[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Anders Arnholm anders at arnholm.se
Thu Jan 14 14:42:41 UTC 2010



Sent from my iPhone

On 13 Jan 2010, at 19:52, John Ward <jward at uci.edu> wrote:

> On 01/13/2010 01:57 AM, Anders Arnholm wrote:
>> On Tue, Jan 12, 2010 at 11:45:25PM -0800, John Ward wrote:
>>> Karen Palen wrote:
>>>> Hmm, somehow your posts are coming with a really strange time stamp. I
>>>> would guess that the local time zone on your machine is incorrect.
>>>
>>> No, just the clock off, and off by enough to keep NTP from updating it
>>> automatically.
>>>
>>>> My central point remains that knowing the viewer ID string does nothing to
>>>> prevent any such attack, this is simply one workaround.
>>>
>>> With all due respect the first of your claims I responded to had been that
>>> using the ID string was worse than doing nothing.  Which is false.  Then you
>>
>> I agree using the ID string is worse than doing nothing, Karen is
>> right. It's an action that hurts the good guys more and makes you think
>> you did anything to the bad guy. You argue here it stops bad guys; if you
>> think that, you are wrong. If you keep arguing it stops bad guys, you
>> sort of prove it hurts your security because you believe it helps you be
>> safe.
>
> If a grid operator only wants a particular viewer connected to their
> grid and you connect with an alternate are you a good guy or a bad guy?

Actually I call that operator stupid; he is showing he doesn't care
about the customer. And I wouldn't even care to try to connect again;
there are many good alternatives, and an operator that thinks one
viewer, one tool, fits all kinds of work and doesn't let the user make the
choice is for me not worthy of my time or money.

>  I say you are a bad guy.  If blocking based on the ID string keeps you
> out I wanted you out anyway!

Your and my definitions of bad guy differ. I call the one trying to
make a grid a better place for all, trying to create and help the
residents, a good user, and someone trying to destroy a bad user. If a
griefer in the default viewer is good and someone trying to help is bad,
well, again I wouldn't like the grid; I would not feel welcome, or in
short, a lost sale.

> Keeping bad guys out as well as slowing
> them down definitionally improves security.  Does this make the system
> "secure" from bad guys and all attacks?  Nope, I don't recall anyone
> saying so.

But who does this slow down? Does it slow down copybots? No, by their
nature they tend not to give away their identity, e.g. they send the
"correct" string. With your definition of bad guy, I'm not sure what
your goal is; being a fascist grid operator, well, maybe it helps making
the experience worse.
>
>>> went with it does NOTHING apart from "feelgood"!  Which is also false.  Now
>>
>> It doesn't do anything on identifying what software is running remote,
>> in fact what software is running remote you can't determine.
>
> Really, do all clients send bad ID strings?  I did not know that.  I
> appear to be under the mistaken impression that clients generally use
> that ID string to identify themselves.

The string could be true or false; anything you get over the net could
be false. Any security scheme that builds on the information from the
client being true is bound to be faulty. I say there are so many things
that give better value for the spent effort. As all security work is
taking from the usability and adding. I hope no one today would
suggest limiting a website to only be used by IE would add to the site's
security.

> Are you who you say you are?
> Can I determine if that's really you and not someone else? Is it OK to
> accept that you are who you say because you have said so?

Authentication over networks is a hard problem but usually one can
achieve an acceptable compromise here.


> Mailing lists commonly require one to be a member to post to the list.
> Why?  I can spoof any email address.  That's not secure.  I guess we
> should stop because we wouldn't want anyone to falsely feel safe. :-)

Actually that is a little higher than the scheme you suggest; it's a
very simple authentication needing the user to know a member of the
mailing list. The spam getting into even this kind of mailing list
would be a proof that it doesn't work. In the grid case I can't even
imagine what kind of protection one hopes to achieve with this effort.
>
>>> its it does nothing to prevent an attack.  I mostly agree with that.  What it
>>> does do is limit a viewer based on how it identifies itself which is something
>> What it does is changing the protocol for connecting a little, making your
>> grid not compatible with the other grids. This limitation in your grid
>> may stop some users; it will most probably keep all evlite users out as
>> your grid will not contain anything they think is worth this
>> inconvenience.
>
> I support you choosing what grids you connect to.  I also support a grid
> operator making decisions about their grid.

Sure the operator is free to close his grid. But if he claims it is for
the security of his users he is either lying or misinformed. In both
cases I think information is good. Most important is that the
potential users understand that the possibility to use Imprudence,
Cool Viewer or Emerald is not a choice for them, but to make the ego of
the grid owner grow. For me a grid owner could make a rule that only
black or white people could connect, that the client computer has to be
blue. However don't tell me it makes me more secure. Also if trying to
make a successful grid, banning good citizens on false grounds to me looks
like a stupid idea.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
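
The point argued in this message, that a check on a self-reported viewer ID only constrains clients that report truthfully, shown as an added example (not part of the thread and not OpenSim code). The viewer strings, account names, keys and function names are constructed for illustration; the keyed challenge-response stands in for whatever credential check a grid really uses.

```python
import hashlib
import hmac
import os

# Hypothetical policy value: the one viewer ID string the operator accepts.
APPROVED_VIEWER = "Official Viewer 1.0"
# Constructed per-account secrets known to the grid (stand-in for real credentials).
ACCOUNT_KEYS = {"alice": b"alice-key", "bob": b"bob-key"}
BANNED = {"bob"}  # accounts the operator has already banned


def admit_by_viewer_string(req):
    """The check under debate: believe whatever viewer ID the client reports."""
    return req["viewer"] == APPROVED_VIEWER


def prove(key, nonce):
    """Client side: answer the server's fresh nonce with a keyed MAC."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def admit_by_account(req, nonce):
    """Decide on something the server can verify; the viewer string is ignored."""
    key = ACCOUNT_KEYS.get(req["account"])
    if key is None or req["account"] in BANNED:
        return False
    return hmac.compare_digest(prove(key, nonce), req["proof"])


def evaluate():
    """Return {login: (admitted by viewer string, admitted by account proof)}."""
    nonce = os.urandom(16)  # fresh per login attempt
    logins = {  # constructed login attempts
        "alice-alt-viewer": {"account": "alice", "viewer": "Alt Viewer 0.9",
                             "proof": prove(b"alice-key", nonce)},
        "banned-bob-approved-string": {"account": "bob", "viewer": APPROVED_VIEWER,
                                       "proof": prove(b"bob-key", nonce)},
        "unknown-approved-string": {"account": "mallory", "viewer": APPROVED_VIEWER,
                                    "proof": b""},
    }
    return {who: (admit_by_viewer_string(r), admit_by_account(r, nonce))
            for who, r in logins.items()}


if __name__ == "__main__":
    for who, (by_string, by_account) in evaluate().items():
        print(f"{who:28} viewer-string={by_string!s:5} account-proof={by_account}")
```

The string check turns away the valid account on a third-party viewer and admits both the banned and the unknown account; the server-verifiable check gives the opposite result in all three cases.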



