[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Kyle Hamilton aerowolf at gmail.com
Tue Jan 12 21:37:16 UTC 2010


Security through obscurity is no security at all.  If you're relying
on people not figuring it out, people *will* figure it out.

</experience of security expert for many years>

-Kyle H

On Tue, Jan 12, 2010 at 1:34 PM, Imago <imagorabbit at gmail.com> wrote:
> But really... How many people who aren't really looking for this info are
> going to find it. ;) Nubs aren't going to know where to look. But blocking
> by string probably wouldn't be the best, but it would work for dumb people.
> ;)
>
> ----- Original Message -----
> From: "Frisby, Adam" <adam at deepthink.com.au>
> To: <opensim-users at lists.berlios.de>; <diva at metaverseink.com>
> Sent: Tuesday, January 12, 2010 3:25 PM
> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>
>
>> While I hate to rain on anyone's parade - but you can use the "-channel"
>> commandline switch to edit the version string to whatever you want. I
>> really wouldn't rely on it.
>>
>> Adam
>>
>>> -----Original Message-----
>>> From: opensim-users-bounces at lists.berlios.de [mailto:opensim-users-
>>> bounces at lists.berlios.de] On Behalf Of Imago
>>> Sent: Tuesday, 12 January 2010 9:34 AM
>>> To: diva at metaverseink.com; opensim-users at lists.berlios.de
>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>>> done?
>>>
>>> Thanks, I've been looking over the code, and yeah, I know people could.
>>> But really how many regular joes out there would be interested enough to
>>> download, compile, and play with the code. *laughs* I don't think there's
>>> many, because a lot of them would much rather have instant gratification
>>> rather than having to work for it.
>>>
>>> But in my opinion even fragile filtering is better than none at all.
>>> Because while some could get in, the population en masse wouldn't be able
>>> to.
>>>
>>> ----- Original Message -----
>>> From: <diva at metaverseink.com>
>>> To: <opensim-users at lists.berlios.de>
>>> Sent: Tuesday, January 12, 2010 8:15 AM
>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>>> done?
>>>
>>>
>>> > As Teravus said, the LL viewer sends a string identifying itself and a
>>> > version. In the new login procedure that is captured by the
>>> > LLLoginHandlers as
>>> >   if (requestData.Contains("version"))
>>> >     clientVersion = requestData["version"].ToString();
>>> >
>>> > Right now we're not doing anything interesting with this information.
>>> > When this refactoring makes it to the master branch, people can replace
>>> > / augment the existing LLLoginHandlers to do other things including
>>> > filtering logins according to this field.
>>> >
>>> > But as others said here, this is a very fragile filtering, as any viewer
>>> > can send that field saying that it's an LL viewer.
>>> >
>>> > Imago wrote:
>>> >> Ah! Thank you. I did read something on the subject, but then suffered a
>>> >> hard drive death and it wiped out any settings I had. :( Google comes up
>>> >> with way too much junk when you look for stuff as well as Mantis stuff
>>> >> and Jiras. I will check into this. So, now I know it is possible. :D Now,
>>> >> it's just finding a way to do it. *shrugs and laughs* If it keeps a few
>>> >> kids out then that's fine. I'd rather have fun than to have to police my
>>> >> console for logins. :D
>>> >>
>>> >> ----- Original Message -----
>>> >> From: "Teravus Ovares" <teravus at gmail.com>
>>> >> To: <opensim-users at lists.berlios.de>
>>> >> Sent: Monday, January 11, 2010 11:56 PM
>>> >> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this
>>> be
>>> >> done?
>>> >>
>>> >>
>>> >>> The viewer information is sent when the viewer logs in. If you
>>> >>> check the viewer channel version string when the viewer logs in, you
>>> >>> can deny based on a string match. That's the easy (and least
>>> >>> effective) way to lock only specific viewers.
>>> >>>
>>> >>> I believe that diva and Melanie_T were the last to work on these
>>> >>> areas.. so they would probably be able to tell you where to check
>>> >>> 'best'.
>>> >>>
>>> >>> One thing to note, however, is..
>>> >>>
>>> >>> The viewer logs into the 'user service' by sending an XMLRPC request
>>> >>> to the HTTP Service with the login_to_simulator method. It's at
>>> >>> this time that the 'viewer channel string' should be checked.
>>> >>>
>>> >>> Teravus
>>> >>>
>>> >>> On Tue, Jan 12, 2010 at 12:34 AM, Imago <imagorabbit at gmail.com> wrote:
>>> >>>> Mostly I want this because of peace of mind, but also because I am
>>> >>>> considering compiling a viewer on Hippo code that will have a different
>>> >>>> channel code altogether that I will probably use for the sim. If I can
>>> >>>> lock off viewers that don't have my exact channel or code then I can be
>>> >>>> sure only official viewers can get in. Right now the sim is only for
>>> >>>> friends but if I open it up to more I wouldn't want idiots coming in and
>>> >>>> mucking about the place. Which is why I was asking. I know that some
>>> >>>> opensim *shaking head* I wish I could remember who and where banned
>>> >>>> certain viewers from logging in. I'm not sure how she/he did it, though,
>>> >>>> but it got me curious as to how it's done. That and I wouldn't really
>>> >>>> want someone using something like Cryo or even Meerkat, but as you
>>> >>>> said... They probably all have the same default code. But if I put in
>>> >>>> another code and compiled it off of hippo or Linden's viewer I could put
>>> >>>> in my own channel and have others not able to enter. I like security and
>>> >>>> peace of mind, but security in this day and age is a myth. (Like those
>>> >>>> stupid broadcasting things that were supposed to stop copybot.)
>>> >>>>
>>> >>>> But I was just curious if anyone had done it or heard of it. I want to
>>> >>>> say openlifegrid did it, but I can't remember so I don't want to say for
>>> >>>> sure until I find it again. (computer crashes suck.)
>>> >>>> ----- Original Message -----
>>> >>>> From: "Karen Palen" <karen_palen at yahoo.com>
>>> >>>> To: <opensim-users at lists.berlios.de>
>>> >>>> Sent: Monday, January 11, 2010 11:24 PM
>>> >>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can
>>> this be
>>> >>>> done?
>>> >>>>
>>> >>>>
>>> >>>>> As I think of it the answer is the same.
>>> >>>>>
>>> >>>>> The Linden Labs viewer does send an identification and version number,
>>> >>>>> but that really does very little. Almost every viewer out there is
>>> >>>>> based on the current LL viewer and many people don't bother changing
>>> >>>>> this code for their experimental versions.
>>> >>>>>
>>> >>>>> For example I just checked and I have a customised LL viewer where the
>>> >>>>> only change is that it will log on to my private sim by default. The ID
>>> >>>>> codes are identical to the original since I never bothered to change
>>> >>>>> them.
>>> >>>>>
>>> >>>>> I use it to make sure that my private sim will run OK with the
>>> >>>>> "official" viewer.
>>> >>>>>
>>> >>>>> I am not really sure why you would want that restriction though. Should
>>> >>>>> I be considering that for my sim? Have I missed something here?
>>> >>>>>
>>> >>>>> Sorry.
>>> >>>>>
>>> >>>>> Karen
>>> >>>>>
>>> >>>>> --- On Mon, 1/11/10, Imago <imagorabbit at gmail.com> wrote:
>>> >>>>>
>>> >>>>>> From: Imago <imagorabbit at gmail.com>
>>> >>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can
>>> this
>>> >>>>>> be
>>> >>>>>> done?
>>> >>>>>> To: opensim-users at lists.berlios.de
>>> >>>>>> Date: Monday, January 11, 2010, 10:05 PM
>>> >>>>>> I don't think anyone is understanding. :D It's not just Cryo. I want
>>> >>>>>> only Linden Lab viewers to be able to login. I've seen it done on
>>> >>>>>> other opensims. I know people can get around that. But the point
>>> >>>>>> is... Not everyone is a coder. So, while they could compile and make
>>> >>>>>> it look like a Linden Lab viewer then so be it. I just want to know if
>>> >>>>>> there's a mod or string that I can put in to opensim to see what
>>> >>>>>> channel the viewer is sending, and if it's not the right one then to
>>> >>>>>> display an error message that would tell them to download an official
>>> >>>>>> release in order to login.
>>> >>>>>>
>>> >>>>>> Maybe I should have chosen my words better. Mentioning Cryo is like
>>> >>>>>> mentioning copybot, and responses only seem to be based on theft and
>>> >>>>>> copy protection. I just want to know if there's a string to block a
>>> >>>>>> viewer. I know people have done it I just can't remember what opensim
>>> >>>>>> I saw it done on. I also know that if I had Cryo source code I could
>>> >>>>>> compile and make it look like a Second Life release viewer. But not
>>> >>>>>> everyone is a hacker or a coder or both. Most people don't know how or
>>> >>>>>> can't compile a viewer or are too lazy to. So, they go look for one,
>>> >>>>>> and that's the basis for my thinking most thieves are too lazy to try
>>> >>>>>> to figure out a way and will move on to the next target.
>>> >>>>>>
>>> >>>>>> So, the question I'm asking is:
>>> >>>>>> Is there a way for OpenSim to check a viewer string and allow or
>>> >>>>>> disallow based on that, and if so please let me know where that code
>>> >>>>>> is, and if not... Then I'll be burning the midnight oil again coding
>>> >>>>>> one up.
>>> >>>>>>
>>> >>>>>> ----- Original Message -----
>>> >>>>>> From: "Karen Palen" <karen_palen at yahoo.com>
>>> >>>>>> To: <opensim-users at lists.berlios.de>
>>> >>>>>> Sent: Monday, January 11, 2010 10:44 PM
>>> >>>>>> Subject: [Opensim-users] Banning "bad" viewers was Re: Can
>>> >>>>>> this be done?
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>> The short answer is no.
>>> >>>>>>>
>>> >>>>>>> The more complete answer is that while you can easily detect some
>>> >>>>>>> characteristic of a viewer (or other software) which identifies that
>>> >>>>>>> viewer and use that to ban it, nothing can stop the authors of that
>>> >>>>>>> viewer from changing whatever characteristic you use.
>>> >>>>>>>
>>> >>>>>>> Worse yet, whatever characteristic you select to identify the "bad"
>>> >>>>>>> software will inevitably turn up in some other (innocent) viewer
>>> >>>>>>> sooner or later and will cause them to be banned for no reason.
>>> >>>>>>>
>>> >>>>>>> The best you could hope to achieve is some sort of "arms race"
>>> >>>>>>> between "bad" viewer creators and sim operators.
>>> >>>>>>>
>>> >>>>>>> In addition any viewer could be adapted for piracy. The original
>>> >>>>>>> experiments that resulted in libsecondlife/openMetaverse were based
>>> >>>>>>> on analysing the data stream between the Second Life Servers and the
>>> >>>>>>> viewer software (at the time ONLY the Linden Labs viewer) and had
>>> >>>>>>> access to all of that information. This was all done without
>>> >>>>>>> modifying the viewer in any way - it was proprietary at the time.
>>> >>>>>>>
>>> >>>>>>> Sadly the lesson of the endless failures of DRM schemes elsewhere
>>> >>>>>>> shows that the real losers are the honest/innocent users who are
>>> >>>>>>> unable to do the things that they really should expect to do with
>>> >>>>>>> the content that they have purchased.
>>> >>>>>>>
>>> >>>>>>> For example, I have completely stopped buying anything in Second
>>> >>>>>>> Life since I want to use the inventory I buy in my private sims as
>>> >>>>>>> well. Sure I can use pirate tools to do this, but if I have to do
>>> >>>>>>> that to use my purchases where I want to use them then why not just
>>> >>>>>>> steal the stuff in the first place?
>>> >>>>>>>
>>> >>>>>>> This is very similar to the situation with music CDs and DVDs, why
>>> >>>>>>> build an expensive collection if you will just have to re-purchase
>>> >>>>>>> it in a few years for the next technology and some DRM scheme tries
>>> >>>>>>> to keep me from playing my collection on the new equipment?
>>> >>>>>>>
>>> >>>>>>> There are several efforts being directed at some sort of "portable"
>>> >>>>>>> content. I hope that one or more actually proves to work, but I have
>>> >>>>>>> no illusions about that actually happening any time soon.
>>> >>>>>>>
>>> >>>>>>> My opinion is that the best we can do at present is similar to the
>>> >>>>>>> real life piracy situation: stop the commercial marketing of pirated
>>> >>>>>>> merchandise as it is detected and reported. Ban anyone who engages
>>> >>>>>>> in such activities and if they persist bring real world law
>>> >>>>>>> enforcement to bear.
>>> >>>>>>>
>>> >>>>>>> For once Linden Labs seems to be using a reasonable version of this
>>> >>>>>>> when they state that the viewer is not the problem, it is the use of
>>> >>>>>>> the viewer. They have promised to act promptly to ban anyone using
>>> >>>>>>> any viewer for piracy.
>>> >>>>>>>
>>> >>>>>>> Karen
>>> >>>>>>>
>>> >>>>>>> --- On Mon, 1/11/10, Imago <imagorabbit at gmail.com> wrote:
>>> >>>>>>>> Is it possible to stop certain viewers from logging in to your
>>> >>>>>>>> opensim? Like Cryo?
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>>
>>> >>>>>>> _______________________________________________
>>> >>>>>>> Opensim-users mailing list
>>> >>>>>>> Opensim-users at lists.berlios.de
>>> >>>>>>> https://lists.berlios.de/mailman/listinfo/opensim-users
>
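
Added example (not part of the original thread and not OpenSim code): the string-match check that Teravus and diva describe, written in Python and run against constructed login_to_simulator request bodies. Only the "version" field and the method name come from the thread; the allow-list value, the sample names and both function names are assumptions.

```python
import xmlrpc.client

# Constructed policy value, not taken from the thread.
ALLOWED_VERSION_PREFIXES = ("Second Life Release",)


def build_login_request(first, last, version=None):
    """Constructed sample of the XML-RPC body a viewer posts at login."""
    params = {"first": first, "last": last}
    if version is not None:
        params["version"] = version  # client-chosen text, nothing more
    return xmlrpc.client.dumps((params,), methodname="login_to_simulator")


def check_viewer_string(xml_body, allowed=ALLOWED_VERSION_PREFIXES):
    """Server-side string match on the self-reported version field.

    Returns (allow, claimed_version, reason). The result is a policy hint
    only: the field is never verified, so it cannot authenticate a viewer.
    """
    # Note: xmlrpc.client is not hardened against hostile XML; it is used
    # here only on the constructed samples above.
    try:
        params, method = xmlrpc.client.loads(xml_body)
    except Exception:
        return (False, None, "malformed request")
    if method != "login_to_simulator" or not params or not isinstance(params[0], dict):
        return (False, None, "not a login request")
    claimed = params[0].get("version")
    if not isinstance(claimed, str) or not claimed.strip():
        # A missing field is a policy decision; here it is denied.
        return (False, None, "no version string sent")
    claimed = claimed.strip()
    if claimed.startswith(tuple(allowed)):
        return (True, claimed, "string matched allow list (unverified claim)")
    return (False, claimed, "please log in with an official release")
```

The server only ever sees the text the client chose to send, so the result is worth logging next to the account name as a hint, and access decisions that matter still belong on the account itself.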


