Army reveals OpenSim’s top security risks

The U.S. Army’s Moses project is one of the most high-profile users of OpenSim, with a focus on training and simulations rather than on using OpenSim as a platform for a social grid.

Douglas Maxwell

Last Friday, project leader Douglas Maxwell sent a note to OpenSim developers disclosing four “high priority security flaws” in the OpenSim software.

“We did this out of an abundance of caution and respectfully invite their participation as we design and implement corrections,” Maxwell told Hypergrid Business.

The note was intended to serve as a notification of disclosure, prior to the public release of the vulnerabilities, but it went to an open mailing list, so the vulnerabilities are now public.

“Luckily all this set of flaws is already known by this list subscribers, so no harm done,” wrote OpenSim developer Leal Duarte, who is also known as Ubit Umarov in-world.

Here is a brief summary of the vulnerabilities.

  1. When an OpenSim viewer communicates with the grid’s server, information about content on the grid is transmitted unencrypted, allowing eavesdroppers to get the UUIDs, which are unique object identifiers, as well as session IDs, which can make it easier to steal content and to impersonate other users.
  2. Scripts have the ability to make a grid participate in a distributed denial of service attack or botnets. “Grid owners would not even know their servers were being used in this way,” Maxwell wrote.
  3. If the grid is misconfigured in a particular way, attackers can send operating-system-level commands to the grid, commands which normally can only be issued by an administrator. This can be used to damage a grid.
  4. OpenSim does not have adequate restrictions on the languages used by scripts, potentially allowing attackers to access files on a server. “In other words, a user without credentials on your server can own it,” he said.
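As an added, defender-side example that is not part of the article or of the OpenSim project: a small Python audit of an OpenSim.ini for the opt-in settings behind items 3 and 4 (the remote admin interface, non-LSL script compilers and high-threat OSSL functions). The key names follow OpenSim.ini.example as I remember them and are an assumption to check against the version you run; the sample configurations are constructed.

```python
"""Flag the opt-in OpenSim.ini settings behind items 3 and 4 above.

Constructed example, not the article's or the OpenSim project's own code.
Key names ([RemoteAdmin] enabled / access_password, [XEngine]
AllowedCompilers / AllowOSFunctions / OSFunctionThreatLevel) are taken
from OpenSim.ini.example as remembered; verify them against your version.
"""
import configparser
from typing import List

# Script languages other than LSL compile to ordinary CLR code that runs
# with the simulator process's own file-system rights (item 4).
UNSAFE_COMPILERS = {"cs", "vb", "js", "yield"}

# OSSL threat levels in ascending order, as listed in OpenSim.ini.example
# (assumed). Above Moderate, scripts reach host-affecting functions.
THREAT_LEVELS = ["none", "nuisance", "verylow", "low",
                 "moderate", "high", "veryhigh", "severe"]


def _parser(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(
        inline_comment_prefixes=(";", "#"),  # OpenSim uses ';' for comments
        interpolation=None,                   # leave ${Const|BaseURL} alone
        strict=False,                         # tolerate duplicated keys
    )
    cp.read_string(text)
    return cp


def _truthy(value: str) -> bool:
    return value.strip().strip('"').lower() in ("true", "yes", "1", "on")


def audit_opensim_ini(text: str) -> List[str]:
    """Return one finding per risky setting; an empty list means nothing flagged."""
    cp = _parser(text)
    findings: List[str] = []

    # Item 3: the remote admin interface accepts operator commands over the
    # network once enabled. It is off by default, which is Thielker's point.
    if cp.has_section("RemoteAdmin") and _truthy(
            cp.get("RemoteAdmin", "enabled", fallback="false")):
        findings.append("RemoteAdmin is enabled; keep it off or firewall it")
        if not cp.get("RemoteAdmin", "access_password",
                      fallback="").strip().strip('"'):
            findings.append("RemoteAdmin has no access_password set")

    if cp.has_section("XEngine"):
        # Item 4: C#/VB/JS scripts are compiled with the simulator's privileges.
        raw = cp.get("XEngine", "AllowedCompilers", fallback="lsl")
        compilers = {c.strip().lower()
                     for c in raw.strip().strip('"').split(",") if c.strip()}
        bad = sorted(compilers & UNSAFE_COMPILERS)
        if bad:
            findings.append(
                "AllowedCompilers permits non-LSL languages: " + ", ".join(bad))

        # OSSL functions are the usual route from a script to the host.
        if _truthy(cp.get("XEngine", "AllowOSFunctions", fallback="false")):
            level = cp.get("XEngine", "OSFunctionThreatLevel",
                           fallback="VeryLow").strip().strip('"').lower()
            if (level in THREAT_LEVELS and
                    THREAT_LEVELS.index(level) > THREAT_LEVELS.index("moderate")):
                findings.append(
                    f"OSFunctionThreatLevel is {level}; above Moderate, "
                    "scripts reach host-affecting OSSL functions")
    return findings


# Constructed sample configurations (not from any real grid).
SAFE_INI = """
[RemoteAdmin]
enabled = false
[XEngine]
AllowedCompilers = lsl
AllowOSFunctions = false
"""

RISKY_INI = """
[RemoteAdmin]
enabled = true   ; switched on for a one-off restart and never switched off
port = 0
[XEngine]
AllowedCompilers = "lsl,cs"
AllowOSFunctions = true
OSFunctionThreatLevel = VeryHigh
"""

if __name__ == "__main__":
    for name, ini in (("safe", SAFE_INI), ("risky", RISKY_INI)):
        print(name, audit_opensim_ini(ini) or ["no findings"])
```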

These vulnerabilities are a particular concern now, since Moses is about to release a Web-based viewer for OpenSim, Maxwell said.

“By January, we will be in a position to discuss openly the technical details surrounding the web viewer and the security implications,” he added.

Maxwell is the science and technology manager for virtual world strategic applications at the U.S. Army’s Simulation & Training Technology Center, which runs the Moses project.

Screenshot of content-scraping using the command line. (Image courtesy Douglas Maxwell.)

He also released a paper about OpenSim security issues with his colleague Michael Heilman, a researcher with the University of Central Florida’s Institute for Simulation and Training and lead software engineer and architect at the University’s Virtual World Research Group.

Click to download paper “Securing the Hypergrid.”

However, not all OpenSim users and developers have the same security concerns as the U.S. Army, prioritizing flexibility, usability and connectivity instead.

Crista Lopes

That makes OpenSim more accessible, said Crista Lopes, an OpenSim core developer and a professor of informatics at the Donald Bren School of Information and Computer Sciences at the University of California, Irvine. She recently won a $10,000 prize for her work.

“I encourage young people and newcomers to dabble into security issues of complex software,” Lopes told Hypergrid Business. “OpenSim is a great platform to learn about them.”

She is also the inventor of the hypergrid, which allows users to teleport between grids, and even to move content and send instant messages from one grid to another.

Moses does not allow hypergrid teleports to other grids.

Meanwhile, grid owners already have many options for increasing the security of their grids.

Josh Boam

“There are many options out there,” said Josh Boam, founder of the SkyLife Grid and hosting company. That includes replacing the default back-end grid management tool, which is called Robust, as SkyLife grid did. Their version is called PHP Robust.

“Everything is done via a Web server and is much faster and can handle more load,” he told Hypergrid Business. “Security in OpenSim can only be so good as the people hosting the regions. Firewalls and IP rules with access restrictions is the way to go.”

In addition, there is a limit to how much can be done to stop hackers.

“It really doesn’t matter how secure you try and make things, someone will always try and get in,” said Cliff Hopkins, founder of the Genesis Metaverse grid and hosting company.

Cliff Hopkins

But this is a good time to discuss security issues, he said, since Linden Lab is working on migrating users from Second Life to its new Sansar platform.

“OpenSim is growing and Second Life is dying,” he said.

In fact, Second Life’s average concurrency has fallen by more than 34 percent since its peak in 2010, according to data from Grid Survey.

OpenSim offers a low-cost alternative for Second Life users, he said. And users won’t have to learn a new interface if they switch from Second Life to OpenSim.

In fact, some of the security issues have to do with decisions made by Linden Lab, the maker of Second Life. OpenSim currently uses the same viewers as Second Life, and so has to support the existing communication protocols.

Melanie Thielker

“They are rooted in the Linden Labs protocol design,” OpenSim spokeswoman Melanie Thielker told Hypergrid Business. “The Linden Lab viewer allows insecure HTTP connections and also uses unencrypted UDP network transmissions. While the HTTP part can be secured by using an expensive wildcard certificate, the UDP part cannot. This is not a flaw in OpenSimulator, but rather in the design that came from Linden Lab and stems from a less security-conscious era.”

Meanwhile, the issues connected to executing commands and to using scripting languages other than LSL are also nothing new, she added.

“Please note how he states that a ‘misconfigured’ server is open to attack,” she said. “That is simply because these dangerous options are disabled by default.”

OpenSim developers prioritize freedom of choice, she said.

“I am pretty sure the product Moses will eventually arrive at will not have these potential vulnerabilities, but that will be because it will be lacking these choices,” she said.

Finally, the ability to abuse scripts as relays and cutouts is also known, she said, and also exists in Second Life.

“Second Life has entire sims that contain 15,000 simple boxes with 255 scripts each, each of those scripts executes malicious probes against Internet hosts or sends massive amounts of spam to open relays,” she said. “Linden Lab is aware of it and shuts them down if the activity is criminal, but not if it’s just spamming or non-exploiting probes. Therefore, OpenSimulator is again not in a position to prohibit this without sacrificing compatibility and breaking existing content.”

Another vulnerability mentioned, where content is scraped from a grid, is only possible on grids that allow users to connect self-hosted regions, said Thielker, which is a small percentage of all the public grids.

“It isn’t possible on grids that don’t allow people to connect their own regions as OSGrid does,” she said.

Thielker is also the founder of the commercial Avination grid, which last fall donated a large amount of code to the OpenSim project; that code has been integrated into the soon-to-be-released 0.9.0 release of OpenSim.

Its top competitor, InWorldz, which is the most popular grid running the OpenSim software, also open sourced its code last fall. That code, Halcyon, is a version of OpenSim designed for greater security — and has been adopted by Moses as the basis for its grid.

Both InWorldz and Avination are closed grids, with users not able to teleport to other worlds. The main branch of OpenSim fully supports the hypergrid; Halcyon does not, though Moses may add hypergrid support.

The new browser-based viewer that Moses will release later on this fall will be designed to work with the Halcyon branch of OpenSim, and it is not yet clear how much additional work it will take to make it work with standard OpenSim.

A browser-based viewer will make OpenSim much easier to use. Currently, users have to download and install special viewer software. And if a grid is not on the default grid list that comes with the viewer, users have to manually add it.

Raising the issue of the OpenSim security flaws might cause some grid owners to consider switching to Halcyon, she suggested, providing some additional momentum for the Halcyon project and steering the OpenSim community more towards the Army’s vision of the future of OpenSim.

“It’s a sad thing that the U.S. Army has to resort to such methods,” she said.

Maria Korolov

Maria Korolov is editor and publisher of Hypergrid Business. She has been a journalist for more than twenty years and has worked for the Chicago Tribune, Reuters, and Computerworld and has reported from over a dozen countries, including Russia and China.

  • Thanks for the article, Maria 🙂

    Quote: “The note was intended to serve as a notification of disclosure, prior to the public release of the vulnerabilities, but it went to an open mailing list, so the vulnerabilities are now public.” Small detail here: it didn’t go to an open mailing list *by chance*. The MOSES team knew well what they were doing, since they had already been involved in deep discussions in opensim-dev (go and look for yourself). Therefore, it’s difficult (to say the least) to understand why this could have been done “out of an abundance of caution”. Indeed, it’s *a contradiction*,

    Hence, either: 1) “an abundance of caution” consists of sharing in the open a list of vulnerabilities (that invites attacks on Opensim grids), which is an egregious example of doublespeak or blatant incompetence (your choice) or 2) the fact that the “notification of disclosure” went to “an open mailing list” was intentional, and then the “abundance of caution” is an outright lie.

    Now prove me wrong. No sales brochures or vaporware announcements, please: I will ignore irrelevant arguments.

    • Douglas Maxwell

      Thank you for your comment. I’ll try to deconflict for you. As you pointed out, since 2011 we have attempted to get these vulnerabilities addressed and made no progress in getting through to the developers or the community. I even offered assistance to support the people who knew the code to perform the work – no takers. My notice to the developer’s list was to establish a date/time stamp so that the 90 day clock could start. By January we will have released the browser based viewer code. We will be asked numerous questions about our design decisions surrounding the data arbiter and the browser. This will involve talking about how we deal with vulnerabilities. My disclosure only provided descriptions and behaviors of the vulnerabilities.

      The date/time stamp was the point here, not the notification. As has been indicated many times, these issues were already known. They know about them, we know about them, and they know we know about them. The “abundance of caution” was to give the developers notice that in 90 days we were going to begin unfiltered discussions. That is plenty of time to organize a response or even work with us to address the issues. Instead, there was an immediate reply to my message indicating acknowledgement and they already knew. This acknowledgement is on record and freed us to begin discussions. Here we are.

      As you can see from the responses in the article, there is no interest in working on the flaws. It is time to address these issues and more we have not yet disclosed. Let’s take a few at a time and talk about severity, proper technical responses.

      With respect to Halcyon, it doesn’t have hypergrid functionality yet. It won’t do you much good, so it doesn’t really make sense for most of you to begin using it yet. It’s open source, so feel free to check it out, but we aren’t driving anyone to anything.

      • John Simmons

        Douglas, I think a lot of us are happy that you are moving forward to address issues. I hope that you keep the large group of open source / social grid users in mind, and create flexible options. You should not have gotten a cold shoulder from OS developers. I do hope that there is more collaboration in the future and that we can all eventually get a compatible and secure hypergrid, a secure and robust OS, MOAP that will run any modern web app, etc.

        • Han Held

          I don’t think the HG is his responsibility. I hope that either our developers start to address the valid concerns or that we are able to somehow nurture developers who will.

          I agree he shouldn’t have gotten the cold shoulder from core, but he’s not the first nor the last. It’s a shame that opensim coding isn’t more accessible and doesn’t draw a larger developer base.

      • Han Held

        I think Halcyon is irrelevant to Opensim in a lot of ways.

        First, I think its intended audience is different. They have different needs and perspectives.

        The divergence between the two is too great to make code sharing possible.

        When it comes to organizations that need a closed environment, Halcyon may be the best option for them.

        When it comes general purpose needs (an art build, a roleplay group connected over the hypergrid, a social club connected over the hypergrid) I believe that opensim is a better solution.

        Opensim empowers the individual in a way that I tend to doubt that Halcyon will be able to.

        Now, with all of that said -it’s possible for sharing to occur. Code may not be able to be shared, but higher level concepts can be. Conceptual solutions to problems (ie locking down the asset server against MitM attacks) can be.

        I think that the emotional and mental focus of the opensim community should be on assessing where our software is legitimately vulnerable, and finding solutions to that (sometimes that will be education…don’t turn on every OSSL function in the book…sometimes it will require code and a change of authentication methods) so that our platform is better suited to empower amateurs and individual region owners going forward.

        There’s a lot of emotional charge coming from my side of the street that will only get in the way, and that needs to be dialed down a notch. Let’s fix our broken windows, folks…that’s what matters.

        • JC

          I totally see your point, but the chances are in time the platform will fade away due to lack of interest and use, you only have to take a serious look at user numbers, in OS people celebrate when they hit the hundreds, in all other online ventures no one would get out of bed in the morning for anything less than multiple thousands. A huge problem that does not really affect those who have no professional interest there is security. Basically as long as no one is interested in what you do you are fine, but if you do anything at all that draws more attention than usual you are open to attacks by anyone who fancies stealing your stuff or bringing your sim down. Things were bad in SL. We had popular sims that were constantly under attack. But in OS it is pretty much open season. What Doug says about the security should worry people there, but they seem not to care because they are doing nothing that anyone cares much about. There is a kind of far out hippy attitude that pervades the place of, hey man make your stuff free then no one will steal it. And many people seem to hate that a few have tried to take the platform and make a commercial success of it, which is just plain stupid. So maybe it is best left to those who use it as a simple pastime until it falls off the edge of the virtual cliff.

          • Han Held

            It seems like you have a bit of an axe to grind regarding hippies, amateurs and I’m going to guess free culture in general.

            That’s fine, i guess, but that bias seems to be causing you to draw some incorrect conclusions (people don’t care about security …despite the multiple discussions about security happening on multiple fora) and that the opensim populace is collectively against commercialization (where_do_you_think_we_are.jpg).

            I mean, that’s like your opinion and that’s alright; but looking at the same scene, same events I have a hard time seeing where you’re coming from, honestly.

            Then again, I’m just some punk amateur and that, too, is fine. 🙂

          • JC

            Somehow a couple of comments I made to new world notes in reply to a specific post there, are being posted here. MR Han Held in particular seems to be kicking me without telling me his intentions to do so, such is the state of the internet where faceless idiots are allowed such privileges. It’s not that I don’t stand by what I said there, it’s just that I gave no permission for them to be posted here out of context. But seeing as I am here, then what the hell 🙂 Let me add a couple of other things. It seems that a great many people involved at the top of the OS food chain seem to be fine with things the way they are. This is all fine and dandy. But would it not then be better to tell people up front just that. Tell them that this is a kind of sandbox place with no particular direction, where things get done when and if the core developers are interested in the problems at hand, and if they are not busy sorting soul destroying security issues of their own. And there are big security issues, but don’t worry about it, be happy 🙂 because that gives you a chance to learn the hard way about how to fix them, hell on earth, can you imagine that argument floating anywhere else but OS. And if after all that you still decide to go ahead and struggle to make your own way and eventually have some ideas about how to make the whole thing a bit more user friendly to the greater mass of humanity, Beware!
            Old is the tree and the fruit good,
            Very old and thick the wood.
            Woodman, is your courage stout?
            Beware! the root is wrapped about
            Your mother’s heart, your father’s bones;
            And like the mandrake comes with groans.

          • JC

            For what it is worth, someone took a couple of my posts from NWN, the ones starting “I totally see your point….” and “I spent a year in OS….”, and posted them here under my JC title. They are obviously posted in an antagonistic manner. Not being under my account I cannot remove them as I did the previous one here. I asked to have them removed but it seems to be a big deal so maybe they will, maybe not. Just to point out that someone is posting here (no surprise) just to kick up a stink.

  • John Simmons

    I know a lot of people that would happily move to Halcyon if it had the hypergrid in operation. The sanest thing to do would to have MOSES level security as an option, but then allow services through security policy options (while still remaining as secure as possible). We need a “both and” rather than an “either or”. I wish that Douglas Maxwell and Crista Lopes were working together on this stuff!

    • I can’t but agree. But the important thing here is what you call “the” hypergrid. If Dr. Maxwell’s plans succeed, there’ll be no such thing as “the” hypergrid. There will be TWO DIFFERENT, INCOMPATIBLE HYPERGRIDS (pardon me for shouting, but this is important): one that’ll run the newer code, and another one that’ll run vanilla Opensim. Unless vanilla Opensim implements the new code, of course. I think such an important step to break our hypergrid in two cannot be taken without informing the users of its transcendence, and without a calm debate with the core developers. In any case, calling what the MOSES team is doing “the” hypergrid is a pure and simple theft: “the” hypergrid is the current Opensim hypergrid, which we use and enjoy daily. In any case, if the MOSES team develops a new, more secure, form of inter (non-Opensim) travel, it will be something else, in any case not “the” hypergrid, even in the case that it had the same (or better) functionality.

      Of course, making the core devs appear as a bunch of incompetents by transpiring a heterogeneous list of so-called “vulnerabilities” (some of which are purely theoretical, read the paper, for example running Opensim 0.7.x) doesn’t seem to be the best approach to a calm debate, does it?

      I’d also wish that the MOSES team and Diva Canto could be able to work together. Only that I can’t blame Diva on this one.

      • Douglas Maxwell

        Theft is a pretty serious accusation. We don’t really have a name for what the alternate hypergrid capability will be yet. Since we are moving towards a web browser based client, the operation of the capability will be very different. Imagine being logged into different grids under different user names in different Chrome tabs! Also, moving about the different grids should be as easy as going to a different web address. In any case, I’ll make a deal with you. Propose a name for the alternate capability and I will give it serious consideration. Just don’t call it Hypergrid McHypergridface.

        • “Imagine being logged into different grids under different user names in different Chrome tabs! ” – I would LOVE this!

      • lmpierce

        I need to point out that false accusations are not permitted. In particular, the statement referenced as a source regarding “the hypergrid” does not suggest any taking or intention of taking of any technology or nomenclature by the MOSES team – the context of that comment was a generalization to make a point about user desires and preferences. Please self-moderate any further comments accordingly.

        • Excuse me? It says it very clearly, and in many places. For example, here’s one: “a web-based version of Opensim”. Only that this will not be Opensim: this will be another, different, product, that will precisely be incompatible with Opensim. I can’t see how a new, incompatible, product can be called “Opensim”, or how a new, incompatible way of teleporting between the worlds accessible using this new non-Opensim product can be called “Hypergrid”. No false accusation here.

          • lmpierce

            “…pure and simple theft…” is the false accusation.

          • It might well be that I’m mistaken, and in this case I’ll gladly withdraw what I’ve written and apologize. But here’s how I see things: if I create a derivative of Opensim, I can say that it’s a branch of Opensim, I can say that it’s Opensim-based, but I cannot say that it is Opensim itself. Because that would imply that I’m the maker, owner, maintainer or developer of Opensim. I should call it something else. If I call it Opensim, then I’m appropriating something that’s not mine. If we allow the MOSES team to speak for Opensim instead of speaking of their own version, which they can call as they please, and which might be better, more secure, web-based, etc, I won’t discuss that, but is not Opensim, that is equivalent to condoning a coup d’etat against the current developers. I thought that I made myself clear enough. But, again, I might be mistaken. If I am not, I don’t think my wording is erroneous or false. Strong, maybe; but not false.

          • Oh, and: Douglas himself, in the following comment, says he’s willing to call it something else, so that I don’t think I’m so mistaken, after all.

          • lmpierce

            My evaluation stands. Further accusations of theft, overt or implied, will be deleted.

            John Simmons, not the MOSES team, made reference to ‘the hypergrid’, and you were responding to John Simmons’s use of the term hypergrid to infer that what the MOSES team was doing “is pure and simple theft”. Douglas Maxwell made note of this when he commented that “Theft is a pretty serious accusation”. I agree. The fact that Douglas’s further comment that alternative names are being considered does not validate your comments.

            We do not permit accusations of theft for several reasons. Any alleged theft and the parties involved are entitled to due process. Consequently, such accusations may amount to libel or defamation of character; claims by our readers do not constitute legal fact and are not due process.

            What we encourage is debate about issues, discussions about methods and technologies and links to further related content or alternative forums (except for spam). Context and tone is important and taken into consideration. To say “it might be considered theft of intellectual property” would be very different than saying “it is pure and simple theft”.

            If you have further questions or comments you can email me at [email protected].

          • Thanks for your detailed reply. I will refrain from commenting at all in the future, then. I can’t follow your legal reasoning, since I am not a lawyer. Besides, I’m from Barcelona, where things are very different. Culture clash, I’m afraid.

          • lmpierce

            I hope you will return at some point. There is a middle way, between comments that aren’t accepted and not commenting at all, and in that middle way we have some very lively discussions.

            The issue may be somewhat cultural, but it is not meant that the reasoning should be obscure. We established discussion guidelines, which you can find here:


            Having discussion guidelines puts everyone on the same playing field. Sometimes I miss a comment that should not remain, and for that we have the mechanism whereby a comment may be flagged by our readers for further review. Other times I take issue with a comment and remove it; my email is provided so that the commenter has an opportunity to interact on those decisions if so desired.

            Often times a comment is fine except for one statement, but we do not edit comments, so the entire comment is deleted. Other times I let a comment stand, but put up a notice that amounts to saying, “This comment is problematic, please consider this moving forward.”

            Your comment was not deleted, but it was necessary to point out the issue of how it was worded and what it implied. In general I make every effort to let comments stand, especially when the main theme of the comment is part of a significant ongoing discussion. In doing so, there are, at times, difficulties of interpretation. I would point out, however, that I am not presenting detailed legal reasoning in my evaluations. We use a common sense approach that is similar to other publications in the U.S. for protecting our readers, contributors and our publication. For our purposes, if a comment *appears* problematic, we react accordingly and compare it to the standards of the Discussion Guidelines. This is not a legal evaluation, but a policy evaluation.

          • Graham Mills

            My personal view is that Zonja was quite correct to take issue with use of the phrase “…since Moses is about to release a Web-based viewer for OpenSim” as, of course, it isn’t (as is made clear later in the article). The distinction is, indeed, important if Halcyon is to forge (in the nicest possible way) a separate identity and core OpenSim users such as myself are not to be inadvertently misled. The article should be updated.

            Incidentally, the notion that this very public airing of security matters is likely to benefit either or both camps may well be mistaken. I think it more likely, and with some justification, that non-techie people considering OpenSim will regard it as “a plague on both your houses” and look for a venue where there is less drama and more astute conduct of public affairs.

          • Ah, thank you. Please note also that the article attributes the phrase to Maxwell.

      • Seth Nygard

        I don’t think anyone means that there is incompetency at fault, rather that these kinds of things are very common with old technologies and protocols that haven’t evolved to keep up with everything else. The same situation can be said for every forum out there not using SSL. Vulnerabilities exist and it is not a matter of if they will get exploited but rather when. I already know of instances where at least some of these, as well as other, vulnerabilities have been exploited.

        I will also say that the current Hypergrid, while being a great accomplishment, should be treated as a prototype for what is needed. There are many aspects that are less than ideal, many of which were to keep from needing major viewer differences.

        To move forward to something that fits the world we live in today is almost certain to break compatibility with what we currently have in places. That is not such a bad thing as long as it is planned and executed properly. The vulnerabilities are due to protocols and design not so much sloppy coding.

        We all must remember that OpenSim has followed primarily an evolutionary development process, not an engineered one. The approach taken by the MOSES group has been to build from that but to apply an engineered approach instead. IMHO that is the only way to move forward from where we are today.

    • Han Held

      We don’t need to run to Halycon; we need to implement changes to prevent hijacking. According to Freaky Tech the client code is already there; it’s just a matter of getting the server to talk to it.

      • John Simmons

        I left out of the discussion the additional issue of current development being rather clique oriented and the fact that 9.0 is fairly awful. It isn’t just the security issues I was thinking of.

        • Han Held

          Agreed, that’s a valid issue and to be honest THAT is the biggest threat to the future of opensim. No argument there!

  • Han Held

    A large number of these claims are based on the assumption folks are using opensim 0.7.3 or older, or do not take iar and oar filtering into account or conflate bad administration with bad code.

    Opensim is a SERVER; any badly configured server is a security risk; film at 11. The answer to that is education, not forking.

    I went into more detail here:

    • Douglas Maxwell

      If you haven’t read the pdf, please do. We address the work Justin did with 0.7.3 and after. The vulnerabilities we discussed are verifiable through the 0.8.x series. We have not yet retested against the 0.9.x code.

      • Han Held

        I have read, and am continuing to read, the paper.

        So far, from what I’ve read many of the vulnerabilities you’re describing are matters of misconfiguration, or they are made irrelevant by modern opensim features (iar filtering, oar filtering). A malicious grid owner has access to much more precious things (credit card #) so that’s simply a great argument for running your own grid (if you can’t trust yourself…).

        There are valid concerns; specifically regarding hijacking. Freaky Tech (of Arribia Server fame) has addressed that and it’s something that should be examined.

        It’s a question of separating the wheat from the chaff -talk about 0.7.3 only muddies the waters.

        I’ve been told by people I trust that it is possible to harm a server running opensim, and Freaky Tech has told me that there is viewer-side code to prevent hijacking …opensim simply needs to communicate with it.

        For the hypergrid/opensim civilian/non-enterprise public at large, the answer isn’t to run off in a cargo-cult manner to another platform. The answer is for the developers and users to assess what the modern risks are, educate providers and administrators on minimizing attack surface and fix the areas that make opensim vulnerable to hijacking.

        • Douglas Maxwell

          When we do a gap analysis, not every solution to a problem requires buying a new widget or re-coding software. The military has something called DOTMLPF ( ) that guides us in the appropriate response to the gap. Sometimes the correct and most cost effective solution is simply re-writing the documentation…

          You are absolutely correct, an appropriate response for some vulnerabilities is to provide clear documentation. In the case of the clear text data transmission, that is a SL compatibility discussion that needs to happen. Personally, I think it is a wonderful proposition for the open simulator to be able to legitimately argue it has better security than the commercial offering.

          I realize this first set of vulnerabilities is “soft balls” to those of us who already know about them; however, they do represent severe attack vectors if exploited.

          Lastly, if you find yourself in Orlando and would like a tour of the Labs and a demonstration of the more interesting vulnerabilities, we would be delighted to host you.

  • Interesting about the DDOS thing. Considering what was happening to Great Canadian Grid a few months ago. Did they ever get to the bottom of that?

  • Carlos Loff

    I hope they add HG soon, anything that does not smell to HG is nothing to me, but that is just ME, no future in closed stuff

  • Seth Nygard

    I must correct Melanie in that expensive wildcard certificates are not required. That old argument is no longer valid in most cases, this one included, and should not be used as a reason not to leverage the added security of an SSL/TLS connection. There are low-cost, or even free, certificates that can be obtained. While many of these may not provide organization verification, they do provide the encryption protection needed.

    I think the MOSES team need to be commended for their efforts and continued support of the OpenSim community. Our own devs, past and present, deserve a great deal of gratitude as well. It is however time we all started working together to improve things and bring OpenSim into something more aligned with the current technology and security landscape.

    Given that many of these vulnerabilities come from the now rather outdated SL protocols and methods, it is becoming increasingly apparent that, despite some negatives, OpenSim needs to move away from its SL compatibility roots and evolve so it can become the platform we all want to use and can trust.

    • Han Held

      I wonder if this is an area where “Let’s Encrypt” might be helpful, or if it even applies?

      • Seth Nygard

        Yes Han, Let’s Encrypt is a provider of free SSL certificates that can be used successfully.

        • Cinder Biscuits

          The root CA just needs to be added to the viewer’s certificate store. It exists already in Alchemy. Adding the CA is trivial to do.

    • JC

      I spent a year in OS when we were looking for a new start after SL. It certainly was a revelation on the financial front after being fleeced for all we had in SL for so long. But after a while you realise that what you gain on the financial side you lose in all other areas. If your needs are simple then there is no better platform. But if you have any ambition at all to create something professional, something that can be presented to the current online user as a worthwhile investment in time and money, then you had best be prepared, and have the know-how, to take the whole thing and rewrite it your own way. This is what the Moses guys have done.

      But I feel somehow they are dreaming if they believe that they can suddenly bring together a core team of developers who will be any different from those who have struggled to drag OS thus far. Sometimes you just have to accept that flogging the horse will not revive it, and to put it out to pasture is the only humane thing to do.

  • hack13

    Just a quick response to some of the points that were made, so people do not become completely concerned with this article. I am not saying these are things that shouldn’t be looked into; I just want to calm people’s nerves.

    Concern 1: When an OpenSim viewer communicates with the grid’s server, information about content on the grid is transmitted unencrypted, allowing eavesdroppers to get the UUIDs, which are unique object identifiers, as well as session IDs, which can make it easier to steal content and to impersonate other users.
    Explanation 1: While these connections are not encrypted, most of the information spoken about here is obtainable even on other platforms like Halcyon and Second Life; this information can be obtained by just turning on the debug console in your viewer. This is because of how the viewers are designed: they rely almost entirely on the grid to report what is going on and how to monitor it. You can already provide a way of encrypting most of this traffic in opensim by placing an SSL cert in your opensim configuration. While there are some protocols that still get exposed, if you are running the grid and have full control, this information can be protected for the most part using special internal routing and firewall configurations. It does become more complicated if you enable HyperGrid, but opensim has started work on this; there are already certain commits where protections are being coded in, requiring logins to many exposed resources.

    Concern 2: Scripts have the ability to make a grid participate in a distributed denial of service attack or botnets. “Grid owners would not even know their servers were being used in this way,” Maxwell wrote.
    Explanation 2: While this is true, it is also very true about any platform that will allow someone to go inworld and make calls to an external service. I could go into any grid (Second Life, Whitecore-Sim, Halcyon, etc.), make a script that continuously sends out requests to DDoS a server, drop them on a bunch of regions, and then it looks like that grid is attacking. This is something opensim has noticed, and there are new security features being placed in the scripting engine and its implementation of HTTP request handling. But the fact remains, due diligence is still required to help moderate this. With the current state on Linux, anyway, an attack done in this fashion at least would not last long, as the HTTP server tends to get backlogged and needs restarting after a significant number of requests has passed through, which sadly is another problem altogether on that point.

    Concern 3: If the grid is mis-configured in a particular way, attackers can send operating-level commands to the grid, commands which normally can only be issued by an administrator. This can be used to damage a grid.
    Explanation 3: These are here, in the form of the REST console, the Remote Admin service, and OSSL. By default, those features that allow remote console execution are disabled. Also, unless you know what you’re doing, they shouldn’t be enabled, Remote Admin being one of them. If you do enable them, make sure to edit the configurations to only allow specific IP addresses to make authorized calls.

    Concern 4: OpenSim does not have adequate restrictions on the languages used by scripts, potentially allowing attackers to access files on a server. “In other words, a user without credentials on your server can own it,” he said.
    Explanation 4: While this is a known large exploit, there are ways to avoid too much damage here. Make sure that you don’t enable more than the LSL language to be used in your grid. While even this can leak through at times, make sure your simulator servers are locked down; use jails on your system, much like you should with any application you run in a production environment. This one is something that does definitely need to be re-evaluated, but so long as you follow proper procedural deployment and jail the application you should be safe.

    Final words: I agree all these things should be looked into, and as you can tell from my explanations most have already had work started on them and have a road map to being patched. You can still properly secure a grid if you know enough about networking and application jailing/containerization, and follow the standard practice of doing server audits.

    Running opensimulator for over 5 years, I have found so many bugs it is not funny. Being a system administrator both in my real-life job, working in both sectors, and in my job with Zetamex Network, I have been able to bring many new methods to security. You will see many environments of small to large businesses in the real world running very out-dated services in need of patches, but they cannot just upgrade, due to their environment needing major overhauls. Jailing and containerization is one of the newest and most effective ways businesses today ship software that has known vulnerabilities into production without having to compromise all the components, only the parts that cannot be patched. This is not the perfect solution, and I agree people should just upgrade/patch their software, but in cases like this you can protect yourself so long as you watch and audit, and ALWAYS audit: make sure you monitor traffic, resources, etc., so you know when to pull plugs and where to place patches in your environment.
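Taking hack13’s checklist above (TLS on the simulator’s HTTP listener, REST console and Remote Admin off or restricted to specific source IPs, LSL as the only script language, OSSL kept off) together with the Let’s Encrypt discussion higher up, here is an added example of turning that checklist into a configuration audit. It is not OpenSim code and not something posted in the thread. The section and option names it looks for ([Network] http_listener_ssl and console_port, [RemoteAdmin] enabled, access_ip_addresses and access_password, [XEngine] AllowedCompilers, AllowOSFunctions and OSFunctionThreatLevel) are assumed from OpenSim.ini.example as I remember it and should be checked against the example file shipped with your build; the two ini fragments are constructed samples, one weak and one hardened.

```python
"""Lint an OpenSim.ini for the weak settings discussed in the comments.

Added example, not OpenSim's own code. Section and option names are assumed
from OpenSim.ini.example; verify them against your version before relying on it.
"""
import configparser

# Constructed sample: a deliberately weak configuration fragment.
WEAK_INI = """
[Network]
http_listener_port = 9000
http_listener_ssl = false          ; concern 1: viewer traffic in the clear
console_port = 9002                ; concern 3: REST console listening

[RemoteAdmin]
enabled = true                     ; concern 3: XML-RPC remote admin on
port = 9001
access_password = "letmein"
; access_ip_addresses not set: any host that can reach the port may call it

[XEngine]
AllowedCompilers = lsl,cs,vb       ; concern 4: C#/VB scripts run as server code
AllowOSFunctions = true
OSFunctionThreatLevel = Severe
"""

# Constructed sample: the same fragment with the settings recommended above.
HARDENED_INI = """
[Network]
http_listener_ssl = true
http_listener_sslport = 9001
http_listener_cert_path = "/etc/opensim/grid.pfx"   ; e.g. a Let's Encrypt cert
console_port = 0

[RemoteAdmin]
enabled = false

[XEngine]
AllowedCompilers = lsl
AllowOSFunctions = false
OSFunctionThreatLevel = VeryLow
"""

# OSSL threat levels, least to most dangerous (assumed from OSSL docs).
THREAT_LEVELS = ["None", "Nuisance", "VeryLow", "Low", "Moderate",
                 "High", "VeryHigh", "Severe"]


def load_ini(text):
    """Parse OpenSim-style ini text: ';' comments, quoted values, no interpolation."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False,
        comment_prefixes=(";", "#"), inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    return cp


def get(cp, section, key, default=""):
    """Fetch an option with surrounding quotes removed, or the default if absent."""
    if cp.has_section(section) and cp.has_option(section, key):
        return cp.get(section, key).strip().strip('"')
    return default


def truthy(value):
    return value.strip().lower() in ("true", "yes", "on", "1")


def audit(cp):
    """Return (section, key, message) triples, one per weak setting found."""
    findings = []
    # Concern 1: no TLS on the listener the viewer talks to.
    if not truthy(get(cp, "Network", "http_listener_ssl", "false")):
        findings.append(("Network", "http_listener_ssl",
                         "plain HTTP listener: session IDs and asset UUIDs readable on the wire"))
    # Concern 3: remote command surfaces (REST console, RemoteAdmin).
    if get(cp, "Network", "console_port", "0") != "0":
        findings.append(("Network", "console_port",
                         "REST console port open; leave it 0 unless needed and firewalled"))
    if truthy(get(cp, "RemoteAdmin", "enabled", "false")):
        if not get(cp, "RemoteAdmin", "access_ip_addresses"):
            findings.append(("RemoteAdmin", "access_ip_addresses",
                             "RemoteAdmin enabled with no source-IP allow list"))
        if len(get(cp, "RemoteAdmin", "access_password")) < 16:
            findings.append(("RemoteAdmin", "access_password",
                             "RemoteAdmin password empty or short"))
    # Concern 4: script languages beyond LSL, and OSSL above the lowest threat level.
    compilers = [c.strip().lower()
                 for c in get(cp, "XEngine", "AllowedCompilers", "lsl").split(",")
                 if c.strip()]
    extra = [c for c in compilers if c != "lsl"]
    if extra:
        findings.append(("XEngine", "AllowedCompilers",
                         "non-LSL compilers enabled: " + ",".join(extra)))
    if truthy(get(cp, "XEngine", "AllowOSFunctions", "false")):
        level = get(cp, "XEngine", "OSFunctionThreatLevel", "VeryLow")
        rank = THREAT_LEVELS.index(level) if level in THREAT_LEVELS else len(THREAT_LEVELS)
        if rank > THREAT_LEVELS.index("VeryLow"):
            findings.append(("XEngine", "OSFunctionThreatLevel",
                             "OSSL enabled at threat level " + level))
    return findings


def weak_keys(text):
    """The set of offending option names for an ini string."""
    return {key for _, key, _ in audit(load_ini(text))}


if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name + ":", [key for _, key, _ in audit(load_ini(text))])
```

Run it against the real file with `audit(load_ini(open("OpenSim.ini").read()))`; the checks are deliberately conservative (a RemoteAdmin allow list or a short password is flagged, not judged), so treat each finding as a prompt to read that section of the ini rather than as a verdict.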

  • “allowing eavesdroppers to get the UUIDs” FYI, anyone can get the UUID of a prim / linkset that is rezzed out, and there are “bad” viewers out there that can allow people to steal other people’s content without needing to eavesdrop on an unencrypted transmission.
    Just saying.

    • Cinder Biscuits

      A rezzed object’s UUID is not the same as the asset id from which it was rezzed.

      • True, but the point of my comment is that there are easier ways to steal content and data without hacking a secured/unsecured transmission.

    • BTW, “Scripts have the ability to make a grid participate in a distributed denial of service attack or botnets” is kinda pointless, since most data centers have anti-DDoS protection, and llHTTPRequest can only ping a server through HTTP; it does not touch UDP or TCP at all, and nginx is pretty good at not getting choked by an HTTP DDoS attack (Apache, on the other hand, is still iffy). But in either case, all anyone can do using llHTTPRequest as a DDoS is spam a website with requests.

      • TribeGadgets

        Does seem a bit of a low grade minimal skillset script kiddie way of doing it as well. Might as well add that an external LSL editor with a run mode is a security risk.

      • Quill Littlepecker

        Security expert now, diddler? LOL