The dangers of relying on others

I use bitlbee for talking on MSN
and other IM protocols. It is a irc to IM gateway so I can use my
normal irc client to talk to people that insist on using silly
protocols. (Predictably I use irssi) The reason I use bitlbee over
something like gaim that when I used to use gaim or kopete I found
that having a second window to check for activity meant that I would
either ignore stuff on irc or on msn while talking on the other.
Using bitlbee fixed this problem as an MSN chat just appeared as
another privmsg. Plus I could use the same logging system for both.

For the last few months I’ve been using a public bitlbee server at
im.bitlbee.org, which had been working perfetcly find until the tail
end of last week when it kept getting connection refused.
Suddenly on Saturday morning, that machine changed from running a
bitlbee server to running an ircd for the Net24 irc network. As
bitlbee works by joining you to your own private #bitlbee channel
where you talk to a bot to control the client, when a proper ircd
appeared, everyone using that server suddenly joined the global
#bitlbee and several people auto-authenticated to the channel,
revealing their passwords.

It’s times like this when I’m glad I never get round to doing things
like setting up auto-identifying to bitlbee.

4 thoughts on “The dangers of relying on others

  1. Somebody pointed me at this post, so I’ll just add a little comment.

    The owner of the server where im.bitlbee.org was running until last Thursday pulled the plug because BitlBee was causing troubles on the server. After looking for a new home for more than a day, I got an offer from a friend to host im on his machine. He gave me the login data and I started working.

    However, I failed to notice that he gave me two IP addresses. One to use to get in through SSH and one to run BitlBee on. So when I got in, I updated the DNS zone for bitlbee.org so that everyone could start using the server again by the time I’d have bitlbee compiled, up and running.

    So I started downloading, compiling and configuring when someone entered the help channel  on OFTC and told me that the public server was acting funny. It turned out that there was another IRC server running on the primary IP of the machine already (which I put in the DNS record), and I didn’t know that. When I joined the channel to check it out, there were about 40 people already. (Those were the people with #bitlbee in their autojoin, there were probably many more people who weren’t in any channel because they weren’t force-joined)

    I immediately got rid of the DNS record so no more people would come in, but for some people it was already too late and their BitlBee password wasn’t as secure as it was supposed to be anymore.

    The trouble became even worse when, soon after I removed the DNS record, lots of floodbots joined and caused a huge traffic peak of about 67GB in less than an hour. It’s a bit sad to see that BitlBee also attracts this kind of people these days, but well, that’s something I’ll have to live with.

    Anyway, I’m just writing this to explain this incident. Some people thought it was a dirty trick from someone to steal passwords. Obviously this isn’t the case, since nobody would be able to alter the bitlbee.org zone to make it point at a non-BitlBee server on purpose, besides me. And well, I never thought of an IRC daemon already running on the machine, but obviously I’ll check twice next time. My apologies for the mistake, and I’ll do my very best to make sure this will never happen again.

  2. Yeah, sorry I did mean to mention at how quickly you turned up and fixed the DNS. I didn’t mean to bitch about the service, which I’m very greatful for. Thank you for bitlbee.

  3. hey,

    thanks for posting about this.  it sucks that it happened, but it would have sucked worse if you hadn’t posted the details of what happened.  i imagine a lot of people would have been too embarrased to reveal their culpability.  it’s people like you that make it all worthwhile.

    doug

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>