MOO-cows Mailing List Archive


Re: stupid newbie question



> OK, first message. I'm setting up a MOO. One member
> of the CS dept is in strong opposition... very strong...
> what can I do to
> 
> politically: quiet her fears
> 
> Technically: make the MOO secure
> 
> she's worried about break-ins... and says MOOs are notorious
> among sysops as security nightmares. After months of work
> on my part to get the server acquired and running, she wants
> it shut down and banned.

1. DO NOT RUN FUP.  (Here I want to say, up-front, that this is a
   POLITICAL suggestion, not a TECHNICAL one.)  It is very valuable to
   be able to claim to your sysadmin that the MOO allows no (zero) access
   to the filesystem (except when checkpointing) and allows no (zero) access
   to the shell.  FUP shaves a little bit off that claim, but it's enough
   of a little bit that you can't afford it at this time.

2. If you're going to be running with open_network_connection() enabled,
   get your wizards to sign an agreement that they will not use that
   ability to do anything inappropriate.  (Spell it out.)

3. Research any security issues involved with firewalls at your site.
   Offer to work with your sysadmin to make those problems go away.

4. Offer to run the MOO only during off-peak hours.  Offer to limit the
   disk space used by the MOO data.  Offer to limit the size of the
   server's process (rebooting when it's too large).  Offer to limit
   the number of active connections at any one time.  Make concessions.

5. Running a MOO -will- get your server machine more failed login
   attempts than they're used to.  People -will- telnet to the MOO's
   machine and attempt to log on as their MOO characters.  This in itself
   does not pose a threat.  Make them understand, tactfully, that security
   issues on the machine are -their- responsibility.  If they have any such
   holes, it's possible that the only reason they haven't been exploited is
   that nobody's tried their machine before.  Advertising the address may
   attract people to the site, which in turn may result in those holes being
   exploited.  It's not the MOO's fault; it's the sysadmin's fault.  Be as
   tactful about this as possible, but make them understand.

Seth / Blackbriar

--
----------------------------------------------------------------------
Seth I. Rich
Woo, woo!  OpalMOO's back!       There is nothing more precious than
Rabbits on walls, no problem.    a tear of true repentance.


