On Wed, 26 Feb 1997, Gordy Thompson wrote:
> Unix boxes -- only Win95 Pentiums, Macs and Power Macs? Are there similar
> exploits and vulnerabilities that put those platforms at risk also,
> regardless of the client software? Is it a reasonable training/usage
> requirement that no IRC user should type in a command if he doesn't know
> what it would do?
>
Win95, and mac systems can also exploit the same vulnerabilities as was
described for ircII (unix type systems) yet this probably wont be as much
of a problem unless the person useing irc has sensitive data on the local
machine. One of the things that most long time users of irc recomend to
the new users is "do not *ever* run a script that you havent checked over
yourself and *understood* exactly what it does". Many irc clients
themselves (not even looking at the scripts) have contained backdoors that
users should be aware of. One good rule of thumb is "dont upgrade to the
latest version till it has been tested by fire" this means, if you *must*
run IRC (is it really a good work promoter) - if a new version of the
client comes out and the old one works just fine, wait to upgrade till
the /lusers complain :) and in the mean time keep an eye out for bugs.
> (I'm not dealing with a request to make IRC available to the entire
> user community, but rather to a small subset of users who have an
> honest-to-God business need [we're a newspaper, they're reporters] to be
> able to use it. And I'm hopeful that close-order-drill training can protect
> them from the temptation to type something bizarre like "/on ctcp * $1-"
> just because somebody they're IRCing with asked them to.
ok, try this one, download a script (depending on the irc network -
undernet has a few good scripts they promote as "backdoor free" notably
the UUS scrips ) - check it out yourself (it looks an reads much like C -
any programming exp and you shouldnt have a problem), then mark this as
"the script thou shalt use" and leave it at that. many of the modern
versions of irc dont even need scripts to operate at a reasonable level.
If irc is run by responsable people that recognise the need for security
then a quick tutorial may suffice, otherwise i would say "remove it" it
will become more of a headache than is needed.
Steve.
Follow-Ups:
References:
|
|
