(Risk) Non logged in clients can use place names and alter entities


#1

Simple Summary Below Explanation.

Flagging @chris so this can get noticed and hopefully worked on

Today while doing some testing, also confirmed with @OmegaHeron, I noticed that if I logged out I was still on his domain but his domain server did not show I was anyone, just “Agent” but no name listed.

I decided to do some other tests and verify if I could use the lobby (esc key) and it showed me other places I could transport to. On those places, I could move about as usual and access content. I could right click on something and hide it/unhide it. I did not delete anything as I did not want to ruin someone’s hard work.

This persisted even with me closing the client, reopening it and clicking the x to the login box

To sum this up, a non logged in avatar can do the following things without detection, other than if you log their IP address

  • Not show up in the online box (which is by design but allows stealth movement)
  • Use Lobby to find a “Place” to visit.
  • Visit any Domain/Place not locked down (default settings allow anonymous access - even HQ)
  • Edit entities at will which includes locking/unlocking/deleting/editing. (Serious Risk)

Until something is done to control access control to entities this will be a persistent problem and you will depend on your backups if items are deleted.

You can protect yourself by doing one or all of these things

  • Depend on your backups of and reload them should something be deleted or altered.
  • Do not make your place name public as “Lobby” works for unlogged in avatars (accessible via the ESC key).
    • This is doable by restricting access to specific usernames or not putting a picture for your “Place” as it will not list it if those are missing.

#2

It’s bothersome that the choice is - no public access or have to clean up after (clearly) non-malevolent things. A simple set of rules for who can manipulate objects in a domain just like the access list would go a long way. Don’t define any names? Everyone can do everything. Define names? Only they can place, edit, remove domain objects. If you can discern an agent identity for allowing/disallowing entry then it seems to follow you could do so for domain rights as well.


#3

Thanks for bringing this up, here is what we are doing next on security, we will be working/deploying next week:

There will be a new list of ‘editors’ on the domain settings page where you can set who you want to be able to modify content on your domain.

There will be a flag on individual entities allowing you to designate them as interactive, meaning that they can be physically manipulated or changed by scripts, etc, by anyone (not just the editors you designate in domain settings). This would be things like moveable chairs or things that need to animate, opening doors, etc.

There will be an ability to set whether you want others to be able to create new entities in your domain.

These changes seem adequate for getting basic public-accessible domains up and in the directory. Comments welcome.

BEYOND NEXT WEEK:

As we get a computational currency in place (where we can share machines with each other to earn credits), you’ll be able to impose fees for making changes in your domain. This seems like an effective direction as well that some will want to use.

You can also decide whether people need to be logged in (signed in with a real HF account), versus not logged in at all (as is the case today with accessing the Sandbox domain, for example). Giving finer grained controls on what logged vs non-logged users can do seems like another thing that makes sense to add.


#4

Thanks for letting us know the road map and general timescales on this @philip, it’s much appreciated and welcome news!


#5

Welcome and thanks for covering the changes that are coming! I really look forward to seeing this for security sake and it seems like a good plan as you have outlined.

I am very much looking forward to the computational currency and the impact that will have on all of this.