[Opensim-users] Announcement of inventory tool (MyInventory), mostly of interest to grid operators/grid nauts

Diva Canto diva at metaverseink.com
Mon Nov 19 00:27:03 UTC 2012


On 11/18/2012 12:23 PM, Snowcrash Short wrote:
> E.g. the vulnerabilities discussed with Diva. They are a clear example 
> of coders knowingly implementing security safeguards "client side 
> (well simulator side, but in a hypergrid that is pretty much the 
> same)". Fortunately - and to me hard to understand why they haven't - 
> hardening the interfaces somewhat isn't that hard.

Snowcrash,

I strongly suggest that you spend some more time studying OpenSim. Your 
assumptions are wrong. The lack of security in the internal services is 
not an oversight; it's intentional.

The grid services are exactly that -- internal grid services. They exist 
with the sole purpose of sharing data among a set of simulators 
*operated by the same entity*. That's what they are designed to do, and 
nothing else. They don't have safeguards because they don't need them 
under those circumstances. They are designed under the assumption that 
grid operators will firewall them, because that's the absolute safest 
way of protecting data. Open grids à la OSGrid are incurring a huge 
risk. Luckily there aren't that many, at least not when compared to the 
total number of grids that do the right thing. OSGrid is special -- it's 
a test grid, and we all love it for that, security holes and all.

The Hypergrid services are completely different and separate from the 
internal grid services. They have all sorts of security guards designed 
for the Hypergrid and not for general-purpose access. They are safe for 
the purposes for which the HG has been designed.

If you want grids to place their data on the Internet, you need to 
provide a viable implementation of those services for whatever purposes 
you have in mind. The internal services will not be patched, because 
they don't need security.

Diva



