[9990] in bugtraq
Re: [Unet-Opers] abuse of nickserv (fwd)
daemon@ATHENA.MIT.EDU (danny)
Fri Mar 26 14:55:00 1999
Date: Thu, 25 Mar 1999 20:50:36 -0600
Reply-To: danny <danny@CHATSYSTEMS.COM>
From: danny <danny@CHATSYSTEMS.COM>
X-To: undernet-opers@undernet.org
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.GSO.3.96.990325202520.21373B-100000@enigma.uark.edu> from
Scott Fendley at "Mar 25, 99 08:25:36 pm"
Actually, Undernet IRC went a step further, and voted earlier as a team that
we would protect the nicknames of select services for Dalnet. Every Undernet
server is required to have a configuration line which disables users from
being able to use the specified nicknames. It was brought to our attention
that McLean.va* was missing this configuration line, and it has been notified
and requested to add it promptly.
When this is fully in place, it will not be possible to use the restricted
nicknames on an Undernet server, thus much more effective than trying to
use a pseudo client or fake bot to jupe the nickname.
Danny Mitchell.
Undernet Services Developer. <WildThang@undernet.org>
Scott Fendley was known to have stated:
> ---------- Forwarded message ----------
> Date: Tue, 23 Mar 1999 22:13:29 -0800
> From: Nelson Little <nel74@TIG.COM.AU>
> To: BUGTRAQ@NETSPACE.ORG
> Subject: abuse of nickserv
>
> Hi,
>
> Many people that IRC on Dalnet have scripts which automatically identify
> their nicknames via "/msg nickserv identify your_password". This works fine,
> however, if you also IRC on Undernet you can run into a problem. Undernet
> has no nickserv so if someone on Undernet decides to use the nick "nickserv"
> they will be exposed to countless passwords from all the people that
> automatically identify themselves. Once the evil user has these passwords
> they can jump on Dalnet and steal that person's nick and change the
> password. With a bit of brain power, and I won't go into how, they can also
> abuse op in any channels that person has op access in.
>
> Dalnet has been advised and starting on April 15th, you'll need to identify
> to NickServ using /msg NickServ@services.dal.net IDENTIFY instead of just
> using /msg NickServ IDENTIFY.
>
> All the other IRC networks that I tested have a nickserv bot which halts
> the abuse mentioned above.
>
> Regards
> Nelson
>
--
--------------------=================================--------------------------
DannyM -- http://www.chatsystems.com/danny/resume.html
Unix Administrator - TCP/IP client-server Programmer
--------------------=================================--------------------------
Everything that I post is of my personal opinion, and not that of my employer!
Mouse Potato: The on-line, wired generation's answer to the couch potato.
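
The client-side change described in the forwarded message (addressing NickServ as NickServ@services.dal.net rather than by bare nickname) can be checked for in a client's auto-run commands. The following is an added example, not part of the original posts; it assumes the commands are available as plain text, one per line, using the /msg or /privmsg spelling, and the sample lines are constructed.

```python
import re

# Server-qualified target quoted in the forwarded message.
QUALIFIED_TARGET = "NickServ@services.dal.net"

# Assumption: auto-run commands use "/msg" or "/privmsg", one per line.
IDENTIFY_RE = re.compile(
    r"^\s*/(?:msg|privmsg)\s+(?P<target>\S+)\s+identify\b",
    re.IGNORECASE,
)


def audit(lines):
    """Return (line_number, corrected_line) for every IDENTIFY command that
    is addressed to a bare "nickserv" nickname instead of nick@server."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = IDENTIFY_RE.match(line)
        if not match:
            continue  # not an identify command
        nick, sep, server = match.group("target").partition("@")
        if nick.lower() != "nickserv":
            continue  # message to some other nickname
        if sep and server:
            continue  # already server-qualified
        # Swap only the target; the rest of the line (password) is untouched.
        fixed = (line[:match.start("target")] + QUALIFIED_TARGET
                 + line[match.end("target"):])
        findings.append((number, fixed))
    return findings


# Constructed sample of auto-run commands (not taken from any real client).
SAMPLE = [
    "/join #help",
    "/msg nickserv identify your_password",
    "/msg NickServ@services.dal.net IDENTIFY your_password",
    "  /MSG NickServ IDENTIFY your_password",
    "/msg nickserv@ identify your_password",
    "/msg friend identify yourself please",
]

if __name__ == "__main__":
    for number, fixed in audit(SAMPLE):
        # Report the line number only, so the password is not echoed again.
        print(f"line {number}: bare NickServ target, use {QUALIFIED_TARGET}")
```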