Why do we still use IDENTD?
Wakko Warner asks: "So anyway, I was on IRC the other day (as I am often wont to do), and, as I was being banned from the network for not running 'identd', I thought to myself: 'Why do we still use this???' Can anyone come up with a valid reason why, in 2002, ident is still considered by some people to be a necessary component of the Internet? Most people use Windows for everything, and Windows has no identity services. Most UNIX folks I know disable it for security reasons. So, why do people still insist we run it in order to connect to their network? Is it still 1993 in some part of the world?"
http://identd.sourceforge.net/
http://freeware.teledanmark.no/identd/
http://sourceforge.net/projects/winidentd/
http://identd.dyndns.org/identd/
But on the other hand, here are some reasons why your question is valid...
Even if on a hacked machine or on Windows you can report any identity you want, it's one of the ways to tell that the visitor is coming from a civilized part of the world. From a machine that tries to play nicely with others, and runs identd. Many sites or FTP servers refuse access if you don't have correct reverse DNS, again, not so much for security reasons as to enforce that administrators on the other end take elementary care for their machines.
SNL said it best: Knock, knock. Belushi: Who's there? Voice on the other side of the door: Candygram! (Belushi opens door) Belushi: Ahhhh! Landshark! (shark head consumes John Belushi) IOW, "identd" is only as trustworthy as the one who runs it; Odama's identd is not likely to respond "BinLadin".
Much abuse tends to come (or came) from commercial unix systems whose users would have purchased an account. Identd works well for keeping track of these people, even if it is of no use for individual users with their own machines.
By enforcing identd usage on IRC, operators of channels can successfully ban abuse bots and users who use BNC relays or unix shells. It has some sense of use in this case...
"What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
No serious systems administrator running a public or private access unix system with user accounts allows such valuable user information out onto the net. Anyone who does (maybe the same idiots who run IRC servers that require ident?) deserve to have their user accounts 0wned. Everyone I know makes sure ident is at least faked, but usually plain dropped silently.
There is NO good reason for crappy old fake-able, spoof-able, deny-able ident to be a requirement anymore. Certain IRC admins just need to get their heads out of their asses.
Anyone who considers arithmetical methods of producing random numbers is, of course, in a state of sin.-John von Neumann
First off, ident is not insecure by itself. Some implementations had buffer overflow problems, but then which server software hasn't? It can also provide login information like the username but this depends on the setup. For correct working, IRC related, it just needs to return a string on query.
So why? IRC is well known for countless attacks against the servers and the users of it. It really seems to bring out the worst in a large group of people who, perhaps encouraged by anonymity(?), feel they can do anything to make other peoples use of the service a hassle.
So how to defend against it? Knowing who a user is is the easiest defence. You can then ban that person from entering youre chatroom/network. There are a couple of pieces of information that are known when you use IRC.
So why require ident to be running? Can't it be as easily changed as the nick? Yes it can, on certain setups. However if you are using/abusing a shell account then the Ident service should be fixed by the admin. It makes therefore the misuse of a certain kinda setup harder (University accounts). Shell accounts are popular for abuse since you are using someone else's IP for youre abuse.
Other posts have indicated that there are plenty of Ident servers for windows around. Saying just because windows does not support something it is obsolete is stupid. There are plenty of things on windows you need third party apps for.
Perhaps the real problem with this question is that too many people feel they have a right to use/abuse a service run by someone else. IRC is a free service run by people who out of the kindness of their hearts run one of the most attacked services on the net. If they then require you to run a tiny little program to make their lives easier then so be it. Don't like the rules? Don't use the service. Think you can do better? Run youre own.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
the word "youre" is incorrect. If something is mine, then you could say it is yours. If I'm being a total jerk, you could say, "You are a jerk", or as the contraction, "You're a jerk."
Compose the sentence without contractions. "That is you are car" makes no sense, thus "that is you're car" makes equally no sense.
There's also "yore", but that is used in discussing things long before either of us was born, in the time of yore.
IRC is simply stated, dying. It is too insecure to begin with, plus people satisfy their needs with aol, yahoo and msn messenger; despite the fact that they install GATOR on people's computers.
IRC should be improved drastically, if only to increase the security so you wouldn't be banned from channels you never visited. Ident should be one of the things removed completely from the next version of the protocol should it ever arrive. For now I'll stick to newsgroups, yahoo messenger and mailing lists.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
The main reason ident is required is due to script kiddies who like to run clone bots on different machines (usually a hacked cable modem computer) and use those to flood channels. They always connect without ident on. Unfortunately because of the numbers of people who love to be assholes, the rest of us get stuck having to pay. Realistically, if it wasn't for insecure proxy servers and hacked cable/dsl connections, odds are ident wouldn't be needed anymore.
Identd is useless for trusting an outside host, however, it is exactly what you need when someone outside complains about something one of your hosts is doing. Or you are trying to track down a trouble user locally.
Identd is perfectly usable and mostly trustable when on hosts that you have control over.
Now, probably should run it in DES encrypted mode, but most sites do not.
As for why IRC does it? Who knows, doesn't seem to accomplish anything much to me.
postgresql can use ident for authentication. useful for doing unattended maintenance activities, such as vacuuming the database. the other alternative is to have username/password information on the machine in cleartext somewhere. i run ident on postgresql machines, but use iptables to disallow remote access to the service.
--Lawrence Lessig for Congress!
No, it's more like end of 1990.
#include "coucou.h"
The solution to any problem with IRC is simple:
It's a layer 8 problem.
Everyone remembers the 7 layer ISO model for networks right... and what's just above layer 7 -- the human (ie: layer 8) and in my years of IRCing, I have yet to meet a sane IRC layer 8. I'm sure there must be one, or at a stretch, two sane ircadmins, but I've certainly never encountered them.
Think that netsplit is due to some massive connectivity problem on the internet -- nope, it's a netadmin doing layer 8 routing. Having trouble with a jerk and want to have a ban placed -- except *.com gets banned -- that's a layer 8 problem.
rant on These people think that identd will save them from the world... when really, the only solution is getting the hell off of IRC and getting a life rant off.
Sigh Some days, it's just not worth thinking about.
Basically, it's just one final defense against annoying/troublesome users. Many users who are connecting via unauthorized proxies will not have ident. So, doing an ident check keeps these people off the server. That's a good thing for the server operator.
Yes, if you have control of a machine, you can change the ident. That's fine. It's the machines you don't have control of that are the problem.
The reason identd is required is pretty straightforward, actually.
Say I get on an IRC server and start abusing it. It's pretty easy to just ban my IP (or in extreme cases, up to my class B if dynamic IPs are in use and there's no better solution). So single-user machines are pretty easy to handle.
A not-unreasonable number of people still use public access machines, however. And you can't just ban their IPs without potentially screwing a lot of people -- if I ban MIT's or CMU's public access UNIX boxes, I'm going to hurt a lot of people to block one baddie. However, these machines can be trusted to run a legitimate identd, so I can say "Don't block *everyone* on these machines...just this one user".
Granted, the utility value of identd is less now that Windows machines and single-user UNIX machines are dominant, but it still does solve a nasty problem sometimes.
However, even given that identd helps, I don't see why it's *required*. You can just say "if the remote host isn't running identd, just ban the entire IP if we get a baddie on that machine".
May we never see th
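Added example, not part of the original thread: Python code for the server-side check the comment above describes, parsing an RFC 1413 ident reply and choosing between a per-user ban and a whole-host ban. The function names, the 10-character username policy, the 1000-byte reply cap and the sample host and replies are assumptions made for this illustration.

```python
import re
import socket

PORT_PAIR = re.compile(r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*")
# Assumed policy for this example: accept only ids that are safe inside a ban mask.
SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,10}")
MAX_LINE = 1000  # reply size cap assumed for this example


def build_query(client_port, server_port):
    """Query for TCP/113 on the client's host: its port first, then ours."""
    return f"{client_port}, {server_port}\r\n".encode("ascii")


def parse_reply(raw, client_port, server_port):
    """Return the reported user id, or None when the reply is unusable."""
    if len(raw) > MAX_LINE or b"\x00" in raw:
        return None
    line = raw.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1")
    # At most four fields; the user id is last and may itself contain ':'.
    fields = [f.strip() for f in line.split(":", 3)]
    if len(fields) != 4 or fields[1] != "USERID":
        return None  # covers "<ports> : ERROR : NO-USER" and malformed lines
    m = PORT_PAIR.fullmatch(fields[0])
    if not m or (int(m.group(1)), int(m.group(2))) != (client_port, server_port):
        return None  # reply is about some other connection
    return fields[3] if SAFE_USER.fullmatch(fields[3]) else None


def lookup(host, client_port, server_port, timeout=5.0):
    """Query the client's ident service; refusal, silent drop or junk all give None."""
    raw = b""
    try:
        with socket.create_connection((host, 113), timeout=timeout) as s:
            s.sendall(build_query(client_port, server_port))
            while b"\n" not in raw and len(raw) <= MAX_LINE:
                chunk = s.recv(256)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return None
    return parse_reply(raw, client_port, server_port)


def display_username(claimed, ident_user):
    """Common ircd convention: prefix '~' when ident did not confirm the name."""
    return ident_user if ident_user else "~" + claimed


def ban_mask(ident_user, host):
    """Per-user ban when ident answered, otherwise the whole host."""
    return f"*!{ident_user}@{host}" if ident_user else f"*!*@{host}"


if __name__ == "__main__":
    # Constructed replies for a client on port 6193 connected to our port 6667.
    samples = [
        b"6193, 6667 : USERID : UNIX : jdoe\r\n",
        b"6193, 6667 : ERROR : NO-USER\r\n",
        b"6193, 6667 : USERID : OTHER : *!*@*\r\n",  # mask characters are rejected
    ]
    for raw in samples:
        user = parse_reply(raw, 6193, 6667)
        print(raw, "->", ban_mask(user, "shell.example.edu"))
```

The parser only establishes what the remote daemon said; whether that daemon is honest is the host administrator's property, which is why the fallback is the whole-host mask.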
There are loads of obsolete, insecure protocols that we still insist on using. Identd is the least of our worries. Let's take some examples:
SMTP! Mailbox filled with spam? Well, that's because we use a mail transfer protocol that makes it trivial to forge the from: address and to create thousands of messages from one!
FTP! Password in the cleartext? Carriage returns dropped? 3rd-party interceptible/forgeable downloads? That's FTP...
Identd is simple enough to fake, so it shouldn't really trouble anyone. But it's pretty hard to get by day-to-day without using SMTP.
it's just not being used for its original intended purpose. How many people do you know trading warez on AOL, Yahoo, or MSN Messenger? Sure, there's some, but not nearly as many as good old IRC. Along with usenet, they're the original napsters.
It increases accountability. Sure, Windows clients can generally change their identification, but Windows clients generally are run by the system administrator. So if I get hacked by bill_gates@1.2.3.4, I'm going to ignore the identd at first. If it turns out to be a dialup then I can proceed to sue whoever was using that IP address. But if on the other hand it's a multiuser unix box, I'm not going to sue the admin, as long as the admin tells me who owns that account.
Why is identd *REQUIRED*?
If it's running, then it may provide useful data.
If it's not running, then almost surely if it were running it wouldn't provide trustworthy data.
In short: If the user has the option of turning it on or off, the service can't be trusted. The ident data is nice to have in the case that it might actually be true, but it's too easy to fake.
retrorocket.o not found, launch anyway?
...(the USA) it is more like 1984.
-Derek
So, it's been mentioned at least twice in comments on this Ask Slashdot post, we need new protocols. So, what about it? Is anyone working on any improvements to our dusty old technology?
Encryption/PKI seems to be where it's at now, and P2P as well. P2P IRC? P2P email? How about it?
If the old toys are broken and laying in the corner, perhaps it's time to build some new ones.
Gabriel Ricard
It is really interesting to travel back in time, by just traveling to some parts of the US where they are still 50 years behind the times.
Only 'flamers' flame!
Without it, people could irc from multi-user systems with complete impunity.
with two answers.
A) Why do the servers require it?
Well, it's their servers. If they want to say you must kill a dog before connecting and if you don't you are banned, that is their call.
b) Ident is useful to the server admin.
If I let users use my system, and I know my own ident server is reliable, I know which user did something by remote and local logs.
If someone else claims to have ident info, I can match the exact TCP connection in their logs with mine, and thus gain exact timestamps (as most people don't sync to the same clocks) as well as if it occurred at all or not, thus whether to believe anything else they claim or not.
Granted one can do the same thing with a logging firewall, but again, it's the admin's choice on how to run a system.
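Added example, not part of the original thread: Python code for the log matching the comment above describes, pairing a remote admin's complaint with the local ident log by TCP port pair and estimating the clock difference between the two sites. The record layouts, the 300-second tolerance and all sample values are constructed for this illustration.

```python
from statistics import median

# Constructed sample data; the field layout is an assumption of this example.
# Local ident log: (unix_time, local_port, remote_ip, remote_port, user)
LOCAL = [
    (1000000000, 40112, "198.51.100.9", 6667, "alice"),
    (1000000450, 40250, "198.51.100.9", 6667, "bob"),
    (1000003600, 40112, "198.51.100.9", 6667, "carol"),  # same port reused later
]
# Complaint from the remote admin: (their_time, our_port, their_port, ident_seen)
COMPLAINT = [
    (1000000492, 40250, 6667, "bob"),
    (1000000043, 40112, 6667, "alice"),
    (1000000900, 41999, 6667, "mallory"),  # no such connection in our log
]
REMOTE_IP = "198.51.100.9"
WINDOW = 300  # seconds of clock disagreement tolerated (assumed)


def correlate(local, complaint, remote_ip, window=WINDOW):
    """Match complaint rows to local ident records; return (rows, clock skew)."""
    by_conn = {}
    for ts, lport, rip, rport, user in local:
        by_conn.setdefault((rip, lport, rport), []).append((ts, user))

    rows = []
    for rts, lport, rport, seen in complaint:
        candidates = by_conn.get((remote_ip, lport, rport), [])
        # Ports are reused, so take the local record closest in time.
        best = min(candidates, key=lambda c: abs(rts - c[0]), default=None)
        if best is None or abs(rts - best[0]) > window:
            rows.append({"conn": (lport, rport), "status": "no-local-record",
                         "user": None, "offset": None})
            continue
        status = "confirmed" if best[1] == seen else "ident-mismatch"
        rows.append({"conn": (lport, rport), "status": status,
                     "user": best[1], "offset": rts - best[0]})

    offsets = [r["offset"] for r in rows if r["offset"] is not None]
    skew = median(offsets) if offsets else None  # their clock minus ours
    return rows, skew


if __name__ == "__main__":
    rows, skew = correlate(LOCAL, COMPLAINT, REMOTE_IP)
    for r in rows:
        print(r)
    print("estimated clock skew (s):", skew)
```

Rows marked `no-local-record` are the ones the comment warns about: the claimed connection never reached the local ident service, so the rest of that complaint deserves less trust.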
The main reason identd is still used is to prevent people from overcoming their own ban by finding and using proxy servers with either open access or closed access but with known passwords. There are lists of these servers available in various places on the net, and many individuals who have worn out their welcome and been banned from an IRC network have tried hopping on a proxy.
IRC servers prevent this in a few ways; they will actively test if the address a connection comes from has an open proxy server on the standard port and will automatically disallow the connection. This doesn't help when the proxy server is closed but is still being hijacked, though. Further, some proxy servers don't use the standard port, and it's not efficient for the IRC server to scan all possible ports, while an attacker has the leisure to find and use these servers.
By checking for ident response, only people going through proxy servers whose admins also run ident can get through. These are few and far between, and are usually closed, private proxy servers run by people who have specific need of them. Those few which are abused can be individually k-lined.
There's the standard reason that everyone here talks about: there are tons of public shell servers that offer accounts. Many people buy shell accounts to run irc bots and the like. If there's someone abusive, you want to be able to ban them, not the entire shell server.
:)
Then, there's irc-enabled trojans/viruses. These things spread by means of email, newsgroups, outlook/IE exploits, open windows shares, and IRC itself. They come on IRC as a convenient spot for whoever wrote the virus to control them all and use for ddos attacks. They take up space, and they're generally not nice things to have lying around. However, the majority of these viruses were never coded with identd support, and they run on windows machines of users who never use IRC. Therefore, by banning users who do not have ident enabled, you are banning a huge amount of ddos attack drones.
I'm actively involved in this kind of thing.
If there's someone abusive, you want to be able to ban them, not the entire shell server.
If you ban the entire shell server, you force the legitimate users on that shell server to force the shell server's admin to force the misbehaving user not to misbehave. It works on the same principle as SPEWS banning a whole /24 or larger IPv4 address block.
Mail doesn't use identd.
Will I retire or break 10K?
You're making it harder for Windows users to connect to your irc server when you know it can't be trusted to give you any sort of identifying information about people who connect from a Windows box.
Make it optional, so UNIX admins can run identd for the reason you mentioned.
I agree with the poster that identd is kinda pointless but that doesn't change the fact that it's a headache trying to find an irc server (on some networks) which doesn't require you to have identd running. FakeIdentd is small and simple, you start it up and give it a text string which it will use to reply to any servers. No bells & whistles but it does the job and compiles on pretty much every UNIX-like operating system I've tried.
It's not enough to bounce them when they try to connect :-)
----
"NO! Then they'll call you back when the problem recurs. Your job is to make them FEAR calling you. How can you work when people are calling? So, you make them pay for calling in the first place. What would you do?"
"Delete their files?"
"Yeah, it's a start, but then they may call back when they get new files. You want them NEVER to call back. What could you do?"
"Swear at them?"
"No. I can see we'll have to demonstrate. Have you got a metal ballpoint?"
"Yes"
"See that wallsocket over there. Take the refill out of the pen and poke it into the wallsocket."
"But it's live!"
"Would I really make you do it if it were live?"
"Oh" >fiddlefiddleBZZZZZZZEEEEERT!THUD!
Of course I would.
Government IS the problem.
the same reason that Internet Explorer is required for some web sites. RETARDED ADMIN !
get used to it.
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." --Albert Einstein
Everyone keeps mentioning the following 2 reasons for identd.
1) Proxies
Proxies are scanned for and blocked on connect to most major irc networks, so that isn't a good reason.
2) Shells
Shell users are already running identd, this means that no matter what username i try to use it will be superseded by the identd response sent by the box.
3) Multiple connects
When running a legit shell on any host that doesn't have its own domain name, ie a cable or dsl user, they still block multiple connects even when you have a legit identd.
Let's face it, requiring identd is stupid and doesn't make sense.
Can I get an eye poke?
Dog House Forum
Years ago, Gerrit Hiddink (now doctor in Computer Science) designed the World Wide Conferencing Protocol so he could build a World Wide Conferencing Network, designed for scalability, security and productivity.
It lacks 'bans' and 'kicks' but does allow for a group consented ignore.
It was far superior to IRC in 1994 and it still is, though everyone seems to stick with IRC. Then again there is something cool about being able to 'kick' someone. ;)
sig not found
That is true only for non-NT based Microsoft OS's (ie: 95/98/ME) and the non-home version of XP (Pro/.NET Server/etc).
All other allow only processes operating under SYSTEM or members of the administrators groups to bind to ports 1024.
The OSI model is often extended to take human issues into account. In the most commonly seen extension, Layer 8 is Financial and layer 9 is Political [1, 2] although there is some variability as to the stacking order, and even mention of a possible Religious layer [3]. Although these informal layers are considered something of a joke, issues at these layers are frequently encountered when trying to actually get anything done.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
A lot of people on IRC (for whatever reason) like to IRC from (bought) shell accounts. It's in these shell account owners' best interest to run Ident, otherwise the only way to ban an abusive user is to ban the entire netblock of the shell provider, basically killing off their entire customer base. If we see that there are multiple people from the same IP with different Ident and only one of them is abusing we'll ban by ident. If they change ident and come back, we ban the entire IP (or netblock).
Many servers have different "connection classes" or different levels of service to different people. You can say for instance that you will allow 5,000 people from your country to connect, 2,000 other people from around the world that are on helpful and cooperative ISPs, and 1,000 people from elsewhere. Thus, if you're outside an IRC server's catchment area, they start placing harsh rules on you, like requiring ident. eg: If your server is in the US, and it's a lot easier to track down abusers within the US than outside it, so you require people outside the US to make a "better effort" to use your server.
Kinda going back to the previous point, a lot of boxes that are used on IRC are hacked, or people aren't supposed to be IRCing from (eg company machines). Running an ident server is trivial if you (legitimately) have root on the machine, if you don't then it starts making it more obvious that the machine is hacked ("Hmm, I don't remember that machine having ident enabled...")
Is it still 1993 in some part of the world?
[Some indeterminate music is heard in the background, probably Spin Doctors]
What? 1993? Um, dude...let me check Webcrawler on that.
While in the majority of cases now, ident information can't be trusted, there are still systems (universities, etc...) that run the real deal. The problem is, requiring ident is just an exercise in futility. If someone has control of the box and doesn't want to give you their username, they aren't going to. The outcome is the same whether they disable ident, or simply have it serve up fake information.
Now that's not saying ident can't be useful. If you run a large system with multiple users, running ident can help you track down the 1 or 2 abusers since you know your ident is offering the correct information. If the server is logging ident, then when problems arise you can ask them for it and make your life a hell of a lot easier.
So ident isn't something you should be using to authenticate your clients, but keeping track of it (when it is available on the client) can prove useful when working with the administration of the client's host.
I think I've rambled enough to get to the point now:
Don't REQUIRE ident, it'll just get spoofed 99.9% of the time. However, if it is available, you might as well use it to your advantage when the friendly sysadmin asks you for it so he can cut off the jerk who's abusing you.
now, cunt casket motherfucker, it would probably be in /home somewhere, like /home/stinkingraghead
your fucking geek poor person humor is gay.
Yes, which nine out of ten times happens to be the person using the OS anyways.. At least in Linux we try to beat in the idea that doing normal stuff as root is bad. Try telling your mother she has to login as "Mom" and then install software as "Administrator". I think not. I'd rather just let her login to her linux box as "Mom" and I'll ssh over to it if she wants something installed. :P
Frankly, I ran identd because I always found it interesting to see who was requesting my ident. Now I'm behind a tight firewall, so it serves no purpose on my workstation, but my dial-up days were interesting in that regard.
I'm surprised that not a single post here mentioned this aspect of running the daemon. You guys are so friggin' busy trying to be anonymous you fail to see the obvious point of watching who's watching you. To me, that smacks of more time spent bein' a kiddie than an administrator.
I spent a long time on IRC, in fact I have to admit that when chat channels interested me, they were quite exciting. However I have to say that I remember a few interesting facts about identd.
See at the time I was a regular IRC'er (about 5 years back), I was sharing a house with 2 other IRC'ers. At the time while waiting for my ISP to provide us with a subnet, we used programs such as Wingate to act as a firewall. All communications occurred over SOCKS4 and worked rather well.
The greatest drawback to this method was that identd was a flawed technology. Often with servers which demanded strict identd responses, I needed to regularly change the pidentd response on the 'gateway' in order to correctly respond based on which user was relogging in. With a small HTTP server and a CGI I was able to make this web accessible to the users, but needless to say this was a terrible nuisance.
The end result which I prepared was to disable wingate's SOCKS and instead modify NEC SOCK5. I prepared an automated demon which would return an identd response for the last person to attempt connection to the requesting site. This made it so that I or a roommate would log into the IRC server via SOCKS, the server would identd, then the machine running the SOCKS5 server would respond by relaying the incoming identd port to the last internal system to request connection to the IRC server.
This worked very well, however once we received our subnet, everything was much better.
In short, identd is probably a useful protocol under extremely odd circumstances where the users you don't trust can be trusted to respond with valid information, but realistically, the design of the protocol makes it useless for users behind firewalls in many circumstances. For IRC servers which accept any identd as long as there is a response, then there is absolutely no reasoning behind running it.
Identd gives out valid usernames usually, which have been harvested for spam...
On an unsecured machine, there is no point since it provides misleading at best information.
Identd is blocked at our firewall (because of spam harvesting), and our sendmail servers are all set with a 0s identd timeout.
IDENTD is helpful in preventing against mass-join attacks. I've never seen a mass-join channel attack where the clones have ident. Thus, it allows legit users to continue doing their thing while there's an evident attack.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
This is +5 Insightful! If any of you moderators don't know why, then maybe read some books, for God's sake! It is surely much more insightful than all of this crap about ident.
Because it is better to run perl -pi -e 's/(?<=nullidentd\s)John/Dick/' /etc/inetd.conf; killall -HUP inetd; echo "This John won't bother you again, Sir." | mail admin@complaining.to.abuse.at.your.system.com
than it is to have your IP banned.
Isn't that obvious?
root@aio:~# nmap -sX -iR -p1- # Ho, ho, ho! Merry Xmas, everyone!