• RE: 2024: Obits of Note

    Bob Newhart, 94.

    posted in Tastes Less Game'y
  • RE: Looking for old Elendor players

    @Tapewyrm I used to, as well. I was in Amon Thranduil mostly, as Aranellome and Hellaia. God, that was a long time ago.

    Edited to add, I'm RL friends with player of Orosul still, too, though he doesn't MU anymore. And I still have contact with Gilgurth-player as well, not sure if he MUs anymore.

    posted in A Shout in the Dark
  • RE: Telnet Safety

    @Ghost said in Telnet Safety:

    NEVER give your address, phone, banking, full name, general location, business information, etc over pages/chat in MU even if you trust the person because THE DANGER ISN'T YOUR FRIEND, BUT THE SERVICE/PROTOCOL YOU ARE USING.

    Fixed that for you.

    You nerd.

    posted in Code
  • RE: Telnet Safety

    @Juniper said in Telnet Safety:

    bless faraday for having the patience for this

    Bless your heart, too

    posted in Code
  • RE: Telnet Safety

    Maybe this should be a sticky.

    posted in Code
  • Best News of the Day, Today

    Spaceballs 2 is in development with Josh Gad and Mel Brooks at Amazon, as reported by Variety Magazine. No word yet on the possibility of returning actors (including Rick Moranis).

    posted in Tastes Less Game'y
  • RE: Telnet Safety

    @faraday Mo' tech, mo' money, different problems

    posted in Code
  • RE: Telnet Safety

    @faraday I think this would have been an amazing conversation over coffee, and I apologize. I don't mean for my tone to come across as accusatory as it did. I'll keep an eye on that, especially with you since you're awfully nice.

    In my head this was more of a "DUDE...BUT..." type cubicle conversation about tech stuff, but one thing I think we did amazingly here is provide a point/counterpoint.

    I am a former MUer with evident trust issues with the globulous "community" who is approaching this from the point of view of "...the bad scenario" and wanting to state out the width of possibilities to get them out there and under consideration.

    You are still prevalent in the community and are approaching this from a "stepping back from that, this is more likely" approach, and are providing a technical counterpoint about where the safety works and why it is better than it used to be (it is!)

    I do think one thing is sure, though. Whatever next state the hobby takes will probably include someone either improving the insecure transmission issue through some new client/interface to cover that problem, or improvements to client/web interfaces using TLS to allow for more of the customization that MuClients provide.

    And hot-damn, I'm still wondering about Diffie

    posted in Code
  • RE: Telnet Safety

    @faraday said in Telnet Safety:

    Absolutely everything in your nightmare scenario can be done if the game is running SSH/HTTPS. You're blaming the technology for a people problem.

    Yes and no.

    A person with admin-type access has access to connection level information even through HTTPS, and on-server can log/monitor communications, yes. That is correct.

    But it is significantly harder for even someone with that admin access to utilize an HTTPS(TLS) connection to further exploit their own users without being detected or perform unwanted session redirects without being detected.

    It is a people problem, yes, but to spoof a TLS connection you'd need a forged certificate and the actual public key of the target site. You don't need that with telnet. TLS mitigates a lot of the potential attack vectors, but even with TLS there are issues.

    1. A user connected via HTTPS roleplaying with a player connected via telnet potentially exposes things further through the telnet player. The TLS user sends/receives encrypted data, but the same data (pages to telnet player, etc) are then transmitted to the telnet user in cleartext because the sessions are with the host and not P2P or arranged through something like "shared key/insecure network" security provided by Diffie-Hellman.

    (I'm now wondering if it's possible to implement something like Diffie-Hellman on a MU server... it's sure AF old enough, and I now wonder if the Unix-based programming in a MU client could handle the exchange of a shared DH/AES key with the connected telnet user. Might be worth exploring for telnet users, and TLS for HTTPS users.)

    ^^^ IF this is possible (being theoretical, here), I recommend including "log text" in the MU to record something like this:

    • mask the shared key/IPs sent to the username's session, but keep the date and timestamps to ensure other staff aren't collecting data (The shared private key between host and client can be used to decrypt). ONLY access the non-masked information on a need-to-know basis, locked behind God privileges, and NOT accessible on the same staff logins even the headwiz uses regularly
    • if the implementation is stable enough and works, require telnet users to accept the randomized shared key and connect via D-H to play on the game. Everyone is encrypted.
    • IF possible (unknown), idle connections are released after being idle (other user disconnected) for an hour, release the DH shared key, and require a new one
    • IF possible, include a list of blacklisted usernames and IPs who are to be denied the DH key. Forcing this may actually be the solution to further keeping people off of games.
    • may require a client download on the user's side to complete the connection and run parallel to their MU client

    (Again, D-H is deprecated as shit and crackable even in this implementation, but it is better than Telnet and further mitigates local router snooping telnet logs, as well as any other session interception reading issues. I'm not sure if anyone has tried D-H over MU via telnet before, but if the BBS system can handle the handshaking and the client is a free and safe download, this could be the answer.)

    2. If the certificate (for Ares I don't know offhand if it's the hosting site's certificates or faraday's, and no one should know where it's stored) is exposed through any means, a malicious user can decrypt as desired.

    3. TLS 1.2 is still vulnerable to Raccoon, large ticket injection, Sloth, CRIME, BREACH, etc, but those require more skill and talent to breach, though MUs are not likely targets for these attacks. I doubt a MUser would go to these lengths.

    posted in Code
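
The Diffie-Hellman idea floated in the post above, as an added example (not code from the thread or from any MU server): a finite-field exchange over the RFC 3526 2048-bit group using only the Python standard library, with the denylist and one-hour idle expiry from the post's bullet list. `SessionKeys`, `handshake`, `key_for` and the KDF label are hypothetical names; the derived 32-byte key is sized for AES-256, but no cipher is applied here.

```python
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, used with generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
IDLE_LIMIT = 3600  # seconds; the post's "idle for an hour"

def keypair():
    """Fresh ephemeral DH key pair: (private exponent, public value)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Derive a 32-byte key (AES-256 sized) from the DH shared secret."""
    if not 2 <= peer_pub <= P - 2:  # 0, 1 and p-1 would force a known secret
        raise ValueError("invalid DH public value")
    secret = pow(peer_pub, priv, P).to_bytes(256, "big")
    return hashlib.sha256(b"mu-telnet-session" + secret).digest()

class SessionKeys:
    """Hypothetical server-side key store with denylist and idle expiry."""
    def __init__(self, denylist=()):
        self.denylist, self.keys = set(denylist), {}  # keys: user -> (key, last_seen)

    def handshake(self, user, client_pub, now):
        """Return the server's public value, or None if the user is denied."""
        if user in self.denylist:
            return None
        priv, pub = keypair()
        self.keys[user] = (shared_key(priv, client_pub), now)
        return pub

    def key_for(self, user, now):
        """Return the live key, or None (key forgotten) once idle too long."""
        key, last = self.keys.pop(user, (None, now))
        if key is None or now - last > IDLE_LIMIT:
            return None
        self.keys[user] = (key, now)
        return key
```

The exchange is unauthenticated, so it only protects against passive snooping of the telnet stream; a client cannot confirm the public value came from the game server without a pinned or signed server key.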
  • RE: 2024: Obits of Note

    @reimesu 😞 that sucks. I love a LOT of his movies. He's also got a pretty talented kid lol.

    I remember an interview (Conan I think) where Donald said that his son has 5 middle names. When asked why, he said "Because I owed a lot of money at the time" or something like that lol

    "Kiefer William Frederick Dempsey George Rufus Sutherland"

    The real story is that he was named after 5 people his parents adored and admired.

    (From the webz)
    Kiefer Sutherland's five middle names were mostly chosen to honor multiple important figures in his life, including his mother (Dempsey was her maiden name), paternal grandfather Frederick, and father's close friend George. The reasoning behind Rufus remains a mystery, even to Sutherland himself. Pretty beautiful story and shows a bit of who Donald was ❤

    posted in Tastes Less Game'y