Freenode Network Hijacked, Passwords Compromised?
tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."
Even if someone hijacked it, who could ever tell the difference?
Not my fake password I use for insecure places all over the internet! What ever will I do!
Ok, seriously, who here uses an important password on Freenode (or any IRC network) for NickServ? I certainly don't. Hell, my Slashdot password is more important than the one I use on IRC and the one I use here isn't even that secure...
I have no sympathy for someone that has an "at risk" password on IRC.
*Don't auto ident during connect
*Don't use multiple passwords
*Change password after someone got ahold of it
*Realise that it's just a goddamn nickname
perpetually dwelling in the -1 pits
I am more than familiar with ircd and security (having run a server network for better than 5 years).
Rule #1: the admin password is NEVER stored in NickServ. Anyone who does this deserves whatever it is they get!
It's better to modify the conf file and issue a rehash command from the CLI.
Understanding is much like a three-edged sword in this: there are always two sides and the truth.
There will probably be a wave of two major camps -- those who say "oh this is nothing! Look at what happens to closed-source leakages from banks, etc, ad nauseum!!1"; there will also be a wave of people who say "this is a major break and someone should be shot..." While I understand both camps' thoughts and opinions, I have a single comment: is there really an expectation (whether FOSS or Closed Source) that it should be secure?
Granted, that person/company is probably relying on the money from ads or what have you so he hopes that things are secure. Really, though, if you don't think the service is secure, go to another one or start your own!
FOSS = Free and Open Source Software, in case anyone was wondering...
o noes, If someone got a hold of lilo's password, they could start spamming the users with useless server-wide notices nobody cares about!!1!
--
Stay tuned for some shock and awe coming right up after this messages!
Now somebody else will be able to idle as sk8trgrl69!!!!11111one
You are quite a bit off base. The reason freenode was hijacked wasn't because it was Open Source. I hate it when useless drivel like this gets modded. Thank you and try trolling again on another article.
But some "peers" are more "peer" than others, like Mr. Levin.
Welcome to Animal Farm.
Seastead this.
D00d...?
I say we strip the DRM from all passwords! Down With Evil Password IP!!
Who's with me?
OK, compromise: Every time we use your password, we promise to give you credit and link to your blog. Deal?
Face it, until people start making passwords available for a fair price in all nations everywhere, this kind of piracy will be rampant...
As an admin on another IRC network, I'm actually quite surprised that the ircd would let someone take the nick nickserv... or at least, if it's permitted to happen, that there isn't some alternate authentication mechanism that guarantees it only goes to a legitimate recipient (i.e. /nickserv or /msg nickserv@services.ircnetwork.net or whatever). Fortunately, my password on there is intentionally weak.
On the other hand, I understand what it's like to have compromised servers on the IRC network. I wish them the best in their efforts to get things working smoothly again. Tracking down the culprits can be exceedingly hard and time intensive, and reloading rooted servers is never fun.
Since when does any administrator have actual access to anyone's password? I can see them having the ability to change their password to something else... but come on. Shouldn't / wouldn't these be encrypted and only accessible remotely?
Mass delinking.
Mass throttling.
Mass glining and killing.
Mass notices of DCC SEND.
GNAA denying fault.
Bantown claiming fault.
The hilarity of not being auto-removed from #wikipedia thanks to a lack of ChanServ.
Having up to 20 variations of one person's name.
Lilo being killed off with a hilarious message.
And the topic wars...
Good times.
The largest FOSS IRC network stores all its user passwords in plaintext, not a hash against which incoming passwords can be checked? Its superuser could look at any password they wanted?
It's a good thing that firetrap finally collapsed publicly. It should have happened much earlier, before its loss damaged so many people.
--
make install -not war
Nah, man. That's FLOSS*. * Free Libre Open Source Software
Most just isn't that important
The much more stoid moment that will be used to summarize the gravity of the matter came when our beloved lilo was taken down:
* lilo has quit (Killed by ratbert (die ))
Let's all have a moment's silence.
Woah! If someone did manage to gather people's NickServ passwords, it could mean major trouble, for the victims themselves and possibly for FreeNode as well.
Woah! I fear a deluge of angst-ridden blogs are about to swamp cyberspace.
"The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."
I don't think that there have been any questions about the security of anything involving IRC for a long time. Everyone with half a brain knows that IRC is a cesspool of hackers, phreakers, crackers, and script-kiddies just looking to stir up shit.
HAHAHAHA it is what a dork.
If you can pose as NickServ, some people will send you their password, thinking you're the real NickServ bot. The original identification command is to PM NickServ your password, assuming that NickServ is a nice bot that won't tell anyone. Now, if someone poses as our nice little bot...
-= ailaG =-
My freenode password only exists because of channels that strive to keep out spambots, and it's 'password'. If someone is lame enough that they have nothing better to do than impersonate me on freenode, that is in itself punishment for the crime... It might be fun to impersonate twkm and give icy answers to the entire western world's obscure C questions, but in order to do that one would have to know as much obscure C crap as twkm does...
I don't understand why there would be any greater implications from this event than any other. All kinds of organizations have been compromised; this is far from news, and just another example of why most security experts recommend a "multi-tiered" password scheme for users. A set of passwords, of varying importance...for the most critical things, a longer and stronger password, another middle-level password to use at other sites of lesser importance (like webmail) and a throwaway password for things that don't matter to you so much. Best of all, use unique passwords for the high-importance site, if you use something like Password Safe for Windows, KeePass for Linux, or Keyring for PalmOS to keep track of them securely.
For your security, this post has been encrypted with ROT-13, twice.
Seriously, the only thing differentiating lilo from any other freelode luser is that he spams "DONATE NOW" notices every half hour. Maybe he should get a real job and then he'll be able to afford all that pizza.
-- because the parent seems to have at least RTFS, unlike the grandparent.
The World Wide Web is dying. Soon, we shall have only the Internet.
I am not really bothered at the prospect of my freenode nick or password being available to someone else. Mainly as its hardly going to do any lasting damage to me other than potentially being a little annoying. The only problem I see is that someone could theoretically impersonate me and make me look like a bit of a git, but that should be easily remedied over a short amount of time. Plus unless these username / password combinations are posted publicly and no one changes their passwords its unlikely to happen given the number of users... Oh and anyone using an important password with their freenode account probably needs a wakeup call anyway
It might be a bigger problem if this happened here on Slashdot (someone gathering email addresses or similar would have a decent mailing list to sell, with a fairly specific target audience... but then I use a public mail address here anyway so it might actually improve the quality of spam I get...) and it would be a catastrophe if it had been a finance-related system or similar.
On the other hand, it sounds from the summary and the blog that's linked that the break of a single username / password combo from remote was the root cause of this breach. If I am accurate in my understanding and that is really the case, then we need to take a long hard look at how we can change that. You should not be able to compromise a system from remote with a single set of credentials, regardless of how non-sensitive (insensitive?) the system is.
But then I'd like to see more details about what happened, when it happened (if it really happened?) what was exposed (or could have been exposed) during the attack before I take too hard a line either way.
It says "the passwords of many users may have been compromised by someone posing as NickServ".
This doesn't mean that someone found a plaintext list of all the passwords. If you want to find out if there even is one, then download the source code for hyperion and look for yourself.
What it does suggest is that someone /nick'ed to NickServ and consequently could see all the passwords of people joining when they were /msg'ed.
Nobody should be using the same password on ANY two sites. You have no control over what the remote side is doing with your password.
Use something like http://www.hashapass.com/ to generate your passwords instead, and you only have to remember one thing, but your password is different on every site.
That's what you get with open source software - anyone can easily exploit it. Come on kids! Use software that wasn't done by a pimple-faced basement dweller.
Parent reminded me of a specific scene from That 70's Show, if anyone used to watch that (yea, it's crap now):
[some executive announces the start of a Q&A round]
"Just so we're clear, the 'Q' stands for Questions and the 'A' for Answers."
I'm Rocco. I'm the +5 Funny man.
"A trusted component is one which can break the security policy."
A truly secure system should have no trusted components. A client's faith should never be placed in anyone except themselves, and even then, only reluctantly. Freenode had a trusted component; namely, Robert Levin's privileges. This should never have been present in the system and was simply a disaster waiting to happen.
If you really want security you've got to accept three things. Trust No One. The Enemy Knows the System. The System Can Be Broken. If you think otherwise, you haven't got security, you've just got a fancy codec.
May the Maths Be with you!
I'm not a big browser of IRCs, but do we honestly still use clear-text passwords anywhere? I mean, unless IRC is such an old service that it can't make use of any of the dozen-some-odd technologies that have been standardized in the past 20 years... come on!!
-Michael
If this had happened to a Microsoft Server the comments would be off the wall about how this PROVES BEYOND DOUBT THAT WINDOWS REALLY SUCKS. (Bold characters intended to fool moderation drones). The hypocrisy on Slashdot is incredible.
Funny, but why did you change it? He'll just retrieve it by email.
IRC4Life!
/quote nickserv identify [passwd] or on most clients just /nickserv identify [passwd]
Also, back in the day, on Dalnet one could use
I'm not certain if this is done on Freenode, but it helped prevent passwords from being hijacked via situations like this or a simple typo.
Oh no! Someone stole my Freenode password! Now they can login and have no control over anything!
He didn't change it - he was going for a double +5 Funny :)
One can only hope that more incidents like this happen. It helps put the nails in IRCs coffin.
Use Jabber (XMPP) conference rooms instead. They are more secure and tie in with a modern personal messaging protocol. As an added bonus, we may soon have voice conference rooms once Google's Jingle (http://www.jabber.org/jeps/jep-0166.html/) XMPP extension is more complete and widely implemented.
[9:10pm] encro left the chat room. (Connection timed out)
[9:46pm] <samuraisam> back in the nam
[9:47pm] koan left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] Mike468_ left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] graphite left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] sdDistracted left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] wesley96 left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] imajes left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] khmer left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] feyth left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] SphinX left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] autoxr left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] CIA-3 left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] jruderman left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] xenon left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] Eridius left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] Mike left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] pat left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] omnivector__ left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] Rinoa left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] lisppaste left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] fdiv_bug left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] ScottM left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] |-- left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] bnovc left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] Parthos left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] prophile left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] janey left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] Minuo left the chat room. (clarke.freenode.net irc.freenode.net)
[9:47pm] vip left the chat room. (clarke.freenode.net irc.freenode.net)
[9:52pm] You left the chat by being disconnected from the server.
i believe the correct response to that is "HAHAHA DISREGARD THAT, I SUCK COCKS"
We used to have a store in the uk called C&A (Went belly up a few years ago) used to be a great joke about blondes always buying their knickers there as they had the instructions written on them.
For those who are a bit slow in social situation/or are humour impared the C goes at the front the A at the back
HTTP. Like the kind you use it to log into Slashdot, you know.
Sure, yes, you can tunnel that through SSL. You can IRC through SSL too. The server still gets the plaintext password on the other end.
The World Wide Web is dying. Soon, we shall have only the Internet.
lilo, hi, remember me?
What goes around, comes around.
AHAHAHAHA! That's okay, EFNet is used to taking other IRC networks' refugees. Welcome back all you little run-aways. I just love anarchy! This is why it's better to war over a nick than to have a NickServ.
This sig intentionally left blank.
I'm not sure what algorithm, but I have Anope set up to use MySQL; I'm looking at the anope_ns_core table right now and passwords are stored as a 128-bit hash.
This is the SECOND time in a month this has happened. Anyone know why? Freenode uses OPEN O:Lines, meaning they can be accessed from any user@host instead of using proper O:Lines specifying the users ident (which is useless since it can be changed) and their hostname (which is harder to spoof/use).
Also, during the whole thing lilo actually asked for donations. My question is, if their servers are donated, where does the money that is donated go to? They don't pay for bandwidth, servers, anything really. Curious really.
If NickServ used some kind of challenge authentication (it sends you a random challenge, and you hash the password with it), we wouldn't have these problems. Of course, this is IRC, and that might be somewhat difficult to implement.
a person has to eat
The money goes 100% to Lilo. *All* of their servers and hardware are donated. I believe they may pay for their web server, but even then, that's $99/month max?
:)
This is what annoys me most about Lilo's "donation" pledges - he has set up a non-profit organisation with himself as the only paid employee, and receives thousands in donations yearly which all go to him. Oh, and "supplies", which of course are used by the only employee of the organisation. Yet he doesn't make this clear, at all. I believe most people genuinely think they are donating to the network, not the guy who sits there all day running it.
Let's also not forget his latest project, for us to all pay off his debt and buy him a new trailer to live in. Seriously, I'm not joking.
Freenode really, really needs new leadership, fast. Something not controlled by one person, or even if it is, someone competent would be a nice change.
It's not "just a goddamn nickname". It's how people on IRC identify you as you. If someone impersonates you successfully and talks to the right people, or uses some bot in your channel, all kinds of damage could be done. Suppose they convince someone to manipulate an account that you hold somewhere, because after all, they know "you". This is why nickserv exists.
I think the Freenode community deserves to see a mention of this on freenode.net, and an explanation of the circumstances that led to it. I understand that compromises happen, but knowing how they happened will put a lot of people at ease, and the act of explaining it will make Freenode appear more professional, because they aren't trying to hide their mistakes.
In the middle of this, I would like to remind people that Freenode is an awesome service. It is a gigantic network, and a great facilitator of free software efforts.
ttuttle is a rankmaniac
...the insecure places are more than the secure ones. Come to think of it, if someone got my password for the insecure places, he could do almost anything posing as me :P
Send email from the afterlife! Write your e-will at Dead Man's Switch.
I can't think of what else that fat fuck is spending his cash on...certainly not a network security apprenticeship...
That's so awesome! You must have some pretty bad karma to start out modded -1. How did you get it so bad? I thought that was impossible? Trolling, obviously.. But you must have been trolling for _Serious_.
Each processor would proceed sequentially as if it had been better for them not to rise against Saul.
Do you 69 while on rollerskates?
Or are you an 69-year-old granny on rollerskates...69ing?
Picture please!
I am the nightmare of nightmares.
Unless things have changed recently, IRC serves two purposes:
It sounds like this is a clear-cut case of the latter.
Nothing to see here. It seems that CmdrTaco has been trolled. :( :(
The possibility of passwords having been compromised is just that, a possibility. It is speculation based on possible facts. Please don't take it as more than that, though if you went through the ordeal last night then you should probably change your password(s).
Having admin privileges exist in-band is asking for trouble really.
IRC servers should have out-of-band control.
We don't even have anyone with OPs in "our" freenode channel.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
http://uncyclopedia.org/wiki/Peer
Unfortunately he's still at large.
You know, I've been watching this conversation, and decided to stop here. I feel a little bit compelled to defend Rob.
First of all, cards on the table, I've known Rob on and off for a few years, and I've even donated to PDPC when times were apparently a little rough. Rob has been nothing but kind to me, and supportive of the work that people do on his server(s). If he made a habit of intentionally pissing people off, PDPC and Freenode wouldn't be where it is, really, when you think about it. Whether you like the guy or not, Freenode is a valuable resource.
Now, regardless of what trouble you might have had with him in the past, there's one important thing to keep in mind. Rob doesn't have to do what he does. And without PDPC, a lot of Linux projects would essentially be homeless. It might also benefit you to remember that you can't make everybody happy all the time. That's not to dismiss your gripe against him, of course, but it's useful to keep in mind nonetheless.
There's a remarkable quality among open source geeks to absolutely skewer people who spent years working on something for other people without expecting a dime. One day they're considered generous and altruistic, the next day they're ripped open because you and other people stopped getting your milk through the fence. Having been on both sides of that equation, it's just not cool.
Don't be one of those people.
- Jabber has a built-in authentication method instead of relying on bad, afterthought hacks like NickServ.
- Jabber has built in multiuser chat management without having to rely on afterthought hacks like ChanServ.
- Jabber can't netsplit.
So why is Freenode still stuck in the stone age on this? Better, more reliable IM software exists than IRC these days.
Help us build a better map!
Yeah, I noticed that it does the work on the client side. However, this behaviour could be changed at any time by the owner of the website, or anyone that could compromise the webserver, or carry out a man-in-the-middle attack. I think that the website is a neat idea but I'd never use it, and I wouldn't encourage anyone else to use it. If you're going to use something to manage your passwords, it should be fully controlled by yourself. What's wrong with running a hash program on your own machine?
Freenode wasn't hijacked, Jmax of gnaa just squit the network.
Everyone in #lisp was polite.
--- Hot Shot City is particularly good.
I'm changing my password now.
that's because IRC is not Instant Messaging software. IM is a scourge on the face of the net and I wish people had managed to kill it back in its infancy when Mirabilis brought AOL's IM to the rest of the internet (as ICQ). *shudder* There were already enough ways for people to annoy me as it was, without:
.... and nary a sign of what the hell was so god damn important from these freaking IM co-dependants. Do they even THINK to leave a message, when I'm clearly marked as "away" ? no. and if it were just one or two people, yeah they would have been easily ignored, but I seemed to be a magnet for them.
Dude?
YOu there?
Hello?
HEY I'm TALKING to you!!!!
Helllooooooooooooooo1!!11!1
wtf??!
IM hit my bit bucket shortly thereafter.
Seriously though, is it not the problem that so many FOSS projects rely on FN, a network that relies on a single point of failure to survive?
Tim Brown
Freenet isn't Freenode.
Please, for the good of Humanity, vote Obama.
huh? I don't get it.
The biggest problem with Jabber is that there's no really good console client for it like irssi is for IRC.
Please, for the good of Humanity, vote Obama.
I have also known Rob on and off over the years, and I have *also* donated money. While I understand your interest in keeping the conversation civil, I wanted you to know that I have also been a vocal and financial supporter of Freenode.
You can just die, right here, right now. Pull your head outta your ass, IRC is plenty secure (as long as it is deployed intelligently). Services rock, they aren't 'afterthought hacks'. Anope services includes all the options you need; hell, the ircd itself, without any services, has everything you need! And how can Jabber not netsplit? Anything connected can split. And if Jabber cannot link, it's a piece of shit that's unscalable. And if it doesn't split, it dies. Boom goes the whole thing. Good point, asswipe.
And this makes it ok why? " Awww shucks he was just a kid " doesn't make it any less wrong. The kid should rot in jail. Age does not justify criminal behavior.
.. Until you build your own CPU out of discrete logic , you haven't built your *own* computer You just assembled someone else's.
And OT, on your sig: What do you define as 'build it yourself'? From someone your age I picture you buying a MB and some cards, 'look mom, I did it myself'.
---- Booth was a patriot ----
Dude, if you think slashie comments are worth reading, I have a great job for you. I know this publisher, see, and he has this slush pile...
(yeah, I'm "reading" the comments on this article. First time in weeks as best I can recall, and frankly, so far I haven't seen one single thing that's worth half the time it's taking me to explain this to you. Mind you, I remember back when the slash wasn't 99% twits, but those days are long gone, and besides, the wench is dead...)
You inflict that problem on yourself. Write one.
Help us build a better map!
Rest of comment discarded until paulmer2003 can grow a brain.
Help us build a better map!
Does that make me a bad person?
If you mod me down, I shall become more powerful than you could possibly imagine.
Not a troll, but the culprits were bantown.
They prolly did some social engineering on lilo or one of his fellow staff members. AGAIN.
Like the incident a while back when grog from the GNAA tricked him.
That is kinda scary though, that freenode has fallen into GNAA/Bantown traps several times.
Seriously, should we be trusting them with projects and chats if they can't even tell when someone is playing them like a card to get their info?
Sorry, I had to be pedantic. Old Fred was far more forgiving.
Rest of comment discarded until paulmer2003 can grow a brain.
Good retort. Now we know you are just a sycophant, not someone interested in technical merit.
But get the supremo versio and you get ALL your food groups all in one easy to eat meal.
On smaller networks, you see a lot fewer of those types. When you have a lot of people somewhere(tens to hundreds of thousands on Freenode) a lot of them tend to be bad.
Please, for the good of Humanity, vote Obama.
I'm interested in technical merit, but no such debate can start off with "Fuck this guy," as paulmer2003 essentially started with. If you're going to call someone a sycophant, it's paulmer. That being said, if he's interested in reassessing his statement and removing any and all ad hominem attacks, I would be happy to listen.
Help us build a better map!
Yeah, I have to step up here and speak my mind about Freenode and Levin. I too have used Freenode for years, and as a signal of my appreciation for the service... have donated as well. The funny thing is the voluntary donations are just that. Purely voluntary.
We have a small, but civil channel on Freenode, and have had to ban/kick him many times. We don't allow cussing, etc, and have the rules of conduct clearly stated, but he could never come to terms with them in any sense.
In a lot of ways he acts like a troll. He is clearly masking his own personal ambitions and prejudices against the PDPC under the guise of freeing freenode... whatever. All I can say is this: if McFarland's actions in #space in the past are any indication of his character, and I believe they are... then be prepared for more childish hijinks from him.
He won't learn, never will, and hates anyone that does not abide his bad behavior.
The first 4 or 5 times we had to ban him, we thought he might learn something. Turns out that was overly optimistic. The open source community should not eat its own..
That just ain't right
An excerpt from the largely uneventful briefing session on #freenode-moderated tonight about said incident (brackets are mine, intended for illumination):
/server -m irc.vaccus.com -j #chat Attacks will continue if you don't join. /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join. !startkeygen :/
HedgeMage: We believe that 25 nickserv passwords were compromised during a limited window, but all concerned individuals are encouraged to change their nickserv passwords just in case.
HedgeMage: thanks, Astinus
HedgeMage: We'll open up the floor for questions, one at a time, in a moment. Please keep your question concise, and type it ahead of time so we can move as quickly as is practical.
[several questions, answers, and no-comments]
HedgeMage: Since most of these seem to be repeats, we're going to close for now. I'd like to reiterate that we encourage all concerned users to change passwords
[...]
Astinus: This room will go -m shortly, so ya'll can chat before we have another session.
HedgeMage: try not to get blood on the carpet
Astinus: Or we'll send in the cleaners, with pointy brooms
Astinus has removed operator privileges to HedgeMage
Astinus has de-activated the following mode : Moderated
nunsoup: DCC SEND "startkeylogger" 0 0 0
QuantumBeep: (o__o)
J: BACON
b33fc0d3: O.o
bureado hugs channel
enderst: heh
Naconkantari: ceiling cat is watching you.
WeblionX: First blood!
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
rooly: spam
rooly: spam
rooly: spam
rooly: spam
rooly: spam
jeebusmobile: wewt
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
Eidolos: omg deluge
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
DosBubba: 'Grats out to the GNAA for their newly acquired property, irc.vaccus.com #chat .
DosBubba: I would like to thank Freenode for taking the time to gather the whole of IRC, it has been our pleasure to take part in such a trolling opportunity.
DosBubba: Remember:
DosBubba: IRC was founded on the principles of trolling, and we thank Freenode from the bottom of our hearts for carrying the fine tradition into the 21st century - hopefully beyond.
bitplane: wooo
lilo has activated the following mode : Moderated
lilo has activated the following mode : Invite Only
lilo: got to love that
HedgeMage: so much for that.
Astinus: some people need to grow up
[and then the channel fell silent again]
I have better things to do with my time. If you do not wish to read my post, that's your biz - I couldn't give a shit less. Have a good one, ~paulmer
Do what I do. Use irssi.
http://www.bitlbee.org/
After reading this, why does this story remind me of this -> http://video.google.com/videoplay?docid=6880888700625496919
This could have easily been prevented if IRC wasn't being pushed to be what it isn't (namely secure and scalable).
IRC is way more scalable than Jabber, actually. That's one of the primary reasons for *not* switching.
StoneCypher is Full of BS
See? Now I'm happy I stopped using freenode. Back then the problem was that it was just consuming too much of my time. However, now after FreeNode's huge failure to protect its users, I actually have a VERY good reason to just stay away from it. By the way, I wonder where ##otw is going to be at now.. :P
o hai
o rly? Since when? Last I checked you didn't have to go through some absurd peering arrangement to get Jabber servers to peer. Jabber is at least as scalable as SMTP, which is far more scalable than IRC could ever dream to be.
Help us build a better map!
What the hell is a "news" page for on http://www.freenode.net/ if you're not going to put, "WARNING: Do not identify with a password on IRC right now!!" on the page. The last news posted is from early May!
I'm not sure what IRCd Freenode is using but most networks have what you call q-lined nicknames setup on the servers. NickServ would of course be one of those qlined nicknames. You can't use it unless you are a client connected from a services server, it doesn't allow incoming client connections, only pseudo clients from the services daemon itself. I'm guessing the NickServ hack was made by tricking the other servers thinking it was linking the services daemon.
I used bitlbee a while ago but it didn't work on Jabber.
Please, for the good of Humanity, vote Obama.
fuggahs done this? 'fess up! ...
There are several faults of freenode:
- First of all, the authentication mechanism freenode employs is not written down in any IRC protocol. It is freenode's decision to use this authentication mechanism. As proof that this can be done in a much more secure way on IRC, just look for example at QuakeNet. They are using a challenge authentication mechanism to authenticate users, yet they are still fully IRC compliant.
- The second fault of freenode is the ability for IRC Operators to take the nickname of services bots without having access to the server computer. Other networks disallow the use of common IRC service nicks for everyone, without the possibility to override.
- Thirdly and fourthly, freenode supports authentication via the IRC PASS command as well as via the proprietary IRC NS or NICKSERV command extensions, in addition to the PRIVMSG NickServ authentication mechanism.
Such extensions are usually supposed to be more secure than just a PRIVMSG, since the software can easily make sure that such commands are ONLY forwarded to services.
- Fifthly and lastly, using a hostmask of *@* in the IRC Operator line is just foolish. It serves the network head right to have been taught a lesson, but it is unfortunate that he put his users and their credentials in danger.
As such, it can very well be said that the whole situation is at the sole fault of freenode alone, and the IRC protocol - be it flawed all the way - cannot be blamed for this. Thus, using a weak authentication mechanism that can be easily sniffed is a fault of freenode.
Had freenode not been using insecure server software, this security breach could have been avoided as well.
However, freenode server software will happily forward the passwords introduced via these alternate authentication commands to whichever person (service or IRC Operator) is currently carrying the correct nick.
Freenode fails to send messages to NickServ to NickServ@services.server, as well as promote this possibility (or even enforce it) like other networks do (example: Undernet, one of the largest networks).
Not only do they fail to promote this more secure alternative, but it is actually a broken server implementation that makes it impossible for them to use this additional security feature which would make sure that passwords end up only on the services servers.
Such a situation could also be avoided by using stricter and more secure IRC server software, but most of all this could have been avoided simply by some more cautiousness on the Network Administrator's side. Not using a blank wildcard in your IRC Operator line is like the first bold warning found in every Beginner IRC Admin tutorial.
On a sidenote, I am amazed that despite the IRC question time there still is no official announcement about this on their website.
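The challenge-response identification this post and the earlier NickServ comment call for, as an added Python illustration (not Freenode's, QuakeNet's or any ircd's code; the `Services` class and helper names are hypothetical and the nick and password are constructed). It contrasts what an impostor holding the NickServ nick receives under plain `IDENTIFY <password>` with what it receives under challenge-response, and shows why a captured response cannot be replayed to the real services.

```python
import hashlib
import hmac
import secrets


def derive_key(nick: str, password: str) -> bytes:
    """Verifier kept by services (hypothetical scheme). The password itself is
    never stored, so an operator reading the database sees only this value."""
    return hashlib.sha256(f"{nick.lower()}:{password}".encode()).digest()


def respond(nick: str, password: str, nonce: str) -> str:
    """Client side: prove knowledge of the password without transmitting it."""
    key = derive_key(nick, password)
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


class Services:
    """Minimal NickServ-like verifier (constructed for illustration)."""

    def __init__(self):
        self.accounts = {}   # nick -> stored verifier (bytes)
        self.pending = {}    # nick -> outstanding nonce (str)

    def register(self, nick: str, password: str) -> None:
        self.accounts[nick] = derive_key(nick, password)

    def challenge(self, nick: str) -> str:
        # Fresh random nonce per attempt, so an old response is useless later.
        nonce = secrets.token_hex(16)
        self.pending[nick] = nonce
        return nonce

    def verify(self, nick: str, response: str) -> bool:
        nonce = self.pending.pop(nick, None)  # single use: consumed here
        key = self.accounts.get(nick)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def identify(services: Services, nick: str, password: str) -> bool:
    """Honest exchange: services sends a nonce, client answers, services checks."""
    nonce = services.challenge(nick)
    return services.verify(nick, respond(nick, password, nonce))


def plaintext_identify_seen_by_impostor(password: str) -> str:
    """The situation the thread describes: with '/msg NickServ IDENTIFY <password>'
    whoever currently holds the NickServ nick receives the password verbatim."""
    return f"IDENTIFY {password}"


def challenge_identify_seen_by_impostor(services: Services, nick: str, password: str):
    """Same impostor under challenge-response: it can only issue its own nonce and
    collect the HMAC over it. Returns (captured_response, replay_accepted)."""
    captured = respond(nick, password, secrets.token_hex(16))
    services.challenge(nick)            # the real services issues a *new* nonce
    replay_accepted = services.verify(nick, captured)
    return captured, replay_accepted


if __name__ == "__main__":
    svc = Services()
    svc.register("alice", "correct horse battery")   # constructed sample account
    print("honest login accepted:", identify(svc, "alice", "correct horse battery"))
    print("impostor sees (plain IDENTIFY):",
          plaintext_identify_seen_by_impostor("correct horse battery"))
    captured, ok = challenge_identify_seen_by_impostor(svc, "alice", "correct horse battery")
    print("impostor sees (challenge-response):", captured)
    print("replay of captured response accepted:", ok)
```

One caveat: in this simple HMAC scheme the stored verifier is itself enough to answer a challenge, so a leaked services database still allows impersonation; it protects the password in transit, not the database at rest.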