-
May 28th, 2002, 11:54 PM
#11
*smokey the bear voice* Only YOU can delete this thread! Do it now!
I know you're out there. I can feel you now. I know that you're afraid. You're afraid of us. You're afraid of change. I don't know the future. I didn't come here to tell you how this is going to end. I came here to tell you how it's going to begin. I'm going to hang up this phone, and then I'm going to show these people what you don't want them to see. I'm going to show them a world without you, a world without rules and controls, without borders or boundaries. A world where anything is possible. Where we go from there is a choice I leave to you.
-
May 28th, 2002, 11:58 PM
#12
And please change your sig. It's messing up the pages.
-
May 29th, 2002, 12:03 AM
#14
-
May 29th, 2002, 12:03 AM
#15
-
May 29th, 2002, 12:09 AM
#16
in an effort to save this lame thread....
http://www.moo.mud.org/moo-faq/moo-faq-1.html
1.7 What kind of security risk is running a MOO server?
(Most of the facts for the below answer come from thread on MOO-Cows about this subject. Most of the text, too. Thanks to Jay Carlson ( [email protected]) and Ian Macintosh ( [email protected]).)
Disclaimer: Everything said here is an identification of a risk I am aware of. I am not a security expert. There may be other risks or the risks I mention below may be of other forms. As with any other answer in this FAQ, I welcome submissions on this subject.
One of the first things to keep in mind with computer security is ``what are we trying to protect from whom?''. The threat that the unmodified MOO server poses to the server machine is limited to denial of service attacks. A MOO programmer could use all the memory, CPU, or disk on the partition that MOO is dumping to. The server itself provides no access to the filesystem (though there are patches that do) or other operating system services.
If you have OUTBOUND_NETWORK turned on, there are a few threats to machines on your local net if they use some sort of ill-configured IP-address-based trust mechanism. Only sites that rely on the dubious security of address-based trust will need to worry about this. Your network admins will know if they have such an assumption built into your network, and can remedy this by taking your server machine out of the trust list. Now that MOO can speak binary data, the number of services you could potentially attack through it has increased. I still do not think it is a problem unless you use address-based authentication for things.
If you have OUTBOUND_NETWORK turned on, your machine could be a threat to the Internet as a whole by laundering connections---an attacker connects to your server, and then connects through it to the machine they're really after, to make tracing their connections more difficult. The chance of this is vanishingly small; there are far more convenient anonymous sites out there that are perfectly able to launder connections for the cracker community.
By running any sort of visible and popular network service, you become more of a target for conventional cracking attacks. This risk is not exclusive to MOO; hosting a popular web page will make it more attractive for people to attack you. Depending on your level of visibility, you may want to tighten up general security on your machine or site.
Some organizations have other concerns. A MOO server may allow organizational mapping, or accidental disclosure of proprietary information, or whatever. If you're a company that has issues like this, you already understand these things or have people at your site that do. Go talk to them. Feel free to ask them how the MOO server is more dangerous than existing communications mechanisms such as electronic mail or the telephone.
"I used to be With IT. But then they changed what IT was. Now what I'm with isn't IT, and what's IT seems scary and weird." - Abe Simpson
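The FAQ's remedy for the OUTBOUND_NETWORK risk is to take the MOO machine out of any address-based trust list. The following is an added example, not part of the post above or of the FAQ: a small audit that flags `hosts.equiv`-style and NFS-exports-style entries that would admit the MOO host. The sample file contents, the address 192.0.2.10 and the name moo.example.net are constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample trust files (documentation addresses, not from the thread).
HOSTS_EQUIV = """\
# rsh/rlogin host trust
build01.example.net
192.0.2.10
-192.0.2.99
+
"""
EXPORTS = """\
/home 192.0.2.0/24(rw) backup.example.net(ro)
/srv/pub *(ro)
/data 198.51.100.7(rw,no_root_squash)
"""

def covers(token, ip, names):
    """True if a trust-file host token would admit the MOO host."""
    if token in ("", "+"):          # bare "+" or empty NFS client = everyone
        return True
    if any(fnmatch(n, token.lower()) for n in names):
        return True
    try:
        return ip in ipaddress.ip_network(token, strict=False)
    except ValueError:              # hostname or netgroup, not an address
        return False

def audit(text, kind, moo_ip, moo_names):
    """Return (line_no, token) for every entry that trusts the MOO host."""
    ip = ipaddress.ip_address(moo_ip)
    names = {n.lower() for n in moo_names}
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        # hosts.equiv: first field is the host; exports: fields after the path
        tokens = fields[:1] if kind == "equiv" else fields[1:]
        for tok in tokens:
            if tok.startswith("-"):     # explicit deny entry; ordering not modelled
                continue
            host = tok.split("(", 1)[0]
            if covers(host, ip, names):
                hits.append((no, tok))
    return hits

if __name__ == "__main__":
    for kind, text in (("equiv", HOSTS_EQUIV), ("exports", EXPORTS)):
        for no, tok in audit(text, kind, "192.0.2.10", ["moo.example.net"]):
            print(f"{kind}:{no}: trusts MOO host via {tok!r}")
```

Wildcard entries are reported even when the MOO host is not named, since they trust it along with everything else.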
-
May 29th, 2002, 01:29 AM
#18
aislinn, Aria, BTBAM, chevelle, codeseven, Cky, dredg, evergreen terrace, from autumn to ashes,hopesfall, hxc, luti-kriss, nirvana, norma jean, shai hulud, this hero dies, tool, underoath, zao,
-
May 29th, 2002, 09:00 AM
#20