Re: [opensource-dev] Viewer blacklist to replace the TPV
On Fri, Apr 30, 2010 at 05:21:20PM +0800, Boy Lane wrote: The questions I raised remain and I hope someone from LL can answer them. Lindens will only reply with already published official statements here, if at all. Ie, someone (once it gets Monday) will quote this from the TPV policy: 6. The Viewer Directory and Self-Certification [...] a. If you are a Developer with a Third-Party Viewer that you would like to list in our Viewer Directory, you must meet the following eligibility criteria: [...] iii. Your Second Life accounts must be in good standing, must not be suspended, and must not have been permanently banned or terminated; and [...] -- Carlo Wood ca...@alinoe.com ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
Jonathan Irvin wrote: Just an idea I think would be cool is if LL made a tool (perhaps a script) that users could click on if they suspected their viewer to be bad or something and it would cause the viewer to send the info to LL for investigation. Perhaps also LL can have hashes of the viewer source code. Should it not match or something, it won't allow them to connect or it would be reported, etc. And what hash would you think a bad viewer would sent, it's own ot the offical LL viewers? -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV
I'd like to remark that the information you found is just the data of the ModularSystems website, and all of the other viewer directory listings look about the same as Emerald's. The actual real-life name(s) of people involved aren't required to be publicly viewable, but Linden Lab does have them. Also, consider the possibility that .sl was chosen as a domain because it could be an abbreviation for SecondLife. Cute, eh? I seriously doubt anyone with malicious intent is going to bother trying to register their viewer in the directory. On Thu, Apr 29, 2010 at 8:38 PM, Boy Lane boy.l...@yahoo.com wrote: We certainly should follow the bright example of Emerald / Modularsystems, where you Discrete are a member of. A pseudo company set up and owned by known banned griefer JCool aka who revived his banned account(s) under the names of Fractured Crystal/Fractured Modularsystems. Back to their registration. JCool set up Modularsystems. A mailbox company with the following contact details: http://modularsystems.sl/ P.O. Box 5702 West Columbia, South Carolina 29171-5702 United States administra...@modularsystems.sl That is an untraceable anonymized entity without any name attached to it and unknown legal status, registered with a domain name in Sierra Leone, a country that does not even have a WHOIS. This information was used to register and self-certify Emerald in the Viewer Directory. As I as a legally uniformed hobby programmer without commercial interest can evaluate this situation and validity of the Emerald listing, it is meant to circumvent any means of the viewer directory to hold a developer accountable for their viewers. It is also meant to avoid any possible litigation from LL in case indeed some malicious code may be found in their viewer(s). Besides Emerald, Modularsystems also develops and uses a malicious viewer named Onyx that is in clear violation of ToS/TPV. So no, Discrete, all these things completely contradict your argument. As shown a listing in Lindens viewer directory doesn't add a single piece of safety or security. To look for a legitimate viewer the Alternate Viewer list in the community edited SL Wiki is a better place to, for the simple reason malicious clients may not easily slip in as this is possible with self-certification. A blacklist is a good thing and could at least complement Viewer Directory and Alternate Viewers list. But of course it would include most of the malicious viewer from the key developers behind Modularsystems which obviously you try to avoid. Additional question to Linden Lab: How can for repeated ToS violations permanently banned people just circumvent that ban by creating new accounts as many of the Emerald developers did? Is it money spent for SL that counts rather than ToS? Boy - Original Message - Date: Thu, 29 Apr 2010 16:39:16 -0400 From: Discrete Dreamscape discrete.dreamsc...@gmail.com Subject: Re: [opensource-dev] Viewer blacklist to replace the TPV directory ? To: Tigro Spottystripes tigrospottystri...@gmail.com Cc: opensource-dev@lists.secondlife.com Message-ID: g2nc38195a91004291339p41f404edgfe05a593c813c...@mail.gmail.com Content-Type: text/plain; charset=utf-8 This discussion seems to have been created with misleading intentions. Because some TPV creators don't want to reveal any personal information about themselves, they can't be posted on the TPV directory, and because of this, it's understandable they might view the directory as unfair. But, this doesn't strike me as a valid reason to criticize the list. It's certainly valid to say that the viewers on the list are not absolutely trustworthy unless a full code audit is done, but even then, do you really know that what's in the code is the same as what's in the binary? Isn't there a limit to what LL can do, given a lack of resources to perform such audits, especially when what you download requires trust that it's the same as what they've audited? But really, trust is supposed to be provided by the fact that the viewer has indeed registered using real-life contact information, because who would give such a thing knowing they could be held liable if they indeed decided to include malicious code? In general, there is no way to certify purity here, you can only provide a level of trust as a guideline. You can't rely on babysitting the users, because LL isn't going to compile every third party's code and release the binaries themselves. In this regard, you may begin to argue that indeed, a blacklist would better serve users. I argue that this is exactly the opposite. You may be able to pick out which viewers are explicitly untrusted, but you make no statements about the trustworthiness of any others. In this situation, a user is left to choose between either a viewer which is in the grey about its status, or an official Linden
Re: [opensource-dev] Viewer blacklist to replace the TPV
I don't know who you are Mr. Brandon Husbands, you are certainly not a viewer developer but a fly-by-night who want's to add some oil to the drama fire. It does not really matter. I stated facts here, not flames. Modularsytems is a company with a legal status we dont't know, created and owned by a person with permanently banned accounts due to ToS violations. Modularsystems is registered as this entity in the viewer directory. Modularsystems develops and uses malicious viewers, namely Onyx, with several other malicious projects done by key developers such as Fractured, Phox, Skills or Cryo. All who had their accounts permanently banned for ToS violations. I asked a legitimate question to LL, to repeat it once again: How can for repeated ToS violations permanently banned people just circumvent that ban by creating new accounts as many of the Emerald developers did? Is it money spent for SL that counts rather than ToS? As you haven't read my posting, rather add irrelevant accusations in your own posting, Mr. Brandon Husband, that are supposedly to confuse the reader and discredit legitimate questions, lI can only conclude you are the troll here. Boy - Original Message - From: Brandon Husbands To: Discrete Dreamscape Cc: Boy Lane ; opensource-dev@lists.secondlife.com Sent: Friday, April 30, 2010 3:55 PM Subject: Re: [opensource-dev] Viewer blacklist to replace the TPV I do not add much to the list.. But I will say... Mr lane, what ever your problem is with Emerald... You should probably let it go. This blatant flaming and trolling does not help the open source community. Your actions and flames are actually a hindrance to the community as a whole. You see i say community as we typically work together to make things better etc. It Seems you mostly wish to sabotage and wreck havoc. It is counter productive and plain rude. SO i must request... Either take this offline directloy with the people you have a problem with or quit posting this crap as I do not want to have to read it. So as they say either *** or get off the pot So either become a active positive contributing member of this community or go away. I am quite fed up with the Trolls and will no longer personally tolerate it. So please go stroke your ego else where and lets get back to discussing code and things that actually matter to us besides your grievance against emerald. Dim. On Fri, Apr 30, 2010 at 1:00 AM, Discrete Dreamscape discrete.dreamsc...@gmail.com wrote: I'd like to remark that the information you found is just the data of the ModularSystems website, and all of the other viewer directory listings look about the same as Emerald's. The actual real-life name(s) of people involved aren't required to be publicly viewable, but Linden Lab does have them. Also, consider the possibility that .sl was chosen as a domain because it could be an abbreviation for SecondLife. Cute, eh? I seriously doubt anyone with malicious intent is going to bother trying to register their viewer in the directory. On Thu, Apr 29, 2010 at 8:38 PM, Boy Lane boy.l...@yahoo.com wrote: We certainly should follow the bright example of Emerald / Modularsystems, where you Discrete are a member of. A pseudo company set up and owned by known banned griefer JCool aka who revived his banned account(s) under the names of Fractured Crystal/Fractured Modularsystems. Back to their registration. JCool set up Modularsystems. A mailbox company with the following contact details: http://modularsystems.sl/ P.O. Box 5702 West Columbia, South Carolina 29171-5702 United States administra...@modularsystems.sl That is an untraceable anonymized entity without any name attached to it and unknown legal status, registered with a domain name in Sierra Leone, a country that does not even have a WHOIS. This information was used to register and self-certify Emerald in the Viewer Directory. As I as a legally uniformed hobby programmer without commercial interest can evaluate this situation and validity of the Emerald listing, it is meant to circumvent any means of the viewer directory to hold a developer accountable for their viewers. It is also meant to avoid any possible litigation from LL in case indeed some malicious code may be found in their viewer(s). Besides Emerald, Modularsystems also develops and uses a malicious viewer named Onyx that is in clear violation of ToS/TPV. So no, Discrete, all these things completely contradict your argument. As shown a listing in Lindens viewer directory doesn't add a single piece of safety or security. To look for a legitimate viewer the Alternate Viewer list in the community edited SL Wiki is a better place to, for the simple reason
Re: [opensource-dev] Viewer blacklist to replace the TPV
My credentials are not up for discussion. Most in Second Life are well aware of who I am and what I stand for. Additionally most creditable and active community members know my contributions and projects. Though i could be mistaken in the extent to which this information travels. If I am wrong in my assumption then perhaps we can use a different forum or venue to discuss these things. Now on to your questions let us take a look at what you are saying and implying. 1 The company. Please show me what Government databases you looked in that also covers DBAs and assumed operating names, You place accusations here without proper proof nor justification. 2. The bans you mention. As far as I know, Linden Labs does not discuss with anyone outside of its company and the people which they take action upon the conditions relevant information regarding disciplinary actions and bans. So unless you are a Linden or have been one in the past i Highly doubt that the information is truly factual. 3. Are you accusing Linden Labs of pandering to the almighty dollar instead of standing up for the company integrity on their own list? Sir, that is a huge accusation. I ask again where is your factual information that has brought you to this conclusion? I would honestly say that this is indeed not a true thing you state and is borderline slander against the very company which you supposedly are a third party contribute for. 4. The toxic viewer source is posted. If you care to look at it here is the link. https://dcs.sourcerepo.com/dcs/tox_view/ feel free to look at it and take what ever changes you see that you like. Be warry as its just a general repo for my dir i work in. The Voice component is not included in the installer btw. Furthermore the Toxic Viewer is no longer in active development as it was something that was asked of me to do by my wife. And trust me you do not wanna go there. Youll just have to trust me on that. So in all honesty its a null point. Now on to my own conclusions regarding your communications. I really do not have much more to say to you in this subject. But I will offer some advice in regards to point 3. As I tell my kids. You do not *** where you eat and you do not bite the hand which feeds you. Now its not my place to parent you nor is it my place to tell you what to do.. I only offer this advice as a human being that is concerned with the direction this discussion is going. So in a nutshell I do not believe and will safely assume that no one on this list thinks that this is a proper forum for this type of accusation/discussion. May i give you one more piece of advise. Have you tried the proper channels for this type of inquisition? If I am not mistaken the url is support.secondlife.com. Once your on that page you can select new ticket/issue. That would probably be the best avanue to question these things. On a side note if you need assistance filing a ticket I would be more than happy to assist. Dim. On Fri, Apr 30, 2010 at 3:12 AM, Boy Lane boy.l...@yahoo.com wrote: Sorry, seems I have to correct myself. Mr. Brandon Husbands seems to be Dimentox Travanti. Creator of the Toxic Viewer. A project that violates GPL by not providing sources as well as distributing non-redistributable components such as the Vivox voice packages. This adds very well to your credibility Mr. Brandon Husbands :). - Original Message - *From:* Boy Lane boy.l...@yahoo.com *To:* Brandon Husbands xot...@gmail.com ; Discrete Dreamscapediscrete.dreamsc...@gmail.com *Cc:* opensource-dev@lists.secondlife.com *Sent:* Friday, April 30, 2010 3:57 PM *Subject:* Re: [opensource-dev] Viewer blacklist to replace the TPV I don't know who you are Mr. Brandon Husbands, you are certainly not a viewer developer but a fly-by-night who want's to add some oil to the drama fire. It does not really matter. I stated facts here, not flames. Modularsytems is a company with a legal status we dont't know, created and owned by a person with permanently banned accounts due to ToS violations. Modularsystems is registered as this entity in the viewer directory. Modularsystems develops and uses malicious viewers, namely Onyx, with several other malicious projects done by key developers such as Fractured, Phox, Skills or Cryo. All who had their accounts permanently banned for ToS violations. I asked a legitimate question to LL, to repeat it once again: How can for repeated ToS violations permanently banned people just circumvent that ban by creating new accounts as many of the Emerald developers did? Is it money spent for SL that counts rather than ToS? As you haven't read my posting, rather add irrelevant accusations in your own posting, Mr. Brandon Husband, that are supposedly to confuse the reader and discredit legitimate questions, lI can only conclude you are the troll here. Boy - Original Message - *From:* Brandon Husbands xot...@gmail.com *To:* Discrete Dreamscape
Re: [opensource-dev] Viewer blacklist to replace the TPV
Your credentials are very much up for discussion if you engage in here. Firstly, you do not link to your sources where you post your binary, that is in the alternate viewer directory. A posting here in the mailing list is not sufficient. As such you are violating GPL. You are also violating redistribution licenses by distributing the vivox voice components in the same place. But that's not what this whole thing is about. As for the points you brought up, I'm not the one supposed to answer anything in regards of legal status, registration, permanent bans, newly created accounts etc. of Modularsystems and their key developers. I wrote what is publically available information. As this is limited I asked the question here about this because I do not know the details and I'd like to get an answer how this is possible and why permanently banned accounts can circumvent that ban by just creating new avatars. The ToS violations and bans are verifyable by the very own statement of JCool/Fractured, also the acknowledgment of the malicious Onyx viewer: http://www.youtube.com/watch?v=SRbV9SIbdCA Again, these are facts people should be aware of. Henri raised a legitimate qestion about creation of a blacklist of known malicious viewers, instead of relying on FUD spread by LL about the validity of listings in the viewer directory. Everyone can list a viewer here, self certify, and residents believe this viewer is legitimate. Which is nothing but wrong. LL has neither the resources nor capacity to verify every single viewer entry. In addition they also stated clearly that the Viewer Directory is meant as a marketing tool for those who need the publicity it may create. What I think it only creates is a false sense of security, and it will be only a question of time until a malicious project will be listed, and be it for the LULZ of some script kiddie. I have nothing against you personally, but I have serious concerns that made me stopping developing viewers. Even though they never had any malicious features at all. Boy - Original Message - From: Brandon Husbands To: Boy Lane Cc: Discrete Dreamscape ; opensource-dev@lists.secondlife.com Sent: Friday, April 30, 2010 4:29 PM Subject: Re: [opensource-dev] Viewer blacklist to replace the TPV My credentials are not up for discussion. Most in Second Life are well aware of who I am and what I stand for. Additionally most creditable and active community members know my contributions and projects. Though i could be mistaken in the extent to which this information travels. If I am wrong in my assumption then perhaps we can use a different forum or venue to discuss these things. Now on to your questions let us take a look at what you are saying and implying. 1 The company. Please show me what Government databases you looked in that also covers DBAs and assumed operating names, You place accusations here without proper proof nor justification. 2. The bans you mention. As far as I know, Linden Labs does not discuss with anyone outside of its company and the people which they take action upon the conditions relevant information regarding disciplinary actions and bans. So unless you are a Linden or have been one in the past i Highly doubt that the information is truly factual. 3. Are you accusing Linden Labs of pandering to the almighty dollar instead of standing up for the company integrity on their own list? Sir, that is a huge accusation. I ask again where is your factual information that has brought you to this conclusion? I would honestly say that this is indeed not a true thing you state and is borderline slander against the very company which you supposedly are a third party contribute for. 4. The toxic viewer source is posted. If you care to look at it here is the link. https://dcs.sourcerepo.com/dcs/tox_view/ feel free to look at it and take what ever changes you see that you like. Be warry as its just a general repo for my dir i work in. The Voice component is not included in the installer btw. Furthermore the Toxic Viewer is no longer in active development as it was something that was asked of me to do by my wife. And trust me you do not wanna go there. Youll just have to trust me on that. So in all honesty its a null point. Now on to my own conclusions regarding your communications. I really do not have much more to say to you in this subject. But I will offer some advice in regards to point 3. As I tell my kids. You do not *** where you eat and you do not bite the hand which feeds you. Now its not my place to parent you nor is it my place to tell you what to do.. I only offer this advice as a human being that is concerned with the direction this discussion is going. So in a nutshell I do not believe and will safely assume that no one on this list thinks that this is a proper forum for this type of accusation/discussion. May i give you one more piece
Re: [opensource-dev] Viewer blacklist to replace the TPV
Sighs. Last post I am going to word this very simple like. GPL. the actual locations are different. There no page nor www site for the viewer itself. Nor is it a active thing. You have issues with this... Please contact: license-violat...@gnu.org license-violat...@gnu.org by all means. Since your insisting on the credentials. I can hand you my resume if you like. You said do not have any idea who I am nor what I do. Lets see i have contributed to many FOSS projects and have plenty of my own. Recently the LSL editor which was closed source was given to me by the copyright holder. I have open sourced it. There are plenty of other projects which are open source which I contribute. I also created DCS and have a active user base of over 150k in SL and since your so fond of if a company is real i assure you my company is. If you like I can put you in contact with my lawyers to discuss your accusations and slander which you have recently brought up about myself and my works and such. So please don't go barking at me about this or that as i do not have time for your petty games and epeen stroking. Plainly what it boils down to is you have a beef with emerald. Sorry I can not help you with this. But this is no place for your attacks on it. To put it in terms which i believe you might understand. drop it dude. No one wants to hear your crying on this list. I only chimed in cause to be honest your whines annoyed me. You are barking up the wrong tree here sir. So please cease and desist so we can get back to productive discussions. I will not reply anymore as I have contributed to this chaos way to much now. You can feel free to contact me in world or via email for further discussion or if you choose to continue with false accusations we can handle this in a lawful way but by any means his list is not the place so I will ask you one more time.. Please stop. To the rest of you I am personally sorry that you have to go through this. But I can not allow these type of accusations to go unanswered. I really am sorry that you have to go through this garbage. Dim. On Fri, Apr 30, 2010 at 3:49 AM, Boy Lane boy.l...@yahoo.com wrote: Your credentials are very much up for discussion if you engage in here. Firstly, you do not link to your sources where you post your binary, that is in the alternate viewer directory. A posting here in the mailing list is not sufficient. As such you are violating GPL. You are also violating redistribution licenses by distributing the vivox voice components in the same place. But that's not what this whole thing is about. As for the points you brought up, I'm not the one supposed to answer anything in regards of legal status, registration, permanent bans, newly created accounts etc. of Modularsystems and their key developers. I wrote what is publically available information. As this is limited I asked the question here about this because I do not know the details and I'd like to get an answer how this is possible and why permanently banned accounts can circumvent that ban by just creating new avatars. The ToS violations and bans are verifyable by the very own statement of JCool/Fractured, also the acknowledgment of the malicious Onyx viewer: http://www.youtube.com/watch?v=SRbV9SIbdCA Again, these are facts people should be aware of. Henri raised a legitimate qestion about creation of a blacklist of known malicious viewers, instead of relying on FUD spread by LL about the validity of listings in the viewer directory. Everyone can list a viewer here, self certify, and residents believe this viewer is legitimate. Which is nothing but wrong. LL has neither the resources nor capacity to verify every single viewer entry. In addition they also stated clearly that the Viewer Directory is meant as a marketing tool for those who need the publicity it may create. What I think it only creates is a false sense of security, and it will be only a question of time until a malicious project will be listed, and be it for the LULZ of some script kiddie. I have nothing against you personally, but I have serious concerns that made me stopping developing viewers. Even though they never had any malicious features at all. Boy - Original Message - *From:* Brandon Husbands xot...@gmail.com *To:* Boy Lane boy.l...@yahoo.com *Cc:* Discrete Dreamscape discrete.dreamsc...@gmail.com ; opensource-dev@lists.secondlife.com *Sent:* Friday, April 30, 2010 4:29 PM *Subject:* Re: [opensource-dev] Viewer blacklist to replace the TPV My credentials are not up for discussion. Most in Second Life are well aware of who I am and what I stand for. Additionally most creditable and active community members know my contributions and projects. Though i could be mistaken in the extent to which this information travels. If I am wrong in my assumption then perhaps we can use a different forum or venue to discuss these things. Now on to your questions let us take
Re: [opensource-dev] Viewer blacklist to replace the TPV
Sweetheart, besides not being your dude I'm not interested in your advise nor in your past. Matter of fact you distribute your Toxic Viewer in the alternate viewer list. You also distribute the vivox voice components illegally there. http://wiki.secondlife.com/wiki/Alternate_viewers As for the rest, it does not matter what I think about Modularsystems. Emerald is not even an issue here. Read the facts I posted. You don't need to like them, nevertheless these are facts, not fiction. The questions I raised remain and I hope someone from LL can answer them. - Original Message - From: Brandon Husbands To: Boy Lane Cc: Discrete Dreamscape ; opensource-dev@lists.secondlife.com Sent: Friday, April 30, 2010 5:17 PM Subject: Re: [opensource-dev] Viewer blacklist to replace the TPV Sighs. Last post I am going to word this very simple like. GPL. the actual locations are different. There no page nor www site for the viewer itself. Nor is it a active thing. You have issues with this... Please contact: license-violat...@gnu.org by all means. Since your insisting on the credentials. I can hand you my resume if you like. You said do not have any idea who I am nor what I do. Lets see i have contributed to many FOSS projects and have plenty of my own. Recently the LSL editor which was closed source was given to me by the copyright holder. I have open sourced it. There are plenty of other projects which are open source which I contribute. I also created DCS and have a active user base of over 150k in SL and since your so fond of if a company is real i assure you my company is. If you like I can put you in contact with my lawyers to discuss your accusations and slander which you have recently brought up about myself and my works and such. So please don't go barking at me about this or that as i do not have time for your petty games and epeen stroking. Plainly what it boils down to is you have a beef with emerald. Sorry I can not help you with this. But this is no place for your attacks on it. To put it in terms which i believe you might understand. drop it dude. No one wants to hear your crying on this list. I only chimed in cause to be honest your whines annoyed me. You are barking up the wrong tree here sir. So please cease and desist so we can get back to productive discussions. I will not reply anymore as I have contributed to this chaos way to much now. You can feel free to contact me in world or via email for further discussion or if you choose to continue with false accusations we can handle this in a lawful way but by any means his list is not the place so I will ask you one more time.. Please stop. To the rest of you I am personally sorry that you have to go through this. But I can not allow these type of accusations to go unanswered. I really am sorry that you have to go through this garbage. Dim. On Fri, Apr 30, 2010 at 3:49 AM, Boy Lane boy.l...@yahoo.com wrote: Your credentials are very much up for discussion if you engage in here. Firstly, you do not link to your sources where you post your binary, that is in the alternate viewer directory. A posting here in the mailing list is not sufficient. As such you are violating GPL. You are also violating redistribution licenses by distributing the vivox voice components in the same place. But that's not what this whole thing is about. As for the points you brought up, I'm not the one supposed to answer anything in regards of legal status, registration, permanent bans, newly created accounts etc. of Modularsystems and their key developers. I wrote what is publically available information. As this is limited I asked the question here about this because I do not know the details and I'd like to get an answer how this is possible and why permanently banned accounts can circumvent that ban by just creating new avatars. The ToS violations and bans are verifyable by the very own statement of JCool/Fractured, also the acknowledgment of the malicious Onyx viewer: http://www.youtube.com/watch?v=SRbV9SIbdCA Again, these are facts people should be aware of. Henri raised a legitimate qestion about creation of a blacklist of known malicious viewers, instead of relying on FUD spread by LL about the validity of listings in the viewer directory. Everyone can list a viewer here, self certify, and residents believe this viewer is legitimate. Which is nothing but wrong. LL has neither the resources nor capacity to verify every single viewer entry. In addition they also stated clearly that the Viewer Directory is meant as a marketing tool for those who need the publicity it may create. What I think it only creates is a false sense of security, and it will be only a question of time until a malicious project will be listed, and be it for the LULZ of some script kiddie. I have nothing against you personally, but I have serious concerns
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
Just an idea I think would be cool is if LL made a tool (perhaps a script) that users could click on if they suspected their viewer to be bad or something and it would cause the viewer to send the info to LL for investigation. Perhaps also LL can have hashes of the viewer source code. Should it not match or something, it won't allow them to connect or it would be reported, etc. Jonathan Irvin ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV
On Fri, 30 Apr 2010 02:55:28 -0500, Brandon Husbands xot...@gmail.com wrote: I do not add much to the list.. But I will say... Mr lane, what ever your problem is with Emerald... You should probably let it go. This blatant flaming and trolling does not help the open source community. Your actions and flames are actually a hindrance to the community as a whole. thanks for your interest. please have a look to the last 2 months of mailing list archive, and send a similar advice to the many other members who flamed and trolled the list - with no useful results for the community. bye opensource obscure ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV
Hi guys! I'd just like to mention this part of the mailing list policies: http://wiki.secondlife.com/wiki/OpenSource-Dev If someone else is violating mailing list policy, do not reply to them on the list. Reply to them offlist if you feel you need to engage them. If you feel disciplinary action is required, send mail to the list administrator (opensource-dev-ow...@lists.secondlife.com). Engaging with them on-list may result in the moderation bit being set on your account. Personally, I kinda enjoy the entertaining drama. It's MUCH more fun than the never ending TPV discussions. I'm working on finishing up the last of my finals, so I can't really read these now, and I'll save them for later. But if someone else has a problem with this, or you two have a problem with each other, it may be something to think about. Have fun! Stickman ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
There already seems to be a black list, it just isn't published. On Fri, Apr 30, 2010 at 7:08 AM, Jonathan Irvin djfoxys...@gmail.com wrote: Just an idea I think would be cool is if LL made a tool (perhaps a script) that users could click on if they suspected their viewer to be bad or something and it would cause the viewer to send the info to LL for investigation. Perhaps also LL can have hashes of the viewer source code. Should it not match or something, it won't allow them to connect or it would be reported, etc. Jonathan Irvin ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV di rectory ?
On Thu, 29 Apr 2010 10:56:58 +0200, Henri Beauchamp sl...@free.fr wrote: Instead of a white list for which Linden Lab actually guarantees nothing and to which some developers won't be able to register anyway because of privacy and local Law concerns, why not making a black list ? The black list would contain the viewer names of right out illegal viewers or not yet TPV-policy compliant viewers this doesn't looks like a practical solution to me, as nobody could ever mantain such a list up-to-date. opensource obscure ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
On Thu, 29 Apr 2010 09:10:33 +, Opensource Obscure wrote: On Thu, 29 Apr 2010 10:56:58 +0200, Henri Beauchamp sl...@free.fr wrote: Instead of a white list for which Linden Lab actually guarantees nothing and to which some developers won't be able to register anyway because of privacy and local Law concerns, why not making a black list ? The black list would contain the viewer names of right out illegal viewers or not yet TPV-policy compliant viewers this doesn't looks like a practical solution to me, as nobody could ever mantain such a list up-to-date. Of course yes... What kind of list do you thing Linden Lab will maintain to block access to SL after the 30th ?... It's in fact just about making their black list public. Henri. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
This is a bad idea, as the TPV violators would merely migrate to a non-blacklisted viewer. On Thu, 2010-04-29 at 12:01 +0200, Henri Beauchamp wrote: On Thu, 29 Apr 2010 09:10:33 +, Opensource Obscure wrote: On Thu, 29 Apr 2010 10:56:58 +0200, Henri Beauchamp sl...@free.fr wrote: Instead of a white list for which Linden Lab actually guarantees nothing and to which some developers won't be able to register anyway because of privacy and local Law concerns, why not making a black list ? The black list would contain the viewer names of right out illegal viewers or not yet TPV-policy compliant viewers this doesn't looks like a practical solution to me, as nobody could ever mantain such a list up-to-date. Of course yes... What kind of list do you thing Linden Lab will maintain to block access to SL after the 30th ?... It's in fact just about making their black list public. Henri. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
On Thu, 29 Apr 2010 03:41:50 -0700, Rob Nelson wrote: This is a bad idea, as the TPV violators would merely migrate to a non-blacklisted viewer. If they do, and after some time, the only non-blacklisted viewers left will be the TPV compliant ones, so that's actually a good thing... Henri. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
Henri Beauchamp sl...@free.fr wrote .. On Thu, 29 Apr 2010 03:41:50 -0700, Rob Nelson wrote: This is a bad idea, as the TPV violators would merely migrate to a non-blacklisted viewer. If they do, and after some time, the only non-blacklisted viewers left will be the TPV compliant ones, so that's actually a good thing... No, maintaining a WHITELIST is way better. And I am thinking not of the bad guys now but the regular users who just want to use a client with additional features. With a whitelist they know: this I can use without problems. With a blacklist they never know if a client NOT on the list is a good one or a bad one that just didn't make it into the blacklist yet. And for the bad guys: they would just rename their client if their old one got on the blacklist. And do this each time again. So a whitelist is the only valid solution. Tillie ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
On Thu, Apr 29, 2010 at 7:30 AM, til...@xp2.de wrote: Henri Beauchamp sl...@free.fr wrote .. On Thu, 29 Apr 2010 03:41:50 -0700, Rob Nelson wrote: This is a bad idea, as the TPV violators would merely migrate to a non-blacklisted viewer. If they do, and after some time, the only non-blacklisted viewers left will be the TPV compliant ones, so that's actually a good thing... No, maintaining a WHITELIST is way better. And I am thinking not of the bad guys now but the regular users who just want to use a client with additional features. With a whitelist they know: this I can use without problems. With a blacklist they never know if a client NOT on the list is a good one or a bad one that just didn't make it into the blacklist yet. And for the bad guys: they would just rename their client if their old one got on the blacklist. And do this each time again. So a whitelist is the only valid solution. Tillie ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges and as it happens there actually is a BlackList project running by the same folks that run one of the viewers on the current Whitelist. as of Friday there will be 3 lists of viewers 1 the TPVd list: run by Linden Labs functions as a Whitelist 2 the Onyx List: posted on the site of that green viewer and is a subset of the list used by the CDS banlink system 3 everything Else (including source mods of the above viewers) this would be a grey list Given that The Onyx list is complete somebody needs to state that only those viewers will draw an actual ban (or use of a hostile viewer that just has yet to be listed). -- Robert L Martin ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 a self-certified whitelist that LL themselves don't stand by it is of no use either On 29/4/2010 08:30, til...@xp2.de wrote: Henri Beauchamp sl...@free.fr wrote .. On Thu, 29 Apr 2010 03:41:50 -0700, Rob Nelson wrote: This is a bad idea, as the TPV violators would merely migrate to a non-blacklisted viewer. If they do, and after some time, the only non-blacklisted viewers left will be the TPV compliant ones, so that's actually a good thing... No, maintaining a WHITELIST is way better. And I am thinking not of the bad guys now but the regular users who just want to use a client with additional features. With a whitelist they know: this I can use without problems. With a blacklist they never know if a client NOT on the list is a good one or a bad one that just didn't make it into the blacklist yet. And for the bad guys: they would just rename their client if their old one got on the blacklist. And do this each time again. So a whitelist is the only valid solution. Tillie ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEAREKAAYFAkvZchgACgkQ8ZFfSrFHsmWsTACgjD8ljoTksSV0QjU5/cGMyxII Se4AnjUfc+uOqTnqwP3nYjzNVo35xT3y =7c7Q -END PGP SIGNATURE- ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
+1 A blacklist would just give potential bad actors a menu and template to use for more bad viewers that could be modified and get past the login screens. From: til...@xp2.de til...@xp2.de To: Henri Beauchamp sl...@free.fr Cc: opensource-dev@lists.secondlife.com Sent: Thu, April 29, 2010 6:30:13 AM Subject: Re: [opensource-dev] Viewer blacklist to replace the TPV directory ? Henri Beauchamp sl...@free.fr wrote .. On Thu, 29 Apr 2010 03:41:50 -0700, Rob Nelson wrote: This is a bad idea, as the TPV violators would merely migrate to a non-blacklisted viewer. If they do, and after some time, the only non-blacklisted viewers left will be the TPV compliant ones, so that's actually a good thing... No, maintaining a WHITELIST is way better. And I am thinking not of the bad guys now but the regular users who just want to use a client with additional features. With a whitelist they know: this I can use without problems. With a blacklist they never know if a client NOT on the list is a good one or a bad one that just didn't make it into the blacklist yet. And for the bad guys: they would just rename their client if their old one got on the blacklist. And do this each time again. So a whitelist is the only valid solution. Tillie ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
On Thu, 2010-04-29 at 09:10 +, Opensource Obscure wrote: On Thu, 29 Apr 2010 10:56:58 +0200, Henri Beauchamp sl...@free.fr wrote: Instead of a white list for which Linden Lab actually guarantees nothing and to which some developers won't be able to register anyway because of privacy and local Law concerns, why not making a black list ? The black list would contain the viewer names of right out illegal viewers or not yet TPV-policy compliant viewers this doesn't looks like a practical solution to me, as nobody could ever mantain such a list up-to-date. Right, I agree. And for that reason its actually a negative since it would give a possibly false assurance that a viewer not being listed is ok. IMO the directory is doing what its meant to do, give an assurance that LL and the viewer creator has done some diligence and are interested in keeping its use safe and consistent with the TOS. Not being in the list doesn't give any assurance like that hence the potential for concern. The easy answer is to get a listing in the directory. If that causes some folks heartburn then you're just going to have to live on the edge and deal with some concerned users. Mike opensource obscure ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
I told everyone form the start that it was a VERY bad idea to add any viewer to it. This list should have stayed totally empty. On Thu, Apr 29, 2010 at 10:56:58AM +0200, Henri Beauchamp wrote: Hi again, folks. Thinking about the TPV directory, I came to the conclusion that this tool, first intended as an advertizing one, doesn't currently reach its goal and even mistakes some users who think they will not be able to use their favourite viewer after the 30th of April if it's not listed in the directory: it is seen by many as a censoring tool. -- Carlo Wood ca...@alinoe.com ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
On Thu, 29 Apr 2010 09:10:12 -0500, Michael Dickson wrote: And for that reason its actually a negative since it would give a possibly false assurance that a viewer not being listed is ok. IMO the directory is doing what its meant to do, give an assurance that LL and the viewer creator has done some diligence and are interested in keeping its use safe and consistent with the TOS. *What* assurance ?... It's a self-certification process and LL made it *very* clear they don't guarantee *anything* as to the actual compliance of listed viewers. In fact, as it is, the TPV directory *is* misleading, since it can make users believe they are safe to choose any TPV viewer listed in it. On the contrary, with a black list, non-listed viewer are *not* given a OK, they are just not *currently* detected as being dangerous, and the users are not mislead: they can choose any viewer not in the black list, but still have to make their mind and check that the viewer they pick is actually compliant. Henri. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
On Thu, 29 Apr 2010 14:04:21 -0400, Discrete Dreamscape wrote: A list of trusted entities is virtually always more robust and reliable than a list of untrusted ones. This would be only true if LL was to *guarantee* that the listed viewer can *actually* be trusted, which is *not* the case with the current implementation of teh TPV directory. Weigh the two possibilities that would occur and their consequences, given that the user is making assumptions, as you say: - User believes viewers ON the whitelist are the ONLY ones that can be used - User believes viewers NOT on the blacklist can ALL be used The latter is clearly not a situation that benefits users in any way. Not when the blacklist in question is edited by LL themselves: you then are sure that the listed viewers are illegal, which gives more reliable info than an unwarranted white list... Henri. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
Users could then assume all unlisted viewers are safe enough for use, which is far more misleading than assuming a specific few are safe. A few who are both known and have contact information on file, no less. If they don't make this assumption, an action which any smart user should choose, then in general no third party viewers would be trusted and used. If you want a blacklist, there's already an informal one at http://onyx.modularsystems.sl/viewer_reference.html . On Thu, Apr 29, 2010 at 2:09 PM, Henri Beauchamp sl...@free.fr wrote: On Thu, 29 Apr 2010 14:04:21 -0400, Discrete Dreamscape wrote: A list of trusted entities is virtually always more robust and reliable than a list of untrusted ones. This would be only true if LL was to *guarantee* that the listed viewer can *actually* be trusted, which is *not* the case with the current implementation of teh TPV directory. Weigh the two possibilities that would occur and their consequences, given that the user is making assumptions, as you say: - User believes viewers ON the whitelist are the ONLY ones that can be used - User believes viewers NOT on the blacklist can ALL be used The latter is clearly not a situation that benefits users in any way. Not when the blacklist in question is edited by LL themselves: you then are sure that the listed viewers are illegal, which gives more reliable info than an unwarranted white list... Henri. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
Not only that, but the only way the whitelist can work as a whitelist is if LL not only tests the viewers on the list, but compiles the list themselves. That means seeking out TPVs and accepting recommendations from users, not just sitting around waiting for the makers to send them in. In my opinion, neither option will work all that well. LL doesn't have the staff necessary to compile and maintain either type of list, and the current TPV directory is nothing more than a misleading half-effort as a result. LL is trying, but they just don't have the manpower. Even a wiki-style page would be better. Maya Henri Beauchamp wrote: On Thu, 29 Apr 2010 14:04:21 -0400, Discrete Dreamscape wrote: A list of trusted entities is virtually always more robust and reliable than a list of untrusted ones. This would be only true if LL was to *guarantee* that the listed viewer can *actually* be trusted, which is *not* the case with the current implementation of teh TPV directory. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
This would be only true if LL was to *guarantee* that the listed viewer can *actually* be trusted, which is *not* the case with the current implementation of teh TPV directory. The current TPV directory is a list of certified viewers. Despite claiming the list is Self-Certified those viewers on the list still had to have their viewer reviewed by LL before being listed so really all the TPV's on the TPV Directory are Certified by LL ensuring they comply with their standards policies. As it stands the TPV Directory is one step away from becoming a full blown White List. Not when the blacklist in question is edited by LL themselves: you then are sure that the listed viewers are illegal, which gives more reliable info than an unwarranted white list... I think you missed Discrete's point. Many have interpreted the TPV Directory as a true White List, which it's not, many will think that any viewer that is *not* on the black list is then safe to use. So for example if Neil Life is on the black list and SuperGriefer Viewer 1.33.7 is not there will be folks who will think SuperGriefer Viewer 1.33.7 is safe to use despite it being a malicious viewer. Ron Festa Virtual Worlds Admin Division of Continuing Studies at Rutgers University PGP key: http://bit.ly/b1ZyhY Phone: 732-474-8583 ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
_ From: opensource-dev-boun...@lists.secondlife.com [mailto:opensource-dev-boun...@lists.secondlife.com] On Behalf Of Ron Festa Sent: Thursday, April 29 2010 20:27 To: Henri Beauchamp Cc: opensource-dev@lists.secondlife.com Subject: Re: [opensource-dev] Viewer blacklist to replace the TPV directory ? Despite claiming the list is Self-Certified those viewers on the list still had to have their viewer reviewed by LL before being listed so really all the TPV's on the TPV Directory are Certified by LL ensuring they comply with their standards policies. - release a viewer that's the LL source + a handful of innocent patches - apply for the directory and get listed - release a new viewer The last step doesn't invalidate the current listing as far as I know so I really don't see how the viewer directory could possibly be stamped as reviewed by LL by any stretch, let alone go as far as claiming that they're certified by LL as compliant. Since the reason for the directory is really end-user assurance the viewer directory doesn't really work in that sense because it doesn't actually offer much: LL still reserves the right to ban anyone just for using any third party viewer (whether listed or unlisted). With all the threatening (whether intended or not) language in blog posts or emails a lot of people are going by the assumption that listed means I won't get banned or that it means approved/sanctioned/verified/vouched for by LL but that's just not the case. It would be a lot better for any resident wanting to use any third party viewer to at least know that if they go by the list that their account isn't in jeopardy (no matter how unlikely a ban might be) for as long as that viewer is listed. For better or worse the perception that the viewer directory is a safelist is already there now, in spite of any disclaimers on that same page, and it's too late to still reverse that. Personally it seems best if the directory just officially became a safelist. If a malicious viewer ever makes the list then that wouldn't undermine people's trust in any other listed viewer because LL would guarantee that any viewer they list is indeed safe in the sense that noone can be banned for using it, even if they accidentally list one that turns out to not comply (which can just simply be delisted and blocked at that point to prevent continued use since it would have its own channel or it shouldn't have ever made the list to begin with). Kitty ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Discrete, in both ways you can have viewers that the users think can be trusted, but actually shouldn't On 29/4/2010 15:04, Discrete Dreamscape wrote: A list of trusted entities is virtually always more robust and reliable than a list of untrusted ones. Weigh the two possibilities that would occur and their consequences, given that the user is making assumptions, as you say: - User believes viewers ON the whitelist are the ONLY ones that can be used - User believes viewers NOT on the blacklist can ALL be used The latter is clearly not a situation that benefits users in any way. Discrete On Thu, Apr 29, 2010 at 1:59 PM, Henri Beauchamp sl...@free.fr mailto:sl...@free.fr wrote: On Thu, 29 Apr 2010 05:40:15 -0700 (PDT), Nicky Perian wrote: +1 A blacklist would just give potential bad actors a menu and template to use for more bad viewers that could be modified and get past the login screens. What you must understand is that the TPV policy is in no way a mean to prevent pirates from connecting to SL with hacked viewers (or through hacked proxies)... All what pirates have to do is to make sure these viewers impersonate an official (Linden) one (which is done very simply) and then they can pursue their illegal activity without even being spotted... The TPV policy might give some better ground to LL to sue such pirates when they are lucky enough to spot and trace one, but the true aim of the TPV is to set acceptable standards for non-hacked viewers as well as to provide their user with some minimum confidence that such viewers will not try to steal their private data or put them into troubles. As such, the blacklist would provide a much better service to the users by clearly identifying viewers which are *known* to be not compliant. With the current directory, you only got a *partial* list of *possibly* compliant viewers (without any guarantee from LL) and know nothing at all about non-listed viewers. Henri. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEUEAREKAAYFAkvZ5A4ACgkQ8ZFfSrFHsmXOBQCfcpptZyKU+Tr1uv+FsJVUj04s 6c8AmPF6F2bQpBxhVHCTLY4yrcC38sM= =Cbvj -END PGP SIGNATURE- ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
That's right. However, note what I implied: a blacklist would be worse by misleading users even more, and it would discourage TPV usage in general. On Thu, Apr 29, 2010 at 3:54 PM, Tigro Spottystripes tigrospottystri...@gmail.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Discrete, in both ways you can have viewers that the users think can be trusted, but actually shouldn't On 29/4/2010 15:04, Discrete Dreamscape wrote: A list of trusted entities is virtually always more robust and reliable than a list of untrusted ones. Weigh the two possibilities that would occur and their consequences, given that the user is making assumptions, as you say: - User believes viewers ON the whitelist are the ONLY ones that can be used - User believes viewers NOT on the blacklist can ALL be used The latter is clearly not a situation that benefits users in any way. Discrete On Thu, Apr 29, 2010 at 1:59 PM, Henri Beauchamp sl...@free.fr mailto:sl...@free.fr wrote: On Thu, 29 Apr 2010 05:40:15 -0700 (PDT), Nicky Perian wrote: +1 A blacklist would just give potential bad actors a menu and template to use for more bad viewers that could be modified and get past the login screens. What you must understand is that the TPV policy is in no way a mean to prevent pirates from connecting to SL with hacked viewers (or through hacked proxies)... All what pirates have to do is to make sure these viewers impersonate an official (Linden) one (which is done very simply) and then they can pursue their illegal activity without even being spotted... The TPV policy might give some better ground to LL to sue such pirates when they are lucky enough to spot and trace one, but the true aim of the TPV is to set acceptable standards for non-hacked viewers as well as to provide their user with some minimum confidence that such viewers will not try to steal their private data or put them into troubles. As such, the blacklist would provide a much better service to the users by clearly identifying viewers which are *known* to be not compliant. With the current directory, you only got a *partial* list of *possibly* compliant viewers (without any guarantee from LL) and know nothing at all about non-listed viewers. Henri. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.14 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEUEAREKAAYFAkvZ5A4ACgkQ8ZFfSrFHsmXOBQCfcpptZyKU+Tr1uv+FsJVUj04s 6c8AmPF6F2bQpBxhVHCTLY4yrcC38sM= =Cbvj -END PGP SIGNATURE- ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
This discussion seems to have been created with misleading intentions. Because some TPV creators don't want to reveal any personal information about themselves, they can't be posted on the TPV directory, and because of this, it's understandable they might view the directory as unfair. But, this doesn't strike me as a valid reason to criticize the list. It's certainly valid to say that the viewers on the list are not absolutely trustworthy unless a full code audit is done, but even then, do you really know that what's in the code is the same as what's in the binary? Isn't there a limit to what LL can do, given a lack of resources to perform such audits, especially when what you download requires trust that it's the same as what they've audited? But really, trust is supposed to be provided by the fact that the viewer has indeed registered using real-life contact information, because who would give such a thing knowing they could be held liable if they indeed decided to include malicious code? In general, there is no way to certify purity here, you can only provide a level of trust as a guideline. You can't rely on babysitting the users, because LL isn't going to compile every third party's code and release the binaries themselves. In this regard, you may begin to argue that indeed, a blacklist would better serve users. I argue that this is exactly the opposite. You may be able to pick out which viewers are explicitly untrusted, but you make no statements about the trustworthiness of any others. In this situation, a user is left to choose between either a viewer which is in the grey about its status, or an official Linden viewer. This point is key, as far less warranty is provided for users that they won't be banned for using a third party viewer. I suspect that in this case, many would simply give up and use the official client rather than risk their business, etc. If you want to provide a system where users can trust the clients they use, it seems like our current one is decent enough. In any case, a blacklist doesn't appear to be any safer. Discrete On Thu, Apr 29, 2010 at 4:02 PM, Tigro Spottystripes tigrospottystri...@gmail.com wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 the disclaimer instead of being hidden in small print in the bottom should be the first thing in the page, in big bold red font, to at least start helping users be less confused about how much trust they should put on the viewers listed On 29/4/2010 16:35, Kitty wrote: *From:* opensource-dev-boun...@lists.secondlife.com [mailto:opensource-dev-boun...@lists.secondlife.com] *On Behalf Of *Ron Festa *Sent:* Thursday, April 29 2010 20:27 *To:* Henri Beauchamp *Cc:* opensource-dev@lists.secondlife.com *Subject:* Re: [opensource-dev] Viewer blacklist to replace the TPV directory ? Despite claiming the list is Self-Certified those viewers on the list still had to have their viewer reviewed by LL before being listed so really all the TPV's on the TPV Directory are Certified by LL ensuring they comply with their standards policies. - release a viewer that's the LL source + a handful of innocent patches - apply for the directory and get listed - release a new viewer The last step doesn't invalidate the current listing as far as I know so I really don't see how the viewer directory could possibly be stamped as reviewed by LL by any stretch, let alone go as far as claiming that they're certified by LL as compliant. Since the reason for the directory is really end-user assurance the viewer directory doesn't really work in that sense because it doesn't actually offer much: LL still reserves the right to ban anyone just for using any third party viewer (whether listed or unlisted). With all the threatening (whether intended or not) language in blog posts or emails a lot of people are going by the assumption that listed means I won't get banned or that it means approved/sanctioned/verified/vouched for by LL but that's just not the case. It would be a lot better for any resident wanting to use any third party viewer to at least know that if they go by the list that their account isn't in jeopardy (no matter how unlikely a ban might be) for as long as that viewer is listed. For better or worse the perception that the viewer directory is a safelist is already there now, in spite of any disclaimers on that same page, and it's too late to still reverse that. Personally it seems best if the directory just officially became a safelist. If a malicious viewer ever makes the list then that wouldn't undermine people's trust in any other listed viewer because LL would guarantee that any viewer they list is indeed safe in the sense that noone can be banned for using it, even if they accidentally list one that turns out
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
Too many people are trying to answer the question is it possible to get a malicious viewer registered on the TPV directory. While the answer is most certainly yes the question is rather irrelevant. The important question is will malicious viewers be put in the TPV directory. I'm pretty sure that anybody intentionally providing a malicious viewer is a moron if he registers for the directory. The attention it'll attracts most certainly will lead to a user that blows the whistle. There's simply no point in registering it on the list as your risk of getting caught.rises significantly. As such I don't think you'll see many malicious viewers in the TPV directory. Blacklists on the other hand are silly as everybody and his dog can provide a viewer and use the fact that it's not on the black list to coach users into using it. As they can do this by any means and don't need to go thru official pages it'll certainly take longer before their cover is blown. So in practice when weighing both against eachother it's quite hard to imagine a real life situation where the concept of a TPV directory loses to a black list. No system is perfect and as such you can theorise all day about what could happen. In the end though that doesn't make a worse system any better. The TPV directory will in general lead to better results than a black list so that's what LL should work on regardless of its remaining imperfections. Best Regards, Dirk ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV
We certainly should follow the bright example of Emerald / Modularsystems, where you Discrete are a member of. A pseudo company set up and owned by known banned griefer JCool aka who revived his banned account(s) under the names of Fractured Crystal/Fractured Modularsystems. Back to their registration. JCool set up Modularsystems. A mailbox company with the following contact details: http://modularsystems.sl/ P.O. Box 5702 West Columbia, South Carolina 29171-5702 United States administra...@modularsystems.sl That is an untraceable anonymized entity without any name attached to it and unknown legal status, registered with a domain name in Sierra Leone, a country that does not even have a WHOIS. This information was used to register and self-certify Emerald in the Viewer Directory. As I as a legally uniformed hobby programmer without commercial interest can evaluate this situation and validity of the Emerald listing, it is meant to circumvent any means of the viewer directory to hold a developer accountable for their viewers. It is also meant to avoid any possible litigation from LL in case indeed some malicious code may be found in their viewer(s). Besides Emerald, Modularsystems also develops and uses a malicious viewer named Onyx that is in clear violation of ToS/TPV. So no, Discrete, all these things completely contradict your argument. As shown a listing in Lindens viewer directory doesn't add a single piece of safety or security. To look for a legitimate viewer the Alternate Viewer list in the community edited SL Wiki is a better place to, for the simple reason malicious clients may not easily slip in as this is possible with self-certification. A blacklist is a good thing and could at least complement Viewer Directory and Alternate Viewers list. But of course it would include most of the malicious viewer from the key developers behind Modularsystems which obviously you try to avoid. Additional question to Linden Lab: How can for repeated ToS violations permanently banned people just circumvent that ban by creating new accounts as many of the Emerald developers did? Is it money spent for SL that counts rather than ToS? Boy - Original Message - Date: Thu, 29 Apr 2010 16:39:16 -0400 From: Discrete Dreamscape discrete.dreamsc...@gmail.com Subject: Re: [opensource-dev] Viewer blacklist to replace the TPV directory ? To: Tigro Spottystripes tigrospottystri...@gmail.com Cc: opensource-dev@lists.secondlife.com Message-ID: g2nc38195a91004291339p41f404edgfe05a593c813c...@mail.gmail.com Content-Type: text/plain; charset=utf-8 This discussion seems to have been created with misleading intentions. Because some TPV creators don't want to reveal any personal information about themselves, they can't be posted on the TPV directory, and because of this, it's understandable they might view the directory as unfair. But, this doesn't strike me as a valid reason to criticize the list. It's certainly valid to say that the viewers on the list are not absolutely trustworthy unless a full code audit is done, but even then, do you really know that what's in the code is the same as what's in the binary? Isn't there a limit to what LL can do, given a lack of resources to perform such audits, especially when what you download requires trust that it's the same as what they've audited? But really, trust is supposed to be provided by the fact that the viewer has indeed registered using real-life contact information, because who would give such a thing knowing they could be held liable if they indeed decided to include malicious code? In general, there is no way to certify purity here, you can only provide a level of trust as a guideline. You can't rely on babysitting the users, because LL isn't going to compile every third party's code and release the binaries themselves. In this regard, you may begin to argue that indeed, a blacklist would better serve users. I argue that this is exactly the opposite. You may be able to pick out which viewers are explicitly untrusted, but you make no statements about the trustworthiness of any others. In this situation, a user is left to choose between either a viewer which is in the grey about its status, or an official Linden viewer. This point is key, as far less warranty is provided for users that they won't be banned for using a third party viewer. I suspect that in this case, many would simply give up and use the official client rather than risk their business, etc. If you want to provide a system where users can trust the clients they use, it seems like our current one is decent enough. In any case, a blacklist doesn't appear to be any safer. Discrete ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges
Re: [opensource-dev] Viewer blacklist to replace the TPV directory ?
Nicky Perian wrote: +1 A blacklist would just give potential bad actors a menu and template to use for more bad viewers that could be modified and get past the login screens. Isn't just sending the login info form the laters offical viewer the bewst way to get passed techical blacklisting anyhow. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. ___ Policies and (un)subscribe information available here: http://wiki.secondlife.com/wiki/OpenSource-Dev Please read the policies before posting to keep unmoderated posting privileges