That last one was morse code of course. I was thinking of doing a different code or puzzle each week for a while. That might liven it up. I wonder if there's a morse decoder ring? "It's morse, just morse." Oh that's a different morse isn't it? Also called Inspector with Lewis right behind.

--- Mystic BBS v1.12 A35 (Linux/64)
* Origin: Mystic AlphaTest bcw142.zapto.org:2323 (21:1/145.2)

On 09/07/17, bcw142 pondered and said...

That last one was morse code of course. I was thinking of doing a different code or puzzle each week for a while. That might liven it up.
I wonder if there's a morse decoder ring? "It's morse, just morse." Oh that's a different morse isn't it? Also called Inspector with Lewis
right behind.

I need to get back into the PGP stuff I was playing with a while ago... will look in to this in the coming days... be good to test some encrypted stuff
out.

--- Mystic BBS v1.12 A35 (Windows/32)
* Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)

I need to get back into the PGP stuff I was playing with a while ago... will look in to this in the coming days... be good to test some encrypted stuff out

I've been toying with the idea for some time to add encryption to
Magicka, not PGP, but just ordinary key based encryption where the sender
and receiver both know the key.

Might be fun, but I don't know that it would be much use.

Andrew


--- MagickaBBS v0.6alpha (Linux/x86_64)
* Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)

On 09/16/17, apam pondered and said...

I've been toying with the idea for some time to add encryption to
Magicka, not PGP, but just ordinary key based encryption where the sender and receiver both know the key.

i'd be interested in testing that... going to set up my pi again with the
view to having it runa copy of magicka, mystic and enigma on it... just need
to get some time to do it... i think i may have found a mystic bug but need
to test a theory on the pi first to confirm it before reporting it..


best, Paul

--- Mystic BBS v1.12 A35 (Windows/32)
* Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)

On 09/16/17, apam said the following...

I've been toying with the idea for some time to add encryption to
Magicka, not PGP, but just ordinary key based encryption where the sender and receiver both know the key.

This is a good place to test it. As far as not knowing if it will be used or how, there's the now 'old' build it and they will come ;) Once it exists
people will figure out uses and such. Encryption is where things are going,
it can be used to help weed out the hackers and cracking that is causing problems with the BBS. I'm sure ssh doesn't have as much trouble for that
very reason - encryption. I know they can't make it in my ssh ports and it's much harder to do DDOS on them as well. Anything that's pretty automatic and can be made in to a new 'standard' for BBS will likely help, it doesn't need
to be as much as ssh is.
Any 'code' could be 'encryption', even down to pig latin ;)
Itway'say allway aterway underway ethay idgebray overway oubledtray aterway. PS. 'pig' is part of bsdgames in Linux generally

--- Mystic BBS v1.12 A35 (Linux/64)
* Origin: Mystic AlphaTest bcw142.zapto.org:2323 (21:1/145.2)

On Saturday, September 16th apam muttered...

I've been toying with the idea for some time to add encryption to Magicka, not PGP, but just ordinary key based encryption where the sender and receiver both know the key.

The problem here is that there isn't much of a way to secure messages:
* If over telnet, you need to accept plain-text (user system -> host bbs) then
encrypt. Message is unsecure in transit + 3rd party (the bbs) has the plain text message
* If over SSH the second part still applies

With an external tool (e.g. PGP), users have security: They can paste the message in the FSE for example *already* encrypted. It's never in a compromised
situation.




--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

The problem here is that there isn't much of a way to secure messages: *

Yeah, my thinking was it would be entered into the FSE then you enter a password and it's encrypted and saved to the message base.

A sysop could potentially read the message, or even the key, both on the sender's end or the receivers end, but on any other boards that the
echomail travels to it would be encrypted.

I totally agree that PGP would be the more secure way to send encrypted comminucations, but apart from preparing the message offline and
uploading / copy pasting, I can't imagine how it could be built in
without the sysop having access to users private keys.

Like I said, might be fun, but I don't see much use ;)

Andrew

--- MagickaBBS v0.6alpha (Linux/x86_64)
* Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)

On Saturday, September 16th apam was heard saying...

uploading / copy pasting, I can't imagine how it could be built in without the sysop having access to users private keys.

I'm not sure that you could. No matter what, the message has to travel unencrypted to the board first.



--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On 09/17/17, apam said the following...

I totally agree that PGP would be the more secure way to send encrypted comminucations, but apart from preparing the message offline and
uploading / copy pasting, I can't imagine how it could be built in
without the sysop having access to users private keys.

The private key could be part of the BBS information. Only those with a
private key could use the encryption, but it could be added at any time.

--- Mystic BBS v1.12 A35 (Raspberry Pi/32)
* Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)

On 09/16/17, NuSkooler said the following...

I'm not sure that you could. No matter what, the message has to travel unencrypted to the board first.

No, you can use ssh. It would require ssh and wouldn't encrypt onless the
user was using ssh (and a private key stored on the bbs).

--- Mystic BBS v1.12 A35 (Raspberry Pi/32)
* Origin: Mystic Pi BBS bcw142.zapto.org (21:1/145)

On 09/16/17, bcw142 said the following...

On 09/16/17, apam said the following...

I've been toying with the idea for some time to add encryption to Magicka, not PGP, but just ordinary key based encryption where the se and receiver both know the key.

This is a good place to test it. As far as not knowing if it will be
used or how, there's the now 'old' build it and they will come ;) Once
it exists people will figure out uses and such. Encryption is where
things are going, it can be used to help weed out the hackers and
cracking that is causing problems with the BBS. I'm sure ssh doesn't
have as much trouble for that very reason - encryption. I know they
can't make it in my ssh ports and it's much harder to do DDOS on them as well. Anything that's pretty automatic and can be made in to a new

This whole area really interests me and I set this echo up for this kind of discussion and hopefully some development in this space.

I recall Nu in your TODO you were looking at mesh networking and had the end
to end security of communications in mind also?

I agree with comments about the irony of trying to secure comms if the poster is logged in via a telnet session. But assuming the login is a local one on a system sitting inside a home LAN then I guess that issue is negated.

As I understand it, the real issue becomes how to create a enviroment of
shared trust... so how does a key get exchanged in a secure way between two parties prior to the encrypted exchanges taking place?

Apam et al.. I do hope you can further bake some options in to your platforms as I'd be keen to help with the development of this.

Xqtr and I did so some work playing with Mystic MPL and PGP a while ago. I
just need to find all of the work again :) But the idea was to use the full screen editor and then have the output run through PGP then posted to the echomail area encrypted. It worked to a point but the shared key thing was
not flying as it should - does that sound right Xqtr?

Best, Paul

--- Mystic BBS v1.12 A35 (Raspberry Pi/32)
* Origin: Cryptogenic Radix (21:1/179)

I agree with comments about the irony of trying to secure comms if the poster is logged in via a telnet session. But assuming the login is a local one on a system sitting inside a home LAN then I guess that issue i negated.

Yep, if you're the only one using the BBS, then it wouldn't matter. I
guess in this day and age where we're all Sysops it could work, it's when
you add users to the equation it gets complicated.

As I understand it, the real issue becomes how to create a enviroment of shared trust... so how does a key get exchanged in a secure way between two parties prior to the encrypted exchanges taking place

You'd have to send the initial key some other way, ideally in person,
after that you could include subsequent keys inside the encrypted
message. That's why PGP would be wayy better because it solves the issue
of sharing the first key.

Apam et al.. I do hope you can further bake some options in to your platforms as I'd be keen to help with the development of this

I'd really like to, but as Nu said, the secrecy wouldn't be ideal, as
users messages could still be read by the sysop. I guess it would have to
come with some kind of disclaimer not to use it for nuclear launch codes
or the like ;P

Xqtr and I did so some work playing with Mystic MPL and PGP a while ago.
I just need to find all of the work again :) But the idea was to use the full screen editor and then have the output run through PGP then posted t the echomail area encrypted. It worked to a point but the shared key
thing was not flying as it should - does that sound right Xqtr

This would still suffer the same problem in that the sysop with the
shared key could read all the users encrypted mail.

So, while the sysop would have security, the users would only have an
illusion of security. I don't know if this is worse than having no
security at all in that, with no security the user is aware that his communication can be read.

As Nu said copy/pasting PGP encrypted texts is the best solution, I think
the most ideal would be an offline reader with a PGP plugin.

Andrew

--- MagickaBBS v0.6alpha (Linux/x86_64)
* Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)

apam wrote to Avon <=-

As Nu said copy/pasting PGP encrypted texts is the best solution, I
think the most ideal would be an offline reader with a PGP plugin.

If I use Eudora, I have Enigmail configured (that's why I export this echo as a mailing list to myself), and it's pretty transparent. I used to have a PGP encryption system in my old Bluewave setup that worked in a similar way to Enigmail. It was activated through the external editor hook, and ran before and after the editor was called. Was quite neat. :)


... The way some people find fault - you'd think there was a reward.
--- MultiMail/Win32 v0.49
* Origin: Freeway BBS - freeway.apana.org.au (3:633/410)

On Saturday, September 16th apam muttered...

As Nu said copy/pasting PGP encrypted texts is the best solution, I think the most ideal would be an offline reader with a PGP plugin.

Unfortunantely with BBS tech this is as good as it gets. As someone mentioned, some offline readers can help with this by auto-detecting PGP blocks and decyphering them if the key is available. ...and encrypting with the click of a
button. Web browsers can do this by running local JavaScript (e.g. never leave
the box) as well. I think with e.g. VTXClient or fTelnet, one may be able to use the proper browser plugin and just select the text to decrypt / encrypt. ...but having somehting built into the board isn't really viable :(



--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On Saturday, September 16th Avon was heard saying...

I recall Nu in your TODO you were looking at mesh networking and had the end to end security of communications in mind also?

Yup, this is still in my sights as well. I haven't started on anything but brainstorming though. ...want to wrap up a few more 'standard' BBS things first.

The idea is a fully decentralized and end-to-end encrypted system. One could imagine in a setup as such that a user-side encrypted mode could be entered such that no one but the user ever has the key in hand (e.g. encrypted before transmit)





--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

Hi apam!

16 Sep 2017 17:23, from apam -> Avon:

I've been toying with the idea for some time to add encryption to
Magicka, not PGP, but just ordinary key based encryption where the
sender and receiver both know the key.

Why not GPG/PGP?
They already exist, have been peer reviewed security wise and have key distribution in place.
What do you gain by inventing the wheel again (just worse).
(Read Phil Zimmermanns comments about his first try, and then reading it as an example of how NOT to do it ... security is hard, and it takes many tries and tons of review by security experts to get it up to a useable security level)

Might be fun, but I don't know that it would be much use.

I do not really see the usecase.
Regarding one of the follow up replies, I am shocked that anybody uses telnet any more in 2017 ...
As long as that is the case, forget encryption and work on eradicating that failure of history!

CU, Ricsi

--- GoldED+/LNX
* Origin: Optimist laugh to forget - Pessimists forget to laugh. (21:1/104)

Hi apam!

17 Sep 2017 07:42, from apam -> NuSkooler:

Yeah, my thinking was it would be entered into the FSE then you enter
a password and it's encrypted and saved to the message base.

THAT can be done also with PGP.
It supports a symmetric mode, where you can enter a password, and it will encrypt the file/text.
The receiver can decrypt it with the same password.

CU, Ricsi

--- GoldED+/LNX
* Origin: This fellow's wise enough to play the fool. (21:1/104)

Hi bcw142!

16 Sep 2017 19:09, from bcw142 -> apam:

The private key could be part of the BBS information. Only those with
a private key could use the encryption, but it could be added at any
time.

Sorry to play advocatus diaboli.
But why on earth would anybody trust his secret key to a piece of SW so little peer reviewed and potentially buggy as todays BBSes?

Take a look at how hard it is for big corporations with large security teams not to get hacked.
If that happens to those relatively badly written BBSes, all that information is in the public.

"badly written" when compared to large SW projects with security reviews.

CU, Ricsi

--- GoldED+/LNX
* Origin: Cats love work; They can sit and watch it for hours. (21:1/104)

Hi Vk3jed!

17 Sep 2017 17:35, from Vk3jed -> apam:

As Nu said copy/pasting PGP encrypted texts is the best solution,
I think the most ideal would be an offline reader with a PGP
plugin.

If I use Eudora, I have Enigmail configured (that's why I export this
echo as a mailing list to myself), and it's pretty transparent. I
used to have a PGP encryption system in my old Bluewave setup that
worked in a similar way to Enigmail. It was activated through the external editor hook, and ran before and after the editor was called.
Was quite neat. :)

Same can be done with Golded.
Sadly I was still to lazy to recover my GPG key from the old HDD.

CU, Ricsi

--- GoldED+/LNX
* Origin: Free advice is seldom cheap. (21:1/104)

Why not GPG/PGP? They already exist, have been peer reviewed security
wise and have key distribution in place. What do you gain by inventing th wheel again (just worse). (Read Phil Zimmermanns comments about his first try, and then reading it as an

I didn't plan on 'reinventing the wheel' just using a key based
algorithm instead of PGP. The reason for not using PGP is the users key
would have to be stored on the BBS, and the sysop would have access to
them, regardless of how buggy modern bbses are, this is a problem.

I do not really see the usecase. Regarding one of the follow up replies,
I am shocked that anybody uses telnet any more in 2017 ... As long as tha is the case, forget encryption and work on eradicating that failure of history

Magicka supports SSH.

Andrew


--- MagickaBBS v0.7alpha (Linux/x86_64)
* Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)

THAT can be done also with PGP. It supports a symmetric mode, where you can enter a password, and it will encrypt the file/text. The receiver can decrypt it with the same password

You do realize PGP isn't an encryption algorithm, but a frontend that
uses them? What is there to gain from using PGP than using another crypto-library directly.

Andrew

--- MagickaBBS v0.7alpha (Linux/x86_64)
* Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)

On Saturday, September 23rd apam was heard saying...

I didn't plan on 'reinventing the wheel' just using a key based algorithm instead of PGP. The reason for not using PGP is the users key would have to be stored on the BBS, and the sysop would have access to them, regardless of how buggy modern bbses are, this is a problem.

I (think) what he was saying is rolling your own crypto is generally considered
a no-no unless you're a crypto expert. And rightfully so: Creating secure crypto is very hard, so it's better to use a well used and trusted system 99.9%
of the time.

*Any* crypto in a BBS that doesn't rely on you pasting/uploading pre-encrypted data is going to suffer from the two problems I described previously: Trust (you can't!) and plain-text travel.



--- ENiGMA 1/2 v0.0.8-alpha (linux; x64; 6.11.3)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

I (think) what he was saying is rolling your own crypto is generally considere
a no-no unless you're a crypto expert. And rightfully so: Creating
secure crypto is very hard, so it's better to use a well used and trusted system 99.9
of the time.

Yes, I'm aware that trying to invent your on cryptography is usually not
a good idea, I wasn't planning on doing that. I was thinking about using
an already established algorithm, (XTEA as it's fairly easy to
implement).

*Any* crypto in a BBS that doesn't rely on you pasting/uploading pre-encrypte
data is going to suffer from the two problems I described previously: Trust (you can't!) and plain-text travel

Yeah, it depends on who you trust, if you trust the System operator and
are using SSH, then it wouldn't matter so much. In the game second life, encryption is often used in objects that communicate with other objects,
anyone at Linden Labs could easily see what you're communicating, but the
point was to hide it from the people you were selling the objects to so
they couldn't reverse engineer etc.

Now if my users trust me, and they trust the sysop the message will be decrypted on then it would be ok, why then encrypt, you might not trust
someone on the way.

If you take users out of the equation and just want to have secure sysop
to sysop communication, that would also work.

What wouldn't work is calling a random system and expecting your
communications to be secure.

Andrew

--- MagickaBBS v0.7alpha (Linux/x86_64)
* Origin: Exotica BBS - telnet://exoticabbs.com:2023/ (21:1/125)

Richard Menedetter wrote to Vk3jed <=-

If I use Eudora, I have Enigmail configured (that's why I export this
echo as a mailing list to myself), and it's pretty transparent. I
used to have a PGP encryption system in my old Bluewave setup that
worked in a similar way to Enigmail. It was activated through the external editor hook, and ran before and after the editor was called.
Was quite neat. :)

Same can be done with Golded.
Sadly I was still to lazy to recover my GPG key from the old HDD.

I have my system on a virtual hard disk, the problem is in getting VirtualBox to mount the image. As soon as I attempt to add a second drive to the OS/2 VM, VirtualBox crashes. :(


... Budget: a mathematical confirmation of your suspicions...
--- MultiMail/Win32 v0.49
* Origin: Freeway BBS - freeway.apana.org.au (3:633/410)

Hi apam!

24 Sep 2017 08:53, from apam -> Richard Menedetter:

THAT can be done also with PGP. It supports a symmetric mode,
where you can enter a password, and it will encrypt the file/text.
The receiver can decrypt it with the same password

You do realize PGP isn't an encryption algorithm, but a frontend that
uses them? What is there to gain from using PGP than using another crypto-library directly.

Yes ... I realize that.
Depends on the state of the crypto library.
If done correctly it can be as secure as using an existing and proven solution. The problem is the IF above ... that is a big if, and one can make big mistakes
by using the crypto libraries in a wrong way.
Using them securely is not a trivial task, and it is not to be taken lightly.

Great that Magicka supports SSH!

CU, Ricsi

--- GoldED+/LNX
* Origin: I thought that you thought... must be a mistake. (21:1/104)

Hi Vk3jed!

24 Sep 2017 12:34, from Vk3jed -> Richard Menedetter:

I have my system on a virtual hard disk, the problem is in getting VirtualBox to mount the image. As soon as I attempt to add a second
drive to the OS/2 VM, VirtualBox crashes. :(

A shot in the dark.
I think some VirtualBox containers can be read by VMWare ...
You can try if VMWare can open it.

Holding my fingers crossed!

CU, Ricsi

--- GoldED+/LNX
* Origin: Mary had a little lamb... a little beef, a little ham. (21:1/104)

On 09/24/17, apam pondered and said...

THAT can be done also with PGP. It supports a symmetric mode, where yo can enter a password, and it will encrypt the file/text. The receiver decrypt it with the same password

You do realize PGP isn't an encryption algorithm, but a frontend that
uses them? What is there to gain from using PGP than using another crypto-library directly.

So in my test case I have PGP set up and (from memory) it's set to use a certain style of encryption and then I just provide it with the source text
and a simple key to use to encode that source text.

We could try an open test to confirm that much works if you like? :)

Best, Paul

--- Mystic BBS v1.12 A35 (Windows/32)
* Origin: Agency BBS | telnet://agency.bbs.geek.nz (21:1/101)

I have my system on a virtual hard disk, the problem is in getting
VirtualBox to mount the image. As soon as I attempt to add a second
drive to the OS/2 VM, VirtualBox crashes. :(

A shot in the dark.
I think some VirtualBox containers can be read by VMWare ...
You can try if VMWare can open it.

It can open some of them, and you can export them from VirtualBox. But VMWare and Oracle (VirtualBox) seems to have slightly different ideas on what the proper format is.



-joho

---
* Origin: Stockholm | Sweden (21:3/101)