Jake AR
@PF-3320 RocketChat ID: 6AZpoAX3J8Pbm3aNr
653 total messages. Viewing 100 per page.
Prev |
Page 2/7
| Next
Okay
For upgrading rocket chat I think we should try to make a clone of the server and we might be able to do that through our host. Then run an incremental script to upgrade rocket chat through all the minor releases which will upgrade the database schema
If everything checks out, then we implement here.
There's a good chance that all of our customization will be fine. The main issue is: does the database update, and does our front end layout change a whole lot, like the colors, the order of things. Sometimes they add features, so we have to go in and disable them in the settings
If Thomas can make a clone of the server we'll get a new IP address but I'll need to go in there and disable the firewall that only allows you to access the front end from cloudflare. After that we should be able to go into the IP address to test it
Actually I forgot the firewall is through our host so when Thomas makes a clone we just need to disable the firewall settings for that clone server
I say we focus on the next 24 hours getting everybody onto the browser and making sure that's all working and then we can work on cloning a server because if this all gets messed up we're going to need Thomas to go in there and undo the cloudflare stuff so I don't want Thomas doing two things
No, it doesn't. It's all outside rules from cf, so simply delete rule and everything goes back to normal instantly
I just didn't want to rush it just in case we get bogged down helping ppl reset passwords and stuff
I'm cool with it either way. Glad we're getting changes done
Okay. Also just so we're on the same page the goal is to use the sandbox just to test the upgrading process and if that is all good then we will do that live on the actual production server because we don't want to lose messages that happened since the clone
And just as a reminder before we do anything on the production server, we have to have Thomas make a snapshot so worst case scenario we can just revert back to a few hours before. But we'll do that once we're done testing with the sandbox and know that everything works
If it's that fast we can consider swapping, but in the past we've just kept the same server.
Yea, I'd like to know what worked too. I keep docs on all RC processes
@Thomas Steps to clone server: power down main rc server, create a snapshot, power on main rc server, go to MORE next to latest snapshot and choose CREATE, choose the same configuration of memory, I think it's 3gb but check, create some root password and send that to Jason NY, go into the newly created server, choose networking then under firewalls it should say no firewalls applied
@Jason NY I am not sure if the clone copies over ssh keys, but if not the root password should work
Hey John
What can I help you with
Oh I'm barely doing anything. Been away, and got called in since stuff was going down. Vincent and Jason NY and Matthew and Benjamin are a good team. I trust them.
Yea we found the first one with our magic. I know they are looking through stuff as we speak.
Hopefully through all this we learn some new ways to strengthen our security. But these things inevitably happen. How are you dating?
Dang
It's bittersweet. I like to see our guys helping each other out. Like a wounded man on the battlefield.
You guys got a tough state. Gotta be hardened to be in WA
Yea I saw the article. Honestly made them look good, cooking for everyone
Barefoot and pregnant, nice. Once you're doxxed though, you can sorta become invincible
Glad you're taking care of your men. Let us know if you got any more tips or ideas on how to prove there's another mole and who it might be.
You know what I just noticed, the secret hashes are not added to new messages
Idk how if it's when I left and came back it's like it didn't update the new messages. Let me know if you guys notice that. I might have to update the JS. Those hashes are critical
Yea it'll work then, but this is a bug
I'll look into it and see if there's a more reliable way to trigger the JS. Yes it may be unavoidable
For JS yes, but idk about mobile
I think this is a Mobile issue
I mean mobile browser because I think when you change tabs it might stop js events or something
Yea.
I added a timer that checks every second for any unhashed messages
Video is top notch.
I am not aware. I thought we could have but disabled them. I am not familiar with nginx
@Jason NY the password Thomas made for root user is not working? It may be because I have disabled logging into the server via password and as root. We may have to turn those settings off then clone.
Also I joined mumble and was let into the room with no verification. Idk if that was not the normal process or not. I didn't know if every account in mumble has been verified as that user. I assume we'd see duplicates or someone who is no longer part of the org join if they weren't who they appeared to be
Okay, but normally we message on RC?
Okay, but this meeting was an exception. Gotcha
We could prevent non us ips, but I bet our own members use non us ips. I agree with using VPN users as a way to narrow down suspects
@Vincent TX did you try logging into clone server as root with password? I assume it didn't let you
I think it clears keys but kept my security settings
We should delete the clone and make a new one after I remove those security settings temporarily
Okay, hmm
I think Thomas may be able to create a clone and provide a key that is added
I'll disable security settings then have Thomas clone and then reenable them. I'll just have to plan it with @Thomas. For now, Thomas you can delete the newest server.
Yes, it'll only be a few mins
Also when are we wanting to disable the app?
The only risk of disabling that security is getting DDoS
@Thomas let's schedule a time to do the clone and to do the cloudflare change (disable app) so I can be present the entire time
@Jason NY I have given the Logs role permission to bypass rest api rate limits
We may be able to hide the user lists in the big channels like activism and announcements via JS to make it harder to impersonate
Otherwise you'd have to manually use search feature for each letter to get all names. Also you can see who clicks on the emoji buttons I thought, so maybe it's hard to hide all user names
I just checked and the script was not activated. I just readded it. So we should get alerted when print screen key is pressed on PC.
Screenshot_20211212-211051_Gmail.jpg
Got the test
@Vincent TX let's add this to cryptpad. It may not be possible since the JS script I use only has access to front end stuff
Do we want to block the mobile app or upgrade RC first?
Is getting server better now?
Yea I see the vetting server is still 2gb memory
Screenshot_20211212-224009_Chrome.jpg
Screenshot_20211212-223942_Chrome.jpg
First is main, second is vetting
Let me check
But vetting could use more memory, it looks like it has 2 cpus which probably isn't necessary
Screenshot_20211212-224320_Chrome.jpg
Screenshot_20211212-224259_Chrome.jpg
I'm not familiar with tg
Okay, cool. My account is @PineGangGang
@Thomas we are looking to disable the app via cloudflare tomorrow if possible. Let me know what time works best for you.
Lmao
Here are the notes I have on downloading the database
docker exec -it mongo bash
mongodump --db=rocketchat --gzip --archive=/dump --excludeCollection=rocketchat_message_read_receipt
exit
(download the archive.gz and delete it via SFTP)
I need to SFTP to also locate the folder with all the uploads. I forget but there was something in particular about migrating the database before or after you upload the uploads folder if you did it in the wrong order it actually deleted all the uploads
"rc should be turned off
import latest DB
move uploads contents to the app/uploads folder (change permissions to 777)". My notes say that the uploads come after the database is imported. So you might want to look in the server under the app folder and you may see the uploads folder
Do we have different login IPs for Tyler wa?
Do we want to work on getting IPs of users in RC? Or is that more of a liability
@Vincent TX can you add the task to test if any IPs are logged on server. And assign it to me. I'll use a VPN and then look for the IP on the server to see if it's logged anywhere. We could use a script that checked if an IP was from a VPN and what state IP is from and then forward that data to a monitored channel, so we would have a history of every time a user accesses the server and from what state and if it was from a VPN or not. Would that be a liability?
We would not save any specific IPs just state and time
We should have had an access log implemented a while back
Yea, that's an option.
Also another reason why the app needs to be discontinued is because it, if I understand correctly, saves messages even after they are pruned
We could turn the IP into a hash that couldn't go backwards
So let's add that to tasks: create access logs for user, date, time, IP, State, hashed IP, and if possible logging certain actions like opening a channel or searching for a username
Make that a second task and right now it can be unassigned
The first task I mentioned was mostly about making sure that we aren't unknowingly saving IP information and making sure that we clear it if we are
Thanks
Push notifications are disabled
Maybe the webhooks has to do with the app? We could test to see if our messages appear when we use the browser or app
Did Thomas put SD card in his PC??