Subj : Re: SSH on BBSes
To   : 2twisty
From : boraxman
Date : Sat Apr 02 2022 13:11:35

 2t> I thought I saw somewhere that the message packets can at least be
 2t> zipped with a password.
 2t>
 2t> The very definition of echomail is public -- so someone being able to
 2t> read packets is no big deal.
 2t>
 2t> However, since the node<>hub connection is in plain text and there are
 2t> passwords exchanged....it would be nice if it were more secure.
 2t>
 2t> If I ever decided to run a hub, I'd make it an SSL hub like you suggest
 2t> so that people who WANT to do secure sessions can.
 2t>
 2t> I know that I'm trying to shoehorn a technology from a simpler era into
 2t> today's mindset...... But security and privacy are a real thing now,
 2t> even if the tools we are using aren't made for that.
 2t>
 2t> I wish I had the skill to write that fossil driver for serial<>ssh.
 2t> Sadly, since SSH requires authentication, simply doing that would
 2t> require a user to have 2 sets of credentials or at best log in twice
 2t> since the underlying BBS software would have no way to get the
 2t> authentication passed through.
 2t>
 2t> So, for those of us who have the ability to use SSH and SSL, I think we
 2t> should, and we should actively find ways of making the network more
 2t> secure where possible. Granted, as long as any part of the network is
 2t> unsecure, the whole network is "unsecure," but that's not an excuse to
 2t> just "toss it all" and don't even try.
 2t>
 2t> So, on MY board, I plan to detect telnet users and encourage them to
 2t> switch to SSH since Mystic supports it natively.
 2t>

This is similar to discussions and issues that I brought up a few months ago. The BBS is based on old technology, but also an old mindset, where security and privacy weren't the issues they are today. The question is whether this is appropriate today, and the answer is "it depends". For some, it doesn't matter, but for many it does.

The thing is, the implementation of security and privacy doesn't really impact the user that much. Unlike moving to another platform (say, changing BBS's so you need an Android/iOS app), current clients and current OS's have the means to do this already, and implementing privacy between nodes is a matter of either flicking a switch, or implementation at the server end.

I had contemplated setting up an othernet, but membership would be based on a covenant, agreeing to connect your node by SSL. It isn't even necessary to have every "othernet" do this, but the offer of some guarantee along the lines of "if you take part in discussions here, you will have privacy" would be welcome.

The really jarring thing, as I found with FidoNet, is that I didn't know that posts with my REAL NAME would be on the Internet. I actually felt violated and pissed off, and found this very, very poor form. No, the argument that it is the "Internet" doesn't hold. I rarely take part in FidoNet as a result, and I'm skeptical of posting here.

Even FACEBOOK make it clear what is visible or not, though they do have a habit of changing things every now and then. You access Facebook through the web, so that builds an expectation that what you are doing is on "the web".

I see potential, but we need to be accommodative of new social mores and expectations, and set a high standard.

--- Mystic BBS v1.12 A47 2021/12/24 (Linux/64)
 * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)