[Opensim-dev] DNCH (Re: User Authentication)
Diva Canto
diva at metaverseink.com
Wed Feb 25 21:32:11 UTC 2009

People tend to be trusting and oblivious, which is great. And in fact,
sh*&t only happens very seldom, statistically speaking. However, it's
not great that people make plans, sometimes involving large amounts of
money/time, under obliviousness with respect to security. We're getting
close to 0.7, which is always a milestone in every project. 0.7 should
not ignore security completely, even if we are stuck with a client that
wasn't designed for open systems.

Being involved in the details of OpenSim, I feel a tension between not
talking about security problems so as not to scare people away and not to
attract griefers; and talking about those problems because they are
there and people should be informed about them so that they can take
them into consideration when making plans, while we improve things on
our end.

So, in order to make these problems visible and tangible, and give
everybody a reality check, I just hooked up a sim to OSGrid that will
make bad things happen. Right now, it wipes out the inventory of anyone
who visits. Don't worry, it waits for your command, so it's not so
violent :-) The sim is called "DO NOT COME HERE" (DNCH). You can find
it in the map.

WARNING: don't do this with your beloved main account(s), just make an
alt if you want to experience the complete disappearance of inventory
from under you.

As we roll security into OpenSim, whatever bad things the DNCH sim is
doing should not happen anymore. So, see it as a test for security, and
that's how I will be using it. The very first thing we need to fix is
this inventory vulnerability in open grids. Please know that it exists,
and be sure that it will be fixed properly(*).

Crista

* By "properly" I mean without having to involve lawyers and sign
contracts between region/grid operators.