Site Tools


security

Security Issues

EPIC is an extremely flexible client. To borrow a phrase from many a C programmer, it gives you enough rope to hang yourself. With caution and some common sense, this isn't a problem.

By far, the most potentially dangerous facility is ON. Because hooks can be set to activate on any arbitrary input, and because they can perform most any action when activated, they are often used for malicious purposes. Consider the following:

 on ^msg "% obey *" {
    $2-
 }

This allows anyone to make your client perform any command, simply by sending you a message beginning with “obey”, followed by any command. On top of that, you won't even see the message, and if the perpetrator is careful, you won't see its output either.

Social engineering is also a problem on irc. EPIC attempts to combat this with special configuration settings that disable certain “dangerous” commands. Of course, experienced users can disable these settings, but novices should think twice before doing so.

Above all, lack of education is probably the biggest problem associated with the client. Think twice before typing a command you aren't familiar with. Think twice before loading a script someone has given you, if you don't understand how it works.

security.txt · Last modified: 2006/08/29 16:08 by 127.0.0.1