They see us movin'. They hatin'.

17 Nov 2016

Running a simple, solid, stable service has the ‘downside’ that nothing much noteworthy ever happens, so our blog section is relatively quiet. But for once, there’s something we’d like to give you a heads-up about: We’re moving sometime (tm) soon (tm).

We’ve been with Vultr ever since we started, and while they have been great so far, both in terms of speed and stability, there are some things that made us consider moving, already a while ago.

We’re paying around 25$ every month for our server, and we don’t even fully utilize the resources we have at our disposal. At the same time, we could easily get the same hardware, in physical form, for half of the money. While we are fine with paying what we pay, it makes sense to cut down the monthly costs, since we’re a bunch of hobbyists, paying this out of our own pocket. Additionally, switching to dedicated hardware would prevent a whole class of attacks from being effective, effectively making us the only potential rogue operator.

Besides that there are some software and design choices we need to re-evaluate - nothing related to our choice of XMPP-server, but rather the way our monitoring and backups work, in order to make the whole thing a bit more resilient.

When we started this service, StartSSL was the only (really) viable option for free TLS-certificates, so we went down that route. That was drastically changed by the appearance of Let’s Encrypt, and since our certificate will expire at the beginning of 2017 we’ll use the upcoming move to switch certificate authority.

We can’t exactly tell you when the move is going to happen, we’re anticipating it to be somewhere around December 8th - the point is though: It should barely be noticeable, nothing will change for you except the certificate. We’ll post an update once the move is finished.

Generally speaking, and last but not least, feel free to talk to us. We’re home to several dozen users by now, and while we’re happy that they are happily, quietly chatting away - we’d like to have some feedback. So if there’s something you want to see or want to see done better .. hit us up, fam.

Published on 17 Nov 2016 by dot|not

Like what you see? Check out the Archive.


mod_require_otr enabled soon

08 Jun 2016

The important part of this entry first: Starting from Friday, the 10th of June 2016, the XMPP-server for slothkrew.com will require you to use OTR for all of your messages. Plaintext chat won’t work any longer. That also means that there will be a downtime of a few seconds when we restart the server to load the new module. Sorry for the inconvenience.

The main upsides are obvious - now we really don’t have any possibility to peek into your private conversations without doing some very complicated OTR-MitM-attack that isn’t, as far as I am aware, feasible due to the very specific design of OTR. And if we can’t see your dank memes, that means that the chances aren’t that bad that an adversary can’t either. That’s a win!

image

(I hope it’s as painful to look at as it was painful to make.)

The downside is that groupchats obviously won’t work anymore. We are aware of that, but since groupchats are, generally speaking, only a fraction of traffic, we think it’s worth the risk.

We’re also aware that not all clients out there actually support OTR. We did some research and came to the same conclusion as we did back then when we had to decide on ciphersets and the lot. The bulk of clients, especially the popular ones (such as Pidgin, Adium, Miranda), support OTR. Some of them do it out of the box, all of them via plugin. Even several mobile clients support OTR. To be brutally honest, .. in this day and age, if your client does not support OTR it’s wise to switch to a saner one.

As usual: If you have any problems, don’t hesitate to drop us a note.

Update 12th of June: The plugin has been enabled for a few days now. No problems so far. We’ve updated the description page on this site to reflect these changes.

Published on 08 Jun 2016 by dot|not



Registration closed once again

15 Mar 2016

Somebody (tm) is once again trying to massively register accounts that look like they are about to be used as part of a C2-infrastructure. We won’t even bother looking into it this time. The accounts have been locked and will be deleted in 48 hours unless somebody comes forward. We’ve closed public registration for now to stop the flow of probably abusive accounts, we’ll reopen tomorrow, when the storm has passed. If you want an account in the meantime, just drop by in the IRC.

Sorry for the inconvenience, we’re working on a solution so that this won’t happen again.

Published on 15 Mar 2016 by dot|not
