1. 5

  2. 2

    Our investigations commenced immediately and we found that the attacker had been able to log in to a number of freenode accounts.

    If your account was affected, we are in the process of contacting you directly with information to reset your password and restore access to your account.

    That Freenode had the operational capacity to detect this attack down to the account level, enabling them to reach out individually to those affected, is praiseworthy. With GDPR this year, along with AB-375, one area I’ve had to focus on is the line between privacy and abuse. I’ve broadly been concerned about using privacy law to hide abuse, fraud, or malicious activity: the risk being that one becomes a customer or user as a means of gaining the protection necessary to simultaneously act (hide) in bad faith.

    Have any of you at Freenode grappled with this issue?

    1. 2

      I’m not at Freenode, but +1 that it’s possible for there to be a tension between privacy and protecting systems against abuse. I run into that a lot, and it requires a lot of care to design appropriate protections which respect both needs. (I’m intentionally not going into detail because the above is all I feel it’s appropriate to say.)

      1. 3

        Regarding not intentionally going into detail, one bit of received wisdom in email spam filtering is that you can’t (shouldn’t) disclose in too much detail how you filter, as it gives too much information to the attacker. One example of this is a class of attack against SpamAssassin or other Bayesian classification systems. You send messages designed to perturb the message scoring sufficiently to allow your real message to go through. It borders on trivial when you have perfect information about the filter you’re trying to circumvent. Here, lack of detail on how one classifies can go a reasonably long way toward preventing it, due to restoring information asymmetry.
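The "perfect information" case described in the comment above, as an added illustration (not the commenter's code, and not SpamAssassin's actual scoring, which combines token probabilities differently): a toy multinomial naive Bayes filter trained on a constructed eight-message corpus, and a "good word" evasion that, knowing every token weight, appends the most ham-leaning words until the spam payload scores under the threshold. The corpus, the payload, and the threshold of 0 are all assumptions made up for the example.

```python
import math
import re
from collections import Counter

# Constructed toy corpus (not real mail); just enough to fit a model.
SPAM_MAIL = [
    "win free money now click here",
    "free prize claim now click link",
    "cheap pills buy now free shipping",
    "click here to claim your free money",
]
HAM_MAIL = [
    "meeting tomorrow at ten bring the report",
    "lunch with the team on friday",
    "can you review the quarterly report draft",
    "the project plan is attached see you tomorrow",
]


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def train(spam, ham, alpha=1.0):
    """Multinomial naive Bayes with Laplace smoothing.

    Returns {token: log P(token|spam) - log P(token|ham)}; a positive
    weight pushes a message towards spam, a negative one towards ham.
    """
    spam_counts = Counter(t for m in spam for t in tokenize(m))
    ham_counts = Counter(t for m in ham for t in tokenize(m))
    vocab = set(spam_counts) | set(ham_counts)
    spam_total = sum(spam_counts.values()) + alpha * len(vocab)
    ham_total = sum(ham_counts.values()) + alpha * len(vocab)
    return {
        t: math.log((spam_counts[t] + alpha) / spam_total)
        - math.log((ham_counts[t] + alpha) / ham_total)
        for t in vocab
    }


def score(model, text):
    """Log-odds of spam (equal priors assumed); unknown tokens are ignored."""
    return sum(model.get(t, 0.0) for t in tokenize(text))


def is_spam(model, text, threshold=0.0):
    return score(model, text) > threshold


def good_word_attack(model, text, threshold=0.0, budget=50):
    """Perfect-information evasion: the attacker knows every weight, so it
    appends the hammiest words in ascending-weight order (cycling through
    the dictionary if needed) until the message drops under the threshold.
    Returns the padded message and the list of words that were added."""
    ranked = sorted((w for w, v in model.items() if v < 0), key=model.get)
    if not ranked:
        raise ValueError("model has no ham-leaning tokens to exploit")
    added = []
    current = score(model, text)
    i = 0
    while current > threshold and len(added) < budget:
        word = ranked[i % len(ranked)]
        added.append(word)
        current += model[word]
        i += 1
    if current > threshold:
        raise RuntimeError("budget exhausted without evading the filter")
    # The real payload is untouched; the padding rides along after it.
    return text + "\n\n" + " ".join(added), added


def demo():
    model = train(SPAM_MAIL, HAM_MAIL)
    payload = "click here to claim your free prize now"  # constructed spam
    padded, added = good_word_attack(model, payload)
    return {
        "before": is_spam(model, payload),
        "after": is_spam(model, padded),
        "words_added": len(added),
        "score_before": round(score(model, payload), 2),
        "score_after": round(score(model, padded), 2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the weights in hand the attacker needs only eleven appended words to flip the verdict, and can pick them without a single probe of the live filter. Without that knowledge the same attacker has to guess which words the filter considers hammy and learn from bounces or deliveries, which is the information asymmetry the comment refers to.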