Monday, June 26, 2006

FreeNode was Hijacked: here is Freenode's response.

Read about it here:
In response, Freenode called its users to a channel called #freenode-moderated. The log explaining the situation, plus Freenode's stand, guidelines, etc., is below. 867 people who flocked to Freenode took advantage of the question and answer session held in this channel.
[11:22pm:46] <@HedgeMage> Last night, one of freenode's servers was compromised, and an intruder was able to cause various forms of havoc, including klining many users and staff.
[11:23pm:30] <@HedgeMage> We are currently investigating our security situation, and cannot give out any technical details until our investigation is complete.
[11:24pm:42] <Astinus> * For server, one may substitute "staffer account".
[11:25pm:20] <@HedgeMage> We believe that <25 nickserv passwords were compromised during a limited window, but all concerned individuals are encouraged to change their nickserv passwords just in case.
[11:26pm:42] <@HedgeMage> We'll open up the floor for questions, one at a time, in a moment.  Please keep your question concise, and type it ahead of time so we can move as quickly as is practical.
[11:27pm:51] <+alex323> Are the passwords in the services databases encrypted and/or hashed? What steps are you doing to prevent such an event from occurring again?
[11:28pm:13] <+alex323> Are proper Q:lines in place to prevent users from spoofing services nicks?
[11:29pm:11] <+alex323> In the event that this needs to be reported to a higher authority, what should we say
[11:29pm:32] <+alex323> What kinds of investigations are going on?
[11:29pm:49] <@HedgeMage> Passwords are stored as hashes, and we will have more information on specific new security measures as they are implemented.
[11:29pm:51] <+alex323> What are the consequences for those found responsible?
[11:30pm:01] <@HedgeMage> alex323: I asked for concise, please.
[11:30pm:05] <@HedgeMage> Others will want turns, too
[11:30pm:10] <+alex323> Understood.
[11:30pm:25] <Astinus> We'll answer those questions, then move on. Thanks alex323
[11:30pm:53] <@HedgeMage> q-lines are in place, but this intruder could have overridden them.
[11:31pm:51] <@HedgeMage> I'm not going to itemize security evaluations that are still in progress, as that would compromise our work.
[11:32pm:37] <@HedgeMage> Regularly changing your nickserv/chanserv pw is a good security practice, and something you can do to help your channel and nick remain secure.
[11:33pm:42] <+emes> Is there any credibility to the claims that hackers from EFNet were responsible?
[11:33pm:43] <@HedgeMage> emes: are you ready?
[11:35pm:26] <@HedgeMage> We are not releasing our suspect list, but we have some reasons to expect that bantown or GNAA may have been involved.
[11:37pm:38] <Astinus> Can people please have their questions typed and ready, so that when voiced, things move faster?
[11:39pm:11] <@HedgeMage> next?
[11:39pm:12] <+aka_druid> oh, I wanted to ask about the passwords being compromised, if you are going to put in some announcement
[11:39pm:45] <+Naconkantari> Is this type of attack over for now, or can we expect more in the future?
[11:40pm:57] <@HedgeMage> We believe this attack to be over, but future attacks are always possible...
[11:41pm:23] <+Mark_Ryan> For those of us who aren't intimately aware of the workings of IRC servers, is there a way we can identify to ChanServ that doesn't involve an /msg? Can we use the server password field? Or an /identify server-side alias?
[11:41pm:55] <Astinus> Mark_Ryan: Provide your password upon connect, it'll be securely passed to NickServ
[11:42pm:35] <Astinus> Mark_Ryan: Also, /quote NickServ is an alternative to /msg. It'll more ably handle Services being down/spoofed.
[11:42pm:39] <Rez> also, /ns and /cs are server commands (may need to be prefixed by quote, ie /quote ns) that direct commands to them
[11:43pm:34] <+Ziggy> Did the so-called "hackers" have access to the filesystem? Is it possible they downloaded any services data? People with dictionary passwords might be interested, even if it is hashed.
[11:45pm:55] <@HedgeMage> Our hashes are salted MD5, rainbow tables won't work... it would be very CPU intensive to attack each one, even if the whole thing were compromised (which, at this time, we don't think is the case)
[11:45pm:59] <@HedgeMage> We again remind you that you can help yourself by regularly changing passwords
[11:46pm:24] <+Tompkins> What evidence - besides the events that took place right now - do you have against the GNAA?
[11:47pm:28] <@HedgeMage> We're not releasing any information about the results of forensic examination or other investigations, whether that data implicates or exonerates the GNAA.
[11:49pm:36] <Astinus> trelane: Got a question? :)
[11:49pm:48] <+trelane> no dunno why I was voiced I'm busy elsewhere, sorry
[11:50pm:02] <Astinus> That was unexpected, he had /msg'd me :)
[11:50pm:20] <+nenolod> ok, two questions:
[11:50pm:21] <+nenolod> m_services.c says:
[11:50pm:21] <+nenolod>   if (IsHoneypot(sptr) || !(acptr = find_person(NICKSERV, NULL)))
[11:50pm:21] <+nenolod> so does /quote NickServ really provide any real protection?
[11:50pm:23] <+nenolod> and
[11:50pm:44] <+nenolod> bantown says they are sniffing packets at a place where a freenode server is located, any comment on this would be nice :)
[11:51pm:47] <Astinus> nenolod: We don't believe (at this time) that bantown is capable of sniffing traffic from any of our sponsors. It's possible they're upstream somewhat, but OSUOSL (our main sponsor) are usually pretty good about network security.
[11:52pm:24] <Astinus> nenolod: Regarding the m_services.c question, I'm not a coder, I had understood /quote NickServ to be more secure but will defer to your superior knowledge on that one :)
[11:52pm:46] <@HedgeMage> My apologies, I had to step out a moment (minor parenting emergency)
[11:52pm:46] <+WhiteNoise> You mention that you believe that < 25 users had their passwords compromised.  How did you arrive at this estimate?  How much confidence should we place in that low a figure?
[11:54pm:21] <@HedgeMage> WhiteNoise: there was a small window between the time that nickserv went down and our servers stopped accepting connections.  While >25 is only an estimate, we are fairly confident that it is accurate.  That said, it is quite easy to change your password so you *know* you are safe.
[11:55pm:03] <@HedgeMage> ack sorry
[11:55pm:06] <@HedgeMage> BAD typo
[12:01am:01] <+JapaneseGangster> What are the consequences of this event?  ie. Will access be limited for certain parties?
[12:02am:10] <@HedgeMage> JapaneseGangster: While we can't, right now, comment on security measures that aren't in place yet, we need to assess our vulnerability and whether a crime was committed.  We don't, at this time, have evidence of enough damage for that to be the case.
[12:02am:28] <+nalbright> have you considered opening up an SSL port on the servers to help cut down on sniffing?
[12:03am:41] <@HedgeMage> nalbright: At this time, not all of our servers are dedicated to freenode only, so that is not possible.  We hope to acquire more dedicated servers in the future so we can offer that feature.
[12:04am:06] <+avillia> Two things: 1. What sort of additional fallout has the Slashdot article caused, and 2, What was up with staff members asking for donations via global notice as the attack (+ cleanup) was still happening? Thanks in advance.
[12:04am:09] <+avillia> Also: <GNAA joke/plug>.
[12:05am:12] <@HedgeMage> The slashdot article didn't cause any real fallout until someone told me about it, I read the comments, and annoyed my husband by rolling my eyes at the less intelligent ones.
[12:05am:18] <@HedgeMage> ;)
[12:05am:38] <+Jin> What do you think the motive or purpose of the attack was?
[12:06am:08] <@HedgeMage> As I answered to nalbright's question, we are trying to get more dedicated servers to increase security, asking while security is an issue, we hoped, would be a wake-up for potential donors.
[12:06am:23] <@HedgeMage> Jin: we're still assessing that, and can't comment right now.
[12:07am:37] <@HedgeMage> Re: the notice regarding donations, lilo has asked me to apologize if anyone was offended
[12:08am:04] <@HedgeMage> link?
[12:08am:11] <@HedgeMage> next?
[12:08am:26] <+openbysource> all i want is voice at freenode-social. why don't you guys give us voice on joining freenode-social. why does it take so long for you guys to give us voice. please be fast man. we need to wait sometimes sometimes around more than 3 hours. if you guys are working around with these security issues it's okay but do take care of freenode-social keep that thing going man.please try give us voice as fast as u can don't make it too
[12:08am:26] <+openbysource>  long. take for example right now so many of us in the  queue at freenode-social.
[12:08am:35] * openbysource was kicked by Astinus (Idiot.)
[12:09am:50] <Astinus> SushiGeek: Got a question mate?
[12:10am:19] <+SushiGeek> woah
[12:10am:21] <+SushiGeek> Yes I do
[12:10am:24] * Astinus smiles
[12:10am:34] <+SushiGeek> Are you taking any measures to prevent this kind of thing from happening in the near future?
[12:11am:24] <@HedgeMage> SushiGeek: Thank you for your concern, but as I said before we'll release information on new security measures when possible, as they are implemented.
[12:12am:05] <Astinus> RE: The question about #freenode-social  ::  It's a social channel, not a method of gaining support on the network. We'll voice you when we notice, please don't bug us about it. /stats p or /who freenode/staff/* for contacting people who can help with problems!
[12:12am:17] <@HedgeMage> :) thanks Astinus
[12:12am:19] <+nf> Do you have any reason to believe that there may be an insider providing information to various outside parties, that could be a threat?
[12:13am:02] <@HedgeMage> I'm sorry, nf, but as I've said, discussing our security assessments right now is not prudent.  We're still working on gathering all of the information we can.
[12:13am:18] <+Teratogen> was the FBI contacted and are they participating in the investigation of this incident?
[12:13am:35] <@HedgeMage> see my last answer... can't comment now.
[12:13am:40] <+Teratogen> thanks
[12:13am:54] <Astinus> Guys - please don't ask questions similar to ones previously asked.
[12:14am:05] <@HedgeMage> Since most of these seem to be repeats, we're going to close for now.  I'd like to reiterate that we encourage all concerned users to change passwords
[12:14am:31] <Astinus> We can't comment on matters of security, anything said might taint investigations by any law enforcement authorities in the near future. We are looking into this, we are serious about finding the root cause of this, and we have your security in mind.
[12:15am:05] <Astinus> With that said - now's a good time to change those passwords ;)  We do believe <25 accounts may have had their NickServ account password compromised, change it now - end of problem.
[12:15am:11] <@HedgeMage> Please set /mode yournick +w if you would like to see the announcement when we do this again.
[12:15am:38] <Astinus> This room will go -m shortly, so ya'll can chat before we have another session.
[12:15am:51] <@HedgeMage> try not to get blood on the carpet ;)
[12:16am:02] <Astinus> Or we'll send in the cleaners, with pointy brooms ;)
end of log


Anonymous said...

Lilo and his wife are on disability from the US govt for of all things, ADHD. He sits in a trailer in Houston, Texas and pretty much lives a miserable existence. He thinks if he unites all the F/OSS related IRC chat on his network, he'll be some name in the group like RMS, Linus Torvalds, etc. He will be nothing more than a pie eating, pizza ordering, fat piece of shit who funds his junk food by constantly bombarding users with global messages asking for donations.

Freenode budget lol. Freenode is horrible. They've been ruined twice by social engineering, three times by unknown intrusions, and now their financial shit is online.

Anonymous said...

also, for the record, a lot of people don't believe it but the GNAA is dead. they are just like lilo and fail at running an irc network. ask any "current" GNAA member about the april 1st takeover where GNAA had to regain control of their own ircd by rebooting the ircd three times. GNAA is deader than dead. Dead like Kurt Cobain.

Anonymous said...

It wasn't bantown either, bantown copied everything the GNAA *used* to do back before all the trolls left over a year ago but now that GNAA sucks ass and is deader than a doornail, they are nothing, a maggot on a nigger's corpse.

Anonymous said...

I don't see that race has anything to do with it. Do you have evidence for this, or are you just 13 year olds?

WeeBit said...

I just logged the info as a favor to all. Can't we just get along? It's only IRC for gosh sakes.