Subj : Re: The Documentary...
To   : alt.bbs.synchronet
From : Frank Vest
Date : Sat Aug 13 2005 12:41 pm

From Newsgroup: alt.bbs.synchronet

Sinister x wrote:
> "Frank Vest" wrote in message
> news:ZEcJe.9100$6D5.4383@newssvr29.news.prodigy.net...
>
>> To be honest, and in my own humble opinion: What "we", the BBS Sysops,
>> programmers and other developers, need to be careful about is to not lose
>> the things that made "us" (see definition of "we") what we are. One
>> critical thing, IMHO, is the security that BBSs have. It's more likely
>> that you will die in a wreck than to get a virus from a BBS. Other
>> security risks seem to be less as well. It's estimated that an unprotected
>> computer on the internet will last a few seconds before being hit. I can
>> sit on my BBS via dial-up all day and not worry. Even via telnet, being
>> attacked just doesn't happen. I laugh when those "security check" sites
>> (DSL Reports and such) flash that warning that I have a telnet port open
>> and could be hacked. :)
>>
>> At any rate, I hope the developers of the future keep that level of
>> security in mind. To me, this is one of the major problems with the
>> Internet and a major downfall. Not to mention, of course, spam and such.
>
> It's actually funny that you mention this, just this last week my school got
> hacked (http://www.dfw.com/mld/dfw/news/state/12333650.htm) all b/c the
> original developers didn't put in server-side security measures to protect
> against people using the POST method to inject form data (instead they had
> only client-side javascript security measures). How idiotic do you have to
> be to do something like that? Furthermore, that puts ME at risk since I have
> financial aid through the school, for something that a mere 50-100 lines of
> code could have stopped instantly.
>
> At any rate... back to your post... you're absolutely right on that one.
> BBSs typically fall under the radar nowadays for all kinds of things.
> Security is a big one, what major player in the hacking game wants to try
> and hack software like Synchronet when there are much bigger fish to fry
> like IIS and Apache? Furthermore, with all of the DRM stuff coming about,
> and the MPAA/RIAA coming around and suing people left and right for p2p,
> it will be the older unchecked technologies like irc and telnet that go
> largely unchecked b/c by and large the mass populace of the instant
> messaging, double-clicking world has long forgotten these technologies.
>
> Now that's not to say that bbs coders shouldn't attempt to make their
> software as secure as possible. For the software that I'm coding right now
> I've implemented one-way encryption of passwords b/c if some user has access
> to read Mystic's users.dat on my system they'll instantly have access to any
> passwords in plaintext, and that's just not good. Besides that, any software
> that's out there has the potential for being hacked (but the question is, as
> stated, if anyone who has the skill to hack such software would actually
> devote the time).
>
> The major argument about telnet's vulnerability is that it is plaintext, and
> can be packet sniffed on a local LAN, but a wrapper through ssh could fix
> that in a heartbeat. Besides this, how many people who bbs are in a
> situation where more than one person in their household knows how to bbs and
> FURTHERMORE knows anything about packet sniffing? Probably very few. I think
> I might actually be the only one, since I get online from my g/f's sometimes
> and she calls my board... but that would be in my favor since she doesn't
> know anything about packet sniffing (and it's not like we don't know each
> other's passwords anyway...).

While I agree with what I understood of what you said (I'm not up on all the
technology and important-sounding initials :), I still find it funny to watch
some script kiddie or person trying to hack into my board when they find my
telnet, ftp, smtp/pop or other ports open. I, maybe in error, create this
mental picture of some punk a**hole thinking "WTF IS THIS S**T AND HOW DO I GET
PAST IT!?!?!" Sometimes I sit and watch the mail server reject the same idiot
trying to relay mail several dozen times and laugh. :-))

The point is that BBS servers are just more secure to begin with, imho. The
programmers are more interested in security thinking than "get it on the
market today!" thinking.

--- Synchronet 3.13a-Win32 NewsLink 1.83
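Added example (not from either poster, and not Mystic's or Synchronet's code) of the one-way password storage Sinister x describes: a hypothetical user record that keeps only a salted PBKDF2 hash, so someone who can read the whole user file still gets no plaintext passwords. The record layout, handles and passwords are constructed for the demo, not the real users.dat format.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ROUNDS = 200_000


def make_record(handle: str, password: str, salt: bytes = b"") -> Dict[str, object]:
    """Build a user record holding only a per-user salt and the one-way hash.

    Hypothetical layout; a fixed salt may be passed in for repeatable tests."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"handle": handle, "salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_password(record: Dict[str, object], attempt: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, int(record["rounds"]))
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def plaintext_exposed(records: List[Dict[str, object]], password: str) -> bool:
    """Model a reader who can dump the entire user file: is the password visible?"""
    return password in json.dumps(records)


def demo() -> Dict[str, bool]:
    # Constructed sample users; in a plaintext users.dat these would be readable as-is.
    users = [make_record("frank", "correct horse"), make_record("sinister", "hunter2")]
    return {
        "login_ok": verify_password(users[0], "correct horse"),   # right password
        "login_bad": verify_password(users[0], "wrong"),          # wrong password
        "exposed": plaintext_exposed(users, "hunter2"),           # file leaks nothing
    }


if __name__ == "__main__":
    print(demo())
```

Dumping the records shows only hex salts and hashes; a leaked file still has to be brute-forced per user at the chosen work factor.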