Slashdot Mirror
Why do we still use IDENTD?
Wakko Warner asks: "So anyway, I was on IRC the other day (as I am often wont to do), and, as I was being banned from the network for not running 'identd', I thought to myself: 'Why do we still use this???' Can anyone come up with a valid reason why, in 2002, ident is still considered by some people to be a necessary component of the Internet? Most people use Windows for everything, and Windows has no identity services. Most UNIX folks I know disable it for security reasons. So, why do people still insist we run it in order to connect to their network? Is it still 1993 in some part of the world?"
http://identd.sourceforge.net/
http://freeware.teledanmark.no/identd/
http://sourceforge.net/projects/winidentd/
http://identd.dyndns.org/identd/
But on the other hand, here are some reasons why your question is valid...
SNL said it best : knock, knock Belushi : who's there ? voice on the other side of the door : candygram! (Belushi opens door) Belushi : Ahhhh! Landshark! (shark head consumes John Belushi) IOW , "identd" is only as trustworthy as the one who runs it; Odama's identd is not likely to respond "BinLadin".
Much abuse tends to come(or came) from commercial unix systems whos users would have purchased an account. Identd works well for keeping track of these people, even if it is of no use for individual users with thier own machines.
By enforcing identd usage on IRC, operators of channels can sucessfully ban abuse bots and users who use BNC relays or unix shells. has some sense of use in this case...
"What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
No serious systems administrator running a public or private access unix system with user accounts allows such valuable user information out onto the net. Anyone who does (maybe the same idiots who run IRC servers that require ident?) deserve to have their user accounts 0wned. Everyone I know makes sure ident is at least faked, but usually plain dropped silently.
There is NO good reason for crappy old fake-able, spoof-able, deny-able ident to be a requirement anymore. Certain IRC admins just need to get their heads out of their asses.
Anyone who considers arithmetical methods of producing random numbers is, of course, in a state of sin.-John von Neumann
First of ident is not insecure by itself. Some implementations had buffer overflow problems, but then wich server software hasn't. It can also provide login information like the username but this depends on the setup. For correct working, IRC related, it just needs to return a string on query.
So why? IRC is well known for countless attacks against the servers and the users of it. It really seems to bring out the worst in a large group of people who, perhaps encouraged by anonymity(?), feel they can do anything to make other peoples use of the service a hassle.
So how to defend against it? Knowing who a user is is the easiest defence. You can then ban that person from entering youre chatroom/network. There are a couple of pieces of information that are known when you use IRC.
So why require ident to be running? Can't it be as easily changed as the nick? Yes it can, on certain setups. However if you are using/abusing a shell account then the Ident service should be fixed by the admin. It makes therefore the misuse of a certain kinda setup harder (University accounts). Shell accounts are popular for abuse since you are using someone elses IP for youre abuse.
Other posts have indicated that there are plenty of Ident servers for windows around. Saying just because windows does not support something it is obsolete is stupid. There are plenty of things on windows you need third party apps for.
Perhaps the real problem with this question is that to many people feel they have a right to use/abuse a service run by someone else. IRC is a free service run by people who out of their kindness of their hearts run one of the most attacked services on the net. If they then require you to run a tiny little program to make their live easier then so be it. Don't like the rules? Don't use the service. Think you can do better? Run youre own.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Identd is useless for trusting an outside host, however, it is exactly what you need when someone outside complains about something one of your hosts is doing. Or you are trying to track down a trouble user locally.
Identd is perfectly usable and mostly trustable when on hosts that you have control over.
Now, probably should run it in DES encrypted mode, but most sites do not.
As for why IRC does it? Who knows, doesn't seem to accomplish anything much to me.
Checkout the percentage of people using IRC. Remember 94-96? When IRC was the coolest reason to get online? Why did people stop using IRC since then? Security, and being blocked from channels you never offended/visited.
Effnet is packed due to the fast growing size of the Internet.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
postgresql can use ident for authentitication. useful for doing unattended maintainance activities, such as vacuuming the database. the other alternative is to have username/password information on the machine in cleartext somewhere. i run ident on postgresql machines, but use iptables to disallow remote access to the service.
--Lawrence Lessig for Congress!
No, it's more like end of 1990.
#include "coucou.h"
The reason identd is required is pretty straightforward, actually.
Say I get on an IRC server and start abusing it. It's pretty easy to just ban my IP (or in extreme cases, up to my class B if dynamic IPs are in use and there's no better solution). So single-user machines are pretty easy to handle.
A not-unreasonable people still use public access machines, however. And you can't just ban their IPs without potentially screwing a lot of people -- if I ban MITs or CMU's public access UNIX boxes, I'm going to hurt a lot of people to block one baddie. However, these machines can be trusted to run a legtimate identd, so I can say "Don't block *everyone* on these machines...just this one user".
Granted, the utility value of identd is less now that Windows machines and single-user UNIX machines are dominant, but it still does solve a nasty problem sometimes.
However, even given that identd helps, I don't see why it's *required*. You can just say "if the remote host isn't running identd, just ban the entire IP if we get a baddie on that machine".
May we never see th
There are loads of obsolete, insecure protocols that we still insist on using. Identd is the least of our worries. Let's take some examples:
SMTP! Mailbox filled with spam? Well, that's because we use a mail transfer protocol that makes it trivial to forge the from: address and to create thousands of messages from one!
FTP! Password in the cleartext? Carriage returns dropped? 3rd-party interceptible/forgeable downloads? That's FTP...
Identd is simple enough to fake, so it shouldn't really trouble anyone. But it's pretty hard to get by day-to-day without using SMTP.
it's just not being used for its original intended purpose. How many people do you know trading warez on AOL, Yahoo, or MSN Messenger? Sure, there's some, but not nearly as many as good old IRC. Along with usenet, they're the original napsters.
It increases accountability. Sure, Windows clients can generally change their identification, but Windows clients generally are run by the system administrator. So if I get hacked by bill_gates@1.2.3.4, I'm going to ignore the identd at first. If it turns out to be a dialup then I can proceed to sue whoever was using that IP address. But if on the other hand it's a multiuser unix box, I'm not going to sue the admin, as long as the admin tells me who owns that account.
Why is identd *REQUIRED*?
If it's running, then it may provide useful data.
If it's not running, then almost surely if it were running it wouldn't provide trustworthy data.
In short: If the user has the option of turning it on or off, the service can't be trusted. The ident data is nice to have in the case that it might actually be true, but it's too easy to fake.
retrorocket.o not found, launch anyway?
...(the USA) it is more like 1984.
-Derek
It is really interesting to travel back in time, by just traveling to some parts of the US where they are still 50 years behind the times.
Only 'flamers' flame!
with two answers.
A) Why do the servers require it?
Well, its their servers. If they want to say you must kill a dog before connecting and if you dont you are banned, that is their call.
b) Ident is useful to the server admin.
If i let users use my system, and i know my own ident server is reliable, i know which user did something by remote and local logs.
If someone else claims to have ident info, i can match the exact TCP connection in their logs with mine, and thus gain exact timestamps (as most people dont sync to the same clocks) as well as if it occoured at all or not, thus weather to believe anything else they claim or not.
Granetd one can do the same thing with a logging firewall, but again, its the admins choice on how to run a system.
The main reason identd is still used is to prevent people from overcoming their own ban by finding and using proxy servers with either open access or closed access but with known passwords. There are lists of these servers available in various places on the net, and many individuals who have worn out their welcome and been banned from an IRC network have tried hopping on a proxy.
IRC servers prevent this in a few ways; they will actively test if the address a connection comes from has an open proxy server on the standard port and will automatically disallow the connection. This doesn't help when the proxy server is closed but is still being hijacked, though. Further, some proxy servers don't use the standard port, and it's not efficient for the IRC server to scan all possible ports, while an attacker has the leisure to find and use these servers.
By checking for ident response, only people going through proxy servers whose admins also run ident can get through. These are few and far between, and are usually closed, private proxy servers run by people who have specific need of them. Those few which are abused can be individually k-lined.
There's the standard reason that everyone here talks about: there are tons of public shell servers that offer accounts. Many people buy shell accounts to run irc bots and the like. If there's someone abusive, you want to be able to ban them, not the entire shell server.
:)
Then, there's irc-enabled trojans/viruses. These things spread by means of email, newsgroups, outlook/IE exploits, open windows shares, and IRC itself. They come on IRC as a convenient spot for whoever wrote the virus to control them all and use for ddos attacks. They take up space, and they're generally not nice things to have lying around. However, the majority of these viruses were never coded with identd support, and they run on windows machines of users who never use IRC. Therefore, by banning users who do not have ident enabled, you are banning a huge amount of ddos attack drones.
I'm actively involved in this kind of thing.
If there's someone abusive, you want to be able to ban them, not the entire shell server.
If you ban the entire shell server, you force the legitimate users on that shell server to force the shell server's admin to force the misbehaving user not to misbehave. It works on the same principle as SPEWS banning a whole /24 or larger IPv4 address block.
Mail doesn't use identd.
Will I retire or break 10K?
You're making it harder for Windows users to connect to your irc server when you know it can't be trusted to give you any sort of identifying information about people who connect from a Windows box.
Make it optional, so UNIX admins can run identd for the reason you mentioned.
IRC is simply stated, dying. It is too insecure to begin with, plus people satisfy their needs with aol, yahoo and msn messenger; despite the fact that they install GATOR on people's computers.
Agreed on the security thing.
However, I think IRC is also dying because things like identd make it difficult for a lot of users, including those behind firewalls, to find a good irc server.
I agree with the poster that identd is kinda pointless but that doesn't change the fact that it's a headache trying to find an irc server (on some networks) which doesn't require you to have identd running. FakeIdentd is small and simple, you start it up and give it a text string which it will use to reply to any servers. No bells & whistles but it does the job and compiles on pretty much every UNIX-like operating system I've tried.
That is true only for non-NT based Microsoft OS's (ie: 95/98/ME) and the non-home version of XP (Pro/.NET Server/etc).
All other allow only processes operating under SYSTEM or members of the administrators groups to bind to ports 1024.
The OSI model is often extended to take human issues into account. In the most commonly seen extension, Layer 8 is Financial and layer 9 is Political [1, 2] although there is some variability as to the stacking order, and even mention of a possible Religious layer [3]. Although these informal layers are considered something of a joke, issues at these layers are frequently encountered when trying to actually get anything done.
...when you're writing a game...tweak the difficulty of "Easy" to something [your mother] can cope with. -- onion2k
A lot of people on IRC (for whatever reason) like to IRC from (brought) shell accounts. It's in these shell account owners best interest to run Ident, otherwise the only way to ban an abusive user is to ban the entire netblock of the shell provider, basically killing off their entire customer base. If we see that there are multiple people from the same IP with different Ident and only one of them is abusing we'll ban by ident. If they change ident and come back, we ban the entire IP (or netblock).
Many servers have different "connection classes" or different levels of service to different people. You can say for instance that you will allow 5,000 people from your country to connect, 2,000 other people from around the world that are on helpful and cooperative ISP's, and 1,000 people from elsewhere. Thus, if you're outside an IRC servers catchment area, they start placing harsh rules on you, like requiring ident. eg: If your server is in the US, and it's a lot easier to track down abusers within the US than outside it, so you require people outside the US to make a "better effort" to use your server.
Kinda going back to the previous point, a lot of boxes that are used on IRC are hacked, or people aren't supposed to be IRCing from (eg company machines). Running an ident server is trivial if you (legitmately) have root on the machine, if you don't then it starts making it more obvious that the machine is hacked ("Hmm, I don't remember that machine having ident enabled...")
Is it still 1993 in some part of the world?
[Some indeterminate music is heard in the background, probably Spin Doctors]
What? 1993? Um, dude...let me check Webcrawler on that.
Frankly, I ran identd because I always found it interesting to see who was requesting my ident. Now I'm behind a tight firewall, so it serves no purpose on my workstation, but my dial-up days were interesting in that regard.
I'm surprised that not a single post here mentioned this aspect of running the daemon. You guys are so friggin' busy trying to be anonymous you fail to see the obvious point of watching who's watching you. To me, that smacks of more time spent bein' a kiddie than an administrator.
IDENTD is helpful in preventing against mass-join attacks. I've never seen a mass-join channel attack where the clones have ident. Thus, it allows legit users to continue doing their thing while there's an evident attack.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Because it is better to run perl -pi -e 's/(?<=nullidentd\s)John/Dick/' /etc/inetd.conf; killall -HUP inetd; echo "This John won't bother you again, Sir." | mail admin@complaining.to.abuse.at.your.system.com
than it is to have your IP banned.
Isn't that obvious?
root@aio:~# nmap -sX -iR -p1- # Ho, ho, ho! Merry Xmas, everyone!