Repost of the security issues #371
Earlier today the attacker posted some insightful issues, but since GitHub has suspended their account, those are now gone. This is a repost.
GitHub issues of matrix.org pieced together as one "story":
EDIT: Add archive.org links:
Thank you for making this archive, all organizations can learn from this event and the statements shared with us. I'm not sure we would have seen/heard all of these details otherwise, but with these disclosures, we're all given an opportunity to be honest with ourselves, review our best practices, and revise/improve what we know should already have been changed a while ago.
Get help with those updates or changes if you need it, don't ignore the issues. Those nagging voices are there for a reason.
Kudos to the devs and sys admins hard at work to get things back in order, our thoughts are with you, it definitely isn't an experience any of us want.
But let us also realize: the times have seriously changed. We all need to up our game, significantly. If you aren't already thinking these thoughts, please reconsider your position of comfort before all your base are pwned.
I'd like to point out that the Matrix.org group, I think, do not value security as highly as they should: matrix-org/synapse#4158
I know that they are busting their asses and trying to do as much as they can, including this and other security stuff, but when certain security issues (like above) are raised, and they don't get traction after months, it worries me.
I suspect this mentality is what led to the original breach issue, as it sounds like nobody is doing any security auditing and asking "hey, why are we doing it this way? it's insecure". But I'm an outsider, and I can't be 100% sure.
I am a big fan of Matrix.org and Riot.im and all those people behind it. I want them to learn from this and hopefully plug some other serious security issues going on, because the world NEEDS Matrix.org and Riot.im. And if they don't learn from this, well that's just a modern tragedy.
referenced this issue
Apr 13, 2019
Can you please give more information: