SheogorathApr 11, 2019

For those who run on Matrix.org and wonder why there is no connection:

Matrix announced an emergency maintenance… on Twitter:

https://twitter.com/matrixdotorg/status/1116304867683905537

Sadly @matrix didn't receive the love it deserves and informs the Fediverse.

Anyway, that's why we have a community. We compensate short coming of each other and together make sure the world becomes a better place!

#Matrix #matrixDown #riot

Matrix on Twitter

“We’ve taken down the servers which host https://t.co/y2YCHNIbgU and https://t.co/5f8JYAG3OA for emergency security maintenance - estimated downtime is several hours. More updates as we have them.”

Twitter
Show threadSheogorath

Matrix is coming back up! One of the first things happening was writing a new blog post about the incident which you can find here:

https://matrix.org/blog/2019/04/11/security-incident/

TL;DR: Some outdated software was discovered and cracked by an attack which then had access to various data points.

Important: Change your password ASAP (including NickServ when you used the IRC bridges)

Hint: The homeserver is not back up yet.

#matrix #matrixDown #Riot

Synapse: Deprecating Postgres 9.4 and Python 2.x | Matrix.org

Apr 12, 2019 at 12:21amWeb
Show threadSheogorathApr 12, 2019

The homeservers are back up 🎉

It seems like they are missing some pictures right now, I guess those will come back later.

Make sure you change your password (and NickServ passwords) and happy chatting!

See you around 👋

#matrix #matrixDown #matrixBackUp #Riot

Show threadSheogorathApr 12, 2019

Too early to be happy, seems like the attacker found their way in and is still around on Matrix's infrastructure.

The attack has proven themselves to have shell access on their synapse instance, which is definitely bad. It means that all user accounts are compromised and have to be reset.

https://twitter.com/matrixdotorg/status/1116593380102852608

There will go a lot of efforts into figuring out the details and fixing the vulnerability.

Meanwhile, send some love to the people behind matrix!

#matrix #matrixDown #riot

Matrix on Twitter

“https://t.co/y2YCHNZM8s down again, we know, we’re on it, more details to follow.”

Twitter
Show threadSheogorathApr 12, 2019

Matrix.org just announced they are back once more:

https://twitter.com/matrixdotorg/status/1116616382584475648

Let's hope things stay up as they are. There are definitely some new challenges to tackle, which came up in their issue tracker:

https://github.com/matrix-org/matrix.org/issues

Let's see if they got really rid of the attacker 🤞

#matrix #matrixDown #matrixBackUp #Riot

Matrix on Twitter

“https://t.co/y2YCHNZM8s is back. You may need to flush your browser cache to pick up the DNS change.”

Twitter
Show threadSheogorathApr 12, 2019

After Matrix has restored its major services, they noticed that the GPG keys used for signing packages where compromised.

The key IDs are:

AD0592FE47F0DF61 (synapse)
E019645248E8F4A1 (Riot/Web)

Please make sure to no longer use those keys.

#matrix #Riot #infosec #security

Show threadSheogorathApr 16, 2019

There are new keys for the official matrix repositories with the key ids:
CF45A512DE2DA058 (synapse)
D7B0B66941D01538 (riot)

Those come along with a new package that are build on fresh infrastructure. No details if they now sign packages offline, yet.

https://twitter.com/matrixdotorg/status/1118039725233909765

https://twitter.com/RiotChat/status/1118042015349051392

#matrix #Riot #GPG #OpenPGP #Debian #linux

Matrix on Twitter

“Entirely fresh packaging infrastructure is now up at https://t.co/Umy9fDXIya as of 02:00Z with new debian repository for synapse and new npm repo for olm, signed with fresh & secured GPG keys.”

Twitter
Show threadAlan 🎲 Apr 13, 2019
@sheogorath by "they noticed", you mean " the attacker told them"
Show threadDivertApr 13, 2019
@sheogorath
How do you get rid of these keys and get the new ones?
Show threadSheogorathApr 13, 2019

@Divert Since I guess you use some Debian base system:

apt-key del AD0592FE47F0DF61

or apt-key del E019645248E8F4A1

Show threadDivertApr 13, 2019
@sheogorath
Yes, thanks. that is what I did. I am wondering now how to get the correct ones..
Show threadSheogorathApr 13, 2019

@Divert As far as I know there aren't new ones yet. The keys along with the repositories where removed and will be rebuild during the upcoming week.

https://twitter.com/RiotChat/status/1117110823023984640

Riot.im on Twitter

“After the security incident on the https://t.co/g01j4u6O2e server (https://t.co/xh5uK0cAwy), Riot packages, download links and integrations are currently unavailable. We'll be restoring them asap.”

Twitter
Show threaddjender esensjuelistApr 19, 2019

@Divert @sheogorath What about on Arch?

I imagine you have to do some gpg --recv-keys --# # # commands to get Pacman to stop using those keys,

as its part of installation on many pkgs to trust developers' keys or pkg maintainers' keys directly.

Unless thats just for trusting downloads!

Heres a pkg where u do thet
https://web.archive.org/web/20180826203921/https://aur.archlinux.org/packages/ncurses5-compat-libs/

Show threadSheogorathApr 14, 2019

Since Matrix reset all logins recently, you may lost some of your E2EE keys. Those were erased when being forcefully logged out.

Those who used the Key Backup mechanism by Matrix.org can recover quite easily, those who didn't bother to set them up, might have a problem.

In #e2e:matrix.org we discussed that today and someone provided a detailed guide on how to recover using BTRFS:

https://matrix.to/#/!boLskYiwabbCQNNhlK:sw1v.org/$1555201130350465RNocm:matrix.org?via=matrix.org&via=chat.weho.st&via=disroot.org

#matrix #riot #megolm #infosec #backup

[matrix]