[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Wed Jan 13 18:52:16 UTC 2010

On 01/13/2010 01:57 AM, Anders Arnholm wrote:
> On Tue, Jan 12, 2010 at 11:45:25PM -0800, John Ward wrote:
>> Karen Palen wrote:
>>> Hmm, somehow your posts are coming with a really strange time stamp. I
>>> would guess that the local time zone on your machine is incorrect.
>>
>> No, just the clock off, and off by enough to keep NTP from updating it
>> automatically.
>>
>>> My central point remains that knowing the viewer ID string does nothing to
>>> prevent any such attack, this is simply one workaround.
>>
>> With all do respect the first of your claims I responded to had been that
>> using the ID string was worse then doing nothing.  Which is false.  Then you
>
> I agress usign the ID string is Worse that doing nothing, Karen is
> right. It's an actiuons that hurt the good guys more and make you think
> you did anything to the bad guy. You argue here it stop bad guys, if you
> think that you are wrong. If you keep arguing it stop's bad guy. You
> sort of prove it hurts your security becase you belive it helps you be
> safe.

If a grid operator only wants a particular viewer connected to their 
grid and you connect with an alternate are you a good guy or a bad guy? 
  I say you are a bad guy.  If blocking based on the ID string keeps you 
out I wanted you out anyway!  Keeping bad guys out as well as slowing 
them down definitionally improves security.  Does this make the system 
"secure" from bad guys and all attacks?  Nope, I don't recall anyone 
saying so.

>> went with it does NOTHING apart from "feelgood"!  Which is also false.  Now
>
> It doesn't to anythign on identifying what software is running remote,
> in fact what software is running remote you can't determin.

Really, do all clients send bad ID strings?  I did not know that.  I 
appear to be under the mistaken impression that clients generally use 
that ID string to identify themselves.  Are you who you say you are? 
Can I determine if that's really you and not someone else?  Is it OK to 
accept that you are who you say because you have said so?

Mailing lists commonly require one to be a member to post to the list. 
Why?  I can spoof any email address.  That's not secure.  I guess we 
should stop because we wouldn't want anyone to falsely feel safe. :-)

>> its it does nothing to prevent an attack.  I mostly agree with that.  What it
>> does do is limit a viewer based on how it identifies itself which is something
> What it does is chaning the protocol for connecting a little making your
> grid not compatible with the other grids. This limitation in your grid
> may stop some users, it will most probably keep all evlite users out as
> your grid will not contain anything they think is worth this
> inconvienience.

I support you choosing what grids you connect to.  I also support a grid 
operator making decisions about their grid.