• Mystic Happenings

    From Avon@21:1/101 to All on Mon Dec 10 02:40:01 2018
    Hi guys

    I have not had any contact with g00r00 at the time of penning this update but I can report he's again active and has been working on Mystic 1.12 Alpha 40

    Over the last 24 hours there has been a pre-release build for Windows
    released and in the last few hours Linux versions have appeared also.

    From the whatsnew.txt thus far...

    [snip]

    + Door command lines now have %R which will return the user name without
    underscores in the name.

    ! Fixed a bug where groups could be created with a duplicate ID.

    ! Fixed a bug in Python GotoXY function that would cause a crash when using
    it.

    + The MUTIL ImportNA function now allows a "use_ansi" default value to be
    defined when creating message bases.

    + The MUTIL Echomail Import function now allows a "use_ansi" default value
    to be defined when automatically creating message bases.

    + The MUTIL ImportMessageBase function now allows a "use_ansi" default value
    to be defined when creating message bases.

    + MIS FTP now logs when a SysOp deletes a file from a filebase via FTP

    + MIS FTP/NNTP/SMTP/POP3 servers now have a better idle/timeout system which
    will cause the server to shutdown more gracefully when exiting MIS with
    active connections.

    + New menu command: M! This is a rewrite of the message area index reader
    rebuilt to work identically to the file base index lister. See the
    msg_index.ini file for more details. Command line option is the template
    name or default to msg_index.ini if none is specified. I am not removing
    the old one just yet so that people have time to adapt to the new version
    and to test it for issues, but please note the old one will likely be
    replaced by this new one eventually once the features are all done and
    tested.

    + New MPL variable: UserPosts contains the number of posts a user has made

    + New MPL variable: UserDLs contains the number of downloads user has made

    + New MPL variable: UserULs contains the number of uploads user has made

    + Mystic now has a new User Editor which doesn't look a whole lot different
    than the old one, except that it incorporates some newer ideas that were
    introduced into the Echomail Node editor that makes jumping around between
    pages of information easier. One major thing to note is that you can no
    longer view user passwords and can now only "reset" user passwords.

    Like the other page-based editors you can scroll from the first or last
    item to change page, use the tab key, the pageup/down keys, the left
    and right arrows, or enter a page number directly to shift between pages.

    + Mystic now has a password policy in System Configuration where the minimum
    password length can be set along with number of required capital letters,
    numbers, and symbols. It is highly recommended that the minimum password
    length is set to at least 7 characters. Some default prompts have been
    updated to support this new feature: 18, 419, 420. If you have custom
    themes, you should take a look at the new defaults and consider updating
    your custom prompts as well.

    + Mystic now allows the option to store passwords in case insensitive
    cleartext and case insensitive hashing using industry standard methods for
    password storage.

    + Mystic now allows passwords to be stored using PBKDF2 with SHA512-bit
    hashing at variable configurable iterations. What does this mean? The
    biggest thing is that when enabled, Mystic will never store a user's
    password anywhere in the BBS system. This system is the same system used
    for Password Managers such as LastPass, 1Password and operating systems
    such as MacOS. In fact, with its variable iterations Mystic could be
    considered to be more secure than those products in terms of reverse
    engineering a user's password hash.

    Two new options are added into the Password Policy options, the first is a
    password storage method which has three options:

    ClearText Case Insensitive (This was the legacy storage method)
    ClearText Case Sensitive
    PBKDF2 SHA512 Hash (This is also case sensitive)

    It is highly recommended to use password hashing and stop using cleartext
    passwords. With password hashing enabled, a person could be given your
    users.dat and they still would not be able to get a user's password.

    The second option is VERY important when using PBKDF2 and that is the
    number of iterations the process will use when hashing a password. The
    default value is 1000 and may be considered a little low in terms of
    enterprise level password storage but it works at a reasonable speed for
    most systems. In general, the higher the number of iterations the more
    secure it is, but the longer it will take for Mystic to store or check a
    password.

    Setting this value to 10,000 on an original Raspberry Pi for example may
    cause Mystic to take 10+ seconds to store or check a password and for many
    that may be too slow.

    It is recommended that it is kept at 3000 or lower for performance reasons
    unless you know what you are doing. Even at this level PBKDF2 with a 512
    bit hashing system is more secure than any other BBS software today. If
    you find the delay for 1000 is too short you can adjust the value but just
    beware that if you change hardware someday, those values still remain...

    The way the system works is that a user's password is stored in the format
    configured at the time their password is set, including the iterations. The
    password remains stored in this format even if you change the storage
    method until the user changes their password or you reset it using the user
    editor.

    Because of this, it is imperative that you do not set the iteration level
    too high for the hardware you are using to run your BBS now or in the
    future.

    + Mystic user passwords have now been expanded to 25 characters maximum.

    + Mystic now allows passwords to be reset via Internet e-mail. This option
    can be enabled in System Configuration -> Password Policy and will require
    that the SMTP sendmail/relay options are configured in the Server General
    Options tab. The user must also have a valid e-mail address assigned to
    their user account.

    If enabled, the user will be sent an e-mail with a randomly generated code
    and then prompted by the BBS to enter the code. Upon entering the code
    the user will be prompted to change their password and finally logged into
    the BBS as if they had typed their password in correctly.

    8 new prompts have been added to the themes to support this new feature
    most having 4 promptinfo MCI codes active: &1=min length &2=min caps
    &3=min nums &4=min symbols. These new prompts (538-546) will need to
    be added to your custom themes if you have them. See the upgrade.txt
    for more information.

    + New Configuration theme: Turbo Vision

    + Mystic's built in RAR archive functions should now work with newer RAR5
    format RAR files. If you encounter any issues viewing a RAR file please
    e-mail me a link to download the same file or the file itself so I can
    take a look at it. Keep in mind Mystic does not allow you to view
    encrypted archives.

    + Changed the e(X)it command in the text editor to (Q)uit to match that of
    the ANSI editor.

    [snip]

    I have been testing the new index reader and it looks nice. Have been unable
    to get SMTP user validation via email working as yet. I am unsure of a good relay service to use that will support the auth type settings on offer from Mystic.

    The new user password security seems to be working well but I have
    encountered a few users so far that seem to have login issues at Agency. I'm monitoring that one.

    That's all for now.

    Best, Paul

    --- Mystic BBS v1.12 A40 2018/12/07 (Windows/32)
    * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)
  • From NuSkooler@21:1/121 to Avon on Sun Dec 9 07:48:40 2018

    On Sunday, December 9th Avon muttered...
    + Door command lines now have %R which will return the user name without
    underscores in the name.

    Any idea what drove this?


    On Sunday, December 9th Avon muttered...
    + Mystic now allows passwords to be stored using PBKDF2 with SHA512-bit

    Love seeing this.

    On Sunday, December 9th Avon was heard saying...
    + Mystic now allows passwords to be reset via Internet e-mail.

    And this.






    --- ENiGMA 1/2 v0.0.9-alpha (linux; x64; 10.13.0)
    * Origin: Xibalba -+- xibalba.l33t.codes:44510 (21:1/121)
  • From Cmech@21:2/117 to Avon on Sun Dec 9 09:00:22 2018
    *
    * On Sunday 09 Dec 2018 343 at 09:40 PM,
    * Avon said to All,
    * about Mystic Happenings ...
    *

    Yes! He's back {chuckle} and A40 is stable so far, thanks :)


    .- Keep the faith, --------------------------------------------------.
    | |
    | Ben aka cMech Web: http|ftp|binkp|telnet|ssh://cmech.dynip.com |
    | |
    | vvvvvv Email: fido4cmechSPAM(at)lusfiberBLOCK.net |
    | { O O } Home page: http://cmech.dynip.com/homepage/ |
    | __m___oo___m__ |
    `--| | | |- WildCat! BBS 24/7 +1-337-984-4794 any BAUD 8,N,1 -'

    ... It's nice living in the Upper Ottawa Valley.
    --- GoldED+/W32-MSVC v1.1.5-g20180902 + Mystic BBS v1.12 A40 2018/12/07
    * Origin: FSXNet - Positronium: telnet://cmech.dynip.com (21:2/117)
  • From g00r00@21:1/112 to Avon on Sun Dec 9 11:10:33 2018
    I have not had any contact with g00r00 at the time of penning this
    update but I can report he's again active and has been working on Mystic 1.12 Alpha 40
    Over the last 24 hours there has been a pre release build for windows released and in the last few hours Linux versions have appeared also.

    This weekend I finally finished rebuilding the Linux 32/64-bit machines that I had been working on off and on the past few weekends.

    I just uploaded a new build for Windows and Linux based off of the latest code tonight which probably has the e-mail validation in it and a couple of other things that weren't in the whatsnew that you posted.

    --- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
    * Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)
  • From g00r00@21:1/112 to NuSkooler on Sun Dec 9 11:11:13 2018
    + Door command lines now have %R which will return the user name wit
    underscores in the name.

    Any idea what drove this?

    Someone asked for it, so I added it :)

    --- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
    * Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)
  • From Black Panther@21:1/186.2 to g00r00 on Sun Dec 9 21:17:03 2018
    I just uploaded a new build for Windows and Linux based off of the latest code tonight which probably has the e-mail validation in it and a couple of other things that weren't in the whatsnew that you posted.

    Welcome back, g00r00! Glad to see your smiling... message... :)




    ---
    Black Panther(RCS)
    aka Dan Richter
    Sysop - Castle Rock BBS
    telnet://bbs.castlerockbbs.com
    http://www.castlerockbbs.com
    The sparrows are flying again...


    --- MagickaBBS v0.12alpha (Linux/armv7l)
    * Origin: Castle Rock Magicka Pi (21:1/186.2)
  • From Black Panther@21:1/186.2 to g00r00 on Sun Dec 9 21:17:49 2018
    Any idea what drove this?

    Someone asked for it, so I added it :)

    Good reason... :)



    ---
    Black Panther(RCS)
    aka Dan Richter
    Sysop - Castle Rock BBS
    telnet://bbs.castlerockbbs.com
    http://www.castlerockbbs.com
    The sparrows are flying again...


    --- MagickaBBS v0.12alpha (Linux/armv7l)
    * Origin: Castle Rock Magicka Pi (21:1/186.2)
  • From deon@21:2/116.1 to Avon on Mon Dec 10 09:34:04 2018
    On 12/09/18, Avon said the following...
    I have not had any contact with g00r00 at the time of penning this
    update but I can report he's again active and has been working on Mystic 1.12 Alpha 40

    I don't know how to get feedback to g00r00 (or if he listens in this network?) but can you get some feedback to him - here are my notes:

    * Can PackMessageBases use "move" instead of "rename"? You can't rename across different block devices - which occurs if your "temp" is on a different
    device to the message base paths.

    * The |TI on pre-login shows AM/PM, but once logged in doesn't.

    * Date on pre-login doesn't follow D/M/Y

    * When SSHing in, the "invisible login" prompt doesn't obey "-Y"

    * Creating a filebox errors 216 (workaround, create dir first)

    I've also noticed some issue with replying to netmails (and maybe because I'm
    a point.) For example, when Al netmails me, if I press "reply", the default "to" address is mine, not Al's. This doesn't happen to everybody, but I notice it happens when Al sends me something.

    Thanks.

    ...deon

    _--_|\ | Deon George
    / \ | Chinwag BBS - A BBS on a PI in Docker!
    \_.__.*/ |
    V | Coming from the 'burbs of Melbourne, Australia

    --- Mystic BBS v1.12 A39 2018/04/21 (Raspberry Pi/32)
    * Origin: Chinwag | MysticBBS in Docker on a Pi! (21:2/116.1)
  • From nristen@21:1/161 to Avon on Mon Dec 10 16:50:18 2018
    update but I can report he's again active and has been working on Mystic 1.12 Alpha 40

    Very cool - looks like lots of exciting changes.

    The one thing that I am most curious about is how the upgrade process will
    work especially in regards to the password storage options.

    Nristen
    aka karl harris
    keybase.io/nristen

    --- Mystic BBS v1.12 A39 2018/04/21 (Raspberry Pi/32)
    * Origin: The Search BBS (21:1/161)
  • From g00r00@21:1/112 to nristen on Tue Dec 11 00:05:37 2018
    Very cool - looks like lots of exciting changes.

    The one thing that I am most curious about is how the upgrade process
    will work especially in regards to the password storage options.

    Nothing will be out of the ordinary; you will just run "upgrade" and it will convert the passwords over. Initially the passwords will be stored in the "legacy" format meaning case insensitive cleartext in the user database...

    If you set it to PBKDF2 then Mystic will only store user passwords using
    the storage method moving forward. Meaning that you'd have to force users to change their passwords on next login if you wanted to make sure everyone's password is stored as case-sensitive PBKDF2.

    --- Mystic BBS v1.12 A39 2018/04/21 (Windows/32)
    * Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)
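
The storage behaviour described in the whatsnew and in the reply above (each record keeps the method and iteration count that were configured when the password was set, and only a password change or reset moves it to the current policy), as an added example that is not Mystic's code. The record layout, the per-user salt and every function name are assumptions, and the users are constructed sample data.

```python
import hashlib
import hmac
import os

# Hypothetical record layout for illustration; NOT Mystic's users.dat format.
LEGACY, CLEAR_CS, PBKDF2 = "clear_ci", "clear_cs", "pbkdf2_sha512"

def make_record(password, method, iterations=1000):
    """Store a password in the method configured at the time it is set."""
    if method == PBKDF2:
        salt = os.urandom(16)  # per-user random salt (assumed; the page does not mention one)
        digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
        return {"method": PBKDF2, "iterations": iterations, "salt": salt, "hash": digest}
    stored = password.upper() if method == LEGACY else password
    return {"method": method, "secret": stored}

def verify(record, attempt):
    """Check a login with the parameters saved in the record, not the current policy."""
    if record["method"] == PBKDF2:
        digest = hashlib.pbkdf2_hmac("sha512", attempt.encode(),
                                     record["salt"], record["iterations"])
        return hmac.compare_digest(digest, record["hash"])
    if record["method"] == LEGACY:
        attempt = attempt.upper()  # legacy storage ignores case
    return hmac.compare_digest(attempt.encode(), record["secret"].encode())

def needs_reset(users, policy_method, policy_iterations):
    """Names whose stored format still differs from the current policy."""
    stale = []
    for name, rec in users.items():
        if rec["method"] != policy_method:
            stale.append(name)  # e.g. still cleartext after switching to PBKDF2
        elif rec["method"] == PBKDF2 and rec["iterations"] < policy_iterations:
            stale.append(name)  # hashed, but at an older iteration count
    return sorted(stale)

def build_sample_users():
    # Constructed sample data: one legacy record, two hashed at different counts.
    return {
        "alice": make_record("Tr0ub4dor&3", LEGACY),
        "bob": make_record("Correct-Horse-9", PBKDF2, 1000),
        "carol": make_record("Battery!Staple7", PBKDF2, 3000),
    }

if __name__ == "__main__":
    users = build_sample_users()
    print("force password change for:", needs_reset(users, PBKDF2, 3000))
```
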
  • From nristen@21:1/161 to g00r00 on Tue Dec 11 14:26:18 2018
    The one thing that I am most curious about is how the upgrade process will work especially in regards to the password storage options.

    If you set it to PBKDF2 then Mystic will only store user passwords using the storage method moving forward. Meaning that you'd have to force
    users to change their passwords on next login if you wanted to make sure everyone's password is stored as case-sensitive PBKDF2.

    Ok, now that makes sense.

    Nristen
    aka karl harris
    keybase.io/nristen

    --- Mystic BBS v1.12 A39 2018/04/21 (Raspberry Pi/32)
    * Origin: The Search BBS (21:1/161)