MOO-cows Mailing List Archive


Re: stupid newbie question

Disclaimer: I am not a security expert.  Anything I say below is
merely an identification of a risk I am aware of; there may be other
risks.  I request other members of MOO-Cows to add to or expand on my
list.  Feel free to send me anonymous email.

Ken: can we put something like this in the MOO-Cows FAQ?

Ian Macintosh writes:

> At 08:37 PM 08/02/96 PST, you wrote:
>> OK, first message. I'm setting up a MOO. One member
>> of the CS dept is in strong opposition... very strong...
>> what can I do to

>> politically: quiet her fears

>> Technically: make the MOO secure

>> she's worried about breakins... and says MOOs are notorious
>> among sysops as security nightmares. After months of work
>> on my part to get the server acquired and running, she wants
>> it shut down and banned.

>> ps. it's running BSD with the Lambda core...

Just a nit; there are a lot of systems out there that claim to be BSD,
and they can be very different.  Contrast BSDi's offering with NeXT;
although NeXT has a radically different architecture from what
Berkeley released, many people speak of it as the same system.

If you really want detailed feedback on your OS choice, the command
"uname -a" will tell us more.  I can't think of how it would really
matter, though.

> She's talking urban folklore.

Or about some other MUD server.

> Ask her to supply you the name of somebody who has experienced a problem.
> Folklore tends to vanish when you try to pin it down to a source, as quite
> frankly, it has no source.

I largely agree with Ian on this count.  However, people seem to be
reluctant to disclose security breaches, so this kind of anecdotal
evidence can be hard to find.

> You could also ask for exact details of what and where and how the security
> could be breached.  This will also be an elusive target, because, quite
> simply, there isn't one.

The first question to ask when any issue of computer security comes up
is "what are we trying to protect?", so I think it's impossible to say
this with authority.

(On a tangent, the second question is "what capabilities and
convenience are we willing to trade off?" The third question often is
"how much are we willing to expend on this, relative to other security
efforts, incluing non-computerized ones?", but I'm about to go off on
a rant.)

The threats to the server machine itself from the stock MOO server are
small.  I'm pretty sure they're limited to denial of service--either
by a builder creating so many objects that the machine runs out of
swap or disk, or by spamming the server to drive up CPU usage.

If you have OUTBOUND_NETWORK turned on, there are a few threats to
machines on your local net if they use some sort of ill-configured
IP-address-based trust mechanism.  Very few sites will care about
this, because everyone knows that address-based trust is a really bad
idea these days.  Your network admins will know if they have such an
assumption built into your network, and can remedy this by taking your
server machine out of the trust list.  (BTW, now that MOO can speak
binary data, the number of services you could potentially attack
through it has increased.  I still don't think it's a problem unless
you use, say, address-based authentication for X, aka xhost.)

If you have OUTBOUND_NETWORK turned on, your machine could be a threat
to the Internet as a whole by laundering connections---an attacker
connects to your server, and then connects through it to the machine
they're *really* after, to make tracing their connections more
difficult.  The chance of this is vanishingly small; there are far
more convenient anonymous sites out there that are perfectly able to
launder connections for the cracker community.

Anecdote: I was the primary system administrator for Metaverse for a
while, as well as being a primary MOO admin on JHM, Metaverse and
DistortionMOO.  I am not aware of any attacks of the above forms that
came anywhere close to succeeding.

By running any sort of visible and popular network service, you become
more of a target for conventional cracking attacks.  This risk is not
exclusive to MOO; hosting a popular web page will make it more
attractive for people to attack you.  Depending on your level of
visibility, you may want to tighten up general security on your
machine or site.

Some organizations have other concerns.  A MOO server may allow
organizational mapping, or accidental disclosure of proprietary
information, or whatever.  If you're a company that has issues like
this, you already understand these things or have people at your site
that do.  Go talk to them.  Feel free to ask them how the MOO server
is more dangerous than existing communications mechanisms such as

Perhaps this is not the glowing affirmation you'd like to have.  For
academic sites, I think everything I've detailed above is very
low-impact.  I'm listing these because I think you're entitled to
know, and because I think administrators are more assured by full
disclosure of known issues.

Jay Carlson

Flat text is just *never* what you want.   ---stephen p spackman


Home | Subject Index | Thread Index