[Fwd: Re: Ubuntu irssi 0.8.12-4ubuntu2]

Aaron Toponce atoponce at ubuntu.com
Sun Oct 12 19:36:53 UTC 2008


On Sun, Oct 12, 2008 at 03:17:31PM +0100, Paul O'Malley - gnu's not unix - wrote:
> Aaron Toponce wrote:
> > Port 8001 is specific to Freenode. Not that hard to change.
> Depends on person running server, skills, time, interest - other 
> implications can therefore be understood as port changing.

Yes, port 8001 is specific to Freenode, and it will require education
to those wishing to connect and avoid the exploit. Thus, the reason it's
on the wiki, and documented elsewhere throughout the web.

> This does not solve any problems, it routes around them.

Right.

> >> speak to your irc server people
> > 
> > Wrong. Speak to your router hardware vendor, or just change your router.
> 
> Incorrect assumption, this is not a router issue alone.
> In fact it is a router and damage by exploit issue.

This is called cause and effect. The cause is broken router hardware.
The effect is people taking advantage of that, and causing mass parts
and quits to flood channels. The servers have nothing to do, other than
change their port people connect on, and educate those connecting, to
avoid the exploit, by either connecting on that port, or purchasing new
equipment.

> The real problem which my terse answer did not address this, it is not 
> where does the problem come from, it is a how to manage situation.

This has been discussed at length.

> More appropriate questions, and not very complete or very verbose:
> 
> What is the real problem to be solved?

Fixing the hardware. Back during the days of XFree86, you could
physically fry your monitor if you set bad refresh rates. The hardware
got fixed, not the software. Now, with the latest kernel, you can hose
your Intel e100/e1000 NIC permanently. The hardware is getting fixed. You
connect on port 6667 with bad hardware, and are a victim of the exploit,
you either:

1) purchase new hardware
2) connect on a different port
3) upgrade your router firmware

> Can it be solved in a generic way?

Yes: education.

> This follows from the simple fact that you can't make people get new 
> routers or be better informed, as much as you might like to.
> (See bug 1 for a parallel proof, only time can improve the situation.)

Bug 1 has nothing to do with broken hardware, and dodging the exploit.
If we don't educate, then what is your proposed solution? Users
connecting to IRC should be educated in the exploit, and how to avoid
it.
 
> However, this leaves us with a real problem, if we actually document all 
> the bad stuff you get some silly programmer who copies the bad code to a 
> whole lot of new ports, now the use of 8001 and friends is of no use.

Port 8001 isn't affected. Port 6667 is.

> So I guess I stand by my original, implied, if not very verbose answer, 
> each of the servers will handle it in their own way, if we try to do a 
> global fix we will have programmers of bad firmware incorporating our 
> fix into their code and thus breaking the hack we use to fix it.

Again, Freenode and OFTC have already shown how to connect without
becoming a victim. So, it seems trivial to patch IRC client software to
take advantage of those standards.


-- 
 ,-O  Aaron Toponce
O   } Ubuntu Member
 `-O  http://www.ubuntu.com


More information about the Ubuntu-irc mailing list