Telnet Safety
-
Hey, IT guy here. I've posted in the past about the technical dangers of MU in terms of other topics, but for those not aware, I thought I should write a little blog post.
- ALL MUs that aren't using SSH are essentially unencrypted
Telnet (created in 69) uses TCP port 23. It sends unencrypted data across the TCP/IP network (internet), containing clear, readable transmissions of all characters sent/received from the MU.
In 1969, this beast above was the most powerful computing system in the world. It went for a whopping $2.3 million ($23mil+ adjusted for inflation) and had an awesome memory availability of 982 kilobytes (just under 1 MB). A modern 20 dollar burner cell phone comes with 32 GB storage, which is essentially 32,000 MB, or 32,000,000 KB.
That is how fucking old telnet is. It turns 100 in 2069 in 45 years. It predates modern cocaine use.
- The difference between "data at rest" vs "data in transit"
The difference initially is obvious. Data "in flight" is in transmission and "at rest" is when it is stored, but what does this mean for your firewall/vpn/Etc?
AT REST DATA: All of your firewall/malware/virus protection typically is by device (laptop/cellphone) or handled via software on your router. THIS HELPS KEEP PEOPLE FROM HACKING YOUR MACHINE AND PULLING DATA OFF OF IT. This is data at rest. You have provided a "fort" for your data that is hard to get into.
IN TRANSMISSION your data becomes vulnerable. Like any important piece of mail (like your tax return) you want to mail it knowing that it is safe, won't be intercepted, and won't be acted upon by people the piece of mail isn't addressed to.
In-transmission data is quite simply the most dangerous part about the MU hobby.
- How can unencrypted data over MU be dangerous?
Telnet protocol is insecure, and if a malicious MUer did or didn't have staff privileges (because the MU is insecure and the data is unencrypted) they could...
- capture/log all transmission data, both personal and roleplay including sensitive personal information
- use the established telnet connection and hacking wares (that are so obsolete that they are easy to obtain and can be used by kids) to manipulate what they can on your machine through the telnet protocol session you initiated on connection.
- Session snooping is simple. At the router level I can block port 23, but I can also log all data transmitted via telnet for my viewing. This puts TS MUers in a serious danger zone if their spouse has any tech skills. It could be done without even touching your laptop.
- If the MU staff or site hosting is not secure from MITM attacks or session snooping, then a malicious user could implement telnet snooping across all users of the mu hosting provider, and the existing use of telnet protocol makes this a constant threat.
So while the data is "in flight", it leaves YOUR network, is out in the open, and is then delivered to an "at rest" state on the MU server, you should keep these things in mind:
- MU hosting and MU staffing is an entirely unpaid, amateur effort
- Most game staff are not IT professionals, and even if they were the only true answer to safety is SSH...which requires additional purchases (certificate authority) and authentication protocols most MUs don't use (or have staff who would know how to implement)
- All data on the server is technically the property of the owner (not the user) with no existing legal recourse if the MU is infiltrated.
- The assumption that your private pages and roleplay is truly private is an absolute farce
(By this I mean...you're RPing or discussing potentially personal things over an INSECURE protocol on an antiquated BBS service owned/ran by a stranger with only "social damage" incurred if they're caught snooping your pages/rp, and at a certain level of privileges other staff would never even know if it was happening to them)
- NEVER give your address, phone, banking, full name, general location, business information, etc over pages/chat in MU even if you trust the person because THE DANGER ISN'T YOUR FRIEND, BUT THE SERVICE/PROTOCOL YOU ARE USING.
So with all this in mind, it's far safer to RP using discord or even Facebook chat windows, because at least those services have encryption, terms of service, data collection standards, and security baked into the format.
Really...anyone who knows this stuff when you don't is a potential malicious actor, and MU players seeking that free entertainment are pretty much at the mercy of the budget/hostingSite/protocol selection of the game-runners. There's no "policy" that fixes this issue, nor does a promise have any value, because the game site and protocol are pretty much wide open.
Now, you may read this and say "ennnnhhh...I doubt BubbaCliqDude or OPPCannotDie (whoever your fave/least fave MUers) have the skill, desire, or talent to fuck around with telnet" Don't think this.
Because for literally anyone connected to any MUer, any malware/Trojans they have allow their malicious entity to snoop their telnet session, which is using an insecure, open pipe of data from source-to-site (your transmission), then site-to-target (they receive). Both users have approved the connection and Microsoft is more than happy to let that approved connection do whatever it wants unless properly configured. Which...proper configuration in this case would be to disable telnet protocol altogether, which would kill your ability to connect to 99% of MUs.
(note: every card payment taking service in the world is banned from having telnet protocol enabled on all windows machines. If telnet on any machines causes a PCI audit rejection, they could be contractually rendered unable to perform any transactions until telnet protocol is disabled across all machines)
THAT is how fucking bad telnet is.
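What a passive observer on the path actually recovers from a port 23 session, as an added example (this is not code from the original post or from any MU codebase): a small Telnet stream parser that strips the RFC 854/855 option negotiation (IAC escapes, DO/DONT/WILL/WONT, SB...SE subnegotiation) and returns the cleartext per direction, then a naive phone-number scan over it. The capture, host name, player names, password and phone number below are constructed for the demo; 203.0.113.42 is a documentation address.

```python
"""Reconstruct the cleartext of a Telnet/MU* session from captured bytes.

Added example, not from the original post. The "capture" is a constructed
list of TCP payloads in wire order, the kind a sniffer on the router sees.
"""
import re

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}
NEGOTIATION = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}


def strip_telnet(data: bytes):
    """Return (cleartext, negotiations) for one direction of a stream.

    Telnet escapes in-band commands with IAC (0xFF): IAC IAC is a literal
    0xFF byte, IAC <DO|DONT|WILL|WONT> <opt> is a 3-byte negotiation, and
    IAC SB ... IAC SE brackets a subnegotiation. Everything else is payload
    that the client or server typed, in the clear.
    """
    text = bytearray()
    negotiations = []
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break  # truncated command at the end of the capture
        cmd = data[i + 1]
        if cmd == IAC:
            text.append(IAC)  # escaped literal 0xFF
            i += 2
        elif cmd in NEGOTIATION and i + 2 < len(data):
            opt = data[i + 2]
            negotiations.append(f"{NEGOTIATION[cmd]} {OPTION_NAMES.get(opt, opt)}")
            i += 3
        elif cmd == SB:
            # Simplification: an escaped IAC IAC inside the SB body is not handled.
            end = data.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break  # unterminated subnegotiation
            negotiations.append(f"SB {OPTION_NAMES.get(data[i + 2], data[i + 2])}")
            i = end + 2
        else:
            i += 2  # other two-byte command (NOP, GA, ...)
    return text.decode("latin-1"), negotiations


def reconstruct(packets):
    """Reassemble each direction of a capture and strip the protocol noise."""
    streams = {}
    for direction, payload in packets:
        streams[direction] = streams.get(direction, b"") + payload
    return {d: strip_telnet(raw) for d, raw in streams.items()}


PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")


def find_phone_numbers(text: str):
    """Naive scan for North-American-style numbers in the recovered text."""
    return PHONE_RE.findall(text)


# Constructed capture: a player connects, the server negotiates ECHO and
# TERMINAL-TYPE, the player logs in and sends a page with a phone number.
CAPTURE = [
    ("server->client", bytes([IAC, WILL, 1, IAC, DO, 24]) + b"Welcome to ExampleMUSH\r\n"),
    ("client->server", bytes([IAC, DO, 1, IAC, WILL, 24])),
    ("client->server", bytes([IAC, SB, 24, 0]) + b"XTERM" + bytes([IAC, SE])),
    ("client->server", b"connect Steve hunter2\r\n"),
    ("server->client", b"Last connect was from 203.0.113.42\r\n"),
    ("client->server", b"page Dana=call me at 555-867-5309, the bill is due Friday\r\n"),
]

if __name__ == "__main__":
    for direction, (text, negs) in reconstruct(CAPTURE).items():
        print(f"== {direction} ({', '.join(negs)})")
        print(text, end="")
        print("phone numbers seen:", find_phone_numbers(text))
```

The login line, including the password, comes out of the client stream verbatim; that is the whole point of the post. Real captures would be split across TCP segments at arbitrary byte boundaries, which is why the two directions are concatenated before parsing rather than parsed packet by packet.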
-
@Ghost said in Telnet Safety:
use the established telnet connection and hacking wares (that are so obsolete that they are easy to obtain and can be used by kids) to manipulate what they can on your machine through the telnet protocol session you initiated on connection.
So... I agree with 99% of what you said, but this one made me raise an eyebrow.
Most MU players aren't actually establishing a "telnet connection". They are connecting via a MU client to a server running a listener on a specific port. A malicious actor could 100% snoop on your insecure connection, but I fail to see any way that they could manipulate anything on your machine unless there were some kind of underlying exploit in the MU client that they could leverage. Right?
Tangential side note - most Ares MUs use https for the web portal, so if you play via the portal your connection is secure. Even so, anything you transmit to ANY server (a MU*, Discord, Google, whatever) is ultimately accessible to the owner of the service and anyone they choose to share it with (coders, admins, etc.) The only difference is that statistically you're less likely to be personally targeted by a disgruntled Discord worker than a disgruntled MU staffer.
-
@faraday said in Telnet Safety:
A malicious actor could 100% snoop on your insecure connection, but I fail to see any way that they could manipulate anything on your machine unless there were some kind of underlying exploit in the MU client that they could leverage. Right?
Basically, but I was also operating on the concept that information gained through insecure data transmission could lead to further exploits. Also, Telnet is not only susceptible to snooping, but also MITM/DNS Spoofing*, because telnet makes no attempt to validate the host it is connecting to.
Insecure transmissions are really just risky, so I 100% agree that the ABSOLUTE BEST approach is to do as @faraday says and connect via https at the portal.
Edit: (for those who don't know the slang)
-
Man in the Middle (MITM) is where a malicious attacker inserts themselves in between the transmission to intercept data, but is not just limited to snooping. Communications can be modified/redirected. (mitigated by using secure protocols and disabling telnet)
-
DNS Spoofing is where DNS records are manipulated to redirect targets to bogus websites, which could lead to further exploits. (mitigated by use of https)
OH AND I JUST REALIZED...
- Telnet transmissions include your IP address used, which makes users susceptible to malicious users backtracking the IP into port scans/penetration tests. Not trying to pile on against telnet, but this is 100% accurate
- also is the fact that your IP address is something always available to game admin, regardless of how much you trust them
- the only workaround for this is really a VPN, which is also 100% recommended to further increase your security and ensure that MU game admin can't use your actual IP for their own purposes without your permission
-
-
@Ghost said in Telnet Safety:
Also, Telnet is not only susceptible to snooping, but also MITM/DNS Spoofing, because telnet makes no attempt to validate the host it is connecting to.
Absolutely. And in the case of someone spoofing your bank, that's a very real concern because they could do all kinds of nefarious things. I don't think that same degree of danger exists with someone doing a MITM attack on a MUSH server... like, what are they going to do, spoof RP with you?
I'm not saying it's impossible, just that any real harm seems very unlikely. I would argue this is borne out by these kinds of attacks being pretty much unheard of in all the decades of MUSHing.
Social manipulation and stalking from giving someone your personal info? Absolute valid concern. But that can happen just as easily with a secure connection as an insecure one.
Edit for your edit: The IP address is also visible via a secure connection too. I would argue the better defense is firewall software rather than trying to always hide your IP from everyone but that's just me. (Also running with a VPN these days is a PITA due to all the sites blacklisting them. Can't even do a freaking google search any more.)
-
@faraday You and I are like a regular good cop/bad cop episode lol. You're right, though. The dangers ARE considerably less on a MU server than foolishly connecting to some rando telnet port you find listed on the dark web.
However, I think it's important to understand the width of what could happen in a very realistic scenario, such as:
- Player A has a Trojan on their machine or other exploited vulnerability that gives the attacker access to their OS
- Player B does not
- WHOEVER has access to Player A's device (could be a Player or something black hat) can snoop the telnet transmission, unbeknownst to either player.
Any personally identifying information shared in that telnet stream between both unaware players (perhaps even ones that are in a real-life relationship, sending pages to each other about paying bills, or lifelong friends sharing address information) is open game, and neither of the players would have any clue that they'd been snooped on.
I feel like a massive asshole saying this, but the most hated/feared people in the community could easily start up a new game server under a false identity, LITERALLY EVERY PERSON IN THE HOBBY CHECKS IT OUT AT LEAST ONCE (because this happens for almost every new live game. Boom. IP addy.), request your Ares handle in the app process, and then log every 24 hours of content through the listening port to cloud-based storage.
I wouldn't do that, personally, but others who are down with other people's property could. If I were black hat or a stalker, that's exactly what I'd do.
-
@Ghost said in Telnet Safety:
WHOEVER has access to Player A's device (could be a Player or something black hat) can snoop the telnet transmission, unbeknownst to either player.
You're still fundamentally just snooping on the traffic between A and the game. You're just doing it in a different way.
You made it sound like the game connection (which again, isn't "telnet" per se) opened up the rest of the machine to vulnerabilities, and I don't believe it does. If you've already got a Trojan on your PC, that's a separate issue.
@Ghost said in Telnet Safety:
LITERALLY EVERY PERSON IN THE HOBBY CHECKS IT OUT AT LEAST ONCE (because this happens for almost every new live game. Boom. IP addy.),
They literally don't.
request your Ares handle in the app process...
That's not how that works.
But could someone set up a game that's just an elaborate phishing exercise? 100%. Is that particularly likely? Nope. Does that have anything to do with telnet? Nope. It could be done just as easily with a game that runs entirely on SSH/HTTPS.
I don't disagree with your fundamental message to be careful what you share online. That's good advice no matter what, and I echo it in the Ares data privacy guides.
I do disagree with the assertion that connecting to a game with a traditional MU client is opening you up to vulnerabilities beyond someone snooping on the traffic between you and the game.
-
@faraday I wasn't saying "request Ares handle" as if there was some way they could get through the https authentication with Ares, but merely as live data to tie an actual user to ip address.
@faraday said in Telnet Safety:
I do disagree with the assertion that connecting to a game with a traditional MU client is opening you up to vulnerabilities beyond someone snooping on the traffic between you and the game
Then you would find yourself in opposition to the entire information security industry, OWASP, etc.
In fact, most major companies stress that the biggest security risks are insecure handling of data, access gained through social manipulation, and the many many ways these things open you up for further intrusion. The least technical and educated people are the biggest risks.
Are millions of dollars in transactions (other people's money) at stake? No.
But as much as the community talks about stalkers, psychopaths, liars, manipulators, protofascists, and goes on and on and on about how bad certain people are...perhaps even MUing on games that allow "simulated" (airquote) paedophilia on the very same computer their kids do homework on...one would think that the risk of that outweighs your TS being snooped.
No one would purposefully try to go after this vulnerability for money (at least not in this community, as it's free and obviously a draw because it's free), but if someone were so inclined it would more likely be done by someone within the community than some random script kiddie in your apartment complex.
I guess people will just have to decide which of our obvious biases will or won't lead them astray!
Edit:
I had a "hold up" moment.
Do people in this community NOT realize just how much of your personal information you have archived and shared in the Hog Pit (or this forum alone) over multiple years of use: people talking about their lawyer work, their jobs, their kids, how close they were to that thing that happened here in Raleigh?
Anyway, maybe this is just one of those things where the attachment to the hobby outweighs giving a fuck, or maybe your biased position @faraday dismantled the point, but I think it's crazy, crazy how easy it would be to sploit the hell out of people in this hobby in ways that absolutely scare/affect them, and my ability to do it all drops significantly when connecting via https or using a vpn.
And note your peers in this community have prioritized "socially avoiding/attacking people who use vpns because it doesn't allow game staff to try to track players by IP address". THIS is insane, because this is your peers openly admitting to tracking insecure IP addresses of players for a personal/biased reason. At every turn in this hobby, the priorities seem to always be:
- Keeping the 5 or 6 specific "villain" names that people can remember off of the game for at least 4 concurrent months
Not that there has been really any success in this for well over two decades, primarily because of...telnet.
I have no clue how else to explain to people that using this protocol is literally the cause of all of their paranoia and inability to keep people out, and opens them up to literally the craziest people in the community, but if people were so inclined to workshop this (and allow me to prove my case) I would not be opposed to working with others to put together an operation to prove my case by using these methods to gather/log/report data on people doing criminal activity on sexMUs.
-
@Ghost said in Telnet Safety:
I wasn't saying "request Ares handle" as if there was some way they could get through the https authentication with Ares, but merely as live data to tie an actual user to ip address.
Your Ares handle is public. So anyone with access to your IP address on ANY game (e.g., staffers, coders, etc.) can already tie your identity to your IP -- even if you connected via HTTPs/SSH.
@Ghost said in Telnet Safety:
Then you would find yourself in opposition to the entire information security industry, OWASP, etc.
Woo! Me against the entire information security industry!
Seriously, come on. The security industry is based around formalized risk assessment processes. Literally nobody is going to equate the risks of general internet browsing (often with financial implications) - which is what those info security guidelines are geared towards - with the risks of roleplaying on some niche game server. Plus, most of the threat scenarios you've described (like IP snooping or social engineering) can happen even if you use a secure connection.
But you're right - folks can make their own decisions as to which risk assessment they choose to believe.
-
This feels like an argument between:
-
Person saying the entire information security world contains useful data that can protect you from threats you didn't know you didn't want to deal with, and attempting to explain to people the width of risk they should be aware of (framed in "community" scenarios)
-
Person who currently has an active stake in the hobby literally going against every information security concept in existence to say "it's fine; ignore it, but it was important enough for me to get Ares set with https for a lot of those listed reasons."
Shit, fara, you're the one that put https out there as an option for these games. Why put effort into it if it's no biggie?
Edit:
Or:
@faraday do you prefer to use the https portal access to the games you play, or the telnet MU client, and why?
-
-
@Ghost said in Telnet Safety:
Shit, fara, you're the one that put https out there as an option for these games. Why put effort into it if it's no biggie?
Because I don't see the equivalence you do.
HTTPs is the default for websites. Web servers are easily set up with HTTPs, browsers support it out of the box (in fact, most web browsers will annoy you with warnings if you're NOT using HTTPs). Also you can't do browser notifications without HTTPs in some browsers.
Open ports is the default for MU servers. Many MU clients won't even connect over a secure connection.
I started off by saying I agree with 99% of what you said, we started quibbling over the last 1% (which is just that I don't think it's factually accurate to say that someone can manipulate your machine through an insecure MUSH server connection), and now it kinda feels like you're acting like I'm an idiot who doesn't support basic internet security principles. So I'm taking a break for awhile.
-
@faraday And that's fine! Please don't mistake my tone as hostile; I'm really not.
The reason why https was made as a standard for websites (and thus web portals like Ares) is the addition of Transport Layer Security (TLS) that simply encrypts the data to keep it private. If it was simply that https was the standard of the service you were using, that's great. At least connecting through the Ares portal it provides some of that.
I don't think that you're an idiot who doesn't care about basic security principles, but I do think that the differences in bias in this conversation have led you to the "the risk is low" stance, whereas mine is "the risk you are focusing on is low, but there are other risks." It's just that "ignoring" the risk should only be recommended if you know the potential totality of damage if it were exploited.
No, a user cannot "take control of your machine" through use of telnet/23, but it is one hell of a sieve that can be exploited to violate your privacy, engineer further attacks (up to and including infiltration), and due to the use of telnet the risk isn't just your local machine, but the local machines of the other users and the MU itself (in terms of data breach).
I've said it before and I'll say it again:
- The #1 issue about leaving your data everywhere is retention. It is simply possible (and has been done many times) that MU owners can collect your data, it is stored on server, angry staffers steal the codebase, and in a lot of these cases there are no real questions asked about what (or if anything) is done with that data once the server is stolen/closed down. When Fallcoast got stolen, people found all kinds of other peoples' data on that yoink. Email addresses, conversations in pages people thought were private, etc. It can all be grabbed, and that -can- include data you don't want unintended people to know (addresses, names, businesses, phone numbers, email addresses, etc)
- "Mal" from Serenity and his goons were notorious for going "dark" and sitting in to watch people's TS, monitor their pages, and in many cases players found themselves getting screwed over for stuff they didn't know other players were watching. Changes to telnet since then: None. Still possible everywhere.
- There is so little active trust in the community that I don't understand why people REFUTE this topic so badly, when it is a technical fact. It is 100% believed there are psychopaths and "bad actors" in the community, and 100% confirmed there are people who like to RP sex with kids in the same community (and some on this forum even refer to it as "age play" - airquotes and yikes), but...what(?)...24.5% belief that any one of those people would exploit the use of the open protocol to get intel on players? Doesn't make sense at all. Why does the trust suddenly show up there?
There are people who spend actual time of their lives trying to hide from the likes of SpidJeurgOppWhoever like they're going to swoop in at any moment to ruin their lives and destroy their self-esteem, stating that they're "dangerous" and "probably violent" and other choice words like "sociopath" and "incel" (et cetera; et cetera; et cetera), but then when a guy like me says "you know these psychos can SO easily fuck your lives up with this, right?" That the risk isn't through your roleplay but -- yanno -- them skipping past trying to RP with you to literally stalk you (as a person), completely undetected....and people are like:
"Nah! I ain't Bank of America so it's cool"
I will say this, though, not that I would do anything like this, but if I had threatened in this thread to send details on how to do this to any of those "bad actors" I'd probably get banned and send a lot of people into a state of anxiety, which would prove the point that the risk isn't in the RP being snooped. The risks are quite literally in the vein of:
AN EASY SCENARIO THAT IS 100% POSSIBLE AND REQUIRES NO TALENT TO PULL OFF
- MUing: an open, free hobby shared with an unknown number (but confirmed) stalkers, paedos, etc
- there is a lot of "stranger danger" factor, with unlimited ways to sneak in and infiltrate
- New games are ultimately trusted long enough for at least one connection to "check it out", which would be sufficient to give an insecure/non-VPN ip address to start the process. I figure it would take me a couple of months to cultivate a new "identity" on this forum or the other one, say "I'm Dave from Florida, new to the hobby but a Linux guy, and I'm gonna try to make a game, too!". Maybe go to the other forum and talk shit about Derp or something for 5 minutes until people are like "DUDES THIS NEW DAVE IS FUCKING RAD" (it's not hard to get in with these crowds at all, really. All you have to do is hate the people they hate. I've been in and out of the clique myself a few times back in the day - not to their knowledge (+)). People are generally excited for new play opportunities, and since this isn't a big risk at all, no one needs to really worry about the telnet connection, right?
- Player-Attachments to MU Clients (and the ways you can store sites, macros, etc) almost all use telnet/23, and it is unlikely that people would get rid of those in favor of https without their embedded colored text, spawn windows, etc
- A patient enough person exploiting this could simply gather data (RP, pages, chats) over time, completely unaware to an entire playerbase to datamine information on players, their IP addresses, backtrace those to their geolocation, apply their name/location/kids names/dogs' names/cats' names/spouse names/alma mater and then apply those to social media searches on X/FB/Insta/LinkedIn. At this stage it gets downright creepy.
- They could then utilize those methods to prepare guessed passwords, perform penetration testing for other insecure parts of the users' machine(s), and use that to get additional access on the PC. Regardless of that, the geolocation data is sufficient enough to make physical contact if so desired, with either the desired user or their personal interests (work, family, safety)
- How many MU players (that you really don't know) have YOU received private information about from 3rd parties that includes their jobs (lawyers? We got any lawyers in the house?) their general locations, their names, their sexual preferences, etc. How many players do you know on this forum and through their posts alone how much have you learned about their lives, medical needs, emotional needs, their twitch streams, their online writing and blogs, their extensive posts about their personal lives and what they're going through? Don't want to scare anyone, but I think I've learned more about MUers from 3rd parties than from the actual people themselves, because as the Hog Pit proved, the desire to shame other players with personal information is somewhat higher, and if a socially engineered dogpiling campaign comes your way...well...you know your personal life information is open season.
- ^ If you think THIS is inaccurate, then tell that to everyone a certain MUer shared details of my private life and difficulties with my kiddo to dozens of 3rd parties without my consent as a result of being rejected romantically on a RL level and continues to share a self-edited version to this day.
(Note: The story others get is sans the part about their RL flirtation towards me, the request for space/rejection after a line was crossed with their flirtation in an unsolicited message to my RL cell phone that my partner saw and didn't appreciate, but apparently needed to provide a falsified version of myself and my RL situation to anyone who would listen as an emotional user of people and an emotionally draining "need" sponge. This is ultimately fucked up because I was dressed as an emotional abuser as a result of trying to set reasonable boundaries with someone who was emotionally cheating on their partner, but as a result I was publicly abused by this person out of spite, yet they needed it to be delivered as being my victim).
Ya tell a person you need space (and aren't comfortable), they say "don't I get a say in this?" and "I'm always being chosen above other women", and then 10 pages later you find yourself on the bottom end of an accusation of being an abuser and user. Gotta love it when people cross your requested lines and then retaliate when you protect yourself from them, right?
(I digress, but it's entirely bizarre the number of people who do "OPPshit" that want everyone to keep OPP out.)
This kind of shit happens regularly to better people than I. IYKYK, and I know plenty of people have heard this story from one side. Your personal life details are cheap to trade and even easier to corrupt.
And for those of you who got personal information about me from those bs stories? I guarantee the same people are talking about your personal details, too.
- I literally know a few of your real-life names, which is crazy considering I can count on one hand the number of MUers I know who have told me their real-life names personally. A lot of that data just came conversationally and without request.
- IF the PC is breached, everything from logging to DNS cache poisoning to MITM is on the table, provided the talent, time, and willingness of the malicious actor
This is not a fantasy scenario. This is "Red team 101" and probably covered in the first few chapters of the Certified Ethical Hacker certification, but if not in the first few chapters it is definitely in there. People need to consider the actual 10,000 foot view of just what they're giving away to these other players, and need to understand that just because it's a direct page to "Steve" on "New England By Night" (PB Paul Walker or something), that the existence of telnet being used means that when you give "Steve" your phone number, there is absolutely no guarantee that a 3rd party isn't actively collecting that data, and in the MU community it is far more likely to be used in a personally harmful manner than a financial one. Not only is there no guarantee, it is sickeningly easy to do.
Either way, agree with me or not, fuck it, it's y'alls problem, but it is a problem. Good luck out there and please take this seriously, regardless of the counterpoint Fara provided. It's real.
"(+)" - Sidenote: I didn't "infiltrate" the clique, but when you're not declaring who you are it's shockingly easy to get picked up for a scene and then get included in chats about how bad everyone else is. ¯\_(ツ)_/¯ The fact that it happened multiple times is just...I guess a fringe benefit or somethin. It's hard to tell who other people are, too, when you don't care.
-
@Ghost said in Telnet Safety:
AN EASY SCENARIO THAT IS 100% POSSIBLE AND REQUIRES NO TALENT TO PULL OFF
Absolutely everything in your nightmare scenario can be done if the game is running SSH/HTTPS. You're blaming the technology for a people problem.
@Ghost said in Telnet Safety:
I've said it before and I'll say it again:
And I've said it before and will say it again:
@faraday said in Telnet Safety:
I don't disagree with your fundamental message to be careful what you share online. That's good advice no matter what, and I echo it in the Ares data privacy guides.
-
@faraday said in Telnet Safety:
Absolutely everything in your nightmare scenario can be done if the game is running SSH/HTTPS. You're blaming the technology for a people problem.
Yes and no.
A person with admin-type access has access to connection level information even through HTTPS, and on-server can log/monitor communications, yes. That is correct.
But it is significantly harder for even someone with that admin access to utilize an HTTPS(TLS) connection to further exploit their own users without being detected or perform unwanted session redirects without being detected.
It is a people problem, yes, but to spoof a TLS connection you'd need a forged certificate and the actual public key of the target site. You don't need that with telnet. TLS mitigates a lot of the potential attack vectors, but even with TLS there are issues.
- A user connected via HTTPS roleplaying with a player connected via telnet potentially exposes things further through the telnet player. The TLS user sends/receives encrypted data, but the same data (pages to telnet player, etc) are then transmitted to the telnet user in cleartext because the sessions are with the host and not P2P or arranged through something like "shared key/insecure network" security provided by Diffie Hellman.
(I'm now wondering if it's possible to implement something like Diffie-Hellman on a MU server....it's sure AF old enough, and I now wonder if the Unix-based programming in a MU client could handle the exchange of a shared DH/AES key with the connected telnet user. Might be worth exploring for telnet users, and tls for https users.)
^^^ IF this is possible (being theoretical, here), I recommend including "log text" in the MU to record something like this:
- mask the shared key/IPs sent to the username's session, but keep the date and timestamps to ensure other staff aren't collecting data (The shared private key between host and client can be used to decrypt). ONLY access the non-masked information on a need-to-know basis, locked behind God privileges, and NOT accessible on the same staff logins even the headwiz uses regularly
- if the implementation is stable enough and works, require telnet users to accept the randomized shared key and connect via D-H to play on the game. Everyone is encrypted.
- IF possible (unknown), idle connections are released after being idle (other user disconnected) for an hour, release the DH shared key, and require a new one
- IF possible, include a list of blacklisted usernames and IPs who are to be denied the DH key. Forcing this may actually be the solution to further keeping people off of games.
- may require a client download on the user's side to complete the connection and run parallel to their MU client
(Again, D-H is deprecated as shit and crackable even in this implementation, but it is better than Telnet and further mitigates local router snooping telnet logs, as well as any other session interception reading issues. I'm not sure if anyone has tried D-H over MU via telnet before, but if the BBS system can handle the handshaking and the client is a free and safe download, this could be the answer.)
-
If the certificate (for Ares I don't know off hand if it's the hosting site's certificates or faraday's, and no one should know where it's stored) is exposed through any means, a malicious user can decrypt as desired.
-
TLS 1.2 is still vulnerable to Raccoon, large ticket injection, Sloth, CRIME, BREACH, etc, but those require more skill and talent to breach, though MUs are not likely targets for these attacks. I doubt a MUser would go to these lengths.
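The Diffie-Hellman-over-telnet idea from the post above, worked through as an added example; this is not code from the thread, from Ares, or from any MU server or client. It uses X25519 (RFC 7748, implemented here on the Python standard library) in place of classic finite-field DH, a constructed HMAC-SHA256 keystream-plus-MAC in place of the AES the post mentions (the standard library ships no AEAD; a real deployment would use a vetted library and AES-GCM or ChaCha20-Poly1305), and an invented `DH-HELLO` line format. It shows what a passive snooper on the path captures (only the two public keys), why each line carries a per-direction sequence number (tamper and replay detection), why a fresh session gets fresh keys, and what the staff log keeps: a timestamp and a key fingerprint, with the key itself masked. What it does not fix is also in the post: the host still sees plaintext, so the hop to a telnet-only partner is unchanged, and an unauthenticated exchange gives no way to tell the game's key from a key inserted by someone on the path, so the client would still need to pin or verify the game's public key, which is exactly the job the certificate does for TLS.

```python
# Added example (not from the thread or any MU codebase): ephemeral X25519 key
# agreement around a line-based text session, plus the masked staff-log record.
# Assumptions: the line cipher is a constructed HMAC-SHA256 keystream + MAC that
# stands in for a real AEAD, and the "DH-HELLO" line format is invented here.
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (486662 - 2) / 4, from RFC 7748
BASEPOINT = (9).to_bytes(32, "little")


def _cswap(swap: int, a: int, b: int) -> Tuple[int, int]:
    return (b, a) if swap else (a, b)


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5; returns the 32-byte u-coordinate."""
    k = bytearray(scalar)
    k[0] &= 248; k[31] &= 127; k[31] |= 64             # clamp the private scalar
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u[:31] + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * ((da - cb) ** 2) % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Constructed counter-mode keystream: HMAC-SHA256(key, nonce || block index)."""
    return b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))


def seal(enc: bytes, mac: bytes, direction: int, seq: int, line: bytes) -> bytes:
    """Encrypt one line; the nonce is (direction, sequence) so no keystream is ever reused."""
    nonce = bytes([direction]) + struct.pack(">Q", seq)
    ct = bytes(p ^ k for p, k in zip(line, _keystream(enc, nonce, len(line))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(enc: bytes, mac: bytes, direction: int, expected_seq: int, blob: bytes) -> Optional[bytes]:
    """Return the line, or None on wrong direction/sequence (replay) or a bad tag (tampering)."""
    nonce, ct, tag = blob[:9], blob[9:-32], blob[-32:]
    if nonce[0] != direction or struct.unpack(">Q", nonce[1:])[0] != expected_seq:
        return None
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class Session:
    """One endpoint (host or MU client); only the DH-HELLO lines cross the wire in clear."""

    def __init__(self, role: str):
        self.role, self.direction = role, (0 if role == "host" else 1)
        self.priv = os.urandom(32)                      # fresh per session: forward secrecy
        self.pub = x25519(self.priv, BASEPOINT)
        self.seq_out = self.seq_in = 0

    def hello(self) -> bytes:
        return b"DH-HELLO " + self.pub.hex().encode() + b"\r\n"

    def finish(self, peer_hello: bytes) -> None:
        peer_pub = bytes.fromhex(peer_hello.split()[1].decode())
        shared = x25519(self.priv, peer_pub)
        if shared == bytes(32):                         # reject low-order peer points
            raise ValueError("invalid peer public key")
        transcript = b"".join(sorted([self.pub, peer_pub]))  # same order on both sides
        prk = hmac.new(b"mu-dh-session-v1", shared, hashlib.sha256).digest()
        self.enc = hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()
        self.mac = hmac.new(prk, transcript + b"\x02", hashlib.sha256).digest()

    def send(self, text: str) -> bytes:
        blob = seal(self.enc, self.mac, self.direction, self.seq_out, text.encode())
        self.seq_out += 1
        return blob

    def recv(self, blob: bytes) -> Optional[str]:
        line = unseal(self.enc, self.mac, 1 - self.direction, self.seq_in, blob)
        if line is None:
            return None
        self.seq_in += 1
        return line.decode()

    def audit_record(self, when: float) -> str:
        """What the staff log keeps: timestamp, role and a key fingerprint, never the key."""
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(when))
        return "%s %s key=<masked> fp=%s" % (stamp, self.role, hashlib.sha256(self.enc).hexdigest()[:16])


def demo() -> dict:
    host, client = Session("host"), Session("client")
    wire = [host.hello(), client.hello()]               # everything a passive sniffer sees
    host.finish(wire[1]); client.finish(wire[0])
    first, second = client.send("page Bob=meet at the tavern"), client.send("say anyone around?")
    wire += [first, second]
    plaintext = host.recv(first)
    tampered = host.recv(second[:9] + bytes([second[9] ^ 1]) + second[10:])  # one flipped byte
    replayed = host.recv(first)                         # old sequence number
    plaintext2 = host.recv(second)
    reply = client.recv(host.send("Bob pages: on my way"))
    host2, client2 = Session("host"), Session("client")  # a new session rekeys
    host2.finish(client2.hello()); client2.finish(host2.hello())
    captured = b"".join(wire)
    return {"keys_match": host.enc == client.enc and host.mac == client.mac,
            "plaintext": plaintext, "tampered": tampered, "replayed": replayed,
            "plaintext2": plaintext2, "reply": reply, "rekeyed": host2.enc != host.enc,
            "secret_on_wire": any(s in captured for s in (host.enc, host.priv, client.priv)),
            "audit": host.audit_record(0)}
```

Running `demo()` walks one host/client pair through the handshake and four lines of traffic: the page decrypts, the flipped byte and the replayed line are both rejected without touching the sequence state, the second pair gets unrelated keys, and nothing that was on the wire contains a private key or the derived session key. The `audit_record` line is the shape of log entry the post asks for: enough for staff to correlate a session by time and fingerprint without the key that would let them read it.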
-
@Ghost I feel like we're arguing in circles and you're saying that I'm dismissing concerns that I'm not dismissing.
I am simply saying that many of those things you're worried about (honeypot MUs run by malicious actors, scraping IPs, social engineering, data within the game being compromised/spied on) are just as much a concern if you're using a secure connection as if you're using an insecure one. That is supporting your call for vigilance, not undermining it.
I just do not agree that you can compromise a MUClient connection in the way you seem to be describing. MUs do not use telnet/23, they use a simple, custom TCP protocol. It's a dumb-as-nails text connection that sends text to the game and displays text back from the game. The primary vulnerability is simply being able to snoop and/or manipulate the text sent back and forth. Which is a point I've agreed with from post 1. If there is some other technical exploit I'm missing here, I would genuinely love to know (even if it's by DM if you don't want to advertise it). But nothing you've said so far has convinced me that there is.
Tangentially, for the record, each Ares game has to set up its own security cert.
-
@faraday I think this would have been an amazing conversation over coffee, and I apologize. I don't mean for my tone to come across as accusatory as it did. I'll keep an eye on that, especially with you since you're awfully nice.
In my head this was more of a "DUDE...BUT..." type cubicle conversation about tech stuff, but one thing I think we did amazingly here is provide a point/counterpoint.
I am a former MUer with evident trust issues with the globulous "community" who is approaching this from the point of view of "...the bad scenario" and wanting to state out the width of possibilities to get them out there and under consideration.
You are still prevalent in the community and are approaching this from a "stepping back from that, this is more likely" approach, and are providing a technical counterpoint about where the safety works and why it is better than it used to be (it is!).
I do think one thing is sure, though. Whatever next state the hobby takes will probably include someone either improving the insecure transmission issue through some new client/interface to cover that problem, or improvements to client/web interfaces using TLS to allow for more of the customization that MuClients provide.
And hot-damn, I'm still wondering about Diffie
-
@Ghost said in Telnet Safety:
I don't mean for my tone to come across as accusatory as it did. I'll keep an eye on that, especially with you since you're awfully nice.
Thanks - I think we were largely just talking past each other. All good.
@Ghost said in Telnet Safety:
Whatever next state the hobby takes will probably include someone either improving the insecure transmission issue through some new client/interface to cover that problem, or improvements to client/web interfaces using TLS to allow for more of the customization that MuClients provide.
That would be nice, but moving away from the old MU clients - even if you could pry old unsupported ones out of people's fingers - presents a whole other set of hurdles. Probably for a different thread, tho.
-
@faraday Mo' tech, mo' money, different problems
-
Maybe this should be a sticky.
-
bless faraday for having the patience for this
-
@Juniper Heh. Though just for the record (in case it wasn't clear by the nitpicky arguing) Ghost and I agree on the core technical risks:
1. Anything sent between your computer and an insecure endpoint is susceptible to being snooped by a third party. This includes both http (without-the-s) websites and virtually all MU* client connections.
2. Anything you send to another MU player can be snooped by a third party if THE OTHER PLAYER is using an insecure connection.
3. Anything you transmit to ANY internet service is potentially visible to and exploitable by the service owner, anyone they choose to share it with, and anyone who compromises THEIR security.
Since #2 and #3 are still risks on a MUSH even if you connect securely, I don't personally lose sleep over #1. But I do think it's prudent to follow general precautions no matter how you connect:
- Avoid sharing sensitive information with other players, and if you do - it's safer on discord or via email than on a game.
- If you're on a dodgy public network (like a coffee shop) or have a dodgy partner/roommate, use a VPN.
- Follow general internet safety practices on your PC to protect it from vulnerabilities (e.g., use firewall/virus software, be very careful with email links/attachments, etc.)
- Be extra cautious/suspicious of sites that have insecure connections, and never trust them for anything truly important (ecommerce, banking, email, etc.)
With those general precautions in place, I'm perfectly comfortable connecting to my favorite MU via Atlantis/Beip/etc. YMMV.
-