@faraday And that's fine! Please don't mistake my tone as hostile; I'm really not.
The reason why https was made as a standard for websites (and thus web portals like Ares) is the addition of Transport Layer Security (TLS) that simply encrypts the data to keep it private. If it was simply that https was the standard of the service you were using, that's great. At least connecting through the Ares portal it provides some of that.
I don't think that you're an idiot who doesn't care about basic security principles, but I do think that the differences in bias in this conversation have led you to the "the risk is low" stance, whereas mine is "the risk you are focusing on is low, but there are other risks." It's just that "ignoring" the risk should only be recommended if you know the potential totality of damage if it were exploited.
No, a user cannot "take control of your machine" through use of telnet/23, but it is one hell of a sieve that can be exploited to violate your privacy, engineer further attacks (up to and including infiltration), and due to the use of telnet the risk isn't just your local machine, but the local machines of the other users and the MU itself (in terms of data breach).
I've said it before and I'll say it again:
- The #1 issue about leaving your data everywhere is retention. It is simply possible (and has been done many times) that MU owners can collect your data, it is stored on server, angry staffers steal the codebase, and in a lot of these cases there are no real questions asked about what (or if anything) is done with that data once the server is stolen/closed down. When Fallcoast got stolen, people found all kinds of other people's data on that yoink. Email addresses, conversations in pages people thought were private, etc. It can all be grabbed, and that -can- include data you don't want unintended people to know (addresses, names, businesses, phone numbers, email addresses, etc)
- "Mal" from Serenity and his goons were notorious for going "dark" and sitting in to watch people's TS, monitor their pages, and in many cases players found themselves getting screwed over for stuff they didn't know other players were watching. Changes to telnet since then: None. Still possible everywhere.
- There is so little active trust in the community that I don't understand why people REFUTE this topic so badly, when it is a technical fact. It is 100% believed there are psychopaths and "bad actors" in the community, and 100% confirmed there are people who like to RP sex with kids in the same community (and some on this forum even refer to it as "age play" - airquotes and yikes), but...what(?)...24.5% belief that any one of those people would exploit the use of the open protocol to get intel on players? Doesn't make sense at all. Why does the trust suddenly show up there?
There are people who spend actual time of their lives trying to hide from the likes of SpidJeurgOppWhoever like they're going to swoop in at any moment to ruin their lives and destroy their self-esteem, stating that they're "dangerous" and "probably violent" and other choice words like "sociopath" and "incel" (et cetera; et cetera; et cetera), but then when a guy like me says "you know these psychos can SO easily fuck your lives up with this, right?" That the risk isn't through your roleplay but -- yanno -- them skipping past trying to RP with you to literally stalk you (as a person), completely undetected....and people are like:
"Nah! I ain't Bank of America so it's cool"
I will say this, though, not that I would do anything like this, but if I had threatened in this thread to send details on how to do this to any of those "bad actors" I'd probably get banned and send a lot of people into a state of anxiety, which would prove the point that the risk isn't in the RP being snooped. The risks are quite literally in the vein of:
AN EASY SCENARIO THAT IS 100% POSSIBLE AND REQUIRES NO TALENT TO PULL OFF
- MUing: an open, free hobby shared with an unknown number (but confirmed) of stalkers, paedos, etc
- there is a lot of "stranger danger" factor, with unlimited ways to sneak in and infiltrate
- New games are ultimately trusted long enough for at least one connection to "check it out", which would be sufficient to give an insecure/non-VPN IP address to start the process. I figure it would take me a couple of months to cultivate a new "identity" on this forum or the other one, say "I'm Dave from Florida, new to the hobby but a Linux guy, and I'm gonna try to make a game, too!". Maybe go to the other forum and talk shit about Derp or something for 5 minutes until people are like "DUDES THIS NEW DAVE IS FUCKING RAD" (it's not hard to get in with these crowds at all, really. All you have to do is hate the people they hate. I've been in and out of the clique myself a few times back in the day - not to their knowledge "(+)"). People are generally excited for new play opportunities, and since this isn't a big risk at all, no one needs to really worry about the telnet connection, right?
- Player-Attachments to MU Clients (and the ways you can store sites, macros, etc) almost all use telnet/23, and it is unlikely that people would get rid of those in favor of https without their embedded colored text, spawn windows, etc
- A patient enough person exploiting this could simply gather data (RP, pages, chats) over time, completely unbeknownst to an entire playerbase to datamine information on players, their IP addresses, backtrace those to their geolocation, apply their name/location/kids names/dogs' names/cats' names/spouse names/alma mater and then apply those to social media searches on X/FB/Insta/LinkedIn. At this stage it gets downright creepy.
- They could then utilize those methods to prepare guessed passwords, perform penetration testing for other insecure parts of the users' machine(s), and use that to get additional access on the PC. Regardless of that, the geolocation data is sufficient enough to make physical contact if so desired, with either the desired user or their personal interests (work, family, safety)
- How many MU players (that you really don't know) have YOU received private information about from 3rd parties that includes their jobs (lawyers? We got any lawyers in the house?) their general locations, their names, their sexual preferences, etc. How many players do you know on this forum and through their posts alone how much have you learned about their lives, medical needs, emotional needs, their twitch streams, their online writing and blogs, their extensive posts about their personal lives and what they're going through? Don't want to scare anyone, but I think I've learned more about MUers from 3rd parties than from the actual people themselves, because as the Hog Pit proved, the desire to shame other players with personal information is somewhat higher, and if a socially engineered dogpiling campaign comes your way...well...you know your personal life information is open season.
- ^ If you think THIS is inaccurate, then tell that to everyone a certain MUer shared details of my private life and difficulties with my kiddo to dozens of 3rd parties without my consent as a result of being rejected romantically on a RL level and continues to share a self-edited version to this day.
(Note: The story others get is sans the part about their RL flirtation towards me, the request for space/rejection after a line was crossed with their flirtation in an unsolicited message to my RL cell phone that my partner saw and didn't appreciate, but apparently needed to provide a falsified version of myself and my RL situation to anyone who would listen as an emotional user of people and an emotionally draining "need" sponge. This is ultimately fucked up because I was dressed as an emotional abuser as a result of trying to set reasonable boundaries with someone who was emotionally cheating on their partner, but as a result I was publicly abused by this person out of spite, yet they needed it to be delivered as being my victim).
Ya tell a person you need space (and aren't comfortable), they say "don't I get a say in this?" and "I'm always being chosen above other women", and then 10 pages later you find yourself on the bottom end of an accusation of being an abuser and user. Gotta love it when people cross your requested lines and then retaliate when you protect yourself from them, right?
(I digress, but it's entirely bizarre the number of people who do "OPPshit" that want everyone to keep OPP out.)
This kind of shit happens regularly to better people than I. IYKYK, and I know plenty of people have heard this story from one side. Your personal life details are cheap to trade and even easier to corrupt.
And for those of you who got personal information about me from those bs stories? I guarantee the same people are talking about your personal details, too.
- I literally know a few of your real-life names, which is crazy considering I can count on one hand the number of MUers I know who have told me their real-life names personally. A lot of that data just came conversationally and without request.
- IF the PC is breached, everything from logging to DNS cache poisoning to MITM is on the table, provided the talent, time, and willingness of the malicious actor
This is not a fantasy scenario. This is "Red team 101" and probably covered in the first few chapters of the Certified Ethical Hacker certification, but if not in the first few chapters it is definitely in there. People need to consider the actual 10,000 foot view of just what they're giving away to these other players, and need to understand that just because it's a direct page to "Steve" on "New England By Night" (PB Paul Walker or something), that the existence of telnet being used means that when you give "Steve" your phone number, there is absolutely no guarantee that a 3rd party isn't actively collecting that data, and in the MU community it is far more likely to be used in a personally harmful manner than a financial one. Not only is there no guarantee, it is sickeningly easy to do.
Either way, agree with me or not, fuck it, it's y'all's problem, but it is a problem. Good luck out there and please take this seriously, regardless of the counterpoint Fara provided. It's real.
"(+)" - Sidenote: I didn't "infiltrate" the clique, but when you're not declaring who you are it's shockingly easy to get picked up for a scene and then get included in chats about how bad everyone else is. ¯\(ツ)/¯ The fact that it happened multiple times is just...I guess a fringe benefit or somethin. It's hard to tell who other people are, too, when you don't care.