• Yet another 2oFB apology. :/

    From paulie420@21:2/150 to All on Sunday, November 02, 2025 11:41:55
    A user @ 2oFB utilized weak settings (s20g2) on FSX_DAT. They were able to post and send out vulgar and racist IBBS one-liners. Not only did they post inappropriate one-liners, but they posted 'as' Avon, Smooth, jACK pHLASH and other leaders of the BBS community.

    I've tightened settings on FSX_DAT, DUPES, TESTING, etc. to s255 for list, read - <s100 users won't see those bases in the future.

    It's really fun that 2oFB gets callers from the BBS community - and BEYOND. We are listed on a few CTF websites; which brings a different user that may not know how wonderful this community is - and think they're 'hacking history' - it just sucks that I didn't already have the security in place that stops these basic non-hacks from happening - I apologize to anyone who was offended by, or was posted as, any of those one-liners.

    The user(s) [singular person] that posted the offending content was NIXDORF & Kevin Mitnick. These user(s) now have a flag banning them from local and IBBS one-liners - I've sent Avon an email discussing an fsxNet ban if warranted.

    2oFB and I apologize to fsxNet and the BBS community. :/ Again.



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From esc@21:3/203 to paulie420 on Sunday, November 02, 2025 20:33:02
    The user(s) [singular person] that posted the offending content was
    NIXDORF & Kevin Mitnick. These user(s) now have a flag banning them
    from local and IBBS one-liners - I've sent Avon an email discussing an fsxNet ban if warranted.

    Isn't Kevin Mitnick some famous OG hacker or something? I bet the user isn't actually him but someone cosplaying as him.

    |03--|11[|05esc|13!|05dEMONIC|11]|03--|07

    --- DayDream BBS/UNIX (Linux) 2.15a
    * Origin: [>mONTEREYbBS.COM>] (21:3/203)
  • From Nightfox@21:1/137 to paulie420 on Sunday, November 02, 2025 12:51:00
    Re: Yet another 2oFB apology. :/
    By: paulie420 to All on Sun Nov 02 2025 11:41 am

    A user @ 2oFB utilized weak settings (s20g2) on FSX_DAT. They were able to post and send out vulgar and racist IBBS one-liners. Not only did they post inappropriate one-liners, but they posted 'as' Avon, Smooth, jACK pHLASH and other leaders of the BBS community.

    What do you mean when you say they utilized weak settings? What settings can a BBS user configure that would be 'weak' in this instance? And what is s20g2?

    A user on any BBS could create an account with any username, so they could potentially create an account with the same name as someone else. I don't think that has anything to do with any settings on the user's side that could be considered 'weak' or 'strong'.

    Nightfox
    --- SBBSecho 3.31-Linux
    * Origin: Digital Distortion: digdist.synchro.net (21:1/137)
  • From ogg@21:2/147 to Nightfox on Sunday, November 02, 2025 15:21:07
    What do you mean when you say they utilized weak settings? What
    settings can a BBS user configure that would be 'weak' in this instance? And what is s20g2?

    s20g2 is a security setting for users. A new user would generally be set to s10. A "validated" user is typically bumped up to something higher. The sysop is typically s255. Btw, g2 is the "group" setting with the echo areas (fidonet, fsxNet, etc.) defined as their own group. These are defined by the sysop while setting up the bbs.

    |11ogg
    |11SysOp, Altair IV BBS
    |11altairiv.ddns.net:2323

    ... My reality check just bounced

    --- Mystic BBS v1.12 A49 2024/05/29 (Windows/64)
    * Origin: Altair IV BBS (altairiv.ddns.net:2323) (21:2/147)
  • From Nightfox@21:1/137 to ogg on Sunday, November 02, 2025 14:18:28
    Re: Yet another 2oFB apology. :/
    By: ogg to Nightfox on Sun Nov 02 2025 03:21 pm

    What do you mean when you say they utilized weak settings? What
    settings can a BBS user configure that would be 'weak' in this instance?
    And what is s20g2?

    s20g2 is a security setting for users. A new user would generally be set to s10. A "validated" user is typically bumped up to something higher. The sysop is typically s255. Btw, g2 is the "group" setting with the echo areas (fidonet, fsxNet, etc.) defined as their own group. These are defined by the sysop while setting up the bbs.

    Is that something in Mystic? (I use Synchronet, so I'm not very familiar with Mystic)

    Nightfox
    --- SBBSecho 3.31-Linux
    * Origin: Digital Distortion: digdist.synchro.net (21:1/137)
  • From ogg@21:2/147 to Nightfox on Sunday, November 02, 2025 16:31:06
    s20g2 is a security setting for users. A new user would generally be set to s10. A "validated" user is typically bumped up to something higher. The sysop is typically s255. Btw, g2 is the "group" setting with the echo areas (fidonet, fsxNet, etc.) defined as their own group. These are defined by the sysop while setting up the bbs.

    Is that something in Mystic? (I use Synchronet, so I'm not very
    familiar with Mystic)

    Yes. It's similar to how Synchronet uses Levels for user permissions.

    |11ogg
    |11SysOp, Altair IV BBS
    |11altairiv.ddns.net:2323

    ... The reason Santa is so jolly is because he knows where the bad girls live

    --- Mystic BBS v1.12 A49 2024/05/29 (Windows/64)
    * Origin: Altair IV BBS (altairiv.ddns.net:2323) (21:2/147)
  • From paulie420@21:2/150 to Nightfox on Sunday, November 02, 2025 15:53:57
    A user @ 2oFB utilized weak settings (s20g2) on FSX_DAT. They were able to post and send out vulgar and racist IBBS one-liners. Not only did they post inappropriate one-liners, but they posted 'as' Avon, Smooth, jACK pHLASH and other leaders of the BBS community.

    What do you mean when you say they utilized weak settings? What
    settings can a BBS user configure that would be 'weak' in this instance? And what is s20g2?

    A user on any BBS could create an account with any username, so they
    could potentially create an account with the same name as someone else.
    I don't think that has anything to do with any settings on the user's
    side that could be considered 'weak' or 'strong'..

    That's not what it was. Two [different, I've found out] users were able to utilize 2oFB's weak fsxNet Message Base ACS settings. I had FSX_DAT set to:

    list :s20
    read :s20
    post :s20
    sysop :s255

    The correct settings should have been:

    list :s255
    read :s255
    post :
    sysop :s255

    The users were able to create fake InterBBS Onliner posts like this:

    Title: InterBBS Oneliner
    -----Content of msg-----
    Author: Avon
    Source: The Agency
    Oneliner:Some fake post
    Oneliner:With many lines
    -----

    Once saved, they were routed thru fsxNet to many BBSes IBBS one-liner mod. Of course I realize that user 'Kevin Mitnick' isn't the infamous hacker turned computer security consultant that died in 2o23 - rather was just letting other sysops know the 2 users involved; NIXDORF [non vulgar, but using others handles] and Kevin Mitnick [who posted vulgar and racist posts]...

    I've banned both from using the IBBS one-liners and local one-liners right at the Menu Command - and I've set FSX_DAT to correct setting to disallow ANY user from utilizing non-obfuscated InterBBS Oneliner posts because they now can't SEE FSX_DAT.

    :P



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From paulie420@21:2/150 to esc on Sunday, November 02, 2025 15:54:56
    The user(s) [singular person] that posted the offending content was NIXDORF & Kevin Mitnick. These user(s) now have a flag banning them from local and IBBS one-liners - I've sent Avon an email discussing an fsxNet ban if warranted.

    Isn't Kevin Mitnick some famous OG hacker or something? I bet the user isn't actually him but someone cosplaying as him.

    :P Yes, it seems Mr. Mitnick's luck ran out summer of 2o23; but that doesn't stop young script-kiddies from using the moniker. :P



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From paulie420@21:2/150 to Nightfox on Sunday, November 02, 2025 15:56:07
    Is that something in Mystic? (I use Synchronet, so I'm not very
    familiar with Mystic)

    Yep; on any BBS software, FSX_DAT/TESTING/NETOPS should be set in an access way that only sysops or very high access users can even SEE those Message Areas.



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From apam@21:3/197 to Nightfox on Monday, November 03, 2025 00:53:22
    What do you mean when you say they utilized weak settings? What
    settings can a BBS user configure that would be 'weak' in this
    instance? And what is s20g2?

    What paulie was referring to was the access to the FSX_DAT area, it's very
    easy to fake oneliners and say they are written by someone else as for
    some reason whoever made the oneliners originally used a field in the
    message body as who it's from, rather than the from field of the message.

    A user on any BBS could create an account with any username, so they
    could potentially create an account with the same name as someone else.

    Yeah, they could, but that wasn't the case in this instance, in this
    instance it was a user name of NIXDORF that was creating IBBS oneliners
    from other people, and while he could have for example signed up as Avon
    on 20 for beers, he couldn't sign up as Paulie420 as that username is
    taken there, but he could post oneliners that appear from Paulie420 as
    NIXDORF.

    Locking down the FSX_DAT area will fix this, as paulie has done.

    Maybe the oneliners needs to be strengthened a bit to validate the from
    field with who the message is actually from? I don't know who wrote the original mystic mod (i think it might have been gryphon?), but I think it
    would be fairly easy to do and maintain backward compatibility.

    Andrew


    --- envy/0.1-8c9ebf2
    * Origin: Quinn - Random Things - bbs.quinnos.com:2323 (21:3/197)
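An added example, not code from the thread nor from the Mystic IBBS one-liner mod, showing the check apam proposes above: treat the "Author:" field inside the message body (the layout paulie420 quoted earlier in the thread) as untrusted, and only accept the one-liner when it matches the From name in the echomail header. The header field names, the `EchoMessage` container, the pipe-code stripping and the sample messages are all assumptions made for this example.

```python
# Added example (not part of the thread, nor of the Mystic IBBS one-liner mod):
# accept an InterBBS Oneliner only when the body's "Author:" field matches the
# echomail header's From name. Header layout, EchoMessage and the sample
# messages are assumptions for the example; the body layout follows the thread.
import re
from dataclasses import dataclass

PIPE_CODE = re.compile(r"\|\d{2}")  # Mystic-style |07 colour codes (assumed format)
FIELD = re.compile(r"^(Author|Source|Oneliner):\s*(.*)$", re.IGNORECASE)


@dataclass
class EchoMessage:
    """Minimal view of an echomail message: header From name, subject and body."""
    from_name: str
    subject: str
    body: str


def parse_oneliner_body(body: str) -> dict:
    """Pull Author/Source/Oneliner fields out of a body framed by '-----' lines."""
    author, source, lines = None, None, []
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("-----"):
            continue  # framing lines carry no data
        m = FIELD.match(line)
        if not m:
            continue  # anything else is ignored, not trusted
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "author":
            author = value
        elif key == "source":
            source = value
        else:
            lines.append(value)
    return {"author": author, "source": source, "lines": lines}


def normalize_name(name: str) -> str:
    """Strip pipe codes, collapse whitespace and fold case before comparing handles."""
    return " ".join(PIPE_CODE.sub("", name).split()).casefold()


def validate_oneliner(msg: EchoMessage) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects when Author does not match header From."""
    if msg.subject.strip().casefold() != "interbbs oneliner":
        return False, "not-a-oneliner"
    fields = parse_oneliner_body(msg.body)
    if not fields["author"]:
        return False, "missing-author"
    if not fields["lines"]:
        return False, "empty-oneliner"
    if normalize_name(fields["author"]) != normalize_name(msg.from_name):
        return False, "author-mismatch"
    return True, "ok"


# Constructed sample messages, modelled on the layout quoted in the thread.
LEGIT = EchoMessage(
    from_name="Avon", subject="InterBBS Oneliner",
    body="-----Content of msg-----\nAuthor: Avon\nSource: The Agency\n"
         "Oneliner:Hello from the Agency\n-----\n")
FORGED = EchoMessage(
    from_name="NIXDORF", subject="InterBBS Oneliner",
    body="-----Content of msg-----\nAuthor: Avon\nSource: The Agency\n"
         "Oneliner:Some fake post\nOneliner:With many lines\n-----\n")

if __name__ == "__main__":
    for tag, m in (("legit", LEGIT), ("forged", FORGED)):
        print(tag, validate_oneliner(m))
```

This only ties the claimed author to the account that actually posted the message; it does not stop someone who registers a handle like "Avon" on a BBS that allows it, which is the point Nightfox raises. Locking the base down so ordinary users cannot post into it at all, as paulie420 did, remains the primary control; the check above is a second layer for the receiving side.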
  • From Dumas Walker@21:1/175 to paulie420 on Monday, November 03, 2025 08:23:58
    Re: Yet another 2oFB apology. :/
    By: paulie420 to All on Sun Nov 02 2025 11:41:55

    The user(s) [singular person] that posted the offending content was NIXDORF & Kevin Mitnick. These user(s) now have a flag banning them from local and IBBS one-liners - I've sent Avon an email discussing an fsxNet ban if warranted.

    Never heard of them.

    This does beg the question -- why would someone go to all that trouble? :(
    --- SBBSecho 3.28-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (21:1/175)
  • From Zip@21:1/202 to paulie420 on Monday, November 03, 2025 21:01:00
    Hello paulie420!

    On 02 Nov 2025, paulie420 said the following...

    The correct settings should have been:

    list :s255
    read :s255
    post :
    sysop :s255

    Glad to hear you managed to track down the reason and the users causing the trouble!

    Not sure if an empty ACS code will prevent posting, though, but % should definitely do so (it should always translate to "false"). I know I have used it for some areas which should never allow for "manual" posting.

    Also, congrats on the 50,000 callers -- that's quite an achievement! :)

    Best regards
    Zip

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (21:1/202)
  • From ogg@21:2/147 to Zip on Monday, November 03, 2025 15:06:28
    Glad to hear you managed to track down the reason and the users causing the trouble!

    Not sure if an empty ACS code will prevent posting, though, but % should definitely do so (it should always translate to "false"). I know I have used it for some areas which should never allow for "manual" posting.

    I just put s255 in to only let me post. I won't but that definitely stops anyone else.

    Also, congrats on the 50,000 callers -- that's quite an achievement! :)
    +1 as well!

    |11ogg
    |11SysOp, Altair IV BBS
    |11altairiv.ddns.net:2323

    ... DOS=HIGH? I knew it was on something...

    --- Mystic BBS v1.12 A49 2024/05/29 (Windows/64)
    * Origin: Altair IV BBS (altairiv.ddns.net:2323) (21:2/147)
  • From Exodus@21:1/144 to Dumas Walker on Monday, November 03, 2025 10:30:57
    Never heard of them.

    This does beg the question -- why would someone go to all that trouble? :(

    People are morons.

    ... Our world is like a cactus except the pricks are inside.

    --- Renegade v1.35/DOS
    * Origin: The Titantic BBS Telnet - ttb.rgbbs.info (21:1/144)
  • From paulie420@21:2/150 to apam on Monday, November 03, 2025 17:56:15
    Maybe the oneliners needs to be strengthened a bit to validate the from field with who the message is actually from? I don't know who wrote the original mystic mod (i think it might have been gryphon?), but I think it would be fairly easy to do and maintain backward compatibility.

    The IBBS Last Callers mod, by xqtr, uses much better obfuscation - I think base64, knowing xqtr... but not sure.

    IBBS one-liners could be better by not using clear text; but none of that matters if BBSes use proper security - that 2oFB was NOT doing - so I'd mentioned updating the fsxNet infopack [Unless it already discusses this and I simply DIDN'T implement security correctly...] so that new sysOps made sure to secure their BBSes so these instances never happened...

    At any rate, I'm just some nerd trying - and with the traffic I've been gifted, some bad actors will always find the flaws. :/



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From paulie420@21:2/150 to Dumas Walker on Monday, November 03, 2025 17:57:55
    The user(s) [singular person] that posted the offending content was NIXDORF & Kevin Mitnick. These user(s) now have a flag banning them from local and IBBS one-liners - I've sent Avon an email discussing an fsxNet ban if warranted.

    Never heard of them.

    This does beg the question -- why would someone go to all that trouble?

    ... for some reason, 2oFB has callers from the BBS community - and beyond - and thats great; but with the increased traffic, it points out that security is important - even on these weird legacy systems we all love so much...

    And I can only apologize and hope the community knows my intentions - I've buttoned it up... [And still prolly have other issues - an audit is in ORDER!]

    :P



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From paulie420@21:2/150 to ogg on Monday, November 03, 2025 18:04:40
    Not sure if an empty ACS code will prevent posting, though, but % should definitely do so (it should always translate to "false"). I know I have used it for some areas which should never allow for "manual" posting.

    I just put s255 in to only let me post. I won't but that definitely
    stops anyone else.

    If an s255 for post on FSX_DAT, will the IBBS oneliners .mps be able to post in that base???



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From Exodus@21:1/144 to Paulie420 on Monday, November 03, 2025 21:28:59
    IBBS one-liners could be better by not using clear text; but none of that matters if BBSes use proper security - that 2oFB was NOT doing - so I'd mentioned updating the fsxNet infopack [Unless it already discusses this and I simply DIDN'T implement security correctly...] so that new sysOps made sure to secure their BBSes so these instances never happened...

    I don't know why this base is a base anyways. Doesn't Mystic have an option for its mail to still process mail without creating a base?

    With GEcho, I can create the data I would need, and Renegade would NEVER know it existed. The beauty of using Fido software as it was intended, and not how someone half-assed it into a bbs software. :(

    NOT calling you out, just asking if you can do that or not in mystic

    ... More fun than @TO@ should be allowed.

    --- Renegade v1.35/DOS
    * Origin: The Titantic BBS Telnet - ttb.rgbbs.info (21:1/144)
  • From ogg@21:2/147 to paulie420 on Monday, November 03, 2025 20:34:15
    I just put s255 in to only let me post. I won't but that definitely stops anyone else.

    If an s255 for post on FSX_DAT, will the IBBS oneliners .mps be able to post in that base???



    pAULIE42o
    Is the .mps run as an event or by the sysop? If the sysop, then their
    security setting "s255" should let it through. If it's an event, then I "suspect" that it wouldn't. Since I don't run the .mps, I'm only guessing however.

    ogg

    --- Mystic BBS v1.12 A49 2024/05/29 (Windows/64)
    * Origin: Altair IV BBS (altairiv.ddns.net:2323) (21:2/147)
  • From paulie420@21:2/150 to Exodus on Monday, November 03, 2025 20:31:38
    I don't know why this base is a base anyways. Doesn't Mystic have an option for its mail to still process mail without creating a base?

    With GEcho, I can create the data I would need, and Renegade would NEVER know it existed. The beauty of using Fido software as it was intended, and not how someone half-assed it into a bbs software. :(

    NOT calling you out, just asking if you can do that or not in mystic


    Of course, RG is better than Mystic everyday of the week.... Sir Exodus. :P



    |07p|15AULIE|1142|07o
    |08.........

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)
  • From Kevin Mitnick@21:2/150 to Dumas Walker on Monday, November 03, 2025 21:33:32
    Hi guys. Mitnick here.

    This does beg the question -- why would someone go to all that trouble?

    For fun! What else could it be?
    You got a free security audit. How great. It's not my fault that this flaw existed. And there was no racist message - not sure where that came from. I'm kind of worried that few people know about Mitnick here!

    I don't care if it was offensive. Take it like a man.

    --- Mystic BBS v1.12 A49 2024/05/29 (Linux/64)
    * Origin: 2o fOr beeRS bbs>>>20ForBeers.com:1337 (21:2/150)