How to Escape the OOC Game
-
@Sunny That's...not entirely accurate, either.
Were someone skilled and malicious so inclined, having your name and email address provides a vector for an entirely different set of attacks. It provides a location for email information to pen test, your name and surname which could be used to affect family or other contacts gleaned through a successful pen test against your email. Background checks are cheap. In some cases this is how elderly family members are identified as targets for phone scams. Facebook runs this risk, too.
With decent network protection, your IP could still be backtraced for attempts on your router, but could be blocked and your devices kept safe. Howeeeeeeever. Default telnet use isn't just dangerous because of sniffing. It's also a port that you have told your system is an acceptable pipe in and out of your device.
Telnet is insecure because with some know-how (and mushes aren't tokenized), a spoofed signal with port information that you have approved could be used as an attack vector, as well. At that point it's approved communication through your router, so could potentially go unnoticed. At that point any virus or malware software would be your last line of defense.
In the end, it all comes down to:
- How much information you're willing to share over an insecure protocol
- Your level of trust in the mushing community as a whole that some RANDO wolf with some knowledge and capability doesn't feel like being a motherfucker
Not tryin' to scare, but thems facts.
-
@Ghost said in How to Escape the OOC Game:
@Sunny That's...not entirely accurate, either.
Were someone skilled and malicious so inclined, having your name and email address provides a vector for an entirely different set of attacks. It provides a location for email information to pen test, your name and surname which could be used to affect family or other contacts gleaned through a successful pen test against your email. Background checks are cheap. In some cases this is how elderly family members are identified as targets for phone scams. Facebook runs this risk, too.
With decent network protection, your IP could still be backtraced for attempts on your router, but could be blocked and your devices kept safe. Howeeeeeeever. Default telnet use isn't just dangerous because of sniffing. It's also a port that you have told your system is an acceptable pipe in and out of your device.
Telnet is insecure because with some know-how (and mushes aren't tokenized), a spoofed signal with port information that you have approved could be used as an attack vector, as well. At that point it's approved communication through your router, so could potentially go unnoticed. At that point any virus or malware software would be your last line of defense.
In the end, it all comes down to:
- How much information you're willing to share over an insecure protocol
- Your level of trust in the mushing community as a whole that some RANDO wolf with some knowledge and capability doesn't feel like being a motherfucker
Not tryin' to scare, but thems facts.
Placing my picture, name, and hometown on Facebook without privacy settings locking them down and making them !searchable puts me at far more risk than anything else you have mentioned.
-
@Roz said in How to Escape the OOC Game:
I am pretty damn particular with my email/RL name because I am literally the only person with it. Both first and last name are very uncommon, so the combination is entirely unique. The idea of sharing that casually is totally unnerving to me just because of that.
Smart call. I know of a handful of people who know my real name, but once that's out I don't really have control over who shares it, but whatevs. Security isn't a thing you are. Like tai chi, it's a practice ya gotta upkeep. Everyone lets bits of information trickle here and there.
-
@Sunny said in How to Escape the OOC Game:
@Ghost said in How to Escape the OOC Game:
@Sunny That's...not entirely accurate, either.
Were someone skilled and malicious so inclined, having your name and email address provides a vector for an entirely different set of attacks. It provides a location for email information to pen test, your name and surname which could be used to affect family or other contacts gleaned through a successful pen test against your email. Background checks are cheap. In some cases this is how elderly family members are identified as targets for phone scams. Facebook runs this risk, too.
With decent network protection, your IP could still be backtraced for attempts on your router, but could be blocked and your devices kept safe. Howeeeeeeever. Default telnet use isn't just dangerous because of sniffing. It's also a port that you have told your system is an acceptable pipe in and out of your device.
Telnet is insecure because with some know-how (and mushes aren't tokenized), a spoofed signal with port information that you have approved could be used as an attack vector, as well. At that point it's approved communication through your router, so could potentially go unnoticed. At that point any virus or malware software would be your last line of defense.
In the end, it all comes down to:
- How much information you're willing to share over an insecure protocol
- Your level of trust in the mushing community as a whole that some RANDO wolf with some knowledge and capability doesn't feel like being a motherfucker
Not tryin' to scare, but thems facts.
Placing my picture, name, and hometown on Facebook without privacy settings locking them down and making them !searchable puts me at far more risk than anything else you have mentioned.
Cool. Do your thing.
-
@Roz said in How to Escape the OOC Game:
I am pretty damn particular with my email/RL name because I am literally the only person with it. Both first and last name are very uncommon, so the combination is entirely unique. The idea of sharing that casually is totally unnerving to me just because of that.
This. Very much this. Same boat completely.
There is a reason that when a guest on a game paged me with my real first and last name from out of nowhere, I had one hell of a panic attack.
-
Someone dropped another player's RL name in conversation with me the other day. I don't know the other player and it was a real "yikes" moment. Like I would not feel comfortable if someone did that to me. Thankfully I came up in the days of internet handles, so there's very few people in the mushing world that know my real name. And both of them are Facebook friends!
-
@surreality said in How to Escape the OOC Game:
@Roz said in How to Escape the OOC Game:
I am pretty damn particular with my email/RL name because I am literally the only person with it. Both first and last name are very uncommon, so the combination is entirely unique. The idea of sharing that casually is totally unnerving to me just because of that.
This. Very much this. Same boat completely.
There is a reason that when a guest on a game paged me with my real first and last name from out of nowhere, I had one hell of a panic attack.
I made a dark-humored joke with the Mac "BOOM BOMBSHELL" gif, then deleted it because it was bratty (not towards you, Surr).
I don't trust anyone in this hobby just in case. I don't know who you are, you don't know who I am, and unless we regularly go hang out, hug, and have coffee? My attitude these days is I don't really care. I don't want to have nor share PII with people. Doesn't mean we can't have good role play and fun chats!
Also, yeah, surr, I'd have lost my shit.
-
@Ghost Yeah, this dude claimed to not have malicious intentions, but... no. Not only is that bullshit, people who do that shit without identifying themselves in some fashion (he did not) know exactly what they're doing.
(That was volley one in the recent round of nonsense that, thankfully, Ark and Gany are being champs at keeping from spilling onto the forum, despite the fact that the person in question keeps chasing me here. Srsly, that was just the opening shot...)
-
Also. Disclaimer?
Saying this doesn't make it a 100% assurance (You could never know with accuracy that I'm not a liar), but I buy into 2 things when it comes to information security.
1. InfoSec people should be bonded and live by a code. If my next certification test goes well, I'll be signing to both. I would never do these things, because if I did and got caught, I'd lose that bonding. In fact, if I failed to report, I could lose it as well.
2. Just because I know about this stuff doesn't mean I would ever do it. It's just that to defend against malicious attackers you have to think like one. After a certain amount of time working on this shit, I've found you end up thinking like a cop: You look at things differently and weigh security everywhere you go. You notice things like protocols and give a shit about site certificates.
#2 is why all the time I'm like: Y'all using SSH yet? FUCKIN TELNET, MAN.
-
@surreality People with good intentions let you decide your level of involvement and vulnerability. Yeah. Fuck that guy.