Slashdot Mirror


Freenode Network Hijacked, Passwords Compromised?

tmandry writes "The world's largest FOSS IRC network, FreeNode, was hijacked (for lack of a better term) by someone who somehow got a hold of the privileges of Robert Levin, AKA lilo, the head honcho of FreeNode and its parent organization, PDPC. To make matters worse, the passwords of many users may have been compromised by someone posing as NickServ, the service that most clients are configured to send a password to upon connecting, while they reconnected to the servers that hadn't been killed. Of course, if someone was able to nab lilo's password, every user password may have been ripe for the taking. The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

16 of 414 comments

  1. This is why I prefer the anarchy of efnet by Anonymous Coward · · Score: 5, Funny

    Even if someone hijacked it, who could ever tell the difference?

    1. Re:This is why I prefer the anarchy of efnet by IamTheRealMike · · Score: 5, Insightful

      In that case you are a hacker in the original sense of the word - a competent professional who Gets Things Done.

      The OP was complaining about "hackers" in the ZOMG HOLLYWOOD!! sense of the word, usually people who want the thrill of Beating The Man without actually having to do anything dangerous, like getting off their seats.

    2. Re:This is why I prefer the anarchy of efnet by jonoid · · Score: 5, Funny

      So, you consider yourself a hacker but you have a LiveJournal?!

    3. Re:This is why I prefer the anarchy of efnet by Lord+Ender · · Score: 5, Insightful

      Have you ever been 15? Everything is a game. Especially everything on the computer. 0wning this guy's chat server feels about the same as making a slam dunk right over a bigger defender's head, then joking about his mother. Just a game.

      At that age, kids have never had responsibility, and so are unable to feel empathy for those who they are harming.

      I was an ornery teenager once, too. I recall sending ATH0 pings, sending OOB packets, mounting unprotected file shares, and feeling a thrill every time I one-upped these older, smarter people. The internet was just a Nintendo game to me.

      This kid, like the others, is no more of a jackass than any other kid his age. He will just grow out of it with time, like everyone else.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:This is why I prefer the anarchy of efnet by Anonymous Coward · · Score: 5, Insightful

      "At that age, kids have never had responsibility, and so are unable to feel empathy for those who they are harming."

      Having responsibility and being able to feel empathy are two orthogonal things (there are plenty of people with lots of responsibility and little or no empathy). And the ability to feel empathy (and to act upon it to a certain degree) comes a lot earlier than the age 15 for most people.

      "This kid, like the others, is no more of a jackass than any other kid his age."

      What kind of silly overgeneralization is this? At 15, there were quite a few kids my age who weren't such assholes, and there were also some others who were. The latter were by far a minority in my case, although of course bullies always manage to get some following among the less strong-willed. I would at least never describe this sort of behaviour as "normal".

      "He will just grow out of it with time, like everyone else."

      Probably, but not necessarily. Some people remain assholes all their life.

  2. Password on IRC and you're worried? by garcia · · Score: 5, Insightful

    Ok, seriously, who here uses an important password on Freenode (or any IRC network) for NickServ? I certainly don't. Hell, my Slashdot password is more important than the one I use on IRC and the one I use here isn't even that secure...

    I have no sympathy for someone that has an "at risk" password on IRC.

  3. ircd's and security by proudhawk · · Score: 5, Insightful

    I am more than familiar with ircd and security
    (having run a server network for better than 5 years).

    Rule #1, the admin password is NEVER stored in nickserv.
    Anyone who does this deserves whatever it is they get!

    It's better to mod the conf file and do a command rehash
    from the cli.

    --
    Understanding is much like a 3-edged-sword. in this: there are always 2 sides and the truth.
  4. spam by Punto · · Score: 5, Funny

    o noes, If someone got a hold of lilo's password, they could start spamming the users with useless server-wide notices nobody cares about!!1!

    --
    Stay tuned for some shock and awe coming right up after this messages!

  5. Re:Explaining the jargon... by leenks · · Score: 5, Funny

    You seriously felt the need to post that on Slashdot? :o

  6. I was there. by Avillia · · Score: 5, Interesting

    Mass delinking.
    Mass throttling.
    Mass glining and killing.
    Mass notices of DCC SEND.
    GNAA denying fault.
    Bantown claiming fault.
    The hilarity of not being auto-removed from #wikipedia thanks to a lack of ChanServ.
    Having up to 20 variations of one person's name.
    Lilo being killed off with a hilarious message.
    And the topic wars...

    Good times.

  7. What questions? by supabeast! · · Score: 5, Funny

    "The details are still unknown, but these events raise scary questions about the actual security of FreeNode and other organizations like it."

    I don't think that there have been any questions about the security of anything involving IRC for a long time. Everyone with half a brain knows that IRC is a cesspool of hackers, phreakers, crackers, and script-kiddies just looking to stir up shit.

  8. Re:Explaining the jargon... by capiCrimm · · Score: 5, Funny

    Slashdot is a popular technology-news website that can be found at slashdot.org. Just in case anyone was wondering.

  9. Re:Explaining the jargon... by A.K.A_Magnet · · Score: 5, Insightful

    "After all, we aren't smarter-than-thou elitists at Slashdot, are we?"

    Yes we are! :) And proud of it. I understand there was some irony in your comment, but it makes me think of something else.

    Something I hate on Digg is how in each thread of discussion someone feels obliged to explain everything (and how lame stories like "a super set of icons", "learning to program", etc. are posted). And why that?

    The cost of joining Digg is null. You join, you digg, you reply. That's how 14-year-olds are now ruling Digg (while it was originally populated with slashdotters and other tech-oriented websites' readers). That's Digg's so-called "democracy" (except, in democracy, one is supposed [only supposed] to be mature before voting, that's why there's a minimal age, which unfortunately cannot be implemented on Digg; something great would be "you can choose up to 20 domains of expertise, can change only one every two weeks or month, and you can vote only on stories regarding your level of expertise". Plus some incentive to only have one (1) account).

    Joining Slashdot is free, but there's a cost when you join: you're eaten alive by grammar and spelling nazis if you don't post correctly, you're eaten alive by an "expert" if you say something technically wrong, you receive negative mod points and get ignored, etc. That's why there are so many accounts and so few posters. And that's how Slashdot has been able to remain readable. I was no newbie when I first started reading Slashdot, but not being a newbie I already knew that you have to understand the subculture and the community first before participating (the same goes for IRC). So I actually registered and became myself a slashdotter years later. Most Diggers are newbies. That's why Digg is good for fresh news and lame for comments, while Slashdot is good for comments (but lame for fresh news). Because we're smarter-than-thou elitists.

  10. Re:Explaining the jargon... by EnsilZah · · Score: 5, Informative

    This really should have been modded informative, people need to work on their sense of meta-humour. =\

  11. Uh oh. by SwartKrans · · Score: 5, Funny

    Oh no! Someone stole my Freenode password! Now they can login and have no control over anything!

  12. Re:My thoughts.. by nenolod · · Score: 5, Informative

    Hi! I used to be freenode staff, and I figured I would comment on this.

    You obviously have no idea how freenode's infrastructure is managed -- the infrastructure isn't a land of ZOMG I BOUGHT SHELLZ FROM SHELLFX.NET garbage. Most of these servers exist solely to host freenode, do not use ssh passwords (instead private keys are used), and do not use the same passwords as lilo's o:line password.

    The fact is that they rooted servers close to freenode servers (i.e., on the same switch); then used ettercap to sniff o:line passwords. This was exacerbated by the fact that o:lines are (NOT masked *@*, but masked ?=levin@*), so basically all that had to be done was use the username levin, and boom you're opered up.

    That is what the issue is, the o:lines are insecurely masked. Nothing more.

    HOWEVER, since they were sniffing, it is possible that they may have lifted services passwords as well -- people should probably change them. Then again, how do you know that they still aren't sniffing? Quite simply, nobody except the people behind this knows.

    Also, the group freenode is dealing with is known as Bantown, which has a reputation of causing whatever hell they wish wherever they feel like doing so. So no, none of what you said is truly relevant, as this group is a tad more unpleasant than the GNAA is. In fact the GNAA is a bunch of nice guys in comparison to Bantown.
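
The o:line host-mask weakness described in the comment above, as an added example that is not part of the thread and not freenode's code: a small audit that flags operator lines whose host part is wildcards only. The colon-separated `O:` layout, the sample configuration, the oper names and the hostnames are assumptions constructed for illustration; only the mask `?=levin@*` comes from the comment.

```python
import re

# Constructed sample, not a real configuration. Assumed layout (classic
# colon-separated ircd.conf): O:<user@host mask>:<password>:<oper name>:<flags>:<class>
SAMPLE_CONF = """\
# constructed example
O:?=levin@*:PLACEHOLDER:oper1:*:10
O:*@*:PLACEHOLDER:oper2:*:10
O:?=alice@*.staff.example.net:PLACEHOLDER:oper3:*:10
O:?=bob@192.0.2.17:PLACEHOLDER:oper4:*:10
I:*@*::*::1
"""

def mask_matches(mask, userhost):
    """IRC-style glob match: '*' is any run, '?' is one character, case-insensitive."""
    pattern = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask
    )
    return re.fullmatch(pattern, userhost, re.IGNORECASE | re.DOTALL) is not None

def parse_olines(conf_text):
    """Yield (line number, oper name, user mask, host mask) for each O: line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.strip().split(":")
        if fields[0].upper() != "O" or len(fields) < 4 or "@" not in fields[1]:
            continue
        user, host = fields[1].rsplit("@", 1)
        yield lineno, fields[3], user, host

def audit_olines(conf_text):
    """Return O: lines whose host part is wildcards only, i.e. restricts nothing."""
    findings = []
    for lineno, oper, user, host in parse_olines(conf_text):
        if host.strip("*?.") == "":
            findings.append((lineno, oper, f"{user}@{host}"))
    return findings

if __name__ == "__main__":
    for lineno, oper, mask in audit_olines(SAMPLE_CONF):
        print(f"line {lineno}: oper {oper!r} accepts any host (mask {mask})")
    # With such a mask the password is the only barrier, from any address:
    print(mask_matches("?=levin@*", "n=levin@any.host.example"))
```

Tightening the host mask limits where a captured password can be used; it does not stop the password being captured on an unencrypted link.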