Re: RE: Secure Comms
By: NuSkooler to Digital Man on Fri Dec 21 2018 10:55 pm

On Friday, December 21st Digital Man was heard saying...

Not exactly. What g00r00 described is generally known as "explicit TLS", where one of the peers (the client in this case) requests to transition to a TLS-protected stream (also called "opportunistic TLS", e.g. how SMTP STARTTLS works).
A TLS-proxy would require a TCP port dedicated to a TLS-only mode and this is what is called "implicit TLS" (e.g. how HTTPS works).

Heh, thanks for the explinations. I've implemented TLS proxies and MITM more than once from scratch so I'm quite aware of the flavors.

It could still be done with HAPROXY or similar, but it's a shame that it's custom really.

Yup. Implicit TLS is considered more secure, but requires a separate/unique TCP port number, which was originally frowned upon by the IETF dudes but has since been embraced as how TLS protocols "should" be done.

digital man

This Is Spinal Tap quote #16:
David St. Hubbins: I believe virtually everything I read...
Norco, CA WX: 54.6�F, 79.0% humidity, 0 mph SSW wind, 0.00 inches rain/24hrs --- SBBSecho 3.06-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (21:1/183)

On 22-Dec-2018 10:19, Tiny wrote to apam <=-

Sqlite hasn't been through the FTSC. Totally not something that
could
handle something as important as fightonet.

HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!!!!! :D


... And now for something you'll really like! -Rocky
--- MultiMail/Win
* Origin: Bush Track BBS (21:1/109.1)

I'm not sure at least those first two statements are true at all.
"SQL" is simply a language. If we're talking SQLite (I think we are),

Yep sqlite, but I also plan to make mysql a possiblity, I think it could
be useful if people want to design their own php-mysql type interfaces on
top of it.

I'd wager "it" is certainly much faster than any JAM et. al. based
message format. Multiple index
types, and data structures that have been mulled over by many people
for many many iterations beat the hell out of the old formats. Not a
whole lot of resources, either. These systems work in very tiny
embedded scenarios.

Well I don't know, I guess it depends on how you are using SQLite. For
example I would bet Enigma's Sqlite message bases are faster than
magicka's just because I think you know your way around sqlite better
than me.

Dependency I *guess* could be a claim, but
linking in a single C file is hardly that (of course it can be a pain

Yeah that's not an issue for me. SQLite is used for the filebases and
userbase and other things so is already a dependency.

Now if someone wanted to use MySQL, Postgres, etc. in a BBS... sure.
Though again, I *hihgly* doubt you'd even approach the speed.

Mysql would just be linking to the connector i think, and of course you
have to install mysql - so yeah thats a bit more of a dependency, but the
idea is you don't HAVE to, and I expect most people wont use that as a
message base, but those who want to (for whatever reason) can.

Andrew

--- MagickaBBS v0.12alpha (Linux/x86_64)
* Origin: The Fat Sandwich - sandwich.hopto.org:2023 (21:1/125)

I mean, yeah SQL is arguably slower, as factually more of a resource and introduces more dependency. What are the benefits though?

I'm not sure at least those first two statements are true at all. "SQL"
is simply a language. If we're talking SQLite (I think we are), I'd
wager "it" is certainly much faster than any JAM et. al. based message format. Multiple index types, and data structures that have been mulled

If its faster its only because it uses a massive outrageous amount of memory
to keep things in memory. At the end of the day you're comparing a system
that parses syntax then performs work based on that syntax and returns formatted results. The work it performs boils down to the same work you'd do directly without SQL...

Its absolutely not faster than directly reading the data unless those things are entirely in memory, in which case you can also do the same with a direct approach.

The only benefit of SQL would be that it is designed for parameter based queries and in that case it excels, but for reading a writing a blob of data from a file its going to be faster to do it directly assuming you index properly.

A long time ago I did benchmarks vs SQLite when we voted to use it or not
(the vote was to stick with what is there) and there wasn't a gain in doing
so, and also SQLite struggled significantly when dealing with multiple simultaneous transactions...

This was a long time ago though, and no doubt a lot of that has been resolved or worked around by now.

In this specific case... You also lose the ability to use so many 3rd party applications... there are tons of statistic and maintenance utilities as well as tossers that work with JAM.

Not saying its horrible to use SQLite, I'm just saying that shitting on the existing format isn't really founded.

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

I guess I'm more interested in simply putting a TLS proxy in the middle
so no code needs written. I'd rather not play in the Bink source code myself. TLS is a transport, so it doesn't really care what's traveling
on it. Seems like that's what you described, so a simple proxy should
work fine.

If you're talking about an encrypted transport only yes, but authenticity needs to be considered by the application and of course the client and server need
a way to handshake.

You could proxy it but you wouldn't be doing opportunistic TLS you'd have to just have it sitting on an SSL port right?

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

I mean, yeah SQL is arguably slower, as factually more of a resource hog, and introduces more dependency. What are the benefits though?

No clue man. None at all. My point is why not move foward away from
dos shit? Maybe when someone does something new and exciting we will
find benefits? Maybe not. I'm just saying why not try?

Yeah I agree if you are doing it new, it makes sense.

I guess I am just saying don't be so quick to hate on the old stuff, because the benefits of switching and rewriting everything for us old folks aren't really that great.

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

Yup. Implicit TLS is considered more secure, but requires a separate/unique TCP port number, which was originally frowned upon by
the IETF dudes but has since been embraced as how TLS protocols "should" be done.

Yeah there is a potential for man in the middle attacks on anything that does an opportunistic handshake. Of course, that is easily avoidable if the client and or server simply refuse to operate in a non-SSL mode. I made sure to include those options in Mystic's BINKP.

If others started to implement an implicit TLS for BINKP I would as well, I just started here since no one really has to change any configurations to
adopt it.

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

Yup. Implicit TLS is considered more secure, but requires a separate/unique TCP port number, which was originally frowned upon by the IETF dudes but has since been embraced as how TLS protocols "should" be done.

I wouldn't say "considered more secure" about TLS as much as I'd say "STARTTLS is simply not secure at all". This has been well researched and known for quite
some time now. An attacker simply strips the flag out and viola: No TLS.



--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On Saturday, December 22nd apam muttered...

Well I don't know, I guess it depends on how you are using SQLite. For example I would bet Enigma's Sqlite message bases are faster than magicka's just because I think you know your way around sqlite better than me.

Of course I'm writing this with the assumption of a comparison against SQL that's written properly. I haven't looked at your SQL, but I doubt it's "bad". It's not overly complex for the type of stuff we're doing.



--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On Saturday, December 22nd g00r00 muttered...

If its faster its only because it uses a massive outrageous amount of memory to keep things in memory. At the end of the day you're comparing a system that parses syntax then performs work based on that syntax and returns formatted results. The work it performs boils down to the same work you'd do directly without SQL...

No, that's now how SQLite works. Yes, it *does* utilize a *cache* -- if enabled
-- and only of data you've already processed. This cache is tiny.


On Saturday, December 22nd g00r00 muttered...

Its absolutely not faster than directly reading the data unless those things are entirely in memory, in which case you can also do the same with a direct approach.

'Cept it's not. SQLite does the exact same thing (as you stated previously): Read from disk. The difference is the data structures are much better than that
of ie JAM or Joe Blow's hand rolled format. This is due to years of thousands of people using and improving the algorithms, indexes, and so on. Sure, Joe Blow could create a highly optimized forma. But that's not what we're talking about here. We're talking about old JAM, QWK, etc.


On Saturday, December 22nd g00r00 was heard saying...

The only benefit of SQL would be that it is designed for parameter based queries and in that case it excels, but for reading a writing a blob of data from a file its going to be faster to do it directly assuming you index properly.

See above. SQLite reads the same blobs as pages.

There is no magic here, there is years of optimization and testing. The thing is one of the most heavily used libraries on the planet next to the Linux kernel. It's in everything, and has been optimized as such.


On Saturday, December 22nd g00r00 was heard saying...

This was a long time ago though, and no doubt a lot of that has been resolved or worked around by now.

This must have been a very long time ago :D

On Saturday, December 22nd g00r00 muttered...

In this specific case... You also lose the ability to use so many 3rd party applications... there are tons of statistic and maintenance utilities as well as tossers that work with JAM.

Can't argue that. And I think that does have a lot of merit. I debated using my
own (SQLite) format vs JAM for this very reason. To support JAM for instance on ENiG, I'd have to write an import/export type bridge.

On Saturday, December 22nd g00r00 muttered...

Not saying its horrible to use SQLite, I'm just saying that shitting on the existing format isn't really founded.

I don't think anyone is shitting on it (at least I'm not), but I will absolutely say that we've (programmers, collectively) learned a lot from years ago and have very much improved formats. Going back at looking at some of the old formats often gives me a good laugh. We thought something was a good idea, but clearly there are better ways. A lot of concepts we take for granted weren't even thought of yet. It's fun to see new code on old hardware (and using the same old compilers/etc.) for this very reason. Same machine, same tools can push it much harder.




--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On Saturday, December 22nd g00r00 was heard saying...

If you're talking about an encrypted transport only yes, but authenticity needs to be considered by the application and of course the client and server need a way to handshake.

Authenticity of client (client cert validation) and of the server (server cert validation) are both built into TLS. Public keys could simply become part of the FTN applicaiton process.


On Saturday, December 22nd g00r00 was heard saying...

You could proxy it but you wouldn't be doing opportunistic TLS you'd have to just have it sitting on an SSL port right?

At first I thought you had implemented pure always-on TLS. In this case a proxy
is much easier. In the case of STARTTLS it may still be possible with scriptable (why I mention HAProxy) application-level aware proxies where the flag could be checked and TLS termination kicked into play. Much harder, and may actually *not* be possible wihthout custom code though.



--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

Yep sqlite, but I also plan to make mysql a possiblity, I think it could be useful if people want to design their own php-mysql type interfaces on top of it.

(Puts on CISSP hat)

I'm a strong advocate of avoiding exposing a DBMS to PHP whenever possible. :)

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

Not saying its horrible to use SQLite, I'm just saying that shitting on the existing format isn't really founded.

Agreed with your sentiment here. Though I have to wonder, doesn't something
as mature as modern SQLite come with all kinds of monitoring tooling and a wealth of knowledge floating around to make it something easier to maintain?

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

Re: Secure Comms
By: g00r00 to Digital Man on Sat Dec 22 2018 10:49 am

If others started to implement an implicit TLS for BINKP I would as well, I just started here since no one really has to change any configurations to adopt it.

For Synchronet's BinkIt to support incoming implicit TLS connections, it would just be a configuration setting in services.ini:

[BINKP]
Port=xxx ; Pick a unique port number here
Command=binkit.js
Options=TLS

digital man

Synchronet/BBS Terminology Definition #54:
SBBS = Synchronet Bulletin Board System
Norco, CA WX: 67.4�F, 42.0% humidity, 3 mph ESE wind, 0.00 inches rain/24hrs --- SBBSecho 3.06-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (21:1/183)

I wouldn't say "considered more secure" about TLS as much as I'd say "STARTTLS is simply not secure at all". This has been well researched
and known for quite some time now. An attacker simply strips the flag
out and viola: No TLS.

This is entirely inaccurate. That only works when those same servers are configured to work identically in cleartext, which if you actually use
anything with real data to protect... they don't.

Even the various free e-mail providers won't.

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

No, that's now how SQLite works. Yes, it *does* utilize a *cache* -- if enabled -- and only of data you've already processed. This cache is tiny.

This is simply not true (or wasn't years ago at least). The reason it works fast is because it keeps things in memory just like anything that is transactio based. When you deprive SQLite of memory it turns into a heaping pile (or at least older versions when I last did this sort of experimentation did).

A few years back I had to replace SQlite from a major international company (fortune 100) and there were all sorts of resource issues with it.

I just did a quick Google though and found people on forums basically echoing what I am saying, asking how they can reduce the memory overhead without turning it into shit.

In the BBS world none of this really matters anyway, because we don't see the type of bandwidth to make any of this a big deal, which is sort of what my point is. There isn't a lot of benefit here. If you're starting new like
your project, sure then maybe it makes sense.

But you aren't gaining a lot by using a SQLlite database for your message bases over JAM and its certainly arguable that you lose a lot by not doing, because you don't have access to the third party utilities or mail processors. I do agree SQLite has a better design than JAM but thats not really the point.

I was just watching a Mystic Guy video and his Pi imported like 400 messages
in 1 second, running off a slow ass SD card and shite processing power so its not like we're struggling for performance in the BBS world.

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

Authenticity of client (client cert validation) and of the server
(server cert validation) are both built into TLS. Public keys could
simply become part of the FTN applicaiton process.

Yes, but if you have a proxy server sitting somewhere, that is not the same as the Sysop having a server on-site where they can manage the keystore. Thats all I was trying to say with that. If you mean running the proxy local then sure that works for implicit SSL.

I think the concepts of SSL keystores and cert swapping may go beyond a lot of people's knowledge level as SysOps aren't always System Admin types (although o course many are)...

This is the reason I don't even talk about those things with Mystic, it just automatically creates a self sign and doesn't validate hosts. Although in the case of BINKP, you may want to do that anyway since there is a concept of accepting "unsecure" Netmail connections.

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

Not saying its horrible to use SQLite, I'm just saying that shitting the existing format isn't really founded.

Agreed with your sentiment here. Though I have to wonder, doesn't something as mature as modern SQLite come with all kinds of monitoring tooling and a wealth of knowledge floating around to make it something easier to maintain?

The tools would be certainly more reliable I would think, but I wouldn't go as far as easier to maintain. With SQLite you still can't adjust schema for existing tables (you have to drop, recreate, and repopulate) unless that has changed... so from a developers perspective its still annoying make record changes.

For an end user, I mean... To maintain a BBS message base you just run "msgpack". To do the same in SQlite you just run a single command too I believe, so I wouldn't say either of them are more difficult.

For a BBS application I don't know if anything SQLite provides would make it more valuable than being able to access a wealth of different echomail
tossers, mailers, and stat reporting tools.

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

If others started to implement an implicit TLS for BINKP I would as wel just started here since no one really has to change any configurations adopt it.

For Synchronet's BinkIt to support incoming implicit TLS connections, it would just be a configuration setting in services.ini:

Ahh good to know. I'll probably add in an implicit option as well then.

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

On Saturday, December 22nd g00r00 was heard saying...

This is simply not true (or wasn't years ago at least). The reason it works fast is because it keeps things in memory just like anything that is transactio based. When you deprive SQLite of memory it turns into a heaping pile (or at least older versions when I last did this sort of experimentation did).

You keep trying to prove a point, but slip in "at least years ago". Again, *maybe* many years ago in some ancient versions of SQLite some of this was true, but no, that's now how it works at all. Transactions put can put some data in memory, but often just dump to a temporary file. These are only on writes mind you. When it's time to commit, the data is put down paged. This lets it be read back (later, directly from disk) paged.

I'd love to see your Google searches. I don't doubt there are other people clueless about this either.

All of the major mobile phone vendors have had SQLite backing since v1 times when memory was crap. Desktop Windows & OS X use it. FireFox uses it. Again, it's one of the most heavily used pieces of software on the planet. From large scale memory to low. And works great between. Anyone seeing memory issues is cleary doing something wrong.


On Saturday, December 22nd g00r00 was heard saying...

In the BBS world none of this really matters anyway, because we don't see the type of bandwidth to make any of this a big deal, which is sort of what my point is. There isn't a lot of benefit here. If you're starting new like your project, sure then maybe it makes sense.

Trueish. Generally none of this matters in the BBS world RE I/O usage.

On Saturday, December 22nd g00r00 muttered...

But you aren't gaining a lot by using a SQLlite database for your message bases over JAM and its certainly arguable that you lose a lot by not doing, because you don't have access to the third party utilities or mail processors. I do agree SQLite has a better design than JAM but thats not really the point.

Maybe. Most of the tools out there are directly accessing JAM databases which is nonsense on it's own.



--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On Saturday, December 22nd g00r00 was heard saying...

This is entirely inaccurate. That only works when those same servers are configured to work identically in cleartext, which if you actually use anything with real data to protect... they don't.

Even the various free e-mail providers won't.

I don't mean to argue with you about any of this, but misinformation is also not good. Yes, STARTLS is very susceptible to downgrade attacks and MITM for the very reason I stated. Including email.

This is why (any sane) mail servers have moved to pure TLS. Of course, Email has a bazillion other issues with security, so unless the end users are encrypting their payloads it's kinda mute depending on what they are trying protect.



--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On 23-Dec-2018 08:08, apam wrote to NuSkooler <=-

I'm not sure at least those first two statements are true at all.
"SQL" is simply a language. If we're talking SQLite (I think we are),

Yep sqlite, but I also plan to make mysql a possiblity, I think it
could be useful if people want to design their own php-mysql type interfaces on top of it.

I think that could be an interesting option. I can see someone designing a true web forum around Magicka. Not me, I'm not a PHP programmer.

Mysql would just be linking to the connector i think, and of course you have to install mysql - so yeah thats a bit more of a dependency, but
the idea is you don't HAVE to, and I expect most people wont use that
as a message base, but those who want to (for whatever reason) can.

I love that philosophy of choice. :)


... [COUPON] Good for one FREE Tagline! [COUPON]
--- MultiMail/Win
* Origin: Bush Track BBS (21:1/109.1)

Quoting g00r00 to Tiny <=-

I guess I am just saying don't be so quick to hate on the old stuff, because the benefits of switching and rewriting everything for us old folks aren't really that great.

I'm an old folk too. Run the BBS since 1985. Not saying we have to
change everything right away, just saying moving forward with new tech
can't be a bad idea?

Shawn

... Illiteratets of the wlord. Untie!
--- Blue Wave/386
* Origin: A Tiny slice o pi (21:1/130.4)

You keep trying to prove a point, but slip in "at least years ago".

Yes, my experience was years ago so I say it was years ago.

I'd love to see your Google searches. I don't doubt there are other
people clueless about this either.

I think its great that you call me clueless. A simple Google search verifies everything I said though. You can even read the actual SQLite sight where
they specifically talk about how SQLite performance is heavily determined by memory usage and that in some cases it can be as fast as direct I/O...

So even their own website echos what I am saying, but feel free to call me clueless while I talk about hands on experience in major corporations as part of my job and you reiterate that I'm clueless while providing nothing at all
to back anything up other than "because I am right!"

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

I don't mean to argue with you about any of this, but misinformation is also not good. Yes, STARTLS is very susceptible to downgrade attacks and MITM for the very reason I stated. Including email.

This is why (any sane) mail servers have moved to pure TLS. Of course,

This is silly. A few messages ago you clearly didn't seem to even understand my description of opportunistic SSL and now you're acting like an expert?

There is no difference if the server is configured to not operating without SSL. The both listen on a port, one just negotiates the SSL connection immediately, the other one sends a line of text before negotiating SSL. The outcome is identical assuming the server is configured to only allow SSL.

But who cares, you can be right if you want to be! You only have CISSPs and Security Architects in here telling you otherwise, what do they know!

--- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
* Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)

On Sunday, December 23rd g00r00 was heard saying...

I think its great that you call me clueless. A simple Google search verifies everything I said though. You can even read the actual SQLite sight where they specifically talk about how SQLite performance is heavily determined by memory usage and that in some cases it can be as fast as direct I/O...

A search reveals user error after error, mostly from sites & forms like S.O. which have answers indicating such.

Oh please, do link the page you're referring to on sqlite.org.


On Sunday, December 23rd g00r00 was heard saying...

So even their own website echos what I am saying, but feel free to call me clueless while I talk about hands on experience in major corporations as part of my job and you reiterate that I'm clueless while providing

No, you have some minimal experience "years ago". I've been using SQLite professionally for various projects off and on for 15+ years. In embedded, mobile, and desktop/server. Oh, and so have thousands and thousands of others.

Get your panties out of a wad.


--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On Sunday, December 23rd g00r00 was heard saying...

This is silly. A few messages ago you clearly didn't seem to even understand my description of opportunistic SSL and now you're acting like an expert?

No, a few messages ago you lightly stated you "added TLS support", so I questioned how you did it.

I'd say I'm pretty god damn expert level at TLS, yeah. Since I've personally implemented the fucking MITM described more than once profesionally.

On Sunday, December 23rd g00r00 muttered...

There is no difference if the server is configured to not operating without SSL. The both listen on a port, one just negotiates the SSL connection immediately, the other one sends a line of text before negotiating SSL. The outcome is identical assuming the server is configured to only allow SSL.

If it's ONLY configured to use TLS, yes you can then prevent the downgrade attack. But if it's ONLY configured to use TLS you have zero reason to use STARTTLS. Else, are vunerable to a downgrade MITM attack. That's. How. It. Works.


On Sunday, December 23rd g00r00 muttered...

But who cares, you can be right if you want to be! You only have CISSPs and Security Architects in here telling you otherwise, what do they know!

Oh, I do? Interesting. I've been a Sr. Architect for many years and again, in the specific areas of TLS & security. Please.

I've seen this level of defensiveness from you previously as well, and it's extremely comical. You have a pattern of this kind of stuff, you know. I know you like the spotlight and such, but come on.

What would actually be beneficial to everyone here is if you'd step of your rediculous high horse and take some critisism + work with others in the community to actually get something together that benefits more than just Mystic.

- Use pure TLS. Listen on a different port, who cares. It's how things are done.
- Work with others around here to come up with some standards for this crap -- Bink, encrypted net/echomail, so on.






--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

Oh please, do link the page you're referring to on sqlite.org.

I don't feel like searching for it but it does say performance is based on memory allocation...

This is pretty common sense, and I wouldn't make it up. Result sets are commonly stored in memory and so are other transactions. Files are opened and left open. This is all stuff done in memory, and thats the only reason its able to out perform direct I/O. It doesn't allow concurrent access. One write causes the entire database to be locked regardless of it the other thread is accessing a different table entirely. Its all on the site, and I really don't care if you don't believe it :)

You can say I am clueless or whatever all you want (real cool) but the fact is that I'm not. I think you know that.

Rather than keep going lets get back on track: Not only was the original conversation one that wasn't directed towards you, but there were two points made that you replied to:

1. A direct I/O approach uses less resources
2. There isn't much benefit over using JAM.

Its strange to me that you're going this hard into trying to argue this...

My JAM library has a footprint of 36 kilobytes. That is still 36KB even when you have 50 million messages and are actively scrolling through a message list. Now start throwing queries at your 50 million messages in SQLite while listing all of those messages and see if it takes 36KB with good performance.

Hint: It doesn't.

You've also not really articulated benefit... The benefit of NOT using it is that you gain access to plenty of utilities for maintenance, reporting, and mature mail processing. All of this I have clearly stated, but I feel you've really said nothing at all other than "no you're wrong" over and over again.

Anyway I don't want to keep this going, this shit is exhausting. :)

--- Mystic BBS v1.12 A40 2018/12/23 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

No, a few messages ago you lightly stated you "added TLS support", so I questioned how you did it.

The way I remember it, I described the process which was clearly opportunistic and you jumped in to ask question about proxy compatibility. Digital Man then explained to you that it was opportunistic and your proxy idea wouldn't work with it, even before I saw your message.

He seemed to have no problem recognizing opportunistic TLS based on the same content you presumably had available to read.

I'd say I'm pretty god damn expert level at TLS, yeah. Since I've personally implemented the fucking MITM described more than once profesionally.

This seems like a pretty odd claim, but then its literally impossible for you not to know that what I'm saying is true. If you truly created something "professional" designed to strip STARTTLS commands (why would you?) multiple times (!!) then you know that it was completely useless if the server only accepts TLS.

Your claim that no one worth a damn uses opportunistic TLS (or whatever you said along those lines) is also completely wrong. The largest e-mail provider in the world (Google Gmail) uses opportunistic TLS. In fact, I haven't found one yet that doesn't. They sure as hell wouldn't if it was insecure. Its not.

If you understand how it works then you know that its the same thing as implicit SSL except you have the option to receive client capabilities in cleartext before you decide how you want to enforce the connection. Assuming your server is configured to only allow SSL, then its secure and your MITM attack doesn't work.

It doesn't matter how many times you may want to say Mystic TLS is not secure, the facts are that it is. Its not really worth continuing the discussion because there is no where else to go from here, this is simply fact.

--- Mystic BBS v1.12 A40 2018/12/23 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

Re: Secure Comms
By: Digital Man to g00r00 on Sat Dec 22 2018 03:20 pm

For Synchronet's BinkIt to support incoming implicit TLS connections, it would just be a configuration setting in services.ini:

[BINKP]
Port=xxx ; Pick a unique port number here
Command=binkit.js
Options=TLS

I have a link with a Mystic BBS that supports TLS connections although not implicit at this point. If I put the above in my services.ini in addition to the existing [BINKP] section will that work?

Is it possible with binkit to initiate a TLS session with a Mystic mailer that supports it (when that is ready)?

Ttyl :-),
Al

... Mathematician: A device for turning coffee into theorems!
--- SBBSecho 3.06-Linux
* Origin: The Rusty MailBox - Penticton, BC Canada (21:4/106)

I have a link with a Mystic BBS that supports TLS connections although
not implicit at this point. If I put the above in my services.ini in addition to the existing [BINKP] section will that work?

Is it possible with binkit to initiate a TLS session with a Mystic
mailer that supports it (when that is ready)?

No, because Mystic is opportunistic (it gives you the option to use a standard connection, TLS, or both with the same server on the same port). If you want to run a TLS-only BINKP with Mystic you can just set it to require TLS. But this still won't work with Synchronet because of different approach...

Either Rob has to implement opportunistic or I need to add implicit. My libraries/servers already do both so I can (and probably will) add the option for implicit too now that I know Synchronet allows it.

--- Mystic BBS v1.12 A40 2018/12/23 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

On Sunday, December 23rd g00r00 was heard saying...

This seems like a pretty odd claim, but then its literally impossible for you not to know that what I'm saying is true. If you truly created something "professional" designed to strip STARTTLS commands (why would you?) multiple times (!!) then you know that it was completely useless if the server only accepts TLS.

This is very common (and why I've done it multiple times) for filtering. When one performs a downgrade attack the traffic remains in the clear and can be analyzed, modified, so on. When doing a 'standard' MITM attack where a new certificate is in play, you must either a) have pre-installed the CA, or b) the
user must accept an untrusted authority. Most of the filtering products I've worked on do both, but it's obvious why the first is preferred.

Google uses STARTLS for mail by default, yes. This of course doesn't matter when using their web client which is pure TLS. When using your own clients, they recommend to disable fallback due to the very reasons I've started: It's essentially pointless. If the conection can fallback, that's the *only* thing that is needed to perform a downgrade attack and inspect plain text.

And actually, it's a little worse than how simple that seems. If the client doesn't also *require* TLS, when a start command is stripped it can go ahead and send plain text even though the real server actually requires/wants TLS.

I want to step back here before this nonsense continues:
I'm not attacking you nor Mystic. I ackowledge you're a great programmer and know your stuff. Mystic shows that, and I'm sure other products you've worked on do as well.

I have *not* started that Mystic is inherently insecure. What I started above is what I stated in my last reply and is true: Unless you *force* TLS (and the client sides know to do so as well), it is not secure. It's more of a fluffy feeling. This area has been flooded with talk of encryption and security for a while. No doubt why you have jumped on and put a lot of this stuff in. If nothing else, you should well document the information above so people know this: Force TLS on both sides, and yes it will be secure.

RE: SQLite, believe whatever you like. I've used and continue to use (and apparely nearly the rest of the planet: https://www.sqlite.org/mostdeployed.html) it, so I think we'll be OK :)

Have a merry whatever-it-is-you-celebrate. Hopefully things can return civil.








--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

On 12/24/18, g00r00 said the following...

Either Rob has to implement opportunistic or I need to add implicit. My libraries/servers already do both so I can (and probably will) add the option for implicit too now that I know Synchronet allows it.

I'll get this going with Synchronet once we have something to test.

Ttyl :-),
Al


--- Mystic BBS v1.12 A40 2018/12/23 (Linux/64)
* Origin: New Name Coming Soon - Penticton, BC Canada (22:4/106)

Re: Secure Comms
By: Al to Digital Man on Mon Dec 24 2018 02:56 am

Re: Secure Comms
By: Digital Man to g00r00 on Sat Dec 22 2018 03:20 pm

For Synchronet's BinkIt to support incoming implicit TLS connections, it would just be a configuration setting in services.ini:

[BINKP]
Port=xxx ; Pick a unique port number here
Command=binkit.js
Options=TLS

I have a link with a Mystic BBS that supports TLS connections although not implicit at this point. If I put the above in my services.ini in addition to the existing [BINKP] section will that work?

It would work for incoming implicit-TLS/BinkP sessions, yes.

Is it possible with binkit to initiate a TLS session with a Mystic mailer that supports it (when that is ready)?

That would require some minor updates to binkit.js, but totally doable.

digital man

This Is Spinal Tap quote #32:
Derek Smalls: [A jog?] We don't have time for that.
Norco, CA WX: 63.4�F, 62.0% humidity, 5 mph E wind, 0.00 inches rain/24hrs
--- SBBSecho 3.06-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (21:1/183)

Google uses STARTLS for mail by default, yes. This of course doesn't matter when using their web client which is pure TLS. When using your
own clients, they recommend to disable fallback due to the very reasons I've started: It's essentially pointless. If the conection can fallback, that's the *only* thing that is needed to perform a downgrade attack and inspect plain text.

You just repeated exactly what I've been saying in every single message to you, that you've been arguing against up until now.

Google's e-mail services simply do not work without STARTTLS; Google uses TLS only. Its secure. Its also an opportunistic handshake like Mystic. There is nothing for them to recommend on the client side because the server is what decides when a connection is accepted. If you try to use a non-SSL connection it is refused regardless of what the client wants, same as Mystic or any other opportunistic server if you force SSL. All are secure and none are at risk
for a man in the middle attack.

I have *not* started that Mystic is inherently insecure. What I started above is what I stated in my last reply and is true: Unless you *force* TLS (and the client sides know to do so as well), it is not secure. It's

But thats not what you did. You replied to a message about Mystic's TLS and said that opportunist TLS was insecure. Of which I've replied and restated several times that its absolutely secure unless you configure it to also run in non-SSL mode (which would be a user error if their intent was SSL only)...

Any of this ring a bell? Because you've completely flipped now and you're
just repeating what I've said to you over and over again.

That type of approach only seems to work if you're the president! ;)

--- Mystic BBS v1.12 A40 2018/12/23 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

On Monday, December 24th g00r00 was heard saying...

You just repeated exactly what I've been saying in every single message to you, that you've been arguing against up until now.

No, I'm repeating what I've said over and over. Feel free to go back and read them. That's the neat thing about text. It stays.


On Monday, December 24th g00r00 muttered...

Google's e-mail services simply do not work without STARTTLS; Google uses TLS only. Its secure. Its also an opportunistic handshake like Mystic. There is nothing for them to recommend on the client side because the server is what decides when a connection is accepted. If you try to use a non-SSL connection it is refused regardless of what the client wants, same as Mystic or any other opportunistic server if you force SSL. All are secure and none are at risk for a man in the middle attack.

First, no, that's how how Google does it.

From Google/Gmail: https://support.google.com/a/answer/2520500?hl=en
"Gmail uses TLS by default, but when a secure connection isn't available (both sender and recipient need to use TLS to create a secure connection), Gmail will
deliver messages over non-secure connections."

And what you said isn't how this actually works. I was taking the higher ground, but since you want to be a jerk, I'll explain it again: What the server
*wants* (TLS) is irrelevant. When you perform an attack you get in the middle between the client and server. When the server *wants* TLS (that is, it responds with a flag indicating an upgrade) you strip it and respond to the client without said flag. The client then proceeds to send you plain-text. For scenarios in which the client sends a "upgrade to secure" flag, the reverse applies and it works the same way. The MITM negotiates with the side that operates only in secure mode.

Client <---> MITM <---> Server

Server upgrades to TLS:
SVR to MITM (who it *thinks* is the real client): STARTTLS
MITM: OK
MITM to client: Start plain text.
Client: OK

It's. That. Easy.

On Monday, December 24th g00r00 muttered...

But thats not what you did. You replied to a message about Mystic's TLS and said that opportunist TLS was insecure.

Because it is. Unless both the client and server force TLS. In fact, it's done on a regular basis. For example: https://zakird.com/papers/mail.pdf. Software I've produced (described in previous posts) has done just this for various actors.

You could use those Google-foo skills you seem so good with to read, watch talks, or whatever your heart desires.

On Monday, December 24th g00r00 muttered...

Any of this ring a bell? Because you've completely flipped now and you're just repeating what I've said to you over and over again.

I've not flipped at all. This is the same information I've been re-iterating over and over.





--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

to you, that you've been arguing against up until now.

No, I'm repeating what I've said over and over. Feel free to go back and read them. That's the neat thing about text. It stays.

I have and its exactly like I said it was... Me telling you over and over that its considered secure unless you literally tell it not to use SSL only. Go look.

"Gmail uses TLS by default, but when a secure connection isn't available (both sender and recipient need to use TLS to create a secure
connection), Gmail will deliver messages over non-secure connections."

When I speak, I have hands on experience with something and I understand it. When I don't understand I don't argue endlessly, I usually try to take that opportunity to learn. What I don't do often is just regurgitate whatever I find on a quick Google search.

Here's how it works off the cuff go try it yourself if you want:

19:32:05 SMTP R:250-smtp.gmail.com at your service,
19:32:05 SMTP S:AUTH LOGIN
19:32:06 SMTP R:530 5.7.0 Must issue a STARTTLS command first.
19:32:06 Could not authenticate to SMTP server
19:32:10 Shutting down

And what you said isn't how this actually works. I was taking the higher ground, but since you want to be a jerk, I'll explain it again: What the

I'm not being a jerk, but you certainly have grouped me with the "other clueless people who think like me", talked about how I spread all this "misinformation" and so on. I've done nothing at all to you along those lines other than to tell you that opportunistic is not considered insecure unless its configured wrong.

In fact, this conversation didn't involve you and you barged your way into it. This is not unlike the stuff with Apam used to do and then turn around and blame me for a bunch of stuff that I was never really doing. He was willing to take a step back and reevaluate but it remains to be seen if you're able to do the same.

Server upgrades to TLS:
SVR to MITM (who it *thinks* is the real client): STARTTLS
MITM: OK
MITM to client: Start plain text.
Client: OK

What you're describing is not the strip attack.

The MITM can't impersonate an entire SSL connection because the encryption between the legit client and legit server encrypt with a private key that only each side has. Since the MITM doesn't have that, it cannot EVER impersonate the encrypted client connection; The MITM can only intercept and understand or impersonate data *PRIOR* to the SSL handshake and not afterwards.

The Strip attack only strips the cleartext STARTTLS command and HOPES that the server will operate in cleartext entirely when it does. If that doesn't work, then it cannot impersonate the client with an SSL connection without having the private key that only the client has. It does not do what you're said above because it can't without the private key.

In order for what you describe to work, you'd have to have an SSL server that does not use certificates, check hosts, etc. Now maybe in the BBS world you might see something like that, but I've been a Security Architect working as a consultant for 15 years and I've never went into a client's building and encountered an SSL server configured in such a way.

--- Mystic BBS v1.12 A40 2018/12/23 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

Re: Re: Secure Comms
By: g00r00 to NuSkooler on Mon Dec 24 2018 07:08 pm

Google's e-mail services simply do not work without STARTTLS;

I don't intend to stir the pot or get in the middle of this, but smtp.gmail.com and other gmail mail servers do indeed appear to support implicit TLS on TCP port 465. No "STARTTLS" needed.

digital man

Synchronet/BBS Terminology Definition #8:
BPS = Bits Per Second
Norco, CA WX: 54.7�F, 88.0% humidity, 0 mph SW wind, 0.00 inches rain/24hrs
--- SBBSecho 3.06-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (21:1/183)

Google's e-mail services simply do not work without STARTTLS;

I don't intend to stir the pot or get in the middle of this, but smtp.gmail.com and other gmail mail servers do indeed appear to support implicit TLS on TCP port 465. No "STARTTLS" needed.

Yes that was a sloppy choice of words on my part but the conversation before it wasn't about implicit it was whether it allows cleartext or not.

What I was trying to show was that it doesn't allow clients to fall back to cleartext at all. They use implicit and opportunistic only for SMTP. SSL required.

Its all good I ended up just adding him to my twit filter.

--- Mystic BBS v1.12 A40 2018/12/23 (Windows/32)
* Origin: Sector 7 [Mystic BBS WHQ] (21:1/108)

On 12/25/18, g00r00 pondered and said...

Yes that was a sloppy choice of words on my part but the conversation before it wasn't about implicit it was whether it allows cleartext or
not.
What I was trying to show was that it doesn't allow clients to fall back to cleartext at all. They use implicit and opportunistic only for SMTP. SSL required.
Its all good I ended up just adding him to my twit filter.

Whilst you guys may have debated a technical discussion that went waay over
my head and seemed to become a bit of a matter of professional pride for you both. I'd suggest it would be regrettable if you opt to filter Nu out of your echomail feeds.

Echomail filtering aside I don't personally regard Nu/Bryan as a twit. I
rate him as a good guy, a coder who's doing good things with his Enigma
1/2 BBS project and (like everyone else) is welcome to take part in fsxNet.

If the BBS scene is to advance with new technical standards, ideas
of different sorts of accepted interoperability etc. then it seems to me
that having discussions between software authors active in this space is kinda key to that wider success the a community of experimental tinkerers may be hoping for. Just my 2 cents :)

In the end, it's your call and your echomail feed (unfiltered or otherwise).

Hope your Christmas day was a good one, and I'm loving the new features in A40

Best, Paul

--- Mystic BBS v1.12 A40 2018/12/25 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)

g00r00 around Monday, December 24th...

I have and its exactly like I said it was... Me telling you over and over that its considered secure unless you literally tell it not to use SSL only. Go look.

I know I'm on g00r00's "twit" list now, but I'll reply anyway since I think there are others that can benefit from this discussion being that it is around security and we've been discussing such matters greatly around here.

I've talked about this in previous posts, but I'll try and put it more plainly what is being missed here RE STARTTLS and security.

TL;DR version: BOTH the server (remote Bink aka remote BBS) AND the client (local Bink, aka your BBS) must *FORCE* TLS only. If either side say it's optional, then TLS is broken (more details below):

Details again:
A STARTTLS works by communication starting in plain text. During the initial negotiations, the server (in this case) requests TLS. If the option is set, from the servers point of view this can be more of a demand: "I will only proceed using TLS".

- If the server does not "demand" TLS, the downgrade attack is very simple: One
simply removes the TLS request and the client moves along it's way. What would
have been secured via TLS is now simply sent plain-text.

- If the server demands TLS to proceed, a true MITM attack comes into play, covered below after the following quote for context:

On Monday, December 24th g00r00 said...

The MITM can't impersonate an entire SSL connection because the encryption between the legit client and legit server encrypt with a private key that only each side has. Since the MITM doesn't have that, it cannot EVER impersonate the encrypted client connection; The MITM can only intercept and understand or impersonate data *PRIOR* to the SSL handshake and not afterwards.

This is a misunderstanding of how TLS works in general, or how a MITM attack works. I'll explain it.

First, SSL/TLS uses Public Key Cryptography. When a legit client and legit server communicate, it works by encrypting with *public* keys and decrypting with the private, not how it is described above.

(client) data -> encrypt with servers *public key* -> (server) decrypt data using private key.

The client gets the public key to use via the certificate issued by the server early in the handshake. This is important to understand and it's critical to a MITM attack:

When a MITM is in the mix, the MITM intercepts the handshake and gives the client it's *own* certificate (generally based off the properties/etc. of the original from the real server). So, when the client encrypts data with this public key, it's now really encrypting with the MITM's public key, which the MITM of course can decrypt just fine. The MITM then does all the communciation with the *real* server and the client never knows.

There are Public Key Infrastructure (PKI) measures agains this:
For web browsers and the like the client will only talk to servers who issues certificates (described above) issued by a Certificate Authority (CA) that they
already trust. This is often known as your certificate store. Anything in the cert store is "trusted". Anything that is not results in severing the communication once the (untrusted) cert is received.

Another measure that can be deployed to really tie things down is Certificate Pinning. What this does is say when I'm talking to "xyz.com", I *know* in advance the *exact* certificate (or exact CA at the top of the chain) that they
should be using by hash (SHA-1, etc.) aka it's fingerprint. So if a certificate is handed back and it's fingerprint is not exactly the print I expect, hang up.

Cert pinning in browsers is interesting in relation to MITM: They allow it by default (IE, FF, Chrome, and Opera all operate the same here):
By default they allow MITM *if the CA is trusted* (described above). If you want further security (disallow MITM for pinned sites) you must change the default setting to match exact cert FP's.

Back to MITM impersonating a client connection:
There are actually some measures that can be taken here too, namely client certificate validation. During the handshake described above, the server can also request a client certificate. It can then validate that this certificate is white listed (ie: a trusted client) and if not, hang up.

- In the browser world, this is not used. Clearly websites cannot have a list of all the clients that will connect to them.

- Exact FP pinning and client verification are often used for applications that
talk only with a specific client to a specific server. Mobile apps have gotten
fairly good at this due to being shunned by Apple/Google if they don't do it, etc.

Now, how does this all relate to Bink commuinication?
- Your bink *client* MUST enforce TLS, and the server MUST enforce TLS to even ensure TLS is used.
- To prevent MITM, the client must only trust CA's issued to the servers it will connect to. If certificates are not validated, MITM is easy: Impersonate the server.
- Servers must only accept connections from whitelisted client (certs). If not,
MITM is easy: Impersonate the client.

On Monday, December 24th g00r00 was heard saying...

The Strip attack only strips the cleartext STARTTLS command and HOPES that the server will operate in cleartext entirely when it does. If that doesn't work, then it cannot impersonate the client with an SSL connection without having the private key that only the client has. It does not do what you're said above because it can't without the private key.

Just to reiterate here:
- Unless the server does client authentication (ie: the whitelisted set of certs it trusts), the MITM impersonation works perfecly fine. The server will talk to whatever client comes along.

Private keys are *never* shared between client/server. Only public keys, and those are shared in the open (hence the name: public).

Now, all this may seem like a lot for BBS/EchoMail related traffic, but remember what we're trying to protect from here: ISPs & Big Brother type snooping that feeds into large (NSA, so on...) databases. They all use techniques I described above (and more) and have so for a long time. I implemented this kind of stuff for 15 years or so. It done in real time, and it's not secret how it works. You can download MITM proxies/etc. off GitHub for
and the like and of course the private versions are much more complete and complex.

If you want to play with MITM stuff like this:
- https://mitmproxy.org/
- https://www.roe.ch/SSLsplit

Some more STARTTLS downgrade info: https://www.eff.org/deeplinks/2014/11/starttls-downgrade-attacks

-- Twit :)








--- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
* Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)

I know I'm on g00r00's "twit" list now, but I'll reply anyway since I
think there are others that can benefit from this discussion being
that it is around security and we've been discussing such matters
greatly around here.

Thanks Nu, interesting stuff.

Andrew

--- MagickaBBS v0.12alpha (Linux/x86_64)
* Origin: The Fat Sandwich - sandwich.hopto.org:2023 (21:1/125)

apam wrote to deon:

On 12/19/18, Tiny said the following...

I think moving forward the trick is:
1) Create a new way of doing things.

I came across this...

https://www.youtube.com/watch?v=IPSbNdBmWKE

I signed up to that a few days ago, but have no friends on it. There's a
few platforms like that GNU social, and some others.

Andrew

--- MagickaBBS v0.12alpha (Linux/x86_64)
* Origin: The Fat Sandwich - sandwich.hopto.org:2023 (21:1/125)

I'm administering a Nextcloud instance and a couple of Owncloud instances (scheduled to upgrade to Nextcloud soon, when I move their hosts to CentOS 7. Yes, I know it can be done with 6, if not officially, but there's more work involved keeping it updated, etc.) Both offer federated cloud ID's and Nextcloud has the Social app, which interoperate with Mastodon and other social
networks that support the ActivityPub protocol. Gnu social is supposed to be getting there, iirc. Pretty sure most of the decentralized social media platforms will eventually get there, too. eg. Matrix.org (riot.im), etc.

jbdigriz
@[email protected]



Greetings, James Digriz
email: [email protected]

--- MBSE BBS v1.0.7.6 (GNU/Linux-x86_64)
* Origin: DragonsWeb Labs (21:4/128)

James Digriz wrote to apam <=-

I'm administering a Nextcloud instance and a couple of Owncloud
instances (scheduled to upgrade to Nextcloud soon, when I move their
hosts to CentOS 7. Yes, I know it can be done with 6, if not
officially, but there's more work involved keeping it updated, etc.)
Both offer federated cloud ID's and Nextcloud has the Social app, which interoperate with Mastodon and other social
networks that support the ActivityPub protocol. Gnu social is supposed
to be getting there, iirc. Pretty sure most of the decentralized social media platforms will eventually get there, too. eg. Matrix.org
(riot.im), etc.

I've played a bit with Mastadon, but without anyone else to talk to on it testing it out is hard. Maybe we should set up a BBS sysops/users presence
on M?




... Have you ever questioned the nature of your reality?
--- MultiMail/XT v0.51
* Origin: http://realitycheckbbs.org (21:4/122)

poindexter FORTRAN wrote to James Digriz:

James Digriz wrote to apam <=-

I'm administering a Nextcloud instance and a couple of Owncloud instances (scheduled to upgrade to Nextcloud soon, when I move their hosts to CentOS 7. Yes, I know it can be done with 6, if not officially, but there's more work involved keeping it updated, etc.) Both offer federated cloud ID's and Nextcloud has the Social app,

which

interoperate with Mastodon and other social
networks that support the ActivityPub protocol. Gnu social is

supposed

to be getting there, iirc. Pretty sure most of the decentralized

social

media platforms will eventually get there, too. eg. Matrix.org (riot.im), etc.

I've played a bit with Mastadon, but without anyone else to talk to on it testing it out is hard. Maybe we should set up a BBS sysops/users presence on M?

... Have you ever questioned the nature of your reality?
--- MultiMail/XT v0.51
* Origin: http://realitycheckbbs.org (21:4/122)

Been thinking about setting up a Mastodon and/or matrix.org server, but Nextcloud does offer the Social app, AND something called Circles, which are like local groups, but distributed, federated, etc. Anyone wants to set one up on any Nextcloud server they can, and toot and share with circle members on other servers. Be sure to post the details on your board or in an echo so everyone that wants can join in.

Nextcloud has a self-registration app, too, so just find an instance, log
in, and let the adminstrator help you set it up.

Personally, I'd rather see a robust BBS community using BBS'es :-) But it may help with security, privacy, control of your data, etc. if that's needed. Sometimes helpful to be able to "unshare", and so on.

FWIW,
jbdigriz

Greetings, James Digriz
email: [email protected]

--- MBSE BBS v1.0.7.6 (GNU/Linux-x86_64)
* Origin: DragonsWeb Labs (21:4/128)

On 03 Mar 2019 at 01:06p, James Digriz pondered and said...

Personally, I'd rather see a robust BBS community using BBS'es :-) But

I agree with you there :)

Best, Paul

--- E:[email protected] ------ W:bbs.nz ---
--- K:keybase.io/avon --------------

--- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
* Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)