Whether to patch an angle of attack is definitely not my decision. If you and the core team are happy with the users and content creators in open grids being vulnerable, then I cannot do anything about it.<div><br></div><div>
But ... since standards are good, double ones must be....</div><div><br></div><div>best regards</div><div>Snowcrash</div><div><br><div class="gmail_quote">On Mon, Nov 19, 2012 at 1:27 AM, Diva Canto <span dir="ltr"><<a href="mailto:diva@metaverseink.com" target="_blank">diva@metaverseink.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 11/18/2012 12:23 PM, Snowcrash Short wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
E.g. the vulnerabilities discussed with Diva. They are a clear example of coders knowingly implementing security safeguards "client side (well simulator side, but in a hypergrid that is pretty much the same)". Fortunately - and to me hard to understand why they haven't - hardening the interfaces somewhat isn't that hard.<br>
</blockquote>
<br></div>
Snowcrash,<br>
<br>
I strongly suggest that you spend some more studying OpenSim. Your assumptions are wrong. The lack of security in the internal services is not an overlook; it's intentional.<br>
<br>
The grid services are exactly that -- internal grid services. They exist with the sole purpose of sharing data among a set of simulators *operated by the same entity*. That's what they are designed to do, and nothing else. They don't have safeguards because they don't need them under those circumstances. They are designed under the assumption that grid operators will firewall them, because that's the absolute safest way of protecting data. Open grids a-la OSGrid are incurring in a huge risk. Luckily there aren't that many, at least not when compared to the total number of grids that do the right thing. OSGrid is special -- it's a test grid, and we all love it for that, security holes and all.<br>
<br>
The Hypergrid services are completely different and separate from the internal grid services. They have all sorts of security guards designed for the Hypergrid and not for general-purpose access. They are safe for the purposes for which the HG has been designed.<br>
<br>
If you want grids to place their data on the Internet, you need to provide a viable implementation of those services for whatever purposes you have in mind. The internal services will not be patched, because they don't need security.<span class="HOEnZb"><font color="#888888"><br>
<br>
Diva</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
______________________________<u></u>_________________<br>
Opensim-users mailing list<br>
<a href="mailto:Opensim-users@lists.berlios.de" target="_blank">Opensim-users@lists.berlios.de</a><br>
<a href="https://lists.berlios.de/mailman/listinfo/opensim-users" target="_blank">https://lists.berlios.de/<u></u>mailman/listinfo/opensim-users</a><br>
</div></div></blockquote></div><br></div>