• Re: Secure BBSing

    From Nugax@700:100/12 to NuSkooler on Sun Nov 19 08:10:10 2017
    Not much to do with hacking *accounts*. When you telnet, your traffic is going plain-text, and you bet your arse people are looking at that.


    I agree. I'm just unsure what BBS transported information people would want
    to take, and even if they did, what result or outcome would even come out of it?
    So they see echomail, usernames and passwords for bbs, etc. What can even be done with that?

    Not knocking your work, better security is always good.



    -Nugax

    --- Mystic BBS v1.12 A36 2017/11/15 (Linux/64)
    * Origin: -=The ByteXchange BBS : bbs.thebytexchange.com=- (700:100/12)
  • From NuSkooler@700:100/9 to Nugax on Sun Nov 19 12:48:47 2017

    On Sunday, November 19th Nugax muttered...
    I agree. I'm just unsure what BBS transported information people would want to take, and even if they did, what result or outcome would even come out of it? So they see echomail, usernames and passwords for bbs, etc. What can even be done with that?

    Many parties gather ALL the data they can on your every move - every word you say, post you make, site you visit, etc. This builds a profile as such. "I have nothing to hide".

    See https://en.wikipedia.org/wiki/Nothing_to_hide_argument
    ...or actually, I just posted a copy of the Nothing to Hide documentary (2017) you're free to snag.



    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (700:100/9)
  • From Nugax@700:100/12 to NuSkooler on Sun Nov 19 13:57:55 2017
    See https://en.wikipedia.org/wiki/Nothing_to_hide_argument
    ...or actually, I just posted a copy of the Nothing to Hide documentary (2017) you're free to snag.

    cool. I'll take a look at some point.

    Thanks.



    -Nugax

    --- Mystic BBS v1.12 A36 2017/11/15 (Linux/64)
    * Origin: -=The ByteXchange BBS : bbs.thebytexchange.com=- (700:100/12)
  • From themadtux@700:100/6 to NuSkooler on Wed Nov 22 12:31:23 2017
    on 11/05/17, NuSkooler said the following...

    I'd like some input on ideas for securing BBSing. Some things I've implemented / want to implement in ENiGMA 1/2 around this area:


    yeah man.. all for it. anything going over the air or thru the net in clear text is being read. that's why I never use hotspots like Starbucks etc..
    just don't trust it.

    I'd like to see 2FA logons myself. now it'd be sweet if we could do it like
    say blizzard (gaming company) handles their 2FA, logon, and the app on the phone prompts you to hit accept or decline. Not sure if that's feasible but hey just an idea :)

    cheers!

    -tMt facilitybbs.darktech.org

    --- Mystic BBS v1.12 A36 2017/11/07 (Windows/32)
    * Origin: the facility bbs (700:100/6)
  • From NuSkooler@700:100/9 to themadtux on Wed Nov 22 13:20:31 2017

    On Wednesday, November 22nd themadtux was heard saying...
    I'd like to see 2FA logons myself. now it'd be sweet if we could do it like say blizzard (gaming company) handles their 2FA, logon, and the app on the phone prompts you to hit accept or decline. Not sure if that's feasible but hey just an idea :)

    It's actually quite easy to hook up to some 3rd party auth's like Google authenticator such that you could use your phone for 2FA for example. I may look into that in the future!



    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (700:100/9)
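    The phone-app 2FA mentioned above is TOTP (RFC 6238), the scheme Google Authenticator implements. The following is an added example in Node.js, not ENiGMA 1/2's own code; the base32 secret format and the 30-second step are the authenticator-app defaults, and the replay-tracking is left to the caller.

    ```javascript
    // Added example, not ENiGMA 1/2 code: TOTP (RFC 6238) verification, the scheme
    // Google Authenticator uses, with only Node's built-in crypto module.
    const crypto = require('crypto');

    // Decode the base32 secret that authenticator apps share (RFC 4648 alphabet).
    function base32Decode(str) {
      const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
      let bits = '';
      for (const ch of str.toUpperCase().replace(/=+$/, '')) {
        const v = alphabet.indexOf(ch);
        if (v < 0) throw new Error('invalid base32 secret');
        bits += v.toString(2).padStart(5, '0');
      }
      const bytes = [];
      for (let i = 0; i + 8 <= bits.length; i += 8) bytes.push(parseInt(bits.slice(i, i + 8), 2));
      return Buffer.from(bytes);
    }

    // HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    function hotp(secret, counter, digits = 6) {
      const msg = Buffer.alloc(8);
      msg.writeBigUInt64BE(BigInt(counter));
      const mac = crypto.createHmac('sha1', secret).update(msg).digest();
      const offset = mac[mac.length - 1] & 0x0f;
      const code = mac.readUInt32BE(offset) & 0x7fffffff;
      return String(code % 10 ** digits).padStart(digits, '0');
    }

    // TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
    function totp(secret, unixSeconds, step = 30, digits = 6) {
      return hotp(secret, Math.floor(unixSeconds / step), digits);
    }

    // Check a submitted code against the current step and +/- `window` neighbours
    // (clock drift), comparing in constant time. Callers should also refuse a second
    // use of an accepted code within the same step; this function does not track that.
    function verifyTotp(secret, submitted, unixSeconds, window = 1, step = 30, digits = 6) {
      if (!/^\d+$/.test(submitted) || submitted.length !== digits) return false;
      const current = Math.floor(unixSeconds / step);
      for (let c = current - window; c <= current + window; c++) {
        if (c < 0) continue;
        const expected = hotp(secret, c, digits);
        if (crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(submitted))) return true;
      }
      return false;
    }
    ```

    The RFC 4226/6238 test vectors (secret "12345678901234567890", which is base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) give 755224 at counter 0 and 287082 at Unix time 59.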
  • From themadtux@700:100/6 to NuSkooler on Wed Nov 22 16:26:26 2017
    on 11/22/17, NuSkooler said the following...


    It's actually quite easy to hook up to some 3rd party auth's like Google authenticator such that you could use your phone for 2FA for example. I may look into that in the future!


    I'm all for that... ;)

    I need to hit you up on how to do some configuring of enigma...

    Cheers!

    -tMt facilitybbs.darktech.org

    --- Mystic BBS v1.12 A36 2017/11/07 (Windows/32)
    * Origin: the facility bbs (700:100/6)
  • From NuSkooler@700:100/9 to themadtux on Wed Nov 22 19:46:16 2017

    On Wednesday, November 22nd themadtux muttered...
    I need to hit you up on how to do some configuring of enigma...

    By all means, ask away. If you need more immediate responses, #enigma-bbs on FreeNode, but any channel you can reach me works :)



    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (700:100/9)
  • From themadtux@700:100/6 to NuSkooler on Wed Nov 22 23:59:08 2017
    on 11/22/17, NuSkooler said the following...


    By all means, ask away. If you need more immediate responses,
    #enigma-bbs on FreeNode, but any channel you can reach me works :)

    I've joined your irc channel. I'll hit you up with some questions this weekend. need to start really messing around with it and get some questions together :)

    Cheers!

    -tMt facilitybbs.darktech.org

    --- Mystic BBS v1.12 A36 2017/11/07 (Windows/32)
    * Origin: the facility bbs (700:100/6)
  • From NuSkooler@700:100/9 to themadtux on Thu Nov 23 11:09:08 2017

    On Wednesday, November 22nd themadtux muttered...
    I've joined your irc channel. I'll hit you up with some questions this weekend. need to start really messing around with it and get some questions together :)

    FWIW, RiPuk just submitted a huge PR that cleans up some structure/locations of files that should make things much easier once it's fully merged -- and very easy to run in Docker; e.g., you could essentially pull a Docker and fire it up, voilà!





    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (700:100/9)
  • From themadtux@700:100/6 to NuSkooler on Fri Nov 24 00:26:56 2017
    on 11/23/17, NuSkooler said the following...


    FWIW, RiPuk just submitted a huge PR that cleans up some structure/locations of files that should make things much easier once
    it's fully merged -- and very easy to run in Docker; e.g., you could
    viola!

    ok I'll give the docker build a try and see how it goes.

    Cheers!

    -tMt facilitybbs.darktech.org

    --- Mystic BBS v1.12 A36 2017/11/07 (Windows/32)
    * Origin: the facility bbs (700:100/6)
  • From h7@700:100/15 to NuSkooler on Wed Nov 22 07:54:26 2017
    Many parties gather ALL the data they can on your every move - every
    word you say, post you make, site you visit, etc. This builds a profile
    as such. "I have nothing to hide".

    so /they/ gather data from me bbs'ing and scrape through (for example) spooknet's postings while they're at it?

    i'm not that worried about it to be honest. there's already a profile of me because of work stuff. i've also had a blog since '00 or so and i bleed everything to facebook.

    \ H7 of Blocktronics/dIVINE sTYLERS!/aCCESSiON/TRSi/Break!Ascii \ Haciend bbs sysop (telnet://haciend.com)

    --- Mystic BBS v1.12 A35 (Linux/64)
    * Origin: haciend.com - cloaks and daggers (700:100/15)
  • From djatropine@700:100/4 to h7 on Mon Feb 19 22:12:29 2018
    so /they/ gather data from me bbs'ing and scrape through (for example) spooknet's postings while they're at it?

    i'm not that worried about it to be honest. there's already a profile of me because of work stuff. i've also had a blog since '00 or so and i bleed everything to facebook.

    The scary part is FB. I call it stalkerbook. FB scares me more than the NSA.

    --- Mystic BBS v1.12 A38 2018/01/01 (Linux/64)
    * Origin: Twinkle BBS # (700:100/4)
  • From Pequito@700:100/4 to djatropine on Mon Feb 26 03:56:57 2018
    On 02/19/18, djatropine said the following...

    so /they/ gather data from me bbs'ing and scrape through (for example spooknet's postings while they're at it?

    i'm not that worried about it to be honest. there's already a profile me because of work stuff. i've also had a blog since '00 or so and i bleed everything to facebook.

    The scary part is FB. I call it stalkerbook. FB scares me more than the NSA.

    Sadly it is used more to find/stalk younger kids more than I like to think about why I keep my profile private and have done the same for my baby sister in law. No one is allowed to friend me that is not already there.

    Cheers!
    Pequito

    --- Mystic BBS v1.12 A38 2018/01/01 (Linux/64)
    * Origin: Twinkle BBS # (700:100/4)
  • From metalhead@700:100/3 to Pequito on Mon Feb 26 19:30:51 2018
    Sadly it is used more to find/stalk younger kids more than I like to
    think about why I keep my profile private and have done the same for my

    It's a piece of shit. The dude has how much money? But his interface looks like that? (I don't like the interface - it could be optimized way better.)

    I know people who would make FB a way better place for a crumb of his money.

    And hell yea, the privacy is a joke. The focus is on the dollars, and not on the user friendliness/protection of children. I'm forced to use fb because of a program my kid is affiliated with, however, that fucking program forces me to use a horrible comm proggy (FB) to keep up with updates from the program director, all the while I'm dealing with scumbags trying to friend me. I HATE fb. As soon as my kid is done with this program, I'll be back to deactivating my suckerburg acct.

    --- Mystic BBS v1.12 A38 2018/01/01 (Raspberry Pi/32)
    * Origin: Alcoholiday / Est. 1995 / alco.bbs.io (700:100/3)
  • From djatropine@700:100/4 to Pequito on Tue Feb 27 06:00:13 2018

    The scary part is FB. I call it stalkerbook. FB scares me more than NSA.

    Sadly it is used more to find/stalk younger kids more than I like to
    think about why I keep my profile private and have done the same for my baby sister in law. No one is allowed to friend me that is not already there.

    I tried to figure out the interface however i gave up. I prefer text based interfaces like BBS's since there is so much less "work". If I can't view it in a text interface I am really not a fan of it. :D

    --- Mystic BBS v1.12 A38 2018/01/01 (Linux/64)
    * Origin: Twinkle BBS # (700:100/4)
  • From Pequito@700:100/4 to djatropine on Sun Mar 4 05:51:12 2018
    On 02/27/18, djatropine said the following...


    The scary part is FB. I call it stalkerbook. FB scares me more NSA.

    Sadly it is used more to find/stalk younger kids more than I like to think about why I keep my profile private and have done the same for baby sister in law. No one is allowed to friend me that is not alrea there.

    I tried to figure out the interface however i gave up. I prefer text based interfaces like BBS's since there is so much less "work". If I can't view it in a text interface I am really not a fan of it. :D

    I hear ya, why I use linux for a lot of items still to this day vs windows. :)

    Cheers!
    Pequito

    --- Mystic BBS v1.12 A38 2018/01/01 (Linux/64)
    * Origin: Twinkle BBS # (700:100/4)
  • From NuSkooler@700:100/9 to All on Sun Nov 5 09:14:18 2017
    I'd like some input on ideas for securing BBSing. Some things I've implemented / want to implement in ENiGMA 1/2 around this area:

    * (Have) SSH and Secure WebSockets (wss://) support. Plain text (Telnet) across the internet is simply a bad idea.
    * (Have) Strong PBKDF2 password hashing. No one should know or be able to know your password.
    * (Have) ACS flags around secure state. If you're not secure, you can't access file/message/whatever features
    * (ToDo) Public key login. Securely upload a public key and switch your account to requiring public key vs password for SSH
    * (ToDo) Secure-lock account. Allow a user to set their account to secure only. Logins will no longer be allowed if non-secure.
    * (Have) HTTPS (TLS) downloads.
    * (ToDo) HTTPS (TLS) uploads. SFTP may be an option here (inc d/l of course)

    Bigger future work I'd like to do:
    Fully E2E encrypted messaging network. This would only be available to users with previously mentioned secure ACS (else a 3rd party may be going non-secure).

    ...thoughts, comments, ideas, rants?


    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (700:100/9)
  • From Nugax@700:100/12 to All on Sun Nov 12 14:10:34 2017
    That's great, I just wonder if it's needed for a BBS? Seems like lots of work that although is awesome, how many people are actively trying to hack bbs accounts? Not very many I suspect.


    On 03:14 05/11 , NuSkooler wrote:
    I'd like some input on ideas for securing BBSing. Some things I've implemented / want to implement in ENiGMA 1/2 around this area:

    * (Have) SSH and Secure WebSockets (wss://) support. Plain text (Telnet) across the internet is simply a bad idea.
    * (Have) Strong PBKDF2 password hashing. No one should know or be able to know your password.
    * (Have) ACS flags around secure state. If you're not secure, you can't access file/message/whatever features
    * (ToDo) Public key login. Securely upload a public key and switch your account to requiring public key vs password for SSH
    * (ToDo) Secure-lock account. Allow a user to set their account to secure only. Logins will no longer be allowed if non-secure.
    * (Have) HTTPS (TLS) downloads.
    * (ToDo) HTTPS (TLS) uploads. SFTP may be an option here (inc d/l of course)

    Bigger future work I'd like to do:
    Fully E2E encrypted messaging network. This would only be available to users with previously mentioned secure ACS (else a 3rd party may be going non-secure).

    ...thoughts, comments, ideas, rants?


    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (700:100/9)


    --
    yrNews Usenet Reader for iOS
    http://appstore.com/yrNewsUsenetReader

    --- Mystic BBS/NNTP v1.12 A35 (Linux/64)
    * Origin: -=The ByteXchange BBS : bbs.thebytexchange.com=- (700:100/12)
  • From NuSkooler@700:100/9 to Nugax on Sun Nov 12 19:06:51 2017
    That's great, I just wonder if it's needed for a BBS? Seems like lots of work that although is awesome, how many people are actively trying to hack bbs accounts? Not very many I suspect.

    Not much to do with hacking *accounts*. When you telnet, your traffic is going plain-text, and you bet your arse people are looking at that.



    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (700:100/9)
  • From h7@700:100/15 to NuSkooler on Tue Nov 7 07:40:28 2017
    ...thoughts, comments, ideas, rants?

    i like the sound of that. how would you plan to go on with the public key logins to the bbs?

    .\ H7 blocktronics accession trsi haciend

    --- Mystic BBS v1.12 A35 (Linux/64)
    * Origin: haciend.com - cloaks and daggers (700:100/15)
  • From NuSkooler@700:100/9 to h7 on Mon Nov 13 15:27:01 2017
    i like the sound of that. how would you plan to go on with the public key logins to the bbs?

    My thinking is you'd have to log in from an already-secure channel (e.g. SSH or secure WebSocket aka wss://) -> go to profile -> upload public key (paste or from file). Then from there, switch a setting to only allow a particular login type(s)... maybe check/un-check the supported logins (telnet, SSH+pass, SSH+PublicKey, ...)





    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (700:100/9)
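    One way the pieces from the opening post (PBKDF2 hashing, ACS-style secure state, secure-lock) and the key-upload flow described just above could fit together, as an added example in Node.js. It is not ENiGMA 1/2's own code; the PBKDF2 parameters, the login method names and the `secureOnly` / `allowedLogins` account fields are assumptions.

    ```javascript
    // Added example, not ENiGMA 1/2 code: PBKDF2 password storage plus a per-account
    // login policy covering "secure-lock" and the login-type checklist from the thread.
    const crypto = require('crypto');

    // Assumed PBKDF2 parameters; stored with each record so they can be raised later.
    const PBKDF2 = { iterations: 100000, keyLen: 32, digest: 'sha256' };

    // Hash a new password with a fresh random salt. Only salt, params and hash are kept;
    // the password itself is never stored anywhere.
    function hashPassword(password) {
      const salt = crypto.randomBytes(16);
      const hash = crypto.pbkdf2Sync(password, salt, PBKDF2.iterations, PBKDF2.keyLen, PBKDF2.digest);
      return { salt: salt.toString('hex'), hash: hash.toString('hex'), ...PBKDF2 };
    }

    // Recompute with the stored salt/params and compare in constant time.
    function verifyPassword(password, record) {
      const hash = crypto.pbkdf2Sync(password, Buffer.from(record.salt, 'hex'),
        record.iterations, record.keyLen, record.digest);
      return crypto.timingSafeEqual(hash, Buffer.from(record.hash, 'hex'));
    }

    // Login methods (assumed names) and whether each runs over an encrypted channel.
    const SECURE = { telnet: false, 'ssh+password': true, 'ssh+publickey': true, wss: true };
    const known = (m) => Object.prototype.hasOwnProperty.call(SECURE, m);

    // Gate a login attempt: unknown methods fail closed, secure-lock refuses plain-text
    // transports, and the user's own checklist (allowedLogins) is applied last.
    function loginAllowed(account, method) {
      if (!known(method)) return { ok: false, reason: 'unknown login method' };
      if (account.secureOnly && !SECURE[method]) return { ok: false, reason: 'account is secure-locked' };
      if (!account.allowedLogins.includes(method)) return { ok: false, reason: 'method disabled for account' };
      return { ok: true };
    }

    // Policy changes (uploading a public key, enabling secure-lock, editing the checklist)
    // are accepted only from a session that is already on a secure transport.
    function updateLoginPolicy(account, sessionMethod, changes) {
      if (!known(sessionMethod) || !SECURE[sessionMethod]) {
        throw new Error('profile changes require a secure session');
      }
      return { ...account, ...changes };
    }
    ```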