[MUD-Dev] Identity Theft and MUDding

Anthony R. Haslage ucmm at inetsolve.com
Mon Jun 18 23:41:28 CEST 2001 

I posted this at The MUD Journal as well as submitted it to Imaginary
Realities.  Feel free to email me directly with questions or addition you
would like.  Updates will be made to the TMJ copy when they become
available.

Identity Theft and MUDding - Ntanel StormBlade of MudWorld
http://mudworld.inetsolve.com/ - ucmm at inetsolve.com

We are at a day and age where people in the community want to be known
and respected.  Many people slowly work up over the years and gain both
wisdom and respect.  Others do almost nothing and as well wish for the
respect of others.

Obviously, if you want to be someone who is both wise and respected,
you need to go the long, hard road and very slowly work upwards.  It is
alright to make a few mistakes as long as you learn from them.

However, there are now people who decide one day, "Hell, I want to be
able to gain access to places I normally could not and get the respect
I feel I deserve!".  Some of these people will work for it, but then
others will be the ones who steals your identity and use it to gain
what they want.

Again and again identity theft occurs.  Some are innocent enough, but
others use it as a way to gain access to things they would normally
never gain access to.  Let us define the different forms of indentity
theft.  We will also describe ways to detect the true identity
stealers.

A. Identity Theft - Case 1
You are a MUDder who strongly believes the codebase you most commonly
use is the best in the world.  You respect the designers and may even
think of them as gods.

You are in search of a new MUD for any reason and find a MUD which you
found at MudWorld or TMC which seems like it be fun, by its'
description alone.

You log into the MUD which you had known, by its' description, was a
SMAUG.  You see on the greeting the names of only the MUDs staff and
as you log in, nothing mentioning the Diku or Merc creators at all.

You eventually finish character creation as well as reading the MOTD to
discover not even those have a mention of the creators of Diku or Merc.
Checking the help CREDITS file again you notice something is missing.

You take it apon yourself to make it known that the MUD owners are
breaking the license which requires certain information on the GREETING
and CREDITS help files.  You make a comment to the administrator
available that he or she is breaking the license.  He or she then tells
you, "We were told we did not have to." or "Goto HELL!" and punishes
you.

Once you realize they will not comply, you try to email the codebase
designers about the license breaking.  The designers never get back to
you and after a few days you revisit the same MUD and discover nothing
has changed.

You finally become so angered by the disgrace these people have made of
the codebase that you love, you decide to force them to follow the
license yourself, but how?

You decide on which person would be most likely to visit a MUD who
breaks a license, so you take on thier persona.  You may make up an
email account at hotmail with that person's name and log into the MUD.

Welcome to the official identity theft club!

You complete character creation and arrive in room 100 and stand there
for god knows how long.  An administrator finally realizes you standing
there, or simply tried to ignore you and could not, and transfers you
to him or herself.  You then end up at the point of no return by saying
you are the persona of the person you are logged in as.

The administrator welcomes you and asks what you need.  You reply that
they administrator was breaking the license and needs to comply before
there is trouble for them.  Now, depending on how high the chain of
command this administrator is, you may get the "We were told we did not
have to." excuse or "Ok, I will follow the license.".

There is no real way you can find out who told them it was ok, if they
stick with the "We were told we did not have to." excuse, unless they
tell you.  If they do tell you and you find out it is a big lie, what
can you do?  Surely, arguring it with them could make a bad problem
worse.  Reporting it to the license holder is all you can and should
do.

Now, If they decided to follow the license, then you did what you set
out to do, all because you love the codebase.  Perhaps, never again you
will steal an identity no matter who or what it benefits.

However, as helpful as you were trying to be, you committed a crime the
FBI (In the U.S.A.) loves to prosecute, be happy you did not go any 
further.

B. Identity Theft - Case 2
Ok, let us say that in case 1 did work out and you have started to like
the respect you gained from the persona you have stolen.

You then find people emailing your fake email address as if you were
the real person.  They know you by the reputation you stole and because
you gave your email out to a few people, they passed it on to others
who could use your services.

You find yourself as your stolen persona on many MUDs.  You are given
high ranking staff positions you could never get before as yourself.

Then you are asked to help here and there.  You eventually realize you
could now start your own MUD, but you could avoid doing any work if
you plan it right.

Someone emails you asking that your coding knowledge would be very
useful to them.  You think to yourself, maybe this is the code I could
use as my own MUD.  Maybe this is the thing I am looking for to help me
get even further.

So you log into the MUD where the owner presents to you the keys to the
code that will be your new MUD.  They ask you to fix something simple
and you may actually be able to fix it.

You log into shell and fix the bug, but then you decide to quickly wipe
the object files and copy the entire MUD.  While you compile, you login
to the shell again using another window and grab the copy of the MUD
which you had just made and download it.  Then you purge the file you
just made, finish compiling, logout and tell the owner, "I am all
done.".

The owner, or shall we say victim, pats you on the back, shakes your
hand, bows and you logout.

You rub your hands together in excitement of your new MUD that you have
just stolen.  All you need to do now is remove the pfiles, logs, alter
any additional files, compile and start it up.

The MUD runs and you may have just gotten away with it.  You altered
the stolen code just enough where only the true owner would know it was
thier code.

What can happen to you now?  You got away with it free and clear.

Well, you broke the law in most countries when you stole the persona of
another.  You have now gone one step further and have become a hacker.

You ask, "Is not a hacker someone who accessed a server or account
which they did not have permission to enter?".  The answer is yes.

You just logged in as someone else, meaning you did not actually have
permission to access the shell.  The person whos' persona you stole was
the only person who had a right to access that shell.  Not to mention
the fact you took files which you had no permission to take, even as
the persona you stole.

Now however, the owner has found in the server logs the MUD was copied
by the persona you logged in as.  So the owner now has no choice but to
report to either the persona's employer or FBI of the offense.

You just committed the perfect crime, did you not?  The person whos'
persona you stole is being blamed.  But then, you remember you forgot
you left an ISP marker, the additional server and MUD logs.  The owner
has the time you logged in and by simply contacting your ISP, you can
be traced.

ISPs have the habit of directly reporting to the FBI, they will not
even tell you that you have been fingered.  However, you may find that
the next day your internet access is gone and men in suits are at your
door.

Think because you are a minor nothing can happen to you?  Well, guess
again!  In the U.S.A. you can get atleast 3 months in a Detention Hall.
As an adult, the time you spend in prison could be many years.  Either
way, after you get out, it will be hard to get another internet account
with many companies.

C. Something to Think About
Did you know there is a blacklist of hackers available to ISP, cable
and telephone services?  All they need to do is cross-reference a name,
address, social security number or other personal information and know
if you have been naughty or nice.

In my state, it takes a minimum of 1 week to have a background check
completed on you to see if you can be trusted or have past hacker
complaints made against you.  It only takes a few minutes to check to
see if someone is a hacker on the blacklist.

The internet, cable and phone services are growing so fast that there
are thousands of new accounts requested daily for each individual,
centralized service local to you.  This is the only reason some turn-
around times are a week or more, requests are taken in the order they
are recieved.

D. Detecting the True Identity Stealers
Unless a codebase designer has an autobiography written and an identity
thief just happens to own a copy, there are ways to find out if the
person is a fake.  Ask questions which you know you have a 100% correct
answer.

1. The person would know thier own real name.
2. The person would know where to download thier own codebase and where
   thier MUD or website is located.
3. They should be able to log in from the site or server they are most
   commonly known to be from.
4. They will not log in and make it seem totally automated.
5. Last and most important, they will answer quickly and accuratly
   without losing any patience.  You can tell of alterior motives when
   someone loses patience and/or demands they are who they say they
   are without proving it first.

E. How to Report Hacking
Call your local FBI office if you are in the U.S.A.  Otherwise, contact
a local law enforcement office on a non-emergency line for the number
or simply open a phonebook and look.

If you have logs which entail times, DNS/ISP and other indentifying
information, they FBI may request your harddrive.  Make a backup before
you hand it over, in many of the cases they will wipe it clean when
finished.  Before you even make a call, you need proof.

Frankly, this even goes for viruses.  How do you think many places know
about any of them?  The FBI is usually the first to be informed and
passes the information to the proper places.

F. In Closing
This will be an ongoing editorial.  I will add to it as more becomes
available.  It would be interesting to have admin submit to me ways to
prove they are themselves if and when they visit your MUD.

You can catch this at both Imaginary Realities
(http://imaginaryrealities.imaginary.com/) and updates will be posted
at The Mud Journal (http://www.inetsolve.com/~ucmm/TMJ/editorials/).

--------------------------------------------------------------------------
Haslage Net Electronics   "We Work for You!"   Co-Owner Anthony R. Haslage
Http://ucmm.dhs.org/~ucmm/                       Email: ucmm at inetsolve.com
--------------------------------------------------------------------------
President Ntanel R.P. StormBlade   AMRO, TMJ, UCMM, WIN & HNEM: AudioRealm
IFT Command Template Webmaster      Captain of the USS LaPorte NFC-77311-A
--------------------------------------------------------------------------



MUD-Dev mailing list
MUD-Dev at kanga.nu
https://www.kanga.nu/lists/listinfo/mud-dev

More information about the mud-dev-archive mailing list