Tuesday, August 23, 2016

2016 HG: Planning for the future OSHG. A discussion of HG security. HGProjects

Planning for the future OSHG.  
A discussion of HG security. 
The shift by MOSES to the Halcyon branch of OpenSim has major implications for hypergrid. A recent discussion in OpenSim Virtual helps to clarify the issues.  Here I summarise and comment on the issues, then provide a copy of the original content. 

Summary

  • The military is seriously concerned about the security of the hypergrid.
  • Main military concern is "unauthenticated access to databases."
  • Grid operators and content creators may need to be concerned also.
  • Mike Dickson, in particular, is concerned.
  • The military has also had problems getting its patches accepted by core.
  • The main problem with acceptance is backward compatibility

To follow developments

Related

***********************************
  • (More after the break)
  • Where is Arcadia?
********************************************************************** 

Metaverse events, current and upcoming


***********************
*************************

My comments

  • Security of the hypergrid has been of concern to content creators for years.
  • The suitcase folder seems to have allayed some of the concerns. 
  • The suitcase technology should avoid the "unauthenticated access to databases."
  • But it is not used across the entire hypergrid. 
  • And I don't know that the code actually avoids opening off-grid databases.
  • The OpenSim Virtual discussion did not go into the suitcase technology.
  • I hope that Douglas Maxwell will comment on suitcase technology.
  • --
  • I don't read the article as indicating that the military wants to abandon HG.
  • It seems that the military will not be able to use HG as it is now coded.
  • The military may already have the code for the major fixes needed.
  • But the code cannot be added to the core release because of compatibility issues.
  • --
  • The security concerns are not limited to the military.  The grids have a stake too.
  • Two grids recently had DDOS attacks.  
  • No security problem there, urls are necessarily public.
  • But malicious intent, obviously.  
  • Couple that with "unauthenticated access to databases."
  • I don't want to think about it.  
  • But I hope the grid operators do want to think about it.
  • --
  • You can comment in the comment section of this article.
  • I will add the comments to this article or incorporate them into a new article.
  • I think this matter will get resolved with a level of security that satisfies the military, the grid operators, and the content creators.

Selected comments from the discussion 

Mike Dickson
Nods, there's much about the implementation that isn't secure, doesn't scale, etc. As Douglas said it was a research project, a good proof of concept. But exposing the internals of the grid over networked protocols isn't practical for commercial (or likely military use). There are definitely better ways to do it. And hopefully with attention to evolving the grid services and protocols it can be done in ways that do scale and allow exchange in secure fashion. 
-
Mike Dickson
Actually the note from Douglas did indicate that Hypergrid could be done but would be done differently than currently implemented. That's an area I'm interested in personally. And yes they were also clear they tried to work with the OpenSim core team and didn't feel that was working.
-
Halcyon is a significant departure from OpenSim, it was forked some time ago. That being said I think it and some of the technology embedded in it are representative of the future of VW simulation. It would be good to see others who want to contribute to that future participate in Halycon development.  
-
Douglas Maxwell
Good Question, Minetheree. Hypergrid tech is a good "proof of concept" that grids can be connected and the achievement is significant. However, it is time to find a way to apply it in a practical manner that is safe. In a nutshell, our problem stems with unauthenticated access to databases. For us this is an information assurance security issue, the civilian application would be to make content safe for commerce. v/r -doug
-
Douglas Maxwell
It is simply too easy to compromise Open Simulator.
-I understand where you are coming from and for most civilians, data protection is a dry subject that doesn't usually affect them directly. Until it does. (cue ominous music) This usually manifests itself through identity theft and fraud.
-Our problem with the OS code in its current state is that it is too easy to exploit. In our examination of Open Simulator security, we were able to copy entire sims from various grids without using a client AND not even having an account on the remote grid. It was just like visiting a web page and letting content fill a cache. We deemed this "openness" to be too dangerous. That is what I mean be unauthenticated access to the databases. If you want details on exactly how we did it, I'd be happy to share.
-We then brought the harvested content into our test grid and the ownership/creator tags were all washed. The permissions for all those objects are stored in the database, we simply copied down the assets and left the permissions behind. This is a major problem that needs to be fixed. We think web tokens may be the way to go here.
-It is my personal opinion that the metaverse economy hasn't blossomed like SL did in the previous decade because of a lack of real content protection. Without proper content protections in place, the solution providers and creators in the Open Simulator ecosystem don't have the confidence their hard work won't be stolen and distributed without restraint. Confidence in the economy is what makes the economy work.
-Of course we have the DMCA and instructions for takedowns. Realistically, that is pretty much the same as making a citizen's arrest. It is also tedious for prolific creators to send notices to every violator and it is unlikely they would have the financial resources to pay an attorney to follow through should there not be compliance. It is even more unlikely you can actually name the real identity of the violator in a complaint.
-Don't underestimate the importance of securing your digital life. Would you keep your social security and credit card numbers on a notecard in your inventory? (I hope not.) The more value and commerce that is performed, the more likely it is for a criminal element to try to exploit any vulnerability.
-Lastly, I spoke to Maria about this here:http://www.csoonline.com/article/2887254/data-protection/are-metaverse-pioneers-making-the-same-old-security-mistakes.html
-If you need an example, here is a quick writeup of a recent Hack:
http://www.hypergridbusiness.com/2016/08/avi-labs-hacked-grids-down/

-I hope this helps.

********************************************************

From OpenSim Virtual. Entire discussion.


Fred Beckhusen (aka Ferd Frederix)
Headline should be "military abandons hypergrid". And opensim just lost SL vehicle compatibility and PhysX physics. 

*** Mike Dickson
Aug 17, 2016
Actually the note from Douglas did indicate that Hypergrid could be done but would be done differently than currently implemented. That's an area I'm interested in personally. And yes they were also clear they tried to work with the OpenSim core team and didn't feel that was working.
- Halcyon is a significant departure from OpenSim, it was forked some time ago. That being said I think it and some of the technology embedded in it are representative of the future of VW simulation. It would be good to see others who want to contribute to that future participate in Halycon development.
***
Minetheree Athanasios
Aug 17, 2016
I keep wondering what people who say the hypergrid has issues (or whatever the current terminology) say are those issues?
- The only problem I have seen mentioned, and not tying into it, is god powers.
- I have considered that since grids, and individuals, would never give up god powers, since they could not function anymore, that hypergriding is just the convenient scapegoat.
- The hypergrid protocol, is, in and of itself, not the issue, it merely connects us all. It is where they end up that can be an issue due to possible nefarious activity by scoundrels who prey on the innocents.
- I would love to hear some real facts as to why some keep saying it is THE issue tho.
*** Douglas Maxwell
Aug 17, 2016
Good Question, Minetheree. Hypergrid tech is a good "proof of concept" that grids can be connected and the achievement is significant. However, it is time to find a way to apply it in a practical manner that is safe. In a nutshell, our problem stems with unauthenticated access to databases. For us this is an information assurance security issue, the civilian application would be to make content safe for commerce. v/r -doug

*** Minetheree Athanasios
Aug 17, 2016
Hi Doug, and thank you for your response. So as I understand what you are saying, and with my own small personal knowledge, the issue for you is the endpoint of the hypergrid teleport...where I have read somewhere or other that end point grid/region is able to get access to the users inventory, which makes sense of course.
- Though I don't especially need to understand specifics and while I would suppose "some" people may have used this access in negative ways, I have never heard of any specific people doing this.
- So if this unauthenticated access to databases is the basic issue the Army has, then I can imagine the reason why is that such an opening needs to be squashed (or whatever tech term is used) because NO SUCH ISSUES CAN BE ALLOWED IN GOVERNMENT USE whether or not they actually happen, just that they CAN happen.
- In civilian commerce and all that comes with that, secure permissions etc it seems to me that is already taken care of by the grid desiring such things to filter what they don't wish to see "out in the wild" so to speak.
- Several of the commercial opensim implementations do that very well with existing code.
- If that is taken care of within the grid/place/region then the hypergrid is spared per se.
- I do know that Christa and others have done some work in which the "suitcase" is used.
- I wonder if you have gotten in touch with her? This is a link I found
http://www.ics.uci.edu/~lopes/opensim/HypergridReferenceGuide.htmlfrom http://opensimulator.org/wiki/Hypergrid
- I suppose I am missing something thru lack of the tech knowledge needed but it also appears to me that those of us in non commercial applications don't need to be especially concerned. We all share all over the hyperverse mostly full perm items, that, btw, most of the hypergrid connected commercial grids make very good use of.
*** Cinder Roxley
Aug 17, 2016
Indeed, arbitrary data can be injected into the database (including computer viruses, where, if nothing else, once antivirus picks up a signature will quarantine or erase the db's data storage) by not only other grids but by anyone with access to the internet.
- Furthermore, there are many unsophisticated open ended attacks that simply just haven't been done. For example, one could open a large amount of partial requests to the asset server given a single large mesh object contained in the database. The requests remain open. Eventually, the victim server can't handle the amount of open requests and crashes. This is just one example.
*** Minetheree Athanasios
So, Cinder, you are talking about a hypergrid traveler with bad intentions could feasibly jump to a grid and cause these issues...so it seems.
- So this would be an example of where the hypergrid protocol would itself need fixed?
- Maybe so, or certainly so, I have never heard of this happening either, and I keep a decent hand on the pulse of opensim.
- Wouldn't this be a case of opensim code making sure this does not happen in the destination places?
- I don't really know much of all this tech, just a laywoman really, tho I do know enough about computers to know the old adage that I also know very little.
- I am still unsure that it is the hypergrid protocol itself that is the issue, but more that grid services and basic opensimulator code could deal with these issues.
- Although I suppose if it was all used commercially the hypergrid could also have further work done on it specifically.
- But it is not all commercial by any means.

*** Mike Dickson
- Aug 17, 2016
Nods, there's much about the implementation that isn't secure, doesn't scale, etc. As Douglas said it was a research project, a good proof of concept. But exposing the internals of the grid over networked protocols isn't practical for commercial (or likely military use). There are definitely better ways to do it. And hopefully with attention to evolving the grid services and protocols it can be done in ways that do scale and allow exchange in secure fashion. 
*** Douglas Maxwell
- Aug 17, 2016
It is simply too easy to compromise Open Simulator.
- I understand where you are coming from and for most civilians, data protection is a dry subject that doesn't usually affect them directly. Until it does. (cue ominous music) This usually manifests itself through identity theft and fraud.
- Our problem with the OS code in its current state is that it is too easy to exploit. In our examination of Open Simulator security, we were able to copy entire sims from various grids without using a client AND not even having an account on the remote grid. It was just like visiting a web page and letting content fill a cache. We deemed this "openness" to be too dangerous. That is what I mean be unauthenticated access to the databases. If you want details on exactly how we did it, I'd be happy to share.
- We then brought the harvested content into our test grid and the ownership/creator tags were all washed. The permissions for all those objects are stored in the database, we simply copied down the assets and left the permissions behind. This is a major problem that needs to be fixed. We think web tokens may be the way to go here.
- It is my personal opinion that the metaverse economy hasn't blossomed like SL did in the previous decade because of a lack of real content protection. Without proper content protections in place, the solution providers and creators in the Open Simulator ecosystem don't have the confidence their hard work won't be stolen and distributed without restraint. Confidence in the economy is what makes the economy work.
- Of course we have the DMCA and instructions for takedowns. Realistically, that is pretty much the same as making a citizen's arrest. It is also tedious for prolific creators to send notices to every violator and it is unlikely they would have the financial resources to pay an attorney to follow through should there not be compliance. It is even more unlikely you can actually name the real identity of the violator in a complaint.
- Don't underestimate the importance of securing your digital life. Would you keep your social security and credit card numbers on a notecard in your inventory? (I hope not.) The more value and commerce that is performed, the more likely it is for a criminal element to try to exploit any vulnerability.
- Lastly, I spoke to Maria about this here:http://www.csoonline.com/article/2887254/data-protection/are-metaverse-pioneers-making-the-same-old-security-mistakes.html
- If you need an example, here is a quick writeup of a recent Hack:
http://www.hypergridbusiness.com/2016/08/avi-labs-hacked-grids-down/
- I hope this helps.
*** Mike Dickson
- Aug 17, 2016
Very well said Doug. An excellent synopsis. And to me really the most important point is we can do better and hopefully make this a platform that VW's can grow with.
*** Douglas Maxwell
- Aug 17, 2016
+Minetheree Athanasios You are absolutely correct: "So if this unauthenticated access to databases is the basic issue the Army has, then I can imagine the reason why is that such an opening needs to be squashed (or whatever tech term is used) because NO SUCH ISSUES CAN BE ALLOWED IN GOVERNMENT USE whether or not they actually happen, just that they CAN happen."
- We have policies that we must adhere to when deploying software to our networks. You just gave a good synopsis of one of the policies governing how to deploy a database. We can't allow a database to be accessed by anyone or anything without verifying identity.
- So... if we are going to use Open Simulator or some future derivative, then it must be hardened to adhere to our security policies.
- I'm not just a drone following the rules blindly, these policies are derivatives of guidance from some very smart network security advisors from both the Dept. of Defense (DoD) and National Institute of Standards and Technology (NIST).
*** Minetheree Athanasios
- Aug 17, 2016
Interesting article your first link Doug. The HGB one I had read as I read all her stuff.
- So, yes, it is clear that for some applications using opensim the issue is very important. A deal breaker.
- I get that and I get there are lots of security holes. I have also read several times from other sources that entire regions can be copied, tho I don't know how and don't need to know.
- I also think opensim core and your group should have kept working together. I was reading and watching how that went down, and it bothered me a bit.
- I do wonder if regardless of all this, if all this work would change the nature of opensim and give it more growth. As it stands now the hypergrid connected aspect is doing very well....however, I understand that even so they are operating in unsecure situations that can be a problem.
- I am unsure growth will follow to the commercial grid type iterations. Even as we know that SL has been in decline for some time now, so have followed the similar iterations outside it.
- There is also a wealth of knowledge, much of it untapped for one reason or another... tech people who have no interest in any commercialism. And those tech people have done their own things such as the Arriba fork that is still being used by some.
- I am basically unsure if the two opposing ideals are compatible, and if they are not, how this will wash out over time.
- As the article states, closed grids such as SL and the few others have less issues due to them running their own instances on their own equipment.
- Perhaps, as I have seen some write, this will all eventually become two distinct platforms with the commercial places doing their thing and the "free meta" proponents doing theirs. I don't know really, it will be interested to watch how it all develops.
- In any case, those who are keen on the security issues and related opensimulator code issues have much more invested, especially the Government, to doing all this.
- If that code seems needed in the other aspects I would hope the devs would use it.
- Thank you all for your thoughts.
*** Minetheree Athanasios
- Aug 17, 2016
We posted over each other there Doug, thank you.
I am well aware government has top notch people working for them.
I do understand protocols of such nature.

*** Talla Adam
- Aug 17, 2016
Thank you for taking the time to share your insights +Douglas Maxwell. I'm personally very interested in your work on a html5 web viewer for Opensim quite apart from the security aspects & Halcyon. Please keep us posted on progress when time allows. Thank you.

*** David Daeschler
- Aug 17, 2016
I am very happy to be working with the MOSES team on some very complex goal oriented projects. That our goals for the Halcyon platform aligned so well with what they were looking for made it an obvious collaboration. Having a good reason (keeping people safe) to implement some of our more ambitious software designs makes it a pleasure.

*** Minetheree Athanasios
Yesterday 6:45 AM
I'm unsure what your message is, David, in saying "(keeping people safe)".
- I, and my peers, feel perfectly safe in the hyperverse, using the hypergrid all the time. My peers are more often than not very well experienced SL users, who either still use SL sometimes, or have completely left...but they are often old (in SL style "old"). They have their eyes open and see clearly the issues.
- But of course the mentality, the mindset, the feelings, if you will, are quite different than that which a devoted closed commercial grid person would feel.
- Perhaps that message makes them "feel" more secure, for one reason or another.
- But for us, and for me, out in the free Meta many things have less concern for us. Griefing, for example, is nothing for us. We can simply reload the latest OAR, if that is needed, or just ignore them. We can do these things under our own powers and it is of no real consequence, we have no need to depend on others.
- (keeping people safe) must mean some kind of mental feelings of safety then...because there is no real physical safety involved...unless of course someone takes things to extremes and stalks or whatever in our real life world.
- If that is the message then I think it is a bit melodramatic to say such things.
- We aren't discussing people's feelings, rather real or imagined, and I am aware some people get so immersed they get reality a bit tangled up sometimes, but the need by the Military, of which I am convinced via Doug's comments in this thread, to have -0- open code that can allow outside influences. I get that part.
- I also get that in your grid, Inworldz, these things have some probative value.
- What I see as reality tho, is that most people could care less about these things. They don't really affect them personally and they are just there to relax/escape/have fun.
- I also don't see the "masses" being much interested. The reality is that these things are mostly of specific interest to "some", but by no means all, creators.
- The Kitely market shows this plainly.
- So keeping people safe, I don't see your point.

*** David Daeschler

Yesterday 7:00 AM
MOSES is used for military training to keep soldiers safe in foreign territory. Its mission is much bigger than what you were talking about above. 

*** Minetheree Athanasios

Yesterday 7:50 AM
Yes, of course MOSES wants that. I think that has been made clear. And I don't want to nitpick. You said:
- "I am very happy to be working with the MOSES team on some very complex goal oriented projects. That our goals for the Halcyon platform aligned so well with what they were looking for made it an obvious collaboration. Having a good reason (keeping people safe) to implement some of our more ambitious software designs makes it a pleasure."
- Obviously, back in the days of early opensim, MOSES, if it was around at all, was not on anyone's agenda for even the thought of any collaboration.
- So it is more of an event of convenient and useful, to you and your grid, that things worked out as they did.
- Keeping our military safe is always a first priority to me, I am an American. I really don't like hearing of military men and women being killed in ultimate service for the rest of us.
- But that is not the same as "keeping people safe" in opensim, there is, or course, a much more lenient need to, and most aren't even interested in the conversation.
- Now, on the other hand, I have seen some people write simplistic easily digestible words like "the hypergrid is unsafe". But those words are disingenuous.
- "unSafe" in the style of MOSES and "unsafe" relating to day to day opensim are quite different things, and more importantly they don't really address the real issues, as has been discussed in this thread, quite well.
- Saying the hypergrid is unsafe without further defining what this is about, does nobody any good and reading some peoples words when they do finally try hypergating is often something like "I was so scared to hypergrid" and "Wow, this is so much fun".
- Anyway, I got my own base questions answered by Doug, which he did quite eloquently and in a more laypersons understanding. I do appreciate this as it now changes how I look at some things, and I am always interested and open to do that, especially as I get older and more malleable-))

*** Talla Adam

Yesterday 11:32 AM
I deleted a couple of comments. Let's keep the discussion on topic only please. Thanks everyone.
*** +Minetheree Athanasios
I think David means a number of things by "keeping people safe" but Douglas has explained very well what the security problems are with Opensim and if some improvement can be made by the work they are doing in collaboration with Inworldz then I think that is to be welcomed and the broader community should be kept informed which is why I started this topic.
- I'm sure people's creations on which they make money are a big concern to David too and part of what he means by staying safe. He runs a commercial grid so it should be. We have seen Kitely address content security in their own unique way, which has worked very well to date. I would love to see Inworldz take a similar approach and maybe open up to Hypergrid too but that's just me thinking. In any event the Hypergrid has many grids with different approaches to content security. Littlefield blocks exports but not Hypergrid so clearly not everyone is willing to share and share alike nor should they be expected to. It a wonderful thing to share and I hope that remains a big part of the Hypergrid but everyone owns the free Metaverse - not one group. If security can be address in a practical way that leaves options open for sharing as well as content security then I hope we can keep an open mind and encourage the developers to do their best.

*** David Daeschler

Yesterday 11:38 AM
Honestly, the only thing I meant by keeping people safe was that our collaborative work will be used to help soldiers prepare for dangerous situations. That's it. I didn't realize it would be read any other way. My concentration is improving the Halcyon software to provide a better platform for meeting the goal of massive and scalable 3d simulation. All the other open/closed content stuff is secondary, and will be determined by the requirements set forth by users and collaborators.

*** Minetheree Athanasios
- Yesterday 12:00 PM
- No worries Talla, I am curious of the distinctions, those little quibbling things that interest me from time to time.
- It has been answered very well by Doug, who has no problems giving clear answers. I respect that.


**********************************************************************************

News and Notes

    ***********************

    The Hypergrid WIP Show

    The Hypergrid WIP is a one hour "show & tell" of works in progress or recently completed. All builders from beginner to pro are invited.  Presentations are in voice and text.  For text presentations, best bring the text in a notecard and paste it into chat.  Voice presentations may be captured in video.  Stills and videos from the show may appear in this blog and elsewhere.

    Next WIP show 

    • Next WIP show: Sun. Aug 28, Noon SLT 
    • Cookie II location (fourth Sunday of the month)
    • HG address below: paste into the World Map next to Find. Click Find, TP
    • grid.kitely.com:8002:Cookie II 
    • in Kitely: paste into Nav (top) bar of Firestorm, Enter.
    • hop://grid.kitely.com:8002/Cookie II/68/369/22
    • Narasnook  location (second Sunday of the month)
    • Pandora allows presenters to run high threat OSSL functions.
    • world.narasnook.com:8900
    • Put the line above in your World Map next to Find.  Click FindTP
    • At Narasnook, use World Map to search for Pandora
    • Cookie II location (fourth Sunday of the month)
    • HG address below: paste into the World Map next to Find. Click Find, TP
    • grid.kitely.com:8002:Cookie II 
    • in Kitely: paste into Nav (top) bar of Firestorm, Enter.
    • hop://grid.kitely.com:8002/Cookie II/68/369/22

      Previous Articles from the WIP show 


      HG links-- depending on your interests 

      Radio in the virtual world

      Metaverse beginner help

      Schools in virtual worlds

      • I publish 5 or 6 days a week, skipping 1 or 2 days in midweek
      • For more on topics like this, follow Selby Evans in Google+ 
      • What do we do in Virtual Worlds? 
      • Google search this blog: Search bar, upper left--or:
      • Put site:virtualoutworlding.blogspot.com at the end of the search terms 
      • Annotated screen shots made with Jing
      • All original content on this blog is Creative Commons License, attribution only. 
      • Second LifeLindenSLurl, and SL are trademarks of Linden Research Inc. 
      • This blog is not affiliated with Second Life or anything else. 
      • Ads are from Google.

      1 comment:

      1. Just to clarify my role vis. the comments attributed to me above: I am an independent developer who has made a number of substantial contributions to the Halcyon code base (mesh, materials, MOAP, multiple layers and attachments, etc). I'm not affiliated with the MOSES team nor am I employed by InWorldz. I will continue to contribute to Halcyon and in particular am interested in hypergrid like capabilities in the future. That may not be a strong need for InWorldz or MOSES but I do believe it is in general for Halcyon to see broader adoption.

        ReplyDelete

      Note: Only a member of this blog may post a comment.