Open Source InWorld version of SecondServer.net / SlExchange.com

Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
12-14-2004 00:18
*hits nexus with a spellcheck*.

I should probably chip in a comment or two here,

An open source competitor would be great; I personally have zero qualms with a new project being opened up. Hell, I might be able to offer some advice on topics such as securing communications, and help integrate SecondServer to be compatible with any such design.

But, I do forewarn any potential developers - be prepared for a long yard. I'm sure Apotheus can agree with me here, when I say that this is not going to be easy. There has been easily over 1000 hours of coding for various sections of SecondServer.net, and I suspect there is another 1000 hours going to be involved in each of some future projects we have planned.

I also have to strongly recommend you find some dedicated hosting for any such project. SL has some 'issues' with long term memory storage, scripts randomly dying and otherwise. If you want to focus on being primarily in-world, try to have some form of off-world backup for storage/retrieval.

:)

-Adam
_____________________
Co-Founder / Lead Developer
GigasSecondServer
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
12-14-2004 00:50
From: Nexus Nash
Let me explain why an open source version would be a bad idea...

Nexus gets MrX's vendor system... wow it's open source! yay let's go see what triggers a "give object" when someone is bought! Now let's go see what the names of the object holders are! OH cool they are called object 1

Now everyone knows the give object query is [serveruuid]@lsl.secondlife.com subject is GIVE_OBJECT message is [useruuid],[objectname]

WOW! now all I have to do... is find myself an object distributor... get the uuid (about 2 secs) take a peek inside and see the names of the object, and make my own email sender! Nexus just got an infinite supply of that users stuff! wow! And you guys are worrying about privacy with the CURRENT system which is behind closed doors.


Nexus, either you're oversimplifying this to prove your point, or you're not writing very secure systems if this is an example of your process. There are many ways of securing the communication that would not lead to such blatant insecurity by just seeing the code. I think you've just over-simplified this to back up your point though ;)
_____________________
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
12-14-2004 01:54
From: Moopf Murray
Nexus, either you're oversimplifying this to prove your point, or you're not writing very secure systems if this is an example of your process. There are many ways of securing the communication that would not lead to such blatant insecurity by just seeing the code. I think you've just over-simplified this to back up your point though ;)


Rather.

We have two classes of communication, trivial, and important. (aptly named I may add), trivial messages are unsigned, and sent in the clear. Important information is affixed a 32 character hash, which is per-character modulo'd against a random 1-time-pad entry. (the pad is then deleted). On receipt, this hash is rebuilt from the plain-text message, and compared to the affixed hash. If they match, they are accepted as a valid signed message, and the pad is marked as 'used'. We update the pads using notecard keys, which are signed with the last key listed on the previous pad.

:)
-Adam
_____________________
Co-Founder / Lead Developer
GigasSecondServer
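
Added example, not part of the original thread and not SecondServer's code: a Python sketch of the masked-hash signing described in the post above, including the single-use pad check. MD5 as the 32-character hash, hex-digit addition modulo 16 as the per-character step, and the `index|tag|message` wire format are assumptions; the sample messages are constructed.

```python
import hashlib
import hmac
import secrets

HEX = "0123456789abcdef"

def new_pad_entry():
    """One pad entry: 32 random hex digits, one per hash character."""
    return "".join(secrets.choice(HEX) for _ in range(32))

def mask(digest, entry):
    """Assumed per-character step: add hash digit and pad digit modulo 16."""
    return "".join(HEX[(int(d, 16) + int(p, 16)) % 16]
                   for d, p in zip(digest, entry))

def sign(message, pad, index):
    """Sender: hash the plaintext, mask it with one pad entry, delete the entry."""
    tag = mask(hashlib.md5(message.encode()).hexdigest(), pad[index])
    pad[index] = None  # the sender never reuses an entry
    return f"{index}|{tag}|{message}"  # assumed wire format

class Receiver:
    def __init__(self, pad):
        self.pad = list(pad)
        self.used = set()

    def verify(self, wire):
        """Return the message if its tag checks out, else None."""
        try:
            index_text, tag, message = wire.split("|", 2)
            index = int(index_text)
        except ValueError:
            return None
        if not 0 <= index < len(self.pad) or index in self.used:
            return None  # unknown entry, or a replay of a used one
        # Rebuild the hash from the received plaintext and mask it again.
        expected = mask(hashlib.md5(message.encode()).hexdigest(), self.pad[index])
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None  # altered message or wrong pad entry
        self.used.add(index)  # mark the entry 'used' only after a match
        return message

def demo():
    pad = [new_pad_entry() for _ in range(3)]  # shared out of band
    sender_pad, receiver = list(pad), Receiver(pad)
    wire = sign("GIVE_OBJECT user-uuid,object 1", sender_pad, 0)  # constructed
    first = receiver.verify(wire)
    replay = receiver.verify(wire)
    tampered = receiver.verify(sign("PAY 10", sender_pad, 1)[:-2] + "99")
    return first, replay, tampered
```

The tag is an unkeyed hash hidden only by the pad, so integrity depends on each entry staying secret and being consumed exactly once; HMAC with a shared key is the standard construction for the same job.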
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
12-14-2004 02:07
From: Adam Zaius
Rather.

We have two classes of communication, trivial, and important. (aptly named I may add), trivial messages are unsigned, and sent in the clear. Important information is affixed a 32 character hash, which is per-character modulo'd against a random 1-time-pad entry. (the pad is then deleted). On receipt, this hash is rebuilt from the plain-text message, and compared to the affixed hash. If they match, they are accepted as a valid signed message, and the pad is marked as 'used'. We update the pads using notecard keys, which are signed with the last key listed on the previous pad.

:)
-Adam


Exactly my point Adam :) Security through closed source only is never a viable option, which is why I thought that Nexus was over-simplifying to prove his point. There is no reason to believe that an open source system would be any less secure than a closed source system. I didn't think the Gigas vendors were relying on being closed source, which is why I thought Nexus' example wasn't particularly fair.
_____________________
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
12-14-2004 02:59
Yes, I'm using offsite storage. It actually solves a lot of problems.

(see the pic at the bottom for what the basic/prototype idea of what my inworld version of secondserver is, feedback welcome)

Here is the prototype so far:

it

a) sends email and gets the catalog / dialogue (see pic) strings in reply via procmail
b) stores catalog emails in cache (cache=msg ;)
c) when you click on catalog option in the dialog (again, see pic) it
i) rezzes the pictures windows and at the same time
ii) in another script it sends another email and gets a list of items for that catalog option
d) right now procmail just returns a hardcoded list of short description, notecard uuid, texture uuid, price, object name, but i can easily do a mysql exec 'select blah blah' | awk.. | sendmail..
f) llsays the list out to the picture windows which sets the text / texture
g) if you touch on them or pay (anything) it sends the object name in an email which will (haven't got to this yet) send it to another box which will send the object into the persons inventory

took me about 4 hours (ok 6 if you include going out for a beer) :)

Obviously I need to now

a) secure delivery by scraping secondlife.com/account and signing messages as described above
b) manage inventory / sellers in a mysql database with vendor atm and procmail (probably just use getinventorylist and an agreed upon standard)
c) probably some handy seller UI stuff which would be cool inworld as well.. (i have an xml-rpc graphing object I did inworld i'd like to re-use), and probably xytext for cool seller reports

This is about the extent I really think it needs to go. I already have some wget stuff I push the account page into awk to check the account page, so I see max another 20-40 hours or so for this, probably less if I get some sharp assistance.

If anyone has some better suggestions about how the buyer UI should be done, I'd be interested. Right now I just get the orientation of the attachment to determine where the picture windows go, but I'm not sure that's best. You can view 9 objects for sale at a time, and I was thinking of sending some description out to the say channel as well or IM it.

If someone else wants to do a website based on the inventory data, by all means, though I'm not clear as to how texture data will be automatically exported. However, it will definitely all be available to anyone that wants it.

also is there a better way to handle emails other than procmail? I always find it kinda annoying, but I've never found anything easier to use
_____________________
Taken from the last paragraph on pg. 16 of Cory Ondrejka's paper "Changing Realities: User Creation, Communication, and Innovation in Digital Worlds":

"User-created content takes the idea of leveraging player opinions a step further by allowing them to effectively prototype new ideas and features. Developers can then measure which new concepts most improve the products and incorporate them into the game in future patches."
Foster Virgo
Registered User
Join date: 16 Jun 2004
Posts: 175
12-14-2004 03:20
Seems like this system inworld defeats the whole purpose of why it's web based. The web based system you can systematically browse objects with multiple pictures and information much faster than an inworld vendor. It would be an overall downgrade of a good system that works well as a web based megastore.
_____________________
"An official Red Ryder carbine action two-hundred shot range model air rifle with a compass in the stock and this thing that tells time!" Ralphie
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
12-14-2004 03:24
sorry, i thought it was clear by the picture .. you are browsing multiple objects.

as for multiple pictures, i guess someone could put multiple pictures in one picture if that was really exciting for them (I'd be surprised if a lot of sellers use that feature though in world or out of world),

Also, people can just temporarily rez the object if they are so interested - hard to temporarily rez via the web :)

one possibility would be to add multiple levels of pictures, so we can get more info on the screen, I guess.
_____________________
Taken from the last paragraph on pg. 16 of Cory Ondrejka's paper "Changing Realities: User Creation, Communication, and Innovation in Digital Worlds":

"User-created content takes the idea of leveraging player opinions a step further by allowing them to effectively prototype new ideas and features. Developers can then measure which new concepts most improve the products and incorporate them into the game in future patches."
Anshe Chung
Business Girl
Join date: 22 Mar 2004
Posts: 1,615
12-14-2004 03:28
This look cool :-) And thanks to Ulrika for supporting it too. It would be really lovely if this can grow into safe, easy to use and transparent system for everybody :-)
_____________________
ANSHECHUNG.COM: Buy land - Sell land - Rent land - Sell sim - Rent store - Earn L$ - Buy L$ - Sell L$

SLEXCHANGE.COM: Come join us on Second Life's most popular website for shopping addicts. Click, buy and smile :-)
Antagonistic Protagonist
Zeta
Join date: 29 Jun 2003
Posts: 467
12-14-2004 07:04
From: someone

That still doesn't solve the problem you quoted me on.

What's the point? Why do you want the Gigas code? Take Gigas code generalize it... and you have a normal vendor, you won't even be able to connect to the Gigas network. no offence, I don't want you to connect to the gigas network using the same protocols we are going with our closed source vendor. Think about for a minute... think of the griefing/cheating people would do!

I don't want something anyone can hack at... I want customer confidence, it takes one idiot to a) revoke L$ change when you buy something and you pay too much, b) simply not give the item. If that happened NO one would ever trust those vendors again! So keeping the code secure is the 1st priority.

P.S. An obscure code is not a secure code... it's waste of memory!


No one wants the Gigas code. No one wants to connect to the Gigas network. This discussion was about a separate, but perhaps similar, product. With an open network that lots of people have. I don't get what makes you think anyone wants to connect to your stuff. No one has even come close to saying that. Personally, I wouldn't want to connect to a server I knew nothing about. I would much prefer to use an open one. It's just a matter of trust.

You are sounding almost delirious, no offense.

Anyway, my offer to help stands, so long as it is gone about in at least a semi-structured fashion. If done properly it shouldn't be a terribly complex task. Mostly busywork really. Let me know.

-AP
Newfie Pendragon
Crusty and proud of it
Join date: 19 Dec 2003
Posts: 1,025
12-14-2004 07:14
From: Foster Virgo
Seems like this system inworld defeats the whole purpose of why it's web based. The web based system you can systematically browse objects with multiple pictures and information much faster than an inworld vendor. It would be an overall downgrade of a good system that works well as a web based megastore.


This system wouldn't defeat the purpose of a web-based system, it would serve the purpose of being an in-world system. That's the one thing the web-based systems can't do at the moment - to use the web system, one has to go out-of-world. The point here would be to provide a service that encompasses and embraces SL, not work as an outside system that does little to actually improve sales tools in SL.


- Newfie Pendragon