Slashdot Mirror
Why do we still use IDENTD?
Wakko Warner asks: "So anyway, I was on IRC the other day (as I am often wont to do), and, as I was being banned from the network for not running 'identd', I thought to myself: 'Why do we still use this???' Can anyone come up with a valid reason why, in 2002, ident is still considered by some people to be a necessary component of the Internet? Most people use Windows for everything, and Windows has no identity services. Most UNIX folks I know disable it for security reasons. So, why do people still insist we run it in order to connect to their network? Is it still 1993 in some part of the world?"
And every self-respecting irc-client has one built-in. That's not the point. The question is: Why do we want users to have identd running when the majority of users is in full control of the client machine anyway? Identd only makes sense in scenarios with multiple users per client ip and identd can't be manipulated by the users.
By enforcing identd usage on IRC, operators of channels can sucessfully ban abuse bots and users who use BNC relays or unix shells. has some sense of use in this case...
"What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
Almost every single ident response on IRC is faked. hell, even the stock identd daemons support .fakeid files these days. (at least FreeBSD's builtin identd does)
identd is a protocol which only works if every user is trusted. despite this, some very ignorant irc admins try to use the protocol to create trust. clearly this is a poorly thought out plan. add to that the fact that identd listens on a low port, so it needs to be a privileged process and you have ignorant admins exposing their network's users to unneccessary risk, for no gain.
The reason you are so confused is because you think that identd is supposed to help you in some way. It doesn't help you as the IRC server admin.
Then why do IRC server admins require it?
The ident information is to help the administrator of the client. You see, if your abusive user is on a shell account, and you go to report abuse to the service provider, that admin is going to ask you for the ident information. Without it he is not going to know which of his users is the abuser. If you turn it off identd checking, you will have no recourse against the abuse.
So, if I go to report an abusive user, and his ident string is "gofuckyourself@some.unix.box.somewhere", you're saying, chances are, it'll be helpful, even when 99% of ident responses are phony? Does anyone even read their "root@" or "abuse@" email? In my experience, these mailboxes go to
Why not just ditch ident, and simply ban the entire hostname, subnet, or domain of an abusive user, and let the admin sort it out once he starts receiving complaints from other, legit users? Hell, this is done all the time, anyway. When's the last time you saw a K-line for a single user@unix.box?
Requiring everyone to run ident simply because there are one or two abusive shell account users out there is downright retarded. It's like forcing backward compatibility for Netscape 1.1N users. The times, they have a-changed. Ident must die.
- A.P.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
I agree with the poster that identd is kinda pointless but that doesn't change the fact that it's a headache trying to find an irc server (on some networks) which doesn't require you to have identd running. FakeIdentd is small and simple, you start it up and give it a text string which it will use to reply to any servers. No bells & whistles but it does the job and compiles on pretty much every UNIX-like operating system I've tried.
The OSI model is often extended to take human issues into account. In the most commonly seen extension, Layer 8 is Financial and layer 9 is Political [1, 2] although there is some variability as to the stacking order, and even mention of a possible Religious layer [3]. Although these informal layers are considered something of a joke, issues at these layers are frequently encountered when trying to actually get anything done.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
ident isn't inheritantly insecure, just because most of the implementations were written by script kiddies who want to get on IRC, but can't code and are less secure than a naked freshman in a gay bar doesn't mean that all ident daemons are insecure.
I run an ident daemon, but first I audited the entire thing by hand, they're not complicated pieces of software, and are fairly trivial to audit.
I personally think that you shouldn't require ident to connect, and afaik no undernet server requires ident to connect, but I can understand the reasoning of why people would do it.