November 6, 2011

Nick registration risks

Even though your ISP may allow you email accounts with fake names, the requirement by IRC networks to use your private ISP email address – not a web email – for registration purposes could pose more risks to your security than the reason you wanted registration and a host mask in the first place!


PRO

Nick registration protects you from nukers, hackers and crackers while you are on IRC by hiding your IP address; but, according to Freenode, it does not GUARANTEE this protection.

If you hope to become an OP one day, or to have your own channel, then nick registration is mandatory on networks that offer registration services.

If your privacy is breached, despite registration, you can always change your ISP and start all over again.

CON

The only Internet organizations which have a legitimate need to request your private email address are those requiring financial transactions. Web mail is sufficient to gain entry to most other Internet services, including Facebook, isn't it? So, unless the future of IRC is to become a paid service (and this move would definitely separate the lamers from genuine users) – and gaining your private email address is a precursor to this happening – then the networks should be upfront and say so. Until this happens, no network has a right to your private information.

If you do not normally give your private ISP email address to people you do not know, then why on earth would you be giving it to an IRC network whose servers are all over the world and whose administrators are many – usually keeping a very low profile in that they rarely appear in channels – and were likely to have started off their IT careers being nukers, hackers and crackers themselves? Remember, too, that when you register with a local network, your information does not stay local – it is shared with the entire network.

Although the vast majority of network admins are above reproach, be aware that there are going to be rogues among them; and because IRC is a voluntary hobby organization like HAM radio or pigeon fanciers there is no consumer body you can appeal to if your privacy gets breached. Network admins are not paid for their work, and you do not pay to gain access to IRC - but that may all change soon. Right now, it's supposed to be all about sharing information, making friends and having fun, but it's often nothing like that at all.

Also, IRC networks themselves are prone to massive attacks, and if a good hacker can crack into government and corporate systems in order to gain sensitive information then it would be a walk in the park for an average hacker to gain email lists from IRC networks – and then you risk being spammed to death at your private home email address.

Nick registration also comes with various niggles. You may receive memos from Nickserv – similar to the ones you receive from your ISP – that you don't particularly want to receive (although you can turn this feature off); and registrations expire after 30 days (so if you're away from home on extended leave you need to remember to show up in time, which could be difficult if you're on safari in deepest darkest Africa, laid up on a hospital bed or having such a good time in real life that you just forget).

Registration and subsequent identity log-ins also need a password – and do you really and truly want another password to worry about on top of the umpteen you already have? Also, some systems set exactly 60 seconds for you to identify yourself when you turn up, otherwise you lose your nick. Stress! Turn off your cellphone, lock up the cats, dogs and kids and stick a "please don't disturb" note on the front door to ensure absolutely nothing distracts you during that crucial 60 seconds!

And, when it's time to quit, you won't be able to say 'bye all' and buzz off. Oh, no, you need to go through a logout procedure. If you fail to log out, then theoretically your nick is still in the system and some clever dick can find some way to impersonate you. And God help you if you somehow lose connection in the middle of an IRC session.

It goes without saying that you can't change your nick easily once you are registered, so if you like mucking around in channel with different nicks then registration is not for you.

Also, if you are still grappling with all the regular IRC commands then be prepared for a whole list of new commands and mumbo-jumbo pertaining to registration.

Finally, since it usually takes a few months before you settle down in a channel and make it your 'IRC home', you are faced with the dilemma - "Do I register before I check the channel out, or after?" If security is your #1 concern, then you need to register before you even set foot in a channel, and unless the network has many trivia channels you can try out (Undernet has the best variety of the networks offering registration) then you may have to register with many networks before you find what you want. Do you really want to give your private ISP email address to a whole bunch of networks that you may never again visit?

On the other hand, if you wait until you settle down somewhere before registering, then everyone in the channel already knows your IP address and if there is a rogue among them then you will still be subject to attack with your new host-mask – and you won't know who is attacking you because everyone else had host-masks before you arrived!

More confusing than ever is that when you enter a channel where everyone has host-masks - e.g. iamconcealed @ J3MF553P.7Z0K2702.3M5J0A9.IP - you discover that when you do a /who #trivia (while you are in the channel) to see how the server shows everyone in the channel, what looks like a normal IP shows up - e.g. iamconcealed 61.325.209.36. Presumably this must be the IP of the server they registered with, but why they would all be on different servers for a trivia game is strange because everyone knows that to beat lag you must join the same server that the trivia Bot is on. Perhaps they didn't know this when they registered (which is why it is important to wait a while); or - OMG - they are really not concealed at all!
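To take the guesswork out of the /who comparison above, here is an added example (not part of the original post, and not any network's own code) that reads the host field the server returns for your own nick and compares it with your real address. It assumes the RFC 2812 layout of the 352 (RPL_WHOREPLY) numeric; the sample lines, server name and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the RFC 2812 RPL_WHOREPLY (352) layout:
# :<server> 352 <me> <channel> <user> <host> <server> <nick> <flags> :<hops> <real name>
SAMPLE_WHO = [
    ":irc.example.net 352 me #trivia a J3MF553P.7Z0K2702.3M5J0A9.IP irc.example.net iamconcealed H :0 A",
    ":irc.example.net 352 me #trivia b 192.0.2.36 irc.example.net me H :0 B",
    ":irc.example.net 315 me #trivia :End of /WHO list.",
]

def parse_who_reply(line):
    """Return (nick, host) from a 352 line, or None for any other line."""
    head = line.partition(" :")[0]  # drop the trailing ":<hops> <real name>"
    fields = head.split()
    if len(fields) < 9 or fields[1] != "352":
        return None
    return fields[7], fields[5]

def exposure(host, my_ip, my_rdns=None):
    """Classify how a WHO host field relates to your own real address."""
    try:
        if ipaddress.ip_address(host) == ipaddress.ip_address(my_ip):
            return "raw-ip"
        return "other-ip"  # an IP literal, but not yours
    except ValueError:
        pass  # not an IP literal: a hostname or a mask
    if my_rdns and host.lower() == my_rdns.lower():
        return "reverse-dns"
    # ISP reverse names often embed the octets, e.g. 192-0-2-36.isp.example
    octets = my_ip.split(".")
    if len(octets) == 4 and all(
        re.search(rf"(?<!\d){re.escape(o)}(?!\d)", host) for o in octets
    ):
        return "embeds-ip"
    return "masked"

def check_own_mask(lines, my_nick, my_ip, my_rdns=None):
    """Find your own entry in WHO output; return (host, classification) or None."""
    for line in lines:
        parsed = parse_who_reply(line)
        if parsed and parsed[0].lower() == my_nick.lower():
            return parsed[1], exposure(parsed[1], my_ip, my_rdns)
    return None

if __name__ == "__main__":
    print(check_own_mask(SAMPLE_WHO, "me", "192.0.2.36"))
```

Anything other than "masked" for your own nick means the host shown in that reply still identifies your connection.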

Why, oh why, can't the IRC networks do something simple like automatically concealing everyone's IP upon entry, without the necessity for all of this rigmarole and mumbo jumbo? Participating in all other Internet activities is a simple matter of registering with a web email and selecting a nickname (which is the only thing about you that's shown to other users).

Think about it: Networks encouraging registration have already logged our IPs in case of trouble - and they have scanned for bouncers and proxies and banned them - so why do they need our private email address?
