Simulator User Group/Transcripts/2012.06.05
|Prev 2012.06.01||Next 2012.06.08|
List of Speakers
|Angus Mesmer||Arawn Spitteler||Baker Linden|
|Chieron Tenk||Draconis Neurocam||Jonathan Yap|
|Keli Kyrie||Kelly Linden||Liisa Runo|
|Melvin Starbrook||Nalates Urriah||NikoKito Aries|
|Noa Arrowmint||Qie Niangao||Rex Cronon|
|Sahkolihaa Contepomi||Simon Linden||Slee Mayo|
|Squirrel Wood||Tankmaster Finesmith||Theresa Tennyson|
|Tillie Ariantho||Vincent Nacon||Yuzuru Jewell|
[12:02] Simon Linden: OK, I just got a note from Andrew that he's not able to make it today, so I'll be the ringleader
[12:02] Rex Cronon: how r u doing simon? fulloy rested and ready to fight server code:)
[12:02] Simon Linden: He says he has no news, fwiw
[12:02] Rex Cronon: fully rested*
[12:02] Jonathan Yap: The fight was yesterday I think
[12:03] Simon Linden: Thanks Rex, yes, I've been enjoying long weekends
[12:03] Simon Linden: Right Jonathan, there was some interesting fights yesterday
[12:03] Keli Kyrie: Hi Kelly
[12:03] Melvin's Windup key TO: Melvin Starbrook's windup key has run out.
[12:03] Jonathan Yap: Are all issues resolved? Because someone this morning was getting a hud forceattached against their will
[12:03] Simon Linden: ... which brings me to the news. We rolled new code grid-wide yesterday due to a security issue
[12:03] Rex Cronon: all the interesting stuff happens when i am not logged in:(
[12:04] Sahkolihaa Contepomi: Security issue - the force teleport one?
[12:04] Simon Linden: Yes Koli
[12:04] Tankmaster Finesmith: that was... an interesting exploit
[12:04] Simon Linden: I believe that should be resolved, Jonathan. If you're still seeing something, we'd love to know via a SEC jira
[12:04] Sahkolihaa Contepomi: Yes, Kelly's hour was ... fun.
[12:04] Rex Cronon: somebody took advantage of foreced tp?
[12:04] Tankmaster Finesmith: many someone's
[12:05] Simon Linden: Yes, it definitely was one of those only-in-SL problems
[12:05] Melvin Starbrook: forced tp?
[12:05] Tankmaster Finesmith: new lsl command
[12:05] Theresa Tennyson: Sending Goreans to My Little Pony sims and vice versa, along with other interesting schemes.
[12:05] Rex Cronon: haha
[12:05] Tankmaster Finesmith: no, one of the new experence lsl commands
[12:05] Simon Linden: So that put a wrench into this week's deploy plans, and the normal Tuesday roll didn't happen. The RCs will be updated tomorrow on schedule, however
[12:05] Melvin Starbrook: for friefers?
[12:06] Simon Linden: That's all I have for news - Kelly, do you have anything?
[12:06] Simon Linden: or Baker?
[12:07] Rex Cronon: let me guess. the funtion didn't check if somebody had the rights to tp others?
[12:07] Rex Cronon: the function*
[12:07] Sahkolihaa Contepomi: Rex - yup.
[12:07] Melvin Starbrook: we gotrestrained viewers
[12:07] Simon Linden: I don't know the exact details Rex, but yes, it was a permissions issue
[12:08] Sahkolihaa Contepomi: Everyone at Kelly's user group yesterday got sent to the public cornfield.
[12:08] Kelly Linden: *IF* llHTTPRequest were allowed to set custom request headers, are there any (besides those set by the server already) that should be blocked / blacklisted?
[12:08] Vincent Nacon: huh... I was gonna skip this meeting because I figured people would be overrunning here about that TP hack
[12:08] Melvin Starbrook: i hope i can turn off auto tp
[12:08] Melvin Starbrook: bcause t doesnt dound fun
[12:08] Liisa Runo: tp worked on collision to anyone when the prim had perms of owner
[12:08] Baker Linden: I don't really have anything big so far -- still working on a permissions bug
[12:09] Melvin's Windup key TO: Melvin Starbrook's windup key has run out.
[12:09] Keli Kyrie: @ Koli really? lol... oops sorry but it is kind of funny
[12:09] Jonathan Yap: I think there should be a notice when a force attach occurs, allowing you to block whatever object is performing that action on you
[12:09] Simon Linden: Does anyone have ideas on Kelly's question?
[12:10] Vincent Nacon: it does, Jonathan, with the experience permission
[12:10] Rex Cronon: depends what header does the mini http server implements
[12:11] Æ? (ashiri): as long as the permission check is on all servers right?
[12:11] Vincent Nacon: yeah...
[12:11] Qie Niangao: The Corn Fieldtrip was actually kinda fun. But I wonder if these functions getting proper testing on Aditi before RC deployment? (And by "proper testing" I mean public, not just closed-beta -- if they're even getting that)
[12:11] Rex Cronon: so can u give us the full list of http headers that it implements?
[12:12] Melvin Starbrook: when we get last names back
[12:12] Melvin Starbrook: ?
[12:13] Kelly Linden: I don't quite follow that question Rex.
[12:13] Simon Linden: Qie - these took a different route than most features, since they were part of the Linden Realms project. We definitely want to learn and not repeat this, so will be improving things
[12:13] Simon Linden: or at least increasing our paranoia
[12:13] Qie Niangao: Cool. Thanks Simon
[12:14] Rex Cronon: the http server has a list of headers that it implements/allows. usually htpp servers don't allow/implement all possible headers
[12:14] Tankmaster Finesmith: but it adds to the excitement of being in SL :P
[12:14] Kelly Linden: Rex: I am talking about adding request headers for outgoing requests that would be sent to remote servers
[12:14] Rex Cronon: ok
[12:14] Simon Linden: Melvin - I don't know of any project bringing the old-school names back for new accounts. I know Rod talked about it a while ago, but I think it was dropped
[12:15] Tillie Ariantho: For security issues only allow a few headers needed?
[12:15] Kelly Linden: So the answer varies by what server you are connecting to.
[12:15] Vincent Nacon: you're not getting old last name back
[12:15] Kelly Linden: What security reasons Tillie?
[12:15] Tillie Ariantho: Security to your infrastructure etc?
[12:15] Melvin Starbrook: thank you Simon..
[12:15] Qie Niangao: Yeah, I'm not actually seeing the risk with non-standard headers -- but I'm no expert.
[12:15] Kelly Linden: Currently it is not possible to set any custom headers on outbound requests. Adding headers does not (in general) create a security issue for our servers.
[12:16] Angus Mesmer: Speaking of names, any way the first(dot)second names could be recognised by search, to make it faster when copy/pasted from a profile?
[12:16] Rex Cronon: can it be used to launch a DOS on other servers?
[12:16] Tillie Ariantho: Ah you mean additional headers the script can set... hm.
[12:16] Kelly Linden: Rex: no more or less so than without custom headers.
[12:16] Jonathan Yap: Angus, Baker is fixing that
[12:16] Vincent Nacon: muhaha! Rex
[12:16] Slee Mayo: kelly: http://michael-coates.blogspot.com/2010/05/csrf-attacks-and-forged-headers.html
[12:17] Slee Mayo: using forged headers for DoS
[12:17] Simon Linden: Angus - that's actually a good idea. It's not directly something the server does (what Baker, Kelly and myself work on) so could you file that as a SVC jira request? I'll see it when we do triage and pass it to the web / search guys
[12:17] Angus Mesmer: I'll try to find the proper place to post it.
[12:17] Qie Niangao: (incidentally, Rex, http://wiki.secondlife.com/wiki/LlGetHTTPHeader has a list of special *received* headers, if that's of interest... but you may know those already)
[12:18] Jonathan Yap: Baker, I think you need to bring Simon up to speed on your first.last name work :P
[12:18] Baker Linden: Simon, we have a jira like that. I'm partially done with it :)
[12:18] Rex Cronon: let me check
[12:18] Simon Linden: Please be explict on where in the UI you're seaching from - there are a lot of ways to look up names
[12:18] Baker Linden: it's in the people finder tool
[12:18] Baker Linden: web searches work fine
[12:18] Baker Linden: apparemtly
[12:18] Tillie Ariantho: Maybe only allow custom headers that start with X-? Like X-somekeyname: blablubb ? I think those cant do any damage.
[12:18] Kelly Linden: Slee: that is essentially a man in the middle attack where the server causes the client to initiate a request and then forces/forges some headers.
[12:18] Simon Linden: I was assuming he was talking about web searching
[12:19] Slee Mayo: ko
[12:19] Baker Linden: Ahh. From what the JIRA says, web searching should be fine
[12:19] Kelly Linden: I don't think that applies here: LSL is the client in this case, not the server: it would be just as susceptible to this kind of attack and setting your own headers isn't the problem here.
[12:19] Kelly Linden: Also the conclusion seems to be on that page that there is no real security risk
[12:20] Qie Niangao: but Kelly, why is there a need for these custom headers? Some special server needs feeding?
[12:20] Kelly Linden: The real use case for the custom headers is for auth controls and interacting with 3rd party services (google, parse.com, etc) that use headers. Restricting how those headers look too much negates the use.
[12:20] Qie Niangao: ah
[12:20] Kelly Linden: It would allow much better mashups of SL + general web
[12:21] Qie Niangao: sounds reasonable.
[12:21] Qie Niangao: (as if I actually had a clue)
[12:22] Simon Linden: hmm, well, if it gets too quiet, maybe we should bring up prim accounting or script limits....
[12:22] Kelly Linden: I find parse.com and similar services particularly exciting as easy and relatively cheap ways to solve the long existing persistent storage issue in LSL. But these services require API keys and user keys etc in the headers in most cases. Google uses similar techniques as well.
[12:23] Simon Linden: parse.com is pretty cool
[12:23] Rex Cronon: maybe the header used for forwarding
[12:23] Æ? (ashiri): So making the lsl client look likr a 'rea' browser?
[12:23] Slee Mayo: i let my local php parse for me, then hand back off to sl
[12:23] Slee Mayo: much faster
[12:24] Kelly Linden: Yes, Rex. I did plan on blocking any headers we set (like the object owner, pos etc, as well as user-agent) and forwarding related headers.
[12:24] Melvin's Windup key TO: Melvin Starbrook's windup key has run out.
[12:24] Kelly Linden: ashiri: more like making it look like a real scripted web client.
[12:24] Kelly Linden: like what you could do from python or perl or ruby etc.
[12:24] Æ? (ashiri): I see
[12:27] Simon Linden: Results would have to be all text, I assume, but being able to connect to more sources would be interesting
[12:27] Rex Cronon: i wonder if a tor like system would be possible?
[12:28] Kelly Linden: Ah yes. Still needs a text response though I'd be looking at opening it up to accepting application/json as well. Though it will be difficult to deal with those results, they *are* text so it isn't impossible.
[12:28] Simon Linden: I'm not sure I understand what you'd be trying to do there, REx
[12:28] Æ? (ashiri): I have a project at the moment which would likely work better with being able to set a custom header to avoid having to pass info in the url
[12:28] Rex Cronon: u could use http server to annonymosly search the web:)
[12:29] Rex Cronon: u would a need a custom viewer
[12:29] Slee Mayo: simon, is it ok if i rez my earthquake map?
[12:29] Melvin's Windup key TO: Melvin Starbrook's windup key has run out.
[12:29] Simon Linden: I guess you could, until you hit some larger pages
[12:29] Kelly Linden: I'm not sure how tor works at this level, does it actually require custom headers? I imagine the difficulty in implementing tor would be encryption and the multiple connections and rebuilding the data.
[12:29] Simon Linden: Slee - I don't know exactly what that'll do, but assuming you're not about to grief us, go for it.
[12:30] Slee Mayo: ha, no
[12:30] Slee Mayo: i'm currently using custom headers local php to fake referer to usgs
[12:30] Simon Linden: Nice!
[12:31] Tillie Ariantho: :D
[12:31] Slee Mayo: takes a few minutes to load 7 days worth
[12:31] Keli Kyrie sings I gots the world world at my feet....
[12:31] Noa Arrowmint: it's the NOAA weather system :)
[12:31] Slee Mayo: yes, no current storms atm
[12:31] NikoKito Aries: nice work
[12:31] Tillie Ariantho: Is that for sale somewhere? :D
[12:31] Melvin Starbrook: wow
[12:31] Melvin Starbrook: hihi
[12:31] Simon Linden: I think it was the NOAA that had some regions with a big weather map you could walk around
[12:31] Melvin Starbrook: fun
[12:32] Slee Mayo: no, i don't sell in sl, just a personal project
[12:32] Tillie Ariantho: awww :-(
[12:32] Tillie Ariantho: Thats lots of earth quakes?
[12:32] Simon Linden: Is the NOAA data basic text, so with the header control you might not need your php server?
[12:32] Slee Mayo: yuh, only showing 2.5 magnitude and up
[12:32] Slee Mayo: noaa data is easier to grab
[12:32] Melvin Starbrook: 128 and counting
[12:32] Slee Mayo: rss feed
[12:33] Keli Kyrie: oops looks like there just was one
[12:33] Jonathan Yap: Even if itis not basic text there often is a different url where is it plain text
[12:33] Slee Mayo: oh..that reminds me...sl won't allow you to bring back certain types of xml
[12:33] Slee Mayo: 'unknown format'
[12:33] Melvin Starbrook: that many quakes.. ow fifnt know that hihi
[12:34] Tillie Ariantho: Beware, Lindens, lots of quakes over at SF. :-o
[12:34] Angus Mesmer: That is somewhat normal
[12:34] Simon Linden: oh nice, each event has a link
[12:34] Slee Mayo: yes, to it's corresponding usgs page
[12:34] Tillie Ariantho: :D
[12:34] Keli Kyrie: Yes there are lots of quakes everyday but most are so small people don't usually feel them
[12:34] Tillie Ariantho: Now thats some really cool SL project. =)
[12:34] Tillie Ariantho: blog worthy. :P
[12:35] Rex Cronon: so the most recent ones r bright red?
[12:35] Slee Mayo: coloe is by magnitude
[12:35] Slee Mayo: -e
[12:35] Melvin's Windup key TO: Melvin Starbrook's windup key has run out.
[12:35] Slee Mayo: lower = orange, get redder for higher magnitudes
[12:35] Keli Kyrie: If you look at the one in California right now they are all under 3.0... if you are moving around you most likely won't feel one of those
[12:35] Slee Mayo: not much of a contrast difference though
[12:36] Keli Kyrie: (s)
[12:36] Rex Cronon: it would be nice if either height or color were used to show how long ago they took place
[12:36] Angus Mesmer: and diameter to help with the magnitude?
[12:36] Slee Mayo: yes, i thought of making magnitude pin height, color = time
[12:37] Slee Mayo: past hour...past 24hrs...pas week..etc
[12:37] Qie Niangao: or could be alpha = time.
[12:37] Keli Kyrie: No way to click on a pin and get more info?
[12:37] Slee Mayo: yes
[12:37] Keli Kyrie: oh it does work
[12:37] Tillie Ariantho: And with request headers you could make that easier to get?
[12:37] Keli Kyrie: I was trying right click
[12:37] Rex Cronon: right. transparancy
[12:38] Slee Mayo: not really, i'm just using the custom header in php to grab the data, usgs is looking at refering page
[12:38] Slee Mayo: so i fake referer
[12:38] Tillie Ariantho: Ah :->
[12:38] Keli Kyrie: Yep that 3.5 quake is right by me and I did not feel a thing
[12:39] Vincent Nacon: 3.2 woke me up in middle of night one time
[12:39] Rex Cronon: u could run your own server that parses all the data, and have an lsl read it and update this map
[12:39] Slee Mayo: i am
[12:39] Keli Kyrie: yes if you are not moving in bed you are more likely to feel it
[12:39] Rex Cronon: nice
[12:39] Simon Linden: Running that extra server is a lot of work - hopefully the new headers will avoid that in some cases
[12:40] Slee Mayo: php strips out the info i want, puts it in a nice format so it's easy to parse to list
[12:40] Tillie Ariantho: Maybe someone is providing some csv data of all the earthquakes, too. might be easier to use.
[12:41] Slee Mayo: yes, there are some feeds for quakes
[12:41] Simon Linden: yeah, parsing in LSL isn't fun
[12:41] Qie Niangao: I'm wondering if parse.com could serve as that intermediate server. (By default, I'd have probably tried to use a google app or something)
[12:41] Slee Mayo: from usgs, but i wanted data not supplied on the feeds
[12:41] Rex Cronon: a map like this might be quite nice for strategy games in sl:)
[12:41] Angus Mesmer: It should definitely be displayed somewhere
[12:41] Tillie Ariantho: Rex: next war is being mapped in SL... O.o
[12:42] Rex Cronon: war with the ET?:)
[12:42] Angus Mesmer: You never know...
[12:43] Keli Kyrie: What is the time period for the map. How long does a quake stay on there before it falls off?
[12:43] Slee Mayo: usgs takes roughly 10-15mins to confirm the quake, then updates their site
[12:43] Tillie Ariantho: Keli: if you kick the table, it falls off. :D
[12:44] Slee Mayo: oh, sorry, past 7 days worth, keli
[12:44] Keli Kyrie: lol Tillie ty Slee
[12:44] Rex Cronon: how often is it updated? every 10 minutes?
[12:44] Slee Mayo: yes
[12:45] Rex Cronon: can u force update earlier?
[12:45] Qie Niangao: Enough aftershocks and you need to buy more prim land. :P
[12:45] Slee Mayo: not atm
[12:45] Slee Mayo: other than resetting script
[12:45] Angus Mesmer: How to hijack an office hour in one easy step. Bring an educational toy. I like it. :)
[12:45] Slee Mayo: i wrote a smaller script for my hud that alerts me of certain sized quakes
[12:45] Simon Linden: Each data point is a new rezzed prim, right?
[12:45] Slee Mayo: yes
[12:46] Squirrel Wood: You should make a point and use mesh for it ;)
[12:46] Chieron Tenk: hm, any way to get rid of the overlap ? the biggest quake on the map in bolivia is on the same spot as a medium 4.4 one
[12:46] Slee Mayo: map plots them by long/lat
[12:46] Slee Mayo: that's where they landed
[12:46] Tankmaster Finesmith: you could fill your region prim count with an event like in japan a few years ago ?
[12:47] Chieron Tenk: indeed.
[12:47] Qie Niangao: oh, heh, this would be much harder math using a different map projection.
[12:47] Yuzuru Jewell: I saw it.
[12:47] Simon Linden: Are these Richter scale values
[12:47] Simon Linden: ?
[12:47] Æ? (ashiri): I suppose one could also create a one-prim version using self-served pages with css for positiong (though that might be tricky)
[12:48] Rex Cronon: now i am taking over it:)
[12:48] Simon Linden: lol, this is going to turn in to a game of Risk
[12:48] Arawn Spitteler: Tsunami? What's a good quake without a Tsunami?
[12:48] Slee Mayo: yes, simon
[12:48] Noa Arrowmint: haha
[12:48] Chieron Tenk: squirrzilla?
[12:48] Rex Cronon: surrender:)
[12:48] Squirrel Wood: Now that should register somewhere all over africa :p
[12:48] Slee Mayo: if i recall...they changed the scale to make quakes not look so bad, not sure of how big the change was
[12:48] Tillie Ariantho: Africa goes nuts :P
[12:49] Melvin Starbrook: play risk lol
[12:49] Rex Cronon: :)
[12:49] Tankmaster Finesmith: the change was that over 5, it wasnt really accurate or something like that
[12:50] Melvin's Windup key TO: Melvin Starbrook's windup key has run out.
[12:50] Rex Cronon: too bad a im can't take over 100 avatars, otherwise u could make a nice strategy game:(
[12:50] Rex Cronon: too bad a sim*
[12:50] Angus Mesmer: Hmm...
[12:51] Squirrel Wood: AI, pathfinding, ...
[12:51] Squirrel Wood: and you has 100+
[12:51] Arawn Spitteler: Can't they? How many can a server take?
[12:51] Melvin Starbrook: 4 sims :)
[12:51] Slee Mayo: ok, going to delete
[12:51] Melvin Starbrook: pooof
[12:51] Squirrel Wood: OMG! You destroyed the world!!!!!111oneoneeleven!
[12:51] Rex Cronon: if u go over 100 usually things start to go slow
[12:51] Rex Cronon: nope. is in storage:0
[12:52] Squirrel Wood: ^^
[12:52] Zander Roxley: squirrel >.>
[12:52] Melvin Starbrook: wee yo ever part of a giant snail race hihi
[12:52] Squirrel Wood: Z!
[12:52] Melvin Starbrook: lol
[12:52] Nalates Urriah: Neat,keep RL in invenotry...
[12:52] Angus Mesmer: Which then also contains your SL, which contains your RL, etc...
[12:53] Rex Cronon: it gets coplicat...
[12:53] Tillie Ariantho: Angus: have fun with doing a (recursive) backup. :P
[12:53] Simon Linden: We're getting near the end of the hour ... are there any hot bugs we should know about?
[12:53] Melvin Starbrook: it will go kaboom!
[12:53] Tankmaster Finesmith: probably
[12:53] Tillie Ariantho: Mesh only loading on second attach is no server bug, right? :P
[12:54] Arawn Spitteler: Probably, but we don't know about them yet.
[12:54] Draconis Neurocam: is the thing with regionagentlists not working on attachments for parcel lists going to be fixed soon?
[12:54] Squirrel Wood: snowstorm forgetting to render parts or entire attachments ?
[12:54] Theresa Tennyson: Is the fix for the rezzing problem going to make the RC servers?
[12:55] Slee Mayo: i had a question about the newteleportagent function...when another user clicks it to tp....i foresee griefers making teleport perm stealers like anims
[12:55] Theresa Tennyson: SVC-7902
[12:55] JIRA-helper: http://jira.secondlife.com/browse/SVC-7902
[#SVC-7902] Problem of not being able to rez on my land continues
[12:55] Simon Linden: Yes, that will be in an RC tomorrow
[12:55] Theresa Tennyson: Woot!
[12:55] Theresa Tennyson: (It's scary that I had the JIRA memorized though)
[12:56] Angus Mesmer grumbles something about his ARs for copybotting apparently never going through. Got to be a bug.
[12:56] Tankmaster Finesmith: what about the one where restore to last position doesnt always work?
[12:56] Squirrel Wood: they do get through - you will not receive any feedback though
[12:57] Angus Mesmer: I know about no feedback. But no effect, I don't like.
[12:57] Simon Linden: The "restore to last position" caused some discussion -- apparently when it was on it caused a lot of problems, because people would restore onto a new region and put stuff underground, or off in a far corner and not realize it
[12:58] Æ? (ashiri): Is there a way to revoke given TP permissions ?
[12:58] Rex Cronon: i think u have to tp to a different sim in order to revoke the perms
[12:59] Jonathan Yap: Maybe there should be a "Revoke all permissions" menu entry, like there is for stopping animations
[12:59] Tankmaster Finesmith: so is LL going to remove that function then?
[12:59] Simon Linden: I don't know, Ashiri
[12:59] Nalates Urriah: You can ask Huseby Linden in Oskar's Thursday meeting
[13:00] Meeter: Thank you for coming to the Server User Group
[13:01] Simon Linden: Thanks everyone for coming this week
|Prev 2012.06.01||Next 2012.06.08|