[DGD] Re: Net Security

[Sten Lindgren]

On Tue, 17 Mar 1998, Logic wrote:

> On Tue, 17 Mar 1998, Sten Lindgren wrote:
> > In my experience there is always one more security flaw that can be
> > exploited, and there will be those who try to explot them.
> 
> One could then argue that connecting a machine to the Internet opens up
> the potential for innumerable security issues, and that OS vendors who
> support this functionality are being irresponsible by opening such a
> potential security problem for the user.
> 
> People connect to the Internet everyday, you'll note, and quite
> successfully. Just as people use interpretive languages like DGD's LPC for
> doing basic networking everyday.

There is as I see it one big difference between muds and an syatem with
user. A mud is in general open to everyone, a lot of people do wiz and
thus get the ability to code, archwizards tend to change a lot and it only
takes on to make a mistake in order to open the possebility for anyone to
modify any code within the mud. On the average machine the userbase is
usually more controlled, one doens't usually change the core OS (which
include all security features) etc. Of cource security holes exists in any
system, they will always do, but in general my experience is that MUD
security is in general low, and even when it is high someone with improved
access usually do a mistake sooner or later making it possible for any
wizard/coder/whatever gain full access to the lib code.
Im very aware of that there are several flawys in existing OSes as well
and always will be, but in general one do know what users one got, where
they are from etc. This is usually not true in a mud.

> You would recommend, based on fear of your own skills, that others not
> make informed use of these features?

It is up to everyone to choose what risks they would take, but as I said I
would not want any such mud on my system knowing what level of security
most muds hold. Now of cource DGD could very well be used for other things
then traditional muds in which case outgoing network connections can come
in handy.

> Let's take the SMTP model a little bit farther: you implement an external
> SMTP gateway for the mud. It opens a connection to the mud itself (logging
> in as a special virtual user, for example), and communicates incoming
> email to the system (by some mechanism of bolting up to the locally
> installed email backend. It also receives outgoing email from the mud,
> injecting it into the local email backend, or directly delivering it
> either to a smarthost, or to the target system itself.

Actually outgoing SMTP and ingoing as well can be implemented without any
connection to the mud at all, I seem to recall a mud running a vanilla
3.1.2 driver doing just this.

> At this point, can you honestly say you've done anything different than
> native LPC network access? You've just increased the time it will take to
> implement (since you'll be spending a lot of time writing an external SMTP
> gateway) and you'll still have the same potential for abuse that native
> functions would allow (since you now have a two-way channel to a process
> running on the local system, which could potentially be bug-ridden). How
> is this different than simply providing networking primitives to the
> administrator, and charging them with the responsibility of securing their
> system appropriately, which they would NEED TO DO ANYWAY?
> 

An external process that is dedicated to do only one thing is less likely
to be possible to allow for any generic connection (even if the risk for
bugs do exist). Having the ability to open any port to any machine makes
it possible to basically anonymously attack a system if a standard wizard
manages to gain access to the socket funs in the mud.

(I wonder if this post made any sence at all.)


Sten Lindgren				ged at solace.mh.se




List config page:  http://list.imaginary.com/mailman/listinfo/dgd