Security through obscurity is no security at all. If you're relying on people not figuring it out, people *will* figure it out.
</experience of security expert for many years>

-Kyle H

On Tue, Jan 12, 2010 at 1:34 PM, Imago <[email protected]> wrote:
> But really... How many people who aren't really looking for this info are going to find it. ;) Nubs aren't going to know where to look. But blocking by string probably wouldn't be the best, but it would work for dumb people. ;)
>
> ----- Original Message -----
> From: "Frisby, Adam" <[email protected]>
> To: <[email protected]>; <[email protected]>
> Sent: Tuesday, January 12, 2010 3:25 PM
> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>
>> While I hate to rain on anyone's parade - but you can use the "-channel" commandline switch to edit the version string to whatever you want. I really wouldn't rely on it.
>>
>> Adam
>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:opensim-users-[email protected]] On Behalf Of Imago
>>> Sent: Tuesday, 12 January 2010 9:34 AM
>>> To: [email protected]; [email protected]
>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>
>>> Thanks, I've been looking over the code, and yeah, I know people could. But really how many regular joes out there would be interested enough to download, compile, and play with the code. *laughs* I don't think there's many, because a lot of them would much rather have instant gratification rather than having to work for it.
>>>
>>> But in my opinion even fragile filtering is better than none at all. Because while some could get in the population en masse wouldn't be able to.
>>>
>>> ----- Original Message -----
>>> From: <[email protected]>
>>> To: <[email protected]>
>>> Sent: Tuesday, January 12, 2010 8:15 AM
>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>
>>> > As Teravus said, the LL viewer sends a string identifying itself and a version.
>>> > In the new login procedure that is captured by the LLLoginHandlers as
>>> >     if (requestData.Contains("version"))
>>> >         clientVersion = requestData["version"].ToString();
>>> >
>>> > Right now we're not doing anything interesting with this information. When this refactoring makes it to the master branch, people can replace / augment the existing LLLoginHandlers to do other things including filtering logins according to this field.
>>> >
>>> > But as others said here, this is a very fragile filtering, as any viewer can send that field saying that it's an LL viewer.
>>> >
>>> > Imago wrote:
>>> >> Ah! Thank you. I did read something on the subject, but then suffered a hard drive death and it wiped out any settings I had. :( Google comes up with way too much junk when you look for stuff as well as Mantis stuff and Jiras. I will check in to this. So, now I know it is possible. :D Now, it's just finding a way to do it. *shrugs and laughs* If it keeps a few kids out then that's fine. I'd rather have fun than to have to police my console for logins. :D
>>> >>
>>> >> ----- Original Message -----
>>> >> From: "Teravus Ovares" <[email protected]>
>>> >> To: <[email protected]>
>>> >> Sent: Monday, January 11, 2010 11:56 PM
>>> >> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>> >>
>>> >>> The viewer information is sent when the viewer logs in. If you check the viewer channel version string when the viewer logs in, you can deny based on a string match. That's the easy (and least effective way) to lock only specific viewers.
>>> >>>
>>> >>> I believe that diva and Melanie_T were the last to work on these areas.. so they would probably be able to tell you where to check 'best'.
>>> >>>
>>> >>> One thing to note, however, is..
>>> >>>
>>> >>> The viewer logs into the 'user service' by sending an XMLRPC request to the HTTP Service with the login_to_simulator method. It's at this time that the 'viewer channel string' should be checked.
>>> >>>
>>> >>> Teravus
>>> >>>
>>> >>> On Tue, Jan 12, 2010 at 12:34 AM, Imago <[email protected]> wrote:
>>> >>>> Mostly I want this because of peace of mind, but also because I am considering compiling a viewer on Hippo code that will have a different channel code altogether that I will probably use for the sim. If I can lock off viewers that don't have my exact channel or code then I can be sure only official viewers can get in. Right now the sim is only for friends but if I open it up to more I wouldn't want idiots coming in and mucking about the place. Which is why I was asking. I know that some opensim *shaking head* I wish I could remember who and where banned certain viewers from logging in. I'm not sure how she/he did it, though, but it got me curious as to how it's done. That and I wouldn't really want someone using something like Cryo or even Meerkat, but as you said... They probably all have the same default code. But if I put in another code and compiled it off of hippo or Linden's viewer I could put in my own channel and have others not able to enter. I like security and peace of mind, but security in this day and age is a myth. (Like those stupid broadcasting things that were supposed to stop copybot.)
>>> >>>>
>>> >>>> But I was just curious if anyone had done it or heard of it.
>>> >>>> I want to say openlifegrid did it, but I can't remember so I don't want to say for sure until I find it again. (computer crashes suck.)
>>> >>>> ----- Original Message -----
>>> >>>> From: "Karen Palen" <[email protected]>
>>> >>>> To: <[email protected]>
>>> >>>> Sent: Monday, January 11, 2010 11:24 PM
>>> >>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>> >>>>
>>> >>>>> As I think of it the answer is the same.
>>> >>>>>
>>> >>>>> The Linden Labs viewer does send an identification and version number, but that really does very little. Almost every viewer out there is based on the current LL viewer and many people don't bother changing this code for their experimental versions.
>>> >>>>>
>>> >>>>> For example I just checked and I have a customised LL viewer where the only change is that it will log on to my private sim by default. The ID codes are identical to the original since I never bothered to change them.
>>> >>>>>
>>> >>>>> I use it to make sure that my private sim will run OK with the "official" viewer.
>>> >>>>>
>>> >>>>> I am not really sure why you would want that restriction though. Should I be considering that for my sim? Have I missed something here?
>>> >>>>>
>>> >>>>> Sorry.
>>> >>>>>
>>> >>>>> Karen
>>> >>>>>
>>> >>>>> --- On Mon, 1/11/10, Imago <[email protected]> wrote:
>>> >>>>>
>>> >>>>>> From: Imago <[email protected]>
>>> >>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>> >>>>>> To: [email protected]
>>> >>>>>> Date: Monday, January 11, 2010, 10:05 PM
>>> >>>>>> I don't think anyone is understanding. :D It's not just Cryo. I want only Linden Lab viewers to be able to login.
>>> >>>>>> I've seen it done on other opensims. I know people can get around that. But the point is... Not everyone is a coder. So, while they could compile and make it look like a Linden Lab viewer then so be it. I just want to know if there's a mod or string that I can put in to opensim to see what channel the viewer is sending, and if it's not the right one then to display an error message that would tell them to download an official release in order to login.
>>> >>>>>>
>>> >>>>>> Maybe I should have chosen my words better. Mentioning Cryo is like mentioning copybot, and responses only seem to be based on theft and copy protection. I just want to know if there's a string to block a viewer. I know people have done it I just can't remember what opensim I saw it done on. I also know that if I had Cryo source code I could compile and make it look like a Second Life release viewer. But not everyone is a hacker or a coder or both. Most people don't know how or can't compile a viewer or are too lazy to. So, they go look for one, and that's the basis for my thinking most thieves are too lazy to try to figure out a way and will move on to the next target.
>>> >>>>>>
>>> >>>>>> So, the question I'm asking is:
>>> >>>>>> Is there a way for OpenSim to check a viewer string and allow or disallow based on that, and if so please let me know where that code is, and if not... Then I'll be burning the midnight oil again coding one up.
>>> >>>>>>
>>> >>>>>> ----- Original Message -----
>>> >>>>>> From: "Karen Palen" <[email protected]>
>>> >>>>>> To: <[email protected]>
>>> >>>>>> Sent: Monday, January 11, 2010 10:44 PM
>>> >>>>>> Subject: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>> >>>>>>
>>> >>>>>>> The short answer is no.
>>> >>>>>>>
>>> >>>>>>> The more complete answer is that while you can easily detect some characteristic of a viewer (or other software) which identifies that viewer and use that to ban it, nothing can stop the authors of that viewer from changing whatever characteristic you use.
>>> >>>>>>>
>>> >>>>>>> Worse yet, whatever characteristic you select to identify the "bad" software will inevitably turn up in some other (innocent) viewer sooner or later and will cause them to be banned for no reason.
>>> >>>>>>>
>>> >>>>>>> The best you could hope to achieve is some sort of "arms race" between "bad" viewer creators and sim operators.
>>> >>>>>>>
>>> >>>>>>> In addition any viewer could be adapted for piracy. The original experiments that resulted in libsecondlife/openMetaverse were based on analysing the data stream between the Second Life Servers and the viewer software (at the time ONLY the Linden Labs viewer) and had access to all of that information. This was all done without modifying the viewer in any way - it was proprietary at the time.
>>> >>>>>>>
>>> >>>>>>> Sadly the lesson of the endless failures of DRM schemes elsewhere shows that the real losers are the honest/innocent users who are unable to do the things that they really should expect to do with the content that they have purchased.
>>> >>>>>>>
>>> >>>>>>> For example, I have completely stopped buying anything in Second Life since I want to use the inventory I buy in my private sims as well. Sure I can use pirate tools to do this, but if I have to do that to use my purchases where I want to use them then why not just steal the stuff in the first place?
>>> >>>>>>>
>>> >>>>>>> This is very similar to the situation with music CDs and DVDs, why build an expensive collection if you will just have to re-purchase it in a few years for the next technology and some DRM scheme tries to keep me from playing my collection on the new equipment?
>>> >>>>>>>
>>> >>>>>>> There are several efforts being directed at some sort of "portable" content. I hope that one or more actually proves to work, but I have no illusions about that actually happening any time soon.
>>> >>>>>>>
>>> >>>>>>> My opinion is that the best we can do at present is similar to the real life piracy situation: stop the commercial marketing of pirated merchandise as it is detected and reported. Ban anyone who engages in such activities and if they persist bring real world law enforcement to bear.
>>> >>>>>>>
>>> >>>>>>> For once Linden Labs seems to be using a reasonable version of this when they state that the viewer is not the problem, it is the use of the viewer. They have promised to act promptly to ban anyone using any viewer for piracy.
>>> >>>>>>>
>>> >>>>>>> Karen
>>> >>>>>>>
>>> >>>>>>> --- On Mon, 1/11/10, Imago <[email protected]> wrote:
>>> >>>>>>>> Is it possible to stop certain viewers from logging in to your opensim? Like Cryo?
_______________________________________________
Opensim-users mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/opensim-users
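
The string-match check discussed in this thread, sketched as an added example (it is not OpenSim code and was not posted by anyone in the thread). It parses a constructed `login_to_simulator` XML-RPC call, reads the `version` field and applies a prefix allowlist; the function names, the allowlist value and the sample version strings are assumptions made for illustration.

```python
import xmlrpc.client

# Constructed allowlist of accepted version-string prefixes (assumed values).
ALLOWED_PREFIXES = ("Second Life Release",)
DENY_MESSAGE = "Please download an official release in order to log in."


def build_login_request(first, last, version):
    """Constructed sample of the XML-RPC body a viewer sends at login."""
    params = {"first": first, "last": last}
    if version is not None:
        params["version"] = version
    return xmlrpc.client.dumps((params,), methodname="login_to_simulator")


def check_viewer(xml_body, allowed=ALLOWED_PREFIXES):
    """Return (allowed, reason) for one login request.

    The version field is whatever the client chose to send, so the result
    is a policy hint for honest clients, not proof of which viewer is used.
    """
    try:
        # Sketch only: untrusted XML should go through a hardened parser.
        params, method = xmlrpc.client.loads(xml_body)
    except Exception:
        return False, "malformed request"
    if method != "login_to_simulator":
        return False, "not a login request"
    if not params or not isinstance(params[0], dict):
        return False, "not a login request"
    version = params[0].get("version")
    if not isinstance(version, str) or not version.strip():
        return False, DENY_MESSAGE  # field missing or empty: fail closed
    if version.strip().startswith(tuple(allowed)):
        return True, "version accepted: " + version.strip()
    return False, DENY_MESSAGE


if __name__ == "__main__":
    samples = [  # constructed requests
        ("stock viewer", build_login_request("Test", "User", "Second Life Release 1.23.5")),
        ("customised build, ID codes unchanged", build_login_request("Test", "User", "Second Life Release 1.23.5")),
        ("other viewer", build_login_request("Test", "User", "ExampleViewer 0.1")),
        ("no version field", build_login_request("Test", "User", None)),
    ]
    for label, body in samples:
        print(label, "->", check_viewer(body))
```

The first two samples are byte-identical on the wire, which is why the server cannot tell a stock viewer from a customised build that kept the default string.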
