"Got ZNC?" is a little weird real name #818

Closed
Mikaela opened this issue Jan 17, 2015 · 29 comments

Comments

@Mikaela
Contributor

commented Jan 17, 2015

At one IRC channel we were discussing the real name and "Got ZNC?" is a little weird. I think that something like "ZNC %VERSION%" (Supybot does this too) would be good default (if expandstrings are allowed there). There was opposition as this would make znc more exposed for targeted vulnerabilities, but it might also make users upgrade faster if that happened.

There was also another advantage of changing the default real name to anything: tracking old ZNC versions.

And of course, users can still set it as whatever they wish.

@DarthGandalf

Member

commented Jan 17, 2015

> There was also another advantage of changing the default real name to anything: tracking old ZNC versions.

What do you mean?

@Zarthus

Contributor

commented Jan 17, 2015

If someone has "Got ZNC?" in their realname you can conclude they are using ZNC <= 1.5, and if someone has "ZNC 1.6" in their name you can conclude they are using znc 1.6 (And let's assume 1.8 is out, may need to upgrade to 1.8 to resolve an issue)

It's not the most reliable way to get a znc version, but may be an easy shortcut for people who are lazy to configure their realname.

@kylef

Member

commented Jan 17, 2015

I'd rather by default we don't expose the version to every user on IRC. Such change would make it easier for people to identify ZNC users, and which specific version they are running. A simple WHO #channel would expose all users with ZNC and which version. This makes it really easy to pinpoint vulnerable users to attack (http://www.cvedetails.com/vulnerability-list/vendor_id-9558/ZNC.html).

@Zarthus

Contributor

commented Jan 17, 2015

This was my primary concern as well, but two strong counterarguments raised were:

  1. it ensures people will stick to the latest versions of znc
  2. it is really easy to change your realname.

Which does make it more manageable if you think of it that way. And the current default string ("Got ZNC?") also exposes the use of ZNC (and possibly means you are using old versions which are more exploitable and less secure, like <1.0), this one just also lists the version.

It'd also be possible to make it default be ZNC %VERSION%, and let znc administrators change the default realname (kinda redundant, admittedly.)

That all said, I'm in favor of the issue, despite the small risk it comes with.

@DarthGandalf

Member

commented Jan 18, 2015

It's already possible to get the version, to some extent. E.g. web page with login prompt can be slightly different between versions. But it's better not to show the version to everyone by default.

However, I agree that "Got ZNC?" is a weird default.

@Zarthus

  1. that is 0.206+deb2, right?
  2. it's really easy. But somehow lots of people don't do it, and have "Got ZNC?"
@Zarthus

Contributor

commented Jan 18, 2015

  1. Mostly, yes. But not everyone.
  2. The ratio seems to be roughly 1:100 users on irc. 42/794 (5.2%) in #znc (freenode) at the moment (which is a heavily focused znc channel), 22/1335 in #freenode (freenode) and 1/221 in a general chatting channel.

If not including the version, you could always do %accountname%|%primarynick% using ZNC, %primarynick% (exposes accountname / not everyone may like having their name in it) or ZNC. I'm not really sure what else would really fit there as a nice default.

@dgw

Contributor

commented Jan 18, 2015

It's completely outside anything that's been suggested before, but I've seen clients do it: Why not make the realname "…"?

@Mikaela

Contributor Author

commented Jan 18, 2015

> I'd rather by default we don't expose the version to every user on IRC. Such change would make it easier for people to identify ZNC users, and which specific version they are running.

If the user is detached from ZNC, doesn't ZNC reply to CTCP version with the version number anyway?

> It's completely outside anything that's been suggested before, but I've seen clients do it: Why not make the realname "…"?

That doesn't look so nice as a realname. How about just "ZNC user"? Or "I am too lazy to edit this field" :P?

@DarthGandalf

Member

commented Jan 18, 2015

@dgw Because we still want to advertise ZNC itself (without exposing version)?

@DarthGandalf

Member

commented Jan 18, 2015

> If the user is detached from ZNC, doesn't ZNC reply to CTCP version with the version number anyway?

Good finding.

DarthGandalf added a commit that referenced this issue Jan 18, 2015
Thanks to Mikaela for finding this.
See #818
@Mikaela

Contributor Author

commented Jan 18, 2015

Changing that has the same issue, now when you CTCP VERSION ZNC user who has old version, the version number is returned.

Security through obscurity is not security to me. It also appears that HexChat even gives kernel version.

2015-01-18 10:20:24+0200 < md_5> -md_5- VERSION HexChat 2.10.0 / Linux 3.16.0-29-generic [x86_64/1.10GHz/SMP]
2015-01-18 10:20:30+0200 < md_5> heh
2015-01-18 10:20:41+0200 < md_5> that even provides my kernel version
2015-01-18 10:20:45+0200 < md_5> maybe znc should do that too
@DarthGandalf

Member

commented Jan 18, 2015

We can't change the old versions, obviously. But for new versions, it's not so clear which future vulnerabilities it has.
If user wishes so, they can set a custom reply to VERSION, which contains %version%.
Why is what HexChat is doing right?
Yes, it's obscurity, but most users are not going to magically upgrade anyway until Debian upgrades them.

@Mikaela

Contributor Author

commented Jan 18, 2015

> Yes, it's obscurity, but most users are not going to magically upgrade anyway until Debian upgrades them.

Debian might get more interested in upgrading them if there are security issues that are actively exploited...

@kylef

Member

commented Jan 18, 2015

> Debian might get more interested in upgrading them if there are security issues that are actively exploited...

@Mikaela Debian won't upgrade the version due to security issues, instead they will backport the patch to their "stable" version of ZNC.

@kylef

Member

commented Jan 18, 2015

> It's already possible to get the version, to some extent. E.g. web page with login prompt can be slightly different between versions.

> If the user is detached from ZNC, doesn't ZNC reply to CTCP version with the version number anyway?

That's correct, but that's querying each client individually (or figuring out their IP and port etc). It's a lot more work than simply querying WHO on a large channel (such as freenode) and getting a complete list of users along with their ZNC versions in one single go.

> WHO #ubuntu
:wilhelm.freenode.net 352 kylef #ubuntu ... Some name
:wilhelm.freenode.net 352 kylef #ubuntu ... ZNC 1.6
:wilhelm.freenode.net 352 kylef #ubuntu ... ZNC 1.7
:wilhelm.freenode.net 352 kylef #ubuntu ... Some name
:wilhelm.freenode.net 352 kylef #ubuntu ... ZNC 1.5
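As an added illustration of what the WHO output above exposes (this is not code from the thread or from ZNC), the following Python parser reads RPL_WHOREPLY (352) lines and groups nicks by whether their realname discloses a ZNC version, only the use of ZNC, or neither, which is the ratio an operator would measure on their own network, as Zarthus did for #znc. The sample lines are constructed; the user/host fields elided in the thread are filled with placeholder values.

```python
import re

# Constructed sample RPL_WHOREPLY (352) lines modelled on the thread's WHO #ubuntu excerpt;
# user/host fields are placeholders. Each reply has the shape:
# :<server> 352 <me> <channel> <user> <host> <server> <nick> <flags> :<hopcount> <realname>
SAMPLE_WHO = """\
:wilhelm.freenode.net 352 kylef #ubuntu ~alice host1.example wilhelm.freenode.net alice H :0 Some name
:wilhelm.freenode.net 352 kylef #ubuntu ~bob host2.example wilhelm.freenode.net bob H :0 ZNC 1.6
:wilhelm.freenode.net 352 kylef #ubuntu ~carol host3.example wilhelm.freenode.net carol G :1 ZNC 1.7
:wilhelm.freenode.net 352 kylef #ubuntu ~dave host4.example wilhelm.freenode.net dave H :0 Got ZNC?
:wilhelm.freenode.net 352 kylef #ubuntu ~erin host5.example wilhelm.freenode.net erin H :0 ZNC User
:wilhelm.freenode.net 315 kylef #ubuntu :End of /WHO list.
"""

# A realname starting with "ZNC <number>" discloses the bouncer version.
VERSION_RE = re.compile(r"^ZNC\s+\d+(?:\.\d+)*")


def parse_who_reply(line):
    """Return (nick, realname) for one 352 line, or None for any other numeric."""
    if line.startswith(":"):
        line = line[1:]
    # The trailing parameter (":<hopcount> <realname>") may contain spaces,
    # so split it off before tokenising the fixed fields.
    head, sep, trailing = line.partition(" :")
    if not sep:
        return None
    fields = head.split()
    if len(fields) < 9 or fields[1] != "352":
        return None
    nick = fields[7]
    _hopcount, _, realname = trailing.partition(" ")  # hop count precedes the realname
    return nick, realname


def classify_realname(realname):
    """'version': ZNC version disclosed; 'software': only ZNC use disclosed; 'none': neither."""
    if VERSION_RE.match(realname):
        return "version"
    if "znc" in realname.lower():
        return "software"
    return "none"


def disclosure_report(who_output):
    """Group nicks by what their realname discloses, the per-channel ratio the thread estimates."""
    report = {"version": [], "software": [], "none": []}
    for raw in who_output.splitlines():
        parsed = parse_who_reply(raw)
        if parsed is not None:
            nick, realname = parsed
            report[classify_realname(realname)].append(nick)
    return report
```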
@DarthGandalf

Member

commented Jan 18, 2015

@kylef or just send CTCP VERSION to the whole channel in a single go

@Mikaela

Contributor Author

commented Jan 18, 2015

> @Mikaela Debian won't upgrade the version due to security issues, instead they will backport the patch to their "stable" version of ZNC.

This also probably works to fix the issue temporarily.

> @kylef or just send CTCP VERSION to the whole channel in a single go

This is prevented by +C, but freenode has a bug with statusmsgs, so you can /CTCP +#channel version to version every voiced user (assuming that you are voiced). You can see supported statusmsgs in /version.

> If the user is detached from ZNC, doesn't ZNC reply to CTCP version with the version number anyway?

To add more to this: the WHO #ubuntu probably also works here, as simple_away and awaynick are popular modules; see who has an away status similar to their default, version the user, and now you know people who are away and run ZNC older than the recent 1.5.

@DarthGandalf

Member

commented Jan 18, 2015

> This also probably works to fix the issue temporarily.

No, it doesn't. When it's too hard to backport the patch, they don't backport it.

@Mikaela

Contributor Author

commented Jan 18, 2015

> No, it doesn't. When it's too hard to backport the patch, they don't backport it.

Which will possibly increase the amount of complaints to Debian?

@sfan5


commented Jan 18, 2015

Sorry to interrupt the discussion, but I think it doesn't make sense to leave the version out of the CTCP VERSION reply. It's named VERSION because it is supposed to inform the person doing the CTCP of the client version and not just the client name.

@nyuszika7h


commented Jun 26, 2015

@dgw

> Why not make the realname "…"?

Then you will be mistaken as a mIRC user. I think mIRC uses that realname.

@Mikaela

Contributor Author

commented Jun 26, 2015

Does mistaking as user of X matter?

@dgw

Contributor

commented Jun 27, 2015

No, who cares? Realname doesn't/shouldn't imply any particular client, which is kind of the point of this issue.

@Mikaela

Contributor Author

commented Sep 9, 2015

Can real name be empty and use expandstrings? If yes, I propose "%empty%" (#1049).

@Zarthus

Contributor

commented Sep 9, 2015

user zarthus_ 0 0 :
:irc.server.net 461 * USER :Not enough parameters
@Mikaela

Contributor Author

commented Sep 9, 2015

😦 how about ZNC %version%? Isn't it acceptable now that the default CTCP version reply appends "via ZNC 1.6.1"? If someone has a problem with it, it's changeable.

@Zarthus

Contributor

commented Sep 9, 2015

It is; realnames can contain pretty much every character to my awareness, they just can't be empty, and will silently truncate past a certain number of characters (I think 50 on chary?)

Mikaela added a commit to Mikaela/znc that referenced this issue Sep 9, 2015
I am not fully sure if this is valid, but if it can be put as realname
in webadmin, why not here.

I use %version% as the default CTCP reply adds "via ZNC %version%", so I
think it's acceptable and makes more sense than the previous "Got ZNC?".

I am also not sure if there are tests for this part, so I am not
skipping CI just in case.

Closes znc#818
@DarthGandalf

Member

commented Sep 19, 2015

@Mikaela CTCP version reply shows either "ZNC" or "ZNC 1.6.1" depending on another setting. So no, unconditionally exposing version in real name is not acceptable.
"ZNC user" would be fine though, at least it's not as weird as "Got ZNC?"

Mikaela added a commit to Mikaela/znc that referenced this issue Sep 20, 2015
Closes znc#818
@Mikaela

Contributor Author

commented Sep 20, 2015

Done, but changed to "ZNC User".

Mikaela added a commit to Mikaela/znc that referenced this issue Sep 20, 2015
Closes znc#818
jpnurmi added a commit to jpnurmi/znc that referenced this issue Sep 20, 2015
@jpnurmi jpnurmi closed this in 6ad7cdb Sep 20, 2015
DarthGandalf added a commit that referenced this issue Feb 23, 2016