[Opensim-dev] DNCH (Re: User Authentication)
Stefan Andersson
stefan at tribalmedia.se
Wed Feb 25 21:39:31 UTC 2009
Hooray for Diva. I have considered blackhatting myself to give ourselves a wakeup call. (I blogged about this)
Best regards,
Stefan Andersson
Tribal Media AB
> Date: Wed, 25 Feb 2009 13:32:11 -0800
> From: diva at metaverseink.com
> To: opensim-dev at lists.berlios.de
> Subject: [Opensim-dev] DNCH (Re: User Authentication)
>
> People tend to be trusting and oblivious, which is great. And in fact,
> sh*&t only happens very seldom, statistically speaking. However, it's
> not great that people make plans, sometimes involving large amounts of
> money/time, under obliviousness with respect to security. We're getting
> close to 0.7, which is always a milestone in every project. 0.7 should
> not ignore security completely, even if we are stuck with a client that
> wasn't designed for open systems.
>
> Being involved in the details of OpenSim, I feel a tension between not
> talking about security problems so as not to scare people away and not to
> attract griefers; and talking about those problems because they are
> there and people should be informed about them so that they can take
> them into consideration when making plans, while we improve things on
> our end.
>
> So, in order to make these problems visible and tangible, and give
> everybody a reality check, I just hooked up a sim to OSGrid that will
> make bad things happen. Right now, it wipes out the inventory of anyone
> who visits. Don't worry, it waits for your command, so it's not so
> violent :-) The sim is called "DO NOT COME HERE" (DNCH). You can find
> it in the map.
> WARNING: don't do this with your beloved main account(s), just make an
> alt if you want to experience the complete disappearance of inventory
> from under you.
>
> As we roll security into OpenSim, whatever bad things the DNCH sim is
> doing should not happen anymore. So, see it as a test for security, and
> that's how I will be using it. The very first thing we need to fix is
> this inventory vulnerability in open grids. Please know that it exists,
> and be sure that it will be fixed properly(*).
>
> Crista
>
> * By "properly" I mean without having to involve lawyers and sign
> contracts between region/grid operators.
>