The longer it goes, the harder it is to fix
But adding in authentication, encryption and content protection now could break compatibility with the viewers, and with previous versions of OpenSim.
"I think that's why OpenSimulator developers have been so reluctant to address security," said Maxwell. "They know the plumbing has to be changed. I believe we're in this mess mostly because it's inconvenient, and people want to go the path of least resistance."
But it's not too late to change things, he said.
"It's time to put on the brakes and say, 'Stop everybody, we have to rethink the way we do this'," he said.
Maxwell himself is working to add encryption and other security features to the core of OpenSim, and will make the fixes public, but he doesn't know whether they will be adopted by the wider community.
"If someone decides to adopt it, they can advertise that they have military-grade security in their grid," he said.
Adding security in later is harder, and not as effective, said Bruce Schneier, a well-known authority on security and CTO at Cambridge, Mass.-based Co3 Systems, Inc.
"If there's anything we've learned, it's that adding security at the end is a lousy strategy," he said.
OpenSim's Clark-Casey disagrees.
"I know there's a mantra that you have to have security in from the start or it's broken forever," he said. "I don't believe that. But, then again, I'm not a security expert."