Security

General Project Phoenix discussion
Duckula
Posts: 86
Joined: Wed Jul 22, 2020 1:19 am

Re: Security

Post by Duckula »

Specin wrote:
> I think I'd be against removing telnet outright, though I can certainly see
> the argument for SSH. I think, at least for me, part of the nostalgia comes
> from the programs I connect with themselves. I personally use Telemate
> through DOSBox for most things, SWATH for Tradewars and Megamud for
> Majormud. Though Telemate did not have telnet, I have it working thanks to
> instructions posted by Starbase21. I suppose if there's a similar way to
> make windows/dos programs connect through SSH instead of telnet, it's less
> of an issue.
>
> There's just something about the old terminal programs that makes it feel
> right to me. It might not be that big of an issue to anyone else.

I certainly agree nostalgia is a big part of the whole experience. The plan would not be to replace Telnet; it may be we need to add SSH as another option.

That way people can make a choice based on their preference.
-- Duckula (Site admin / owner )

Gangrif
Posts: 22
Joined: Sun Aug 09, 2020 2:25 am

Re: Security

Post by Gangrif »

Platform:
Absolutely, we need to make the bbs compatible, natively, with more modern platforms! This opens up so many more options than just security fixes. Security, in my opinion, is very important. We are living in a world where it's dirt simple, and pretty cheap, to fire up a cloud instance and run whatever we'd like. That includes the BBS. The Underground ran on AWS on a Windows instance for years. The options for Windows systems on cloud providers are going to preclude old, out of support, OS's. So for that reason alone we should move to more modern Windows OS's.

On top of that, I'd personally love to see the board running on Linux. Though I don't know what that looks like right now. That, too, would open up a variety of options for hosting a bbs. Providers like Digital Ocean are cheaper than AWS, but don't to my knowledge offer Windows systems at all.

Current sysops are willing to jump through hoops to make these things work, because they're passionate. The number of hours I poured into figuring out how to virtualize WG2 back in the day stands as a testament to that.

And lastly, on platform, we _can not_ ignore platform security because there's no expectation of security. That's ludicrous. If you run a Windows server in your basement, protected by a firewall, this might be acceptable. But if you're in any sort of shared environment, alongside any computers on a network, or on a cloud provider, this cannot be ignored. Especially if we're eventually going to be available to a larger base. This isn't just about what data we've got stored, and what could be leaked, it's about your BBS turning into a crypto-mining botnet member, or a foothold in your network, or a worm-propagating cesspool. Windows is one of the most targeted platforms around, because it's an easy target. We can't ignore that.

User data:
I think we've covered this. But here's my 2 cents. The Underground still asks for a lot of that personal data when people register. Because I never took the time to turn it off. Or even look into turning it off. I'd say that 99% of my users provide bogus data, and that's fine. These boards, for what we're using them for, don't need it. That being said, password databases, and email addresses, are still targets. If I'm asking users for their name, password, and an email address for validation, that's enough data to make an attacker at least curious. The fact that passwords are commonly sent over telnet makes it even worse, but let's assume we've moved to ssh for a moment (which I'll get to next). One of the biggest problems in computer security is password re-use. You use your password on this message forum, you use the same one on your BBS, and then maybe you use the same one at your bank. Smart users know that's dumb, but not everyone is a smart user. The BBS gets popped, and the user database (which is all clear text) gets exfiltrated. Now an attacker has a bunch of names, email addresses, and possible passwords to try. This might seem like a non-issue for a smart user, but for an average user, that could get an attacker into their bank account, or their Facebook account, or something.

Also.. ENCRYPT THE PASSWORDS! This should be number 1 on the next release's check list IMHO.

Ideally, we need MFA. I don't know how to implement it, or what it might look like, but I think MFA, and encrypted passwords is the absolute minimum any system on the internet should implement for password security.

Encrypted protocols:
I don't know what to do about telnet... I really don't. My gut, and all my years as a sysadmin, says it should be disabled and thrown in the dumpster out back. But I get we've got compatibility to think about. I don't know what to do about that. I could imagine some sort of proxy work-around. Like.. Users who want to use telnet, have some little local proxy they can run, so they telnet to that and that SSH's to the board? This gets complicated though.

The board needs to default to encrypted protocols, SSH, Telnet over TLS, https (when we get to talking about a web server for the board). Telnet.. I just don't know. Personally I think we need to disable public access over telnet, and find a work-around for anyone wanting to use a telnet-only client, of which there are many! I know the pain here, mud clients, tw2002 helpers, hell just your favorite terminal app. They all support telnet by default. In my investigations however, a number of them that are still under development support telnet/tls and ssh as well. So maybe we need to add both telnet/tls and ssh as options, and find some sort of easily packaged local proxy to handle telnet to telnet/tls?

Lastly, Http:
The board is largely a text only medium. I found C/S to be cool, and used it back in the old days, but I have not even tried it out for a very long time. It was neat! I'd use it again if it were supported. Same deal with http! I love the idea that I could fire up a web browser and access my board.

Most people probably aren't using it today because it's a trash fire on the current worldgroup. If it were revamped in some future release, I'd use it, absolutely. Again, secure protocols!!!

Oh, one more thing to think about... GDPR and COPPA are things.. we should consider them in future security settings.
[Nate][VeNoM][Gangrif]
SySop of The Underground BBS
bbs.undrground.org
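
The local proxy idea from the post above, as an added example that is not part of the thread or the project's code: a loopback-only listener that a telnet-only client dials in clear text, with the hop to the board carried over verified TLS. The board hostname `bbs.example.org` is a placeholder, and the local port 2323 and the board offering Telnet over TLS on port 992 are assumptions.

```python
import asyncio
import ssl

LISTEN_HOST = "127.0.0.1"        # loopback only: the clear-text hop stays on this machine
LISTEN_PORT = 2323               # assumed local port the legacy client dials
BOARD_HOST = "bbs.example.org"   # placeholder board hostname
BOARD_PORT = 992                 # IANA "telnets" port; assumed to be what the board offers

def make_tls_context(cafile=None):
    """Client context that verifies the board's certificate and hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

async def pump(reader, writer):
    """Copy raw bytes one way; Telnet IAC negotiation passes through untouched."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    except OSError:              # covers connection resets and TLS errors
        pass
    finally:
        writer.close()           # closing one side lets the other pump see EOF

async def handle_client(local_reader, local_writer, ctx):
    try:
        remote_reader, remote_writer = await asyncio.open_connection(
            BOARD_HOST, BOARD_PORT, ssl=ctx, server_hostname=BOARD_HOST)
    except OSError as exc:
        # Fail closed: never fall back to clear-text Telnet to the board.
        local_writer.write(f"TLS connection to board failed: {exc}\r\n".encode())
        await local_writer.drain()
        local_writer.close()
        return
    await asyncio.gather(pump(local_reader, remote_writer),
                         pump(remote_reader, local_writer))

async def main():
    ctx = make_tls_context()

    async def on_connect(reader, writer):
        await handle_client(reader, writer, ctx)

    server = await asyncio.start_server(on_connect, LISTEN_HOST, LISTEN_PORT)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

The legacy client is then pointed at 127.0.0.1 port 2323 instead of the board's public Telnet port.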

Duckula
Posts: 86
Joined: Wed Jul 22, 2020 1:19 am

Re: Security

Post by Duckula »

Thanks Gangrif, excellent contribution.

On your point of cross platform, this is definitely a goal and something I would personally love to see. Obviously it is more difficult in reality to implement; however, it is something the team has on the "wish list" and regularly comes up in discussions. One of the advantages we do have is that after the Worldgroup for Unix "experiment", quite a lot of code that carried forward into later versions kept this multi-platform approach. Having said that, this was 25+ years ago now, so as with all the other code, it needs to be reviewed.

OS/Platform security as you say is obviously a key element also, which is why we are looking at raising the minimum Windows OS version to those still under security support by Microsoft.

Password encryption is on the list of development items also and will be given priority. MFA is a consideration, however fixing the clear-text password storage issue will come first.

Like you, Telnet for me is a really difficult one. Given it is the default connection method (likely because SSH is not an option at this point), simply removing it (as much as my security-focused brain tells me to) is likely not an immediate option. I suspect a phased approach to removing Telnet is the more appropriate way to go, whereby once SSH can be implemented, Telnet is maintained for X number of future releases past that, then removed. Or if the decision is made to keep it in the long term due to community feedback, an education campaign is rolled out to encourage users to switch (such as reminding users that connect via Telnet that their information is not securely transmitted).

As I have mentioned previously in several threads, although it has not been confirmed yet, it is likely that ActiveHTML and Client/Server mode will be removed in the next release. Given the number of security issues (particularly with ActiveHTML), it would be negligent for us to continue including them. I personally don't see a return to a client/server type system, rather a rich, web-based interface (in whatever form that takes) using appropriately secure protocols as you suggest.

On the thought of a web interface, one possible option is to provide a system that allows sysops/the community to develop their own interfaces which allows for complete customisation, either using the web or other apps. Exactly what technology (RESTful API, webassembly, webhooks, etc) is still up for debate but I think an approach like this offers the most flexibility in the long term.

It should be noted that what I have discussed here (and in other threads) is not set in stone yet and as always we are open to feedback from the community.

Thanks for your input!
-- Duckula (Site admin / owner )

daniel_spain
Posts: 163
Joined: Sun Aug 09, 2020 2:39 am

Re: Security

Post by daniel_spain »

In regards to password encryption, I already wrote something "like" that. When I send login/password info to my Rlogin Daemon Dma Project it takes your info and creates a string of "trash", just what seems like gibberish, but the server receives it and translates it. So though rlogin is a simple text sending protocol it does not mean the sent text can be translated. Oh, and it's never the same.... Sysop right now will not be the same characters the next time it is generated since it uses time stamps to determine the seed method.

Gangrif
Posts: 22
Joined: Sun Aug 09, 2020 2:25 am

Re: Security

Post by Gangrif »

daniel_spain wrote:
> in regards to password encryption i already wrote something
> "like" that. when i send login/password info to my Rlogin Daemon
> Dma Project it takes your info and creates a string of "trash"
> just what seems like gibberish but the server receives it and translates
> it. So though rlogin is a simple text sending protocol it does not mean the
> sent text can be translated oh and it's never the same.... Sysop right now
> will not be the same characters the next time it is generated since it uses
> time stamps to determine the seed method.

That's cool, and definitely an improvement.

History tells us that creating our own encryption algorithm doesn't usually end well though. Ideally we need to pick a standard, and use that. A determined attacker would patiently reverse engineer your method, by getting their own board, or stealing one, and poking at it until they figured out your method, and then it'd be useless.

Yeah, I get that we're talking about an application that has the security coverage of Swiss cheese (by today's standards) to start with, and nothing truly "important" going on... but if we think big now, who knows? Maybe this thing gets picked up as the next Facebook?
[Nate][VeNoM][Gangrif]
SySop of The Underground BBS
bbs.undrground.org

Duckula
Posts: 86
Joined: Wed Jul 22, 2020 1:19 am

Re: Security

Post by Duckula »

I think it would be appropriate to use a library such as OpenSSL, for both the crypto (user password issues) and web interface security.
-- Duckula (Site admin / owner )
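
An added example, not code from the thread or from the project: one standard way to close the clear-text password storage issue discussed above is a salted, deliberately slow one-way hash, so a stolen user database does not hand over reusable passwords. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the record format, field names, iteration count and sample rows are assumptions.

```python
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster

def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$hash (hex)."""
    salt = secrets.token_bytes(16)  # unique per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, record):
    """Recompute the hash from the stored parameters; malformed records fail."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except (ValueError, OverflowError):
        return False

def needs_rehash(record, iterations=ITERATIONS):
    """True when a record is malformed or used a weaker work factor."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations

def migrate_cleartext_users(users, iterations=ITERATIONS):
    """Replace each clear-text 'password' field with a 'pw_record' field."""
    migrated = []
    for user in users:
        row = {k: v for k, v in user.items() if k != "password"}
        row["pw_record"] = hash_password(user["password"], iterations)
        migrated.append(row)
    return migrated

# Constructed sample rows standing in for a clear-text user database.
SAMPLE_USERS = [
    {"userid": "Sysop", "email": "sysop@example.org", "password": "constructed-pw-1"},
    {"userid": "Guest", "email": "guest@example.org", "password": "constructed-pw-1"},
]
```

Storing the iteration count in each record lets the work factor be raised later and old records upgraded at the user's next successful login.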

Questman
Posts: 77
Joined: Fri Aug 07, 2020 2:12 pm

Re: Security

Post by Questman »

At this point, AES-256 would be the best.
