[Opensim-dev] Questions about hypergrid

Cinder Roxley cinder at alchemyviewer.org
Mon Feb 20 18:17:35 UTC 2017


On February 20, 2017 at 11:35:17 AM, Mike Higgins (mike at kayaker.net) wrote:
> To summarize: before HG:
>
> 1. The home server has a copy of your inventory

The home grid is the authoritative source of your inventory, the viewer has a “copy”.

> 2. When you log on, the server downloads the inventory list (names & UUIDs) into your viewer

The viewer requests an inventory skeleton and the login service obliges. The skeleton contains categories (folders) and items (names, item uuid, asset id, flags, perms, sale info, etc)

> 3. When you rez an object, your viewer sends the name & UUID of the object to the server to put in the scene inventory of a region

Note, the asset id is not the same as the inventory id. There is no “scene inventory”. The region contains a list of objects and their coordinates and positions. These have their own unique ids. Textures, sounds, and animations are requested through the region and remain on the asset server, but are cached and sent by the region to the viewer.

> 4. When someone looks at the object, the server uses the UUID to fetch the object and all its parts from the asset server

The object remains on the region, not stored in the asset server; this is what allows you to manipulate and build (objects in the region are mutable, the asset service is not). When you take an object to inventory from the region, that’s when it is stored to the asset server.


> Then you HG to a foreign grid and rez an object on the ground.
>
> 1. Your viewer sends the name and UUID of the object to the server to put in the scene inventory of a region
> 2. The foreign server knows that you are a visitor and requests the object and all its parts from your home server
> 3. The object and all its parts are stored in a combination of cache and asset server, using their original UUIDs
> 4. When someone looks at the object, its parts are now available locally to send to viewers

> My questions this time are: Is my understanding correct? Is this the correct order? And the big question:
>
> The viewer has your inventory list (name/UUID pairs) and makes requests one at a time to rez these objects on the foreign grid. As far as I can see, the foreign grid does not have a copy of this list, so it cannot iterate through your inventory (be it full or My Suitcase) to request all your content. The only items the foreign server can see are the ones you drag out of inventory one at a time. Isn't this inherently secure?

No, this is not secure. Any inventory item you access is contained within a category, that category may be contained in another category down to the root inventory folder (My Inventory) which itself has a category key that a rogue grid can use to request the contents of, and recursively request more folders and items thereby building a copy of your inventory. It can then request every asset contained in your inventory. Furthermore, the region can just request the inventory for a particular agent and the home grid sends it without batting an eye which is leaps and bounds easier to do.

> Without a copy of your inventory list, there is no way to guess what UUIDs to request from your home server and no way to iterate over all possible UUIDs. Or is there some way that the foreign grid can request a copy of your inventory list? If not, then I don't see the My Suitcase folder making this inherently secure process any better. Why does the My Suitcase folder exist?

The My Suitcase folder exists just for that purpose. It is the only folder accessible for that particular agent by hypergrid services. The initial skeleton just fills in enough to not hammer the inventory service at login with too many requests, but you are receiving a copy and the viewer is not authoritative; it is requesting and updating the cache itself throughout the session. If the only time it requested your inventory was on login, you wouldn’t be able to see new or changed inventory. Given a sufficiently sophisticated attack, a rogue grid would be able to download the inventory of every agent it had the avatar uuid for without them ever setting foot on their grid. Technically, you don’t even need to be running a grid to do this, but it is highly unlikely someone would write a standalone tool to download inventories, especially with HG 2.0 restricting it to My Suitcase.

-- 
Cinder Roxley
Sent with Airmail
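
The restriction described in the reply above (hypergrid services may reach only My Suitcase) comes down to a subtree check on the home grid before any folder contents are returned. The following is an added illustration, not OpenSimulator code and not part of the original message; the `Folder` model, the function names and the sample ids are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Folder:
    folder_id: str
    parent_id: Optional[str]  # None marks the root ("My Inventory")
    name: str


def is_within_suitcase(folders: Dict[str, Folder], suitcase_id: str,
                       requested_id: str) -> bool:
    """True only if requested_id is the suitcase folder or one of its descendants."""
    seen = set()
    current: Optional[str] = requested_id
    while current is not None:
        if current == suitcase_id:
            return True
        if current in seen or current not in folders:
            return False  # parent loop or unknown folder: fail closed
        seen.add(current)
        current = folders[current].parent_id
    return False  # walked up to the root without meeting the suitcase


def foreign_folder_request(folders: Dict[str, Folder], suitcase_id: str,
                           requested_id: str) -> Optional[List[str]]:
    """Hypothetical home-grid handler for a folder request from a foreign grid."""
    if not is_within_suitcase(folders, suitcase_id, requested_id):
        return None  # denied: the folder lies outside My Suitcase
    return sorted(f.name for f in folders.values() if f.parent_id == requested_id)


# Constructed sample inventory tree (ids are placeholders, not real UUIDs).
SAMPLE = {f.folder_id: f for f in [
    Folder("root", None, "My Inventory"),
    Folder("objs", "root", "Objects"),
    Folder("suit", "root", "My Suitcase"),
    Folder("s-objs", "suit", "Objects"),
    Folder("s-cloth", "suit", "Clothing"),
    Folder("s-hats", "s-cloth", "Hats"),
    Folder("loop-a", "loop-b", "Loop A"),  # malformed parent chain
    Folder("loop-b", "loop-a", "Loop B"),
]}
```

A request that names the root folder or a sibling of the suitcase returns `None`, so walking upward from an item's parent category yields nothing outside the suitcase subtree.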