MU Soapbox

    Posts made by Ghost

    • RE: Reflection: Community History

      ... and if you think I'm wrong, you should ask why this forum site is still open (and being paid for), despite no one using it. I'm not sure how expensive (or if at all) it is to keep this site up, but when the schism happened there was a promise made to not delete the Hog Pit.

      So, idk if someone is paying for it monthly or not, but this unused space is being kept alive solely to act as custodian to a historical record of people being shitty to each other, and I would gladly pay the person who owns this space $100 to lock out the other admin, hand me the keys, and let me purge the Hog Pit and delete the site. (Dm me, I'm serious)

      I just find it interesting how the entire community schism took place as a response to bullying and trying to stop Hog Pit behavior and then ultimately MSB became a custodian site to take extra special care of the Hog Pit itself, even after people stopped using MSB.

      C'mon, end this.

      posted in Mildly Constructive
      Ghost
    • Reflection: Community History

      I got a little nostalgic and decided to skim the two warring boards to see what's going on and it got me thinking...

      Before I post this, I want to note that I started playing MU games in the mid-90s, have seen WORA/MSB/BM-Day/Etc and have been around for a lot of the "problematic" incidents for almost 30 years (auuuuuuggggggggh), and this post is because I really got to thinking about the bigger picture in terms of the 30+ years I did this stuff.

      One of my FIRST game experiences was on Denver (WoD) where I applied as a Sabbat character. I was a WoD TTRPG player and went in as if it was a legitimate WoD game. One of my first scenes as a Sabbat was a "coffee house scene" where a character introduced themselves as a "figure skater Toreador camarilla" (all said in-character). The player did a lot of flirtation RP, so like any Sabbat (Enemies to the Camarilla) I arranged to go "outside of the bar" and then called for a "Storyteller" as my character was planning on attacking and abducting the Toreador.

      The character "fled" the scene, and when I was explaining to the storyteller the canonically valid response, the Toreador player claimed that I was "harassing" her oocly.

      At first, I suspected this to be a "one-off" incident, a sign of a metagaming VtM player, and moved on. What I didn't suspect was how common this kind of behavior would be over the course of...30+ years...up to and including being party or witness to a sickening deal of poor/unethical OOC behavior to protect one's "standing" in the hobby at the expense of another's.

      I started thinking back over the years and how common it was to watch people create egregious theories and stories about players to wiggle out of uncomfortable OOC/IC situations of their own creations, how common it was to see groups of people bullying others, and how over time people collected names of identifiably (and unpopular) unethical players and used those to implicate usually innocent players in coordinated attacks in hopes that they'd be added to the "verboten" list.

      Of course, I've mentioned before that it happened to me a few times. Once I requested personal space from a player "coming on to me" in ways that I didn't consent and in result was immediately accused of being an "emotional abuser", and on another occasion didn't disclose that I planned to kill off a character...only for another player who had IC romance designs for that character to accuse me of being a "liar and a sociopath" after I retired the character.

      Anyway, my point is this:

      WHEN DID WE DECIDE TO ACCEPT THIS BEHAVIOR AS A COMMUNITY?

      The ONE constant I've noticed over the past 30 or so years is that this hobby always (and I mean ALWAYS) has had a continuous, rolling desire for a place where people can be attacked and belittled with minimal ramifications. Before the 'split' (eyeroll), protection of the "Hog Pit" and people's "right" to use it as they saw fit was something people were actually protecting as one of two concepts:

      1. We NEED this place to attack the "bad ones"
      2. A place where we can be mean to each other is a "necessary pressure valve" to let people fight, in front of everyone, using whatever accusations are desired, for the better of us all

      I mean, as adults, we can urge ourselves to understand why "gentlemanly duels with pistols to the death over personal problems" was phased out of our societies, but we can see if it still works in smaller settings, right?

      This has been a constant, and people wonder why the social scene in the hobby became this rotten cesspool of unending drama and public displays of weird ooc dominance roleplay.

      Basically, the seeds of the (better) community's own destruction were laid the moment some of the worse personalities in the community began to establish the concept of a "transactional popularity hierarchy" that allowed groups of allied players who ran games to exclude/belittle players. The entitlement to be cruel or unfair to others became a matter of friendly allegiance, and the concept of not being cruel for ethics' sake took a backseat. Hard work was put into justifying one of any number of weekly belittlements: making fun of people's poses, descriptions, roleplay ability, and eventually mutated into concepts like "This person didn't give me what I wanted, so I attacked".

      (On one occasion, I turned down TS with someone, who then told me that since they identify closely with their character, and my ooc decision hurt their character, that they were going to attack me OOCly)

      And for the 1 or 3 people who say "nothing like this has EVER happened to me", let's be honest, there's 20+ people per those 1-3 who have.

      So, in the end, I think it's worth considering how so many MMO RPG guilds, churches, and other groups follow the same behaviors: a self regulated community of people who intend to play fair and kind are often usurped by ambitious people who want control of it. This is the same behavior that drives spin-offs of churches, book clubs, social cliques, etc. (This behavior is common outside of MU, but often protected with things like transparency and behavioral rules)

      In an unregulated/unmoderated community there is no such thing as a true "judicial" process. There's no hierarchy or council of rational, level-headed people who make the decisions on who is or isn't in the right; it's all argued over who believes who. (Sidebar: I still think it's telling that in a pc and text-based hobby how so few people with the biggest accusations often do so entirely without receipts and rely on convincing others of their story).

      It all comes down to the following:

      • who owns the MU or board space
      • whether or not the complaint comes from inside or outside of someone's circle
      • what people seek to lose or gain based on the accusation

      And it's somewhat ridiculous to me that the core GOLDEN RING that gets won in the constant negative behavior is...bragging rights? I think people should have spent more time over those 30 years considering the why behind these drama episodes. What exactly was to gain, ever, from the constant unethical bullying?

      1. Forcing other people not to be included
      2. Uninterrupted "fulfilling" MeTime

      In the end, I think that's all it is. At some point, everyone in this hobby has (or had) a reason as to why they wanted to spend 50+ hours a week at home, on a computer, spending time virtually with people instead of in-person. Sure, there could be medical reasons why people do it, but ultimately everyone in the hobby chose THIS hobby either as a substitute to in-person social activity or as an activity because of a lack of (or unfulfilling) in-person social life

      So the reward is ultimately: "Damn it, I need/want this, and this person is ruining it for me"

      Now, consider 30 years of finding creative ways to say this, without actually saying it, when considering that it's a free, open-to-everyone hobby, and you have no right to force the person who is impacting your much-needed escape. You can force people out solely by attacking their reputation...or evidence.

      And people ended up getting REAAAAAALLY comfortable with going with the "lack of evidence" approach in a hobby that is literally a constant paper-chain of text and logging that is done entirely on MU clients and servers that are basically made out of receipt paper.

      At the end of the day, I'd met a lot of nice people in the hobby who refused to partake altogether, and those people are saints. We've lost a LOT of those people over the years to the unethical ones because it's simply true that there's no point in fighting with the people truly interested in behaving this way because it's bizarre and not worth the effort; find better hobbies (<- me). I've also had a lot of friends who went in and out of talking shit in the community; gods know I did (my interest was in calling out unethical people for their behavior and sometimes joking about how much shit can stink).

      But the people who truly protected these negative behaviors, such as the Hog Pit, seemed to be motivated by a few tenets:

      1. Fear of reprisal from the "good ones" who felt their entitlement to belittle others was for the benefit of all and were interested in plying said "goodness" in form of bullying against those who disagreed
      2. Allegiances to their friends in #1
      3. (In my opinion) The misguided assumption that their "super important and serious fight with so and so" was so critical to need to be a public community lashing, would provide them with a resolution (as opposed to what it actually became: a public punishment.)
      4. Cruel people who simply wanted the public punishment for satisfaction's sake and cleverly worded it as an ethical necessity

      I think this is worth reflecting on, especially as I see more old crew peeking in for nostalgia's sake. I personally think about this stuff (despite the fact I'm no longer in the hobby) in the sense that understanding what went wrong here would help me avoid joining communities with similar behaviors (identify them), and perhaps understanding why things can get so bad to begin with.

      Anyway, I'll clip this here. It's a fucking shame, really, looking back to think that 10x more effort was put into developing good ways to attack people than was put towards a fair and moderated approach to the community's problems...which in the end left a good portion of the community to the people who presumed they "won the war" by protecting their own predatory behavior in the community.

      -J

      posted in Mildly Constructive
      Ghost
    • RE: Redbird's Updated Playlist

      @Redbird I think I vaguely remember you from Fallcoast(TR), though I can't remember who I played as. Hope all is well!

      As I understand it, the community is dwindling down and a lot of the old faces have moved on due to bad behavior in the community.

      posted in A Shout in the Dark
      Ghost
    • RE: Ethical Question

      Great, I'll pass this information along to my friend.

      And I assure you that I would never do any such thing for personal entertainment value.

      posted in Mildly Constructive
      Ghost
    • RE: Ethical Question

      @Ganymede said in Ethical Question:

      @Ghost said in Ethical Question:

      IS IT ETHICAL to join a bunch of MUs and embed yourself in roleplay with people who don't like you as a means to repair your relationship with them by being cool with them...and then later reveal it was you all along?

      Generally, I don't find myself in such ethical quandaries because I have neither the time nor the inclination to try and convince people who don't like me that I am likeable.

      Generally, it's for that reason that I've never moderated an online forum and have never been in a situation where I've trained to maintain my popularity in spite of.

      posted in Mildly Constructive
      Ghost
    • Ethical Question

      Question...

      IS IT ETHICAL to join a bunch of MUs and embed yourself in roleplay with people who don't like you as a means to repair your relationship with them by being cool with them...and then later reveal it was you all along?

      ...asking for a friend.

      posted in Mildly Constructive
      Ghost
    • RE: Telnet Safety

      @Juniper said in Telnet Safety:

      bless faraday for having the patience for this

      Bless your heart, too

      posted in Code
      Ghost
    • Best News of the Day, Today

      Spaceballs 2 is in development with Josh Gad and Mel Brooks at Amazon, as reported by Variety Magazine. No word yet on the possibility of return actors (including Rick Moranis)

      posted in Tastes Less Game'y
      Ghost
    • RE: Telnet Safety

      @faraday Mo' tech, mo' money, different problems

      posted in Code
      Ghost
    • RE: Telnet Safety

      @faraday I think this would have been an amazing conversation over coffee, and I apologize. I don't mean for my tone to come across as accusatory as it did. I'll keep an eye on that, especially with you since you're awfully nice.

      In my head this was more of a "DUDE...BUT..." type cubicle conversation about tech stuff, but one thing I think we did amazingly here is provide a point/counterpoint.

      I am a former MUer with evident trust issues with the globulous "community" who is approaching this from the point of view of "...the bad scenario" and wanting to state out the width of possibilities to get them out there and under consideration.

      You are still prevalent in the community and are approaching this from a "stepping back from that, this is more likely" approach, and are providing a technical counterpoint about where the safety works and why it is better than it used to be (it is!)

      I do think one thing is sure, though. Whatever next state the hobby takes will probably include someone either improving the insecure transmission issue through some new client/interface to cover that problem, or improvements to client/web interfaces using TLS to allow for more of the customization that MuClients provide.

      And hot-damn, I'm still wondering about Diffie

      posted in Code
      Ghost
    • RE: Telnet Safety

      @faraday said in Telnet Safety:

      Absolutely everything in your nightmare scenario can be done if the game is running SSH/HTTPS. You're blaming the technology for a people problem.

      Yes and no.

      A person with admin-type access has access to connection level information even through HTTPS, and on-server can log/monitor communications, yes. That is correct.

      But it is significantly harder for even someone with that admin access to utilize an HTTPS(TLS) connection to further exploit their own users without being detected or perform unwanted session redirects without being detected.

      It is a people problem, yes, but to spoof a TLS connection you'd need a forged certificate and the actual public key of the target site. You don't need that with telnet. TLS mitigates a lot of the potential attack vectors, but even with TLS there are issues.

      1. A user connected via HTTPS roleplaying with a player connected via telnet potentially exposes things further through the telnet player. The TLS user sends/receives encrypted data, but the same data (pages to telnet player, etc) are then transmitted to the telnet user in cleartext because the sessions are with the host and not P2P or arranged through something like "shared key/insecure network" security provided by Diffie Hellman.

      (I'm now wondering if it's possible to implement something like Diffie-Hellman on a MU server....it's sure AF old enough, and I now wonder if the Unix-based programming in a MU client could handle the exchange of a shared DH/AES key with the connected telnet user. Might be worth exploring for telnet users, and tls for https users.)

      ^^^ IF this is possible (being theoretical, here), I recommend including "log text" in the MU to record something like this:

      • mask the shared key/IPs sent to the username's session, but keep the date and timestamps to ensure other staff aren't collecting data (The shared private key between host and client can be used to decrypt). ONLY access the non-masked information on a need-to-know basis, locked behind God privileges, and NOT accessible on the same staff logins even the headwiz uses regularly
      • if the implementation is stable enough and works, require telnet users to accept the randomized shared key and connect via D-H to play on the game. Everyone is encrypted.
      • IF possible (unknown), idle connections are released after being idle (other user disconnected) for an hour, release the DH shared key, and require a new one
      • IF possible, include a list of blacklisted usernames and IPs who are to be denied the DH key. Forcing this may actually be the solution to further keeping people off of games.
      • may require a client download on the user's side to complete the connection and run parallel to their MU client

      (Again, D-H is deprecated as shit and crackable even in this implementation, but it is better than Telnet and further mitigates local router snooping telnet logs, as well as any other session interception reading issues. I'm not sure if anyone has tried D-H over MU via telnet before, but if the BBS system can handle the handshaking and the client is a free and safe download, this could be the answer.)

      2. If the certificate (for Ares I don't know off hand if it's the hosting site's certificates or faraday's, and no one should know where its stored) is exposed through any means, a malicious user can decrypt as desired

      3. TLS 1.2 is still vulnerable to Raccoon, large ticket injection, Sloth, CRIME, BREACH, etc, but those require more skill and talent to breach, though MUs are not likely targets for these attacks. I doubt a MUser would go to these lengths.

      posted in Code
      Ghost
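Added example (not part of Ghost's post or of any MU codebase): a sketch of the Diffie-Hellman idea floated in the Telnet Safety reply above, with both ends deriving the same session key, the one-hour idle key release, and a log entry that keeps the timestamp while masking the IP and never storing the key. The class and function names, the log format and the sample user and IP are assumptions constructed here; the group is the RFC 3526 2048-bit MODP group, the cipher that would use the key is left out, and because the exchange is unauthenticated it only addresses passive snooping of the telnet leg.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
IDLE_LIMIT = 3600  # seconds; the post's "idle for an hour"


class DHEndpoint:
    """One side of the exchange: the MU server or the player's helper client."""

    def __init__(self):
        # Fresh (ephemeral) private exponent in [2, P-2] for every session.
        self._priv = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._priv, P)

    def session_key(self, peer_public, context):
        # Reject 0, 1, P-1 and out-of-range values: they force a predictable secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._priv, P)
        raw = shared.to_bytes((P.bit_length() + 7) // 8, "big")
        # HKDF-style extract then one expand block (HMAC-SHA256) -> 32-byte key.
        prk = hmac.new(b"mu-dh-demo-salt", raw, hashlib.sha256).digest()
        return hmac.new(prk, context + b"\x01", hashlib.sha256).digest()


class Session:
    """Server-side record of one connected player (hypothetical structure)."""

    def __init__(self, username, ip, key, now):
        self.username, self.ip, self.key = username, ip, key
        self.last_seen = now

    def key_for_traffic(self, now):
        """Return the key, or release it and return None after an idle hour."""
        if self.key is not None and now - self.last_seen > IDLE_LIMIT:
            self.key = None  # released; the client must run a new exchange
        if self.key is not None:
            self.last_seen = now
        return self.key


def masked_log_entry(session, now, log_secret):
    """Audit record: timestamp kept, IP replaced by a keyed tag, key never stored."""
    ip_tag = hmac.new(log_secret, session.ip.encode(), hashlib.sha256).hexdigest()[:12]
    key_fp = None
    if session.key is not None:
        # One-way fingerprint, enough to tell sessions apart in the log.
        key_fp = hashlib.sha256(b"fingerprint" + session.key).hexdigest()[:12]
    return {"ts": now, "user": session.username, "ip": ip_tag, "key_fp": key_fp}


def demo():
    """Run the exchange with constructed sample values and report the outcome."""
    server, client = DHEndpoint(), DHEndpoint()
    context = b"telnet-session:constructed-user"
    # Only the two public values cross the wire.
    k_server = server.session_key(client.public, context)
    k_client = client.session_key(server.public, context)
    session = Session("constructed-user", "203.0.113.7", k_server, now=1000)
    entry = masked_log_entry(session, 1000, b"constructed-log-secret")
    still_valid = session.key_for_traffic(1000 + 600) is not None
    released = session.key_for_traffic(1600 + IDLE_LIMIT + 1) is None
    return {
        "keys_match": k_server == k_client,
        "log_entry": entry,
        "valid_after_10_min": still_valid,
        "released_after_idle_hour": released,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
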
    • RE: 2024: Obits of Note

      @reimesu 😞 that sucks. I love a LOT of his movies. He's also got a pretty talented kid lol.

      I remember an interview (Conan I think) where Donald said that his son has 5 middle names. When asked why, he said "Because I owed a lot of money at the time" or something like that lol

      "Kiefer William Frederick Dempsey George Rufus Sutherland"

      The real story is that he was named after 5 people his parents adored and admired.

      (From the webz)
      Kiefer Sutherland's five middle names were mostly chosen to honor multiple important figures in his life, including his mother (Dempsey was her maiden name), paternal grandfather Frederick, and father's close friend George. The reasoning behind Rufus remains a mystery, even to Sutherland himself. Pretty beautiful story and shows a bit of who Donald was ❤

      posted in Tastes Less Game'y
      Ghost
    • RE: Telnet Safety

      @faraday And that's fine! Please don't mistake my tone as hostile; I'm really not.

      The reason why https was made as a standard for websites (and thus web portals like Ares) is the addition of Transport Layer Security (TLS) that simply encrypts the data to keep it private. If it was simply that https was the standard of the service you were using, that's great. At least connecting through the Ares portal it provides some of that.

      I don't think that you're an idiot who doesn't care about basic security principles, but I do think that the differences in bias in this conversation have led you to the "the risk is low" stance, whereas mine is "the risk you are focusing on is low, but there are other risks." It's just that "ignoring" the risk should only be recommended if you know the potential totality of damage if it were exploited.

      No, a user cannot "take control of your machine" through use of telnet/23, but it is one hell of a sieve that can be exploited to violate your privacy, engineer further attacks (up to and including infiltration), and due to the use of telnet the risk isn't just your local machine, but the local machines of the other users and the MU itself (in terms of data breach).

      I've said it before and I'll say it again:

      • The #1 issue about leaving your data everywhere is retention. It is simply possible (and has been done many times) that MU owners can collect your data, it is stored on server, angry staffers steal the codebase, and in a lot of these cases there are no real questions asked about what (or if anything) is done with that data once the server is stolen/closed down. When Fallcoast got stolen, people found all kinds of other peoples' data on that yoink. Email addresses, conversations in pages people thought were private, etc. It can all be grabbed, and that -can- include data you don't want unintended people to know (addresses, names, businesses, phone numbers, email addresses, etc)
      • "Mal" from Serenity and his goons were notorious for going "dark" and sitting in to watch people's TS, monitor their pages, and in many cases players found themselves getting screwed over for stuff they didn't know other players were watching. Changes to telnet since then: None. Still possible everywhere.
      • There is so little active trust in the community that I don't understand why people REFUTE this topic so badly, when it is a technical fact. It is 100% believed there are psychopaths and "bad actors" in the community, and 100% confirmed there are people who like to RP sex with kids in the same community (and some on this forum even refer to it as "age play" - airquotes and yikes), but...what(?)...24.5% belief that any one of those people would exploit the use of the open protocol to get intel on players? Doesn't make sense at all. Why does the trust suddenly show up there?

      There are people who spend actual time of their lives trying to hide from the likes of SpidJeurgOppWhoever like they're going to swoop in at any moment to ruin their lives and destroy their self-esteem, stating that they're "dangerous" and "probably violent" and other choice words like "sociopath" and "incel" (et cetera; et cetera; et cetera), but then when a guy like me says "you know these psychos can SO easily fuck your lives up with this, right?" That the risk isn't through your roleplay but -- yanno -- them skipping past trying to RP with you to literally stalk you (as a person), completely undetected....and people are like:

      "Nah! I ain't Bank of America so it's cool"

      I will say this, though, not that I would do anything like this, but if I had threatened in this thread to send details on how to do this to any of those "bad actors" I'd probably get banned and send a lot of people into a state of anxiety, which would prove the point that the risk isn't in the RP being snooped. The risks are quite literally in the vein of:

      AN EASY SCENARIO THAT IS 100% POSSIBLE AND REQUIRES NO TALENT TO PULL OFF

      • MUing: an open, free hobby shared with an unknown number (but confirmed) stalkers, paedos, etc
      • there is a lot of "stranger danger" factor, with unlimited ways to sneak in and infiltrate
      • New games are ultimately trusted long enough for at least one connection to "check it out", which would be sufficient to give an insecure/non-VPN ip address to start the process. I figure it would take me a couple of months to cultivate a new "identity" on this forum or the other one, say "I'm Dave from Florida, new to the hobby but a Linux guy, and I'm gonna try to make a game, too!". Maybe go to the other forum and talk shit about Derp or something for 5 minutes until people are like "DUDES THIS NEW DAVE IS FUCKING RAD" (it's not hard to get in with these crowds at all, really. All you have to do is hate the people they hate. I've been in and out of the clique myself a few times back in the day - not to their knowledge"+"). People are generally excited for new play opportunities, and since this isn't a big risk at all, no one needs to really worry about the telnet connection, right?
      • Player-Attachments to MU Clients (and the ways you can store sites, macros, etc) almost all use telnet/23, and it is unlikely that people would get rid of those in favor of https without their embedded colored text, spawn windows, etc
      • A patient enough person exploiting this could simply gather data (RP, pages, chats) over time, completely unaware to an entire playerbase to datamine information on players, their IP addresses, backtrace those to their geolocation, apply their name/location/kids names/dogs' names/cats' names/spouse names/alma mater and then apply those to social media searches on X/FB/Insta/LinkedIn. At this stage it gets downright creepy.
      • They could then utilize those methods to prepare guessed passwords, perform penetration testing for other insecure parts of the users' machine(s), and use that to get additional access on the PC. Regardless of that, the geolocation data is sufficient enough to make physical contact if so desired, with either the desired user or their personal interests (work, family, safety)
      • How many MU players (that you really don't know) have YOU received private information about from 3rd parties that includes their jobs (lawyers? We got any lawyers in the house?) their general locations, their names, their sexual preferences, etc. How many players do you know on this forum and through their posts alone how much have you learned about their lives, medical needs, emotional needs, their twitch streams, their online writing and blogs, their extensive posts about their personal lives and what they're going through? Don't want to scare anyone, but I think I've learned more about MUers from 3rd parties than from the actual people themselves, because as the Hog Pit proved, the desire to shame other players with personal information is somewhat higher, and if a socially engineered dogpiling campaign comes your way...well...you know your personal life information is open season.
      • ^ If you think THIS is inaccurate, then tell that to everyone a certain MUer shared details of my private life and difficulties with my kiddo to dozens of 3rd parties without my consent as a result of being rejected romantically on a RL level and continues to share a self-edited version to this day.

      (Note: The story others get is sans the part about their RL flirtation towards me, the request for space/rejection after a line was crossed with their flirtation in an unsolicited message to my RL cell phone that my partner saw and didn't appreciate, but apparently needed to provide a falsified version of myself and my RL situation to anyone who would listen as an emotional user of people and an emotionally draining "need" sponge. This is ultimately fucked up because I was dressed as an emotional abuser as a result of trying to set reasonable boundaries with someone who was emotionally cheating on their partner, but as a result I was publicly abused by this person out of spite, yet they needed it to be delivered as being my victim).

      Ya tell a person you need space (and aren't comfortable), they say "don't I get a say in this?" and "I'm always being chosen above other women", and then 10 pages later you find yourself on the bottom end of an accusation of being an abuser and user. Gotta love it when people cross your requested lines and then retaliate when you protect yourself from them, right?

      (I digress, but it's entirely bizarre the number of people who do "OPPshit" that want everyone to keep OPP out.)

      This kind of shit happens regularly to better people than I. IYKYK, and I know plenty of people have heard this story from one side. Your personal life details are cheap to trade and even easier to corrupt.

      And for those of you who got personal information about me from those bs stories? I guarantee the same people are talking about your personal details, too.

      • I literally know a few of your real-life names, which is crazy considering I can count on one hand the number of MUers I know who have told me their real-life names personally. A lot of that data just came conversationally and without request.
      • IF the PC is breached, everything from logging to DNS cache poisoning to MITM is on the table, provided the talent, time, and willingness of the malicious actor

      This is not a fantasy scenario. This is "Red team 101" and probably covered in the first few chapters of the Certified Ethical Hacker certification, but if not in the first few chapters it is definitely in there. People need to consider the actual 10,000 foot view of just what they're giving away to these other players, and need to understand that just because it's a direct page to "Steve" on "New England By Night" (PB Paul Walker or something), that the existence of telnet being used means that when you give "Steve" your phone number, there is absolutely no guarantee that a 3rd party isn't actively collecting that data, and in the MU community it is far more likely to be used in a personally harmful manner than a financial one. Not only is there no guarantee, it is sickeningly easy to do.

      Either way, agree with me or not, fuck it, it's y'alls problem, but it is a problem. Good luck out there and please take this seriously, regardless of the counterpoint Fara provided. It's real.

      "(+)" - Sidenote: I didn't "infiltrate" the clique, but when you're not declaring who you are it's shockingly easy to get picked up for a scene and then get included in chats about how bad everyone else is. ¯\(ツ)/¯ The fact that it happened multiple times is just...I guess a fringe benefit or somethin. It's hard to tell who other people are, too, when you don't care.

      posted in Code
      Ghost
    • RE: Telnet Safety

      This feels like an argument between:

      • Person saying the entire information security world contains useful data that can protect you from threats you didn't know you didn't want to deal with, and attempting to explain to people the width of risk they should be aware of (framed in "community" scenarios)

      • Person who currently has an active stake in the hobby literally going against every information security concept in existence to say "it's fine; ignore it, but it was important enough for me to get Ares set with https for a lot of those listed reasons."

      Shit, fara, you're the one that put https out there as an option for these games. Why put effort into it if it's no biggie?

      Edit:

      Or:

      @faraday do you prefer to use the https portal access to the games you play, or the telnet MU client, and why?

      posted in Code
      Ghost
    • RE: Telnet Safety

      @faraday I wasn't saying "request Ares handle" as if there was some way they could get through the https authentication with Ares, but merely as live data to tie an actual user to ip address.

      @faraday said in Telnet Safety:

      I do disagree with the assertion that connecting to a game with a traditional MU client is opening you up to vulnerabilities beyond someone snooping on the traffic between you and the game

      Then you would find yourself in opposition to the entire information security industry, OWASP, etc.

      In fact, most major companies stress that the biggest security risks are insecure handling of data, access gained through social manipulation, and the many many ways these things open you up for further intrusion. The least technical and educated people are the biggest risks.

      Are millions of dollars in transactions (other people's money) at stake? No.

      But as much as the community talks about stalkers, psychopaths, liars, manipulators, protofascists, and goes on and on and on about how bad certain people are...perhaps even MUing on games that allow "simulated" (airquote) paedophilia on the very same computer their kids do homework on...one would think that the risk of that outweighs your TS being snooped.

      No one would purposefully try to go after this vulnerability for money (at least not in this community as it's free and obviously a draw because it's free), but if someone were so inclined it would probably be done by someone within the community rather than some random script kiddie in your apartment complex.

      I guess people will just have to decide which of our obvious biases will or won't lead them astray!

      Edit:

      I had a "hold up" moment.

      Do people in this community NOT realize just how much of your personal information alone you have archived and shared in the Hog Pit (or this forum alone for multiple years of use, people talking about their lawyer work, their jobs, their kids, how close they were to that thing that happened here in Raleigh)?

      Anyway, maybe this is just one of those things where the attachment to the hobby outweighs giving a fuck, or maybe your biased position @faraday dismantled the point, but I think it's crazy, crazy how easy it would be to sploit the hell out of people in this hobby in ways that absolutely scare/affect them, and my ability to do it all drops significantly when connecting via https or using a vpn.

      And note your peers in this community have prioritized "socially avoiding/attacking people who use vpns because it doesn't allow game staff to try to track players by IP address". THIS is insane, because this is your peers openly admitting to tracking insecure IP addresses of players for a personal/biased reason. At every turn in this hobby, the priorities seem to always be:

      1. Keeping the 5 or 6 specific "villain" names that people can remember off of the game for at least 4 concurrent months

      Not that there has been really any success in this for well over two decades, primarily because of...telnet.

      I have no clue exactly how else to explain to people how using this protocol is literally the cause of all of their paranoia, inability to keep people out, and opens them up to literally the craziest people in the community, but if people were so inclined to workshop this (and allow me to prove my case) I would not be opposed to working with others to put together an operation to prove my case by using these methods to gather/log/report data on people doing criminal activity on sexMus

      posted in Code
      Ghost
    • RE: Telnet Safety

      @faraday You and I are like a regular good cop/bad cop episode lol. You're right, though. The dangers ARE considerably less on a MU server than foolishly connecting to some rando telnet port you find listed on the dark web.

      However, I think it's important to understand the width of what could happen in a very realistic scenario, such as:

      • Player A has a Trojan on their machine or other exploited vulnerability that gives the attacker access to their OS
      • Player B does not
      • WHOEVER has access to Player A's device (could be a Player or something black hat) can snoop the telnet transmission unknowingly to either player.

      Any personally identifying information shared in that telnet stream between both unaware players (perhaps even ones that are in a real-life relationship, sending pages to each other about paying bills, or lifelong friends sharing address information) is open game, and neither of the players would have any clue that they'd been snooped on.

      I feel like a massive asshole saying this, but the most hated/feared people in the community could easily start up a new game server under a false identity, LITERALLY EVERY PERSON IN THE HOBBY CHECKS IT OUT AT LEAST ONCE (because this happens for almost every new live game. Boom. IP addy.), request your Ares handle in the app process, and then log every 24 hours of content through the listening port to cloud-based storage.

      I wouldn't do that, personally, but others who are down with other people's property could. If I were black hat or a stalker, that's exactly what I'd do.

      posted in Code
      Ghost
    • RE: Telnet Safety

      @faraday said in Telnet Safety:

      A malicious actor could 100% snoop on your insecure connection, but I fail to see any way that they could manipulate anything on your machine unless there were some kind of underlying exploit in the MU client that they could leverage. Right?

      Basically, but I was also operating on the concept that information gained through insecure data transmission could lead to further exploits. Also, Telnet is not only susceptible to snooping, but also MITM/DNS Spoofing*, because telnet makes no attempt to validate the host it is connecting to.

      Insecure transmissions are really just risky, so I 100% agree that the ABSOLUTE BEST approach is to do as @faraday says and connect via https at the portal.

      Edit: (for those who don't know the slang)

      • Man in the Middle (MITM) is where a malicious attacker inserts themselves in between the transmission to intercept data, but is not just limited to snooping. Communications can be modified/redirected. (mitigated by using secure protocols and disabling telnet)

      • DNS Spoofing is where DNS records are manipulated to redirect targets to bogus websites, which could lead to further exploits. (mitigated by use of https)

      OH AND I JUST REALIZED...

      • Telnet transmissions include your IP address used, which makes users susceptible to malicious users backtracking the IP into port scans/penetration tests. Not trying to pile on against telnet, but this is 100% accurate
      • also is the fact that your IP address is something always available to game admin, regardless of how much you trust them
      • the only workaround for this is really a VPN, which is also 100% recommended to further increase your security and ensure that MU game admin can't use your actual IP for their own purposes without your permission

      posted in Code
      Ghost
    • Tech Tip: Kids and Routers

      Waiting on a work call, and building off my prior post I thought I'd share a cool tech tip.

      In my other post I mentioned that all telnet transmissions can be logged and reviewed at the router level. Really, having control of the household router can give you godlike levels of power.

      So if your kid is using their PlayStation at 3am against the rules (or some variation of this problem), do the following:

      1. Get the IP address of the device
      2. Log into your router as admin
      3. Find the connected devices and deny that IP access to send data through the router between bedtime and back from school time

      (Note: you can also assign nicknames to devices showing only as IP addresses. It helps to change these devices to names like "Billy's PS5" and "Dad's Cell Phone")

      You can turn your kids' computer devices into bricks between whichever hours you please.

      I ended up having to do this to my own teen that wasn't getting the point, and since I was the only person with the router password I could control those constraints.

      posted in Code
      Ghost
    • Telnet Safety

      Hey, IT guy here. I've posted in the past about the technical dangers of MU in terms of other topics, but for those not aware, I thought I should write a little blog post.

      1. ALL MUs that aren't using SSH are essentially unencrypted

      Telnet (created in 69) uses TCP port 23. It sends unencrypted data across the TCP/IP network (internet) containing clear, readable transmissions of all characters sent/received from the MU.

      In 1969, this beast above was the most powerful computing system in the world. It went for a whopping 2.3 million ($23mil+ adj for inflation) and had an awesome memory availability of 982 kilobytes (just under 1Mb). A modern 20 dollar burner cell phone comes with 32GB storage, which is essentially 32000Mb (and 32,000,000 Kb).

      That is how fucking old telnet is. It turns 100 in 2069 in 45 years. It predates modern cocaine use.

      2. The difference between "data at rest" vs "data in transit"

      The difference initially is obvious. Data "in flight" is in transmission and "at rest" is when it is stored, but what does this mean for your firewall/vpn/Etc?

      AT REST DATA: All of your firewall/malware/virus protection typically is by device (laptop/cellphone) or handled via software on your router. THIS HELPS KEEP PEOPLE FROM HACKING YOUR MACHINE AND PULLING DATA OFF OF IT. This is data at rest. You have provided a "fort" for your data that is hard to get into.

      IN TRANSMISSION your data becomes vulnerable. Like any important piece of mail (like your tax return) you want to mail it knowing that it is safe, won't be intercepted, and won't be acted upon by people the piece of mail isn't addressed to.

      In-transmission data is quite simply the most dangerous part about the MU hobby.

      3. How can unencrypted data over MU be dangerous?

      Telnet protocol is insecure, and if a malicious MUer did or didn't have staff privileges (because the MU is insecure and the data is unencrypted) they could...

      • capture/log all transmission data, both personal and roleplay including sensitive personal information
      • use the established telnet connection and hacking wares (that are so obsolete that they are easy to obtain and can be used by kids) to manipulate what they can on your machine through the telnet protocol session you initiated on connection.
      • Session snooping is simple. At the router level I can block port 23, but I can also log all data transmitted via telnet for my viewing. This puts TS MUers in a serious danger zone if their spouse has any tech skills. It could be done without even touching your laptop.
      • If the MU staff or site hosting is not secure from MITM attacks or session snooping, then a malicious user could implement telnet snooping across all users of the mu hosting provider, and the existing use of telnet protocol makes this a constant threat.

      So while the data is "in flight", it leaves YOUR network, is out in the open, and is then delivered to an "at rest" state on the MU server, you should keep these things in mind:

      • MU hosting and MU staffing is an entirely unpaid, amateur effort
      • Most game staff are not IT professionals, and even if they were the only true answer to safety is SSH...which requires additional purchases (certificate authority) and authentication protocols most MUs don't use (or have staff who would know how to implement)
      • All data on the server is technically the property of the owner (not the user) with no existing legal recourse if the MU is infiltrated.
      • The assumption that your private pages and roleplay is truly private is an absolute farce

      (By this I mean...you're RPing or discussing potentially personal things over an INSECURE protocol on an antiquated BBS service owned/run by a stranger with only "social damage" incurred if they're caught snooping your pages/rp, and at a certain level of privileges other staff would never even know if it was happening to them)

      • NEVER give your address, phone, banking, full name, general location, business information, etc over pages/chat in MU even if you trust the person because THE DANGER ISN'T YOUR FRIEND, BUT THE SERVICE/PROTOCOL YOU ARE USING.

      So with all this in mind, it's far safer to RP using Discord or even Facebook chat windows, because at least those services have encryption, terms of service, data collection standards, and security baked into the format.

      Really...anyone who knows this stuff when you don't is a potential malicious actor, and MU players seeking that free entertainment are pretty much at the mercy of the budget/hostingSite/protocol selection of the game-runners. There's no "policy" that fixes this issue, nor does a promise have any value, because the game site and protocol are pretty much wide open.

      Now, you may read this and say "ennnnhhh...I doubt BubbaCliqDude or OPPCannotDie (whoever your fave/least fave MUers) have the skill, desire, or talent to fuck around with telnet". Don't think this.

      Because literally anyone connected to any MUer, any malware/Trojans they have allow their malicious entity to snoop their telnet session that is using an insecure, open pipe of data from source-to-site (your transmission), then site-to-target (they receive). Both users have approved the connection and Microsoft is more than happy to let that approved connection do whatever it wants unless properly configured. Which...proper configuration in this case would be to disable telnet protocol altogether, which would kill your ability to connect to 99% of MUs.

      (note: every card payment taking service in the world is banned from having telnet protocol enabled on all Windows machines. If telnet on any machines causes a PCI audit rejection, they could be contractually rendered unable to perform any transactions until telnet protocol is disabled across all machines)

      THAT is how fucking bad telnet is.

      posted in Code
      Ghost
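
What "clear, readable transmission" in the Telnet Safety post above means on the wire, as an added example that is not part of the original post: a small RFC 854 parser that strips Telnet's in-band commands from a capture and returns the text exactly as typed. The capture bytes, character name, password and address are constructed for illustration.

```python
# Added example (not from the original post): decode a constructed Telnet
# capture exactly as any device on the network path would see it.
IAC, SE, SB = 255, 240, 250            # RFC 854 command bytes
NEGOTIATION = {251, 252, 253, 254}     # WILL, WONT, DO, DONT

# Constructed sample bytes; names, password and address are made up.
SAMPLE_CAPTURE = (
    bytes([IAC, 251, 31])                          # IAC WILL NAWS
    + b"connect Example hunter2\r\n"
    + bytes([IAC, SB, 31, 0, 80, 0, 24, IAC, SE])  # window-size subnegotiation
    + b"page Friend=my address is 1 Example St\r\n"
)


def telnet_visible_text(raw: bytes) -> str:
    """Strip Telnet command sequences and return the application text."""
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        if raw[i] != IAC:
            out.append(raw[i])         # ordinary data byte, sent as typed
            i += 1
        elif i + 1 >= n:
            break                      # capture ends mid-command
        elif raw[i + 1] == IAC:
            out.append(IAC)            # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif raw[i + 1] in NEGOTIATION:
            i += 3                     # IAC + verb + option code
        elif raw[i + 1] == SB:
            i = _skip_subnegotiation(raw, i + 2)
        else:
            i += 2                     # two-byte commands such as NOP or GA
    return out.decode("latin-1")


def _skip_subnegotiation(raw: bytes, j: int) -> int:
    """Return the index just past the IAC SE that closes a subnegotiation."""
    while j < len(raw):
        if raw[j] == IAC and j + 1 < len(raw):
            if raw[j + 1] == SE:
                return j + 2
            j += 2                     # escaped IAC inside the option data
        else:
            j += 1
    return len(raw)                    # unterminated: nothing left to read


if __name__ == "__main__":
    print(telnet_visible_text(SAMPLE_CAPTURE))
```

Nothing in the stream needs a key to read; a TLS-wrapped port is what changes that for observers on the path.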
    • RE: A.I. in the Community

      @Ganymede said in A.I. in the Community:

      hate watching golf

      A lot of my childhood is getting kicked outside (off the tv/Nintendo) so my dad could watch golf. When I was older, I was kicked off the TV to mow the lawn so my dad could watch golf. Then my dad made me caddy for him a few times.

      Now, when my coworkers go to TopGolf I just watch, because I'm so biased against golf now, I won't even swing lol

      posted in Reviews and Debates
      Ghost