Architectural and coding errors
But OpenSim isn't just repeating the big mistakes of the early Internet; it is repeating many of the smaller ones, as well.
"At the time of OpenSim's creation, it was not that complicated to predict a couple of hacking approaches that could be used in OpenSim like they used to be on the Web," said Olivier van Helden, Web developer and owner of the Belgium-based Speculoos OpenSim world.
For example, he said, OpenSim stores executables, libraries, preferences and data in the same place, and shares access permissions across everything.
"You could -- as I do -- keep all these files in different places," he said. "But it requires additional work to sort it out, make scripts to read the preferences in the right order and force the log, stores and caches directories locations."
In addition, large OpenSim worlds typically use multiple servers, one for centralized services such as user inventories, and the rest to run individual regions or groups of regions.
"Many aspects of the security can be set on the [central] grid server, but overridden on the [region] simulators," he said.
This is a security problem for grids that allow third-party region connections.
"While many experienced Webmasters could customize their OpenSim installation to make it really secure, the standard, out of the box configuration is not secure," he said. "And that makes as many security holes as the number of inexperienced simulator managers."
The Linden legacy
One obstacle that OpenSim faces when considering encryption, authentication, or additional content protection is that for most of its history OpenSim hasn't had its own viewers, but has piggybacked on Linden Lab's. In fact, even today, almost all users enter OpenSim through Second Life-compatible viewers.
"We use Linden Lab protocols, and that restricts what we can do," said Justin Clark-Casey, OpenSim core developer and president of the Overte Foundation that oversees OpenSim licensing issues. Clark-Casey's work for OpenSim is on a volunteer basis -- during the day, he's a freelance developer working on enterprise virtual worlds projects.
"In a normal Linden Lab situation, there's no need for that security," he said. Second Life is a walled garden, and all regions and central services are run on Linden Lab's own servers.
Despite that, he said, OpenSim developers do bear security in mind and are doing their best as they go along.
"I look at every commit that comes in to check for security problems, and there's the idea that many eyes make all bugs shallow," he added. "But then again, you had the Heartbleed bug... and OpenSim has been growing so organically, with code from so many people over the years."