[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Anders Arnholm anders at arnholm.se
Thu Jan 14 14:05:39 UTC 2010


Actually changing the identifier to be stopped by this security
system is actually doing extra work. The default system uses the same
channel as the official viewer.

Sent from my iPhone

On 13 Jan 2010, at 20:42, John Ward <jward at uci.edu> wrote:

> On 01/13/2010 10:58 AM, Karen Palen wrote:
>>
>>
>> --- On Wed, 1/13/10, John Ward<jward at uci.edu>  wrote:
>>
>>> From: John Ward<jward at uci.edu>
>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>> To: opensim-users at lists.berlios.de
>>> Cc: "Karen Palen"<karen_palen at yahoo.com>
>>> Date: Wednesday, January 13, 2010, 10:06 AM
>>>
>>>
>>> On 01/13/2010 12:18 AM, Karen Palen wrote:
>>>> I suppose the way to disprove this would be to compile a version of
>>>> the "genuine" Linden Labs viewer with all content checking disabled
>>>> and the capability to do some sort of nastiness then distribute it to
>>>> all the script kiddies somehow.
>>>
>>> What would this prove?  I think it would prove that one would have
>>> to use a client that identifies itself with a blessed ID.
>>
>> It would be the equivalent of some crook who sells defective fire
>> extinguishers at a flea market.
>>
>> Whatever evil characteristics you consider to be equivalent to a
>> defective fire extinguisher can be included in such a "viewer". This
>> serves to counter the argument about "script kiddies" not being able
>> to do this.
>
> You didn't answer my questions, and I have no idea what you are saying.
>
>>
>>>> I am sure there are people out there who will do (or have done)
>>>> exactly that, but it will not be me even to prove a point. A quick
>>>> look at the code says it should be about a half day's work, less if I
>>>> reverse engineered some version of copybot.
>>>
>>> You must have lots of spare time to call a half day's work NOTHING.
>>
>> Well I HAVE been retired for many years now LOL
>>
>> In fact it is a matter of priorities, however there are certainly
>> plenty of people out there who WILL spend this time.
>>
>> One datum point is to check something like "Windows 7" on Pirate Bay,
>> this morning there were over 900 in the search results. Checking the
>> more popular looking ones shows that someone is spending a huge
>> amount of time and effort cracking and repackaging the software for
>> any "script kiddie" who cares to download one.
>>
>> I would be very surprised if there were NOT something out there that
>> pretends to be the LL viewer in fact.
>>
>> Changing the ID string takes some effort on the part of the coder and
>> it is hardly something that someone who is trying to produce a "bad"
>> version will care about.
>
> I understand that checking an ID string can be defeated.  That has never
> been my point.  You point out that it takes some effort to change the
> string.  That very effort is an impediment.  Slowing down the bad guys
> can be very worthwhile!  It's not lost on me that slowing down the good
> guys may make it a poor choice.  Some methods are not worth the trouble.
> Repeatedly saying it's nothing only shows you do not understand my point.
>
>>>> In my estimation that makes the illusion that checking the ID exactly
>>>> equivalent to illusion presented by a dummy fire extinguisher. We
>>>> just have not (yet) identified which "genuine LL viewer" is
>>>> really the fake!
>>>
>>> The broken analogy again....  What fire does a dummy fire
>>> extinguisher put out?  Blocking based on ID will block any client
>>> with the wrong ID.
>>
>> Which accomplishes exactly what? NOTHING!
>
> If you wanted to block a client with certain ID how would you do it?
> Would you do NOTHING or would you check the ID string?
>
>>
>>> It will let any client in with a correct ID even an undesirable
>>> one.
>>
>> Which makes the check essentially useless as a security tool.
>
> That assumes keeping out all bad guys is the only measure of a security
> tool.  This is plain wrong.  We do things that slow down bad guys and
> often the good guys too.  We often do things that only provide partial
> protection.  That's how security gets provided in practice.
>
>>> I find it painfully amusing that on one hand you call this nothing
>>> and on another complain how it hurts good users.  If it's nothing
>>> how can it hurt good users?
>>
>> It hurts good users by removing a tool that they can use to work
>> around bugs and communications problems.
>>
>> I use different viewers on Linux and on Windows for just that
>> reason.
>
> I see.  Your choice of viewer is more important than the grid operators'
> choices.  It's OK to limit their tools.

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



