What's your identity worth to you?

RnMissionRun

@arkandel said in What's your identity worth to you?:

@thenomain said in What's your identity worth to you?:

There is nothing you can ask for from us that we can't easily fake, unless you're asking for a mailing address or phone number in which case you're going to lose a lot of people.

I am far less concerned with people whose technical familiarity allows them to easily maneuver around trivial limitations without much trouble and more with those who are skeptical about participating in the community here in the first place, and for whom having that extra step of providing a 'real' e-mail account to register might be what decides it for them.

In other words I want to make life a little harder for trolls, but not at the expense of legitimate, casual newcomers.

The only flaw in this plan is the fact that any troll sufficiently practiced in the art to be a problem, will likely fall into the former group, not the latter.

Arkandel

@rnmissionrun Iiiii am aware, yep.

ixokai

@arkandel I disagree. The 'I wont give you an email' crowd is nothing at all like a silent minority, from what I've seen/remembered. They'll vocally and viciously not give you their email more often then not.

Apos

@faraday said in What's your identity worth to you?:

@apos said in What's your identity worth to you?:

Oh yeah I'm sure they exist, I just think it's so small and so niche that it's not worth it to factor them into design decisions.

I guess it depends. Unlike Arx, most MU*s are pretty small. The idea of potentially alienating up to 10% of your already-small population seems like something many games would want to factor into their design decisions - even if that decision is ultimately "screw it, we're using email".

Yeah, I can understand that as a major concern. I think I should rephrase what I'm saying as, 'I think game runners worry too much about loud voices that have been in the hobby for eons, and it's a bigger danger to alienate a much larger base of players by trying to appease them'. If a game runner can appeal to both, no reason not to.

Arkandel

@ixokai said in What's your identity worth to you?:

@arkandel I disagree. The 'I wont give you an email' crowd is nothing at all like a silent minority, from what I've seen/remembered. They'll vocally and viciously not give you their email more often then not.

The reason I was asking wasn't to judge the sentiment (even though I kinda do), it's that there's zero need to give anyone your e-mail or for that matter, to even create one.

For example I can send an e-mail right now to weirdpeoplewhodontlikeemailaccounts@mailinator.com without taking any other action first - not even to create an account. Then I can go to mailinator.com and yep, the e-mail will be waiting there for weirdpeoplewhodontlikeemailaccounts .

I would like to understand the moral qualm about this, that's all.

Nemesis

@arkandel said in What's your identity worth to you?:

@ixokai said in What's your identity worth to you?:

@arkandel I disagree. The 'I wont give you an email' crowd is nothing at all like a silent minority, from what I've seen/remembered. They'll vocally and viciously not give you their email more often then not.

I would like to understand the moral qualm about this, that's all.

I will never as much as log into any MU that demands an email registration just to connect. Not because it's shady or a privacy concern but because I won't know until I've looked at the +news and recent bboards (or how recent the last bbpost is anywhere) if the game is worth creating an address for or clumping in with half a dozen others or if it's just a waste. I've seen a hundred quality ads that turn out to be shitty MUs or MUs populated with shitty people or MUs that just aren't that interesting or MUs that are just plain not active.

When a MU allows guest connections without email registration or if it allows character creation but not necessarily character approval without email registration, I will always look around. If the game is active and the bbposts are generally literate and there isn't juvenile bullshit like flame-warring going on right out on front street, I will give them an email address. If it passes the last 2 but not the first then I will usually ask staff if I can get a char @pcreated without giving up an email address. If it doesn't pass the last 2, I won't waste my time. I've had some staffers seriously lose their shit as if I was being vocally and viciously against email reg when I said something like, "Hey, can I just skip the email reg part?"

RnMissionRun

There is no moral dilemma.

It's mainly paranoia and distrust caused by past experiences with psycho staffers/players. It's also people wondering why they're being required to give an email address at all if any disposable email account will meet the requirement.

Ganymede

@nemesis said in What's your identity worth to you?:

When a MU allows guest connections without email registration or if it allows character creation but not necessarily character approval without email registration, I will always look around. If the game is active and the bbposts are generally literate and there isn't juvenile bullshit like flame-warring going on right out on front street, I will give them an email address.

I concur with you completely, but would add that I would go through the process if a RP partner I trust recommends the game at issue; that's why I was willing to give Arx my email address.

Arkandel

@nemesis said in What's your identity worth to you?:

Not because it's shady or a privacy concern but because I won't know until I've looked at the +news and recent bboards (or how recent the last bbpost is anywhere) if the game is worth creating an address for or clumping in with half a dozen others or if it's just a waste.

Hrm, so even using an on-demand e-mail address like mailinator is too large an investment in time? I'm not trying to criticize you, I just want to understand since it literally takes 5 seconds to switch to the web browser and get the activation URL from its mailbox, which you'd never need to use again.

The reason I don't understand it is that, as you said, it takes considerably more time afterwards to figure out if the MU* is any good, or even active.

I've had some staffers seriously lose their shit as if I was being vocally and viciously against email reg when I said something like, "Hey, can I just skip the email reg part?"

Well, there are lots of whackjobs out there staffing, there's no arguing that.

Ghost

In MU, privacy has a few core problems:

1. There are really no (or few) two-way agreememts as to what game staff can or cannot use your contact information for. A good example of this is Mal from SerenityMush mass mailing everyone his LinkedIn information. Aside from annoyance and leaving the game, there is no guarantee staff won't use your IP or contact info for their own purposes.

2. From an IT perspective, telnet is insecure and any personal information stored on a telnet game could also be vulnerable to a number of attacks. MUs are far less secure than Equifax, and do not have established rules for patching, etc.

3. As we have seen recently, being subjectively kind of like that one guy from Louisiana and also being from Louisiana, will not protect a musher from having someone else's identity knowledge being used against them on an inaccurate witch hunt. Justified or not. (Though, I think the term justified is morally ambiguous in this case)

4. Stranger Danger. I've seen some seriously dark behavior, controlling behavior, abuse, etc in this hobby. Again, I will remind people that while these people share a common hobby, they are strangers. There's plenty of stalking and obsessive behavior on these games, and the assumption that you havent provided enough information to have your private life infiltrated is an assumption. Staffers could perform IP lookup to gather location data, view stored email address information, and either through web sleuthing on Google or social phishing could definitely find ways to violate your privacy.

Keep in mind that this isn't an anonymous online gaming community where you play Call of Duty and are protected by a screen name and 10 minutes of matchmaking. Many people in this hobby simulate very intimate and personal scenarios with people who are strangers, could be misrepresenting who they are over long term, or over time could develop obsessive/controlling/attachment behaviors that can make you regret having shared any information.

It is unwise to assume (with the number of strange and extreme personalities in this hobby) that just because you give a fake email address that you cannot be found.

#2 should be your greatest concern. Technically, Zero/Elsa/OPP/Spider, any of your usual suspects anathema crowd, have at times had more than enough information to breach your privacy or perform attacks on you.

surreality

@arkandel In all fairness, dude mentioned a dislike for anonymizers for pass through logins to the server and whatnot earlier. It's not much of a stretch to extend that distaste to something like a 'there and gone again' email setup that's similar. If someone feels something is shady when looking at it from the admin side, I'd like to think they would be less likely to use those options as a player, too.

I'm not real fond of the pass through servers like this either, for the same 'even if this person is not up to something shady like evading alt limits or similar, they feel unsafe enough here to take this step' and I wouldn't want either on the game. (Needless paranoia is needless* and can also create a lot of trouble in a different way, if the people running a place aren't email spamming people.)

I don't care as much about the email accounts, since they're primarily for password retrieval and the wiki, and ultimately, someone using a there-and-gone is only shooting themselves in the foot, as I'm not inclined to hoop-jump for them to work around that past a certain reasonable extent.

• I'm not real worried on this front personally. The email used for BITN's wiki email sender is the same one I set up for the game I was going to set up around the same time (in short: we knew it worked and it's a pain in the ass to set up), and nobody's been stalked or spammed through it, so I have something I can clearly point to to say: y'all don't need to worry about that with me (if I ever do a thing).

ETA: tl;dr: If I can trust you to not wreck a wiki I spent a year or more building, and a game that probably took longer than that, you can trust me with a throwaway gmail account made for that game you're only going to bother logging into if you need to reset a password.

Ghost

Double post.

I'm not on any games, don't staff anywhere, but before I write this want to make it clear that I'm writing this to drive home my point.

Say I were staff.

I could:

• reverse lookup your IP to gather geographical data
• use your IP information gathered at every login to port sniff your computer(s)
• web search your email address to research who you are. If it's not a throwaway email, this might lead me to your social media where I can learn your name or family members names
• I could then search those names for more Intel.
• if its a throwaway email, I could find other sites where youve used said login/alias to research places where you may have slipped and given details.
• through IP use, if I'm able to break through your security, I may be able to find a port capable of allowing me to insert man in the middle attacks or monitor keystrokes.

After all of these are put together, I suppose I could be an obsessed stalker, or an identity thief, or that guy who is really into rape Role play, but I'd have what I needed to fuck some shit up.

There are reasons why this information is protected on a corporate server level, and I assure you, RanfomMUofDarkness isn't applying Infosec level guidelines and background checks on the people getting access to that information.

And this is just an example for information that you weren't aware that you were giving.

There is a very real reason why telnet is blocked by most infosec orgs and SSL is required.

Ghost

Moar posting.

Ask yourselves these questions:

1. Since I'm using telnet, my password is being transmitted in clear text (telnet vulnerability). Does my MU char password match or resemble the pwd for my provided email address or any other sensitive logins I use on other sites?

2. Is the database where my email/ip information is recorded in logs encrypted? Likely not.

3. Who runs the MU? Who are they really? How do they store or remove IP/contact information? Who has access to this information? What is the vetting process to mitigate new staff using this information against me? Do I get a say or have any way in proving if a staffer does use this information against me? Are the identities of these individuals (staffers/wiz)tracked, or is it semi-anonymous? How long is this information stored? When a game is scrubbed and the DB moved to another game, is this data scrubbed? When someone steals the DB from the game owner and makes a game of their own using the DB, what happens to my IP/email information?

4. Is it possible that any of these people who lurk, stalk, or behave negatively haven't made notes about who is who, or has any of my personally identifying information that I've given these strangers been stored?

I don't mean to be a broken record, but I'm going to venture to say that the majority of people in this hobby are not technically savvy and rely on 3rd party products to protect themselves from intrusion on mostly Windows OS software. I'll also venture to say that a large number of players are more knowledgeable on MU commands than MU technology, otherwise we wouldn't have so many help threads like "What to do if your MU is attacked", because many game runners rely on outside sources for code/tech knowledge (and aren't technically savvy enough to protect this data day in, day out).

I'm just saying "Let's be real..." here. Every one of you gives every game you log into the #1 piece of important information every time you log in: where you are. You give every game a point-to-point traceable path back to your location and device.

Sunny

@ghost

So...yay, lots of scare info for worst case scenarios, good job. Do you have any recommendations or anything constructive, or are you just trying to give folks nightmares and make them rethink mushing entirely?

What practical result are you attempting to accomplish with this?

Ghost

@sunny

1. a worst case scenario only needs to happen once.

2. this information may be useful to people in terms of password security, security hardening on MUs, and protecting their identities

3. identifying the holes is step 1 to filling them.

My advice?

Establish SSL for encrypted login data transmission as a standard, verify that databases are encrypted and that login IP information is only available to head wiz and only stored for 30 days. When new staff is hired their identities should be shared with the game owner (if they have access to personal data) and in a perfect world staff might do something to vet that the person is who they say they are and don't have a recorded history of abusive behavior, sex offender database, etc.

Mostly just be aware that this hobby is built primarily on insecure/outdated technology, that code bases and staffing procedures could be rife with vulnerabilities, and to be very aware with this while engaging in highly personal conversation or simulated situations with absolute strangers.

Like it or not, the truth is that we may talk about people here on MSB that behave like sexual predators, but should never forget that we may never know if they're taking their game online because theyre a convicted sex offender in RL.

Arkandel

@sunny Nearly everything @Ghost mentioned applies to just about everything online, and people do need to be careful. There are ways to do that though, and for example:

• Don't reuse passwords. Ever. You don't know who has access to them, how they are stored or if they get stolen regularly. There are plenty of services - LastPass is online, KeePassX uses files stored on your machine/phone - that can help you keep separate, distinct authentication for everything you use.

• Have a throwaway e-mail account and use it for everything that's remotely sketchy. MUSH and games in general absolutely fall into that category - don't set your real name on it, just keep it as a mailbox you don't ever intend to check unless you need a password reset on the spot.

• If you are downloading torrents or such it's always a good idea to have a proxy service. Mine costs something stupidly low like $15/year and the provider keeps no logs, but they mask your IP completely. Sure, if the NSA is after you they could probably work something out but Joe Asshole who runs the MUSH you pissed him off on will look at the IP you logged on from and see something from Miami or Florida when you've been to neither of those States in years.

• Finally, and this goes without saying or it should... does anyone who visit MSB not understand there are simply people who don't like each other? Or that there are jerks among us - and I don't just mean "folks I don't like to RP with". Don't distribute your photos, address or identifiable information unless you want them to have it. I'm pretty confident that goes twice for female gamers but it's a good policy in general.

Just some ideas.

Arkandel

Oh - double post, but you'll notice MSB isn't using (and hasn't ever even before I took over) SSL.

I suppose I could have it do so but frankly you'd be well served not sending anything through this forum which constitutes 'sensitive information' of any sort. It's a gaming forum. Don't trust it.

Thenomain

@arkandel

Oh I don’t, sir. I do not indeed!

Ghost

@arkandel said in What's your identity worth to you?:

If you are downloading torrents or such it's always a good idea to have a proxy service. Mine costs something stupidly low like $15/year and the provider keeps no logs, but they mask your IP completely. Sure, if the NSA is after you they could probably work something out but Joe Asshole who runs the MUSH you pissed him off on will look at the IP you logged on from and see something from Miami or Florida when you've been to neither of those States in years

I thought some MUs blocked proxy services, or was that just one or two sites that got blacklisted?

But that's just another thing to think about. Proxy services are great. They mask your key location and make you harder to track, but unless the MU blocks proxy services (requiring user to authenticate with their actual IPs), then your go-to anathema people (or stalkers) can continually spoof IPs. It's a limitation of the technology that you can prepare for, but there's no silver bullet.

But the point of my last 3-4 posts is just this:

The majority of development in these MUs is for codebase/game system and not with security and identity protection in mind. IT standards that protect the user are simply not at the forefront of development of MU code. Some people try, and some security updates get made and may be mitigated on the user OS level, but it's still connecting to a potentially insecure service through a port. WoW devs/Infosec work around the clock on creating an unhackable service. Random MU does not.

It is absolutely something to keep in mind when MUing, or doing anything over the internet, especially when communicating any personal details.

Arkandel

@ghost said in What's your identity worth to you?:

I thought some MUs blocked proxy services, or was that just one or two sites that got blacklisted?

Other than for case-by-case banning it's pretty unlikely MU* will have the resources to block anything but TOR. One of proxy services' biggest profits come from Netflix masking (so non-USA residents get the benefit of a USA subscription) so it's in their interests to continue adding new addresses to their rotation... which probably makes it too hard for anyone other than dedicated professionals to keep up with that.