It is currently Thu Sep 21, 2017 11:30 am

All times are UTC [ DST ]




 Page 3 of 5 [ 64 posts ]  Go to page Previous  1, 2, 3, 4, 5  Next
Author Message
 Post subject: Re: Annyoing "security" policy
PostPosted: Sat Feb 12, 2011 10:53 am 

Joined: Sat Feb 12, 2011 10:14 am
Posts: 2
I'm with Xplo on this... though he has a rather blunt way of expressing himself that might have distracted you from the good information he was giving you. Tor may be a great tool... in fact, it may be the best tool for what you want to use it for. Unfortunately, it's also the best tool for people that want to cause grief on any IRC network.

I'm not an Undernet Official, but Let me say that again quite clearly: Tor, while it is a great idea, got used to do harm... so it got banned. I think it's a good decision on the part of Undernet and I applaud them for stepping up and taking a decidedly effective shot against those that would do harm to IRC.

You say you can easily evade a ban by resetting your router? perhaps once or twice, but a bright Op will notice that you're connecting from a specific IP class/range and just ban that class/range. A tor user just click to get new host and they get a different host from the thousands of exit nodes available (with no IP class/range limitation) so it makes it impossible to ban a specific Tor user that doesn't want to be banned. This same problem applies to individuals trying to /ignore a specific tor user that doesn't want to be ignored.

Your suggestions (captcha, auto-masking, etc) don't address the above problems at all... banning all Tor users does.

By the way... In addition to purchasing a shell account, you can run Linux at home and run a bouncer there for free. You will always appear to be connecting from home, regardless of where you actually are. Just about any older computer you're not using primarily anymore, will likely be plenty powerful enough to run Linux and a bouncer.


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Sat Feb 19, 2011 2:55 pm 

Joined: Sat Feb 19, 2011 2:31 pm
Posts: 11
@Carolyn34

I think you're wrong with your conclusions.

Evading by resetting your router works as long as you're using a big ISP. Most ops won't ban Verizon/Comcast/AT&T because that would effectively block too many innocent users.

I welcome tor users on my channel and I never had a single problem with one of them. I regularly suggest using it to people who are concerned about their privacy.

Having said that, I'm on a network which does autocloak tor users and thus lets me, being the chanop, decide who to ban and who not.

And are you seriously suggesting to leave a computer running 24/7 at home just to have a bouncer? You'd pay more for its power consumption than for a shell account. Not to mention it's not eco-friendly at all.

So, tl;dr: imo a cloak would be the most intelligent way to handle this.


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Mon Feb 21, 2011 8:37 am 

Joined: Sat Feb 12, 2011 10:14 am
Posts: 2
SteveC wrote:
@Carolyn34

I think you're wrong with your conclusions.

Evading by resetting your router works as long as you're using a big ISP. Most ops won't ban Verizon/Comcast/AT&T because that would effectively block too many innocent users.

You're entitled to think anything you want... however, an op doesn't have to ban ALL of a large ISP just to stop one abusive user since they won't get a random IP address from that ISP's entire pool... they'll get a random IP address from the much smaller pool of available IP addresses from that provider, in their geographical area.

SteveC wrote:
I welcome tor users on my channel and I never had a single problem with one of them. I regularly suggest using it to people who are concerned about their privacy.

Having said that, I'm on a network which does autocloak tor users and thus lets me, being the chanop, decide who to ban and who not.

I'm glad you haven't had a problem with Tor users... I wouldn't wish problems on anyone. That doesn't change the fact that many others have had many problems with many Tor users. If this wasn't the case, we wouldn't be having this discussion.

SteveC wrote:
And are you seriously suggesting to leave a computer running 24/7 at home just to have a bouncer? You'd pay more for its power consumption than for a shell account. Not to mention it's not eco-friendly at all.


Yes, I'm suggesting leaving a Linux server running. The one I run, uses a 5 watt power supply (I've seen one that uses 2 watts). I pay less for it's power consumption than I would for a shell... if you're still concerned about it, you could run one like this and turn it off when you're at home (saving even more).

Also, I'm not sure why "Eco-Friendly" came into this discussion, but my Linux server is more Eco-Friendly (even leaving it on 24/7) than the computer you use most often (even as little as you use it).

SteveC wrote:
So, tl;dr: imo a cloak would be the most intelligent way to handle this.

It's obvious that this is your favorite solution... but I'm honestly not sure why. No offense, but it sounds like you made up your mind before you did the research.


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Thu Feb 24, 2011 9:21 pm 

Joined: Sat Feb 19, 2011 2:31 pm
Posts: 11
@Carolyn34

The question bascially boils down to this: why doesn't Undernet give chanops the freedom to decide who to ban?

If a channel doesn't want tor users, an op just needs to ban the hostmask of the cloak. Simple as that. Just like he would ban an ISP block.

All other channels still could welcome tor users.

Maybe I made up my mind because I see tor as a legal tool of free speech and not as evil software. Treating all tor users as hostile users gives a bad feeling.


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Thu Mar 10, 2011 2:38 pm 

Joined: Wed Jul 21, 2010 9:24 am
Posts: 3
Torman:

I agree, Undernet should be left to the drones. Its unattended carcass is starting to reek.

Which other networks have rational and committed people behind them?


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Sun Mar 13, 2011 1:32 am 
Senior Cservice Admin
User avatar

Joined: Sun Jul 06, 2003 2:47 am
Posts: 564
Location: Hamilton, New Zealand
SteveC wrote:
@Carolyn34

The question bascially boils down to this: why doesn't Undernet give chanops the freedom to decide who to ban?

To answer the obviously silly question, they do, this thread is about who can connect to the network, not who can join a channel.



_________________
xplora @ undernet.org
Past Co-ordinator
Undernet Channel Services Committee
Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Thu Mar 17, 2011 8:38 pm 

Joined: Sat Feb 19, 2011 2:31 pm
Posts: 11
@xplora

I have to admit that you gave me a good laugh with that silly nitpickery.
A k/g-line is a ban, no? You can argue about that if you want, but I'll stick to the Wikipedia definitions.
For the affected user and chanop the result is the same. A channel cannot be joined.
You're just evading my question. And I thought evasion is not liked on Undernet ;)
So, still waiting for a serious answer...


@jumpdriver

I'm on Freenode most of the time. Not only is tor allowed, but it also provides ssl.
Also Quakenet. I'm not sure right now if they provide ssl though.
Oftc also allows tor (#tor is there) and has ssl.
Freenode/Quakenet are considerably larger than Undernet and yet they allow tor and hostcloak them; makes you wonder about how evil tor really is, huh?


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Sun Mar 27, 2011 2:05 pm 

Joined: Sun Jul 11, 2010 1:23 pm
Posts: 14
A chanop I know told me that this thread is still active and suggested I take a look at it again.


Spidel wrote:
If you're no longer using UnderNet as your main network or not at all, why are you even making such remarks?

It's sad if you really do not understand what this means for Undernet. You may say he's just one user, but actually he's a user who bothered to register here and tell you. You have no idea how many don't care at all and just flee.


Carolyn34 wrote:
The one I run, uses a 5 watt power supply

I'm curious, is it a Sheevaplug? They consume 5 watts from what I've read.


jumpdriver wrote:
Which other networks have rational and committed people behind them?

SteveC already listed the most well-known ones. I moved to Quakenet (it has no ssl btw). I almost picked Freenode, especially because they have ssl, their own .onion server and are growing fast, but it's primarly for open source projects.
It's been more than 8 months now since I left Undernet, and everything works fine. A few users got a little confused, but things worked out in the end.

I think, even more than before now, that Undernet is just sticking its head into the sand and tries to ignore the reality. Other big networks are realizing the wish of their users for more privary and security (Tor/ssl) and offer it; Undernet instead decides to simply block. Shells with bouncers or a 24x7 running computer at home may work, but that's quite a waste when others do not require such workarounds. Of course IRC is a privilege and a free service, but that does not mean you are not allowed to improve the service; and that's what the others do. Free does not justify stagnation. Other free services (GMail, Facebook, Twitter, you name it) are starting to provide more security by offering ssl. They are not telling users that "it's free, so deal with it of gtfo". They listened like Quakenet/Freenode did: they realized that Tor/ssl is nothing evil.

In the long run, this attitude will kill the network. Even more, I believe Undernet is at a point where it can't really ban all the drones, because it would make their herders angry: they have enough capacity at their fingertips to cause some serious problems for the network. Having said that, banning Tor looks more like a "look, we're trying at least something" move.


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Sun Apr 03, 2011 12:11 am 
Senior Cservice Admin
User avatar

Joined: Sun Jul 06, 2003 2:47 am
Posts: 564
Location: Hamilton, New Zealand
SteveC wrote:
@xplora

I have to admit that you gave me a good laugh with that silly nitpickery.
A k/g-line is a ban, no? You can argue about that if you want, but I'll stick to the Wikipedia definitions.
For the affected user and chanop the result is the same. A channel cannot be joined.
You're just evading my question. And I thought evasion is not liked on Undernet ;)
So, still waiting for a serious answer...


A channel operator should not have the ability to stop someone from connecting to the network, otherwise they have the ability to block anyone and everyone they want, even if the user is not causing problems, not to mention you can become a channel op simply by joining an empty channel, so enabling such as idea could backfire on your well intentioned thought, as a hacker would simply create a command to join a channel and then ban all the ops from your channel... (now whose evading the question? and whose being silly?).

I really find it interesting what some people will say without thinking it through first. My answer about bans should not have needed this further explanation.

And to hi-light my point, what you are suggesting is similar to "Why don't we just give channel ops the ability to shut down your internet access?", no ISP will go for that, for all of the same reason's no irc/chat network, will go for the idea of allowing channel ops the ability to ban from the network.


-- fixed some typos


Last edited by xplora on Sun Apr 10, 2011 3:13 am, edited 1 time in total.


_________________
xplora @ undernet.org
Past Co-ordinator
Undernet Channel Services Committee
Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Sun Apr 03, 2011 1:14 pm 

Joined: Sat Feb 19, 2011 2:31 pm
Posts: 11
@xplora

I did not want to suggest to let a chanop ban someone from connecting to Undernet. That indeed would be silly and abused instantly. A chanop should never be able to set server/network-wide bans.

My suggestion was that Undernet lifts the network-wide tor block (or k-line, g-line or however you want to call it) and let them back onto the network. Since Undernet knows if a connecting host is a tor exit or not, it can simply set a cloak instead. This gives each and every chanop the option to block all tor users from joining their channel if they want, by banning e.g. "*!*@*.tor.undernet.org".

So:
1. tor user joe connects, gets cloak joe!bob@whatever.tor.undernet.org
2. joe joins #channel1
3. @channel1op says "go away", kicks joe and sets +b *!*@*.tor.undernet.org
4. joe joins #channel2
5. @channel2op says "oh hi, welcome"

That way, chanops who hate tor can keep such users easily out of their channels, while those users can still join all other channels. Trolls cannot harass #room1 since they cannot evade via tor once @room1op banned the cloak.


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Sun Apr 10, 2011 3:15 am 
Senior Cservice Admin
User avatar

Joined: Sun Jul 06, 2003 2:47 am
Posts: 564
Location: Hamilton, New Zealand
That then comes back to why doesn't undernet just hide all hosts, and is really another thread here somewhere.



_________________
xplora @ undernet.org
Past Co-ordinator
Undernet Channel Services Committee
Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Sun Apr 10, 2011 11:05 am 

Joined: Sat Feb 19, 2011 2:31 pm
Posts: 11
@xplora

That then comes back to why networks like Quakenet and Freenode have no problem to allow tor.

Why the hate?

Evasion? My suggestion would stop evasion while giving the freedom to decide to each and every chanop.

Hiding? That also can't be much of a reason, since others here suggested +x or bouncers to do that. Also, assinging a cloak does not imply that you have to hide the host. The cloak may very well be joe!bob@123.124.125.126.tor.undernet.org

And if you argue that tor per se hides you, why does Undernet care? It's not like Undernet sniffs for the government, or does it? As a tool for free speech, tor is a perfectly legal service and there is no offical reason for it to be blocked (Iran and China may think different about that though).


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Wed May 04, 2011 4:54 pm 

Joined: Wed May 04, 2011 4:10 pm
Posts: 5
This is a really good example of a reason why it is a very good thing that TORs are banned from the undernet:

I am a long term user (since 1996) and the current manager of an undernet channel with a long history going back to at least 1995. I'm struggling with a stalker who lives nearby, who is known to me and who knows my identity, and who is stalking me on the undernet. This has been going on intermittently for several years and he has now started using tors to evade channel bans. He has previously successfully used this method to evade bans on freenode and has forced the abandonment of a channel there.

While the current pool of regulars in our channel is relatively small, we have an enormous pool of old members going right back to 1995 who drop by from time to time, who we do not want to lock out by setting a key.

Until recently, the tors he used were only very occasionally automatically G-lined by the undernet, but today the system seems to have suddenly become much more effective, detecting about 90% to 95% of my stalker's attempts at entry.

Unfortunately he succeeds in joining the channel before getting G-lined a couple of seconds later. This leads to an ongoing series of joins and G-lines at intervals of a few minutes as well as allowing him access, albeit very briefly, to the channel.

As you might imagine, just as he intends, this is really getting on my nerves and is seriously cheesing off other channel users too. As far as he is concerned, IRC is a public space, and anything he can find a way to do is acceptable behaviour. Not surprisingly, he describes himself as an anarchist too.


One more measure would pretty much eliminate this issue:

If there were a way to prevent clients from joining our channel until they have been logged into a server for long enough to have been detected as a Tor, say 5 seconds or so, then my stalker would never gain entry to the channel.

Is this something I can implement on a channel level, or would it have to be implemented at server level?

Is there a cat in hells chance of anyone implementing it?

You can get an idea of the scale of the problem from how frequently he joins our channel:

[21:55] * nephrodinic has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 212.74.233.43))
[21:57] * awardment has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 68.206.36.124))
[22:03] * overhonesty has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 75.30.97.142))
[22:11] * intercircle has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 128.233.94.137))
[22:16] * ventromyel has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 98.212.204.40))
[22:21] * freckleproof has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 80.79.125.131))
[22:22] * dogal has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 77.41.78.126))
[22:24] * shamefacedly has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 217.211.78.184))
[22:26] * executively has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 213.9.93.174))
[22:27] * reluctant has quit IRC (G-lined (AUTO [1] DNSBL listed. Check http://www.swiftbl.org/lookup for removal. Your IP is 83.227.30.29))
[22:29] * phaeophycean has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 76.5.40.10))
[22:29] * unspiced has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 31.163.103.161))
[22:33] * unwalkable has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 180.149.96.69))
[22:36] * Campodea has quit IRC (G-lined (AUTO [1] DNSBL listed.
TORs are forbidden on this network. Your IP is 98.113.149.36))
[22:37] * mandibulosus has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 82.183.140.104))
[22:37] * arthrocarcin has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 62.107.252.144))
[22:41] * unweddedly has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 94.50.106.109))
[22:58] * unhooper has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 87.18.45.7))

(channel key set from 22:58 to 00:02)

[00:38] * gastrula has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 173.0.52.171))
[01:03] * rhodizite has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 77.65.144.81))
[01:16] * phthisiogeni has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 83.233.187.231))
[01:27] * thyreoiditis has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 109.107.35.128))
[01:34] * rejecter has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 78.107.237.16))
[01:38] * inconsonantl has quit IRC (G-lined (AUTO [1] DNSBL listed. TORs are forbidden on this network. Your IP is 91.66.3.127))

(channel key set again at 01:38)


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Thu May 05, 2011 9:09 am 

Joined: Sat Feb 19, 2011 2:31 pm
Posts: 11
@zebedee

Actually, it is not a good example. You could have better results if Undernet would cloak tor users like I've suggested and explained before. You can then simply ban the tor-cloak from your channel, while other channels can still allow tor users. Besides, there are still other proxies which are not yet blacklisted, so it's only a matter of time until he switches to those if he's serious enough. Then Undernet's tor g-line will not help you anymore and just block more innocent users. But for now, a cloak would solve your problem better.

This problem would be easy for you to solve if Undernet would provide a nickserv like other networks. Then you could block all unregistered nicks from joining your channel, or redirect them to another channel. Freenode for example offers this and some channels there forward you to #channel-unregistered to let you know that you need to auth to nickserv. Of course your troll can register a nick and auth, but it's more work for him than banning them is for you.

The problem is bascially Undernet's refusal to improve its network with cloaks and a nickserv.


Offline
 Profile  
 
 Post subject: Re: Annyoing "security" policy
PostPosted: Thu May 05, 2011 6:09 pm 
Senior Cservice Admin

Joined: Mon May 11, 2009 11:15 am
Posts: 14
zebedee wrote:
This is a really good example of a reason why it is a very good thing that TORs are banned from the undernet:
I am a long term user (since 1996) and the current manager of an undernet channel with a long history going back to at least 1995. I'm struggling with a stalker who lives nearby, who is known to me and who knows my identity, and who is stalking me on the undernet. This has been going on intermittently for several years and he has now started using tors to evade channel bans. He has previously successfully used this method to evade bans on freenode and has forced the abandonment of a channel there.

If there were a way to prevent clients from joining our channel until they have been logged into a server for long enough to have been detected as a Tor, say 5 seconds or so, then my stalker would never gain entry to the channel.

Is this something I can implement on a channel level, or would it have to be implemented at server level?

Is there a cat in hells chance of anyone implementing it?


Something like this would have to be implemented at a server level and probably would be unlikely to be done globally given that since the service needs to check dnsbl's for every client connecting to the network(which at times can be quite a lot) and also some time would need to be allowed for lag between the different servers..while I'm not sure the exact amount of time that would be needed to reliably ensure that clients are checked before being able to join, it would likely be significantly more than 5 seconds and long enough to be annoying to the majority of users who are not on tors or other banned hosts. Individual servers can of course set klines on known tor hosts or use other methods to locally block them which would prevent them from connecting in the first place or allow for them to be glined locally much faster once they do connect, however this is up to each individual server admin to implement or not on their particular server. As was noted in another post though, the effectiveness of any of these will be limited by the fact that not all proxies will be known and blacklisted.

As for what you can do about them, there are a few options. First of all, if there is any pattern to the nicks or idents that this person uses, you could try setting bans based on those rather than the ip/host. Second and probably far more effective, while undernet does not have nick registration, we do have username registrations along with channel mode +r to prevent unregistered users from joining the channel. Although new username registrations are currently unavailable due to severe ongoing ddos attacks(hoping to have this resolved soon though), if most/all of your users already have usernames, this might be an option. Also note that if someone without a username wishes to join, an op can invite them which allows them to bypass this(and any other channel modes preventing them from joining). You can also try emailing abuse@undernet.org with those logs(preferably with full whois info on this person as well) and see if they may be able to provide additional assistance.

Finally, especially given that this person lives nearby and knows who you are, if they are continually stalking you like this, you might also try contacting their internet servicde provider(if known) or even your local law enforcement agency(particularly if they are making any threats against you or stalking in any ways other than merely joining your channel) and provide the same logs/whois information to them to find out if they can take further action based on that.


Offline
 Profile  
 
Display posts from previous:  Sort by  
 Page 3 of 5 [ 64 posts ]  Go to page Previous  1, 2, 3, 4, 5  Next

All times are UTC [ DST ]


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  

cron