That is a fantastic idea actually, but only if we have users login in from the website. Otherwise we would just get spam submissions

They have to log in to get into victory, right?

Yup

Sorry I was thinking of the main site for some reason

Also if we can make honeypots for infiltrators that's be helpful

Like a download all users data button

LMAO

Or a bit more subtle

Maybe like a hidden admin panel

That you can get to fairly easily

Yea

Some proactive defense

I like that for after we get everything secure

It'd let us know to keep an eye on someone

That's like the screenshot notifier

Priorities

- Create Test droplet from current rocketchat instance
- Update to latest version, confirm stable, and install updates on production
- Once stable, change activism upload procedure
- Create honeypot for bad actors on victory site

We also need to get off the app

The app be can use a WAF rule

Can we do that asap?

Setup mod security in front of nginx

I don't care if users lose access, we can sort that out

Write a custom rule with the OWASP rule set given

I can also do it by blocking all API calls that aren't local or from specific server

Via cloudflare rule. Browser uses sockets not api

That'd also block anyone from API raiding us, but we can also put limits on API calls I believe

Lets do that, that is better than doing it at the server layer. We would be hitting it before it even gets to the server

Jake when can you do that?

Thomas will have to since I don't have access to the almighty dns settings

Hey one other item to add, probably first on the list, can someone make sure everyone in this chat is active in the group and also not planning on leaving PF please?

Ok I can work with him if you tell me what needs to change @Jake AR

I am not active, but I am always reachable. Thomas can get a hold of me anytime.

Everyone else is active here

I removed Victor

Did Victor get any keys?

Let me mock up the cloudflare rule. It's pretty easy if I remember

Victor probably did

For which servers?

To at least victory

I am not sure, it was a long time ago

I think the main RC server was rekeyed after Paul was removed

Victor does not have access anymore. He only had access to victory for UI changes. Rotate keys when you can and its good.

Add all this to the list or edit it and pin it

We could test this first.

Jake are you adjusting these now or just showing us?

We already limited API calls to 10 a min

Just showing

Ok

But we could limit it 0 I think except for admins and bots

I like that, does the typical user ever make an API call?

Just when using the app right?

Which are the accounts the scripts use when doing API calls.

Yea, however, Victory probably does too

Victory uses the RC API to authenticate

I assume auth API is allowed otherwise how could it rate limit

Does anyone know the exact API call victory uses?

When I do, someone other than me will have to test app victory.

I would have to check when I get at my computer

Mobile browser should work

I can try hitting it

Thomas shut down the droplet

Victory?

@Jake AR Can we add 2 more items to the list. #1 would be a decoder script so they don't have to manually calculate the "code" values. #2 would be a post upgrade "test script" that outlines how we test the customizations. (you can determine the priority for those)

I thought someone wrote a debug script and uploaded it somewhere for us

The compute script is linked above

I double check it by hand via wolfram alpha

Quick question too since we removed Victor is he trustworthy in your opinions? I have not worked too much with him.

He only ever worked with Paul from my knowledge on one particular project for the UI on victory. I have never worked with him personally or met him.

He has essentially been AFK in here for months which is the exact opposite of what we need

Agreed

We should rekey victory

I suspect he is likely not a bad actor since the number script has been caught people. Antifa would avoid putting their own guys at risk.

In a side note of the server compromise theory they wouldn’t place infiltrators if they had god mode so go speak

Absolutely

They would sit back and do things like Vincent did last night. Just make fun of us.

Someone please create a google doc or cryptpad with our goals, to-do list, MOP, and information we have already gathered.

I will take care of it

I should ask Carter MO to try and meet Victor since that is his area

One more task, to add to the list @Jake AR . Last night late, me and Thomas were in a meeting room, basically nobody else on mumble. I swear I saw a "Victor.AB" or "Victor AB" come in to the lobby, go green, then immediately disconnect. I just want to throw that out there, if there is something you can check on that it might be worth making sure any old accounts are totally wiped and any connections terminated. I think it was like 11:30pm CST last night.

It was like 2 seconds, flashed up, went green and then the person was gone.

I just unauthenticated all accounts that havn't logged in for 25+ days

Looking at the directory, could have been Vincent AZ, but I swear it was AB at the end. Anyway just throwing it out there.

I can check the mumble logs I think

Thanks for all the effort guys, I appreciate it, I know Thomas appreciates it although he may not say it. This team is awesome, and has continually improved over the years. Things that were "impossible" are now in production. If you guys ever need anything related to tech junk, infrastructure, IT job / career related things just reach out to Uncle Ben.

I'll need to review this before we go too far into any projects or changes. The biggest priority was checking the server security. That was done well. If we want to update the server with associated tasks that's good too. However, I don't want to be running any huge changes while there's so much still in the air.

No plans for big changes as far as I know. Just need to update everything to most recent version so that we can’t be exploited against as easily.

Thanks Vincent, I don't have mumble admin access

Here we are @all
https://cryptpad.fr/kanban/#/2/kanban/view/u46aPYse3w0X3voyqYcLVDgqIc5P+ebBcB1Ex+Q+9Cw/

Thank you Jason

@Jason NY I assume I can turn V.pf.us back on and all that?

Let's take a look at this stuff and determine who can take what

I believe we have never been exploited through a lack of a security update, not saying we shouldn't update,but rather I'd put it at the bottom of priorities esp since it has the greatest effect on server uptime

Rekeying all severs would be good though, should do that occasionally anyways

I will work on the following when Thomas gets back
- Create test droplet, start update procedure with some help from Jake hopefully if he has done it before.
- Remove API access via ccloudflare

@Jason NY What on this list interests you

Unless @Matthew MN objects to turning it on, I don’t see why not.

I can do both of those

I mean the cryptpad list