 Post subject: Honest questions about selling securely in OpenSim
PostPosted: Mon Feb 06, 2017 12:48 pm 

Joined: Sat Mar 13, 2010 1:34 am
Posts: 19
I saw a new shopping region advertised on OpenSimWorld.com yesterday. The region uses Globits as its currency and states that avatars will be able to take their purchases back to their home grid. I've been looking for a way to sell in OpenSim but I had a question about "just how secure is this?".

I logged in and posed my question in the comments section for that region. I went back last night but it hadn't received a reply. I went back this morning and my question is gone, as well as the one other comment on the page. Perhaps that was a bad spot to pose the question (I chose it because I figured the region owners and the creators selling there would surely be up on the security and would be able to answer my question), or perhaps something went whack with the OpenSimWorld db and it had to be restored I thought. So I tried to login and pose the question again, but, once I try to login I am ignored (it just goes back to the same login now situation). If I put in a bad password, it gives me the message that my password is bad, but if I put in the proper one, boom, nothing.

So, not sure if I am asking a question that no one wants to answer truthfully or if I just picked a bad place to ask, or if OSW is having problems. But here is my question...

The region touts that you can make your purchases with Globits and take those purchases back to your home grid. I'm not so concerned that the Globits aren't secure, but my worry is that once an item has been delivered back to the home grid for the customer, have extra steps been taken that would prevent the database owner from opening the db in a query browser and changing the permissions or the owner, or the creator to themselves? I've had to do that for my own items a few times (I wasn't smart enough to use the same UUID for myself when we moved from 6 to 7 and the grid had to be remade from oars, I know better now).

I'd like to sell some items in OpenSim but I don't want to end up in the situation where my items are copied out of OS and uploaded to SL (where I also sell some of those same items) such that I end up competing with my own products for sale at a lower price.

So, that's my honest question. I'm just looking for an honest answer. If nothing has been done to secure those listings in the database, if they are in there just as all the other assets are without any other safeguards, I know the fields can be overwritten to whatever the person editing the database wants. I'd love a secure way to sell in OS, I'm hoping extra steps have been taken to protect the content, but... have they? Is there anyone in the know that can enlighten me?

And... while typing this up, I also had the thought, these items, once back in their home grid, will they also export with OARS and IARS like the rest of the assets? OARS and IARS are nothing more than zipped folders. You can open them with 7-zip and see (copy/mod) the items. Textures for example are exported as jpeg2000 format graphics. Once exported and double unzipped (you'll have to unzip twice to see the files, so, unzip the folder, then unzip the folder created on the first unzip) textures (as is) are surely not secure. So clothing wise, the person may have to make the item over again but the texture is the key to remaking an item and that they will end up with it in their OARS and IARS if no other steps have been taken to secure the content.

And, do these same security holes apply to Kitely since they also allow the items to be delivered back to the home grid? Or has Kitely taken extra steps to prevent this type of theft from happening?

OK, these are my honest questions seeking honest answers. Thanks to anyone that replies with some knowledge.

I'm not trying to cause problems, I'm just trying to figure out if these platforms are truly secure, or if we have secured the front door while leaving the back door wide open with a lit up welcome sign.


 
 Post subject: Re: Honest questions about selling securely in OpenSim
PostPosted: Mon Feb 06, 2017 1:05 pm 

Joined: Sat Mar 13, 2010 1:34 am
Posts: 19
OK, apparently that region is so popular that they have created a second one and I had been looking at it when I couldn't find my question. It is still there and showing on the original region.

But as of now, no reply so my questions still stand.


 
 Post subject: Re: Honest questions about selling securely in OpenSim
PostPosted: Mon Feb 06, 2017 4:39 pm 

Joined: Thu Mar 19, 2015 9:52 am
Posts: 21
Orb Offcourse wrote:
The region touts that you can make your purchases with Globits and take those purchases back to your home grid. I'm not so concerned that the Globits aren't secure, but my worry is that once an item has been delivered back to the home grid for the customer, have extra steps been taken that would prevent the database owner from opening the db in a query browser and changing the permissions or the owner, or the creator to themselves? I've had to do that for my own items a few times (I wasn't smart enough to use the same UUID for myself when we moved from 6 to 7 and the grid had to be remade from oars, I know better now).


If you run your own region, then you run your own region database. So whatever someone rezzes on your region can be altered. Besides tampering with the database it's also possible to request admin rights and just fullperm/become owner (but not creator) through the admin menu.

That is the case on open grids. Closed/commercial grids usually don't allow this since besides controlling the grid services they manage all customers' regions and decide what their customers are permitted to do with the regions.

I have never heard of a case where someone deliberately put themselves as creator for bragging rights or whatever, so don't worry. Throughout the whole hypergrid metaverse you'll see things here and there that have a different name than the original creator. This is because some people don't know to take care of preserving the creator name when exporting/importing. Also, that preserving wasn't even possible until about OpenSim 0.8+ and there is still a lot of older content out there.

Orb Offcourse wrote:
I'd like to sell some items in OpenSim but I don't want to end up in the situation where my items are copied out of OS and uploaded to SL (where I also sell some of those same items) such that I end up competing with my own products for sale at a lower price.


I wouldn't worry about this at all. Remember, such people don't buy your stuff to then copy it. They just copy it regardless, wherever they come across it; it only has to be visible to their copybot viewer inworld. I would worry more about what you sell in SL to be botted and then resold, since the chance of botting is a gazillion times higher in SL than in OpenSim. Botters flock to places with the neatest stuff, and OpenSim isn't that place.


Orb Offcourse wrote:
So, that's my honest question. I'm just looking for an honest answer. If nothing has been done to secure those listings in the database, if they are in there just as all the other assets are without any other safeguards, I know the fields can be overwritten to whatever the person editing the database wants. I'd love a secure way to sell in OS, I'm hoping extra steps have been taken to protect the content, but... have they? Is there anyone in the know that can enlighten me?


This is about 2 DBs. One is assets controlled by the grid... but when a resident rezzes something to their region... a copy of it is made into the region DB. Correct me if wrong please.

The region database protection is only ever as secure as the database administrator makes it to be. And that DB admin is whoever runs that region on their computer/server of which a creator has no say about.

The only way to protect stuff with the perms set is to sell only to non-open tightly controlled grids.


Orb Offcourse wrote:
And... while typing this up, I also had the thought, these items, once back in their home grid, will they also export with OARS and IARS like the rest of the assets? OARS and IARS are nothing more than zipped folders. You can open them with 7-zip and see (copy/mod) the items. Textures for example are exported as jpeg2000 format graphics. Once exported and double unzipped (you'll have to unzip twice to see the files, so, unzip the folder, then unzip the folder created on the first unzip) textures (as is) are surely not secure. So clothing wise, the person may have to make the item over again but the texture is the key to remaking an item and that they will end up with it in their OARS and IARS if no other steps have been taken to secure the content.


I'm not sure if this is it, but a grid can have in Robust.ini:
Code:
    ;; Allow supporting viewers to export content
    ;; Set to false to prevent export
    ExportSupported = true


I know some grids add a second meaning to certain combinations of permissions, which I think is a totally wrong approach and breaks expectations of established permissions as we know them. Really they should submit a patch to have the [X] Export permission working in the viewer instead.

Anyway this permission is usually Copy AND Transfer and then your item can be saved in an IAR or OAR backup. Another weird one I came across on a grid is if Object Price > 0 then it's decided to not be exportable. Really bad, certainly a grid where I will not settle down with my store because then hypergridders won't be able to buy and take their item home.


Orb Offcourse wrote:
And, do these same security holes apply to Kitely since they also allow the items to be delivered back to the home grid? Or has Kitely taken extra steps to prevent this type of theft from happening?


If you intend to sell on Kitely market, you can choose to NOT mark your product as export, and they won't be saved in OARs (Kitely doesn't support IARs yet). Also the customer won't be able to wear the item when hypergridding, or take it in their 'My Suitcase' folder. Note that when an item is not marked as export, other grids than Kitely won't be able to buy it from you since the product can't be delivered to other grids when it's not exportable. The item can then only be used by Kitely users in the Kitely grid. I suggest asking the Kitely forums for more info.
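
The creator field and owner permission bits discussed in this thread travel inside an OAR or IAR as plain XML, so a creator can compare an archived copy of an item against their own sales record. The Python below is an added example, not part of any post and not OpenSim code; the element names (`SceneObjectPart`, `CreatorID/UUID`, `OwnerMask`) are assumed from OpenSim's serialized-object layout, and the sample archive and UUIDs are constructed.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

# Permission bits shared by Second Life and OpenSim.
TRANSFER, MODIFY, COPY = 1 << 13, 1 << 14, 1 << 15
FLAGS = {"transfer": TRANSFER, "modify": MODIFY, "copy": COPY}
ME = "11111111-1111-1111-1111-111111111111"      # constructed creator UUID
OTHER = "22222222-2222-2222-2222-222222222222"   # constructed UUID

def check_part(part, creator_id, sold_mask):
    """Compare one SceneObjectPart element with the seller's own record."""
    findings = []
    if part.findtext("CreatorID/UUID") != creator_id:
        findings.append("creator changed")
    owner_mask = int(part.findtext("OwnerMask", "0"))
    extra = [n for n, bit in FLAGS.items() if owner_mask & bit and not sold_mask & bit]
    if extra:
        findings.append("extra owner perms: " + ",".join(extra))
    return findings

def audit_archive(blob, creator_id, sold_mask):
    """Read a gzip-compressed tar (.oar/.iar) in memory and check each object."""
    # ElementTree is fine for archives you built yourself; for files received
    # from someone else, use a hardened XML parser such as defusedxml.
    report = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith(".xml")):
                continue
            root = ET.parse(tar.extractfile(member)).getroot()
            for part in root.iter("SceneObjectPart"):
                findings = check_part(part, creator_id, sold_mask)
                if findings:
                    report.setdefault(member.name, []).extend(findings)
    return report

def sample_archive():
    """Constructed two-object archive: one intact item, one altered item."""
    def obj(creator, mask):
        return (f"<SceneObjectGroup><RootPart><SceneObjectPart><CreatorID><UUID>"
                f"{creator}</UUID></CreatorID><OwnerMask>{mask}</OwnerMask>"
                f"</SceneObjectPart></RootPart></SceneObjectGroup>").encode()
    files = {"objects/chair.xml": obj(ME, COPY),
             "objects/lamp.xml": obj(OTHER, COPY | MODIFY | TRANSFER)}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Here `sold_mask` is the set of permissions the item was sold with (copy only in the sample), so any transfer or modify bit on the archived copy is reported.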


 
 Post subject: Re: Honest questions about selling securely in OpenSim
PostPosted: Mon Feb 06, 2017 6:08 pm 

Joined: Sat Mar 13, 2010 1:34 am
Posts: 19
Thanks for the reply Lotek. Most all that I already knew (I started with OS back when you had to roll your own to have anything, before anything was physical or was retained through a reboot (no db support), before OSGrid was launched).

So, to sum it up, as far as you know, nothing has been done to add extra security to the databases, and anyone who makes a purchase through Kitely or with Gloebits (I learned to spell that since my first post! lol) or any currency that allows the item to be delivered back to their home grid, is at risk for someone to make a purchase, hack the database, export it, and upload it for sale or giveaway on SL or Inworldz or any currency enabled (or not) closed or open grid or standalone.

I do agree that the copybotters want to grab the "cool" stuff which makes OS not their first destination, but, that is the situation today since the creators haven't felt their items are secure in the present arrangement. But with the promise of a secure channel I would expect more creators to embrace it and more of the cool stuff to eventually make its way here, thereby changing the dynamic and the desirability of coming to OS to steal content.

I am just wondering if the glaring holes that have been a part of OS from the start (content security wise) have been plugged or not.

What I was hoping for was to hear that the items sent through these currency systems were going to be stored in a new encrypted table in the database that would store that data securely and the data from that table would not be exportable as an OAR or IAR, or that there was some other new type of protection in place to prevent those types of hacks from being so easy to do.

As my grandfather used to say, a lock keeps an honest man honest, but it won't stop a thief. I was (am) just hoping someone had/has placed a new lock on those old holes.


 
 Post subject: Re: Honest questions about selling securely in OpenSim
PostPosted: Tue Feb 07, 2017 9:35 am 

Joined: Thu Mar 19, 2015 9:52 am
Posts: 21
Orb Offcourse wrote:
So, to sum it up, as far as you know, nothing has been done to add extra security to the databases, and anyone who makes a purchase through Kitely or with Gloebits (I learned to spell that since my first post! lol) or any currency that allows the item to be delivered back to their home grid, is at risk for someone to make a purchase, hack the database, export it, and upload it for sale or giveaway on SL or Inworldz or any currency enabled (or not) closed or open grid or standalone.

I don't expect any interest from developers to introduce draconian encryption of our own region assets. The whole point of OPENsim is transparency, not to have our own data be encrypted without us having the key to that data.

Until the permission system is bug-free and working like it should, admin-mode has very valid uses. Even doing a regexp on .xml files within an OAR has valid uses like the case you presented yourself.

Orb Offcourse wrote:
I do agree that the copybotters want to grab the "cool" stuff which makes OS not their first destination, but, that is the situation today since the creators haven't felt their items are secure in the present arrangement. But with the promise of a secure channel I would expect more creators to embrace it and more of the cool stuff to eventually make its way here, thereby changing the dynamic and the desirability of coming to OS to steal content.

It takes a switch of mind, and a different approach to create projects for the hypergrid. For example, always assume customers can godmode your stuff; always assume someone can modify scripts within stuff. Yes that is a challenge (and not impossible!), but in return we get a nice open ecosystem where land is affordable and anything can be realized. Since OpenSim is open source, we can write our own custom modules for handling situations where particular security features are wanted (for example, a combat system).

Orb Offcourse wrote:
I am just wondering if the glaring holes that have been a part of OS from the start (content security wise) have been plugged or not.

What I was hoping for was to hear that the items sent through these currency systems were going to be stored in a new encrypted table in the database that would store that data securely and the data from that table would not be exportable as an OAR or IAR, or that there was some other new type of protection in place to prevent those types of hacks from being so easy to do.

As my grandfather used to say, a lock keeps an honest man honest, but it won't stop a thief. I was (am) just hoping someone had/has placed a new lock on those old holes.

Whether we pay 0L for a freebie or pay 100L for an item through a plugged in currency module doesn't change anything about how assets are stored in OpenSim core.

Perhaps what you're really looking for is the closed walled garden called Second Life. In OpenSim the remaining options are grids with severe export and permission restrictions, which would also imply selling to the hypergrid is out of the question.

Alternatively, open your mind a bit and don't treat customers as potential 'thieves' like the merchants in SL do. People who have bad intentions are just a tiny fraction of all the good people out there, certainly on OpenSim.


 
 Post subject: Re: Honest questions about selling securely in OpenSim
PostPosted: Tue Feb 07, 2017 12:24 pm 
Furious Typer

Joined: Tue Jan 31, 2012 12:40 pm
Posts: 72
Security would be augmented greatly if the db was encrypted. As it stands, I can rez anything on my sim, find the entry in the relevant table with a simple query, pop my uuid in the creator field and that object is now mine for all intents and purposes.


 
 Post subject: Re: Honest questions about selling securely in OpenSim
PostPosted: Wed Feb 08, 2017 11:14 am 

Joined: Sat Mar 13, 2010 1:34 am
Posts: 19
I started this thread in the hopes of finding out that one of the currency solutions had also worked on securing the content that was passing through its system. How they would do that (adding an encrypted table, tokens, certificates, region modules, .dll or whatever) is up to them but... I keep seeing new currencies come out and each time I do I have the same question, have they done anything to secure the content?

The OS devs have stated from the start that they would not be making/offering/supporting a money module. They have also stated that the plugin type architecture of OS would allow those who wanted to make a plugin to handle currency to do so. In my mind, this has nothing to do with the core devs, as they concluded long ago, a currency module should not be a part of core.

The currency system that moves beyond securing the transactions (money) and offers a way to also secure the content that passes through their system, to that system will go the spoils as when true security for the whole process can be offered, that is when the creators will embrace OS.

Perhaps the value of my post will be to point out to the people that are making the currency systems that the burden to secure the content that they are profiting from is on their shoulders. IMHO.

