I saw a new shopping region advertised on OpenSimWorld.com yesterday. The region uses Globits as it's currency and states that avatars will be able to take their purchases back to their home grid. I've been looking for a way to sell in OpenSim but I had a question about "just how secure is this?".

I logged in and posed my question in the comments section for that region. I went back last night but it hadn't received a reply. I went back this morning and my question is gone, as well as the one other comment on the page. Perhaps that was a bad spot to pose the question (I choose it because I figured the region owners and the creators selling there would surely be up on the security and would be able to answer my question), or perhaps something went whack with the OpenSimWorld db and it had to be restored I thought. So I tried to login and pose the question again, but, once I try to login I am ignored (it just goes back to the same login now situation). If I put in a bad password, it gives me the message that my password is bad, but if I put in the proper one, boom, nothing.

So, not sure if I am asking a question that no one wants to answer truthfully or if I just picked a bad place to ask, or if OSW is having problems. But here is my question...

The region touts that you can make your purchases with Globits and take those purchases back to your home grid. I'm not so concerned that the Globits aren't secure, but my worry is that once an item has been delivered back to the home grid for the customer, have extra steps been taken that would prevent the database owner from opening the db in a query browser and changing the permissions or the owner, or the creator to themselves? I've had to do that for my own items a few times (I wasn't smart enough to use the same UUID for myself when we moved from 6 to 7 and the grid had to be remade from oars, I know better now).

I'd like to sell some items in OpenSim but I don't want to end up in the situation where my items are copied out of OS and uploaded to SL (where I also sell some of those same items) such that I end up competing with my own products for sell at a lower price.

So, that's my honest question. I'm just looking for an honest answer. If nothing has been done to secure those listings in the database, if they are in there just as all the other assets are without any other safeguards, I know the fields can be overwritten to whatever the person editing the database wants. I'd love a secure way to sell in OS, I'm hoping extra steps have been taken to protect the content, but... have they? Is there anyone in the know that can enlighten me?

And... while typing this up, I also had the thought, these items, once back in their home grid, will they also export with OARS and IARS like the rest of the assets? OARS and IARS are nothing more than zipped folders. You can open them with 7-zip and see (copy/mod) the items. Textures for example are exported as jpeg2000 format graphics. Once exported and double unzipped (you'll have to unzip twice to see the files, so, unzip the folder, then unzip the folder created on the first unzip) textures (as is) are surely not secure. So clothing wise, the person may have to make the item over again but the texture is the key to remaking an item and that they will end up with it in their OARS and IARS if no other steps have been taken to secure the content.

And, do these same security holes apply to Kitely since they also allow the items to be delivered back to the home grid? Or has Kitely taken extra steps to prevent this type of theft from happening?

OK, these are my honest questions seeking honest answers. Thanks to any one that replies with some knowledge.

I'm not trying to cause problems, I'm just trying to figure out if these platforms are truly secure, of if we have secured the front door while leaving the back door wide open with a lit up welcome sign.

OK, apparently that region is so popular that they have created a second one and I had been looking at it when I couldn't find my question. It is still there and showing on the original region.

But as of now, no reply so my questions still stand.

If you run your own region, then you run your own region database. So whatever someone rezzes on your region can be altered. Besides tampering with the database it's also possible to request admin rights and just fullperm/become owner (but not creator) through the admin menu.

That is the case on open grids. Closed/commercial grids usually don't allow this since besides controlling the grid services they manage all customers regions and decide what their customers are permitted to do with the regions.

I have never heard of a case where someone deliberately put themselves as creator for bragging rights or whatever, so don't worry. Throughout the whole hypergrid metaverse you'll see things here and there that have a different name than the original creator. This is because some people don't know to take care of preserving the creator name when exporting/importing. Also, that preserving wasn't even possible until about OpenSim 0.8+ and there is still a lot of older content out there.



I wouldn't worry about this at all. Remember, such people don't buy your stuff to then copy it. They just copy it regardless, wherever they come across it; it only has to be visible to their copybot viewer inworld. I would worry more about what you sell in SL to be botted and then resold, since the chance of botting is a gazillion times higher in SL than in OpenSim. Botters flock to places with the neatest stuff, and OpenSim isn't that place.




This is about 2 DB's. One is assets controlled by the grid.. but when a resident rezzes something to their region... a copy of it is made into the region DB. Correct me if wrong please.

The region database protection is only ever as secure as the database administrator makes it to be. And that DB admin is whoever runs that region on their computer/server of which a creator has no say about.

The only way to protect stuff with the perms set is to sell only to non-open tightly controlled grids..




I'm not sure if this is it, but a grid can have in Robust.ini:


I know some grids add second meaning to certain combinations of permissions, which I think is a total wrong approach and breaks expectations of established permissions as we know them. Really they should submit a patch to have the [X] Export permission working in the viewer instead.

Anyway this permission is usually Copy AND Transfer and then your item can be saved in an IAR or OAR backup. Another weird one I came across on a grid is if Object Price > 0 then it's decided to not be exportable. Really bad, certainly a grid where I will not settle down with my store because then hypergridders won't be able to buy and take their item home.




If you intend to sell on Kitely market, you can choose to NOT mark your product as export, and they won't be saved in OARs (Kitely doesn't support IARs yet). Also the customer won't be able to wear the item when hypergridding, or take it in their 'My Suitcase' folder. Note that when an item is not marked as export, other grids than Kitely won't be able to buy it from you since the product can't be delivered to other grids when it's not exportable. The item can then only be used by Kitely users in the Kitely grid. I suggest asking the Kitely forums for more info.

Thanks for the reply Lotek. Most all that I already knew (I started with OS back when you had to roll your own to have anything, before anything was physical or was retained through a reboot (no db support), before OSGrid was launched).

So, to sum it up, as far as you know, nothing has been done to add extra security to the databases, and anyone who makes a purchase through Kitely or with Gloebits (I learned to spell that since my first post! lol) or any currency that allows the item to be delivered back to their home grid, is at risk for someone to make a purchase, hack the database, export it, and upload it for sale or giveaway on SL or Inworldz or any currency enabled (or not) closed or open gird or standalone.

I do agree that the copybotters want to grab the "cool" stuff which makes OS not their first destination, but, that is the situation today since the creators haven't felt their items are secure in the present arrangement. But with the promise of a secure channel I would expect more creators to embrace it and more of the cool stuff to eventually make its way here, thereby changing the dynamic and the desirability of coming to OS to steal content.

I am just wondering if the glaring holes that have been a part of OS from the start (content security wise) have been plugged or not.

What I was hoping for was to hear that the items sent through these currency systems were going to be stored in a new encrypted table in the database that would store that data securely and the data from that table would not be exportable as an OAR or IAR, or that there was some other new type of protection in place to prevent those types of hacks from being so easy to do.

As my grandfather used to say, a lock keeps an honest man honest, but it won't stop a thief. I was (am) just hoping someone had/has placed a new lock on those old holes.

I don't expect any interest from developers to introduce draconian encryption of our own region assets. The whole point of OPENsim is transparency, not to have our own data be encrypted without us having the key to that data.

Until the permission system is bug-free and working like it should, admin-mode has very valid uses. Even doing a regexp on .xml files within an OAR has valid uses like the case you presented yourself.


It takes a switch of mind, and a different approach to create projects for the hypergrid. For example, always assume customers can godmode your stuff; always assume someone can modify scripts within stuff. Yes that is a challenge (and not impossible!), but in return we get a nice open ecosystem where land is affordable and anything can be realized. Since OpenSim is open source, we can write our own custom modules for handling situations where particular security features are wanted (for example, a combat system).


Whether we pay 0L for a freebie or pay 100L for an item through a plugged in currency module doesn't change anything about how assets are stored in OpenSim core.

Perhaps what you're really looking for is the closed walled garden called Second Life. In OpenSim the remaining options are grids with severe export and permission restrictions, which would also imply selling to the hypergrid is out of the question.

Alternatively, open your mind a bit and don't treat customers as potential 'thiefs' like the merchants in SL do. People who have bad intentions are just a tiny fraction of all the good people out there, certainly on OpenSim.

Security would be augmented greatly if the db was encrypted. As it stands, I can rez anything on my sim, find the entry in the relevant table with a simple query, pop my uuid in the creator field and that object is now mine for all intents and purposes.

I started this thread in the hopes of finding out that one of the currency solutions had also worked on securing the content that was passing through its system. How they would do that (adding an encrypted table, tokens, certificates, region modules, .dll or whatever) is up to them but... I keep seeing new currencies come out and each time I do I have the same question, have they done anything to secure the content?

The OS devs have stated from the start that they would not be making/offering/supporting a money module. They have also stated that the plugin type architecture of OS would allow those who wanted to make a plugin to handle currency to do so. In my mind, this has nothing to do with the core devs, as they concluded long ago, a currency module should not be a part of core.

The currency system that moves beyond securing the transactions (money) and offers a way to also secure the content that passes through their system, to that system will go the spoils as when true security for the whole process can be offered, that is when the creators will embrace OS.

Perhaps the value of my post will be to point out to the people that are making the currency systems that the burden to secure the content that they are profiting from is on their shoulders. IMHO.

Hi there Orb,

Been a long time since I posted in here, but to your point - there is an enormous difference between a money module and a security "module". Not to mention, the type of security which you desire is not just another module. It is something someone would need to write as a fork and implement something akin to a new "SecureSim - a fork of OpenSimulator".

There are many grids out there right now that use OpenSimulator with their own money modules in place, making secure transactions, using their own X$ on their own exchanges. The issue with that is that they too, like SL, are mostly closed grids - no hypergridding in and out. Those that do allow hypergridding, have a few select regions for it, or they have guest avatars so when you arrive and none of your apparel appears, you have something to wear while you're there.

Making a money system is pretty simple. Making a secure transaction isn't that much more difficult. Taking an entire simulator system, and forcing it into some myriad encrypted environment - is an entirely different beast. It's also completely unnecessary. Basically you are dealing with two different types of marketplaces.

The transactions, including the transfer of objects, are entirely secure. In one scenario, you have a closed marketplace where items can never leave. They are subject to only the piracy problems of that self-contained system. In the other, you have an open marketplace, where items can be sent cross-grid to anywhere that accepts inbound transactions. That's it, you're done.

Now, you can accept that in a closed marketplace with trademarks and copyright rules, nobody will be able to "legally" reproduce something of yours. In an open marketplace, much like Bandcamp and iPlugger for musicians, Kickstarter for entrepeneurs, etc. - there are no controls for someone listening / looking at something you've done, taking it, tweaking it, and trying to sell it themselves.

In the end, it wouldn't matter if you encrypted everything. Whoever owns the grid / region that the item was sent to, has control over the database. Someone has to have permissions controls to restore lost items, rollback database problems, etc.

I used to be a huge scripter in SL many years ago. Some I gave away, many I wrote for profit embedded in some really nice items for some people and shared the profit. All of them ended up everywhere all over the place by people that ripped them off during one of SL's permissions screwups - another issue that you'll never completely avoid. The 'shit happens' rule.

So no worries. I think you should do what most people do in the SL / OpenSim world that do both. Leave your high-ticket / popular items you're worried about in SL. Make some truly nice things you'd like to share with the rest of the world for OpenSim. Put a pricetag on it, put it up in a marketplace somewhere. I think you'll be surprised how much more money vs. ripoff you will make in the Open world, where people pay out of appreciation. It's always impressed me.

Just some rambling thoughts. Have a great one! I hope you do decide to put a few things out there. I know I spent a fortune on some great people's natural landscaping stoofs over at Kitely. Amazing stuff man.