Instructions for using Jabber with Systemli on Pidgin
1.) Why use Jabber via the Systemli server?
The Jabber-server of Systemli is maintained by a techie-collective belonging to the radical political left. The server itself is encrypted. Connections to the Jabber-server of Systemli are only possible with SSL-encryption. This means that your Jabber-conversations with other Systemli users (address ending in …@jabber.systemli.org) is completely encrypted through SSL. This equates the encryption standard of online-banking and is said to be safe. There are also other Jabber-servers: jabber.ccc.de of the Chaos Computer Club can be recommended as well as long as the SSL-encryption is enabled. (Advice: if you don't completely trust SSL (and/or the Systemli-peeps) and you wish additional encryption: use Off-the-record-encryption (OTR) or GPG additional to SSL: OTR/Pidgin . Here at Systemli we use it as well!)
b.) Against surveillance:
Whoever tries to watch you can find out what times you go online encrypted with systemli.org. They can also see who else is doing this and when. They can monitor your encrypted traffic and make out if you use it more frequently at certain times. But they can't see who you are communicating with or about what. This results in very minor findings during a surveillance. (When using pgp-encrypted e-mails the findings are more interesting as they can see who you are talking to!) (Advice: if you don't want anyone to be able to find out when you are connecting to systemli.org and how much traffic you have, use the additional tool called TOR (see further down) to anonymise your conversations).
2.) Download Pidgin:
http://www.pidgin.im/download/windows/ or chose your corresponding operating system. (With Linux you can just use the general software download pool)
3.) Checking the download:
If you're techno-savvy enough you should check if you really downloaded the right software (when using Linux this is not necessary). If you're not…. pray to Bakunin that the cops or other fuckwits didn't just send you a fake Pidgin that turns out to be a 'federal trojan' (a spyware sent by the government).
4.) Install Pidgin
Install Pidgin as your operating system demands it.
5.) Set up account on server:
Visit https://www.systemli.org/service/xmpp.html and click „Einen neuen Account anlegen“ to register a new account.
5.) Start Pidgin, set up account:
a) Tab: Basic:
Protocol: XMPP User: choose a name that is random enough so you can't be identified through it Resource: leave that one blank (this is important as it could reveal information about your computer) Domain: jabber.systemli.org Password: insert your password here (special characters, numbers, upper and lower case; at least 12 digits long; don't use it for anything else). DON'T tick the box 'save password' (you should only ever consider this if your computer is completely encrypted). Rest: leave blank
Tick box: 'create this new account on server' and press 'Add'.
b.) Tab: Advanced:
DON'T tick box: 'Allow plaintext auth over unencrypted streams'
Connect port: 5222 Connect server: leave blank [in case you use TOR you should insert the IP-address of the jabber server here (Command: tor-resolve jabber.systemli.org) In Windows you can find tor-resolve under %PROGRAMFILES%\Vidalia Bundle\Tor\] File transfer proxies: there is something pre-chosen, make it empty
BOSH URL: leave blank Show Custom Smilys: why not,they're quite funny and useful
c.) Tab: PROXY:
If you don't use TOR, you can leave this as it is. If you would like to use TOR, you firstly have to get it up and running: https://www.torproject.org/ Then adjust the settings as follows:
- Proxy type: SOCKS 5
- Host: 127.0.01
- Port: 9050 (if you're using Tor standalone), 9150 (with TorBrowser)
- Rest: leave blank
sudo /etc/init.d/tor stop
If you lost the connection to the jabberserver after it, you set up tor and pidgin correct. Now you can start tor again and login to you jabberaccount:
sudo /etc/init.d/tor start
This is very important to do it right! If you got something wrong in the earlier steps, your jabber is quite likely to just not work. But if you make a mistake now, jabber works but you endanger you and other users!
a.) Disable Logging
Logging Tools → Preferences → Logging YOU HAVE TO TURN OFF ALL LOGGING!!! Make sure that non of the 'Log'-boxes are ticked. It is crucial that you do that before starting the first chat! Afterwards you can 'go online'
b.) Test SSL certificate
Now you get a message about a the SSL certificate. Look at the fingerprint before your first chat! Compare the SHA-1 fingerprint with the one you can see on https://www.systemli.org If the two fingerprints are similar, you can click on 'accept' or a respective button. Pidgin might tell you that it can't validate the fingerprint, but you can ignore that, as you have just done that yourself. The fingerprint expires at some point and a new one will be issued, which you can find under https://www.systemli.org/ or https://twitter.com/systemli. You will be notified before the certificate is renewed. At all times you can view the fingerprint of your account at: tools → certificate → info, to compare it with the ones displayed on the website. In case you are notified about a changing certificate and you can't find any hint on the Systemli website, please let us know immediately (mailto:email@example.com, you can find the pgp key on the website)!
To be able to encrypt your messages, download OTR (off-the-record-messaging) from this page: www.cypherpunks.ca/otr/ you will find it then in pidgin under 'tools' → 'plugins' enable the plugin 'off-the-record-messaging' close and restart Pidgin once you have added buddies, double-click on one of them as if wanting to write a message; go to 'conversation' → 'more' → 'OTR settings' and make sure that the box 'don't log OTR conversations' is ticked.
8.) Looking for your chat partners
When you are online, you can add buddies to your list with 'Buddies' → 'Add Buddies'. If you are being added, you get a message asking you to confirm that buddy. To start a chat, double-click on the buddy. If the one you want to talk to is not online, you can leave a message that they will receive when they go online. Once the messages have been delivered, they are not on the Systemli server anymore. Because no-one uses logging (hopefully), the messages are gone after you have logged off from Pidgin. The one thing that remains on your computer though is the list of your buddies. If your computer is not completely encrypted and it gets confiscated/ stolen, who ever did it can access the buddy-list (including all of the infos your buddies have attached to their online appearance, and also anything you have renamed their nicks!). Therefore, please consider the following point!
9.) Don't do anything stupid!
- If there is some kind of emergency and you need to use jabber via a browser, use:
https://systemli.org/jabber/, never anything different (like meebo, imo.im etc.).
- °Take care that no-one can access your computer while you are logged in to jabber and log out once you leave the house/flat.
- Don't save your password on your non encrypted computer or on the computer of someone else. ° Don't change the nicks of your buddies into their real names and also don't give any other hints on their identity.
- Don't attach any personal information to your own account, e.g. don't use your photo as an avatar.
- Regularly update the security of your operating system and of Pidgin and use an anti virus program if you have MS Windows.
- Be aware that the software you use could be hacked by a 'federal trojan' or the actual hardware could be bugged. Someone could also listen in to your conversations via capturing the signals of your screen or keyboard, quite similar to acoustic surveillance. Keep that in mind when communicating and don't be careless.
- Ask your chat partners if they know about these security measures, e.g. if they deactivated the logging.