[Opensim-users] Banning "bad" viewers was Re: Can this be done?

Anders Arnholm anders at arnholm.se
Fri Jan 15 08:39:19 UTC 2010



Sent from my iPhone

13 jan 2010 kl. 18.48 skrev John Ward <jward at uci.edu>:

> On 01/13/2010 01:45 AM, Anders Arnholm wrote:
>> On Tue, Jan 12, 2010 at 04:55:10PM -0800, John Ward wrote:
>>
>>> account in the first place, another similar layer.  If a grid operator
>>> wants a little better protection, checking the string the client
>>> identifies itself with would seem a reasonable additional layer.
>>
>> The grid operator may give any stupid ideas to the user, but I would not
>> call it security. Like there is no security in making a web site that
>> only works in IE. If the operator calls this a security thing, it's
>> obvious that person doesn't know squat about security or is lying. Either
>> case lowers my trust in the operator.
>
> If one takes a step that thwarts an attack, has security been improved?
> I say it has.  Does thwarting an attack make a system secure?  Not
> necessarily.
>
> If you have stupidly written a web site that only securely works with
> one browser, should you try to restrict access to your web site to that
> one browser?

Not fixing one's problem is irresponsible. If you have this problem and
spend time on the workaround I would call you stupid. You have built a
really bad system to start with and now have to pay the bill for not
doing it right. Closing the site may be a better solution, given that all
viewers already have a masquerade mode.


>
>>> So, is the system secure?  If one's goal was to prevent casual
>>> non-compliance then it probably is reasonably secure.  If one wants to
>>> prevent anyone from ever running a bad client on their grid then one's
>>> grid is not secure.
>>>
>>> "Security through obscurity" is quite valid.  That's why we (hopefully)
>>> choose obscure passwords. If one understands what the obfuscation gets
>>> them then it is just another layer.
>>
>> A good random passphrase is not security by obscurity.
>
> If a password is not obscured it's not effective.  If I can guess it or

Your usage definition of obscure doesn't match what's common in the
security world, hence using this as proof for obscurity in security
terms is invalid. Easy knowledge, like an easy password, has lower
value for authentication.

>
> figure it out, it's not secure.  The very point of a password is for
> others not to know it.  The more obscure it is to others the more secure
> it is.  The security relies on this very obscurity.
>
>> It's a part of authentication of the user.
>> In security research one has identified
>> three elements that are needed for authentication of a person:
>> "ownership", "knowledge" and "inherence". The passphrase is the
>> "knowledge" part; the harder something is to know, the better this leg
>> of authentication. For example we could say if you on the phone can state
>> what year you were born, I think you are you. This knowledge is quite
>> easy for someone else to figure out, so this leg is quite easy to break.
>> By making the knowledge some kind of long obscure string I made up
>> myself, it's much harder for someone else to figure out and the trust
>> that me is me gets better. Still, it's just the knowledge element. To make a
>> good authentication one needs at least two elements. Verifying the two
>> other elements of authentication over the internet is almost impossible
>> even if some attempts have been made.
>>
>> The passphrase only lets you, to some extent, be sure that the person in
>> the other end is the person he or she claims to be. It has nothing to do
>> with securing what he or she can do.
>
> Determining who can do what is often called authorization.

The password, though, isn't part of authorization. It's the part of knowing
who is who. Once that is done one can go over to determining what that
person can do.


>
>>> I think having lots of easy to set up and use layers is a good thing even
>>> when some of them are easily defeated. :-)
>>
>> The big risk is that no security chain is stronger than its weakest
>> link. And having a lot of strong links in one part makes the user feel
>> secure. Feeling secure when one isn't could be fatal.
>
> I think of security in terms of layers, not chains.  If one technique is
> subject to spoofing or man-in-the-middle attack I may need to add other
> layers.  I don't necessarily stop using those techniques because they
> don't.
>

Both models have their validity; the problem with the layer idea is
when it is applied to stuff that can easily be added into a tool.


> John.
> _______________________________________________
> Opensim-users mailing list
> Opensim-users at lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/opensim-users
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
