Freenode Network Hijacked, Passwords Compromised?
tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."
Re:Good Riddance (Score:5, Informative)
I hope not, at least.
the cracker /nick'd to "nickserv" (Score:3, Informative)
Re:yeah well (Score:5, Informative)
The IRC protocol allows you to send messages to Nick@server (means "send a message to 'Nick' if and only if he's on 'server'"), so you can do the same with services. Then if the Nickserv nickname is hijacked, it won't matter, because the services "fake server" cannot be hijacked without knowledge of hub configuration (C/N lines) and if ever it happens, IRC admins/opers will notice (that's not something you can't miss).
So either choose the macro (/identify) or the whole command. Or identify manually.
Re:The IRCD could have helped with some of that... (Score:3, Informative)
*serv nicknames are generally reserved through Qlines. Qlines can be used to restrict all kinds of pattern-matched nicknames, however they still allow opers to use them - this is quite intentional. If the compromised server allowed people to set up opers, it would have been trivial to oper up, remove the real services from the network, and change your nickname to *serv.
I'm not sure how many networks have picked up on the
If freenode was using Bahamut, I'd be interested in talking to them about this. If a freenode admin sees this, drop me an email.
Re:The IRCD could have helped with some of that... (Score:2, Informative)
Re:What questions? (Score:4, Informative)
I only used mIRC briefly in my IRC career. It had little to no built-in protection at the time and I went back to AmIRC (Amiga.) Using WildIRC and Kuang11, AmIRC could not be beat. Later scripts for mIRC became much more solid and advanced, and I am sure the program is much better today?
Brings back some memories, actually. Back around 1997 we used to use a simple ICMP ECHO (ping) packet with a payload of "+++ATH0". Anyone with a modem which did not follow the Hayes specification for the escape sequence (+++ followed by two seconds of "silence") would immediately hang up as the TCP/IP stack sent an ICMP ECHO RESPONSE with the same payload. Was great fun for two or three times.
Use a different password on every site! (Score:3, Informative)
Use something like http://www.hashapass.com/ [hashapass.com] to generate your passwords instead, and you only have to remember one thing, but your password is different on every site.
Re:Explaining the jargon... (Score:5, Informative)
Re:clear text passwords? (Score:3, Informative)
Well, if you'd read the fine summary (maybe if you'd UNDERSTOOD the fine summary, I guess you read it) you'd know that it does not store the passwords in the clear but that someone logged on to impersonate the authentication service, which receives passwords sent in the clear. But there's really not too much you can do about that, even when you have a secure connection. It's like someone who replaces the CGI script on your log-in page to capture everyone's <input type="password"> submissions. Which are also received in the clear, whether or not they are sent via SSL.
Yeah, we have things like public key authentication. No, there's no real good way to use them on IRC. It is an old protocol. Sorry.
Re:Good Riddance (Score:2, Informative)
Re:The IRCD could have helped with some of that... (Score:3, Informative)
Re:Good Riddance (Score:3, Informative)
Hashes are proven deterrents to attacks that raise the cost of attacks much higher than their returns. Of course they have to be used correctly. That's how security works: you can't protect your house by taping a lock to the welcome mat.
Re:Password on IRC and you're worried? (Score:1, Informative)
/quote nickserv identify foo
...instead, if your IRC server supports it. It reduces the risk of an imposter snagging your password if Services should crash.
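The two comments above (addressing services as Nick@server, and avoiding a bare-nick identify) describe a client-side safeguard. This is an added example, not code from the thread or from any IRC client; the services server name and the NickServ mask are hypothetical placeholders that differ per network.

```python
import re

# Assumed values: every network names its services server differently.
SERVICES_SERVER = "services.example.net"                 # hypothetical
TRUSTED_MASK = "nickserv!nickserv@services.example.net"  # hypothetical

PREFIX = re.compile(r"^:([^!@ ]+)!([^@ ]+)@(\S+) NOTICE \S+ :(.*)$")


def identify_line(password):
    """Build an IDENTIFY addressed to NickServ on the services server only.

    With a nick@server target the message is delivered only if that nick is
    on that server, so a user who merely took the nick never receives it.
    """
    if any(c in password for c in "\r\n\0"):
        raise ValueError("password would break the IRC line")
    return f"PRIVMSG NickServ@{SERVICES_SERVER} :IDENTIFY {password}\r\n"


def respond(raw_line, password):
    """Answer an identify prompt only when the sender's full mask matches."""
    m = PREFIX.match(raw_line.rstrip("\r\n"))
    if m is None:
        return None
    nick, user, host, text = m.groups()
    if "identify" not in text.lower():
        return None
    if f"{nick}!{user}@{host}".lower() != TRUSTED_MASK:
        return None  # someone else is holding the NickServ nick
    return identify_line(password)


# Constructed sample traffic, not captured from any network.
GENUINE = (":NickServ!NickServ@services.example.net NOTICE alice "
           ":This nickname is registered. Please identify.")
IMPOSTOR = (":NickServ!~guest@host-203-0-113-7.example.org NOTICE alice "
            ":This nickname is registered. Please identify.")

if __name__ == "__main__":
    for line in (GENUINE, IMPOSTOR):
        print(repr(respond(line, "foo")))
```

The mask comparison is a secondary check; the nick@server target is what keeps the password away from whoever holds the nickname.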
Re:This is why I prefer the anarchy of efnet (Score:2, Informative)
Re:This is why I prefer the anarchy of efnet (Score:3, Informative)
The first step is fine. The second step might even be okay.
The third step renders you essentially unemployable, should your employer find out.
Re:Explaining the jargon... (Score:2, Informative)
TY. (That means 'thank you.')
Don't be so fucking condescending.
(Condescending is when you talk down to somebody.)
Re:It goes to lilo (Score:2, Informative)
messages from my freenode status window: (Score:3, Informative)
Re:Password on IRC and you're worried? (Score:3, Informative)
Re:Password on IRC and you're worried? (Score:3, Informative)
Re:The IRCD could have helped with some of that... (Score:3, Informative)
Re:My thoughts.. (Score:5, Informative)
You obviously have no idea how freenode's infrastructure is managed -- the infrastructure isn't a land of ZOMG I BOUGHT SHELLZ FROM SHELLFX.NET garbage. Most of these servers exist solely to host freenode, do not use ssh passwords (instead private keys are used), and do not use the same passwords as lilo's o:line password.
The fact is that they rooted servers close to freenode servers (i.e., on the same switch); then used ettercap to sniff o:line passwords. This was exacerbated by the fact that o:lines are (NOT masked *@*, but masked ?=levin@*), so basically all that had to be done was use the username levin, and boom you're opered up.
That is what the issue is, the o:lines are insecurely masked. Nothing more.
HOWEVER, since they were sniffing, it is possible that they may have lifted services passwords as well -- people should probably change them. Then again, how do you know that they still aren't sniffing? Quite simply, nobody except the people behind this know.
Also, the group freenode is dealing with is known as Bantown, which has a reputation of causing whatever hell they wish wherever they feel like doing so. So no, none of what you said is truly relevant, as this group is a tad more unpleasant than the GNAA is. In fact the GNAA is a bunch of nice guys in comparison to Bantown.
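The comment above attributes the takeover to operator lines whose mask accepted any host. As an added example (not freenode's configuration or tooling), this audit flags such masks, assuming a simplified colon-separated layout `O:user@host:password:name`; real ircds use differing formats, and the sample lines are constructed.

```python
WILDCARDS = set("*?")


def host_problem(host):
    """Return why a host mask is too broad, or None if it looks pinned."""
    if not host or set(host) <= WILDCARDS | {"."}:
        return "host part is wildcards only"
    literal = [l for l in host.split(".") if l and not (set(l) & WILDCARDS)]
    if len(literal) < 2:
        return "fewer than two literal labels in host"
    return None


def audit_olines(conf_text):
    """Return (name, mask, reason) for each O-line with an over-broad mask."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("O:"):
            continue  # comments and other line types
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed under the assumed layout
        mask, name = fields[1], fields[3]
        host = mask.rsplit("@", 1)[-1]  # a mask without '@' is host-only
        reason = host_problem(host)
        if reason:
            findings.append((name, mask, reason))
    return findings


# Constructed sample in the assumed layout; <hash> stands in for the password.
SAMPLE_CONF = """\
# operator lines
O:levin@*:<hash>:lilo
O:alice@192.0.2.10:<hash>:alice
O:bob@*.net:<hash>:bob
"""

if __name__ == "__main__":
    for name, mask, reason in audit_olines(SAMPLE_CONF):
        print(f"{name}: {mask} -> {reason}")
```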
Re:This is why I prefer the anarchy of efnet (Score:3, Informative)
Mmm hmm. Fusion bombs aren't nuclear because most people are too stupid to know the difference. Irony isn't cruel happenstance because most people are too stupid to know the difference. Translucent doesn't mean partially transparent just because most people are too stupid to know the difference.
This word doesn't change because of popular dumb either. Descriptivists are apologists who don't understand the difference between a mistake and progress. Don't fall for their trap; common usage just doesn't shift that fast. Believe it or not, reporters can be mistaken. Note for example that the word "alleged" has a critical and specific meaning in law, that someone has been convicted of a crime. Now, pay attention to your local news, who will call someone who is held under suspicion or awaiting trial "alleged."
If a whole bunch of people start calling your wife a boat, is that suddenly a new legitimate usage for the word "boat?"
Re:Use a different password on every site! (Score:1, Informative)
http://passwordmaker.org/ [passwordmaker.org]