Matthew Hodgson ara4n

We consider three attackers:

A malicious third party trying to discover the identity server mappings in the homeserver.

The malicious third party scenario can only be protected against by rate limiting lookups, given otherwise it looks identical to legitimate traffic.

An attacker who has stolen an IS db

In theory the 3PIDs could be stored hashed with a static salt to protect a stolen DB. This has been descoped from this MSC, and is largely an orthogonal problem. XXX: is this the right thing to have done?

A compromised or malicious identity server, who may be trying to determine the contents of a user's addressbook (including non-Matrix users)

I once wrote one of these before for @NegativeMjark but I think I lost it. So here's another.

All you need to know is:

$foo is a scalar (i.e. a single dimensional variable)
@foo is an array. $foo[n] is the element of an array.
%foo is a hash. $foo{'moo'} aka $foo{moo} is the value in the hash for key 'foo'.
\ is the reference operator. it returns a scalar which points to the address of the variable (like & in C).
(1, 2, 3) is a list. (an array is a variable which contains a list).
[1, 2, 3] (rarely: \(1,2,3)) is a reference to a list - aka arrayref
$foo->[n] gives an element of an arrayref

matrixCal: a saner(?) mapping of iCal into JSON than jCal

BEGIN:VCALENDAR
PRODID:-//Apple Inc.//Mac OS X 10.11.6//EN
VERSION:2.0
METHOD:REQUEST
CALSCALE:GREGORIAN
BEGIN:VTIMEZONE
TZID:Europe/London

	<html>
	<script src="https://cdn.jsdelivr.net/npm/preact/dist/preact.min.js"></script>
	<script type="text/javascript">

	const h = preact.h;

	class Timeline extends preact.Component {
	render() {
	return ( // we manually convert JSX into h() to avoid depending on babel or similar
	h('ol', null,

	<html>

	<style type="text/css">
	#timeline ol {
	list-style: none;
	}

	.sender {
	float: left;
	width: 200px;

	<html>

	<style type="text/css">
	#timeline {
	list-style: none;
	}

	.sender {
	float: left;
	width: 200px;

	random interesting factoid:

	lazyloading reduces most of my accounts initial sync by about 4-5x
	i was wondering about ways to shrink further (short of paginated sync)
	and so tried expressing it as CBOR
	doing something like:

	perl -MJSON::XS -MCBOR::XS -MFile::Slurp -e '$z=read_file(\*STDIN); print encode_cbor(decode_json($z));'

	turns out for @matthew2's initial sync, this reduces 4.5MB of JSON to 3.7MB of CBOR.

	@matthew:matrix.org

	Riot/Web (Chrome, new MBP)
	Device ID: QEOYHMYOKQ
	Device key: fHP8 sbsK KgNy dwgS Smtr ipQA Y21+ 8eC9 UIXB 0ut/ BOk

	Riot/iOS (iPhone 7+)
	Device ID: KONWLQRIIC
	Device key: 4/A4 1wrI xZX3 GSiY pME1 aZqP 7iGs ifi9 79UC oNyL JO8

	# Moving subtitles 4 seconds into the future:

	cat subs.txt \| perl -ne 'sub fix { $t=$_[0]601000 + $_[1]1000 + $_[2]; $t+=4000; return sprintf("%02d:%02d.%03d", int($t/(601000)), int($t/1000) % 60, $t % 1000); } if (/^0:(..):(..).(...),0:(..):(..).(...)$/) { $a=fix($1,$2,$3); $b=fix($4,$5,$6); print "0:$a,0:$b\n" } else { print $_ }' > subs2.txt

	#!/usr/bin/env python

	# see https://docs.google.com/document/d/1m4VTRqclB3JEMZBjbr4t5cvIMQUNSGxy6rYN4YtopIk/edit#heading=h.92ptkhvsmxtd

	def recognised(type):
	# a smart client who understands indexed types will strip off any indexing:
	# import re
	# type = re.sub(r'\.\d+$', '', type)

	# a typical smart client: