Group Details

Coding

A place for code of any variety, not just softcode. Discussion found here.

  • RE: Curseborne and a Return to WoD

    Sort of yes? I've been toying with using the Storypath Ultra system to do a WoD-style game. I'm a big fan of the system and think it could be a good way to give a fresh coat of paint on things while keeping it familiar and comfortable.

    posted in Game Development
  • WIP: Codesuite 4.0 (Rhost Only)

    I am currently working on a completely from scratch refactoring, redesign, and streamlining of my popular Penn/Rhost Code.

    Warning, it's NOT ready to install yet.

    And, at the same time, I've fixed pretty much every issue with 3.x's Rhost compatibility, and am working on finalizing a new release for 3.5 which should be the last major bit of work I do involving that older code. I've abandoned maintaining the Storyteller stuff for 3.5 because 4.0 is already blowing it out of the water.

    Here's my main goals for 4.0's version of the Codesuite:

    • Rhost-only. Rhost, at the moment, has left Penn so far behind that I don't see any pros left to working with Penn. Sticking to just Rhost has led to far simpler code, and being able to count on 32kb buffers instead of 8kb makes many things now possible.
    • Account-based logins using Rhost's new login system. Log in to an account, select a character to play.
    • Simple, streamlined, idiomatic coding style with fewer idiosyncrasies. The code is much cleaner and more readable. I want to keep it that way. Easy to read, easy to maintain and modify.
    • Less is more. Although the new code has trimmed out some extraneous features (like Divisions in factions), being simpler has enabled more flexibility in other ways.
    • Minimal SQL involvement. Only roleplay logging and a few very similarly heavy topics require SQL. The BBS, Ticket Tracker, Storyteller data, etc, does not need SQL.
    • Simple setup, largely unobtrusive installation that can get along with other code packages, if any.
    • Full integration and accounting for some of Rhost's more peculiar and interesting features, like Reality Levels.
    • Idiomatic handling of Rhost's security for a new security model that covers collaborative building.
    • Support for Storyteller games: Exalted 2e, Exalted 3e, Chronicles of Darkness 2e, World of Darkness 20th Anniversary, and perhaps some fan stuff. (Exalted vs WoD? Exalted x Chronicles of Darkness? Exalted Demake?). Maybe Scion 2e?
    • (Highly experimental) MUD-style game SDK building on it. I want to see if Rhost can be used to make a spiritual successor to a Dragon Ball MUD I maintain and if I can generalize its features into a MUD SDK, I definitely will.
    posted in MU Code
  • RE: Telnet Safety

    @Juniper Heh. Though just for the record (in case it wasn't clear by the nitpicky arguing) Ghost and I agree on the core technical risks:

    1. Anything sent between your computer and an insecure endpoint is susceptible to being snooped by a third party. This includes both http(without-the-s) websites and virtually all MU* client connections.

    2. Anything you send to another MU player can be snooped by a third party if THE OTHER PLAYER is using an insecure connection.

    3. Anything you transmit to ANY internet service is potentially visible to and exploitable by the service owner, anyone they choose to share it with, and anyone who compromises THEIR security.

    Since #2 and #3 are still risks on a MUSH even if you connect securely, I don't personally lose sleep over #1. But I do think it's prudent to follow general precautions no matter how you connect:

    • Avoid sharing sensitive information with other players, and if you do - it's safer on Discord or via email than on a game.
    • If you're on a dodgy public network (like a coffee shop) or have a dodgy partner/roommate, use a VPN.
    • Follow general internet safety practices on your PC to protect it from vulnerabilities (e.g., use firewall/virus software, be very careful with email links/attachments, etc.)
    • Be extra cautious/suspicious of sites that have insecure connections, and never trust them for anything truly important (ecommerce, banking, email, etc.)

    With those general precautions in place, I'm perfectly comfortable connecting to my favorite MU via Atlantis/Beip/etc. YMMV.

    posted in Code
  • RE: Telnet Safety

    @Ghost said in Telnet Safety:

    I don't mean for my tone to come across as accusatory as it did. I'll keep an eye on that, especially with you since you're awfully nice.

    Thanks - I think we were largely just talking past each other. All good.

    @Ghost said in Telnet Safety:

    Whatever next state the hobby takes will probably include someone either improving the insecure transmission issue through some new client/interface to cover that problem, or improvements to client/web interfaces using TLS to allow for more of the customization that MuClients provide.

    That would be nice, but moving away from the old MU clients - even if you could pry old unsupported ones out of people's fingers - presents a whole other set of hurdles. Probably for a different thread, tho.

    posted in Code
  • RE: Telnet Safety

    @Ghost I feel like we're arguing in circles and you're saying that I'm dismissing concerns that I'm not dismissing.

    I am simply saying that many of those things you're worried about (honeypot MUs run by malicious actors, scraping IPs, social engineering, data within the game being compromised/spied on) are just as much a concern if you're using a secure connection as if you're using an insecure one. That is supporting your call for vigilance, not undermining it.

    I just do not agree that you can compromise a MUClient connection in the way you seem to be describing. MUs do not use telnet/23, they use a simple, custom TCP protocol. It's a dumb-as-nails text connection that sends text to the game and displays text back from the game. The primary vulnerability is simply being able to snoop and/or manipulate the text sent back and forth. Which is a point I've agreed with from post 1. If there is some other technical exploit I'm missing here, I would genuinely love to know (even if it's by DM if you don't want to advertise it). But nothing you've said so far has convinced me that there is.

    Tangentially, for the record, each Ares game has to set up its own security cert.

    posted in Code
  • RE: Telnet Safety

    @Ghost said in Telnet Safety:

    AN EASY SCENARIO THAT IS 100% POSSIBLE AND REQUIRES NO TALENT TO PULL OFF

    Absolutely everything in your nightmare scenario can be done if the game is running SSH/HTTPS. You're blaming the technology for a people problem.

    @Ghost said in Telnet Safety:

    I've said it before and I'll say it again:

    And I've said it before and will say it again:

    @faraday said in Telnet Safety:

    I don't disagree with your fundamental message to be careful what you share online. That's good advice no matter what, and I echo it in the Ares data privacy guides.

    posted in Code
  • RE: Telnet Safety

    @Ghost said in Telnet Safety:

    Shit, fara, you're the one that put https out there as an option for these games. Why put effort into it if it's no biggie?

    Because I don't see the equivalence you do.

    HTTPs is the default for websites. Web servers are easily set up with HTTPs, browsers support it out of the box (in fact, most web browsers will annoy you with warnings if you're NOT using HTTPs). Also you can't do browser notifications without HTTPs in some browsers.

    Open ports is the default for MU servers. Many MU clients won't even connect over a secure connection.

    I started off by saying I agree with 99% of what you said, we started quibbling over the last 1% (which is just that I don't think it's factually accurate to say that someone can manipulate your machine through an insecure MUSH server connection), and now it kinda feels like you're acting like I'm an idiot who doesn't support basic internet security principles. So I'm taking a break for a while.

    posted in Code
  • RE: Telnet Safety

    @Ghost said in Telnet Safety:

    I wasn't saying "request Ares handle" as if there was some way they could get through the https authentication with Ares, but merely as live data to tie an actual user to ip address.

    Your Ares handle is public. So anyone with access to your IP address on ANY game (e.g., staffers, coders, etc.) can already tie your identity to your IP -- even if you connected via HTTPs/SSH.

    @Ghost said in Telnet Safety:

    Then you would find yourself in opposition to the entire information security industry, OWASP, etc.

    Woo! Me against the entire information security industry!

    Seriously, come on. The security industry is based around formalized risk assessment processes. Literally nobody is going to equate the risks of general internet browsing (often with financial implications) - which is what those info security guidelines are geared towards - with the risks of roleplaying on some niche game server. Plus, most of the threat scenarios you've described (like IP snooping or social engineering) can happen even if you use a secure connection.

    But you're right - folks can make their own decisions as to which risk assessment they choose to believe.

    posted in Code
  • RE: Telnet Safety

    @Ghost said in Telnet Safety:

    WHOEVER has access to Player A's device (could be a Player or something black hat) can snoop the telnet transmission unknowingly to either player.

    You're still fundamentally just snooping on the traffic between A and the game. You're just doing it in a different way.

    You made it sound like the game connection (which again, isn't "telnet" per se) opened up the rest of the machine to vulnerabilities, and I don't believe it does. If you've already got a Trojan on your PC, that's a separate issue.

    @Ghost said in Telnet Safety:

    LITERALLY EVERY PERSON IN THE HOBBY CHECKS IT OUT AT LEAST ONCE (because this happens for almost every new live game. Boom. IP addy.),

    They literally don't.

    request your Ares handle in the app process...

    That's not how that works.

    But could someone set up a game that's just an elaborate phishing exercise? 100%. Is that particularly likely? Nope. Does that have anything to do with telnet? Nope. It could be done just as easily with a game that runs entirely on SSH/HTTPS.

    I don't disagree with your fundamental message to be careful what you share online. That's good advice no matter what, and I echo it in the Ares data privacy guides.

    I do disagree with the assertion that connecting to a game with a traditional MU client is opening you up to vulnerabilities beyond someone snooping on the traffic between you and the game.

    posted in Code
  • RE: Telnet Safety

    @Ghost said in Telnet Safety:

    Also, Telnet is not only susceptible to snooping, but also MITM/DNS Spoofing, because telnet makes no attempt to validate the host it is connecting to.

    Absolutely. And in the case of someone spoofing your bank, that's a very real concern because they could do all kinds of nefarious things. I don't think that same degree of danger exists with someone doing a MITM attack on a MUSH server... like, what are they going to do, spoof RP with you?

    I'm not saying it's impossible, just that any real harm seems very unlikely. I would argue this is borne out by these kinds of attacks being pretty much unheard of in all the decades of MUSHing.

    Social manipulation and stalking from giving someone your personal info? Absolutely valid concern. But that can happen just as easily with a secure connection as an insecure one.

    Edit for your edit: The IP address is also visible via a secure connection too. I would argue the better defense is firewall software rather than trying to always hide your IP from everyone but that's just me. (Also running with a VPN these days is a PITA due to all the sites blacklisting them. Can't even do a freaking google search any more.)

    posted in Code