MU Soapbox


    Posts made by faraday

    • RE: Telnet Safety

      @Juniper Heh. Though just for the record (in case it wasn't clear by the nitpicky arguing) Ghost and I agree on the core technical risks:

      1. Anything sent between your computer and an insecure endpoint is susceptible to being snooped by a third party. This includes both http(without-the-s) websites and virtually all MU* client connections.

      2. Anything you send to another MU player can be snooped by a third party if THE OTHER PLAYER is using an insecure connection.

      3. Anything you transmit to ANY internet service is potentially visible to and exploitable by the service owner, anyone they choose to share it with, and anyone who compromises THEIR security.

      Since #2 and #3 are still risks on a MUSH even if you connect securely, I don't personally lose sleep over #1. But I do think it's prudent to follow general precautions no matter how you connect:

      • Avoid sharing sensitive information with other players, and if you do - it's safer on discord or via email than on a game.
      • If you're on a dodgy public network (like a coffee shop) or have a dodgy partner/roommate, use a VPN.
      • Follow general internet safety practices on your PC to protect it from vulnerabilities (e.g., use firewall/virus software, be very careful with email links/attachments, etc.)
      • Be extra cautious/suspicious of sites that have insecure connections, and never trust them for anything truly important (ecommerce, banking, email, etc.)

      With those general precautions in place, I'm perfectly comfortable connecting to my favorite MU via Atlantis/Beip/etc. YMMV.

      posted in Code
      faraday
    • RE: Telnet Safety

      @Ghost said in Telnet Safety:

      I don't mean for my tone to come across as accusatory as it did. I'll keep an eye on that, especially with you since you're awfully nice.

      Thanks - I think we were largely just talking past each other. All good.

      @Ghost said in Telnet Safety:

      Whatever next state the hobby takes will probably include someone either improving the insecure transmission issue through some new client/interface to cover that problem, or improvements to client/web interfaces using TLS to allow for more of the customization that MuClients provide.

      That would be nice, but moving away from the old MU clients - even if you could pry old unsupported ones out of people's fingers - presents a whole other set of hurdles. Probably for a different thread, tho.

      posted in Code
      faraday
    • RE: Telnet Safety

      @Ghost I feel like we're arguing in circles and you're saying that I'm dismissing concerns that I'm not dismissing.

      I am simply saying that many of those things you're worried about (honeypot MUs run by malicious actors, scraping IPs, social engineering, data within the game being compromised/spied on) are just as much a concern if you're using a secure connection as if you're using an insecure one. That is supporting your call for vigilance, not undermining it.

      I just do not agree that you can compromise a MUClient connection in the way you seem to be describing. MUs do not use telnet/23, they use a simple, custom TCP protocol. It's a dumb-as-nails text connection that sends text to the game and displays text back from the game. The primary vulnerability is simply being able to snoop and/or manipulate the text sent back and forth. Which is a point I've agreed with from post 1. If there is some other technical exploit I'm missing here, I would genuinely love to know (even if it's by DM if you don't want to advertise it). But nothing you've said so far has convinced me that there is.

      Tangentially, for the record, each Ares game has to set up its own security cert.

      posted in Code
      faraday
    • RE: Telnet Safety

      @Ghost said in Telnet Safety:

      AN EASY SCENARIO THAT IS 100% POSSIBLE AND REQUIRES NO TALENT TO PULL OFF

      Absolutely everything in your nightmare scenario can be done if the game is running SSH/HTTPS. You're blaming the technology for a people problem.

      @Ghost said in Telnet Safety:

      I've said it before and I'll say it again:

      And I've said it before and will say it again:

      @faraday said in Telnet Safety:

      I don't disagree with your fundamental message to be careful what you share online. That's good advice no matter what, and I echo it in the Ares data privacy guides.

      posted in Code
      faraday
    • RE: Telnet Safety

      @Ghost said in Telnet Safety:

      Shit, fara, you're the one that put https out there as an option for these games. Why put effort into it if it's no biggie?

      Because I don't see the equivalence you do.

      HTTPs is the default for websites. Web servers are easily set up with HTTPs, browsers support it out of the box (in fact, most web browsers will annoy you with warnings if you're NOT using HTTPs). Also you can't do browser notifications without HTTPs in some browsers.

      Open ports is the default for MU servers. Many MU clients won't even connect over a secure connection.

      I started off by saying I agree with 99% of what you said, we started quibbling over the last 1% (which is just that I don't think it's factually accurate to say that someone can manipulate your machine through an insecure MUSH server connection), and now it kinda feels like you're acting like I'm an idiot who doesn't support basic internet security principles. So I'm taking a break for a while.

      posted in Code
      faraday
    • RE: Telnet Safety

      @Ghost said in Telnet Safety:

      I wasn't saying "request Ares handle" as if there was some way they could get through the https authentication with Ares, but merely as live data to tie an actual user to ip address.

      Your Ares handle is public. So anyone with access to your IP address on ANY game (e.g., staffers, coders, etc.) can already tie your identity to your IP -- even if you connected via HTTPs/SSH.

      @Ghost said in Telnet Safety:

      Then you would find yourself in opposition to the entire information security industry, OWASP, etc.

      Woo! Me against the entire information security industry!

      Seriously, come on. The security industry is based around formalized risk assessment processes. Literally nobody is going to equate the risks of general internet browsing (often with financial implications) - which is what those info security guidelines are geared towards - with the risks of roleplaying on some niche game server. Plus, most of the threat scenarios you've described (like IP snooping or social engineering) can happen even if you use a secure connection.

      But you're right - folks can make their own decisions as to which risk assessment they choose to believe.

      posted in Code
      faraday
    • RE: Telnet Safety

      @Ghost said in Telnet Safety:

      WHOEVER has access to Player A's device (could be a Player or something black hat) can snoop the telnet transmission unknowingly to either player.

      You're still fundamentally just snooping on the traffic between A and the game. You're just doing it in a different way.

      You made it sound like the game connection (which again, isn't "telnet" per se) opened up the rest of the machine to vulnerabilities, and I don't believe it does. If you've already got a Trojan on your PC, that's a separate issue.

      @Ghost said in Telnet Safety:

      LITERALLY EVERY PERSON IN THE HOBBY CHECKS IT OUT AT LEAST ONCE (because this happens for almost every new live game. Boom. IP addy.),

      They literally don't.

      request your Ares handle in the app process...

      That's not how that works.

      But could someone set up a game that's just an elaborate phishing exercise? 100%. Is that particularly likely? Nope. Does that have anything to do with telnet? Nope. It could be done just as easily with a game that runs entirely on SSH/HTTPS.

      I don't disagree with your fundamental message to be careful what you share online. That's good advice no matter what, and I echo it in the Ares data privacy guides.

      I do disagree with the assertion that connecting to a game with a traditional MU client is opening you up to vulnerabilities beyond someone snooping on the traffic between you and the game.

      posted in Code
      faraday
    • RE: Telnet Safety

      @Ghost said in Telnet Safety:

      Also, Telnet is not only susceptible to snooping, but also MITM/DNS Spoofing, because telnet makes no attempt to validate the host it is connecting to.

      Absolutely. And in the case of someone spoofing your bank, that's a very real concern because they could do all kinds of nefarious things. I don't think that same degree of danger exists with someone doing a MITM attack on a MUSH server... like, what are they going to do, spoof RP with you?

      I'm not saying it's impossible, just that any real harm seems very unlikely. I would argue this is borne out by these kinds of attacks being pretty much unheard of in all the decades of MUSHing.

      Social manipulation and stalking from giving someone your personal info? Absolute valid concern. But that can happen just as easily with a secure connection as an insecure one.

      Edit for your edit: The IP address is also visible via a secure connection too. I would argue the better defense is firewall software rather than trying to always hide your IP from everyone but that's just me. (Also running with a VPN these days is a PITA due to all the sites blacklisting them. Can't even do a freaking google search any more.)

      posted in Code
      faraday
    • RE: Telnet Safety

      @Ghost said in Telnet Safety:

      use the established telnet connection and hacking wares (that are so obsolete that they are easy to obtain and can be used by kids) to manipulate what they can on your machine through the telnet protocol session you initiated on connection.

      So... I agree with 99% of what you said, but this one made me raise an eyebrow.

      Most MU players aren't actually establishing a "telnet connection". They are connecting via a MU client to a server running a listener on a specific port. A malicious actor could 100% snoop on your insecure connection, but I fail to see any way that they could manipulate anything on your machine unless there were some kind of underlying exploit in the MU client that they could leverage. Right?

      Tangential side note - most Ares MUs use https for the web portal, so if you play via the portal your connection is secure. Even so, anything you transmit to ANY server (a MU*, Discord, Google, whatever) is ultimately accessible to the owner of the service and anyone they choose to share it with (coders, admins, etc.) The only difference is that statistically you're less likely to be personally targeted by a disgruntled Discord worker than a disgruntled MU staffer.

      posted in Code
      faraday
    • RE: A.I. in the Community

      @Ghost said in A.I. in the Community:

      So I guess my argument is: if the emphasis is less on writing and more on titillating your writing partner,

      I don't think this practice is as widespread as you assert it is. (Though doubtless it does exist.)

      I am against generative AI on principle, so I don't like to see it used anywhere.

      Yes, many games fall into the "fanfic" realm of copyright, but IMHO fanfic has never actually harmed anyone's livelihood. Gen AI is actively doing so on an unimaginable scale. The majority of the tools are making millions (billions?) of dollars on the backs of stolen work products, including my own. It's also horrible for the environment in terms of the computing power used. And the prompts people use are leveraged to improve the tools, participating in the destruction.

      I hate them. I think they're dangerous.

      There is no "harmless fun" involvement in using them, but I realize most people don't understand or agree with that, so I don't translate my hatred to them. It still leaves a bad taste in my mouth.

      ETA: I also disagree that replacing a static description with a PB is evidence of writing waning, since most novels/stories don't pause the action to give you a multi-paragraph data dump on the character's looks and clothing either. That was always a MUSH quirk. But that's a separate convo.

      posted in Reviews and Debates
      faraday
    • RE: About GenAi (ChatGPT, etc) Safety

      @Ghost said in About GenAi (ChatGPT, etc) Safety:

      and a need for Ai engines to purge personally identifiable information stored in their databases.

      Which will be hilarious to watch, since they would then have to invent a way to erase data from a neural network. Since (as I'm sure you know, Ghost, but not everyone does) it's not a "database" or "data" in the traditional sense, but a vast array of "connections". That's what makes it so hard for these things to correctly attribute sources, avoid regurgitating copyrighted information, and stop the hallucinations.

      But that aside, your other points are spot on.

      posted in Code
      faraday
    • RE: Usernames and MU names

      I had just done a college essay on Michael Faraday, and he was a pretty cool scientist/engineer. Seemed fitting for my first staff coder bit.

      For PCs, I tend to just use names that I like, since I'm going to have to constantly be typing and seeing them. Occasionally I'll come up with a unique one special to a setting/etc. (on The 100, for instance, they used variants of local place names/signs), but mostly I just rotate ones from my 'stable' of names.

      posted in Mildly Constructive
      faraday
    • RE: The Case Against Real PBs

      Using famous people for PBs is kind of meh, for reasons previously outlined.

      Using AI to generate PBs (many of whom, let's be honest, are just going to be: "put Chris Pratt into a Starfleet uniform" kind of stuff) is kind of meh.

      Not having PBs at all is kind of meh (for me anyway - which I now realize is partly due to my visual imagination being poor on the aphantasia scale, so descs just go in one ear and out the other.)

      I see no good answer.

      posted in Mildly Constructive
      faraday
    • RE: Stranger Danger?

      @Ghost said in Stranger Danger?:

      Do you have issues finding/maintaining RP with players once they find out you're not open to IC-relationship stuff? That was always kind of my issue: I was able to find a lot of available RP, but people would suddenly have "electrical storm" or "rl emergency" or "sorry gotta go" when it was established I wasn't into TS/relationship RP with the person.

      Nope. I've had loads of folks RP my character's besties, coworkers, frenemies, found family, actual family... even unrequited suitors.

      Even when I have done IC romances, for many years I've been very up-front about being exclusively FTB. Never had anyone be like: "Oh well in that case... poof."

      Might come down to the games, dunno.

      posted in Reviews and Debates
      faraday
    • RE: Stranger Danger?

      @Ghost said in Stranger Danger?:

      But yeah, in my perfect world, the right to remain anonymous and partake in roleplay without needing to expose who you are as an OOC persona would be important. I think that should be everyone's right to do so without being treated with hostility.

      I do agree it's everyone's right to not be treated with hostility, but I don't think "Eh, I'd rather not RP with someone for <insert any reason short of bigotry>" is "hostility". People have a right to RP (or not) with whomever they choose. Nobody is owed someone else's time.

      When I decide whether or not to join a game on Storium, for instance, I look over the profile of the GM and other players to see what else they've done and whether they'd be fun to play with. If someone has no history, that's not necessarily a red flag, but it does influence my decision. And it's entirely Storium's right as a platform to say that each player may have only one account. (I don't know if they do, just saying they could.)

      In fact, I would argue that this idea of player anonymity (not in a PII/RL sense but in a 'different identity across each game instance' sense) is pretty unique to MUSHes these days.

      I think certain behaviors in the community have made it a necessary evil, but I don't think it's good. That's why I created the handle system for Ares. It is optional for practical reasons, but in my philosophical ideal world, it wouldn't be.

      posted in Reviews and Debates
      faraday
    • RE: Stranger Danger?

      @Misadventure said in Stranger Danger?:

      It's a question of self awareness, and managing that bleed.

      Yeah, I mean - if authors and fans and actors can all get overly invested in their characters, it's only natural that MU players will sometimes too. But that's why boundaries and communication are important.

      @Ghost said in Stranger Danger?:

      ^ I write this because it again highlights how quickly these things can get personal despite your best intentions, and whoever it is they say they are one needs to just hope they're stable enough not to impact your RL.

      Isn't that true of any relationship, though, online or off? Someone who's had bad experiences is naturally going to be more leery than someone who hasn't, but it almost seems like you're saying it's better to just never engage OOCly at all. (Maybe I'm misunderstanding.) Even if that were practical, I'm not convinced it would really insulate you from drama.

      posted in Reviews and Debates
      faraday
    • RE: Stranger Danger?

      @Hella said in Stranger Danger?:

      I enforce firm boundaries, period. IC, OOC, all the boundaries, everywhere.

      Oh yes, very true. I only call out IC relationships specifically because that's been the #1 source of boundary issues through the years.

      posted in Reviews and Debates
      faraday
    • RE: Stranger Danger?

      Where I've landed after all these years:

      • I stick to friendly co-op games.
      • I don't do PVP or TS.
      • I enforce firm boundaries on IC relationships. (Though even that has proved exhausting enough that I am now leery of romantic RP with anyone I don't already know and trust OOCly.)
      • I'm choosy about the games I play on - usually either my own or ones from people I trust.

      I feel bad that you've had such horrible experiences, though, because I have made several life-long friends through MUSHing. Not just "oh they RP well so it's fun to play a game with them" but true friends. Yes, we must be cautious and sensible with any interactions on the internet, but I don't think we need to be so paranoid that we cut ourselves off from meaningful interaction.

      posted in Reviews and Debates
      faraday
    • RE: Anything Battlestar related still running?

      @Jackarn Not that I've seen.

      posted in Adver-tis-ments
      faraday
    • RE: I owe a lot of people some apologies.

      @Hella said in I owe a lot of people some apologies.:

      And when you find them? It's worth the rest.

      Yeah, I don't mean to downplay the drama and toxic behavior, which has always existed in MUs. All I mean is that -- for me, personally -- the good people and fun have always outweighed the bad. Otherwise I would've quit long ago.

      But there's some selection bias there. I don't play on WoD or L&L games, which tend to have more PVP-oriented shenanigans, or Comic games, which tend to have fights over who gets to play (or hook up with) Batman or whatever, etc., etc. That's not to say my games are happy unicorn utopias - it's still strangers playing games on the internet, and sometimes there are issues. But they're not the cesspool of bullying that Ghost has seen, either.

      posted in Mildly Constructive
      faraday