The post-mortem... as written by the attacker.


@fribbledom I stopped wanting to be involved with matrix when I realized its leadership was behaving like a tech company and the architecture of the protocol reflected that. It already suffers from a mountain of technical debt and they don't even have the resources to address that to move forward with stabilization. Too much, too fragile, too fast.


Heh, I still love and heavily rely on IRC. More than any other chat infrastructure, actually!

@FimbulFlower @shaderphantom

@XavierJulep @shaderphantom @fribbledom I wish everyone had IRC with a bouncer but in this day and age people expect slack or discord

They're also really not good at managing anything. Long standing security issues are ignored, the development is moving glacially slow... His many millions of dollars have they got now?
Seriously, I've been there when someone kept nagging for a critical bug that completely destroys rooms to be fixed, only to be dismissed as a troll and an annoyance. And when they finally got fed up and exploited that bug, it was yet again blamed on "a troll".

Any suggestions for a replacement usable by non-geeks?

@skyguy i don't think "for non-geeks" is a useful way to categorize communications technology. the reason "non-geeks" use stuff like slack is being of concerted marketing efforts, not because they are functionally better.

matrix is attempting to be a competitor to slack. but slack was designed to centralize and replace IRC. they even pulled embrace, extend, extinguish by taking down their IRC protocol support a while back.

if i had a choice, the "replacement" would be IRC or XMPP.

@skyguy the reason being that both of those work fine and have always worked fine. XMPP even has widely supported extensions for mobile clients. they had install bases and they were willfully ripped apart by Slack, Discord, Google Talk et al for capitalistic reasons.

we don't need to reinvent the wheel for text chat every few years when these protocols worked.

@skyguy but ultimately, we're subject to the whims of wealthy capitalists that want us to keep moving from centralized platform to centralized platform for their own benefit. we just need society to recognize that these companies are bad actors and are not acting in our interests.

@fribbledom it's interesting reading this after watching a video about villain monologues

@fribbledom i get why they just deleted the matrixnotorg account but i really wish they didn't, or just froze it somehow

@fribbledom This whole episode is going to be a great addition to my repertoire of DevOps ghost stories.

@fribbledom that looks almost like a free public security audit....

@fribbledom Believe me, most people who do paid security audits are not half as good as this guy

@FNB_Japan so... when that is my, uh, home server or what it's called, I'm potentially fucked? or was it just referring to the website itself?


You should change your password.

Encrypted chats are safe.

Idk about unencrypted ones, but worst case scenario, the attacker still appeared non-malicious.

@foks @FNB_Japan ty! I was logged out of my account, do you think that's related to the incident?

@anarchiv Yes, it is. Everyone was logged out as damage control.

Sign in to participate in the conversation

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!