Jake AR

@PF-3320 RocketChat ID: 6AZpoAX3J8Pbm3aNr


653 total messages. Viewing 100 per page.
Prev | Page 2/7 | Next

Okay

For upgrading rocket chat I think we should try to make a clone of the server and we might be able to do that through our host. Then run an incremental script to upgrade rocket chat through all the minor releases which will upgrade the database schema

If everything checks out, then we implement here.

There's a good chance that all of our customization will be fine. The main issue is: does the database update, and does our front end layout change a whole lot, like the colors, the order of things? Sometimes they add features, and so we have to go in and disable them in the settings

If Thomas can make a clone of the server we'll get a new IP address but I'll need to go in there and disable the firewall that only allows you to access the front end from cloudflare. After that we should be able to go into the IP address to test it

Actually I forgot the firewall is through our host so when Thomas makes a clone we just need to disable the firewall settings for that clone server

I say we focus on the next 24 hours getting everybody onto the browser and making sure that's all working and then we can work on cloning a server because if this all gets messed up we're going to need Thomas to go in there and undo the cloudflare stuff so I don't want Thomas doing two things

No, it doesn't. It's all outside rules from cf, so simply delete rule and everything goes back to normal instantly

I just didn't want to rush it just in case we get bogged down helping ppl reset passwords and stuff

I'm cool with it either way. Glad we're getting changes done

Okay. Also just so we're on the same page the goal is to use the sandbox just to test the upgrading process and if that is all good then we will do that live on the actual production server because we don't want to lose messages that happened since the clone

And just as a reminder before we do anything on the production server, we have to have Thomas make a snapshot so worst case scenario we can just revert back to a few hours before. But we'll do that once we're done testing with the sandbox and know that everything works

If it's that fast we can consider swapping, but in the past we've just kept the same server.

Yea, I'd like to know what worked too. I keep docs on all RC processes

@Thomas Steps to clone server: power down main rc server, create a snapshot, power on main rc server, go to MORE next to latest snapshot and choose CREATE, choose the same configuration of memory, I think it's 3gb but check, create some root password and send that to Jason NY, go into the newly created server, choose networking then under firewalls it should say no firewalls applied

@Jason NY I am not sure if the clone copies over ssh keys, but if not the root password should work

Hey John

What can I help you with

Oh I'm barely doing anything. Been away, and got called in since stuff was going down. Vincent and Jason NY and Matthew and Benjamin are a good team. I trust them.

Yea we found the first one with our magic. I know they are looking through stuff as we speak.

Hopefully through all this we learn some new ways to strengthen our security. But these things inevitably happen. How are you dating?

Dang

It's bittersweet. I like to see our guys helping each other out. Like a wounded man on the battlefield.

You guys got a tough state. Gotta be hardened to be in WA

Yea I saw the article. Honestly made them look good, cooking for everyone

Barefoot and pregnant, nice. Once you're doxxed though, you can sorta become invincible

Glad you're taking care of your men. Let us know if you got any more tips or ideas on how to prove there's another mole and who it might be.

You know what I just noticed, the secret hashes are not added to new messages

Idk how if it's when I left and came back it's like it didn't update the new messages. Let me know if you guys notice that. I might have to update the JS. Those hashes are critical

Missing attachment: Screenshot_20211207-224101_Chrome.jpg

Yea it'll work then, but this is a bug

I'll look into it and see if there's a more reliable way to trigger the JS. Yes it may be unavoidable

For JS yes, but idk about mobile

I think this is a Mobile issue

I mean mobile browser because I think when you change tabs it might stop js events or something

Yea.

I added a timer that checks every second for any unhashed messages

Video is top notch.

I am not aware. I thought we could have but disabled them. I am not familiar with nginx

@Jason NY the password Thomas made for root user is not working? It may be because I have disabled logging into the server via password and as root. We may have to turn those settings off then clone.

Do we need to increase ram to 3gb like main server?

Also I joined mumble and was let into the room with no verification. Idk if that was not the normal process or not. I didn't know if every account in mumble has been verified as that user. I assume we'd see duplicates or someone who is no longer part of the org join if they weren't who they appeared to be

Okay, but normally we message on RC?

Okay, but this meeting was an exception. Gotcha

We could prevent non us ips, but I bet our own members use non us ips. I agree with using VPN users as a way to narrow down suspects

@Vincent TX did you try logging into clone server as root with password? I assume it didn't let you

I think it clears keys but kept my security settings

We should delete the clone and make a new one after I remove those security settings temporarily

Okay, hmm

I think Thomas may be able to create a clone and provide a key that is added

I'll disable security settings then have Thomas clone and then reenable them. I'll just have to plan it with @Thomas. For now, Thomas you can delete the newest server.

Yes, it'll only be a few mins

Also when are we wanting to disable the app?

The only risk of disabling that security is getting DDoS

@Thomas let's schedule a time to do the clone and to do the cloudflare change (disable app) so I can be present the entire time

Getting rate limited when using API? I can try disabling that for you

@Jason NY I have given the Logs role permission to bypass rest api rate limits

I second this

I am not aware of that

We may be able to hide the user lists in the big channels like activism and announcements via JS to make it harder to impersonate

Otherwise you'd have to manually use search feature for each letter to get all names. Also you can see who clicks on the emoji buttons I thought, so maybe it's hard to hide all user names

I just checked and the script was not activated. I just readded it. So we should get alerted when print screen key is pressed on PC.

Screenshot_20211212-211051_Gmail.jpg

Got the test

@Vincent TX let's add this to cryptpad. It may not be possible since the JS script I use only has access to front end stuff

Do we want to block the mobile app or upgrade RC first?

Is getting server better now?

Yea I see the vetting server is still 2gb memory

Screenshot_20211212-224009_Chrome.jpg

Screenshot_20211212-223942_Chrome.jpg

First is main, second is vetting

Let me check

But vetting could use more memory, it looks like it has 2 cpus which probably isn't necessary

Screenshot_20211212-224320_Chrome.jpg

Screenshot_20211212-224259_Chrome.jpg

I'm not familiar with tg

Okay, cool. My account is @PineGangGang

@Thomas we are looking to disable the app via cloudflare tomorrow if possible. Let me know what time works best for you.

Lmao

Missing attachment: cf.png

Here are the notes I have on downloading the database

docker exec -it mongo bash
mongodump --db=rocketchat --gzip --archive=/dump --excludeCollection=rocketchat_message_read_receipt
exit
(download the archive.gz and delete it via SFTP)

I need to SFTP to also locate the folder with all the uploads. I forget but there was something in particular about migrating the database before or after you upload the uploads folder if you did it in the wrong order it actually deleted all the uploads

"rc should be turned off
import latest DB
move uploads contents to the app/uploads folder (change permissions to 777)". My notes say that the uploads come after the database is imported. So you might want to look in the server under the app folder and you may see the uploads folder

Do we have different login IPs for Tyler wa?

Do we want to work on getting IPs of users in RC? Or is that more of a liability

@Vincent TX can you add the task to test if any IPs are logged on server. And assign it to me. I'll use a VPN and then look for the IP on the server to see if it's logged anywhere. We could use a script that checked if an IP was from a VPN and what state IP is from and then forward that data to a monitored channel, so we would have a history of every time a user accesses the server and from what state and if it was from a VPN or not. Would that be a liability?

We would not save any specific IPs just state and time

We should have had an access log implemented a while back

Yea, that's an option.

Also another reason why the app needs to be discontinued is because it, if I understand correctly, saves messages even after they are pruned

We could turn the IP into a hash that couldn't go backwards

So let's add that to tasks: create access logs for user, date, time, IP, State, hashed IP, and if possible logging certain actions like opening a channel or searching for a username

Make that a second task and right now it can be unassigned

The first task I mentioned was mostly about making sure that we aren't unknowingly saving IP information and making sure that we clear it if we are

Thanks

No, that's all done with JS in browser

Push notifications are disabled

Maybe the webhooks have to do with the app? We could test to see if our messages appear when we use the browser or app

Did Thomas put SD card in his PC??
