Secret SL Viewers? "Cyro" and "V-Life"

I have tried using other viewers - I used the Nicholaz one for a while when the LL one was unreliable a couple of years ago. At the time it worked better than the LL one. There was a point then, but I don't think there is now.

But now, for me, the LL viewers work well. I tried to get shadows to work on the Kirsten viewer but couldn't - but I've got them to work well on the LL 1.23 Release Candidate - on a laptop!!!

What exactly are all the extra things you can do with open source viewers that you can't do with LL ones?

Tons of FUD here. Let me repeat what I wrote a long time ago

"There are people spreading rumours about the XYZ Viewer inworld. That it saves your password, and that it sends it to the "Lindens". To be honest....yes, this is true. All of it. XYZ Viewer saves your last password locally as every other viewer does, to make your next login more convenient. And....to make it worse....it even sends the password to the "Lindens". Otherwise you could not login into SecondLife *giggles*. Makes sense?! "

Well, I've never heard that rumour and the point is not that the viewer sends your password to the Lindens, the point is that it could send it to the person who wrote the viewer.

As far as I know no password stealing viewer has been found yet but it is surely only a matter of time.

Sure it could do this if it is an illegitimate client. I don't know the two mentioned here earlier. But one could also hack every other piece of software and publish it. False sense of security you have here, honestly.

The viewer source is opensourced and licensed under GPL. That requires every publisher of a 3rd party viewer to provide identical sources for the binary created. Be ensured there is a very active opensource community around SL watching closely that these requirements are fulfilled. By having the source available the chance of malicious code is greatly reduced. But not even the Lindens are immune to some "virus" found recently in the windows updater. That was caused by the buggy AVG scanner which produces lots of false positives.

Overall you are on a much safer side when using opensourced code as you and everybody else can look into the code and find if there is any malicious piece in it compared to any closedsource software without source code being available. That not only relates to elimination of malware but also to fixed bugs, better performance and feature improvements in 3rd party viewers the Lindens are not able or unwilling to fix and/or provide giving you, the enduser an overall improved performance and usability.

One last word, if you look at the alternative viewers posted on the official SL Wiki you can be certain that these are not only community but also LL checked and endorsed viewers that do not pose any security risks (other than the official viewer by having bugs it is).

Can anyone tell me the plus points of Greenlife Emerald Viewer.

I use Hippo and its very stable for me....and from there i can log into other Open grids that i have an Avatar for....prior to that i had Onrez for a great length of time and worked well too. I also have RealXTend as a back-up viewer.

Although i can use the official LL viewers, i tend not to use them, as Windows keeps sending me a system message "Secondlife.exe" is a corrupt file regardles which version I use. I have a feeling it's some entries within Registry that are corrupt....I'm not going to bother to reformat just to clear it. The only option to unistall all official viewers.....and then work through the Registry and delete entries.

What's false about it? It would take some gnarly hacking to somehow replace Linden Labs website with some hacked version that distributes a password stealing client. (Yes, I know there are ways to do it, maybe by messing with my dns file). Similar things have happened with other websites and, well, if it did I'd have to suck it up but the chances are pretty slim.



No, because of the splintering into dozens of different viewers each viewer does not get "many eyes". The code for each viewer is pretty much only looked at by the person who codes it. You can make this claim about the official LL open source viewer. But who can say that the opensource community is closely watching these viewers that you and I have never heard of?

*Edit: Wait, one last thing. As far as I know there's also no possible way to verify that the downloaded source matches the distributed binary. So distributing some source file doesn't guarantee anything.

@Elanthius
Pointless discussion, you can do this with any program/website/viewer etc. Nobody asks you to use any piece of software you are not comfortable with. It's purely your decision

I'm not defending any of these 2 viewers I also don't know. From one link I take the vlife one is a Greenlife Emerald viewer with a trojan inside. Someone can do this with an official SL viewer too and repackage it. This doesn't mean the original is malware at all.

Running any software does the same thing. Including software published by big companies like Microsoft and Apple and Adobe and Sun. Let alone all the third party tools people use to create content in SL, run bots in SL, and so on.

This counter argument is silly. Yes if LL deliberately or accidentally distribute a password stealing viewer we are all in trouble. More likely their database will get hacked and the passwords stolen as has happened before.

It's a question of accountability. Who is accountable if the Cool Viewer turns out to be a scam? "Boy Lane" some anonymous avatar with no other contact details through which I have no recourse at all. At least Linden Lab have a reputation to maintain, a legitimate business to lose and an address in the real world I can cite in a lawsuit if they try to perform this sort of nonsense.

I don't mean to pick on Boy Lane, maybe she does publish her address and real name and tax id and email address and whatever else. But extend my point onto these viewers that no-one really knows anything about and see where that gets you.

Feel free to ask LL if they give you my RL details. Do they have yours?

Obviously you have not much of a clue what you write here. Cool SL Viewer is officially maintained by Henri Beauchamp. It includes dozens of contributions of "Avatars" throughout Secondlife. If you would take a look in the included releasenotes you can find here it http://coolviewer.googlecode.com/files/releasenotes.txt it may give you some insight how active the opensource community in fact is. CV exists in versions for Windows, Linux and Mac and as a full fork in form of the Hippo viewer. Many changes also made into other 3rd party viewers as well as into the official viewer.

Be ensured that there are more than a single "coder's" eyes having a look at that exact code. But again, you better stick with LL's official viewer .

What the hell does this mean?



Well done on picking on a specific irrelevant error (i.e. mislabelling your viewer) instead of the point I am trying to make.

I don't know how this can possibly warrant arguing about. Just from reading this thread I discovered there already was a viewer with a trojan in it and apparently the OP and other people did not know that it was infected. How did this amazing opensource community protect us from the VLife viewer?

If the scammers had been more subtle and included a password stealer instead of some crappy trojan that any basic virus scanner can detect then when do you think the opensource community would have gotten around to parsing through the source code for the VLife viewer line by line?

Since you are being very deceptive about these third party viewers and how trustworthy they are I will step up the rhetoric to make sure non-technical people understand fully. If you care about your password or any details of your SL account at all you MUST NOT use any third party viewer.

I guess I didn't make my point clear enough, because you seem to have misunderstood it. Apologies.

Are you using any third party software intended for Second Life businesses and content creators that you didn't compile yourself from source you inspected?

If so, than any of that software could inject code into your Second Life session to steal your password, or simply include any off-the-shelf keyboard capture exploits. If I were interested in ganking passwords from SL users, I'd write a Really Cool sculpted prim tool (or animation editor, or something else that would be popular with SL users) with an autoupdate mechanism and slide a backdoor in after it had become popular. It would be more likely to get used by more people than Yet Another OSS Client.

Or I'd slip a trapdoored version of someone else's third party tool into Filepile or some similar service.

Well, no. I am not. Who does that? What kind of third party software are you thinking of? I can't even think of anything. Unless maybe you're talking about, like, Windows itself or something?!?! Maybe I'm using something and just don't know about it.

Wings 3d, and the Wings 3d plugins for sculpty creation? Avanimator? Rokuro? What software do you use to run your land bots? How about Photoshop plugins?

@Elanthius
Stop writing more FUD here. I said you may trust the viewers listed on the alternate viewer wiki. Nothing else. I dont know both viewers the OP mentioned and I don't know if or where binaries and/or sources available. As such I can certainly not support or endorse them. This has nothing do with anyone working actively on 3rd party viewers for a long time and nothing with the opensource community at all. The link you try to make here is ridiculous at best.

Keep your rhetoric skills for yourself. People are able to read and judge by themselves. As I said, nobody asks you to use anything else than the official viewer. But that's purely your personal decision.

Apple, Microsoft, Sony, and many other big companies have shipped software with backdoors, viruses, rootkits, and other malware in them. Some of them have even done so deliberately. Some do so openly in the name of preventing cheating in games.

I understand your concern, I just think you're drawing the line in the sand in a very strange place.

Oh OK, then we almost 100% agree so there is no disagreement. You nor I can endorse these unknown third party viewers. I'd add that I strongly DISCOURAGE using unknown third party viewers and I think you might too. I'd personally add that I would not trust ones listed on the viewer wiki either but we can surely agree to disagree about the level of risk involved in using those.

As for Argent's post, he's playing a pretty ridiculous game of slippery slope here. The issue a question of risk levels. Agreed, no-one is 100% safe from being run over by a car, even when on the 7th floor of a building like I am now! Still, that doesn't mean I should stand in the road with my eyes shut.

I think we should close the internet. It's just full of contrary bastards being contrary.

No it's not

fu

I don't use any of that other software, I definitely wouldn't use any software that requires me to type my password into it. I think that's a pretty normal attitude. I guess I don't know about most people...

I write the bot software myself, link it to the openmetaverse library source and compile it with Visual Studio. Regardless all my bots have different passwords and have a minimum level of group access and a minimum possile amount of cash on hand in case there is a breach and someone tries to steal all my mainland parcels.

Of course it's a matter of risk levels.

The risk level from using a high profile third party client is less than the risk level from using the many third party tools that people routinely download from Filepile and run without performing any inspection at all. I spent 20 years as a system administrator, and I've seen things you people wouldn't believe. Webservers on fire in a colo in Houston. I've watched viruses bouncing off my firewall at the internet gateway. All those moments will be lost in time, like tears in the rain.

Seriously, you're pointing at a low probability attack vector. It's MUCH more likely that you'll get exploited by a proprietary plug-in or utility.

If they inject an exploit into your SL client (which is not that hard to do, there's canned code for doing it... legitimate debugging code, even) it can pick your password up when you type it into SL.

I've had to clean up computers with exactly this kind of indirect exploit in them.

I guess you don't. After some of the things I've had to deal with from the allegedly professional software developers and consultants I've had to support, I'd say you're way out on the fringe.

(so am I, by the way, I just happen to know it)