Archive for the 'Security' Category

Securing the version

Monday, July 10th, 2006

As DC++ 0.692, 0.693 and 0.694 has come out, DC++ has become more secure. Well, atleast in a use-ADC thing. If you look at the changelog, you’ll notice a myriad of ‘TLS‘ being mentioned. Well, this only work on ADC. So ha! you NMDC-something-something…

Anyway, the new versions… Well, there isn’t much in them (besides the TLS, which I haven’t tested by the way)… In any case, I’d skip DC++ 0.692 and 0.693 since they have some nasty bugs…

Security through obscurity is not security

Wednesday, May 10th, 2006

If you were around the release of 0.307, and browsed the forum / were in the, at that time, public DC dev hub, you probably saw a lot of noice concerning a feature cologic added to DC++; * Ip column in transfer list and later in 0.400; * Ip in search frame

The noice, being that people were complaining that people now were able to see other’s IP. The IP, the only knowledge required for ‘crackers’ (malicious hackers) to breach a computer.

While a lot of people jumped on the “oh my god, crackers now know my IP, so now can they hack me”-wagon, little understood why the IP columns were completely useless (from a safety point of view).

Basically, IP has a “simple” job; To let DC++ know where to send messages and where a message has come from. This means, without DC++ knowing the IP of someone else, it cannot make a connection. Thus, transfers are impossible if not both sides know each other’s IP. (For a full description of what IP really does, I suggest you use a search engine.)

You see, the IP is know by DC++ with or without that extra IP column. And crackers (well, perhaps not the script-kiddies, which I don’t consider a ‘cracker’) know this too. A tool I use semi-frequently is TCPview. In it, you can see exactly how many connections DC++ has made. And you can see everyone’s IP. (TCPview is only “cmd /k netstat” [write it in ‘Run’] with a GUI.)

DC++ contains spyware!

Thursday, March 9th, 2006
Er, no, it doesn’t.
In the past, a few people have complained that DC++ and its developers collect information about its users. If you believe that, then you’re stupid.
When DC++ starts, the file version.xml is accessed to check if you have the latest version (by looking at the ‘Version’ tag). If you don’t, a popup with the information in the ‘Message’ tag is displayed. If you do, nothing happens. Nothing. Nothing.
If you open up the About box, you can see at the bottom ‘Latest version’. Again, the above file is accessed and the information in the ‘Version’ tags is displayed. Unfortunately, you will have to re-compile DC++ with this string removed if you don’t want your version to be checked against SourceForge.
People also seem to affiliate spyware with registry keys. DC++ does create three registry keys. A ‘adc’-, a ‘dchub’- and a ‘magnet:’-key is created. These keys are of course not essential to make DC++ run. The adc and dchub keys are so DC++ can recognize that you’ve clicked a adc:// or a dchub:// link and act accordingly to open up respective hub. The magnet: is used by magnet.exe (which you might find in your DC++ directory) and it makes it possible for you to click on a magnet: link. This is used for files and not to connect to hubs. To disable these keys from being created (and used by DC++), simply uncheck ‘Register with Windows to Handle dchub:// and adc:// URL Links’ and ‘Register with Windows to handle magnet: URI links’. (Located under Settings → Advanced).