Official Kiwi Farms Riot/Matrix Server - pt 8: lol nm

[CrunkLord420]

@CrunkLord420 RABBLE RABBLE RABBLE where's the server @ already RABBLE RABBLE RABBLE

ITS UP AT MATRIX.KIWIFARMS.NET, MAKE A NEW ACCOUNT

For people not as involved, I've moved the matrix server from riot.kiwifarms.net to matrix.kiwifarms.net, and https://riot.kiwifarms.net will be used to host the webclient going forward.

There's a bug in the client which is fixed in the release candidiate where you can't log out of an offline server. Delete/move your old Riot directory: C:/Users/USER/AppData/Roaming/riot or ~/.config/Riot

 

[Marvin]

Oh damnit, I lost my avatar.

 

[CrunkLord420]

Dark theme is now in develop branch, deployed to https://riot.kiwifarms.net/ or use https://riot.im/develop/ . I see no reason to use the stable desktop app at this point, the RC's performance boost/memory reduction is significant.

 

[Stock Image Photographer]

I'm getting an error when I click the link that says "Unable to query for supported registration methods." I initially chalked it up to my overload of extensions on Firefox, but I'm getting the same error on my significantly less locked-down Chromium install, too.

 

[CrunkLord420]

I'm getting an error when I click the link that says "Unable to query for supported registration methods." I initially chalked it up to my overload of extensions on Firefox, but I'm getting the same error on my significantly less locked-down Chromium install, too.

I just fixed a bug in the client's default config, let me know if that helps.

 

[Stock Image Photographer]

I just fixed a bug in the client's default config, let me know if that helps.

That seems to have fixed it, registration works perfectly now.

 

[Desire Lines]

Dark theme is now in develop branch, deployed to https://riot.kiwifarms.net/ or use https://riot.im/develop/ . I see no reason to use the stable desktop app at this point, the RC's performance boost/memory reduction is significant.
View attachment 664677

so uh, how do you download the developer branch? or is it currently browser-only?

 

[CrunkLord420]

I fixed another bug, this time with federation, so if you were having issues joining to/from another homeserver it should be good now. This was due to matrix needing to be the default in nginx, instead of the webclient.

so uh, how do you download the developer branch? or is it currently browser-only?

Yes, it's currently browser only unless you build it yourself as an electron app.

The official Riot 1.0 client is now out as stable, you can download it at: https://riot.im/desktop.html
The web client has also been updated: https://riot.kiwifarms.net/

It performs and looks much better.

Synapse Update: https://matrix.org/blog/2019/02/14/synapse-0-99-1-1-released/

The server is effectively offline until Null gets home and can increase the memory of the server. The OOM Reaper is murdering Synapse over and over. Sorry fams.

The server now has double the RAM, that should stop synapse from getting killed by the kernel.

Synapse updated to 0.99.2: https://github.com/matrix-org/synapse/releases/tag/v0.99.2

 

[OhGoy]

i don't see a push to talk function anywhere

would much prefer that to automatic voice detection

 

[Remove Goat]

Shill this please

 

[CrunkLord420]

i don't see a push to talk function anywhere

would much prefer that to automatic voice detection

work in progress: https://github.com/vector-im/riot-web/issues/5993

Shill this please

https://riot.kiwifarms.net/ has been updated to 1.0.4 https://github.com/vector-im/riot-web/releases/tag/v1.0.4 / https://github.com/vector-im/riot-web/releases/tag/v1.0.4-rc.1

Update: I've taken some security steps with the Matrix server.

• Disabled Analytics in the Riot web client hosted at https://riot.kiwifarms.net/
• Disabled NGINX logging
• Purged the user_ips table in Synapse
• Broke meaningful IP logging in Synapse by withholding the user IP with NGINX.
• Added https://banter.city and https://disroot.org to the list of default servers in the room directory in the web client, to promote decentralization.
• Set the default theme of the web client to "dark"

I reserve the right to temporarily re-enable logging to deal with attacks.

Here's a fun graph: https://voyager.t2bot.io/#/graph
Also stats: https://voyager.t2bot.io/#/stats

Edit: now updated to 1.0.5: https://github.com/vector-im/riot-web/releases/tag/v1.0.5

Synapse updated to 0.99.3: https://matrix.org/blog/2019/04/01/synapse-0-99-3-released/
Riot web-client updated to 1.0.6: https://github.com/vector-im/riot-web/compare/v1.0.5...v1.0.6

 

[CrunkLord420]

The official Matrix.org homeserver was compromised https://matrix.org/blog/2019/04/11/security-incident/

We have discovered and addressed a security breach.
by Matthew Hodgson | Apr 11, 2019 | Uncategorized | 0 comments
Here's what you need to know.
TL;DR: An attacker gained access to the servers hosting Matrix.org. The intruder had access to the production databases, potentially giving them access to unencrypted message data, password hashes and access tokens. As a precaution, if you're a matrix.org user you should change your password now.
The matrix.org homeserver has been rebuilt and is running securely; bridges and other ancillary services (e.g. this blog) will follow as soon as possible. Modular.im homeservers have not been affected by this outage.
The security breach is not a Matrix issue.
The hacker exploited a vulnerability in our production infrastructure (specifically a slightly outdated version of Jenkins). Homeservers other than matrix.org are unaffected.
How does this affect me?
We have invalidated all of the active access tokens for users on Matrix.org - all users have been logged out.
Users with Matrix.org accounts should:

• Change your password now - no plaintext Matrix passwords were leaked, but weak passwords could still be cracked from the hashed passwords
• Change your NickServ password (if you're using IRC bridging) - there's no evidence bridge credentials were compromised, but if you have given the IRC bridges credentials to your NickServ account we would recommend changing this password

And as a reminder, it's good practice to:

• Review your device list regularly - make sure you recognise all of the devices connected to your account
• Always make sure you enable E2E encryption for private conversations

What user data has been accessed?
Forensics are ongoing; so far we've found no evidence of large quantities of data being downloaded. The attacker did have access to the production database, so unencrypted content (including private messages, password hashes and access tokens) may be compromised.
What has not been affected?

• Source code and packages have not been impacted based on our initial investigations. However, we will be replacing signing keys as a precaution.
• Modular.im servers are not affected, based on our initial analysis
• Identity server data does not appear to have been compromised

The target appeared to be internal credentials for onward exploits, not end user information from the matrix.org homeserver.
You might have lost access to your encrypted messages.
As we had to log out all users from matrix.org, if you do not have backups of your encryption keys you will not be able to read your encrypted conversation history. However, if you use server-side encryption key backup (the default in Riot these days) or take manual key backups, you’ll be okay.
This was a difficult choice to make. We weighed the risk of some users losing access to encrypted messages against that of all users' accounts being vulnerable to hijack via the compromised access tokens. We hope you can see why we made the decision to prioritise account integrity over access to encrypted messages, but we're sorry for the inconvenience this may have caused.
What happened?
We were using Jenkins for continuous integration (automatically testing our software). The version of Jenkins we were using had a vulnerability (CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002) which allowed an attacker to hijack credentials (forwarded ssh keys), giving access to our production infrastructure. Thanks to @jaikeysarraf for drawing this to our attention.
Timeline
April 9th

• Jenkins vulnerability brought to our attention by @jaikeysarraf

April 10th

• Investigation identified the compromised machines and the full scope of the attack
• Jenkins was removed
• Attacker's access to compromised machines was removed

April 11th

• Matrix.org was taken offline and production infrastructure fully rebuilt
• Having fully flushed out the attacker, external communication was published informing users and advising on next steps
• Matrix.org homeserver restored, with bridges and ancillary services (e.g. this blog) following as soon as possible

What are we doing to prevent this in future?
Once things are back up and running we will retrospect on this incident in detail to identify the changes we need to make. We will provide a proper postmortem, including follow-up steps; meanwhile we are obviously going to take measures to improve the security of our production infrastructure, including patching services more aggressively and more regular vulnerability scans.

The KiwiFarms server is not compromised, but any unencrypted federated communication you had with a matrix.org room, or a matrix.org user, or had a matrix.org user in your kiwifarms rooms will be in the Matrix.org DB.

Matrix is fucking rekt https://matrix.org/ (https://archive.vn/qOrcE)

Time for actual transparency.

Linux ares.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
Linux hera.matrix.org 4.9.0-7-amd64 #1 SMP Debian 4.9.110-3+deb9u2 (2018-08-13) x86_64 GNU/Linux
Linux themis.matrix.org 3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-0 x86_64 GNU/Linux
Linux hebe 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux
Linux nyx.matrix.org 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
Linux hermes.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.51-2 (2017-12-03) x86_64 GNU/Linux
Linux aphrodite.matrix.org 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux
Linux pheme.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u2 (2017-06-26) x86_64 GNU/Linux
Linux homonoia.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
Linux hephaestus.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u3 (2017-08-15) x86_64 GNU/Linux
Linux clio.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-0 x86_64 GNU/Linux
Linux juventas.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u5 (2018-09-30) x86_64 GNU/Linux
Linux iris.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-0 x86_64 GNU/Linux
Linux hypnos.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-0 x86_64 GNU/Linux
Linux demeter.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u3 (2018-08-19) x86_64 GNU/Linux
Linux phobos.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u3 (2018-08-19) x86_64 GNU/Linux
Linux eris.matrix.org 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux

root@hebe:/var/lib/postgresql# df -h
df -h
Filesystem Size Used Avail Use% Mounted on
udev 63G 0 63G 0% /dev
tmpfs 13G 67M 13G 1% /run
/dev/vda1 505G 7.6G 492G 2% /
tmpfs 63G 28K 63G 1% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 63G 0 63G 0% /sys/fs/cgroup
/dev/mapper/data--group-data--volume 9.5T 6.7T 2.4T 74% /mnt/data
tmpfs 13G 0 13G 0% /run/user/0
tmpfs 13G 0 13G 0% /run/user/1002

$ cat users.txt | grep arathorn | head -n1
@arathorn:matrix.org|$2a$12$u1ual.yp7rnSjXRgwZ5ZIOxa0D9txCT64i3Y/jmbtgQ6ByxVr59zu
$ wc -l users.txt
5493973

See you soon.

Who is Arathorn? https://news.ycombinator.com/item?id=19418111 (https://archive.vn/lvPJT)

There are several groups trying to replace/compete with the Matrix protocol, finding New Vector to be distasteful in their control over Matrix. These projects include "The Grid" and "Construct"

https://news.ycombinator.com/item?id=19365968 (https://archive.vn/lS76P)

This is clearly a highly targeted attack, and possibly hacktivism. For the record I also find New Vector to be distasteful, and the team has a CoC smell around them. I would seriously consider migrating to a competitive protocol, if that ever happens.

for comedy: https://github.com/matrixnotorg/matrixnotorg.github.io/pull/2 (https://archive.vn/71umB)

https://github.com/matrixnotorg/matrixnotorg.github.io/pull/1 (https://archive.vn/yRI3n)

Breaking up the posts, the attacker is now doing a live postmortem on the attack.

https://github.com/matrix-org/matrix.org/issues/357 (https://archive.vn/OYCyR)

https://github.com/matrix-org/matrix.org/issues/358 (https://archive.vn/7ZITv)

https://github.com/matrix-org/matrix.org/issues/359 (https://archive.vn/p1G9E)

https://github.com/matrix-org/matrix.org/issues/360 (https://archive.vn/uclcq)

https://github.com/matrix-org/matrix.org/issues/361 (https://archive.vn/ymZfc)

https://github.com/matrix-org/matrix.org/issues/362 (https://archive.vn/LbErS)

https://github.com/matrix-org/matrix.org/issues/363 (https://archive.vn/aOYRe)

https://github.com/matrix-org/matrix.org/issues/364 (https://archive.vn/j2GGK)

https://github.com/matrix-org/matrix.org/issues/365 (https://archive.vn/YuHUS)

We now have a functional Identity Server thanks to mxisd, you can seamlessly transition away from logging in with the vector.im identity server, to using matrix.kiwifarms.net. This now the default configuration for the web client. To quote Maximus, the developer of mxisd, you can email gdpr@matrix.org and/or support@matrix.org and request your 3PID bindings be removed under GDPR. New Vector is a UK based organization.

Reminder that 3PID and "Identity" is a weird concept in Matrix. It's not where your actual credentials are stored (which is in the homeserver/Synapse).

What is an identity server?
Users in Matrix are identified internally via their matrix user ID (MXID). However, existing 3rd party ID (3PID) namespaces such as email addresses or phone numbers should be used publicly to identify Matrix users, at least for invitation purposes. A Matrix "Identity" describes both the user ID and any other existing IDs from third party namespaces linked to their account.

Matrix users can link third-party IDs (3PIDs) to their user ID. Linking 3PIDs creates a mapping from a 3PID to a user ID. This mapping can then be used by Matrix users in order to discover the MXIDs of their contacts.

In order to ensure that the mapping from 3PID to user ID is genuine, the intention is for a globally federated cluster of trusted "Identity Servers" (IS) be used to verify the 3PID and persist and replicate the mappings. Usage of an IS is not required in order for a client application to be part of the Matrix ecosystem. However, without one clients will not be able to look up user IDs using 3PIDs.

The precise architecture of identity servers is currently in flux and subject to change as we work to fully decentralise them.

Reminder that if you spam other homeservers, I will deactivate your account. I got my first complaint from another homeserver admin today. There were some rather hysterical comments concerning a single user going into large channels and posting lemon party pictures.

Spoiler: autism

 

[robobobo]

So is Matrix actually clownshoes? I got a node running on one of my servers about a year ago just to mess with it, I liked the fact that it supported encryption and voice/video chat. Then I deleted it because the server is cheap and Matrix was being a heavy load on it. But now the team's looking kinda incompetent if they're getting hacked that badly.

 

[CrunkLord420]

tl;dr if you get an error de-activating your account, try a few times, and then complain to me after that.

Someone had problems de-activating their account. This was related to the removal of vector.im from the "trusted" identity servers. I've re-added it. According to the documentation an identity server is selected "arbitrarily", I don't know if this means de-activating might sometimes work, and sometimes not depending if you have your identity on vector.im.

I'm currently talking with the mxisd people on how to handle this, considering some users registered on vector.im. The web client is configured to prevent the use anything but the KF identity server, to prevent future data-leakage to New Vector.

MXISD has been updated to 1.4.2, please let me know if you have any registration issues. https://github.com/kamax-matrix/mxisd/releases/tag/v1.4.2

 

[Null]

 

[Ledian]

View attachment 744802

Not even remotely surprised, except by how long it took for this to even happen.

 

[AnOminous]

Discord is fucking garbage.

 

[Angry Shoes]

View attachment 744802

And here I thought I just got kicked from the server for shitposting.

 

[CrunkLord420]

-Synapse updated to 0.99.3.2: https://github.com/matrix-org/synapse/releases/tag/v0.99.3.1 / https://github.com/matrix-org/synapse/releases/tag/v0.99.3.2
-PostgreSQL updated to 9.6.12: https://www.postgresql.org/docs/9.6/release-9-6-12.html
-Applied performance optimizations to PostgreSQL relating to memory usage and increased number of connections from Synapse
-Reduced the rate-limiting (more concurrent connections allowed)
-Moved media directory off the main SSD and onto HDD, should improve DB performance and allow for more file storage.

I think the DB optimizations have really improved message confirmation time.

 

[Smith Banquod]

Riot seems like a good solution to the de-platforming bullshit that's going on right now. While I haven't participated in the Kiwi chat just yet (lurker for lyfe, boi), it feels like it could rival Discord when it comes to not being staffed with shallow furfags.
Also; On the latest version of Vivaldi, it's possible to dock Riot in the side-panel thingy. Which means that the F4 toggle button now opens up the Riot Kiwi server, and that's pretty fucken nifty if you ask me.