• Yet another 2oFB apology. :/

    From paulie420@21:2/150 to All on Sun Nov 2 11:41:55 2025
    A user @ 2oFB utilized weak settings (s20g2) on FSX_DAT. They were able to post and send out vulgar and racist IBBS one-liners. Not only did they post inappropriate one-liners, but they posted 'as' Avon, Smooth, jACK pHLASH and other leaders of the BBS community.

    I've tightened settings on FSX_DAT, DUPES, TESTING, etc to s255 for list, read - <s100 users won't see those bases in the future.

    It's really fun that 2oFB gets callers from the BBS community - and BEYOND. We are listed on a few CTF websites; which brings a different user that may not know how wonderful this community is - and think they're 'hacking history' - it just sucks that I didn't already have the security in place that stops these basic non-hacks from happening - I apologize to anyone who was offended by, or was posted as, any of those one-liners.

    The user(s) [singular person] that posted the offending content was NIXDORF & Kevin Mitnick. These user(s) now have a flag banning them from local and IBBS one-liners - I've sent Avon an email discussing an fsxNet ban if warranted.

    2oFB and I apologize to fsxNet and the BBS community. :/ Again.



    pAULIE42o
    .........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From esc@21:3/203 to paulie420 on Sun Nov 2 20:33:02 2025
    The user(s) [singular person] that posted the offending content was
    NIXDORF & Kevin Mitnick. These user(s) now have a flag banning them
    from local and IBBS one-liners - I've sent Avon an email discussing an fsxNet ban if warranted.

    Isn't Kevin Mitnick some famous OG hacker or something? I bet the user isn't actually him but someone cosplaying as him.

    --[esc!dEMONIC]--

    --- DayDream BBS/UNIX (Linux) 2.15a
    * Origin: [>mONTEREYbBS.COM>] (21:3/203)
  • From Nightfox@21:1/137 to paulie420 on Sun Nov 2 12:51:00 2025
    Re: Yet another 2oFB apology. :/
    By: paulie420 to All on Sun Nov 02 2025 11:41 am

    A user @ 2oFB utilized weak settings (s20g2) on FSX_DAT. They were able to post and send out vulgar and racist IBBS one-liners. Not only did they post inappropriate one-liners, but they posted 'as' Avon, Smooth, jACK pHLASH and other leaders of the BBS community.

    What do you mean when you say they utilized weak settings? What settings can a BBS user configure that would be 'weak' in this instance? And what is s20g2?

    A user on any BBS could create an account with any username, so they could potentially create an account with the same name as someone else. I don't think that has anything to do with any settings on the user's side that could be considered 'weak' or 'strong'..

    Nightfox
    --- SBBSecho 3.31-Linux
    * Origin: Digital Distortion: digdist.synchro.net (21:1/137)
  • From ogg@21:2/147 to Nightfox on Sun Nov 2 15:21:07 2025
    What do you mean when you say they utilized weak settings? What
    settings can a BBS user configure that would be 'weak' in this instance? And what is s20g2?

    s20g2 is a security setting for users. A new user would generally be set to s10. A "validated" user is typically bumped up to something higher. The
    sysop is typically s255. Btw, g2 is the "group" setting with the echo areas (fidonet, fsxNet, etc.) defined as their own group. These are defined by the sysop while setting up the bbs.

    ogg
    SysOp, Altair IV BBS
    altairiv.ddns.net:2323

    ... My reality check just bounced

    --- Mystic BBS v1.12 A49 2024/05/29 (Windows/64)
    * Origin: Altair IV BBS (altairiv.ddns.net:2323) (21:2/147)
  • From Nightfox@21:1/137 to ogg on Sun Nov 2 14:18:28 2025
    Re: Yet another 2oFB apology. :/
    By: ogg to Nightfox on Sun Nov 02 2025 03:21 pm

    What do you mean when you say they utilized weak settings? What
    settings can a BBS user configure that would be 'weak' in this instance?
    And what is s20g2?

    s20g2 is a security setting for users. A new user would generally be set to s10. A "validated" user is typically bumped up to something higher. The sysop is typically s255. Btw, g2 is the "group" setting with the echo areas (fidonet, fsxNet, etc.) defined as their own group. These are defined by the sysop while setting up the bbs.

    Is that something in Mystic? (I use Synchronet, so I'm not very familiar with Mystic)

    Nightfox
    --- SBBSecho 3.31-Linux
    * Origin: Digital Distortion: digdist.synchro.net (21:1/137)
  • From ogg@21:2/147 to Nightfox on Sun Nov 2 16:31:06 2025
    s20g2 is a security setting for users. A new user would generally be set to s10. A "validated" user is typically bumped up to something higher. The sysop is typically s255. Btw, g2 is the "group" setting with the echo areas (fidonet, fsxNet, etc.) defined as their own group. These are defined by the sysop while setting up the bbs.

    Is that something in Mystic? (I use Synchronet, so I'm not very
    familiar with Mystic)

    Yes. It's similar to how Synchronet uses Levels for user permissions.

    ogg
    SysOp, Altair IV BBS
    altairiv.ddns.net:2323

    ... The reason Santa is so jolly is because he knows where the bad girls live

    --- Mystic BBS v1.12 A49 2024/05/29 (Windows/64)
    * Origin: Altair IV BBS (altairiv.ddns.net:2323) (21:2/147)
  • From paulie420@21:2/150 to Nightfox on Sun Nov 2 15:53:57 2025
    A user @ 2oFB utilized weak settings (s20g2) on FSX_DAT. They were able to post and send out vulgar and racist IBBS one-liners. Not only did they post inappropriate one-liners, but they posted 'as' Avon, Smooth, jACK pHLASH and other leaders of the BBS community.

    What do you mean when you say they utilized weak settings? What
    settings can a BBS user configure that would be 'weak' in this instance? And what is s20g2?

    A user on any BBS could create an account with any username, so they
    could potentially create an account with the same name as someone else.
    I don't think that has anything to do with any settings on the user's
    side that could be considered 'weak' or 'strong'..

    That's not what it was. Two [different, I've found out] users were able to utilize 2oFB's weak fsxNet Message Base ACS settings. I had FSX_DAT set to:

    list :s20
    read :s20
    post :s20
    sysop :s255

    The correct settings should have been:

    list :s255
    read :s255
    post :
    sysop :s255

    The users were able to create fake InterBBS Oneliner posts like this:

    Title: InterBBS Oneliner
    -----Content of msg-----
    Author: Avon
    Source: The Agency
    Oneliner:Some fake post
    Oneliner:With many lines
    -----

    Once saved, they were routed thru fsxNet to many BBSes' IBBS one-liner mod. Of course I realize that user 'Kevin Mitnick' isn't the infamous hacker turned computer security consultant that died in 2o23 - rather was just letting other sysops know the 2 users involved; NIXDORF [non-vulgar, but using others' handles] and Kevin Mitnick [who posted vulgar and racist posts]...

    I've banned both from using the IBBS one-liners and local one-liners right at the Menu Command - and I've set FSX_DAT to the correct setting to disallow ANY user from utilizing non-obfuscated InterBBS Oneliner posts because they now can't SEE FSX_DAT.

    :P



    pAULIE42o
    .........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From paulie420@21:2/150 to esc on Sun Nov 2 15:54:56 2025
    The user(s) [singular person] that posted the offending content was NIXDORF & Kevin Mitnick. These user(s) now have a flag banning them from local and IBBS one-liners - I've sent Avon an email discussing an fsxNet ban if warranted.

    Isn't Kevin Mitnick some famous OG hacker or something? I bet the user isn't actually him but someone cosplaying as him.

    :P Yes, it seems Mr. Mitnick's luck ran out summer of 2o23; but that doesn't stop young script-kiddies from using the moniker. :P



    pAULIE42o
    .........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From paulie420@21:2/150 to Nightfox on Sun Nov 2 15:56:07 2025
    Is that something in Mystic? (I use Synchronet, so I'm not very
    familiar with Mystic)

    Yep; on any BBS software, FSX_DAT/TESTING/NETOPS, should be set in an access way that only sysops or very high access users can even SEE those Message Areas.



    pAULIE42o
    .........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From apam@21:3/197 to Nightfox on Mon Nov 3 00:53:22 2025
    What do you mean when you say they utilized weak settings? What
    settings can a BBS user configure that would be 'weak' in this
    instance? And what is s20g2?

    What paulie was referring to was the access to the FSX_DAT area, it's very
    easy to fake oneliners and say they are written by someone else as for
    some reason whoever made the oneliners originally used a field in the
    message body as who it's from, rather than the from field of the message.

    A user on any BBS could create an account with any username, so they
    could potentially create an account with the same name as someone else.

    Yeah, they could, but that wasn't the case in this instance, in this
    instance it was a user name of NIXDORF that was creating IBBS oneliners
    from other people, and while he could have for example signed up as Avon
    on 20 for beers, he couldn't sign up as Paulie420 as that username is
    taken there, but he could post oneliners that appear from Paulie420 as
    NIXDORF.

    Locking down the FSX_DAT area will fix this, as paulie has done.

    Maybe the oneliners need to be strengthened a bit to validate the from
    field with who the message is actually from? I don't know who wrote the
    original Mystic mod (I think it might have been gryphon?), but I think it
    would be fairly easy to do and maintain backward compatibility.

    Andrew


    --- envy/0.1-8c9ebf2
    * Origin: Quinn - Random Things - bbs.quinnos.com:2323 (21:3/197)
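
The check suggested in the post above (validating the Author field in the body against the message's real From field), sketched as an added example; it is not code from the thread or from the Mystic one-liner mod. It assumes the mod saves each one-liner with the header From set to the posting user's handle, and the names `parse_body` and `check_oneliner` are hypothetical.

```python
"""Added example: bind an InterBBS one-liner's body Author to the message header."""

SUBJECT = "InterBBS Oneliner"  # subject as shown in the thread


def parse_body(body):
    """Collect Author/Source/Oneliner fields from the plain-text layout in the thread."""
    fields = {"author": [], "source": [], "oneliner": []}
    for raw in body.splitlines():
        key, sep, value = raw.partition(":")
        key = key.strip().lower()
        if sep and key in fields:  # separator lines such as "-----" have no colon
            fields[key].append(value.strip())
    return fields


def check_oneliner(header_from, subject, body):
    """Return (accepted, reason); header_from is the message's real From field."""
    if subject.strip().lower() != SUBJECT.lower():
        return False, "not a one-liner message"
    fields = parse_body(body)
    # Exactly one Author and one Source: repeated fields make the claim ambiguous.
    for name in ("author", "source"):
        if len(fields[name]) != 1 or not fields[name][0]:
            return False, "missing or repeated %s field" % name
    if not any(fields["oneliner"]):
        return False, "no oneliner text"
    # Core check (assumed policy): body Author must match the header From.
    claimed = fields["author"][0]
    if claimed.casefold() != header_from.strip().casefold():
        return False, "author mismatch: body says %r, header says %r" % (
            claimed, header_from.strip())
    return True, "ok"


# Constructed sample, using the body layout quoted earlier in the thread.
FORGED = """-----Content of msg-----
Author: Avon
Source: The Agency
Oneliner:Some fake post
Oneliner:With many lines
-----"""

if __name__ == "__main__":
    print(check_oneliner("NIXDORF", SUBJECT, FORGED))  # rejected: author mismatch
    print(check_oneliner("Avon", SUBJECT, FORGED))     # accepted
```
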
  • From Dumas Walker@21:1/175 to paulie420 on Mon Nov 3 08:23:58 2025
    Re: Yet another 2oFB apology. :/
    By: paulie420 to All on Sun Nov 02 2025 11:41:55

    The user(s) [singular person] that posted the offending content was NIXDORF & Kevin Mitnick. These user(s) now have a flag banning them from local and IBBS one-liners - I've sent Avon an email discussing an fsxNet ban if warranted.

    Never heard of them.

    This does beg the question -- why would someone go to all that trouble? :(
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (21:1/175)
  • From Zip@21:1/202 to paulie420 on Mon Nov 3 21:01:00 2025
    Hello paulie420!

    On 02 Nov 2025, paulie420 said the following...

    The correct settings should have been:

    list :s255
    read :s255
    post :
    sysop :s255

    Glad to hear you managed to track down the reason and the users causing the trouble!

    Not sure if an empty ACS code will prevent posting, though, but % should definitely do so (it should always translate to "false"). I know I have used it for some areas which should never allow for "manual" posting.

    Also, congrats on the 50,000 callers -- that's quite an achievement! :)

    Best regards
    Zip

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
  • From ogg@21:2/147 to Zip on Mon Nov 3 15:06:28 2025
    Glad to hear you managed to track down the reason and the users causing the trouble!

    Not sure if an empty ACS code will prevent posting, though, but % should definitely do so (it should always translate to "false"). I know I have used it for some areas which should never allow for "manual" posting.

    I just put s255 in to only let me post. I won't, but that definitely stops anyone else.

    Also, congrats on the 50,000 callers -- that's quite an achievement! :)
    +1 as well!

    ogg
    SysOp, Altair IV BBS
    altairiv.ddns.net:2323

    ... DOS=HIGH? I knew it was on something...

    --- Mystic BBS v1.12 A49 2024/05/29 (Windows/64)
    * Origin: Altair IV BBS (altairiv.ddns.net:2323) (21:2/147)