• Thinking of posting a code a week

    From bcw142@21:1/145.2 to All on Thu Sep 7 15:40:02 2017
    That last one was morse code of course. I was thinking of doing a different code or puzzle each week for a while. That might liven it up. I wonder if there's a morse decoder ring? "It's morse, just morse." Oh that's a different morse isn't it? Also called Inspector with Lewis right behind.

    --- Mystic BBS v1.12 A35 (Linux/64)
    * Origin: Mystic AlphaTest bcw142.zapto.org:2323 (21:1/145.2)
  • From Avon@21:1/101 to bcw142 on Wed Sep 13 20:16:58 2017
    On 09/07/17, bcw142 pondered and said...

    That last one was morse code of course. I was thinking of doing a different code or puzzle each week for a while. That might liven it up.
    I wonder if there's a morse decoder ring? "It's morse, just morse." Oh that's a different morse isn't it? Also called Inspector with Lewis
    right behind.

    I need to get back into the PGP stuff I was playing with a while ago... will look into this in the coming days... be good to test some encrypted stuff out.

    --- Mystic BBS v1.12 A35 (Windows/32)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From apam@21:1/125 to Avon on Sat Sep 16 17:23:05 2017
    I need to get back into the PGP stuff I was playing with a while ago... will look in to this in the coming days... be good to test some encrypted stuff out

    I've been toying with the idea for some time to add encryption to
    Magicka, not PGP, but just ordinary key based encryption where the sender
    and receiver both know the key.

    Might be fun, but I don't know that it would be much use.

    Andrew


    --- MagickaBBS v0.6alpha (Linux/x86_64)
    * Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)
  • From Avon@21:1/101 to apam on Sat Sep 16 21:03:55 2017

    I've been toying with the idea for some time to add encryption to
    Magicka, not PGP, but just ordinary key based encryption where the sender and receiver both know the key.


    i'd be interested in testing that... going to set up my pi again with the
    view to having it run a copy of magicka, mystic and enigma on it... just need
    to get some time to do it... i think i may have found a mystic bug but need
    to test a theory on the pi first to confirm it before reporting it..


    best, Paul

    --- Mystic BBS v1.12 A35 (Windows/32)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From bcw142@21:1/145.2 to apam on Sat Sep 16 08:02:11 2017
    On 09/16/17, apam said the following...
    I've been toying with the idea for some time to add encryption to
    Magicka, not PGP, but just ordinary key based encryption where the sender and receiver both know the key.

    This is a good place to test it. As far as not knowing if it will be used or how, there's the now 'old' build it and they will come ;) Once it exists
    people will figure out uses and such. Encryption is where things are going,
    it can be used to help weed out the hackers and cracking that is causing problems with the BBS. I'm sure ssh doesn't have as much trouble for that
    very reason - encryption. I know they can't make it in my ssh ports and it's much harder to do DDOS on them as well. Anything that's pretty automatic and can be made in to a new 'standard' for BBS will likely help, it doesn't need
    to be as much as ssh is.
    Any 'code' could be 'encryption', even down to pig latin ;)
    Itway'say allway aterway underway ethay idgebray overway oubledtray aterway. PS. 'pig' is part of bsdgames in Linux generally

    --- Mystic BBS v1.12 A35 (Linux/64)
    * Origin: Mystic AlphaTest bcw142.zapto.org:2323 (21:1/145.2)
  • From NuSkooler@21:1/121 to apam on Sat Sep 16 15:15:36 2017
    I've been toying with the idea for some time to add encryption to Magicka, not PGP, but just ordinary key based encryption where the sender and receiver both know the key.

    The problem here is that there isn't much of a way to secure messages:
    * If over telnet, you need to accept plain-text (user system -> host bbs) then encrypt. Message is unsecure in transit + 3rd party (the bbs) has the plain text message
    * If over SSH the second part still applies

    With an external tool (e.g. PGP), users have security: They can paste the message in the FSE for example *already* encrypted. It's never in a compromised situation.




    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From apam@21:1/125 to NuSkooler on Sun Sep 17 07:42:58 2017
    The problem here is that there isn't much of a way to secure messages: *

    Yeah, my thinking was it would be entered into the FSE then you enter a password and it's encrypted and saved to the message base.

    A sysop could potentially read the message, or even the key, both on the sender's end or the receiver's end, but on any other boards that the
    echomail travels to it would be encrypted.

    I totally agree that PGP would be the more secure way to send encrypted communications, but apart from preparing the message offline and
    uploading / copy pasting, I can't imagine how it could be built in
    without the sysop having access to users' private keys.

    Like I said, might be fun, but I don't see much use ;)

    Andrew

    --- MagickaBBS v0.6alpha (Linux/x86_64)
    * Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)
  • From NuSkooler@21:1/121 to apam on Sat Sep 16 16:07:34 2017
    uploading / copy pasting, I can't imagine how it could be built in without the sysop having access to users private keys.

    I'm not sure that you could. No matter what, the message has to travel unencrypted to the board first.



    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From bcw142@21:1/145 to apam on Sat Sep 16 19:09:59 2017
    On 09/17/17, apam said the following...
    I totally agree that PGP would be the more secure way to send encrypted communications, but apart from preparing the message offline and
    uploading / copy pasting, I can't imagine how it could be built in
    without the sysop having access to users private keys.

    The private key could be part of the BBS information. Only those with a
    private key could use the encryption, but it could be added at any time.

    --- Mystic BBS v1.12 A35 (Raspberry Pi/32)
    * Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)
  • From bcw142@21:1/145 to NuSkooler on Sat Sep 16 19:11:46 2017
    On 09/16/17, NuSkooler said the following...
    I'm not sure that you could. No matter what, the message has to travel unencrypted to the board first.

    No, you can use ssh. It would require ssh and wouldn't encrypt unless the
    user was using ssh (and a private key stored on the bbs).

    --- Mystic BBS v1.12 A35 (Raspberry Pi/32)
    * Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)
  • From Avon@21:1/179 to apam,NuSkooler,bcw142 on Sun Sep 17 12:54:28 2017
    On 09/16/17, bcw142 said the following...

    On 09/16/17, apam said the following...
    I've been toying with the idea for some time to add encryption to Magicka, not PGP, but just ordinary key based encryption where the sender and receiver both know the key.

    This is a good place to test it. As far as not knowing if it will be
    used or how, there's the now 'old' build it and they will come ;) Once
    it exists people will figure out uses and such. Encryption is where
    things are going, it can be used to help weed out the hackers and
    cracking that is causing problems with the BBS. I'm sure ssh doesn't
    have as much trouble for that very reason - encryption. I know they
    can't make it in my ssh ports and it's much harder to do DDOS on them as well. Anything that's pretty automatic and can be made in to a new

    This whole area really interests me and I set this echo up for this kind of discussion and hopefully some development in this space.

    I recall Nu in your TODO you were looking at mesh networking and had the end
    to end security of communications in mind also?

    I agree with comments about the irony of trying to secure comms if the poster is logged in via a telnet session. But assuming the login is a local one on a system sitting inside a home LAN then I guess that issue is negated.

    As I understand it, the real issue becomes how to create an environment of
    shared trust... so how does a key get exchanged in a secure way between two parties prior to the encrypted exchanges taking place?

    Apam et al.. I do hope you can further bake some options in to your platforms as I'd be keen to help with the development of this.

    Xqtr and I did do some work playing with Mystic MPL and PGP a while ago. I
    just need to find all of the work again :) But the idea was to use the full screen editor and then have the output run through PGP then posted to the echomail area encrypted. It worked to a point but the shared key thing was
    not flying as it should - does that sound right Xqtr?

    Best, Paul

    --- Mystic BBS v1.12 A35 (Raspberry Pi/32)
    * Origin: Cryptogenic Radix (21:1/179)
  • From apam@21:1/125 to Avon on Sun Sep 17 11:19:18 2017
    I agree with comments about the irony of trying to secure comms if the poster is logged in via a telnet session. But assuming the login is a local one on a system sitting inside a home LAN then I guess that issue is negated.

    Yep, if you're the only one using the BBS, then it wouldn't matter. I
    guess in this day and age where we're all Sysops it could work, it's when
    you add users to the equation it gets complicated.

    As I understand it, the real issue becomes how to create an environment of shared trust... so how does a key get exchanged in a secure way between two parties prior to the encrypted exchanges taking place?

    You'd have to send the initial key some other way, ideally in person,
    after that you could include subsequent keys inside the encrypted
    message. That's why PGP would be wayy better because it solves the issue
    of sharing the first key.

    Apam et al.. I do hope you can further bake some options in to your platforms as I'd be keen to help with the development of this

    I'd really like to, but as Nu said, the secrecy wouldn't be ideal, as
    users messages could still be read by the sysop. I guess it would have to
    come with some kind of disclaimer not to use it for nuclear launch codes
    or the like ;P

    Xqtr and I did do some work playing with Mystic MPL and PGP a while ago.
    I just need to find all of the work again :) But the idea was to use the full screen editor and then have the output run through PGP then posted to the echomail area encrypted. It worked to a point but the shared key
    thing was not flying as it should - does that sound right Xqtr?

    This would still suffer the same problem in that the sysop with the
    shared key could read all the users encrypted mail.

    So, while the sysop would have security, the users would only have an
    illusion of security. I don't know if this is worse than having no
    security at all in that, with no security the user is aware that his communication can be read.

    As Nu said copy/pasting PGP encrypted texts is the best solution, I think
    the most ideal would be an offline reader with a PGP plugin.

    Andrew

    --- MagickaBBS v0.6alpha (Linux/x86_64)
    * Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)
  • From Vk3jed@3:633/410 to apam on Sun Sep 17 17:35:00 2017
    apam wrote to Avon <=-

    As Nu said copy/pasting PGP encrypted texts is the best solution, I
    think the most ideal would be an offline reader with a PGP plugin.

    If I use Eudora, I have Enigmail configured (that's why I export this echo as a mailing list to myself), and it's pretty transparent. I used to have a PGP encryption system in my old Bluewave setup that worked in a similar way to Enigmail. It was activated through the external editor hook, and ran before and after the editor was called. Was quite neat. :)


    ... The way some people find fault - you'd think there was a reward.
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (3:633/410)
  • From NuSkooler@21:1/121 to apam on Sun Sep 17 09:50:22 2017
    As Nu said copy/pasting PGP encrypted texts is the best solution, I think the most ideal would be an offline reader with a PGP plugin.

    Unfortunately with BBS tech this is as good as it gets. As someone mentioned, some offline readers can help with this by auto-detecting PGP blocks and deciphering them if the key is available. ...and encrypting with the click of a
    button. Web browsers can do this by running local JavaScript (e.g. never leave
    the box) as well. I think with e.g. VTXClient or fTelnet, one may be able to use the proper browser plugin and just select the text to decrypt / encrypt. ...but having something built into the board isn't really viable :(



    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From NuSkooler@21:1/121 to Avon on Sun Sep 17 09:54:34 2017
    I recall Nu in your TODO you were looking at mesh networking and had the end to end security of communications in mind also?

    Yup, this is still in my sights as well. I haven't started on anything but brainstorming though. ...want to wrap up a few more 'standard' BBS things first.

    The idea is a fully decentralized and end-to-end encrypted system. One could imagine in a setup as such that a user-side encrypted mode could be entered such that no one but the user ever has the key in hand (e.g. encrypted before transmit)





    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From Richard Menedetter@21:1/104 to apam on Sat Sep 23 17:16:00 2017
    Hi apam!

    16 Sep 2017 17:23, from apam -> Avon:

    I've been toying with the idea for some time to add encryption to
    Magicka, not PGP, but just ordinary key based encryption where the
    sender and receiver both know the key.

    Why not GPG/PGP?
    They already exist, have been peer reviewed security wise and have key distribution in place.
    What do you gain by inventing the wheel again (just worse).
    (Read Phil Zimmermann's comments about his first try, and then reading it as an example of how NOT to do it ... security is hard, and it takes many tries and tons of review by security experts to get it up to a useable security level)

    Might be fun, but I don't know that it would be much use.

    I do not really see the use case.
    Regarding one of the follow up replies, I am shocked that anybody uses telnet any more in 2017 ...
    As long as that is the case, forget encryption and work on eradicating that failure of history!

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: Optimist laugh to forget - Pessimists forget to laugh. (21:1/104)
  • From Richard Menedetter@21:1/104 to apam on Sat Sep 23 17:20:58 2017
    Hi apam!

    17 Sep 2017 07:42, from apam -> NuSkooler:

    Yeah, my thinking was it would be entered into the FSE then you enter
    a password and it's encrypted and saved to the message base.

    THAT can be done also with PGP.
    It supports a symmetric mode, where you can enter a password, and it will encrypt the file/text.
    The receiver can decrypt it with the same password.

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: This fellow's wise enough to play the fool. (21:1/104)
  • From Richard Menedetter@21:1/104 to bcw142 on Sat Sep 23 17:22:12 2017
    Hi bcw142!

    16 Sep 2017 19:09, from bcw142 -> apam:

    The private key could be part of the BBS information. Only those with
    a private key could use the encryption, but it could be added at any
    time.

    Sorry to play advocatus diaboli.
    But why on earth would anybody trust his secret key to a piece of SW so little peer reviewed and potentially buggy as today's BBSes?

    Take a look at how hard it is for big corporations with large security teams not to get hacked.
    If that happens to those relatively badly written BBSes, all that information is in the public.

    "badly written" when compared to large SW projects with security reviews.

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: Cats love work; They can sit and watch it for hours. (21:1/104)
  • From Richard Menedetter@21:1/104 to Vk3jed on Sat Sep 23 17:26:30 2017
    Hi Vk3jed!

    17 Sep 2017 17:35, from Vk3jed -> apam:

    As Nu said copy/pasting PGP encrypted texts is the best solution,
    I think the most ideal would be an offline reader with a PGP
    plugin.
    If I use Eudora, I have Enigmail configured (that's why I export this
    echo as a mailing list to myself), and it's pretty transparent. I
    used to have a PGP encryption system in my old Bluewave setup that
    worked in a similar way to Enigmail. It was activated through the external editor hook, and ran before and after the editor was called.
    Was quite neat. :)

    Same can be done with Golded.
    Sadly I was still too lazy to recover my GPG key from the old HDD.

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: Free advice is seldom cheap. (21:1/104)
  • From apam@21:1/125 to Richard Menedetter on Sun Sep 24 08:49:45 2017
    Why not GPG/PGP? They already exist, have been peer reviewed security
    wise and have key distribution in place. What do you gain by inventing the wheel again (just worse). (Read Phil Zimmermann's comments about his first try, and then reading it as an

    I didn't plan on 'reinventing the wheel' just using a key based
    algorithm instead of PGP. The reason for not using PGP is the users key
    would have to be stored on the BBS, and the sysop would have access to
    them, regardless of how buggy modern bbses are, this is a problem.

    I do not really see the usecase. Regarding one of the follow up replies,
    I am shocked that anybody uses telnet any more in 2017 ... As long as that is the case, forget encryption and work on eradicating that failure of history

    Magicka supports SSH.

    Andrew


    --- MagickaBBS v0.7alpha (Linux/x86_64)
    * Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)
  • From apam@21:1/125 to Richard Menedetter on Sun Sep 24 08:53:26 2017
    THAT can be done also with PGP. It supports a symmetric mode, where you can enter a password, and it will encrypt the file/text. The receiver can decrypt it with the same password

    You do realize PGP isn't an encryption algorithm, but a frontend that
    uses them? What is there to gain from using PGP than using another crypto-library directly.

    Andrew

    --- MagickaBBS v0.7alpha (Linux/x86_64)
    * Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)
  • From NuSkooler@21:1/121 to apam on Sat Sep 23 17:59:32 2017
    I didn't plan on 'reinventing the wheel' just using a key based algorithm instead of PGP. The reason for not using PGP is the users key would have to be stored on the BBS, and the sysop would have access to them, regardless of how buggy modern bbses are, this is a problem.

    I (think) what he was saying is rolling your own crypto is generally considered
    a no-no unless you're a crypto expert. And rightfully so: Creating secure crypto is very hard, so it's better to use a well used and trusted system 99.9%
    of the time.

    *Any* crypto in a BBS that doesn't rely on you pasting/uploading pre-encrypted data is going to suffer from the two problems I described previously: Trust (you can't!) and plain-text travel.



    --- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From apam@21:1/125 to NuSkooler on Sun Sep 24 10:20:53 2017
    I (think) what he was saying is rolling your own crypto is generally considered
    a no-no unless you're a crypto expert. And rightfully so: Creating
    secure crypto is very hard, so it's better to use a well used and trusted system 99.9%
    of the time.

    Yes, I'm aware that trying to invent your own cryptography is usually not
    a good idea, I wasn't planning on doing that. I was thinking about using
    an already established algorithm, (XTEA as it's fairly easy to
    implement).

    *Any* crypto in a BBS that doesn't rely on you pasting/uploading pre-encrypted
    data is going to suffer from the two problems I described previously: Trust (you can't!) and plain-text travel

    Yeah, it depends on who you trust, if you trust the System operator and
    are using SSH, then it wouldn't matter so much. In the game Second Life, encryption is often used in objects that communicate with other objects,
    anyone at Linden Labs could easily see what you're communicating, but the
    point was to hide it from the people you were selling the objects to so
    they couldn't reverse engineer etc.

    Now if my users trust me, and they trust the sysop the message will be decrypted on then it would be ok, why then encrypt, you might not trust
    someone on the way.

    If you take users out of the equation and just want to have secure sysop
    to sysop communication, that would also work.

    What wouldn't work is calling a random system and expecting your
    communications to be secure.

    Andrew

    --- MagickaBBS v0.7alpha (Linux/x86_64)
    * Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)
  • From Vk3jed@3:633/410 to Richard Menedetter on Sun Sep 24 12:34:00 2017
    Richard Menedetter wrote to Vk3jed <=-

    If I use Eudora, I have Enigmail configured (that's why I export this
    echo as a mailing list to myself), and it's pretty transparent. I
    used to have a PGP encryption system in my old Bluewave setup that
    worked in a similar way to Enigmail. It was activated through the external editor hook, and ran before and after the editor was called.
    Was quite neat. :)

    Same can be done with Golded.
    Sadly I was still too lazy to recover my GPG key from the old HDD.

    I have my system on a virtual hard disk, the problem is in getting VirtualBox to mount the image. As soon as I attempt to add a second drive to the OS/2 VM, VirtualBox crashes. :(


    ... Budget: a mathematical confirmation of your suspicions...
    --- MultiMail/Win32 v0.49
    * Origin: Freeway BBS - freeway.apana.org.au (3:633/410)
  • From Richard Menedetter@21:1/104 to apam on Sun Sep 24 16:43:58 2017
    Hi apam!

    24 Sep 2017 08:53, from apam -> Richard Menedetter:

    THAT can be done also with PGP. It supports a symmetric mode,
    where you can enter a password, and it will encrypt the file/text.
    The receiver can decrypt it with the same password
    You do realize PGP isn't an encryption algorithm, but a frontend that
    uses them? What is there to gain from using PGP than using another crypto-library directly.

    Yes ... I realize that.
    Depends on the state of the crypto library.
    If done correctly it can be as secure as using an existing and proven solution. The problem is the IF above ... that is a big if, and one can make big mistakes
    by using the crypto libraries in a wrong way.
    Using them securely is not a trivial task, and it is not to be taken lightly.

    Great that Magicka supports SSH!

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: I thought that you thought... must be a mistake. (21:1/104)
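
Added example, not part of any post in this thread and not Magicka's code: apam's message above names XTEA as easy to implement, and Richard Menedetter's reply warns that a sound building block can still be used wrongly. The C below applies the standard XTEA block function to a message one 8-byte block at a time with a shared key and measures two consequences of that usage; the key, the sample message and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ROUNDS 32u
#define DELTA  0x9E3779B9u

/* Standard XTEA: 64-bit block (two words), 128-bit key (four words). */
static void xtea_enc(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < ROUNDS; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

static void xtea_dec(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = DELTA * ROUNDS;
    for (unsigned i = 0; i < ROUNDS; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
        sum -= DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Naive usage: each 8-byte block is handled on its own (ECB), with no
   per-message random value and no integrity tag. len is a multiple of 8. */
static void naive_crypt(uint8_t *buf, size_t len, const uint32_t k[4], int enc) {
    for (size_t off = 0; off + 8 <= len; off += 8) {
        uint32_t v[2] = {0, 0};
        for (int b = 0; b < 8; b++)               /* load big-endian words */
            v[b / 4] = (v[b / 4] << 8) | buf[off + b];
        if (enc) xtea_enc(v, k); else xtea_dec(v, k);
        for (int b = 0; b < 8; b++)               /* store big-endian words */
            buf[off + b] = (uint8_t)(v[b / 4] >> (24 - 8 * (b % 4)));
    }
}

/* Constructed sample key and message (four 8-byte blocks). */
static const uint32_t KEY[4] = {0x01234567u, 0x89ABCDEFu, 0xFEDCBA98u, 0x76543210u};
static const char MSG[] = "MEET NOWMEET NOWSTAY PUTMEET NOW";

/* Counts ciphertext blocks equal to an earlier block: repeated plaintext
   is visible to any system the message passes through, without the key. */
int demo_repeated_blocks(void) {
    uint8_t ct[32]; int n = 0;
    memcpy(ct, MSG, 32);
    naive_crypt(ct, 32, KEY, 1);
    for (size_t i = 8; i < 32; i += 8)
        for (size_t j = 0; j < i; j += 8)
            if (memcmp(ct + i, ct + j, 8) == 0) { n++; break; }
    return n;
}

/* Swaps ciphertext blocks 0 and 2 in transit. Returns 1 if the receiver
   decrypts a reordered message and nothing signals the change. */
int demo_reorder_undetected(void) {
    uint8_t ct[32], tmp[8];
    memcpy(ct, MSG, 32);
    naive_crypt(ct, 32, KEY, 1);
    memcpy(tmp, ct, 8); memcpy(ct, ct + 16, 8); memcpy(ct + 16, tmp, 8);
    naive_crypt(ct, 32, KEY, 0);
    return memcmp(ct, "STAY PUTMEET NOWMEET NOWMEET NOW", 32) == 0;
}

int main(void) {
    printf("repeated=%d reorder_undetected=%d\n", demo_repeated_blocks(), demo_reorder_undetected());
    return 0;
}
```

A chaining mode with a random per-message value plus an integrity check, which is what a maintained library or PGP's symmetric mode applies around the block cipher, is what removes both results.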
  • From Richard Menedetter@21:1/104 to Vk3jed on Sun Sep 24 16:47:20 2017
    Hi Vk3jed!

    24 Sep 2017 12:34, from Vk3jed -> Richard Menedetter:

    I have my system on a virtual hard disk, the problem is in getting VirtualBox to mount the image. As soon as I attempt to add a second
    drive to the OS/2 VM, VirtualBox crashes. :(

    A shot in the dark.
    I think some VirtualBox containers can be read by VMWare ...
    You can try if VMWare can open it.

    Holding my fingers crossed!

    CU, Ricsi

    --- GoldED+/LNX
    * Origin: Mary had a little lamb... a little beef, a little ham. (21:1/104)
  • From Avon@21:1/101 to apam on Mon Sep 25 12:47:49 2017

    THAT can be done also with PGP. It supports a symmetric mode, where you can enter a password, and it will encrypt the file/text. The receiver can decrypt it with the same password

    You do realize PGP isn't an encryption algorithm, but a frontend that
    uses them? What is there to gain from using PGP than using another crypto-library directly.

    So in my test case I have PGP set up and (from memory) it's set to use a certain style of encryption and then I just provide it with the source text
    and a simple key to use to encode that source text.

    We could try an open test to confirm that much works if you like? :)

    Best, Paul

    --- Mystic BBS v1.12 A35 (Windows/32)
    * Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)
  • From Joaquim Homrighausen@21:3/101 to Richard Menedetter on Mon Sep 25 18:55:42 2017
    VirtualBox to mount the image. As soon as I attempt to add a second
    drive to the OS/2 VM, VirtualBox crashes. :(

    A shot in the dark.
    I think some VirtualBox containers can be read by VMWare ...
    You can try if VMWare can open it.

    It can open some of them, and you can export them from VirtualBox. But VMWare and Oracle (VirtualBox) seem to have slightly different ideas on what the proper format is.



    -joho

    ---
    * Origin: Stockholm | Sweden (21:3/101)