home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
ftp.wwiv.com
/
ftp.wwiv.com.zip
/
ftp.wwiv.com
/
pub
/
HATCH
/
WWIVNEWS.ZIP
/
9304_2.NWS
< prev
next >
Wrap
Text File
|
1993-04-10
|
20KB
|
374 lines
───────────────┬─────────────────────────────────────────────┬───────────────
│ Type 0 Forum │
│ Edited by Omega Man (1@5282) │
└─────────────────────────────────────────────┘
The Type 0 Forum is WWIVnews' "Letters To The Editor" section. Comments,
criticisms, questions, and suggestions can be sent to WWIVnews c/o 1@5282.
WWIVnews reserves the right to edit any submissions for either clarity,
punctuation, or spelling, but will endeavor to maintain the content integrity
as close to that originally submitted as possible.
─────────────────────────────────────────────────────────────────────────────
Dear Editor:
I have registered a file called NetRunner 1.02. It is distributed as
NETRN102.ZIP on MegaRom ][ - Shareware Spectacular, as well as through normal
shareware channels (i.e. bbs systems).
This game is a "Cyberpunk" styled game. The mission: Hack into systems and
steal credits while avoiding ICE (Intrusion-Counter Electronics). It is a fun
game and many of the users at The Theatre Of Vampires (WWIVNet/ICEnet 3325)
enjoyed the game immensely.
Unregistered the game is fully functional. However, SYSBUILD.EXE (a utility to
build systems) does not work until the game is registered. Also, all NetRunners
are retired at 5000 experience points.
The game was authored by Rob Jacob, of Federal Way, WA and distributed by
Seattle Cybertechnologies.
I sent in the registration form and a check for $25.00 on the 9th of January,
1993. I waited for four weeks and had not received a registration number when
I received a new bank statement for my checking account. The check I wrote to
Seattle Cybertechnologies had cleared the 12th of January 1993, only three days
after I wrote and mailed it.
I tried to contact Rob Jacob or Seattle Cybertechnologies by telephone, to find
that the numbers were unlisted or disconnected. I attempted to call the two
telephone numbers listed for CyberSpace BBS, both of which had been
disconnected. I contacted the second SDS for NetRunner 1.02, HCS BBS, and left
mail with the sysop of that board, explaining to him my dilemma.
On 9 Feb 93, I sent a letter to Rob Jacob requesting the registration number.
I gave him the benefit of the doubt (lost in mail, oversight, etc) and
requested a registration number be sent for this game.
On 23 Feb 93, I called back to HCS BBS, and had received mail back from the
sysop. He informed me that this lack of support from Rob Jacob had begun in
July of 1992. Several registrants, who had downloaded the game from HCS, had
contacted the sysop of HCS concerning the registration numbers not being
received. HCS BBS' sysop spent a relatively large sum of money attempting to
contact Rob Jacob concerning NetRunner and the failure to support the product.
Rob Jacob did not return his calls. After that, HCS BBS dropped the game from
his download area and posted several warnings on nationwide networks such as
FidoNet.
At that time I sent Rob Jacob the second follow-up letter. In this letter I
informed him of my correspondence with HCS BBS and of my intentions should a
registration number not be received.
I am now (28 March 93) waiting for further correspondence and a reply from
Seattle CyberTechnologies and Mr. Rob Jacob. In the meantime, is there any
other recourse I can take to expedite matters?
Lestat The Immortal (1@3325)
Editor's Reply:
Lestat's problem isn't unheard of. At least once a month, reports surface on
the major computer networks about a particular shareware author who appears to
have suddenly disappeared off the face of the Earth, leaving all registered
users and pending registrations in limbo. In the majority of cases this is
usually revealed to be a misunderstanding or miscommunication between the
author and his customer(s), and matters are usually settled between both
parties in a satisfactory manner.
However, in Lestat's case, the problem may be a bit different. Inquiries have
also surfaced in recent weeks on Usenet and Fidonet regarding the whereabouts
of both Seattle CyberTechnologies and Ron Jacob. As of this writing, neither
company nor shareware author have been located, and Lestat's grievance has
not been settled.
Lestat is not without recourse, however. When purchasing *anything* using
the United States Postal Service, there are several steps that should be taken
so as to protect yourself from any possibilities of fraud or misconduct on the
part of the vendor:
1) Prior to purchase, ask around to see if anyone's heard anything negative
about the vendor. Ask about post-sale support, positive customer relations,
and integrity of financial dealings. If you cannot find anyone locally who has
dealt with the vendor, contact the chapter of the Better Business Bureau that
is local to the vendor, and inquire about any complaints pending with the
agency. Another option is to try using one of the computer networks to inquire
as to the integrity of the vendor. If all else fails, try asking the vendor
for a brief list of other consumers with whom you can correspond about their
products. If the vendor refuses to grant such a list, this is generally
considered to be a warning sign against that vendor.
2) If you decide to purchase from the vendor, unless it is totally impossible
to do so, pay by a credit card. If you fail to receive what you've ordered,
the credit agency behind the card can stop payment on the item until the
matter is settled.
3) If you cannot pay by a credit card, pay by cashier's check from your bank,
S&L, or credit union. Prior to purchasing, ask your financial institution
whether they can offer the same sort of protection for the check as they can
with a credit card purchase. If they cannot, ask them to suggest an alternative
method of purchase.
4) While it's not feasible for some consumers, the best way to ensure that
the product you order is delivered into your hot little hands is to order via
COD. If the vendor refuses to ship COD, refuse to do business with them.
5) Under *no* circumstances should you ever pay by cash over the mail. COD is
only slightly more permissible, and a check should be used when possible. This
is especially true in the case of large purchases.
If you think you're the possible victim of mail fraud, and you've taken these
steps, you stand a better chance of getting the matter settled with a positive
result. If you think something's amiss behind your purchase, take the following
steps:
1) A good faith attempt to contact the vendor is in order. This does NOT mean
that one disconnected phone call constitutes a good faith attempt. Follow-up
the call with a second call the following day to ensure that the disconnection
was not a screwup on the part of either the vendor or the local phone company.
One report on Usenet years ago about one of Microsoft's support lines being
disconnected started a brief world-wide flurry of rumors regarding the
impending demise of Gates' then-minor empire.
If you paid by credit card, you can call the agency and request a stop payment
on the purchase. This usually will get a quick response from the vendor.
If you paid by anything other than a credit card, read on.
2) Send a letter of inquiry to the vendor. Have this letter sent registered
with the USPS. This usually costs an extra $1, and requires that the recipient
of the letter sign a green card of acceptance before being the letter is
officially delivered. This is a sign to a vendor that you mean business right
off the bat, and usually expedites matters about two steps down the chain
quicker than a normal letter.
3) If the letter is returned as undeliverable because the vendor could not
be located, attempt to locate through the USPS any sort of forwarding or
alternative addresses for the vendor. Some vendors use Post Office Boxes
which some local USPS sites have been known to change without notice, and
these changes take weeks to be reflected throughout the entire USPS system.
4) If the letter is returned as refused by sender, then a complaint can be
filed with the USPS for possible mail fraud. This will require forms being
filled out, and copies made of any correspondence with the vendor prior
to filing the complaint. Call in advance and ask for details so that you
bring everything the local Postmaster will need to pursue the matter further.
5) If the Postmaster determines that fraud may have occurred, the matter
becomes a Federal case, and is pursued accordingly. If the purchase was of
a significant amount, it may be wise to pursue the advice of a local attorney
with regards to your next steps.
A word to the wise: if the matter gets this far, don't expect to get your
money back any time soon, and don't expect to get it all back. In many cases,
such as the recent computer mail fraud situation in Southern California, the
consumer who failed to pay by credit card is usually the consumer whose only
satisfaction is knowing they helped prevent other consumers from being
defrauded as well.
It should be noted that the majority of shareware authors are persons of honor
and integrity, and as with any business there are times when accidents happen
and orders fall through the cracks. Before going half-cocked and filing a
formal grievance at the first sign of trouble, attempt to contact the vendor
and try to solve the problem in a friendly, professional manner.
Dear Editor:
I just saw someone locally that pulled the neatest "trick" I've ever seen...
also one that unfortunately removes much of the control over a subboard from
it's Host. I do not fault the person that showed me this: he only did this to
show me "Hey, look at what a neat thing I can do with your sub if I wanted to."
────────────────────────────────────────────────────────────────
This is the normal, typical setup in 4.22 to SUBSCRIBE to a sub
────────────────────────────────────────────────────────────────
A. Name : Drawing Down The Moon / Ritual Magick
B. Filename : DRAWING
C. Key : None
D. Read SL : 28
E. Post SL : 28
F. Anony : No
G. Min. Age : 0
H. Max Msgs : 75
I. AR : None.
J. Net info :
Network Type Host Flags
a) WWIVNet 5413 5413
K. Storage typ: 2
L. Val network: No
M. Req ANSI : No
N. Disable tag: No
O. Description: Pagan/Wiccan/Ceremonialist discussions, some chatter.
─────────────────────────────────────────────────────────────────────────
Here's a perfect example of how a SUBSCRIBER can GATE WITHOUT PERMISSION!
─────────────────────────────────────────────────────────────────────────
A. Name : Drawing Down The Moon / Ritual Magick
B. Filename : DRAWING
C. Key : None
D. Read SL : 28
E. Post SL : 28
F. Anony : No
G. Min. Age : 0
H. Max Msgs : 75
I. AR : None.
J. Net info :
Network Type Host Flags
a) WWIVNet 5413 5413
b) WWIVLink 5413 <HERE> Auto-Req Auto-Info
K. Storage typ: 2
L. Val network: No
M. Req ANSI : No
N. Disable tag: No
O. Description: Pagan/Wiccan/Ceremonialist discussions, some chatter.
My concerns are of *security* and *control*, by a Host, for their subs.
I did not create my subs merely to allow other Sysops unrestricted reign. The
above two screen capture sets show that *apparently* anyone can gate a sub, at
least to another network, without any form of permission from the original
host. At the minimum this offers several problems.
Say I wanted to prevent someone from subscribing to a sub. I can either put
the sub on manual updating, or I can opt to use auto"R"equest features and put
that node in DISALLOW.NET.
PROBLEM #1: Someone decides to gate my subs to perhaps a second network. A
banned system I'm disallowing to my sub has access to the second network. The
banned system effectively subscribes to my sub ANYHOW because they are picking
it up on the second network's gating of my sub.
PROBLEM #2: (more convoluted) A member of second network picks up my sub on
WWIVNet and gates it to perhaps IceNet. An IceNet member gates my sub over
to WWIVLink. A Link subscriber gates it to TeensieNet. A TeensieNet member
gates it to StupidNet. StupidNet member gates it to PubertyNet. etc, etc.
PROBLEM #3: In either of the above cases, who sends what to whom? Do I suddenly
lose total control over the subscription process? Do people now send request
notices to boards other than the original Host?!
PROBLEM #4: I have one of the two largest subs in WWIVNet, totalling 487
subscribers. Am I now being told that any one of those people can now each gate
my sub to have a dozen or more different networks?!
PROBLEM #5: And what about massive, I mean MASSIVE traffic flow problems? What
will happen when these gated and re-gated packets bounce several times across
the nation, possibly looping several times, before winding back at *MY* system?
(remember me, the HOST?!)
PROBLEM #6: Since other systems, other SUBSCRIBER systems, are now acting as
Co-Hosts to *MY* subs, could THEIR having NetVal or other flags override or
complicate any setting arrangements that are present on *MY* board? Could
THEIR having things like NetVal turned on for *MY* sub that they "poached"
cause outbound message from *ME* to have to be subjected to NetVal before THEY
allow *MY* Hosted message to pass THEIR gateway?! (remember me, the HOST?!)
Now these are all REASONABLE concerns in my view, and other people are going to
start asking the same questions once they read this message. If they haven't
already seen other similar pieces of seeming evidence. Frankly this scares me,
and drastically lowers my confidence in the way the network is changing if all
of this turns out to be true.
Furry Lover (1@5413)
Editor's Response:
This incident wasn't exactly unforseen, but at the same time there's not really
that much that can be done about the problem software-wise with regards to the
network executables. There's been a few ideas battered about on the various
sysop subs, but nothing comprehensive has been proposed so far.
Although no preventive fix currently exists for this potential abuse of gating,
this does not mean that the problem has simply been ignored by Wayne Bell. As
this month's column from the creator of WWIV and WWIVNet explains in clear
details, unauthorized gating of this sort is against WWIVNet rules, and should
be expected to be just as illegal on any of the other WWIVNet-based networks.
Dear Editor:
I have been getting a lot of E-mail about stopping WWIV from being hacked. I
made a standing offer on one of the subs about hacking that I would pay $100.00
to anyone that could hack my board, and that I would even give them 255 SL and
the system PW. No one took me up on it.
Anyway, I have written this short file on what I have done on my board to
protect it, and thought that you might want to consider putting it in the next
issue of WWIVNews. If not, or if you like the idea but need more meat, let me
know and I will add more to it, however I don't think that there is a lot more
to add that could make it any better.
──────────────────────────────────────────────────────────────────────────────
Here is what you should do if you want to make your WWIV hack-proof. I cannot
GUARANTEE it will stop hackers, but it should. I have offered hackers $100.00
if they could hack my board, and even offered to give them the system password
and 255 SL to help them out, but none has been able to do it successfully.
If you have the source, it will be VERY helpful. What you will need to do is
go into BBS.C and change all the // commands, especially //DOS, //EDIT, //LOAD,
//UEDIT, //CHAINEDIT, //REN, //MOVE, //DIREDIT, //LOG, and //CHUSER. You might
as well change them all. What you change them to doesn't matter, but make it
something completely unrelated to BBSing, for instance, change //DOS to
//TURTLE or something that they could never guess. This way, even if they get
255 SL AND your system PW, they will not be able to do anything.
DON'T have a C:\WWIV\DLOADS dir. Call it something else. Make sure that you
identify it in INIT. Call your C:\WWIV\TEMP dir something else, again making
sure that you let INIT know about it.
Change your system PW often, and DON'T GIVE IT TO ANYONE!!!! I cannot stress
this enough. Your BBS is only as secure as what you want to make it. If you
go giving out 255 SL's to people, you are asking for trouble. Even IF they
never do anything to you, someone could see them logging on sometime and get
their logon info, or they could copy all their script files from their term
program without your friend knowing it...all sorts of things can happen. I
cannot think of any reason to give someone 255 SL, and if you set up your //
commands like I have outlined above, even if they did log in as your friend,
they would not be able to do anything, unless of course your friend had all of
them written down by his computer or in a file somewhere.
Of course, there is not really a lot that you can do about stopping trojans and
viruses from being uploaded... a good upload event would help, although I'm
told that there is a viruses that is executed when Scan runs on it, so it
might be a good idea to write-protect your hard drive, and copy the file to
floppy and scan it. Most hackers are not out to upload viruses though. Most
of them want to get into your DOS somehow.
Common sense plays a HUGE role in BBS security. Use it.
Sam (1@2077)
Editor's Response:
Sam's suggestions are very good ones. In fact, many of them date back to the
old 3.21d days of WWIV, where renaming // commands was the easiest way to
make Wayne's solid spaghetti code a bit more bulletproof. This solution was
usually combined with the "Sysop Menu" mods that still find their way onto
the MODNET to this very day.
The same basic philosophy applied to changing directory names to something
nonstandard so as to confuse anyone who'd managed to hack into the system
remotely. If your BBS was in C:\123R3\SMARTPIC instead of C:\WWIV, then
odds are very unlikely that a hacker would take what little time he had to
snoop around every directory to find where WWIV really resided. When combined
with a mod or two to the source to make sure the shell to DOS placed the
hacker in the root directory, this became a very effective means of reducing
a hacker's time frame from which to work with.
Finally, the best way period to dramatically increase your system security is
to frequently change your system passwords - especially at the first sign of
any suspected attempt upon your system's security. Again, when selecting a
password, choose something that you can easily remember, but doesn't have
anything directly relating to you on a surface level. Some sysops use the
method by which the password is determined by a serial number of a part inside
the system itself. A BIOS revision number, SIMM OEM number, or even the slot
number in which their modem resides is not easily hackable by someone who has
no sysop-side access to the system itself.
Again, a little common sense can deter even the most experienced hacker.