Please create an account to participate in the Slashdot moderation system


Forgot your password?

Freenode Network Hijacked, Passwords Compromised? 414

tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."
This discussion has been archived. No new comments can be posted.

Freenode Network Hijacked, Passwords Compromised?

Comments Filter:
  • by Anonymous Coward on Sunday June 25, 2006 @11:10AM (#15600546)
    Even if someone hijacked it, who could ever tell the difference?
    • We had great fun with nickserv down. I was Jimbo Wales (jwales) for a while!
  • Oh no! (Score:2, Insightful)

    by Rendo ( 918276 )
    Not my fake password I use for insecure places all over the internet! What ever will I do!
    • On the internet... (Score:3, Insightful)

      by Poromenos1 ( 830658 )
      ...the insecure places are more than the secure ones. Come to think of it, if someone got my password for the insecure places, he could do almost anything posing as me :P
  • by garcia ( 6573 ) on Sunday June 25, 2006 @11:12AM (#15600554)
    Ok, seriously, who here uses an important password on Freenode (or any IRC network) for NickServ? I certainly don't. Hell, my Slashdot password is more important than the one I use on IRC and the one I use here isn't even that secure...

    I have no sympathy for someone that has an "at risk" password on IRC.
  • yeah well (Score:5, Insightful)

    by scenestar ( 828656 ) on Sunday June 25, 2006 @11:13AM (#15600555) Homepage Journal
    *Don't auto ident during connect
    *Don't use multiple passwords
    *Change password after someone got ahold of it
    *Realise that it's just a goddamn nickname
    • Re:yeah well (Score:5, Informative)

      by A.K.A_Magnet ( 860822 ) on Sunday June 25, 2006 @11:46AM (#15600709) Homepage
      *Don't auto ident during connect
      And if you auto-identify in your perform, do something like : /identify *pass* which is a server-side macro for "PRIVMSG NickServ@<services-fakeserver-hostname> :password".

      The IRC protocol allows to send messages to Nick@server (means "send a message to 'Nick' if and only if he's on 'server'"), so you can do the same with services. Then if the Nickserv nickname is hijacked, it won't matter, because the services "fake server" cannot be hijacked without knowledge of hub configuration (C/N lines) and if ever it happens, IRC admins/opers will notice (that's not something you can't miss).

      So either choose the macro (/identify) or the whole command. Or identify manually :)
      • The preferred method to identify is to send your password in the "IRC server password" field when you connect. This method is a lot more "out of band" than the rest of your transactions in the IRC protocol and cannot be hijacked short of replacing the IRCD process itself.
        • Re:yeah well (Score:4, Interesting)

          by sbennett ( 448295 ) <spb.gentoo@org> on Sunday June 25, 2006 @04:16PM (#15601711)
          Unfortunately this won't work. The way Hyperion, Freenode's IRCD, is designed, server passwords not used as such get passed directly on to whoever happens to be using the nickname defined in the config as the 'identify service'. In Freenode's case, this just causes a PRIVMSG to be sent from your nick to NickServ, whichever server he happens to be using, with the identify command and password. It's no harder to hijack than a regular /msg. The same goes for the 'raw' nickserv commands, which are similarly translated to PRIVMSG.

          This is compounded by the fact that due to the way Hyperion's server-hide works, it is in theory impossible for normal users to know which server another client is using, so '/msg NickServ@services.' doesn't work either.
    • It's not "just a goddamn nickname". It's how people on IRC identify you as you. If someone impersonates you successfully and talks to the right people, or uses some bot in your channel, all kinds of damage could be done. Suppose they convince someone to manipulate an account that you hold somewhere, because after all, they know "you". This is why nickserv exists.
  • by proudhawk ( 124895 ) <.moc.liamg. .ta. .neyo.cire.> on Sunday June 25, 2006 @11:13AM (#15600559) Journal
    I am more that familiar with ircd and security
    (having run a server network for better than 5 years).

    Rule #1, the admin password is NEVER stored in nickserv.
    anyone who does this deserves whatever it is they get!

    its better to mod the conf file and do a command rehash
    from the cli.
  • You know... (Score:2, Interesting)

    by demongeek ( 977698 )
    There will probably be a wave of two major camps -- those who say "oh this is nothing! Look at what happens to closed-source leakages from banks, etc, ad nauseum!!1"; there will also be a wave of people who say "this is a major break and someone should be shot..." While I understand both camps' thoughts and opinions, I have a single comment: is there really an expectation (whether FOSS or Closed Source) that it should be secure?

    Granted, that person/company is probably relying on the money from ads or what
  • by kaden ( 535652 ) on Sunday June 25, 2006 @11:15AM (#15600566)
    FOSS = Free and Open Source Software, in case anyone was wondering...
    • by leenks ( 906881 ) on Sunday June 25, 2006 @11:26AM (#15600618)
      You seriously felt the need to post that on Slashdot? :o
    • by Anonymous Coward
      TY. (That means 'thank you.') Since this is posted in the IT section of /. (that's slashdot, in case you were wondering), I figured I'd explain what IT stands for. It is an abbreviation of 'Information Technology,' a field that is concerned with managing network and data infrastructure within organizations.
      • YMMV, but IMHO, using possibly obscure acronyms ATT is a PITA, IYKWIM!!! Just write out the freaking acryonyms if you're writing (or "editing") a story thousands of people will read. After all, we aren't smarter-than-thou elitists at Slashdot, are we?
        • by Achra ( 846023 ) on Sunday June 25, 2006 @12:05PM (#15600778) Journal
          IANAL, but I play one on TV. I've been told to RTFM and STFU FTW.

        • by A.K.A_Magnet ( 860822 ) on Sunday June 25, 2006 @12:20PM (#15600849) Homepage
          After all, we aren't smarter-than-thou elitists at Slashdot, are we?
          Yes we are! :) And proud of it. I understand there was some irony in your comment, but it makes me think of something else.

          Something I hate on Digg is how in each thread of discussion someone feels obliged to explain everything (and how lame stories like "a super set of icons", "learning to program", etc. are posted). And why that?

          The cost of joining Digg is null. You join, you digg, you reply. That's how 14 years old are now ruling Digg (while it was originally populated with slashdotters and other tech-oriented websites readers). That's Digg so-called "democracy" (except, in democracy, one is supposed [only supposed] to be mature before voting, that's why there's a minimal age, which unfortunately cannot be implemented on Digg; something great would be "you can choose up to 20 domains of expertise, can change only one every two weeks or month, and you can vote only on stories regarding your level of expertise". Plus some incentive to only have one (1) account).

          Joining Slashdot is free, but there's a cost when you join: you're eaten alive by grammar and spelling nazis if you don't post correctly, you're eaten alive by an "expert" if you say something technically wrong, you receive negative mod points and get ignored, etc. That's why there are so many accounts and so few posters. And that's how Slashdot has been able to remain readable. I was no newbie when I first start reading Slashdot, but not being a newbie I already knew that you have to understand the subculture and the community first before participating (the same goes for IRC). So I actually registered and became myself a slashdotter years later. Most Diggers are newbies. That's why Digg is good for fresh news and lame for comments, while Slashdot is good for comments (but lame for fresh news). Because we're smarter-than-thou elitists.
  • spam (Score:5, Funny)

    by Punto ( 100573 ) <> on Sunday June 25, 2006 @11:19AM (#15600580) Homepage
    o noes, If someone got a hold of lilo's password, they could start spamming the users with useless server-wide notices nobody cares about!!1!
  • Now somebody else will be able to idle as sk8trgrl69!!!!11111one
  • by Baldrson ( 78598 ) * on Sunday June 25, 2006 @11:29AM (#15600635) Homepage Journal
    You've reached freenode, a service of Peer-Directed Projects Center (PDPC).

    But some "peers" are more "peer" than others, like Mr. Levin.

    Welcome to Animal Farm.

    • by ZoFreX ( 961960 ) on Sunday June 25, 2006 @11:39AM (#15600679)
      You may not know how right you are, I've been calling Freenode "Animal Farm" for weeks - Patrick McFarland (a.k.a. Diablo-D3) has been highlighting some of what's wrong with freenode and in doing so has become their "snowball" - he is literally blamed for everything that goes wrong on freenode, including the recent torbot attacks and no doubt this most recent one as well.
      • Except that both lilo *and* Diablo-D3 are both utterly and completely useless. Lilo 'runs' an IRC network that totally sucks, and Diablo-D3 hits people up for money for his 'game' that has never, ever seen the light of day. I've managed a game project before, and it died (though people recently have indicated interest in bringing it back), but you don't see me spamming for money for it. You would also never see me spamming for money for a project that produces nothing.

        When I was running Xiph.Org [], both lil

        • When I was running Xiph.Org, both lilo and Diablo-D3 were spamming people for money.

          OMG. Freenode sends server notices a couple times a day during fundraising season. Gasp.

          Freenode is a black hole of idiocy, and if you really want to dive into it, go ahead -- Just don't expect logic, reason or honesty to win out over egotistical mania and deception. ... Freenode may be 'Animal Farm,' though without the Orwellian context.

          Your calm, reflective tone reassures me of your cool and level-headed rationality.

  • by RobotRunAmok ( 595286 ) on Sunday June 25, 2006 @11:30AM (#15600637)

    I say we strip the DRM from all passwords! Down With Evil Password IP!!

    Who's with me?

    OK, compromise: Everytime we use your password, we promise to give you credit and link to your blog. Deal?

    Face it, until people start making passwords available for a fair price in all nations everywhere, this kind of piracy will be rampant...
  • by SailorFrag ( 231277 ) on Sunday June 25, 2006 @11:30AM (#15600638) Homepage
    As an admin on another IRC network, I'm actually quite surprised that the ircd would let someone take the nick nickserv... or at least, if it's permitted to happen, that there isn't some alternate authentication mechanism that guarantees it only goes to a legitimate recipient (i.e. /nickserv or /msg or whatever). Fortunately, my password on there is intentionally weak.

    On the other hand, I understand what it's like to have compromised servers on the IRC network. I wish them the best in their efforts to get things working smoothly again. Tracking down the culprits can be exceedingly hard and time intensive, and reloading rooted servers is never fun.
    • Assuming their nickserv handling on the server side is run the same way Bahamut does theirs...

      *serv nicknames are generally reserved through Qlines. Qlines can be used to restrict all kinds of pattern-matched nicknames, however they still allow opers to use them - this is quite intentional. If the compromised server allowed people to set up opers, it would have been trivial to oper up, remove the real services from the network, and change your nickname to *serv.

      I'm not sure how many networks have picked u
    • What you refer to is called a Q:Line, which prevents non opers or non U:Lined services from using specified nicknames. If the attacker had lilo's oper pass, then the attacker could easilly then change their nick to "NickServ", thus facilitating the compromise.
  • I was there. (Score:5, Interesting)

    by Avillia ( 871800 ) on Sunday June 25, 2006 @11:33AM (#15600651)
    Mass delinking.
    Mass throttling.
    Mass glining and killing.
    Mass notices of DCC SEND.
    GNAA denying fault.
    Bantown claiming fault.
    The hilarity of not being auto-removed from #wikipedia thanks to a lack of ChanServ.
    Having up to 20 variations of one persons name.
    Lilo being killed off with a hilarious message.
    And the topic wars...

    Good times.
  • by Anonymous Coward
    Please somebody alert the who-gives-a-shit dept.

    The much more stoid moment that will be used to summarize the gravity of the matter came when our beloved lilo was taken down:
    * lilo has quit (Killed by ratbert (die ))

    Let's all have a moments silence.

    Woah! If someone did manage to gather people's NickServ passwords, it could mean major trouble, for the victims themselves and possibly for FreeNode as well.

    Woah! I fear a deluge of angst-ridden blogs are about to swamp cyberspace.
    /me runs a

  • by supabeast! ( 84658 ) on Sunday June 25, 2006 @11:40AM (#15600684)
    "The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

    I don't think that there have been any questions about the security of anything involving IRC for a long time. Everyone with half a brain knows that IRC is a cesspool of hackers, phreakers, crackers, and script-kiddies just looking to stir up shit.
    • Re:What questions? (Score:4, Informative)

      by LoadWB ( 592248 ) * on Sunday June 25, 2006 @11:57AM (#15600755) Journal
      Pretty much why I quit IRC a number of years back. Not to be mistaken, IRC has many valuable functions and features -- beyond downloading warez and moviez -- but not for casual chat. If you know the specific channel to go to, you are most likely fine. But for the casual chatter, browse around open channels and you will invariably end up with mass invites, notices, spam, DOS, MSG/CTCP/DCC floods, and my favorite, the mIRC scripts sent via DCC.

      I only used mIRC briefly in my IRC career. It had little to no built-in protection at the time and I went back to AmIRC (Amiga.) Using WildIRC and Kuang11, AmIRC could not be beat. Later scripts for mIRC became much more solid and advanced, and I am sure the program is much better today?

      Brings back some memories, actually. Back around 1997 we used to use a simple ICMP ECHO (ping) packet with a payload of "+++ATH0". Anyone with a modem which did not follow the Hayes specification for the escape sequence (+++ followed by two seconds of "silence") would immediately hang up as the TCP/IP stack sent an ICMP ECHO RESPONSE with the same payload. Was great fun for two or three times.
  • My freenode password only exists because of channels that strive to keep out spambots, and it's 'password'. If someone is lame enough that they have nothing better to do than impersonate me on freenode, that is in itself punishment for the crime... It might be fun to impersonate twkm and give icy answers to the entire western worlds obscure C questions, but in order to do that one would have to know as much obscure C crap as twkm does...
  • by Shoten ( 260439 ) on Sunday June 25, 2006 @11:43AM (#15600693)
    I don't understand why there would be any greater implications from this event than any other. All kinds of organizations have been compromised; this is far from news, and just another example of why most security experts recommend a "multi-tiered" password scheme for users. A set of passwords, of varying importance...for the most critical things, a longer and stronger password, another middle-level password to use at other sites of lesser importance (like webmail) and a throwaway password for things that don't matter to you so much. Best of all, use unique passwords for the high-importance site, if you use something like Password Safe [] for Windows, KeePass [] for Linux, or Keyring [] for PalmOS to keep track of them securely.
  • Not Sure (Score:3, Interesting)

    by Ajehals ( 947354 ) <> on Sunday June 25, 2006 @11:53AM (#15600742) Homepage Journal
    I am not really bothered at the prospect of my freenode nick or password being available to someone else. Mainly as its hardly going to do any lasting damage to me other than potentially being a little annoying. The only problem I see is that someone could theoretically impersonate me and make me look like a bit of a git, but that should be easily remedied over a short amount of time. Plus unless these username / password combinations are posted publicly and no one changes their passwords its unlikely to happen given the number of users... Oh and anyone using an important password with their freenode account probably needs a wakeup call anyway

    It might be a bigger problem if this happened here on slashdot (someone gathering email addresses or similar would have a decent mailing list to sell - with a fairly specific target audience... but then I use a public mail address here anyway so it might actually imporve the quality of spam I get...) and it would be a catastrophe if it would have been a finance related system or similar.

    On the other hand it sounds from the summary and the blog thats linked that the break of a single username / password combo from remote was the root cause of this breach. If I am accurate in my understanding and that is really the case then we need to take a long hard look at how we can change that. You should not be able to compromise a system from remote with a single set of credentials regardless of how non-sensitive (insensitive?) the system is.

    But then I'd like to see more details about what happened, when it happened (if it really happened?) what was exposed (or could have been exposed) during the attack before I take too hard a line either way.
    • I'm a little worried as I have ops in a few channels. And the security is going to change. I know that one of the staffers is going to push for host based O-line privs for all staffers as that seems to have been the way in. There are many channels and many ops in those channels so even if freenode staffers have recovered all their access rights that doesn't mean that some others with ops in some channels haven't been taken to be used later.
  • by me22 ( 984903 ) on Sunday June 25, 2006 @11:59AM (#15600763)

    It says "the passwords of many users may have been compromised by someone posing as NickServ".

    This doesn't mean that someone found a plaintext list of all the passwords. If you want to find out if there even is one, then download the source code for hyperion and look for yourself.

    What it does suggest is that someone /nick'ed to NickServ and consequently could see all the passwords of people joining then they were /msd'ed.

  • by dmd ( 404 ) <dmd@3e.FREEBSDorg minus bsd> on Sunday June 25, 2006 @12:03PM (#15600773) Homepage
    Nobody should be using the same password on ANY two sites. You have no control over what the remote side is doing with your password.

    Use something like [] to generate your passwords instead, and you only have to remember one thing, but your password is different on every site.
  • "A trusted component is one which can break the security policy."

    A truely secure system should have no trusted components. A Client's faith should never be placed in anyone expect themselves, and even then, only reluctantly. Freenode had a trusted component; namely, Robert Levin's privilages. This should never have been present in the system and was simlpy a disaster waiting to happen.

    If you really want security you've got to accept three things. Trust No One. The Enemy Knows the System. The System Can Be Broken. If you think otherwise, you haven't got security, you've just got a fancy codec.
    • Freenode had a trusted component; namely, Robert Levin's privilages. This should never have been present in the system and was simlpy a disaster waiting to happen.

      My web server has a trusted component too, it's my root login. Obviously this should never have been present in the system and is simply a disaster waiting to happen. Only one problem: If I remove it, how am I supposed to administer my computer?

      I mean, SOMEBODY needs to have the permissions to administer the darned network, or the network isn't g

  • by maraist ( 68387 ) * <michael.maraistN ... .com ['pam' in g> on Sunday June 25, 2006 @12:07PM (#15600795) Homepage
    I'm not a big browser of IRC's, but do we honestly still use clear text passwords anywhere? I mean unless IRC is such an old service that it can't make use of any of the dozen some odd technologies that have been standardized on in the past 20 years.. come on!!
    • It is, and it can't.

      Well, if you'd read the fine summary (maybe if you'd UNDERSTOOD the fine summary, I guess you read it) you'd know that it does not store the passwords in the clear but that someone logged on to impersonate the authentication service, which recieves passwords sent in the clear. But there's really not too much you can do about that, even when you have a secure connection. It's like someone who replaces the CGI script on your log-in page to capture everyone's <input type="password"> s

  • WTF (Score:4, Insightful)

    by Anonymous Coward on Sunday June 25, 2006 @12:11PM (#15600806)
    If this had happened to a Microsoft Server the comments would be off the wall about how this PROVES BEYOND DOUBT THAT WINDOWS REALLY SUCKS. (Bold characters intended to fool moderation drones). The hypocrisy on Slashdot is incredible.

    • Re:WTF (Score:3, Insightful)

      I don't know what you're talking about. Everybody is out here in force talking about how bad Freenode is. All the posts I've seen are negative. No one has said that Freenode has a good design, and people are talking about it's faults.

      There's no hypocrisy here. People are using the same standards of stupid security on Win32 as they are on Freenode. You're an idiot looking to score apologist points.
  • IRC4Life!

    Also, back in the day, on Dalnet one could use /quote nickserv identify [passwd] or on most clients just /nickserv identify [passwd]

    I'm not certain if this is done on Freenode, but it helped prevent passwords from being hijacked via situations like this or a simple typo.

  • Uh oh. (Score:5, Funny)

    by SwartKrans ( 758994 ) on Sunday June 25, 2006 @01:03PM (#15601019) Homepage
    Oh no! Someone stole my Freenode password! Now they can login and have no control over anything!
  • My thoughts.. (Score:4, Insightful)

    by paulmer2003 ( 922657 ) on Sunday June 25, 2006 @01:09PM (#15601046)
    People should not use /msg nickserv pass on connect. They should be using scripts that check that nickserv is on a certain server (, services.* etc etc) and its hostname matches.The IRC server should also have *serv juped/qlined so nobody can set their nick to *serv.
    Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking.
    What im wondering is, WHY THE FUCK ISNT HIS O:LINE IP RESTRICTED? Did he use one password for both the ircd ssh and his operline (if they were the same hacker could add himself a oline or add his ip to his oline..)? Either way, hes a moron.
    The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."
    Not really. If he had his shit setup correctly this would have never happened in the first place.
    • Re:My thoughts.. (Score:5, Informative)

      by nenolod ( 546272 ) <> on Sunday June 25, 2006 @10:09PM (#15603054) Homepage
      Hi! I used to be freenode staff, and I figured I would comment on this.

      You obviously have no idea how freenode's infrastructure is managed -- the infrastucture isn't a land of ZOMG I BOUGHT SHELLZ FROM SHELLFX.NET garbage. Most of these servers exist solely to host freenode, do not use ssh passwords (instead private keys are used), and do not use the same passwords as lilo's o:line password.

      The fact is that they rooted servers close to freenode servers (i.e., on the same switch); then used ettercap to sniff o:line passwords. This was exacerbated by the fact that o:lines are (NOT masked *@*, but masked ?=levin@*), so basically all that had to be done was use the username levin, and boom you're opered up.

      That is what the issue is, the o:lines are insecure masked. Nothing more.

      HOWEVER, since they were sniffing, it is possible that they may have lifted services passwords as well -- people should probably change them. Then again, how do you know that they still aren't sniffing. Quite simply, nobody except the people behind this know.

      Also, the group freenode is dealing with is known as Bantown, which has a reputation of causing whatever hell they wish wherever they feel like doing so. So no, none of what you said is truly relevant, as this group is a tad more unpleasant than the GNAA is. Infact the GNAA is a bunch of nice guys in comparison to Bantown.
      • Re:My thoughts.. (Score:3, Interesting)

        by cortana ( 588495 )
        Forgive me, I don't know anything about IRC on the server side. But this would have been prevented if the server-to-server links used SSL, right?
  • If nickserv used some kind of challenge authentication (it sends you a random challenge, and you hash the password with it), we wouldn't have these problems. Of course, this is irc, and that might be somwehat difficult to implement.
  • by RotJ ( 771744 ) on Sunday June 25, 2006 @03:27PM (#15601574) Journal
    [01:26] -lilo- [Global Notice] Hi all. We just experienced a brief outage between our US and EU hubs....we're investigating. Apologies for the difficulties, and thank you for your patience.
    [01:28] -lilo- [Global Notice] We're told that the service interruption affected EFNet as the absence of further problems, we'll pass you any information we receive on wallops (/mode yournick +w)....thanks!
    [23:44] -ratbert- [Global notice] I am a fat asshole, who loves abuse, die
    [23:44] -ratbert- DCC SEND YOUAREALLJUDENLOL
    [01:07] -lilo- [Global Notice] Hi all. As you may be aware, freenode has experienced a crack attack and we're working on tracking down the details. At this point, we cannot guarantee that more problems will not occur.
  • by Anonymous Coward on Sunday June 25, 2006 @03:35PM (#15601592) []
    Unfortunately he's still at large.
  • by TheoMurpse ( 729043 ) on Monday June 26, 2006 @12:20PM (#15606208) Homepage
    What the hell is a "news" page for on [] if you're not going to put, "WARNING: Do not identify with a password on IRC right now!!" on the page. The last news posted is from early May!

The absence of labels [in ECL] is probably a good thing. -- T. Cheatham