[Opensim-users] Banning "bad" viewers was Re: Can this be done?

[Karen Palen]

--- On Tue, 1/12/10, Adelle Fitzgerald <Adelle at DreamTechnologies.co.uk> wrote:

> The only way to stop 'bad'
> viewers is to create an iron mountain, which OpenSim is far
> far off being and until it has its own proprietary viewer, will
> probably stay that way (though ANY open source client poses a constant
> security threat to OpenSim, as does any open source simulator to the
> client).

OpenSim is not very secure because it is not designed to be an "iron mountain" and because it is still very much under development.

I take issue with the notion that open source viewers (or anything open source software) is inherently insecure however.

Probably the best example is to compare the Apache open source web servers with the Microsoft proprietary based servers. They have about an equal share of the market, yet almost all of the real life exploits and ALL of the successful virus/malware attacks happen on the Microsoft based system!

The same dichotomy carries over into the desktop versions of Linux and Windows although the market shares are different enough to provide some sort of explanation, at least in theory. In practice though one Windows virus/worm (Confliker) is currently infecting over 5 million machines while there are ZERO successful Linux viruses/worms. There have been some hilarious attempts though.

I am not trying to introduce the eternal "fanboy" flamewar here, but only to point out that OpenSource is far from insecure! Before I get 10K email flames about how Windows can be "secured" or some such, point out a successful virus or malware attack on either Linux or MAC OS.

I don't count "social engineering" of tricking someone into installing software that contains a "backdoor" or something - that is not a system problem but a user problem! As far as I know the most successful of even these only managed about 800 infections on MAC OSX.

> The best course of action, IMHO, is to backup. 

THAT is something we all agree about!

> If people are
> concerned about having their objects/assets stolen by
> people using 'bad'viewers then there really isn't a lot you 
> can do at the present time,
> except only invite people who you trust to your sims. On that note
> anyone trying to make money from selling objects/assets when connected
> to an open grid (i.e. not a walled garden) using OpenSim
> should be prepared for the worst, if they really are worth stealing,
> and that is something that plagues the Linden grid still to this day.

I will be so bold as to predict this this is not solvable problem in the general sense! If only because so much information must be passed to the viewer in order for the viewer to operate.

The only requirement is for curious people and lots of CPU time - both of which are very readily available commodities!

Things like the "0-day" software and the "pre-release" videos show how ineffective even trusted user lists can be.

I doubt is the virtual worlds can expect to do significantly better than the real world despite the passionate claims of "true believers" with a "real solution" to sell you (AKA "genuine Snake Oil").

It should be possible to stop the selling of pirated goods although even this will not happen without effort and commitment. There are numerous issues even here concerning "fair use" and "perceived value" which must be solved for any scheme to be effective.

For example the problem for the SL vendors is that the value of their products to me as a buyer is very low because I cannot (easily) use those products on my own private sim. As a result I am not presently buying anything in SL, but a year ago I was spending L$20K/month! I suspect that is true for quite a few former customers.

Usage permissions are only a part of that problem BTW, there really is no effective backup/transfer or ALL my SL inventory (Animations, scripts, gestures, etc.) even if I have full perms or have made it all myself.

THAT is reality.

Karen