Difference between revisions of "User:Robin Cornelius/ExecSummary"

From Second Life Wiki
Jump to: navigation, search
(Server/Protocol security issues)
(Viewer registry)
Line 23: Line 23:
 
* Who is making this decision?
 
* Who is making this decision?
 
* How are "approved" viewers actually checked?
 
* How are "approved" viewers actually checked?
 +
* Exactly what does Linden do with the viewer registry list?
  
 
Subject to the above questions, the most basic implementations is just a list of viewers linking to there websites. Almost like we already have on the wiki now [link needed]
 
Subject to the above questions, the most basic implementations is just a list of viewers linking to there websites. Almost like we already have on the wiki now [link needed]
Line 32: Line 33:
 
* How would we update the list?
 
* How would we update the list?
 
* Are we really going to have to jump through hoops every time we make a minor change?
 
* Are we really going to have to jump through hoops every time we make a minor change?
 +
* Will this affect our ability to test our code as we develop it? Will we still be able to connect to Agni to test new changes?
  
Things like gnupg could avoid much of this as you could check the key was for an example the "Emerald developers" key, you wound not need to change the registry at all and the 3rd party devs could push out as many releases as they liked they just sign with there private key and the viewer registry contains the public key. Debian uses this system for there official apt repositories BUT there is *no requirement* in Debian to use there official apt repository, a user could simply download a deb from a web site or use a 3rd part apt repository and this should not be a requirement here either
+
Things like gnupg could avoid much of this as you could check the key was for an example the "Emerald developers" key, you wound not need to change the registry at all and the 3rd party devs could push out as many releases as they liked they just sign with there private key and the viewer registry contains the public key. Debian uses this system for there official apt repositories BUT there is *no requirement* in Debian to use there official apt repository, a user could simply download a deb from a web site or use a 3rd party apt repository and this should not be a requirement here either. Who bears the responsibility if a bunch of devs are all pushing binaries with the "Emerald developers" key.
 
+
The other extreme of the viewer registry is only allowing approved viewers to connect to SL, this is related to the Authentication topic which i will discuss next. But this falls in to the whole category of limiting access to SL. Limiting SL access would IMHO be a very very bad move by LL, again the same questions of how to get approved come up, but now they have a real urgency and seriousness to them which much not be understated. There are many many viewers out there, all kinds of service bots, text clients, web clients as well as the ones produced by LL. Just trying to process this number of viewers would be difficult, and you will result in many authors just not bothering at all. There are viewers being developed for light operation with out graphics for low end systems, viewers designed for the blind user. There are also viewers for systems systems as 64bit linux, *BSD etc. These mostly require custom viewers to work on the grid. Often the end user is recompiling the viewer themselves just to get in SecondLife. In some cases such as omvviewer, this was allowing a lot of 64bit linux users to connect that otherwise would not be able to, or would suffer frequent crashes due to 32/64bit mixed issues. Loosing many of these viewers would prevent significant numbers of users connecting to the SL service and also break significant in world content and systems that require bots to operate.
+
  
 +
The other extreme of the viewer registry is only allowing approved viewers to connect to SL, this is related to the Authentication topic which i will discuss next. But this falls in to the whole category of limiting access to SL. Limiting SL access would IMHO be a very very bad move by LL, again the same questions of how to get approved come up, but now they have a real urgency and seriousness to them which much not be understated. There are many many viewers out there, all kinds of service bots, text clients, clients for blind users, web clients as well as the ones produced by LL. Just trying to process this number of viewers would be difficult, and you will result in many authors just not bothering at all. There are viewers being developed for light operation with out graphics for low end systems, viewers designed for the blind user. There are also viewers for systems systems as 64bit linux, *BSD etc. These mostly require custom viewers to work on the grid. Often the end user is recompiling the viewer themselves just to get in SecondLife. In some cases such as omvviewer, this was allowing a lot of 64bit linux users to connect that otherwise would not be able to, or would suffer frequent crashes due to 32/64bit mixed issues. Loosing many of these viewers would prevent significant numbers of users connecting to the SL service and also break significant in world content and systems that require bots to operate.
  
 
==Viewer Authentication and faking==
 
==Viewer Authentication and faking==

Revision as of 05:33, 28 October 2009

ToDO TODAY!

I'm sketching out ideas here over my working day and expanding out on topics, feel free to ping me on AWG/#opensl for live discussion

Key areas

  • Viewer registry
  • Viewer identification
  • Encryption of communication
  • Content theift
  • Server/Protocol security issues
  • Open source contributions to the stability and features of LL viewer
  • Open source inventions, new ideas, creativity with 3rd party viewers
  • non LL code base viewers and utility programs (text clients and bots)
  • Clari faction of TOS points

Viewer registry

Currently the entire concept of what is proposed by LL is very unclear and there is concern from the community that the entire concept may not work at all. Discussions on the Initial blog comments and at our pre-BB meeting has highlighted many of the concerns. The possible implementations we can visualize of this idea range from a simple list of "approved" viewers to only allowing "approved" viewers to connect to the grid.

Starting from the simple list extreme - There is some support for some ideas in this area from many in the opensource community, but this depends on exactly what is proposed. Some basic questions that cover all possible implementations include :-

  • How would you get on this list?
  • Who is making this decision?
  • How are "approved" viewers actually checked?
  • Exactly what does Linden do with the viewer registry list?

Subject to the above questions, the most basic implementations is just a list of viewers linking to there websites. Almost like we already have on the wiki now [link needed]

One issue here is that a list could give users some confidence in the viewer as a common concern is, "how can i trust a 3rd party viewer with personal information such as username/password combinations?". But conversely NOT being on the list could be seen as being an evil viewer and this is not a good situation either.

Moving along the scale we have things like providing some kind of crypographic signature for viewer binaries so that the list of approved viewers also contains, for a trivial example, a MD5 sum, or even a gnupg signature, so the user would then know they were getting the real thing from the 3rd part developer, whist the basic concept of "signing" a viewer is ok to many, if this was on the list it open up new questions :-

  • How would we update the list?
  • Are we really going to have to jump through hoops every time we make a minor change?
  • Will this affect our ability to test our code as we develop it? Will we still be able to connect to Agni to test new changes?

Things like gnupg could avoid much of this as you could check the key was for an example the "Emerald developers" key, you wound not need to change the registry at all and the 3rd party devs could push out as many releases as they liked they just sign with there private key and the viewer registry contains the public key. Debian uses this system for there official apt repositories BUT there is *no requirement* in Debian to use there official apt repository, a user could simply download a deb from a web site or use a 3rd party apt repository and this should not be a requirement here either. Who bears the responsibility if a bunch of devs are all pushing binaries with the "Emerald developers" key.

The other extreme of the viewer registry is only allowing approved viewers to connect to SL, this is related to the Authentication topic which i will discuss next. But this falls in to the whole category of limiting access to SL. Limiting SL access would IMHO be a very very bad move by LL, again the same questions of how to get approved come up, but now they have a real urgency and seriousness to them which much not be understated. There are many many viewers out there, all kinds of service bots, text clients, clients for blind users, web clients as well as the ones produced by LL. Just trying to process this number of viewers would be difficult, and you will result in many authors just not bothering at all. There are viewers being developed for light operation with out graphics for low end systems, viewers designed for the blind user. There are also viewers for systems systems as 64bit linux, *BSD etc. These mostly require custom viewers to work on the grid. Often the end user is recompiling the viewer themselves just to get in SecondLife. In some cases such as omvviewer, this was allowing a lot of 64bit linux users to connect that otherwise would not be able to, or would suffer frequent crashes due to 32/64bit mixed issues. Loosing many of these viewers would prevent significant numbers of users connecting to the SL service and also break significant in world content and systems that require bots to operate.

Viewer Authentication and faking

Currently the viewer only notifies the SL service what it is, via the channel it connects with. LL has the ability to block a specific channel there for crippling viewers that use that channel. In the above viewer registry discussion one extreme was only allowing authorized viewers to connect. But this also applies to creating a blacklist of bad viewers based on how they identify themselves.

Remote "untrusted" client authentication is a real world problem that no one has successfully solved. It just simply is not possible to get the viewer to say to the server I am viewer XZY and for anyone to actualy be even 10% sure that this is true. The viewer now as mentioned uses a trivial protocol to announce what it is. This is probably as good as this system will ever get.

The fundamental issues are even if an encrypted/cryptographic system was used for the viewer ident system, the keys to the crypo MUST be on the users system or else their viewer could not encrypt the message in the first place, and there for all this has done is started an arms race. Any hacker could simply extract the appropriate keys and use this to encrypt their own message and pretend they are XYZ viewer. This is not as difficult as it sounds, Microsoft's media DRM suffers from this type of attack, the DRM keys to decrypt the media are on your HardDisk if you are allowed to listen to it. So you just need to find those keys and you have unlocked the media. This is VERY common and microsoft have even taken steps to build this into there operating system to protect the keys. In a program such as a Secondlife Viewer, there is keys must be there in the code for all to extract by some means or other.

In summary here, relying on viewer authentication for either restricted access or for blacklisting viewers is doomed to failure and will result in good viewers being faked as bad and banned/blacklisted. It creates unnecessary hurdles for those creating 3rd part viewers and those greifing will invest the effort in to pretending to be viewers they are not (such as the offical LL viewer, or some 3rd party scapegoat viewer), or simply use approved viewers (including LL's own viewer) to carry on the greifing exactly as they did before.

Encrypting communications

This seems to be a particularly hot topic and one of the key concern areas for LL with regards to 3rd party viewers.

There are plenty of valid reasons for wanting private communications, one big one especially with LL's push for more businesses to come to SL to do work is that businesses do not want all there communications logged. I think if any business found out their private island meetings are recorded would be bad enough, but the fact IM's are also logged and encryption is seemingly not allowed would be the final nail in the coffin. Why would a business want to come to SL to do anything more than PR/Customer relations and advertising in this case.

We would like clarification of the ToS with regards to encryption and would like to understand exactly what the concern/requirement for LL log every IM is. For someone to receive an encrypted IM them must have first spoken to the other party and accepted the encryption key, so i find it hard to believe that just G-Team/AR reports are the reason for the concern here.

Possible reasons some us have considered include :-

  • AR/G-Team issues
  • A merge with the teen grid, concern over adults using encrypted chats with minors
  • Anti terror type issues

Please can LL just be open and honest on what the issue with encryption is, why its a problem?

Voice is not apparently logged by IM and voice based ARs are a problem to report, but it should be noted the voice packets go over vivox's network, are they recording the voice?

Content theft

This is a very difficult problem to solve but the following points are relevant :-

  • The first copy bot existed before the viewer was open source
  • The worst issues have been LL server exploits, either allowing xfer hacks to produce 100% copies including original creator or to allow full perm hacks to even get to the scripts
  • LL servers have managed to just loose permissions in the past
  • Textures can always be ripped right out of the OpenGL (or DirectX buffer)
  • Sounds and other assets also have some vulnerability, the cache is a weak spot, but is a needed thing for proper viewer operation

Now please don't get me wrong, i am not saying there is a free for all on these assets, but they are difficult to protect and that 3rd party viewers are a very long way away from the core problems.

That said, Emerald were one of the first to introduce a system for protecting the clothing layers, which LL have since adopted ideas from and have done there own version. This point should not be understated as this is a 3rd party viewer actively trying to prevent theft.

What else can 3rd party viewers do in this area? Developers of viewers expressed interest in helping protect content, but actually how to do this is an exceeding difficult challenge.

There was talk of watermarking images, a possible but again fake-able and how to you enforce this/prove this/prove you had original copyright/not get ARd for using a free image someone else already did etc.

Server/Protocol security issues

As mentioned in content theft, the worst issues have been server side/protocol issues. Many of these issues have been reported to LL a long time ago, I am not sure if the messages simply did not get to the right developers, or they were not taken seriously. But it has taken the development of renegaded viewers for LL to take these vulnerabilities seriously and to actually start patching the server.

If anything this teaches us the open source method works at finding issues but people *really* need to listen to the issues that are found and act on them

Open source contributions to the stability and features of LL viewer