
IRC Networks Under Systematic Attack From Governments - meebi
https://www.quakenet.org/articles/102-press-release-irc-networks-under-systematic-attack-from-governments
======
rcfox
Freenode has very recently been under DDoS attack[1] and has been dealing with
them for at least a year or more[2]. It seems likely that they're getting the
same government treatment as Quakenet. Given that Freenode hosts channels for
many open source projects, these attacks aren't just annoying bystanders,
they're potentially affecting the progress of our technology.

[1]
[http://blog.freenode.net/2014/02/turbulence/](http://blog.freenode.net/2014/02/turbulence/)

[2] [http://blog.freenode.net/2013/05/the-good-the-bad-and-the-ugly/](http://blog.freenode.net/2013/05/the-good-the-bad-and-the-ugly/)

~~~
meebi
Most DDoS attacks directed at IRC networks are not government related. IRC
networks have a long and proud history of being one of the most DDoS-prone
targets on the internet.

~~~
baldfat
To my understanding, to take down an IRC server it doesn't even need to be a
DDOS (Distributed Denial of Service), AKA multiple computers and connections.
One good DoS (Denial of Service), AKA one computer, one connection, is all it
takes to take it down.

~~~
pixl97
Those are easy to block with a firewall policy. DDOS is the only way to
sustain an attack.

------
jlgaddis
Elsewhere in this thread, blibble linked to a (nearly five-year-old) blog post
on quakenet.org entitled "Trust is not transitive: or why IRC over SSL is
pointless" [0].

The article presents arguments that I've heard over and over again in the
months since the Snowden leaks began. The argument essentially boils down to
"we can't achieve 100% security even with SSL, so SSL is useless" and is
completely wrong. It also misses the point.

The argument in the blog post is that, paraphrasing, since Carol can be MITM'd
without her knowledge, everything is compromised.

It shouldn't be necessary to utter the phrase "defense in depth" here on HN as
I would hope that everyone here is familiar with it. As I commented just six
days ago:

> _I have locks on my doors but that doesn't mean I don't have a pistol next
> to my bed._

Let me say that I'm not familiar with QuakeNet. (For the last several years
I've only hung out on Freenode and two private IRC networks -- and I use SSL
when connecting to each of them.) Freenode, however, has "NickServ" and the
two private networks I use have similar functionality.

At the _very least_, SSL protects my credentials from being "sniffed" when I
authenticate to NickServ. Anyone else on IRC can verify that the user with the
nickname "jlgaddis" is authenticated and is really me. Since sensitive
information is sometimes discussed, that authentication as well as the
encryption is critical. Without SSL, it would be much easier to sniff my
credentials, authenticate to NickServ using them, and impersonate me on the
networks, possibly gaining access to sensitive information that would
otherwise not be possible.

IRC over SSL is _not_ pointless. If QuakeNet can't understand that and
implement basic security precautions, I don't think they have much room to
complain about being attacked.

[0]: [https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless](https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless)

~~~
blibble
so we've had a solution to the credential sniffing for 10+ years: our services
support AUTH via something very similar to CRAM-MD5.

with that out of the way: you've missed the main point, and that is that it's
really really hard (I would use the word impossible but I'm not 100% certain)
to secure multiuser chat.

the sheer number of places that could be compromised is so high, that offering
a 'secure connection' (which users associate with actually secure online
commerce) is dangerously misleading.

we understand the threat model very well, and we recommend that you shouldn't
trust us to secure your communications, and suggest something like fish
instead.
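
An added illustration (not from the thread and not QuakeNet's code) of the standard CRAM-MD5 exchange from RFC 2195 that the comment above compares QuakeNet's AUTH to, showing why a sniffed login cannot simply be replayed. The thread only says the real mechanism is "very similar", so the message format, host name and account table here are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo account; the credentials are the RFC 2195 sample values.
ACCOUNTS = {"tim": b"tanstaaftanstaaf"}


def make_challenge(host="services.example.net"):
    """Server side: a fresh, unpredictable challenge in msg-id form."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{host}>".encode()


def client_response(user, secret, challenge):
    """Client side: send the user name and HMAC-MD5(secret, challenge).

    The shared secret keys the HMAC and never crosses the wire.
    """
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}".encode()


def server_verify(response, challenge, accounts=ACCOUNTS):
    """Server side: recompute the digest for the challenge it issued."""
    try:
        user, digest = response.decode().rsplit(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    secret = accounts.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), digest.lower().encode())


def demo():
    """Return (login_ok, replay_ok) for one login and one replay attempt."""
    # 1. A normal login: challenge out, response back, server verifies.
    c1 = make_challenge()
    r1 = client_response("tim", ACCOUNTS["tim"], c1)
    login_ok = server_verify(r1, c1)
    # 2. A passive observer recorded (c1, r1). On the next login the server
    #    issues a different challenge, so the recorded response is rejected.
    c2 = make_challenge()
    replay_ok = server_verify(r1, c2)
    # 3. Everything sent after authentication is still plaintext on the
    #    wire; that part is what only TLS addresses.
    return login_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

Challenge-response protects the password from direct sniffing and replay, but a recorded challenge/response pair still lets a weak password be tested offline, and the session that follows is unprotected without TLS.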

~~~
ahf
Non-plaintext authentication mechanisms are a good start - it's an extra
_layer_ of security that you add to your system. Having SSL between your
servers is _also_ an extra _layer_ of security. Having client-to-server SSL
is, once again, also an extra _layer_ of security. And so on.

We are not asking the Quakenet staff to "fix" multiuser chat encryption -
leave that to the protocol developers, researchers and people working on
different experimental protocols to _try_ to "fix".

But, I still don't understand how much you refuse to step into reality and
face that SSL is nice to have on a modern IRC network - we agree that it's not
perfect, but do allow your users to understand the risk and let them take the
necessary step to enhance the privacy of their communication.

Right now you are just hindering it where every other network is way ahead of
you in this regard...

Your users are not dumb. I, as a user, want to be able to decide whether or
not I connect, to a network, over SSL, where I _assume_ that the network is
able to interconnect its servers over SSL encrypted links, then _I_ can make
the decision if I want to add an _extra_ layer of security by using software
like FiSH where I can share secrets with my closest friends using, say, a
pre-shared key.

Please, stop assuming that us users are idiots.

~~~
blibble
please stop putting words in my mouth: I never said it's not nice to have, I
said I don't think it adds much value, and that I believe that it's
dangerously misleading.

I've been part of running a large IRC network for more than a decade: I have
seen tens of thousands of users fall for various scams, get their passwords
stolen, hand their passwords out willingly, connect through 'free bouncers'
that perform operations as them, get DDoS'ed, install 'pingbooster.exe', you
name it.

I wouldn't call them stupid, just mostly unaware or naive, and ultimately if
we are going to attempt to protect their communications then we need to take
their behaviour into account.

There are also operational concerns with deploying TLS: OpenSSL is up there in
the top 10 list of 'software with the most security vulnerabilities', and if
our servers get hacked our users really aren't any better off.

We have some plans (inspired by Chrome's architecture) to work around this
huge issue (restarting a webserver has no impact, but you can't do this with
an ircd), but it all takes time and we're volunteers.

Ultimately I am a pragmatist, I will do things that I think are necessary and
that I believe can work.

~~~
kyrra
If I understand your reasoning, TLS for HTTP should be considered useless as
well. Users do stupid things that let their information get stolen. SSL/TLS
provides one layer of security, and at least prevents plaintext sniffing of
traffic.

------
valarauca1
Trying to shut down IRC on the internet feels a bit like the government is
running around attempting to cut telephone wires in the hopes it'll get enemy
agents to stop communicating, when all it'll really do is annoy a bunch of
innocent bystanders.

~~~
dan1234
IRC is also used as command and control for a lot of malware.

Bot-net owners can be disrupted if they can't access the channels their
compromised machines are connecting to.

~~~
valarauca1
Telephone networks can be used to command and control spies too. Does that
mean everyone who uses a public platform uses it for bad? No, a subset of all
users do.

I don't see what your comment adds to this discussion other than trying to
justify their actions. I can use your logic for a few other examples:

Most terrorists enter the country by air travel, we need better airport
screening.

Some people who cross the border illegally don't do so to find a better life,
but to run drugs in America. We need better border protection and patrol.

Email is very useful to set up worm command and control networks, we should
monitor or DDoS public email servers.

Your logic can be used to justify basically anything. It's a logical fallacy,
the Strawman argument.

~~~
drjesusphd
That's actually _not_ an example of a strawman. It's certainly a ridiculous
position (X could be used for crime, therefore ban X), but I'm not sure what
you'd call it.

~~~
anigbrowl
It's called a fallacy of composition.

------
dmix
> Many of the charges being thrown at IRC users associated with the Anonymous
> movement are now clear to be identical to the actions of the agency itself.

The state not only has a monopoly on violence, but also apparently on
hacktivism.

------
Duhveed
"We urge the British government to initiate an immediate and thorough public
investigation..."

And now, for another caricature of British victim speak:

"Pardon me, Mr. Assailant, would you be a good chap and ask your right hand to
stop beating me thus about the face? It's rather painful and I fear it might
ruin my good humor."

~~~
GunlogAlm
humour* ;)

------
ahf
Albeit unrelated, I wonder when Quakenet is going to realise that SSL for IRC,
both server-to-server, but also client-to-server, is a must have in the year
2014, if you truly care about your users' privacy.

~~~
blibble
we believe it's better to not have it than to do it badly.

the other way to do it would be like freenode: do it quickly without
understanding the risks... they used the same SSL cert for every ircd, then
they got hacked, and with no PFS, all their past SSL'ed IRC is now effectively
in the clear.

we are now actively working on the problem for server links, but ultimately
believe that having ssl for client connections at this moment in time adds
little value: [https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless](https://www.quakenet.org/articles/99-trust-is-not-transitive-or-why-irc-over-ssl-is-pointless)

~~~
jlgaddis
Does QuakeNet run services such as Freenode's ChanServ, NickServ, etc.?

At the very least, SSL helps protect a user's credentials when using such
services.

~~~
ahf
Not the same as Freenode does, but Quakenet does have services, yes.

------
acd
I think the government is behaving wrong when it is doing the same thing as
organized crime, that is, to run DDOS attacks in order to bring down servers. So
when the government attacks platforms of free speech they have a problem with
running against the core values of democracy.

------
jostmey
Who would work for a government agency like the NSA or GCHQ? Anyone who is
intelligent and well-minded must realize that these government agencies stomp
on people's liberties in the name of security. I am sure that employees of
these agencies come to work every day telling themselves that they are keeping
the world safe. But their reassurances to themselves must sound hollow to
themselves. I hope everyone working at these agencies realizes that. At least
Edward Snowden did.

~~~
shocks
It saddens me to think that I once applied and actually wanted to work for
GCHQ. Fortunately they told me to "come back when you've graduated" and that
was enough time for me to come to my senses.

------
simias
To what end would the GCHQ DDoS IRC servers? What would they gain from that?

~~~
Cthulhu_
Basically, jamming communications between internet terrorists / freedom
fighters (depending on your stance on the matter)

~~~
ersii
And/or just regular people who chat with each other.

------
mschuster91
I wonder, why DDoS the IRC servers, if you can find out the IP addresses of
the "offending" users via /WHOIS and then inject TCP FIN packets to disrupt
their connections.

After all the NSA has the capability to do very deep going traffic
manipulation as proven with Quantum Insert, so why not use it here?

~~~
PavlovsCat
Even assuming there would have been a valid reason for law enforcement to
disrupt the communications of those individuals, how could an intelligence
agency be justified in doing so?

~~~
RamiK
Try to remember the NSA is an intelligence agency, not a law enforcement
agency. They're not interested in producing evidence and bringing anything to
trial.* Rather, they're targeting anonymity and privacy in all forms since
these oppose their core mission (Signals Intelligence (SIGINT) and Information
Assurance (IA)...
[http://www.nsa.gov/about/mission/index.shtml](http://www.nsa.gov/about/mission/index.shtml)).

* Though through inter-agency collaboration, they tip off other agencies when they have something...

~~~
PavlovsCat
I still don't see how disrupting the ability of individuals to communicate
with each other does anything to undermine anonymity and privacy.

~~~
RamiK
For this discussion's sake, there are two forms of communication: (1) The
public forum you can meet up with new people and talk. (2) And the direct
message sending kind like phones and emails. Though the NSA is actively
monitoring both, here we're discussing the latter.

With that out of the way, they're targeting the former in order to make it
impossible for people to come together and organise privately and anonymously
around subversive ideas.

The specifics of targeting IRC are probably tied to the efficiency of the
protocol which allows very cheap hardware and minimal bandwidth to the extent
that non-complying private foreigners may provide a free forum the government
can't control.

------
diminoten
I don't understand - is QuakeNet saying it has unique evidence that it
specifically has been targeted by DoS attacks perpetrated by GCHQ, or are they
guessing it's the GCHQ based on the report done by NBC?

Specifically, this line:

> as well as wholesale attacks on the IRC servers hosting the network.

What is this?

------
n2j3
I don't really understand the point of bringing age into their argument
("overly eager teenagers"), but I tend to agree that DDoSing IRC servers is
the lowest form of low. Let us idle in peace!

~~~
jerf
It is unlikely that "overly eager teenagers" are doing anything other than
playing around or engaging in raw, unbacked braggadocio, as is especially the
way of the male teenager. It is unlikely that targeting these users, shutting
them down, or prosecuting and convicting them will do anything to enhance
security, but it will cost the government money, incur an opportunity cost as
these resources are wasted while more reasonable (if less sexy) things that
might actually have a positive effect are left undone, and, oh, last and most
assuredly least from the government's point of view, it may destroy young
lives which were quite likely on a track to be otherwise quite productive,
computer-savvy citizens. (How many people here can tell tales of early,
somewhat-less-than-legal activities before they became productive members of
the computer world?)

I've phrased it with "probably"s on purpose; every once in a while a teenager
will manage to escalate to the "true threat" level. However I think it is
likely such a teen will either A: tend to show up by other, more practical
measures or B: slip through a crack regardless; it doesn't justify harassing
relatively innocent and frankly _naive_ users, for what is probably little
more than the purpose of padding numbers to make your enforcement look good by
going for cheap, easy targets, regardless of whether that's good for anybody
else.

------
driverdan
Is there any actual evidence that QuakeNet is being attacked by governments?
Just because they did it in 2012 doesn't mean that's what's happening now.

~~~
ahf
No, nobody can easily know this - Quakenet's probably still the target of
DDoS.

Aren't we getting to the point where we more or less must assume that these
kinds of things happen? I mean, taking into account all the news we have seen
during the past, err, year :-)

------
slipstream-
As an oper of a small IRC network, I agree with this blog post.

Not that I've really ever used quakenet myself.

------
lucb1e
Meanwhile they censor anyone running Tor internal relays on the same IP by
g-line banning them.

~~~
blibble
we actually don't, the only thing tor specific we do is set their host to
something along the lines of 11223344.tor.gateway.quakenet.org.

OTOH a lot of people do naughty things through tor (e.g. mass flooding) and
get caught automatically by the network services, resulting in a large %age of
tor hosts being banned for short periods.

~~~
ptrf
yeah, I just tried to connect using irssi from my non-exit relay, works just
fine...

~~~
mst
As pointed out by blibble, the blocking is almost certainly due to Mr. Angry
having got himself onto a list of open proxies somewhere along the line; any
effort directed at tor, whether masking, restricting, or outright blocking, is
in my experience always aimed at exit nodes only - because there's simply
nothing to be gained by blocking relays.

Note that I have no particular insight into this specific case, but have
opered on irc.perl.org for some years now (and was freenode staff for a while)
and am working based on a >95% correlation with previous similar cases that
I've dealt with myself.

------
cobookman
Could we leverage a VPN tunnel over short band radio waves? This would allow
us to detect a Man in the middle attack, as well as provide decentralized
access. The speeds would be slow, and the network could be 'jammed' but it
could work for medium distance messaging.

------
nsxwolf
What's the point of governments attacking IRC? It's wide open for spying.

------
adeptus
Why the F*** don't we have popular encrypted IRC systems yet? This
should/could have existed as of 10 years ago..at least. This is a serious
question.

~~~
Crito
Server-Server and Server-Client SSL is a thing for IRC. Of course if you
_operate_ one of the servers then you naturally see everything that goes
through it. And anybody in the same channel sees everything in that channel,
since that is the point of IRC.

IRC clients typically also support DCC, though I am unaware of what the
encryption options there are. There are other forms of encrypted "IMing"
however, if you want secure peer-to-peer text chat you should probably look
outside what irssi has to offer.

------
Datsundere
So, these guys are extending on the irc protocol:
[http://ircv3.org/](http://ircv3.org/)

------
TrainedMonkey
I thought it was clear that those attacks are happening ever since LulzSec was
taken down by embedding operative wannabe on IRC.

------
fintler
Does anyone have a mobile friendly mirror? The site isn't readable on iOS 7
Safari.

~~~
paraboul
[https://gist.github.com/paraboul/8844618](https://gist.github.com/paraboul/8844618)

~~~
PavlovsCat
That's lacking linebreaks, so:
[http://pastebin.com/LPdkh5R5](http://pastebin.com/LPdkh5R5)

------
vehementi
It's pretty disingenuous to downplay attacks vs Anonymous as motivated by them
"engaging in such topics with an opinion contrary to that of the intelligence
agencies". No, that's not why agencies go after Anon. Agencies go after anon
because of the actual criminal activity.

edit: I'm receiving disagreement downvotes. What's up?

~~~
fnordfnordfnord
> Agencies go after anon because of the actual criminal activity.

Where is the due process? There isn't any. Please tell me which actual crimes
that some Anons have committed whose consequences are so critical that it
justifies the abandonment of longstanding principles of fair governance, and
military action to sabotage IRC operations in order to halt the occurrence of
said crimes.

~~~
diminoten
You don't give due process to imminent threats.

It ends up fitting well into a battlefield metaphor - you don't try every
single enemy soldier before you shoot them on the battlefield.

The argument can be had whether or not this is indeed a battlefield, but to
cry, "due process" won't get much of a reaction out of the folks who are doing
this (GCHQ/NSA).

~~~
fnordfnordfnord
> You don't give due process to imminent threats.

We do, in fact. But I can agree that we rightly don't allow imminent threats
of grievous injury or disaster to proceed unchecked. Please, show me what
grievous injuries and disasters have been or would have been wrought by anon
via IRC. PS Defacing the DOJ website and sending black faxes to US attorneys
doesn't count.

> It ends up fitting well into a battlefield metaphor - you don't try every
> single enemy soldier before you shoot them on the battlefield.

Except this isn't a battlefield and we're not at war.

> The argument can be had whether or not this is indeed a battlefield, but to
> cry, "due process" won't get much of a reaction out of the folks who are doing
> this (GCHQ/NSA).

Then they need to go. They have no function in a free/democratic society. If
we must keep them, then they cannot have any judicial influence.

~~~
diminoten
This argument is a non-starter, because you already begged the question. The
argument revolves around whether or not this is a battlefield, and if we are
or are not at war.

~~~
fnordfnordfnord
I see. Can we agree that Ian Fleming and Tom Clancy wrote fiction?

~~~
diminoten
Quite good fiction, I'd even say!

