Results 1 to 4 of 4

Thread: Enable +T Usermode

  1. #1
    Junior Member DrMacinyasha's Avatar
    Join Date
    Jul 2009
    Location
    California, USA
    Posts
    2

    Default Enable +T Usermode

    In the default Unreal IRCd config, the T usermode to block all inbound CTCP messages alone is enabled. Unfortunately, on Rizon it is disabled, and the closest thing is the +g or +G usermodes which filters out not only CTCP, but any messages you have not accepted or from people not in the same channels.

    That's nice, but it's a nag for people you DO want to chat with, and once you accept someone, they're free to CTCP you anyways.

    Go ahead and scoff, but blocking CTCP does have it's good purposes. For one, there's no really good reason to even HAVE CTCP enabled, but beyond that, by hiding your version number you're increasing your security.

    Say I'm down on a cruise for two weeks with no internet access, and during that time, Mozilla released Firefox 3.5.2 which covers a MAJOR security flaw that allows privileged remote command execution, but I use Chatzilla for my IRC client. If someone CTCP Version's me, they could see that I'm using the outdated version of Firefox, haven't updated yet, and could then direct me to a malicious site which is designed to exploit that particular flaw.

    In this example, it's not my fault that I don't have the newest version, as I *just* got back from no-internet for two weeks, and this person decided to be a total skiddie and use some milw0rm script to turn my computer into his latest bot zombie. Ten hours later, I'm back up and running, completely clean after three sweeps with Malwarebyte's Anti-Malware and God knows what other steps I've had to take, but the point is, all of that could have been avoided by just simply enabling the +T usermode.

    Believe it or not, Unreal did know what they were doing when they enabled it to be available by default, and in my opinion, it should be made default, just as +x is default on most IRC servers today.

    End of Rant.
    Last edited by mink; 07-25-2009 at 09:24 PM. Reason: removed signature to mystery file

  2. #2
    Rizon Staff mink's Avatar
    Join Date
    Jul 2003
    Posts
    336

    Default

    3 things -

    one, we don't run Unreal, it is not stable at our size, thus no +T and its not "disabled".

    two, don't follow links from people you don't trust or to places that don't seem legit.

    three, firefox should update immediately upon run, or at least notify you of a avalible update. Assuming they are getting your firefox version because of the chatzilla addon, you should have gotten the update to fix the flaw on launch.
    ~ mink / B
    Rizon Senior Network Administrator

  3. #3
    Junior Member DrMacinyasha's Avatar
    Join Date
    Jul 2009
    Location
    California, USA
    Posts
    2

    Default

    Quote Originally Posted by mink View Post
    one, we don't run Unreal, it is not stable at our size, thus no +T and its not "disabled".
    I apologize, for some reason I thought Rizon used a variant of Unreal.

    Quote Originally Posted by mink View Post
    two, don't follow links from people you don't trust or to places that don't seem legit.
    The problem with that is when you deal with someone who comes off as being nice, then slips you a URL that's masked using something like TinyURL or is.gd, in which case you have no idea what it is.

    Quote Originally Posted by mink View Post
    three, firefox should update immediately upon run, or at least notify you of a avalible update. Assuming they are getting your firefox version because of the chatzilla addon, you should have gotten the update to fix the flaw on launch.
    I don't know about others, but for me at least, Firefox takes a good five minutes to actually notify me of any updates to Firefox itself. It checks for plugin/add-on updates at launch, but for program updates it's always been delayed, and flaky at best for notifying me. For the whole 3.0.x series I had to check the Mozilla website manually, or get reminded by seeing a Chatzilla quit message. Additionally, if the flaw is with Firefox and not the add-on, then the update-at-startup window wouldn't even show up because of, once again, the delayed Firefox update.
    - Owner of Macinyasha.Blogspot.com

  4. #4
    Member SecretAgent's Avatar
    Join Date
    Jul 2008
    Location
    California, USA
    Posts
    68

    Default

    Quote Originally Posted by DrMacinyasha View Post
    In the default Unreal IRCd config, the T usermode to block all inbound CTCP messages alone is enabled. Unfortunately, on Rizon it is disabled, and the closest thing is the +g or +G usermodes which filters out not only CTCP, but any messages you have not accepted or from people not in the same channels.

    That's nice, but it's a nag for people you DO want to chat with, and once you accept someone, they're free to CTCP you anyways.

    Go ahead and scoff, but blocking CTCP does have it's good purposes. For one, there's no really good reason to even HAVE CTCP enabled, but beyond that, by hiding your version number you're increasing your security.

    Say I'm down on a cruise for two weeks with no internet access, and during that time, Mozilla released Firefox 3.5.2 which covers a MAJOR security flaw that allows privileged remote command execution, but I use Chatzilla for my IRC client. If someone CTCP Version's me, they could see that I'm using the outdated version of Firefox, haven't updated yet, and could then direct me to a malicious site which is designed to exploit that particular flaw.

    In this example, it's not my fault that I don't have the newest version, as I *just* got back from no-internet for two weeks, and this person decided to be a total skiddie and use some milw0rm script to turn my computer into his latest bot zombie. Ten hours later, I'm back up and running, completely clean after three sweeps with Malwarebyte's Anti-Malware and God knows what other steps I've had to take, but the point is, all of that could have been avoided by just simply enabling the +T usermode.

    Believe it or not, Unreal did know what they were doing when they enabled it to be available by default, and in my opinion, it should be made default, just as +x is default on most IRC servers today.

    End of Rant.
    This is probably one of the better feature requests I've seen in awhile. At least you gave your reasons for wanting it, heh.

    The goal of +T (and similar user modes on other ircds) is to stop CTCP floods at the server, instead of the client. As you mentioned, +g/G does block CTCP (and more), so that also makes it a useful mode against such attacks.

    I'm not sure if Chatzilla allows you to ignore CTCP requests like other clients, but that may be something worth looking into. If not, you might try submitting a feature request to its developers to provide support for such

Similar Threads

  1. How to enable Identd
    By guuchan in forum FAQ
    Replies: 0
    Last Post: 09-17-2008, 10:30 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •