Re: security question

From: Jonas M Luster (jluster@d-fensive.com)
Date: 07/12/02


Date: Fri, 12 Jul 2002 11:49:06 -0700
From: Jonas M Luster <jluster@d-fensive.com>
To: "Teodorski, Chris" <cteodorski@ppg.com>

Quoting Teodorski, Chris (cteodorski@ppg.com):

> Why is IRC considered such a security risk? I have heard people
> discussing IRC like it was made by the devil himself. Can anyone
> provide me with some insight into this. For the sake of discussion,
> let's assume that DCC is NOT set to Auto Get.....

Well, IRC itself is not very dangerous. The protocol does not provide
any means to launch effective attacks against endpoints (servers are a
different thing). The problem, once again, sits between monitor and
chair - both at the programmer's site and the user's location. What
makes IRC a bit more dangerous than, e.g. HTTP, is the bi-directional
nature of its communication (or poly-directional if you so will), and
the lack of safeguards in most software.

It is in fact easier to code an IRC client than, e.g. a web browser,
and some of the programs out there sport holes in form of buffer
overruns, the DCC/Autoget you mentioned or some kind of mechanism
designed to make life easier but effectively introducing backdoors.

It's just like AIM, eMail, Usenet, the Web, etc. - if the end user
does not exercise the needed security precautions, things can blow up
in his face. Unlike eMail, however, IRC is some nice protocol and it's
much easier to say "I don't do IRC, beacause it's insecure" than "I
don't do eMail because it's insecure".

That, and the fact that most people understand eMail, but ask them a
question or two about IRC and all they know is mIRC and EFNet.