Not sure if that's exactly the way to put it, "anonymous," but was
wondering how one might handle an SSH-only BBS, particuarly new
account
creation.
Talisman supports login as "NEW" with password "NEW" to create a new account. (so does magicka actually).
Not sure if that's exactly the way to put it, "anonymous," but was wondering how one might handle an SSH-only BBS, particuarly new account creation.
As far as passwords being less secure, it's basically just that they
are shorter and in general not random unlike a key. I actually added
key support to enigma but I don't think I ever got around to exposing
it to users. They'd have to login over something secure (e.g. their
pass) then upload the key. I guess I could allow it over HTTPS POST
also or soemthing. ...but not sure if anyone would use it as none of
the "BBS" terminal softwares support it (that I know of anyway)
connection usernames over SSH (like "user"), but then essentially the
BBS software would tunnel the user to the telnet login for UN and PW login. The advantagebeing, from day 1, the process is more secure.
Even users creating their intial BBS account with a password in clear text--I'm finally realizing--is a pretty bad idea, LOL. I'm sure many people are like, who cares? It's a BBS. Welcome to the 1908s.
I was pondering a way to do this with Net2BBS and Telegard. Setup an SSH connection that proxies the connection over to telnet kind of like how SEXPOTS does with Modem<->Telnet.
Not sure if that's exactly the way to put it, "anonymous," but was wondering how one might handle an SSH-only BBS, particuarly new account creation.
I saw someone post a git issue for Syncterm today (Deuce?) that seemed like Syncterm supports BBSs that have 'generic' or anonymous connection usernames over SSH (like "user"), but then essentially the BBS software would tunnel the user to the telnet login for UN and PW login. The
I haven't looked too much into it, because like you, I was kind if like "who cares"? lol - But it'd be a neat project if for no other reason
than to go through the exercise.
Again with this? Why are you people SO AFRAID that someone might
steal your
logon name and password to a BBS? I don't understand this. Why
bother?
It's SOOO stupid. The only reason I see for this if you are a hiding sexual
predator or hiding from the law for some reason. It's a BBS for
Christ's
sake.
Not sure if that's exactly the way to put it, "anonymous," but was wondering how one might handle an SSH-only BBS, particuarly new account creation.
Mystic handles it a little differently.
I've just tested it on the current version of Mystic on my BBS. My BBS
has
Mystic's own builtin SSH server running on 2222 (and the regular
Debian
OpenSSH server running on port 22 but not accessible to the
internet).
Again with this? Why are you people SO AFRAID that someone might steal your logon name and password to a BBS?
I don't understand this. Why bother?
It's SOOO stupid. The only reason I see for this if you are a hiding sexual predator or hiding from the law for some reason.
It's a BBS for Christ's sake.
Again with this? Why are you people SO AFRAID that someone might steal your logon name and password to a BBS? I don't understand this. Why bother? It's SOOO stupid. The only reason I see for this if you are a hiding sexual predator or hiding from the law for some reason. It's a BBS for Christ's sake.
we like an excuse to tinker with things. Figure out how they work. Not because we are hiding from the law.
If a INVALID user/password is entered Mystic responds with just a new line If you then press enter again you connect to the BBS and after the ANSI detection prompt drops back to the login screen where you can type in again you new login and the system will then set you up as a new user.
Again with this? Why are you people SO AFRAID that someone might stea your logon name and password to a BBS?
There is no fear involved. It is a simple matter of keeping users info
I don't understand this. Why bother?So people can't snoop your info.
Yeah. Should people transmit their info in the clear just because it's a BBS?
What info? Their HANDLE? It's not like you are taking credit cards for payments or have their SSN on file.
So people can't snoop your info.
What people?!
A name and a BBS password ... yeah, yeah they should. That's a stupid comment. Because you know there are people out there just waiting in coffee shops and diners waiting to grab someone's BBS info. Then black mail them for 3 google play cards and a steam card so they don't tell people their handle is "cry baby" .... Yeah, I see that happening everyday. Get real.
Again with this? Why are you people SO AFRAID that someone might steal y logon name and password to a BBS? I don't understand this. Why bother? It's SOOO stupid. The only reason I see for this if you are a hiding sex predator or hiding from the law for some reason. It's a BBS for Christ's
this exact logic can be extended to all parts of life. it's b.s.
In the beginning when using dial-up modems BBSing was absolutely secure.
In the beginning when using dial-up modems BBSing was absolutely
secure.
Not really,
as telephone corporations and governments could tap into the
telephone lines and get the transferred information.
Much like today with The Internet.
It just was a little more complex to accomplish, but information transferred via a modem was not encrypted.
Sure, if you were under investigation and the court allowed a wiretap
they would listen and record your conversations.
I was not talking about investigations and wiretaps. I was speaking of keeping user info secure. Do you think we should make some attempt at
doing that?
You clearly don't understand the vast extent of internet traffic snooping. Systems are in place that record, analyze, and cross reference all available
There is a difference between one caring about traffic snooped on for personal/commercial/enterprise things and traffic that resides on a silly B that has not been designed with any security beyond text-passwords or has any innovation beyond being executable by an equally silly telnet server.
Nobody snooping on my BBS usage is going to gain anything from me other tha have a real fun way of killing time.
Sure, if you were under investigation and the court allowed a wiretap
they would listen and record your conversations.
That would depend on the country you're calling to / from.
I think everyone bar Exodus (who I suspect was just trolling) things user info should be kept secure.
I suspect Exodus just doesn't care about security. That's OK if he is just "having fun" then there is nothing to protect.
Hell, for years most software had the sysop be able to SEE the user's passwords.
The only protection in a BBS that has been is a text based password. Nothing more, nothing less.
Of course I'm having fun .. been since 1993 when I started my BBS .... but thats what it is, a BBS. If you want to be secure, you are on the wrong system. Go use the web and run something secure.
The BBS was never made to be secure. Hell, for years most software had the sysop be able to SEE the user's passwords.
The only protection in a BBS that has been is a text based password. Nothing more, nothing less.
Of course I'm having fun .. been since 1993 when I started my BBS .... but thats what it is, a BBS. If you want to be secure, you are on the wrong
The BBS was never made to be secure. Hell, for years most software had sysop be able to SEE the user's passwords.
Sure it was. That's why it asks for a password.
there are a handful of bbses in china with more living users than there ever were in the history of bbs usage as we know it. they moved on to ssh just fine. they have all sorts of interesting modern features that we're just now getting to.
your idea that the bbs is stuck in a fixed point in time that you're fond of simply isn't based on facts.
Since this silly convo is about holding obsolete BBS stuff to the same cybersecurity practices of today, "no", BBS software was never made to
be secure.
Since this silly convo is about holding obsolete BBS stuff to the same cybersecurity practices of today, "no", BBS software was never made to be secure.
THD Proscan bragged about keeping my BBS "secure" but went bonkers
over Zip-bombs; Zip archives purposely created to crash the system by exploiting limitations of Pkunzip or the MS-DOS filesystem.
BBS software usually had no 2FA, passwords shown locally to the console, passwords stored as plain-text, MANY textfiles published on h/p/a boards about how to exploit many different systems. Then theres the trojan/backdoor malware crap specifically written to grab a copy of one's user database. Stuff that never passed as a virus to something like THD Proscan.
is that rest of the world outside of China does not care jack-shit about BBS's.
It's because of those kind of bad actors that we try to be secure.
even the mighty synchronet came with an old version of pkzip at one point.. all you had to do is zip a file with a full path like:
doorgame\cool.exe
edit the zipfile with a hex editor and change that to:
..\data\users.dat (or whatever)
and it wrote the file out on upload (zip verification)
i guess the point is when you start looking for stuff like that, you can sometimes find it..
It seems to me this is more about resistance of change, those who "don't care" about security look like they're using old BBS software from the 90s, where as those who are looking to be more secure are using more modern software.
Really, people might not care about reading your private bbs messages, but they might like to sniff your sysop password, especially if you're running a bbs system that allows you to drop to shell.
I haven't read anyone holding obsolete BBS stuff to today's standards. We ar talking about BBSing today and being secure.
Someone running a BBS that is no longer being updated is going to have to b happy with what they have unless they have the source and can update it themselves if that's what they want/need to do.
account or whatever (i can see it now.. you're already typing up a message about reusing passwords..) but they can cause temporary hardship for the user.. whether it be people posting at them harassing others, spam, being outright banned without any decent way of contacting the sysop to explain..
i feel you've taken a stand on something that's both incredibly easy and logical to move toward.
No it wasn't. Back then it was a direct call from point A to point B. There was no need for encryption.
There is a difference between one caring about traffic snooped on for personal/commercial/enterprise things and traffic that resides on a silly BBS that has not been designed with any security beyond text-passwords or has any innovation beyond being executable by an equally silly telnet server.
your idea that the bbs is stuck in a fixed point in time that you're fond of simply isn't based on facts.
As someone running a 24/7 board since 1993 on the same software, sporadically patched over decades... the idea that some hacker is going to snoop and somehow gain access to my personal crap via my board is totally laughable.
You literally included "personal" in your example list, which is what BBSing is.
- All available points of information are fed into a system.
- This system links the points of data as much as possible.
- This allows for example your FB post or your work traffic, so on to still "you". This includes telnet traffic.
Your argument is you haven't been hacked yet? This dodges the point of data being collected, but you're also probably not a target. If you become one fo one reason or another, you're open to the world and absolutely will get hacked. It's childs play.
All Sysop commands and shell have been gutted here completely and I do not At> remote into my own board from outside my LAN.he says:> security isn't important> why bother it's just a bbsand then takes steps to prevent things we're suggesting could happen--- SBBSecho 3.14-Linux
There is no "argument" because I'm not "arguing" anything. I'm actually finding all of this hilarious that in 2021 suddenly apparently its a proble to be running a telnet system with 90's-era software that one can supposedl "snoop on". The idea that some blackhat is going to snoop someone's telnet session while they trade barbs on some silly net or cheat at Tradewars is beyond absurd. I'll take a pass on whatever is being smoked here.
All Sysop commands and shell have been gutted here completely andI do not
remote into my own board from outside my LAN.
he says
security isn't important why bother it's just a bbs and then takes
steps to prevent things we're suggesting could happen
All Sysop commands and shell have been gutted here completely and I donot At> remote into my own board from outside my LAN.he says:> security isn' important> why bother it's just a bbsand then takes steps to prevent things we're suggesting could happen
Damn it Nick .... they came knocking at the door today about a message I posted in 1994. Said I spelled Miscellaneous wrong. I told them since 199 I made sure I knew the correct spelling of the word. Then we all sat down, laughed and giggled a bit about the old days. Then just like that, I woke u in a field 3 miles from my house .... with the letters SSH wrote on a piece paper .... do you think this all ties together?!
he says
security isn't important why bother it's just a bbs and then takes
steps to prevent things we're suggesting could happen
I noticed that. I don't think we're going to change anyones minds though.
I noticed that. I don't think we're going to change anyones mindsthough.
Noticed what?
Damn it Nick .... they came knocking at the door today about a message I posted in 1994. Said I spelled Miscellaneous wrong. I told them since 19 I made sure I knew the correct spelling of the word. Then we all sat down, laughed and giggled a bit about the old days. Then just like that, I woke in a field 3 miles from my house .... with the letters SSH wrote on a piece paper .... do you think this all ties together?!
Lol. Make sure you're not sitting in a coffee shop logged in to your board telnet, someone will see how much you sexually harass Violet and then shame you on social media. Dox you, ruin your life, all because you use telnet.
That you do seem to care about your own security, just not that of anyone else who may connect to your board.
I hope Seth Able never sees this! There goes my free turns playing LORD.
Uhh that could be said for the vast majority of boards out there that
accept
telnet connections. Will you lecture them all how insecure their
systems are
or will you just single out mine because I refuse the paranoid party
Sure, if they don't offer an SSH option.
I offer telnet for those who don't care, I also offer SSH for those who
do.
On 03-21-21 13:45, apam wrote to Atreyu <=-
I offer telnet for those who don't care, I also offer SSH for those who do.
I hope Seth Able never sees this! There goes my free turns playing LORD.
accept telnet connections. Will you lecture them all how insecure their systems are or will you just single out mine because I refuse the
paranoid party line?
and to actually answer your question, it's because people feel as though your actions are hypocritical, rather than it being about security or "the paranoid party line". They're aiming at the perceived hypocrisy, not the security.
I hope Seth Able never sees this! There goes my free turns playing LO
Bah. Let him see it. Dude sometimes expresses his love by sending me negati money.
Also, I have a sneaking suspicion that he's really just pursuing Jenny Gart
This topic came up because someone asked, "Hey, how can I do x
security
thing", and got a response of, "That's dumb".
BBSing hasn't really changed much in 30 years
Anyway when those people who perceive hypocrisy show me documented cases from cybersecurity professionals how BBS telnet snooping specifically is "a thing", I will gladly retract. Until then I stand by my posts and "don't care" to tow the line on BBS telnet snooping or how one's SSH means one has a bigger caring penis.
Some people care about providing more modern security for BBSs, others
are ambivilant, and a few more are just downright nasty toward those who care.
Lol. Make sure you're not sitting in a coffee shop logged in to your board via telnet, someone will see how much you sexually harass Violet and then shame you on social media. Dox you, ruin your life, all because you use telnet.
1. ac> I would have to explore how a guest login/"new user login" etc. could be ac> accomplished to make it look "normal".not related directly to your post per se. but i set up stunnel today for "telnet/ssl" .. basically accepts the ssl connection on port 992 and forwards it to port 23 locally. i know of one client that supports this, which is ZOC (and it costs money..) but it works perfectly. it also doesn't do anything special with auth like SSH does, so it connects and displays text immediately like you'd expect of a bbs.that said, ZOC at least didn't mention anything about the certificate. i might dig around in there to see if there's any info. so for at least off the top of my head the only way to verify the certificate is via using the openssl command: openssl s_client -connect <host>:992if anyone wanted to verify certificates they would need to check the hostname and match the certificates from the server to a local certificate store..free certificates can be had from letsencrypt so that's not really a problem, or i'm assuming just something like "trust this certificate" on first login would suffice for most people..now only if syncterm et al. supported it :)--- SBBSecho 3.14-Linux
Lol. Make sure you're not sitting in a coffee shop logged in to your board via telnet, someone will see how much you sexually harass Violet and then shame you on social media. Dox you, ruin your life, all because you use telnet.
Why sould I do such a thing without using a VPN to my home network? :)
Some people care about providing more modern security for BBSs, others
are ambivilant, and a few more are just downright nasty toward those who care.
I might add two reasons why I don't offer SSH access to my Synchronet BBS:
I might add two reasons why I don't offer SSH access to my Synchronet BBS:
1.
I would have to explore how a guest login/"new user login" etc. could be accomplished to make it look "normal".
2.
My target audience especially includes retrocomputing people who very often use "Wifi modems" - and I don't know a single Wifi modem (ESP8266 or ESP32 based) that offers a SSH mode; they only offer Telnet connections.
So I chose to stick to Telnet access.
(Access to the Synchronet web server indeed is HTTPS only with an Apache reverse proxy inbetween and the fTelnet connection is also using HTTPS only, so this is a secure alternative here)
I could be wrong but I think that using ssh even over an insecure
wifi connection is secure end to end. We'd have to check with network
savy people to be sure of that.
Anyway when those people who perceive hypocrisy show me documented cases from cybersecurity professionals how BBS telnet snooping specifically is "a
thing", I will gladly retract. Until then I stand by my posts and "don't care" to tow the line on BBS telnet snooping or how one's SSH means one has
a bigger caring penis.
2. My target audience especially includes retrocomputing people who very
often use "Wifi modems" - and I don't know a single Wifi modem (ESP8266 or ESP32 based) that offers a SSH mode; they only offer Telnet connections.
You WANT the super hacker community to know you're banging a slut...
This topic came up because someone asked, "Hey, how can I do x
security
thing", and got a response of, "That's dumb".
Ha, yeah, that was me. So awesome to be called an idiot for asking a question.
Anyway, maybe it's time to put a stake in the heart of this thread.
(Besides, it's already well established in game that all sex in LoRD is public. Evidently there's a creepy old man who spies in all the key holes to figure out what everyone is doing that the drunks find so mystifying.)
I just logged in as guest via ssh. I used the name guest and the
password bogus. I also logged in as new the same way and created a new account using the same bogus password.
Perhaps it would be more normal if the ssh server didn't require a password when logging in as guest or new?
That would be a good feature request for the developers. You could make
that comment to Digital Man so he could give it some thought.
I could be wrong but I think that using ssh even over an insecure wifi connection is secure end to end. We'd have to check with network savy
people to be sure of that.
Already pointed out, but the clients would pretty much have to tunnel through a SSH connection. Perfectly doable, but probably not something you're _generally_ going to do when connecting via C64 or what not :)
With that said, a lot of the WiFi modems are essentially Arduinos and the like that are perfectly capable of doing the SSH locally. Gives me ideas :)
So what SSH should do here is: only check the host keys, create a secure ac> connection and then display the rest.this should be possible. the library that everyone in the bbs scene seems to use for ssh just either doesn't seem to support it or nobody decided to use it that way. i did read up a bit on it and it did make it sound like it was designed for simplicity of implementation..kind of unfortunate really that support is all over the place. maybe i should be writing sample code and distributing it far and wide instead of hootin' and hollerin ;) (for whoever might be watching: libbsh. though not libssh2! should do this just fine. heck you can ignore what the client says and just say "you're logged" in without ever checking anything)--- SBBSecho 3.14-Linux
Then there was crickets chirping for about a week or so, neither called the board anymore. Then the woman called and posted a message akin to
"You didn't tell me you were effin' married".
Then there was crickets chirping for about a week or so, neither called the board anymore. Then the woman called and posted a message akin to
"You didn't tell me you were effin' married".
Atreyu
So what SSH should do here is: only check the host keys, create a secure
connection and then display the rest.
This implies that no user certificate check would be possible.
But at least it would "feel" the old way.
And I don't know if it is possible with existing SSH clients :)
Then there was crickets chirping for about a week or so, neither called the board anymore. Then the woman called and posted a message akin to "You didn't tell me you were effin' married".
Atreyu
It all began on BBSes. :P Lol.
When there was nothing to watch on TV, I'd watch the BBS console.
*Plenty* of entertainment. Especially at midnight when the door games roll-over the turns, the lines used to get slammed with calls.
Atreyu
You know, being 16 years old or so and running a halfway decent 2-line BBS i Toledo, OH... it was totally a 'bube toob' for me to watch back then! I haven't used the nodespy software since coming back to BBSes in recent years but I'd be a fibber if I said I never did that in my lifetime!
Only thing interesting here lately is some guy that calls mine and really At> plays the heck out of LORD 2. That one where its the overhead-map Zelda At> clone. He calls and plays that for at least 2 to 3 hours.in some ways we're pretty spoiled. if LORD 2 was the ONLY game on a system available to you, it'd be the BEST game. not to take away from the game itself, it is really quite cool.--- SBBSecho 3.14-Linux
Only thing interesting here lately is some guy that calls mine and really
plays the heck out of LORD 2. That one where its the overhead-mapZelda At> clone. He calls and plays that for at least 2 to 3 hours.in some ways we're pretty spoiled. if LORD 2 was the ONLY game on a system available to you, it'd be the BEST game. not to take away from the game itself, it is really quite cool.
I thought I'd let you know that your messages are unreadable for some de> reason. I see you are using the new fork of SBBS - so not sure if that is de> related - but I cannot determine the difference between what you quoted de> and what you replied to. I've seen it a few times so I thought I'd mention de> it. eek. probably this one too. i don't run the board i'm currently posting on fsxnet from (it's the main synchronet board) so i've reached out to Digital Man. thanks for letting me know!--- SBBSecho 3.14-Linux
Re: Re: Anonymous SSH login
By: Fusion to Atreyu on Wed Mar 24 2021 10:11 pm
Howdy,
I thought I'd let you know that your messages are unreadable for some reason. I see you are using the new fork of SBBS - so not sure if that is related - but I cannot determine the difference between what you quoted and what you replied to. I've seen it a few times so I thought I'd mention it.
Here is an example from this message:
Only thing interesting here lately is some guy that calls mine and really
plays the heck out of LORD 2. That one where its the overhead-mapZelda At> clone. He calls and plays that for at least 2 to 3 hours.in some ways we're pretty spoiled. if LORD 2 was the ONLY game on a system available to you, it'd be the BEST game. not to take away from the game itself, it is really quite cool.
Re: Re: Anonymous SSH login
By: deon to Fusion on Thu Mar 25 2021 07:52 pm
I thought I'd let you know that your messages are unreadable for some reason. I see you are using the new fork of SBBS - so not sure if that is related - but I cannot determine the difference between what you quoted and what you replied to. I've seen it a few times so I thought I'd mention it.
eek. probably this one too. i don't run the board i'm currently posting on fsxnet from (it's the main synchronet board) so i've reached out to Digital Man. thanks for letting me know!
His messages look fine here. Maybe they're being reformatted in-route to your system.
Odd indeed.
I'm pretty sure I've noticed it in a couple of nets. I'll pay more
attention and see if there is something else in common, other than
VERT (if that's where they originate) and me.
Re: Re: Anonymous SSH login
By: Digital Man to deon on Thu Mar 25 2021 11:41 am
His messages look fine here. Maybe they're being reformatted in-route to your system.
Odd indeed.
I'm pretty sure I've noticed it in a couple of nets. I'll pay more attention and see if there is something else in common, other than VERT (if that's where they originate) and me.
Annnnnndddd... I knew a Sysop at the time who would advertise their
board and purposely take the line off-hook sometimes. He would then call other boards pretending to be users complaining about they couldn't get in. Brilliant marketing on his part.
eek. probably this one too. i don't run the board i'm currently posting on >> fsxnet from (it's the main synchronet board) so i've reached out to Digital >> Man. thanks for letting me know!
Looks fine to me.
Am 25.03.21 schrieb Digital Man@21:1/183 in FSX_BBS:
Here, the messages from him also do look garbled.
It looks like the linebreaks are stripped out or are converted wrongly
en route to my point (I'm using OpenXP which has my SBBS as uplink).
Annnnnndddd... I knew a Sysop at the time who would advertise their
board and purposely take the line off-hook sometimes. He would then call other boards pretending to be users complaining about they couldn't get in. Brilliant marketing on his part.
| Sysop: | altere |
|---|---|
| Location: | Houston, TX |
| Users: | 60 |
| Nodes: | 4 (0 / 4) |
| Uptime: | 19:05:41 |
| Calls: | 516 |
| Files: | 6,995 |
| D/L today: |
2 files (24K bytes) |
| Messages: | 289,081 |