Hey guys, I have a few security related (paranoia) ideas I'd like to kick around and see if anyone else has thoughts and/or is interested.

First, is there any way people can think of to enable 2FA?

Make it part of the login sequence. A user authenticates, and then they
either get an email with a login code or a text message. They use that as
their secondary password and then are able to login to the bbs.

Second, what about email verification to enable auto-upgrading of user
accounts from, say, s10 to s25?

Third, is there some kind of ACS code for determining if a user is logged in via telnet or ssh? Telnet is delivered as plaintext, and ssh is preferable
when transfering some files or communicating on message nets that expect some degree of privacy. I'd love to lock down certain message and file areas to ssh-only connections. Think of like s25g5 for security level 25, message
group 5, but I'd like to add something on there to make it only visible
during ssh connections.

Fourth, is it possible to detect logins via a websocket and disable file transfers? Is there some kind of ACS code? Is it even possible to detect?

Thanks!

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

First, is there any way people can think of to enable 2FA?

I suppose you could do it via MPL if you really wanted it, but it wasn't something that I considered adding at the moment. The BBS barely has any users as it is, and forcing them to go through multi-factor authentication is probably just going to be a deterrent.

What would be the circumstances that you feel should trigger a multi-factor authentication chain? A change in IP or something? If we could define what I feel is a reasonable workflow then maybe I would make this an option. But forcing a MFA every time a user logs in is overkill and I don't want that to be a function.

Second, what about email verification to enable auto-upgrading of user accounts from, say, s10 to s25?

This has/can been done in MPL/Python but its on the list to enabled internally once the outbound SMTP queue is enabled. The hold up on that is some indecisiveness in how I want to implement it and a lack of time to experiment.

Third, is there some kind of ACS code for determining if a user is
logged in via telnet or ssh? Telnet is delivered as plaintext, and ssh

No there isn't, but I just added one based on your suggestion :)

The next build will have "os" ACS which will be TRUE if the user is logged in via a secure connection (in this case only SSH falls into that category). Do you think "OS" also return true if the user is logged in locally or only via SSH or any other encrypted protocol?

Fourth, is it possible to detect logins via a websocket and disable file transfers? Is there some kind of ACS code? Is it even possible to detect?

I don't know enough about this to comment :(

--- Mystic BBS v1.12 A37 2017/12/30 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

Hey g00r00, thanks for replying to my stream of consciousness :)

What would be the circumstances that you feel should trigger a multi-factor authentication chain? A change in IP or something? If we could define what I feel is a reasonable workflow then maybe I would
make this an option. But forcing a MFA every time a user logs in is overkill and I don't want that to be a function.

I agree that 2FA would be overkill in most circumstances, but it'd be cool to have the option. I'm working on doing it locally just for fun for things like password resets. Give the user an option to confirm an email address and
phone number, and then a password reset can be automated in the future.
Dunno. I use 2FA on everything possible these days, due to a fair bit of paranoia. :)

Second, what about email verification to enable auto-upgrading of use accounts from, say, s10 to s25?

This has/can been done in MPL/Python but its on the list to enabled internally once the outbound SMTP queue is enabled. The hold up on that is some indecisiveness in how I want to implement it and a lack of time
to experiment.

Yeah, I've just finished setting up postfix to send arbitrary messages
outbound and defeat spam filters. I think now I can safely set up things like 2FA (for the hell of it) and email address verification. I'm working on doing something similar for text messages.

Third, is there some kind of ACS code for determining if a user is logged in via telnet or ssh? Telnet is delivered as plaintext, and ss

No there isn't, but I just added one based on your suggestion :)

Awesome. :)

The next build will have "os" ACS which will be TRUE if the user is
logged in via a secure connection (in this case only SSH falls into that category). Do you think "OS" also return true if the user is logged in locally or only via SSH or any other encrypted protocol?

I think locally should be fine to include here, maybe have a flag somewhere
in the configuration that can be sysop-configurable?

My basic idea is that if I want to have some *ahem* fully legal *ahem*
material hosted on my board that I simply don't want ISPs (and whomever else) sniffing, I want to make sure the content is completely obfuscated unless a user is logged in securely - ssh, local, encrypted ftp, stuff like that.

Fourth, is it possible to detect logins via a websocket and disable f transfers? Is there some kind of ACS code? Is it even possible to det

I don't know enough about this to comment :(

Frankly, I know basically nothing. I'm using websockify as a socket policy so that I can use vtxclient in a web browser. It.../may/ have some sort of file transfer capability, who knows. *shrug*

My thought process was to basically remove file transfer options from unsupported client connections, but...that may be a bit tough.

Thanks for everything!

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

On Saturday, December 30th esc was heard saying...

First, is there any way people can think of to enable 2FA?

I can't answer any of these for Mystic, but for ENiG, but they could be applied
to Mystic (possibly with some code from g00r00 or MPL?)

You can use Google's 2FA for example, as a 2-auth login. In ENiG this can be done with a .js mod @ login seq, and I imagine the same applies to Mystic with MPL.

On Saturday, December 30th esc muttered...

Second, what about email verification to enable auto-upgrading of user accounts from, say, s10 to s25?

I may steal this idea for ENiG at some point on my board :D In that case, I'd add them to a new user group e.g. 'everified' or soemthing.

On Saturday, December 30th esc muttered...

Third, is there some kind of ACS code for determining if a user is logged in via telnet or ssh? Telnet is delivered as plaintext, and ssh is preferable when transfering some files or communicating on message nets that expect some degree of privacy. I'd love to lock down certain message and file areas to ssh-only connections. Think of like s25g5 for security level 25, message group 5, but I'd like to add something on there to make it only visible during ssh connections.

FWIW there is something similar in ENiG. The ACS code 'SC' determines if the connection is considered secure. This is enabled for SSH and secure WebSocket currently.

You can also enable a header check for proxied connections in the case of SSL/TLS terminations (wss:// -> proxy -> ws://).

I personally love the idea of adding more security to BBSing, so will be following this thread ;)




--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On 12/30/17, esc said the following...

Second, what about email verification to enable auto-upgrading of user accounts from, say, s10 to s25?

Many systems already do this via numerous different email verification doors
or scripts, though with all the free email services out there I'm skeptical about how useful this is.

Callback verification was pretty solid in years gone by since it typically wasn't trivial to change your phone number. Even if you had to carefully blacklist emergency services to combat cheeky applicants...

--- Mystic BBS v1.12 A36 2017/12/03 (Linux/64)
* Origin: Subcarrier BBS (21:2/140)

On 12/30/17, g00r00 said the following...

category). Do you think "OS" also return true if the user is logged in locally or only via SSH or any other encrypted protocol?

Logging in locally is reasonably secure. You can't eavesdrop on other users
or access memory they're using without elevated privileges on any of the OSes supported by 1.12.

--- Mystic BBS v1.12 A36 2017/12/03 (Linux/64)
* Origin: Subcarrier BBS (21:2/140)

First, is there any way people can think of to enable 2FA?

I can't answer any of these for Mystic, but for ENiG, but they could be applied to Mystic (possibly with some code from g00r00 or MPL?)

You can use Google's 2FA for example, as a 2-auth login. In ENiG this
can be done with a .js mod @ login seq, and I imagine the same applies
to Mystic with MPL.

Oooh, neat. :) I just did the following with Mystic:
1 - enabled postfix outbound emails
2 - configured "textbelt" for outgoing sms text messages
- https://github.com/typpo/textbelt

Right now, I'm writing a mystic python script to allow users to confirm email and phone # as password recovery options. It's pretty hacky...enabling
postfix requires a slew of other configuration considerations outside the
scope of mystic.

I'm curious what is in the enig js for doing this :)

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

FWIW there is something similar in ENiG. The ACS code 'SC' determines if the connection is considered secure. This is enabled for SSH and secure WebSocket currently.

<sorry for forked thread>

Dude! How do you detect this? :)

Right now, my socket policy server detects wss:// connections and forwards those to telnet. How on earth could I pass a secure connection to mystic? Any ideas here? :)

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

On Sunday, December 31st esc muttered...

Right now, I'm writing a mystic python script to allow users to confirm email and phone # as password recovery options. It's pretty hacky...enabling postfix requires a slew of other configuration considerations outside the scope of mystic.

Still very cool

On Sunday, December 31st esc was heard saying...

I'm curious what is in the enig js for doing this :)

It has a built in email recovery for lost passwords - and uses nodemailer to back email, so various services work out of the box. For SMS one could create a
mod .js to hook up with one of the services to send a message, then let the user punch in a recovery code. Same type of sytem could be used for 2FA



--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On 12/31/17, Static said the following...

Callback verification was pretty solid in years gone by since it
typically wasn't trivial to change your phone number. Even if you had to carefully blacklist emergency services to combat cheeky applicants...

yeah call back verification was great and then i got the source to RGV
renegade callback verifier and got to fix some bugs but then if it was ld you hope the verification works fast lol

|08 .|05ú|13ù|15Dr|07e|08am Ma|07st|15er|13ù|05ú|08.
|08 øù|05ú|13ùø |13øù|05ú|08ùø
|11 DoRE|03!|11ACiDiC|03!|11Demonic |08[|15dreamland|09.|15darktech|09.|15org|08]

--- Mystic BBS v1.12 A36 2017/12/03 (Windows/64)
* Origin: |08--[|15!|07dreamland BBS dreamland.darktech.org (21:1/163)

I'm going to be the guy that everyone hates here in this reply:

Why in the world does a BBS need 2fa? We are storing no personal information, and to be honest everything in the bbs is nothing that can't be sent
plaintext to begin with.

I work in cyber security. One of the main ideas is you don't build in
controls just to do so. That causes you and the users more pain. More
security - less flexibility. I honestly see no valid reason to build in advanced security controls for a bbs. And a

I think your security you have is fine. And I think there are a lot of other things folks would like to see mystic have and issues to be fixed than to add in 2fa that is really going to be useless and annoy users.

For anyone who is going to think this post is completely wrong, point out one piece of information a normal bbs collects that would hurt a user if it were obtained through a hack. And email is not considered PII. The only thing I
can think of is address,

If we start collecting SSNs, credit card info, and other info, you have my support.

I hate to see bloating mystic for the sake of adding features that are just "cool".

On 19:43 30/12 , Static wrote:

On 12/30/17, esc said the following...

Second, what about email verification to enable auto-upgrading of user accounts from, say, s10 to s25?

Many systems already do this via numerous different email verification doors >or scripts, though with all the free email services out there I'm skeptical >about how useful this is.

Callback verification was pretty solid in years gone by since it typically >wasn't trivial to change your phone number. Even if you had to carefully >blacklist emergency services to combat cheeky applicants...

--- Mystic BBS v1.12 A36 2017/12/03 (Linux/64)
* Origin: Subcarrier BBS (21:2/140)

--
yrNews Usenet Reader for iOS
http://appstore.com/yrNewsUsenetReader

--- Mystic BBS/NNTP v1.12 A37 2017/12/30 (Linux/64)
* Origin: -=The ByteXchange BBS : bbs.thebytexchange.com=- (21:1/107)

And to take it one step further in this thinking:

2FA concept is really meant for systems that need granted or privileged
access to a part or entire access of a system that is generally not a public facing or openly accessible site. I have almost never see. It implemented in the public realm.

So doesn't that completely contradict what a bbs is? Why do I need to hack a bbs? I can just create an account and have access, for free. What do I expect to get if I hack? More time to play BRE? More shareware files?

I just don't see the need guys. Waste of time, in my opinion you didn't ask
for lol. Don't kick me out the mystic club guys :)

On 01:51 31/12 , Nugax wrote:

I'm going to be the guy that everyone hates here in this reply:

Why in the world does a BBS need 2fa? We are storing no personal information, >and to be honest everything in the bbs is nothing that can't be sent >plaintext to begin with.

I work in cyber security. One of the main ideas is you don't build in >controls just to do so. That causes you and the users more pain. More >security - less flexibility. I honestly see no valid reason to build in >advanced security controls for a bbs. And a

I think your security you have is fine. And I think there are a lot of other >things folks would like to see mystic have and issues to be fixed than to add >in 2fa that is really going to be useless and annoy users.

For anyone who is going to think this post is completely wrong, point out one >piece of information a normal bbs collects that would hurt a user if it were >obtained through a hack. And email is not considered PII. The only thing I >can think of is address,

If we start collecting SSNs, credit card info, and other info, you have my >support.

I hate to see bloating mystic for the sake of adding features that are just >"cool".

On 19:43 30/12 , Static wrote:

On 12/30/17, esc said the following...

Second, what about email verification to enable auto-upgrading of user >> es> accounts from, say, s10 to s25?

Many systems already do this via numerous different email verification doors >>or scripts, though with all the free email services out there I'm skeptical >>about how useful this is.

Callback verification was pretty solid in years gone by since it typically >>wasn't trivial to change your phone number. Even if you had to carefully >>blacklist emergency services to combat cheeky applicants...

--- Mystic BBS v1.12 A36 2017/12/03 (Linux/64)
* Origin: Subcarrier BBS (21:2/140)

--
yrNews Usenet Reader for iOS
http://appstore.com/yrNewsUsenetReader

--- Mystic BBS/NNTP v1.12 A37 2017/12/30 (Linux/64)
* Origin: -=The ByteXchange BBS : bbs.thebytexchange.com=- (21:1/107)

--
yrNews Usenet Reader for iOS
http://appstore.com/yrNewsUsenetReader

--- Mystic BBS/NNTP v1.12 A37 2017/12/30 (Linux/64)
* Origin: -=The ByteXchange BBS : bbs.thebytexchange.com=- (21:1/107)

On 12/31/17, dream master said the following...

if it was ld you hope the verification works fast lol

Nuts to that, LD used to cost your first born for the first minute. The CBV on my old Maximus board was set up for local calls only. If a caller was LD they were directed to a quick questionnaire they could fill out instead and I'd handle it manually. I didn't get many as LD callers were exceptionally rare, again because the per-minute rates were measured in souls of the innocent.

--- Mystic BBS v1.12 A36 2017/12/03 (Linux/64)
* Origin: Subcarrier BBS (21:2/140)

I agree that 2FA would be overkill in most circumstances, but it'd be
cool to have the option. I'm working on doing it locally just for fun
for things like password resets. Give the user an option to confirm an email address and phone number, and then a password reset can be

Well that is stuff that has already been done in a few lines of MPL/Python, and will be internally done too, but thats only a multi-factor authentication when they are new users.

What you could do with the existing system is: You could have users validate their e-mail and auto upgraded to say security 50. After a set number of days you could auto-expire their security to level 20, which would then require them to validate their e-mail again.

You could also detect when an IP or hostname changes, because Mystic caches that for the user and only updates it with the "current" session after they
log off. So you can see if their IP and/or hostname has changed from their previous call and kick off your multi-factor workflow.

This last option seems like the best approach to me, since I am assuming IP addresses really don't change all that much.

There is one issue though, until A38 the IP address cache will not work with IPV6. I have to do some data file changes in A38 for many reasons, which is one of the reasons I am trying to push A37 out the door now so I can get working on that stuff. IPV6 will properly cache after that.

--- Mystic BBS v1.12 A37 2017/12/30 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

You can use Google's 2FA for example, as a 2-auth login. In ENiG this
can be done with a .js mod @ login seq, and I imagine the same applies
to Mystic with MPL.

Yeah, it can and has been done with a few lines of MPL/Python.

--- Mystic BBS v1.12 A37 2017/12/30 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

Why in the world does a BBS need 2fa? We are storing no personal information, and to be honest everything in the bbs is nothing that
can't be sent plaintext to begin with.

For my purposes, to automatically validate a user (similar to CBV) or for automated password recovery.

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

And to take it one step further in this thinking:

2FA concept is really meant for systems that need granted or privileged access to a part or entire access of a system that is generally not a public facing or openly accessible site. I have almost never see. It implemented in the public realm.

I also am toying with the idea of implementing it on my own account. :)

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

On Sunday, December 31st esc muttered...

Right now, my socket policy server detects wss:// connections and forwards those to telnet. How on earth could I pass a secure connection to mystic? Any ideas here? :)

Hmmm... For ENiG it's slighty differnet in that it handles WebSocket natively, so no telnet in the mix in this case.

You might be able to implement a "secret knock" or something to indicate on the
Mystic side that the connection is from a secure channel? Not the best, but with Telnet it's limited. What I mean by this is you'd establish a Telent connection then send a special string that only your (proxy) system should know. Maybe a MPL could pick that up and set a bit somewhere?





--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On Sunday, December 31st Nugax was heard saying...

2FA concept is really meant for systems that need granted or privileged access to a part or entire access of a system that is generally not a public facing or openly accessible site. I have almost never see. It implemented in the public realm.

This simply isn't true. 2FA is used heavily in the public by "normal" users. Games, game portals (e.g. Steam), email accounts, Google, FB, MS, ...a just tons of "site" logins, and so on.

2FA exists such that you have another "something you have". I can't simply guess/steal your password and get into your account - I need your 2FA device in
hand as well.

BBS's have all sorts of PII. Accounts often have name, email, DOB, location, phone number.

2FA login doesn't make a ton of sense yet, but if a system can be set up to only allow secure (SSH, wss://, ...) logins as well, it starts to make more sense. Further work needs done to create message networks and the like that are
not being sent plain-text all over the place.

2FA for a password recovery isn't too bad. Email recovery of course makes sense. SMS also makes sense.

I think most of the discussion here for Mystic anyway has been that it can all be achieved by MPL/Python, and I'm positive g00r00 is smart enough to prioritize the important stuff over this type of thing :)



--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

It that's user validation. Not 2 factor authentication all the time. 2 different things.

And there already are validation tools for Mystic out there.

On 12:21 31/12 , esc wrote:

Why in the world does a BBS need 2fa? We are storing no personal information, and to be honest everything in the bbs is nothing that
can't be sent plaintext to begin with.

For my purposes, to automatically validate a user (similar to CBV) or for >automated password recovery.

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

--
yrNews Usenet Reader for iOS
http://appstore.com/yrNewsUsenetReader

--- Mystic BBS/NNTP v1.12 A37 2017/12/30 (Linux/64)
* Origin: -=The ByteXchange BBS : bbs.thebytexchange.com=- (21:1/107)

The sysop account would be the only account I think would be valid for 2
factor of some sort, still think it's overkill.

Still, implementing a validation system is fine, that's not classic 2fa as
was discussed. And
Email validation is cool, and I'd use that, but making users go through 2fa every time you login is overkill and useless for a bbs. I swear no one is trying to snoop on your usurper game or echomail that's on every bbs system
out there. Lol



On 12:23 31/12 , esc wrote:

And to take it one step further in this thinking:

2FA concept is really meant for systems that need granted or privileged access to a part or entire access of a system that is generally not a public facing or openly accessible site. I have almost never see. It implemented in the public realm.

I also am toying with the idea of implementing it on my own account. :)

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

--
yrNews Usenet Reader for iOS
http://appstore.com/yrNewsUsenetReader

--- Mystic BBS/NNTP v1.12 A37 2017/12/30 (Linux/64)
* Origin: -=The ByteXchange BBS : bbs.thebytexchange.com=- (21:1/107)

I disagree. 2fa on steam and stuff is because you have payment and account
info which becomes PII. Email isn't PII. Neither is name without other identifying info. Address and dob are but let's be honest, most
Folks don't provide info to a bbs willingly with anything that can be stolen
if even true. I don't even ask PII. Maybe dob, but nothing else.

I do cyber assessments daily, I think a bbs system is not a place where a lot Of threat exists for data leaks to where you need to implement controls such
as 2fa. Want to add it as an option, fine. But, I bet almost no one uses it. Secure communication like ssh and encryption is a better route.

On 06:23 31/12 , NuSkooler wrote:

On Sunday, December 31st Nugax was heard saying...

2FA concept is really meant for systems that need granted or privileged access to a part or entire access of a system that is generally not a public facing or openly accessible site. I have almost never see. It implemented in the public realm.

This simply isn't true. 2FA is used heavily in the public by "normal" users. >Games, game portals (e.g. Steam), email accounts, Google, FB, MS, ...a just >tons of "site" logins, and so on.

2FA exists such that you have another "something you have". I can't simply >guess/steal your password and get into your account - I need your 2FA device in
hand as well.

BBS's have all sorts of PII. Accounts often have name, email, DOB, location, >phone number.

2FA login doesn't make a ton of sense yet, but if a system can be set up to >only allow secure (SSH, wss://, ...) logins as well, it starts to make more >sense. Further work needs done to create message networks and the like that are
not being sent plain-text all over the place.

2FA for a password recovery isn't too bad. Email recovery of course makes >sense. SMS also makes sense.

I think most of the discussion here for Mystic anyway has been that it can all >be achieved by MPL/Python, and I'm positive g00r00 is smart enough to >prioritize the important stuff over this type of thing :)

--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

--
yrNews Usenet Reader for iOS
http://appstore.com/yrNewsUsenetReader

--- Mystic BBS/NNTP v1.12 A37 2017/12/30 (Linux/64)
* Origin: -=The ByteXchange BBS : bbs.thebytexchange.com=- (21:1/107)

Re: Re: tinfoil hat bbsing
By: Nugax to All on Sun Dec 31 2017 08:42 am

I just don't see the need guys. Waste of time, in my opinion you didn't ask for lol.

I agree with pretty much all you have said. I don't see a problem with folks discussing it either though.

Don't kick me out the mystic club guys :)

It's not a club and nobody will kick you anywhere.. :)

Ttyl :-),
Al


... Everybody should believe in something - I believe I'll have a beer
--- SBBSecho 3.03-Linux
* Origin: The Rusty MailBox - Penticton, BC trmb.synchro.net (21:4/106)

On Sunday, December 31st Nugax was heard saying...

I disagree. 2fa on steam and stuff is because you have payment and account info which becomes PII. Email isn't PII. Neither is name without other identifying info. Address and dob are but let's be honest, most Folks don't provide info to a bbs willingly with anything that can be stolen if even true. I don't even ask PII. Maybe dob, but nothing else.

I don't want to start a battle here, but this is wrong. Many of these services (likely Steam as well) state *why* they include 2FA, and it's not only due to payment information at all. Passwords are constantly comprimised, 2FA requires something you have (not just something you know = password). If I find your account and PW one of the thousands of comprimised databases, I still can't access your account without *something you have*.

As far as PII: If I look at the accounts on my board, at least 90% of them seem
to be real values for DOB and location. Of course I don't know this for sure, but the ages are right - and some of them I know the person, and know it to be right.

On Sunday, December 31st Nugax was heard saying...

I do cyber assessments daily, I think a bbs system is not a place where a lot Of threat exists for data leaks to where you need to implement controls such as 2fa. Want to add it as an option, fine. But, I bet almost no one uses it. Secure communication like ssh and encryption is a better route.

If you're doing cyber assessments, you need to understand the difference between authentication mechanisms, something you have, something you know, and the difference between those and secure communications. SSH, TLS, etc. are not related to authentication and proof of identiy. They are a means of securing a channel.

With that said, I'm sure you're right about "not the place for data leaks". But
that's a mute point. Nothing is until it is. All it takes is one person.

Again, other issues such as requiring secure channels, encrypting system-to-system, and so on need addressed to make this stuff truly secure.

Have a great New Years!



--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

g00r00 wrote to esc <=-

The next build will have "os" ACS which will be TRUE if the user is
logged in via a secure connection (in this case only SSH falls into
that category). Do you think "OS" also return true if the user is
logged in locally or only via SSH or any other encrypted protocol?

And what about over trusted networks? For example:

1. when logged in on the same LAN (that you trust!).

2. When using telnet over a secure medium (SSH tunnel). This can be detected by similar means to #1 - by source IP.


... Hey! This is just like the REAL world!
___ MultiMail/Win32 v0.49

--- Mystic BBS/QWK v1.12 A36 2017/12/04 (Raspberry Pi/32)
* Origin: The Bridge - bridge.vkradio.com (21:1/143)

Right now, my socket policy server detects wss:// connections and
forwards those to telnet. How on earth could I pass a secure connection
to mystic? Any ideas here? :)

Not sure how you do that from your policy server, but its probably possible to implement this into Mystic directly.

--- Mystic BBS v1.12 A37 2017/12/31 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

Hmmm... For ENiG it's slighty differnet in that it handles WebSocket natively, so no telnet in the mix in this case.

You might be able to implement a "secret knock" or something to indicate on the Mystic side that the connection is from a secure channel? Not the best, but with Telnet it's limited. What I mean by this is you'd
establish a Telent connection then send a special string that only your (proxy) system should know. Maybe a MPL could pick that up and set a bit somewhere?

I like your train of thought, here. I could then translate that into
disabling unsupported file xfer stuff.

I'm not sure how I'd do that, though...hmmm...

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

I think most of the discussion here for Mystic anyway has been that it
can all be achieved by MPL/Python, and I'm positive g00r00 is smart
enough to prioritize the important stuff over this type of thing :)

^this

Working it out with mpl/python is precisely what I'm dealing with now. It's actually pretty straightforward. Configuring my server to send emails that
beat spam filters was harder than writing the .mpy :)

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)

Still, implementing a validation system is fine, that's not classic 2fa
as was discussed. And
Email validation is cool, and I'd use that, but making users go through 2fa every time you login is overkill and useless for a bbs. I swear no
one is trying to snoop on your usurper game or echomail that's on every bbs system out there. Lol

You're certainly welcome to your opinion, and I'm welcome to mine, but I
won't lol at your opinion, don't worry.

--- Mystic BBS v1.12 A37 2017/12/27 (Linux/32)
* Origin: lo fidelity bbs (21:2/142)