Sunday, May 19, 2013

Why IRC as corporate communication is a bad idea.

In a few companies I have worked. Programmers and DevOps seems to like using IRC as a communication system.

Usually they start using it in an informal way, along other solutions like Skype or Google hangout.

In the followings lines I will tell you why I belive is a very bad choice for communication in the corporate world.

1. Ancient

  The protocol was invented in 1988 by Jarkko Oikarinen. I'm don't saying old stuff is bad (quite the opposite, most of the time) but since not a lot of people use it nowadays you will impose an artificial limit in your abilities to comunicate with other people inside your company.

Also, since is not widely used. It will have a lower amount of eyes looking at it in the search of bugs and/or solutions.

2. Old problems are waiting to bite your ass.

  Even the biggest networks like Efnet or Dalnet (Even Freenode lately) have problems of connectivity like netsplits, lag, spam, identity hijacking, etc.

3. It's text based.

This fact is good and bad at the same time.

From the point of view of a programmer:

Making parsers for it it's a joy. Even if you do them on languages like C or C++.

I have spent hours, days, and years. rewriting them in every new language I learn.

They have evolved from simple nested if and elses to more elaborate dynamic dispatch systems, hot swappable modules, parsing logic on DDLs and a lot of other cool stuff.

From the point of view of a security enthusiast:

There is a lot of malware out there that comes with a rudimentary sniffing module.

For example the next piece of code belongs to a malware known as Agobot. It search for a substring of the IRC protocol on the incoming traffic of an infected machine:
if(strstr(szBuf, "JOIN #")) return true; 
if(strstr(szBuf, "OPER ")) return true; 
If that condition becomes true. It will send a warning to the operator of the malware network (Usually known as bot herder)

So, if any of the user of your network is infected with some sort of malware with that capability. You will expose the internal communication of the company to a group of script kiddies (if you have luck).

Yes I know. You can fix this by using SSL. But isn't enforced by default on most clients.

Take care and drop a comment if you like it!


Saturday, May 18, 2013