69 comments

[ 1.7 ms ] story [ 106 ms ] thread
I could not find a definitive answer on Twitter, but does that mean Eve players will become one of the biggest XMPP users group? I wonder if Eve enables federation and chatting with outsiders using regular XMPP clients.
> I wonder if Eve enables federation and chatting with outsiders using regular XMPP clients.

It's not planned. To be precise in the beginning nothing will change for the players. They might be able to send messages which are four times as large.

As far as i know a modern more modular design was the main reason. And thus offload some of the CPU utilisation to not-game server.

More comments from the Dev here [0] and partly [1] here.

[0] https://forums.eveonline.com/t/dev-blog-new-chat-backend-com... [1] https://forums.eveonline.com/t/dev-blog-preparing-for-the-fu...

(Filter by clickning on the blue [DEV] avatar near "Frequent Posters" and select 'x post in this thread' to only see posts from that developer.

Yes, that makes sense. I guess they can focus on developing the core game that way.
I doubt it, EVE typically has ~10-20k concurrents players, that's actually relatively small to other xmpp-based services.
Depends on what you class as a group. It is unlikely that their unfederated server will come close to the number of users on even the 114 public federated servers, much less all the federated private servers.

I noticed something interesting while looking; it appears that at least one public XMPP server has experienced a recent large influx of new users.

>"The number of daily active users has increased more then three-fold in the last year alone." [1]

[1] https://jabber.at/b/temporary-suspension-of-registration/

On the increasing number of accounts, it could as well be due to a rise in spam that we have seen on XMPP.
That's interesting. How do you do spam on XMPP?
OK, thanks. I hadn't thought such a thing would be worth the bother, but I guess spam will find a way.

I guess the eventual problem here is that everyone affected will turn off reception of messages from strangers. That would make XMPP somewhat less useful as a general method of getting in touch with someone.

I am happy that XMPP gets some love. Centralised messengers are a real problem now. People on whatsapp are only reachable on whatsapp, same for viber, messenger, skype, ... We are in a really stupid situation. XMPP works now, is decentralised, has secure E2E encryption, is not controlled by a single entity, and has good clients for android and desktop (iOS is unfortunately missing).

I am rooting for an XMPP comeback.

What people seem to value is inline media, being able to vomit emojis everywhere, and chat syncs across multiple devices/OSs.
Sync is possible in xmpp with the carbon copies extension. for the rest, we have unicode.
WhatsApp, the most popular messenger, does not allow chat sync. It's single device even. I don't think that's part of the features the average user values.
Not true in all cases. They have a wonderful backdoor into your the phone app so you can use the webchat/desktop app. You scan a code and it will allow the website to connect to your phone and download all your messages/photos/etc and talk real time to friends.. Funcionally identical to telegrams desktop app (except, obviously, using your phone as a gateway of some kind).

This functionality makes me nervous honestly, because if the app allowed connections like this silently and downloads your details then wouldn't it be possible to just bypass the QR code for WhatsApp's server team?

(Also, when I point this out I always get downvotes, so, maybe a response this time?)

Out of curiosity why do you think this is a backdoor and not a valid cryptographic connection via your phone?
More likely - app is relatively secure but it collects and stores all that private info, then they need to work in some dictatorship or paranoid country (essentially a majority of all countries) and then those governments require storing info on their own local servers with which they can either comply or be banned, and then either government misuses this info or it gets hacked and malicious 3rd party misuses this info.
How is this different from e.g Telegram web client? I don't see a reason why this couldn't be done safely. I wonder if it's possible to prevent Whatsapp from serving some people a modified web client though.

Anyway, as much as I dislike Telegram, their desktop client is UX-wise miles ahead of web clients or electron trash.

Secret chats never leave the device basically.

The problem I have with telegram is that /by default/ it's security is very poor. It's stored and relayed by their servers so you can have a unified chat history.

However, if you hit the secret chat button I don't see a reason to think that this is stored in any way by them (and auditing the client I use confirms this for Qt linux desktop/iOS)

Your running into exactly the problem that Signal faced when people asked for a web client. It can't really be done securely unless you're willing to put ultimate trust in Signal's servers and the CA system.
Btw, the web app knows when the phone battery is low and warns about it. IMHO it's too much information going from my phone to WhatsApp and I don't know what's the real reason they need it. It's not like the phone doesn't have its own battery warning. Anything else going from the app to their servers?
You do know that the connection between the web app and the phone is E2E encrypted, right? You're doing a key exchange when you scan the QR code.

Unless you think FB is intentionally poisioning their web interface and serving malicious clients that break their own security you've got nothing to worry about with respect to these features.

Being able to know that the phone my chat is proxying through is about to die is pretty valuable.

Isn't a lot of it's popularity among users who only have one device? I've only met one person who I know used WhatsApp, and that was just to talk to his parents in India.
WhatsApp isn't really single device in practice; sure all the messages are routed through (usually) your phone but there's very little friction to using n devices. I'm logged in from 4 different machines right now.
Chat sync really isn't the best statement of the problem because the feature that people want is that all clients see the entire authoritative chat history. WhatsApp solves this problem in a way that is largely invisible to the user without relying on a central message store.
Fortunately none of that can't be done in a decentralized fashion. :) I think there's one big advantage for "people" in it too - being able to use your favorite client, whatever it is.

But I think the major hurdle in this situation is (as usual?) not about an well organized colorful emoji library, but offering something that is clearly better than what we have now in order to disrupt the status quo. :(

The major hurdle in this situation is that most XMPP clients are developed by FOSS volunteers or small underfunded developer groups. There is no VC monetization concept to be built on top of federated messaging, and there is no benevolent billionaire spending 50M USD for the development of awesome XMPP clients.

Matrix has created great clients for the major platforms with a dozen paid developers; Signal had a handful of developers as well. Conversations[0] on Android is a proof that a single dedicated developer can create a great and standards-compliant XMPP messenger.

[0] https://conversations.im/

Conversations has had frequent complaints about battery life issues, which to my knowledge have always been closed with some variation of "just ask about this on the chat" and/or "this is not something that can be fixed". In the past, I've noticed it doesn't work well for my battery life personally as well (so it's not just rumour).

For something that needs to run on a phone, battery life is one of the most important factors to make something actually useful. While the GUI looks great and I don't remember any usability warts, I don't think it's fair to recommend something with an issue this big.

Conversations is keeping its own TCP connection to the server. Battery usage depends on how many XMPP contacts you have, which modules your server has enables and whether you have the F-Droid or the Google Play version of the app. Come to the chat to find out what it is in your case ;-)
Disdain for the desires of the user is a quick way to ensure that a platform won't meet their needs.
Signal is also problematic.
Signal also requires biometrics to be shared with the govt for 1/6th of the world's population (India) by insisting on a phone number for registration.
How does India's government collect that information?
Best guess is that it is similar to Germany. In Germany, there are no anonymous prepaid SIM cards anymore. They're now registered to your name.

Thus, in theory, the gov has access to it too.

I wonder if there would be interest in sim swap parties. This is an idea I had with Oyster cards in London where you get together and swap Oyster cards with other people to confound the profile building.
I suppose a problem with that might be if someone who takes your SIM does something illegal with it. Then you are on the hook for it.
> Then you are on the hook for it.

This is a myth. If you didn't commit a crime, you aren't on the hook for it. For example: https://arstechnica.com/information-technology/2016/08/publi...

You might, however, get investigated (search warrant etc) because unless such mixing becomes really common, it's reasonable for the authorities to suspect you for the crime in the first instance.

Edit: perhaps a better example is https://torrentfreak.com/eu-court-open-wifi-operator-not-lia...

This is a myth. If you didn't commit a crime, you aren't on the hook for it.

This is a nice theory. In Germany, if you are the owner of a SIM card associated with a crime, it is well possible that a prosecutor will consider this sufficient for a warrant, and the police will visit you early in the morning, taking away all your digital devices for something between three months and some years.

Regarding the Wi-Fi hotspot examples you provided (which are not quite the same), in Germany there is a nice legal construct called the "Störerhaftung" (liability for interference), in which you have a civil liability for e.g. copyright violation commited over your uplink.

(IANAL)

> This is a nice theory. In Germany, if you are the owner of a SIM card associated with a crime, it is well possible that a prosecutor will consider this sufficient for a warrant, and the police will visit you early in the morning, taking away all your digital devices for something between three months and some years.

Like I already said: just because you aren't already on the hook for it doesn't mean that you won't be legitimately suspected of the crime in the first instance.

That's not "biometric." I assumed the OP had something in mind more specific.
In India, all SIM cards have to be linked to Aadhar card , which is a unique identifier of a person with biometrics attached
(comment deleted)
And if you are a foreigner the SIM linked to your passport, which is linked to your fingerprints that they take upon immigration.
Assuming that you elect to register with Signal using your Indian number of course, which you are in no way obliged to do.
Well, Moxie’s Signal gives you two options:

1. Use your phone number

2. Don’t use Signal.

I don’t see a "don’t use the phone number, but still use Signal" option there.

3. use a phone number from a semi-anonymous online VoIP service like https://jmp.chat/ (can be reached via Tor)
Which cost money or can be reused by anyone else. At which point Signal is basically $2.99 per month to use it securely.
3. Use a burner phone.
In many countries, burner phones require registration with biometrics as well.

For example, Germany requires registration of burner phones with ID or passport before any network is allowed to activate the SIM. The ID and passport obviously are linked to your fingerprints and face.

Signal is advertised to people in oppressive regimes as a solution to avoid the government from snooping on their messages (this security from nation states is further implied due to their framing of Snowden comments).

Requiring an identifier that’s linked to a government ID is the opposite of that.

Between a burner or a VOIP number there seem to be options, and I’m not sure that Signal dropping their requirement would improve the platform.
As I said, a burner isn’t an option, as that still requires registration, and a VOIP number costs money.

At the stated goal, of being a free app to allow people to avoid government surveillance, Signal is failing horribly.

It sounds like it works well for about 5/6ths of the world’s population.
A secure messenger that only works when you have a government that respects their citizens privacy isn't very useful, is it?
It works in the US where the govt doesn’t even understand the meaning of the word “privacy” so, yes it seems to work. It works elsewhere too, but understandably it might require money or effort to get going.
I'm wondering if this isn't a lost opportunity by not leveraging something a little more modern like the matrix protocol (which is still decentralized)??
As someone who's worked with ejabberd I was about to suggest they're in for a headache but it looks like the peak player count for Eve Online is something like 65k users. They might not even have to cluster.
Well, the most difficult part is to understand how the Erlang VM / Environment works. Once you have set it up, ejabberd just works. You can have massive scale and large uptime. This, ultimately, saves bigger headaches.
That's the promise but in my experience getting mnesia happy and keeping things clustered is huge pain for ops.
Well, in practice, it is more than a promise. You are not forced to use Mnesia. You can use other backends to simplify the ops. Yes, it is as simple and make managing the platform a breeze. You need to be as stateless as possible.
An interesting aside for the unfamiliar: Eve Online's server is a monolithic app built in Python 2.7 [0]. Anecdotally, it is a hellscape of spaghetti code, sparse documentation, and features whose implementation details are quite literally lost (in that no current maintainer knows how they work or where in the codebase they exist).

0 - https://www.eveonline.com/article/stackless-python-2.7/