Transcript of Zero Linden's office hours:

[7:33] Saijanai Kuhn: IM an officer for an invite
[7:33] otakup0pe Neumann: g'day zero
[7:34] Zero Linden: hello all
[7:34] Wyn Galbraith: Just join, it's free.
[7:34] Tree Kyomoon: welcome to your office hours zero!
[7:34] Saijanai Kuhn: hey zero
[7:34] Cup of Hot Coffee whispers: Ah!Hot, strong, and STEAMY!
[7:34] Saijanai Kuhn: its a closed group now, Wyn
[7:34] Wyn Galbraith: But sometimes they're like an annoying IM buzz in the ears.
[7:34] Coffee Mug whispers: Ahh! Fresh Hot Coffee
[7:34] Zero Linden: Wow - it's my office hours.... cool!
[7:35] Tree Kyomoon: are you in chicago?
[7:35] Morgaine Dinova: 'Morning Zero
[7:35] Zero Linden: Me? Alas no. I'm in Mtn. View
[7:35] Zero Linden: I'm the only one in the office
[7:35] otakup0pe Neumann: heh. it's still early on the west coast though ;)
[7:36] Tedd Maa: Zero: Could you remind Baabbage to post a sample C# script? he said he would, but probably forgot
[7:36] Tree Kyomoon: guarding the top secret files from those stealers at HIPIHI
[7:36] otakup0pe Neumann: ooh. hoverchair.
[7:36] Wyn Galbraith: Don't you love that Zero, being the first in the office?
[7:36] otakup0pe Neumann: haha tree.
[7:36] Morgaine Dinova: Can't really blame them, early risers and rather uncommon :-)
[7:36] Morgaine Dinova: are*
[7:36] Saijanai Kuhn stifles a yawn
[7:36] Zero Linden: Reminded, Tedd.
[7:36] Saijanai Kuhn time = SL time
[7:36] Tedd Maa: thanks :)
[7:36] Wyn Galbraith: Don't start Saijanai, I'm really weak to just that word.
[7:37] Zero Linden: Well, for ages, when all we had was a SF office - I would get in at 7am every morning.... usually the one to open up.
[7:37] Zero Linden: It was pretty nice.
[7:37] Wyn Galbraith: One of the ponies found that out and now IMs me the y* word out of the blue. Mt View is nice.
[7:37] Saijanai Kuhn: btw, Zero, grats on a smooth HetGrid start
[7:38] Morgaine Dinova: Oh, I often saw 7am in my early tech days .... but by doing all-nighters from the other end of the day :-)
[7:38] Tedd Maa: I'm a developer, I'm expected in around noonish...
[7:38] otakup0pe Neumann: Heh.
[7:38] Tree Kyomoon: yes, can we go visit it yet?
[7:38] otakup0pe Neumann: Visit the het grid ?
[7:38] Zero Linden: Hey - thanks. The Het Grid parts went swimmingly
[7:38] Wyn Galbraith use to get up at 5am to be in Petaluma by 6:30am.
[7:38] Zero Linden: "You're soaking in it"
[7:38] Tree Kyomoon: lol
[7:38] otakup0pe Neumann: Haha Zero - nice
[7:38] Tree Kyomoon: feeling heterogenous already :)
[7:39] Zero Linden: Which is to say that the grid is "Het" enabled, and we can bring up special build regions at any time
[7:39] Rex Cronon: hello everybody
[7:39] Saijanai Kuhn: someone last night told me the blogs said that it was only partially converted...
[7:39] Wyn Galbraith het het hets.
[7:39] Zero Linden: But not sure when the first test of that will be
[7:39] otakup0pe Neumann: so. let's go on a field trip to an island with mono ;)
[7:39] Morgaine Dinova: "No sex please, we're American (but violence is OK)" :-)
[7:39] Zero Linden: Saijanai - they were wrong.
[7:39] Saijanai Kuhn wants his own private mono sandbox to play in
[7:39] Saijanai Kuhn: you can call it Sajanaiville
[7:39] Zero Linden: HetGrid is more a set of tools for how we do deploy and region management
[7:39] Wyn Galbraith: It was partly done last update.
[7:40] Wyn Galbraith: Not this update, correct Zero?
[7:40] Zero Linden: The logic to enable the sims to handle it was 95% Message Liberation
[7:40] Saijanai Kuhn: the switch was flipped yesterday
[7:40] Tree Kyomoon: so does this mean an end to the wednesday grid takedowns?
[7:40] otakup0pe Neumann: That went in with 1.18 right Zero ?
[7:40] Zero Linden: Well, in the sense that deploys are all now using the new tools
[7:40] otakup0pe Neumann: I haven't had to update any bots since then !
[7:40] Zero Linden: Yes, MsgLib was 1.18
[7:40] Wyn Galbraith: Ah darn, that's bathroom, bed and laundry time ;)
[7:41] Wyn Galbraith cleans during downtime LOL
[7:41] Morgaine Dinova: Hehe
[7:41] Zero Linden: So, for anyone new here: Welcome to my office hours. Well, welcome to all you old-timers too
[7:41] Tree Kyomoon: so Zero have you tried Hipihi yet?
[7:42] otakup0pe Neumann: So what's on the agenda today Zero
[7:42] Zero Linden: We hold discussion about technical topics around the grid, and the transcript is published on the wiki.
[7:42] Zero Linden: So speak openly, speak freely.
[7:42] Zero Linden: No, I've not tried HiPiHi - I don't think they have a Mac client...
[7:42] Zero Linden: (and I'm a hopeless Mac addict)
[7:42] otakup0pe Neumann: that drives me nuts zero. so many things without a mac client.
[7:42] Saijanai Kuhn cheers
[7:42] otakup0pe Neumann: i've forsaken intellisense in favor of my mac :s
[7:43] Tree Kyomoon: you could try parallels
[7:43] otakup0pe Neumann: that's what they all say Tree.
[7:43] Zero Linden shudders
[7:43] otakup0pe Neumann: haha zero.
[7:43] Wyn Galbraith was looking at maybe getting her first Mac. "I've tested on Apples, but never owned a Mac before."
[7:43] otakup0pe Neumann: i bet you shuddered in real life as well. i know i did.
[7:43] Morgaine Dinova: People should simply totally ignore apps that only work on one platform.
[7:43] Zero Linden: actually heavy 3D generally doesn't work well under things like parallels
[7:43] otakup0pe Neumann: morgaine that's why i have yet to try entropia, eve online or umm.
[7:43] otakup0pe Neumann: kaneva.
[7:43] Tree Kyomoon: is the nvidia 8600 on the new macs better than the 7950?
[7:44] Zero Linden: Don't know
[7:44] Neas Bade: us Linux folks tend to get even less support than mac. Thankfully SL supports Linux pretty well
[7:44] Zero Linden: I had one topic to cover
[7:44] Wyn Galbraith noticed the reasonably priced Macbooks have Intel graphics.
[7:44] Saijanai Kuhn is innoent
[7:44] Tree Kyomoon: yuk
[7:44] Saijanai Kuhn: innocent*
[7:44] Zero Linden: and it is a going to take all of you willing to er, think outside the box a bit....
[7:44] Wyn Galbraith blames Saijanai's ants.
[7:44] Morgaine Dinova: otakup0pe: yeah, we're in a bizarre world, where one's machine's operating system decides which apps one can run. Just bizarre.
[7:44] Zero Linden: (and no, I'm not talking sculpties)
[7:45] otakup0pe Neumann: Think outside the timecube.
[7:45] Wyn Galbraith likes outside the box.
[7:45] Tree Kyomoon: heres a box to think outside of
[7:45] Zero Linden: What I want to talk about is how one logs into second life.
[7:45] otakup0pe Neumann: Ooh.
[7:45] Wyn Galbraith: Ah
[7:45] Tree Kyomoon: mmm
[7:45] Morgaine Dinova: Is that Intel X3100 chipset good enough for running the SL client?
[7:45] Wyn Galbraith: Painfully yesterday ;)
[7:46] Zero Linden: Right now, the viewer has, as you all know, a traditional name and password box
[7:46] Pavig Lok 's ears prick up
[7:46] Morgaine Dinova: Oh, I like what's coming.
[7:47] Zero Linden: and then that info is sent, over HTTPS to our login servers which validates it, sets up the session and returns enough session info to the viewer for the viewer to contact the first region
[7:47] otakup0pe Neumann: mmm sessionid.
[7:47] Zero Linden: (it also returns the "seed" capability for those who follow the details, which is also over HTTPS)
[7:47] Rex Cronon: would we have to give blood sample(or other kind of fluid samples) too? a id and pass no longer enough?
[7:47] otakup0pe Neumann: rex there is some other stuff in there i believe
[7:47] otakup0pe Neumann: i know libsl sends down contact information and a version string at least.
[7:47] Zero Linden: Well, on the other "side of the organization", the web site has the same sort of login set up
[7:48] Zero Linden: of course, it is a different sort of session id, and lets you into a different set of features
[7:48] otakup0pe Neumann: you mean with jira and the wiki and stuff zero ?
[7:48] Tree Kyomoon: cookie based?
[7:48] Zero Linden: There is indeed much other "set up data" that login sends, but it is irrelevant to the discussion of logging in....
[7:48] Tree Kyomoon: ;P
[7:49] Wyn Galbraith pastes cookies to Tree's ribs.
[7:49] Zero Linden: And, no, at present I'm not including PJira or the public wiki - I'm talking about the main web site
[7:49] Morgaine Dinova: Cookies for all!
[7:49] Zero Linden: where you log in to manage your account
[7:49] otakup0pe Neumann: oh ok.
[7:49] Zero Linden: and yes, like almost all account based web sites, we store the session id for the web site in a cookie
[7:50] Wyn Galbraith: So if we're logged into SL we're instantly logged into the website?
[7:50] Zero Linden: (and again, just to be clear, the web's session cookie has nothing to do with the grid's idea of session-ids (there are two for the grid))
[7:50] Tree Kyomoon: mmm tree eats the cookie from zero
[7:50] Zero Linden: Okay, so here's the deal
[7:51] Wyn Galbraith waits for it.
[7:51] Zero Linden: so
[7:51] Zero Linden: let's say that we, or you, wanted some stronger form of authentication
[7:52] Zero Linden: for example, say we supported some form of electronic key fob
[7:52] otakup0pe Neumann: There you go Rex. Fluid samples.
[7:52] Zero Linden: and you could choose to enable that for your account
[7:52] Wyn Galbraith: LOL
[7:52] otakup0pe Neumann: Hmm.
[7:52] Zero Linden points at the phrase "you could choose"
[7:53] Zero Linden raises eyebrows
[7:53] Tedd Maa: yes, definitively
[7:53] Zero Linden draws underlines
[7:53] Wyn Galbraith: Ok.
[7:53] Pavig Lok: ooOOOoo business has gotta like that (in world and out)
[7:53] Zero Linden doesn't want to see panic stricken headlines in certain newspapers
[7:53] otakup0pe Neumann: Heh.
[7:53] Tedd Maa: but, this would also allow for a more "smartcard" bank card approach to money
[7:53] Morgaine Dinova: Forget DNA, it's in the process of being reworked freely in biotech, and it carries no signature. :-)
[7:53] Wyn Galbraith: Well, Zero, you
[7:53] Zero Linden except The Onion
[7:53] Tedd Maa: encrypting payment with your private key
[7:53] otakup0pe Neumann: So it's opt-in rather than opt-out.
[7:53] Saijanai Kuhn sees the headlines Dongle required for free account
[7:54] Wyn Galbraith: you're going to see that no matter what, panic stricken headlines are some newspapers life.
[7:54] Zero Linden: But the issue is that IF this were available, we'd have to modify BOTH the website AND the viewer
[7:54] Zero Linden: and if some other anti-fraud thing came along that we could do during log-in, we'd have to do both again
[7:54] Zero Linden: SO
[7:54] Zero Linden: crazy ass idea
[7:54] Rex Cronon: if people were paying for it, u could afford it
[7:54] Wyn Galbraith doesn't think so.
[7:54] Zero Linden: what if you had to be logged in the web site to log in to SL.....
[7:54] Zero Linden: in particular,
[7:55] Zero Linden: once you were logged in on the web site, the web site would have some large button "Go In World"
[7:55] Tedd Maa: how about using only keys, but if user has disabled option the key is automatically installed? new key if feature is enabled (so old cached key is invalidated)
[7:55] Zero Linden: which would just launch the viewer and in you'd go.
[7:55] Wyn Galbraith would like that.
[7:55] otakup0pe Neumann: As long as it's cross platform Zero.
[7:55] Pavig Lok: (... and also i imagine use plugins and such stuff on the web side - plus get it out in the client to macs linux and pc)
[7:55] Zero Linden: oN: I'm pretty sure we can do that cross-platform
[7:56] Zero Linden: Well, I'm not sure that web browsers are going to be friendly to a plug-in as intensive as SL... but hey, go for it!
[7:56] Tree Kyomoon: /what about when you crash, a region logs you out, and you have to login 5 or 6 times to get back in or wait 5-10 minutes before the system lets you log back in?
[7:56] Tedd Maa: isn't "There" using that web-login approach?
[7:56] Morgaine Dinova: Cross platform AND open-source. You can't do authentication/security things in obscurity, it's a false concept.
[7:56] Rex Cronon: no way tree
[7:56] Zero Linden: Tedd - don't know, re. the previous discussion - windows only!
[7:56] Rex Cronon: if u r in the middle of something when u crash u can't wait 10 minutes to log in
[7:56] Zero Linden: Oh - I'll open source the method right here!
[7:57] Zero Linden: (how's that!)
[7:57] otakup0pe Neumann: haha.
[7:57] Morgaine Dinova: Good :-)
[7:57] Zero Linden: Basically, the "Go In World" button would link to a page on the web site that checks that you are logged in (as many of the pages on the web site do, this is easy)
[7:58] Wyn Galbraith: What is up with that 3-5 minute wait sometimes logging in after a crash?
[7:58] Tree Kyomoon: /that kind of turns logging in over to IE and it doesnt handle storing passwords very well, not as good as the SL client
[7:58] Wyn Galbraith doesn't use IE, uses Firefox.
[7:58] Tree Kyomoon likes that deleting my cookies in IE doesnt affect my user/pass storage in the SL client
[7:58] Zero Linden: then, if you are, it performs the first half of the log in process, getting a pair of session-ids (grid session-ids) for you and then returns them (all via HTTPS)
[7:59] Zero Linden: then the resulting page contains a redirect to "secondlife:/x/login?fn=Zero;ln=Linden;s1=190827981273971293;s2=210298309809"
[7:59] Zero Linden: or some such
[7:59] Tree Kyomoon doesnt understand what problem this is trying to solve for the average resident, it seems like it would cause unnecessary confusion
[7:59] Tedd Maa: just don't use URL to parse data from webbrowser to client... ;)(
[7:59] Zero Linden: the viewer starts, extracts the parameters, and contacts login.cgi now with the session ids rather than the password.
[7:59] otakup0pe Neumann: Tree the details would be hidden from the average resident.
[7:59] Tedd Maa: uhm,. exactly
[7:59] Zero Linden: and the rest is the same
[8:00] Tedd Maa: that is a bad idea, URL = very easy to catch for external apps
[8:00] otakup0pe Neumann: remember that the sl login screen is a web browser heh.
[8:00] Zero Linden: Tedd - that URL would be in an internal page redirect... you'd never see it
[8:00] Tree Kyomoon: SL is a webbrowser that is independent of IE or Firefox, and that is good
[8:00] Tedd Maa: browser inside app?
[8:00] Zero Linden: Tedd - right now, external apps could easily grab your password too....
[8:00] Zero Linden: and at least in this case, it is only a credential to log in once
[8:00] Tedd Maa: just had a round with my online bank on that, they are fixing it now... :)
[8:01] Rex Cronon: maybe the slviewer should be made with javascript?
[8:01] Benja Kepler: any thoughts on separating passwords for pjira/wiki and sl/web?
[8:01] Zero Linden: alas, most OSs provide a way for a web page to invoke an application and that way is via a registered URL scheme - and hence all info must be in the URL
[8:01] Wyn Galbraith: So similar to when you click on a SLurl without being in SL it launches SL.
[8:01] Zero Linden: Benja - let me get back to those in a bit
[8:01] Wright Juran: so two questions, the page doesn't give a url back to the SL client , so it connects straight onto the main grid? I know its not a issue for you but what about other "grids"
[8:02] Wright Juran: also will libsl clients still be able to connect to SL (the main grid)
[8:02] Tree Kyomoon: other grids would have their own launching pages?
[8:02] Zero Linden: WJ - we'd have to have buttons for "connect to Beta" and "connect to Gamma" etc....
[8:02] otakup0pe Neumann: wright we'll have to change the login code heh
[8:02] Zero Linden: though there is an issue of how to launch the right version of SL if you have several installed...
[8:02] Zero Linden: ...haven't worked that out
[8:03] Zero Linden: 1) On the issue of why not use the browser in the viewer - we could
[8:03] Rex Cronon: ask user to choose version
[8:03] Tree Kyomoon still doesnt understand how this makes the user experience better
[8:03] Zero Linden: but then we lose one thing --
[8:03] Tedd Maa: Using the OS feature for URL is what I mean, then any app can override it. Using it only internally in app is different
[8:03] Zero Linden: by using an external browser - we are teaching people to NEVER type their passwords into anything other than our log in page -- which is good
[8:03] Jansen Miles: Tree: single point of login
[8:04] Zero Linden: the other is that once this in use, you could use any 3rd party viewer build and not worry that they might steal your password
[8:04] otakup0pe Neumann: Hmm.
[8:04] otakup0pe Neumann: That sounds fun to implement. Detecting versions of SL on systems cross platform.
[8:04] Tree Kyomoon: I think it would be better if you log into the client and that logs you into the webpages automatically...websites are easy to create mimics of
[8:05] Wyn Galbraith: Login pages can still be spoofed.
[8:05] otakup0pe Neumann: So yeah how would this affect libsecondlife style clients ? they would presumably have to use this same login page ?
[8:05] Tree Kyomoon: for example
[8:05] otakup0pe Neumann: just using curl or whatever.
[8:05] Tedd Maa: they could still steal your private key.. :)
[8:05] Zero Linden: 2) We could support the current PW scheme for libsl - though I imagine it being deprecated.... but libsl could basically do the same log in - only now it would have to negotiate a web form
[8:06] otakup0pe Neumann: ok
[8:06] Zero Linden: it is conceivable we could do an API for libsl - but it would probably not work for any account that needed more than a PW... as perhaps it should!
[8:06] otakup0pe Neumann: hmm.
[8:06] Tree Kyomoon: /if there is to be a single point of login, why not put it in the client?
[8:06] otakup0pe Neumann: well this is open source you say... as long as we can still pass the same information in.
[8:06] Zero Linden: TK - because the client is open sourced and hence even easier to spoof in there
[8:07] otakup0pe Neumann: depending on what the account is used for, i can see higher forms of authentication being handy.
[8:07] Zero Linden: It would be like signing into paypal - you learn to NEVER do it except when you've followed your own bookmark to PayPal
[8:07] Pavig Lok: well if you're going to use a key just write closed source launchers for sl as a component
[8:07] Zero Linden: or your bank
[8:07] Zero Linden: Pavig - possible - but I see no reason for it to be closed source
[8:08] Zero Linden: there is no security added by that
[8:08] Tree Kyomoon: I still think its easier to create a copycat website than a copycat client, even if it is open sourced
[8:08] Zero Linden: True - but we already run that risk
[8:08] Morgaine Dinova: It's false security to rely on "thinking" that you're connected to the right site.
[8:08] Rex Cronon: how many times have webpages been hijacked?
[8:09] Zero Linden: in fact, right now, it is just as bad - you spoof the website to phish a password.... and you are totally in ....
[8:09] Wyn Galbraith: All the time.
[8:09] Zero Linden: DNS hijacking is not common
[8:09] Tree Kyomoon: it just seems a lot more prudent to build a single login into the client, you can thus write a lot more security features in if you are not limited by the web browser
[8:09] otakup0pe Neumann: heh
[8:09] Tedd Maa: but if the login procedure becomes proprietary it may block any third party clients or servers to ever be built, which in turn would make it difficult for SL to become the next Big thing
[8:09] Zero Linden: it happens, but not nearly as common as the standard forms of phishing attacks
[8:09] otakup0pe Neumann: dns hijacking on a large scale is even less common.
[8:09] Tree Kyomoon: you could even write a special non opensource login app
[8:09] Morgaine Dinova: Isn't this reinventing the wheel? Site authentication is a known area and well honed solutions.
[8:10] otakup0pe Neumann: yeah the only part that seems hairy is detecting installed versions of sl.
[8:10] Zero Linden: Well - we're not going to do anything that relies on closed source or obscurity for security --- those things never work out
[8:10] otakup0pe Neumann: i'm assuming that means traditional viewers. rather than, say, sleek.
[8:10] Wyn Galbraith goes over how to spot phishing almost every day with her 73+ roommate.
[8:10] Zero Linden: MD - exactly - and so we can be much more agile in the protections offered for site authentication....
[8:11] Pavig Lok thinks folk with low end hardware get a performance hit from running browsers and sl at the same time
[8:11] Zero Linden: it is much harder to change the baked login UI in the viewer
[8:11] Zero Linden: PL- yes, we worry about that
[8:11] Zero Linden: fortunately, you can close your browser as soon as SL starts.
[8:11] Zero Linden: we had an earlier design which you couldn't
[8:11] Wyn Galbraith: Bank of America now uses an image chosen by the user to verify that you're logging into the right place.
[8:11] Zero Linden: and it was that problem that prodded us to look for this one
[8:11] otakup0pe Neumann: That's a nice touch Wyn.
[8:12] Wyn Galbraith: It's an extra step, but I deal with it.
[8:12] Zero Linden: See - exactly the kind of thing we could do - but really only by logging in from the web site
[8:12] otakup0pe Neumann: Well as long as it plays well with libsl I'm happy.
[8:12] otakup0pe Neumann: Is this something for next quarter or is it going on now ?
[8:12] Rex Cronon: doesn't really offer that much protection wyn
[8:12] Tree Kyomoon: so walk me through this...I am happily working in SL, the viewer crashes. I try to log back in but I have to launch IE first. SO I launch IE, log in, and I get the dreaded" the system is logging you out right now", then I log in again and I get the old "you cant log in until 5.45 PST because we say so" error...all via IE , then the SL client ...seems like a huge pain
[8:12] Benja Kepler: and for forensics, a record of logins will be kept, whereas now the secondlife.log file is overwritten?
[8:12] Zero Linden: (I wonder how the phishing sites just don't play man-in-the-middle to get you that image.....)
[8:13] Wyn Galbraith: It does, see, cause a phisher isn't going to know what the user choose as a picture, they tell you don't log in if this picture isn't the one you chose.
[8:13] Wyn Galbraith: I don't know how they could do that. I haven't checked but I don't think that image is stored on my system.
[8:14] Zero Linden: Well, yes, if you keep the browser closed - the difference is that you'd have to launch your browsers
[8:14] Zero Linden: again
[8:14] Zero Linden: but - otherwise, the sequence of steps is basically the same
[8:14] Tedd Maa: the point is getting down the massive amounts of spam-phishers I guess
[8:14] Zero Linden: just the giant SL application wouldn't load until you can actually log in
[8:14] Wyn Galbraith launches them anyway for email etc.
[8:14] Tree Kyomoon: so this adds frustration to an already very frustrating issue
[8:14] Wyn Galbraith: Maybe we could have a SL browser
[8:15] Tree Kyomoon hates it when the viewer crashes and I have to login 4 times
[8:15] Zero Linden: Well, we'd change the SL icon you see on your desktop to automatically launch the browser to exactly the same spot.
[8:15] Zero Linden: so really, the actions you do would be identical
[8:15] Tree Kyomoon: /what would be best is your session data should survive a crash
[8:15] Tree Kyomoon: if the browser is open, theoretically it should work as the session is there, not the client
[8:15] Zero Linden: you'd crash, click on the Hand icon again, it would launch your browser (if not launched) to the "Go in world page"... if you were not logged in, you'd be directed immediately to the log in page on the web site
[8:15] Benja Kepler: and perhaps use browser favourites as slurls?
[8:16] Zero Linden: pressing return would log you in, go back to the other page, which would launch the viewer - and away you go
[8:16] Morgaine Dinova: Surely this doesn't need a full browser, even if the login process uses webservers. None of the graphic elements are required at all really.
[8:16] Zero Linden: it is the same set of steps - only you'd be typing into the browser, not the viewer
[8:16] Tree Kyomoon: this is kind of how gametap works
[8:16] Pavig Lok: erm there's a browser in the client - could we use that? :P
[8:16] Wyn Galbraith likes the 'go to world' button idea.
[8:16] Zero Linden: BK - in fact we could offer all of your landmarks as log-in points....
[8:17] Zero Linden: PL - we could - and we could make that default....
[8:17] Tree Kyomoon: the important thing would be to keep any video card intensive things like animations OFF the login screen in the browser so that the video card could be fully available to the SL client
[8:17] Zero Linden: so you could do it either way
[8:17] Tree Kyomoon: for those of us with limited video power
[8:18] Benja Kepler: ZL - cool!
[8:18] Zero Linden: I'm pretty sure we wouldn't have a YouTube feed on the Go In World page.... :-)
[8:18] Wyn Galbraith: Interesting idea.
[8:18] Zero Linden: So - way back someone brought up PJira and Wiki
[8:18] Zero Linden: I have a different plan for those
[8:18] otakup0pe Neumann: yeah it would be best to make the built in browser the default
[8:19] Tree Kyomoon: /so if the client is independent of the session data, can you launch the client yourself from your HD or do you have to use "launch SL"
[8:19] otakup0pe Neumann: is it openid ? heh
[8:19] Wyn Galbraith: Rebake Kooky. :)
[8:19] Tree Kyomoon: reason is, if SL client crashes but the browser didnt, you should be able to relaunch without having to relog
[8:19] Zero Linden: What if - we turned every Second Life avatar name into a valid OpenID ?
[8:19] Wyn Galbraith oos.
[8:19] Morgaine Dinova: I think a dependency on browsers is VERY much the wrong way to go. They're the most unreliable part of our systems, because of their monolithic nature and vast size --- inherently buggy, it's unavoidable.
[8:19] Benja Kepler: all 9 million+ of them?
[8:20] Zero Linden: then we could use OpenID as the way to signin to those sites, and you'd use your SL OpenID
[8:20] Wyn Galbraith: SL Passports.
[8:20] Jansen Miles: The ability to choose from our landmarks for login-points? Sold!
[8:20] Rex Cronon: i think some people would like to change their name, openid is used
[8:20] Benja Kepler: and require Contribution Agreements for submitting to wiki and pjira?
[8:21] otakup0pe Neumann: signpostmarv martin had that working at one point
[8:21] otakup0pe Neumann: kinda i think. something with openid.
[8:21] Kooky Jetaime: Changing names is nice.... although I have a strange feeling that would cause more harm than good
[8:21] Tree Kyomoon: would be more secure if your username wasnt your avatar name
[8:21] Tree Kyomoon: we give half of our logins to everyone we meet in SL
[8:21] Wyn Galbraith: It would maybe, but then what about if you have alts?
[8:22] Zero Linden: BK - no different than before
[8:22] Benja Kepler: is it necessary to sign the Contribution Agreement to submit to wiki and pjira now?
[8:22] Kooky Jetaime really wishes he'd wake up sooner and have made this meeting from the start..
[8:22] Zero Linden: TK - if that worries you, take whatever you'd like to use as a username and put it in front of your password -
[8:22] Tree Kyomoon: zero has given much to think about, this is quite the curve ball
[8:22] Zero Linden: I'm pretty sure that makes it as secure
[8:23] Saijanai Kuhn: an openid thing would allow a multi-grid presence. Only one grid could have that openID active at any given time
[8:23] Zero Linden: SK - no, not at all
[8:23] Zero Linden: you can log into multiple sites with the same OpenID at the same time
[8:23] Zero Linden: but again, I'm not talking about signing into the grid with OpenID - just using it for other related websites
[8:23] Tree Kyomoon: all unique sessions zero?
[8:23] Rex Cronon: isn't there only one sl?
[8:24] Tree Kyomoon: or do they all use the same session?
[8:24] Wyn Galbraith: So it could be like a MS Passport, log in once and get into multi sites.
[8:24] Zero Linden: which concept of session are we talking about? Grid-session ids? No, each grid has its own set...
[8:24] Kooky Jetaime: Zero -I was having a similar discussion with Everett I believe... that its kinda bad that you have to hand over your password to get the simplest help from inside the client.
[8:25] Wyn Galbraith: So that's Jira, Wiki, what about the Knowledge base, Support, etc?
[8:25] Zero Linden: Wyn - yes, OpenID is an identity, single-sign-on system similar to MS Passport
[8:25] Tree Kyomoon: ah ok, so I log in to my account on SL's website, that session is differnet than my session in the grid?
[8:25] Pavig Lok: sounds a treat - single login for sl and sl web, then single validated sessions for each other openid site
[8:25] Tree Kyomoon: and if the client crashes, does my grid session crash with it?
[8:25] Zero Linden: "that its kinda bad that you have to hand over your password to get the simplest help from inside the client." --- you do? Where?
[8:25] Rex Cronon: why dont u test it on beta?
[8:26] Kooky Jetaime: Zero - Goto Preferences
[8:26] Kooky Jetaime: Hit Help
[8:26] Benja Kepler: sorry, Zero, can I ask again: is it necessary to sign the Contribution Agreement to submit to wiki and pjira now?
[8:26] Kooky Jetaime: Bamph - support Portal
[8:26] Kooky Jetaime: Password Required
[8:26] Zero Linden: right - but that isn't in the client - it takes you to the web site
[8:26] Wyn Galbraith hasn't signed anything for those Benja.
[8:27] Tree Kyomoon: right so in what you are talking about, would we auto login to the support site?
[8:27] Zero Linden:
[8:27] Benja Kepler thought it was only necessary for Open Source Contributions
[8:27] Kooky Jetaime: Benja - it is
[8:27] Zero Linden: TK - well, we'd like that
[8:27] Zero Linden: if it were OpenID based, then we could enable that easily -
[8:27] Benja Kepler: KJ - its what? only for Open Source or for pjira/wiki?
[8:28] Wyn Galbraith oos and likes that Zero, "I'm got to remember so many passwords. But then if someone cracks your password they would have access to everything.
[8:28] Zero Linden: so long as you had logged in once with your OpenID, then you can get in as you like
[8:28] Kooky Jetaime: Open Source Contributions
[8:28] Kooky Jetaime: Wyn - I'll IM you
[8:28] Tree Kyomoon: and if the client crashes, my Open ID session doesnt crash with it right?
[8:28] Benja Kepler: Zero said 'no different than before' - just like him to reply, KJ
[8:29] Zero Linden: There is a trade off with single-sign-on systems - one of the gambits is that if people need fewer passwords, they'll be willing to make those passwords stronger, and guard them better
[8:29] Morgaine Dinova: I assume that we can use a different OpenID for each different site, and there's some automatic selection of the appropriate one? Without that, it would be very hard to keep ones IDs separate. Typing a prefix in by hand each time sounds dreadful.
[8:29] Tree Kyomoon hates having to relogin every time the client crashes
[8:29] Wyn Galbraith: I think you're right there Zero.
[8:29] Pavig Lok: this sounds like a good plan - it got the added bonus that if my sl login breaks then you don't have to deal with my pesky support tickets (cause that'll break too) :P
[8:29] Zero Linden: with a single-sign-on system, in theory you could have just one web password, and you'd know to only use it on your identity provider's web site
[8:30] Morgaine Dinova: A single passphrase doesn't imply a single ID.
[8:30] Zero Linden: Well, TK - iff you've kept your browser open (aye, there's the rub)
[8:30] Kooky Jetaime: Wyn - I have a solution for your password issues.. I'll talk to you in pvt though
[8:30] otakup0pe Neumann: any idea when we would see this being available ?
[8:30] Zero Linden: But if you did, then you wouldn't need to type a password again.
[8:30] Tree Kyomoon: Hey! browser stays open just fine when the sl client crashes
[8:31] Rex Cronon: not 4 me
[8:31] Tree Kyomoon: you dont need to type, but the system still voids your session right?
[8:31] Kooky Jetaime: Tree - do what I do, save password, autologon
[8:31] Jansen Miles: Gmail was in the news the other day as being vulnerable to a man-in-the-middle. The cookie could be spoofed.
[8:31] Kooky Jetaime: tis as insecure as hell, but no pausing at the logon screen :)
[8:31] Tree Kyomoon: It's not the typing that bothers me, it's waiting for the relog /timeout stuff
[8:31] Zero Linden: oN: Some engineers and I were discussing designs just yesterday (see how much you guys get to see!)
[8:31] Wyn Galbraith: The timeout thing bothers me more than relogging.
[8:31] Zero Linden: There is a possibility that we'll move quickly on this - meaning a month or so
[8:32] Tree Kyomoon: /hate that "you can't login until such and such time" message...infuriating
[8:32] Kooky Jetaime: Zero... Journalling before Unified Login
[8:32] Zero Linden: but it isn't certain yet....
[8:32] Zero Linden: which is why I wanted to get your input
[8:32] Zero Linden: !
[8:32] otakup0pe Neumann: ok cool.
[8:32] Kooky Jetaime: I'll gladly type my password a million times
[8:32] Kooky Jetaime: I
[8:32] Zero Linden: Okay all - as always, you have been wonderful.
[8:32] Kooky Jetaime: I'm gonna turn into Sai and beat a dead horse
[8:32] otakup0pe Neumann: well openid is cool, but keep the libsl group informed as to the changes :o
[8:32] Wyn Galbraith: Thanks Zero.
[8:32] Zero Linden: Absolutely - oN!
[8:33] Tree Kyomoon: /hope I've been helpful! Don't mean to sound negative
[8:33] Zero Linden: later all
[8:33] Morgaine Dinova: The local authentication endpoint and the client shouldn't really be the same process. The client WILL crash periodically, as it's an evolving system. The authenticated endpoint should be a separate process that stays up though.
[8:33] Wyn Galbraith: Have a nice day ;)
[8:33] Jansen Miles: See ya!
[8:33] Zero Linden: No no, TK - your input is welcome
[8:33] otakup0pe Neumann: take it easy zero.
[8:33] Rex Cronon: bye zero
[8:33] otakup0pe Neumann: ok i have to go make brunch :o
[8:33] Benja Kepler: thanks for not answering me ZL
[8:33] Rex Cronon: try it first on beta
[8:33] Zero Linden: sorry, BK? on?
[8:33] Tree Kyomoon: /ouch
[8:34] Wyn Galbraith: having to sign something to use Jira or wiki.
[8:34] Kooky Jetaime: He's gone
[8:34] Tree Kyomoon: /weird did benja leave?
[8:34] Tree Kyomoon: bizarre comment to leave on
[8:35] Pavig Lok: oh well
[8:35] Kooky Jetaime: I answered his question but he didn't like me answering it
[8:35] Zero Linden: hmmm.... thought I did -
[8:35] Viscount Lisle: do u have to sign the Contribution Agreement to submit to wiki and pjira now?.....look like we'll never know
[8:35] Kooky Jetaime: he wanted his own personal Zero Answer
[8:35] Wyn Galbraith: [8:26] Benja Kepler: sorry, Zero, can I ask again: is it necessary to sign the Contribution Agreement to submit to wiki and pjira now?
[8:35] Zero Linden: Hmmm... ah - see, the initial question was "will it change" - and I said "no change"
[8:36] Zero Linden: but I didn't realize BK wanted to know the current requirements
[8:36] Pavig Lok likes signing on cause me don't want wiki trolled
[8:36] Saijanai Kuhn: guess he thought he knew the current requirements
[8:36] Viscount Lisle: just a quick question - how is the authentication process encrypted?
[8:36] Tedd Maa: (aka, what are man-in-the-middle requirements?)
[8:37] Viscount Lisle: aka, am i vulnerable
[8:37] Zero Linden: Hmmmm. a quick check - you don't have to sign anything to contribute, but by contributing you agree to the "Second Life Project Contribution Agreement"
[8:37] Zero Linden:
[8:37] Kooky Jetaime: Hi Squirrel
[8:37] Squirrel Wood: Meep
[8:37] Morgaine Dinova: Hiya Squirrel, you're late :-))
[8:38] Wyn Galbraith: Hey Squirrel.
[8:38] Tree Kyomoon: this is definitely a conversation for the logs
[8:38] Squirrel Wood: Not late. Just got home from work :p
[8:38] Tree Kyomoon needs to read it a few times
[8:38] Kooky Jetaime: I'll be reading the transcript when it goes up
[8:38] Morgaine Dinova: Work is overhyped, don't do it :-)
[8:38] Wyn Galbraith: At least you have work to come home from
[8:38] Kooky Jetaime: heheh
[8:38] Squirrel Wood: Work pays me bills. No work does not. :p
[8:38] Wyn Galbraith: Except getting an RL job would mean missing Linden meetings ;)
[8:39] Kooky Jetaime: that's what transcripts are for
[8:39] Zero Linden: Writing in Jira uses the same terms
[8:39] Zero Linden: see
[8:39] Kooky Jetaime: OR for the lucky one
[8:39] Zero Linden:
[8:39] Tree Kyomoon: /tree hopes that this open id stuff would get us a bit closer to supporting cookies in llHTTPRequest
[8:39] Wyn Galbraith: True. I would miss seeing Zero's smiling face.
[8:39] Kooky Jetaime: Attend the meetings from Work
[8:39] Kooky Jetaime: :)
[8:39] Zero Linden: okay - now I've got to run
[8:39] Zero Linden: later
[8:39] Wyn Galbraith: Most companies I've worked for have policies about stuff like that.