[Opensim-dev] DNCH (Re: User Authentication)

Diva Canto diva at metaverseink.com
Wed Feb 25 21:32:11 UTC 2009


People tend to be trusting and oblivious, which is great. And in fact, 
sh*&t only happens very seldom, statistically speaking. However, it's 
not great that people make plans, sometimes involving large amounts of 
money/time, under obliviousness with respect to security. We're getting 
close to 0.7, which is always a milestone in every project. 0.7 should 
not ignore security completely, even if we are stuck with a client that 
wasn't designed for open systems.

Being involved in the details of OpenSim, I feel a tension between not 
talking about security problems so as not to scare people away and not to 
attract griefers; and talking about those problems because they are 
there and people should be informed about them so that they can take 
them into consideration when making plans, while we improve things on 
our end.

So, in order to make these problems visible and tangible, and give 
everybody a reality check, I just hooked up a sim to OSGrid that will 
make bad things happen. Right now, it wipes out the inventory of anyone 
who visits. Don't worry, it waits for your command, so it's not so 
violent :-)  The sim is called "DO NOT COME HERE" (DNCH). You can find 
it in the map.
WARNING: don't do this with your beloved main account(s), just make an 
alt if you want to experience the complete disappearance of inventory 
from under you.

As we roll security into OpenSim, whatever bad things the DNCH sim is 
doing should not happen anymore. So, see it as a test for security, and 
that's how I will be using it. The very first thing we need to fix is 
this inventory vulnerability in open grids. Please know that it exists, 
and be sure that it will be fixed properly(*).

Crista

* By "properly" I mean without having to involve lawyers and sign 
contracts between region/grid operators.



