Rocket.Chat for Cryptocurrency Communities #8284

Open
engelgabriel opened this Issue Sep 25, 2017 · 25 comments

engelgabriel commented Sep 25, 2017

We invite all members of cryptocurrency communities to help us create a wishlist of new features, integrations, apps and preset configurations that would make Rocket.Chat best suited for this use case.

  • URL filtering (what spam/phish filtering services should be supported?)
  • IP based user banning
  • E2E message encryption, DM or group, supporting offline users
  • Custom roles and permissions for cryptocurrency use cases
  • Improved administrative tools
  • Robust support for multiple servers on native mobile apps
  • Ability to disable user name changes
  • Ability to 100% disable DMs
  • Ability to disable users from posting URLs (Golem's modification of Rocket already solved this)
  • Totally hiding other users' email addresses from other users

REF: aragon/governance#7


Update on November 14th

Follow the issues to check the progress on RC for Crypto Communities

  • Allow User Profile Change without changing Name field #7126
    • Related to "Ability to disable user name changes"
  • Anti-abuse features need to improve (logging and access control) #8026
    • Related to "IP based user banning" and "Improved administrative tools"
  • Improvements to message filtering #8860
    • Related to "URL Filtering, disable users from posting URLs"
  • Administration Roles Hierarchy #8865

lunitic Sep 25, 2017

The IP based user banning and storage of IP address is a super needed function.

onbjerg Sep 25, 2017

If we could expand URL filtering with address filtering as well, that would be neat. Some phishing attempts do not use URLs, they just paste a public address posing as a "hidden" contribution wallet.

luisivan Sep 25, 2017

I'd also add a secure way to sign up that empowers users vs spammers. Login methods like Twitter or Google already do that, but I think a universal, open, anonymous method such as staking some ETH would be a wonderful way to prevent spammers. This could get really complex easily, so I wouldn't say this is urgent for now, just something to keep in mind.

ludmila-omlopes Sep 25, 2017

Instead of address filtering, it could be a keywords blacklist.

onbjerg Sep 25, 2017

@ludmila-omlopes This wouldn't work, as we'd have to blacklist every address that could ever exist.

ludmila-omlopes Sep 25, 2017

@onbjerg you don't need to block every address, just block hash codes in general.

ludmila-omlopes Sep 25, 2017

And making it general for adding keywords we could also block (or at least alert) some common words used for phishing

onbjerg Sep 25, 2017

Sure, if your proposed mechanism supports regular expressions, then it could work.

Smokyish Sep 25, 2017

One thing I would like to see either as Rocket Chat functionality or as an app/bot, would be to blacklist/remove all links/addresses that are confirmed as phishing/scamming at https://etherscamdb.info/, https://github.com/409H/EtherAddressLookup and/or https://github.com/MyEtherWallet/ethereum-lists or a cross-reference of all.

janferme Sep 26, 2017

I would like to see KYC implementation and then we give users some rewards and that's that :)

crsCR Sep 27, 2017

A way to block registering with temp/disposable emails - scammers and esp' trolls love them.

cyclops24 Sep 27, 2017

Contributor

I also suggest an SMS-based KYC approach, like Telegram messenger. It sends an SMS verification code to the mobile number obtained from the user at sign-up and uses that for verification, password recovery, ...
Maybe related to: #8322

janferme Sep 27, 2017

I wouldn't suggest SMS but Google Authenticator or Authy instead. It's much more secure just like MEW said https://myetherwallet.groovehq.com/knowledge_base/topics/protecting-yourself-and-your-funds

ethereater Sep 27, 2017

The ability for blocking certain types of usernames, for example, 'golem-team', 'golem.ico' or 'golem(...something)' etc. for Golem Project Chat.
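
An added example, not part of the thread and not Rocket.Chat code, of the username blocking requested in the comment above: names are reduced to a comparison form before being checked against reserved project names. The functions `skeleton` and `checkUsername`, the digit fold table and the reason strings are hypothetical.

```javascript
// Added example (not Rocket.Chat code): fold look-alike usernames before
// comparing them with reserved project names. The fold table is an assumption.
const FOLD = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't' };

// Reduce a name to a comparison "skeleton": compatibility-normalise,
// lowercase, drop separators, undo common digit-for-letter swaps.
function skeleton(name) {
  return name.normalize('NFKC').toLowerCase()
    .replace(/[\s._-]+/g, '')
    .replace(/[013457]/g, (d) => FOLD[d]);
}

// reservedStems: project names that only staff accounts may carry.
function checkUsername(name, reservedStems) {
  // Anything outside printable ASCII after NFKC (for example a Cyrillic "o")
  // is rejected outright instead of trying to enumerate every homoglyph.
  if (/[^\x21-\x7e]/.test(name.normalize('NFKC'))) {
    return { ok: false, reason: 'disallowed-char' };
  }
  const sk = skeleton(name);
  const hit = reservedStems.find((stem) => sk.includes(skeleton(stem)));
  return hit ? { ok: false, reason: 'reserved:' + hit } : { ok: true, reason: null };
}
```

Because the match is a substring test, legitimate staff accounts need an explicit exemption outside this check.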

ethereater Sep 27, 2017

I would like to have 2FA option for login

rasos Oct 3, 2017

Contributor

The FairCoin community is currently evaluating Rocket.Chat. They have monthly general assemblies and would need a non-anonymous voting tool to support consensus decisions.

skoria Oct 3, 2017

Can you allow for payment in crypto via chat?

dgsus Oct 13, 2017

building on to url filtering -> a possibility to configure regex expressions to filter out/delete messages that match the regex... we could create regex that could match ethereum wallet addresses, or ethereum wallet private keys, bitcoin wallet addresses, etc...

thanks!
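
An added example, not part of the thread and not Rocket.Chat code, of the regex-based filtering proposed in the comment above, combined with the earlier point that phishers paste a bare address posing as a contribution wallet. The function `screenMessage`, the verdict names and the list of official addresses are hypothetical; the patterns check shape only and do not verify checksums.

```javascript
// Added example, not Rocket.Chat code. Patterns check shape only, not checksums.
const PATTERNS = [
  // 64 hex chars (optional 0x): private-key shaped; transaction hashes look the same.
  { kind: 'hex64_key_or_hash', action: 'delete', re: /\b(?:0x)?[0-9a-fA-F]{64}\b/g },
  // 0x + exactly 40 hex chars: Ethereum address.
  { kind: 'eth_address', action: 'hold', re: /\b0x[0-9a-fA-F]{40}\b/g },
  // Legacy Base58 Bitcoin address: leading 1 or 3, 26-35 chars in total.
  { kind: 'btc_address', action: 'hold', re: /\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b/g },
];

// Ethereum hex is case-insensitive; Base58 is not, so only 0x values are folded.
const norm = (v) => (v.startsWith('0x') ? v.toLowerCase() : v);

// officialAddresses: addresses the project itself published (hypothetical list).
function screenMessage(text, officialAddresses = []) {
  const official = new Set(officialAddresses.map(norm));
  const findings = [];
  for (const { kind, action, re } of PATTERNS) {
    for (const m of text.matchAll(re)) {
      if (action === 'hold' && official.has(norm(m[0]))) continue;
      // Keep only a short prefix so moderation logs never store a full key.
      findings.push({ kind, action, index: m.index, preview: m[0].slice(0, 8) + '...' });
    }
  }
  const verdict = findings.some((f) => f.action === 'delete') ? 'delete'
    : findings.length > 0 ? 'hold' : 'allow';
  return { verdict, findings };
}

// Constructed sample values; none is a real wallet or key.
const OFFICIAL = '0x' + 'aB'.repeat(20);
const UNKNOWN = '0x' + 'cd'.repeat(20);
const KEYLIKE = '0x' + '1f'.repeat(32);
const BTC_SHAPED = '1' + 'A'.repeat(33);
```

A 64-hex string may be a transaction hash rather than a key, so a deployment that discusses transactions may prefer `hold` over `delete` for that pattern.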

gdelavald Nov 14, 2017

Contributor

Issue updated to add the issues created to track development.

Sing-Li Nov 14, 2017

Member

We are attempting to gather enough ideas and issues (feature requests and enhancements) that will allow us to define a Phase 1 for the Rocket.Chat for Cryptocurrency Communities project.

Please feel free to add your input to the individual issues that are created and tracked - in order to help us to better scope this phase of work.

We hope to freeze the Phase I requirements by early December (3rd).

Gandalf-the-Grey Nov 17, 2017

Aside from already listed features like:

  • IP based user banning
  • Improved administrative tools

We would love to see also features like:

  • Way better logging (including IP)
  • Anti-spam / anti-flood features (like on IRC realized by eggdrop bots, i.e. 5 messages in 60 seconds is considered as flood and user is temporarily muted, etc)

In our use case scenario we are fighting with various abuse like phishing / scam / impersonating (easy to do as it's super easy to register using a disposable e-mail provider) and attempts to impersonate usernames that exist on the blockchain; even if names are slightly different it still might work.
What could help?
Different levels of user authentication / verification.
We have currently 30k users on chat and 400k on the blockchain.
We have working test instance that can do OAuth against posting authorities stored on the blockchain but then it doesn't require working e-mail.
Ideally it would be to have trusted accounts that are able to authenticate via OAuth (prove that they have control over specific account name on the blockchain) AND then being able to use standard e-mail verification. Both required to be verified user with a nickname from the blockchain/OAuth.

Existing users (with e-mail verification only, without confirmed blockchain identity) would be migrated to something like: ~~~unverified~~~nickname. That would also allow guest users to register (prior to having blockchain level verification)
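
An added example, not part of the thread and not Rocket.Chat code, of the anti-flood rule described in the comment above (5 messages in 60 seconds, then a temporary mute). The class `FloodGuard`, its return values and the 5-minute mute duration are assumptions.

```javascript
// Added example, not Rocket.Chat code: sliding-window flood guard.
class FloodGuard {
  // 5 messages / 60 s is the threshold from the comment; muteMs is an assumption.
  constructor({ maxMessages = 5, windowMs = 60000, muteMs = 300000 } = {}) {
    this.maxMessages = maxMessages;
    this.windowMs = windowMs;
    this.muteMs = muteMs;
    this.users = new Map(); // userId -> { stamps: number[], mutedUntil: number }
  }

  // Returns 'allow', 'muted' (this message tripped the limit) or 'blocked'
  // (sender is still serving a mute). `now` is injectable for testing.
  check(userId, now = Date.now()) {
    let u = this.users.get(userId);
    if (!u) this.users.set(userId, (u = { stamps: [], mutedUntil: 0 }));
    if (now < u.mutedUntil) return 'blocked';
    // Forget messages that have left the window.
    while (u.stamps.length > 0 && now - u.stamps[0] >= this.windowMs) u.stamps.shift();
    u.stamps.push(now);
    if (u.stamps.length >= this.maxMessages) {
      u.mutedUntil = now + this.muteMs;
      u.stamps = [];
      return 'muted';
    }
    return 'allow';
  }

  // Drop idle entries so the map cannot grow without bound.
  prune(now = Date.now()) {
    for (const [id, u] of this.users) {
      const last = u.stamps.length ? u.stamps[u.stamps.length - 1] : 0;
      if (now >= u.mutedUntil && now - last >= this.windowMs) this.users.delete(id);
    }
    return this.users.size;
  }
}
```

Keying the guard on the account alone lets a flooder rotate throwaway accounts, which is why the same comment asks for IP logging alongside it.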

PhABC Nov 23, 2017

Things that have been mentioned that I want to emphasize:

  • Anti-spam / Anti-flood
  • 2 FA (very very important)
  • Prevent certain words for usernames

For URL filtering, I am personally more of a fan of whitelists instead of blacklists, since it's impossible a priori to know what new phishing domains will appear. You can only react to new phishing domains, but it might already be too late. Some permissions could allow to post any links (like admins or moderators), but others would only be able to post from a list of URLs that the team built over time. When a user posts a new URL, it could be reported in a private channel and admins could click on whether to allow this URL domain or not. This is just a suggestion, there might be a simpler and just as efficient solution.
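
An added example, not part of the thread and not Rocket.Chat code, of the domain whitelist with an admin review queue suggested in the comment above. The class `LinkPolicy`, its method names, the role names and the `example.org` / `.test` domains are assumptions; only links with an explicit `http(s)://` scheme are handled.

```javascript
// Added example, not Rocket.Chat code. Only http(s) links with an explicit
// scheme are extracted; bare "example.org" text is out of scope here.
const URL_RE = /\bhttps?:\/\/[^\s<>"']+/gi;

class LinkPolicy {
  constructor(allowedDomains, exemptRoles = ['admin', 'moderator']) {
    this.allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
    this.exempt = new Set(exemptRoles);
    this.pending = new Map(); // hostname -> user who first posted it
  }

  // Exact domain or a real subdomain. A plain suffix test would also accept
  // "evil-example.org"; requiring the leading dot prevents that.
  isAllowedHost(host) {
    for (const d of this.allowed) {
      if (host === d || host.endsWith('.' + d)) return true;
    }
    return false;
  }

  // Returns { verdict: 'allow' | 'hold', held: [hostnames awaiting review] }.
  review(user, roles, message) {
    if (roles.some((r) => this.exempt.has(r))) return { verdict: 'allow', held: [] };
    const held = [];
    for (const raw of message.match(URL_RE) || []) {
      let host = '(unparsable)';
      // The URL parser, not a regex, decides what the host is, so
      // "https://example.org@evil.test/" resolves to evil.test.
      try { host = new URL(raw).hostname.replace(/\.$/, ''); } catch (e) { /* keep marker */ }
      if (this.isAllowedHost(host)) continue;
      held.push(host);
      if (!this.pending.has(host)) this.pending.set(host, user);
    }
    return { verdict: held.length ? 'hold' : 'allow', held };
  }

  // Called when an admin accepts a domain from the review channel.
  approve(host) {
    this.pending.delete(host);
    this.allowed.add(host.toLowerCase());
  }
}
```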

gdelavald Nov 27, 2017

Contributor

@Gandalf-the-Grey @PhABC Awesome to hear the suggestions.
Rocket.Chat already supports a number of requested features, some of them:

  • Keyword blacklist (you can check the badwords list on Admin panel)
  • New users only from enabled domains (Allowed/Blocked domains list inside the Accounts menu on Admin Panel)
  • Block certain usernames (Blocked Username List from the Accounts menu also)
  • Two-Factor Authentication (although we still need some improvements in the mobile apps for this)
  • Anti-Flood, only allowing certain amount of messages within a space of time

We'll continue to hear your feedback on this until we have a starting point for the project.
Thanks.

Gandalf-the-Grey Dec 30, 2017

Guys, lack of anti abuse features makes it unusable at scale because such chat is simply becoming scam-nest. Apache-style flat file logs would help and should be fairly simple to implement for core team. Please make this high priority.

ghost Apr 24, 2018

Add reCAPTCHA - IP LOGGING for DMCA requests #10542
