Can this be done?


Can this be done?

Imago
Is it possible to stop certain viewers from logging in to your opensim? Like Cryo?

_______________________________________________
Opensim-users mailing list
[hidden email]
https://lists.berlios.de/mailman/listinfo/opensim-users

Re: Can this be done?

Teravus Ovares
Not with any real certainty. You could stop script kiddies by
scrutinizing the viewer string when the viewer logs in to the user
service, but determined developers who understand the protocol can
cause their hacked viewer to report whatever they want for the version
string. It's not very difficult to do. Much like the browser
reports the user agent, the viewer reports the name and version.

If you really wanted to try to stop Cryo, try to figure out
something that it uniquely does. See if you can discover a
pattern.
If you can, then detect the pattern and scramble the user's inventory,
turn them into a stick bug, and send every texture as a missing image
:). I'm sure they won't log in again if they encounter that.

Regards

Teravus



Re: Can this be done?

Imago
*laughing* Thanks. But I was mostly looking for if you could stop a viewer
by name. Most script kiddies come in with viewers they downloaded off the
internet. So, if you or anyone else knows where to add something to the
opensim code to block viewers I guess it would be by channels or something.
Please share it. I know a couple of opensims that don't allow certain viewers,
but I'm at a loss on how they block them.

Banning "bad" viewers was Re: Can this be done?

Karen_Palen
In reply to this post by Imago
The short answer is no.

The more complete answer is that while you can easily detect some characteristic of a viewer (or other software) which identifies that viewer and use that to ban it, nothing can stop the authors of that viewer from changing whatever characteristic you use.

Worse yet, whatever characteristic you select to identify the "bad" software will inevitably turn up in some other (innocent) viewer sooner or later and will cause them to be banned for no reason.

The best you could hope to achieve is some sort of "arms race" between "bad" viewer creators and sim operators.

In addition any viewer could be adapted for piracy. The original experiments that resulted in libsecondlife/openMetaverse were based on analysing the data stream between the Second Life Servers and the viewer software (at the time ONLY the Linden Labs viewer) and had access to all of that information. This was all done without modifying the viewer in any way - it was proprietary at the time.

Sadly the lesson of the endless failures of DRM schemes elsewhere shows that the real losers are the honest/innocent users who are unable to do the things that they really should expect to do with the content that they have purchased.

For example, I have completely stopped buying anything in Second Life since I want to use the inventory I buy in my private sims as well. Sure I can use pirate tools to do this, but if I have to do that to use my purchases where I want to use them then why not just steal the stuff in the first place?

This is very similar to the situation with music CDs and DVDs, why build an expensive collection if you will just have to re-purchase it in a few years for the next technology and some DRM scheme tries to keep me from playing my collection on the new equipment?

There are several efforts being directed at some sort of "portable" content. I hope that one or more actually proves to work, but I have no illusions about that actually happening any time soon.

My opinion is that the best we can do at present is similar to the real life piracy situation: stop the commercial marketing of pirated merchandise as it is detected and reported. Ban anyone who engages in such activities and if they persist bring real world law enforcement to bear.

For once Linden Labs seems to be using a reasonable version of this when they state that the viewer is not the problem, it is the use of the viewer. They have promised to act promptly to ban anyone using any viewer for piracy.

Karen


Re: Banning "bad" viewers was Re: Can this be done?

Imago
I don't think anyone is understanding. :D It's not just Cryo. I want only
Linden Lab viewers to be able to login. I've seen it done on other
opensims. I know people can get around that. But the point is... Not
everyone is a coder. So, while they could compile and make it look like a
Linden Lab viewer then so be it. I just want to know if there's a mod or
string that I can put in to opensim to see what channel the viewer is
sending, and if it's not the right one then to display an error message that
would tell them to download an official release in order to login.

Maybe I should have chosen my words better. Mentioning Cryo is like
mentioning copybot, and responses only seem to be based on theft and copy
protection. I just want to know if there's a string to block a viewer. I
know people have done it, I just can't remember what opensim I saw it done
on. I also know that if I had Cryo source code I could compile and make it
look like a Second Life release viewer. But not everyone is a hacker or a
coder or both. Most people don't know how or can't compile a viewer or are
too lazy to. So, they go look for one, and that's the basis for my thinking
most thieves are too lazy to try to figure out a way and will move on to the
next target.


So, the question I'm asking is:
Is there a way for OpenSim to check a viewer string and allow or disallow
based on that, and if so please let me know where that code is, and if
not... Then I'll be burning the midnight oil again coding one up.


Re: Banning "bad" viewers was Re: Can this be done?

Karen_Palen
As I think of it the answer is the same.

The Linden Labs viewer does send an identification and version number, but that really does very little. Almost every viewer out there is based on the current LL viewer and many people don't bother changing this code for their experimental versions.

For example I just checked and I have a customised LL viewer where the only change is that it will log on to my private sim by default. The ID codes are identical to the original since I never bothered to change them.

I use it to make sure that my private sim will run OK with the "official" viewer.

I am not really sure why you would want that restriction though. Should I be considering that for my sim? Have I missed something here?

Sorry.

Karen


Re: Banning "bad" viewers was Re: Can this be done?

Imago
Mostly I want this because of peace of mind, but also because I am
considering compiling a viewer on Hippo code that will have a different
channel code altogether that I will probably use for the sim. If I can lock
off viewers that don't have my exact channel or code then I can be sure only
official viewers can get in. Right now the sim is only for friends but if I
open it up to more I wouldn't want idiots coming in and mucking about the
place. Which is why I was asking. I know that some opensim *shaking head* I
wish I could remember who and where banned certain viewers from logging in.
I'm not sure how she/he did it, though, but it got me curious as to how it's
done. That and I wouldn't really want someone using something like Cryo or
even Meerkat, but as you said... They probably all have the same default
code. But if I put in another code and compiled it off of hippo or Linden's
viewer I could put in my own channel and have others not able to enter. I
like security and peace of mind, but security in this day and age is a myth.
(Like those stupid broadcasting things that were supposed to stop copybot.)

But I was just curious if anyone had done it or heard of it. I want to say
openlifegrid did it, but I can't remember so I don't want to say for sure
until I find it again. (computer crashes suck.)

Re: Banning "bad" viewers was Re: Can this be done?

Teravus Ovares
The viewer information is sent when the viewer logs in. If you
check the viewer channel version string when the viewer logs in, you
can deny based on a string match. That's the easy (and least
effective) way to lock only specific viewers.

I believe that diva and Melanie_T were the last to work on these
areas, so they would probably be able to tell you where to check
'best'.

One thing to note, however, is:

The viewer logs into the 'user service' by sending an XMLRPC request
to the HTTP Service with the login_to_simulator method. It's at
this time that the 'viewer channel string' should be checked.

Teravus
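
The login-time check described in the message above, sketched as an added example (not OpenSim code and not written by anyone in this thread): it parses a constructed `login_to_simulator` XML-RPC body and applies an allowlist to the reported channel. The `channel` and `version` field names, the allowlist entry and all helper names are assumptions; the "relabelled" case shows the limit raised in the thread, since the server only sees the string the client chose to send.

```python
import xmlrpc.client
from typing import NamedTuple, Optional

# Hypothetical allowlist: the exact channel string the grid operator accepts.
ALLOWED_CHANNELS = frozenset({"Example Grid Viewer"})
MAX_BODY_BYTES = 64 * 1024  # refuse oversized bodies before handing them to the parser
DENY_MESSAGE = "Please download an official release in order to log in."


class Decision(NamedTuple):
    allowed: bool
    reason: str
    channel: Optional[str]


def build_login_request(channel, version="1.0.0", method="login_to_simulator"):
    """Build a constructed login body standing in for what a viewer sends."""
    params = {"first": "Test", "last": "User", "version": version}
    if channel is not None:
        params["channel"] = channel  # field name is an assumption
    return xmlrpc.client.dumps((params,), methodname=method).encode("utf-8")


def check_login(body, allowed=ALLOWED_CHANNELS):
    """Decide whether a login request may proceed, based on its channel string."""
    if len(body) > MAX_BODY_BYTES:
        return Decision(False, "request too large", None)
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception:
        # Untrusted input: any parse failure is a denial, never a crash.
        return Decision(False, "malformed XML-RPC request", None)
    if method != "login_to_simulator":
        return Decision(False, "unexpected method", None)
    if len(params) != 1 or not isinstance(params[0], dict):
        return Decision(False, "unexpected parameter layout", None)

    channel = params[0].get("channel")
    if not isinstance(channel, str) or not channel.strip():
        # A missing or empty channel is treated like an unknown viewer.
        return Decision(False, DENY_MESSAGE, None)
    channel = channel.strip()
    if channel in allowed:
        return Decision(True, "channel on allowlist", channel)
    return Decision(False, DENY_MESSAGE, channel)


def demo():
    """Run the check over constructed requests and return the decisions."""
    cases = {
        "official": build_login_request("Example Grid Viewer"),
        "other_viewer": build_login_request("Some Other Viewer"),
        # A different build that reports the allowlisted string: the check
        # has nothing else to go on, so it cannot tell the two apart.
        "relabelled": build_login_request("Example Grid Viewer", version="9.9.9"),
        "no_channel": build_login_request(None),
        "wrong_method": build_login_request("Example Grid Viewer", method="other_method"),
        "garbage": b"<methodCall><oops",
    }
    return {name: check_login(body) for name, body in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{name:13s} {verdict:5s} channel={decision.channel!r} ({decision.reason})")
```

Logging the denied channel strings gives the operator a record of which viewers are connecting, which is useful whether or not the block itself holds.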

>>> who engages in such
>>> > activities and if they persist bring real world law
>>> enforcement to bear.
>>> >
>>> > For once Linden Labs seems to be using a reasonable
>>> version of this when
>>> > they state that the viewer is not the problem, it is
>>> the use of the
>>> > viewer. They have promised to act promptly to ban
>>> anyone using any viewer
>>> > for piracy.
>>> >
>>> > Karen
>>> >
>>> > --- On Mon, 1/11/10, Imago <[hidden email]>
>>> wrote:
>>> >
>>> >> Is it possible to stop
>>> >> certain viewers from logging
>>> >> in to your opensim? Like Cryo?

Re: Banning "bad" viewers was Re: Can this be done?

Karen_Palen
In reply to this post by Imago
My recollection is that it was due to a nasty bug on a particular grid. It was never a security thing, just a stopgap to keep things working until they fixed the problem.

Sadly idiots are a universal fact of life wherever you go. The only place I have seen them minimised is on a remote island that you can only reach with your own sail boat. The idiots generally have killed themselves before they get that far. :-)

Karen
--- On Mon, 1/11/10, Imago <[hidden email]> wrote:

> From: Imago <[hidden email]>
> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
> To: [hidden email]
> Date: Monday, January 11, 2010, 10:34 PM
> Mostly I want this because of peace of mind, but also because I am
> considering compiling a viewer on Hippo code that will have a different
> channel code altogether that I will probably use for the sim. If I can
> lock off viewers that don't have my exact channel or code then I can be
> sure only official viewers can get in. Right now the sim is only for
> friends but if I open it up to more I wouldn't want idiots coming in and
> mucking about the place. Which is why I was asking. I know that some
> opensim *shaking head* I wish I could remember who and where banned
> certain viewers from logging in. I'm not sure how she/he did it, though,
> but it got me curious as to how it's done. That and I wouldn't really
> want someone using something like Cryo or even Meerkat, but as you
> said... They probably all have the same default code. But if I put in
> another code and compiled it off of hippo or Linden's viewer I could put
> in my own channel and have others not able to enter. I like security and
> peace of mind, but security in this day and age is a myth. (Like those
> stupid broadcasting things that were supposed to stop copybot.)
>
> But I was just curious if anyone had done it or heard of it. I want to
> say openlifegrid did it, but I can't remember so I don't want to say for
> sure until I find it again. (computer crashes suck.)
> ----- Original Message -----
> From: "Karen Palen" <[hidden email]>
> To: <[hidden email]>
> Sent: Monday, January 11, 2010 11:24 PM
> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>
>
> > As I think of it the answer is the same.
> >
> > The Linden Labs viewer does send an identification and version number,
> > but that really does very little. Almost every viewer out there is based
> > on the current LL viewer and many people don't bother changing this code
> > for their experimental versions.
> >
> > For example I just checked and I have a customised LL viewer where the
> > only change is that it will log on to my private sim by default. The ID
> > codes are identical to the original since I never bothered to change
> > them.
> >
> > I use it to make sure that my private sim will run OK with the
> > "official" viewer.
> >
> > I am not really sure why you would want that restriction though. Should
> > I be considering that for my sim? Have I missed something here?
> >
> > Sorry.
> >
> > Karen

Re: Banning "bad" viewers was Re: Can this be done?

Imago
In reply to this post by Teravus Ovares
Ah! Thank you. I did read something on the subject, but then suffered a hard
drive death and it wiped out any settings I had. :( Google comes up with way
too much junk when you look for stuff as well as Mantis stuff and Jiras. I
will check into this. So, now I know it is possible. :D Now, it's just
finding a way to do it. *shrugs and laughs* If it keeps a few kids out then
that's fine. I'd rather have fun than have to police my console for
logins. :D

----- Original Message -----
From: "Teravus Ovares" <[hidden email]>
To: <[hidden email]>
Sent: Monday, January 11, 2010 11:56 PM
Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?


> The viewer information is sent when the viewer logs in. If you
> check the viewer channel version string when the viewer logs in, you
> can deny based on a string match. That's the easy (and least
> effective way) to lock only specific viewers.
>
> I believe that diva and Melanie_T were the last to work on these
> areas.. so they would probably be able to tell you where to check
> 'best'.
>
> One thing to note, however, is..
>
> The viewer logs into the 'user service' by sending an XMLRPC request
> to the HTTP Service with the login_to_simulator method. It's at
> this time that the 'viewer channel string' should be checked.
>
> Teravus

_______________________________________________
Opensim-users mailing list
[hidden email]
https://lists.berlios.de/mailman/listinfo/opensim-users
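
Added example (an editor's illustration, not part of any message in this thread and not OpenSim code): the login-time check described in the quoted message above, applied to constructed login_to_simulator requests, including the case the thread warns about where a rebuilt viewer reports the accepted channel. The class ViewerChannelFilter, its methods, the "channel" and "version" field names and all sample values are assumptions made for the illustration.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

// Hypothetical helper for illustration; none of these names come from OpenSim.
static class ViewerChannelFilter
{
    // Read the <struct> parameter of an XML-RPC methodCall into a Hashtable.
    public static Hashtable ParseCall(string xml, out string method)
    {
        // Refuse DTDs: the request body is untrusted input.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit };
        XDocument doc;
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc = XDocument.Load(reader);

        method = (string)doc.Root.Element("methodName") ?? "";
        var data = new Hashtable();
        foreach (var m in doc.Root.Descendants("struct").Take(1).Elements("member"))
        {
            var name = (string)m.Element("name");
            var value = m.Element("value");
            // <value>x</value> and <value><string>x</string></value> both yield "x".
            if (name != null && value != null)
                data[name] = value.Value.Trim();
        }
        return data;
    }

    // Allow the login only when the self-reported channel is on the allowlist.
    public static string Decide(string xml, ISet<string> allowedChannels)
    {
        Hashtable requestData;
        string method;
        try { requestData = ParseCall(xml, out method); }
        catch (XmlException) { return "deny: malformed request"; }
        if (method != "login_to_simulator") return "deny: unexpected method";

        string channel = requestData.Contains("channel") ? requestData["channel"].ToString() : "";
        string version = requestData.Contains("version") ? requestData["version"].ToString() : "";
        if (channel.Length == 0 || version.Length == 0)
            return "deny: viewer did not identify itself";
        if (!allowedChannels.Contains(channel))
            return "deny: please download a supported viewer release";
        return "allow";
    }
}

static class Program
{
    // Build a constructed login_to_simulator request; null omits a field.
    static string Login(string channel, string version)
    {
        Func<string, string, XElement> member = (n, v) => new XElement("member",
            new XElement("name", n), new XElement("value", new XElement("string", v)));
        var members = new List<XElement> { member("first", "Test"), member("last", "User") };
        if (channel != null) members.Add(member("channel", channel));
        if (version != null) members.Add(member("version", version));
        return new XElement("methodCall",
            new XElement("methodName", "login_to_simulator"),
            new XElement("params", new XElement("param",
                new XElement("value", new XElement("struct", members)))))
            .ToString(SaveOptions.DisableFormatting);
    }

    static void Main()
    {
        // Constructed allowlist and sample values, not real viewer identifiers.
        var allowed = new HashSet<string>(StringComparer.Ordinal) { "Example Grid Viewer" };
        var samples = new[]
        {
            new[] { "supported viewer", Login("Example Grid Viewer", "1.0.0") },
            new[] { "other viewer", Login("Some Other Viewer", "0.9.1") },
            new[] { "no identification", Login(null, null) },
            // A rebuilt viewer that reports the accepted channel is indistinguishable
            // from the supported one: the field is whatever the client chooses to send.
            new[] { "rebuilt viewer, same channel", Login("Example Grid Viewer", "1.0.0") },
        };
        foreach (var s in samples)
            Console.WriteLine("{0,-30} -> {1}", s[0], ViewerChannelFilter.Decide(s[1], allowed));
    }
}
```

The first and last samples are byte-for-byte the same request, so the filter works as a convenience gate for stock downloads and does not authenticate the client software.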

Re: Banning "bad" viewers was Re: Can this be done?

Diva Canto
As Teravus said, the LL viewer sends a string identifying itself and a
version. In the new login procedure that is captured by the
LLLoginHandlers as
   if (requestData.Contains("version"))
     clientVersion = requestData["version"].ToString();

Right now we're not doing anything interesting with this information.
When this refactoring makes it to the master branch, people can replace
/ augment the existing LLLoginHandlers to do other things including
filtering logins according to this field.

But as others said here, this is a very fragile filtering, as any viewer
can send that field saying that it's an LL viewer.

Imago wrote:

> Ah! Thank you. I did read something on the subject, but then suffered a hard
> drive death and it wiped out any settings I had. :( Google comes up with way
> too much junk when you look for stuff as well as Mantis stuff and Jiras. I
> will check into this. So, now I know it is possible. :D Now, it's just
> finding a way to do it. *shrugs and laughs* If it keeps a few kids out then
> that's fine. I'd rather have fun than have to police my console for
> logins. :D
>
> ----- Original Message -----
> From: "Teravus Ovares" <[hidden email]>
> To: <[hidden email]>
> Sent: Monday, January 11, 2010 11:56 PM
> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>
>
>> The viewer information is sent when the viewer logs in.      If you
>> check the viewer channel version string when the viewer logs in, you
>> can deny based on a string match.      That's the easy (and least
>> effective way) to lock only specific viewers.
>>
>> I believe that diva and Melanie_T were the last to work on these
>> areas..    so they would probably be able to tell you where to check
>> 'best'.
>>
>> One thing to note, however, is..
>>
>> The viewer logs into the 'user service' by sending an XMLRPC request
>> to the HTTP Service with the login_to_simulator method.    It's at
>> this time that the 'viewer channel string' should be checked.
>>
>> Teravus
>>
>> On Tue, Jan 12, 2010 at 12:34 AM, Imago <[hidden email]> wrote:
>>> Mostly I want this because of piece of mind, but also because I am
>>> considering compiling a viewer on Hippo code that will have a different
>>> channel code altogether that I will probably use for the sim. If I can
>>> lock
>>> off viewers that don't have my exact channel or code then I can be sure
>>> only
>>> official viewers can get in. Right now the sim is only for friends but if
>>> I
>>> open it up to more I wouldn't want idiots coming in and mucking about the
>>> place. Which is why I was asking. I know that some opensim *shaking head*
>>> I
>>> wish I could remember who and where banned certain viewers from logging
>>> in.
>>> I'm not sure how she/he did it, though, but it got me curious as to how
>>> it's
>>> done. That and I wouldn't really want someone using something like Cryo
>>> or
>>> even Meerkat, but as you said... They probably all have the same default
>>> code. But if I put in another code and compiled it off of hippo or
>>> Linden's
>>> viewer I could put in my own channel and have others not able to enter. I
>>> like security and peace of mind, but security in this day and age is a
>>> myth.
>>> (Like those stupid broadcasting things that were supposed to stop
>>> copybot.)
>>>
>>> But I was just curious if anyone had done it or heard of it. I want to
>>> say
>>> openlifegrid did it, but I can't remember so I don't want to say for sure
>>> until I find it again. (computer crashes suck.)
>>> ----- Original Message -----
>>> From: "Karen Palen" <[hidden email]>
>>> To: <[hidden email]>
>>> Sent: Monday, January 11, 2010 11:24 PM
>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>>> done?
>>>
>>>
>>>> As I think of it the answer is the same.
>>>>
>>>> The Linden Labs viewer does send an identification and version number,
>>>> bat
>>>> that really does very little. Almost every viewer out there is based on
>>>> the current LL viewer and many people don't bother changing this code
>>>> for
>>>> their experimental versions.
>>>>
>>>> For example I just checked and I have a customised LL viewer where the
>>>> only change is that it will log on to my private sim by default. The ID
>>>> codes are identical to the original since I never bothered to change
>>>> them.
>>>>
>>>> I use it to make sure that my private sim will run OK with the
>>>> "official"
>>>> viewer.
>>>>
>>>> I am not really sure why you would want that restriction though. Should
>>>> I
>>>> be considering that for my sim? Have I missed something here?
>>>>
>>>> Sorry.
>>>>
>>>> Karen
>>>>
>>>> --- On Mon, 1/11/10, Imago <[hidden email]> wrote:
>>>>
>>>>> From: Imago <[hidden email]>
>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>>>>> done?
>>>>> To: [hidden email]
>>>>> Date: Monday, January 11, 2010, 10:05 PM
>>>>> I don't think anyone is
>>>>> understanding. :D It's not just Cryo. I want only
>>>>> Linden Lab viewers to be able to login. I've seen it done
>>>>> on other
>>>>> opensim's. I know people can get around that. But the point
>>>>> is... Not
>>>>> everyone is a coder. So, while they could compile and make
>>>>> it look like a
>>>>> Linden Lab viewer then so be it. I just want to know if
>>>>> there's a mod or
>>>>> string that I can put in to opensim to see what channel the
>>>>> viewer is
>>>>> sending, and if it's not the right one than to display an
>>>>> error message that
>>>>> would tell them to download an official release in order to
>>>>> login.
>>>>>
>>>>> Maybe I should have chosen my words better. Mentioning Cryo
>>>>> is like
>>>>> mentioning copybot, and responses only seem to be based on
>>>>> theft and copy
>>>>> protection. I just want to know if there's a string to
>>>>> block a viewer. I
>>>>> know people have done it I just can't remember what opensim
>>>>> I saw it done
>>>>> on. I also know that if I had Cryo source code I could
>>>>> compile and make it
>>>>> look like a Second Life release viewer. But not everyone is
>>>>> a hacker or a
>>>>> coder or both. Most people don't know how or can't compile
>>>>> a viewer or are
>>>>> too lazy to. So, they go look for one, and that's the basis
>>>>> for my thinking
>>>>> most theives are too lazy to try to figure out a way and
>>>>> will move on to the
>>>>> next target.
>>>>>
>>>>>
>>>>> So, the question I'm asking is:
>>>>> Is there a way for OpenSim to check a viewer string and
>>>>> allow or disallow
>>>>> based on that, and if so please let me know where that code
>>>>> is, and if
>>>>> not... Then I'll be burning the midnight oil again coding
>>>>> one up.
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Karen Palen" <[hidden email]>
>>>>> To: <[hidden email]>
>>>>> Sent: Monday, January 11, 2010 10:44 PM
>>>>> Subject: [Opensim-users] Banning "bad" viewers was Re: Can
>>>>> this be done?
>>>>>
>>>>>
>>>>>> The short answer is no.
>>>>>>
>>>>>> The more complete answer is that while you can easily detect some
>>>>>> characteristic of a viewer (or other software) which identifies that
>>>>>> viewer and use that to ban it, nothing can stop the authors of that viewer
>>>>>> from changing whatever characteristic you use.
>>>>>>
>>>>>> Worse yet, whatever characteristic you select to identify the "bad"
>>>>>> software will inevitably turn up in some other (innocent) viewer sooner or
>>>>>> later and will cause them to be banned for no reason.
>>>>>>
>>>>>> The best you could hope to achieve is some sort of "arms race" between
>>>>>> "bad" viewer creators and sim operators.
>>>>>>
>>>>>> In addition any viewer could be adapted for piracy. The original
>>>>>> experiments that resulted in libsecondlife/openMetaverse were based on
>>>>>> analysing the data stream between the Second Life Servers and the viewer
>>>>>> software (at the time ONLY the Linden Labs viewer) and had access to all
>>>>>> of that information. This was all done without modifying the viewer in any
>>>>>> way - it was proprietary at the time.
>>>>>>
>>>>>> Sadly the lesson of the endless failures of DRM schemes elsewhere shows
>>>>>> that the real losers are the honest/innocent users who are unable to do
>>>>>> the things that they really should expect to do with the content that they
>>>>>> have purchased.
>>>>>>
>>>>>> For example, I have completely stopped buying anything in Second Life
>>>>>> since I want to use the inventory I buy in my private sims as well. Sure I
>>>>>> can use pirate tools to do this, but if I have to do that to use my
>>>>>> purchases where I want to use them then why not just steal the stuff in
>>>>>> the first place?
>>>>>>
>>>>>> This is very similar to the situation with music CDs and DVDs, why build
>>>>>> an expensive collection if you will just have to re-purchase it in a few
>>>>>> years for the next technology and some DRM scheme tries to keep me from
>>>>>> playing my collection on the new equipment?
>>>>>>
>>>>>> There are several efforts being directed at some sort of "portable"
>>>>>> content. I hope that one or more actually proves to work, but I have no
>>>>>> illusions about that actually happening any time soon.
>>>>>>
>>>>>> My opinion is that the best we can do at present is similar to the real
>>>>>> life piracy situation: stop the commercial marketing of pirated
>>>>>> merchandise as it is detected and reported. Ban anyone who engages in such
>>>>>> activities and if they persist bring real world law enforcement to bear.
>>>>>>
>>>>>> For once Linden Labs seems to be using a reasonable version of this when
>>>>>> they state that the viewer is not the problem, it is the use of the
>>>>>> viewer. They have promised to act promptly to ban anyone using any viewer
>>>>>> for piracy.
>>>>>>
>>>>>> Karen
>>>>>>
>>>>>> --- On Mon, 1/11/10, Imago <[hidden email]> wrote:
>>>>>>> Is it possible to stop certain viewers from logging in to your
>>>>>>> opensim? Like Cryo?

Re: Banning "bad" viewers was Re: Can this be done?

Imago
Thanks, I've been looking over the code, and yeah, I know people could. But
really how many regular joes out there would be interested enough to
download, compile, and play with the code. *laughs* I don't think there's
many, because a lot of them would much rather have instant gratification
rather than having to work for it.

But in my opinion even fragile filtering is better than none at all. Because
while some could get in, the population en masse wouldn't be able to.

----- Original Message -----
From: <[hidden email]>
To: <[hidden email]>
Sent: Tuesday, January 12, 2010 8:15 AM
Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?


> As Teravus said, the LL viewer sends a string identifying itself and a
> version. In the new login procedure that is captured by the
> LLLoginHandlers as
>   if (requestData.Contains("version"))
>     clientVersion = requestData["version"].ToString();
>
> Right now we're not doing anything interesting with this information.
> When this refactoring makes it to the master branch, people can replace
> / augment the existing LLLoginHandlers to do other things including
> filtering logins according to this field.
>
> But as others said here, this is a very fragile filtering, as any viewer
> can send that field saying that it's an LL viewer.
>
> Imago wrote:
>> Ah! Thank you. I did read something on the subject, but then suffered a
>> hard drive death and it wiped out any settings I had. :( Google comes up
>> with way too much junk when you look for stuff as well as Mantis stuff
>> and Jiras. I will check in to this. So, now I know it is possible. :D
>> Now, it's just finding a way to do it. *shrugs and laughs* If it keeps a
>> few kids out then that's fine. I'd rather have fun than to have to police
>> my console for logins. :D
>>
>> ----- Original Message -----
>> From: "Teravus Ovares" <[hidden email]>
>> To: <[hidden email]>
>> Sent: Monday, January 11, 2010 11:56 PM
>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>> done?
>>
>>
>>> The viewer information is sent when the viewer logs in.      If you
>>> check the viewer channel version string when the viewer logs in, you
>>> can deny based on a string match.      That's the easy (and least
>>> effective way) to lock only specific viewers.
>>>
>>> I believe that diva and Melanie_T were the last to work on these
>>> areas..    so they would probably be able to tell you where to check
>>> 'best'.
>>>
>>> One thing to note, however, is..
>>>
>>> The viewer logs into the 'user service' by sending an XMLRPC request
>>> to the HTTP Service with the login_to_simulator method.    It's at
>>> this time that the 'viewer channel string' should be checked.
>>>
>>> Teravus
>>>
>>> On Tue, Jan 12, 2010 at 12:34 AM, Imago <[hidden email]> wrote:
>>>> Mostly I want this because of peace of mind, but also because I am
>>>> considering compiling a viewer on Hippo code that will have a different
>>>> channel code altogether that I will probably use for the sim. If I can
>>>> lock off viewers that don't have my exact channel or code then I can be
>>>> sure only official viewers can get in. Right now the sim is only for
>>>> friends but if I open it up to more I wouldn't want idiots coming in and
>>>> mucking about the place. Which is why I was asking. I know that some
>>>> opensim *shaking head* I wish I could remember who and where banned
>>>> certain viewers from logging in. I'm not sure how she/he did it, though,
>>>> but it got me curious as to how it's done. That and I wouldn't really
>>>> want someone using something like Cryo or even Meerkat, but as you
>>>> said... They probably all have the same default code. But if I put in
>>>> another code and compiled it off of hippo or Linden's viewer I could put
>>>> in my own channel and have others not able to enter. I like security and
>>>> peace of mind, but security in this day and age is a myth. (Like those
>>>> stupid broadcasting things that were supposed to stop copybot.)
>>>>
>>>> But I was just curious if anyone had done it or heard of it. I want to
>>>> say openlifegrid did it, but I can't remember so I don't want to say for
>>>> sure until I find it again. (computer crashes suck.)
>>>> ----- Original Message -----
>>>> From: "Karen Palen" <[hidden email]>
>>>> To: <[hidden email]>
>>>> Sent: Monday, January 11, 2010 11:24 PM
>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>>>> done?
>>>>
>>>>
>>>>> As I think of it the answer is the same.
>>>>>
>>>>> The Linden Labs viewer does send an identification and version number,
>>>>> but that really does very little. Almost every viewer out there is based
>>>>> on the current LL viewer and many people don't bother changing this code
>>>>> for their experimental versions.
>>>>>
>>>>> For example I just checked and I have a customised LL viewer where the
>>>>> only change is that it will log on to my private sim by default. The ID
>>>>> codes are identical to the original since I never bothered to change
>>>>> them.
>>>>>
>>>>> I use it to make sure that my private sim will run OK with the
>>>>> "official" viewer.
>>>>>
>>>>> I am not really sure why you would want that restriction though. Should
>>>>> I be considering that for my sim? Have I missed something here?
>>>>>
>>>>> Sorry.
>>>>>
>>>>> Karen
>>>>>
>>>>> --- On Mon, 1/11/10, Imago <[hidden email]> wrote:
>>>>>
>>>>>> From: Imago <[hidden email]>
>>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this
>>>>>> be done?
>>>>>> To: [hidden email]
>>>>>> Date: Monday, January 11, 2010, 10:05 PM
>>>>>> I don't think anyone is
>>>>>> understanding. :D It's not just Cryo. I want only
>>>>>> Linden Lab viewers to be able to login. I've seen it done
>>>>>> on other
>>>>>> opensim's. I know people can get around that. But the point
>>>>>> is... Not
>>>>>> everyone is a coder. So, while they could compile and make
>>>>>> it look like a
>>>>>> Linden Lab viewer then so be it. I just want to know if
>>>>>> there's a mod or
>>>>>> string that I can put in to opensim to see what channel the
>>>>>> viewer is
>>>>>> sending, and if it's not the right one then to display an
>>>>>> error message that
>>>>>> would tell them to download an official release in order to
>>>>>> login.
>>>>>>
>>>>>> Maybe I should have chosen my words better. Mentioning Cryo
>>>>>> is like
>>>>>> mentioning copybot, and responses only seem to be based on
>>>>>> theft and copy
>>>>>> protection. I just want to know if there's a string to
>>>>>> block a viewer. I
>>>>>> know people have done it I just can't remember what opensim
>>>>>> I saw it done
>>>>>> on. I also know that if I had Cryo source code I could
>>>>>> compile and make it
>>>>>> look like a Second Life release viewer. But not everyone is
>>>>>> a hacker or a
>>>>>> coder or both. Most people don't know how or can't compile
>>>>>> a viewer or are
>>>>>> too lazy to. So, they go look for one, and that's the basis
>>>>>> for my thinking
>>>>>> most thieves are too lazy to try to figure out a way and
>>>>>> will move on to the
>>>>>> next target.
>>>>>>
>>>>>>
>>>>>> So, the question I'm asking is:
>>>>>> Is there a way for OpenSim to check a viewer string and
>>>>>> allow or disallow
>>>>>> based on that, and if so please let me know where that code
>>>>>> is, and if
>>>>>> not... Then I'll be burning the midnight oil again coding
>>>>>> one up.
>>>>>>

Re: Banning "bad" viewers was Re: Can this be done?

Kyle Hamilton
If it's not sent via https, it's being sent out over the network
interface in the clear.  Anyone with admin access to their own machine
(*cough*everyone*cough*) can install Wireshark and see what your
channel code is -- if you give them the viewer, anyway.

Even if they don't, I'm fairly sure 'strings' being run against the
executable would reveal it.

An aside: I know too many people who are willing to go to nearly
insane lengths to beat something that they perceive as a 'challenge'
to be able to say that "regular joes" are your enemy.  You're looking
to prevent improper modification or violation of policy on your sim.
The only way to do that is to use user-based access control, and to
manually go in and grant access to the user accounts that you want to
have the ability to modify things (or even own land).

-Kyle H

On Tue, Jan 12, 2010 at 9:34 AM, Imago <[hidden email]> wrote:

> Thanks, I've been looking over the code, and yeah, I know people could. But
> really how many regular joes out there would be interested enough to
> download, compile, and play with the code. *laughs* I don't think there's
> many, because a lot of them would much rather have instant gratification
> rather than having to work for it.
>
> But in my opinion even fragile filtering is better than none at all. Because
> while some could get in, the population en masse wouldn't be able to.
>

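An added example, not code from OpenSim or from anyone in this thread: a Python sketch of the login-time check discussed above. It parses a login_to_simulator XML-RPC request and shows that the self-reported "version" field only filters unmodified viewers, while the account list makes the actual access decision. The "first"/"last"/"passwd" field names, the viewer strings and the account list are assumptions constructed for the example.

```python
import xml.parsers.expat
import xmlrpc.client
from dataclasses import dataclass

# Policy values below are constructed for this example, not OpenSim settings.
ALLOWED_VIEWER_PREFIXES = ("Official Viewer ",)   # hypothetical viewer string
AUTHORIZED_ACCOUNTS = {("Test", "Builder")}       # hypothetical account names


@dataclass(frozen=True)
class Decision:
    allowed: bool
    viewer_ok: bool   # advisory only: the client chooses this value itself
    reason: str


def parse_login(xml_body):
    """Decode a login_to_simulator XML-RPC call into its parameter struct.

    xmlrpc.client is not hardened against malicious XML; a real server
    would parse untrusted input with a hardened parser and size limits.
    """
    params, method = xmlrpc.client.loads(xml_body)
    if method != "login_to_simulator":
        raise ValueError("unexpected method: %r" % (method,))
    if len(params) != 1 or not isinstance(params[0], dict):
        raise ValueError("expected exactly one struct parameter")
    return params[0]


def viewer_string_ok(request):
    """Fragile filter: match the self-reported 'version' string."""
    version = request.get("version")
    return isinstance(version, str) and version.startswith(ALLOWED_VIEWER_PREFIXES)


def decide(xml_body):
    """Account membership decides; the viewer string filters casual use only.

    Password verification is assumed to happen elsewhere in the login path.
    """
    try:
        request = parse_login(xml_body)
    except (ValueError, xml.parsers.expat.ExpatError):
        return Decision(False, False, "malformed request")

    # Assumed field names for the avatar's first and last name.
    account = (str(request.get("first", "")), str(request.get("last", "")))
    viewer_ok = viewer_string_ok(request)

    if account not in AUTHORIZED_ACCOUNTS:
        # A copied viewer string does not help an account without access.
        return Decision(False, viewer_ok, "account not authorized")
    if not viewer_ok:
        return Decision(False, viewer_ok, "viewer string not on allow-list")
    return Decision(True, viewer_ok, "ok")


def make_request(first, last, version=None):
    """Build a constructed login request for the samples below."""
    fields = {"first": first, "last": last, "passwd": "not-checked-here"}
    if version is not None:
        fields["version"] = version
    return xmlrpc.client.dumps((fields,), methodname="login_to_simulator")


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "authorized account, listed viewer":
        make_request("Test", "Builder", "Official Viewer 1.2.3"),
    "authorized account, other viewer":
        make_request("Test", "Builder", "Other Viewer 0.9"),
    "unknown account, copied viewer string":
        make_request("Drive", "By", "Official Viewer 1.2.3"),
    "authorized account, no version field":
        make_request("Test", "Builder"),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, "->", decide(body))
```
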
Re: Banning "bad" viewers was Re: Can this be done?

Imago
Oh, I know it. And I know that there's even ways to exploit the official SL
viewer to reveal no mod scripts and export things that you shouldn't be able
to. The point is that not everyone is tech savvy or even has a brain large
enough to think of seeing what string is being sent or what channel is going
in. *laughs* Not everyone is a hacker. Most script kiddies out there want to
download what they can and use that. They aren't going to concern themselves
with the fact of how it works only that it works and they can get instant
gratification off of it. :) I don't so much concern myself with them, but
it's those folks that are the ones that do it because they can and that's
the ones you want to keep out. The little 12 year olds who download
something like Jack the Ripper to use to crack passwords and then call
themselves a hacker. Which is why the word hacker means next to nothing
anymore, because real hackers do what everyone has been describing...
Reverse engineer, make it work, figure out why it works, and move on to the
next exploit. Well, after putting up your mark on the world in some small
way. (And no I'm not talking about defacing a website... That's script
kiddie crap.) I'm talking about just leaving a text file on the server
telling the owner how bad their protection is.

But yeah, I know it can be worked around... That's not the point. The point
was could it be done, and the answer is yeah it can, but the long answer
seems to be it won't stop real programmers or hackers. But the point is it
would stop average and basement joe from coming in. :D


----- Original Message -----
From: "Kyle Hamilton" <[hidden email]>
To: "opensim-users" <[hidden email]>
Sent: Tuesday, January 12, 2010 1:52 PM
Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?


> If it's not sent via https, it's being sent out over the network
> interface in the clear.  Anyone with admin access to their own machine
> (*cough*everyone*cough*) can install Wireshark and see what your
> channel code is -- if you give them the viewer, anyway.
>
> Even if they don't, I'm fairly sure 'strings' being run against the
> executable would reveal it.
>
> An aside: I know too many people who are willing to go to nearly
> insane lengths to beat something that they perceive as a 'challenge'
> to be able to say that "regular joes" are your enemy.  You're looking
> to prevent improper modification or violation of policy on your sim.
> The only way to do that is to use user-based access control, and to
> manually go in and grant access to the user accounts that you want to
> have the ability to modify things (or even own land).
>
> -Kyle H
>
> On Tue, Jan 12, 2010 at 9:34 AM, Imago <[hidden email]> wrote:
>> Thanks, I've been looking over the code, and yeah, I know people could. But
>> really how many regular joes out there would be interested enough to
>> download, compile, and play with the code. *laughs* I don't think there's
>> many, because a lot of them would much rather have instant gratification
>> rather than having to work for it.
>>
>> But in my opinion even fragile filtering is better than none at all. Because
>> while some could get in, the population en masse wouldn't be able to.
>>
>> ----- Original Message -----
>> From: <[hidden email]>
>> To: <[hidden email]>
>> Sent: Tuesday, January 12, 2010 8:15 AM
>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>
>>
>>> As Teravus said, the LL viewer sends a string identifying itself and a
>>> version. In the new login procedure that is captured by the
>>> LLLoginHandlers as
>>>   if (requestData.Contains("version"))
>>>     clientVersion = requestData["version"].ToString();
>>>
>>> Right now we're not doing anything interesting with this information.
>>> When this refactoring makes it to the master branch, people can replace
>>> / augment the existing LLLoginHandlers to do other things including
>>> filtering logins according to this field.
>>>
>>> But as others said here, this is a very fragile filtering, as any viewer
>>> can send that field saying that it's an LL viewer.
>>>
>>> Imago wrote:
>>>> Ah! Thank you. I did read something on the subject, but then suffered a
>>>> hard drive death and it wiped out any settings I had. :( Google comes up
>>>> with way too much junk when you look for stuff as well as Mantis stuff and
>>>> Jiras. I will check in to this. So, now I know it is possible. :D Now, it's
>>>> just finding a way to do it. *shrugs and laughs* If it keeps a few kids out
>>>> then that's fine. I'd rather have fun than to have to police my console for
>>>> logins. :D
>>>>
>>>> ----- Original Message -----
>>>> From: "Teravus Ovares" <[hidden email]>
>>>> To: <[hidden email]>
>>>> Sent: Monday, January 11, 2010 11:56 PM
>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>
>>>>
>>>>> The viewer information is sent when the viewer logs in. If you
>>>>> check the viewer channel version string when the viewer logs in, you
>>>>> can deny based on a string match. That's the easy (and least
>>>>> effective way) to lock only specific viewers.
>>>>>
>>>>> I believe that diva and Melanie_T were the last to work on these
>>>>> areas.. so they would probably be able to tell you where to check
>>>>> 'best'.
>>>>>
>>>>> One thing to note, however, is..
>>>>>
>>>>> The viewer logs into the 'user service' by sending an XMLRPC request
>>>>> to the HTTP Service with the login_to_simulator method. It's at
>>>>> this time that the 'viewer channel string' should be checked.
>>>>>
>>>>> Teravus
>>>>>
>>>>> On Tue, Jan 12, 2010 at 12:34 AM, Imago <[hidden email]> wrote:
>>>>>> Mostly I want this because of peace of mind, but also because I am
>>>>>> considering compiling a viewer on Hippo code that will have a different
>>>>>> channel code altogether that I will probably use for the sim. If I can
>>>>>> lock off viewers that don't have my exact channel or code then I can be
>>>>>> sure only official viewers can get in. Right now the sim is only for
>>>>>> friends but if I open it up to more I wouldn't want idiots coming in and
>>>>>> mucking about the place. Which is why I was asking. I know that some
>>>>>> opensim *shaking head* I wish I could remember who and where banned
>>>>>> certain viewers from logging in. I'm not sure how she/he did it, though,
>>>>>> but it got me curious as to how it's done. That and I wouldn't really want
>>>>>> someone using something like Cryo or even Meerkat, but as you said... They
>>>>>> probably all have the same default code. But if I put in another code and
>>>>>> compiled it off of hippo or Linden's viewer I could put in my own channel
>>>>>> and have others not able to enter. I like security and peace of mind, but
>>>>>> security in this day and age is a myth. (Like those stupid broadcasting
>>>>>> things that were supposed to stop copybot.)
>>>>>>
>>>>>> But I was just curious if anyone had done it or heard of it. I want to say
>>>>>> openlifegrid did it, but I can't remember so I don't want to say for sure
>>>>>> until I find it again. (computer crashes suck.)
>>>>>> ----- Original Message -----
>>>>>> From: "Karen Palen" <[hidden email]>
>>>>>> To: <[hidden email]>
>>>>>> Sent: Monday, January 11, 2010 11:24 PM
>>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>>
>>>>>>
>>>>>>> As I think of it the answer is the same.
>>>>>>>
>>>>>>> The Linden Labs viewer does send an identification and version number,
>>>>>>> but that really does very little. Almost every viewer out there is based
>>>>>>> on the current LL viewer and many people don't bother changing this code
>>>>>>> for their experimental versions.
>>>>>>>
>>>>>>> For example I just checked and I have a customised LL viewer where the
>>>>>>> only change is that it will log on to my private sim by default. The ID
>>>>>>> codes are identical to the original since I never bothered to change
>>>>>>> them.
>>>>>>>
>>>>>>> I use it to make sure that my private sim will run OK with the
>>>>>>> "official" viewer.
>>>>>>>
>>>>>>> I am not really sure why you would want that restriction though. Should
>>>>>>> I be considering that for my sim? Have I missed something here?
>>>>>>>
>>>>>>> Sorry.
>>>>>>>
>>>>>>> Karen
>>>>>>>
>>>>>>> --- On Mon, 1/11/10, Imago <[hidden email]> wrote:
>>>>>>>
>>>>>>>> From: Imago <[hidden email]>
>>>>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>>>> To: [hidden email]
>>>>>>>> Date: Monday, January 11, 2010, 10:05 PM
>>>>>>>>
>>>>>>>> I don't think anyone is understanding. :D It's not just Cryo. I want only
>>>>>>>> Linden Lab viewers to be able to login. I've seen it done on other
>>>>>>>> opensims. I know people can get around that. But the point is... Not
>>>>>>>> everyone is a coder. So, while they could compile and make it look like a
>>>>>>>> Linden Lab viewer then so be it. I just want to know if there's a mod or
>>>>>>>> string that I can put in to opensim to see what channel the viewer is
>>>>>>>> sending, and if it's not the right one then to display an error message
>>>>>>>> that would tell them to download an official release in order to login.
>>>>>>>>
>>>>>>>> Maybe I should have chosen my words better. Mentioning Cryo is like
>>>>>>>> mentioning copybot, and responses only seem to be based on theft and copy
>>>>>>>> protection. I just want to know if there's a string to block a viewer. I
>>>>>>>> know people have done it I just can't remember what opensim I saw it done
>>>>>>>> on. I also know that if I had Cryo source code I could compile and make it
>>>>>>>> look like a Second Life release viewer. But not everyone is a hacker or a
>>>>>>>> coder or both. Most people don't know how or can't compile a viewer or are
>>>>>>>> too lazy to. So, they go look for one, and that's the basis for my
>>>>>>>> thinking most thieves are too lazy to try to figure out a way and will
>>>>>>>> move on to the next target.
>>>>>>>>
>>>>>>>>
>>>>>>>> So, the question I'm asking is:
>>>>>>>> Is there a way for OpenSim to check a viewer string and allow or disallow
>>>>>>>> based on that, and if so please let me know where that code is, and if
>>>>>>>> not... Then I'll be burning the midnight oil again coding one up.
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>> From: "Karen Palen" <[hidden email]>
>>>>>>>> To: <[hidden email]>
>>>>>>>> Sent: Monday, January 11, 2010 10:44 PM
>>>>>>>> Subject: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>>>>
>>>>>>>>
>>>>>>>>> The short answer is no.
>>>>>>>>>
>>>>>>>>> The more complete answer is that while you can easily detect some
>>>>>>>>> characteristic of a viewer (or other software) which identifies that
>>>>>>>>> viewer and use that to ban it, nothing can stop the authors of that
>>>>>>>>> viewer from changing whatever characteristic you use.
>>>>>>>>>
>>>>>>>>> Worse yet, whatever characteristic you select to identify the "bad"
>>>>>>>>> software will inevitably turn up in some other (innocent) viewer sooner
>>>>>>>>> or later and will cause them to be banned for no reason.
>>>>>>>>>
>>>>>>>>> The best you could hope to achieve is some sort of "arms race" between
>>>>>>>>> "bad" viewer creators and sim operators.
>>>>>>>>>
>>>>>>>>> In addition any viewer could be adapted for piracy. The original
>>>>>>>>> experiments that resulted in libsecondlife/openMetaverse were based on
>>>>>>>>> analysing the data stream between the Second Life Servers and the viewer
>>>>>>>>> software (at the time ONLY the Linden Labs viewer) and had access to all
>>>>>>>>> of that information. This was all done without modifying the viewer in
>>>>>>>>> any way - it was proprietary at the time.
>>>>>>>>>
>>>>>>>>> Sadly the lesson of the endless failures of DRM schemes elsewhere shows
>>>>>>>>> that the real losers are the honest/innocent users who are unable to do
>>>>>>>>> the things that they really should expect to do with the content that
>>>>>>>>> they have purchased.
>>>>>>>>>
>>>>>>>>> For example, I have completely stopped buying anything in Second Life
>>>>>>>>> since I want to use the inventory I buy in my private sims as well. Sure
>>>>>>>>> I can use pirate tools to do this, but if I have to do that to use my
>>>>>>>>> purchases where I want to use them then why not just steal the stuff in
>>>>>>>>> the first place?
>>>>>>>>>
>>>>>>>>> This is very similar to the situation with music CDs and DVDs, why build
>>>>>>>>> an expensive collection if you will just have to re-purchase it in a few
>>>>>>>>> years for the next technology and some DRM scheme tries to keep me from
>>>>>>>>> playing my collection on the new equipment?
>>>>>>>>>
>>>>>>>>> There are several efforts being directed at some sort of "portable"
>>>>>>>>> content. I hope that one or more actually proves to work, but I have no
>>>>>>>>> illusions about that actually happening any time soon.
>>>>>>>>>
>>>>>>>>> My opinion is that the best we can do at present is similar to the real
>>>>>>>>> life piracy situation: stop the commercial marketing of pirated
>>>>>>>>> merchandise as it is detected and reported. Ban anyone who engages in
>>>>>>>>> such activities and if they persist bring real world law enforcement to
>>>>>>>>> bear.
>>>>>>>>>
>>>>>>>>> For once Linden Labs seems to be using a reasonable version of this when
>>>>>>>>> they state that the viewer is not the problem, it is the use of the
>>>>>>>>> viewer. They have promised to act promptly to ban anyone using any
>>>>>>>>> viewer for piracy.
>>>>>>>>>
>>>>>>>>> Karen
>>>>>>>>>
>>>>>>>>> --- On Mon, 1/11/10, Imago <[hidden email]> wrote:
>>>>>>>>>> Is it possible to stop certain viewers from logging in to your
>>>>>>>>>> opensim? Like Cryo?

Re: Banning "bad" viewers was Re: Can this be done?

Frisby, Adam
In reply to this post by Imago
While I hate to rain on anyone's parade - but you can use the "-channel" commandline switch to edit the version string to whatever you want. I really wouldn't rely on it.

Adam
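
The login-time check discussed in this thread (reading "version" from requestData and matching it against a list), as an added example that is not OpenSim's code and not from any poster. ViewerGate, LoginDecision, the "first"/"last" keys, the account names and the version strings are assumptions made for illustration; the version test only produces the "please use an official release" message, and a hand-maintained account list makes the actual access decision.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Text;

// Added example, not OpenSim code: ViewerGate, LoginDecision, the account
// names and the version strings are all hypothetical / constructed.
public enum LoginDecision { Allow, DenyViewer, DenyAccount }

public sealed class ViewerGate
{
    private readonly List<string> allowedVersionPrefixes;
    private readonly HashSet<string> allowedAccounts;

    public ViewerGate(IEnumerable<string> versionPrefixes, IEnumerable<string> accounts)
    {
        allowedVersionPrefixes = new List<string>(versionPrefixes);
        allowedAccounts = new HashSet<string>(accounts, StringComparer.OrdinalIgnoreCase);
    }

    // Same lookup as the handler lines quoted in the thread; a missing field
    // becomes an empty string so it can never match an allowed prefix.
    public static string ClientVersion(Hashtable requestData)
    {
        string clientVersion = string.Empty;
        if (requestData.Contains("version") && requestData["version"] != null)
            clientVersion = requestData["version"].ToString();
        return clientVersion.Trim();
    }

    // The value is chosen by the client, so strip control characters and cap
    // the length before it is echoed into a log line or an error message.
    public static string Printable(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (sb.Length == 64) break;
            if (!char.IsControl(c)) sb.Append(c);
        }
        return sb.ToString();
    }

    public bool ViewerLooksAllowed(string clientVersion)
    {
        foreach (string prefix in allowedVersionPrefixes)
            if (clientVersion.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    // Meant to run after the password check. The viewer test only gives stock
    // downloads a helpful message; the account list is the real gate.
    public LoginDecision Decide(Hashtable requestData, out string reason)
    {
        string version = ClientVersion(requestData);
        if (!ViewerLooksAllowed(version))
        {
            reason = "Viewer '" + Printable(version)
                   + "' is not accepted here; please log in with an official release.";
            return LoginDecision.DenyViewer;
        }
        string account = requestData["first"] + " " + requestData["last"];
        if (!allowedAccounts.Contains(account))
        {
            reason = "This account has not been granted access to this sim.";
            return LoginDecision.DenyAccount;
        }
        reason = "ok";
        return LoginDecision.Allow;
    }
}

public static class Demo
{
    // Builds a constructed login request carrying only the fields used here.
    private static Hashtable Login(string first, string last, string version)
    {
        var h = new Hashtable();
        h["first"] = first;
        h["last"] = last;
        if (version != null) h["version"] = version;
        return h;
    }

    public static void Main()
    {
        var gate = new ViewerGate(
            new[] { "Official Viewer 1." },   // constructed version prefix
            new[] { "Alice Friend" });        // accounts granted by hand

        var attempts = new[]
        {
            Login("Alice", "Friend", "Official Viewer 1.2.3"),  // listed viewer, granted account
            Login("Alice", "Friend", "OtherViewer 0.9"),        // viewer not on the list
            Login("Alice", "Friend", null),                     // version field absent
            Login("Mallory", "Guest", "Official Viewer 1.2.3"), // listed string, account never granted
        };
        foreach (Hashtable a in attempts)
        {
            string reason;
            LoginDecision d = gate.Decide(a, out reason);
            Console.WriteLine("{0} {1} -> {2} ({3})", a["first"], a["last"], d, reason);
        }
    }
}
```

The last request carries a listed version string and is refused only by the account list, which is why the string match cannot be the access control on its own.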


Re: Banning "bad" viewers was Re: Can this be done?

Imago
But really... How many people who aren't really looking for this info are
going to find it. ;) Nubs aren't going to know where to look. But blocking
by string probably wouldn't be the best, but it would work for dumb people.
;)

----- Original Message -----
From: "Frisby, Adam" <[hidden email]>
To: <[hidden email]>; <[hidden email]>
Sent: Tuesday, January 12, 2010 3:25 PM
Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?


> While I hate to rain on anyone's parade - but you can use the "-channel"
> commandline switch to edit the version string to whatever you want. I
> really wouldn't rely on it.
>
> Adam
>
>> -----Original Message-----
>> From: [hidden email] [mailto:opensim-users-
>> [hidden email]] On Behalf Of Imago
>> Sent: Tuesday, 12 January 2010 9:34 AM
>> To: [hidden email]; [hidden email]
>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>> done?
>>
>> Thanks, I've been looking over the code, and yeah, I know people could.
>> But
>> really how many regular joes out there would be interested enough to
>> download, compile, and play with the code. *laughs* I don't think
>> there's
>> many, because a lot of them would much rather have instant
>> gratification
>> rather then having to work for it.
>>
>> But in my opinion even fragile filtering is better then none at all.
>> Because
>> while some could get in the population en masse wouldn't be able to.
>>
>> ----- Original Message -----
>> From: <[hidden email]>
>> To: <[hidden email]>
>> Sent: Tuesday, January 12, 2010 8:15 AM
>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>> done?
>>
>>
>> > As Teravus said, the LL viewer sends a string identifying itself and
>> a
>> > version. In the new login procedure that is captured by the
>> > LLLoginHandlers as
>> >   if (requestData.Contains("version"))
>> >     clientVersion = requestData["version"].ToString();
>> >
>> > Right now we're not doing anything interesting with this information.
>> > When this refactoring makes it to the master branch, people can
>> replace
>> > / augment the existing LLLoginHandlers to do other things including
>> > filtering logins according to this field.
>> >
>> > But as others said here, this is a very fragile filtering, as any
>> viewer
>> > can send that field saying that it's an LL viewer.
>> >
>> > Imago wrote:
>> >> Ah! Thank you. I did read something on the subject, but then
>> suffered a
>> >> hard
>> >> drive death and it wiped out any settings I had. :( Google comes up
>> with
>> >> way
>> >> too much junk when you look for stuff as well as Mantis stuff and
>> Jiras.
>> >> I
>> >> will check in to this. So, now I know it is possible. :D Now, it's
>> just
>> >> finding a way to do it. *shrugs and laughs* If it keeps a few kids
>> out
>> >> than
>> >> that's fine. I'd rather have fun then to have to police my console
>> for
>> >> logins. :D
>> >>
>> >> ----- Original Message -----
>> >> From: "Teravus Ovares" <[hidden email]>
>> >> To: <[hidden email]>
>> >> Sent: Monday, January 11, 2010 11:56 PM
>> >> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this
>> be
>> >> done?
>> >>
>> >>
>> >>> The viewer information is sent when the viewer logs in.      If you
>> >>> check the viewer channel version string when the viewer logs in,
>> you
>> >>> can deny based on a string match.      That's the easy (and least
>> >>> effective way) to lock only specific viewers.
>> >>>
>> >>> I believe that diva and Melanie_T were the last to work on these
>> >>> areas..    so they would probably be able to tell you where to
>> check
>> >>> 'best'.
>> >>>
>> >>> One thing to note, however, is..
>> >>>
>> >>> The viewer logs into the 'user service' by sending an XMLRPC
>> request
>> >>> to the HTTP Service with the login_to_simulator method.    It's at
>> >>> this time that the 'viewer channel string' should be checked.
>> >>>
>> >>> Teravus
>> >>>
>> >>> On Tue, Jan 12, 2010 at 12:34 AM, Imago <[hidden email]>
>> wrote:
>> >>>> Mostly I want this because of peace of mind, but also because I am
>> >>>> considering compiling a viewer on Hippo code that will have a
>> different
>> >>>> channel code altogether that I will probably use for the sim. If I
>> can
>> >>>> lock
>> >>>> off viewers that don't have my exact channel or code then I can be
>> sure
>> >>>> only
>> >>>> official viewers can get in. Right now the sim is only for friends
>> but
>> >>>> if
>> >>>> I
>> >>>> open it up to more I wouldn't want idiots coming in and mucking
>> about
>> >>>> the
>> >>>> place. Which is why I was asking. I know that some opensim
>> *shaking
>> >>>> head*
>> >>>> I
>> >>>> wish I could remember who and where banned certain viewers from
>> logging
>> >>>> in.
>> >>>> I'm not sure how she/he did it, though, but it got me curious as
>> to how
>> >>>> it's
>> >>>> done. That and I wouldn't really want someone using something like
>> Cryo
>> >>>> or
>> >>>> even Meerkat, but as you said... They probably all have the same
>> >>>> default
>> >>>> code. But if I put in another code and compiled it off of hippo or
>> >>>> Linden's
>> >>>> viewer I could put in my own channel and have others not able to
>> enter.
>> >>>> I
>> >>>> like security and peace of mind, but security in this day and age
>> is a
>> >>>> myth.
>> >>>> (Like those stupid broadcasting things that were supposed to stop
>> >>>> copybot.)
>> >>>>
>> >>>> But I was just curious if anyone had done it or heard of it. I
>> want to
>> >>>> say
>> >>>> openlifegrid did it, but I can't remember so I don't want to say
>> for
>> >>>> sure
>> >>>> until I find it again. (computer crashes suck.)
>> >>>> ----- Original Message -----
>> >>>> From: "Karen Palen" <[hidden email]>
>> >>>> To: <[hidden email]>
>> >>>> Sent: Monday, January 11, 2010 11:24 PM
>> >>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can
>> this be
>> >>>> done?
>> >>>>
>> >>>>
>> >>>>> As I think of it the answer is the same.
>> >>>>>
>> >>>>> The Linden Labs viewer does send an identification and version
>> number,
>> >>>>> but
>> >>>>> that really does very little. Almost every viewer out there is
>> based
>> >>>>> on
>> >>>>> the current LL viewer and many people don't bother changing this
>> code
>> >>>>> for
>> >>>>> their experimental versions.
>> >>>>>
>> >>>>> For example I just checked and I have a customised LL viewer
>> where the
>> >>>>> only change is that it will log on to my private sim by default.
>> The
>> >>>>> ID
>> >>>>> codes are identical to the original since I never bothered to
>> change
>> >>>>> them.
>> >>>>>
>> >>>>> I use it to make sure that my private sim will run OK with the
>> >>>>> "official"
>> >>>>> viewer.
>> >>>>>
>> >>>>> I am not really sure why you would want that restriction though.
>> >>>>> Should
>> >>>>> I
>> >>>>> be considering that for my sim? Have I missed something here?
>> >>>>>
>> >>>>> Sorry.
>> >>>>>
>> >>>>> Karen
>> >>>>>
>> >>>>> --- On Mon, 1/11/10, Imago <[hidden email]> wrote:
>> >>>>>
>> >>>>>> From: Imago <[hidden email]>
>> >>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can
>> this
>> >>>>>> be
>> >>>>>> done?
>> >>>>>> To: [hidden email]
>> >>>>>> Date: Monday, January 11, 2010, 10:05 PM
>> >>>>>> I don't think anyone is
>> >>>>>> understanding. :D It's not just Cryo. I want only
>> >>>>>> Linden Lab viewers to be able to login. I've seen it done
>> >>>>>> on other
>> >>>>>> opensims. I know people can get around that. But the point
>> >>>>>> is... Not
>> >>>>>> everyone is a coder. So, while they could compile and make
>> >>>>>> it look like a
>> >>>>>> Linden Lab viewer then so be it. I just want to know if
>> >>>>>> there's a mod or
>> >>>>>> string that I can put in to opensim to see what channel the
>> >>>>>> viewer is
>> >>>>>> sending, and if it's not the right one then to display an
>> >>>>>> error message that
>> >>>>>> would tell them to download an official release in order to
>> >>>>>> login.
>> >>>>>>
>> >>>>>> Maybe I should have chosen my words better. Mentioning Cryo
>> >>>>>> is like
>> >>>>>> mentioning copybot, and responses only seem to be based on
>> >>>>>> theft and copy
>> >>>>>> protection. I just want to know if there's a string to
>> >>>>>> block a viewer. I
>> >>>>>> know people have done it I just can't remember what opensim
>> >>>>>> I saw it done
>> >>>>>> on. I also know that if I had Cryo source code I could
>> >>>>>> compile and make it
>> >>>>>> look like a Second Life release viewer. But not everyone is
>> >>>>>> a hacker or a
>> >>>>>> coder or both. Most people don't know how or can't compile
>> >>>>>> a viewer or are
>> >>>>>> too lazy to. So, they go look for one, and that's the basis
>> >>>>>> for my thinking
>> >>>>>> most thieves are too lazy to try to figure out a way and
>> >>>>>> will move on to the
>> >>>>>> next target.
>> >>>>>>
>> >>>>>>
>> >>>>>> So, the question I'm asking is:
>> >>>>>> Is there a way for OpenSim to check a viewer string and
>> >>>>>> allow or disallow
>> >>>>>> based on that, and if so please let me know where that code
>> >>>>>> is, and if
>> >>>>>> not... Then I'll be burning the midnight oil again coding
>> >>>>>> one up.
>> >>>>>>
>> >>>>>> ----- Original Message -----
>> >>>>>> From: "Karen Palen" <[hidden email]>
>> >>>>>> To: <[hidden email]>
>> >>>>>> Sent: Monday, January 11, 2010 10:44 PM
>> >>>>>> Subject: [Opensim-users] Banning "bad" viewers was Re: Can
>> >>>>>> this be done?
>> >>>>>>
>> >>>>>>
>> >>>>>>> The short answer is no.
>> >>>>>>>
>> >>>>>>> The more complete answer is that while you can easily
>> >>>>>> detect some
>> >>>>>>> characteristic of a viewer (or other software) which
>> >>>>>> identifies that
>> >>>>>>> viewer and use that to ban it, nothing can stop the
>> >>>>>> authors of that viewer
>> >>>>>>> from changing whatever characteristic you use.
>> >>>>>>>
>> >>>>>>> Worse yet, whatever characteristic you select to
>> >>>>>> identify the "bad"
>> >>>>>>> software will inevitably turn up in some other
>> >>>>>> (innocent) viewer sooner or
>> >>>>>>> later and will cause them to be banned for no reason.
>> >>>>>>>
>> >>>>>>> The best you could hope to achieve is some sort of
>> >>>>>> "arms race" between
>> >>>>>>> "bad" viewer creators and sim operators.
>> >>>>>>>
>> >>>>>>> In addition any viewer could be adapted for piracy.
>> >>>>>> The original
>> >>>>>>> experiments that resulted in
>> >>>>>> libsecondlife/openMetaverse were based on
>> >>>>>>> analysing the data stream between the Second Life
>> >>>>>> Servers and the viewer
>> >>>>>>> software (at the time ONLY the Linden Labs viewer) and
>> >>>>>> had access to all
>> >>>>>>> of that information. This was all done without
>> >>>>>> modifying the viewer in any
>> >>>>>>> way - it was proprietary at the time.
>> >>>>>>>
>> >>>>>>> Sadly the lesson of the endless failures of DRM
>> >>>>>> schemes elsewhere shows
>> >>>>>>> that the real losers are the honest/innocent users who
>> >>>>>> are unable to do
>> >>>>>>> the things that they really should expect to do with
>> >>>>>> the content that they
>> >>>>>>> have purchased.
>> >>>>>>>
>> >>>>>>> For example, I have completely stopped buying anything
>> >>>>>> in Second Life
>> >>>>>>> since I want to use the inventory I buy in my private
>> >>>>>> sims as well. Sure I
>> >>>>>>> can use pirate tools to do this, but if I have to do
>> >>>>>> that to use my
>> >>>>>>> purchases where I want to use them then why not just
>> >>>>>> steal the stuff in
>> >>>>>>> the first place?
>> >>>>>>>
>> >>>>>>> This is very similar to the situation with music CDs
>> >>>>>> and DVDs, why build
>> >>>>>>> an expensive collection if you will just have to
>> >>>>>> re-purchase it in a few
>> >>>>>>> years for the next technology and some DRM scheme
>> >>>>>> tries to keep me from
>> >>>>>>> playing my collection on the new equipment?
>> >>>>>>>
>> >>>>>>> There are several efforts being directed at some sort
>> >>>>>> of "portable"
>> >>>>>>> content. I hope that one or more actually proves to
>> >>>>>> work, but I have no
>> >>>>>>> illusions about that actually happening any time
>> >>>>>> soon.
>> >>>>>>> My opinion is that the best we can do at present is
>> >>>>>> similar to the real
>> >>>>>>> life piracy situation: stop the commercial marketing
>> >>>>>> of pirated
>> >>>>>>> merchandise as it is detected and reported. Ban anyone
>> >>>>>> who engages in such
>> >>>>>>> activities and if they persist bring real world law
>> >>>>>> enforcement to bear.
>> >>>>>>> For once Linden Labs seems to be using a reasonable
>> >>>>>> version of this when
>> >>>>>>> they state that the viewer is not the problem, it is
>> >>>>>> the use of the
>> >>>>>>> viewer. They have promised to act promptly to ban
>> >>>>>> anyone using any viewer
>> >>>>>>> for piracy.
>> >>>>>>>
>> >>>>>>> Karen
>> >>>>>>>
>> >>>>>>> --- On Mon, 1/11/10, Imago <[hidden email]>
>> >>>>>> wrote:
>> >>>>>>>> Is it possible to stop
>> >>>>>>>> certain viewers from logging
>> >>>>>>>> in to your opensim? Like Cryo?

Re: Banning "bad" viewers was Re: Can this be done?

Kyle Hamilton
Security through obscurity is no security at all.  If you're relying
on people not figuring it out, people *will* figure it out.

</experience of security expert for many years>

-Kyle H

On Tue, Jan 12, 2010 at 1:34 PM, Imago <[hidden email]> wrote:

> But really... How many people who aren't really looking for this info are
> going to find it. ;) Nubs aren't going to know where to look. But blocking
> by string probably wouldn't be the best, but it would work for dumb people.
> ;)
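
Added example (not part of any post in this thread, and not OpenSim code): the check discussed above, applied to a login_to_simulator XML-RPC request whose self-reported "version" field is matched against an allowlist. The viewer names, ALLOWED_PREFIXES, the helper names and the sample requests are constructed for illustration; only the method name and the "version" key come from the thread.

```python
"""Soft filter on the viewer's self-reported "version" login field.

Added illustration, not OpenSim code. All requests are constructed samples.
"""
import re
import xmlrpc.client
from dataclasses import dataclass

# Hypothetical operator policy: admitted version-string prefixes.
ALLOWED_PREFIXES = ("ExampleOfficialViewer ",)
MAX_VERSION_LEN = 128
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    reported_version: str  # sanitized, safe to print on one log line


def sanitize(value):
    """Replace control characters and cap length before logging."""
    return _CONTROL_CHARS.sub("?", value)[:MAX_VERSION_LEN]


def check_login(xml_body):
    """Decide on one request body; any parse problem fails closed."""
    # The stdlib XML-RPC parser is not hardened against hostile XML; it is
    # used here only on the constructed samples below.
    try:
        params, method = xmlrpc.client.loads(xml_body)
    except Exception:
        return Decision(False, "malformed request", "")
    if (method != "login_to_simulator" or len(params) != 1
            or not isinstance(params[0], dict)):
        return Decision(False, "not a login request", "")
    raw = params[0].get("version")
    if not isinstance(raw, str) or not raw.strip():
        return Decision(False, "no version reported", "")
    version = sanitize(raw)
    if version != raw:  # too long, or contained control characters
        return Decision(False, "version string rejected", version)
    if version.startswith(ALLOWED_PREFIXES):
        return Decision(True, "self-reported version is on the allowlist", version)
    return Decision(False, "self-reported version is not on the allowlist", version)


def sample_request(version, method="login_to_simulator"):
    """Build a constructed request body (sample data, not a capture)."""
    fields = {"first": "Test", "last": "User"}
    if version is not None:
        fields["version"] = version
    return xmlrpc.client.dumps((fields,), methodname=method)


# (what the client actually is, what it reports): all constructed.
SAMPLES = [
    ("official build", "ExampleOfficialViewer 1.0.0"),
    ("modified build, string unchanged", "ExampleOfficialViewer 1.0.0"),
    ("third-party build", "ExampleOtherViewer 0.9"),
    ("client omitting the field", None),
    ("client sending a newline", "ExampleOfficialViewer 1.0\nfake log line"),
]


def evaluate():
    """Return [(actual client, Decision)]; the server only sees the latter."""
    return [(actual, check_login(sample_request(reported)))
            for actual, reported in SAMPLES]


if __name__ == "__main__":
    for actual, decision in evaluate():
        print(f"{actual:34} -> {decision}")
```

The first two samples yield equal decisions, which is why the thread calls this filtering fragile: a match is useful as telemetry or as a speed bump, not as proof of which viewer connected.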

Re: Banning "bad" viewers was Re: Can this be done?

Imago
Most people won't bother though. Because the average user isn't going to
attempt to break into a website, server, etc. I've got experience with
security, reverse engineering, programming. (Probably going on almost 20
something years now.) So, yeah, it's not secure, but average joe user isn't
going to attempt to hack if you don't put up a big sign that says
"Unhackable" or "Secure as all hell." You put out stuff like that you're
just begging for someone to take down your 64 or 128 bit encryption. Because
in my experience everyone now thinks base64 is "unhackable" and yet it's
being done and has been done. So, really... There is no such thing as
unhackable.

But what I'm saying is the average user has little to no working knowledge
of how a website, program, etc works. They don't care if it runs and they
can use it then they are happy. I've done so much website work, programming
work, etc for people over the years I think I'm an expert on how stupid the
average user really is when it comes to anything computer related. ;)

----- Original Message -----
From: "Kyle Hamilton" <[hidden email]>
To: "opensim-users" <[hidden email]>
Sent: Tuesday, January 12, 2010 3:37 PM
Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?


> Security through obscurity is no security at all.  If you're relying
> on people not figuring it out, people *will* figure it out.
>
> </experience of security expert for many years>
>
> -Kyle H
>
> On Tue, Jan 12, 2010 at 1:34 PM, Imago <[hidden email]> wrote:
>> But really... How many people who aren't really looking for this info are
>> going to find it. ;) Nubs aren't going to know where to look. But
>> blocking
>> by string probably wouldn't be the best, but it would work for dumb
>> people.
>> ;)
>>
>> ----- Original Message -----
>> From: "Frisby, Adam" <[hidden email]>
>> To: <[hidden email]>; <[hidden email]>
>> Sent: Tuesday, January 12, 2010 3:25 PM
>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>> done?
>>
>>
>>> While I hate to rain on anyone's parade - but you can use the "-channel"
>>> commandline switch to edit the version string to whatever you want. I
>>> really wouldn't rely on it.
>>>
>>> Adam
>>>
>>>> -----Original Message-----
>>>> From: [hidden email] [mailto:opensim-users-
>>>> [hidden email]] On Behalf Of Imago
>>>> Sent: Tuesday, 12 January 2010 9:34 AM
>>>> To: [hidden email]; [hidden email]
>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>>>> done?
>>>>
>>>> Thanks, I've been looking over the code, and yeah, I know people could.
>>>> But
>>>> really how many regular joes out there would be interested enough to
>>>> download, compile, and play with the code. *laughs* I don't think
>>>> there's
>>>> many, because a lot of them would much rather have instant
>>>> gratification
>>>> rather than having to work for it.
>>>>
>>>> But in my opinion even fragile filtering is better than none at all.
>>>> Because
>>>> while some could get in the population en masse wouldn't be able to.
>>>>
>>>> ----- Original Message -----
>>>> From: <[hidden email]>
>>>> To: <[hidden email]>
>>>> Sent: Tuesday, January 12, 2010 8:15 AM
>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be
>>>> done?
>>>>
>>>>
>>>> > As Teravus said, the LL viewer sends a string identifying itself and
>>>> a
>>>> > version. In the new login procedure that is captured by the
>>>> > LLLoginHandlers as
>>>> >   if (requestData.Contains("version"))
>>>> >     clientVersion = requestData["version"].ToString();
>>>> >
>>>> > Right now we're not doing anything interesting with this information.
>>>> > When this refactoring makes it to the master branch, people can
>>>> replace
>>>> > / augment the existing LLLoginHandlers to do other things including
>>>> > filtering logins according to this field.
>>>> >
>>>> > But as others said here, this is a very fragile filtering, as any
>>>> viewer
>>>> > can send that field saying that it's an LL viewer.
>>>> >
>>>> > Imago wrote:
>>>> >> Ah! Thank you. I did read something on the subject, but then suffered a
>>>> >> hard drive death and it wiped out any settings I had. :( Google comes up
>>>> >> with way too much junk when you look for stuff as well as Mantis stuff and
>>>> >> Jiras. I will check into this. So, now I know it is possible. :D Now, it's
>>>> >> just finding a way to do it. *shrugs and laughs* If it keeps a few kids
>>>> >> out then that's fine. I'd rather have fun than to have to police my
>>>> >> console for logins. :D
>>>> >>
>>>> >> ----- Original Message -----
>>>> >> From: "Teravus Ovares" <[hidden email]>
>>>> >> To: <[hidden email]>
>>>> >> Sent: Monday, January 11, 2010 11:56 PM
>>>> >> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this
>>>> be
>>>> >> done?
>>>> >>
>>>> >>
>>>> >>> The viewer information is sent when the viewer logs in. If you
>>>> >>> check the viewer channel version string when the viewer logs in,
>>>> you
>>>> >>> can deny based on a string match. That's the easy (and least
>>>> >>> effective way) to lock only specific viewers.
>>>> >>>
>>>> >>> I believe that diva and Melanie_T were the last to work on these
>>>> >>> areas.. so they would probably be able to tell you where to
>>>> check
>>>> >>> 'best'.
>>>> >>>
>>>> >>> One thing to note, however, is..
>>>> >>>
>>>> >>> The viewer logs into the 'user service' by sending an XMLRPC
>>>> request
>>>> >>> to the HTTP Service with the login_to_simulator method. It's at
>>>> >>> this time that the 'viewer channel string' should be checked.
>>>> >>>
>>>> >>> Teravus
>>>> >>>
>>>> >>> On Tue, Jan 12, 2010 at 12:34 AM, Imago <[hidden email]> wrote:
>>>> >>>> Mostly I want this because of peace of mind, but also because I am
>>>> >>>> considering compiling a viewer on Hippo code that will have a
>>>> >>>> different channel code altogether that I will probably use for the
>>>> >>>> sim. If I can lock off viewers that don't have my exact channel or
>>>> >>>> code then I can be sure only official viewers can get in. Right now
>>>> >>>> the sim is only for friends but if I open it up to more I wouldn't
>>>> >>>> want idiots coming in and mucking about the place. Which is why I
>>>> >>>> was asking. I know that some opensim *shaking head* I wish I could
>>>> >>>> remember who and where banned certain viewers from logging in. I'm
>>>> >>>> not sure how she/he did it, though, but it got me curious as to how
>>>> >>>> it's done. That and I wouldn't really want someone using something
>>>> >>>> like Cryo or even Meerkat, but as you said... They probably all
>>>> >>>> have the same default code. But if I put in another code and
>>>> >>>> compiled it off of hippo or Linden's viewer I could put in my own
>>>> >>>> channel and have others not able to enter. I like security and
>>>> >>>> peace of mind, but security in this day and age is a myth. (Like
>>>> >>>> those stupid broadcasting things that were supposed to stop
>>>> >>>> copybot.)
>>>> >>>>
>>>> >>>> But I was just curious if anyone had done it or heard of it. I want
>>>> >>>> to say openlifegrid did it, but I can't remember so I don't want to
>>>> >>>> say for sure until I find it again. (computer crashes suck.)
>>>> >>>> ----- Original Message -----
>>>> >>>> From: "Karen Palen" <[hidden email]>
>>>> >>>> To: <[hidden email]>
>>>> >>>> Sent: Monday, January 11, 2010 11:24 PM
>>>> >>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>> >>>>
>>>> >>>>
>>>> >>>>> As I think of it the answer is the same.
>>>> >>>>>
>>>> >>>>> The Linden Labs viewer does send an identification and version
>>>> >>>>> number, but that really does very little. Almost every viewer out
>>>> >>>>> there is based on the current LL viewer and many people don't
>>>> >>>>> bother changing this code for their experimental versions.
>>>> >>>>>
>>>> >>>>> For example I just checked and I have a customised LL viewer where
>>>> >>>>> the only change is that it will log on to my private sim by
>>>> >>>>> default. The ID codes are identical to the original since I never
>>>> >>>>> bothered to change them.
>>>> >>>>>
>>>> >>>>> I use it to make sure that my private sim will run OK with the
>>>> >>>>> "official" viewer.
>>>> >>>>>
>>>> >>>>> I am not really sure why you would want that restriction though.
>>>> >>>>> Should I be considering that for my sim? Have I missed something
>>>> >>>>> here?
>>>> >>>>>
>>>> >>>>> Sorry.
>>>> >>>>>
>>>> >>>>> Karen
>>>> >>>>>
>>>> >>>>> --- On Mon, 1/11/10, Imago <[hidden email]> wrote:
>>>> >>>>>
>>>> >>>>>> From: Imago <[hidden email]>
>>>> >>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>> >>>>>> To: [hidden email]
>>>> >>>>>> Date: Monday, January 11, 2010, 10:05 PM
>>>> >>>>>> I don't think anyone is understanding. :D It's not just Cryo. I
>>>> >>>>>> want only Linden Lab viewers to be able to login. I've seen it
>>>> >>>>>> done on other opensim's. I know people can get around that. But
>>>> >>>>>> the point is... Not everyone is a coder. So, while they could
>>>> >>>>>> compile and make it look like a Linden Lab viewer then so be it.
>>>> >>>>>> I just want to know if there's a mod or string that I can put in
>>>> >>>>>> to opensim to see what channel the viewer is sending, and if it's
>>>> >>>>>> not the right one then to display an error message that would
>>>> >>>>>> tell them to download an official release in order to login.
>>>> >>>>>>
>>>> >>>>>> Maybe I should have chosen my words better. Mentioning Cryo is
>>>> >>>>>> like mentioning copybot, and responses only seem to be based on
>>>> >>>>>> theft and copy protection. I just want to know if there's a
>>>> >>>>>> string to block a viewer. I know people have done it I just can't
>>>> >>>>>> remember what opensim I saw it done on. I also know that if I had
>>>> >>>>>> Cryo source code I could compile and make it look like a Second
>>>> >>>>>> Life release viewer. But not everyone is a hacker or a coder or
>>>> >>>>>> both. Most people don't know how or can't compile a viewer or are
>>>> >>>>>> too lazy to. So, they go look for one, and that's the basis for
>>>> >>>>>> my thinking most thieves are too lazy to try to figure out a way
>>>> >>>>>> and will move on to the next target.
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>> So, the question I'm asking is:
>>>> >>>>>> Is there a way for OpenSim to check a viewer string and allow or
>>>> >>>>>> disallow based on that, and if so please let me know where that
>>>> >>>>>> code is, and if not... Then I'll be burning the midnight oil
>>>> >>>>>> again coding one up.
>>>> >>>>>>
>>>> >>>>>> ----- Original Message -----
>>>> >>>>>> From: "Karen Palen" <[hidden email]>
>>>> >>>>>> To: <[hidden email]>
>>>> >>>>>> Sent: Monday, January 11, 2010 10:44 PM
>>>> >>>>>> Subject: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>>> The short answer is no.
>>>> >>>>>>>
>>>> >>>>>>> The more complete answer is that while you can easily detect
>>>> >>>>>>> some characteristic of a viewer (or other software) which
>>>> >>>>>>> identifies that viewer and use that to ban it, nothing can stop
>>>> >>>>>>> the authors of that viewer from changing whatever characteristic
>>>> >>>>>>> you use.
>>>> >>>>>>>
>>>> >>>>>>> Worse yet, whatever characteristic you select to identify the
>>>> >>>>>>> "bad" software will inevitably turn up in some other (innocent)
>>>> >>>>>>> viewer sooner or later and will cause them to be banned for no
>>>> >>>>>>> reason.
>>>> >>>>>>>
>>>> >>>>>>> The best you could hope to achieve is some sort of "arms race"
>>>> >>>>>>> between "bad" viewer creators and sim operators.
>>>> >>>>>>>
>>>> >>>>>>> In addition any viewer could be adapted for piracy. The original
>>>> >>>>>>> experiments that resulted in libsecondlife/openMetaverse were
>>>> >>>>>>> based on analysing the data stream between the Second Life
>>>> >>>>>>> Servers and the viewer software (at the time ONLY the Linden
>>>> >>>>>>> Labs viewer) and had access to all of that information. This was
>>>> >>>>>>> all done without modifying the viewer in any way - it was
>>>> >>>>>>> proprietary at the time.
>>>> >>>>>>>
>>>> >>>>>>> Sadly the lesson of the endless failures of DRM schemes
>>>> >>>>>>> elsewhere shows that the real losers are the honest/innocent
>>>> >>>>>>> users who are unable to do the things that they really should
>>>> >>>>>>> expect to do with the content that they have purchased.
>>>> >>>>>>>
>>>> >>>>>>> For example, I have completely stopped buying anything in Second
>>>> >>>>>>> Life since I want to use the inventory I buy in my private sims
>>>> >>>>>>> as well. Sure I can use pirate tools to do this, but if I have
>>>> >>>>>>> to do that to use my purchases where I want to use them then why
>>>> >>>>>>> not just steal the stuff in the first place?
>>>> >>>>>>>
>>>> >>>>>>> This is very similar to the situation with music CDs and DVDs,
>>>> >>>>>>> why build an expensive collection if you will just have to
>>>> >>>>>>> re-purchase it in a few years for the next technology and some
>>>> >>>>>>> DRM scheme tries to keep me from playing my collection on the
>>>> >>>>>>> new equipment?
>>>> >>>>>>>
>>>> >>>>>>> There are several efforts being directed at some sort of
>>>> >>>>>>> "portable" content. I hope that one or more actually proves to
>>>> >>>>>>> work, but I have no illusions about that actually happening any
>>>> >>>>>>> time soon.
>>>> >>>>>>>
>>>> >>>>>>> My opinion is that the best we can do at present is similar to
>>>> >>>>>>> the real life piracy situation: stop the commercial marketing of
>>>> >>>>>>> pirated merchandise as it is detected and reported. Ban anyone
>>>> >>>>>>> who engages in such activities and if they persist bring real
>>>> >>>>>>> world law enforcement to bear.
>>>> >>>>>>>
>>>> >>>>>>> For once Linden Labs seems to be using a reasonable version of
>>>> >>>>>>> this when they state that the viewer is not the problem, it is
>>>> >>>>>>> the use of the viewer. They have promised to act promptly to ban
>>>> >>>>>>> anyone using any viewer for piracy.
>>>> >>>>>>>
>>>> >>>>>>> Karen
>>>> >>>>>>>
>>>> >>>>>>> --- On Mon, 1/11/10, Imago <[hidden email]> wrote:
>>>> >>>>>>>> Is it possible to stop certain viewers from logging in to your
>>>> >>>>>>>> opensim? Like Cryo?
>>>> >>>>>>>
>>>> >>>>>>>
>>>> >>>>>>>

Re: Banning "bad" viewers was Re: Can this be done?

Kyle Hamilton
All it takes is one person with the knowledge of how your system works
to create a tool to bypass your security.  THAT is what script-kiddies
use.  This is why it's considered an arms race, and the people who
actually physically own the systems on the net are at a severe
disadvantage: they have to successfully defend against every attack,
while the generic class of attackers has a severe advantage: only one
attack needs to succeed.

Lock your sim permissions down, and manually grant object
creation/modification permissions to people you want to be able to do
so.  That's the only way to prevent the scribbling that you're so
afraid of.  (Well, then again, if you *really* want to be secure,
disable new account creation and remove all privileges from the
current userbase.  Otherwise, one of those accounts can be haksz0red,
and you're left with the same issue.)

Security is a balance between unusability (you don't want the attacker
to be able to use/deface your system) and usability (you do want to be
able to do something with your computer, in this case allow your
friends onto your sim).

On another mailing list, I described 'trust' thus: "trust is choosing
to open a point of vulnerability to another entity whom you believe
will not cause damage."  You obviously don't trust the hackers or
script-kiddies.  You obviously trust yourself, and you may or may not
trust the others you allow onto your sim.  But, there's no way to
resolve it via obscurity.

(Well, there is *one* way, but it's not 'obscurity', it's 'entropy'...
and that's outside the scope of this discussion, since I don't even
know if it can be done in Mono, and the required infrastructure just
doesn't exist in the world.  This way would be 'client certificate
authentication of a TLS channel to the services' so that even if they
had the channel string, they still wouldn't be able to use it without
an authorized client certificate.)

-Kyle H

On Tue, Jan 12, 2010 at 1:50 PM, Imago <[hidden email]> wrote:

> Most people won't bother though. Because the average user isn't going to
> attempt to break in to a website, server, etc. I've got experience with
> security, reverse engineering, programming. (Probably going on almost 20
> something years now.) So, yeah, it's not secure, but average joe user isn't
> going to attempt to hack if you don't put up a big sign that says
> "Unhackable" or "Secure as all hell." You put out stuff like that you're
> just begging for someone to take down your 64 or 128 bit encryption. Because
> in my experience everyone now thinks base64 is "unhackable" and yet it's
> being done and has been done. So, really... There is no such thing as
> unhackable.
>
> But what I'm saying is the average user has little to no working knowledge
> of how a website, program, etc works. They don't care if it runs and they
> can use it then they are happy. I've done so much website work, programming
> work, etc for people over the years I think I'm an expert on how stupid the
> average user really is when it comes to anything computer related. ;)
>
> ----- Original Message -----
> From: "Kyle Hamilton" <[hidden email]>
> To: "opensim-users" <[hidden email]>
> Sent: Tuesday, January 12, 2010 3:37 PM
> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>
>
>> Security through obscurity is no security at all.  If you're relying
>> on people not figuring it out, people *will* figure it out.
>>
>> </experience of security expert for many years>
>>
>> -Kyle H
>>
>> On Tue, Jan 12, 2010 at 1:34 PM, Imago <[hidden email]> wrote:
>>> But really... How many people who aren't really looking for this info are
>>> going to find it. ;) Nubs aren't going to know where to look. But blocking
>>> by string probably wouldn't be the best, but it would work for dumb people.
>>> ;)
>>>
>>> ----- Original Message -----
>>> From: "Frisby, Adam" <[hidden email]>
>>> To: <[hidden email]>; <[hidden email]>
>>> Sent: Tuesday, January 12, 2010 3:25 PM
>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>
>>>
>>>> While I hate to rain on anyone's parade - but you can use the "-channel"
>>>> commandline switch to edit the version string to whatever you want. I
>>>> really wouldn't rely on it.
>>>>
>>>> Adam
>>>>
>>>>> -----Original Message-----
>>>>> From: [hidden email] [mailto:opensim-users-
>>>>> [hidden email]] On Behalf Of Imago
>>>>> Sent: Tuesday, 12 January 2010 9:34 AM
>>>>> To: [hidden email]; [hidden email]
>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>
>>>>> Thanks, I've been looking over the code, and yeah, I know people could. But
>>>>> really how many regular joes out there would be interested enough to
>>>>> download, compile, and play with the code. *laughs* I don't think there's
>>>>> many, because a lot of them would much rather have instant gratification
>>>>> rather than having to work for it.
>>>>>
>>>>> But in my opinion even fragile filtering is better than none at all. Because
>>>>> while some could get in the population en masse wouldn't be able to.
>>>>>

Re: Banning "bad" viewers was Re: Can this be done?

John Ward-2
Security is often added in layers.  One might start with setting
expectations with a sign or announcement.  "Please only use the LL
client when accessing this grid."  I'm willing to honor the grid
operator's request so that system is secure from me.  One might secure a
user's agreement to use a particular client as a condition of getting an
account in the first place, another similar layer.  If a grid operator
wants a little better protection, checking the string the client
identifies itself with would seem a reasonable additional layer.

So, is the system secure?  If one's goal was to prevent casual
non-compliance then it probably is reasonably secure.  If one wants to
prevent anyone from ever running a bad client on their grid then one's
grid is not secure.

"Security through obscurity" is quite valid.  That's why we (hopefully)
choose obscure passwords. If one understands what the obfuscation gets
them then it is just another layer.

I think having lots of easy to setup and use layers is a good thing even
when some of them are easily defeated. :-)

John.

On 01/12/2010 03:39 PM, Kyle Hamilton wrote:

> All it takes is one person with the knowledge of how your system works
> to create a tool to bypass your security.  THAT is what script-kiddies
> use.  This is why it's considered an arms race, and the people who
> actually physically own the systems on the net are at a severe
> disadvantage: they have to successfully defend against every attack,
> while the generic class of attackers has a severe advantage: only one
> attack needs to succeed.
>
> Lock your sim permissions down, and manually grant object
> creation/modification permissions to people you want to be able to do
> so.  That's the only way to prevent the scribbling that you're so
> afraid of.  (Well, then again, if you *really* want to be secure,
> disable new account creation and remove all privileges from the
> current userbase.  Otherwise, one of those accounts can be haksz0red,
> and you're left with the same issue.)
>
> Security is a balance between unusability (you don't want the attacker
> to be able to use/deface your system) and usability (you do want to be
> able to do something with your computer, in this case allow your
> friends onto your sim).
>
> On another mailing list, I described 'trust' thus: "trust is choosing
> to open a point of vulnerability to another entity whom you believe
> will not cause damage."  You obviously don't trust the hackers or
> script-kiddies.  You obviously trust yourself, and you may or may not
> trust the others you allow onto your sim.  But, there's no way to
> resolve it via obscurity.
>
> (Well, there is *one* way, but it's not 'obscurity', it's 'entropy'...
> and that's outside the scope of this discussion, since I don't even
> know if it can be done in Mono, and the required infrastructure just
> doesn't exist in the world.  This way would be 'client certificate
> authentication of a TLS channel to the services' so that even if they
> had the channel string, they still wouldn't be able to use it without
> an authorized client certificate.)
>
> -Kyle H
>
> On Tue, Jan 12, 2010 at 1:50 PM, Imago<[hidden email]>  wrote:
>> Most people won't bother though. Because the average user isn't going to
>> attempt to break in to a website, server, etc. I've got experience with
>> security, reverse engineering, programming. (Probably going on almost 20
>> something years now.) So, yeah, it's not secure, but average joe user isn't
>> going to attempt to hack if you don't put up a big sign that says
>> "Unhackable" or "Secure as all hell." You put out stuff like that you're
>> just begging for someone to take down your 64 or 128 bit encryption. Because
>> in my experience everyone now thinks base64 is "unhackable" and yet it's
>> being done and has been done. So, really... There is no such thing as
>> unhackable.
>>
>> But what I'm saying is the average user has little to no working knowledge
>> of how a website, program, etc works. They don't care if it runs and they
>> can use it then they are happy. I've done so much website work, programming
>> work, etc for people over the years I think I'm an expert on how stupid the
>> average user really is when it comes to anything computer related. ;)
>>
>> ----- Original Message -----
>> From: "Kyle Hamilton"<[hidden email]>
>> To: "opensim-users"<[hidden email]>
>> Sent: Tuesday, January 12, 2010 3:37 PM
>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>
>>
>>> Security through obscurity is no security at all.  If you're relying
>>> on people not figuring it out, people *will* figure it out.
>>>
>>> </experience of security expert for many years>
>>>
>>> -Kyle H
>>>
>>> On Tue, Jan 12, 2010 at 1:34 PM, Imago<[hidden email]>  wrote:
>>>> But really... How many people who aren't really looking for this info are
>>>> going to find it. ;) Nubs aren't going to know where to look. But blocking
>>>> by string probably wouldn't be the best, but it would work for dumb people.
>>>> ;)
>>>>
>>>> ----- Original Message -----
>>>> From: "Frisby, Adam"<[hidden email]>
>>>> To:<[hidden email]>;<[hidden email]>
>>>> Sent: Tuesday, January 12, 2010 3:25 PM
>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>
>>>>
>>>>> While I hate to rain on anyone's parade - but you can use the "-channel"
>>>>> commandline switch to edit the version string to whatever you want. I
>>>>> really wouldn't rely on it.
>>>>>
>>>>> Adam
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: [hidden email] [mailto:opensim-users-
>>>>>> [hidden email]] On Behalf Of Imago
>>>>>> Sent: Tuesday, 12 January 2010 9:34 AM
>>>>>> To: [hidden email]; [hidden email]
>>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>>
>>>>>> Thanks, I've been looking over the code, and yeah, I know people could. But
>>>>>> really how many regular joes out there would be interested enough to
>>>>>> download, compile, and play with the code. *laughs* I don't think there's
>>>>>> many, because a lot of them would much rather have instant gratification
>>>>>> rather than having to work for it.
>>>>>>
>>>>>> But in my opinion even fragile filtering is better than none at all. Because
>>>>>> while some could get in the population en masse wouldn't be able to.
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From:<[hidden email]>
>>>>>> To:<[hidden email]>
>>>>>> Sent: Tuesday, January 12, 2010 8:15 AM
>>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>>
>>>>>>
>>>>>>> As Teravus said, the LL viewer sends a string identifying itself and a
>>>>>>> version. In the new login procedure that is captured by the
>>>>>>> LLLoginHandlers as
>>>>>>>     if (requestData.Contains("version"))
>>>>>>>         clientVersion = requestData["version"].ToString();
>>>>>>>
>>>>>>> Right now we're not doing anything interesting with this information.
>>>>>>> When this refactoring makes it to the master branch, people can replace
>>>>>>> / augment the existing LLLoginHandlers to do other things including
>>>>>>> filtering logins according to this field.
>>>>>>>
>>>>>>> But as others said here, this is a very fragile filtering, as any viewer
>>>>>>> can send that field saying that it's an LL viewer.
>>>>>>>
>>>>>>> Imago wrote:
>>>>>>>> Ah! Thank you. I did read something on the subject, but then suffered a
>>>>>>>> hard drive death and it wiped out any settings I had. :( Google comes up
>>>>>>>> with way too much junk when you look for stuff as well as Mantis stuff
>>>>>>>> and Jiras. I will check in to this. So, now I know it is possible. :D
>>>>>>>> Now, it's just finding a way to do it. *shrugs and laughs* If it keeps a
>>>>>>>> few kids out then that's fine. I'd rather have fun than to have to police
>>>>>>>> my console for logins. :D
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>> From: "Teravus Ovares"<[hidden email]>
>>>>>>>> To:<[hidden email]>
>>>>>>>> Sent: Monday, January 11, 2010 11:56 PM
>>>>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>>>>
>>>>>>>>
>>>>>>>>> The viewer information is sent when the viewer logs in. If you
>>>>>>>>> check the viewer channel version string when the viewer logs in, you
>>>>>>>>> can deny based on a string match. That's the easy (and least
>>>>>>>>> effective way) to lock only specific viewers.
>>>>>>>>>
>>>>>>>>> I believe that diva and Melanie_T were the last to work on these
>>>>>>>>> areas.. so they would probably be able to tell you where to check
>>>>>>>>> 'best'.
>>>>>>>>>
>>>>>>>>> One thing to note, however, is..
>>>>>>>>>
>>>>>>>>> The viewer logs into the 'user service' by sending an XMLRPC request
>>>>>>>>> to the HTTP Service with the login_to_simulator method. It's at
>>>>>>>>> this time that the 'viewer channel string' should be checked.
>>>>>>>>>
>>>>>>>>> Teravus
>>>>>>>>>
>>>>>>>>> On Tue, Jan 12, 2010 at 12:34 AM, Imago<[hidden email]> wrote:
>>>>>>>>>> Mostly I want this because of peace of mind, but also because I am
>>>>>>>>>> considering compiling a viewer on Hippo code that will have a different
>>>>>>>>>> channel code altogether that I will probably use for the sim. If I can
>>>>>>>>>> lock off viewers that don't have my exact channel or code then I can be
>>>>>>>>>> sure only official viewers can get in. Right now the sim is only for
>>>>>>>>>> friends but if I open it up to more I wouldn't want idiots coming in and
>>>>>>>>>> mucking about the place. Which is why I was asking. I know that some
>>>>>>>>>> opensim *shaking head* I wish I could remember who and where banned
>>>>>>>>>> certain viewers from logging in. I'm not sure how she/he did it, though,
>>>>>>>>>> but it got me curious as to how it's done. That and I wouldn't really
>>>>>>>>>> want someone using something like Cryo or even Meerkat, but as you
>>>>>>>>>> said... They probably all have the same default code. But if I put in
>>>>>>>>>> another code and compiled it off of hippo or Linden's viewer I could put
>>>>>>>>>> in my own channel and have others not able to enter. I like security and
>>>>>>>>>> peace of mind, but security in this day and age is a myth. (Like those
>>>>>>>>>> stupid broadcasting things that were supposed to stop copybot.)
>>>>>>>>>>
>>>>>>>>>> But I was just curious if anyone had done it or heard of it. I want to
>>>>>>>>>> say openlifegrid did it, but I can't remember so I don't want to say for
>>>>>>>>>> sure until I find it again. (computer crashes suck.)
>>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Karen Palen"<[hidden email]>
>>>>>>>>>> To:<[hidden email]>
>>>>>>>>>> Sent: Monday, January 11, 2010 11:24 PM
>>>>>>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> As I think of it the answer is the same.
>>>>>>>>>>>
>>>>>>>>>>> The Linden Labs viewer does send an identification and version number,
>>>>>>>>>>> but that really does very little. Almost every viewer out there is
>>>>>>>>>>> based on the current LL viewer and many people don't bother changing
>>>>>>>>>>> this code for their experimental versions.
>>>>>>>>>>>
>>>>>>>>>>> For example I just checked and I have a customised LL viewer where the
>>>>>>>>>>> only change is that it will log on to my private sim by default. The ID
>>>>>>>>>>> codes are identical to the original since I never bothered to change
>>>>>>>>>>> them.
>>>>>>>>>>>
>>>>>>>>>>> I use it to make sure that my private sim will run OK with the
>>>>>>>>>>> "official" viewer.
>>>>>>>>>>>
>>>>>>>>>>> I am not really sure why you would want that restriction though. Should
>>>>>>>>>>> I be considering that for my sim? Have I missed something here?
>>>>>>>>>>>
>>>>>>>>>>> Sorry.
>>>>>>>>>>>
>>>>>>>>>>> Karen
>>>>>>>>>>>
>>>>>>>>>>> --- On Mon, 1/11/10, Imago<[hidden email]>  wrote:
>>>>>>>>>>>
>>>>>>>>>>>> From: Imago<[hidden email]>
>>>>>>>>>>>> Subject: Re: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>>>>>>>> To: [hidden email]
>>>>>>>>>>>> Date: Monday, January 11, 2010, 10:05 PM
>>>>>>>>>>>> I don't think anyone is understanding. :D It's not just Cryo. I want
>>>>>>>>>>>> only Linden Lab viewers to be able to login. I've seen it done on other
>>>>>>>>>>>> opensims. I know people can get around that. But the point is... Not
>>>>>>>>>>>> everyone is a coder. So, while they could compile and make it look like
>>>>>>>>>>>> a Linden Lab viewer then so be it. I just want to know if there's a mod
>>>>>>>>>>>> or string that I can put in to opensim to see what channel the viewer
>>>>>>>>>>>> is sending, and if it's not the right one then to display an error
>>>>>>>>>>>> message that would tell them to download an official release in order
>>>>>>>>>>>> to login.
>>>>>>>>>>>>
>>>>>>>>>>>> Maybe I should have chosen my words better. Mentioning Cryo is like
>>>>>>>>>>>> mentioning copybot, and responses only seem to be based on theft and
>>>>>>>>>>>> copy protection. I just want to know if there's a string to block a
>>>>>>>>>>>> viewer. I know people have done it I just can't remember what opensim I
>>>>>>>>>>>> saw it done on. I also know that if I had Cryo source code I could
>>>>>>>>>>>> compile and make it look like a Second Life release viewer. But not
>>>>>>>>>>>> everyone is a hacker or a coder or both. Most people don't know how or
>>>>>>>>>>>> can't compile a viewer or are too lazy to. So, they go look for one,
>>>>>>>>>>>> and that's the basis for my thinking most thieves are too lazy to try
>>>>>>>>>>>> to figure out a way and will move on to the next target.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> So, the question I'm asking is:
>>>>>>>>>>>> Is there a way for OpenSim to check a viewer string and allow or
>>>>>>>>>>>> disallow based on that, and if so please let me know where that code
>>>>>>>>>>>> is, and if not... Then I'll be burning the midnight oil again coding
>>>>>>>>>>>> one up.
>>>>>>>>>>>>
>>>>>>>>>>>> ----- Original Message -----
>>>>>>>>>>>> From: "Karen Palen"<[hidden email]>
>>>>>>>>>>>> To:<[hidden email]>
>>>>>>>>>>>> Sent: Monday, January 11, 2010 10:44 PM
>>>>>>>>>>>> Subject: [Opensim-users] Banning "bad" viewers was Re: Can this be done?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> The short answer is no.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The more complete answer is that while you can easily detect some
>>>>>>>>>>>>> characteristic of a viewer (or other software) which identifies that
>>>>>>>>>>>>> viewer and use that to ban it, nothing can stop the authors of that
>>>>>>>>>>>>> viewer from changing whatever characteristic you use.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Worse yet, whatever characteristic you select to identify the "bad"
>>>>>>>>>>>>> software will inevitably turn up in some other (innocent) viewer
>>>>>>>>>>>>> sooner or later and will cause them to be banned for no reason.
>>>>>>>>>>>>>
>>>>>>>>>>>>> The best you could hope to achieve is some sort of "arms race"
>>>>>>>>>>>>> between "bad" viewer creators and sim operators.
>>>>>>>>>>>>>
>>>>>>>>>>>>> In addition any viewer could be adapted for piracy. The original
>>>>>>>>>>>>> experiments that resulted in libsecondlife/openMetaverse were based
>>>>>>>>>>>>> on analysing the data stream between the Second Life Servers and the
>>>>>>>>>>>>> viewer software (at the time ONLY the Linden Labs viewer) and had
>>>>>>>>>>>>> access to all of that information. This was all done without
>>>>>>>>>>>>> modifying the viewer in any way - it was proprietary at the time.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sadly the lesson of the endless failures of DRM schemes elsewhere
>>>>>>>>>>>>> shows that the real losers are the honest/innocent users who are
>>>>>>>>>>>>> unable to do the things that they really should expect to do with the
>>>>>>>>>>>>> content that they have purchased.
>>>>>>>>>>>>>
>>>>>>>>>>>>> For example, I have completely stopped buying anything in Second Life
>>>>>>>>>>>>> since I want to use the inventory I buy in my private sims as well.
>>>>>>>>>>>>> Sure I can use pirate tools to do this, but if I have to do that to
>>>>>>>>>>>>> use my purchases where I want to use them then why not just steal the
>>>>>>>>>>>>> stuff in the first place?
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is very similar to the situation with music CDs and DVDs, why
>>>>>>>>>>>>> build an expensive collection if you will just have to re-purchase it
>>>>>>>>>>>>> in a few years for the next technology and some DRM scheme tries to
>>>>>>>>>>>>> keep me from playing my collection on the new equipment?
>>>>>>>>>>>>>
>>>>>>>>>>>>> There are several efforts being directed at some sort of "portable"
>>>>>>>>>>>>> content. I hope that one or more actually proves to work, but I have
>>>>>>>>>>>>> no illusions about that actually happening any time soon.
>>>>>>>>>>>>>
>>>>>>>>>>>>> My opinion is that the best we can do at present is similar to the
>>>>>>>>>>>>> real life piracy situation: stop the commercial marketing of pirated
>>>>>>>>>>>>> merchandise as it is detected and reported. Ban anyone who engages in
>>>>>>>>>>>>> such activities and if they persist bring real world law enforcement
>>>>>>>>>>>>> to bear.
>>>>>>>>>>>>>
>>>>>>>>>>>>> For once Linden Labs seems to be using a reasonable version of this
>>>>>>>>>>>>> when they state that the viewer is not the problem, it is the use of
>>>>>>>>>>>>> the viewer. They have promised to act promptly to ban anyone using
>>>>>>>>>>>>> any viewer for piracy.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Karen
>>>>>>>>>>>>>
>>>>>>>>>>>>> --- On Mon, 1/11/10, Imago<[hidden email]> wrote:
>>>>>>>>>>>>>> Is it possible to stop certain viewers from logging
>>>>>>>>>>>>>> in to your opensim? Like Cryo?
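The version-string check discussed in this thread (the `requestData["version"]` field read at `login_to_simulator` time), written out as a stand-alone sketch. This is an added example, not OpenSim code and not from any poster: `ViewerFilter`, `LoginDecision`, the channel names and the sample requests are hypothetical, and the `"<channel> <version>"` shape of the field is an assumption. The last sample request shows why the thread calls the filter fragile: a client that reports an allowed name passes.

```csharp
using System;
using System.Collections;
using System.Text;

// Added example: not OpenSim code. All names and sample values are constructed.
public sealed class LoginDecision
{
    public bool Allowed;
    public string Message;   // returned to the viewer on denial
    public string Claimed;   // self-reported and unverified, made log-safe
}

public static class ViewerFilter
{
    // Allowlist of channel names (constructed sample values).
    static readonly string[] AllowedChannels = { "Second Life Release", "My Grid Viewer" };
    const int MaxLen = 128;

    public static LoginDecision Check(Hashtable requestData)
    {
        string claimed = null;
        if (requestData != null && requestData.Contains("version") && requestData["version"] != null)
            claimed = Sanitize(requestData["version"].ToString());

        if (string.IsNullOrEmpty(claimed))
            return Decide(false, "(none)", "Your viewer did not report a version.");

        foreach (string channel in AllowedChannels)
        {
            // Require the channel name followed by a space, so that
            // "Second Life ReleaseX ..." does not match by prefix accident.
            if (claimed.StartsWith(channel + " ", StringComparison.Ordinal))
                return Decide(true, claimed, "");
        }
        return Decide(false, claimed, "Please download an official release in order to log in.");
    }

    // Replace control characters and quotes and cap the length, so a
    // hostile value cannot forge extra fields or lines in the audit log.
    static string Sanitize(string raw)
    {
        var sb = new StringBuilder();
        foreach (char c in raw.Trim())
        {
            if (sb.Length >= MaxLen) break;
            sb.Append(char.IsControl(c) || c == '"' ? '?' : c);
        }
        return sb.ToString();
    }

    static LoginDecision Decide(bool allowed, string claimed, string message)
    {
        // Audit every decision: the string is only a claim, so the log is
        // what lets an operator review who connected with what afterwards.
        Console.WriteLine("login viewer=\"{0}\" allowed={1}", claimed, allowed);
        return new LoginDecision { Allowed = allowed, Claimed = claimed, Message = message };
    }
}

public static class Demo
{
    public static void Main()
    {
        var requests = new[]
        {
            new Hashtable { { "first", "Test" }, { "version", "Second Life Release 1.23.5.136262" } },
            new Hashtable { { "first", "Test" }, { "version", "Some Other Viewer 0.9.1" } },
            new Hashtable { { "first", "Test" } },   // field missing entirely
            // Any viewer can send an allowed name (the thread's point): this is
            // indistinguishable from the first request, so the filter lets it in.
            new Hashtable { { "first", "Test" }, { "version", "Second Life Release 9.9.9.9" } },
        };
        foreach (Hashtable r in requests)
        {
            LoginDecision d = ViewerFilter.Check(r);
            if (!d.Allowed) Console.WriteLine("  -> denied: " + d.Message);
        }
    }
}
```

Because the field is self-asserted, an `allowed=True` log line records what the client claimed, not which viewer actually connected; the barrier suggested in the thread for that is TLS client-certificate authentication.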