Matrix abuse protection model for community maintainers: security by obscurity
I am administrator or moderator in multiple communities in Matrix, the most sizable being 23 rooms + two spaces. I don’t have my own homeserver or Mjolnir. And I am tired.
If I was using Discord, I would make a guild, make roles within it and then right click people and assign them roles and they would be able to manage all channels those roles let them. Time estimate less than 15 minutes.
Sadly I am not using Discord, I am using Matrix. This means that while burnt out it feels like no one has thought of the case where a community with more than a couple of rooms wants to use Matrix.
Automaattinen sisällysluettelo / Automatically generated Table of Contents
- Setup
- Abuse finds you!
- Aminda, are you ok, has this happened to you?
- What is this community with 23 rooms and two spaces?
- Afterword
Setup
I am tired, so excuse me for not involving complete documentation and just smaller steps:
- Use https://develop.element.io/ (or have a config.json allowing you to use labs)
- Create a space.
- Through developer mode
/upgraderoom 11
. 2. WARNING You should check the Matrix spec for the latest stable room version. Or maybe the unstable spec? Or maybe you should just search GitHub? 3. WARNING! Always before executing/upgraderoom
check that everyone in your room has a recent Matrix server that supports your target room version, otherwise you may lock some of your users out. For example/invite @version:maunium.net
and once it joins, say!servers upgrade 11
to get a list of servers that don’t support room version 11 yet. - Clear cache and reload so the old space maybe disappears.
- See also Element-web#19208: Allow upgrading spaces
- Now that there is a space, right click it to create a new room under it and select that it can only be joined by space members. You will hopefully end up with room version 9 (the default at time of writing is 6 and has even worse situation with abuse pretention).
- Go to room settings and set the room to public join assuming it’s supposed to be public (14 of this worst case scenario are)
- Repeat steps 5-7 for all rooms you need, you can hopefully figure out how to handle a private space (9 rooms in this case).
Bus factor
As we are a serious organisation using Matrix here, even if we have no money or people or homeserver or Mjolnir, what happens if you somehow become unable to access your account or are asleep or something when you are needed? You add more people with power and also register yourself on multiple homeservers, so if your main account goes down, you have power somewhere else.
Let’s say you have 20 rooms (you get it a bit more easy than I do), I think you have three methods to promote your other accounts:
WARNING: administrator status cannot be removed by others.
- A. Using the graphical user interface, invite the other administrators to the room and click the buttons to make them administrators. I am too tired to check how to do this, but it’s a graphical user interface, good luck! Remember you will do this twenty times, once for every room/administrator.
- B. You can type
/invite @user:example.org
and then/op @user:example.org 100
and copy-paste it all the time! - C. My favourite, you can have a pre-formatted power-level event in json in a
git repository from which you can copy-paste it to all rooms, first
/devtools
, then “room state”, “m.room.power_levels”, “edit” and you can paste your new administrators there and press “send”! This is the only mass option you have, and you will have to do this in each twenty rooms.
Remember you will have to do this every time you add a new moderator (or they will be unable to act in the room when they are needed)!
We also have a matterbridge (which has it’s own configuration for every room, but offtopic here) which has administrator / power level 100 in every room, so if I am not available the administrator team can login as it and take care of the situation.
Abuse finds you!
Congratulations, if abuse has found you, the security through obscurity model
has failed and now you get to deal with it! That is very simple, you just check
the abuser MXID, and paste /ban @yourorgisbad:evil.example.invalid
to all
twenty rooms.
Did you find out that you have a lot of abuse from a single server and Matrix
doesn’t support wildcards in bans? No problem,
Matrix has your back with “Moderation in Matrix!”,
you simply use /devtools
and ban the entire server by sending a completely new
event m.room.server_acl
, luckily you are a professional /devtools
user at
this point so having to do this 20 times is nothing to you.
2022-01-10 addition: this becomes worse as Matrix Synapse alongside
the Matrix protocol itself will authorise everything done by servers that don’t honour the m.room.server_acl
event
so as per the guide, you will have to acl those servers too (or the ACL might as
well not exist).
Icing on the cake
Could this get any better? Yes, the abuse could happen when you are sleeping or otherwise out of the picture, so your fellow ICT team member (who has no interest in touching this mess with a long stick) has to step in for you and resolve the issue.
It’s a stress situation for them, will the ICT team be able to find the shared
password for the Matrix administrator account you hopefully have and speedlearn
to be a /devtools
professional or able to handle even easier forms of spamming
or flooding without you present? My money is on the spammer. Good luck,
high-five for the next team meeting where you wonder what happened, how to
prevent it from happening again and will you even support Matrix in the future?
I hope someone thanked you for ever having your organization there, I know that I have only gotten complaints about matterbridge looking ugly and not using matrix-appservice-irc, <redacted-for-similar-trouble>, matrix-whatever-discord, etc.
Aminda, are you ok, has this happened to you?
Thank you for asking, I am not ok, I have a burnout and xmas is poor time for me in general, and this whole issue is ridiculous, someone could have thought of it since 2014, everything I am saying is public knowledge, but no one cares.
It’s whoever is running Matrix without hosting their own homeserver and Mjölnir (which brings all reasonable management for organizations) who is at fault (me). I wonder how much would a Mjolnir help if abuse was sophiscated enough to DDoS it off the internet before beginning.
What is this community with 23 rooms and two spaces?
It’s Pirate Party of Finland. I cannot say
whether it’s us or Matrix that is obscure enough to have avoided the nightmare I
painted in this blog post, but as I am the only administrator at Matrix, I have
locked it down so the rest of the ICT team can continue not touching Matrix or
practicing /devtools
first without a stressful situation.
Our main space requires knocking before it can be joined. Don’t ask me what Matrix clients support knocking, it’s part of Matrix spec version 1.1, don’t even ask me what Matrix servers support it.
Our public rooms within that space require being a member of that space.
Our more sensitive rooms that desire working peace from spammers are in a
subspace, which again require belonging to it, and which requires knocking too.
We have similar system in place at Discord where we just grant people a role
once they have talked a bit and shown themselves to not be malicious and this is
the best we I can do at Matrix.
The above looks a bit weird as I was going to put the actual json events there, but I am too tired to bother with that.
Afterword
If I am wrong at anything I said, please contact me instantly either in
my discussion channels,
the GitHub issue for this post
or mention @Mikaela
in any GitHub.com/GitLab.com issue (I am not reading my
email actively though) as if I am wrong and there is a reasonable Discord-style
interface for this without additional money, you are improving my life greatly
as I am not just going to stop using Matrix.