What's your identity worth to you?

Ghost · Mar 14, 2018, 1:14 AM

@nemesis I don't...exactly understand why you're fighting this so much when the general Infosec and IT community disagrees with you. So I'll leave you with reading from sources that clearly have no idea what they're talking about.

NIST (National Institute of Standards and Technology): https://csrc.nist.gov/publications/detail/sp/800-119/final#pubs-abstract-header

OWASP (a bunch of chumps who are an international organization renowned as the tip of the spear in dealing with web/info vulnerabilities. It's OWASP top 10 is considered a fair standard for the top 10 security risks at ANY given time. They don't know anything, but they wrote a completely bogus thing on IPv6 vulnerabilities that I'm sure you knew about): https://www.owasp.org/index.php/File:Vulnerability_Scanning_in_an_IPv6_World.pdf

If you would like to try ARP spoofing using IPv6 on an IPv4 network, here you go: https://insinuator.net/2016/03/multicast-based-ipv6-neighbor-spoofing-response-behavior-on-cisco-devices/

Anyway, I'm gonna stop there. You're out of your damned mind if you think there isn't a widely sploited IPv6 vs IPv4 vulnerability for MITM attacks, and the rest of the IT world as a whole disagrees with you. Who am I to say, though? Maybe they're all wrong about their bogus terms such as boguns and vulnerabilities and 200+ videos on YouTube about IPv6 MITM attacks and IP spoofing. I'm not going to argue with you about this. You were factually wrong from the start. Let it go.

And I assure you in no way that I'm not reading, right now, about how to use socat to tunnel IPv6 through IPv4.

Anyway, this got derailed. Don't listen to this guy (he doesn't know shit) and an IPv6 attack against a home router that isn't protected from it is a potential vulnerability.

The point is that IP information gathered by MUs are a potential attack vector.

Ghost · Mar 14, 2018, 2:18 AM

New question:

Game Owners: From IP information to email addresses, what are the current standards of collection?

Are IP addresses stored, and if so how long?
Does stored IP information get scrubbed?
For games that require registration with an email address, does that email get scrubbed when the PC bit is destroyed?

surreality · Mar 14, 2018, 1:14 AM

@ghost I didn't need any of this info to make that call. "You need to go spend $120 so I can play at your virtual house," was more than enough for me to re-re-re-re-re-click the little eyeball on Nemesis. There's pretty much no amount of technical expertise (real or imagined) that would make me want someone with such a major sense of entitlement on any game I'd run. Who would?

Really, $120 is a year of hosting on digitalocean right now for plenty of space for a MUX w/wiki. If someone is concerned about their own security and is going to spend money related to a game, I would think they'd be more likely to spend it on something like that.

surreality · Mar 14, 2018, 1:29 AM

While I think the original question might more be related to 'what level of info provided would y'all be comfortable with providing since we keep getting repeat trolls creating accounts constantly up in here', this is worth looking at.

@ghost said in What's your identity worth to you?:

Are IP addresses stored, and if so how long?

Not sure. I don't actually think it necessarily expires from the MUX on its own. If it does, it may be 'after X number of IP slots have been used by that person' more than a factor of removal over time. As in, it stores ten, once you get the 11th, the first drops off, whether that's in two hours or twenty years. (I genuinely don't know, but there seem to be a few things in MUX that work this way.)

Similarly unsure regarding the wiki. (Since most games have both, it's worth looking at what the standard mediawiki install does with the same info.)

Does stored IP information get scrubbed?

Probably not, unless it's by one of the methods above. Every so often, Shang purges theirs by some metric or another, since they use theirs for alt-tracking/ensuring people remain within alt limits. I think it's every year or two, but I believe it's manual/a script they run, not an automated background process.

For games that require registration with an email address, does that email get scrubbed when the PC bit is destroyed?

There are a lot of moving parts to this one -- mostly because so many games don't destroy bits any more, they freeze them so the player can return later if they wish, without data loss re: sheet/etc.

Personally, I wouldn't.

Players who leave voluntarily should be permitted to return, and this is a simple way of verifying that Returning Bob and Original Bob are the same person. (Not Person Stalking Original Bob finds out Bob had an alt there and wants to thaw Bob's character to see who approaches Bob to chat, and about what. Having had someone spoof one of my characters in such a fashion before on a game that did destroy bits... yeah, this can and does happen.)

Players who have been removed should stay gone. Again, while there's a lot of workarounds for this, keeping forbidden IPs and 'Banned User Email List' is a very simple check on this. Most people will just use a VPN or new email, but a surprising number don't.

faraday · Mar 14, 2018, 2:20 AM

@surreality said in What's your identity worth to you?:

So if someone told me "Hey, update your home network so that this guy you don't know can connect via IPv6 to your home server to play an online game" I'd:

Me: "I'm offering something free under the terms I'm comfortable doing so, and no more." (The end.)

@surreality - I think maybe you've got Ghost's point backwards (or I'm seriously missing something here).

Ghost wasn't saying that you, the benevolent game-runner, need to do anything with your router (let alone spend $120 - or any money at all) to enable their fun.

The point was that a benevolent game-runner hosting a game on a PC on their home network was potentially opening themselves up to security vulnerabilities if they didn't follow network precautions. And if Ghost were that game-runner and some player complained that those network precautions prevented them from connecting to the game via ipv6, Ghost would tell them to pound sand.

There's no entitlement here.

@ghost said in What's your identity worth to you?:

Game Owners: From IP information to email addresses, what are the current standards of collection?

For Ares - your last IP and an email address (if voluntarily supplied) are stored until your character bit is destroyed. On some games, that may be forever.

I believe this to be appropriate use. Your email is attached to your account so it makes sense that it would exist until your account was deleted. (Of course you can always manually wipe it when you leave a game.) Most privacy standards recognize that web providers (the closest analogy to MU servers) are allowed to collect IP addresses for security reasons to protect against and pursue security violations. If someone's hyper-conscious about people accessing their IP address, they should use a dynamic VPN.

surreality · Mar 14, 2018, 2:22 AM

@faraday Ghost isn't the one displaying the entitled attitude at all.

That was in one of Nemesis' posts: "All you need to do is get this $120 router in order to allow this!" (which would allow them to play through the style of connection they are using, which the game owner did not want to do for reasons).

That crosses the entitlement line for me: "I want to use your freely offered thing, but I can't the way it is, so you go spend money so you can let me!"

It's pretty awful, really.

faraday · Mar 14, 2018, 2:23 AM

@surreality Oh, sorry - I guess I misunderstood. Nevermind then!

Ghost · Mar 14, 2018, 2:23 AM

Please also understand, my point in all these questions isn't "look at the big brain on Brad", but more "what identity information do we divulge merely by logging in and playing?"

My evolved ape brain just thinks IT-style when it comes to this topic:

Determine what personal information you give simply by logging in and playing.
Determine what personal info you're willing to give outside of the necessary.

I apologize if I derailed, but given what I do for a living I figured the tech side might be interesting info for some people.

Ghost · Mar 14, 2018, 2:28 AM

@faraday I think what @surreality was saying was that she agreed with me, and wasn't saying that my stance was entitled.

Like a side note, she was saying that demanding someone make a requested monetary change to a game runner's free entertainment service was an entitled thing to ask, and that her approach would be "I'm doing this my way, with my level of comfort, and if I'm not comfortable opening up IPv6 on my home router you have no right to demand it of me."

Tyche · Mar 14, 2018, 2:41 AM

@surreality said in What's your identity worth to you?:

Similarly unsure regarding the wiki. (Since most games have both, it's worth looking at what the standard mediawiki install does with the same info.)

While Mediawiki (or other wikis) may produce their own logs, the web server hosting the wiki also produces logs and many installations are by default configured to log IPs forever.

surreality · Mar 14, 2018, 2:45 AM

@tyche I have a feeling even the wikipedia ones do this. I know I once logged in to find a warning splashed all over my screen about restricted edits due to my IP -- despite the fact that I've never submitted anything to the actual wikipedia in my life. Someone with the IP I currently had apparently had, though -- four or so years earlier. So, yep. I know it can at least be set up to do that, even if it isn't default.

Killer Klown · Mar 14, 2018, 11:22 AM

@nemesis

Also;
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipv6/command/ipv6-cr-book/ipv6-i1.html

-->
In Cisco IOS Release 12.0(23)S or later releases, every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions.

*- In the event you add an explicit deny as the last line of the V6 ACL, this statement will take precedence over the implicit permits earlier described (for nd-na and nd-ns).

Maybe read the actual technical documents instead of a blog posting before opening your trap.

Nemesis · Mar 14, 2018, 8:31 PM

@surreality said in What's your identity worth to you?:

@faraday Ghost isn't the one displaying the entitled attitude at all.

That was in one of Nemesis' posts: "All you need to do is get this $120 router in order to allow this!" (which would allow them to play through the style of connection they are using, which the game owner did not want to do for reasons).

You shouldn't cite YouTube as evidence to contradict an article published by cisco.com and written by a CCNA, but for everyone who actually doesn't understand the technical aspects and why the latter is much more accredited:

The admin at SR2064 thought that a perfectly valid IPv6 address issued by Arin to AT&T broadband was a "BOGON" because his router was so outdated that it didn't even know what an IPv6 address is. He and other inexperienced admin are also clearly unaware of the fact that if there were such a thing as a "BOGON" in the actual IT world (which I'm re-classifying as someone simply spoofing an IP Address, as that's what it actually refers to), the spoofer or BOGON transmitter still wouldn't be able to receive any responses back to their terminal because that "BOGON" wouldn't be routed to anywhere at all by anyone at all. This type of network trickery is used in DoS attacks, not in "identity obfuscation," and it takes someone lacking technical expertise in this related field to think that one guy connected to and playing the game from their home IPv4 would attempt a DoS attack using 1 or 2 spoofed addresses at the same time. I tried explaining to this admin, just like I've explained here, that nobody was spoofing IP Addresses or attacking his game - the problem is/was his outdated equipment. To classify this as "entitlement" on my part is unfair as I was correcting technical misconceptions.

Claims have been made about Cisco networking device defaults that are plainly disproved by Cisco documentation - not just in the first paragraph but in the article title itself.

From 2008 to around 2014 there actually may have been devices and even operating system updates providing IPv6 compatibility which left those compat functions/features disabled by default. This was never due to "security concerns" but due to the fact that IPv4 exhaustion was not quite complete by 2010-2012 and IPv6 was a brand new thing that wasn't actually in widespread use yet. Forwarding IPv6 requests to network servers that hadn't yet been updated to support it would have resulted in false connection errors and may have erroneously triggered automated blocking/banning protocols as a result. These false-flag positives in no way represented security holes, only issues that would have been difficult to troubleshoot and might have forced legit IT guys to have to update/upgrade equipment to support new OS features before the agency was really prepared for it. By 2017/18 it's safe to say that anyone who isn't IPv6-ready isn't providing any "services" worth consuming in the professional world, and when anybody puts themself forward as a highly experienced and skilled IT guy it is utterly absurd for them not to apply the same standards to any publically-available service they provide including hobbyist endeavors.

Edit: Thanks to Apos for PRT

faraday · Mar 14, 2018, 4:28 PM

Seriously folks, can we not even have a discussion about freaking IP Addresses without resorting to name-calling and hostility?

And people wonder why some of us think these forums are toxic.

Roz · Mar 14, 2018, 4:46 PM

@faraday People in general can. I've yet to see Nemesis be able to, unfortunately. Everyone who disagrees with him gets the "lying troll" line. It's honestly weird.

Ghost · Mar 14, 2018, 4:51 PM

@nemesis said in What's your identity worth to you?:

This type of network trickery is used in DoS attacks

DDoS. Distributed Denial of Service attack.

DOS is a term for Disk Operating System

@Roz I agree. This is weird. I've placed him on ignore.

Apos · Mar 14, 2018, 5:07 PM

@nemesis said in What's your identity worth to you?:

@surreality said in What's your identity worth to you?:

@faraday Ghost isn't the one displaying the entitled attitude at all.

That was in one of Nemesis' posts: "All you need to do is get this $120 router in order to allow this!" (which would allow them to play through the style of connection they are using, which the game owner did not want to do for reasons).

That crosses the entitlement line for me: "I want to use your freely offered thing, but I can't the way it is, so you go spend money so you can let me!"

It's pretty awful, really.

You shouldn't cite YouTube as evidence to contradict an article published by cisco.com and written by a CCNA, but for everyone who actually doesn't understand the technical aspects and why the former is much more accredited:

The admin at SR2064 thought that a perfectly valid IPv6 address issued by Arin to AT&T broadband was a "BOGON" because his router was so outdated that it didn't even know what an IPv6 address is. He and other inexperienced admin are also clearly unaware of the fact that if there were such a thing as a "BOGON" in the actual IT world (which I'm re-classifying as someone simply spoofing an IP Address, as that's what it actually refers to), the spoofer or BOGON transmitter still wouldn't be able to receive any responses back to their terminal because that "BOGON" wouldn't be routed to anywhere at all by anyone at all. This type of network trickery is used in DoS attacks, not in "identity obfuscation," and it takes someone lacking technical expertise in this related field to think that one guy connected to and playing the game from their home IPv4 would attempt a DoS attack using 1 or 2 spoofed addresses at the same time. I tried explaining to this admin, just like I've explained here, that nobody was spoofing IP Addresses or attacking his game - the problem is/was his outdated equipment. To classify this as "entitlement" on my part is unfair as I was correcting technical misconceptions.

Claims have been made about Cisco networking device defaults that are plainly disproved by Cisco documentation - not just in the first paragraph but in the article title itself.

From 2008 to around 2014 there actually may have been devices and even operating system updates providing IPv6 compatibility which left those compat functions/features disabled by default. This was never due to "security concerns" but due to the fact that IPv4 exhaustion was not quite complete by 2010-2012 and IPv6 was a brand new thing that wasn't actually in widespread use yet. Forwarding IPv6 requests to network servers that hadn't yet been updated to support it would have resulted in false connection errors and may have erroneously triggered automated blocking/banning protocols as a result. These false-flag positives in no way represented security holes, only issues that would have been difficult to troubleshoot and might have forced legit IT guys to have to update/upgrade equipment to support new OS features before the agency was really prepared for it. By 2017/18 it's safe to say that anyone who isn't IPv6-ready isn't providing any "services" worth consuming in the professional world, even if it would be absurd to apply the same standards to a hobbyist endeavor with no consistent standards or expectations of service.

FTFY to be appropriate to mildly constructive. It's a psychotic rage translator.

Nemesis · Mar 14, 2018, 5:33 PM

@ghost said in What's your identity worth to you?:

@nemesis said in What's your identity worth to you?:

This type of network trickery is used in DoS attacks

DDoS. Distributed Denial of Service attack.

DOS is a term for Disk Operating System

Thank you, Comic-Book-Guy, for proving that you know less about IT than my 4 year old niece does.

A single individual can commit to a DoS. To be successful, they just need to have more outgoing bandwidth than you have incoming, or they need to be able to connect successfully/repeatedly to overspawn command execution instances, thus denying service to anyone else who tries to connect either by flooding out your bandwidth or making your server incapable of handling new successful connections.

A DDoS requires either a bunch of people or a botnet. It uses the exact same tactics as the DoS but comes from dozens or hundreds of vectors at once rather than just 1 remote client.

To suggest that 1 person is proxying around the world to attack your game is to suggest that a DoS is in progress.

Arkandel · Mar 14, 2018, 5:12 PM

People: Please stop snarking at each other in my goddamn thread. Take it elsewhere.

surreality · Mar 14, 2018, 7:34 PM

@Nemesis @Apos Not sure why you directed any of that at me, since (neither of) you addressed anything whatsoever that I said.

Nor did I cite youtube (or anything else) for literally anything in this thread, or likely ever on this forum as anything but a link to something funny -- or in a PM, of a craft process, to a fellow crafting geek.

I personally think expecting professional grade anything in this hobby as a default is foolish, no matter who or what someone claims to be.

You see what's on offer, and you take it or leave it. If it isn't up to your personal standards, leave it. Making suggestions is one thing, making demands is another entirely. Someone making demands is behaving inappropriately, especially if it entails the person you're demanding something of investing a significant amount of time or money in order to meet your demands for the sake of meeting your demands.

A great many things in this hobby are miles from my standards (or preferences) in a variety of ways -- so I either suck it up and deal if I go there, knowing this, or I don't engage with that thing. I do not demand it change to suit me, no matter what my reasons are, and I definitely do not demand that a game runner spend money on me