Saturday, June 24, 2006

The world's largest FOSS IRC network, FreeNode, has been (for lack of a better word) hijacked. The culprit, who went by the nickname ratbert, seems to have nabbed the privileges of Robert Levin, President and Executive Director of Peer-Directed Projects Center (FreeNode's parent organization), AKA lilo. Whew! As if that wasn't enough in itself, ratbert pushed out an offensive global message and attempted a DCC SEND exploit. He then proceeded to kill and/or k-line every staff member in sight, including lilo, and brought down quite a few of FreeNode's servers. This log shows the ominous beginning of the mess:
-ratbert- [Global notice] I am a fat asshole, who loves abuse, die
The rest is too broad and too long to log in full, but mainly consists of FreeNode staff members being killed (with some colorfully interesting reason messages) and cries of "MAYDAY! MAYDAY!" and other expressions of terror throughout the many channels of FreeNode.

Everyone seemed to be making the most of the situation. Humorous allusions to Star Trek and other movies were thrown into the chaotic pandemonium that was the chat in many of the larger channels that I happened to be in (such as #freenode-social and #gentoo-amd64). The situation really did make one feel rather excited and giddy; it was hard to take the situation seriously, with no real danger to ourselves, a subtle underlying self-assurance that FreeNode was indeed, in the long run, invincible, and no responsibilities of our own to the network (the FreeNode staff, on the other hand, may tell you otherwise). The servers going down (which looked just like a lot of netsplits to those whose servers were spared) seemed to add a bit more terror to the thrilling mix, but in hindsight it didn't amount to much.

The much more staid moment that will be used to summarize the gravity of the matter came when our beloved lilo was taken down:
* lilo has quit (Killed by ratbert (die ))
Thankfully, our self-assurances have indeed proven themselves: the situation seems to be clearing up as I write. Most, if not all, of the servers have been recovered and relinked to the network, and yes, lilo made his way back. His words do little to clear up the situation further, but are better than nothing:
-lilo- [Global Notice] Hi all. As you may be aware, freenode has experienced a crack attack and we're working on tracking down the details. At this point, we cannot guarantee that more problems will not occur.
This raises some major questions about security. If this guy got lilo's password, could he have ours? This is not just pure speculation:
<dbo> lilo, is there any chance he was capturing passwords from people that were reconnecting or was the attack not aimed at that? there have been 3 or 4 people who said they registered with nickserv even when it was down
<lilo> DBO: it is possible someone turned off the jupes
Whoa! If someone did manage to gather people's NickServ passwords, it could mean major trouble, for the victims themselves and possibly for FreeNode as well. Still, this is for the most part speculation at the moment. (EDIT: This is no longer the case; see the UPDATE.) ratbert comes across more to me as some clown that wanted his hour and a half of infamy more than anything else. If he really wanted to steal passwords, he most likely would have done away with the servers quickly and as soon as he got his privileges, rather than spend all that glory time k-lining staff members and risk getting k-lined himself by one that was paying attention. Nothing can be said for sure, however.

Well, looks like we're just going to have to wait this one out. Hopefully we'll get more details in the near future. I'll keep you posted...

The freenode staffers just finished a Q&A session about the matter. Special thanks to Keith Gable (AKA Ziggy on freenode) for hosting the log in full at his site here. Summary of points:
  • Yes, passwords were likely compromised, but they estimate that only 25 or fewer were actually stolen. Change your password anyway. In the words of a staffer:
<hedgemage> WhiteNoise: there was a small window between the time that nickserv went down and our servers stopped accepting connections. While <25 is only an estimate, we are fairly confident that it is accurate. That said, it is quite easy to change your password so you *know* you are safe.
  • They can't give any specifics on security, how the attacker was able to compromise the network, or suspects.
<hedgemage> We are not releasing our suspect list, but we have some reasons to expect that bantown or GNAA may have been involved.
  • Freenode is still analyzing the matter and will release the above information when they can. They don't want to compromise the network or any possible future law enforcement investigations.
<astinus> We can't comment on matters of security, anything said might taint investigations by any law enforcement authorities in the near future. We are looking into this, we are serious about finding the root cause of this, and we have your security in mind
  • They're still looking into the matter of whether or not a crime was actually committed. I got the feeling that they were looking to press charges, but we'll see.
<HedgeMage> JapaneseGangster: While we can't, right now, comment on security measures that aren't in place yet, we need to assess our vulnerability and whether a crime was committed. We don't, at this time, have evidence of enough damage for that to be the case.
  • (EDIT: Added) lilo apologizes for his request for donations right after the servers went up, if you wanted one. I personally think he was trying to add humor to the situation, but obviously it didn't come across too well for some people.
<HedgeMage> Re: the notice regarding donations, lilo has asked me to apologize if anyone was offended

This is just about all we could get out of them. Unfortunately, the staff decided to cut the session short due to several trolls (including, it seems, our friends at GNAA), and questions that kept being repeated. Sorry guys, but it looks like they weren't going to release much more information anyway. I'll still be keeping you posted as this develops further. Until next time...

