Slashdot Mirror


Freenode Network Hijacked, Passwords Compromised?

tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

6 of 414 comments

  1. I was there. by Avillia · · Score: 5, Interesting

    Mass delinking.
    Mass throttling.
    Mass glining and killing.
    Mass notices of DCC SEND.
    GNAA denying fault.
    Bantown claiming fault.
    The hilarity of not being auto-removed from #wikipedia thanks to a lack of ChanServ.
    Having up to 20 variations of one person's name.
    Lilo being killed off with a hilarious message.
    And the topic wars...

    Good times.

  2. Trust No One by ObsessiveMathsFreak · · Score: 3, Interesting

    "A trusted component is one which can break the security policy."

    A truly secure system should have no trusted components. A Client's faith should never be placed in anyone except themselves, and even then, only reluctantly. Freenode had a trusted component; namely, Robert Levin's privileges. This should never have been present in the system and was simply a disaster waiting to happen.

    If you really want security you've got to accept three things. Trust No One. The Enemy Knows the System. The System Can Be Broken. If you think otherwise, you haven't got security, you've just got a fancy codec.

    --
    May the Maths Be with you!

  3. Re:So Levin is just another "peer"? by Emmettfish · · Score: 3, Interesting

    Except that lilo *and* Diablo-D3 are both utterly and completely useless. Lilo 'runs' an IRC network that totally sucks, and Diablo-D3 hits people up for money for his 'game' that has never, ever seen the light of day. I've managed a game project before, and it died (though people recently have indicated interest in bringing it back), but you don't see me spamming for money for it. You would also never see me spamming for money for a project that produces nothing.

    When I was running Xiph.Org, both lilo and Diablo-D3 were spamming people for money. It's why Xiph (at least temporarily) left Freenode. Diablo-D3 waged a campaign against LinuxFund for their donations to Xiph which (did, and still does) create free and useful code for the community.

    Matter of fact, back when Freenode had 'Freenode Radio,' I had given them a ton of original music to use. They played it for a while, and then took it off the air 'under mutual agreement with the artist,' which was simply a lie -- My music is public domain. The folks that made this claim were eventually caught, fessed up and apologized for lying to me and people that listened to the station. They sucked at this, too; They played my music long after they claimed to 'take it off the air,' they were just too dumb to look at the ID tags of the files.

    Bob and Patrick are in the same boat. They're both useless, they're both stupid, they're both utterly ineffectual.

    Don't know what to tell you, really. I don't have time for IRC anymore, but if I did, I wouldn't truck with *either* of those cats. Freenode is a black hole of idiocy, and if you really want to dive into it, go ahead -- Just don't expect logic, reason or honesty to win out over egotistical mania and deception. This may be true of *all* IRC networks, but Freenode is the only one where I've seen this kind of shit go down time and time again.

    Freenode may be 'Animal Farm,' though without the Orwellian context. Lilo's just too damn stupid to play Napoleon. It's like a normal farm. Backward Farmer Bob Levin and his flock of sheep.

  4. challenge authentication by Spy der Mann · · Score: 3, Interesting

    If nickserv used some kind of challenge authentication (it sends you a random challenge, and you hash the password with it), we wouldn't have these problems. Of course, this is irc, and that might be somewhat difficult to implement.

  5. Re:yeah well by sbennett · · Score: 3, Interesting

    Unfortunately this won't work. The way Hyperion, Freenode's IRCD, is designed, server passwords not used as such get passed directly on to whoever happens to be using the nickname defined in the config as the 'identify service'. In Freenode's case, this just causes a PRIVMSG to be sent from your nick to NickServ, whichever server he happens to be using, with the identify command and password. It's no harder to hijack than a regular /msg. The same goes for the 'raw' nickserv commands, which are similarly translated to PRIVMSG.

    This is compounded by the fact that due to the way Hyperion's server-hide works, it is in theory impossible for normal users to know which server another client is using, so '/msg NickServ@services.' doesn't work either.
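    The two comments above describe a protocol and its failure mode, so here is an added example (Python, written for this page; it is not code from the thread, from Hyperion, or from Freenode's services). It models the routing that comment 5 describes: a PRIVMSG to "NickServ" goes to whoever holds that nick at the moment, which during a split can be an impostor. It then compares the plaintext IDENTIFY with a challenge-response scheme of the kind comment 4 proposes, where the service sends a random nonce and the client answers with an HMAC of the nonce keyed by the password. The command names CHALLENGE and RESPONSE, HMAC-SHA256 as the keyed hash, the nick "alice" and the password "hunter2" are all assumptions constructed for the example.

```python
"""Added example, not code from the thread, Hyperion or Freenode's services.

Toy model of NickServ identification. Nicks are one shared namespace, so a
PRIVMSG to "NickServ" reaches whoever holds that nick right now (comment 5).
Plaintext IDENTIFY is compared with a challenge-response login of the kind
comment 4 proposes. The commands CHALLENGE/RESPONSE, HMAC-SHA256 as the
keyed hash, the nick "alice" and the password are constructed assumptions.
"""
import hashlib
import hmac
import secrets


class Network:
    """Delivers each PRIVMSG to whoever currently holds the target nick."""

    def __init__(self):
        self.holders = {}

    def claim(self, nick, holder):
        self.holders[nick] = holder

    def privmsg(self, sender, target, text):
        holder = self.holders.get(target)
        return None if holder is None else holder.handle(sender, text)


def response_for(password, nonce):
    """Client side of the challenge: HMAC-SHA256 keyed by the password, hex encoded."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class RealNickServ:
    def __init__(self, registered):
        self.registered = dict(registered)  # nick -> password (toy; real services would hash)
        self.challenges = {}                # nick -> outstanding nonce, usable once
        self.identified = set()

    def handle(self, sender, text):
        parts = text.split(" ", 1)
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        stored = self.registered.get(sender, "")
        if cmd == "IDENTIFY":
            ok = hmac.compare_digest(stored.encode(), arg.encode())
        elif cmd == "CHALLENGE":
            nonce = secrets.token_hex(16)
            self.challenges[sender] = nonce
            return "CHALLENGE " + nonce
        elif cmd == "RESPONSE":
            nonce = self.challenges.pop(sender, None)  # one-shot: a stale answer never matches
            ok = nonce is not None and hmac.compare_digest(
                response_for(stored, nonce).encode(), arg.encode())
        else:
            return "Unknown command"
        if ok:
            self.identified.add(sender)
            return "You are now identified"
        return "Authentication failed"


class ImpostorNickServ:
    """Grabbed the nick NickServ while the real services were split off."""

    def __init__(self):
        self.captured = []

    def handle(self, sender, text):
        self.captured.append((sender, text))
        if text.upper() == "CHALLENGE":
            return "CHALLENGE " + secrets.token_hex(16)  # can hand out a nonce, cannot verify
        return "You are now identified"                 # lie so the victim notices nothing


def identify_plaintext(net, nick, password):
    # Hyperion's server-password path reduces to exactly this message (comment 5).
    return net.privmsg(nick, "NickServ", "IDENTIFY " + password)


def identify_challenge(net, nick, password):
    nonce = net.privmsg(nick, "NickServ", "CHALLENGE").split(" ", 1)[1]
    return net.privmsg(nick, "NickServ", "RESPONSE " + response_for(password, nonce))


def honest_login(use_challenge):
    """The real services hold the nick; both methods should succeed."""
    net, real = Network(), RealNickServ({"alice": "hunter2"})
    net.claim("NickServ", real)
    login = identify_challenge if use_challenge else identify_plaintext
    return login(net, "alice", "hunter2")


def split_scenario(use_challenge):
    """alice identifies while an impostor holds NickServ; afterwards the impostor
    replays everything it captured against the real services, posing as alice."""
    password = "hunter2"
    net, real, impostor = Network(), RealNickServ({"alice": password}), ImpostorNickServ()
    net.claim("NickServ", impostor)                 # during the split
    login = identify_challenge if use_challenge else identify_plaintext
    login(net, "alice", password)
    leaked = any(password in text for _, text in impostor.captured)
    net.claim("NickServ", real)                     # services rejoin and reclaim the nick
    for _, text in impostor.captured:
        net.privmsg("alice", "NickServ", text)
    return {"password_leaked": leaked, "replay_identified": "alice" in real.identified}


if __name__ == "__main__":
    print("plaintext:", split_scenario(False))   # password captured and replayable
    print("challenge:", split_scenario(True))    # nothing reusable captured
```

    With the plaintext flow the impostor reads the password straight out of the message and can reuse it once the real services are back; with the challenge flow it only holds an answer to a nonce it chose itself, which the real services never issued. Two caveats a practitioner would add: a captured HMAC response is still an offline guessing target if the password is weak, and an impostor who could reach the real services while holding the nick could relay a live challenge. The scheme raises the bar for the attack comment 5 describes; it does not verify who is actually answering to "NickServ".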

  6. Re:Bull by Lord Ender · · Score: 3, Interesting

    Well, in college, I did build a CPU (on paper) at the gate level. But my point is only that a person who is highly aware of every major component of his system is going to be able to wield it more effectively than a person who does not. Building (and selecting components) makes a person more aware of the machine's capabilities and more capable of fixing failures and bottlenecks.

    And I don't mean to say it is OK for a kid to do this. I was answering the question "why are you a jackass?" That's why. It's not malice.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.