FREENODE IRC NETWORK ATTACKS
PRESS CONFERENCE #1 - 25-Jun-2006 @ 10:20PM CDT (GMT-6)

Logged by Keith Gable (Ziggy) <put my nickname here at ignition dash project dot com>

Jun 25 22:20:48 <HedgeMage>	Okay, folks.  I'm going to restate what's already gone out in case anyone missed it, and then we will begin taking questions
Jun 25 22:21:41 <Astinus>	A helpful user says  /ignore *!*@*  NOTI will work for our X-Chat users :)
Jun 25 22:22:31 <HedgeMage>	Last night, one of freenode's servers was compromised, and an intruder was able to cause various forms of havoc, including klining many users and staff.
Jun 25 22:23:15 <HedgeMage>	We are currently investigating our security situation, and cannot give out any technical details until our investigation is complete.
Jun 25 22:24:27 <Astinus>	* For server, one may substitute "staffer account".
Jun 25 22:24:32 <christel>	thank you Astinus
Jun 25 22:25:05 <HedgeMage>	We believe that <25 nickserv passwords were compromised during a limited window, but all concerned individuals are encouraged to change their nickserv passwords just in case.
Jun 25 22:25:09 <HedgeMage>	thanks, Astinus
Jun 25 22:26:26 <HedgeMage>	We'll open up the floor for questions, one at a time, in a moment.  Please keep your question concise, and type it ahead of time so we can move as quickly as is practical.
Jun 25 22:27:27 *	Astinus gives voice to alex323
Jun 25 22:27:36 <alex323>	Are the passwords in the services databases encrypted and/or hashed? What steps are you doing to prevent such an event from occurring again?
Jun 25 22:27:57 <alex323>	Are proper Q:lines in place to prevent users from spoofing services nicks?
Jun 25 22:28:55 <alex323>	In the event that this needs to be reported to a higher authority, what should we say
Jun 25 22:29:17 <alex323>	What kinds of investigations are going on?
Jun 25 22:29:33 <HedgeMage>	Passwords are stored as hashes, and we will have more information on specific new security measures as they are implimented.
Jun 25 22:29:35 <alex323>	What are the consequences for those found responsible?
Jun 25 22:29:45 <HedgeMage>	alex323: I asked for concise, please.
Jun 25 22:29:49 <HedgeMage>	Others will want turns, too
Jun 25 22:29:55 <alex323>	Understood.
Jun 25 22:30:00 *	Astinus removes voice from alex323
Jun 25 22:30:09 <Astinus>	We'll answer those questions, then move on. Thanks alex323
Jun 25 22:30:37 <HedgeMage>	q-lines are in place, but this intruder could have overriden them.
Jun 25 22:31:36 <HedgeMage>	I'm not going to itemize security evaluations that are still in progress, as that would compromise our work.
Jun 25 22:32:21 <HedgeMage>	Regularly changing your nickserv/chanserv pw is a good security practice, and something you can do to help your channel and nick remain secure.
Jun 25 22:32:34 *	Astinus gives voice to emes
Jun 25 22:33:27 <emes>	Is there any credibility to the claims that hackers from EFNet were responsible?
Jun 25 22:33:27 <HedgeMage>	emes: are you ready?
Jun 25 22:33:35 *	Astinus removes voice from emes
Jun 25 22:35:11 <HedgeMage>	We are not releasing our suspect list, but we have some reasons to expect that bantown or GNAA may have been involved.
Jun 25 22:35:41 *	Astinus gives voice to taoist
Jun 25 22:35:52 <taoist>	DCC SEND welcome-our-new-gnaa-overlords 0 0 0
Jun 25 22:35:55 <taoist>	Thank you.  Now that the sale of Freenode to the GNAA is complete, what new changes can we expect to see?
Jun 25 22:35:57 *	Astinus removes voice from taoist
Jun 25 22:36:23 *	Astinus gives voice to fugi
Jun 25 22:37:02 <Astinus>	Sorry about that folks, even more indication that muppets from the GNAA might be involved ;)
Jun 25 22:37:17 *	HedgeMage chuckles
Jun 25 22:37:22 <Astinus>	Can people please have their questions typed and ready, so that when voiced, things move faster?
Jun 25 22:37:55 *	Astinus removes voice from fugi
Jun 25 22:38:07 *	Astinus gives voice to aka_druid
Jun 25 22:38:47 *	Astinus looks at his watch
Jun 25 22:38:56 <HedgeMage>	next?
Jun 25 22:38:56 *	Astinus gives voice to Naconkantari
Jun 25 22:38:57 <aka_druid>	oh, I wanted to ask about the passwords being compromised, if youa re goin to put in some announcement
Jun 25 22:39:02 *	Astinus removes voice from aka_druid
Jun 25 22:39:15 *	Astinus thinks this constitutes an announcement :)
Jun 25 22:39:29 <Naconkantari>	Is this type of attack over for now, or can we expect more in the future?
Jun 25 22:39:35 *	Astinus removes voice from Naconkantari
Jun 25 22:40:42 <HedgeMage>	We believe this attack to be over, but future attacks are always possible...
Jun 25 22:41:06 *	Astinus gives voice to Mark_Ryan
Jun 25 22:41:08 <Mark_Ryan>	For those of us who aren't intimately aware of the workings of IRC servers, is there a way we can identify to ChanServ that doesn't involve an /msg? Can we use the server password field? Or an /identify server-side alias?
Jun 25 22:41:14 *	Astinus removes voice from Mark_Ryan
Jun 25 22:41:40 <Astinus>	Mark_Ryan: Provide your password upon connect, it'll be securely passed to NickServ
Jun 25 22:42:19 <Astinus>	Mark_Ryan: Also, /quote NickServ is an alternative to /msg. It'll more ably handle Services being down/spoofed.
Jun 25 22:42:24 <Rez>	also, /ns and /cs are server commands (may need to be prefixed by quote, ie /quote ns) that direct commands to them
Jun 25 22:43:12 *	Astinus gives voice to Ziggy
Jun 25 22:43:18 <Ziggy>	Did the so-called "hackers" have access to the filesystem? Is it possible they downloaded any services data? People with dictionary passwords might be interested, even if it is hashed.
Jun 25 22:43:33 *	Astinus removes voice from Ziggy
Jun 25 22:45:40 <HedgeMage>	Our hashes are salted MD5, rainbow tables won't work... it would be very CPU intensive to attack each one, even if the whole thing were compromised (which, at this time, we don't think is the case)
Jun 25 22:45:44 <HedgeMage>	We again remind you that you can help yourself by regularly changing passwords
Jun 25 22:46:07 *	Astinus gives voice to Tompkins
Jun 25 22:46:09 <Tompkins>	What evidence - besides the events that took place right now - do you have against the GNAA?
Jun 25 22:46:22 *	Astinus removes voice from Tompkins
Jun 25 22:47:12 <HedgeMage>	We're not releasing any information about the results of forensic examination or other investigations, whether that data implicates or exonerates the GNAA.
Jun 25 22:47:24 *	Astinus gives voice to ardinary
Jun 25 22:48:30 *	Astinus removes voice from ardinary
Jun 25 22:48:38 *	Astinus gives voice to trelane
Jun 25 22:49:20 <Astinus>	trelane: Got a question? :)
Jun 25 22:49:33 <trelane>	no dunno why I was voiced I'm busy elsewhere, sorry
Jun 25 22:49:40 *	Astinus removes voice from trelane
Jun 25 22:50:00 *	Astinus gives voice to nenolod
Jun 25 22:49:47 <Astinus>	That was unexpected, he had /msg'd me :)
Jun 25 22:50:04 <nenolod>	ok, two questions:
Jun 25 22:50:05 <nenolod>	m_services.c says:
Jun 25 22:50:05 <nenolod>	  if (IsHoneypot(sptr) || !(acptr = find_person(NICKSERV, NULL)))
Jun 25 22:50:05 <nenolod>	so does /quote NickServ really provide any real protection?
Jun 25 22:50:08 <nenolod>	and
Jun 25 22:50:28 <nenolod>	bantown says they are sniffing packets at a place where a freenode server is located, any comment on this would be nice :)
Jun 25 22:50:42 *	Astinus removes voice from nenolod
Jun 25 22:51:32 <Astinus>	nenolod: We don't believe (at this time) that bantown is capable of sniffing traffic from any of our sponsors. Its possible they're upstream somewhat, but OSUOSL (our main sponsor) are usually pretty good about network security.
Jun 25 22:52:08 <Astinus>	nenolod: Regarding the m_services.c question, I'm not a coder, I had understood /quote NickServ to be more secure but will defer to your superior knowledge on that one :)
Jun 25 22:52:20 *	Astinus gives voice to WhiteNoise
Jun 25 22:52:30 <HedgeMage>	My apologies, I had to step out a moment (minor parenting emergency)
Jun 25 22:52:31 <WhiteNoise>	You mention that you believe that < 25 users had their passwords compromised.  How did you arrive at this estimate?  How much confidence should we place in that low a figure?
Jun 25 22:53:24 *	Astinus removes voice from WhiteNoise
Jun 25 22:54:06 <HedgeMage>	WhiteNoise: there was a small window between the time that nickserv went down and our servers stopped accepting connections.  While >25 is only an estimate, we are fairly confident that it is accurate.  That said, it is quite easy to change your password so you *know* you are safe.
Jun 25 22:54:37 *	Astinus notes that's <25 not >25 ;)
Jun 25 22:54:50 <HedgeMage>	BAD typo
Jun 25 22:54:51 *	Astinus gives voice to richjkl
Jun 25 22:56:05 *	Astinus removes voice from richjkl
Jun 25 22:56:11 *	Astinus gives voice to blackmanheartiez
Jun 25 22:56:47 <blackmanheartiez>	HY MOM, IM ON TV. GUYS I HAVE TO MAKE IT CLEAR. GNAA DID NOT HACK THIS, IT WAS PSEUDO USER DEPAKOTE MORE AT WWW.MYSPACE.COM/PHOTOSHOP
Jun 25 22:56:48 <blackmanheartiez>	DCC SEND welcome-our-new-gnaa-overlords 0 0 0
Jun 25 22:56:49 <blackmanheartiez>	BYE
Jun 25 22:56:50 <blackmanheartiez>	LOL
Jun 25 22:56:51 <blackmanheartiez>	DCC SEND welcome-our-new-gnaa-overlords 0 0 0
Jun 25 22:56:52 <blackmanheartiez>	DCC SEND welcome-our-new-gnaa-overlords 0 0 0
Jun 25 22:56:52 *	Astinus removes voice from blackmanheartiez
Jun 25 22:57:04 <Astinus>	Sorry about that
Jun 25 22:57:08 *	Astinus gives voice to DosBubba
Jun 25 22:57:30 <DosBubba>	'Grats out to the GNAA for their newly acquired property, irc.vaccus.com #chat . /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join.
Jun 25 22:57:30 <DosBubba>	I would like to thank Freenode for taking the time to gather the whole of IRC, it has been our pleasure to take part in such a trolling opportunity.
Jun 25 22:57:33 <DosBubba>	Remember: /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join. !startkeygen
Jun 25 22:57:33 <DosBubba>	IRC was founded on the principles of trolling, and we thank Freenode from the bottom of our hearts for carrying the fine tradition into the 21st century - hopefully beyond.
Jun 25 22:57:33 <DosBubba>	Remember: /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join.
Jun 25 22:57:35 <DosBubba>	IRC was founded on the principles of trolling, and we thank Freenode from the bottom of our hearts for carrying the fine tradition into the 21st century - hopefully beyond.
Jun 25 22:57:37 <DosBubba>	Remember: /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join.
Jun 25 22:57:38 *	DosBubba has quit (Killed by Astinus ())
Jun 25 22:57:44 *	Astinus sighs
Jun 25 22:57:56 *	HedgeMage removes voice from DosBubba
Jun 25 22:58:01 *	Astinus gives voice to dorphell
Jun 25 22:58:53 *	Astinus removes voice from dorphell
Jun 25 22:59:04 *	Astinus gives voice to hoopydink
Jun 25 23:00:21 <HedgeMage>	next?
Jun 25 23:00:25 *	Astinus removes voice from hoopydink
Jun 25 23:00:38 *	Astinus gives voice to JapaneseGangster
Jun 25 23:00:45 <JapaneseGangster>	What are the concequences of this event?  ie. Will access be limited for certain parties?
Jun 25 23:00:59 *	Astinus removes voice from JapaneseGangster
Jun 25 23:01:54 <HedgeMage>	JapaneseGangster: While we can't, right now, comment on security measures that aren't in place yet, we need to assess our vulnerability and whether a crime was committed.  We don't, at this time, have evidence of enough damage for that to be the case.
Jun 25 23:02:10 *	Astinus gives voice to nalbright
Jun 25 23:02:13 <nalbright>	have you considered opening up an SSL port on the servers to help cut down on sniffing?
Jun 25 23:02:21 *	Astinus removes voice from nalbright
Jun 25 23:03:26 <HedgeMage>	nalbright: At this time, not all of our servers are dedicated to freenode only, so that is not possible.  We hope to aquire more dedicated servers in the future so we can offer that feature.
Jun 25 23:03:43 *	Astinus gives voice to avillia
Jun 25 23:03:51 <avillia>	Two things: 1. What sort of additional fallout has the Slashdot article caused, and 2, What was up with staff members asking for donations via global notice as the attack (+ cleanup) was still happening? Thanks in advance.
Jun 25 23:03:54 <avillia>	Also: <GNAA joke/plug>.
Jun 25 23:03:59 *	Astinus removes voice from avillia
Jun 25 23:04:57 <HedgeMage>	The slashdot article didn't cause any real fallout until someone told me about it, I read the comments, and annoyed my husband by rolling my eyes at the less intelligent ones.
Jun 25 23:05:03 <HedgeMage>	;)
Jun 25 23:05:20 *	Astinus gives voice to Jin
Jun 25 23:05:22 <Jin>	What do you think the motive or purpose of the attack was?
Jun 25 23:05:33 *	Astinus removes voice from Jin
Jun 25 23:05:53 <HedgeMage>	As I answered to nalbright's question, we are trying to get more dedicated servers to increase security, asking while security is an issue, we hoped, would be a wake-up for potential donors.
Jun 25 23:06:07 <HedgeMage>	Jin: we're still assessing that, and can't comment right now.
Jun 25 23:06:44 *	Astinus gives voice to Link
Jun 25 23:07:21 <HedgeMage>	Re: the notice regarding donations, lilo has asked me to apologize if anyone was offended
Jun 25 23:07:49 <HedgeMage>	link?
Jun 25 23:07:56 <HedgeMage>	next?
Jun 25 23:08:02 *	Astinus removes voice from Link
Jun 25 23:08:08 *	Astinus gives voice to openbysource
Jun 25 23:08:10 <openbysource>	all i want is voice at freenode-social. why don't you guys give us voice on joining freenode-social. why does it take so long for you guys to give us voice. please be fast man. we need to wait sometimes sometimes around more than 3 hours. if you guys are working around with these security issues it's okay but do take care of freenode-social keep that thing going man.please try give us voice as fast as u can don't make it too
Jun 25 23:08:10 <openbysource>	 long. take for example right now so many of us in the  queue at freenode-social.
Jun 25 23:08:16 *	Astinus removes voice from openbysource
Jun 25 23:08:20 *	Astinus has kicked openbysource from #freenode-moderated (Idiot.)
Jun 25 23:08:54 *	Astinus gives voice to SushiGeek
Jun 25 23:09:35 <Astinus>	SushiGeek: Got a question mate?
Jun 25 23:10:04 <SushiGeek>	woah
Jun 25 23:10:05 <SushiGeek>	Yes I do
Jun 25 23:10:09 *	Astinus smiles
Jun 25 23:10:18 <SushiGeek>	Are you taking any measures to prevent this kind of thing from happening in the near future?
Jun 25 23:10:24 *	Astinus removes voice from SushiGeek
Jun 25 23:11:09 <HedgeMage>	SushiGeek: Thank you for your concern, but as I said before we'll release information on new security measures when possible, as they are implemented.
Jun 25 23:11:50 <Astinus>	RE: The question about #freenode-social  ::  Its a social channel, not a method of gaining support on the network. We'll voice you when we notice, please don't bug us about it. /stats p or /who freenode/staff/* for contacting people who can help with problems!
Jun 25 23:12:01 *	Astinus gives voice to nf
Jun 25 23:12:01 <HedgeMage>	:) thanks Astinus
Jun 25 23:12:04 <nf>	Do you have any reason to believe that there may be an insider providing information to various outside parties, that could be a threat?
Jun 25 23:12:08 *	Astinus removes voice from nf
Jun 25 23:12:46 <HedgeMage>	I'm sorry, nf, but as I've said, discussing our security asessments right now is not prudent.  We're still working on gathering all of the information we can.
Jun 25 23:13:00 *	Astinus gives voice to Teratogen
Jun 25 23:13:03 <Teratogen>	was the FBI contacted and are they participating in the investigation of this incident?
Jun 25 23:13:19 <HedgeMage>	see my last answer... can't comment now.
Jun 25 23:13:25 <Teratogen>	thanks
Jun 25 23:13:26 *	Astinus removes voice from Teratogen
Jun 25 23:13:39 <Astinus>	Guys - please don't ask questions similar to ones previously asked.
Jun 25 23:13:49 <HedgeMage>	Since most of these seem to be repeats, we're going to close for now.  I'd like to reiterate that we encourage all concerned users to change passwords
Jun 25 23:14:15 <Astinus>	We can't comment on matters of security, anything said might taint investigations by any law enforcement authorities in the near future. We are looking into this, we are serious about finding the root cause of this, and we have your security in mind.
Jun 25 23:14:49 <Astinus>	With that said - now's a good time to change those passwords ;)  We do believe <25 accounts may have had their NickServ account password compromised, change it now - end of problem.
Jun 25 23:14:55 <HedgeMage>	Please set /mode yournick +w if you would like to see the announcement when we do this again.
Jun 25 23:15:23 <Astinus>	This room will go -m shortly, so ya'll can chat before we have another session.
Jun 25 23:15:36 <HedgeMage>	try not to get blood on the carpet ;)
Jun 25 23:15:46 <Astinus>	Or we'll send in the cleaners, with pointy brooms ;)