Slashdot Mirror

← Back to Stories (view on slashdot.org)

Freenode Network Hijacked, Passwords Compromised?

Posted by ryuzaki0 on from the hope-your-password-wasn't-important dept.

tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

4 of 414 comments (clear)

  1. Re:Good Riddance by SailorFrag · · Score: 4, Informative

    I was going to suggest something along those lines, but if you think about it... if the services database were compromised, even if there's hashing, then everyone's passwords might get out anyway. I don't think anything actually implied that they're stored plaintext.

    I hope not, at least.

  2. Re:yeah well by A.K.A_Magnet · · Score: 4, Informative
    *Don't auto ident during connect
    And if you auto-identify in your perform, do something like : /identify *pass* which is a server-side macro for "PRIVMSG NickServ@<services-fakeserver-hostname> :password".

    The IRC protocol allows to send messages to Nick@server (means "send a message to 'Nick' if and only if he's on 'server'"), so you can do the same with services. Then if the Nickserv nickname is hijacked, it won't matter, because the services "fake server" cannot be hijacked without knowledge of hub configuration (C/N lines) and if ever it happens, IRC admins/opers will notice (that's not something you can't miss).

    So either choose the macro (/identify) or the whole command. Or identify manually :)
  3. Re:Explaining the jargon... by EnsilZah · · Score: 5, Informative

    This really should have been moded informative, people need to work on their sense of meta-humour. =\

  4. Re:My thoughts.. by nenolod · · Score: 5, Informative

    Hi! I used to be freenode staff, and I figured I would comment on this.

    You obviously have no idea how freenode's infrastructure is managed -- the infrastucture isn't a land of ZOMG I BOUGHT SHELLZ FROM SHELLFX.NET garbage. Most of these servers exist solely to host freenode, do not use ssh passwords (instead private keys are used), and do not use the same passwords as lilo's o:line password.

    The fact is that they rooted servers close to freenode servers (i.e., on the same switch); then used ettercap to sniff o:line passwords. This was exacerbated by the fact that o:lines are (NOT masked *@*, but masked ?=levin@*), so basically all that had to be done was use the username levin, and boom you're opered up.

    That is what the issue is, the o:lines are insecure masked. Nothing more.

    HOWEVER, since they were sniffing, it is possible that they may have lifted services passwords as well -- people should probably change them. Then again, how do you know that they still aren't sniffing. Quite simply, nobody except the people behind this know.

    Also, the group freenode is dealing with is known as Bantown, which has a reputation of causing whatever hell they wish wherever they feel like doing so. So no, none of what you said is truly relevant, as this group is a tad more unpleasant than the GNAA is. Infact the GNAA is a bunch of nice guys in comparison to Bantown.