Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why do we still use IDENTD?

Posted by Cliff on from the I've-been-wondering-the-same-thing dept.

Wakko Warner asks: "So anyway, I was on IRC the other day (as I am often wont to do), and, as I was being banned from the network for not running 'identd', I thought to myself: 'Why do we still use this???' Can anyone come up with a valid reason why, in 2002, ident is still considered by some people to be a necessary component of the Internet? Most people use Windows for everything, and Windows has no identity services. Most UNIX folks I know disable it for security reasons. So, why do people still insist we run it in order to connect to their network? Is it still 1993 in some part of the world?"

3 of 102 comments (clear)

  1. Plenty of identd servers for Win32 by aderuwe · · Score: 5, Informative
    There are plenty of identd servers for Win32:

    http://identd.sourceforge.net/
    http://freeware.teledanmark.no/identd/
    http://sourceforge.net/projects/winidentd/
    http://identd.dyndns.org/identd/

    But on the other hand, here are some reasons why your question is valid...

    1. Re:Plenty of identd servers for Win32 by Wakko+Warner · · Score: 5, Informative

      Now, which do you think is the more likely scenario: All the l-users here that have never run an IRC server and are taking out of their ass know best, or that hundreds of experienced server and network ops know what they're doing and require identd for a reason?

      I've run several IRC servers since 1996. I am an "experienced server and network op", and I still can't figure it out. Speaking as an admin, I can assure you that ident buys me absolutely nothing in terms of dealing with problematic users. Every single one of them has spoofed a valid ident response, either by changing their "Username" value in mIRC, or by running a randomizing ident server. The commonly-held belief among IRC admins that ident provides security and some sort of audit trail is unquestionably false.

      I turned off ident checking on my servers a few months ago, and encourage others I know to do the same.

      - A.P.

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  2. Pretty Simple by SmallFurryCreature · · Score: 5, Informative

    First of ident is not insecure by itself. Some implementations had buffer overflow problems, but then wich server software hasn't. It can also provide login information like the username but this depends on the setup. For correct working, IRC related, it just needs to return a string on query.

    So why? IRC is well known for countless attacks against the servers and the users of it. It really seems to bring out the worst in a large group of people who, perhaps encouraged by anonymity(?), feel they can do anything to make other peoples use of the service a hassle.

    So how to defend against it? Knowing who a user is is the easiest defence. You can then ban that person from entering youre chatroom/network. There are a couple of pieces of information that are known when you use IRC.

    1. Youre nick. Obviously needs to be there but can be easily randomly changed or be changed to the nicks of other people. Useless for identification therefore. Ban on nick is useless except to stop unwanted nicknames.
    2. Youre IP/hostname. Not really unique, think proxy situations and for some people extremely easy to change. Modem users and users of shell accounts. Ban on IP doesn't work since it could also affect a large group of innocent users who use the same network.
    3. Ident. This is an extra service run on port 113 it reports on query a string containing data corresponding to user information. In fact all you can be really certain of is that if it runs it will return something when you connect to it. Mine for instance always responds the same info. It can also be setup to return a random string each time. Pretty useless therefore as well.

    So why require ident to be running? Can't it be as easily changed as the nick? Yes it can, on certain setups. However if you are using/abusing a shell account then the Ident service should be fixed by the admin. It makes therefore the misuse of a certain kinda setup harder (University accounts). Shell accounts are popular for abuse since you are using someone elses IP for youre abuse.

    Other posts have indicated that there are plenty of Ident servers for windows around. Saying just because windows does not support something it is obsolete is stupid. There are plenty of things on windows you need third party apps for.

    Perhaps the real problem with this question is that to many people feel they have a right to use/abuse a service run by someone else. IRC is a free service run by people who out of their kindness of their hearts run one of the most attacked services on the net. If they then require you to run a tiny little program to make their live easier then so be it. Don't like the rules? Don't use the service. Think you can do better? Run youre own.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.