Freenode Network Hijacked, Passwords Compromised?

tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

This is why I prefer the anarchy of efnet

Even if someone hijacked it, who could ever tell the difference?

Re:This is why I prefer the anarchy of efnet

Have you ever been 15? Everything is a game. Especially everything on the computer. 0wning this guy's chat server feels about the same as making a slam dunk right over a bigger defender's head, then joking about his mother. Just a game.

At that age, kids have never had responsability, and so are unable to feel empathy for those who they are harming.

I was an ornry teenager once, too. I recall sending ATH0 pings, sending OOB packets, mounting unprotected file shares, and feeling a thrill every time I one-upped these older, smarter people. The internet was just a Nintendo game to me.

This kid, like the others, is no more of a jackass than any other kid his age. He will just grow out of it with time, like everyone else.

Re:This is why I prefer the anarchy of efnet

At that age, kids have never had responsability, and so are unable to feel empathy for those who they are harming.

Having responsibility and being able to feel empathy are two orthogonal things (their are plenty people with lots of responsibility and little or no empathy). And the ability to feel empathy (and to act upon it to a certain degree) comes a lot earlier than the age 15 for most people.

This kid, like the others, is no more of a jackass than any other kid his age.

What kind of silly overgeneralization is this? At 15, there were quite a few kids my age who weren't such assholes, and there were also some others who were. The latter were by far a minority in my case, although of course bullies always manage to get some following among the less strong-willed. I would at least never describe this sort of behaviour as "normal".

He will just grow out of it with time, like everyone else.

Probably, but not necessarily. Some people remain assholes all their life.

Re:Bull

Well, in college, I did build a CPU (on paper) at the gate level. But my point is only that a person who is highly aware of every major component of his system is going to be able to wield it more effectively than a person who does not. Building (and selecting components) makes a person more aware of the machine's capabilities and more capable of fixing failures and bottlenecks.

And I don't mean to say it is OK for a kid to do this. I was answering the question "why are you a jackass?" That's why. It's not malice.

Re:This is why I prefer the anarchy of efnet

I bet there are non 15 years old people who can bring down Freenode to its knees in 5 minutes of time. I bet they hate lilo too.

Thing is they WON'T do such a thing since Freenode is home of many open source projects including stuff Slashdot runs on.

It is more like locking down a ER department for fun.

Re:This is why I prefer the anarchy of efnet

So, you consider yourself a hacker but you have a LiveJournal?!

Re:This is why I prefer the anarchy of efnet

And it is the type of people like YOU that piss me off. "All hackers write viruses break stuff omgwtf." Chill out. I have found many security flaws, and reported them to the proper authorities. (Fashion Bug...ie, Charming Enterprises) Making it public like this is wrong, but it should have been done on a 1 to 1 basis. People DO listen when things like this may be compromised...

Re:This is why I prefer the anarchy of efnet

In that case you are a hacker in the original sense of the word - a competent professional who Gets Things Done.

The OP was complaining about "hackers" in the ZOMG HOLLYWOOD!! sense of the word, usually people who want the thrill of Beating The Man without actually having to do anything dangerous, like getting off their seats.

Re:This is why I prefer the anarchy of efnet

No, it's idiots from Hollywood stealing our word and our name for nothing but an attempt to squash yet another penny from Joe Sixpack and soccer moms.
Bill's henchmen waging a rabid campaign against us don't help, too.

And remember: being a hacker doesn't mean you exploit security holes (for good or ill). It means that you employ a certain approach to programming/doing sysadmin tasks/solving physics problems/etc.

Just because a majority of the mindless part of the society fails to understand a word, the word doesn't change its meaning.

Re:This is why I prefer the anarchy of efnet

Words mean whatever people say they mean. It's the very definition of 'tautology'.

This is simply false. Words have an important historical usage context which is not discarded simply because one generation makes the mistake of listening to one badly educated entertainer. I'm not sure where this myth comes from, exactly, but I know not one single linguist who falls short of disgust for the legion of armchair quarterbacks professing this supposed deep understanding of the nature of the lexicon without ever having taken a linguistics class.

Grandparent is, in fact, correct. Words do not change simply because 1/4 of the population is a bunch of douchebags who don't know how to crack a book. When you're 50 and you watch these mistakes melt away in favor of the next generation's crop of errors, and begin to realize that these "changes" are impermanent, because they're merely errors, perhaps you'll begin to understand.

Linguistics is a science with a statistical and mathematical underpinning. Please do not further comment on its nature until you have at least a passing familiarity therewith, thank you.

Re:This is why I prefer the anarchy of efnet

It's not "idiots from Hollywood" taking "our" name. It's the majority of the population using the word in a certain way.

Just because a majority of the mindless part of the society fails to understand a word, the word doesn't change its meaning.

In short, yes, it does.

I agree. But, some parts of the language are always in flux: "LOL" becomes "roflmfao" or "zomg rofl", "elite hacker" becomes "leet hax0r" becomes "31337 h4x0rz", "Own" -> "0wn" -> "p0wn3d", "crap" -> "gay" -> "ghey", the list goes on. You know this stuff is always going to be in flux, because it's mostly people from the younger generation who use language alone to make them sound cool.

In general, I acknowledge that both "convoluted cogitations" and "r0x0r your b0x0rs" are as correct as the English I'm using.

But, there are a few evoutions (bastardizations) of English that bother me a lot. One is misuse of apostrophies. It's not that hard -- "it's" means "it is". If you can replace "it's" with "it is", use an apostrophie. If you can replace "its" with "your" and have the sentence still make sense, don't use an apostrophie.

Another is the misuse of the word "hacker". Most of the time, when language evolves, the original meaning is not lost -- for instance, it's ok to use "shredder" to refer to a snowboarder, because most people won't be confused when you talk about the "shredder" that sits over a trash can and destroys documents. The problem is that while people haven't forgotten that "to hack" can also mean "to chop", people who know about the Hollywood Hacker will have completely forgotten about the MIT hacker and the Perl hacker. And we don't really have a better word for either of those.

Really. Replacing the MIT hacker with the word "prankster" is akin to replacing the Perl hacker with the word "coder". It doesn't do justice -- hackers are fundamentally different than most "programmers" or "coders". Hackers are neither software engineers nor codemonkies, though they may act as one for work.

I don't think nearly as much is lost when you replace "hacked in" with "broke in", or "hacker" with "cracker".

I don't often evangelize, as much as I love Mac/Linux. I realize that even if I'm 100% right and Windows is utter crap, nothing I say beyond explaining what Linux is (to those who don't know what an OS is) will make them switch. But the Hollywood Hacker is something I take personal offense at. I frequently call myself a hacker and clarify the term shortly after -- "What you call a 'hacker' is really a 'cracker'. The word 'hacker' has to do with a specific kind of clever programmer, and how the same cleverness can apply to other things."

Its as much a true mistake of language as the first word of this sentence.

Re:This is why I prefer the anarchy of efnet

No, it's "hackers" in the sense of the world that the vast majority of the world's population refers to it

By that rule, the screen is "the computer", the big box to the side is "the hard drive", and the thing you stick CDs in is "the cup holder" :-/

Oh no!

Not my fake password I use for insecure places all over the internet! What ever will I do!

Password on IRC and you're worried?

Ok, seriously, who here uses an important password on Freenode (or any IRC network) for NickServ? I certainly don't. Hell, my Slashdot password is more important than the one I use on IRC and the one I use here isn't even that secure...

I have no sympathy for someone that has an "at risk" password on IRC.

yeah well

*Don't auto ident during connect
*Don't use multiple passwords
*Change password after someone got ahold of it
*Realise that it's just a goddamn nickname

Re:yeah well

*Don't auto ident during connect

And if you auto-identify in your perform, do something like : /identify *pass* which is a server-side macro for "PRIVMSG NickServ@<services-fakeserver-hostname> :password".

The IRC protocol allows to send messages to Nick@server (means "send a message to 'Nick' if and only if he's on 'server'"), so you can do the same with services. Then if the Nickserv nickname is hijacked, it won't matter, because the services "fake server" cannot be hijacked without knowledge of hub configuration (C/N lines) and if ever it happens, IRC admins/opers will notice (that's not something you can't miss).

So either choose the macro (/identify) or the whole command. Or identify manually :)

Re:yeah well

Unfortunately this won't work. The way Hyperion, Freenode's IRCD, is designed, server passwords not used as such get passed directly on to whoever happens to be using the nickname defined in the config as the 'identify service'. In Freenode's case, this just causes a PRIVMSG to be sent from your nick to NickServ, whichever server he happens to be using, with the identify command and password. It's no harder to hijack than a regular /msg. The same goes for the 'raw' nickserv commands, which are similarly translated to PRIVMSG.

This is compounded by the fact that due to the way Hyperion's server-hide works, it is in theory impossible for normal users to know which server another client is using, so '/msg NickServ@services.' doesn't work either.

ircd's and security

I am more that familiar with ircd and security
(having run a server network for better than 5 years).

Rule #1, the admin password is NEVER stored in nickserv.
anyone who does this deserves whatever it is they get!

its better to mod the conf file and do a command rehash
from the cli.

Re:ircd's and security

Rule #2: any important administrative tasks should be done via SSH in the first place, even for IRC.

You know...

There will probably be a wave of two major camps -- those who say "oh this is nothing! Look at what happens to closed-source leakages from banks, etc, ad nauseum!!1"; there will also be a wave of people who say "this is a major break and someone should be shot..." While I understand both camps' thoughts and opinions, I have a single comment: is there really an expectation (whether FOSS or Closed Source) that it should be secure?

Granted, that person/company is probably relying on the money from ads or what have you so he hopes that things are secure. Really, though, if you don't think the service is secure, go to another one or start your own!

Explaining the jargon...

FOSS = Free and Open Source Software, in case anyone was wondering...

Re:Explaining the jargon...

You seriously felt the need to post that on Slashdot? :o

Re:Explaining the jargon...

Slashdot is a popular technology-news website that can be found at slashdot.org. Just incase anyone was wondering.

Re:Explaining the jargon...

This really should have been moded informative, people need to work on their sense of meta-humour. =\

Re:Explaining the jargon...

IANAL, but I play one on TV. I've been told to RTFM and STFU FTW.

OMGWTFBBQ.

Re:Explaining the jargon...

After all, we aren't smarter-than-thou elitists at Slashdot, are we?

Yes we are! :) And proud of it. I understand there was some irony in your comment, but it makes me think of something else.

Something I hate on Digg is how in each thread of discussion someone feels obliged to explain everything (and how lame stories like "a super set of icons", "learning to program", etc. are posted). And why that?

The cost of joining Digg is null. You join, you digg, you reply. That's how 14 years old are now ruling Digg (while it was originally populated with slashdotters and other tech-oriented websites readers). That's Digg so-called "democracy" (except, in democracy, one is supposed [only supposed] to be mature before voting, that's why there's a minimal age, which unfortunately cannot be implemented on Digg; something great would be "you can choose up to 20 domains of expertise, can change only one every two weeks or month, and you can vote only on stories regarding your level of expertise". Plus some incentive to only have one (1) account).

Joining Slashdot is free, but there's a cost when you join: you're eaten alive by grammar and spelling nazis if you don't post correctly, you're eaten alive by an "expert" if you say something technically wrong, you receive negative mod points and get ignored, etc. That's why there are so many accounts and so few posters. And that's how Slashdot has been able to remain readable. I was no newbie when I first start reading Slashdot, but not being a newbie I already knew that you have to understand the subculture and the community first before participating (the same goes for IRC). So I actually registered and became myself a slashdotter years later. Most Diggers are newbies. That's why Digg is good for fresh news and lame for comments, while Slashdot is good for comments (but lame for fresh news). Because we're smarter-than-thou elitists.

spam

o noes, If someone got a hold of lilo's password, they could start spamming the users with useless server-wide notices nobody cares about!!1!

Oh noes! Got my password?!

Now somebody else will be able to idle as sk8trgrl69!!!!11111one

So Levin is just another "peer"?

You've reached freenode, a service of Peer-Directed Projects Center (PDPC).

But some "peers" are more "peer" than others, like Mr. Levin.

Welcome to Animal Farm.

Re:So Levin is just another "peer"?

You may not know how right you are, I've been calling Freenode "Animal Farm" for weeks - Patrick McFarland (a.k.a. Diablo-D3) has been highlighting some of what's wrong with freenode and in doing so has become their "snowball" - he is literally blamed for everything that goes wrong on freenode, including the recent torbot attacks and no doubt this most recent one as well.

But I Thought Information WANTED to Be Free?

D00d...?

I say we strip the DRM from all passwords! Down With Evil Password IP!!

Who's with me?

OK, compromise: Everytime we use your password, we promise to give you credit and link to your blog. Deal?

Face it, until people start making passwords available for a fair price in all nations everywhere, this kind of piracy will be rampant...

The IRCD could have helped with some of that...

As an admin on another IRC network, I'm actually quite surprised that the ircd would let someone take the nick nickserv... or at least, if it's permitted to happen, that there isn't some alternate authentication mechanism that guarantees it only goes to a legitimate recipient (i.e. /nickserv or /msg nickserv@services.ircnetwork.net or whatever). Fortunately, my password on there is intentionally weak.

On the other hand, I understand what it's like to have compromised servers on the IRC network. I wish them the best in their efforts to get things working smoothly again. Tracking down the culprits can be exceedingly hard and time intensive, and reloading rooted servers is never fun.

uhh

Since when does any administrator have actual access to anyones password? I can see them having the ability to change their password to something else.. but comon. Shouldn't / wouldn't these be encrypted and only accessable remotely?

I was there.

Mass delinking.
Mass throttling.
Mass glining and killing.
Mass notices of DCC SEND.
GNAA denying fault.
Bantown claiming fault.
The hilarity of not being auto-removed from #wikipedia thanks to a lack of ChanServ.
Having up to 20 variations of one persons name.
Lilo being killed off with a hilarious message.
And the topic wars...

Good times.

Good Riddance

The largest FOSS IRC network stores all its user passwords in plaintext, not a hash against which incoming passwords can be checked? Its superuser could look at any password they wanted?

It's a good think that firetrap finally collapsed publicly. It should have happened much earlier, before its loss damaged so many people.

Re:Good Riddance

I was going to suggest something along those lines, but if you think about it... if the services database were compromised, even if there's hashing, then everyone's passwords might get out anyway. I don't think anything actually implied that they're stored plaintext.

I hope not, at least.

Re:Good Riddance

I'm pretty sure the idea is that they replaced NickServ with something else that intercepts the passwords when users tried to identify.

My password for everything is password who cares

Most just isnt that important

from the hope-your-password-wasn't-important dept?

Please somebody alert the who-gives-a-shit dept.

The much more stoid moment that will be used to summarize the gravity of the matter came when our beloved lilo was taken down:
* lilo has quit (Killed by ratbert (die ))

Let's all have a moments silence.

Woah! If someone did manage to gather people's NickServ passwords, it could mean major trouble, for the victims themselves and possibly for FreeNode as well.

Woah! I fear a deluge of angst-ridden blogs are about to swamp cyberspace.
/me runs away

What questions?

"The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

I don't think that there have been any questions about the security of anything involving IRC for a long time. Everyone with half a brain knows that IRC is a cesspool of hackers, phreakers, crackers, and script-kiddies just looking to stir up shit.

Re:What questions?

Pretty much why I quit IRC a number of years back. Not to be mistaken, IRC has many valuable functions and features -- beyond downloading warez and moviez -- but not for casual chat. If you know the specific channel to go to, you are most likely fine. But for the casual chatter, browse around open channels and you will invariably end up with mass invites, notices, spam, DOS, MSG/CTCP/DCC floods, and my favorite, the mIRC scripts sent via DCC.

I only used mIRC briefly in my IRC career. It had little to no built-in protection at the time and I went back to AmIRC (Amiga.) Using WildIRC and Kuang11, AmIRC could not be beat. Later scripts for mIRC became much more solid and advanced, and I am sure the program is much better today?

Brings back some memories, actually. Back around 1997 we used to use a simple ICMP ECHO (ping) packet with a payload of "+++ATH0". Anyone with a modem which did not follow the Hayes specification for the escape sequence (+++ followed by two seconds of "silence") would immediately hang up as the TCP/IP stack sent an ICMP ECHO RESPONSE with the same payload. Was great fun for two or three times.

I'm with the 'who cares' camp

My freenode password only exists because of channels that strive to keep out spambots, and it's 'password'. If someone is lame enough that they have nothing better to do than impersonate me on freenode, that is in itself punishment for the crime... It might be fun to impersonate twkm and give icy answers to the entire western worlds obscure C questions, but in order to do that one would have to know as much obscure C crap as twkm does...

Nothing new here, move along...

I don't understand why there would be any greater implications from this event than any other. All kinds of organizations have been compromised; this is far from news, and just another example of why most security experts recommend a "multi-tiered" password scheme for users. A set of passwords, of varying importance...for the most critical things, a longer and stronger password, another middle-level password to use at other sites of lesser importance (like webmail) and a throwaway password for things that don't matter to you so much. Best of all, use unique passwords for the high-importance site, if you use something like