Freenode Network Hijacked, Passwords Compromised? 414
tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."
This is why I prefer the anarchy of efnet (Score:5, Funny)
Re:This is why I prefer the anarchy of efnet (Score:3, Funny)
Re:This is why I prefer the anarchy of efnet (Score:3, Insightful)
Why are you a jackass?
Re:This is why I prefer the anarchy of efnet (Score:5, Insightful)
At that age, kids have never had responsibility, and so are unable to feel empathy for those whom they are harming.
I was an ornery teenager once, too. I recall sending ATH0 pings, sending OOB packets, mounting unprotected file shares, and feeling a thrill every time I one-upped these older, smarter people. The internet was just a Nintendo game to me.
This kid, like the others, is no more of a jackass than any other kid his age. He will just grow out of it with time, like everyone else.
Re:This is why I prefer the anarchy of efnet (Score:5, Insightful)
Having responsibility and being able to feel empathy are two orthogonal things (there are plenty of people with lots of responsibility and little or no empathy). And the ability to feel empathy (and to act upon it to a certain degree) comes a lot earlier than the age of 15 for most people.
What kind of silly overgeneralization is this? At 15, there were quite a few kids my age who weren't such assholes, and there were also some others who were. The latter were by far a minority in my case, although of course bullies always manage to get some following among the less strong-willed. I would at least never describe this sort of behaviour as "normal".
Probably, but not necessarily. Some people remain assholes all their life.
Re:This is why I prefer the anarchy of efnet (Score:4, Insightful)
Thing is they WON'T do such a thing since Freenode is home of many open source projects including stuff Slashdot runs on.
It is more like locking down a ER department for fun.
Re:Bull (Score:4, Interesting)
And I don't mean to say it is OK for a kid to do this. I was answering the question "why are you a jackass?" That's why. It's not malice.
Re:This is why I prefer the anarchy of efnet (Score:3, Informative)
The first step is fine. The second step might even be okay.
The third step renders you essentially unemployable, should your employer find out.
Re:This is why I prefer the anarchy of efnet (Score:3, Insightful)
Or what? You'll attack FreeNode further?
Wow. Big deal. A chat service populated by geeks mostly working on open source projects, some of which I bet you use. It ain't big, it ain't clever, and about the most serious effect it'll have will be to annoy some people who will use some other method to communicate for a while. At least until either FreeNode recovers or we all migrate somewhere else.
Seriously. Of all the amazing
Re:This is why I prefer the anarchy of efnet (Score:5, Funny)
Re:This is why I prefer the anarchy of efnet (Score:4, Insightful)
Re:This is why I prefer the anarchy of efnet (Score:5, Insightful)
In that case you are a hacker in the original sense of the word - a competent professional who Gets Things Done.
The OP was complaining about "hackers" in the ZOMG HOLLYWOOD!! sense of the word, usually people who want the thrill of Beating The Man without actually having to do anything dangerous, like getting off their seats.
Re:This is why I prefer the anarchy of efnet (Score:5, Insightful)
Bill's henchmen waging a rabid campaign against us don't help, too.
And remember: being a hacker doesn't mean you exploit security holes (for good or ill). It means that you employ a certain approach to programming/doing sysadmin tasks/solving physics problems/etc.
Just because a majority of the mindless part of the society fails to understand a word, the word doesn't change its meaning.
Re:This is why I prefer the anarchy of efnet (Score:3, Insightful)
Re:This is why I prefer the anarchy of efnet (Score:4, Insightful)
This is simply false. Words have an important historical usage context which is not discarded simply because one generation makes the mistake of listening to one badly educated entertainer. I'm not sure where this myth comes from, exactly, but I know not one single linguist who falls short of disgust for the legion of armchair quarterbacks professing this supposed deep understanding of the nature of the lexicon without ever having taken a linguistics class.
Grandparent is, in fact, correct. Words do not change simply because 1/4 of the population is a bunch of douchebags who don't know how to crack a book. When you're 50 and you watch these mistakes melt away in favor of the next generation's crop of errors, and begin to realize that these "changes" are impermanent, because they're merely errors, perhaps you'll begin to understand.
Linguistics is a science with a statistical and mathematical underpinning. Please do not further comment on its nature until you have at least a passing familiarity therewith, thank you.
Re:This is why I prefer the anarchy of efnet (Score:4, Insightful)
I agree. But, some parts of the language are always in flux: "LOL" becomes "roflmfao" or "zomg rofl", "elite hacker" becomes "leet hax0r" becomes "31337 h4x0rz", "Own" -> "0wn" -> "p0wn3d", "crap" -> "gay" -> "ghey", the list goes on. You know this stuff is always going to be in flux, because it's mostly people from the younger generation who use language alone to make them sound cool.
In general, I acknowledge that both "convoluted cogitations" and "r0x0r your b0x0rs" are as correct as the English I'm using.
But, there are a few evolutions (bastardizations) of English that bother me a lot. One is misuse of apostrophes. It's not that hard -- "it's" means "it is". If you can replace "it's" with "it is", use an apostrophe. If you can replace "its" with "your" and have the sentence still make sense, don't use an apostrophe.
Another is the misuse of the word "hacker". Most of the time, when language evolves, the original meaning is not lost -- for instance, it's ok to use "shredder" to refer to a snowboarder, because most people won't be confused when you talk about the "shredder" that sits over a trash can and destroys documents. The problem is that while people haven't forgotten that "to hack" can also mean "to chop", people who know about the Hollywood Hacker will have completely forgotten about the MIT hacker and the Perl hacker. And we don't really have a better word for either of those.
Really. Replacing the MIT hacker with the word "prankster" is akin to replacing the Perl hacker with the word "coder". It doesn't do justice -- hackers are fundamentally different than most "programmers" or "coders". Hackers are neither software engineers nor code monkeys, though they may act as one for work.
I don't think nearly as much is lost when you replace "hacked in" with "broke in", or "hacker" with "cracker".
I don't often evangelize, as much as I love Mac/Linux. I realize that even if I'm 100% right and Windows is utter crap, nothing I say beyond explaining what Linux is (to those who don't know what an OS is) will make them switch. But the Hollywood Hacker is something I take personal offense at. I frequently call myself a hacker and clarify the term shortly after -- "What you call a 'hacker' is really a 'cracker'. The word 'hacker' has to do with a specific kind of clever programmer, and how the same cleverness can apply to other things."
Its as much a true mistake of language as the first word of this sentence.
Re:This is why I prefer the anarchy of efnet (Score:5, Insightful)
Re:This is why I prefer the anarchy of efnet (Score:3, Informative)
Mmm hmm. Fusion bombs aren't nuclear because most people are too stupid to know the difference. Irony isn't cruel happenstance because most people are too stupid to know the difference. Translucent doesn't mean partially transparent just because most people are too stupid to know the difference.
This word doesn't change because of popular dumb either. Descriptivists are apologists who don't understa
Oh no! (Score:2, Insightful)
On the internet... (Score:3, Insightful)
Password on IRC and you're worried? (Score:5, Insightful)
I have no sympathy for someone that has an "at risk" password on IRC.
Re:Password on IRC and you're worried? (Score:3, Funny)
Re:Password on IRC and you're worried? (Score:3, Informative)
Re:Password on IRC and you're worried? (Score:3, Informative)
yeah well (Score:5, Insightful)
*Don't use multiple passwords
*Change password after someone got ahold of it
*Realise that it's just a goddamn nickname
Re:yeah well (Score:5, Informative)
The IRC protocol allows sending messages to Nick@server (meaning "send a message to 'Nick' if and only if he's on 'server'"), so you can do the same with services. Then if the NickServ nickname is hijacked, it won't matter, because the services "fake server" cannot be hijacked without knowledge of the hub configuration (C/N lines), and if it ever happens, IRC admins/opers will notice (that's not something you can miss).
So either choose the macro (/identify) or the whole command. Or identify manually
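The point of the post above is that the client should not answer whatever happens to be called "NickServ"; it should check where the message actually comes from. The following is an added example (not from the original post or from freenode) of the receiving side of that idea: a small IRC line parser that only treats a NOTICE as a genuine IDENTIFY prompt when the sender's prefix carries both the NickServ nick and the services pseudo-server's hostname. The hostname `services.`, the sample lines and the function names are assumptions constructed for the example.

```python
"""Decide whether an incoming IRC NOTICE really comes from network services
before a client reacts to it (e.g. by auto-sending an IDENTIFY password).

Added example, not freenode's or any client's own code. The services host
'services.' and the sample lines below are constructed assumptions."""
import re
from typing import NamedTuple, Optional

# Hostname the network's services pseudo-server is assumed to present in
# the prefix of messages it sends. A user who merely /nick'ed to NickServ
# would show their own user@host here instead.
EXPECTED_SERVICES_HOST = "services."

# ":prefix COMMAND params" -- prefix is optional (server-local messages).
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")
# prefix is "nick", "nick!user" or "nick!user@host"
PREFIX = re.compile(r"^(?P<nick>[^!@]+)(?:!(?P<user>[^@]+))?(?:@(?P<host>\S+))?$")


class Message(NamedTuple):
    nick: Optional[str]
    user: Optional[str]
    host: Optional[str]
    command: str
    params: str


def parse(line: str) -> Message:
    """Split one raw IRC line into prefix parts, command and parameters."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an IRC line: {line!r}")
    nick = user = host = None
    if m.group("prefix"):
        p = PREFIX.match(m.group("prefix"))
        if p:
            nick, user, host = p.group("nick"), p.group("user"), p.group("host")
    return Message(nick, user, host, m.group("command"), m.group("params") or "")


def is_genuine_nickserv(msg: Message) -> bool:
    """True only when the nick is NickServ AND the host is the services host.

    A hijacked nickname alone cannot pass this: the nick matches but the
    host is the impostor's real user@host, not the services pseudo-server."""
    return (msg.nick or "").lower() == "nickserv" and msg.host == EXPECTED_SERVICES_HOST


def should_identify(line: str) -> bool:
    """Would an auto-identify script be allowed to answer this line?"""
    msg = parse(line)
    return (
        msg.command == "NOTICE"
        and is_genuine_nickserv(msg)
        and "identify" in msg.params.lower()
    )


# Constructed sample traffic: one real prompt, one from a user calling
# themselves NickServ, one with no prefix at all.
GENUINE = ":NickServ!NickServ@services. NOTICE me :This nickname is registered. Please identify."
IMPOSTOR = ":NickServ!joe@dialup.example.net NOTICE me :This nickname is registered. Please identify."
NO_PREFIX = "NOTICE me :This nickname is registered. Please identify."

if __name__ == "__main__":
    for label, line in (("genuine", GENUINE), ("impostor", IMPOSTOR), ("no prefix", NO_PREFIX)):
        print(f"{label:10s} -> identify: {should_identify(line)}")
```

The check refuses the impostor because its host is whatever the hijacker connected from, not the services pseudo-server. It is a client-side mitigation only: a compromised server that can forge prefixes, or a user who is shown a different host because of server hiding, would still need the server-side protection (the Q-lines and C/N lines discussed elsewhere in this thread).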
Re:yeah well (Score:2)
Re:yeah well (Score:4, Interesting)
This is compounded by the fact that due to the way Hyperion's server-hide works, it is in theory impossible for normal users to know which server another client is using, so '/msg NickServ@services.' doesn't work either.
one problem... (Score:3, Insightful)
ircd's and security (Score:5, Insightful)
(having run a server network for better than 5 years).
Rule #1, the admin password is NEVER stored in nickserv.
anyone who does this deserves whatever it is they get!
its better to mod the conf file and do a command rehash
from the cli.
Re: (Score:2, Insightful)
Re:ircd's and security (Score:2)
Re:ircd's and security (Score:4, Insightful)
You know... (Score:2, Interesting)
Granted, that person/company is probably relying on the money from ads or what
Explaining the jargon... (Score:4, Funny)
Re:Explaining the jargon... (Score:5, Funny)
Re:Explaining the jargon... (Score:5, Funny)
Re:Explaining the jargon... (Score:5, Informative)
Re:Explaining the jargon... (Score:3, Funny)
Re:Explaining the jargon... (Score:3, Interesting)
Comment removed (Score:4, Funny)
Re:Explaining the jargon... (Score:5, Insightful)
Something I hate on Digg is how in each thread of discussion someone feels obliged to explain everything (and how lame stories like "a super set of icons", "learning to program", etc. are posted). And why that?
The cost of joining Digg is null. You join, you digg, you reply. That's how 14 years old are now ruling Digg (while it was originally populated with slashdotters and other tech-oriented websites readers). That's Digg so-called "democracy" (except, in democracy, one is supposed [only supposed] to be mature before voting, that's why there's a minimal age, which unfortunately cannot be implemented on Digg; something great would be "you can choose up to 20 domains of expertise, can change only one every two weeks or month, and you can vote only on stories regarding your level of expertise". Plus some incentive to only have one (1) account).
Joining Slashdot is free, but there's a cost when you join: you're eaten alive by grammar and spelling nazis if you don't post correctly, you're eaten alive by an "expert" if you say something technically wrong, you receive negative mod points and get ignored, etc. That's why there are so many accounts and so few posters. And that's how Slashdot has been able to remain readable. I was no newbie when I first started reading Slashdot, but not being a newbie I already knew that you have to understand the subculture and the community first before participating (the same goes for IRC). So I actually registered and became a slashdotter myself years later. Most Diggers are newbies. That's why Digg is good for fresh news and lame for comments, while Slashdot is good for comments (but lame for fresh news). Because we're smarter-than-thou elitists.
Re:Explaining the jargon... (Score:2)
Very well spoken, bro.
spam (Score:5, Funny)
Oh noes! Got my password?! (Score:2)
So Levin is just another "peer"? (Score:4, Funny)
But some "peers" are more "peer" than others, like Mr. Levin.
Welcome to Animal Farm.
Re:So Levin is just another "peer"? (Score:4, Insightful)
Re:So Levin is just another "peer"? (Score:3, Interesting)
When I was running Xiph.Org [xiph.org], both lil
Re:So Levin is just another "peer"? (Score:2)
OMG. Freenode sends server notices a couple times a day during fundraising season. Gasp.
Your calm, reflective tone reassures me of your cool and level-headed rationality.
Re:Watch as the Linux community eats it's own youn (Score:3)
But I Thought Information WANTED to Be Free? (Score:5, Funny)
I say we strip the DRM from all passwords! Down With Evil Password IP!!
Who's with me?
OK, compromise: Everytime we use your password, we promise to give you credit and link to your blog. Deal?
Face it, until people start making passwords available for a fair price in all nations everywhere, this kind of piracy will be rampant...
The IRCD could have helped with some of that... (Score:5, Insightful)
On the other hand, I understand what it's like to have compromised servers on the IRC network. I wish them the best in their efforts to get things working smoothly again. Tracking down the culprits can be exceedingly hard and time intensive, and reloading rooted servers is never fun.
Re:The IRCD could have helped with some of that... (Score:3, Informative)
*serv nicknames are generally reserved through Qlines. Qlines can be used to restrict all kinds of pattern-matched nicknames, however they still allow opers to use them - this is quite intentional. If the compromised server allowed people to set up opers, it would have been trivial to oper up, remove the real services from the network, and change your nickname to *serv.
I'm not sure how many networks have picked u
Re:The IRCD could have helped with some of that... (Score:3, Informative)
Re:The IRCD could have helped with some of that... (Score:3, Informative)
Re:The IRCD could have helped with some of that... (Score:2, Informative)
I was there. (Score:5, Interesting)
Mass throttling.
Mass glining and killing.
Mass notices of DCC SEND.
GNAA denying fault.
Bantown claiming fault.
The hilarity of not being auto-removed from #wikipedia thanks to a lack of ChanServ.
Having up to 20 variations of one person's name.
Lilo being killed off with a hilarious message.
And the topic wars...
Good times.
from the hope-your-password-wasn't-important dept? (Score:2, Funny)
The much more stoid moment that will be used to summarize the gravity of the matter came when our beloved lilo was taken down:
* lilo has quit (Killed by ratbert (die ))
Let's all have a moment's silence.
Woah! If someone did manage to gather people's NickServ passwords, it could mean major trouble, for the victims themselves and possibly for FreeNode as well.
Woah! I fear a deluge of angst-ridden blogs are about to swamp cyberspace.
/me runs a
What questions? (Score:5, Funny)
I don't think that there have been any questions about the security of anything involving IRC for a long time. Everyone with half a brain knows that IRC is a cesspool of hackers, phreakers, crackers, and script-kiddies just looking to stir up shit.
Re:What questions? (Score:4, Informative)
I only used mIRC briefly in my IRC career. It had little to no built-in protection at the time and I went back to AmIRC (Amiga.) Using WildIRC and Kuang11, AmIRC could not be beat. Later scripts for mIRC became much more solid and advanced, and I am sure the program is much better today?
Brings back some memories, actually. Back around 1997 we used to use a simple ICMP ECHO (ping) packet with a payload of "+++ATH0". Anyone with a modem which did not follow the Hayes specification for the escape sequence (+++ followed by two seconds of "silence") would immediately hang up as the TCP/IP stack sent an ICMP ECHO RESPONSE with the same payload. Was great fun for two or three times.
I'm with the 'who cares' camp (Score:2, Interesting)
Nothing new here, move along... (Score:3, Insightful)
Not Sure (Score:3, Interesting)
It might be a bigger problem if this happened here on Slashdot (someone gathering email addresses or similar would have a decent mailing list to sell - with a fairly specific target audience... but then I use a public mail address here anyway so it might actually improve the quality of spam I get...) and it would be a catastrophe if it had been a finance-related system or similar.
On the other hand it sounds from the summary and the blog that's linked that the break of a single username / password combo from remote was the root cause of this breach. If I am accurate in my understanding and that is really the case then we need to take a long hard look at how we can change that. You should not be able to compromise a system from remote with a single set of credentials regardless of how non-sensitive (insensitive?) the system is.
But then I'd like to see more details about what happened, when it happened (if it really happened?) what was exposed (or could have been exposed) during the attack before I take too hard a line either way.
Re:Not Sure (Score:2)
Nickserv passwords. (Score:4, Insightful)
It says "the passwords of many users may have been compromised by someone posing as NickServ".
This doesn't mean that someone found a plaintext list of all the passwords. If you want to find out if there even is one, then download the source code for hyperion and look for yourself.
What it does suggest is that someone /nick'ed to NickServ and consequently could see all the passwords of people joining when they were /msg'ed.
Use a different password on every site! (Score:3, Informative)
Use something like http://www.hashapass.com/ [hashapass.com] to generate your passwords instead, and you only have to remember one thing, but your password is different on every site.
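As an added illustration of the per-site password idea above (example code, not hashapass's own implementation), the block below derives a site password from a single master secret with HMAC, so that a password captured by a fake NickServ reveals nothing about the master or about the passwords used elsewhere. As I understand hashapass's scheme it is HMAC-SHA1 over the site name, base64-encoded and truncated to 8 characters; treat that as an assumption, along with the `normalize_site` helper and the rotation counter, which are additions of mine.

```python
"""Derive a distinct password per site/network from one master secret.

Added example; it mirrors the HMAC-based scheme hashapass is assumed to use
(HMAC-SHA1, base64, first 8 characters) but is not hashapass's code. The
site-name normalization and rotation counter are this example's additions."""
import base64
import hashlib
import hmac
import re


def normalize_site(site: str) -> str:
    """Canonicalize a site label so 'IRC.freenode.net', 'irc.freenode.net/'
    and 'irc://irc.freenode.net' all derive the same password."""
    s = site.strip().lower()
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s)   # drop scheme
    s = s.split("/", 1)[0]                        # drop path
    return s


def derive_site_password(master: str, site: str, rotation: int = 0, length: int = 8) -> str:
    """HMAC(master, site[:rotation]) -> base64 -> first `length` chars.

    rotation > 0 changes the derived value without changing the master, so a
    single leaked site password can be replaced by bumping the counter."""
    param = normalize_site(site)
    if rotation:
        param = f"{param}:{rotation}"
    digest = hmac.new(master.encode("utf-8"), param.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def derive_all(master: str, sites: list[str]) -> dict[str, str]:
    """Convenience: one password per normalized site, no two alike by design."""
    return {normalize_site(s): derive_site_password(master, s) for s in sites}


# Constructed inputs for demonstration only.
DEMO_MASTER = "correct horse battery staple"
DEMO_SITES = ["irc.freenode.net", "slashdot.org", "irc://IRC.freenode.net/"]

if __name__ == "__main__":
    for site, pw in derive_all(DEMO_MASTER, DEMO_SITES).items():
        print(f"{site:20s} {pw}")
    print("after rotation:", derive_site_password(DEMO_MASTER, "irc.freenode.net", rotation=1))
```

Because the master only ever enters an HMAC as the key, whoever captures the freenode value cannot invert it to recover the master or compute the Slashdot value; the cost of a captured NickServ password is confined to that one network, and bumping the rotation counter retires it.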
Trust No One (Score:4, Interesting)
A truly secure system should have no trusted components. A client's faith should never be placed in anyone except themselves, and even then, only reluctantly. Freenode had a trusted component; namely, Robert Levin's privileges. This should never have been present in the system and was simply a disaster waiting to happen.
If you really want security you've got to accept three things. Trust No One. The Enemy Knows the System. The System Can Be Broken. If you think otherwise, you haven't got security, you've just got a fancy codec.
Re:Trust No One (Score:2)
My web server has a trusted component too, it's my root login. Obviously this should never have been present in the system and is simply a disaster waiting to happen. Only one problem: If I remove it, how am I supposed to administer my computer?
I mean, SOMEBODY needs to have the permissions to administer the darned network, or the network isn't g
clear text passwords? (Score:3, Interesting)
Re:clear text passwords? (Score:3, Informative)
Well, if you'd read the fine summary (maybe if you'd UNDERSTOOD the fine summary, I guess you read it) you'd know that it does not store the passwords in the clear but that someone logged on to impersonate the authentication service, which receives passwords sent in the clear. But there's really not too much you can do about that, even when you have a secure connection. It's like someone who replaces the CGI script on your log-in page to capture everyone's <input type="password"> s
WTF (Score:4, Insightful)
Re:WTF (Score:3, Insightful)
There's no hypocrisy here. People are using the same standards of stupid security on Win32 as they are on Freenode. You're an idiot looking to score apologist points.
Dalnet NickServ (Score:2)
Also, back in the day, on Dalnet one could use
I'm not certain if this is done on Freenode, but it helped prevent passwords from being hijacked via situations like this or a simple typo.
Uh oh. (Score:5, Funny)
My thoughts.. (Score:4, Insightful)
Re:My thoughts.. (Score:5, Informative)
You obviously have no idea how freenode's infrastructure is managed -- the infrastructure isn't a land of ZOMG I BOUGHT SHELLZ FROM SHELLFX.NET garbage. Most of these servers exist solely to host freenode, do not use ssh passwords (instead private keys are used), and do not use the same passwords as lilo's o:line password.
The fact is that they rooted servers close to freenode servers (i.e., on the same switch); then used ettercap to sniff o:line passwords. This was exacerbated by the fact that o:lines are (NOT masked *@*, but masked ?=levin@*), so basically all that had to be done was use the username levin, and boom you're opered up.
That is what the issue is, the o:lines are insecure masked. Nothing more.
HOWEVER, since they were sniffing, it is possible that they may have lifted services passwords as well -- people should probably change them. Then again, how do you know that they still aren't sniffing. Quite simply, nobody except the people behind this know.
Also, the group freenode is dealing with is known as Bantown, which has a reputation of causing whatever hell they wish wherever they feel like doing so. So no, none of what you said is truly relevant, as this group is a tad more unpleasant than the GNAA is. In fact the GNAA is a bunch of nice guys in comparison to Bantown.
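The comment above pins the problem on o:lines whose host part is a bare `*`, so that knowing the username is enough to match. The block below is an added example (not freenode's or Hyperion's code) of an auditor for that configuration weakness: it matches a `user@host` against an IRC-style mask, shows that the page's `?=levin@*` matches from any host while a host-pinned mask does not, and flags every o:line whose host part is wildcard-only. The sample o:lines, the ident strings and the IP addresses are constructed; the `?` prefix is treated as a one-character wildcard, which is an assumption.

```python
"""Audit IRC operator (o:line) user@host masks for host parts that accept
any host. Added example, not taken from Hyperion or freenode's config.

Sample masks, idents and addresses below are constructed for the demo."""
import re
from typing import List, Tuple


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate an IRC mask ('*' = any run, '?' = any single char) to a regex.
    Matching is case-insensitive, as nick/host comparisons usually are."""
    out = []
    for ch in mask:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def oline_matches(mask: str, user: str, host: str) -> bool:
    """Would a connection presenting `user@host` satisfy this o:line mask?"""
    return mask_to_regex(mask).match(f"{user}@{host}") is not None


def host_is_open(mask: str) -> bool:
    """True when the host part of the mask contains nothing but wildcards,
    i.e. the mask offers no host restriction at all."""
    _, _, host = mask.rpartition("@")
    return host == "" or set(host) <= {"*", "?"}


def audit_olines(olines: List[Tuple[str, str]]) -> List[str]:
    """Return the names of o:lines whose mask accepts any host.
    `olines` is a list of (oper name, user@host mask) pairs."""
    return [name for name, mask in olines if host_is_open(mask)]


# Constructed configuration: the page's weak pattern next to a pinned one.
SAMPLE_OLINES = [
    ("anyone", "*@*"),
    ("levin-open", "?=levin@*"),            # weak: host is '*'
    ("levin-pinned", "?=levin@203.0.113.5"),  # pinned to one (documentation) address
]

if __name__ == "__main__":
    # An attacker who only knows the username, coming from some other host.
    for name, mask in SAMPLE_OLINES:
        hit = oline_matches(mask, "n=levin", "198.51.100.77")
        print(f"{name:13s} {mask:24s} matches stranger: {hit}  open host: {host_is_open(mask)}")
    print("weak o:lines:", audit_olines(SAMPLE_OLINES))
```

The pinned mask still requires the password, so this is defence in depth rather than a fix on its own: a sniffed password plus a matching ident is useless from a host the mask does not name, and the audit gives an admin a quick list of which o:lines to tighten.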
Re:My thoughts.. (Score:3, Interesting)
challenge authentication (Score:4, Interesting)
messages from my freenode status window: (Score:3, Informative)
I swear it was him! (Score:3, Funny)
Unfortunately he's still at large.
Where's the Updates? (Score:3, Insightful)
Re:Puts MS hat on (Score:2, Funny)
Re:Good Riddance (Score:5, Informative)
I hope not, at least.
Re:Good Riddance (Score:2)
Re:Good Riddance (Score:2)
Re:Good Riddance (Score:3, Informative)
Hashes are proven deterrents to attacks that raise the cost of attacks much higher than their returns. Of course they have to be used correctly. That's how security works: you can't protect your house by taping a lock to the welcome mat.
Re:Good Riddance (Score:4, Insightful)
Mod parent up, grandparent down. (Score:2)
Re:Mod parent up, grandparent down. (Score:2)
Try getting a grip on the problem before shooting off your mouth about moderation demands. You might learn something.
Re:Good Riddance (Score:3, Interesting)
There might be a technical difference in the topology, but the insecure design is just as bad, if not worse.
Why should NickServ have access to the clear passwords? What happens if FreeNode switches to another auth service, especially if a result of a dispute? That system is really too insecure to trust at all.
Re:Good Riddance (Score:2)
Of course your technical comments are right on the spot, but there is something you don't mention, and that many people tend to forget with regards to nick/channelserv and similar services on IRC networks.
None of those services is intended to provide security, and more generally, IRC does not have any form o
Re:Good Riddance (Score:2)
That's why I said it was good that this crack was exposed publicly: now people know better than to trust it. Or at least know better than they did before.
Re:Good Riddance (Score:2, Informative)
Re: (Score:2)
Re:What kind of auth protocol? I'll tell you... (Score:3, Interesting)
That is of course not as secure as transmitting only a hash, which can help ensure the password doesn't get exposed. But it is a lot more secure than the nearly totally insecure IRC protocol we're talking about. And therefore a lot less vulnerable, th
Re:Good Riddance (Score:2)
Re:Good Riddance (Score:2)
So it's good that this thing went down in public, though it's bad that its loss damaged so many people. Rather than just get "fixed" secretly, without people revising their trust of it.
As I said. Which you would understand, if you weren't just yet another Anonymous idiot Coward.
the cracker /nick'd to "nickserv" (Score:3, Informative)
It goes to lilo (Score:5, Insightful)
This is what annoys me most about Lilo's "donation" pledges - he has set up a non-profit organisation with himself as the only paid employee, and receives thousands in donations yearly which all go to him. Oh, and "supplies", which of course are used by the only employee of the organisation. Yet he doesn't make this clear, at all. I believe most people genuinely think they are donating to the network, not the guy who sits there all day running it.
Let's also not forget his latest project, for us to all pay off his debt and buy him a new trailer to live in. Seriously, I'm not joking [spinhome.org].
Freenode really, really needs new leadership, fast. Something not controlled by one person, or even if it is, someone competent would be a nice change
Re:It goes to lilo (Score:4, Insightful)
And, do you think that Freenode would run as well as it does (today excepted) without some guy "who sits there all day running it"? Oh, people don't deserve money, but, yesyesyes buymoreservers/bandwidth? He's being paid for the service he provides. And so far, that's been a decent service.
Wow, he receives thousands in donations yearly. Literally *thousands*. Why, he could be... a Thousandaire! What a mogul.