[IRCServices] Follow up to LINK/REGISTER mail

Andrew Church achurch at achurch.org
Sun Jun 10 21:50:23 PDT 2007


>Just as a follow up, the process for generating random nicks is
>weakened by only using rand() the first time - if that's in use, the
>nicks will be predictable in a series, meaning a malicious user can
>register or link the next N nicks that will pop up and splat the same
>person repeatedly.

     This is intentional, to minimize the possibility of two users getting
assigned the same guest nick (which can be a real danger on networks with
9-character nicknames; the birthday paradox tells us that the chance of a
collision on 4-digit random numbers hits 50% at around 117 guest users,
which isn't out of the question on large networks).  This does, of course,
leave open the possibility of users actively trying to collide guests, but
(1) that requires an active attack, not simply passive registration, and
(2) as I've always said, if you've got users actively trying to cause
trouble, that's what you, the administrator, are there to take care of.

  --Andrew Church
    achurch at achurch.org
    http://achurch.org/
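The birthday-paradox figure in the reply (about 117 guests for a 50% chance of a collision among 4-digit random suffixes) can be checked directly. The following is an added worked example, not code from IRC Services; the guest-nick format ("Guest" plus four digits under a 9-character limit) is assumed for the scenario, and the exact computation shows the threshold is 119 while the closed-form estimate gives about 117.7.

```python
import math


def guest_collision_probability(users: int, space: int) -> float:
    """Probability that at least two of `users` guests are assigned the same
    random value when each is drawn uniformly from `space` possibilities.
    Exact birthday computation: 1 - prod_{i=0}^{users-1} (space - i) / space."""
    if users > space:
        return 1.0  # pigeonhole: more guests than values guarantees a collision
    no_collision = 1.0
    for i in range(users):
        no_collision *= (space - i) / space
    return 1.0 - no_collision


def users_for_collision_probability(space: int, target: float) -> int:
    """Smallest number of concurrent random guests at which the collision
    probability reaches `target` (exact linear search, fine for small spaces)."""
    n = 1
    while guest_collision_probability(n, space) < target:
        n += 1
    return n


def birthday_estimate(space: int) -> float:
    """Closed-form approximation for the 50% point: sqrt(2 * space * ln 2)."""
    return math.sqrt(2 * space * math.log(2))


# Constructed scenario: "Guest" + 4 digits fits a 9-character nick limit,
# so a purely random suffix has only 10**4 possible values.
GUEST_DIGITS = 4
GUEST_SPACE = 10 ** GUEST_DIGITS

if __name__ == "__main__":
    print("estimate for 50%:", round(birthday_estimate(GUEST_SPACE), 1))
    print("exact 50% threshold:", users_for_collision_probability(GUEST_SPACE, 0.5))
    print("exact 1% threshold:", users_for_collision_probability(GUEST_SPACE, 0.01))
```

A sequential counter (the behaviour the reply defends) never collides but is trivially predictable; the numbers above quantify what fully random assignment costs in return for unpredictability.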