Freenode Network Hijacked, Passwords Compromised?
tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."
You know... (Score:2, Interesting)
Granted, that person/company is probably relying on the money from ads or what have you so he hopes that things are secure. Really, though, if you don't think the service is secure, go to another one or start your own!
I was there. (Score:5, Interesting)
Mass throttling.
Mass glining and killing.
Mass notices of DCC SEND.
GNAA denying fault.
Bantown claiming fault.
The hilarity of not being auto-removed from #wikipedia thanks to a lack of ChanServ.
Having up to 20 variations of one person's name.
Lilo being killed off with a hilarious message.
And the topic wars...
Good times.
I'm with the 'who cares' camp (Score:2, Interesting)
Re:Explaining the jargon... (Score:3, Interesting)
Not Sure (Score:3, Interesting)
It might be a bigger problem if this happened here on slashdot (someone gathering email addresses or similar would have a decent mailing list to sell - with a fairly specific target audience... but then I use a public mail address here anyway so it might actually improve the quality of spam I get...) and it would be a catastrophe if it would have been a finance related system or similar.
On the other hand it sounds from the summary and the blog that's linked that the break of a single username / password combo from remote was the root cause of this breach. If I am accurate in my understanding and that is really the case then we need to take a long hard look at how we can change that. You should not be able to compromise a system from remote with a single set of credentials regardless of how non-sensitive (insensitive?) the system is.
But then I'd like to see more details about what happened, when it happened (if it really happened?) what was exposed (or could have been exposed) during the attack before I take too hard a line either way.
Re:This is why I prefer the anarchy of efnet (Score:1, Interesting)
PS, lilo: I still have root on a server that's on the same switch as one of your precious Freenode servers. Next we'll be arpmitm'ing and spoofing the C/N lines to link in a hacked server. I'll let you have fun running around trying to guess which one that server is.
You have three days to post "I have been trolled by Bantown" on global notice.
Re:Good Riddance (Score:3, Interesting)
There might be a technical difference in the topology, but the insecure design is just as bad, if not worse.
Why should NickServ have access to the clear passwords? What happens if FreeNode switches to another auth service, especially if a result of a dispute? That system is really too insecure to trust at all.
Trust No One (Score:4, Interesting)
A truly secure system should have no trusted components. A Client's faith should never be placed in anyone except themselves, and even then, only reluctantly. Freenode had a trusted component; namely, Robert Levin's privileges. This should never have been present in the system and was simply a disaster waiting to happen.
If you really want security you've got to accept three things. Trust No One. The Enemy Knows the System. The System Can Be Broken. If you think otherwise, you haven't got security, you've just got a fancy codec.
clear text passwords? (Score:3, Interesting)
Re:So Levin is just another "peer"? (Score:3, Interesting)
When I was running Xiph.Org [xiph.org], both lilo and Diablo-D3 were spamming people for money. It's why Xiph (at least temporarily) left Freenode. Diablo-D3 waged a campaign against LinuxFund for their donations to Xiph which (did, and still does) create free and useful code for the community.
Matter of fact, back when Freenode had 'Freenode Radio,' I had given them a ton of original music to use. They played it for a while, and then took it off the air 'under mutual agreement with the artist,' which was simply a lie -- My music is public domain. The folks that made this claim were eventually caught, fessed up and apologized for lying to me and people that listened to the station. They sucked at this, too; They played my music long after they claimed to 'take it off the air,' they were just too dumb to look at the ID tags of the files.
Bob and Patrick are in the same boat. They're both useless, they're both stupid, they're both utterly ineffectual.
Don't know what to tell you, really. I don't have time for IRC anymore, but if I did, I wouldn't truck with *either* of those cats. Freenode is a black hole of idiocy, and if you really want to dive into it, go ahead -- Just don't expect logic, reason or honesty to win out over egotistical mania and deception. This may be true of *all* IRC networks, but Freenode is the only one where I've seen this kind of shit go down time and time again.
Freenode may be 'Animal Farm,' though without the Orwellian context. Lilo's just too damn stupid to play Napoleon. It's like a normal farm. Backward Farmer Bob Levin and his flock of sheep.
Couldn't have happened to a better guy (Score:2, Interesting)
What goes around, comes around.
Serves them right! (Score:2, Interesting)
Also during the whole thing lilo actually asked for donations. My question is if their servers are donated, where does the money that is donated go to? They don't pay for bandwidth, servers, anything really. Curious really.
Re:What kind of auth protocol? I'll tell you... (Score:3, Interesting)
That is of course not as secure as transmitting only a hash, which can help ensure the password doesn't get exposed. But it is a lot more secure than the nearly totally insecure IRC protocol we're talking about. And therefore a lot less vulnerable, therefore more trustworthy. IRC doesn't indicate how untrustworthy is its password authentication, so the public exposure of its failure in this case is valuable, in educating users. At higher cost, and lower return, than just making the protocol use hashes instead.
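The two comments above ("Why should NickServ have access to the clear passwords?" and the hash-versus-cleartext comparison just above) both come down to one design point, so here is one added example for both. It is not Freenode, Hyperion or services code; the class names, the wire strings and the PBKDF2 parameters are illustrative assumptions. It shows why an auto-sent "IDENTIFY <password>" hands the password to whoever is answering as NickServ on a hijacked server, and contrasts it with a nonce-based challenge-response in which the service stores and checks a derived key but the password itself never crosses the wire. Note that simply sending a static hash instead of the password would not help: a fixed hash is just another reusable credential, and it is the fresh nonce that makes a captured response useless later.

```python
"""Added example (not Freenode's or Hyperion's code): cleartext NickServ
IDENTIFY versus nonce-based challenge-response. All names are illustrative."""
import hashlib
import hmac
import os
import secrets

# Constructed sample account for the demonstration.
NICK = "alice"
PASSWORD = "correct horse battery staple"


def legacy_identify_line(password: str) -> str:
    """Legacy flow: the client's auto-identify sends the password verbatim."""
    return f"PRIVMSG NickServ :IDENTIFY {password}"


class ImpostorNickServ:
    """Someone posing as NickServ on a hijacked server: records what arrives."""

    def __init__(self) -> None:
        self.captured: list = []

    def receive(self, msg) -> str:
        self.captured.append(msg)
        return f"NOTICE {NICK} :You are now identified."  # a lie clients believe


def password_from_legacy_capture(impostor: ImpostorNickServ):
    """A captured legacy IDENTIFY line yields the password itself."""
    prefix = "PRIVMSG NickServ :IDENTIFY "
    for msg in impostor.captured:
        if isinstance(msg, str) and msg.startswith(prefix):
            return msg[len(prefix):]
    return None


def derive_key(password: str, salt: bytes) -> bytes:
    """Client and service derive the same key; only the service stores it.
    PBKDF2-HMAC-SHA256 with 100k iterations is a constructed choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ChallengeNickServ:
    """Service that receives HMAC(key, nonce), never the password."""

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.key = derive_key(password, self.salt)  # stored verifier
        self.live_nonces: set = set()

    def challenge(self) -> tuple:
        nonce = secrets.token_bytes(16)
        self.live_nonces.add(nonce)
        return self.salt, nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.live_nonces:
            return False  # unknown or already-used nonce: replays stop here
        self.live_nonces.discard(nonce)  # one attempt per nonce, pass or fail
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def demo() -> dict:
    # 1. Legacy flow: the impostor obtains the password outright.
    impostor = ImpostorNickServ()
    impostor.receive(legacy_identify_line(PASSWORD))
    legacy_leak = password_from_legacy_capture(impostor)

    # 2. Challenge-response: genuine user passes, wrong password fails.
    real = ChallengeNickServ(PASSWORD)
    salt1, nonce1 = real.challenge()
    genuine_ok = real.verify(nonce1, client_response(PASSWORD, salt1, nonce1))
    salt2, nonce2 = real.challenge()
    wrong_ok = real.verify(nonce2, client_response("hunter2", salt2, nonce2))

    # 3. An impostor issues its own challenge and captures the response, but
    #    that response is bound to the impostor's nonce: useless against the
    #    real service's fresh nonce, and a spent real nonce cannot be reused.
    cr_impostor = ImpostorNickServ()
    fake_salt, fake_nonce = os.urandom(16), secrets.token_bytes(16)
    captured = client_response(PASSWORD, fake_salt, fake_nonce)
    cr_impostor.receive(captured)
    _, fresh_nonce = real.challenge()
    replayed_ok = real.verify(fresh_nonce, captured)
    reused_ok = real.verify(nonce1, client_response(PASSWORD, salt1, nonce1))

    return {
        "legacy_leak": legacy_leak,
        "genuine_ok": genuine_ok,
        "wrong_password_rejected": not wrong_ok,
        "captured_response_useless": not replayed_ok and not reused_ok,
        "password_seen_by_cr_impostor": PASSWORD.encode() in captured,
    }
```

Two caveats a practitioner should keep in mind: the stored key on the service side is still a password-equivalent (whoever steals the services database can answer challenges; augmented schemes such as SRP exist precisely to avoid that), and an impostor can still run an offline dictionary attack against the captured response or relay the real service's challenge to the victim in real time. Challenge-response keeps the password from being disclosed by the mere act of identifying; it does not rescue a weak password or defeat a live man-in-the-middle.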
challenge authentication (Score:4, Interesting)
Re:The IRCD could have helped with some of that... (Score:2, Interesting)
Re:This is why I prefer the anarchy of efnet (Score:2, Interesting)
Re:yeah well (Score:4, Interesting)
This is compounded by the fact that due to the way Hyperion's server-hide works, it is in theory impossible for normal users to know which server another client is using, so '/msg NickServ@services.' doesn't work either.
OWNED BY BANTOWN (Score:1, Interesting)
They prolly did some social engineering on lilo or one of his fellow staff members. AGAIN.
Like the incident a while back when grog from the GNAA tricked him.
That is kinda scary though, that freenode has fallen into GNAA/Bantown traps several times.
Seriously, Should we be trusting them with projects and chats if they can't even tell when someone is playing them like a card to get their info?
Re:Bull (Score:4, Interesting)
And I don't mean to say it is OK for a kid to do this. I was answering the question "why are you a jackass?" That's why. It's not malice.
An exercise in free speech (Score:2, Interesting)
HedgeMage: We believe that 25 nickserv passwords were compromised during a limited window, but all concerned individuals are encouraged to change their nickserv passwords just in case.
HedgeMage: thanks, Astinus
HedgeMage: We'll open up the floor for questions, one at a time, in a moment. Please keep your question concise, and type it ahead of time so we can move as quickly as is practical.
[several questions, answers, and no-comments]
HedgeMage: Since most of these seem to be repeats, we're going to close for now. I'd like to reiterate that we encourage all concerned users to change passwords
[...]
Astinus: This room will go -m shortly, so ya'll can chat before we have another session.
HedgeMage: try not to get blood on the carpet
Astinus: Or we'll send in the cleaners, with pointy brooms
Astinus has removed operator privileges to HedgeMage
Astinus has de-activated the following mode : Moderated
nunsoup: DCC SEND "startkeylogger" 0 0 0
QuantumBeep: (o__o)
J: BACON
b33fc0d3: O.o
bureado hugs channel
enderst: heh
Naconkantari: ceiling cat is watching you.
WeblionX: First blood!
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
rooly: spam
rooly: spam
rooly: spam
rooly: spam
rooly: spam
jeebusmobile: wewt
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
Eidolos: omg deluge
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
DosBubba: 'Grats out to the GNAA for their newly acquired property, irc.vaccus.com #chat .
DosBubba: I would like to thank Freenode for taking the time to gather the whole of IRC, it has been our pleasure to take part in such a trolling opportunity.
DosBubba: Remember:
DosBubba: IRC was founded on the principles of trolling, and we thank Freenode from the bottom of our hearts for carrying the fine tradition into the 21st century - hopefully beyond.
bitplane: wooo
lilo has activated the following mode : Moderated
lilo has activated the following mode : Invite Only
lilo: got to love that
HedgeMage: so much for that.
Astinus: some people need to grow up
[and then the channel fell silent again]
Re:My thoughts.. (Score:3, Interesting)