Practical Privacy Guide:IRC and Chatrooms

I believe everyone knows about IRC, an amazing communication tool that makes it possible to chat and exchange files with any Internet user no matter where he is physically located. IRC has left far behind such clumsy things as browser-based chats as well as chat-rooms offered by online services like AOL and MSN. The last two ones, totally controlled and moderated, where any user can be easily and unmistakably identified, are a real challenge to privacy. The guys don't even deny that they log all chats, public and private. It's like staying in a hotel that warns all visitors: everything you do in the room is photographed and filed for future reference; you must submit your social security number before entering the bathroom; all your conversations are recorded, no obscenities. Would you stay in a hotel like that? No? Than never subscribe to AOL or MSN. IRC is not like that, and yet there are chances that your privacy on IRC might be violated too. And since there are many people who spend more time chatting on IRC than browsing WWW, I think it reasonable that we talk about this issue.

Being hunted
Your privacy on IRC can be violated due to the following reasons:

1. Technical possibility of logging your private chats. The solution is pretty simple: if you think that the topic you discuss with someone is private, don't chat on the channel, even if there is no one else on it besides you and your friend. Also don't use /msg command or query window, which is the same thing. Instead use DCC (Direct Client to Client). When you use DCC information is transferred directly between you and the person you talk to bypassing the IRC server, which you can even disconnect from if you want. Note that even DCC is highly insecure because the text you type can be viewed at any of the hosts via which the information passes. If you want to make sure that your conversation is totally private, use the techniques described in the Secure Communication chapter.

2. Collecting information about the channels you are on with subsequent identification of the user. Let's assume there is a politician unwilling to disclose his homosexual orientation. Being quite sure of his anonymity, he's a frequent visitor of channels like #gay or #blackleather. He talks to people, than sends and receives mail from his cyber friends. And then one day he opens a tabloid newspaper and finds all his letters and chat logs published in it. Not very pleasant. But the situation is realistic. How can it be possibly done? Read Hunting section. And here are the tips about how you can reduce the risk of being identified.

Rule #1: don't give your real e-mail address in the Setup. Rule #2: become "invisible". This option makes it possible to hide from anyone who tries to find you by your domain name, userid or real name without knowing the exact spelling of your nick (such search can be done by /who or /names command, see below). To become invisible you need to type /mode $me +i. This command can also be included in the list of commands performed on connection (mIRC Options=>Perform). In the latest versions of mIRC 5.** you need to simply check invisible mode in the Setup menu. Rule#3: don't tell anybody your e-mail address unless you are sure of this person. Or at least give your second (alternative) address.

Well, seems to be all you can do. Now let's have a look at how other IRC users can get to know something about you (or you about them)

Hunting
Here we assume that it's not easy to fake a domain name or IP address and there are very few people who do it, although such methods exist and are considered below.
1. Listing users by their domain name, real name or userid. This can be performed by /who command. By the way, this command isn't mentioned in the mIRC help file, Strange, isn't it;) When one does a /whois commend, one gets a typical output like this:

ShowTime  ~mouse@ml1_12.linknet.net * May flower
ShowTime on #ircbar #newbies  
ShowTime using Oslo-R.NO.EU.Undernet.org [194.143.8.106] Scandinavia Online
AS
End of /WHOIS list.

/who command allows to make a search pattern using a person's domain name, real name or userid, or at least a part of it. Let's say we're looking for someone from global.de domain. The command line should look like that:

/who *global.de*

Or we want to list all users from Singapore:

/who *.sg*

Or we've talked to Mr. (or Mrs., you never know on IRC) Showtime and want to find him again:

/who *mouse*, or 
/who *flower*

You can be found like that too unless you use /mode $me +i command, as described above.

2. Finding out e-mail address. Generally it's a difficult task but sometimes one can succeed. Let's start with a "brute force" attack. Typing /ctcp ShowTime userinfo (or just using the menu) will show you the e-mail address given by the user. Since there are very few people who give their real addresses chances that we get a true address are low. If the domain that we get matches the one listed in /whois reply, than there is a hope we got the real address.

Another option is using the information that we got from doing /whois on a user. It's very difficult to fake the domain name, so we know for sure that Showtime is from linknet.net domain. That is the first step. It often happens that we get a digital IP address after the @ sign which due to a certain reason couldn't be resolved when the user was connecting to the server. Such digital address can be sometimes resolved by using /DNS ShowTime command. If we get a result, we can skip to the next paragraph. If not, another technique can be applied. For that you must have either CyberKit or any other Winsock application with TraceRoute function. This function makes it possible to trace the route from your IP address up to the IP address sought (ShowTime's one). The last address resolved by name will most probably give us his domain name.

Now next step. We have either got a user's full IP address (ml1_12.linknet.net in our case), or at least the domain name (linknet.net). In the first case we can try to use finger tool (either in one of the mentioned applications or right in the mIRC, where there is a Finger button on the Toolbar), and try to list all current users from linknet.net domain. For that we have to finger @linknet.net (no userid needed).If we're lucky, we get something like that:

Trying linknet.net
Attempting to finger @linknet.net

[linknet.net] 
Login       Name       TTY     When          Where
root     0000-Admin   console  Fri 16:27 
henroam  John Brown    pts/1   Tue 10:57  pckh68.linknet.net
pailead   Jack White   pts/2   Tue 11:03  ml4_17.linknet.net
oneguy  Michael Lee    pts/3   Tue 11:08  ml1_12.linknet.net
sirlead6 Joan Jackson  pts/4   Tue 11:05  ml4_16.linknet.net

End of finger session

Here is our ml1_12, belongs to oneguy@linknet.net. Please mind that sometimes you can get a reply to your finger query only if you belong to the same domain with the user you're looking for. The solution is simple: find someone from linknet.net (/who *linknet.net* ) and ask him to do the query for you.

In both of the cases there is one more option. If the "hunter" knows the real first or last name of the person, one can finger firstname@domain or lastname@domain. Foe example fingering helen@main.com2com.ru will give you the list of all users whose first name is Helen with their userids.

Well, seems that it's all a "hunter" can do. And once you know the e-mail address, you can possibly find out the person's name. How? Read Searching for People.

IP Address Hiding
How do I hide my IP address on IRC? Letting alone IP spoofing, which is a very complicated technique hardly possible on Windows 95 platform, we are left with using SOCKS firewalls.

SOCKS Firewalls
A SOCKS firewall is a special sort of server similar to standard HTTP proxy servers. While HTTP proxy servers allow connections only from browsers, SOCKS servers can be used by your favorite IRC program. A lot of SOCKS firewalls belong to Wingate uses. Wingate is a program that allows several users in a local network to access the Internet via one telephone line. Naturally most of the users use default setup settings not knowing that such settings let anyone use their SOCKS server. Now if you find an IP address of a SOCKS firewall you can try to connect to IRC via that firewall on port 1080 (it can be set in mIRC Setup, Firewall tab). The only practical issue is to find a SOCKS firewall. One should scan certain IP range looking for the addresses that accept connection on port 1080. There are a lot of scanners on the Net, choose the one you like. Usually there are a couple of Wingate users within 255 dialup addresses of a big ISP. Lazy people can check Proxys-4-All where you can find a long list of working firewalls.

Zero-Knowledge
Freedom by Zero-Knowledge Systems is one of the best options for maintaining your anonymity on IRC. It is a package of privacy tools which is described in more detail in the Anonymous Surfing section of this web site. Freedom establishes a private channel via one or more of its servers, completely hiding your IP address and encrypting the data stream between your PC and Freedom servers so that even your ISP cannot track your internet activities. You can use your preferred IRC client software, Freedom will route the traffic via its servers and encrypt it. All of this sounds very bright, but there is also a dark side of this option. Freedom is not a freeware or free service, it costs $49,95 and then the same amount annually. Another issue is that Freedom is really the best, but you have to have trust in the company. All of your traffic is passing through the servers controlled by Zero-Knowledge Systems, so there is always a chance that the company may be watching you for some reason.

Back to index

This Privacy Guide was originally written by Mr.Byte in 1997-1998.