MU Soapbox


    Posts made by Ghost

    • RE: New Vampire Release

      Well, bear in mind that these aren't tables that tell you what your character feels outside of a growing state of tension based on supernatural hunger. Spamming power usage, even on disciplines that didn't used to cost blood, stirs and uses that blood. The beast within wants that blood replaced.

      Like all games with willpower systems, it'll be up to good STs and good players to approach this in good faith.

      I think this new system will be challenging to WoD players that have abused that good faith for a long time. From LARP to TT to MU, I've encountered plenty of players that prefer to focus on the fantastical/power side of RP, avoiding the difficulties of the supernatural element in lieu of more self-fulfilling/less complicated role play. V5 will embrace those challenges.

      V5 doesn't mandate telling people how their characters feel, but the blood/hunger system will definitely make it clear as day when a player is refusing to follow the system when it's inconvenient to them. Now, when a character frenzies in a crowded nightclub, it's far less likely that they can choose to control themselves long enough to leave the crowded nightclub, walk out to an alley, enter access codes to a private warehouse with soundproofing and THEN frenzy where there will be zero repercussions.

      But this is probably a topic for a different thread (re: WoD players abusing the system)

      posted in Tastes Less Game'y
      Ghost
    • RE: New Vampire Release

      @bobotron said in New Vampire Release:

      @ghost
      Also, honestly, from a MU* standpoint? I can see Hunger being a good mechanic for MU* to use. It's easier to manage from a staff standpoint. I think we talked about this when Hunger was first previewed in another thread.

      Agreed.

      IMO a major problem with WoD is that powers are too useful. Be it blood/essence/etc economy, one of the bad habits that comes from a lot of WoD is relying so much on powers that most skill dot selections are done only to maximize the dice pool for a power scheme.

      Inserting something like hunger will make players ask: "Do I want to use a power and risk becoming hungrier, or use skills to solve the problem?"

      In the end, from what I experienced when I played the v5 playtest, it makes the character feel more like a monster battling against their inhumanity than a normal person with superpowers who just happens to be a vampire.

      V5 makes it a lot harder for players to cheese power use, humanity rolls, and behaving like vampires by linking power use to self control.

      posted in Tastes Less Game'y
      Ghost
    • RE: Heroic Sacrifice

      @kestrel said in Heroic Sacrifice:

      So the question becomes, as a game creator, how do you tackle this? How do you encourage your playerbase to step back a little from their need to play heroes? From their need to avoid obstacles, reject risks/stakes, and inhibit progression or complexity in a story?

      I don't think that this can be done on any MU.

      For the most part, MU culture doesn't flock to mushing because they want a lot of complication that they won't be able to control. They're looking for complication and conflict that is titillating, but not frustrating. You're talking about a lot of people who are going online to write and roleplay fantasies with a strong emphasis of escaping the elements of their daily lives where they cannot control the outcome.

      I've mushed for over a decade, and if you look close enough you'll see this forum (and I've seen its predecessors) touch point on this every few months or so. This will never, ever, ever, ever be resolved due to the general pulse of the MU community.

      In short: For a number of people, this is gaming. For a larger number of people, this is writing.

      I personally advise you find, keep track of, and do your best to maintain positive relationships with people with similar mindsets, but understand that you're going to be surrounded by players with this hero concept that you described. You'll often hear it as the "My Story" concept, where when they make a character, their concern is for my story, and they want to ensure that my story is fulfilling for them. The general idea is that whether they're reasonable about it or selfish, it's that losing (pc death, failure, etc) isn't fun, and that others should be willing to find ways to also accommodate resolutions to the story that are fun for everyone (in the way that some people argue on behalf of everyone when it really is arguing for their own characters).

      So in the least negative way possible, I'm advising you to just let it go.

      Now, from a GM perspective? If you want to show people that their OOC desires aren't going to run the show, the best way to do so is by mandating dice rolling. Dice rolls ensure that it isn't the will of the OOC personality that mandates pass/fail. Without dice, many mushers have learned that OOC tactics work best for cutting the red tape: Making friends, roleplaying within cliques, character assassination, being difficult until they're given what they want, manipulation, schmoozing with staff, etc.

      Not intentionally being negative, but as a musher what you're asking will be something you will struggle with for your entire time mushing.

      posted in Mildly Constructive
      Ghost
    • RE: New Vampire Release

      I got to play a playtest for V5 and I'm 100% on board. I ended up picking up the Elder package. We're definitely going to be playing this game around my coffee table. It's pretty much done everything I'd hoped Masquerade would do:

      1. Replace blood points with a hunger system: It's no longer about twinking blood economy, but the relative hunger your vampire gains due to using their blood.
      2. Insert a story element that neutralizes a world filled with ancient 4000 xp elder PCs: You can't seem to find a VtM game (online or not) that isn't overburdened with supreme elder cheese characters with every discipline, every stat maxed, and way too much IC comfort. The new setting will make it difficult to be a vampire again.
      3. A return to the clans/structure we started with: While I prefer nWoD's system, I always will love the original VtM clans more. It'll be a lot of fun getting back to the world of Camarilla/Anarch with Brujah, Gangrel, Tremere, etc
      4. A New Inquisition: This second inquisition element is exciting. It's inserting into the setting that Vampires aren't the apex predators anymore, and maybe in a tongue-in-cheek way suggests that an era of one too many breaches of the masquerade have resulted in a severe need to worry about a 21st century society armed with cell phones, phone cameras, and near instant access to posting on Instagram.

      I think the new ownership of the IP has really looked at the downsides of the oWoD game(s) and min-maxy player habits, and has made some really good decisions about how to play in the spirit of the setting.

      posted in Tastes Less Game'y
      Ghost
    • RE: What's your identity worth to you?

      @nemesis said in What's your identity worth to you?:

      This type of network trickery is used in DoS attacks

      DDoS. Distributed Denial of Service attack.

      DOS is a term for Disk Operating System

      @Roz I agree. This is weird. I've placed him on ignore.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      @faraday I think what @surreality was saying was that she agreed with me, and wasn't saying that my stance was entitled.

      Like a side note, she was saying that demanding someone make a requested monetary change to a game runner's free entertainment service was an entitled thing to ask, and that her approach would be "I'm doing this my way, with my level of comfort, and if I'm not comfortable opening up IPv6 on my home router you have no right to demand it of me."

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      Please also understand, my point in all these questions isn't "look at the big brain on Brad", but more "what identity information do we divulge merely by logging in and playing?"

      My evolved ape brain just thinks IT-style when it comes to this topic:

      • Determine what personal information you give simply by logging in and playing.
      • Determine what personal info you're willing to give outside of the necessary.

      I apologize if I derailed, but given what I do for a living I figured the tech side might be interesting info for some people.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      New question:

      Game Owners: From IP information to email addresses, what are the current standards of collection?

      • Are IP addresses stored, and if so how long?
      • Does stored IP information get scrubbed?
      • For games that require registration with an email address, does that email get scrubbed when the PC bit is destroyed?
      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      @nemesis I don't...exactly understand why you're fighting this so much when the general Infosec and IT community disagrees with you. So I'll leave you with reading from sources that clearly have no idea what they're talking about.

      NIST (National Institute of Standards and Technology): https://csrc.nist.gov/publications/detail/sp/800-119/final#pubs-abstract-header

      OWASP (a bunch of chumps who are an international organization renowned as the tip of the spear in dealing with web/info vulnerabilities. Its OWASP Top 10 is considered a fair standard for the top 10 security risks at ANY given time. They don't know anything, but they wrote a completely bogus thing on IPv6 vulnerabilities that I'm sure you knew about): https://www.owasp.org/index.php/File:Vulnerability_Scanning_in_an_IPv6_World.pdf

      If you would like to try ARP spoofing using IPv6 on an IPv4 network, here you go: https://insinuator.net/2016/03/multicast-based-ipv6-neighbor-spoofing-response-behavior-on-cisco-devices/

      Anyway, I'm gonna stop there. You're out of your damned mind if you think there isn't a widely sploited IPv6 vs IPv4 vulnerability for MITM attacks, and the rest of the IT world as a whole disagrees with you. Who am I to say, though? Maybe they're all wrong about their bogus terms such as bogons and vulnerabilities and 200+ videos on YouTube about IPv6 MITM attacks and IP spoofing. I'm not going to argue with you about this. You were factually wrong from the start. Let it go.

      And I assure you in no way that I'm not reading, right now, about how to use socat to tunnel IPv6 through IPv4.

      Anyway, this got derailed. Don't listen to this guy (he doesn't know shit) and an IPv6 attack against a home router that isn't protected from it is a potential vulnerability.

      The point is that IP information gathered by MUs is a potential attack vector.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      @killer-klown Thanks for the seconding about IPv6.

      One thing you definitely learn in IT is that it isn't always the technological vulnerability that is your biggest threat, but perhaps a threat in process. A good example of this is texting a challenge code on a password change to a registered mobile device (something the user will have on them) to avoid the risks associated with a call center person just changing a password because the person on the phone claims to be who they say they are.

      So, to come full circle on the topic, I welcome game runners and players to look back at my previous questions.

      1. Since telnet xmits UID/Passwords in clear text, do a quick audit to determine if ANY of your mu logins are using your email or banking passwords.

      2. People really should consider the role of staff access to PII (personally identifiable information), ip logging, and how that information is stored as an important topic. Since MU uses outdated tech, less security-minded architecture, and no admin standards, it'll be processes that protect players' PII more than tech. Might be a good topic: MU Security Best Practices or something.

      3. Players need to be aware that your "identity" isn't just limited to what you tell people. Data aggregation is a thing, and people are always more clever when they have a game plan. Anything that can be used as a starting point for research is useful, be it a screen name, an email address, or an IP address. It doesn't matter if you give a fake name or are mum on your private details if insecure data leads malicious attackers to the truth regardless.

      These are things all people should know about the vulnerabilities of this hobby's technology, and worth keeping in mind.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      @nemesis You're the expert!

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      So, respectfully, if that guy was a bogus assclown who was using bogus tech terminology, I invite you to unlock any IPv6 protections on your home router then post your home router's IP on Reddit.

      I submit this as an example as to how lack of security knowledge can result in your private information being sniffed out over a MU server, and how lack of security knowledge can lead to a game owner being pressured to make their network (and the data from other people connected) ultimately hackable.

      That guy made a good call, @Nemesis

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      @nemesis

      https://6session.wordpress.com/2009/04/08/ipv6-martian-and-bogon-filters/

      Honestly? If I was hosting a MU on my home router, the dangers of potentially allowing IPv6 bogons to access my home network (an anonymous person who wants to play Shadowrun) outweighs a player not being able to connect via IPv4.

      IPv6 transition (to IPv4) mechanisms have a nasty security risk of allowing outbound communication that cannot be detected by most network intrusion detection systems.

      So if someone told me "Hey, update your home network so that this guy you don't know can connect via IPv6 to your home server to play an online game" I'd:

      1. Never host an online game on my personal machine, so this would never be an issue.
      2. Tell them no, politely.
      3. If they insisted, I'd tell them politely to pound sand.

      Bogons are widely used tech terminology, and IPv6 transmits IP information that appears bogus to IPv4 unless greater translation efforts are put in place. On a corporate level this gets handled more often than not, but a good home security tip is to disable IPv6 on your home router unless you have a specific reason to allow IPv6 connections through your home network.

      So, in short, it may have been possible for someone connecting via IPv6 through an insecure home router to enable one-way logging for all users to their home device.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      @surreality said in What's your identity worth to you?:

      @ghost It was so commonly used on Shang people flipped their shit when it was blocked in large numbers. Apparently, a lot of people use it default for MU*.

      That's...chilling.

      TOR is used commonly as a haven for cyber crime. It's been the go-to data drop site for groups like Anonymous and WikiLeaks, but it is also host to over 122+ sites of illegal pornography and used as a method for under the table communication of child porn.

      Yes, I am suggesting that there is a possibility that TOR users on Shang or PenDes are also using TOR to access illegal pornography through the dark web. There's a reason why people choose TOR. It's the unpoliced wild west for hackers, pornographers, illegal financial trade, and software piracy.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      @arkandel Wow, I didn't think about TOR. Does TOR show up on IP address lookups as the origin point? I figure anyone actually paying out for a darknet account access on TOR might proxy after that, but damn, I wonder what I'd think if I saw someone logging in from a TOR IP.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      @arkandel said in What's your identity worth to you?:

      If you are downloading torrents or such it's always a good idea to have a proxy service. Mine costs something stupidly low like $15/year and the provider keeps no logs, but they mask your IP completely. Sure, if the NSA is after you they could probably work something out but Joe Asshole who runs the MUSH you pissed him off on will look at the IP you logged on from and see something from Miami or Florida when you've been to neither of those States in years

      I thought some MUs blocked proxy services, or was that just one or two sites that got blacklisted?

      But that's just another thing to think about. Proxy services are great. They mask your key location and make you harder to track, but unless the MU blocks proxy services (requiring user to authenticate with their actual IPs), then your go-to anathema people (or stalkers) can continually spoof IPs. It's a limitation of the technology that you can prepare for, but there's no silver bullet.

      But the point of my last 3-4 posts is just this:

      The majority of development in these MUs is for codebase/game system and not with security and identity protection in mind. IT standards that protect the user are simply not at the forefront of development of MU code. Some people try, and some security updates get made and may be mitigated on the user OS level, but it's still connecting to a potentially insecure service through a port. WoW devs/Infosec work around the clock on creating an unhackable service. Random MU does not.

      It is absolutely something to keep in mind when MUing, or doing anything over the internet, especially when communicating any personal details.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      @sunny

      1. a worst case scenario only needs to happen once.

      2. this information may be useful to people in terms of password security, security hardening on MUs, and protecting their identities

      3. identifying the holes is step 1 to filling them.

      My advice?

      Establish SSL for encrypted login data transmission as a standard, verify that databases are encrypted and that login IP information is only available to head wiz and only stored for 30 days. When new staff is hired their identities should be shared with the game owner (if they have access to personal data) and in a perfect world staff might do something to vet that the person is who they say they are and don't have a recorded history of abusive behavior, sex offender database, etc.

      Mostly just be aware that this hobby is built primarily on insecure/outdated technology, that code bases and staffing procedures could be rife with vulnerabilities, and to be very aware with this while engaging in highly personal conversation or simulated situations with absolute strangers.

      Like it or not, the truth is that we may talk about people here on MSB that behave like sexual predators, but should never forget that we may never know if they're taking their game online because they're a convicted sex offender in RL.

      posted in Mildly Constructive
      Ghost
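
The 30-day login-IP retention and the email scrub on character destruction raised in this thread, as an added example that is not part of the original post and is not taken from any MU codebase. The SQLite schema, the table and column names, and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 30  # retention window suggested in the post above

# Hypothetical schema: one row per character, one row per login.
SCHEMA = """
CREATE TABLE characters (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                         email TEXT, destroyed_at TEXT);
CREATE TABLE login_log  (id INTEGER PRIMARY KEY,
                         character_id INTEGER NOT NULL REFERENCES characters(id),
                         ip TEXT NOT NULL, logged_at TEXT NOT NULL);
"""

def iso(ts):
    # Fixed-width UTC timestamps sort correctly as plain strings.
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def purge_old_logins(db, now, retention_days=RETENTION_DAYS):
    """Delete login IP rows older than the retention window; return rows removed."""
    cutoff = iso(now - timedelta(days=retention_days))
    with db:
        cur = db.execute("DELETE FROM login_log WHERE logged_at < ?", (cutoff,))
    return cur.rowcount

def destroy_character(db, character_id, now):
    """Scrub the email and every stored login IP when a character is destroyed."""
    with db:
        db.execute(
            "UPDATE characters SET email = NULL, "
            "destroyed_at = COALESCE(destroyed_at, ?) WHERE id = ?",
            (iso(now), character_id),
        )
        cur = db.execute("DELETE FROM login_log WHERE character_id = ?",
                         (character_id,))
    return cur.rowcount

def retention_report(db, now, retention_days=RETENTION_DAYS):
    """Audit counts; both should be zero when the policy is being enforced."""
    cutoff = iso(now - timedelta(days=retention_days))
    stale = db.execute("SELECT COUNT(*) FROM login_log WHERE logged_at < ?",
                       (cutoff,)).fetchone()[0]
    leftover = db.execute(
        "SELECT COUNT(*) FROM characters "
        "WHERE destroyed_at IS NOT NULL AND email IS NOT NULL").fetchone()[0]
    return {"stale_login_rows": stale, "destroyed_with_email": leftover}

def build_sample_db(now):
    """Constructed sample data: documentation IP ranges and example.com emails."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO characters VALUES (?, ?, ?, ?)", [
        (1, "alice", "alice@example.com", None),
        (2, "bob", "bob@example.com", None),
        # Legacy row: destroyed long ago, but the email was never scrubbed.
        (3, "carol", "carol@example.com", iso(now - timedelta(days=200))),
    ])
    db.executemany(
        "INSERT INTO login_log (character_id, ip, logged_at) VALUES (?, ?, ?)", [
            (1, "192.0.2.10", iso(now - timedelta(days=1))),
            (1, "192.0.2.10", iso(now - timedelta(days=45))),
            (2, "198.51.100.7", iso(now - timedelta(days=10))),
            (2, "2001:db8::7", iso(now - timedelta(days=90))),
        ])
    db.commit()
    return db

if __name__ == "__main__":
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)  # fixed, constructed clock
    db = build_sample_db(now)
    print("before:", retention_report(db, now))
    print("purged:", purge_old_logins(db, now))
    print("bob's remaining IP rows removed:", destroy_character(db, 2, now))
    print("carol's remaining IP rows removed:", destroy_character(db, 3, now))
    print("after:", retention_report(db, now))
```

Run `purge_old_logins` on a schedule and `retention_report` as a periodic audit; restricting who can read `login_log` is an access-control setting on the game itself and is not covered by this block.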
    • RE: What's your identity worth to you?

      Moar posting.

      Ask yourselves these questions:

      1. Since I'm using telnet, my password is being transmitted in clear text (telnet vulnerability). Does my MU char password match or resemble the pwd for my provided email address or any other sensitive logins I use on other sites?

      2. Is the database where my email/ip information is recorded in logs encrypted? Likely not.

      3. Who runs the MU? Who are they really? How do they store or remove IP/contact information? Who has access to this information? What is the vetting process to mitigate new staff using this information against me? Do I get a say or have any way in proving if a staffer does use this information against me? Are the identities of these individuals (staffers/wiz) tracked, or is it semi-anonymous? How long is this information stored? When a game is scrubbed and the DB moved to another game, is this data scrubbed? When someone steals the DB from the game owner and makes a game of their own using the DB, what happens to my IP/email information?

      4. Is it possible that any of these people who lurk, stalk, or behave negatively haven't made notes about who is who, or has any of my personally identifying information that I've given these strangers been stored?

      I don't mean to be a broken record, but I'm going to venture to say that the majority of people in this hobby are not technically savvy and rely on 3rd party products to protect themselves from intrusion on mostly Windows OS software. I'll also venture to say that a large number of players are more knowledgeable on MU commands than MU technology, otherwise we wouldn't have so many help threads like "What to do if your MU is attacked", because many game runners rely on outside sources for code/tech knowledge (and aren't technically savvy enough to protect this data day in, day out).

      I'm just saying "Let's be real..." here. Every one of you gives every game you log into the #1 piece of important information every time you log in: where you are. You give every game a point-to-point traceable path back to your location and device.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      Double post.

      I'm not on any games, don't staff anywhere, but before I write this want to make it clear that I'm writing this to drive home my point.

      Say I were staff.

      I could:

      • reverse lookup your IP to gather geographical data
      • use your IP information gathered at every login to port sniff your computer(s)
      • web search your email address to research who you are. If it's not a throwaway email, this might lead me to your social media where I can learn your name or family members' names
      • I could then search those names for more intel.
      • if it's a throwaway email, I could find other sites where you've used said login/alias to research places where you may have slipped and given details.
      • through IP use, if I'm able to break through your security, I may be able to find a port capable of allowing me to insert man in the middle attacks or monitor keystrokes.

      After all of these are put together, I suppose I could be an obsessed stalker, or an identity thief, or that guy who is really into rape Role play, but I'd have what I needed to fuck some shit up.

      There are reasons why this information is protected on a corporate server level, and I assure you, RandomMUofDarkness isn't applying Infosec level guidelines and background checks on the people getting access to that information.

      And this is just an example for information that you weren't aware that you were giving.

      There is a very real reason why telnet is blocked by most infosec orgs and SSL is required.

      posted in Mildly Constructive
      Ghost
    • RE: What's your identity worth to you?

      In MU, privacy has a few core problems:

      1. There are really no (or few) two-way agreements as to what game staff can or cannot use your contact information for. A good example of this is Mal from SerenityMush mass mailing everyone his LinkedIn information. Aside from annoyance and leaving the game, there is no guarantee staff won't use your IP or contact info for their own purposes.

      2. From an IT perspective, telnet is insecure and any personal information stored on a telnet game could also be vulnerable to a number of attacks. MUs are far less secure than Equifax, and do not have established rules for patching, etc.

      3. As we have seen recently, being subjectively kind of like that one guy from Louisiana and also being from Louisiana, will not protect a musher from having someone else's identity knowledge being used against them on an inaccurate witch hunt. Justified or not. (Though, I think the term justified is morally ambiguous in this case)

      4. Stranger Danger. I've seen some seriously dark behavior, controlling behavior, abuse, etc in this hobby. Again, I will remind people that while these people share a common hobby, they are strangers. There's plenty of stalking and obsessive behavior on these games, and the assumption that you haven't provided enough information to have your private life infiltrated is an assumption. Staffers could perform IP lookup to gather location data, view stored email address information, and either through web sleuthing on Google or social phishing could definitely find ways to violate your privacy.

      Keep in mind that this isn't an anonymous online gaming community where you play Call of Duty and are protected by a screen name and 10 minutes of matchmaking. Many people in this hobby simulate very intimate and personal scenarios with people who are strangers, could be misrepresenting who they are over long term, or over time could develop obsessive/controlling/attachment behaviors that can make you regret having shared any information.

      It is unwise to assume (with the number of strange and extreme personalities in this hobby) that just because you give a fake email address that you cannot be found.

      #2 should be your greatest concern. Technically, Zero/Elsa/OPP/Spider, any of your usual suspects anathema crowd, have at times had more than enough information to breach your privacy or perform attacks on you.

      posted in Mildly Constructive
      Ghost