wcSECURE
"The Platinum Standard of BBS Caller Verification"

BBS Security Hints & Tips
from the Author of wcSECURE, Joe Goeller

In the world of BBS's, there are several types of Sysops. Most of them can be broken down into two groups: those that verify, and those that don't. For those Sysops who don't care who connects to their BBS, or whether callers are using a dozen fake login accounts to cheat the time or file downloading limits, this file and the wcSECURE program won't be of much use to you.

I wrote the program and then followed up with this hints file in an effort to aid the newer sysop with the chore of operating a fine-tuned BBS.

Before we dive into the core of the Hints & Tips, I've decided to relate a short story to you about one of our local sysops. I'll leave all names and factual references out of this document to preserve their privacy.

About 1 1/2 years ago, a local caller to the board decided to open up their own BBS. Being a freelancing, non-verifying type, this sysop opened up the BBS to all callers, no limits, no verification, etc.

About 6 months ago, this Sysop exchanged numerous e-mail messages with me, talking about all the problems this sysop had developed as a result of not verifying callers and allowing anyone onto the BBS. This sysop wanted to know what they could do to stop all the trouble that had occurred as a result of this open-ended BBS.

My first advice was to limit access until callers could be verified, at least to some degree. This sysop was concerned about being labeled a "control freak" (kiddie hackers often refer to BBS sysops that verify their callers as "control freaks", because they can't have their 12 or so login names to defeat any time or downloading limits).

After some hard months of trying to get a handle on things, this sysop was able to take the "control" back from the kiddie hackers.

Moral to the story: "Verify your callers from Day 1 and avoid all of the problems in the future!"

One important thing to keep in mind: your BBS is an extension of your home or office. You don't permit people you don't know to roam around your house for as long as they want, or do anything they want while they are there, do you? Of course not. You are the sysop of YOUR BBS. You can have as little or as much involvement in your BBS as you'd like. If you're running it part-time and only a few hours a day, screening your callers may not be as important. But if you're on-line 24 hours a day and become a popular system, you'll want to have a handle on your callers, so that everyone has a fair chance to call your system (and not have the kiddie hackers with 12+ login names tying up YOUR BBS for hours every day).

On to the Hints & Tips:

Tip #1: Only use REAL NAMES for logging in. BBS's which allow alias names for logging in will have tremendous difficulty in keeping track of things. Additionally, many kiddie hackers refuse to use their real name on BBS's, and as such, won't call those BBS's which require them!

Tip #2: Require REAL phone Numbers & other Caller Information. If you get to be a popular BBS, you'll want to be able to make sure your caller database is complete, not only for the liability concerns, but for security as well.

Tip #3: Verify your callers! How you verify your callers is your choice. Voice verification offers a high degree of security for your BBS. Voice verification plus a screening program such as wcSECURE will give you the most secure environment.

Part of the reason I created wcSECURE was out of my own personal need. I wanted something that would tell me if someone was duplicated on the system. There are some freeware programs which give you a printout of duplicated caller information, but I found these to be difficult to use at best. Checking for duplicated information from the caller's very first call proved to be highly effective in screening callers.
Many callers with first names that have several forms, like Richard, were calling back a week or so later with RICH, RICK, etc. In the first week of beta testing, 2 callers using this approach were accurately identified by wcSECURE. Continued use has shown that numerous callers are calling back with variations of their first names. Honest mistake or ????

Tip #4: Have a consistent policy regarding people who try to cheat your BBS. By always handling the "less than honorable" callers the same way, you eliminate the "personal" attack that some callers may feel. If you set down the rules and someone violates them, they should realize what will happen to them and not feel that they are being singled out for some reason.

Tip #5: (WC 4.0x and newer) Place your disclaimer in your QUESNEW (New User Questionnaire) file. By displaying this file and the all-important qualifying question "Do you agree to follow the rules" (or whatever is correct for your BBS) within the new caller questionnaire, you can politely "hang up" on the caller if they answer no. What makes this so great is that the caller is never logged into the BBS, and you don't have to worry about them! (If you'd like more info on specifically how to do this, please feel free to contact me!)

Tip #6: Use Wildcat!'s built-in fake number screening. When someone logs into your BBS using 111-111-1111 as their phone number, Wildcat! will send them a display file, then log them off. Wildcat! has this feature fairly well documented; however, if you'd like help in setting up the text file which contains the bogus phone numbers, just let me know.

Tip #7: Use Wildcat!'s built-in alias name filter. By requiring real names, you can effectively prevent callers using names like "master blaster" or "ghost rider" from calling your BBS. Wildcat! does an excellent job in this regard, and with a comprehensive filtering file, you'll deter most fake names from even logging in!

Tip #8: Always use Wildcat! BBS software.
It not only gives you and your callers the easiest BBS to use and operate, it also gives you the most secure BBS!

My goal with this hints file and the wcSECURE program is to give sysops an edge on the problem callers that are out there and that will try all sorts of things to cheat YOUR BBS. I hope this information is helpful, and if you'd like additional help with BBS security, feel free to contact me (the info is posted in the SYSOP.DOC file).

Joe Goeller has been a Wildcat! Sysop for 4 years, and has been a specialist in the area of digital security for nearly a decade.

(Wildcat! is a registered trademark of Mustang Software, Inc.)
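
The first-call screening described in Tips #3, #6 and #7, sketched as an added example (this is not wcSECURE's or Wildcat!'s own code). The nickname table, the bogus-number and alias word lists, the caller database and all function names are constructed for illustration.

```python
import re

# Constructed nickname table: each variant maps to one canonical first name.
NICKNAMES = {
    "rich": "richard", "rick": "richard", "dick": "richard",
    "bill": "william", "will": "william", "bob": "robert", "rob": "robert",
}
# Constructed screening lists (assumptions; not Wildcat!'s own file formats).
BOGUS_PHONES = {"1111111111", "1234567890"}
ALIAS_WORDS = {"master", "blaster", "ghost", "rider"}

def norm_phone(phone):
    """Keep digits only so 111-111-1111 and (111) 111 1111 compare equal."""
    return re.sub(r"\D", "", phone)

def norm_name(full_name):
    """Return (canonical first name, last name), lower-cased."""
    parts = full_name.lower().split()
    if not parts:
        return ("", "")
    return NICKNAMES.get(parts[0], parts[0]), parts[-1]

def screen_new_caller(name, phone, callers):
    """Return the reasons to hold a new registration for sysop review."""
    flags = []
    digits = norm_phone(phone)
    # Assumes 10-digit North American numbers, as in the 111-111-1111 example.
    if digits in BOGUS_PHONES or len(digits) != 10 or len(set(digits)) == 1:
        flags.append("bogus phone number")
    if any(word in ALIAS_WORDS for word in name.lower().split()):
        flags.append("alias-style name")
    for old_name, old_phone in callers:
        same_phone = norm_phone(old_phone) == digits
        same_person = norm_name(old_name) == norm_name(name)
        if same_phone or same_person:
            why = "phone" if same_phone else "name variant"
            flags.append(f"possible duplicate of {old_name} ({why})")
    return flags

# Constructed caller database for the demonstration.
CALLERS = [("Richard Example", "212-555-0143"), ("Ann Sample", "212-555-0178")]

if __name__ == "__main__":
    for who in [("Rick Example", "212-555-0199"), ("Ghost Rider", "111-111-1111")]:
        print(who[0], "->", screen_new_caller(*who, CALLERS) or "ok")
```

A flag here is a reason for the sysop to look closer, such as a voice verification call, since two real people can share a household phone number or a common name.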