Security

Posted: Tue Sep 22, 2020 6:35 am
by Duckula
This is a topic that the team has been discussing and we wanted to get the community involved to seek your input. Clearly since the days that WG was created, a lot has changed including the area of online security. We know there are still WG/MBBS servers out there running on Windows XP, Windows 2000/2003 server etc that have long been dropped from security support by Microsoft.

This presents a risk to the systems running these operating systems, even before we talk about the security issues with ActiveHTML, Client/Server, Telnet and other services within WG.

My personal thoughts are that we should "raise the bar" in regards to the minimum supported operating system for future releases, to at a minimum those still supported by Microsoft. As part of this, ActiveHTML and Client/Server would be removed and look to be replaced with a modern, secure, approach. Telnet to be looked at being replaced with SSH, etc. The polls we have done so far show very few if any systems are running ActiveHTML and or Client/Server mode, so I don't see this as a large cause of concern. Telnet is the most common connection method so this needs to be looked at carefully.

For fear of opening the floodgates, what is your perspective on this? Are sysops more accountable now given any personal data they may hold on these legacy based systems? Do BBS users expect these issues and not really care?

What security concerns do you have regarding WG as it is today? And if you had an opportunity to implement changes, what would they be?

Keep in mind we are likely to get a lot of requests for many different things and obviously these will need to be put into a priority system, however I think it is important that we identify the risks and think about possible solutions.

Looking forward to your input.

Re: Security

Posted: Tue Sep 22, 2020 2:01 pm
by Kracken
Thanks for the question.

My general stance on BBS security:

They are random internet databases, opened up by random Joe sysops, over unencrypted Telnet.
As such, they should be approached as "not secure", no matter how many holes are patched.
These days, a BBS shouldn't collect and hoard "personally identifiable information" (real name, DOB, phone, address) as if it's 1993.

So, I personally don't care much about any security improvement for that reason. It's just not safe and never will be.
That doesn't mean no work can be done to mitigate risks. But users shouldn't trust any BBS for safe-keeping their true records.
And sysops shouldn't subject their users to undue risks by gathering and (potentially/unknowingly) exposing sensitive info.
It's not a bank or a government agency. The purpose of a BBS is casual fun.

PII is the new gold for modern day hackers...and many BBS are open goldmines.

Re: Security

Posted: Tue Sep 22, 2020 9:38 pm
by Ragtop
Personally, I'm not interested in any personal information, names, addresses, etc. I do like having their city/state so everyone can see where the other users are located in the userlist. I always thought it was nice to see how widespread our users are. If individual questions could be activated/inactivated, that could fix that. Right now, you can only eliminate all of the address questions. The only use for birthdays would be if there are age limited areas, and that could be taken care of with an 18 or older question instead of actual birthdays.

Re: Security

Posted: Wed Sep 23, 2020 12:42 am
by daniel_spain
Ragtop wrote:
> Personally, I'm not interested in any personal information, names,
> addresses, etc. I do like having their city/state so everyone can see where
> the other users are located in the userlist. I always thought it was nice
> to see how widespread our users are. If individual questions could be
> activated/inactivated, that could fix that. Right now, you can only
> eliminate all of the address questions. The only use for birthdays would be
> if there are age limited areas, and that could be taken care of with an 18
> or older question instead of actual birthdays.

I'm actually working on a mod now where names are history:
email address and password, and you can also have a phone # on file
which you can text the BBS from for a password reset.

The only optional one I feel is required is gender, since most add-ons use the
BBS gender tag.

Re: Security

Posted: Wed Sep 23, 2020 12:56 am
by Bloodrock
On my BBS I ask for email, DOB and gender.

Re: BBS Terminal Side Security Needs SSH

Posted: Wed Sep 23, 2020 5:01 am
by Milton
Personally, I remove all sign-up questions completely. Hobby boards do not need them.
A call-back email address is all you really need on the terminal side, for password recovery.
Secure Shell (SSH) protocol option to log in to the BBS.
As for the web part: if you plan on using WG for business, it needs an overhaul.

Re: Security

Posted: Wed Sep 23, 2020 12:34 pm
by Duckula
Thanks for the responses - it might be easiest to just have an on/off option for all signup questions, that way the sysop can decide.

What about system security? As Milton said, the Web side needs replacing. Are there other items people think need to be replaced with more secure options?

Re: Security

Posted: Wed Sep 23, 2020 2:21 pm
by Bloodrock
I don't have port 80 open.

Re: Security

Posted: Wed Sep 23, 2020 3:47 pm
by Specin
I think I'd be against removing telnet outright, though I can certainly see the argument for SSH. I think, at least for me, part of the nostalgia comes from the programs I connect with themselves. I personally use Telemate through DOSBox for most things, SWATH for Tradewars and Megamud for Majormud. Though Telemate did not have telnet, I have it working thanks to instructions posted by Starbase21. I suppose if there's a similar way to make windows/dos programs connect through SSH instead of telnet, it's less of an issue.

There's just something about the old terminal programs that makes it feel right to me. It might not be that big of an issue to anyone else.

Re: Security

Posted: Wed Sep 23, 2020 11:07 pm
by daniel_spain
Duckula wrote:
> Thanks for the responses - it might be easiest to just have an on/off
> option for all signup questions, that way the sysop can decide.
>
> What about system security? As Milton said, the Web side needs replacing.
> Are there other items people think need to be replaced with more secure
> options?

There are way more problems than simple "hacking" in regards to the security vulnerabilities.
Anything that can take down the system is just as bad, and right now there are still tons of
ways to knock a BBS offline with simple web/FTP string parsing. Also, if a BBS is running on
a system that has no limitations on sending emails, until I get SMTP AUTH done there are
"things" that can be done. There are a bunch more which I am not going to name or list
here, because the last thing we need is someone picking up on a way to play BBS warfare.
I have slowly been putting catch-and-release systems in, but in reality just a simple update
to modern tech will clean most of them up.