Well, I’ve got good new and bad news.
The operation that was conducted pretty much all day today to break the feedback loop for Freenode and OFTC staff unveiled a minor but critical vulnerability in the data shape produced by tenta.
Now that it’s mostly over, or mitigated at least, I can reveal the details.
Problem
Technically it’s not a bug, as the issue is in the “negative spaces” in the data that’s created. When the tenta client joins it currently omits its own user from the logs. This is actually bad, as, it can be used to root out the runners. I’ll explain more below.
Certainty
I’ve been able to confirm that this is the method the staff were using to identify the “bait bots”. I’d originally thought they were processing some server-side information, and I’m sure they did in some cases, but was able to conduct thorough A:B and isolation tests to verify that they are also cross-referencing local logs with presenta logs; this was found by making minor adjustments in their field of vision and then waiting for a bait to hook in a controlled manner repeatedly by comparing page views to klined bots in a predetermined manner after assessing what their visible data points were. They were processing the joins listed in the presenta logs and also checking for missing user data there, and comparing to local logs.
Impact
This has to be fixed before we can use any more runner data. I went ahead when I first suspected and deleted random rows from the database early on to obfuscate already existing data so we dont have to lose the whole database but I will not be turning the feeds back on until the next update to tenta. All pooled data is useless without compromising the runners.
Otherwise, A Relative Success
In other, better news, the staff used approximately 6,086 IP Addresses total during the operation to view the logs. I think we’ve just about got their loop compromised.
Here is a list of those IP addresses in case you’d like to do something similar if you host a rogue clone of IRCTHULU PRESENTA on your PHP-APACHE server — dropping this in an include should pretty must ghost out the whole TOR network, most vpn’s known for being abused, and almost all the relevant staff’s various proxies and owned IP addresses:
The process for adding them to the ban list was automated about 10 minutes in, but, I needed to disable the banning for a good long stretch or they’d have caught on to what was really going on. One of them was really smart and added in some well crafted characters to try to slide through a grep and I didn’t see what they were doing until about an hour in — whoever that was knew exactly what what was up.
There will still be some of them that can access, but, it’s pretty straight forward now. This will buy plenty of time since I can’t use runners until the Tenta update. New version of Nerve will accompany to add the feature of clearing out the pooled messages on restart.
I’m pretty excited — this was a total blast. This whole project’s been like that.
Recap
- This operation did indeed confirm the OFTC and FNODE network is actively targeting the runners.
- FNODE and OFTC Feedback Loop is mostly broken so they won’t be able to for much longer.
- They did my bug testing and risk analysis for me today which identified the vulnerability they’d use to find the runners.
- Unfortunately it was significant enough that I can’t turn them back on without compromising their identities.
- I obtained excellent data leverage-able to conduct “further WTF”. Which I will certainly be doing.
N, R and E are separate hosts.
