[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Karen Palen karen_palen at yahoo.com
Fri Jan 15 04:08:04 UTC 2010


After a whole lot of back and forth (much of it in private emails) I think we are beginning to agree.

--- On Thu, 1/14/10, John Ward <jward at uci.edu> wrote:
> I pretty much agree with you. My objection is to the notion that
> "fragile filtering" is NOTHING or worse because it only generates safe
> feelings. Lots of techniques have actual benefits that are not "real
> security" in some academic sense but are if you measure the effects.

My distinction is between what you plan to do as part of the system "defense" and what you are forced to do to keep things working and keep the "bad guys" from destroying things.

This is really a different "plane" from John's view expressed above, but I see it as complementary rather than a contradiction.

> Client ID string filtering is a poor example of a useful fragile filter.
>   1. The threshold for avoiding it is too low.
>   2. The cost of keeping legitimate users out is too high.

That we certainly agree on!

This particular example would require the "bad guys" to actually change something to identify themselves! 

Since our last email exchange I have found one "private" so-called "backup" system that actually allows the user to select from a set of viewer identities that is maintained by the client writer! This feature actually allows the "script kiddie" user to select which viewer identity is sent and presumably also includes some sort of index to show which identity to use with which grid!

Once I can confirm this (with at least more than some YouTube bragging) I will post some details.

Karen



      


