Safarying

Tuesday, April 5, 2022

Lessons from a Hypergrid Honeypot

The following is a Guest Article by Nara Malone of Nara's Nook. 
You can visit her grid at world.narasnook.com:8900 
Follow Nara's writing blog at naramalone.com 
The Nara's Nook Grid blog is at narasnook.com
The backstory: Nara and two writer friends, Siobhan Muir and  Tina Glasneck, founded their own grid 'Nara's Nook' in OpenSim about ten years ago. After several years of experiments in digital storytelling on the hypergrid, the resident authors branched off into other projects, leaving the grid online, but unattended. That was not good - their distraction was exploited by bad actors, who damaged the Nook. Here's Nara's take on this experience.
Nara’s Nook grid was an intentional hypergrid honeypot, not originally with intent to lure troublemakers so we could learn to secure things better. We left the grid portal unguarded to empower potential users to slip in, watch shyly from the shadows if they needed to, and eventually to experiment with the various elements of 3D storytelling on their own or by joining our projects. There was always a pot of stone soup simmering on the back burner, a fresh baked something or other to go with it, and plenty of wild honey or wild spirits to spike brewing creativity. Our doors and windows were left wide open. We left the porch light on, and NPC powers enabled for curious wandering souls.

I knew the risks. I knew the rewards. I felt that we were far enough out on the edge of everyone’s awareness that we could sacrifice in-world security for creative freedom. I made my choices with eyes wide open because the rewards were worth it to me. The grid reaped the artistic rewards for many years.


Then the bears showed up.

My mistake was thinking was that since we freely gave what we made and had nothing in the form of virtual world content worth stealing, there was no good reason to lock things down.

 Unseen and unnoticed, troublemakers were stuffing our grid inventory full of more stuff than would fit in that the backup of cargo ships docked off the L.A. Harbor in 2021. Imagine each of those containers stuffed with hair, shoes, clothes, furniture, cars, and a thousand other virtual consumer goods. Imagine how your computer would run with all that junk jammed into your hard drive.

I discovered the situation when I was backing things up to move everything to a new server and a new version of Opensim. I don’t recall the exact numbers, but we had some 360 users, and our inventory was massive even for such a small user base.

Clearly changes were needed. When I learned the same thing was happening to other small grids, I took our hypergrid honeypot meant to attract users and turned it toward the traditional purpose of a cyber honeypot—an intentionally insecure system that allows the exploitation of vulnerabilities so you can study them to improve your security policies.

I knew the security holes that allowed all this to happen before I started researching:

1) We had no gatekeeper deciding who could be a grid member. That was the biggest flaw. Anyone could create an account without needing approval from us.

2) We had “secret” groups of users with a lot of power. Getting hypergrid users into the groups was such a headache to make work, in the version of Opensimulator we were using, we didn’t lock those down either. Instead, we all agreed that users should not tell anyone about those groups. I’m sure you can imagine how well that worked as a security measure.

3) I had created some regions I meant to upload builds of mine to. But RL and the craziness of the last couple of years was so distracting that I never got around to it. Newly created regions have most abilities enabled by default. These and unmonitored sandboxes became tools of squatters.

But Why?

Understanding the motivation is essential to securing against it. Why did anyone need use little grids for anything but what the owners intended? Opensim is free and opensource—you can have your very own grid, on your own computer, and do what you want there. It made no sense. When I discovered the answer, we double locked the gates, windows, and doors.

Prim laundering. They used our grid to make it look like the stolen content they imported to Opensim was coming from the Nook.

That was a terrible situation for us. Our team consists of artists, coders, engineers, musicians, authors, blender gurus. Contracts we have with galleries, publishers, agents, and distributors would be violated by our distribution of stolen IP.

Our Solutions

The only manageable solution to the inventory situation was to save inventory archives for core users who were paying the server bills and dump the rest. My apologies to our many hypergrid friends who had their accounts cut.

As far as content on other grids that may indicate it came from a user at Nara’s Nook--we have always stipulated that any content we gave away was no transfer. So, anything from the Nook, given out on another grid, is not there with our blessing. We do this because of contracts we agreed to with creators of content incorporated in what we gave away.

Maintaining an open community where creators can learn and grow across a variety of skill-sets has been harder to solve. We made the tough decision to be more of a social/educational resource than a residential resource. We port the riskier aspects of our storytelling experiments to a WebGL platform that is easier for readers to access and removes the need for participants to have an inventory on our grid.

We updated the grid with the newest version of Opensimulator. The regions with content we give away are up and open. We no longer have private member regions. We have a new Hypergrid Story project in progress.

We’re back

I like to think we’re back better. We’re excited about exploring the future of fiction with Opensim at Nara’s Nook.


Words and images by Nara Malone


No comments:

Post a Comment