@Sparks said in Difference between an NPC and a Staff PC?:

That if I do not RP with both Susan and Fred precisely equal amounts, I am being a bad staffer and doing it wrong.... But what's been bothering me on some level is the implication of these rules: that staff are inherently obligated to do certain things, whether or not staff themselves have pledged to do so.

This may be an unpopular opinion, but here goes: Nobody - and I mean nobody - is entitled to my free time. It is for me to spend as I choose. If RPing with Fred is excruciating, then I'm not gonna RP with Fred, as player or as staff. The only thing I am obliged to do is that which I have willingly pledged myself to do, and that does not include providing everyone NPC-RP on demand or in equal measure.

What I do pledge, though, is to "provide a sane, fair and friendly environment for you to tell your stories." Part of that fairness means ensuring that Fred has the same opportunities for success as my BFF Mary. I do not need to RP with him to do this. Off-camera scenes and +rolls are a thing for this very reason.

If that's a dealbreaker for you, don't play on my game. Problem solved.

Of note, since not everyone reads the Ares forums...

The player in question has been banned from AresCentral.

Being banned from a particular game generally does not affect your AresCentral status. However:

1. If you’ve been banned from a game, you may not come here and pester the game-runner(s) who banned you. Take the hint and leave them alone.
2. I reserve the right to make exceptions in extreme circumstances, like someone who’s been serially harassing people and maliciously attempting to bypass bans across multiple games.

They responded (due to a glitch with the forum ban... my error) protesting that they had been so very polite while doing #1, while apparently completely missing the fact that it was inappropriate to do so in the first place. (And also letting #2 sail right over their heads.)

@derp said in Idling all day on MU*s:

I think that I would personally challenge the premise that this is some kind of problem.

This. A MUSH is more than just a game, it's a community -- at least to many people.

So folks like to hang out and chat even when they can't necessarily go out to play.

I don't see any harm in it. If your game isn't getting any RP, there are probably larger issues going on. Trying to discourage people from hanging out and chatting isn't going to make them play - it's just going to make them not log in. I don't see how that helps anybody.

@downwithopp said in An Apology to BSO and BSU.:

When I first read this thread, my intent was to apologize to @faraday - who I put in a terrible spot, because we had communicated numerous times as friends and I had worked within the framework of BSU to help her when I could.

I said it once before, but seriously - leave me out of this. You didn't need to post here to apologize to me. You apologized months ago when I kicked you off BSGU. And you have my email.

I really do want to believe that your apology is sincere. The original post sounded heartfelt, which is why I reached out to say thank you for that. But I don't appreciate being continually used as a prop in your crusade here.

If you are indeed truly sorry, then just say so and leave it at that. No excuses, no arguing, no 'I was frustrated because...', no 'I didn't come here to fight...'. Just 'I'm sorry. I screwed up. I'll try to do better in the future. The end.'

Y'all are sweet. Thanks.

@Ghost said in Fandom and entitlement:

anyone actually seen, read, or heard (interviews/articles) where it's explained by the people who make the decisions that they're not "taking chances" on women or POC?

It’s pretty well documented, yes. There are numerous examples of Hollywood people being asked to change a role from a woman to a man or from a POC to white. Then there are the basic stats on representation (or lack thereof). You can either conclude from this that Hollywood is flat-out racist/sexist or that they have a pervasive belief that such casting is “risky”. Neither is good.

Here’s a nice article on representation: https://paris7masterculture.wordpress.com/2018/12/10/the-representation-of-poc-people-of-color-in-hollywood-a-case-study/

I particularly like the quote from Viola Davis: “The only thing that separates women of color from everyone else is opportunity. You cannot win an Emmy for roles that are simply not there.”

Also relevant

@tinuviel said in Spirit Lake: An Original Modern Fantasy Game:

Apparently not! Apparently restrictions were the idea all along, if @Noodle-McDoodle is to be believed.

I think that's assuming an awful lot of ill will based on a random comment from one person who isn't even on staff.

There's absolutely no indication that there was some unadvertised population cap, and every indication that it's just a case of staff dramatically underestimating how popular the game would be.

"oh this is going to be pretty niche, let's advertise so it's not a ghost town"
"ZOMG ALL THE PEOPLE CAME"

Disappointment is perfectly understandable. I was bummed I didn't get tickets to a show recently because I didn't find out about it in time. It happens.

But giving staff grief for making a tough call to try to make a quality game? That's not cool. That's the sort of attitude that makes people reluctant to run games in the first place.

@Darren said in Real World Peeves, Disgruntlement, and Irks.:

When I first started tinkering with Ares, some of my friends warned me that Faraday was not at all receptive to people modifying the server in ways she did not personally approve of and that she and I would most likely end up butting heads.

Yeah, y'know, given that I've spent an astonishing amount of time writing pages and pages of tutorials explaining how to write custom code and how the underlying engine works, that's not only patently untrue but kind of insulting.

There is an immeasurable difference between saying "no" to implementing something in my own spare time and objecting to someone else spending their time implementing the thing.

Ares is open source. Do whatever you want with it.

But there is a limit to how much of my free time I'm willing to expend hand-holding someone through hammering down the walls of the thing I've built to build something I don't approve of. I won't apologize for that, nor should I have to.

@Derp said in Difference between an NPC and a Staff PC?:

Does Fred have any barriers to access to this NPC?
Are you the only one that plays this NPC?
Not all PCs get access to all NPCs for various reasons, but 'I don't like the player' is not one of them. Not for a staffer. You don't get to just arbitrarily decide that a player isn't worth your time, and therefore doesn't get access to said NPC, even if you are providing 'other ways to succeed', because that sometimes doesn't work.

"Access to on-camera RP with a NPC" is not some inalienable player 'right'. It just isn't. If being staff on YOUR game means that I would have to provide hours-long scenes to anyone who asked for it, regardless of quality or player contribution, then you wouldn't have to fire me because I wouldn't touch that job with a ten foot pole.

"My character needs to talk to the king" can be resolved off-camera. There's no need for it to take up three hours of my real life. And if that's unsatisfactory? As I said, there's the door; no skin off my nose. I am providing a game as a voluntary service to the community. It is not for the community to dictate to me how I run that game. If my methods are intolerable, people can and should vote with their feet.

ETA after catching up on some of the other back-and-forth: Staffing is not a job, and MUSHes are not employers. Comparisons to the Fair Wage Act or expected behavior for paid customer service staff are absurd. Even unpaid volunteers in RL are only expected to meet the obligations they actually agreed to do.

There's a patch out for Ares now that fixes the bugs in the ban feature.

And contrary to what Troll may insist, they were, in fact, bugs. Silly oversights like "doh! the ban list is checked alongside the password but guests don't use a password", for instance.

Ares and Rhost both have an optional proxy blocking feature that will block players from known proxy sites (using a list graciously managed by @Ashen-Shugar). This doesn't stop all VPNs, but it can make it a little more difficult for a troll to play whack-a-mole with you. (At the cost of inconveniencing legit new players who may want to use proxies from work or whatever.)

That said, MUSHes are not exactly bastions of security. A savvy ten-year-old can bring down a MUSH--it hardly takes a Machiavellian tech genius. This is nothing more than someone wrecking the sandbox to keep the other kids from having fun. Sad, really.

@Juniper Heh. Though just for the record (in case it wasn't clear by the nitpicky arguing) Ghost and I agree on the core technical risks:

1. Anything sent between your computer and an insecure endpoint is susceptible to being snooped by a third party. This includes both http(without-the-s) websites and virtually all MU* client connections.

2. Anything you send to another MU player can be snooped by a third party if THE OTHER PLAYER is using an insecure connection.

3. Anything you transmit to ANY internet service is potentially visible to and exploitable by the service owner, anyone they choose to share it with, and anyone who compromises THEIR security.

Since #2 and #3 are still risks on a MUSH even if you connect securely, I don't personally lose sleep over #1. But I do think it's prudent to follow general precautions no matter how you connect:

• Avoid sharing sensitive information with other players, and if you do - it's safer on discord or via email than on a game.
• If you're on a dodgy public network (like a coffee shop) or have a dodgy partner/roommate, use a VPN.
• Follow general internet safety practices on your PC to protect it from vulnerabilities (e.g., use firewall/virus software, be very careful with email links/attachments, etc.)
• Be extra cautious/suspicious of sites that have insecure connections, and never trust them for anything truly important (ecommerce, banking, email, etc.)

With those general precautions in place, I'm perfectly comfortable connecting to my favorite MU via Atlantis/Beip/etc. YMMV.

@Ghost said in Telnet Safety:

I don't mean for my tone to come across as accusatory as it did. I'll keep an eye on that, especially with you since you're awfully nice.

Thanks - I think we were largely just talking past each other. All good.

@Ghost said in Telnet Safety:

Whatever next state the hobby takes will probably include someone either improving the insecure transmission issue through some new client/interface to cover that problem, or improvements to client/web interfaces using TLS to allow for more of the customization that MuClients provide.

That would be nice, but moving away from the old MU clients - even if you could pry old unsupported ones out of peoples' fingers - presents a whole other set of hurdles. Probably for a different thread, tho.

@Ghost I feel like we're arguing in circles and you're saying that I'm dismissing concerns that I'm not dismissing.

I am simply saying that many of those things you're worried about (honeypot MUs run by malicious actors, scraping IPs, social engineering, data within the game being compromised/spied on) are just as much a concern if you're using a secure connection as if you're using an insecure one. That is supporting your call for vigilance, not undermining it.

I just do not agree that you can compromise a MUClient connection in the way you seem to be describing. MUs do not use telnet/23, they use a simple, custom TCP protocol. It's a dumb-as-nails text connection that sends text to the game and displays text back from the game. The primary vulnerability is simply being able to snoop and/or manipulate the text sent back and forth. Which is a point I've agreed with from post 1. If there is some other technical exploit I'm missing here, I would genuinely love to know (even if it's by DM if you don't want to advertise it). But nothing you've said so far has convinced me that there is.

Tangentially, for the record, each Ares game has to set up its own security cert.

@Ghost said in Telnet Safety:

AN EASY SCENARIO THAT IS 100% POSSIBLE AND REQUIRES NO TALENT TO PULL OFF

Absolutely everything in your nightmare scenario can be done if the game is running SSH/HTTPS. You're blaming the technology for a people problem.

@Ghost said in Telnet Safety:

I've said it before and I'll say it again:

And I've said it before and will say it again:

@faraday said in Telnet Safety:

I don't disagree with your fundamental message to be careful what you share online. That's good advice no matter what, and I echo it in the Ares data privacy guides.

@Ghost said in Telnet Safety:

Shit, fara, you're the one that put https out there as an option for these games. Why put effort into it if it's no biggie?

Because I don't see the equivalence you do.

HTTPs is the default for websites. Web servers are easily set up with HTTPs, browsers support it out of the box (in fact, most web browsers will annoy you with warnings if you're NOT using HTTPs). Also you can't do browser notifications without HTTPs in some browsers.

Open ports is the default for MU servers. Many MU clients won't even connect over a secure connection.

I started off by saying I agree with 99% of what you said, we started qubbling over the last 1% (which is just that I don't think it's factually accurate to say that someone can manipulate your machine through an insecure MUSH server connection), and now it kinda feels like you're acting like I'm an idiot who doesn't support basic internet security principles. So I'm taking a break for awhile.

@Ghost said in Telnet Safety:

I wasn't saying "request Ares handle" as if there was some way they could get through the https authentication with Ares, but merely as live data to tie an actual user to ip address.

Your Ares handle is public. So anyone with access to your IP address on ANY game (e.g., staffers, coders, etc.) can already tie your identity to your IP -- even if you connected via HTTPs/SSH.

@Ghost said in Telnet Safety:

Then you would find yourself in opposition to the entire information security industry, OWASP, etc.

Woo! Me against the entire information security industry!

Seriously, come on. The security industry is based around formalized risk assessment processes. Literally nobody is going to equate the risks of general internet browsing (often with financial implications) - which is what those info security guidelines are geared towards - with the risks of roleplaying on some niche game server. Plus, most of the threat scenarios you've described (like IP snooping or social engineering) can happen even if you use a secure connection.

But you're right - folks can make their own decisions as to which risk assessment they choose to believe.

@Ghost said in Telnet Safety:

WHOEVER has access to Player A's device (could be a Player or something black hat) can snoop the telnet transmission unknowingly to either player.

You're still fundamentally just snooping on the traffic between A and the game. You're just doing it in a different way.

You made it sound like like the game connection (which again, isn't "telnet" per se) opened up the rest of the machine to vulnerabilities, and I don't believe it does. If you've already got a Trojan on your PC, that's a separate issue.

@Ghost said in Telnet Safety:

LITERALLY EVERY PERSON IN THE HOBBY CHECKS IT OUT AT LEAST ONCE (because this happens for almost every new live game. Boom. IP addy.),

They literally don't.

request your Ares handle in the app process...

That's not how that works.

But could someone set up a game that's just an elaborate phishing exercise? 100%. Is that particularly likely? Nope. Does that have anything to do with telnet? Nope. It could be done just as easily with a game that runs entirely on SSH/HTTPS.

I don't disagree with your fundamental message to be careful what you share online. That's good advice no matter what, and I echo it in the Ares data privacy guides.

I do disagree with the assertion that connecting to a game with a traditional MU client is opening you up to vulnerabilities beyond someone snooping on the traffic between you and the game.

@Ghost said in Telnet Safety:

Also, Telnet is not only susceptible to snooping, but also MITM/DNS Spoofing, because telnet makes no attempt to validate the host it is connecting to.

Absolutely. And in the case of someone spoofing your bank, that's a very real concern because they could do all kinds of nefarious things. I don't think that same degree of danger exists with someone doing a MITM attack on a MUSH server... like, what are they going to do, spoof RP with you?

I'm not saying it's impossible, just that any real harm seems very unlikely. I would argue this is borne out by these kinds of attacks being pretty much unheard of in all the decades of MUSHing.

Social manipulation and stalking from giving someone your personal info? Absolute valid concern. But that can happen just as easily with a secure connection as an insecure one.

Edit for your edit: The IP address is also visible via a secure connection too. I would argue the better defense is firewall software rather than trying to always hide your IP from everyone but that's just me. (Also running with a VPN these days is a PITA due to all the sites blacklisting them. Can't even do a freaking google search any more.)

@Ghost said in Telnet Safety:

use the established telnet connection and hacking wares (that are so obsolete that they are easy to obtain and can be used by kids) to manipulate what they can on your machine through the telnet protocol session you initiated on connection.

So... I agree with 99% of what you said, but this one made me raise an eyebrow.

Most MU players aren't actually establishing a "telnet connection". They are connecting via a MU client to a server running a listener on a specific port. A malicious actor could 100% snoop on your insecure connection, but I fail to see any way that they could manipulate anything on your machine unless there were some kind of underlying exploit in the MU client that they could leverage. Right?

Tangential side note - most Ares MUs use https for the web portal, so if you play via the portal your connection is secure. Even so, anything you transmit to ANY server (a MU*, Discord, Google, whatever) is ultimately accessible to the owner of the service and anyone they choose to share it with (coders, admins, etc.) The only difference is that statistically you're less likely to be personally targeted by a disgruntled Discord worker than a disgruntled MU staffer.

@Ghost said in A.I. in the Community:

So I guess my argument is: if the emphasis is less on writing and more on titillating your writing partner,

I don't think this practice is as widespread as you assert it is. (Though doubtless it does exist.)

I am against generative AI on principle, so I don't like to see it used anywhere.

Yes, many games fall into the "fanfic" realm of copyright, but IMHO fanfic has never actually harmed anyone's livelihood. Gen AI is actively doing so on an unimaginable scale. The majority of the tools are making millions (billions?) of dollars on the backs of stolen work products, including my own. It's also horrible for the environment in terms of the computing power used. And the prompts people use are leveraged to improve the tools, participating in the destruction.

I hate them. I think they're dangerous.

There is no "harmless fun" involvement in using them, but I realize most people don't understand or agree with that, so I don't translate my hatred to them. It still leaves a bad taste in my mouth.

ETA: I also disagree that replacing a static description with a PB is an evidence of writing waning, since most novels/stories don't pause the action to give you a multi-paragraph data dump on the character's looks and clothing either. That was always a MUSH quirk. But that's a separate convo.