I&#39;ve seen a case where a malicious user was using a nick close to the target nick, on an ISP that appeared to be close (but wasn&#39;t) ask a channel op (who was an IRCop) in an official help channel for ops, explaining that they didn&#39;t want to ident due to another malicious user. What followed was the channel being promptly script kicked. <br>
<br>Moral of the story: Security always fails at some point. Rather than restricting every possible avenue for abuse (which will only limit what legitimate users can actually do), we should provide the options, and have a balanced set of defaults which permits ease of beginner use, and provides flexibility for users who understand the system better. We&#39;re doing a fairly decent job of that now, but there&#39;s always some room for improvement. <br>
<br>P.S. IRC itself can be considered a huge security risk, but I for one still love it.<br><br><DEFANGED_div class="gmail_quote">On Mon, Jan 4, 2010 at 6:36 PM, Kobi Shmueli <DEFANGED_span dir="ltr">&lt;<a href="mailto:kobi@dal.net">kobi@dal.net</a>&gt;</DEFANGED_span> wrote:<br>
<blockquote class="gmail_quote" DEFANGED_style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><DEFANGED_div class="im">James Hess wrote:<br>
<blockquote class="gmail_quote" DEFANGED_style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The functionality is redundant.    If  you have IDENT   ON,  the<br>
entries by mask don&#39;t grant ops.  If you have IDENT OFF,   the<br>
individual channel operators  can use their NickServ Access lists for<br>
this,   and  there is no need to list the mask on the channel itself.<br>
<br>
In either case,  in the present internet,  it&#39;s a huge security risk,<br>
much larger than it was  16 years ago,  and the AOP/SOP  functionality<br>
has stayed basically the same all through this time,  despite changes<br>
in the threat environment;   present day prevalence of  botnets,<br>
zombies,  and  proxies-for-hire,  listing  access by  IP address is<br>
like hanging a  &quot;pwn me please&quot;  sign on your channel.<br>
</blockquote>
<br></DEFANGED_div>
I disagree with you, just because someone may use it too widely or incorrectly doesn&#39;t mean it&#39;s a security risk to all channels. Static IPs do exist and people can have legitimate reasons to use them on AOP/SOP lists and we should let them do it if they so wish.<DEFANGED_div class="im">
<br>
<br>
<blockquote class="gmail_quote" DEFANGED_style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
The default behavior at least  should  protect  channels against<br>
simple spoofing, and not  encourage  insecure practices.<br>
</blockquote>
<br></DEFANGED_div>
Furthermore, ChanServ SET IDENT is enabled by default so masks on AOP/SOP lists won&#39;t affect anything unless the founder specifically turns IDENT off.<br><font color="#888888">
<br>
-Kobi. <br>
</font></blockquote></DEFANGED_div><br>