mIRC Homepage
Posted By: theAncinetOne an idea, but not suggestion yet - 13/02/03 04:31 AM
mIRC is very similar in nature to MS Outlook. What I mean by this? It is very good for the primary function it was designed for (chatting and e-mail respectively), It also comes with powerful scripting and thus it is exploitable and used to pass on viruses.

What if DCC send/receive would work only if both sides had each other in the address book set by default to ON?

What if the firewall support would only work if the firewall was on the same IP range (depending on class A B C) or on the same domain if the name was resolvable? After all, the feature is called "firewall" it is only meant to get you trough your local firewall, and not for exploiting other connections.

What if mIRC used some serial number as ident? After all you are not doing anything wrong thus you don't get banned right?
And no, serial numbers do not affect your privacy any more than any other information in nickname/ident/fullname. Perhaps this feature could be turned on by 005 numeric, at the network's request (REQUESTMIRCIDENT=YES).

What if mIRC would allow you to set a password to protect your scripts from being modified, perhaps using MD5 values for the scripts? The same feature would also mean you cannot load

What if I stop for now, LOL.
Posted By: Skip Re: an idea, but not suggestion yet - 13/02/03 01:24 PM
What if people took responsibility for their actions and let those that do the right thing continue doing it unimpeded?

Could you imagine if the next mIRC came out without url support to stop misguided people clicking spam that infects their machines, without firewall support to stop people hiding behind comprimised hosts, without /timer to stop people turning channels into markets, without dcc send because some people use mIRC for file trading, without sockets because some tool decided to write a trojan, without /amsg, /ame or colours because some people use automated away and mp3 scripts with hideous colour schemes more then they actually chat, a mIRC that restricted people to only connect to servers in mIRCs server list because we all know what people get up to on those private servers, and an autopart of +s channels for good measure! ..... I couldn't :P

I don't think mIRC should be designed for the imbeciles, kiddies, bad-guys, and just misguided people. Adding extra security 'for the user' never hurts, but impeding functionality because some people ruin it for everyone else does. Would it really work anyway? The bad guy is the last person drastic measures will effect.

I think your dcc address book idea is a good idea, but how long before people blindly add others to their address book?

Just my 2 cents anyhow.. smile
Posted By: Algorithms Re: an idea, but not suggestion yet - 13/02/03 07:49 PM
In response to scripts, if you don't want someone to modify it, don't make it publically available or create a compiled DLL or COM object. (btw, you can add MD5 support using a DLL, I just use an on text and we start our encoded sentences with [MD5]).

As for the other things you mentioned, I would have to disgaree, malicious users are going to find ways around things, implementing these annoying detourants will only stop maybe .. 10 people, Ok, 11. wink But it will hurt the average user more than it will effect the "l33t h4x0rs"
Posted By: codemastr Re: an idea, but not suggestion yet - 13/02/03 11:31 PM
Quote:
What if DCC send/receive would work only if both sides had each other in the address book set by default to ON?

And for the several dozen clients that don't support address books? Just prevent mIRC from dcc send/receive'ing with these clients? And how should mIRC know if you are listed on the other users address list?

Quote:
What if the firewall support would only work if the firewall was on the same IP range (depending on class A B C) or on the same domain if the name was resolvable? After all, the feature is called "firewall" it is only meant to get you trough your local firewall, and not for exploiting other connections.

Well, there are SEVERAL companies that sell access to firewalls. These firewalls are NOT owned by your ISP and therefore may have not a single similarity to your IP address. Why should people who use these services be penalized? Also, I have access to several machines not run off my ISPs lines. I have access to install a socks4/5 server on these machines. Why shouldn't I be allowed to use my own server?

Quote:
What if mIRC used some serial number as ident? After all you are not doing anything wrong thus you don't get banned right?
And no, serial numbers do not affect your privacy any more than any other information in nickname/ident/fullname. Perhaps this feature could be turned on by 005 numeric, at the network's request (REQUESTMIRCIDENT=YES).

If mIRC implemented such a feature, I know I (and probably everyone else) would disable identd support in mIRC and just download an identd.exe and set it to use whatever you want. It's a bad idea and one that can't even be implemented correctly. For example, how do you propose this serial number be generated? And how can it not give out more info? Thats a ridiculous statement. Nick/ident/fullname you can change, this serial number you can not. I can set my nick to "Bill", my realname to "Bill", and my ident to "bill" well my name isn't bill, so no information is given. But if a serial number is given some unwanted info is distributed. For example, one of the most effective serials is generated from the hardware installed on the system. If someone can determine how mIRC generates this hash they now know all the hardware installed in my system. Such a thing could lead to people being able to exploit your system (hardware is not immune to exploits, the Pentium 3 for example had a feature that could allow someone to track websites you viewed, etc). So how is knowing every piece of hardware on my system and possibly knowing ways to compromise my system in no way compromise security? How can you possibly compare knowing such information to seeing my nick as the fake name "bill"? Then assuming you do come up with some hash that provides no information and is unique, your 005 idea isn't possible at all. The 005 numeric is sent AFTER the ident response is already received. So how can mIRC send the serial rather than the regular ident only when it receives this token if it only receives this token after it has already sent the regular ident?

Quote:
What if mIRC would allow you to set a password to protect your scripts from being modified, perhaps using MD5 values for the scripts? The same feature would also mean you cannot load

MD5 is a hash, NOT encryption. If something is hashed with MD5, well you can't reverse it. It is 1 way, thats how hashes work. As for using a two way algorithm, well if mIRC can decrypt it, that means anyone can, as long as they know how mIRC decrypts and encrypts. And based on the fact that people have discovered the method mIRC uses to generate serial numbers, I'm quite sure someone could break this protection in a matter of minutes. And if you meant it can't be viewed in the editor because the user didn't enter a passowrd, what is to stop someone from opening it in notepad or some other text editor that would completely ignore this password because it knows nothing about it?
Posted By: theAncinetOne Re: an idea, but not suggestion yet - 14/02/03 12:35 AM
Before I address couple of your points, as the topic says these are ideas only.

1. I take your point about 005. Well spotted. The ident, as its word indicates is to identify. you have that in so many other programs in one way or another (ICQ's UIN for example) I just <emphasis>feel</emphasis> eventually IRC will need that.

2. DCC send/receive idea. I think you misunderstood the concept. To send a file over DCC you would have to add the target user to the address book. To receive a DCC file transfer you would have to have sender in your address book. This doesn't exclude other clients, just increases protection of mIRC users. mIRC doesn't check both ends, just your own.

3. md5 - again I think you misunderstood the intention. This is not to prevent people from modifing, adding, reading, creating etc. Nor is it to be used as encryption. This is a thing to give you the ultimate control over what mIRC starts. Lets say you have something.mrc, best srcipt in the world. An external virus happens to distribute the same file. Your mirc would warn you the md5 does not match the last one used and give you the option to start it or not.

4. proxy/firewall. Point taken. I still think open proxies contribute to enormous levels of problems on IRC alternative suggestions welcome.
Posted By: Watchdog Re: an idea, but not suggestion yet - 14/02/03 01:02 AM
Thats a ridiculous statement.

For someone that has spoken out against ban evaders as much as you have I would have thought that this is the last thing you would have said.

the Pentium 3 for example had a feature that could allow someone to track websites you viewed

Yes, it did, and had other hidden nasties too, but only because the WinHell syndicate wanted it that way. And that drove people in their thousands to AMD.

I can sympathise with the ident issue mentioned by the original poster. It's a long overdue feature that I know works because I, and people I know, have seen it work.

I feel, from a personal viewpoint, that many people on this board do not enjoy broadening their experiences or using a bit of nous to think about suggestions put here. It's all too easy to get into this 'I'll only ever believe in what has taken place on my own little world' and just bag everything else.

In short, unless you've tried it, don't bag it.

Well, there are SEVERAL companies that sell access to firewalls. These firewalls are NOT owned by your ISP and therefore may have not a single similarity to your IP address. Why should people who use these services be penalized?

You may have a valid point here but why is it necessary to access IRC servers this way?
Posted By: starbucks_mafia Re: an idea, but not suggestion yet - 14/02/03 01:53 PM
Quote:
I can sympathise with the ident issue mentioned by the original poster. It's a long overdue feature that I know works because I, and people I know, have seen it work.

- Sorry? You've seen a popular IRC client implement serial ident's? When did that happen? My point is that it hasn't happened with mIRC, or any major IRC client for that matter (that I know of anyway), so whether serial-type ident's works in any other area of computing is irrelevant. As codemastr stated, it would not be hard to circumvent, and the idea that people would then think that this was a foolproof way to ban someone would in fact make ban evasion so much worse because of the common user's trust in a feature that simply doesn't work.
Posted By: Watchdog Re: an idea, but not suggestion yet - 14/02/03 08:06 PM
Yes, I have seen it added to mIRC and yes it does work and yes, if you are adept with either programming or scripting you would be able to find out how it works and disable it. This isn't the point at this stage though, as you could enable or disable anything you like with further scripting, removal of scripting or hacking mIRC.

The fact is however that such a system can not only be set up to work but also remain that way 99% of the time after deployment.
Posted By: codemastr Re: an idea, but not suggestion yet - 14/02/03 08:12 PM
Well you just proved my point. This doesn't stop ban evading, it encourages spoofing! Your ID is 123456. I use a client that doesn't use serial-idents, I connect with WatchDog!123456@something.yourisp.com well now, to everyone online, I look like you. I have your "unique" serial number. But in any case, as I said, you show me the algorithm you want to use to generate this serial number, and I'll show you 10 ways to break it.
Posted By: Watchdog Re: an idea, but not suggestion yet - 14/02/03 08:55 PM
I hardly think that ban evasion applies to any great majority in the IRC world, most users log in, enjoy themselves and mind their own business. About 75% of those that know evading any ban is easy is more likely to find a new proxy before they realise that changing other details in mIRC *might* help them.

There's one other thing to, and I am not referring to or quoting something you mentioned, it's a general comment - alot of ideas and feature suggestions made here are replied with "then other programmes would have to have the same system for this or that to work". Yes and No... mIRC is by far the most popular chat programme in the world. That is why there are so many contributors to this forum and why everywhere you go there is likely to be a substantial majority using mIRC over other clients such as Pirch or the newer Klient, dIRC, Bersirc, etc or clients made for 2 or more operating systems such as Bitch X, X Chat, KVirc or the programmes made for Apple systems. On this note is there any harm in letting mIRC lead the way here? Vendors of Ident server software could easily follow suit here too.

Would you refuse to log into IRC just because you would have to hack into mIRC or an ident server to alter it's output for an ident request? I know I wouldn't. The USER part of your details is, usually, ten characters. I am sure therefore that privacy issues arn't a concern.

No-one has claimed here that it's a foolproof way of being able to ban people. One day with some positive thought the system, if implemented, could work well. A copper doesn't consign his ink pad to the bin just because his prisoner sands the prints off his fingers, does he....

Hmm, BTW, as I said before, generally the system does work reasonably well, as I have taken part in an initiative to help make it work. I'm by no means the only one. Before I give you your ten ways of defeating this idea (like it's really a challenge isn't it) can you please suggest a fairer way of doing it?
Posted By: starbucks_mafia Re: an idea, but not suggestion yet - 14/02/03 09:18 PM
Quote:
Hmm, BTW, as I said before, generally the system does work reasonably well, as I have taken part in an initiative to help make it work.

- How can it work well if it can be broken so easily? How can you help 'make it work'? If the point of this fictional ident is to make something which uniquely identifies someone and can't be changed or faked then by the very fact that it can be changed and faked it is immediately useless.
Posted By: Watchdog Re: an idea, but not suggestion yet - 14/02/03 09:24 PM
It's no more or less fictional that you using the first word or number that you think of.
Posted By: starbucks_mafia Re: an idea, but not suggestion yet - 15/02/03 12:12 AM
Except that those aren't supposed to be, nor do they claim to be, permanent unique identifiers for a given person.
Posted By: codemastr Re: an idea, but not suggestion yet - 15/02/03 12:27 AM
Well I can honestly say I saw NO point whatsoever to your post. I didn't bring up ban evasion, you did. Then when I reply, you dismiss the idea of ban evasion prevention. Well then why did you bring it up in the first place? As for mIRC "leading the way," yea it would be, if we are talking about "leading the way to the graveyard." If mIRC was setup in such a way that there was NO way to disable such a feature, I wouldn't use mIRC. I'm sure others feel the same way. I don't want people knowing information about me that I don't want them to know. If I don't want to give it out, then it shouldn't be given out, end of story.

"No-one has claimed here that it's a foolproof way of being able to ban people" Umm didn't you say at the begining of your post that ban evasion wasn't an issue? And now you imply that it is? Care to make up your mind?

Quote:
Would you refuse to log into IRC just because you would have to hack into mIRC or an ident server to alter it's output for an ident request?

Yes, I would. In fact I already don't use mIRC for my ident serving needs. But in any case I wouldn't "hack" anything. If mIRC didn't let you disable it's identd server, I would use a firewall to prevent mIRC from replying to the requests and my router from ever letting it receive them. And on the off chance that all ident servers implemented this feature, I'd simply write my own ident server.
Posted By: codemastr Re: an idea, but not suggestion yet - 15/02/03 01:52 AM
Well I now understand what you mean when you say use md5. I don't think this is a bad idea, but it is not a perfect solution. It really only protects from a small number of attacks. Also a "true" trojan wouldn't even come close to being stopped by this. mIRC supports DDE, all a trojan has to do is send a command via DDE to mIRC and tell it to load script.mrc, mIRC If it is sent as /.load -rs script.mrc mIRC will not even give you any indication that a script has been loaded. I'm not saying don't add what you said, I'm just saying it would prolly protect from 3-4 trojans out of a sea of thousands.
Posted By: theAncinetOne Re: an idea, but not suggestion yet - 15/02/03 03:21 AM
the way I had the feature in mind, it would stop any "load" unless it is authorised by you, or the MD5 matches to last load. Even if that was a DDE request.
Posted By: Watchdog Re: an idea, but not suggestion yet - 15/02/03 03:52 AM
Where did I mention the word 'permanent'? Now you are just putting words in my mouth - again. I've already conceded in my second post that it can be worked around in many ways, though only by those that know how to do it. Not everyone that gets banned does infact know.

Nothing is perfect but I've seen this work and it continues to work as we speak. We can sit here and dispute this for another five pages but that is the most pointless thing we could do. My last comment in this thread is 'seeing is believing'.
Posted By: theAncinetOne Re: an idea, but not suggestion yet - 15/02/03 03:57 AM
[20030215 14:55] * Connecting to irc.axenet.org (6660)
[20030215 14:55] -void.axenet.org- *** Looking up your hostname...
[20030215 14:55] -void.axenet.org- *** Checking ident...
* Identd request from 217.96.54.3
* Identd replied: 4528, 6660 : USERID : UNIX : T74B7F503
[20030215 14:55] -void.axenet.org- *** Received identd response
Welcome to the Axenet IRC Network Ancient!T74B7F503@******.net.au
Your host is void.axenet.org, running version UnrealAxe2.6c
This server was created Mon Jan 20 2003 at 21:56:09 CET
void.axenet.org UnrealAxe2.6c iowghraAsORVSxNCWqBzvdHtG lvhopsmntikrRcaqOALQbSeKVfHGCuzN
MAP KNOCK SAFELIST HCN MAXCHANNELS=15 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 are supported by this server
WALLCHOPS WATCH=128 SILENCE=5 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=ohvbeqa,kfL,l,psmntirRcOAQKVHGCuzN NETWORK=Axenet are supported by this server

I take it you coded it. And I take it you will drop ident requests from the very next version as you have strong views about IDENTifing people. Or could that be that ident is useful and would be even more useful if it was really identifing the connection without giving out any personal info?
Posted By: codemastr Re: an idea, but not suggestion yet - 15/02/03 06:32 PM
Yes I wrote it, and the only reason ident is supported is because mIRC doesn't let you configure the username. It simply uses your nickname for the username. mIRC only allows you to configure the ident username. Therefore if users want to be able to change their username, they must have ident enabled and so must the server. I don't care if it identifies the connection, all I know is my users are going to complain if they are forced to use their nickname as their username as well. Plus the fact that if I disable ident many users will be banned, for example, since mIRC uses the nickname, if the nick is "[^]" (a legal nickname) the user will be disconnected for not specifying a valid username, since none of those characters are allowed in a username.

Don't make such big assumptions, when you do, you are generally wrong. And in this case you are 100% wrong. It has NOTHING to do with identifying a user, thats not at all why I use it.
Posted By: theAncinetOne Re: an idea, but not suggestion yet - 15/02/03 09:12 PM
I made no assumptions, I just stated it is useful and it would be more useful if it was meaningful.

I am sure you have come against countless number of chatters that deserved a perm ban and you only got very frustrated because the person was a) on dial-up b) changed nickname/ident/fullname on each connection. So you contacted his ISP and they told you "they will deal with it" or simply ignored you.

I cannot say I would feel insecure by the fact that my ident would be the same. I use the same 2 nicknames for last 7 years. How identifying is that?

I know it is a difficult concept for many to deal with. Yes, it would not stop every "problem" out there, but it would stop a fair few, giving you the time to deal with the others.

The ideas I presented in the original post are for protection of chatters and networks alike. There is nothing sinister there.

I'm just sick and tired of innocent people getting infected by new Trojans, and secondly by having to kill few hundred connections a day because some one just found another web site with free "l337" script. If there is a way to reduce it by a big margin I would like to see it done. mIRC being the most popular client out there can make it happen. I don't see why it would suddenly loose on popularity.

You may find that more people would use IRC if it lost the stigma of being infested with viruses, flooders and all the other nonsense.

frown
Posted By: MonoSex Re: an idea, but not suggestion yet - 15/02/03 09:12 PM
Quote:
because mIRC doesn't let you configure the username. It simply uses your nickname for the username.


Huh??

Welcome to the Axenet IRC Network MonoSex!~blah@******

Why my username is 'blah' and not MonoSex? :tongue:
mIRC gets username from email address in connect dialog, part before @.
Posted By: Collective Re: an idea, but not suggestion yet - 15/02/03 09:36 PM
Only if "Use ID from email address" is checked.
Posted By: theAncinetOne Re: an idea, but not suggestion yet - 15/02/03 10:09 PM
current implementations of ident are totally irrelevant. We all know it. It makes little difference if you set the ident or the ident from email address.

Most common use of ident by an ircd is a very simple proxy block as most proxies will not reply to ident requests. The hocus pockus with name/ident can be left out of this discussion as it benefits no security features and this is what I'd like this to concentrate on.

No matter how many smokes and mirrors are used in the end the ident protocol's intention was to IDENTIFY.

I quote from the RFC931 (ident rfc)
"The Authentication Server Protocol provides a means to determine the identity of a user of a particular TCP connection. Given a TCP port number pair, it returns a character string which identifies the owner of that connection on the server's system. Suggested uses include
automatic identification and verification of a user during an FTP session, additional verification of a TAC dial up user, and access verification for a generalized network file server."

Posted By: starbucks_mafia Re: an idea, but not suggestion yet - 15/02/03 10:20 PM
An ident, any ident, will only be useful for identifying someone if they choose to let it. Obviously anyone who's looking to dodge a ban won't choose this and attempting to force the ident on them will make no difference whatsoever. It doesn't require a genius to stop the ident, and within an hour of release of something like this there would be a dozen webpages dedicated to telling people how to do it if they didn't already know. Anything on the client's end is ultimately controllable only by one person - the client.
Posted By: theAncinetOne Re: an idea, but not suggestion yet - 15/02/03 10:35 PM
You are absolutely right, as I said it would not stop every problem but it stop many.

Consider this option.
mIRC assigns and ident of "F7C46543" and appends the same value at the end of the FULLNAME (non-editable).
If you have a real problem user, who is just abusinve but not technically savvy this could be easily used to verify the person as his WHOIS details would return contradicting values.

I'm not suggesting this is the solution but it could be, as it stands now ident is so irrelevant that any improvement on it becomes a major improvement.
Posted By: _D3m0n_ Re: an idea, but not suggestion yet - 15/02/03 11:53 PM
ok correct me if im wrong but when u use a socket connect u just fill in whatever info u want to be sent dont u??? i mean where do u get this non editable field ur proposing???
and more for that matter why is this even being discussed when someone with as little intelligence as me is asking how to get around this unedible field in a socket connection where the user simply puts what ever they want to in it??? its not a security feature ur suggesting ..... is a feature with absolutly no sense whatsoever to it of course thats just my opinion ...... but like i said if im wrong then hell i just learned something..... if not well u know
Posted By: theAncinetOne Re: an idea, but not suggestion yet - 16/02/03 12:17 AM
we are talking mIRC here, not other clients or telnet connections. It is very easy for mIRC to append such value beyond your control when it sends USER data.

Say your fullname reads "D3m0n rox" and say assigned ident would be some value T74B7F503
mIRC would send USER data would look like this:
USER T74B7F503 "yourisp.net" "irc.some.org" laugh3m0n rox T74B7F503
If there was an ident request later on the same value of T74B7F503 would be sent by mIRC.

This is not aimed at you in particular, but how about the next reply in this threat concentrates on ideas on how to improve the security and not on "this would not work".

It can all stay as it is, and there will be more drones, more floods, more abuse.
It can all stay as it is, and "educated" reccomendations on this very forum will be for users to disable firewalls cos they don't know how to configure it for ident replies.
It can all stay as it is, there is nothing that can be done.
Posted By: _D3m0n_ Re: an idea, but not suggestion yet - 16/02/03 12:27 AM
threat?? u say that as if im threatening ur intelligence and as i clearly said if im wrong so be it ...... but what ur not seeing is where i said a "soccket connection" that is clearly a mirc capability .......and i may not be as all knowing of mirc scripting as most of u ...... but i think i have a general idea of how things work ....... im not insulting ur intelligence as u clearly have me beat in mirc scripting abilites ....... but what ur suggesting is so easily gotten around that its not even worth mentioning ...... thats like suggesting khaled forces a specific nick upon u and doesnt let u edit the connection dialog box ...... but if u simply type in:
/server irc.server.name 6667 mypass -i mynick myalternatenick myemail myname

u will be connected under any name u want

FROM HELP FILE:
/server [-mnsar] <server/groupname> [port] [password] [-i nick anick email name] [-j #channel pass]
Connects you to a server, first disconnecting you from the current server.

ok i know thats not the case in ur suggestion , but with a socket connect isnt all ur connection info then sent by u and u make it all up yourself ..... so how can u suggest an uneditable field??? it would require rewritting mirc to take control of the script out of the users hands ....... something i for one wouldnt aggree with ....... even if i know nothing about scripting.

again dont take this as a personal attack on ur intelligence and or ability its my opinion to think what ur suggesting is completely useless and completely not what id want in my mirc
Posted By: theAncinetOne Re: an idea, but not suggestion yet - 16/02/03 12:37 AM
LOL, i cannot spell "thread". My apologies if that was taken wrong way. it was an honest mistake.
Posted By: theAncinetOne Re: an idea, but not suggestion yet - 16/02/03 12:41 AM
/server command is translated to a set number of commands that IRC protocol understands. Type /debug @debug
then type in your /server command and see how it works.
/debug off to stop it.

It would be possible for mIRC internal works to append stuff to USER command that is sends. And again as I said this is only AN idea. If you can trhink of better I'd be glad to read about it.
Posted By: MonoSex Re: an idea, but not suggestion yet - 16/02/03 12:50 AM
You can even stop mIRC from sending it's connection data by using on LOGON event wink
Posted By: _D3m0n_ Re: an idea, but not suggestion yet - 16/02/03 01:09 AM
well exactly what is it u think any idea will prevent??? i mean if ur asking me a way to solve all this ddos from warbots and all this well ur asking the wrong person ...... i didnt actually invent the internet just know the guy who did ...... LMFAO .
seriously there is no way u can implement any idea at this point that will work in all or any scenario ...... just cant be done in my opinion ...... unless of course some of these lil kids parents start keeping em off the damn internet unsupervised letting them wreak havoc whenever they have a temper tantrun ove some issue ....... its like having a brand new paintjob on a car ..... u cant stop someone from keying the damn thing if u dont sit there and watch ur car 24/7

in essance if u allow any user to connect to something then ur asking to accept traffic from all of the lowlifes in the world as well as the quality ppl....... its just the way it is
© mIRC Discussion Forums