Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Yes, but most viewers have decent legit developers who won't put that stuff on the login page.

On Tue, Aug 24, 2010 at 9:50 PM, Harold Brown labrat...@gmail.com wrote:
> What I find interesting is that people are neglecting to realize that ANY viewer, even a LL viewer, could have been used to do the same thing by changing the WEBPAGE the login screen pointed to. Or for that matter distributing an object using the new Media functions to load a webpage with the exact same iframe set.
>
> On Mon, Aug 23, 2010 at 8:03 AM, David M Chess ch...@us.ibm.com wrote:
> > Could we move all this stuff to a new emeraldgate list, or something? That I could then carefully not subscribe to?

--
"Lanie, I'm going to print more printers. Lots more printers. One for everyone. That's worth going to jail for. That's worth anything." - Printcrime by Cory Doctorow

Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html

___
Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev
Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Sure, true, but the difference is that for a normal SL viewer to do this they need to specify their own login screen using URL parameters or something, while Emerald has its own custom login page which users see every time they log into Emerald. What you say is true, but that user count is WAY less than the thousands of Emerald users logging in. Continuing: it was stupid to do, but this also proves the point that Emerald (or any other viewer) can do what they want with SL's code. It gives a wrong view of what a third party viewer should be. To fix this so it never happens again: disallow custom login pages being hosted on the viewer's server, and instead allow them to be hosted on Second Life servers (for a fee maybe, idk), and every time they want to update the page, let LL control it to see if it's user safe (could allow dynamic XML stats for custom news and stats, but limited to basic HTML code with it). Anyway, my 2 cents.

--
From: Harold Brown labrat...@gmail.com
Sent: Tuesday, August 24, 2010 10:50 PM
To: David M Chess ch...@us.ibm.com
Cc: opensource-dev@lists.secondlife.com
Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

> What I find interesting is that people are neglecting to realize that ANY viewer, even a LL viewer, could have been used to do the same thing by changing the WEBPAGE the login screen pointed to. Or for that matter distributing an object using the new Media functions to load a webpage with the exact same iframe set.
>
> On Mon, Aug 23, 2010 at 8:03 AM, David M Chess ch...@us.ibm.com wrote:
> > Could we move all this stuff to a new emeraldgate list, or something? That I could then carefully not subscribe to?
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
They used a custom build of the KDU JPEG compression library to embed information in baked textures, such as the installation directory and the title of the window. The outrage around this is that Emerald developers:

1. Disclosed private information without informing users about the disclosure in their privacy policy (the installation folder can contain the username, usually on Linux, though).
2. Obfuscated this system by hiding it within a closed-source library.
3. Continued to lie about the purpose of this system.
4. LINDEN LAB CONTINUES TO IGNORE THE TPV VIOLATIONS. If I had pulled this crap with my tiny viewer, I'd have been banned back into the stone age. The double standard Linden Lab uses infuriates many who were forced to make many difficult changes to comply with the TPV, only to find out that Linden Lab has no intention of enforcing it.
5. Reportedly, Emerald merely changed the encryption method used when it was discovered. I don't even know if they changed their KDU library to comply yet, or if they're covering their bums still by making a storm of apologetic blog posts while continuing the same old crap.

Rob Nelson

On 8/24/2010 1:50 PM, Harold Brown wrote:
> What I find interesting is that people are neglecting to realize that ANY viewer, even a LL viewer, could have been used to do the same thing by changing the WEBPAGE the login screen pointed to. Or for that matter distributing an object using the new Media functions to load a webpage with the exact same iframe set.
>
> On Mon, Aug 23, 2010 at 8:03 AM, David M Chess ch...@us.ibm.com wrote:
> > Could we move all this stuff to a new emeraldgate list, or something? That I could then carefully not subscribe to?
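The baked-texture leak Rob describes is a metadata-in-codestream problem: a JPEG 2000 encoder can place arbitrary bytes in a marker segment that every decoder silently skips, so the image looks normal while carrying a payload. The Python below is an added example written for this thread; it is not Emerald, KDU or Linden Lab code. It assumes, which the thread does not state, that such data would sit in a COM (comment, marker 0xFF64) segment of the codestream's main header. It walks the main-header marker segments of a raw codestream, lists every COM payload, and flags those that are not plain printable text, which is the check a user auditing their own uploads would want. The sample codestream is constructed (header only, not a decodable image) and all function names are this example's own.

```python
"""Audit the main header of a raw JPEG 2000 codestream for comment segments.

Added example for this thread (not Emerald, KDU or Linden Lab code). It assumes
that hidden metadata, if present, lives in a COM marker segment; the thread
does not state where emkdu placed it.
"""
import struct

SOC, SIZ, COM, SOT = 0xFF4F, 0xFF51, 0xFF64, 0xFF90   # J2K marker codes


def scan_main_header(data: bytes):
    """Return [(marker, payload), ...] for each segment in the main header.

    Walks from SOC to the first SOT (start of the first tile-part), where
    image data begins. Each segment is a 2-byte marker followed by a 2-byte
    length that counts the length field itself plus the payload.
    """
    if data[:2] != struct.pack(">H", SOC):
        raise ValueError("no SOC marker: not a raw JPEG 2000 codestream")
    pos, segments = 2, []
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOT:
            break
        if marker >> 8 != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}, got {marker:#06x}")
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError(f"truncated segment {marker:#06x} at offset {pos}")
        segments.append((marker, payload))
        pos += 2 + length
    return segments


def comment_segments(data: bytes):
    """Return [(rcom, body), ...] for every COM segment.

    Rcom 0 registers the body as binary data, Rcom 1 as ISO 8859 text.
    """
    out = []
    for marker, payload in scan_main_header(data):
        if marker == COM and len(payload) >= 2:
            rcom = struct.unpack(">H", payload[:2])[0]
            out.append((rcom, payload[2:]))
    return out


def opaque_comments(data: bytes):
    """COM segments that are not plain printable text: registered as binary,
    or containing non-printable bytes. An encoder banner is readable; an
    encrypted blob is not, which is the distinction an audit cares about."""
    flagged = []
    for rcom, body in comment_segments(data):
        printable = all(32 <= b < 127 for b in body)
        if rcom != 1 or not printable:
            flagged.append((rcom, body))
    return flagged


def build_sample_codestream(comments):
    """Constructed sample: SOC, a minimal one-component SIZ, the given
    (rcom, body) COM segments, then an SOT marker so the scan terminates.
    Header only; this is not a decodable image."""
    siz_body = struct.pack(">HIIIIIIIIH", 0, 64, 64, 0, 0, 64, 64, 0, 0, 1) + bytes([7, 1, 1])
    siz = struct.pack(">HH", SIZ, len(siz_body) + 2) + siz_body
    coms = b"".join(struct.pack(">HHH", COM, len(body) + 4, rcom) + body
                    for rcom, body in comments)
    return struct.pack(">H", SOC) + siz + coms + struct.pack(">HH", SOT, 10)


if __name__ == "__main__":
    sample = build_sample_codestream([(1, b"Constructed encoder banner"),
                                      (0, b"\x9c\x02\xf1\x7a")])
    for rcom, body in opaque_comments(sample):
        print(f"opaque COM segment (Rcom={rcom}, {len(body)} bytes): {body.hex()}")
```

Run it against a texture exported from your own inventory by reading the file as bytes and passing it to `opaque_comments`; a readable encoder banner is expected, a high-entropy blob is not. The scanner stops at the first tile-part, so comment segments placed inside tile-part headers (which the standard also permits) are out of scope for this version.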
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Well, the developer of the emkdu dll file is PHOX. From the interview on treettv, Fractured purchased the license to develop it, PHOX did the actual developing, Fractured was asked to step down, PHOX is still on the team of Emerald developers. PHOX and Fractured are very close, all the way back when it was VLife and PhoxSL; they were nearly identical. So I would almost bet that it's a blitz attack on the public. Fractured walks away. PHOX stays. Fractured and PHOX still have control over the program because PHOX is still committing code. And as far as the licensing goes: if PHOX is the developer of the emkdu file (remember this is the bad file in the Emerald viewer) and they are still planning to use emkdu, who is developing it? PHOX?

On Tue, 24 Aug 2010 17:27:40 -0400, Rob Nelson nexisentertainm...@gmail.com wrote:
> They used a custom build of the KDU JPEG compression library to embed information in baked textures, such as the installation directory and the title of the window. The outrage around this is that Emerald developers:
>
> 1. Disclosed private information without informing users about the disclosure in their privacy policy (the installation folder can contain the username, usually on Linux, though).
> 2. Obfuscated this system by hiding it within a closed-source library.
> 3. Continued to lie about the purpose of this system.
> 4. LINDEN LAB CONTINUES TO IGNORE THE TPV VIOLATIONS. If I had pulled this crap with my tiny viewer, I'd have been banned back into the stone age. The double standard Linden Lab uses infuriates many who were forced to make many difficult changes to comply with the TPV, only to find out that Linden Lab has no intention of enforcing it.
> 5. Reportedly, Emerald merely changed the encryption method used when it was discovered. I don't even know if they changed their KDU library to comply yet, or if they're covering their bums still by making a storm of apologetic blog posts while continuing the same old crap.
>
> Rob Nelson
>
> On 8/24/2010 1:50 PM, Harold Brown wrote:
> > What I find interesting is that people are neglecting to realize that ANY viewer, even a LL viewer, could have been used to do the same thing by changing the WEBPAGE the login screen pointed to. Or for that matter distributing an object using the new Media functions to load a webpage with the exact same iframe set.
> >
> > On Mon, Aug 23, 2010 at 8:03 AM, David M Chess ch...@us.ibm.com wrote:
> > > Could we move all this stuff to a new emeraldgate list, or something? That I could then carefully not subscribe to?

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
> PHOX and Fractured are very close, all the way back when it was VLife and PhoxSL; they were nearly identical. So I would almost bet that it's a blitz attack on the public. Fractured walks away. PHOX stays. Fractured and PHOX still have control over the program because PHOX is still committing code. And as far as the licensing goes: if PHOX is the developer of the emkdu file (remember this is the bad file in the Emerald viewer) and they are still planning to use emkdu, who is developing it? PHOX?

According to a blog post on blog.modularsystems.sl, which was subsequently pulled (cached: http://bit.ly/9OfxUd), Linden Lab has demanded that Emerald cease use of emkdu entirely.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Really wish that was true, but you saw Katharine's comments in IRC. Absolutely nothing has changed with Emerald except for the servers. Here is hoping that both Philip and legal are not deceived so easily.

Jesse Barnett

On Monday, August 23, 2010, Tateru Nino tateru.n...@gmail.com wrote:
> And now, perhaps, we can get back to the important stuff, like the viewer itself.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
I don't want to start a war of any kind, but let me suggest that you ask for evidence before believing what people say in chat or elsewhere. There are people who would love to see Emerald crumble, and have no problem deceiving, misleading or plain lying. I have seen this done on this list, in forums (SLU especially) and in group chat. So, be very wary of whose word you believe.

For my part, the interview on treet.tv was enough to convince me to remain an Emerald user. That combined with knowing Jessica enough to trust her word.

On 08/23/2010 04:24 AM, Jesse Barnett wrote:
> Really wish that was true, but you saw Katharine's comments in IRC. Absolutely nothing has changed with Emerald except for the servers. Here is hoping that both Philip and legal are not deceived so easily.
>
> Jesse Barnett
>
> On Monday, August 23, 2010, Tateru Nino tateru.n...@gmail.com wrote:
> > And now, perhaps, we can get back to the important stuff, like the viewer itself.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
I would love to see Emerald continue and grow. I for one actually like Emerald. However, I find it odd that 3 of the devs are known for creating copybot/griefer clients. And with Emerald alone 2 of the devs have created malicious code inside of Emerald. Yet only one of the devs was asked to leave, while Mr. User Data Leakage remains on the team.

Personally it appears to me that this is nothing more than a set up to shadow or sweep away the dirt that has been being flung around about the viewer. Fractured is asked to step down and walk away. But Fractured is the dev that purchased the license to build emkdu. Phox built the emkdu with user data leakage. And now they will be using a clean emkdu. Who is building the emkdu now? Fractured? Phox? Or did one of the other devs run out and purchase a license to do so?

Changing the server which hosts the client does nothing for saving face. And as long as Phox is a part of the team (considering the fact that Phox and Jaycool are closer than twins), Fractured will still have access to changing code. If LL allows this to continue the TPVP is a joke.

Hopefully the rest of you that use Emerald will be more cautious about the client when you run it. After what we have seen thus far, God only knows what's next.

On Mon, 23 Aug 2010 05:21:35 -0400, Miro Collas miro.col...@gmail.com wrote:
> I don't want to start a war of any kind, but let me suggest that you ask for evidence before believing what people say in chat or elsewhere. There are people who would love to see Emerald crumble, and have no problem deceiving, misleading or plain lying. I have seen this done on this list, in forums (SLU especially) and in group chat. So, be very wary of whose word you believe.
>
> For my part, the interview on treet.tv was enough to convince me to remain an Emerald user. That combined with knowing Jessica enough to trust her word.
>
> On 08/23/2010 04:24 AM, Jesse Barnett wrote:
> > Really wish that was true, but you saw Katharine's comments in IRC. Absolutely nothing has changed with Emerald except for the servers. Here is hoping that both Philip and legal are not deceived so easily.
> >
> > Jesse Barnett
> >
> > On Monday, August 23, 2010, Tateru Nino tateru.n...@gmail.com wrote:
> > > And now, perhaps, we can get back to the important stuff, like the viewer itself.

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Could we move all this stuff to a new emeraldgate list, or something? That I could then carefully not subscribe to?
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On 8/22/10, Phox p...@modularsystems.sl wrote:
> The website in question suffered no ill effects, and to imply that loading a .php and a few images is an attempt at DDOS is just ridiculous. Our login page consists of a .php script and a hi-res picture, and our website doesn't go down as a result.

Your website did go down because of the load, though - a whole bunch of times in fact! There's even still an entry in the Emerald FAQ about it[1]:

> Due to a problem with our webhost 500 errors are increasingly common with new traffic. Please wait a few seconds and try to reload the page, it may take a few tries before you get through.

The only reason it doesn't anymore is because you moved to a bunch of really chunky and expensive dedicated servers. http://blog.modularsystems.sl/2010/07/19/emerald-user-statistics/ says that you're using two of http://www.hetzner.de/en/hosting/produkte_rootserver/eq4/ - each of which is about as powerful as some of the older Class 5 Linden Labs servers that host 4 regions each - plus a third unspecified dedicated server. Hazim was using cheap shared hosting.

What's more, the guy from the Emerald project who did this knows just how much load the Emerald login screen puts on Emerald's servers, because he apparently pays for and runs them!

On 8/22/10, Katharine Berry kathar...@katharineberry.co.uk wrote:
> No it doesn't. If it was a PHP script then I could've made much of the code much simpler when I made the thing. It was very deliberately not a PHP script, for reasons of load.

Yep, looking at the headers it's definitely static HTML. We've got an Accept-Ranges header, a Content-Length header (both of which you can get from PHP scripts but wouldn't normally), and most importantly an ETag in the same format lighttpd uses for static content.

Also, the login page wasn't just making one request for a PHP-generated page from Hazim's website - it was making 20 requests for the same page.

[1] http://www.modularsystems.sl/wiki/wikka.php?wakka=FAQ
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
I hate replying to a policy thread here but will make this one time exception for my humble input for LL's consideration:

What I think LL should consider is something in the TPV policy that prohibits any TPV from connecting to any non-LL server for any reason when an LL grid is selected for login. This simple policy, if correctly followed, would have prevented the incident. It would also eliminate a TPV team from monitoring logins and usage, but then where exactly did they get to do that in the first place? It is a missed policy bullet. There is no reason a client should connect to anything except an LL server when an LL grid is selected. LL needs to be totally security conscious about the login process and what rigid requirements must be met for connecting to the LL grids.

I.e., I watch my port activity. Everyone should. But not everyone would know what they are looking at. But had they been watching I bet they would have been wanting to know what all those connections to that host were all about right away. Had I been using Emerald and seen thirty-something connections to iheartanime dot com appear I would have been raising hell immediately. What you connect to on the internet can be and is monitored sometimes, and being open to forced connections to something really bad would be extremely unfortunate for many that have to be squeaky clean.

I use Kirstens and I don't even care much for its connection for MOTD. However it does tell me when the latest release is available and that is very useful information. Maybe there is a way for LL to provide MOTD bullets for TPVs so they can get the word out about updates or something. There has to be a better way.

Regards
Ann Otoole InSL

From: Brian McGroarty s...@lindenlab.com
To: Thomas Grimshaw t...@streamsense.net
Cc: opensource-dev@lists.secondlife.com
Sent: Sat, August 21, 2010 10:33:52 AM
Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

> On Sat, Aug 21, 2010 at 7:04 AM, Thomas Grimshaw t...@streamsense.net wrote:
> > Loading 1mb of content per user is hardly a denial of service attack. Crosslinking occurs everywhere on the web, this is simply nothing but paranoid bull.
>
> Crosslinking drops the context of hiding gibberish requests to a critic's website in a hidden frame that will never be revealed to the user. This isn't a mere hyperlink to another page or naively stealing someone else's image hosting.
>
> My read (but I'm no lawyer) is that this looks like 2.d.iii of http://secondlife.com/corporate/tpv.php and we're already having that discussion.
>
> If anyone can come up with specific reasons why this might have had legitimate reason to be there, or how this one could be yet another oversight or mistake, that would be helpful. I sure haven't heard any to date.
>
> --
> Brian McGroarty | Linden Lab
> Sent from my Newton MP2100 via acoustic coupler
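Ann's "watch your port activity" and the earlier observation that the login page fired twenty requests at one host both come down to the same check: count the viewer's outbound connections per destination and compare them with what the viewer is entitled to contact, which also covers the disclosure-based variant where a viewer is allowed to reach a non-grid host only if its privacy policy names that host. The Python below is an added example for this thread, not code from any viewer or from Linden Lab. The grid suffix, the disclosed update host, the record format (`proc=... dst=host:port`, as a connection-monitoring script might emit) and the log lines are all constructed placeholders.

```python
"""Audit a viewer's outbound connections against what it is entitled to contact.

Added example for this thread, not code from any viewer or from Linden Lab.
Host names, the record format and the log lines are constructed placeholders.
"""
import re
from collections import Counter

# Hosts belonging to the grid you logged into (placeholder suffix, not a real grid).
GRID_SUFFIXES = ("grid.example",)
# Non-grid hosts the viewer's privacy policy discloses, e.g. an update check (placeholder).
DISCLOSED_HOSTS = {"updates.viewer.example"}

# Assumed record format: "<timestamp> proc=<name> dst=<host>:<port> state=<state>".
LINE_RE = re.compile(r"proc=(?P<proc>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)")

# Constructed sample: a normal login, one disclosed update check, one unrelated
# process, and thirty connections from the viewer to a host nobody disclosed.
SAMPLE_LOG = [
    "2010-08-21T10:33:52 proc=viewer dst=login.grid.example:443 state=ESTAB",
    "2010-08-21T10:33:53 proc=viewer dst=sim7.grid.example:13000 state=ESTAB",
    "2010-08-21T10:33:53 proc=viewer dst=updates.viewer.example:80 state=ESTAB",
    "2010-08-21T10:33:54 proc=browser dst=browser-only.example:443 state=ESTAB",
] + [
    f"2010-08-21T10:33:5{5 + i % 5} proc=viewer dst=thirdparty.example:80 state=ESTAB"
    for i in range(30)
]


def parse_line(line):
    """Return (process, host, port) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["proc"], m["host"].lower(), int(m["port"])


def classify(host):
    """grid: part of the selected grid; disclosed: named in the viewer's
    privacy policy; undisclosed: anything else, which is what to question."""
    if host in DISCLOSED_HOSTS:
        return "disclosed"
    if any(host == s or host.endswith("." + s) for s in GRID_SUFFIXES):
        return "grid"
    return "undisclosed"


def audit(lines, proc="viewer"):
    """Per-destination connection counts for one process, with a class each."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[0] == proc:
            counts[rec[1]] += 1
    return {host: {"count": n, "class": classify(host)} for host, n in counts.items()}


def alerts(lines, proc="viewer", burst=10):
    """Human-readable findings: every undisclosed destination, plus any
    destination hit `burst` or more times in the window (a hidden frame
    reloading one page is a burst even when the host is known)."""
    findings = []
    for host, info in sorted(audit(lines, proc).items()):
        if info["class"] == "undisclosed":
            findings.append(f"{host}: {info['count']} connection(s) to an undisclosed host")
        elif info["count"] >= burst:
            findings.append(f"{host}: {info['count']} connections in the window (burst)")
    return findings


if __name__ == "__main__":
    for finding in alerts(SAMPLE_LOG):
        print(finding)
```

The suffix match is deliberately anchored with a leading dot so that a host such as `grid.example.attacker.example` does not pass as part of the grid; the process filter keeps the browser's own traffic from polluting the viewer's count. Feed it the output of whatever connection monitor you already run, reformatted into the assumed record shape.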
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sun, Aug 22, 2010 at 1:22 PM, Ann Otoole missannoto...@yahoo.com wrote:
> What I think LL should consider is something in the TPV policy that prohibits any TPV from connecting to any non-LL server for any reason when an LL grid is selected for login. This simple policy, if correctly followed, would have prevented the incident. It would also eliminate a TPV team from monitoring logins and usage, but then where exactly did they get to do that in the first place?

It also prevents third-party viewers from notifying users that updates are available, including security updates. Whole bunch of other stuff too - for example the official Second Life login screen doesn't actually work on unofficial viewers.

Besides, both incidents like this and undisclosed monitoring of usage violate the TPV policy anyway (and at least one of Emerald's privacy issues didn't involve connecting to any non-LL server at all). Have you taken a look at Imprudence's Privacy Policy, for example (http://imprudenceviewer.org/wiki/Imprudence:Privacy_policy)? This is roughly the level of disclosure the policy calls for regarding data collection associated with viewer use (the information related to the website goes beyond what the policy requires). I assume Emerald has a similar page somewhere too.
[opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sat, Aug 21, 2010 at 7:48 PM, Phox p...@modularsystems.sl wrote:
> (Since then, all additional metadata information has been removed from emkdu). The change in encryption was simply a result of inertia being able to decode the viewer window title information.

It is my understanding that the emkdu was placing the hidden viewer window title information into the baked textures. So in one sentence you are saying the information was removed, and in the next you are saying it is still there, just encrypted better so others cannot decode it and out you. Which is it?
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Found this morning, forgive me for not noting where, but it puts it in context:

> Anonymous said...
> Why did they do that? Well, you may recall that Emerald (more specifically the libemkdu library in it) was caught leaking personally-identifiable information about its users in an encrypted form that could be read by Emerald developers. They were then caught continuing to do so after the developers in question claimed the problem was fixed, just with stronger encryption that made it harder to prove. iheartanime.com is the website of the person who figured out how to decrypt the secret information they were leaking both times, and the website on which he publicised this issue. It's basically a vendetta attack against someone who revealed the Emerald developers had been up to no good.

From: Simon Disk
Sent: Sunday, August 22, 2010 9:47 AM
To: Phox
Cc: opensource-dev@lists.secondlife.com
Subject: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

> On Sat, Aug 21, 2010 at 7:48 PM, Phox p...@modularsystems.sl wrote:
> > (Since then, all additional metadata information has been removed from emkdu). The change in encryption was simply a result of inertia being able to decode the viewer window title information.
>
> It is my understanding that the emkdu was placing the hidden viewer window title information into the baked textures. So in one sentence you are saying the information was removed, and in the next you are saying it is still there, just encrypted better so others cannot decode it and out you. Which is it?
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Hi Ann,

You suggested:

> What I think LL should consider is something in the TPV policy that prohibits any TPV from connecting to any non-LL server for any reason when an LL grid is selected for login.

I'd change that to require that any TPV *disclose* the specifics of any and all non-LL servers that they are connecting to, and the details of why they are doing so. Otherwise, some of the possible value-added functionality gets crippled.

The real issue here is the TPVP is just legal CYA for LL; it's not something they actually monitor or enforce. There is no assurance being provided by LL or by the TPV developer that they have any sense of reasonable security, including processes that limit rogue devs from pulling the kind of stunts that the Emerald team seem to favor.

If the TPVP really matters, we'll see Emerald shut down from the TPVP program, because of this accumulated nonsense. If not, then it confirms that it's all just a paper chase.

Regards,
- JB

On Sun, Aug 22, 2010 at 8:22 AM, Ann Otoole missannoto...@yahoo.com wrote:
> I hate replying to a policy thread here but will make this one time exception for my humble input for LL's consideration:
>
> What I think LL should consider is something in the TPV policy that prohibits any TPV from connecting to any non-LL server for any reason when an LL grid is selected for login. This simple policy, if correctly followed, would have prevented the incident. It would also eliminate a TPV team from monitoring logins and usage, but then where exactly did they get to do that in the first place? It is a missed policy bullet. There is no reason a client should connect to anything except an LL server when an LL grid is selected. LL needs to be totally security conscious about the login process and what rigid requirements must be met for connecting to the LL grids.
>
> I.e., I watch my port activity. Everyone should. But not everyone would know what they are looking at. But had they been watching I bet they would have been wanting to know what all those connections to that host were all about right away. Had I been using Emerald and seen thirty-something connections to iheartanime dot com appear I would have been raising hell immediately. What you connect to on the internet can be and is monitored sometimes, and being open to forced connections to something really bad would be extremely unfortunate for many that have to be squeaky clean.
>
> I use Kirstens and I don't even care much for its connection for MOTD. However it does tell me when the latest release is available and that is very useful information. Maybe there is a way for LL to provide MOTD bullets for TPVs so they can get the word out about updates or something. There has to be a better way.
>
> Regards
> Ann Otoole InSL
>
> From: Brian McGroarty s...@lindenlab.com
> To: Thomas Grimshaw t...@streamsense.net
> Cc: opensource-dev@lists.secondlife.com
> Sent: Sat, August 21, 2010 10:33:52 AM
> Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
>
> > On Sat, Aug 21, 2010 at 7:04 AM, Thomas Grimshaw t...@streamsense.net wrote:
> > > Loading 1mb of content per user is hardly a denial of service attack. Crosslinking occurs everywhere on the web, this is simply nothing but paranoid bull.
> >
> > Crosslinking drops the context of hiding gibberish requests to a critic's website in a hidden frame that will never be revealed to the user. This isn't a mere hyperlink to another page or naively stealing someone else's image hosting.
> >
> > My read (but I'm no lawyer) is that this looks like 2.d.iii of http://secondlife.com/corporate/tpv.php and we're already having that discussion.
> >
> > If anyone can come up with specific reasons why this might have had legitimate reason to be there, or how this one could be yet another oversight or mistake, that would be helpful. I sure haven't heard any to date.
> >
> > --
> > Brian McGroarty | Linden Lab
> > Sent from my Newton MP2100 via acoustic coupler
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Being listed in the directory is a sign that viewer devs have self-certified compliance, but it's also an unconscious sign to users that the viewer is legit, even if not intended.

On Sun, Aug 22, 2010 at 3:56 PM, JB Hancroft jbhancr...@gmail.com wrote:
> Hi Ann,
>
> You suggested:
>
> > What I think LL should consider is something in the TPV policy that prohibits any tpv from connecting to any non LL server for any reason when a LL grid is selected for login.
>
> I'd change that to require that any TPV disclose the specifics of any and all non-LL servers that they are connecting to, and the details of why they are doing so. Otherwise, some of the possible value-added functionality gets crippled.
>
> The real issue here is the TPVP is just legal CYA for LL; it's not something they actually monitor or enforce. There is no assurance being provided by LL or by the TPV developer that they have any sense of reasonable security, including processes that limit rogue devs from pulling the kind of stunts that the Emerald team seem to favor.
>
> If the TPVP really matters, we'll see Emerald shut down from the TPVP program, because of this accumulated nonsense. If not, then it confirms that it's all just a paper chase.
>
> Regards,
> - JB
>
> On Sun, Aug 22, 2010 at 8:22 AM, Ann Otoole missannoto...@yahoo.com wrote:
> > I hate replying to a policy thread here but will make this one time exception for my humble input for LL's consideration:
> >
> > What I think LL should consider is something in the TPV policy that prohibits any tpv from connecting to any non LL server for any reason when a LL grid is selected for login. This simple policy, if correctly followed, would have prevented the incident. It would also eliminate a tpv team from monitoring logins and usage, but then where exactly did they get to do that in the first place? It is a missed policy bullet. There is no reason a client should connect to anything except an LL server when an LL grid is selected.
> >
> > LL needs to be totally security conscious about the login process and what rigid requirements must be met for connecting to the LL grids. I.e., I watch my port activity. Everyone should. But not everyone would know what they are looking at. But had they been watching I bet they would have been wanting to know what all those connections to that host were all about right away. Had I been using Emerald and saw thirty something connections to iheartanime dot com appear I would have been raising hell immediately. What you connect to on the internet can be and is monitored sometimes, and being open to forced connections to something really bad would be extremely unfortunate for many that have to be squeaky clean.
> >
> > I use Kirstens and I don't even care much for its connection for motd. However it does tell me when the latest release is available and that is very useful information. Maybe there is a way for LL to provide motd bullets for tpvs so they can get the word out about updates or something. There has to be a better way.
> >
> > Regards
> > Ann Otoole InSL
> >
> > From: Brian McGroarty s...@lindenlab.com
> > To: Thomas Grimshaw t...@streamsense.net
> > Cc: opensource-dev@lists.secondlife.com
> > Sent: Sat, August 21, 2010 10:33:52 AM
> > Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
> >
> > On Sat, Aug 21, 2010 at 7:04 AM, Thomas Grimshaw t...@streamsense.net wrote:
> > > Loading 1mb of content per user is hardly a denial of service attack. Crosslinking occurs everywhere on the web, this is simply nothing but paranoid bull.
> >
> > Crosslinking drops the context of hiding gibberish requests to a critic's website in a hidden frame that will never be revealed to the user. This isn't a mere hyperlink to another page or naively stealing someone else's image hosting.
> >
> > My read (but I'm no lawyer) is that this looks like 2.d.iii of http://secondlife.com/corporate/tpv.php and we're already having that discussion.
> >
> > If anyone can come up with specific reasons why this might have had legitimate reason to be there, or how this one could be yet another oversight or mistake, that would be helpful. I sure haven't heard any to date.
> >
> > --
> > Brian McGroarty | Linden Lab
> > Sent from my Newton MP2100 via acoustic coupler

___
Policies and (un)subscribe information available here:
http://wiki.secondlife.com/wiki/OpenSource-Dev
Please read the policies before posting to keep unmoderated posting privileges
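One way to do the port-watching Ann describes above, as an added example that is not code from this thread or from any viewer project: it parses constructed `lsof -i -P` style lines for one client process, counts connections per remote host, and flags hosts outside an assumed allowlist of grid domain suffixes (placeholders, since the real grid hostnames are not given here), with a burst threshold for the kind of repeated hidden-frame fetches discussed in the thread.

```python
import re
from collections import Counter

# Hypothetical allowlist: domains the client is expected to reach when an LL
# grid is selected. Placeholder suffixes (the thread does not list the real
# grid hosts); replace them with the operator's published endpoints.
EXPECTED_SUFFIXES = ("secondlife.com", "lindenlab.com")

# Example burst threshold: the thread describes "thirty something" connections
# to one outside host; a count well below that is still worth a look.
BURST_THRESHOLD = 10

# NAME column of lsof looks like  local:port->remote:port (STATE)
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+.*?\s(?:TCP|UDP)\s+\S+->"
    r"(?P<host>\[[^\]]+\]|[^:\s]+):(?P<port>\S+)\s+\((?P<state>\w+)\)"
)


def host_is_expected(host, suffixes=EXPECTED_SUFFIXES):
    """True if host is one of the suffixes or a subdomain of one.

    Matches on label boundaries, so "secondlife.com.attacker.example" or
    "notsecondlife.com" do not pass.
    """
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def parse_lsof_line(line):
    """Parse one `lsof -i -P` style line; return (cmd, pid, host, port, state) or None."""
    m = LSOF_RE.match(line)
    if not m:
        return None  # header line or a format we do not understand
    return (m["cmd"], int(m["pid"]), m["host"], m["port"], m["state"])


def audit_connections(lines, process, suffixes=EXPECTED_SUFFIXES, burst=BURST_THRESHOLD):
    """Count per-host connections of `process` and flag hosts outside the allowlist.

    Returns a dict:
      "seen":       Counter of every remote host the process talked to
      "unexpected": Counter restricted to hosts outside `suffixes`
      "bursts":     unexpected hosts whose count reaches `burst`, most frequent first
    """
    seen = Counter()
    for line in lines:
        rec = parse_lsof_line(line)
        if rec is None or rec[0] != process:
            continue  # header, other program, or unparseable
        seen[rec[2]] += 1
    unexpected = Counter({h: n for h, n in seen.items() if not host_is_expected(h, suffixes)})
    bursts = [h for h, n in unexpected.most_common() if n >= burst]
    return {"seen": seen, "unexpected": unexpected, "bursts": bursts}


def _line(fd, remote, state="ESTABLISHED", cmd="viewer", pid=4242):
    # Build one constructed lsof-style line (no real capture behind it).
    return (f"{cmd:<8} {pid} ann  {fd}u  IPv4 0x{fd:x}  0t0  TCP "
            f"desk.lan:{50000 + fd}->{remote} ({state})")


# Constructed sample: a viewer process with a few expected grid connections,
# a look-alike host, another program's connection, and a burst of fetches to
# the outside host named in the thread.
SAMPLE_LINES = [
    "COMMAND  PID  USER  FD   TYPE DEVICE SIZE/OFF NODE NAME",
    _line(31, "login.secondlife.com:443"),
    _line(32, "grid.lindenlab.com:12043"),
    _line(33, "secondlife.com.attacker.example:443"),  # look-alike, must be flagged
    _line(34, "updates.example.net:80", cmd="other"),  # different process, ignored
] + [_line(40 + i, "iheartanime.com:80", state="CLOSE_WAIT" if i % 2 else "ESTABLISHED")
     for i in range(31)]


def main():
    report = audit_connections(SAMPLE_LINES, "viewer")
    for host, count in report["unexpected"].most_common():
        flag = "BURST" if host in report["bursts"] else "     "
        print(f"{flag} {count:3d}  {host}")


if __name__ == "__main__":
    main()
```

On a real machine, feed `audit_connections` the output of `lsof -i -P` (or your platform's equivalent) and the viewer's process name instead of `SAMPLE_LINES`.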
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sun, Aug 22, 2010 at 10:56 AM, JB Hancroft jbhancr...@gmail.com wrote:
> If the TPVP really matters, we'll see Emerald shut down from the TPVP program, because of this accumulated nonsense. If not, then it confirms that it's all just a paper chase.

Actually, let's see what's going on here:

1. The whole texture thing was due to the viewer's install folder being baked into textures. IF THIS IS LEFT AS DEFAULT then very little info is actually given; the problem is some folks were doing installs into their own home folder (somebody did not account for that).

2. The whole login screen edit was mostly the person in question, err, being drunk at the time and not going back to fix/revert his editing (btw he is in fact stepping down and surrendering the domain).

I would say that since 1) the problems are being fixed and 2) former Lindens (from the recent Night of Glass set of layoffs) are now being hired as part of the E-Team, this is a closed issue.

--
Robert L Martin

Phox, whenish is the next beta coming out and is 2439 being blocked??
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
This has been put many ways and this is the clearest it can be put. FC quits, hands off to Arabella (read the sandbox dialogs to gauge her reliability), FC creates new account with new name, makes some meaningless webserver changes, FC comes back with a new name, lather/rinse/repeat. They have proved that they can not be trusted.

"I love deadlines. I like the whooshing sound they make as they fly by." - Douglas Adams

On Sun, Aug 22, 2010 at 12:20 PM, Robert Martin robertl...@gmail.com wrote:
> Actually, let's see what's going on here:
>
> 1. The whole texture thing was due to the viewer's install folder being baked into textures. IF THIS IS LEFT AS DEFAULT then very little info is actually given; the problem is some folks were doing installs into their own home folder (somebody did not account for that).
>
> 2. The whole login screen edit was mostly the person in question, err, being drunk at the time and not going back to fix/revert his editing (btw he is in fact stepping down and surrendering the domain).
>
> I would say that since 1) the problems are being fixed and 2) former Lindens (from the recent Night of Glass set of layoffs) are now being hired as part of the E-Team, this is a closed issue.
>
> --
> Robert L Martin
>
> Phox, whenish is the next beta coming out and is 2439 being blocked??
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Fractured has stepped down and out of the Emerald picture

http://blog.modularsystems.sl/2010/08/22/emerald-off-with-his-head/

But it is painfully obvious that the comments are being heavily moderated and I know that neither of mine have gotten through.

The Phox is still in the hen house and it is going to take much more than this token response to restore confidence. Anyone watching the videos and listening to their voices can see that a complete reorganization needs to be done and transparency demonstrated and verified.

I hope that the upper echelons of Linden Lab are not fooled by the blog post and instead demand that more action be taken. At the bare minimum, they need to be delisted until real change has been shown.

Ignoring this and giving the all clear with no other action taken on the part of Linden Lab will instead demonstrate that the TPV is a worthless scrap of paper.

Jesse Barnett
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sun, Aug 22, 2010 at 11:32 AM, Jesse Barnett jess...@gmail.com wrote:
> Ignoring this and giving the all clear with no other action taken on the part of Linden Lab will instead demonstrate that the TPV is a worthless scrap of paper.

Correction, it only exists on paper if printed. The proper phrase is "a worthless configuration of pixels".

The TPVP makes it clear what the consequences are for breaking the policy. 8c says:

    If a Third-Party Viewer or your use or distribution of it violates this Policy or any Linden Lab policy, your permission to access Second Life using the Third-Party Viewer shall terminate automatically. You acknowledge and agree that we may require you to stop using or distributing a Third-Party Viewer for accessing Second Life if we determine that there is a violation.

So either the lab will enforce this, or they will say "Well you are so popular you can screw around all you want."

Is Emerald the viewer too big to fail?

--
ZenMondo
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sunday 22 August 2010, L. Christopher Bird wrote:
> On Sun, Aug 22, 2010 at 11:32 AM, Jesse Barnett jess...@gmail.com wrote:
> > Ignoring this and giving the all clear with no other action taken on the part of Linden Lab will instead demonstrate that the TPV is a worthless scrap of paper.
>
> Correction, it only exists on paper if printed. The proper phrase is "a worthless configuration of pixels".
>
> The TPVP makes it clear what the consequences are for breaking the policy. 8c says:
>
> > If a Third-Party Viewer or your use or distribution of it violates this Policy or any Linden Lab policy, your permission to access Second Life using the Third-Party Viewer shall terminate automatically. You acknowledge and agree that we may require you to stop using or distributing a Third-Party Viewer for accessing Second Life if we determine that there is a violation.
>
> So either the lab will enforce this, or they will say "Well you are so popular you can screw around all you want."
>
> Is Emerald the viewer too big to fail?
>
> --
> ZenMondo

I just looked and emerald's not in the tpv directory anymore.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Oh.. what does this mean? We can't use emerald anymore?

On 22/08/2010 2:01 PM, Lance Corrimal wrote:
> I just looked and emerald's not in the tpv directory anymore.

--
AnSky Grid is fun enjoy with community
AnSky Grid http://www.ansky.ca
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
As they shouldn't be! Although one does wonder whether users are now at risk of being banned if they keep using it.

On Sun, Aug 22, 2010 at 7:01 PM, Lance Corrimal lance.corri...@eregion.de wrote:
> I just looked and emerald's not in the tpv directory anymore.

--
“Lanie, I’m going to print more printers. Lots more printers. One for everyone. That’s worth going to jail for. That’s worth anything.” - Printcrime by Cory Doctrow

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
They may be waiting to make a formal announcement before they pull the plug on the viewer - didn't they make a policy of not allowing any viewer to connect that wasn't on the list? I think so.

--
From: Gareth Nelson gar...@garethnelson.com
Sent: Sunday, August 22, 2010 2:50 PM
To: Lance Corrimal lance.corri...@eregion.de
Cc: opensource-dev@lists.secondlife.com
Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

> As they shouldn't be! Although one does wonder whether users are now at risk of being banned if they keep using it.
>
> On Sun, Aug 22, 2010 at 7:01 PM, Lance Corrimal lance.corri...@eregion.de wrote:
> > I just looked and emerald's not in the tpv directory anymore.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
There isn't anything in the policy itself which says you must be listed; there is however a note on the directory page warning users to be wary of unlisted viewers.

On Sun, Aug 22, 2010 at 8:54 PM, Will wdema...@verizon.net wrote:
> hmm ok I may be wrong but remember a rush to update viewers from the approved list, didn't look over my shoulder and just for good housekeeping I don't venture from approved viewers. Seriously hope you are wrong or there will be little to no control over who gets to connect.
>
> --
> From: Gareth Nelson gar...@garethnelson.com
> Sent: Sunday, August 22, 2010 3:25 PM
> To: Will wdema...@verizon.net
> Cc: Lance Corrimal lance.corri...@eregion.de; opensource-dev@lists.secondlife.com
> Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
>
> > As I understand it, you don't need to be in the list, just comply with the policy.
> >
> > On Sun, Aug 22, 2010 at 8:19 PM, Will wdema...@verizon.net wrote:
> > > They may be waiting to make a formal announcement before they pull the plug on the viewer - didn't they make a policy of not allowing any viewer to connect that wasn't on the list? I think so.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sun, 22 Aug 2010 21:10:00 +0100 Gareth Nelson gar...@garethnelson.com wrote:
> There isn't anything in the policy itself which says you must be listed; there is however a note on the directory page warning users to be wary of unlisted viewers.

wait... TPV listing is based on volunteer action; somebody can develop a viewer (maybe TPV compliant) and not ask to be listed in the directory, but in the terms of service at point 7 all residents accept to use only approved viewers to connect to the Linden Grid (and if they login a time they must approve it).
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sun, 22 Aug 2010 15:30:55 -0500 Brandon Husbands xot...@gmail.com wrote:
> As an X-emerald Dev (I am Dimentox): most of the stuff people are saying that is going on or has gone on.. most of the other devs had no idea. We just did our parts to make the viewer better. I left due to the fact that I did not have time to continue to work on the project. Unfortunately a few bad seeds ruin the apple.

emerald *is* a TPV compliant viewer, but isn't listed; this is a grey zone in the ToS and TPV policy... not a dev-emerald fault.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sun, 22 Aug 2010 21:10:00 +0100, Gareth Nelson wrote:
> There isn't anything in the policy itself which says you must be listed; there is however a note on the directory page warning users to be wary of unlisted viewers.

Which is nonsense. Quoting the TPV policy:

    6. The Viewer Directory and Self-Certification
    We created the Viewer Directory to help promote awareness of Third-Party Viewers within the Second Life community. Unlike the other sections of this Policy, participation in the Viewer Directory is currently not a requirement for connecting to Second Life.

So, the viewer directory is just a promotion tool. Also, having a viewer listed in the directory is in no way a guarantee, since LL clearly disclaims it; still quoting the TPV policy:

    6.c. The Viewer Directory is a self-certification program. Linden Lab does not represent or warrant any independent testing or verification of compliance of any application listed in the Viewer Directory. We disclaim all liability associated with applications in the Viewer Directory.

And the 3rd paragraph of the foreword of the directory itself:

    .../... However, because third-party viewers are not our viewers, we cannot guarantee that they will follow our rules. You are responsible for evaluating whether you want to use and share information with them.

As you can see, being listed in the directory means nothing, and not being listed means nothing either as far as the safety of the viewer goes.

I myself didn't list the Cool VL Viewer, not because it would not be TPV policy compliant (it is, 100%), but because Linden Lab requires private data about me that I won't disclose, so as to protect my privacy and anonymity in SL.

Henri.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Then this is confusing; to be listed you have to be within the policy, "approved" for lack of a better word. Someone please clarify:

    If a Third-Party Viewer or your use or distribution of it violates this Policy or any Linden Lab policy, your permission to access Second Life using the Third-Party Viewer shall terminate automatically.

To me it sounds like any viewer not on the list is not approved and that means by their own statement it will not be allowed to connect.

--
From: Gareth Nelson gar...@garethnelson.com
Sent: Sunday, August 22, 2010 4:10 PM
To: Will wdema...@verizon.net
Cc: Lance Corrimal lance.corri...@eregion.de; opensource-dev@lists.secondlife.com
Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

> There isn't anything in the policy itself which says you must be listed; there is however a note on the directory page warning users to be wary of unlisted viewers.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sun, 22 Aug 2010 22:40:26 +0200 Henri Beauchamp sl...@free.fr wrote:
> > > > There isn't anything in the policy itself which says you must be listed; there is however a note on the directory page warning users to be wary of unlisted viewers.
> > >
> > > Which is nonsense.
> >
> > sorry cannot see the nonsense,
>
> The nonsense is about LL saying "be wary of viewers not listed in this directory" (while the TPV policy clearly states that to be compliant, a viewer does NOT need to be listed in the directory) and then "we can't give you any guarantee for the viewers listed in this directory".

again... it is a self-certification; you may be listed by submitting your data, but Linden cannot guarantee you say the truth :) otherwise it isn't a self-certification
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
I was hoping for something first hand - like a post by her or some other member of the Emerald team. Sorry, but so many things have been written that are not supported by evidence. Like videos of chat logs: text can be altered so that's hardly reliable, solid evidence of anything.

On 08/22/2010 05:16 PM, Michael Daniel wrote:
> Confirmed by Paisley Beebe, a talk show host: http://tonightlivewithpaisleybeebe.com/
>
> Should be a good show tonight. I'm actually looking forward to hearing what Rose Borchovski has to say more than whatever BS the Emerald team cooks up.
>
> ~Bubblesort Triskaidekaphobia
>
> == Miro Dollas wrote:
> > Do you have a cite for that, Tateru? Not saying it is false, I'd just like to see it in context if possible.
> >
> > On 08/22/2010 01:38 PM, Tateru Nino wrote:
> > > Arabella has also resigned.
> > >
> > > --
> > > Tateru Nino
> > > Contributing Editor http://massively.com/
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
As an X-emerald Dev (I am Dimentox): most of the stuff people are saying that is going on or has gone on... most of the other devs had no idea. We just did our parts to make the viewer better. I left due to the fact that I did not have time to continue to work on the project. Unfortunately a few bad seeds ruin the apple.

On Sun, Aug 22, 2010 at 3:20 PM, Will wdema...@verizon.net wrote:
> Then this is confusing, to be listed you have to be within the policy, "approved" for lack of a better word. Someone please clarify:
>
> "If a Third-Party Viewer or your use or distribution of it violates this Policy or any Linden Lab policy, your permission to access Second Life using the Third-Party Viewer shall terminate automatically."
>
> To me it sounds like any viewer not on the list is not approved and that means by their own statement it will not be allowed to connect.
>
> --
> From: Gareth Nelson gar...@garethnelson.com
> Sent: Sunday, August 22, 2010 4:10 PM
> To: Will wdema...@verizon.net
> Cc: Lance Corrimal lance.corri...@eregion.de; opensource-dev@lists.secondlife.com
> Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
>
>> There isn't anything in the policy itself which says you must be listed, there is however a note on the directory page warning users to be wary of unlisted viewers.
>>
>> On Sun, Aug 22, 2010 at 8:54 PM, Will wdema...@verizon.net wrote:
>>> hmm ok I may be wrong but remember a rush to update viewers from the approved list, didn't look over my shoulder and just for good housekeeping I don't venture from approved viewers. Seriously hope you are wrong or there will be little to no control over who gets to connect.
>>>
>>> --
>>> From: Gareth Nelson gar...@garethnelson.com
>>> Sent: Sunday, August 22, 2010 3:25 PM
>>> To: Will wdema...@verizon.net
>>> Cc: Lance Corrimal lance.corri...@eregion.de; opensource-dev@lists.secondlife.com
>>> Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
>>>
>>>> As I understand it, you don't need to be in the list, just comply with the policy.
>>>>
>>>> On Sun, Aug 22, 2010 at 8:19 PM, Will wdema...@verizon.net wrote:
>>>>> They may be waiting to make a formal announcement before they pull the plug on the viewer - didn't they make a policy of not allowing any viewer to connect that wasn't on the list? I think so -
>>>>>
>>>>> --
>>>>> From: Gareth Nelson gar...@garethnelson.com
>>>>> Sent: Sunday, August 22, 2010 2:50 PM
>>>>> To: Lance Corrimal lance.corri...@eregion.de
>>>>> Cc: opensource-dev@lists.secondlife.com
>>>>> Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
>>>>>
>>>>>> As they shouldn't be! Although one does wonder whether users are now at risk of being banned if they keep using it
>>>>>>
>>>>>> On Sun, Aug 22, 2010 at 7:01 PM, Lance Corrimal lance.corri...@eregion.de wrote:
>>>>>>> On Sunday 22 August 2010, L. Christopher Bird wrote:
>>>>>>>> On Sun, Aug 22, 2010 at 11:32 AM, Jesse Barnett jess...@gmail.com wrote:
>>>>>>>>> Ignoring this and giving the all clear with no other action taken on the part of Linden Lab will instead demonstrate that the TPV is a worthless scrap of paper.
>>>>>>>>
>>>>>>>> Correction, it only exists on paper if printed. The proper phrase is "a worthless configuration of pixels".
>>>>>>>>
>>>>>>>> The TPVP makes it clear what the consequences are for breaking the policy. 8c says: "If a Third-Party Viewer or your use or distribution of it violates this Policy or any Linden Lab policy, your permission to access Second Life using the Third-Party Viewer shall terminate automatically. You acknowledge and agree that we may require you to stop using or distributing a Third-Party Viewer for accessing Second Life if we determine that there is a violation."
>>>>>>>>
>>>>>>>> So either the lab will enforce this, or they will say "Well you are so popular you can screw around all you want." Is Emerald the viewer "too big to fail"?
>>>>>>>>
>>>>>>>> -- ZenMondo
>>>>>>>
>>>>>>> I just looked and emerald's not in the tpv directory anymore.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
I don't think Emerald is TPV compliant. Data mining, DDoS attacks, user data leakage. Clearly they have violated not only the TOS but the TPV. So no, Emerald IS NOT TPV compliant.

On Sun, 22 Aug 2010 16:55:56 -0400, Altair Sythos Memo syt...@gmail.com wrote:
> On Sun, 22 Aug 2010 15:30:55 -0500 Brandon Husbands xot...@gmail.com wrote:
>> As an X-emerald Dev (I am Dimentox): most of the stuff people are saying that is going on or has gone on... most of the other devs had no idea. We just did our parts to make the viewer better. I left due to the fact that I did not have time to continue to work on the project. Unfortunately a few bad seeds ruin the apple.
>
> emerald *is* a TPV compliant viewer, but isn't listed. This is a grey zone in ToS and TPV policy... not a dev-emerald fault

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Yes she did. Here's the interview from treet.tv: http://treet.tv/people/gracer/blog/20100822/audio-excerpt-interview-arabella-and-jessica

See also: http://blog.modularsystems.sl/2010/08/22/emerald-resurgence/

On 08/23/2010 12:17 AM, Tateru Nino wrote:
> Sure do. Although apparently she un-resigned shortly after, which I do not yet have a cite for. Still waking up.
> http://dwellonit.taterunino.net/2010/08/22/hijack-hijinks/
>
> On 23/08/2010 5:49 AM, Miro Collas wrote:
>> Do you have a cite for that, Tateru? Not saying it is false, I'd just like to see it in context if possible.
>>
>> On 08/22/2010 01:38 PM, Tateru Nino wrote:
>>> Arabella has also resigned.
>>>
>>> On 23/08/2010 3:32 AM, Jesse Barnett wrote:
>>>> Fractured has stepped down and out of the Emerald picture
>>>> http://blog.modularsystems.sl/2010/08/22/emerald-off-with-his-head/
>>>>
>>>> But it is painfully obvious that the comments are being heavily moderated and I know that neither of mine have gotten through.
>>>>
>>>> The Phox is still in the hen house and it is going to take much more than this token response to restore confidence. Anyone watching the videos and listening to their voices can see that a complete reorganization needs to be done and transparency demonstrated and verified.
>>>>
>>>> I hope that the upper echelons of Linden Lab are not fooled by the blog post and instead demand that more action be taken. At the bare minimum, they need to be delisted until real change has been shown.
>>>>
>>>> Ignoring this and giving the all clear with no other action taken on the part of Linden Lab will instead demonstrate that the TPV is a worthless scrap of paper.
>>>>
>>>> Jesse Barnett
>>>
>>> --
>>> Tateru Nino
>>> Contributing Editor http://massively.com/
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
And now, perhaps, we can get back to the important stuff, like the viewer itself. ;)

On 23/08/2010 3:15 PM, Miro Collas wrote:
> Yes she did. Here's the interview from treet.tv: http://treet.tv/people/gracer/blog/20100822/audio-excerpt-interview-arabella-and-jessica
>
> See also: http://blog.modularsystems.sl/2010/08/22/emerald-resurgence/
>
> On 08/23/2010 12:17 AM, Tateru Nino wrote:
>> Sure do. Although apparently she un-resigned shortly after, which I do not yet have a cite for. Still waking up.
>> http://dwellonit.taterunino.net/2010/08/22/hijack-hijinks/
>>
>> On 23/08/2010 5:49 AM, Miro Collas wrote:
>>> Do you have a cite for that, Tateru? Not saying it is false, I'd just like to see it in context if possible.
>>>
>>> On 08/22/2010 01:38 PM, Tateru Nino wrote:
>>>> Arabella has also resigned.
>>>>
>>>> On 23/08/2010 3:32 AM, Jesse Barnett wrote:
>>>>> Fractured has stepped down and out of the Emerald picture
>>>>> http://blog.modularsystems.sl/2010/08/22/emerald-off-with-his-head/
>>>>>
>>>>> But it is painfully obvious that the comments are being heavily moderated and I know that neither of mine have gotten through.
>>>>>
>>>>> The Phox is still in the hen house and it is going to take much more than this token response to restore confidence. Anyone watching the videos and listening to their voices can see that a complete reorganization needs to be done and transparency demonstrated and verified.
>>>>>
>>>>> I hope that the upper echelons of Linden Lab are not fooled by the blog post and instead demand that more action be taken. At the bare minimum, they need to be delisted until real change has been shown.
>>>>>
>>>>> Ignoring this and giving the all clear with no other action taken on the part of Linden Lab will instead demonstrate that the TPV is a worthless scrap of paper.
>>>>>
>>>>> Jesse Barnett
>>>>
>>>> --
>>>> Tateru Nino
>>>> Contributing Editor http://massively.com/

--
Tateru Nino
http://dwellonit.taterunino.net/
[opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
You may recall that the Emerald viewer has been leaking potentially privacy-infringing information - specifically, the directory to which it's been installed, which in some cases includes usernames - in encrypted form in baked textures. You may also recall that the developers lied and said the issue was fixed, when really they just leaked the same data but with stronger encryption to hide it better.

Well, it turns out that the Emerald developers have been using their viewer to launch a Distributed Denial of Service attack on the website of the person who discovered this[1]. The attack involved loading about 1 MB of images and a whole bunch of dynamically-generated content from the Emerald login screen displayed every time a user opened Emerald to consume both bandwidth and server CPU time.[2] This served no purpose other than to try and DoS the server - none of the loaded content was visible or used. The Emerald developers have even admitted as much, though they're trying to spin it interestingly[3]. (Their explanation is total bullshit - if they just wanted to make a point about the number of Emerald users rather than attack the server, loading a single file would do.)

Now, this is of course entirely in violation of the TPV policy, which forbids certain content - including DoS attacks - within third party viewers. The question is, does the Lab care and will they even remove the viewer in question from the TPV directory?

[1] http://www.sluniverse.com/php/vb/general-sl-discussion/47885-emerald-problem-conspiracy-theory-3.html#post997824
[2] See http://pastebin.ca/1921405 for a copy of the actual code.
[3] http://blog.modularsystems.sl/2010/08/20/shenanigans/
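The covert loads this post describes (content pulled from a third party's server by the login page, never shown to the user) are something a viewer maintainer or a TPV reviewer can check for before a login page ships. The following is an added example, not code from the thread, from Emerald or from any viewer: it parses login-page HTML, records every element that makes the embedded browser issue a request, and flags loads that leave the page's own origin and are hidden from the user. The page URL, the origins and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements that make the embedded browser issue a request, and the
# attribute that carries the URL.
LOADING_ATTRS = {
    "img": "src", "iframe": "src", "frame": "src", "script": "src",
    "link": "href", "embed": "src", "object": "data", "source": "src",
}
# Void elements never get a closing tag, so they must not enter the stack.
VOID = {"img", "link", "source", "embed", "br", "hr", "meta", "input"}


def origin_of(url):
    """scheme://host[:port], lower-cased, as the allowlist key."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def is_hidden(attrs):
    """True if the element is styled or sized so the user cannot see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return "hidden" in attrs


class LoginPageAuditor(HTMLParser):
    """Collects every resource load with its origin and visibility."""

    def __init__(self, page_url, allowed_origins=()):
        super().__init__()
        self.page_url = page_url
        self.allowed = {origin_of(page_url), *allowed_origins}
        self.findings = []
        self._stack = []  # (tag, hidden) for open container elements

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # bare attrs arrive as None
        # An element inherits invisibility from any hidden ancestor.
        hidden = is_hidden(attrs) or any(h for _, h in self._stack)
        url_attr = LOADING_ATTRS.get(tag)
        if url_attr and attrs.get(url_attr):
            url = urljoin(self.page_url, attrs[url_attr])
            origin = origin_of(url)
            self.findings.append({
                "tag": tag, "url": url, "origin": origin, "hidden": hidden,
                "off_origin": origin not in self.allowed,
                "dynamic": bool(urlparse(url).query),  # server-side work per hit
            })
        if tag not in VOID:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def audit_login_page(html, page_url, allowed_origins=()):
    """Return (covert, review): off-origin loads the user cannot see,
    and off-origin loads that are at least visible and so merit review."""
    auditor = LoginPageAuditor(page_url, allowed_origins)
    auditor.feed(html)
    auditor.close()
    off = [f for f in auditor.findings if f["off_origin"]]
    return [f for f in off if f["hidden"]], [f for f in off if not f["hidden"]]


def loads_per_origin(findings):
    """How many requests each third-party host receives per login."""
    counts = {}
    for f in findings:
        counts[f["origin"]] = counts.get(f["origin"], 0) + 1
    return counts


# Constructed sample: a normal login page plus a hidden block of third-party
# loads of the kind the post describes. All hosts are placeholders.
SAMPLE_PAGE_URL = "https://login.viewer.example/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/login.css">
<script src="https://cdn.viewer.example/news.js"></script>
</head><body>
<img src="/img/splash.jpg" alt="splash">
<div style="display: none">
  <iframe src="https://critic.example/index.php?cachebust=123"></iframe>
  <img src="https://critic.example/big1.jpg">
  <img src="https://critic.example/big2.jpg">
</div>
<iframe src="https://critic.example/stats.php" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    covert, review = audit_login_page(
        SAMPLE_HTML, SAMPLE_PAGE_URL, ("https://cdn.viewer.example",))
    for f in covert:
        print("COVERT", f["tag"], f["url"], "(dynamic)" if f["dynamic"] else "")
    print("covert loads per origin per login:", loads_per_origin(covert))
```

Multiply the per-origin count by the viewer's daily login count to get the request volume the third party absorbs; anything with a non-empty query string costs that server CPU as well as bandwidth.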
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Loading 1mb of content per user is hardly a denial of service attack. Crosslinking occurs everywhere on the web, this is simply nothing but paranoid bull.

I'm not a big fan of the Emerald team either, they're arrogant, two-faced, cast themselves as elitists, and censor comments on their website that don't speak in their favour. But if you're going to make such accusations, do some research on exactly how much traffic is required to negatively impact a server (at least, one that's hosted on a proper connection).

Tom.

On 21/08/2010 14:40, Aidan Thornton wrote:
> The attack involved loading about 1 MB of images and a whole bunch of dynamically-generated content from the Emerald login screen displayed every time a user opened Emerald to consume both bandwidth and server CPU time.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sat, Aug 21, 2010 at 7:04 AM, Thomas Grimshaw t...@streamsense.net wrote:
> Loading 1mb of content per user is hardly a denial of service attack. Crosslinking occurs everywhere on the web, this is simply nothing but paranoid bull.

Crosslinking drops the context of hiding gibberish requests to a critic's website in a hidden frame that will never be revealed to the user. This isn't a mere hyperlink to another page or naively stealing someone else's image hosting.

My read (but I'm no lawyer) is that this looks like 2.d.iii of http://secondlife.com/corporate/tpv.php and we're already having that discussion.

If anyone can come up with specific reasons why this might have had legitimate reason to be there, or how this one could be yet another oversight or mistake, that would be helpful. I sure haven't heard any to date.

--
Brian McGroarty | Linden Lab
Sent from my Newton MP2100 via acoustic coupler
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
This was one person's decision, and was deliberately done for the sole purpose of messing with the owner of the victim site (although I'd hardly call the particular individual a victim). Regardless, the team was pretty disappointed. The one person currently owns all parts of Emerald's hosting, so it was their decision, albeit a ridiculous one. They don't take the project seriously, and it's more than a little embarrassing to the rest of the people associated with the team that this kind of thing keeps happening, over and over again.

Discrete

On Aug 21, 2010, at 10:33 AM, Brian McGroarty s...@lindenlab.com wrote:
> On Sat, Aug 21, 2010 at 7:04 AM, Thomas Grimshaw t...@streamsense.net wrote:
>> Loading 1mb of content per user is hardly a denial of service attack. Crosslinking occurs everywhere on the web, this is simply nothing but paranoid bull.
>
> Crosslinking drops the context of hiding gibberish requests to a critic's website in a hidden frame that will never be revealed to the user. This isn't a mere hyperlink to another page or naively stealing someone else's image hosting.
>
> My read (but I'm no lawyer) is that this looks like 2.d.iii of http://secondlife.com/corporate/tpv.php and we're already having that discussion.
>
> If anyone can come up with specific reasons why this might have had legitimate reason to be there, or how this one could be yet another oversight or mistake, that would be helpful. I sure haven't heard any to date.
>
> --
> Brian McGroarty | Linden Lab
> Sent from my Newton MP2100 via acoustic coupler
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sat, Aug 21, 2010 at 7:46 AM, Discrete Dreamscape discrete.dreamsc...@gmail.com wrote:
> This was one person's decision, and was deliberately done for the sole purpose of messing with the owner of the victim site (although I'd hardly call the particular individual a victim). Regardless, the team was pretty disappointed. The one person currently owns all parts of Emerald's hosting, so it was their decision, albeit a ridiculous one. They don't take the project seriously, and it's more than a little embarrassing to the rest of the people associated with the team that this kind of thing keeps happening, over and over again.

Appreciated - it's helpful to have this put plainly and publicly.

Am I right that the target server belongs to the guy who:

1) Was interviewed in a previous blog write-up about the IP username database and geolocation tool that he sought to show was built up for Emerald Point visitors, Insilico visitors, and people creating accounts via the Modular Systems website?

2) Demonstrated that Emerald wasn't removing usernames from paths before embedding them in textures even after the team's first attempted fix?

I know we already talked to the team and set some conditions after the first one. The second one's been explained as a mistake that Modular Systems would be willing to publicly acknowledge and correct - the potential for collecting usernames would have to be in the viewer's privacy policy otherwise, and it isn't to date. But that one of these incidents was history and the second was supposed to be a mistake made the hidden request activity all the more confusing.

--
Brian McGroarty | Linden Lab
Sent from my Newton MP2100 via acoustic coupler
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Actually, I prefer to remember him as:

1) The guy who hacked Emerald's servers before discovering the data storage issue and
2) The active developer of a malicious viewer under the lolguise of promoting exploit/bugfixing.

But hey, they keep antagonizing him, so of course this kind of thing continues.

Discrete

On Aug 21, 2010, at 11:10 AM, Brian McGroarty s...@lindenlab.com wrote:
> On Sat, Aug 21, 2010 at 7:46 AM, Discrete Dreamscape discrete.dreamsc...@gmail.com wrote:
>> This was one person's decision, and was deliberately done for the sole purpose of messing with the owner of the victim site (although I'd hardly call the particular individual a victim). Regardless, the team was pretty disappointed. The one person currently owns all parts of Emerald's hosting, so it was their decision, albeit a ridiculous one. They don't take the project seriously, and it's more than a little embarrassing to the rest of the people associated with the team that this kind of thing keeps happening, over and over again.
>
> Appreciated - it's helpful to have this put plainly and publicly.
>
> Am I right that the target server belongs to the guy who:
>
> 1) Was interviewed in a previous blog write-up about the IP username database and geolocation tool that he sought to show was built up for Emerald Point visitors, Insilico visitors, and people creating accounts via the Modular Systems website?
>
> 2) Demonstrated that Emerald wasn't removing usernames from paths before embedding them in textures even after the team's first attempted fix?
>
> I know we already talked to the team and set some conditions after the first one. The second one's been explained as a mistake that Modular Systems would be willing to publicly acknowledge and correct - the potential for collecting usernames would have to be in the viewer's privacy policy otherwise, and it isn't to date. But that one of these incidents was history and the second was supposed to be a mistake made the hidden request activity all the more confusing.
>
> --
> Brian McGroarty | Linden Lab
> Sent from my Newton MP2100 via acoustic coupler
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
I hate to say this but, it has nothing to do with who they are focusing the attack on. It is the fact that they used their users' machines without their consent; this is a clear violation of US law and can be investigated by FBI/NSA with punishment up to 10 years in jail, not to mention a clear violation of the TOS. But I guess that is the way that I see it.

"I love deadlines. I like the whooshing sound they make as they fly by" - Douglas Adams

On Sat, Aug 21, 2010 at 10:24 AM, Discrete Dreamscape discrete.dreamsc...@gmail.com wrote:
> Actually, I prefer to remember him as:
>
> 1) The guy who hacked Emerald's servers before discovering the data storage issue and
> 2) The active developer of a malicious viewer under the lolguise of promoting exploit/bugfixing.
>
> But hey, they keep antagonizing him, so of course this kind of thing continues.
>
> Discrete
>
> On Aug 21, 2010, at 11:10 AM, Brian McGroarty s...@lindenlab.com wrote:
>> On Sat, Aug 21, 2010 at 7:46 AM, Discrete Dreamscape discrete.dreamsc...@gmail.com wrote:
>>> This was one person's decision, and was deliberately done for the sole purpose of messing with the owner of the victim site (although I'd hardly call the particular individual a victim). Regardless, the team was pretty disappointed. The one person currently owns all parts of Emerald's hosting, so it was their decision, albeit a ridiculous one. They don't take the project seriously, and it's more than a little embarrassing to the rest of the people associated with the team that this kind of thing keeps happening, over and over again.
>>
>> Appreciated - it's helpful to have this put plainly and publicly.
>>
>> Am I right that the target server belongs to the guy who:
>>
>> 1) Was interviewed in a previous blog write-up about the IP username database and geolocation tool that he sought to show was built up for Emerald Point visitors, Insilico visitors, and people creating accounts via the Modular Systems website?
>>
>> 2) Demonstrated that Emerald wasn't removing usernames from paths before embedding them in textures even after the team's first attempted fix?
>>
>> I know we already talked to the team and set some conditions after the first one. The second one's been explained as a mistake that Modular Systems would be willing to publicly acknowledge and correct - the potential for collecting usernames would have to be in the viewer's privacy policy otherwise, and it isn't to date. But that one of these incidents was history and the second was supposed to be a mistake made the hidden request activity all the more confusing.
>>
>> --
>> Brian McGroarty | Linden Lab
>> Sent from my Newton MP2100 via acoustic coupler
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
I don't care if it's relevant; it should still be clarified. Did nobody think? Of course not, nobody knew he would actually go through with something like that.

Discrete

On Aug 21, 2010, at 11:31 AM, Katharine Berry kathar...@katharineberry.co.uk wrote:
>> 2) The active developer of a malicious viewer under the lolguise of promoting exploit/bugfixing.
>
> As I have pointed out elsewhere – I don't think that anyone was actually considering the target to be terribly virtuous. I also don't think this is terribly relevant.
>
> But given you repeatedly emphasise that he is malicious, did nobody think that it might be unwise to secretly load a website owned by a malicious party on login? Aside from WebKit/Qt exploits and the like, the SL client also considers the login frame to be trusted (admittedly, there's not much you can do with this before logging in besides changing the login location, off the top of my head).
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
> our login page consists of a .php script a hi-res picture,

No it doesn't. If it was a PHP script then I could've made much of the code much simpler when I made the thing. It was very deliberately not a PHP script, for reasons of load.
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sat, 21 Aug 2010 15:04:16 +0100, Thomas Grimshaw wrote:
> Loading 1mb of content per user is hardly a denial of service attack. Crosslinking occurs everywhere on the web, this is simply nothing but paranoid bull.

ICMP echo requests can be a denial of service attack, and we're talking very small requests.

http://en.wikipedia.org/wiki/Smurf_attack
Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
I agree Gareth, but I don't believe it was a former team member. As far as I know, Fractured is still on the development team, and it would be hard to kick him out as he owns both the website and the sim. They've said that it was Fractured, and that some of the people on the development team had known it was going on since the 9th, in a recording of them talking about the incident.

Yes, it was a distributed denial of service attack. Multiple drones were involved, and access to the site was periodically impossible; I don't know how much clearer it can get. It should have been obvious that I'm not equipped to handle 6500 times my regular amount of traffic just so Fractured can have a nice lol, and it definitely wasn't alright to use his own users to do so.

As for the comment about that viewer being used to crash Emerald users on old versions of Emerald using the information EmKDU put into baked textures, it's entirely false. There are no new asset-based crashes that I can think of since the versions of Emerald that have already been blacklisted (pre-1634), and there are no crashers in that viewer, much less Emerald-specific ones. It was more used to tell who was using Onyx when it was pointed out to me that Onyx now pretends to be Emerald by using their Tag and channel name (but uses a different build number as they're in different repos). Makes sense after people made a big stink about Onyx having features like you might see in those viewers, though. For example:

Emerald Viewer 1.4.0.626 - Phox ModularSystems

On Sat, Aug 21, 2010 at 9:57 PM, Gareth Nelson gar...@garethnelson.com wrote:
> That's the bit that stands out - this may have been one former team member's bad idea, and it could be forgiven on the basis that it was just one former team member who has now been kicked out - except of course that the rest of the team are trying to say it's not so bad.
>
> Surely it'd be better to say "one former member of our team had a stupid and illegal idea, we apologise for this and have taken measures to ensure our resources are not abused in the same manner again". Denying wrongdoing is never a good way to make an apology, neither is censoring comments on your blog by the way.
>
> For the record, here's my comment that didn't get through moderation:
>
> “This was not a DDoS”
>
> Yes, it was – and your “apology” means nothing if you deny doing wrong and try to make it look like something merely “silly” instead of a criminal action. Yes, it was a stupid idea – but it was also a criminal idea. Why the hell was someone able to modify your login page to add the malicious HTML without oversight, and why are you not apologising properly?
>
> On Sun, Aug 22, 2010 at 1:50 AM, Latif Khalifa lati...@streamgrid.net wrote:
>> On Sun, Aug 22, 2010 at 1:48 AM, Phox p...@modularsystems.sl wrote:
>>> I feel I need to take a moment here to address some of this:
>>>
>>> First of all, the issue with the login screen was NOT an attempt at DDOS. Fractured was looking at traffic graphs for the website in question and thought it would be funny to mess with them by making the traffic go from ~150 hits a day to several hundred thousand. He was simply messing with page views on the site, it was a stupid thing to do no doubt, but it was not a DDOS attack. The website in question suffered no ill effects, and to imply that loading a .php and a few images is an attempt at DDOS is just ridiculous, our login page consists of a .php script a hi-res picture, and our website doesn't go down as a result.
>>
>> Engineering an attack where several million requests a day were sent from all over the world to the affected web site most certainly qualified as DDoS. In some jurisdictions such attacks are considered criminal activity. The fact that the attack was not successful is irrelevant. Motivation for such activity also makes no difference. What is relevant is that the Emerald login page in effect turned every Emerald user into a part of a botnet.
>>
>> What is disturbing here are attempts to downplay the incident, which does nothing to restore the confidence in the leadership of Modular Systems, which is very unfortunate.
>
> --
> “Lanie, I’m going to print more printers. Lots more printers. One for everyone. That’s worth going to jail for. That’s worth anything.” - Printcrime by Cory Doctrow
> Please avoid sending me Word or PowerPoint attachments. See http://www.gnu.org/philosophy/no-word-attachments.html