What's your identity worth to you?

Ghost

@arkandel Wow, I didn't think about TOR. Does TOR show up on IP address lookups as the origin point? I figure anyone actually paying out for a darknet account access on TOR might proxy after that, but damn, I wonder what I'd think if I saw someone logging in from a TOR IP.

surreality

@ghost It was so commonly used on Shang people flipped their shit when it was blocked in large numbers. Apparently, a lot of people use it default for MU*.

WildBaboons

Now that telecoms are free to sell your browsing habits it's a good idea to just always use a VPN for everything

Arkandel

TOR exit nodes are publicly known, although of course that won't tell you much about where they are actually from.

For instance this page - https://www.dan.me.uk/torlist/ is updated every 30 minutes. Blocking TOR wouldn't be too hard, they are after anonymity and not accessibility.

Ghost

@surreality said in What's your identity worth to you?:

@ghost It was so commonly used on Shang people flipped their shit when it was blocked in large numbers. Apparently, a lot of people use it default for MU*.

That's...chilling.

TOR is used commonly as a haven for cyber crime. It's been the go-to data drop site for groups like Anonymous and WikiLeaks, but it is also host to over 122+ sites of illegal pornography and used as a method for under the table communication of child porn.

Yes, I am suggesting that there is a possibility that TOR users on Shang or PenDes are also using TOR to access illegal pornography through the dark web. There's a reason why people choose TOR. It's the unpoliced wild west for hackers, pornographers, illegal financial trade, and software piracy.

surreality

@ghost For what it's worth, they blocked it a long time ago. Probably near a decade by now. So it's worth factoring that in re: what other things might have been available to people otherwise at the time. Ads for VPNs and such are everywhere these days -- even in actual TV commercials and whatnot -- which was definitely not the lay of the land then.

Nemesis

@Arkandel There are a huge number of TOR proxy addresses available for download specifically for people who want to block proxy users. There are probably a huge number of TOR proxies that aren't registered, too. Running a TOR proxy and registering that proxy with the reporting service are two different things, and both are optional.

Game admins need to remember to be cautious but not paranoid/stupid about this.

Awhile back I was playing on that Shadowrun RP MUD while a friend was in Austin (on AT&T fiber optic, with IPv6 addressing only) and when he was unable to connect to the game and I reported it the assclown who hosts that MUD on his home Comcast internet service, the assclown accused me and my friend both of TOR Proxying... I didn't fully understand his point in a lot of what he said but it seemed pretty clear to me that this moron thought I was me and the guy in Austin and a 3rd completely unrelated party in Amsterdam who had connected to his forums at around the same time that my friend was unable to connect. He used some ridiculous term "BOGONs" which was apparently in his cheap-o router's documentation, with a wikipedia article posted by the same fucktard who made up that bogus word, to describe IP Addresses which aren't in any RIR database. Because even if that was a legit tech term, a spoofed IP Address would totally work to get you connected up to a game. Pure brainless boob: Paranoid with delusions of grandeur toward his skillset and dumb enough to think anyone with a lick of sense wouldn't recognize his nonsense on the spot.

In reality, that fucktard lost 2 players because he's an idiot (who masquerades as a techie) and his router's too outdated to handle IPv6 addresses. In fact he's probably lost a lot more than 2 with the proliferation of IPv6 in major metropolitan areas (which is pretty much the entire US Eastern seaboard)... unless he sprang for the $120 router upgrade that he argued with me about after I told him that's all he needed.

Ghost

@nemesis

https://6session.wordpress.com/2009/04/08/ipv6-martian-and-bogon-filters/

Honestly? If I was hosting a MU on my home router, the dangers of potentially allowing IPv6 bogons to access my home network (an anonymous person who wants to play Shadowrun) outweighs a player not being able to connect via IPv4.

IPv6 transition (to IPv4) mechanisms have a nasty security risk of allowing outbound communication that cannot be detected by most network intrusion detection systems.

So if someone told me "Hey, update your home network so that this guy you don't know can connect via IPv6 to your home server to play an online game" I'd:

1. Never host an online game on my personal machine, so this would never be an issue.
2. Tell them no, politely.
3. If they insisted, I'd tell them politely to pound sand.

Bogons are widely used tech terminology, and IPv6 transmits IP information that appears bogus to IPv4 unless greater translation efforts are put in place. On a corporate level this gets handled more often than not, but a good home security tip is to disable IPv6 on your home router unless you have a specific reason to allow IPv6 connections through your home network.

So, in short, it may have been possible for someone connecting via IPv6 through an insecure home router to enable one-way logging for all users to their home device.

Ghost

So, respectfully, if that guy was a bogus assclown who was using bogus tech terminology, I invite you to unlock any IPv6 protections on your home router then post your home router's IP on Reddit.

I submit this as an example as to how lack of security knowledge can result in your private information being sniffed out over a MU server, and how lack of security knowledge can lead to a game owner being pressured to make their network (and the data from other people connected) ultimately hackable.

That guy made a good call, @Nemesis

surreality

@ghost said in What's your identity worth to you?:

So if someone told me "Hey, update your home network so that this guy you don't know can connect via IPv6 to your home server to play an online game" I'd:

Me: "I'm offering something free under the terms I'm comfortable doing so, and no more." (The end.)

Privately in my head: "Wow, the entitlement is really off the charts when someone's telling me to spend $120* just so they can join, too. Maybe I shouldn't bother doing this at all."

^ Because seriously, this attitude is not much different than, "If you want me to play in your tabletop game, you have to buy me all the books."

• Because maybe it's nothing to you, but $120 isn't something I have just laying around for my own fun, let alone to use on something for someone else's fun.

Nemesis

@ghost said in What's your identity worth to you?:

Bogons are widely used tech terminology

"Bogons" may be a widely used layman's term referring to technology the same way "Cloud" is a buzzword that means nothing but generically references "a computer network." Actual tech terms in reference to "a cloud" include "LAN" and/or "WAN". The actual tech term referencing "the cloud" is "The Internet." Similarly, IP Addresses (v4 or v6) are classed into A/B/C/D/E categories. Any IP Address that isn't assigned by an RIR is totally imaginary. It doesn't exist. Even if an OS let you set it or if you had the actual programming chops to put together a spoofing tool that allowed you to transmit raw IP packets with any IP Address you like, you wouldn't be able to transmit over the internet using it because it'd stall out on the way through your ISP's routing system. Even if you used a spoofed IP successfully, you would never get a reply to it (so you could never establish a bi-directional connection such as TCP - you could simulate one by sending connect packets and then waiting a few milliseconds before sending an ACK packet, if you had some way to predict or control certain parameters that would be set in by the server-side of that connection, but replies from the server would never, ever, in a hundred million eons, reach you).

Wikipedia is not your friend. Actually knowing wtf you're talking about is your friend.

Ghost

@nemesis You're the expert!

faraday

@arkandel said in What's your identity worth to you?:

I suppose I could have it do so but frankly you'd be well served not sending anything through this forum which constitutes 'sensitive information' of any sort. It's a gaming forum. Don't trust it.

Interesting tidbit - Google is on a bit of a crusade to eradicate HTTP and make everything secure. The other tech giants have been doing the same for telnet (it's no longer available on OSX terminal for example). So in that regard I agree with @Ghost that MUSHes are horrifyingly behind the times as far as security goes.

But I don't see that changing any time...ever, really. I looked into supporting SSL connections with Ares. The game code is trivial, but the steps involved in enabling it server-side were hideous for anyone who isn't an experienced server admin. Until MUSHers are willing to transition to a platform like Storium and sacrifice control over the game code in favor of having a robust, secure, game-on-demand platform, it just ain't gonna happen.

Killer Klown

Here's the thing. Cloud is pretty widely used in the technology side of things too - not because it's meaningless, but because the general usage of the term has given it a meaning. It can get irritating to some of us old hats (Don't get me started on people using the word 'drone'), but that doesn't make it less accepted or specifically incorrect. Short of technical absolutes <basically, ANSI or ISA related code words> most anything else has as much to do with what people know it as as official names - remember TWAIN, the standard interface for scanners back in the late 90s? Originally it was just there as a thing to interface two devices (twain, as in the old world for two); over time, though, it became commonly referred to as 'Technology Without An Interesting Name' and that stuck.

As far as IPv6 security vulnerabilities? Yes. All of our firewalls have 'block ipv6' enabled by default for just that reason. That's not something we set, that's manufacturer default (And before you ask, this is corporate level stuff - Cisco, Palo Alto, Symantec/Sygate, etc - not exactly Zone Alarm here.) It's gaining traction, but not nearly as quickly as predicted - and the fact is that lack of familiarity is more dangerous than any inherent security flaw - people don't know what to protect themselves against or how best to go about it. Therefore, most people take the airgap route - nothing can attack the device if the device is not plugged in - and that's perfectly viable, especially if it's not being utilized by more than a small percentage.

Arkandel

@faraday said in What's your identity worth to you?:

But I don't see that changing any time...ever, really. I looked into supporting SSL connections with Ares. The game code is trivial, but the steps involved in enabling it server-side were hideous for anyone who isn't an experienced server admin.

To be honest when I considered it I was busy with migrating MSB from the old to the new server so I had my hands full, and it seemed like an unnecessary detail to worry about.

Now I have more time and I could do it, but I'm not sure there's a use case for it. If there was a strong enough request, sure, but... why? We're sharing cat memes and chat about a hobby no one cares about, which is all public anyway, so unless people are reusing passwords (don't do it!) that might get stolen and authenticate attackers on other sites or sharing sensitive information in private chats...

But yeah. The future is an encrypted one. I also always loved the idea of coding a MUSH that somehow generates private keys for each user then signs everything that gets said or posed, so there's no chance something might be faked or altered in pasting without being able to know for sure.

faraday

@arkandel said in What's your identity worth to you?:

Now I have more time and I could do it, but I'm not sure there's a use case for it. If there was a strong enough request, sure, but... why?

I'm not saying you need to, but the answer to 'why' is right there in what @Ghost posted. There's data here, and that data could, in a worst-case black-hat sort of scenario be used as an attack vector. Whether it's a weak password, or identifying someone's Google account through their email (which often is the key to their virtual kingdom) or tracing their IP, or stalking posts to glean info to use in some kind of social engineering exploit, or impersonating them to a MU friend to open up some other attack vector...

Is it likely? No, not especially, which is why mom-and-pop websites have been using HTTP for years while only banks and places using financial transactions opted for HTTPS.

But it is possible, and that's why the security tide is turning.

Nemesis

@arkandel said in What's your identity worth to you?:

But yeah. The future is an encrypted one. I also always loved the idea of coding a MUSH that somehow generates private keys for each user then signs everything that gets said or posed, so there's no chance something might be faked or altered in pasting without being able to know for sure.

PennMUSH 1.8.6p1 has a config option that allows logging of all commands that are input which I assume includes pages/says/poses regardless of player/object location. And every MUSH since the original MUSH itself has the NOSPOOF flag which will tell you what object is responsible for sending the message you just saw.

That won't do you much good if somebody with a Wizbit wants to @force some player bit (or a player wants to @force some puppet object) to start spouting wtf-ever in the OOC room since the nospoof will show you that the player is saying things, not that they're being @forced to say them. At the end of the day NOSPOOF just guarantees that you'll know who sent every @emit even if they didn't include their @name in the pose.

As always, logs can be edited (or manufactured wholesale) with a simple text editor at which point the log is only as good as the person who was NOSPOOF (or claims to have been NOSPOOF) at the time the log was made... or in the case of Penn v1.8.6p1, the person who has access to the shell.

Ghost

@killer-klown Thanks for the seconding about IPv6.

One thing you definitely learn in IT is that it isn't always the technological vulnerability that is your biggest threat, but perhaps a threat in process. A good example of this is texting a challenge code on a password change to a registered mobile device (something the user will have on them) to avoid the risks associated with a call center person just changing a password because the person on the phone claims to be who they say they are.

So, to come full circle on the topic, I welcome game runners and players to look back at my previous questions.

1. Since telnet xmits UID/Passwords in clear text, do a quick audit to determine if ANY of your mu logins are using your email or banking passwords.

2. People really should consider the role of staff access to PII (personally identifiable information), ip logging, and how that information is stored as an important topic. Since MU uses outdated tech, less security-minded architecture, and no admin standards, it'll be processes that protect players' PII more than tech. Might be a good topic: MU Security Best Practices or something.

3. Players need to be aware that your "identity" isn't just limited to what you tell people. Data aggregation is a thing, and people are always more clever when they have a game plan. Anything that can be used as a starting point for research is useful, be it a screen name, an email address, or an IP address. It doesn't matter if you give a fake name or are mum on your private details if insecure data leads malicious attackers to the truth regardless.

These are things all people should know about the vulnerabilities of this hobby's technology, and worth keeping in mind.

Kanye Qwest

NOTHING would you like to be me?

ETA: you cannot have my dog

Nemesis

@killer-klown said in What's your identity worth to you?:

As far as IPv6 security vulnerabilities? Yes. All of our firewalls have 'block ipv6' enabled by default for just that reason. That's not something we set, that's manufacturer default (And before you ask, this is corporate level stuff - Cisco, Palo Alto, Symantec/Sygate, etc - not exactly Zone Alarm here.)

You are completely full of shit.

https://blogs.cisco.com/enterprise/disable-ipv6