I barely use it, so maybe people can correct me on this one if I've got it wrong, but: It seems to me like it's now used almost exclusively for communication around underworld/illegal stuff. I would definitely be quite scared to hang around IRC not being anonymous (not talking about freenode here, of course, which is where open source developer folk hang out).
> UnrealIRCd (a popular IRC server implementation) have actively refused
That's really moot because operators can certainly and easily snoop the traffic on the wire. Therefore I agree with the statement above that one should take IRC for what it is: lightweight, convenient, but don't assume any privacy - and it can be perfectly fine.
As a joke, my roommate at university logged into a IRC channel with the nickname and said:
[01:59.16] * Stakkato (tricky_t@128.42.86.9) has joined #C++
[01:59.17] * ChanServ sets mode: +o Stakkato
[01:59.21] <Stakkato> look i made drudgereport headlines!
[01:59.26] <Stakkato> http://www.drudgereport.com
[02:01.09] * Stakkato (tricky_t@128.42.86.9) Quit (Quit: )
It was #C++ on DALnet, a small channel of mostly regular members, in 2005. Fast forward a while -- I don't recall how long, maybe a few weeks or months -- and my friend is contacted by the FBI. A member of FBI Houston Cyber Task Force (Houston being our city of residence at the time). The investigator began asking very vague, obscure questions. Eventually my friend and I piece together the subject of the FBI's line of inquiry: that specific IRC conversation. My roommate was completely up front with them about the IRC joke, and that was the end of it. I still have copies of the email conversations from @ic.fbi.gov, where some correspondence took place.
I suppose there is a chance that an informant reported the joke to the FBI, but due to the specifics of the situation, I think it is likely that the text conversation above was caught in a a general FBI dragnet of some kind (IRC server, ISP, etc.) and logged for eventual investigation. It did not seem to be a serious line of investigation by the FBI - more of a "follow all leads" situation. Someone had run a 'grep' for 'stakkato' and my friend's IP address showed up.
That was the day when it became clear to me that everything in plaintext transiting the Internet is probably available to the FBI. At the time it was shocking; even though the conversation happened over a public network, it was surprising to me that the conversation was actually logged and later found. I hesitate to share this story, but I hope it illustrates in harsh relief the probable capabilities of incentivized investigators. Keep in mind this was 2005 - investigative capabilities have surely grown since then.
> "... IRC has no real place in the world of someone hoping to preserve their privacy."
Why is that? IRC supports SSL, of course, and many IRC networks offer "cloaks" (to hide your IP address from other users) and/or permit connections via Tor.
> It forces attackers to use a active attack rather than a passive one.
The MITM or eavesdrop can happen on a bridge. If the client doesn't check the certificate and accepts any, its about as good as plaintext. It could be worse, even, due to the false sense of security.
> Which is the only security most IRC can have anyway, since the attacker could just join the channel and listen in that way, since most IRC networks are public.
IRC network private or public is irrelevant.
There were, for sure, private channels back in the days (90s). Back then you could set a channel secret (hidden) and set a password on it, effectively making it a private channel (would not show up in /whois or /list). Bots could kick people who are unknown based on filters. For example, without an auth to an Eggdrop, you could get insta kickbanned even _with_ the correct password.
Then there's PMs which are one on one (except for server(s)).
If one of the IRC servers is compromised though (or tapped, or whatever), that makes sniffing a channel or PMs child play.
There's also the problem of data integrity. If you are asking for (or giving) help in #linux and someone can change the data on the fly, [...]
FWIW, UnrealIRCd, even back then, innovated (or invented) a lot of new features on top of IRC. Some of these added security, though I don't know examples out of my head.
Unless one is a security expert I highly doubt that a home-grown IRC system will be more secure than a professionally-run operation, other than simply being more obscure and not on a hacker's radar.
This is a very contentious topic but looking into the relatively recent Freenode vs Librem.chat debacle I think signifies how important privacy is to the common IRC user.
> IRC never held a particular promise of "privacy"
True, like almost all nice network protocols and implementations in heavy use of the 90s (NNTP/Usenet, Mail, IRC amongst others) no one did foresee the privacy/spam wave that hit us when the internet became famous. I remember in Europes most used IRC network at that time - IRCnet - it was mandatory to run an identd server that would tell the user of the logged in system to the IRC server, and it would display it to all users (along with the IP address of course). Imagine such requirements today...
I don't think IRC ever had much of an expectation of privacy. Just because you didn't keep logs yourself does not mean the IRC server didn't. Using a bouncer does nothing for that.
There's only IRC loggers that you can see, though - if you know (practically) everyone in a channel at a given point in time, you're reasonably safe - not 100%, but reasonably. Which is about good enough for most things.
Definitely not. It has always been a public communications channel. I don't think anyone ever had any privacy expectations regarding IRC.
reply