The Liberation of Freenode, Part 13
Wednesday, June 28th, 2006 at 5:56 am
So, it seems, Rob got a beat down not unlike what the US military did to Nagasaki on August 9, 1945: lots of collateral damage, lots of /kills, and lots of people running for cover and/or leaving the network.
The attack was perpetrated by a user named Jmax, who is a member of Bantown. For those that have never heard of Bantown, think of them as the GNAA on steroids.
So, Jmax somehow acquired the ircd.conf from one of the volunteer servers (presumably the admin of that machine sent it to him). That file contains the password hashes for all the oper accounts, including Rob’s.
Now, a one-way MD5 hash is useless on its own: you can’t log in with it. You can get the password back out of it, but only by guessing: hash each candidate password and compare it against the stored hash. That takes a lot of CPU power, since in the worst case you have to try every possible combination until one fits the hash.
One of the Bantown members claims they have access to a giant Cray machine deep in a research facility somewhere that has 2048 CPUs, in addition to a few racks of dual Opteron machines. Whether this is true or not, I don’t know… but it does explain how they cracked it so quickly.
So, getting on with the show, Jmax cracks the hash and notices one gigantic security flaw in Rob’s oper account, namely that it uses levin@* as the hostmask. For those that don’t get hostmasks: the hostmask on an O-line says which user@host an oper account may be used from, and * matches anything, so with levin@* anyone who has the password can oper up from anywhere. Normally, this should be something like levin@*.isp.he.connects.to.com, so that Jmax would at least have to compromise a computer that matched that hostmask.
Jmax logs into lilo’s oper accounts, and then proceeds to /squit and otherwise delink the entire network, /kill half the network, and set new topics for a bunch of big channels. He also delinked services and/or compromised hundreds of nickserv and chanserv passwords. (Which reminds me, it’s time to change your passwords, everyone.)
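To make the two points above concrete, here is an added example that is not part of the original post and not Freenode’s or any ircd’s actual code. It models the two checks an IRC daemon applies before granting oper: does the client’s user@host match the O-line hostmask, and does the supplied password hash to the stored value. The O-line names, hostmasks, passwords and wordlist are all constructed for the example; the hash is MD5 only because that is what the post says the config used. It also shows that “cracking” an unsalted hash is nothing more than guess-hash-compare over a list of candidates.

```python
import hashlib
import re
from typing import Iterable, Optional


def mask_matches(mask: str, userhost: str) -> bool:
    """IRC-style wildcard match used for O-line hostmasks.

    '*' matches any run of characters, '?' matches exactly one, and the
    comparison is case-insensitive, as hostnames are.
    """
    pattern = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in mask
    )
    return re.fullmatch(pattern, userhost, re.IGNORECASE) is not None


def md5hex(s: str) -> str:
    """Unsalted MD5 hex digest, the hash form the post describes for ircd.conf."""
    return hashlib.md5(s.encode()).hexdigest()


# Hypothetical O-lines: name -> (allowed user@host mask, stored password hash).
# The password "correct-horse" and both masks are constructed for this example.
OLINES = {
    # The flaw described in the post: the host part is a bare '*'.
    "lilo-weak": ("levin@*", md5hex("correct-horse")),
    # What the post says it should have looked like: pinned to the ISP's domain.
    "lilo-scoped": ("levin@*.isp.he.connects.to.com", md5hex("correct-horse")),
}


def can_oper(oline_name: str, userhost: str, password: str) -> bool:
    """Grant oper only if the hostmask matches AND the password hash matches."""
    mask, stored_hash = OLINES[oline_name]
    if not mask_matches(mask, userhost):
        # With a scoped mask this rejects an attacker even if he has the password.
        return False
    return md5hex(password) == stored_hash


def crack_md5(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline guessing attack: hash each candidate and compare to the target.

    There is no way to reverse the digest; the cost is one hash per guess,
    which is why fast hardware and a good wordlist matter.
    """
    for candidate in wordlist:
        if md5hex(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed wordlist; the real password happens to be in it.
    wordlist = ["password", "letmein", "freenode", "correct-horse"]
    stolen_hash = OLINES["lilo-weak"][1]
    recovered = crack_md5(stolen_hash, wordlist)
    print("recovered password:", recovered)

    attacker = "levin@compromised-box.example"  # ident is client-chosen, host is not
    print("attacker opers via levin@*      :", can_oper("lilo-weak", attacker, recovered))
    print("attacker opers via scoped mask :", can_oper("lilo-scoped", attacker, recovered))
    legit = "levin@dsl-1-2-3-4.isp.he.connects.to.com"
    print("legit host opers via scoped mask:", can_oper("lilo-scoped", legit, recovered))
```

The user part of the mask buys almost nothing, because a client picks its own ident string unless the server trusts identd; the host part is what actually restricts where the account can be used from. A scoped mask does not stop an attacker who already has the password and a foothold on a matching host, which is the point the later comment makes, but it turns “has the hash” into “has the hash and a box at that ISP”.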
What Jmax did is basically legal according to Federal law. Will the FBI go after him? No. Jmax, Freenode, and Rob are all small fries. There was no money lost, there was no actual damage done, and stuff was fixed within a few hours.
Now, does this mean I condone such actions? No. What Jmax did was still wrong, yet unfortunately legal. Does this mean I still want to see changes in how Freenode is operated? Yes. Does this mean I still think Rob should drop Spinhome, and actually earn his pay from PDPC? Yes.
So when Rob said that spinhome was the best way Freenode could be helped…
And when Rob later said he can’t afford a shell account so that his host is static and he can lose the @* o:line…
Whatever you think about lilo and about Freenode, this is shoddy network management and there is absolutely no excuse. The attack has exposed a number of very serious (and incredibly n00bish) security flaws, and they really need to get their acts together!
There’s a difference between @* and @dynamic.ip.range.at.a.specific.isp (ex: @*.port.east.verizon.net), which was the whole issue. It adds another step to cracking security.
If Rob Levin can’t afford a shell for his o:line, why can he afford a VPS for spinhome.org? Or why can’t he use that VPS? Oh, and if he’s so tight on cash, why did he bother to buy spinhome.org, spinhome.net, and spinhome.com? http://www.domaintools.com/reverse-ip/?hostname=spinhome.org
Yes, he could have used an @*.his.isp.com o:line but with the information the hackers had, in this instance it probably wouldn’t have helped much. Generally speaking it’s a very good idea.
Patrick McFarland, what to say other than you rock
I hate lilo as much as the next person. The man is an idiot.