[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Adelle Fitzgerald Adelle at DreamTechnologies.co.uk
Wed Jan 13 18:35:02 UTC 2010


I think you missed my point with regard to open source insecurities (or
maybe I didn't explain correctly). I am not saying that open source
software is insecure as you have pointed out a good example with Apache.
What I was trying to say is that if you have an open source viewer that
poses a risk to the sim, be it open source or not (such as SL) as the
viewer can easily be modified to attack/circumvent security much easier
than a closed source viewer could. Also a user of an open source sim
could easily modify that to attack/circumvent security on a viewer, be
it open or closed source. Where a user has either an open source client
or host it creates the possibility for someone to modify easily for
'bad' purposes, just as we are seeing on the Linden grid now with
modified viewers. The rest I pretty much agree with.

Adelle

-----Original Message-----
From: opensim-users-bounces at lists.berlios.de
[mailto:opensim-users-bounces at lists.berlios.de] On Behalf Of Karen Palen
Sent: 13 January 2010 05:33
To: opensim-users at lists.berlios.de
Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
done?

--- On Tue, 1/12/10, Adelle Fitzgerald <Adelle at DreamTechnologies.co.uk>
wrote:

> The only way to stop 'bad'
> viewers is to create an iron mountain, which OpenSim is far
> far off being and until it has its own proprietary viewer, will
> probably stay that way (though ANY open source client poses a constant
> security threat to OpenSim, as does any open source simulator to the
> client).

OpenSim is not very secure because it is not designed to be an "iron
mountain" and because it is still very much under development.

I take issue with the notion that open source viewers (or any open
source software) are inherently insecure however.

Probably the best example is to compare the Apache open source web
servers with the Microsoft proprietary based servers. They have about an
equal share of the market, yet almost all of the real life exploits and
ALL of the successful virus/malware attacks happen on the Microsoft
based system!

The same dichotomy carries over into the desktop versions of Linux and
Windows although the market shares are different enough to provide some
sort of explanation, at least in theory. In practice though one Windows
virus/worm (Conficker) is currently infecting over 5 million machines
while there are ZERO successful Linux viruses/worms. There have been
some hilarious attempts though.

I am not trying to introduce the eternal "fanboy" flamewar here, but
only to point out that OpenSource is far from insecure! Before I get 10K
email flames about how Windows can be "secured" or some such, point out
a successful virus or malware attack on either Linux or Mac OS.

I don't count "social engineering" of tricking someone into installing
software that contains a "backdoor" or something - that is not a system
problem but a user problem! As far as I know the most successful of even
these only managed about 800 infections on Mac OS X.

> The best course of action, IMHO, is to backup. 

THAT is something we all agree about!

> If people are
> concerned about having their objects/assets stolen by
> people using 'bad' viewers then there really isn't a lot you
> can do at the present time,
> except only invite people who you trust to your sims. On that note
> anyone trying to make money from selling objects/assets when connected
> to an open grid (i.e. not a walled garden) using OpenSim
> should be prepared for the worst, if they really are worth stealing,
> and that is something that plagues the Linden grid still to this day.

I will be so bold as to predict that this is not a solvable problem in the
general sense! If only because so much information must be passed to the
viewer in order for the viewer to operate.

The only requirement is for curious people and lots of CPU time - both
of which are very readily available commodities!

Things like the "0-day" software and the "pre-release" videos show how
ineffective even trusted user lists can be.

I doubt if the virtual worlds can expect to do significantly better than
the real world despite the passionate claims of "true believers" with a
"real solution" to sell you (AKA "genuine Snake Oil").

It should be possible to stop the selling of pirated goods although even
this will not happen without effort and commitment. There are numerous
issues even here concerning "fair use" and "perceived value" which must
be solved for any scheme to be effective.

For example the problem for the SL vendors is that the value of their
products to me as a buyer is very low because I cannot (easily) use
those products on my own private sim. As a result I am not presently
buying anything in SL, but a year ago I was spending L$20K/month! I
suspect that is true for quite a few former customers.

Usage permissions are only a part of that problem BTW, there really is
no effective backup/transfer of ALL my SL inventory (Animations,
scripts, gestures, etc.) even if I have full perms or have made it all
myself.

THAT is reality.

Karen




      