|
|
| Author |
Message |
Steve_
Guest
|
 Posted: Jun 23, 2004 5:05pm Post subject: Quakenet and +x |
 |
|
Quakenet does not force +x on connect to its network, for any one that dont know what +x is, in simple terms its hides your host/IP address and stops users from being able to get your host/IP.
Alot of networks force mode +x or at least mode the user that on connect to stop users being attacked, from what ive seen quakenet do not seem to care about proteching its users.
Any new users or newbies that join there network may not have any understanding of how important it is to hide your host/IP address on connect to quakenet there is not warning for any users about mode +x.
They do offer a Q account once you have one of them you can mode your self +x but alot new users connecting there wont know about that, and Quakenet dont really seem to care to inform them about it, and for the "they could read the website" reply how meny users fully read the web site before connecting to quakenet?
Not alot how meny new users would know where Qnets web site is not alot..... I cant really see any point in not having mode +x on connect would it be the end of the world if they done that, users that dident want it could simple /mode nick -x .
As it is a great number of users on Qnet are wide open to attack, and is it not the reposneabilty of the Quakenet operators to protech the users on there servers ? the reply probley to this will be if the user does not know about +x there its his fault, witch really saddens me to see. |
|
| Back to top |
|
 |
mouselike
Idler
Joined: 09 Dec 2003
Posts: 261
|
| Posted: Jun 26, 2004 7:26am Post subject: Re: Quakenet and +x |
|
|
| Steve_ wrote: | Quakenet does not force +x on connect to its network, for any one that dont know what +x is, in simple terms its hides your host/IP address and stops users from being able to get your host/IP.
Alot of networks force mode +x or at least mode the user that on connect to stop users being attacked, from what ive seen quakenet do not seem to care about proteching its users. |
QuakeNet has a lot of protection for its users, i.e spam scan, trojanscan, proxyscan etc. Taking into consideration undernet, dal, efnet, ircnet also dont force mode +x on connect so why single it out to be just quakenet that doesnt force +x?
| Quote: | | Any new users or newbies that join there network may not have any understanding of how important it is to hide your host/IP address on connect to quakenet there is not warning for any users about mode +x. |
Its not entirely important and any user who isnt on irc long enough shouldnt need to worry about +x, with the protection of a nice firewall and a virus scanner troublesome users can be faught off. There is pleanty of warning in the faq's along on the message board though of how to properly secure a pc, so +x is just an alternative fall back method for those who need it.
| Quote: | | They do offer a Q account once you have one of them you can mode your self +x but alot new users connecting there wont know about that, and Quakenet dont really seem to care to inform them about it, and for the "they could read the website" reply how meny users fully read the web site before connecting to quakenet? |
If users fail to read how quakenet is operated through the website and its features then they run the risk of but not limited to being compromised. In general every network requires users to read and understand its rules and faq's before connecting or continuing to stay on irc. As mentioned above QuakeNet run a large variety of services to protect the users so they have done their part, it is up to the users to do their part to finalise the saftey of their stay on irc.
| Quote: | | Not alot how meny new users would know where Qnets web site is not alot..... I cant really see any point in not having mode +x on connect would it be the end of the world if they done that, users that dident want it could simple /mode nick -x . |
They are connected to xxx.xx.quakenet.org its not rocket science to guess that www.quakenet.org would be the obvious place to look seeing as every other server ends in quakenet.org. Would it be the end of the world todo the complete opposite and type /mode nick +x either? It doesnt become functional until they have successfully authed anyhow, so there isnt any need to force it on connect. Though they could force it on AUTH if the user desires to; set in an option via Q which I would agree on.
| Quote: | | As it is a great number of users on Qnet are wide open to attack, and is it not the reposneabilty of the Quakenet operators to protech the users on there servers ? the reply probley to this will be if the user does not know about +x there its his fault, witch really saddens me to see. |
The user doesnt have to be on irc to get attacked, other sources of chat are at large where users ip's can be got at/from. It is the responsibility of quakenet to protect their users to a certain extent, which they do, they offer as said above good services todo so, with the option of letting the user to +x if need be. If the user cannot be bothered to fix security on their side then yes i agree the user is at fault and irc / quakenet is not the place for them.
However +x doesnt totally eliminate the possibility of users getting attacked, they could easily be tricked into clicking an url that is supposingly a image but is actually a virus, accepting a file, downloading a script with a backdoor, visiting a website at random which they arnt aware contains an irc virus and so on, all these would retrieve a users ip/host or auth user/pass or all at once, so it seems unfair to say quakenet doesnt do their part and users arnt to blame, when users can be if they arnt made aware of the consiquences of doing the above, which is stated in the faq's somewhere if they only but read them fully.
We also run the same as quakenet on our network, we let users decide for themselfs if they want +x or not, this being they either set +x manually or they dont. We dont want to force anything on the users that they dont want, irc is meant to be a place to chat and fun, not a place to protect the users 100% while they cannot be bothered to setup and configure a firewall though we do offer some services to help them. |
|
| Back to top |
|
|
magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK
|
| Posted: Jun 26, 2004 10:21am Post subject: |
|
|
Why do you assume QuakeNet doesn't care about protecting its users because we don't force usermodes on people? If QuakeNet didn't care then +x wouldn't be provided at all.
Forcing +x is pretty dumb anyway, as it will simply encourage the use of auto authentication scripts, something which QuakeNet tries to discourage for the protection of its users.
As for users not knowing the URL to QuakeNet's website, perhaps they should learn to read. The URL to the website as well as the support channels provided by the network are clearly mentioned at the end of the MOTD. QuakeNet also provides (roughly) weekly tutorials where users are introduced to IRC, QuakeNet and Security (including the use of usermode +x). These tutorials are also broadcast to the whole network prior to beginning.
You mention that users that don't want the mode set can simply unset it, this is incorrect. It's not possible to remove the mode once set.
Surprisingly it's not the responsibility of QuakeNet to protect users connected to their servers, even though the network provides as best protection as they can. |
|
| Back to top |
|
|
uchat
Idler
Joined: 17 Mar 2004
Posts: 335
|
| Posted: Jun 26, 2004 11:56am Post subject: |
|
|
| Quote: |
As for users not knowing the URL to QuakeNet's website, perhaps they should learn to read. The URL to the website as well as the support channels provided by the network are clearly mentioned at the end of the MOTD.
|
Most people don't read which end of a cereal box to open .. what makes you think they will read an MOTD? 
Also, auto +x don't *HAVE* to have authentication. Your Net chose to code it so. |
|
| Back to top |
|
|
mouselike
Idler
Joined: 09 Dec 2003
Posts: 261
|
| Posted: Jun 26, 2004 12:43pm Post subject: |
|
|
| uchat wrote: |
Also, auto +x don't *HAVE* to have authentication. Your Net chose to code it so. |
Unless undernet / quakenet dev-com chose to code it otherwise you have to be authenticated for +x to work, when authed with Q it would then obviously change your host to authname.users.quakenet.org otherwise setting +x without a Q acccount/auth is rather pointless.
Sorry if this what you meant and was trying to say if they chose to code it that +x would change the host regardless if they are authed or not. |
|
| Back to top |
|
|
uchat
Idler
Joined: 17 Mar 2004
Posts: 335
|
| Posted: Jun 26, 2004 1:01pm Post subject: |
|
|
That's exactly what I'm saying ... your network coders CHOSE to code it so auth is required for +x .. by doing so your net has elected to protect authenticated users and un-authenticated users are to fend for them selves. Secondly, anyone with 3 brain cells can jot down a users IP address BEFORE they auth (if they are in a channel when they get around to auth'ing) ... which is why some user write auto-authing scripts(myself being one such person) .. from that point of view, your net is indirectly causing these auto-auth scripts you claim that you dont endorse to be created. If you auto +x then users really don't have a reason to write an auto-auth script other than laziness.
This opposed to say my network where all users are protected by +x. First by a general hidden host mask like @uchat-CFH563.someISP.com then @their-nick.u-chat.org after they authenticate. |
|
| Back to top |
|
|
magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK
|
| Posted: Jun 26, 2004 2:20pm Post subject: |
|
|
I'm well aware of what coders chose to code.
Auto authentication scripts don't help at all. The only way to be 100% 'safe' is to use the +x mode like you described on your network, however I don't think that's a good idea as it makes it much harder to ban people from channels (without hitting a whole ISP).
Users aren't _that_ much at risk anyway. |
|
| Back to top |
|
|
uchat
Idler
Joined: 17 Mar 2004
Posts: 335
|
| Posted: Jun 26, 2004 2:44pm Post subject: |
|
|
| Quote: |
Auto authentication scripts don't help at all.
|
If networks didn't require authentication to get a hidden host, then there is less of a chance that the script would be needed. If you are against auto-authentication scripts .. then get rid of Services. Because even on nets that don't hide hosts, DALnet for example, there is still a need for an auto-login/auth/identify script. Otherwise it's a losing battle.
| Quote: |
however I don't think that's a good idea as it makes it much harder to ban people from channels (without hitting a whole ISP).
|
No it's not any harder. It doesn't even limit bans either if the hostmasking is done correctly, with the acception of the IP/host it's self is the ban mask. In which case all forms of hostmasking prevents, including yours.
Example: host user@hidden-host.someisp.com can still be dynamiclly banned using all known bantypes except banning the host it's self. |
|
| Back to top |
|
|
magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK
|
| Posted: Jun 26, 2004 3:20pm Post subject: |
|
|
Auto-authentication scripts aren't needed full stop, with or without services. It's a simple matter to authenticate manually.
It is harder if you want to ban a range of hosts and not the whole ISP, given most alternative host hiding methods tend to crypt part of the host. |
|
| Back to top |
|
|
uchat
Idler
Joined: 17 Mar 2004
Posts: 335
|
| Posted: Jun 26, 2004 3:49pm Post subject: |
|
|
| magpie wrote: | Auto-authentication scripts aren't needed full stop, with or without services. It's a simple matter to authenticate manually.
|
Nothing IRC related is "needed". Actually nothing internet related is needed either. Do it manually .. sit down write out a letter, put it in an envelop, walk to the post office (don't drive because we are doing this manually). However, so long as humans remain the lazy species of this planet, auto-insert-anything scripts/programs will remain in existance whether you like it or not. |
|
| Back to top |
|
|
mouselike
Idler
Joined: 09 Dec 2003
Posts: 261
|
| Posted: Jun 27, 2004 11:11am Post subject: |
|
|
my god how long does it take to type....
/MSG Q@CServe.quakenet.org AUTH <name> <password>
or
/NS IDENTIFY <pass>
being a oper uchat or admin as it could be of a network you should be aware of auto authentication scripts should be avoided at all costs, regardless if you coded it into your client or not, you still run that 50/50 chance of being compromised whilst online even if its never happened be it a trojan/virus, a remote added into a script you trial at one time or a site your visit that retrieves things like this, it happens and i totally agree with magpie shouldnt be used.
Ive had it, had my passwords stolen all through being careless, now id rather not be so lazy and manually do the auth/identify in the status window to prevent anything like this becoming a more frequent problem. |
|
| Back to top |
|
|
uchat
Idler
Joined: 17 Mar 2004
Posts: 335
|
| Posted: Jun 27, 2004 11:22am Post subject: |
|
|
whereas I've never seen it as a problem ... I've used auto-identify for nearly as long as DALnet style services has been around .. I've never identified to the wrong user ... my script knows better .. I've never been compromized (probably because I know what I'm doing).
There are scripts that cause alot more damage than a simple auto-id script .. it's silly to me that you waste so much time on the irrelevent. So what if you lose your precious nick password ... common sense would tell you not to use the same password for IRC related things as you would for really important stuff like your bank account.
There are websites that you can accidently hit that causes alot more damage to your PC and others for that fact than lil ol IRC .. It's up to the users to protect themselves. I can see the point of thinking that passwords stored in a plain text file on your PC as a bad idea .. but I think that worrying so much about an IRC password is like bailing a sinking ship with a teaspoon. |
|
| Back to top |
|
|
magpie
Idler
Joined: 18 Jan 2004
Posts: 454
Location: Essex, UK
|
| Posted: Jun 27, 2004 12:10pm Post subject: |
|
|
If you have the capacity to think before acting, it will never be a problem for you. How many IRC users on the large networks do you know that have common sense and the ability to think things through?
I agree people shouldn't be so upset if they lose a channel, but they are. |
|
| Back to top |
|
|
uchat
Idler
Joined: 17 Mar 2004
Posts: 335
|
| Posted: Jun 27, 2004 12:22pm Post subject: |
|
|
| magpie wrote: | If you have the capacity to think before acting, it will never be a problem for you. How many IRC users on the large networks do you know that have common sense and the ability to think things through?
I agree people shouldn't be so upset if they lose a channel, but they are. |
Then they should learn from their mistakes. IMO you shouldn't babysit/hold their hand. You can't help how they are .. if they learn from their mistakes then they won't do it again .. if they don't learn from their mistakes then there isn't anything you can do about it. So why worry? It's better to focus on teaching the users to do things the correct way than to try to stop them from doing something you don't like. Because they will do it anyway, if not on your net ... someone elses. If a user insists on using auto-auth, support it .. even if you hate the idea. Because you aren't going to prevent them from using it. That's a fact. So teach them how to do it wisely.
No need to worry or forbid something that will happen anyways, try to lessen the impact by educating your users.
Be it known that I was an Services Admin on a large network (Big Four) before Quakenet was formed. I have a clue as to what users are like.
| Quote: |
Everyone thinks they know what they are doing until it happens to them, yes that includes you too.
|
This is true. I host no illusions that I'm immune to anything. However after 10 years of being on IRC. I think I know a little bit about it .. and my track record supports that I do know what I'm doing.
Last edited by uchat on Jun 27, 2004 12:31pm; edited 4 times in total |
|
| Back to top |
|
|
mouselike
Idler
Joined: 09 Dec 2003
Posts: 261
|
| Posted: Jun 27, 2004 12:24pm Post subject: |
|
|
| uchat wrote: | | whereas I've never seen it as a problem ... I've used auto-identify for nearly as long as DALnet style services has been around .. I've never identified to the wrong user ... my script knows better .. I've never been compromized (probably because I know what I'm doing). |
Everyone thinks they know what they are doing until it happens to them, yes that includes you too. No one is smart nor me, you or the next bill gates, we like to think we are intelligent, but every other person has the intelligence to out smart another, so no you THINK you know what your doing, but what maybe what you THINK is right and what actually is the right thing is a total different kettle of fish.
| Quote: | | There are scripts that cause alot more damage than a simple auto-id script .. it's silly to me that you waste so much time on the irrelevent. So what if you lose your precious nick password ... common sense would tell you not to use the same password for IRC related things as you would for really important stuff like your bank account. |
Its not irrelevant, i can vouch for quakenet staff as well as other networks of how silly users complain about stolen accounts to the staff of those networks, of how many i wonder actually lost it honestly through auto-id scripts, esp ones built into these mass available scripts that do just as me and magpie said. I dont care if my nick gets stolen, if it becomes a problem on my net I can recover it quite easily, though amongst networks like quakenet where I am owner on some channels would wreak havoc and id lose those channels due to quakenets rules being states quite clearly.
For the bank account passwords etc, where did i mention i use the same password for the same thing, i clearly did not, though I dont use the same password other things and yes i agree on that point passwords shouldnt be the same for things such as this.
| Quote: | | There are websites that you can accidently hit that causes alot more damage to your PC and others for that fact than lil ol IRC .. It's up to the users to protect themselves. I can see the point of thinking that passwords stored in a plain text file on your PC as a bad idea .. but I think that worrying so much about an IRC password is like bailing a sinking ship with a teaspoon. |
Quite and i agree they can cause damage, but there people out there who have nothing todo but write scripts to cause problems on irc only, you see it happen all the time, be it onjoin spam, decode etc etc, you know the score and yes i agree again its upto the users to protect themselfs, thanks for pointing that out, a step in the right direction to this would be simply not to use auto-id, not entirely pc related but why give the script kiddies the chance to get at you or others? it seems irrelevant for YOU to argue against this as it seems otherwise you are in favor of them as it quite seems you arnt the least bit worried about it.
Tbh this isnt worth arguing about, though from reading through this board you like to have the last say, so be it uchat as i cant really justify how you identify or how lazy for that matter, i expressed my opinion like magpie did and i totally agree with magpie and rather waste that extra few seconds doing something manually rather than let the little kids out there on irc ruin it, though not just limited to irc lamers its irrelevant to bring in outside chat mediums into this topic. |
|
| Back to top |
|
|
|
|
| |
Register
Log in
