In the whole internet OpenSim is not exempt to hackers and griefers. As a young technology, it's even more exposed.
We have some tools included in the server and the viewer to protect our grids against them. However, to achieve an efficient protection, it would be good to have a centralized service, like the ones existing for smap control, for example.
We feel there is a need to combine our efforts, between grid owners, as wel as server and viewer developers, to set up an efficient solution, which could be easily adopted by standalone or grid maintainer.
So, this is just a draft, which could serve as a basis for further discussion, or just as a placeholder for our own thoughts in this matter.
- A grid owner can subscribe to a black list service, and get a regularly updated ban list he can implement in his own grid
- This list is merged with the content of the existing ban system
- Each grid still has the ability to add users to it's own ban list, without interfering with the shared black list
- The list is alimented by grid owners, through a procedure allowing them to select in their own in-world ban list which ones need to be shared
"Client" side (grid and region owners
- The simplier method for implementing a black list would be go through a web service (using same techniques as ossearch or osprofile), connected to the grid database, and exchanging ban list data with a server.
However, while easy to implement for providers already using a web interface, this method relies on additional software (web server, php, mysql), and this would disallow using the service "out of the box" with OpenSim distribution or Diva distribution, for example.
"Provider" side (the black list maintainer
- A web sever sending ban lists via XML
- An interface to send single ban requests (should be moderated)
- A process to receive ban updates from grid owners, in XML format (could be moderated or inclusion could be triggered by rules
- A process to formally de-ban a user (which would make the user disappear from subsribed grids ban-lists
Of course, the black-list server has to be secure, and there will probably be a need to form a team of trusted volunteers to answer requests and monitor the blacklist.
There are a couple of very great web interfaces for OpenSim. We should make a clear documentation for them on how to protect against unwished registrations. As each web interface use a different technology, there are no global method as for now to integrate an anti-spam or anti-bot filter to registration pages.
This is something we (speculoos) could easily set up for our own use. We could share it with some friends, with other grid owners we know. But there are chances that other grid owners will do the same work on their behalf.
If we think about it together, we could end up choosing methods and exchange formats which could be easily share, allowing collaboration.
That's why, before beginning to develop our internal system, we wrote this note, hoping for comments. We will likely try to organise a meeting around this subject soon. Unless somebody else does before, in wich case, we'll participate.