Freenode Network Hijacked, Passwords Compromised?

tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."
  • You know... (Score:2, Interesting)

    by demongeek ( 977698 ) on Sunday June 25, 2006 @11:14AM (#15600563)
    There will probably be a wave of two major camps -- those who say "oh this is nothing! Look at what happens to closed-source leakages from banks, etc, ad nauseam!!1"; there will also be a wave of people who say "this is a major break and someone should be shot..." While I understand both camps' thoughts and opinions, I have a single comment: is there really an expectation (whether FOSS or Closed Source) that it should be secure?

    Granted, that person/company is probably relying on the money from ads or what have you so he hopes that things are secure. Really, though, if you don't think the service is secure, go to another one or start your own!
  • I was there. (Score:5, Interesting)

    by Avillia ( 871800 ) on Sunday June 25, 2006 @11:33AM (#15600651)
    Mass delinking.
    Mass throttling.
    Mass glining and killing.
    Mass notices of DCC SEND.
    GNAA denying fault.
    Bantown claiming fault.
    The hilarity of not being auto-removed from #wikipedia thanks to a lack of ChanServ.
    Having up to 20 variations of one person's name.
    Lilo being killed off with a hilarious message.
    And the topic wars...

    Good times.
  • by alex_vegas ( 891476 ) on Sunday June 25, 2006 @11:43AM (#15600692)
    My freenode password only exists because of channels that strive to keep out spambots, and it's 'password'. If someone is lame enough that they have nothing better to do than impersonate me on freenode, that is in itself punishment for the crime... It might be fun to impersonate twkm and give icy answers to the entire western world's obscure C questions, but in order to do that one would have to know as much obscure C crap as twkm does...
  • by kaden ( 535652 ) on Sunday June 25, 2006 @11:44AM (#15600699)
    YMMV, but IMHO, using possibly obscure acronyms ATT is a PITA, IYKWIM!!! Just write out the freaking acronyms if you're writing (or "editing") a story thousands of people will read. After all, we aren't smarter-than-thou elitists at Slashdot, are we?
  • Not Sure (Score:3, Interesting)

    by Ajehals ( 947354 ) on Sunday June 25, 2006 @11:53AM (#15600742) Journal
    I am not really bothered at the prospect of my freenode nick or password being available to someone else. Mainly as it's hardly going to do any lasting damage to me other than potentially being a little annoying. The only problem I see is that someone could theoretically impersonate me and make me look like a bit of a git, but that should be easily remedied over a short amount of time. Plus unless these username / password combinations are posted publicly and no one changes their passwords it's unlikely to happen given the number of users... Oh and anyone using an important password with their freenode account probably needs a wakeup call anyway

    It might be a bigger problem if this happened here on slashdot (someone gathering email addresses or similar would have a decent mailing list to sell - with a fairly specific target audience... but then I use a public mail address here anyway so it might actually improve the quality of spam I get...) and it would be a catastrophe if it would have been a finance related system or similar.

    On the other hand it sounds from the summary and the blog that's linked that the break of a single username / password combo from remote was the root cause of this breach. If I am accurate in my understanding and that is really the case then we need to take a long hard look at how we can change that. You should not be able to compromise a system from remote with a single set of credentials regardless of how non-sensitive (insensitive?) the system is.

    But then I'd like to see more details about what happened, when it happened (if it really happened?) what was exposed (or could have been exposed) during the attack before I take too hard a line either way.
  • by weevlos ( 766887 ) on Sunday June 25, 2006 @12:06PM (#15600783) Homepage
    In #bantown we have two EFnet server operators. As we sat there ruining freenet they were amazed how we had managed to get that far. On EFnet, oper blocks are for one specific host and all oper hosts are spoofed so you have to figure out the box that a given oper is on and root it before getting any further. lilo's host was bound to *@*, leaving his network ripe for our taking. EFnet, despite being what lilo calls a "normal IRC experience" is thousands of times safer and more stable than Freenode. The man should learn to run an IRC network before he asks people to pay him for it.
     
    PS, lilo: I still have root on a server that's on the same switch as one of your precious Freenode servers. Next we'll be arpmitm'ing and spoofing the C/N lines to link in a hacked server. I'll let you have fun running around trying to guess which one that server is.
     
    You have three days to post "I have been trolled by Bantown" on global notice.
  • Re:Good Riddance (Score:3, Interesting)

    by Doc Ruby ( 173196 ) on Sunday June 25, 2006 @12:07PM (#15600789) Homepage Journal
    What kind of auth protocol sends passwords in plaintext across the network, rather than hashing them at the client for comparison at the server? Especially among a complex 3-party auth?

    There might be a technical difference in the topology, but the insecure design is just as bad, if not worse.

    Why should NickServ have access to the clear passwords? What happens if FreeNode switches to another auth service, especially if a result of a dispute? That system is really too insecure to trust at all.
  • Trust No One (Score:4, Interesting)

    "A trusted component is one which can break the security policy."

    A truly secure system should have no trusted components. A Client's faith should never be placed in anyone except themselves, and even then, only reluctantly. Freenode had a trusted component; namely, Robert Levin's privileges. This should never have been present in the system and was simply a disaster waiting to happen.

    If you really want security you've got to accept three things. Trust No One. The Enemy Knows the System. The System Can Be Broken. If you think otherwise, you haven't got security, you've just got a fancy codec.
  • by maraist ( 68387 ) * <michael.maraistN ... m ['AMg' in gap]> on Sunday June 25, 2006 @12:07PM (#15600795) Homepage
    I'm not a big browser of IRC's, but do we honestly still use clear text passwords anywhere? I mean unless IRC is such an old service that it can't make use of any of the dozen some odd technologies that have been standardized on in the past 20 years.. come on!!
  • by Emmettfish ( 573105 ) on Sunday June 25, 2006 @12:32PM (#15600895) Homepage
    Except that both lilo *and* Diablo-D3 are both utterly and completely useless. Lilo 'runs' an IRC network that totally sucks, and Diablo-D3 hits people up for money for his 'game' that has never, ever seen the light of day. I've managed a game project before, and it died (though people recently have indicated interest in bringing it back), but you don't see me spamming for money for it. You would also never see me spamming for money for a project that produces nothing.

    When I was running Xiph.Org [xiph.org], both lilo and Diablo-D3 were spamming people for money. It's why Xiph (at least temporarily) left Freenode. Diablo-D3 waged a campaign against LinuxFund for their donations to Xiph which (did, and still does) created free and useful code for the community.

    Matter of fact, back when Freenode had 'Freenode Radio,' I had given them a ton of original music to use. They played it for a while, and then took it off the air 'under mutual agreement with the artist,' which was simply a lie -- My music is public domain. The folks that made this claim were eventually caught, fessed up and apologized for lying to me and people that listened to the station. They sucked at this, too; They played my music long after they claimed to 'take it off the air,' they were just too dumb to look at the ID tags of the files.

    Bob and Patrick are in the same boat. They're both useless, they're both stupid, they're both utterly ineffectual.

    Don't know what to tell you, really. I don't have time for IRC anymore, but if I did, I wouldn't truck with *either* of those cats. Freenode is a black hole of idiocy, and if you really want to dive into it, go ahead -- Just don't expect logic, reason or honesty to win out over egotistical mania and deception. This may be true of *all* IRC networks, but Freenode is the only one where I've seen this kind of shit go down time and time again.

    Freenode may be 'Animal Farm,' though without the Orwellian context. Lilo's just too damn stupid to play Napoleon. It's like a normal farm. Backward Farmer Bob Levin and his flock of sheep.

  • by irq ( 68200 ) on Sunday June 25, 2006 @01:21PM (#15601094)
    lilo, hi, remember me?

    What goes around, comes around.
  • Serves them right! (Score:2, Interesting)

    by onthost ( 928770 ) on Sunday June 25, 2006 @01:32PM (#15601138)
    This is the SECOND time in a month this has happened. Anyone know why? Freenode uses OPEN O:Lines, meaning they can be accessed from any user@host instead of using proper O:Lines specifying the users ident (which is useless since it can be changed) and their hostname (which is harder to spoof/use).
    Also during the whole thing lilo actually asked for donations. My question is if their servers are donated, where does the money that is donated go to? They don't pay for bandwidth, servers, anything really. Curious really.
  • by Doc Ruby ( 173196 ) on Sunday June 25, 2006 @01:35PM (#15601150) Homepage Journal
    Which is why HTTP clients tell users that such forms are insecure, right where the user is entering the password. While the HTTPS protocol is indicated to be secure by the client, because it is secure during the part of the transaction that includes the client.

    That is of course not as secure as transmitting only a hash, which can help ensure the password doesn't get exposed. But it is a lot more secure than the nearly totally insecure IRC protocol we're talking about. And therefore a lot less vulnerable, therefore more trustworthy. IRC doesn't indicate how untrustworthy is its password authentication, so the public exposure of its failure in this case is valuable, in educating users. At higher cost, and lower return, than just making the protocol use hashes instead.
  • If nickserv used some kind of challenge authentication (it sends you a random challenge, and you hash the password with it), we wouldn't have these problems. Of course, this is irc, and that might be somewhat difficult to implement.
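An added illustration of the challenge-response identify scheme this comment proposes (constructed example, not Freenode, Hyperion or NickServ code; the class and function names are hypothetical): the service stores only a per-nick salt and a derived key, hands out a one-time random nonce, and the client answers with an HMAC over that nonce, so the password never crosses the wire and a captured response cannot be replayed.

```python
import hashlib
import hmac
import os

# Constructed example: a minimal challenge-response "identify" handshake of the
# kind the comment above suggests. Not Freenode, Hyperion or NickServ code.
ITERATIONS = 100_000  # PBKDF2 work factor chosen for the demo


def derive_key(password: str, salt: bytes) -> bytes:
    """Both sides derive the same key from the password; only this key is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class NickServ:
    """Service side: holds a salt and derived key per nick, never the password."""

    def __init__(self):
        self.accounts = {}  # nick -> (salt, derived_key)
        self.pending = {}   # nick -> outstanding nonce, valid for one attempt

    def register(self, nick: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[nick] = (salt, derive_key(password, salt))

    def challenge(self, nick: str):
        """Step 1: send the client its salt and a fresh random nonce."""
        salt, _ = self.accounts[nick]
        nonce = os.urandom(16)
        self.pending[nick] = nonce
        return salt, nonce

    def identify(self, nick: str, response: bytes) -> bool:
        """Step 3: check the response; the nonce is consumed even on failure."""
        nonce = self.pending.pop(nick, None)
        if nonce is None:
            return False  # no outstanding challenge: replay or unsolicited response
        _, key = self.accounts[nick]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Step 2: prove knowledge of the password; the password itself never leaves."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()


def demo() -> dict:
    ns = NickServ()
    ns.register("alice", "correct horse battery")
    salt, nonce = ns.challenge("alice")
    resp = client_respond("correct horse battery", salt, nonce)
    genuine = ns.identify("alice", resp)   # True
    replay = ns.identify("alice", resp)    # False: nonce already consumed
    salt, nonce = ns.challenge("alice")
    wrong = ns.identify("alice", client_respond("guess", salt, nonce))  # False
    return {"genuine": genuine, "replay": replay, "wrong_password": wrong}
```

This stops password capture and replay, but not server impersonation: a fake NickServ that issues its own nonce still receives an HMAC it can attack offline with a dictionary, and one that relays the real service's nonce in real time can authenticate once, so the client also needs a way to authenticate the service (for example TLS to the server).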
  • by SailorFrag ( 231277 ) on Sunday June 25, 2006 @02:45PM (#15601408) Homepage
    I'm used to ircu, where the juped nicks are in U lines and not even opers can /nick to them, so you'd have to edit a server's config file and rehash to free up the nick. Ah well, I guess such things vary.
  • by Anonymous Coward on Sunday June 25, 2006 @03:02PM (#15601482)
    This is a dupe of "Immaturity Level Rising in Adults" http://science.slashdot.org/article.pl?sid=06/06/25/0456237 [slashdot.org].
  • Re:yeah well (Score:4, Interesting)

    by sbennett ( 448295 ) <spb.gentoo@org> on Sunday June 25, 2006 @04:16PM (#15601711)
    Unfortunately this won't work. The way Hyperion, Freenode's IRCD, is designed, server passwords not used as such get passed directly on to whoever happens to be using the nickname defined in the config as the 'identify service'. In Freenode's case, this just causes a PRIVMSG to be sent from your nick to NickServ, whichever server he happens to be using, with the identify command and password. It's no harder to hijack than a regular /msg. The same goes for the 'raw' nickserv commands, which are similarly translated to PRIVMSG.

    This is compounded by the fact that due to the way Hyperion's server-hide works, it is in theory impossible for normal users to know which server another client is using, so '/msg NickServ@services.' doesn't work either.
  • OWNED BY BANTOWN (Score:1, Interesting)

    by Anonymous Coward on Sunday June 25, 2006 @07:56PM (#15602588)
    Not a troll, but the culprits were bantown.

    They prolly did some social engineering on lilo or one of his fellow staff members. AGAIN.

    Like the incident a while back when grog from the GNAA tricked him.

    That is kinda scary though, that freenode has fallen into GNAA/Bantown traps several times.

    Seriously, should we be trusting them with projects and chats if they can't even tell when someone is playing them like a card to get their info?
  • Re:Bull (Score:4, Interesting)

    by Lord Ender ( 156273 ) on Monday June 26, 2006 @12:48AM (#15603520) Homepage
    Well, in college, I did build a CPU (on paper) at the gate level. But my point is only that a person who is highly aware of every major component of his system is going to be able to wield it more effectively than a person who does not. Building (and selecting components) makes a person more aware of the machine's capabilities and more capable of fixing failures and bottlenecks.

    And I don't mean to say it is OK for a kid to do this. I was answering the question "why are you a jackass?" That's why. It's not malice.
  • by Legal ( 643729 ) on Monday June 26, 2006 @01:03AM (#15603568)
    An excerpt from the largely uneventful briefing session on #freenode-moderated tonight about said incident (brackets are mine, intended for illumination):

    HedgeMage: We believe that 25 nickserv passwords were compromised during a limited window, but all concerned individuals are encouraged to change their nickserv passwords just in case.
    HedgeMage: thanks, Astinus
    HedgeMage: We'll open up the floor for questions, one at a time, in a moment. Please keep your question concise, and type it ahead of time so we can move as quickly as is practical.

              [several questions, answers, and no-comments]

    HedgeMage: Since most of these seem to be repeats, we're going to close for now. I'd like to reiterate that we encourage all concerned users to change passwords

              [...]

    Astinus: This room will go -m shortly, so ya'll can chat before we have another session.
    HedgeMage: try not to get blood on the carpet
    Astinus: Or we'll send in the cleaners, with pointy brooms
              Astinus has removed operator privileges to HedgeMage
              Astinus has de-activated the following mode : Moderated
    nunsoup: DCC SEND "startkeylogger" 0 0 0
    QuantumBeep: (o__o)
    J: BACON
    b33fc0d3: O.o
    bureado hugs channel
    enderst: heh
    Naconkantari: ceiling cat is watching you.
    WeblionX: First blood!
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    rooly: spam
    rooly: spam
    rooly: spam
    rooly: spam
    rooly: spam
    jeebusmobile: wewt
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    Eidolos: omg deluge
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    DosBubba: 'Grats out to the GNAA for their newly acquired property, irc.vaccus.com #chat . /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join.
    DosBubba: I would like to thank Freenode for taking the time to gather the whole of IRC, it has been our pleasure to take part in such a trolling opportunity.
    DosBubba: Remember: /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join. !startkeygen
    DosBubba: IRC was founded on the principles of trolling, and we thank Freenode from the bottom of our hearts for carrying the fine tradition into the 21st century - hopefully beyond.
    bitplane: wooo
              lilo has activated the following mode : Moderated
              lilo has activated the following mode : Invite Only
    lilo: got to love that
    HedgeMage: so much for that.
    Astinus: some people need to grow up :/

              [and then the channel fell silent again]
  • Re:My thoughts.. (Score:3, Interesting)

    by cortana ( 588495 ) <sam@robots[ ]g.uk ['.or' in gap]> on Monday June 26, 2006 @07:02AM (#15604399) Homepage
    Forgive me, I don't know anything about IRC on the server side. But this would have been prevented if the server-to-server links used SSL, right?
