anomaly none

Joined: 27 Feb 2004 Posts: 8
|
Posted: May 10, 2006 3:55pm Post subject: To clarify |
|
|
Just to clarify...
+I is no more dangerous than the services -debug option because +I is accessible only by those with the Senior Staff flag--and that flag can ONLY be given out by services, and can only be given out by services when assigned to someone by the services root.
Also, the Enhanced Override procedures affect only Senior Staff--Normal opers still have to follow the normal /invite procedure to do any sort of override. Another modification was that the /invite command will override anything, for example, a Senior Staff can invite a regular non-opped user into a SS-only channel and they will be able to join.
In summary, the enhanced overriding ability is given only to those who have Senior Staff status, which can only be given by the services root. |
|
|
 |
Ozafy none

Joined: 12 Sep 2004 Posts: 18
|
Posted: May 10, 2006 3:58pm Post subject: |
|
|
No matter what ircd you run, you can spy on users just as easily. All you need is a socket, some connect lines, and a ping reply.
The only thing this +I does is make the step easier. Oper abuse isn't caused by the ircd as it's possible to do anything with a simple service.
I'm not saying the +I is a good thing though, since it makes the spying easy as pie for anyone that can compile some source code, which basically means any idiot with a shell can do it. But whether or not you like it, any network you connect to, this ircd or the next, they can spy on your every move without you knowing. At least when you connect to this ircd you're certain  |
|
|
 |
katsklaw Guru

Joined: 28 Jun 2004 Posts: 1614 Location: Somewhere you're not.
|
Posted: May 10, 2006 4:32pm Post subject: |
|
|
| Alek wrote: | | Most people store NS passwords in plain txt? You have to be kidding, right? |
Absolutely not kidding at all. It's done every day by thousands of networks. Here's a hint. SENDPASS and GETPASS require plain text password storage. If you encrypt your NS passwords, retrieval becomes impossible since encryption is one way. So every single network that uses GETPASS and/or SENDPASS has unencrypted passwords.
Right from Anope's configure script.
| Code: |
Do you want to use the MD5 message-digest algorithm to encrypt passwords?
(Selecting "yes" protects your passwords from being stolen if someone
gains access to the Services databases, but makes it impossible to recover
forgotten passwords. There is no way to reverse this operation, so make
sure you really want to enable it.)
[no]
|
| Quote: | | My point is if someone gets a hold of a ircd config with an oline in it, they will have the oper password sooner or later. |
Not if the oper password is encrypted ... as I said before .. encryption is one way only. Even if you get the config .. you only have the encrypted password and you can't decrypt it because encryption works only one way.
| Quote: | | Once they have oper, services aren't gonna do jack because the guy can squit them, or kill all your users, or whatever. If people get a hold of the either password, you are basically screwed in the old system. (The old system has configs over multiple servers, if any 1 of those gets compromised, you are fucked, ULoper has the db in one place, only one thing to secure) |
No, it's not "only one thing secure" it's a centralized database where it only takes 1 good hack to get all the passwords in the db. Unlike the old system where 2 passwords stored in 2 locations are required.
1 password in 1 location is NOT more secure than requiring 2 passwords stored in 2 locations.
If I'm not mistaken, all the popular IRC Services packages like Anope or IRCServices require a person to be identified AND opered to use oper based commands, especially when using OperServ. If you id to NS and get both such as with ULoper, then you're removing some of the checks and balances inherent in a 2 password system (the old system as you call it). Namely the fact that "the old system" requires 2 passwords.
I'd also like to hear how Services based opering works in the event that Services is missing. You know .. like the box Services is running from gets DDoSed for a few weeks.
| Quote: | | I don't think I can really change your opinion on +I, oh well. |
No, you're not going to change it. It's immoral .. period. Services in debug mode may do the same thing .. but debug mode isn't designed to be used all the time on a production network. It's a tool to be used to find exactly why Services is messing up. It's meant to be turned on only when needed and off when not needed. Saying that +I and debug mode are exactly the same is crap as well.. That's like saying a car should be banned from being made/used because it can be used to crash into banks to gain quick access to the lobby. To that I'd say "sure it can .. and I can kill you with a spork .. but that doesn't make it a weapon by design".
| Quote: |
Also, the Enhanced Override procedures affect only Senior Staff--Normal opers still have to follow the normal /invite procedure to do any sort of override.
|
News Flash! in Unreal .. oper overrides do NOT require invites by default unless explicitly specified in the advanced config options. I'd bet that 95% of the Unreal networks have wide open oper override and require invite turned off. |
|
|
 |
magpie Idler

Joined: 18 Jan 2004 Posts: 453 Location: Essex, UK
|
Posted: May 10, 2006 5:29pm Post subject: |
|
|
| katsklaw wrote: | | Not if the oper password is encrypted ... as I said before .. encryption is one way only. Even if you get the config .. you only have the encrypted password and you can't decrypt it because encryption works only one way. |
Sorry to be pedantic, but encryption is not always one way. Granted, in the case of services they're likely to use a hashing algorithm, but still. I'd also say that whilst encrypted passwords decrease the chances of obtaining the plaintext password, depending on the algorithm used it's not always that hard to obtain it.
Oh, and as to services boxes getting DDoSed, this is easy to prevent. Don't give out any information as to the whereabouts or the address of the box. Sure, people can scan your netblocks if they have a hunch as to where it might be, but how are they to differentiate between it and some other random host? |
|
|
 |
katsklaw Guru

Joined: 28 Jun 2004 Posts: 1614 Location: Somewhere you're not.
|
Posted: May 10, 2006 5:48pm Post subject: |
|
|
| magpie wrote: | | katsklaw wrote: | | Not if the oper password is encrypted ... as I said before .. encryption is one way only. Even if you get the config .. you only have the encrypted password and you can't decrypt it because encryption works only one way. |
Sorry to be pedantic, but encryption is not always one way. Granted, in the case of services they're likely to use a hashing algorithm, but still. I'd also say that whilst encrypted passwords decrease the chances of obtaining the plaintext password, depending on the algorithm used it's not always that hard to obtain it. |
True, however in this scenario of ircd/services which use hashing algorithms as you stated, it's a valid point and safe to say it's only one way .. but you're right .. level of security does indeed rely on the determination of the attacker
| Quote: |
Oh, and as to services boxes getting DDoSed, this is easy to prevent. Don't give out any information as to the whereabouts or the address of the box. Sure, people can scan your netblocks if they have a hunch as to where it might be, but how are they to differentiate between it and some other random host? |
Well there is always the keen eye that can remove a lot of randomness, meaning that if someone knows that every time xyz server splits .. so does services .. then it's less random. If services attacks were really so easy to prevent, large networks like UnderNet and DALnet would have never had their services DDoS'ed especially since both take extra steps to hide ulined servers ..
Also not to mention that even in today's IRC world where Servers are being hidden in many ways such as disabled commands like /map and /links as well as hiding servers in /whois outputs and split notices. Far too many nets still have only a very small number of servers. Which makes figuring out which server services is connected to easier. Bearing in mind that most networks run services on the same box as one of their servers and not a separate box dedicated solely to services.
[offtopic]
I think the world will end tonight ... magpie and I agree on a topic and mouselike and I agree on a topic on the same day !!! O_O.
/me runs to get ready! ;P
[/offtopic] |
|
|
 |
anomaly none

Joined: 27 Feb 2004 Posts: 8
|
Posted: May 10, 2006 6:00pm Post subject: |
|
|
| Quote: | | Not if the oper password is encrypted ... as I said before .. encryption is one way only. Even if you get the config .. you only have the encrypted password and you can't decrypt it because encryption works only one way. |
And what do you use to encrypt oper passes? md5? That's a 45 minute crack--tops. Not that it matters, because chances are someone can engineer their way into getting write access to a server's oper config in which case they can add their own opers--and each server is a possible point of failure.
| Quote: | | If you id to NS and get both such as with ULoper, then you're removing some of the checks and balances inherent in a 2 password system (the old system as you call it). Namely the fact that "the old system" requires 2 passwords. |
This is relevant only when discussing oper usage of the services -- if an intruder's aim is simply to screw over your network they might as well /squit services and start glining everyone on the network, no services passwords required.
| Quote: | I'd also like to hear how Services based opering works in the event that Services is missing. You know .. like the box Services is running from gets DDoSed for a few weeks.
|
In this scenario you'd have a screwed up network no matter what version of unreal you were running, but when services is not available then obviously it won't be there to remove nonidentified opers and so server-based oper'ing will function as it normally would.
| Quote: | | News Flash! in Unreal .. oper overrides do NOT require invites by default unless explicitly specified in the advanced config options. I'd bet that 95% of the Unreal networks have wide open oper override and require invite turned off. |
Then what are you bitching about as far as unreal-abducted is concerned? It's only the base unreal functionality.
Also, +I wasn't designed to be used all the time in production environments--it is a tool meant to be used only when most needed by the highest-ranking staff on a network. Just because it takes 5 seconds to use as compared to 20 seconds for restarting services in debug mode doesn't make it more likely to be abused.
And as far as morality is concerned, I'd say keeping all of your users' passwords stored in unencrypted form is far more immoral--resetting passwords is not more difficult than resending them, and stupid users will always use their services password for other things that they do, and you're keeping a database handy that probably has passwords to some important accounts for people. So I "could" spy on people (in channels only, not PMs) and you "could" probably log into some random person's bank account, but neither of us are going to because we don't run a network like that, so chill out  |
|
|
 |
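The storage trade-off argued over in the posts above (plain text so that GETPASS/SENDPASS work, the MD5 option in the quoted configure prompt, and resetting instead of resending), as an added example that is not part of any post and is not Anope's code. The nicknames and passwords are constructed, unsalted MD5 is assumed as the model of the configure option, and PBKDF2-HMAC-SHA256 with the iteration count shown is this example's choice.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

PBKDF2_ITERATIONS = 200_000  # assumption for this example; tune to your hardware


def md5_record(password: str) -> str:
    """Unsalted MD5 (assumed here to model the configure option quoted above)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def shared_hashes(db: dict) -> list:
    """Group nicknames whose stored record is identical.

    With an unsalted hash, equal passwords give equal records, so anyone who
    reads the database learns who shares a password without reversing anything.
    """
    groups = defaultdict(list)
    for nick, digest in db.items():
        groups[digest].append(nick)
    return sorted(sorted(nicks) for nicks in groups.values() if len(nicks) > 1)


def kdf_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF; the record describes itself."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:
        return False  # malformed record: wrong field count, bad hex, bad number


def reset_password(db: dict, nick: str) -> str:
    """Stand-in for a GETPASS/SENDPASS-style lookup: nothing is recoverable,
    so issue a fresh random password and store only its record."""
    new_password = secrets.token_urlsafe(12)
    db[nick] = kdf_record(new_password)
    return new_password


# Constructed sample accounts (not real data).
SAMPLE = {"alice": "hunter2", "bob": "hunter2", "carol": "s3cret-pass"}

if __name__ == "__main__":
    md5_db = {n: md5_record(p) for n, p in SAMPLE.items()}
    kdf_db = {n: kdf_record(p) for n, p in SAMPLE.items()}
    print("MD5 records shared by:", shared_hashes(md5_db))
    print("KDF records shared by:", shared_hashes(kdf_db))
    print("verify correct password:", verify("hunter2", kdf_db["alice"]))
    print("reset issued:", bool(reset_password(kdf_db, "carol")))
```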
katsklaw Guru

Joined: 28 Jun 2004 Posts: 1614 Location: Somewhere you're not.
|
Posted: May 10, 2006 6:28pm Post subject: |
|
|
1> my passwords ARE encrypted .. all 3 of them (ircd oper, channel services and oper services have separate user accounts) that are required to obtain oper level commands! I also require all 3 to be different or opers don't get access .. period.
2> I'm not 'bitching' I'm sharing my opinion. I don't give a crap about what you do with your ircd on your network. For me to "bitch" you would have to do something that affects me. There is a difference between bitching and debating, please learn it!
3> You can't directly control everyone's actions, therefore you can't say "we won't" You can say "I won't" .. you can also remove status after the fact. but YOU can't control someone else's actions with given access to highly abusable tools/toys.
4> last I checked .. typing: '/os set debug on' doesn't take 20 seconds unless you type with only 1 finger.
5> Perhaps YOU should chill out and not be so damned offended because a few people don't like something that you like!
6> If you want to help the irc community, write something more useful .. like perhaps an Anope module that makes it so IRCops have to be from a certain hostmask + be identified to nickserv + be opered before getting access to oper commands, that way it doesn't matter if a password has been guessed.
7> Overrides are NOT the same as chanmode +I nor is using overrides considered spying by the mass public.
8> in 10 years as an IRC admin of any sort .. I've NEVER seen a valid reason to spy on a channel. That includes on 140,000+ user networks! Unless you have users from other planets that use IRC for completely different reasons than any other of the 3800+ networks .. you're just blowing smoke. |
|
|
 |
Aven Idler

Joined: 05 Aug 2005 Posts: 393
|
Posted: May 10, 2006 9:01pm Post subject: |
|
|
Unreal has enough features as it is, and maybe a little too much; but wow, adding abusive features sucks.
Why not adding features like extra security/stability, etc.? I dislike how people code an ircd and give it so many features to attract the newbs to use it.
It's pretty embarrassing to post an ircd like this.
I, and I'm sure many like the old days such as Efnet's ircds, etc. All nice and simple.
Future of ircds isn't looking very bright. |
|
|
 |
FuRiOuS Lurker

Joined: 01 Feb 2006 Posts: 244
|
Posted: May 10, 2006 9:09pm Post subject: |
|
|
| Aven wrote: |
It's pretty embarrassing to post an ircd like this.
|
I would say embarrassing is being a prick over someone's hard work into coding etc. Just because you don't agree with it, doesn't make it embarrassing. If you don't like it don't use it, simple as that, however it still took time and work into putting it together, which is not something that just anybody could do. Just because people don't agree with it doesn't mean it didn't take hard work, or at least effort to do. |
|
|
 |
Rob_ Idler

Joined: 13 Dec 2003 Posts: 309
|
Posted: May 11, 2006 12:55am Post subject: |
|
|
I really didn't want to bother commenting on this thread, however...
a) stop saying "it's just like services -debug". No really it isn't, for ./services -debug to pick up channel text, it requires a bot in the channel, I've never seen a service package which makes any type of bot have similar properties to +I. As such the user of the channel will _always_ be aware that something/someone else is in the channel with them.
b) Regarding the previous off-hand comment saying "just don't use anything that looks remotely like unreal". This is just silly, it's common knowledge that all ircds can have this feature added to them, singling out unreal as if it was only possible to add to unreal is plain ridiculous. (not to mention that coming from another ircd author, so clearly they know what is/isn't possible, it can only be seen as attempted point scoring :/ )
c) people need to calm down, I personally dislike +I, but if they want it in their ircd then so be it. Arguing about it, especially on here, is completely moot as it's very clear they like it and they are keeping it in their ircd.
It's very unlikely the ircd will become "main stream" as ircds that do tend to be those used by well established networks and someone copying them to a greater or less extent, this more often than not means picking the same software etc. Add to the fact the main features added to a base unreal are not all that impressive or appealing to the average user (yes some users will love them, others will hate them, but most won't care). |
|
|
 |
magpie Idler

Joined: 18 Jan 2004 Posts: 453 Location: Essex, UK
|
Posted: May 11, 2006 4:00am Post subject: |
|
|
| katsklaw wrote: | [offtopic]
I think the world will end tonight ... magpie and I agree on a topic and mouselike and I agree on a topic on the same day !!! O_O.
/me runs to get ready! ;P
[/offtopic] |
In the interests of world peace I hereby change my opinion entirely and fully support this wonderful ircd. |
|
|
 |
nenolod Idler

Joined: 23 Jan 2004 Posts: 357 Location: A box!
|
Posted: May 11, 2006 8:07am Post subject: |
|
|
| FuRiOuS wrote: | | my PLAYGROUND is there for my ops to use to train and see the other options that are out there and what is possible with the proper training in coding, if you don't like it that's your problem, not mine, the normal users are not there, so it's none of your business. Get off your holier than thou attitude because it sucks. |
Then you are offering a disservice to the community, because you are teaching people that things like +I are cool, when they are simply not. In fact, I hate to say it, but you are part of the problem.
Projects that try to educate IRC operators always take the wrong approach, they teach people about the toys available and do not stress concepts such as respect upon the trainee. Therefore, if you teach the operator about this super-cool +I feature, guess what! He or she will be very likely to use it!
You know, a lot of people take operhood from the approach of being a cop. This is not the way it should be done, instead it should be taken from the approach of being a devoted member of the community they serve. It simply doesn't work this way.
Based on the description of your `playground', I must say that it appears that you are concentrating on the toys and leaving the ethics to the side. +I is a serious ethical violation. Period. There's nothing more that can be said about this.
- nenolod |
|
|
 |
FuRiOuS Lurker

Joined: 01 Feb 2006 Posts: 244
|
Posted: May 11, 2006 8:30am Post subject: |
|
|
| nenolod wrote: | | FuRiOuS wrote: | | my PLAYGROUND is there for my ops to use to train and see the other options that are out there and what is possible with the proper training in coding, if you don't like it that's your problem, not mine, the normal users are not there, so it's none of your business. Get off your holier than thou attitude because it sucks. |
Then you are offering a disservice to the community, because you are teaching people that things like +I are cool, when they are simply not. In fact, I hate to say it, but you are part of the problem.
Projects that try to educate IRC operators always take the wrong approach, they teach people about the toys available and do not stress concepts such as respect upon the trainee. Therefore, if you teach the operator about this super-cool +I feature, guess what! He or she will be very likely to use it!
You know, a lot of people take operhood from the approach of being a cop. This is not the way it should be done, instead it should be taken from the approach of being a devoted member of the community they serve. It simply doesn't work this way.
Based on the description of your `playground', I must say that it appears that you are concentrating on the toys and leaving the ethics to the side. +I is a serious ethical violation. Period. There's nothing more that can be said about this.
- nenolod |
You dear child can sit there and act arrogant all you want, I however maintain my servers myself, so I know who has what powers, and quite frankly letting my ops see the options available isn't part of the problem, it's educating them. If you are too uneducated to understand that, then it's your problem not mine. |
|
|
 |
nenolod Idler

Joined: 23 Jan 2004 Posts: 357 Location: A box!
|
Posted: May 11, 2006 8:58am Post subject: |
|
|
| FuRiOuS wrote: | | nenolod wrote: | | FuRiOuS wrote: | | my PLAYGROUND is there for my ops to use to train and see the other options that are out there and what is possible with the proper training in coding, if you don't like it that's your problem, not mine, the normal users are not there, so it's none of your business. Get off your holier than thou attitude because it sucks. |
Then you are offering a disservice to the community, because you are teaching people that things like +I are cool, when they are simply not. In fact, I hate to say it, but you are part of the problem.
Projects that try to educate IRC operators always take the wrong approach, they teach people about the toys available and do not stress concepts such as respect upon the trainee. Therefore, if you teach the operator about this super-cool +I feature, guess what! He or she will be very likely to use it!
You know, a lot of people take operhood from the approach of being a cop. This is not the way it should be done, instead it should be taken from the approach of being a devoted member of the community they serve. It simply doesn't work this way.
Based on the description of your `playground', I must say that it appears that you are concentrating on the toys and leaving the ethics to the side. +I is a serious ethical violation. Period. There's nothing more that can be said about this.
- nenolod |
You dear child can sit there and act arrogant all you want, I however maintain my servers myself, so I know who has what powers, and quite frankly letting my ops see the options available isn't part of the problem, it's educating them. If you are too uneducated to understand that, then it's your problem not mine. |
I'm sorry that your social skills are lacking. Calling me a child (I'm likely older than you are, considering that your behaviour reflects something akin to a 16 year old girl with a sheep-like, do-nothing attitude), is entirely laughable. In fact I'm literally sitting here laughing at your horrid attempt at an intelligible retort. You have made my day.
You `run' your servers, with what? A whip? You seem like the type at any rate. *whiplash*
Please try harder at composing a retort next time. The average human being uses about 10 percent of the brain's capacity. Certainly you can give it that full 10 percent if you try hard enough.
In addition, do you fall back to unfounded insults and criticisms of people's behaviour every time they say something you disagree with? This thread seems to demonstrate that.
- nenolod |
|
|
 |