[Opensim-users] Banning "bad" viewers was Re: Can this be done?

John Ward jward at uci.edu
Wed Jan 13 19:42:12 UTC 2010


On 01/13/2010 10:58 AM, Karen Palen wrote:
>
>
> --- On Wed, 1/13/10, John Ward<jward at uci.edu>  wrote:
>
>> From: John Ward<jward at uci.edu>
>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>> To: opensim-users at lists.berlios.de
>> Cc: "Karen Palen"<karen_palen at yahoo.com>
>> Date: Wednesday, January 13, 2010, 10:06 AM
>>
>>
>> On 01/13/2010 12:18 AM, Karen Palen wrote:
>>> I suppose the way to disprove this would be to compile a version of
>>> the "genuine" Linden Labs viewer with all content checking disabled
>>> and the capability to do some sort of nastiness then distribute it to
>>> all the script kiddies somehow.
>>
>> What would this prove?  I think it would prove that one would have
>> to use a client that identifies itself with a blessed ID.
>
> It would be the equivalent of some crook who sells defective fire
> extinguishers at a flea market.
>
> Whatever evil characteristics you consider to be equivalent to a
> defective fire extinguisher can be included in such a "viewer". This
> serves to counter the argument about "script kiddies" not being able
> to do this.

You didn't answer my questions, and I have no idea what you are saying.

>
>>> I am sure there are people out there who will do (or have done)
>>> exactly that, but it will not be me even to prove a point. A quick
>>> look at the code says it should be about a half day's work, less if I
>>> reverse engineered some version of copybot.
>>
>> You must have lots of spare time to call a half day's work
>> NOTHING.
>
> Well I HAVE been retired for many years now LOL
>
> In fact it is a matter of priorities, however there are certainly
> plenty of people out there who WILL spend this time.
>
> One datum point is to check something like "Windows 7" on Pirate Bay,
> this morning there were over 900 in the search results. Checking the
> more popular looking ones shows that someone is spending a huge
> amount of time and effort cracking and repackaging the software for
> any "script kiddie" who cares to download one.
>
> I would be very surprised if there were NOT something out there that
> pretends to be the LL viewer in fact.
>
> Changing the ID string takes some effort on the part of the coder and
> it is hardly something that someone who is trying to produce a "bad"
> version will care about.

I understand that checking an ID string can be defeated.  That has never 
been my point.  You point out that it takes some effort to change the 
string.  That very effort is an impediment.  Slowing down the bad guys 
can be very worthwhile!  It's not lost on me that slowing down the good 
guys may make it a poor choice.  Some methods are not worth the trouble.
Repeatedly saying it's nothing only shows you do not understand my point.

>>> In my estimation that makes the illusion that checking the ID exactly
>>> equivalent to the illusion presented by a dummy fire extinguisher. We
>>> just have not (yet) identified which "genuine LL viewer" is
>>> really the fake!
>>
>> The broken analogy again....  What fire does a dummy fire
>> extinguisher put out?  Blocking based on ID will block any client
>> with the wrong ID.
>
> Which accomplishes exactly what? NOTHING!

If you wanted to block a client with certain ID how would you do it? 
Would you do NOTHING or would you check the ID string?

>
>> It will let any client in with a correct ID even an undesirable
>> one.
>
> Which makes the check essentially useless as a security tool.

That assumes keeping out all bad guys is the only measure of a security 
tool.  This is plain wrong.  We do things that slow down bad guys and 
often the good guys too.  We often do things that only provide partial 
protection.  That's how security gets provided in practice.

>> I find it painfully amusing that on one hand you call this nothing
>> and on another complain how it hurts good users.  If it's nothing
>> how can it hurt good users?
>
> It hurts good users by removing a tool that they can use to work
> around bugs and communications problems.
>
> I use different viewers on Linux and on Windows for just that
> reason.

I see.  Your choice of viewer is more important than the grid operators'
choices.  It's OK to limit their tools.


