Freenode IRC operators now engaging in routine abuses of power
There have been several allegations of this since the handover of the Freenode infrastructure to its new custodians, but I can now provide a first-hand account of one incident — because I am the victim of it.
A channel which I registered, ##hntop, has been taken over by Andrew
Lee (rasengan) without my knowledge or consent.
Timeline.
On 2021-04-02, I launched the
##hntopservice on Freenode, which lists HN Top Stories in an IRC channel on a live basis. I was the sole registrant of this channel and the only one with ChanServ permissions over it. The bot used the nickegobot.On 2021-05-13, I was messaged by
rasenganon Freenode notifying me that he had set up a similar bot in##hnnew, which posts stories from the HN new page rather than the HN top page.I had never been messaged by
rasenganbefore and while I knew of Andrew Lee, I did not know thatrasenganwas Andrew Lee at this time.Having no reason to distrust this individual, I happily took their suggestion of mentioning
##hnnewin the##hntoptopic.2021-05-13 19:05:38 <rasengan> I setup a bot in ##hnnew (let's call it a "sister" bot so to speak) 2021-05-13 19:05:47 <hl> What is it? 2021-05-13 19:05:53 <hl> Oh, new posts? Nice. 2021-05-13 19:06:03 <rasengan> New posts! :-) 2021-05-13 19:06:11 <hl> I was thinking of doing that but it seemed like it would be a bit of a firehose 2021-05-13 19:06:24 <rasengan> It's a bit of a firehose for sure. Let me know if you'd like op in ##hnnew xD 2021-05-13 19:06:45 <hl> Go ahead and do that. Same codebase I assume? 2021-05-13 19:07:02 <rasengan> It's actually just a nodejs feed but I matched all the colors and everything :O 2021-05-13 19:07:05 <hl> Aah. 2021-05-13 19:07:11 <rasengan> (I mean tried to use a same theme for colours) 2021-05-14 01:22:42 <rasengan> Is there any possibility of putting ##hnnew in the ##hntop title xD [like how it is in ##hnnew] 2021-05-14 01:22:54 <hl> sure, gimme a sec 2021-05-14 01:23:00 <rasengan> Nice thank you! :-) 2021-05-14 01:23:22 <rasengan> Thanks again! 2021-05-14 01:23:24 <hl> nprasenganalso made me a channel operator in##hnnew, but I did not grantrasenganany access to##hntop.On 2021-05-20, 18:10 London time, I decided to move my channel,
##hntop, to Liberachat. I therefore changed the channel topic:2021-05-20 18:10:34 -- hl has changed topic for ##hntop from "HN Top Stories Live | Bot posts any story the instant it hits the top 30. | Messages sent in this channel can only be seen by operators | New stories: ##hnnew" to "This channel has moved to Liberachat, effective immediately: irc.libera.chat ##hntop"Of course, I also removed the
##hntopbot,egobot, from the channel.On 2021-05-22, I received a tip-off that the topic of the Freenode channel
##hntop(which I had parted) had had its topic changed back. I rejoined the channel to confirm this. The following changes had taken place:- the topic had been changed back to the previous topic;
rasenganhad operator status, which I never authorized or intended;- I no longer had operator status;
egobothad been replaced withrasengan's bot which he previously used in his channel##hnnew,humblebot, which had voice.
Examination of ChanServ records also reveals that I am no longer the founder of the channel:
2021-05-22 14:37:53 <hl> info ##hntop 2021-05-22 14:37:53 -- ChanServ: Information on ##hntop: 2021-05-22 14:37:53 -- ChanServ: Founder : freenode-placeholder-account 2021-05-22 14:37:53 -- ChanServ: Registered : May 22 06:01:30 2021 (7h 36m 23s ago) 2021-05-22 14:37:53 -- ChanServ: *** End of Info ***I no longer have any authority or ChanServ flags for this channel.
Conclusions. In other words, it appears that a Freenode services admin, presumably rasengan,
- forcibly dropped the channel and reregistered it so as to put themselves in control of it, and render me no longer in control of it;
- clearly did this with the express purpose of frustrating an attempt by that channel's founder (me) to relocate it to another IRC network; and
- cover up the fact that I had sought to do so.
##hntop on Freenode is no longer being served by the true bot, egobot, and
the codebase which powers it, which uses the HN API and its Server-Sent Events
support to announce new entries on the HN front page the very instant they
reach it, no polling needed. If the log above is to be believed, humblebot is
probably just some RSS feed, a pale imitation. The true egobot is found now
only on Liberachat, in ##hntop.
(It's rather ironic that I named my bot egobot (really, E-Go-Bot, since it's
written in Go) and Lee the converse, given that this seems rather the reverse
of reality.)
Important safety advice for Freenode users
Advice for all users. Being that the Freenode infrastructure is now clearly under the control of an abusive power, I'd like to note that while I do not know this to be the case, there's a serious risk or really even a likelihood that Freenode PMs will come under surveillance. I base this both on the above, on the other reports of abuses of power which have been made, and on private sources which I cannot disclose for their own protection, and what all of those say about the attitude of Freenode's new custodians. In my view this risk is sufficiently high that the only reasonable course of action at this point is to assume out of caution that all Freenode PMs are tapped.
This works to your benefit even if it ultimately turns out that they aren't; if you simply assume Freenode PMs are compromised as a communications channel, no harm will befall you even if this turns out to be wrong. Of course, IRC PMs are not E2E encrypted and in reality, nobody should be trusting in their security — but having used IRC, I know that people communicate confidential information via PMs due to their convenience rather more than they should.
For this reason, in the abundance of caution I would suggest people adopt a simple operational policy: Do not use Freenode PMs for any purpose whatsoever. The reason I suggest this is because often, people will start a conversation in PMs about something which is not at all sensitive; they might think therefore that they don't need a secure channel, and reach for the easy, convenient option; but as human conversation flows naturally, discussion will often turn to something more sensitive. Vanishingly few people will take this moment to do the socially weird thing of insisting on stopping the conversation and arranging a secure channel, so one essentially fools oneself into discussing sensitive matters over an insecure channel.
To work around this, I suggest adopting a simple protocol of never using Freenode PMs for any conversation at all. This protocol is both easy and convenient; if you want to talk to someone, you can simply PM them on another IRC network, since most people are connected to more than one network. If you don't know whether they're on another network, simply ask. This gets your mind out of the trap of thinking “oh, this conversation isn't sensitive”; by setting an indiscriminate “no Freenode PMs at all” rule inside your own head, you avoid accidentially socially engineering yourself into having sensitive conversations over Freenode PMs.
Advice for all channel founders. The above clearly demonstrates that the new custodians of Freenode will have no regard for your channel if you displease them. Quite simply, move to a new network as a matter of urgency — any network. I have been moving my own channels to Liberachat, though I make no specific endorsement of any network.
When moving, there is now even a real possibility that the new Freenode staff will try to cover up the move and essentially create a “counterfeit” channel in the place of the old one, even if you keep it registered. You may wish to warn your channel's users of this and to be wary of it.
Bootnote
Since this was about to make the HN front page, I rejoined Freenode ##hntop,
so that I could watch Andrew Lee get owned by his own bot: