen this post before. Thank you for sharing.

    You make an excellent point here, that the burden of security and privacy is put on the user, and that means that the other party in which you're engaged in conversation with can mess it up for the both of you. It's far from perfect, absolutely. Ideally you can educate those that are willing to chat with you on XMPP and kill two birds with one stone, good E2EE, and security and privacy training for a friend. XMPP doesn't tick the same box as Signal though, certainly. I still rely heavily on Signal, but that data resides on and transits a lot of things that I don't control. There's a time and a place for concerns with both, but I wanted to share my strategy for an internal chat server that also meets some of those privacy and security wickets.

  • End-to-End Encrypted Chat that YOU Control: Hosting XMPP (Jabber) with Prosody

    Jump

  • Yes, absolutely. It all depends on implementation. I am using VLANs for L2 isolation. I have a specific DMZ VLAN that has my XMPP server and only my XMPP server on it. My network core applies ACLs that prevent any inter-VLAN traffic from there, so even if STUN/TURN pokes holes, the most that is accessible is that single VLAN, which happens to contain only the single host that I want to be accessible.

    Great question.

  • What's the best chat to self host?

    Jump

  • What's the best chat to self host?

    Jump

  • What's the best chat to self host?

    Jump

  • Arch wiki never fails to deliver!

  • What's the best chat to self host?

    Jump

  • XMPP most definitely! Especially if you want to have connectivity to other servers at all (like simplex). It's much simpler, more well-known, battle hardened, and still supports E2EE and video calling very well.

    I recommend prosody. I recently went through the process of setting up a server and have a draft blog on it half way finished if you want an account of the experience.

    EDIT: Blog post is live at https://roguesecurity.dev/blog/xmpp

  • Security camera recommendations?

    Jump

  • There is not a mobile app, no. You can pseudo install it as a PWA if using a chromium based browser though.

    I do use HomeAssistant so I let it do the notifications for me, but you could easily setup pubsub and use that to hook gotify or something. Maybe it even has native webhooks at this point, I'm not sure.

    Notably though I don't run frigate in HomeAssistant, it's just plugged in via API. That's to support hardware passthrough for my coral TPU.

    I highly recommend it over the others. the only one I haven't tested is blue iris because it's windows only and I refuse to have a windows machine on my network. Frigate outperforms all the others that I tested. Zoneminder is a runner up but it feels dated and the object detection is a kludge.

  • Security camera recommendations?

    Jump

  • I have some reolink and some amcrest, and I'd choose the amcrest (or dahua) any day tbh. Similar workload. Tensor and frigate for software NVR and object detection, all to a zfs dataset.

  • save the planet 🌎

    Jump

  • Says who? I give all my billionaire best friends shit every day.

  • save the planet 🌎

    Jump

  • The irony of using AI to make this image...

    Humanity really is a lost cause

  • What was your last “impulse buy” and was it worth it?

    Jump

  • Oh buddy, let me tell you about amateur radio... If you're having a good time on gmrs, consider exploring the ham hobby. So much fun. There's a lot more landscape to explore than just gmrs gives you. And welcome to the world of RF!

  • Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀

    Jump

  • Fair enough! I toyed with the idea of doing it that way because the systemd component would just reference a single yaml file for each service, which feels portable. That said though, my quadlets as they are are pretty portable too. Thanks for sharing!

  • Linkwarden v2.12 - open-source collaborative bookmark manager to collect, read, annotate, and fully preserve what matters (tons of new features!) 🚀

    Jump

  • Just curious why you chose a kube quadlet instead of the typical podman container quadlets?

  • #FGLAE

    Jump

  • Slime mold is so god damn cool man

  • Why are anime catgirls blocking my access to the Linux kernel?

    Jump

  • That's because they just terminate TLS at their end. Your DNS record is "poisoned" by the orange cloud and their infrastructure answers for you. They happen to have a trusted root CA so they just present one of their own certificates with a SAN that matches your domain and your browser trusts it. Bingo, TLS termination at CF servers. They have it in cleartext then and just re-encrypt it with your origin server if you enforce TLS, but at that point it's meaningless.

  • Systemd Service Hardening

    Jump

  • Good callout! You're absolutely right, and here I was primarily focused on publicly accessible services. Thanks for the addition.