... darkrealms ...

Forums before death by AOL, social media and spammers... "We can't have nice things"

alt.bbs.mystic

Mystic Sysops are mystical nerds...

11,847 messages

[ << oldest | < older | list | newer > | newest >> ]

Message 9,864 of 11,847

g00r00 to All

Re: Use passwords only if needed?

08 Apr 21 11:02:30

   From: nospam.g00r00@f215.n129.z1.fidonet.org   
      
    bu> So, if PKT does NOT have password but a password is configured, it should   
    bu> detect it and NOT use it, and at least provide a warning ' PKT password   
    bu> especified for address, but PKT does not require it' (instead of saying '   
    bu> invalid pkt'... which is not real. The PKT is fine, the problem is   
    bu> something else)   
      
   There is no error that says "Invalid PKT" in the current version. If that were   
   the error message I agree it'd absolutely need to be changed!  The error   
   message is "PKT passsord does not match password set for ".   
      
   In terms of the PKT password logic: I understand what you're saying but I am   
   not sold on changing it and let me explain why.   
      
   We cannot be sure a system connecting to you and saying its your hub is really   
   your hub, so the security provided by a PKT password is a two-way street.  In   
   other words if Mystic would ignore a missing password from an incoming PKT it   
   would create a big security hole.   
      
   Lets say for example you have a hub connection to 1:1/1 and you've configured   
   it to require a PKT password.  An unknown system connect to you and sends you a   
   PKT file "from 1:1/1" that contains 1,000,000 gibberish echomail messages.   
      
   Result 1 (Mystic today):   
      
   Mystic sees that the password you've configured for 1:1/1 does not match what   
   is in the PKT.  The PKT files are refused because Mystic cannot be sure the PKT   
   files are legit.  The error message is: "PKT password does not match password   
   set for 1:1/1"   
      
   (This message used to just be 'Bad password' but I've changed it)   
      
   Result 2 (if I changed it to not use it):   
      
   Mystic sees that the PKT does not have the password you've set up, but   
   processes it anyway.  Your BBS system is flooded with 1,000,000 gibberish   
   echomail messages from an unknown system pretending to be 1:1/1.  Your system   
   is also a hub for 10 other systems too and those 1,000,000 messages are sent to   
   the downlinks flooding the network with 11,000,000 gibberish messages.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)

[ << oldest | < older | list | newer > | newest >> ]