[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Karen Palen karen_palen at yahoo.com
Wed Jan 13 19:09:03 UTC 2010


That is the traditional argument about the security of open source software.

In practice what happens is that vulnerabilities and exploits get found much faster because they are found and evaluated at a much earlier stage.

Mozilla used to have a great explanation of this on their website about FireFox 2 and IE 6 - it has been removed, likely because both products are now obsolete.

They tracked typical exploits and how they got fixed, FF2 took about 9 days and IE 6 over 270 days. In part this was due to Microsoft's reluctance to change a stable product. More germane was the observation that someone testing the Open Source who found something suspicious would likely look at the source code if only to evaluate the seriousness of the problem. An ethical researcher would include this information with the bug report and greatly speed up the process of fixing the problem.

I see no reason why this process should not apply to a 3d viewer in much the same way as a web browser.

Karen

--- On Wed, 1/13/10, Adelle Fitzgerald <Adelle at DreamTechnologies.co.uk> wrote:

> From: Adelle Fitzgerald <Adelle at DreamTechnologies.co.uk>
> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
> To: opensim-users at lists.berlios.de
> Date: Wednesday, January 13, 2010, 11:35 AM
> I think you missed my point with regard to open source insecurities (or maybe I didn't explain correctly). I am not saying that open source software is insecure as you have pointed out a good example with Apache. What I was trying to say is that if you have an open source viewer that poses a risk to the sim, be it open source or not (such as SL) as the viewer can easily be modified to attack/circumvent security much easier than a closed source viewer could. Also a user of an open source sim could easily modify that to attack/circumvent security on a viewer, be it open or closed source. Where a user has either an open source client or host it creates the possibility for someone to modify easily for 'bad' purposes, just as we are seeing on the Linden grid now with modified viewers. The rest I pretty much agree with.
> 
> Adelle
> 
> -----Original Message-----
> From: opensim-users-bounces at lists.berlios.de [mailto:opensim-users-bounces at lists.berlios.de] On Behalf Of Karen Palen
> Sent: 13 January 2010 05:33
> To: opensim-users at lists.berlios.de
> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
> 
> --- On Tue, 1/12/10, Adelle Fitzgerald <Adelle at DreamTechnologies.co.uk> wrote:
> 
> > The only way to stop 'bad' viewers is to create an iron mountain, which OpenSim is far far off being and until it has its own proprietary viewer, will probably stay that way (though ANY open source client poses a constant security threat to OpenSim, as does any open source simulator to the client).
> 
> OpenSim is not very secure because it is not designed to be an "iron mountain" and because it is still very much under development.
> 
> I take issue with the notion that open source viewers (or anything open source software) is inherently insecure however.
> 
> Probably the best example is to compare the Apache open source web servers with the Microsoft proprietary based servers. They have about an equal share of the market, yet almost all of the real life exploits and ALL of the successful virus/malware attacks happen on the Microsoft based system!
> 
> The same dichotomy carries over into the desktop versions of Linux and Windows although the market shares are different enough to provide some sort of explanation, at least in theory. In practice though one Windows virus/worm (Conficker) is currently infecting over 5 million machines while there are ZERO successful Linux viruses/worms. There have been some hilarious attempts though.
> 
> I am not trying to introduce the eternal "fanboy" flamewar here, but only to point out that OpenSource is far from insecure! Before I get 10K email flames about how Windows can be "secured" or some such, point out a successful virus or malware attack on either Linux or MAC OS.
> 
> I don't count "social engineering" of tricking someone into installing software that contains a "backdoor" or something - that is not a system problem but a user problem! As far as I know the most successful of even these only managed about 800 infections on MAC OSX.
> 
> > The best course of action, IMHO, is to backup. 
> 
> THAT is something we all agree about!
> 
> > If people are concerned about having their objects/assets stolen by people using 'bad' viewers then there really isn't a lot you can do at the present time, except only invite people who you trust to your sims. On that note anyone trying to make money from selling objects/assets when connected to an open grid (i.e. not a walled garden) using OpenSim should be prepared for the worst, if they really are worth stealing, and that is something that plagues the Linden grid still to this day.
> 
> I will be so bold as to predict that this is not a solvable problem in the general sense! If only because so much information must be passed to the viewer in order for the viewer to operate.
> 
> The only requirement is for curious people and lots of CPU time - both of which are very readily available commodities!
> 
> Things like the "0-day" software and the "pre-release" videos show how ineffective even trusted user lists can be.
> 
> I doubt if the virtual worlds can expect to do significantly better than the real world despite the passionate claims of "true believers" with a "real solution" to sell you (AKA "genuine Snake Oil").
> 
> It should be possible to stop the selling of pirated goods although even this will not happen without effort and commitment. There are numerous issues even here concerning "fair use" and "perceived value" which must be solved for any scheme to be effective.
> 
> For example the problem for the SL vendors is that the value of their products to me as a buyer is very low because I cannot (easily) use those products on my own private sim. As a result I am not presently buying anything in SL, but a year ago I was spending L$20K/month! I suspect that is true for quite a few former customers.
> 
> Usage permissions are only a part of that problem BTW, there really is no effective backup/transfer of ALL my SL inventory (Animations, scripts, gestures, etc.) even if I have full perms or have made it all myself.
> 
> THAT is reality.
> 
> Karen
> 
> 
> 
> 
>       
> _______________________________________________
> Opensim-users mailing list
> Opensim-users at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-users