tech-team
RocketChat ID: 4xBSWiLiQjEDjp5Gp
2,194 total messages. Viewing 100 per page.
Page 9/22
Vincent is going to up the slots and then restart
Growing pains. Look at how epic we are we need more licenses!
Dropping N bombs during a meeting with half of the org :thinking:
@Vincent TX Can you take away the ability to type in the channel? For most people text-to-speech is enabled by default. It's very disruptive to the meeting.
I agree with the text to speech change.
Fixed text
Jason try to type
"Everybody please applaud!"
[Gates of hell are opened]
I had to put headphones in
Interview server needs to be restarted before interviews start, it’s flickering on and off for some reason.
I turned it off right as it fixed itself.
Going to be more hands off.
It needed a restart anyway, was turning off and back on again for about an hour.
@all Antifa was in the meeting
https://twitter.com/afainatl/status/1469518891974078470?s=20
Man, they can't help themselves but immediately post about it.
I am not sure how hard it is to log on to Mumble as someone else, I know there is a certificate and registration involved. But if there are any Mumble vulnerabilities might look into them since we all use the same password right?
It's just someone logging in that is an infil
Very likely, not a technical item. But why would they give themselves up?
Because they live off of hubris
Total lack of chill on their part. Stupid.
Ok, well I will leave you guys to it. I am sure there are logs to pull, and attendee lists to gather up.
Working on it now
If we don't come up with any new leads, we take Ben's idea and start over with a full list of the membership. Start interviewing Directors and POCs and marking names off until we're down low.
I'm messaging the directors/cluster leaders of the guys we have now.
Will provide the info tomorrow when I get it back
Given the reactionary nature of the methods we are using we don't have much to go off of
We shouldn't proactively collect tons of intel on the general membership. Security has to be preventative and then responsive. Proactive measures can be just as dangerous if the wrong people get into the position to conduct them.
The VPN user list is good. Using a VPN doesn't mean you're antifa, but I doubt antifa would connect without having a VPN on.
I would mention nothing regarding VPNs for members. Members are less likely to use them so it is a tipoff of a possible bad actor.
The 2 most suspicious guys being disabled is a really good start. If they make no attempt to email or contact their ND to get their account unlocked, they're probably an infil.
Tomorrow we start over with the full meeting attendee roster unless there's a breakthrough. Even if some weirdos get suspended in the crossfire, we're going to make up our losses with the new recruitment surge.
Listening to the recording on Twitter it seems like they were recording something playing over speaker with another device
If we mention to members to not use VPNs then that will get out and someone will really start calling us Feds. I agree that we shouldn't mention it. We can ban certain VPNs / VPN ranges though which might be worthwhile. People are going to typically connect through the fastest / closest regional server on their VPN. So if we have suspects from CA using say ProtonVPN, basically we can ban those specific servers and see what happens.
We should block all non-US addresses
Or we plan it out, ban the entire Proton range (in the example above) and then tell the person to get online ASAP. They will connect from something else that shows more info.
With ProtonVPN, they have an option called "secure core" that routes you out from the us, into a non-US country, then back into the US. So if someone wants to stay private they can still do that.
I am on Secure Core for RC, but regular VPN for everything else. Still fast too so if anyone is looking for a good VPN check that one out.
Was Norman CA NorCal or SoCal
@Jason NY the password Thomas made for root user is not working? It may be because I have disabled logging into the server via password and as root. We may have to turn those settings off then clone.
@all For now we can assume the server is safe. Tonight the infiltrator revealed the attack is not technical in origin but personal. There is at least one infiltrator among us in the PNW area.
What we know.
- The current infiltrator knew about John's meeting on Monday (Only John's network and California Regional members were aware)
- The current infiltrator was in this last meeting (Over 100 attendees)
- The infiltrator attended the event
I will be compiling this data further tomorrow to cross reference further. We continue to pick up more and more information so this is only a matter of time.
Also I joined mumble and was let into the room with no verification. Idk if that was not the normal process or not. I didn't know if every account in mumble has been verified as that user. I assume we'd see duplicates or someone who is no longer part of the org join if they weren't who they appeared to be
I verified you Jake
In this particular case Thomas asked me to verify everyone that I could while the meeting was going
Okay, but normally we message on RC?
You are correct though, we may want to check that. It was floated before as well.
Yes, always.
Either myself or Thomas
Okay, but this meeting was an exception. Gotcha
We could prevent non-US IPs, but I bet our own members use non-US IPs. I agree with using VPN users as a way to narrow down suspects
@Vincent TX did you try logging into clone server as root with password? I assume it didn't let you
Yes, purely password authentication did not work. I would imagine it is using the same key as the server it was cloned from, no?
I think it clears keys but kept my security settings
Alright
Is there any way for us to sort that out and make sure @Jason NY has access to the main rocketchat server and also the cloned one to start on upgrades
We definitely want to keep key as the only access
We should delete the clone and make a new one after I remove those security settings temporarily
Okay, hmm
I think Thomas may be able to create a clone and provide a key that is added
Thomas can do that whenever we want, just ask him
But you may need to help him with the key portion. I have never done it using the panel he has, only in cli on a server.
I'll disable security settings then have Thomas clone and then reenable them. I'll just have to plan it with @Thomas. For now, Thomas you can delete the newest server.
Jake just make sure to do this only when Thomas is ready and for a very short amount of time
Yes, it'll only be a few mins
Ok
Also when are we wanting to disable the app?
The users have been made aware, any time is fine I suppose.
The only risk of disabling that security is getting DDoS
@Thomas let's schedule a time to do the clone and to do the cloudflare change (disable app) so I can be present the entire time
https://mobile.twitter.com/afainatl/status/1469576254382911495 Audio recording was uploaded
They uploaded the full recording. The first bit is Vincent saying “I'm going to move everyone to room 6”. That was pretty early in the meeting. Also I believe it was before the server restart. If true we can cross everyone off the VPN list who came after the restart.
Yes, it’s before the server restarted. That should cut a few off of our list.
Norman CA is 17, brand new, no real suspicions. Still deactivated.
@Jason NY It only shows last login.
Can you check last login of people on our list who still have interviewee accounts? Ethan OH is one
Last login
November 21, 2021
Okay, that’s to be expected for the average member. I would be suspicious of somebody who was accepted a month ago but logged in yesterday or something.
Vincent needs to do that.
That seems to be our best lead right now. I get that list and hand it over to the Directors, and they start checking off names. We start with the NW's, then work our way out.
Once we're down to five or fewer names, and we're still not sure, they get axed.
Imo we should start with the first 100 people to connect who were using a VPN. I’m pretty confident that any infiltrator would be on a VPN 24/7.
I think when the first 100 is cross referenced with the VPN list we can narrow it down to 10 names or less.
Both. Still need the list.
Yep, I messaged Vincent on telegram. Hopefully he can get the list to me so I can check it while he’s driving.
Also need a list of everyone who was verified last night so that we can message them on rocket to confirm it was actually them and not an impersonator.
James NC has been deactivated. Looked through his account. Nothing that far out of line. He backed out of event last minute, and is fat. Had some other suspicious acts, got doxxed by Asheville area antifa. Backed out of Mitchell hike last minute as well. Either way, he's gone.
Does a dox rule out that he's an infil or do you think they're blackmailing him?
No. I haven't delved into it.
Gotcha
@Jason NY You or someone else pore over the tweets and see if they left us any hints.
Sure thing
The person who recorded the meeting was most likely connected via a PC, with audio coming out of speakers, and recording it on their phone. It is definitely not a direct recording from the PC and I can hear clicking in some of the audio.
Then let's take the list of 100 down by what they were connected on. I know I can see that with Mumble accounts.
That's a much more certain factor than use of a VPN.
The full audio clip released by atlanta afa was recorded directly with no clicking noises. The shorter clip posted by IGD was recorded from a speaker with clicking noises. It may actually be that the IGD editor recorded the audio sent to them on their phone.
Work on that. I'm going through the vetting script and then going to start crossing names off that big list.
If you can, use the cryptpad sheet and change threat level to Cleared for the people you remove
"(Could have been deliberately sent to a different group/region as a red herring)"
Absolutely. They almost always do this.