Third Party Viewer Policy coming soon

...and even if they connection stuff is only released by LL as a binary, people could still see what it's sending to the servers - slproxy, wireshark, tons of tools to do that - and make their evil code send the same stuff.

Tegg, you seem to think that people are saying it can't be done because we're too busy/lofty/lazy to think about it. That's really not the case. I don't know that it actually is impossible to ever fix but I have no idea how to do it. I'd also bet that LL doesn't know how to do it either.

If they actually wanted to address the actual problem, they'd work on building signatures of the various kinds of assets so copies could be more easily spotted. That's not the goal, though - the goal is to appear to be doing something.

So you know it is absoloutely impossible to restrict viewer access to SL and what we havew is the best it ever can be?

LL will never do anything about it as long as everyone has a can't be done, don't bother attitude.

Yeah but you don't see WoW customers campaining for Blizzard to stop trying to keep them out.

Since the viewer itself is not the problem, rather how it is used, perhaps whitelisting viewers is the wrong approach.

There must be ways to detect when viewers are doing things they shouldn't, and disconnect them from the grid. Something like what was done earlier this month when they busted people for it. Perhaps even just routinely doing stings like that would prove to have significant deterrent value.

People are not suggesting that Linden Lab do nothing, but what they do needs to be effective and not degrade SL for legitimate uses.

The way your computer draws a picture on the screen is with electrical circuits called "video memory"; you have heard of this in discussions of "how much memory does your video card have". (A) It is physically impossible to prevent me from accessing the video memory and capturing the textures as they are going by.

The way that higher-level objects such as prims are processed by the Viewer is that they are received over the network circuits, into the Viewer's own "main memory" circuits, and then sent back out again over the network. (B) It is physically impossible to prevent me from accessing (eg. capturing, altering) anything that goes over the network. (C) It is also physically impossible to prevent me from messing with the main memory circuits.

My own software can take control of the computer's circuits at any point. Therefore it is physically impossible by any means of software on my computer, to prevent content theft.

The only question is how much effort would be required to write the cracking software to subvert the system. Once it is written, I can steal any textures, prims, sounds, etc. that the Viewer deals in. And I can make that software available to everyone else so that they can use it, without any technical expertise. The answer is: (A) and (B) have already been written and are widely available and in use on SL already. Currently, that is also the situation for (C).

The solutions that are physically possible, given the electronic circuitry of the computers that we own, are as follows.

(A) Nothing can be done; that's just the way the hardware works. Textures can always be stolen, end of story.

Although they are not proposing to do so, there are two possible avenues by which LL could tighten things up.

(B) LL could use encryption so that subversion of the network would not work.
This would eliminate this vulnerability, forcing people to use only (A) and (C).

(C) LL could use software techniques, part of which might require withdrawing the open source code, that could make it much harder to analyze the memory imprint of the Viewer's software codes and data codes. This would make it harder to steal prims. (It doesn't impact textures, that cat is out of the bag.) Using option (C) also necessarily ends all unauthorized third-party Viewers. In this case, it might take a professional, working full-time, as much as several weeks to totally crack it once and for all for everyone.

This time estimate is based on my experience as a designer and programmer of computer operating systems and networks (including military security networks) since 1973. I've left out the technical details of my analysis of several hours thinking about the problem and reduced it to terms that I hope everyone can understand. If you have a different technical analysis, I would be interested to hear it.

If you think that some other system has achieved the security scenario that you are proposing, you are either confused about what the scenario is and are thinking of a different situation, or else you are simply misinformed.

There are industry proposals to change the way that computer hardware and operating systems work, which might make this kind of subversion impractical. Preliminary work has been done in this area (starting in 1980, with a big push involving Intel around 2004.) The buzzwords are "curtained memory" and "secure video path". Some years from now, the answer might be different, if this is adopted. There are non-technical reasons that make it problematic.

See, now you're talking about a "black box" module that a "licensed" viewer would have to talk through. This wouldn't work at all. For starters, a rogue viewer can easily be designed to bypass the black box and return exactly what the server is expecting from a licensed black box, and the server would be none the wiser. Microsoft tried this black box approach with Windows Media Player (for the WMA-DRM "PlaysForSure" system), and it gets cracked about as quickly as it gets released. Encryption would not work at all because, by necessity, the client would have to hold one of the decryption keys, which would be a lot like handing random strangers the key to your back door.

Doing what you suggest would not be impossible. Indeed, if you throw enough people and resources at the problem, it is very possible. However, it is just not feasible. Such herculean technical efforts would almost absolutely have a far lower ROI than going after the people who distribute and buy stolen content by adding teeth and consistency to the existing DMCA takedown policies.

Linden Lab has to do something. If it just tacitly encourages other developers to develop alternate viewers without standards, it leaves itse'f open to legal liability occurring though use of those viewers at worse, or maybe bad press even if not legal liability.

If Linden Lab does all it can do to hold other viewers to some set of standards, even if it ultimately cannot stop problems caused by other viewers, it can it least say it did it's best to reign them in. If Linden Lab does nothing, it can't ever claim to have done its best.

Providing a set of standards for alternative viewers, and figuring out some sort of gold-star mechanism for those viewers (a free registry), is probably about the best it can d It won't stop content theft, they probably can't effectively ban non-compliant viewers, but it's a low-effort way of doing the best they can.

I don't think it's fair to blame Linden Lab for trying. However, based on past performance, it is fair to expect that Linden Lab will probably screw up the whole process. Charging licensing to kill development of free viewers, bizarre standards, and prohibition of any feature that makes the official SL viewer look bad for not having said feature are all possible outcomes. I fully expect Linden Lab to take a simple CYA action and turn it into an utter disaster.

As to the mention of encryption- I can't think of any reason it would benefit Linden Lab directly to prevent encryption. Previous FBI investigations of Second Life have probably resulted in the FBI going easy on Linden Lab, in exchange for Linden Lab to be fully cooperative in the FBI's efforts to spy on its own citizens and the world. And federal law is so voluminous and often vague and open-ended, I suspect that every company that has ever operated on the internet has inadvertantly violated enough federal law the FBI has leverage in encouraging cooperation with spying efforts.

Yes, but the answer to what they must do is not a technical one. It is a legal and business model problem which cannot be solved by technology.

As I and others have repeatedly belabored, it is not technically possible for them to prevent rogue Viewers from connecting to SL, because any software can pretend to be the official Viewer and there's no way around that. LL cannot tell one Viewer from another; the rogue Viewer can always just lie to LL.

There are major issues with the entire business model, and it's a very exciting and interesting thing to watch. Even if it does often seem to be a train wreck.

___________________________
Well, I've repeated myself endlessly here, and nobody wants to hear what I have to say about the technical issues. Actually, I think this is probably the end of my participation in these forums. I no longer feel like I'm helping anybody with either my technical information, criticisms, or insights. I'm going to just spend time in-world.

Feldspar that's a great engineering analysis, but... that's the thing, it's an engineering analysis. There's a lot more that can be done if you look at the whole picture.

Consider that even mere posturing and threats of permaban can reduce copying by a significant percent, even if no actions are taken at all. Most crime is opportunist crime, and when there's potential consequence that dissuades many.

Second step, add in the basic security that might be the equivalent of cheap door locks. Again, that knocks out a fair number. Light encryption or even obfuscation ~ stuff that barely qualifies as engineering.

Third, vigorous prosecution of those caught with clearly stolen stuff. Hey, Fred has Barney's new product, but there's no transaction record for the transfer on file? Bust him.

Fourth, monitoring and sting operations. Rather than harden your target, get an idea of who is stealing what, who the star players are in the theft racket, watch and learn. 99% of the time they will get sloppy, if they don't think anyone is looking. Get the evidence, then lower the boom on offenders. Get the lawyers involved if you have to.

At each step, there's an incremental change in the culture. That's how you win, overall. "Everybody's stealing, why not me too" stops being acceptable.

And at that point it's an exercise in human nature, not engineering, and that's my point.

This came in while I was in the midst of posting my swan song, so I'll reply.

Thanks, Desmond. I entirely agree and have alluded to this in most of my posts. My point is that it cannot be solved technically, so it must be solved some other way. I don't happen to think the current posturing will have any efficacy, though. I think the only thing that will work is detection and "prosecution" (by which I mean policy changes such IP blocking, perhaps not allowing anonymous accounts to build or upload, as well as legal actions in the courts). Those may be deep and difficult waters for LL to wade into, in terms of impacting their business model. So it will be very interesting to see how it all goes and what they can accomplish there.

___________________
BTW I'll continue my in-world Mentor activities and teaching. Most classes these days are taught at the "Constructive Education" school; search for "@CE" in the Events calender or join that group. And don't forget about the venerable "Some Decent Privacy" group for discussions and meetings in-world on SL privacy issues. Feel free to IM me for help or consulting.

Yep tha's what I'm thinking Desmond, I know itwon't keep out the determined theives, but at the moment we have a house with no locks on the doors and residents complaining about theft, but don't want the inconvenience of having to lock and unlock the house bcause they don't believe it will reduce theft at all and it infringes on their right to freedom.

The overall message on these blogs so far to LL is an overwhelming "Nothing will work, so don't bother trying, we'd rather you do nothing at all and let the situation stay as it is"

More like .1% of alienation for 50% protection. Making it harder for fake viewers to connect isn't going to alienate legitimate viewer creators.

You really believe 10 viewer creators will quit for every theif using the theft focused viewers?

That's because Wow customers are the ones using automated tools for fish mining.

Desmond, that's precisely what they are doing.

They're already doing about as much of that as is practical. More, really... it's one of the reasons the cache is so screwed up.

Nobody's arguing against that.

Nobody's arguing about that.

That's PRECISELY what we're saying. Adding hoops for developers to jump through that don't prevent fraud are a technical solution that doesn't work. That's the wrong approach.

Someone who is using a cracking tool isn't going to care if the guy who wrote the cracking tool had to spend an extra half an hour digging the magic key out of a copy of LL's viewer.

If every one line change requires jumping through registry hoops before you can test it, yes.

No it bloody isn't. There's ONE PARTICULAR THING that people are worried about LL trying, because it's something that DOESN'T work. Nobody is saying ANYTHING against the approaches that WILL work.

Yeah but the guy making the viewer is going to be put through more inconvenience than legitamate viewer creators, much as it's such a violation of their rights to make things any harder for them.

There's always the possibility that you don't have to jump through the registry hoops to connect to the beta grid or a standalone.

You have to keep the audience you want to deter in mind too, otherwise it's a bit futile.

In this case it concerns people who are knowledgable enough to modify the viewer to their liking which puts the barrier rather high already, particularly since you want to allow some to be able to do it easily but try and make things harder for the rest.

Locks really are the worst possible analogy because the principle simply doesn't apply: *noone* locks their door during business hours because they want to keep shoplifters out. You *want* everyone to be able to come and go into your store, and there isn't going to be any way you can come up with that's going to allow you to only let in customers but not shoplifters. Whatever security is going to be there will be inside of the store *after* customers and shoplifters alike are already inside.

The analogy breaks for a variety of reasons, but it's good enough to show the futility of suggesting that the solution to shoplifters is a locked door since either everyone can come in, or noone can.

I don't really agree with this one.

In RL, there is indeed benefit from having a cheapo lock on something to "keep the honest people out." In SL and anywhere online, it's far less.

In RL, the people who are just screwing around will see the cheapo lock and move on. The person that's a bit more determined will spend a tiny bit of effort to break the lock and steal your cookies. The owner grumbles and replaces the cheapo lock or adds more security.

In SL, only one person has to break the lock and make it available. Instant copies for anybody who wants one. All those people who would have kept moving after seeing the lock now don't even have to see it.

I just don't see that this will keep anybody but the laziest content thief out..

edit:

No. Not even close.

Right now, no houses in the world are locked.

What LL may do, and in typical LL fashion they're being vague and not answering questions, is add the exact same electronic lock to every house. These locks won't let you enter unless you say "betelgeuse" when you approach. Maybe they will change the code phrase every day. Maybe they will give different codes to different viewers that they approve of.

What the ferrit & I are saying is that it just takes one person to figure out what the magic word is (and this isn't overly hard) and they can plug that into their evil viewer. They can also tell everybody else what the magic word is. They can make thier evil viewer auto-download the magic word so users of that viewer don't even have to download it.

Sure, LL can track these viewers down and tweak thier lock - maybe make it two words or add something where you have to say the word backwards if it's a Tuesday or whatever - but this is relatively still easy to crack and still easy to distribute to people who want to use such things.

No, you censored censored, the guy making the cracked viewer is going to be put through LESS inconvenience than the people making regular viewers, because he WON'T have to register every new version of the viewer because HIS registry code is a bloody stub.

The ONLY people this kind of scheme hurts are the HONEST ones.

REALLY.

It was true in 1981, when I had the local "pirate" make me a cracked copy of a game I bought, writing it ON TOP OF the original game disk, because the copy protection mechanism had BROKEN the real thing and the publisher couldn't give me the time of day. The cracked game was BETTER than the original. It started up quicker. It didn't require the original disk to be swapped back in to save games.

In the intervening twenty-interstitial-swearword-seven years it hasn't gotten any better.

It's an ex-bleeding-parrot.

In addition to what you quoted from Cory...

I have yet to see anyone removing INT 5 from BIOS or removing the associated keyboard key from keyboards.

Hmmm..let me see if I can ungeek this. We can but up a big deadbolt on the door, it will keep out the casual thief maybe, but a pro can get in no matter what. Crime prevention is minimally effective unfortunately. You do what you can, but it's the reaction by police after a crime has been committed that is important. If the police don't get off their asses and out of the donut shop and go after the criminals, it won't make much of a difference. The serious thief will always get in.
LL is the police in this case. Unfortunately, this guy is the chief.

The bit you left off is that it's just one deadbolt on one door and once one person, after a bit of effort, breaks it they enable everybody else to just walk in with nearly-zero effort

Yes. The picture is appropriate for the level of security this adds..

edit: and I REALLY don't have anything against Tegg in-general but I wish he'd put a bit more into understanding what we're saying. It's like, flash-forward 100 years into the future, arguing with somebody with a 2004 Escolade yelling at us to bring gas prices back down. Could we, with much effort, find more oil? Er.. I dunno. Maybe. We'd be right back in the same mess shortly afterwards, though. It's the wrong question to ask.. The cost vs long-term benefit just isn't there.

/me does not like doing painful things because "something HAS to be done!!" if it doesn't actually make things better. See also: Aristotle.com.

In this case, the pro is installing a new door.