I agree. In fact it takes a certain amount of effort to change the default ID which is built into the viewer code. Effort that no malware writer will expend!
There are a great many crazy ideas that hide under the banner of "security". Here in Arizona we have a traffic camera scam which is being promoted as "safety". The huge amount of statistical evidence which proves this to be false is simply ignored. Many people are receiving citations for speeding when in fact they are sick or travelling outside the US. Karen --- On Thu, 1/14/10, Marcus Llewellyn <[email protected]> wrote: > From: Marcus Llewellyn <[email protected]> > Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done? > To: [email protected] > Date: Thursday, January 14, 2010, 9:15 AM > Okay, it's quite possible I'm > mistaken, but my understanding was that the -channel command > line parameter on the viewer allows a user to represent > themselves as pretty much any other viewer. If I'm > incorrect, then the rest of this message is to be > disregarded. :P > > > Putting aside whether or not viewer string filtering has > merit or not, it seems to me that if one must use this > approach, then mandating use of the official vanilla viewer > (or indeed, any current variant I know of) is *not* the way > to go. You would want one that did not acknowledge the > -channel parameter at all. And you wouldn't stop there. > > > In fact, since using any viewer to spoof the viewer string > is no more difficult then changing the shortcut to connect > to a different grid. This isn't even obscure... really > it's not. Most grids have a "How to connect" > page, and it doesn't take a mental giant to figure out > how to add other parameters to what's on there. No > coding skills are required. > > > To attempt security by obscurity (if we define coding > skills as a prerequisite for defeating it) you will really > have to maintain your own version of the viewer. One that > ignores a -channel parameter, and probably one that goes the > extra step of sending at least one other string that the > server expects to intercept for a successful login. And if > you're gonna do that, why not go whole hog and make the > client exchange keys to authenticate itself? > > > Sounds like a hassle to me. Wouldn't it simply be > easier to make your grid invitation only or something? > > > -----Inline Attachment Follows----- > > _______________________________________________ > Opensim-users mailing list > [email protected] > https://lists.berlios.de/mailman/listinfo/opensim-users > _______________________________________________ Opensim-users mailing list [email protected] https://lists.berlios.de/mailman/listinfo/opensim-users
