Stories with Tag New Zealand

• Flame – BBS and MUD

  permalink

  Posted: 2025-03-31 12:54:46

  Verbose tl;dr

  Flame is a free and accessible telnet-based Bulletin Board System (BBS) and Multi-User Dungeon (MUD) hosted by the University of Canberra Computer Club. It offers a nostalgic online experience with classic BBS features like forums, file transfers, and games, alongside a MUD environment for text-based roleplaying and exploration. Flame aims to provide a friendly and welcoming community for both experienced users familiar with these older systems and newcomers curious to explore the history of online communities. Users can connect via telnet or through a web-based interface, making it easily accessible.

  The University of Canberra Computer Club (UCCC) proudly hosts Flame, a versatile platform that harkens back to the golden age of online text-based communities. Flame concurrently serves as both a Bulletin Board System (BBS) and a Multi-User Dungeon (MUD), offering a diverse range of experiences for users seeking text-based interaction. Accessible through telnet, users can connect directly to flame.ucc.asn.au on port 23, bypassing the need for specialized software. For those preferring a more modern approach, a web client is also available, offering a convenient gateway to the same rich content.

  As a BBS, Flame provides a classic forum for asynchronous communication. Users can engage in threaded discussions across a spectrum of topics within various message boards, share files through a dedicated file transfer system, and exchange personal messages with other members of the community. This functionality replicates the core experience of traditional BBS systems, fostering a sense of community and facilitating the exchange of information and ideas.

  Simultaneously, Flame functions as a MUD, offering a dynamic and interactive virtual world. Users can create and customize characters, embark on text-based adventures, explore intricate virtual environments, and interact with other players in real-time. This MUD component expands upon the static nature of the BBS, introducing a layer of immersive role-playing and collaborative storytelling.

  The post highlights the unique blend of these two distinct yet complementary services, emphasizing Flame's ability to cater to both those seeking asynchronous discussion and those desiring real-time interactive experiences. The enduring legacy of BBS and MUD culture is preserved and celebrated within Flame, offering a nostalgic glimpse into the past while simultaneously providing a vibrant platform for ongoing community engagement. The UCCC, as custodians of Flame, actively encourages new users to join and experience this unique digital realm.

  • bbs
  • MUD
  • Telnet
  • Retro Computing
  • online community
  • Internet History
  • dial-up
  • Text-Based Game
  • Virtual World
  • Multi-User Dungeon
  • Bulletin Board System
  • UCC
  • University of Canterbury (NZ)
  • New Zealand

  Summary of Comments ( 9 )
  https://news.ycombinator.com/item?id=43534480

  Verbose tl;dr

  Hacker News users discuss Flame, a BBS and MUD software package. Several commenters reminisce about their experiences with BBSes and MUDs, expressing nostalgia for that era of online interaction. Some discuss the technical aspects of Flame, praising its features and flexibility, and comparing it to other contemporary systems. A few users mention trying to get it running on modern hardware, with varying degrees of success. There's a brief discussion about the challenges of preserving old BBS software and data. Overall, the comments reflect a fondness for the history of online communities and an appreciation for Flame's role in it.

  The Hacker News post titled "Flame – BBS and MUD" has generated a moderate amount of discussion with several commenters sharing their experiences and insights related to BBSs and MUDs.

  One commenter reminisces about their early online experiences with bulletin board systems and dial-up modems, recalling the thrill of exploring new online worlds and the limitations of slow connection speeds. They also express a sense of nostalgia for the simpler times of early online communities.

  Another commenter dives deeper into the technical aspects, discussing the challenges of running a BBS with limited hardware resources and the ingenuity required to optimize performance. They mention specific hardware limitations and the clever workarounds employed to overcome them.

  Several comments focus on the unique culture of BBSs and MUDs, contrasting them with modern social media platforms. They highlight the stronger sense of community and the deeper connections fostered in these smaller, more focused online spaces. Some express a longing for the text-based interactions and the emphasis on creativity and imagination that characterized these earlier online environments.

  There's a discussion about the role of BBSs and MUDs in the development of online communities and the internet as a whole. Commenters acknowledge their importance as precursors to modern social platforms and online gaming. They also point to the influence of BBSs and MUDs on the development of internet technologies and culture.

  A few comments mention the challenges of preserving the history and legacy of BBSs and MUDs, with some suggesting resources and initiatives dedicated to archiving and documenting these early online spaces. They emphasize the importance of preserving these digital artifacts for future generations.

  One commenter points out the link provided in the original post actually leads to the Flame University Computer Club homepage rather than a specific page about Flame itself. They helpfully provide a direct link to the Flame documentation.

  Finally, a commenter highlights the unusual combination of BBS and MUD functionality in Flame, suggesting that it represents a unique hybrid of these two distinct online platforms. They find this combination intriguing and express curiosity about the technical implementation and user experience.

• How I pwned a major New Zealand service provider

  permalink

  Posted: 2025-03-24 23:07:14

  Verbose tl;dr

  A security researcher discovered a critical vulnerability in a major New Zealand service provider's website. By manipulating a forgotten password request, they were able to inject arbitrary JavaScript code that executed when an administrator viewed the request in their backend system. This cross-site scripting (XSS) vulnerability allowed the researcher to gain access to administrator cookies and potentially full control of the provider's systems. Although they demonstrated the vulnerability by merely changing the administrator's password, they highlighted the potential for far more damaging actions. The researcher responsibly disclosed the vulnerability to the provider, who promptly patched the flaw and awarded them a bug bounty.

  A New Zealand security researcher, operating under the pseudonym "Mr. Bruh," meticulously documented a series of escalating vulnerabilities discovered within a prominent, albeit unnamed, New Zealand service provider. This account details a concerning lapse in security practices, starting with a seemingly innocuous exposed .git directory on a publicly accessible server. This directory, a crucial component of the Git version control system, contained the complete source code for the service provider's website, including sensitive configuration files. Mr. Bruh exploited this initial vulnerability to gain access to database credentials, effectively granting him unauthorized access to the provider's core database.

  The researcher further exploited weaknesses within the system, leveraging these initial credentials to escalate his privileges. He discovered inadequately protected internal APIs, which, due to insufficient authorization checks, allowed him to perform actions beyond the scope of a regular user. This included manipulating account details and accessing internal tools intended solely for authorized personnel. The compromised APIs exposed customer data, including personally identifiable information, further exacerbating the severity of the breach.

  Mr. Bruh’s investigation also revealed a troubling lack of security logging and monitoring. This deficiency meant that his actions went largely undetected, allowing him to explore the system's vulnerabilities over an extended period without triggering any alarms. The lack of proper logging hindered the service provider's ability to track the extent of the breach and identify the compromised data.

  Throughout the process, Mr. Bruh meticulously documented his findings, including screenshots and technical details of the vulnerabilities he encountered. He emphasized the systemic nature of these security flaws, highlighting not just isolated incidents but a pervasive disregard for basic security practices. After responsibly disclosing the vulnerabilities to the affected service provider through their official channels, Mr. Bruh waited an appropriate period for them to rectify the issues. Following this period of responsible disclosure, he published a detailed account of his findings, redacting any information that could further compromise the provider or its customers, with the intent of educating the wider community about the importance of robust security measures. He concludes by expressing his disappointment with the service provider's overall security posture, emphasizing the potential for far more damaging exploitation by malicious actors.

  • Cybersecurity
  • Penetration Testing
  • Ethical Hacking
  • vulnerability disclosure
  • New Zealand
  • Service Provider
  • security breach
  • Web Security
  • hacking
  • information security
  • Data Breach

  Summary of Comments ( 2 )
  https://news.ycombinator.com/item?id=43466355

  Verbose tl;dr

  HN commenters discuss the ethical implications of the author's actions, questioning whether responsible disclosure was truly attempted given the short timeframe and lack of clear communication with the affected company. Several express skepticism about the "major" provider claim, suggesting it might be smaller than portrayed. Some doubt the technical details, pointing out potential flaws in the exploit description. Others debate the legality of the actions under New Zealand law, with some suggesting potential CFAA violations, despite the author's New Zealand origin. A few commenters offer alternative explanations for the observed behavior, proposing it might be a misconfiguration rather than a vulnerability. The overall sentiment is critical of the author's approach, emphasizing the potential for harm and the importance of responsible disclosure practices.

  The Hacker News post titled "How I pwned a major New Zealand service provider" (linking to https://mrbruh.com/majorprovider/) generated a significant discussion with a variety of comments. Several commenters focused on the ethical implications and responsible disclosure practices of the author.

  One compelling line of discussion revolved around the perceived recklessness of the author's actions. Some argued that escalating access to the point of root, even unintentionally, crossed a significant ethical line, especially given the potential for widespread disruption. They emphasized the importance of responsible disclosure and suggested that the author should have stopped at demonstrating the initial vulnerability and reported it immediately. Others countered that the author's curiosity and desire to understand the full extent of the vulnerability were understandable, especially given the provider's seemingly dismissive response.

  Another key point of discussion was the security posture of the affected provider. Several commenters expressed concern about the apparent lack of basic security measures, such as proper input sanitization and access controls. They questioned the competency of the provider's security team and speculated on the potential consequences of such lax security practices.

  Several users also debated the legality of the author's actions. While some argued that the author's actions likely violated New Zealand law, others pointed out the potential ambiguity of the relevant legislation and the difficulty of proving intent.

  The comment section also included technical discussions regarding the specific vulnerabilities exploited by the author. Some users dissected the technical details of the exploits, while others offered suggestions for mitigating similar vulnerabilities.

  A recurring theme was the contrast between the author's perceived youthful enthusiasm and the provider's apparent apathy. Many commenters expressed sympathy for the author's situation, while criticizing the provider's dismissive response.

  Finally, several commenters discussed the potential consequences for the author, ranging from legal repercussions to reputational damage. The discussion highlighted the complex ethical and legal landscape surrounding security research and responsible disclosure.