Subj : Re: The Documentary...
To   : Frank Vest
From : sinister x
Date : Mon Aug 15 2005 10:38 pm

> While I agree with what I understood of what you said (I'm not up on all
> the technology and important sounding initials :), I still find it funny
> to watch some script kiddie or person trying to hack into my board when
> they find my telnet, ftp, smtp/pop or other ports open. I, maybe in error,
> create this mental picture of some punk a**hole thinking "WTF IS THIS S**T
> AND HOW DO I GET PAST IT!?!?!" Sometimes I sit and watch the mail server
> reject the same idiot trying to relay mail several dozen times and laugh.
> :-)) The point is that BBS servers are just more secure to begin with,
> imho. The programmers are more interested in security thinking than "get
> it on the market today!" thinking.

Well, one of the primary advantages of a bbs has to do with limiting the input that a user can put in. For example, most boards have a matrix screen where you at least have to press enter once to get to a username/password prompt. That's a pretty big deterrent right there since most shell logins start off at the username prompt and you can just keep entering in passwords, disconnect/reconnect and enter some more.

That's not to say that any bbs can't be hacked, I'm sure they definitely can if you know the right people, but the context in which you can is significantly different than stuff that's made for the web. For example, and I've seen coding this sloppy before, a username/password site where once you enter in your info and authenticate it sets a cookie on your system for that domain that is simply called "authenticated". Well, you can go right in between and create that cookie yourself and then you're on the system without ever having to authenticate b/c the person who programmed the site ASSumed that you would always go through that prompt to get on.

With BBSs though, the flow of program execution is linear so you go where it tells you that you can go and nowhere in between, no browsing directly to a link that you're not supposed to go to yet. At least not usually.

--
---
 ■ Synchronet ■ theroughnecks.net - you know you want it .
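
The cookie flaw described in the post above, as an added example that is not part of the original message: a check that trusts a client-supplied "authenticated" cookie, next to one that accepts only a value the server itself issued and signed. The function names, the "session" cookie name and the sample cookie values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side secret, generated per process for this example.
SERVER_KEY = secrets.token_bytes(32)


def naive_is_logged_in(cookies: dict) -> bool:
    # The flawed check from the post: the mere presence of a cookie named
    # "authenticated" is trusted, although the client controls its cookies.
    return "authenticated" in cookies


def _tag(payload: str) -> str:
    # HMAC-SHA256 over the payload, keyed with the server-only secret.
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(username: str) -> str:
    # Called only after the password check has succeeded. The value has the
    # form "<username>.<nonce>.<tag>"; without SERVER_KEY a client cannot
    # produce a tag that verifies.
    payload = f"{username}.{secrets.token_hex(8)}"
    return f"{payload}.{_tag(payload)}"


def verified_user(cookies: dict) -> Optional[str]:
    # Hardened check: return the username only if the "session" cookie
    # carries a tag that matches what the server would have computed.
    value = cookies.get("session", "")
    payload, _, tag = value.rpartition(".")
    if not payload or not tag:
        return None
    # Constant-time comparison on bytes avoids leaking how much matched.
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None
    # The nonce is hex, so the last dot separates it from the username.
    return payload.rpartition(".")[0]
```

This signed value has no expiry or revocation; a deployed site would normally keep session state server-side or add a timestamp to the signed payload.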