Secret SL Viewers? "Cyro" and "V-Life"

It's answered in the thread you posted. Why you don't read it?

The only way to 100% guarantee the security of your computer is to disconnect it from the internet, never re-connect again, and never install any software off a disk or any other external source except for software you 100% totally wrote yourself.

Everything else is risk. You temper the risk by using a decent firewall, anti-virus software, etc. No software, not even the official viewer, is 100% risk free.

On the other hand people have been using alternate viewers like Emerald, Cool Viewer, Nikolaz, Kirsten's etc, for years, and no-one's yet reported having a password or a single L$ stolen.

Yeah, totally, apart from that report IN THIS VERY THREAD about a third party viewer that contained a trojan.

The general solution that the greater open source community uses is based on two things: reputation and verifiability.

People who create and provide software have reputations just like any other vendor. This can take many forms. Some provide their contact information, others are merely known to other (anonymous) avatars. You just have to use your judgement about who you trust.

Verifiability is making sure that you are trusting the person that you think you are trusting; this is accomplished technically. (Is this program I downloaded really from that author I trust? And if I am downloading source code, does it actually correspond to the executable I downloaded?)

The way verification works is that the author of the program (who you have already decided to trust, based on their reputation) publishes an extra piece of information that goes along with the file you want to download. You download the file (SecondLife.exe or whatever). Then you feed the download along with the verification information into a program, and it tells you whether they match. If they do, you know that the program came from the person you intended and that it was not adulterated.

It doesn't even matter what web site you got the viewer download itself from, as long as you got the right verification data. They either match, or they don't. (This even prevents some bad person from breaking into the author's web site and replacing the good SecondLife.exe with some evil one. Yes, that sort of thing goes on. But since the evil version won't match the verification data, you can tell that you didn't get what you were expecting.)

How do you know that you got the true verification data? That answer depends on the technical details of which specific technique the author has chosen to use. There are two standard ways.

The first way is to look on the author's web site, where he has listed the data along with the download. The data will just be a long hex number that looks something like "59ec735f425c37722746be68bf12565e2380362e". This is an "SHA-1 checksum", and what you'll do is run the downloaded file through a program called "sha1sum", and see if it gives the same number. This technique relies on your having gotten the true SHA-1 checksum from the author. If someone hacked his website where you read it, they could just as well replace both the checksum and the download.

The second way is for the author to digitally sign the file that you will download. This is done by providing a companion file with the download. You will download both the "SecondLife.exe" and "SecondLife.exe.sig" files, and feed them to a program called "gpg" that will tell you if they match. But there is a trick to the signature file that makes this technique very secure. The sig file has a number in it similar to the SHA-1 number in the above technique. But it is encrypted with the author's own "signing key". So this also requires you to have gotten (another) magic number (his signing key) from the author in some trusted fashion, but you only have to get it once, and then you can use it on all his ".sig" files forever. You obtain the signing key from a web site that you trust, or email from someone you trust, given in Chat or whatever. The author's signing key is unforgable, so once you know it, anything with his fingerprint on it came from him. And anything verified with his signing key has also not been tampered with. You can tell that nobody has attached a virus to the download or replaced it with an evil lookalike program. This technique is the better of the two, because all you do is download the files and feed them to the "gpg" program. More secure, and you don't type in any numbers. Works even if the author's website is broken into (assuming you already had the author's true key all along.)

Once a download has been signed, anyone can distribute it, and you will still know it came from that author you trust. Also, other people can sign it. For example, suppose there is a third party that wants to check out the source code. The author posts the source code along with the binary that goes with it, and signs both. The third party downloads those, and then performs their source code auditing and review. Now they can in turn post a third product for you: their own signature file that goes with the binary, indicating their certification that the binary corresponds to the source code, and that they have reviewed it and think it's safe. It's not even a requirement that you trust the original author, if you want to trust this third party instead.

These are all very standard practices that open source community has been using for a decade.

What kind of fool downloads a program from some random web site, from some avatar that there is no way of knowing who it is, and you don't have any way to tell if it's even that avatar's download anyway -- and then runs it on their computer? There is no way of knowing what the program is really doing behind your back. It could be stealing data from your hard drive or watching for you to access the web and type in your credit card number. It could install things on your system to secretly communicate and do all kinds of things unrelated to Second Life, and you would never know it was happenning. It won't be detected by Anti-Virus, since it's not a virus - you put in on your system deliberately! And never mind all that, the first thing you're going to do after installing it is connect to Second Life and type in your avatar name and password. And that gives the program access to your payment info (ie. credit card) on file with Linden Lab.

I'm frankly just amazed that these legitimate authors we know don't sign their downloads, and even more amazed that people download and install them without even checking to see what they got, let alone where it really came from.

That's not a problem associated with it being a third party viewer, that's a problem associated with that specific build being a dodgy bit of software targeted towards marginally crooked people in the first place.

If someone got infected by an MP3.EXE because they downloaded a dodgy copy of "Werewolves of London" from Bittorrent, and decided to get it from last.fm instead, would you say "no, you oughta buy it from iTunes", or say that people should avoid Warren Zevon and stick to the Beatles instead?

This is all getting technical and hard to follow. Is this some kind of slur against furries?

Before we start, don't get me wrong, I use a lot of open source software and I download a lot of music, I mean, wow, a LOT of music from bittorrent.

But are you shitting me? Your question, if I understand it is this: If someone downloads an illegal copy of a song from bittorrent and finds it somehow infected them with a virus then would I encourage them to use iTunes instead?!?1

Of course use iTunes instead. Especially if you're so clueless you can't tell the difference between an exe and an mp3. I think this is a great example because SecondLife users are in a very analogous situation in which they (and frankly I too) do not possess the technical skills to tell if a binary is malicious or not. (like the moron in your example couldn't tell that you do not execute mp3s).

Your first point is also great. The problem is with that specific dodgy build created by a malicious person. Now, maybe you know Boy Lane and Kirsten and whoever else so well you know they'll never act maliciously. I personally don't know them, I'd never even heard of these people until they started releasing viewers. As far as I know their entire existence is built around this one slow burning scam to steal the L$ balances of a few thousand users. Also, perhaps you have some special skill that enables you to assess whether a build is malicious or not. Personally I don't and I doubt more than a couple dozen people in the WHOLE of second life do either. As a result, and I think you agree, I discourage anyone from using these third party viewers with any avatar that has any significant amount of power or cash.

Would you encourage them to use iTunes rather than, say, last.fm or some other small but legitimate site that doesn't have Apple's name?

Note that I had omitted that viewer, and the other one I'd not heard of before, from my list. I only included ones that I've heard positive feedback about.

I suppose instead of "etc" you meant ".". I didn't realise that.

interesting

Let us not forget that there is one company who produces software that is routinely vulnerable to being hacked and made to cough up anyone's personal information, and hundreds of millions of people - including most of you here in this forum - use it every day, often without even giving its vulnerabilities a second's thought!

The software is produced by Microsoft Corporation, and is sold under its commonly-known name, Windows.

don't forget:

securerom
Sony cds (rookits for all!)

pretty much any DRM enabled software product..

Correct me if I'm wrong, but - didn't the OP state that the VLife viewer was only available for purchase? If so, then it is not an open-source viewer and therefore not subject to scrutiny by anyone else. Additionally, this viewer, if I'm not mistaken, is sold under the auspices of allowing its users to be able to do things users should not be able to do, giving them the upper hand.

In this case, *caveat emptor* applies. If it sounds too good to be true, then it probably is.

Well all I can say is bullshit!

You don't want to use 3rd party viewers then don't do it but do not spread this crap. Those people have sterling reputations and have done nothing to deserve this. They have all given back a great deal to the community, including a LOT of patches that are now used in the regular viewer. Shame, shame, shame on you for this.

So let's turn this about. Elanthius is actually building up to a scam where he is going to start selling the land out from under all of his renters and will receive double the rent for a month. If I am not wrong, this would be a fair amount of money? We do not know what his motives are and so I would plead that no one have any business dealings with him. Other people have already done this and who can say that he will not.

You don't want your reputation trashed then don't start questioning the motives of others.

Oh great. So you're a really prolific pirate.
This is a vicious and totally undeserved slap at the reputations of some pretty hard-working and community-trusted people. You should be ashamed you even dreamed this analogy up. Remind me to never do business with you in SL and to tell all of my friends they shouldn't either because you might be running a slow-burning scam to steal their rent money. See above about willingness to pirate and brag about it.

Grrrr! In case no one can tell I am mad!

Ask Boy Lane how many hours she puts in a week compiling viewers for people to enjoy, some who's enjoyment of SL would be greatly diminished otherwise, post wind light. Add to that, all of the hours to setup the website and other misc hours. Every one of those hours with no desire for recompense. I would guess 20-40 hours and more some weeks?

This opposed to hours driven by the search for the almighty dollar. And yet which of those people who deeply care about community has ever questioned your greed or motives?

I read Elanthius as meaning that he has no compelling evidence to believe in the good motives of third party viewer creators. I don't see an accusation being made at all.

I don't have any compelling evidence to believe in the good motives of the creators of the third party viewers either. I've used Cool Viewer, Imprudence, the Nicholaz viewer, Hippo, RealExtend, Green Life, the Dale Glass viewer, Kirsten's and so on.

I don't have any evidence to suggest that any of them have bad motives either.

The security breaches in SL viewers that I have some half remembered awareness of were all in the Linden Lab produced regular viewer.

I do think I'll pass on the V-Life viewer, and the Shooped viewer, if that's still around.

My balance remains as it should be despite using every viewer I come across.

I do see it as a slight, there was no call to drag the other names into the conversation. This is quite different from asking the question about a couple of new viewers. For those that do not know, the Vertical Life viewer is not for sale, is open source and the code is available here:

http://code.google.com/p/vertical-life/

It was a viewer created by someone else with a good reputation here; Nexii Malthus. Someone says they found a trojan in it. False positives happen all of the time because of the algorithms used be the AV programs. It just so happens that on April 29th of this year the official RC release was pulled after AVs were reporting that Updater.exe was a virus/trojan. LL checked it out and there was no virus. So should everyone start telling people NOT TO USE the official viewer?????

Reputation is everything, reputation == trust, this applies to Elanthius also. He has built a reputation by being fair towards his customers. The names listed have also built a reputation over time. Anyone is free to pop in here and point out where someone was ripped off by one of the viewers. I am sure that he did not appreciate my comeback questioning his motives and trustworthiness but it is no different then his comments about Boy Lane. You do not have to accuse someone to cause harm, a program of strategically placed questions can do the same. The same harm done by posting on a web site that Nexii's hard work contains a virus without doing further research or creating a post stating that Vertical Life has to be paid for etc.

I don't see that there has been any mention of the Vertical Life viewer prior to Jesse's mention of it in this thread, or any connection made in this thread between "V-Life" and Vertical Life.

The blog post linked to early in the thread, at http://www.kabalyero.com/2009/05/23/vlife-means-trojan-horse-virus/ , doesn't make a connection between V-Life and Vertical Life.

The comments for that blog post make a connection between V-Life and the GreenLife Emerald Viewer.



What to make of that discussion I don't know. It's on the internet, after all, home of wikipedia and official government sites, and thus to be looked at with a bit of suspicion.

That blog post cites as it's source a spam comment coming from i4lolz.com. Put 14lolz.com into Google and you will probably get the idea that someone involved with that domain is up to no good. I went briefly to that site but it was taking a while to load and I didn't really want to give it much time to do whatever it might be up to.

I googled V-Life, vLife, and every other variation I could think of and came up with nothing outside of that one linked blog post. The only thing that I found that could possibly apply is Nexii's viewer; Vertical Life. Would love if someone sent me a link on either offending viewer. If no one is any more successful then I was then I would write all of this off as nothing more then just gossip.

Of course! That's why all land renters should never pay more than one week ahead because at any time they are at risk of being evicted or their landlord going bankrupt. It's a way of minimizing risk and reducing the amount of money you could possibly lose in such an unfortunate event. Who in the hell trusts estate owners? I only personally have one report of a viewer being built as a scam (now, apparently someone is providing counter evidence to that though) we have literally dozens of examples of estate owners that were scams.

Anyway, I can see some people are getting unnecesarily emotional about this issue. Personally I can't believe there is any dispute whatsoever. But my point is made and out there. It hardly seems like I need to clarify any of it yet again so I'll leave it at that.

Ok! Enough with the rumors and speculation, let me clarify a few things here:

Vlife and Cryolife are two different viewers, yes, they do have features that allow you to break the TOS should you make that CHOICE.

They are tools and like any other they can be misused.

They are not made simply to crash people and crash sims, while those features are there, they also have things like inventory backup, avatar radars, asset viewers, fun particle effects.

The creator of Vlife sells his viewer for 50k L$, and has very strong copy protection to prevent it from getting out in the open where people like /b/tards would use it to exploit SL. The source code is NOT available upon request, he doesn't particularly care about GPL violations.

Cryolife similarly has copy protection, and is currently no longer for sale, though there are people with fakes out there trying to make money selling trojaned software.

Neither viewer is packaged with any trojans or password stealers when purchased legitimately from the creators, I am friends with both, own both of these viewers. Neither would be willing to risk the income they make selling these viewers by packaging them with any malicious software.

The copy of the so called "Public Vlife" that is being distributed DOES contain malware, and it is NOT vlife, it is simply a repackaged copy of the free, open source emerald viewer(Which when downloaded from the official site does NOT contain anything malicious.)

Anyone with specific (Legitimate) questions can contact me ingame as I probably won't look at this thread again.

Hahaha, well that thoroughly resolves the question of reputation in my mind! I don't know why I ever doubted.

Touche my friend, touche.