Slashdot Mirror


Freenode Network Hijacked, Passwords Compromised?

tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

93 of 414 comments

  1. This is why I prefer the anarchy of efnet by Anonymous Coward · · Score: 5, Funny

    Even if someone hijacked it, who could ever tell the difference?

    1. Re:This is why I prefer the anarchy of efnet by kaden · · Score: 2, Funny

      We had great fun with nickserv down. I was Jimbo Wales (jwales) for a while!

    2. Re:This is why I prefer the anarchy of efnet by A+beautiful+mind · · Score: 3, Insightful

      I have one question.

      Why are you a jackass?

      --
      It takes a man to suffer ignorance and smile
      Be yourself no matter what they say
    3. Re:This is why I prefer the anarchy of efnet by mr_stinky_britches · · Score: 2, Informative

      EFnet now has chanfix...the days of lawlessness and channel raiding on EFnet are unfortunately things of the past :(

      --
      Censorship is obscene. Patriotism is bigotry. Faith is a vice. Slashdot 2.0 sucks.
    4. Re:This is why I prefer the anarchy of efnet by ronz0o · · Score: 4, Insightful

      And it is the type of people like YOU that piss me off. "All hackers write viruses break stuff omgwtf." Chill out. I have found many security flaws, and reported them to the proper authorities. (Fashion Bug...ie, Charming Enterprises) Making it public like this is wrong, but it should have been done on a 1 to 1 basis. People DO listen when things like this may be compromised...

    5. Re:This is why I prefer the anarchy of efnet by IamTheRealMike · · Score: 2, Insightful
      You have three days to post "I have been trolled by Bantown" on global notice.

      Or what? You'll attack FreeNode further?

      Wow. Big deal. A chat service populated by geeks mostly working on open source projects, some of which I bet you use. It ain't big, it ain't clever, and about the most serious effect it'll have will be to annoy some people who will use some other method to communicate for a while. At least until either FreeNode recovers or we all migrate somewhere else.

      Seriously. Of all the amazing things you could have done with your tick tick ticking time on this earth you choose to spend it kicking over sandcastles. Big waste. When the rest of us are 80 we'll look back on what we have achieved with life, the things we built, and we'll be proud. When you're 80 you'll look back on your life and think, man, that was so short! Why did I chuck my youth down the drain when I could have been getting shit done?

    6. Re:This is why I prefer the anarchy of efnet by IamTheRealMike · · Score: 5, Insightful

      In that case you are a hacker in the original sense of the word - a competent professional who Gets Things Done.

      The OP was complaining about "hackers" in the ZOMG HOLLYWOOD!! sense of the word, usually people who want the thrill of Beating The Man without actually having to do anything dangerous, like getting off their seats.

    7. Re:This is why I prefer the anarchy of efnet by ronz0o · · Score: 2, Insightful

      Damn straight. I will always "test security" and "reporting" when I find a flaw. And to the kids who enjoy destroying / defacing...I hope you are caught. =)

    8. Re:This is why I prefer the anarchy of efnet by AEton · · Score: 2, Informative

      I'm sure as a snarky comment poster on slashdot you are perfectly capable of auditing code for 0-day vulnerabilities and then writing exploits for said vulnerabilities. Then you'd be perfectly capable of using them to root a box on the same switch as a freenode server and using ARP spoofing to play man-in-the-middle to all incoming connections.

      The first step is fine. The second step might even be okay.

      The third step renders you essentially unemployable, should your employer find out.

      --
      We recently had heard in the office over one of the Yellow Machine that's made by Anthology Solutions.
    9. Re:This is why I prefer the anarchy of efnet by Anonymous Coward · · Score: 2, Interesting

      This is a dupe of "Immaturity Level Rising in Adults" http://science.slashdot.org/article.pl?sid=06/06/25/0456237.

    10. Re:This is why I prefer the anarchy of efnet by jonoid · · Score: 5, Funny

      So, you consider yourself a hacker but you have a LiveJournal?!

    11. Re:This is why I prefer the anarchy of efnet by KiloByte · · Score: 4, Insightful

      No, it's idiots from Hollywood stealing our word and our name for nothing but an attempt to squash yet another penny from Joe Sixpack and soccer moms.
      Bill's henchmen waging a rabid campaign against us don't help either.

      And remember: being a hacker doesn't mean you exploit security holes (for good or ill). It means that you employ a certain approach to programming/doing sysadmin tasks/solving physics problems/etc.

      Just because a majority of the mindless part of the society fails to understand a word, the word doesn't change its meaning.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    12. Re:This is why I prefer the anarchy of efnet by Lord+Ender · · Score: 5, Insightful

      Have you ever been 15? Everything is a game. Especially everything on the computer. 0wning this guy's chat server feels about the same as making a slam dunk right over a bigger defender's head, then joking about his mother. Just a game.

      At that age, kids have never had responsibility, and so are unable to feel empathy for those who they are harming.

      I was an ornery teenager once, too. I recall sending ATH0 pings, sending OOB packets, mounting unprotected file shares, and feeling a thrill every time I one-upped these older, smarter people. The internet was just a Nintendo game to me.

      This kid, like the others, is no more of a jackass than any other kid his age. He will just grow out of it with time, like everyone else.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    13. Re:This is why I prefer the anarchy of efnet by Anonymous Coward · · Score: 5, Insightful

      At that age, kids have never had responsibility, and so are unable to feel empathy for those who they are harming.

      Having responsibility and being able to feel empathy are two orthogonal things (there are plenty of people with lots of responsibility and little or no empathy). And the ability to feel empathy (and to act upon it to a certain degree) comes a lot earlier than the age of 15 for most people.

      This kid, like the others, is no more of a jackass than any other kid his age.

      What kind of silly overgeneralization is this? At 15, there were quite a few kids my age who weren't such assholes, and there were also some others who were. The latter were by far a minority in my case, although of course bullies always manage to get some following among the less strong-willed. I would at least never describe this sort of behaviour as "normal".

      He will just grow out of it with time, like everyone else.

      Probably, but not necessarily. Some people remain assholes all their life.

    14. Re:This is why I prefer the anarchy of efnet by Zarel · · Score: 2, Insightful
      Although I agree with the majority of your post, I don't agree with this sentence:
      Just because a majority of the mindless part of the society fails to understand a word, the word doesn't change its meaning.
      Words mean whatever people say they mean. It's the very definition of 'tautology'.
      --
      Want a high quality FOSS RTS game? Try Warzone 2100!
    15. Re:This is why I prefer the anarchy of efnet by shish · · Score: 4, Insightful
      No, it's "hackers" in the sense of the word that the vast majority of the world's population refers to it
      By that rule, the screen is "the computer", the big box to the side is "the hard drive", and the thing you stick CDs in is "the cup holder" :-/
      --
      I mod down anyone who says "I will be modded down for this", regardless of the rest of their comment
    16. Re:This is why I prefer the anarchy of efnet by pele_smk · · Score: 2, Funny

      You mean to tell me my password could have been compromised? Oh, boy; My IRC password was the "one". I need to change all of my passwords now, it's gonna be a long night at the server farm.

    17. Re:This is why I prefer the anarchy of efnet by SanityInAnarchy · · Score: 3, Insightful
      It's not "idiots from Hollywood" taking "our" name. It's the majority of the population using the word in a certain way.
      Just because a majority of the mindless part of the society fails to understand a word, the word doesn't change its meaning.
      In short, yes, it does.

      I agree. But, some parts of the language are always in flux: "LOL" becomes "roflmfao" or "zomg rofl", "elite hacker" becomes "leet hax0r" becomes "31337 h4x0rz", "Own" -> "0wn" -> "p0wn3d", "crap" -> "gay" -> "ghey", the list goes on. You know this stuff is always going to be in flux, because it's mostly people from the younger generation who use language alone to make them sound cool.


      In general, I acknowledge that both "convoluted cogitations" and "r0x0r your b0x0rs" are as correct as the English I'm using.


      But, there are a few evolutions (bastardizations) of English that bother me a lot. One is misuse of apostrophes. It's not that hard -- "it's" means "it is". If you can replace "it's" with "it is", use an apostrophe. If you can replace "its" with "your" and have the sentence still make sense, don't use an apostrophe.


      Another is the misuse of the word "hacker". Most of the time, when language evolves, the original meaning is not lost -- for instance, it's ok to use "shredder" to refer to a snowboarder, because most people won't be confused when you talk about the "shredder" that sits over a trash can and destroys documents. The problem is that while people haven't forgotten that "to hack" can also mean "to chop", people who know about the Hollywood Hacker will have completely forgotten about the MIT hacker and the Perl hacker. And we don't really have a better word for either of those.


      Really. Replacing the MIT hacker with the word "prankster" is akin to replacing the Perl hacker with the word "coder". It doesn't do justice -- hackers are fundamentally different than most "programmers" or "coders". Hackers are neither software engineers nor codemonkeys, though they may act as one for work.


      I don't think nearly as much is lost when you replace "hacked in" with "broke in", or "hacker" with "cracker".


      I don't often evangelize, as much as I love Mac/Linux. I realize that even if I'm 100% right and Windows is utter crap, nothing I say beyond explaining what Linux is (to those who don't know what an OS is) will make them switch. But the Hollywood Hacker is something I take personal offense at. I frequently call myself a hacker and clarify the term shortly after -- "What you call a 'hacker' is really a 'cracker'. The word 'hacker' has to do with a specific kind of clever programmer, and how the same cleverness can apply to other things."


      Its as much a true mistake of language as the first word of this sentence.

      --
      Don't thank God, thank a doctor!
    18. Re:This is why I prefer the anarchy of efnet by stonecypher · · Score: 2, Informative

      No, it's "hackers" in the sense of the word that the vast majority of the world's population refers to it.

      Mmm hmm. Fusion bombs aren't nuclear because most people are too stupid to know the difference. Irony isn't cruel happenstance because most people are too stupid to know the difference. Translucent doesn't mean partially transparent just because most people are too stupid to know the difference.

      This word doesn't change because of popular dumb either. Descriptivists are apologists who don't understand the difference between a mistake and progress. Don't fall for their trap; common usage just doesn't shift that fast. Believe it or not, reporters can be mistaken. Note for example that the word "alleged" has a critical and specific meaning in law, that someone has been convicted of a crime. Now, pay attention to your local news, who will call someone who is held under suspicion or awaiting trial "alleged."

      If a whole bunch of people start calling your wife a boat, is that suddenly a new legitimate usage for the word "boat?"

      --
      StoneCypher is Full of BS
    19. Re:This is why I prefer the anarchy of efnet by stonecypher · · Score: 3, Insightful

      Words mean whatever people say they mean. It's the very definition of 'tautology'.

      This is simply false. Words have an important historical usage context which is not discarded simply because one generation makes the mistake of listening to one badly educated entertainer. I'm not sure where this myth comes from, exactly, but I know not one single linguist who falls short of disgust for the legion of armchair quarterbacks professing this supposed deep understanding of the nature of the lexicon without ever having taken a linguistics class.

      Grandparent is, in fact, correct. Words do not change simply because 1/4 of the population is a bunch of douchebags who don't know how to crack a book. When you're 50 and you watch these mistakes melt away in favor of the next generation's crop of errors, and begin to realize that these "changes" are impermanent, because they're merely errors, perhaps you'll begin to understand.

      Linguistics is a science with a statistical and mathematical underpinning. Please do not further comment on its nature until you have at least a passing familiarity therewith, thank you.

      --
      StoneCypher is Full of BS
    20. Re:This is why I prefer the anarchy of efnet by Ilgaz · · Score: 3, Insightful

      I bet there are non 15 years old people who can bring down Freenode to its knees in 5 minutes of time. I bet they hate lilo too.

      Thing is they WON'T do such a thing since Freenode is home of many open source projects including stuff Slashdot runs on.

      It is more like locking down a ER department for fun.

  2. Oh no! by Rendo · · Score: 2, Insightful

    Not my fake password I use for insecure places all over the internet! What ever will I do!

  3. Password on IRC and you're worried? by garcia · · Score: 5, Insightful

    Ok, seriously, who here uses an important password on Freenode (or any IRC network) for NickServ? I certainly don't. Hell, my Slashdot password is more important than the one I use on IRC and the one I use here isn't even that secure...

    I have no sympathy for someone that has an "at risk" password on IRC.

    1. Re:Password on IRC and you're worried? by _Sprocket_ · · Score: 2, Funny

      Amazing! I have the exact same password on my online storage account!

    2. Re:Password on IRC and you're worried? by Random832 · · Score: 2, Informative

      except a lot more people could be tapping the wire than just the government.

      --
      We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
    3. Re:Password on IRC and you're worried? by Breakfast+Pants · · Score: 2, Informative

      I hope you aren't in a dorm room.

      --
      WHO ATE MY BREAKFAST PANTS?
    4. Re:Password on IRC and you're worried? by Silver+Gryphon · · Score: 2, Funny

      Not anymore :)

  4. yeah well by scenestar · · Score: 4, Insightful

    *Don't auto ident during connect
    *Don't use multiple passwords
    *Change password after someone got ahold of it
    *Realise that it's just a goddamn nickname

    --
    perpetually dwelling in the -1 pits
    1. Re:yeah well by A.K.A_Magnet · · Score: 4, Informative
      *Don't auto ident during connect
      And if you auto-identify in your perform, do something like : /identify *pass* which is a server-side macro for "PRIVMSG NickServ@<services-fakeserver-hostname> :password".

      The IRC protocol allows you to send messages to Nick@server (meaning "send a message to 'Nick' if and only if he's on 'server'"), so you can do the same with services. Then if the NickServ nickname is hijacked, it won't matter, because the services "fake server" cannot be hijacked without knowledge of the hub configuration (C/N lines), and if it ever happens, IRC admins/opers will notice (that's not something you can miss).

      So either choose the macro (/identify) or the whole command. Or identify manually :)
    2. Re:yeah well by sbennett · · Score: 3, Interesting

      Unfortunately this won't work. The way Hyperion, Freenode's IRCD, is designed, server passwords not used as such get passed directly on to whoever happens to be using the nickname defined in the config as the 'identify service'. In Freenode's case, this just causes a PRIVMSG to be sent from your nick to NickServ, whichever server he happens to be using, with the identify command and password. It's no harder to hijack than a regular /msg. The same goes for the 'raw' nickserv commands, which are similarly translated to PRIVMSG.

      This is compounded by the fact that due to the way Hyperion's server-hide works, it is in theory impossible for normal users to know which server another client is using, so '/msg NickServ@services.' doesn't work either.
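The sender check these two comments argue about, as an added example that is not code from the thread, from Hyperion or from any services package: a small Python parser for raw IRC lines and a classifier that treats a message as coming from NickServ only when its prefix carries the services user@host the client has been configured to trust. The trusted hostmask `NickServ@services.`, the sample lines and the `identify_command` helper (which builds the NickServ@server form A.K.A_Magnet describes; sbennett's point that Hyperion turns it back into an ordinary PRIVMSG stands, so the receive-side check is the part that still helps when the bare nick has been taken) are all constructed assumptions for this example.

```python
"""Client-side detection of a spoofed NickServ (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed assumption: the user@host the real services use on this network.
# Take it from the network's own documentation, never from a message that
# merely claims to be NickServ.
TRUSTED_SERVICES_HOST = "NickServ@services."

# nick!user@host ; user and host are optional in a prefix.
_PREFIX_RE = re.compile(r"^(?P<nick>[^!@\s]+)(?:!(?P<user>[^@\s]+))?(?:@(?P<host>\S+))?$")


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)


def parse_line(raw: str) -> IrcMessage:
    """Split a raw server line (':prefix CMD arg :trailing') into its parts."""
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    params = line.split()
    if not params:
        raise ValueError("IRC line has no command: %r" % raw)
    command = params.pop(0).upper()
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


def split_prefix(prefix: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (nick, 'user@host'); user@host is None when the prefix lacks it."""
    m = _PREFIX_RE.match(prefix)
    if not m:
        return None, None
    nick, user, host = m.group("nick"), m.group("user"), m.group("host")
    if user is None or host is None:
        return nick, None
    return nick, f"{user}@{host}"


def classify_sender(raw: str) -> str:
    """Decide who a PRIVMSG/NOTICE really comes from.

    'genuine'       - nick NickServ with the trusted services user@host
    'impersonation' - nick NickServ (any case) but a different or missing user@host
    'other'         - not from a nick called NickServ, or not a message at all
    """
    msg = parse_line(raw)
    if msg.command not in ("PRIVMSG", "NOTICE") or msg.prefix is None:
        return "other"
    nick, userhost = split_prefix(msg.prefix)
    if nick is None or nick.lower() != "nickserv":
        return "other"
    if userhost is not None and userhost.lower() == TRUSTED_SERVICES_HOST.lower():
        return "genuine"
    return "impersonation"


def scan(lines) -> dict:
    """Count classifications over a stream of server lines (e.g. a client log)."""
    counts = {"genuine": 0, "impersonation": 0, "other": 0}
    for raw in lines:
        counts[classify_sender(raw)] += 1
    return counts


def identify_command(password: str, services_server: str = "services.") -> str:
    """Build the Nick@server form of the identify command (assumed server name)."""
    if any(c in password for c in "\r\n\0"):
        raise ValueError("password contains characters not allowed in an IRC line")
    return f"PRIVMSG NickServ@{services_server} :IDENTIFY {password}"


# Constructed sample traffic: one real prompt, one from an ordinary user who
# took the nick, one lower-cased genuine reply, and two unrelated lines.
SAMPLE_LINES = [
    ":NickServ!NickServ@services. NOTICE alice :This nickname is registered. Please identify.",
    ":NickServ!~kid@203.0.113.7 NOTICE alice :This nickname is registered. Please identify.",
    ":nickserv!nickserv@services. PRIVMSG alice :You are now identified.",
    ":bob!bob@example.org PRIVMSG #chan :hi all",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(f"{classify_sender(raw):14s} {raw}")
    print(scan(SAMPLE_LINES))
```

A client script that auto-identifies would send the password only in response to a line classified `genuine`; a prefix with no user@host at all is treated as unverifiable rather than trusted, which is why the bare `:NickServ NOTICE ...` form counts as impersonation here.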

  5. ircd's and security by proudhawk · · Score: 5, Insightful

    I am more than familiar with ircd and security
    (having run a server network for better than 5 years).

    Rule #1, the admin password is NEVER stored in nickserv.
    anyone who does this deserves whatever it is they get!

    It's better to mod the conf file and do a command rehash
    from the cli.

    --
    Understanding is much like a 3-edged-sword. in this: there are always 2 sides and the truth.
    1. Re:ircd's and security by jZnat · · Score: 3, Insightful

      Rule #2: any important administrative tasks should be done via SSH in the first place, even for IRC.

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
  6. You know... by demongeek · · Score: 2, Interesting

    There will probably be a wave of two major camps -- those who say "oh this is nothing! Look at what happens to closed-source leakages from banks, etc, ad nauseam!!1"; there will also be a wave of people who say "this is a major break and someone should be shot..." While I understand both camps' thoughts and opinions, I have a single comment: is there really an expectation (whether FOSS or Closed Source) that it should be secure?

    Granted, that person/company is probably relying on the money from ads or what have you so he hopes that things are secure. Really, though, if you don't think the service is secure, go to another one or start your own!

  7. Explaining the jargon... by kaden · · Score: 4, Funny

    FOSS = Free and Open Source Software, in case anyone was wondering...

    1. Re:Explaining the jargon... by leenks · · Score: 5, Funny

      You seriously felt the need to post that on Slashdot? :o

    2. Re:Explaining the jargon... by Anonymous Coward · · Score: 3, Funny

      TY. (That means 'thank you.') Since this is posted in the IT section of /. (that's slashdot, in case you were wondering), I figured I'd explain what IT stands for. It is an abbreviation of 'Information Technology,' a field that is concerned with managing network and data infrastructure within organizations.

    3. Re:Explaining the jargon... by kaden · · Score: 2, Interesting

      YMMV, but IMHO, using possibly obscure acronyms ATT is a PITA, IYKWIM!!! Just write out the freaking acronyms if you're writing (or "editing") a story thousands of people will read. After all, we aren't smarter-than-thou elitists at Slashdot, are we?

    4. Re:Explaining the jargon... by capiCrimm · · Score: 5, Funny

      Slashdot is a popular technology-news website that can be found at slashdot.org. Just in case anyone was wondering.

    5. Re:Explaining the jargon... by Achra · · Score: 3, Funny

      IANAL, but I play one on TV. I've been told to RTFM and STFU FTW.

      OMGWTFBBQ.

      --
      Each processor would proceed sequentially as if it had been better for them not to rise against Saul.
    6. Re:Explaining the jargon... by A.K.A_Magnet · · Score: 5, Insightful
      After all, we aren't smarter-than-thou elitists at Slashdot, are we?
      Yes we are! :) And proud of it. I understand there was some irony in your comment, but it makes me think of something else.

      Something I hate on Digg is how in each thread of discussion someone feels obliged to explain everything (and how lame stories like "a super set of icons", "learning to program", etc. are posted). And why that?

      The cost of joining Digg is null. You join, you digg, you reply. That's how 14-year-olds are now ruling Digg (while it was originally populated with slashdotters and other tech-oriented websites' readers). That's Digg's so-called "democracy" (except, in a democracy, one is supposed [only supposed] to be mature before voting, that's why there's a minimal age, which unfortunately cannot be implemented on Digg; something great would be "you can choose up to 20 domains of expertise, can change only one every two weeks or month, and you can vote only on stories regarding your level of expertise". Plus some incentive to only have one (1) account).

      Joining Slashdot is free, but there's a cost when you join: you're eaten alive by grammar and spelling nazis if you don't post correctly, you're eaten alive by an "expert" if you say something technically wrong, you receive negative mod points and get ignored, etc. That's why there are so many accounts and so few posters. And that's how Slashdot has been able to remain readable. I was no newbie when I first started reading Slashdot, but not being a newbie I already knew that you have to understand the subculture and the community first before participating (the same goes for IRC). So I actually registered and became a slashdotter myself years later. Most Diggers are newbies. That's why Digg is good for fresh news and lame for comments, while Slashdot is good for comments (but lame for fresh news). Because we're smarter-than-thou elitists.
    7. Re:Explaining the jargon... by EnsilZah · · Score: 5, Informative

      This really should have been modded informative, people need to work on their sense of meta-humour. =\

    8. Re:Explaining the jargon... by Anonymous Coward · · Score: 2, Informative

      TY. (That means 'thank you.')

      Don't be so fucking condescending.

      (Condescending is when you talk down to somebody.)

  8. spam by Punto · · Score: 5, Funny

    o noes, If someone got a hold of lilo's password, they could start spamming the users with useless server-wide notices nobody cares about!!1!

    --
    Stay tuned for some shock and awe coming right up after this messages!

  9. So Levin is just another "peer"? by Baldrson · · Score: 3, Funny
    You've reached freenode, a service of Peer-Directed Projects Center (PDPC).

    But some "peers" are more "peer" than others, like Mr. Levin.

    Welcome to Animal Farm.

    1. Re:So Levin is just another "peer"? by ZoFreX · · Score: 4, Insightful

      You may not know how right you are, I've been calling Freenode "Animal Farm" for weeks - Patrick McFarland (a.k.a. Diablo-D3) has been highlighting some of what's wrong with freenode and in doing so has become their "snowball" - he is literally blamed for everything that goes wrong on freenode, including the recent torbot attacks and no doubt this most recent one as well.

    2. Re:So Levin is just another "peer"? by Emmettfish · · Score: 3, Interesting
      Except that both lilo *and* Diablo-D3 are both utterly and completely useless. Lilo 'runs' an IRC network that totally sucks, and Diablo-D3 hits people up for money for his 'game' that has never, ever seen the light of day. I've managed a game project before, and it died (though people recently have indicated interest in bringing it back), but you don't see me spamming for money for it. You would also never see me spamming for money for a project that produces nothing.

      When I was running Xiph.Org, both lilo and Diablo-D3 were spamming people for money. It's why Xiph (at least temporarily) left Freenode. Diablo-D3 waged a campaign against LinuxFund for their donations to Xiph, which created (and still creates) free and useful code for the community.

      Matter of fact, back when Freenode had 'Freenode Radio,' I had given them a ton of original music to use. They played it for a while, and then took it off the air 'under mutual agreement with the artist,' which was simply a lie -- My music is public domain. The folks that made this claim were eventually caught, fessed up and apologized for lying to me and people that listened to the station. They sucked at this, too; They played my music long after they claimed to 'take it off the air,' they were just too dumb to look at the ID tags of the files.

      Bob and Patrick are in the same boat. They're both useless, they're both stupid, they're both utterly ineffectual.

      Don't know what to tell you, really. I don't have time for IRC anymore, but if I did, I wouldn't truck with *either* of those cats. Freenode is a black hole of idiocy, and if you really want to dive into it, go ahead -- Just don't expect logic, reason or honesty to win out over egotistical mania and deception. This may be true of *all* IRC networks, but Freenode is the only one where I've seen this kind of shit go down time and time again.

      Freenode may be 'Animal Farm,' though without the Orwellian context. Lilo's just too damn stupid to play Napoleon. It's like a normal farm. Backward Farmer Bob Levin and his flock of sheep.

  10. But I Thought Information WANTED to Be Free? by RobotRunAmok · · Score: 4, Funny

    D00d...?

    I say we strip the DRM from all passwords! Down With Evil Password IP!!

    Who's with me?

    OK, compromise: Every time we use your password, we promise to give you credit and link to your blog. Deal?

    Face it, until people start making passwords available for a fair price in all nations everywhere, this kind of piracy will be rampant...

  11. The IRCD could have helped with some of that... by SailorFrag · · Score: 4, Insightful

    As an admin on another IRC network, I'm actually quite surprised that the ircd would let someone take the nick nickserv... or at least, if it's permitted to happen, that there isn't some alternate authentication mechanism that guarantees it only goes to a legitimate recipient (i.e. /nickserv or /msg nickserv@services.ircnetwork.net or whatever). Fortunately, my password on there is intentionally weak.

    On the other hand, I understand what it's like to have compromised servers on the IRC network. I wish them the best in their efforts to get things working smoothly again. Tracking down the culprits can be exceedingly hard and time intensive, and reloading rooted servers is never fun.

    1. Re:The IRCD could have helped with some of that... by epiphani · · Score: 2, Informative

      Assuming their nickserv handling on the server side is run the same way Bahamut does theirs...

      *serv nicknames are generally reserved through Qlines. Qlines can be used to restrict all kinds of pattern-matched nicknames, however they still allow opers to use them - this is quite intentional. If the compromised server allowed people to set up opers, it would have been trivial to oper up, remove the real services from the network, and change your nickname to *serv.

      I'm not sure how many networks have picked up on the /nickserv or /msg service@services, but bahamut uses that, and does not accept messages in any other method for services. Bahamut is generally built specifically to handle these types of things.

      If freenode was using Bahamut, I'd be interested in talking to them about this. If a freenode admin sees this, drop me an email.

      --
      .
    2. Re:The IRCD could have helped with some of that... by Draelen · · Score: 2, Informative

      What you refer to is called a Q:Line, which prevents non-opers or non-U:Lined services from using specified nicknames. If the attacker had lilo's oper pass, then the attacker could easily change their nick to "NickServ", thus facilitating the compromise.

    3. Re:The IRCD could have helped with some of that... by FooAtWFU · · Score: 2, Informative

      Freenode uses Hyperion. The preferred authentication technique at the moment, FYI, is to send your nick's password in the IRC server password field when you connect; this will serve to authenticate you to that nick, bypassing NickServ or /nickserv or /quote nickserv or /msg nickserv@services. - and is probably the most secure option available, and one of the easiest to set up.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    4. Re:The IRCD could have helped with some of that... by SailorFrag · · Score: 2, Interesting

      I'm used to ircu, where the juped nicks are in U lines and not even opers can /nick to them, so you'd have to edit a server's config file and rehash to free up the nick. Ah well, I guess such things vary.

    5. Re:The IRCD could have helped with some of that... by Breakfast+Pants · · Score: 2, Informative

      Internally the server just sends a message to nickserv when you do this, so it wouldn't have helped.

      --
      WHO ATE MY BREAKFAST PANTS?
  12. I was there. by Avillia · · Score: 5, Interesting

    Mass delinking.
    Mass throttling.
    Mass glining and killing.
    Mass notices of DCC SEND.
    GNAA denying fault.
    Bantown claiming fault.
    The hilarity of not being auto-removed from #wikipedia thanks to a lack of ChanServ.
    Having up to 20 variations of one person's name.
    Lilo being killed off with a hilarious message.
    And the topic wars...

    Good times.

  13. Re:Puts MS hat on by rmsmith · · Score: 2, Funny

    Nah, man. That's FLOSS*. * Free Libre Open Source Software

  14. from the hope-your-password-wasn't-important dept? by Anonymous Coward · · Score: 2, Funny
    Please somebody alert the who-gives-a-shit dept.


    The much more stoid moment that will be used to summarize the gravity of the matter came when our beloved lilo was taken down:
    * lilo has quit (Killed by ratbert (die ))


    Let's all have a moments silence.


    Woah! If someone did manage to gather people's NickServ passwords, it could mean major trouble, for the victims themselves and possibly for FreeNode as well.


    Woah! I fear a deluge of angst-ridden blogs are about to swamp cyberspace.
    /me runs away

  15. What questions? by supabeast! · · Score: 5, Funny

    "The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

    I don't think that there have been any questions about the security of anything involving IRC for a long time. Everyone with half a brain knows that IRC is a cesspool of hackers, phreakers, crackers, and script-kiddies just looking to stir up shit.

    1. Re:What questions? by LoadWB · · Score: 3, Informative

      Pretty much why I quit IRC a number of years back. Not to be mistaken, IRC has many valuable functions and features -- beyond downloading warez and moviez -- but not for casual chat. If you know the specific channel to go to, you are most likely fine. But for the casual chatter, browse around open channels and you will invariably end up with mass invites, notices, spam, DOS, MSG/CTCP/DCC floods, and my favorite, the mIRC scripts sent via DCC.

      I only used mIRC briefly in my IRC career. It had little to no built-in protection at the time and I went back to AmIRC (Amiga.) Using WildIRC and Kuang11, AmIRC could not be beat. Later scripts for mIRC became much more solid and advanced, and I am sure the program is much better today?

      Brings back some memories, actually. Back around 1997 we used to use a simple ICMP ECHO (ping) packet with a payload of "+++ATH0". Anyone with a modem which did not follow the Hayes specification for the escape sequence (+++ followed by two seconds of "silence") would immediately hang up as the TCP/IP stack sent an ICMP ECHO RESPONSE with the same payload. Was great fun for two or three times.

  16. Re:Good Riddance by SailorFrag · · Score: 4, Informative

    I was going to suggest something along those lines, but if you think about it... if the services database were compromised, even if there's hashing, then everyone's passwords might get out anyway. I don't think anything actually implied that they're stored plaintext.

    I hope not, at least.

  17. Re:Good Riddance by Sinbios · · Score: 4, Insightful

    I'm pretty sure the idea is that they replaced NickServ with something else that intercepts the passwords when users tried to identify.

    --
    Anyone can "stand up for what they believe", but it takes a very brave individual to change what they believe. - Loundry
  18. the cracker /nick'd to "nickserv" by ailaG · · Score: 3, Informative

    if you can pose as nickserv, some people will send you their password, thinking you're the real nickserv bot. the original identification command is to PM nickserv your password, assuming that nickserv is a nice bot that won't tell anyone. now, if someone poses as our nice little bot..

    --
    -= ailaG =-
  19. I'm with the 'who cares' camp by alex_vegas · · Score: 2, Interesting

    My freenode password only exists because of channels that strive to keep out spambots, and it's 'password'. If someone is lame enough that they have nothing better to do than impersonate me on freenode, that is in itself punishment for the crime... It might be fun to impersonate twkm and give icy answers to the entire western world's obscure C questions, but in order to do that one would have to know as much obscure C crap as twkm does...

  20. Nothing new here, move along... by Shoten · · Score: 2, Insightful

    I don't understand why there would be any greater implications from this event than any other. All kinds of organizations have been compromised; this is far from news, and just another example of why most security experts recommend a "multi-tiered" password scheme for users. A set of passwords, of varying importance...for the most critical things, a longer and stronger password, another middle-level password to use at other sites of lesser importance (like webmail) and a throwaway password for things that don't matter to you so much. Best of all, use unique passwords for the high-importance site, if you use something like Password Safe for Windows, KeePass for Linux, or Keyring for PalmOS to keep track of them securely.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  21. Not Sure by Ajehals · · Score: 2, Interesting

    I am not really bothered at the prospect of my freenode nick or password being available to someone else. Mainly as it's hardly going to do any lasting damage to me other than potentially being a little annoying. The only problem I see is that someone could theoretically impersonate me and make me look like a bit of a git, but that should be easily remedied over a short amount of time. Plus unless these username / password combinations are posted publicly and no one changes their passwords it's unlikely to happen given the number of users... Oh and anyone using an important password with their freenode account probably needs a wakeup call anyway.

    It might be a bigger problem if this happened here on slashdot (someone gathering email addresses or similar would have a decent mailing list to sell - with a fairly specific target audience... but then I use a public mail address here anyway so it might actually improve the quality of spam I get...) and it would be a catastrophe if it would have been a finance related system or similar.

    On the other hand it sounds from the summary and the blog that's linked that the break of a single username / password combo from remote was the root cause of this breach. If I am accurate in my understanding and that is really the case then we need to take a long hard look at how we can change that. You should not be able to compromise a system from remote with a single set of credentials regardless of how non-sensitive (insensitive?) the system is.

    But then I'd like to see more details about what happened, when it happened (if it really happened?) what was exposed (or could have been exposed) during the attack before I take too hard a line either way.

  22. Nickserv passwords. by me22 · · Score: 4, Insightful

    It says "the passwords of many users may have been compromised by someone posing as NickServ".

    This doesn't mean that someone found a plaintext list of all the passwords. If you want to find out if there even is one, then download the source code for hyperion and look for yourself.

    What it does suggest is that someone /nick'ed to NickServ and consequently could see all the passwords of people joining when they were /msg'ed.

  23. Use a different password on every site! by dmd · · Score: 2, Informative

    Nobody should be using the same password on ANY two sites. You have no control over what the remote side is doing with your password.

    Use something like http://www.hashapass.com/ to generate your passwords instead, and you only have to remember one thing, but your password is different on every site.
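The per-site derivation the comment above recommends, as an added example that is not code from the thread or from hashapass itself: a master secret is used as an HMAC key over a normalised site label, so each site gets a distinct password and a password stolen from one site reveals neither the master nor any other site's password. The hash, output length and site normalisation here are this example's own choices (assumption: the general idea behind such tools, not their exact algorithm), and the sample secret and site names are constructed.

```python
import base64
import hashlib
import hmac
import re


def normalize_site(site: str) -> str:
    """Reduce a site label to a stable key so that "https://Freenode.net/login"
    and "freenode.net" derive the same password: strip scheme, path and case."""
    site = site.strip().lower()
    site = re.sub(r"^[a-z]+://", "", site)   # drop "https://" etc.
    return site.split("/", 1)[0]              # drop any path component


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Derive a per-site password as base64(HMAC-SHA256(key=master, msg=site)).

    The master secret is the HMAC key, so recovering it from one derived
    password is as hard as breaking the HMAC; sites never see the master.
    """
    if not 8 <= length <= 43:      # 32-byte digest -> 43 non-padding base64 chars
        raise ValueError("length must be between 8 and 43 characters")
    mac = hmac.new(master.encode("utf-8"),
                   normalize_site(site).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def reused_passwords(credentials: dict) -> dict:
    """Given {site: password}, return {password: [sites]} for every password
    that appears on more than one site; the reuse the comment warns against."""
    seen = {}
    for site, pw in credentials.items():
        seen.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in seen.items() if len(sites) > 1}


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample secret
    for site in ("freenode.net", "https://slashdot.org/", "webmail.example"):
        print(f"{site:28} {derive_site_password(master, site)}")
```

The derived password is deterministic, so nothing needs to be stored; the cost is that changing the master secret changes every site password at once, and a site that caps password length may need a shorter `length`.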

  24. Re:Good Riddance by Doc+Ruby · · Score: 2, Interesting

    What kind of auth protocol sends passwords in plaintext across the network, rather than hashing them at the client for comparison at the server? Especially among a complex 3-party auth?

    There might be a technical difference in the topology, but the insecure design is just as bad, if not worse.

    Why should NickServ have access to the clear passwords? What happens if FreeNode switches to another auth service, especially if a result of a dispute? That system is really too insecure to trust at all.

    --
    make install -not war

  25. Trust No One by ObsessiveMathsFreak · · Score: 3, Interesting

    "A trusted component is one which can break the security policy."

    A truly secure system should have no trusted components. A Client's faith should never be placed in anyone except themselves, and even then, only reluctantly. Freenode had a trusted component; namely, Robert Levin's privileges. This should never have been present in the system and was simply a disaster waiting to happen.

    If you really want security you've got to accept three things. Trust No One. The Enemy Knows the System. The System Can Be Broken. If you think otherwise, you haven't got security, you've just got a fancy codec.

    --
    May the Maths Be with you!
  26. clear text passwords? by maraist · · Score: 2, Interesting

    I'm not a big browser of IRC's, but do we honestly still use clear text passwords anywhere? I mean unless IRC is such an old service that it can't make use of any of the dozen some odd technologies that have been standardized on in the past 20 years.. come on!!

    --
    -Michael
    1. Re:clear text passwords? by FooAtWFU · · Score: 2, Informative
      It is, and it can't.

      Well, if you'd read the fine summary (maybe if you'd UNDERSTOOD the fine summary, I guess you read it) you'd know that it does not store the passwords in the clear but that someone logged on to impersonate the authentication service, which receives passwords sent in the clear. But there's really not too much you can do about that, even when you have a secure connection. It's like someone who replaces the CGI script on your log-in page to capture everyone's <input type="password"> submissions. Which are also received in the clear, whether or not they are sent via SSL.

      Yeah, we have things like public key authentication. No, there's no real good way to use them on IRC. It is an old protocol. Sorry.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
  27. WTF by Anonymous Coward · · Score: 4, Insightful

    If this had happened to a Microsoft Server the comments would be off the wall about how this PROVES BEYOND DOUBT THAT WINDOWS REALLY SUCKS. (Bold characters intended to fool moderation drones). The hypocrisy on Slashdot is incredible.

    1. Re:WTF by Cal+Paterson · · Score: 2, Insightful

      I don't know what you're talking about. Everybody is out here in force talking about how bad Freenode is. All the posts I've seen are negative. No one has said that Freenode has a good design, and people are talking about its faults.

      There's no hypocrisy here. People are using the same standards of stupid security on Win32 as they are on Freenode. You're an idiot looking to score apologist points.

  28. Re:Good Riddance by Sinbios · · Score: 2, Informative

    Passwords on IRC are sent via plain messages to NickServ, which acts just like any other client. I assume regularly NickServ does not log these messages, but if the server is hijacked these messages are probably easily viewable.

    --
    Anyone can "stand up for what they believe", but it takes a very brave individual to change what they believe. - Loundry
  29. Uh oh. by SwartKrans · · Score: 5, Funny

    Oh no! Someone stole my Freenode password! Now they can login and have no control over anything!

  30. My thoughts.. by paulmer2003 · · Score: 4, Insightful
    People should not use /msg nickserv pass on connect. They should be using scripts that check that nickserv is on a certain server (services.int, services.* etc etc) and its hostname matches. The IRC server should also have *serv juped/qlined so nobody can set their nick to *serv.

    "Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking."

    What I'm wondering is, WHY THE FUCK ISN'T HIS O:LINE IP RESTRICTED? Did he use one password for both the ircd ssh and his operline (if they were the same the hacker could add himself an oline or add his ip to his oline..)? Either way, he's a moron.

    "The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

    Not really. If he had his shit set up correctly this would have never happened in the first place.

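The client-side check the comment above describes, as an added example that is not code from the thread or from any IRC client: before sending the password, confirm that the "NickServ" that prompted us carries the services nick on a services host, and that a WHOIS reply (RPL_WHOISSERVER, numeric 312) places it on a services server rather than on an ordinary leaf. The trusted host patterns, the server names and the IRC lines are constructed for this example, not freenode's real configuration or traffic.

```python
import fnmatch
import re

# Hosts a services bot would legitimately use. Constructed patterns for this
# example; a real script would take them from the network's documentation.
TRUSTED_SERVICES_HOSTS = ("services.", "services.*")

PREFIX_RE = re.compile(r"^:?(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)$")

# Constructed WHOIS replies: a genuine NickServ, and a user who /nick'ed to
# NickServ on a normal server while services were delinked.
WHOIS_GENUINE = [
    ":hub.example 311 me NickServ NickServ services. * :Nickname Services",
    ":hub.example 312 me NickServ services. :Network Services",
    ":hub.example 318 me NickServ :End of /WHOIS list.",
]
WHOIS_SPOOF = [
    ":hub.example 311 me NickServ ~bantown evil.example * :lol",
    ":hub.example 312 me NickServ irc.example.net :A leaf server",
    ":hub.example 318 me NickServ :End of /WHOIS list.",
]


def parse_prefix(prefix: str):
    """Split an IRC prefix ':nick!user@host' into (nick, user, host), or None."""
    m = PREFIX_RE.match(prefix)
    return (m.group("nick"), m.group("user"), m.group("host")) if m else None


def host_is_trusted(host: str, patterns=TRUSTED_SERVICES_HOSTS) -> bool:
    """Case-insensitive glob match of a host or server name against the allow list."""
    return any(fnmatch.fnmatchcase(host.lower(), p) for p in patterns)


def services_server_from_whois(lines, nick="NickServ"):
    """Return the server named in a 312 numeric for `nick`, or None.
    Format: ':server 312 <me> <nick> <server> :<info>'."""
    for line in lines:
        parts = line.split(" ", 5)
        if len(parts) >= 5 and parts[1] == "312" and parts[3].lower() == nick.lower():
            return parts[4]
    return None


def should_identify(sender_prefix: str, whois_lines, nick="NickServ") -> bool:
    """Send the password only if the prompting NickServ has the services nick,
    a trusted host, and WHOIS places it on a trusted services server."""
    parsed = parse_prefix(sender_prefix)
    if parsed is None:
        return False
    sender_nick, _user, host = parsed
    if sender_nick.lower() != nick.lower() or not host_is_trusted(host):
        return False
    server = services_server_from_whois(whois_lines, nick)
    return server is not None and host_is_trusted(server)


if __name__ == "__main__":
    print(should_identify(":NickServ!NickServ@services.", WHOIS_GENUINE))     # True
    print(should_identify(":NickServ!~bantown@evil.example", WHOIS_SPOOF))    # False
```

This defends against the /nick-to-NickServ impersonation discussed in this thread; it does nothing against a sniffer on the wire, since the password still leaves the client in the clear.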
    1. Re:My thoughts.. by nenolod · · Score: 5, Informative

      Hi! I used to be freenode staff, and I figured I would comment on this.

      You obviously have no idea how freenode's infrastructure is managed -- the infrastructure isn't a land of ZOMG I BOUGHT SHELLZ FROM SHELLFX.NET garbage. Most of these servers exist solely to host freenode, do not use ssh passwords (instead private keys are used), and do not use the same passwords as lilo's o:line password.

      The fact is that they rooted servers close to freenode servers (i.e., on the same switch); then used ettercap to sniff o:line passwords. This was exacerbated by the fact that o:lines are (NOT masked *@*, but masked ?=levin@*), so basically all that had to be done was use the username levin, and boom you're opered up.

      That is what the issue is, the o:lines are insecurely masked. Nothing more.

      HOWEVER, since they were sniffing, it is possible that they may have lifted services passwords as well -- people should probably change them. Then again, how do you know that they still aren't sniffing. Quite simply, nobody except the people behind this know.

      Also, the group freenode is dealing with is known as Bantown, which has a reputation of causing whatever hell they wish wherever they feel like doing so. So no, none of what you said is truly relevant, as this group is a tad more unpleasant than the GNAA is. In fact the GNAA is a bunch of nice guys in comparison to Bantown.

    2. Re:My thoughts.. by cortana · · Score: 2, Interesting

      Forgive me, I don't know anything about IRC on the server side. But this would have been prevented if the server-to-server links used SSL, right?

  31. Couldn't have happened to a better guy by irq · · Score: 2, Interesting

    lilo, hi, remember me?

    What goes around, comes around.

  32. Serves them right! by onthost · · Score: 2, Interesting

    This is the SECOND time in a month this has happened. Anyone know why? Freenode uses OPEN O:Lines, meaning they can be accessed from any user@host instead of using proper O:Lines specifying the user's ident (which is useless since it can be changed) and their hostname (which is harder to spoof/use).

    Also during the whole thing lilo actually asked for donations. My question is if their servers are donated, where does the money that is donated go to? They don't pay for bandwidth, servers, anything really. Curious really.

  33. Re:What kind of auth protocol? I'll tell you... by Doc+Ruby · · Score: 2, Interesting

    Which is why HTTP clients tell users that such forms are insecure, right where the user is entering the password. While the HTTPS protocol is indicated to be secure by the client, because it is secure during the part of the transaction that includes the client.

    That is of course not as secure as transmitting only a hash, which can help ensure the password doesn't get exposed. But it is a lot more secure than the nearly totally insecure IRC protocol we're talking about. And therefore a lot less vulnerable, therefore more trustworthy. IRC doesn't indicate how untrustworthy is its password authentication, so the public exposure of its failure in this case is valuable, in educating users. At higher cost, and lower return, than just making the protocol use hashes instead.

    --
    make install -not war

  34. challenge authentication by Spy+der+Mann · · Score: 3, Interesting

    If nickserv used some kind of challenge authentication (it sends you a random challenge, and you hash the password with it), we wouldn't have these problems. Of course, this is irc, and that might be somewhat difficult to implement.

  35. Re:Good Riddance by Doc+Ruby · · Score: 2, Informative

    Which is why good hash functions generate different hashes for every transaction from the same plaintext. Like including a timestamp.

    Hashes are proven deterrents to attacks that raise the cost of attacks much higher than their returns. Of course they have to be used correctly. That's how security works: you can't protect your house by taping a lock to the welcome mat.

    --
    make install -not war
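The challenge-response scheme proposed in comment 34 and the per-transaction freshness argued for in comment 35, as an added example that is not code from the thread or from any real NickServ: the server issues a random single-use nonce, the client answers with an HMAC over that nonce keyed by a salted derivation of the password, and the server checks it with a constant-time comparison. A sniffer sees only nonce and response, neither of which is the password, and the response is useless against the next challenge. Class and method names, the PBKDF2 parameters and the sample account are this example's own assumptions.

```python
import hashlib
import hmac
import os


class ServicesChallengeAuth:
    """Toy challenge-response login. The server keeps a salted verifier per
    account rather than the password; the password never crosses the wire."""

    def __init__(self):
        self._accounts = {}        # nick -> (salt, verifier)
        self._pending = {}         # nick -> nonce awaiting a response
        self._used_nonces = set()  # every nonce is accepted at most once

    @staticmethod
    def _verifier(password: str, salt: bytes) -> bytes:
        # Slow, salted derivation so a stolen services database still costs
        # an attacker an offline guessing effort per account.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

    def register(self, nick: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[nick] = (salt, self._verifier(password, salt))

    def challenge(self, nick: str, nonce: bytes = None):
        """Server side: issue a fresh nonce (injectable for tests) and the
        account's salt so the client can recompute its verifier."""
        if nick not in self._accounts:
            return None
        nonce = nonce or os.urandom(16)
        self._pending[nick] = nonce
        return nonce, self._accounts[nick][0]

    @staticmethod
    def respond(password: str, salt: bytes, nonce: bytes) -> str:
        """Client side: HMAC-SHA256(key=verifier, msg=nonce). This hex string
        and the nonce are all a passive sniffer ever sees."""
        verifier = ServicesChallengeAuth._verifier(password, salt)
        return hmac.new(verifier, nonce, hashlib.sha256).hexdigest()

    def verify(self, nick: str, response: str) -> bool:
        """Server side: accept only a response to the outstanding nonce for
        this nick, and burn the nonce so the same response can never replay."""
        nonce = self._pending.pop(nick, None)
        if nonce is None or nonce in self._used_nonces:
            return False
        self._used_nonces.add(nonce)
        _salt, verifier = self._accounts[nick]
        expected = hmac.new(verifier, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    auth = ServicesChallengeAuth()
    auth.register("alice", "hunter2")                     # constructed sample account
    nonce, salt = auth.challenge("alice")
    sniffed = ServicesChallengeAuth.respond("hunter2", salt, nonce)
    print(auth.verify("alice", sniffed))                  # True: genuine login
    auth.challenge("alice")
    print(auth.verify("alice", sniffed))                  # False: replay against a new nonce
```

The remaining weakness is the one this design cannot remove by itself: the stored verifier is login-equivalent, so whoever steals the services database can answer challenges without knowing the password. Closing that gap needs an augmented scheme such as SRP or SCRAM, which is the "somewhat difficult to implement" part on a protocol as old as IRC.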

  36. It goes to lilo by a16 · · Score: 4, Insightful

    The money goes 100% to Lilo. *All* of their servers and hardware are donated. I believe they may pay for their web server, but even then, that's $99/month max?

    This is what annoys me most about Lilo's "donation" pledges - he has set up a non-profit organisation with himself as the only paid employee, and receives thousands in donations yearly which all go to him. Oh, and "supplies", which of course are used by the only employee of the organisation. Yet he doesn't make this clear, at all. I believe most people genuinely think they are donating to the network, not the guy who sits there all day running it.

    Let's also not forget his latest project, for us to all pay off his debt and buy him a new trailer to live in. Seriously, I'm not joking.

    Freenode really, really needs new leadership, fast. Something not controlled by one person, or even if it is, someone competent would be a nice change :)

    1. Re:It goes to lilo by ameyer17 · · Score: 2, Informative

      IANAL, but if that's true, it's fraud.

    2. Re:It goes to lilo by BoldAndBusted · · Score: 3, Insightful

      On some points, you are probably correct, but on the last one, on "Spinhome", what's the big deal? It's not like he says that the money is going to support the network and then turns around and spends it on his land yacht. That site makes it pretty clear what the money will go towards.

      And, do you think that Freenode would run as well as it does (today excepted) without some guy "who sits there all day running it"? Oh, people don't deserve money, but, yesyesyes buymoreservers/bandwidth? He's being paid for the service he provides. And so far, that's been a decent service.

      Wow, he receives thousands in donations yearly. Literally *thousands*. Why, he could be... a Thousandaire! What a mogul.

  37. one problem... by verbatim_verbose · · Score: 2, Insightful

    It's not "just a goddamn nickname". It's how people on IRC identify you as you. If someone impersonates you successfully and talks to the right people, or uses some bot in your channel, all kinds of damage could be done. Suppose they convince someone to manipulate an account that you hold somewhere, because after all, they know "you". This is why nickserv exists.

  38. On the internet... by Poromenos1 · · Score: 2, Insightful

    ...the insecure places are more than the secure ones. Come to think of it, if someone got my password for the insecure places, he could do almost anything posing as me :P

    --
    Send email from the afterlife! Write your e-will at Dead Man's Switch.
  39. messages from my freenode status window: by RotJ · · Score: 2, Informative
    [01:26] -lilo- [Global Notice] Hi all. We just experienced a brief outage between our US and EU hubs....we're investigating. Apologies for the difficulties, and thank you for your patience.
    -
    [01:28] -lilo- [Global Notice] We're told that the service interruption affected EFNet as well....in the absence of further problems, we'll pass you any information we receive on wallops (/mode yournick +w)....thanks!
    -
    [23:44] -ratbert- [Global notice] I am a fat asshole, who loves abuse, die
    -
    [23:44] -ratbert- DCC SEND YOUAREALLJUDENLOL
    -
    [01:07] -lilo- [Global Notice] Hi all. As you may be aware, freenode has experienced a crack attack and we're working on tracking down the details. At this point, we cannot guarantee that more problems will not occur.
  40. I swear it was him! by Anonymous Coward · · Score: 3, Funny

    http://uncyclopedia.org/wiki/Peer
    Unfortunately he's still at large.

  41. Re:Watch as the Linux community eats it's own youn by Emmettfish · · Score: 2

    I have also known Rob on and off over the years, and I have *also* donated money. While I understand your interest in keeping the conversation civil, I wanted you to know that I have also been a vocal and financial supporter of Freenode.

  42. Re:Bull by Lord+Ender · · Score: 3, Interesting

    Well, in college, I did build a CPU (on paper) at the gate level. But my point is only that a person who is highly aware of every major component of his system is going to be able to wield it more effectively than a person who does not. Building (and selecting components) makes a person more aware of the machine's capabilities and more capable of fixing failures and bottlenecks.

    And I don't mean to say it is OK for a kid to do this. I was answering the question "why are you a jackass?" That's why. It's not malice.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  43. An exercise in free speech by Legal · · Score: 2, Interesting

    An excerpt from the largely uneventful briefing session on #freenode-moderated tonight about said incident (brackets are mine, intended for illumination):

    HedgeMage: We believe that 25 nickserv passwords were compromised during a limited window, but all concerned individuals are encouraged to change their nickserv passwords just in case.
    HedgeMage: thanks, Astinus
    HedgeMage: We'll open up the floor for questions, one at a time, in a moment. Please keep your question concise, and type it ahead of time so we can move as quickly as is practical.

              [several questions, answers, and no-comments]

    HedgeMage: Since most of these seem to be repeats, we're going to close for now. I'd like to reiterate that we encourage all concerned users to change passwords

              [...]

    Astinus: This room will go -m shortly, so ya'll can chat before we have another session.
    HedgeMage: try not to get blood on the carpet
    Astinus: Or we'll send in the cleaners, with pointy brooms
              Astinus has removed operator privileges to HedgeMage
              Astinus has de-activated the following mode : Moderated
    nunsoup: DCC SEND "startkeylogger" 0 0 0
    QuantumBeep: (o__o)
    J: BACON
    b33fc0d3: O.o
    bureado hugs channel
    enderst: heh
    Naconkantari: ceiling cat is watching you.
    WeblionX: First blood!
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    rooly: spam
    rooly: spam
    rooly: spam
    rooly: spam
    rooly: spam
    jeebusmobile: wewt
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    Eidolos: omg deluge
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    snorkle: !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
    DosBubba: 'Grats out to the GNAA for their newly acquired property, irc.vaccus.com #chat . /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join.
    DosBubba: I would like to thank Freenode for taking the time to gather the whole of IRC, it has been our pleasure to take part in such a trolling opportunity.
    DosBubba: Remember: /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join. !startkeygen
    DosBubba: IRC was founded on the principles of trolling, and we thank Freenode from the bottom of our hearts for carrying the fine tradition into the 21st century - hopefully beyond.
    bitplane: wooo
              lilo has activated the following mode : Moderated
              lilo has activated the following mode : Invite Only
    lilo: got to love that
    HedgeMage: so much for that.
    Astinus: some people need to grow up :/

              [and then the channel fell silent again]

  44. Where's the Updates? by TheoMurpse · · Score: 2, Insightful

    What the hell is a "news" page for on http://www.freenode.net/ if you're not going to put, "WARNING: Do not identify with a password on IRC right now!!" on the page. The last news posted is from early May!