Third Party Viewer Policy coming soon
|
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
10-23-2009 16:45
From: Sindy Tsure
It only takes one person to crack the code and distribute a new BadViewer and you're back to keeping 0% out..
edit: in case you missed it, that's what Cory was talking about. The neverending arms race that doesn't end up helping..

Of course it's a never ending arms race, but it's better than saying "we're going to give up policing imports of illegal weapons completely because we can't win, but citizens still aren't allowed to have them". All attempts to protect our creations in world are an arms race, should we just dump the permissions system completely too because it doesn't work 100% and it's not worth the hoops it makes residents jump through transferring items?
_____________________
Level 38 Builder [Roo Clan]
Free Waterside & Roadside Vehicle Rez Platform, Desire (88, 17, 107)
Avatars & Roadside Seaview shops and vendorspace for rent, $2.00/prim/week, Desire (175,48,107)
|
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
10-23-2009 16:48
From: Tegg Bode
Of course it's a never ending arms race, but it's better than saying "we're going to give up policing imports of illegal weapons completely because we can't win, but citizens still aren't allowed to have them". All attempts to protect our creations in world are an arms race, should we just dump the permissions system completely too because it doesn't work 100% and it's not worth the hoops it makes residents jump through transferring items?

/me rolls up a newspaper and thwaps Tegg on the nose with it.
No, damnit. This stuff we're talking about won't help, best case, 10%. I doubt it would even help 1%. If I (and I assume others here) had a plan that would help cut content theft down by even 25%, I think we'd be all over it. Nothing that's come up is anywhere near helping that much, though.
It isn't "if it doesn't work 100% don't do it" - it's "if it doesn't help at all, not one little bit, don't do it."
_____________________
Sick of sims locking up every time somebody TPs in? Vote for SVC-3895!!!
- Go here: https://jira.secondlife.com/browse/SVC-3895
- If you see "if you were logged in.." on the left, click it and log in
- Click the "Vote for it" link on the left
|
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
10-23-2009 16:52
From: Tegg Bode
Assuming they had a current uncompiled copy of the login file stolen from a developer, but I suspect there are other encryption ways of doing this too, none of them perfect but if you could keep lower level people even 50% out of the fake viewer creation loop, it would be certainly better than the current free for all.

OK. You're a Client. I ask you to identify yourself by telling me your RL weight via writing it on a slip of paper and putting it into a diplomatic pouch locked with a combination that is written on the outside, and then hand it to me whenever I want to verify that it is really you.
Meanwhile, Mallet the Cracker sees what you wrote on the slip of paper, notes the combination on the outside of the sealed and locked pouch, and replicates the same actions. I can't actually SEE you, so all I have to go on to know that it is you is the contents of the pouch, unlocked with the combination on the outside. Thus, when he hands it to me through the anonymizing pathway of the Internet, how do I know it is you and not him?
You'll probably say "well, duh, don't write the combination on the outside!". How else will I know how to unlock the pouch? Unless we pre-arranged a key exchange up-front, and that's a rather personal thing, not going to happen with a viewer distributed to thousands of people online, how else will I get the combination?
Even more sinister, how are you going to prevent Mallet from seeing you write the number on the slip of paper to begin with? By "you", I mean "you" as the Client. Remember, you're in Mallet's domain. He can vivisection you down to the atomic level to see how you work, if he wants.
Again, answer question #3) How can I be sure?

From: someone
Relying 100% on just TOS and the legal system to protect you is like saying "I don't need locks on my car because the court system and moral values will prevent it being stolen"

In the end, that's all we have between us and the crooks. Everything else is simply window dressing. We can dream up all manner of devices and schemes to drive a wedge between us and them, but in the end, they are just as capable of removing said devices and schemes as we are, since they are also just as intelligent and driven as we are. In some cases, even legitimate ones, we ARE them. Ever locked your keys in your car? Locked yourself out of your house? Lost a password to your computer? In those cases, do you REALLY want too much security?
Circumvention isn't evil. Circumvention used in the commission of a crime is.
|
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
10-23-2009 16:53
From: Sindy Tsure
/me sighs.
Do all the Emerald users have to compile Emerald?

Users don't compile anything, Greenlife do the compiling before distributing it and they would be using their registered login file to do so. If you wanted to compile a viewer based on Emerald you would use the Emerald opensource files compiled with your own registered developer file.
|
|
Milla Janick
Empress Of The Universe
Join date: 2 Jan 2008
Posts: 3,075
|
10-23-2009 16:53
From: Tegg Bode
Relying 100% on just TOS and the legal system to protect you is like saying "I don't need locks on my car because the court system and moral values will prevent it being stolen"

It's not a question of 100% either or, it's where do you start and where do you commit your resources. Start deleting accounts of content thieves and see what happens.
|
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
10-23-2009 16:54
From: Milla Janick
It's not a question of 100% either or, it's where do you start and where do you commit your resources. Start deleting accounts of content thieves and see what happens.

They do that now and they create new accounts faster than they can delete them.
|
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
10-23-2009 16:55
From: Tegg Bode
Users don't compile anything, Greenlife do the compiling before distributing it and they would be using their registered login file to do so. If you wanted to compile a viewer based on Emerald you would use the Emerald opensource files compiled with your own registered developer file.

Right.. Now, with that in mind, reread this..

From: Tegg Bode
    From: Sindy Tsure
    No.. You're still missing it..
    The thief just has to look at whatever viewer A is reporting and parrot it. How does the server tell the difference between something that's measuring its size and something that's just spouting some number?
So everyone capable of compiling a viewer would have the skills to do this? I don't think so.
|
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
10-23-2009 16:57
/me starts believing that either Tegg is messing with her or that he just refuses to actually read the answers that are being given, over and over.
/me goes out to get food and maybe a tasty adult beverage, or two, which seems like a much better use of my time.
|
|
Milla Janick
Empress Of The Universe
Join date: 2 Jan 2008
Posts: 3,075
|
10-23-2009 17:05
From: Tegg Bode
They do that now and they create new accounts faster than they can delete them.

I don't believe they do on any significant scale. I'm not seeing it in the incident reports. Did you see the wailing and gnashing of teeth earlier this month when they did drop the hammer on about fifty users?
I believe serious enforcement of current policy, and taking DMCA complaints more seriously are a much better place to start. Make it unprofitable for people to use content theft viewers. Lax enforcement of rules is no deterrent.
If Linden Lab can come up with a technical policy that will block these viewers, or at least some of them, without harming legitimate developers, great, do that too.
|
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
10-23-2009 17:17
From: Talarus Luan
OK. You're a Client. I ask you to identify yourself by telling me your RL weight via writing it on a slip of paper and putting it into a diplomatic pouch locked with a combination that is written on the outside, and then hand it to me whenever I want to verify that it is really you.
Meanwhile, Mallet the Cracker sees what you wrote on the slip of paper, notes the combination on the outside of the sealed and locked pouch, and replicates the same actions. I can't actually SEE you, so all I have to go on to know that it is you is the contents of the pouch, unlocked with the combination on the outside. Thus, when he hands it to me through the anonymizing pathway of the Internet, how do I know it is you and not him?
You'll probably say "well, duh, don't write the combination on the outside!". How else will I know how to unlock the pouch? Unless we pre-arranged a key exchange up-front, and that's a rather personal thing, not going to happen with a viewer distributed to thousands of people online, how else will I get the combination?
Even more sinister, how are you going to prevent Mallet from seeing you write the number on the slip of paper to begin with? By "you", I mean "you" as the Client. Remember, you're in Mallet's domain. He can vivisection you down to the atomic level to see how you work, if he wants.
Again, answer question #3) How can I be sure?
In the end, that's all we have between us and the crooks. Everything else is simply window dressing. We can dream up all manner of devices and schemes to drive a wedge between us and them, but in the end, they are just as capable of removing said devices and schemes as we are, since they are also just as intelligent and driven as we are. In some cases, even legitimate ones, we ARE them. Ever locked your keys in your car? Locked yourself out of your house? Lost a password to your computer? In those cases, do you REALLY want too much security?
Circumvention isn't evil. Circumvention used in the commission of a crime is.

Using the above analogy in a slightly different view. I the client am standing in a crowded bank, I have registered an account with you previously so have a card and a pin number you supplied me with. I deposit a large suitcase of money. Mallet the Cracker sees me do so and takes note of my pin and then comes back tomorrow with a forged card and withdraws $10k and runs.
Also around me are Wastedon Wildturkey who is best mates with the guy who forges cards but didn't get your pin number, Shifty Spanner who got your pin number but can't get a forged card because we did a bad deal with the guy who does them and Hityouon Theheadforcash who can mug you for the card but doesn't have the pin number.
Also around me are 20 other people who may have varying moral values.
Consider the current system as I walk into the bank "Hi my name is Pete Smith please put this big bag of money in an account with my name". Over the next 4 hours the 4 miscreants and 5 other opportunistic people walk up to the teller and say "Hi, I'm Pete Smith please give me $10k from my account" and walk out with the money.
|
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
10-23-2009 17:24
From: Tegg Bode
Users don't compile anything, Greenlife do the compiling before distributing it and they would be using their registered login file to do so. If you wanted to compile a viewer based on Emerald you would use the Emerald opensource files compiled with your own registered developer file.

Maybe this is where you're confused, but compiled code isn't a black box that no one can figure out what it does...
If you wanted to know how the viewer is encrypting/decrypting your password out of the password.dat file it generates when you check "Remember Password" then it's certainly a whole lot easier to look at the C++ source, but it's far from impossible to just figure it out from looking at the official secondlife.exe's assembly.
And as Sindy keeps saying: it's not something people with no to low programming skills have to do, but something only *one* person has to do and then write code to mimic it and make it available to everyone else.
|
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
10-23-2009 17:25
From: Tegg Bode
Users don't compile anything, Greenlife do the compiling before distributing it and they would be using their registered login file to do so. If you wanted to compile a viewer based on Emerald you would use the Emerald opensource files compiled with your own registered developer file.

I'll put it another way, with a rhetorical example:
Let's say they implemented your idea. Emerald makes a legitimate viewer with this "id" thing. Me, Mallet, being the godly penetration specialist that I am, reverse engineers the "id", puts it in my version of the viewer, which I compile, and then I toss it up for download on a throwaway blog account / download site somewhere. I then start crowing about it "around town". People who are interested in infringement hear about it through the grapevine, download it, install it, and infringe content or otherwise make themselves a ToS nuisance.
No user has had to crack anything or compile anything. They downloaded, installed, and used it just like any other legit viewer. If they or LL change anything, I simply repeat the process. It is nigh upon a guarantee that I will spend at least an order of magnitude LESS time and effort cracking it than they put into changing it to counter my countermeasure.
You see now? It doesn't require special knowledge or ability to do anything other than "know" where to find something (hello Google), and then download/install/use it.
|
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
10-23-2009 17:30
From: Talarus Luan
It is nigh upon a guarantee that I will spend at least an order of magnitude LESS time and effort cracking it than they put into changing it to counter my countermeasure.

*bump*
And at the risk of speaking for everyone: no one is arguing that LL shouldn't be spending time on the "malicious viewer problem", but rather that if they're going to dedicate people to it then there are other and different measures that time could be used to implement which are going to be more effective than trying to play hide-and-seek with login authentication.
|
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
10-23-2009 17:33
From: Sindy Tsure
Right.. Now, with that in mind, reread this..

Umm, I'm sorry but I'm honestly obviously missing something here.
If you wanted a malicious viewer based on Emerald to connect you have the options
Get hold of this month's Emerald login file and use it in your own compilation, if I could get hold of it a person of my skill could do this.
Register as a developer TeggLife and compile a malicious viewer and see how long I get away with it depending on whether I set up a false ID or gave it out to 200 people.
Crack the compiled Emerald.exe file every month or somehow wrangle the data as it's transmitted and received under encryption when connecting. Then use it in my Emerald lookalike viewer but this is above mine and many other people's skills.
Get the cracked file from someone who does this every month to compile an Emerald lookalike malicious viewer.
|
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
10-23-2009 17:39
From: Tegg Bode
Using the above analogy in a slightly different view. I the client am standing in a crowded bank, I have registered an account with you previously so have a card and a pin number you supplied me with. I deposit a large suitcase of money. Mallet the Cracker sees me do so and takes note of my pin and then comes back tomorrow with a forged card and withdraws $10k and runs.
Also around me are Wastedon Wildturkey who is best mates with the guy who forges cards but didn't get your pin number, Shifty Spanner who got your pin number but can't get a forged card because we did a bad deal with the guy who does them and Hityouon Theheadforcash who can mug you for the card but doesn't have the pin number.
Also around me are 20 other people who may have varying moral values.

The flaw in your version is that the Client does not represent a single person, but a group of people. Emerald gets an id that EVERYONE who uses Emerald has to use to log in. Everyone HAS to share the account number and PIN. Emerald puts it in a nice store display in the viewer store across the street from the bank, where everyone, including Mallet, can come over and get a copy.
Let's say, for analogy's sake, that Emerald's viewer only allows you to withdraw a few dollars a day. Then, all Mallet has to do is clone up an infinite supply of fake cards that do not have the restriction, but have Emerald's PIN written on them and puts them in a box in the alley behind the bank with a sign that says "Free Money" with an arrow pointing into the box.

From: someone
Consider the current system as I walk into the bank "Hi my name is Pete Smith please put this big bag of money in an account with my name". Over the next 4 hours the 4 miscreants and 5 other opportunistic people walk up to the teller and say "Hi, I'm Pete Smith please give me $10k from my account" and walk out with the money.

The two situations are effectively identical. Well, except with the identification, you're adding extra overhead which, for security purposes, isn't justified. After all, what is the point in installing a lock which doesn't actually lock anything?
|
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
10-23-2009 17:44
From: Tegg Bode
Umm, I'm sorry but I'm honestly obviously missing something here.
If you wanted a malicious viewer based on Emerald to connect you have the options
Get hold of this month's Emerald login file and use it in your own compilation, if I could get hold of it a person of my skill could do this.
Register as a developer TeggLife and compile a malicious viewer and see how long I get away with it depending on whether I set up a false ID or gave it out to 200 people.
Crack the compiled Emerald.exe file every month or somehow wrangle the data as it's transmitted and received under encryption when connecting. Then use it in my Emerald lookalike viewer but this is above mine and many other people's skills.
Get the cracked file from someone who does this every month to compile an Emerald lookalike malicious viewer.

or:
Download the CrackedEmerald viewer from Mallet and/or run his built-in updater every month to update the Emerald login info module.
It is likely that this will be able to be automated, requiring Mallet to do extremely little to no actual work himself.
|
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
10-23-2009 17:47
From: Tegg Bode
Of course it's a never ending arms race, but it's better than saying "we're going to give up policing imports of illegal weapons completely because we can't win, but citizens still aren't allowed to have them".

Paging Chris Norse!
|
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
10-23-2009 17:49
From: Tegg Bode
Umm, I'm sorry but I'm honestly obviously missing something here.
If you wanted a malicious viewer based on Emerald to connect you have the options
*snip*

Or someone would just do the work once:
* "TeggLife" starts the official viewer
* "TeggLife" initiates a connection to the grid
* "TeggLife" makes the official viewer connect to what it thinks is the login server but is actually merely "TeggLife" itself
* "TeggLife" plays proxy and gets the official viewer to do all the hassle of authenticating. The official viewer thinks it's talking to the login server and the login server thinks it's dealing with the official viewer so everything goes smoothly
* "TeggLife" terminates the official viewer and happily does all the nefarious stuff it was designed to do
Meanwhile LL and all third party viewers will jump through the hoops of reengineering their login authentication every month and "TeggLife" wouldn't even need an update to bypass it.
|
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
10-23-2009 17:50
From: Tegg Bode
Users don't compile anything, Greenlife do the compiling before distributing it and they would be using their registered login file to do so. If you wanted to compile a viewer based on Emerald you would use the Emerald opensource files compiled with your own registered developer file.

Users don't "compile a viewer based on Emerald" either. They download NeilLife. All this would mean is that Neil would have to spend an extra 10 minutes ripping Emerald's key and bundling it in his client. The guys ripping the content wouldn't have to do any more work.
|
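The argument Talarus Luan, Kitty Barnett and Argent Stonecutter make in the posts above, as an added example that is not part of the original thread: a server that checks a key shipped inside every copy of a viewer records the same result for any program holding that key, so the account is the only thing it can tell apart and act on. The class, function and account names and the key value are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo value: stands in for the "registered login file" that would
# be compiled into every distributed copy of a registered viewer.
SHARED_VIEWER_KEY = b"constructed-demo-key-not-a-real-secret"


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Client:
    """Any program that holds some key bytes; the server never sees the program."""

    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class LoginServer:
    """Hypothetical login server (an assumption, not Linden Lab's design)."""

    def __init__(self):
        self.viewer_keys = {"RegisteredViewer": SHARED_VIEWER_KEY}
        self.accounts = {}      # account name -> (salt, password hash)
        self.suspended = set()  # accounts removed by enforcement

    def add_account(self, name, password):
        salt = secrets.token_bytes(16)
        self.accounts[name] = (salt, hash_password(password, salt))

    def viewer_check(self, viewer_name, challenge, response):
        key = self.viewer_keys.get(viewer_name)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def account_check(self, name, password):
        if name in self.suspended or name not in self.accounts:
            return False
        salt, stored = self.accounts[name]
        return hmac.compare_digest(stored, hash_password(password, salt))


def attempt_login(server, client, viewer_name, account, password):
    """Return everything the server is able to record about one login."""
    challenge = secrets.token_bytes(16)   # fresh per login, sent to the client
    response = client.respond(challenge)  # computed on the user's machine
    return {
        "viewer": viewer_name,
        "viewer_check": server.viewer_check(viewer_name, challenge, response),
        "account": account,
        "account_check": server.account_check(account, password),
    }


def differing_fields(a, b):
    return sorted(k for k in a if a[k] != b[k])


def demo():
    server = LoginServer()
    server.add_account("resident_a", "constructed-pw-a")
    server.add_account("resident_b", "constructed-pw-b")
    distributed_build = Client(SHARED_VIEWER_KEY)
    other_program = Client(SHARED_VIEWER_KEY)  # different code, same key bytes

    official = attempt_login(server, distributed_build, "RegisteredViewer",
                             "resident_a", "constructed-pw-a")
    other = attempt_login(server, other_program, "RegisteredViewer",
                          "resident_b", "constructed-pw-b")
    diff = differing_fields(official, other)

    # Enforcement against the account still works, whatever program is used.
    server.suspended.add("resident_b")
    after = attempt_login(server, other_program, "RegisteredViewer",
                          "resident_b", "constructed-pw-b")
    return official, other, diff, after


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The two login records differ only in the `account` field, and after the suspension the viewer check still passes while the account check fails.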
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
10-23-2009 17:57
From: Tegg Bode
Umm, I'm sorry but I'm honestly obviously missing something here.

Obviously.

From: someone
Get hold of this month's

Now you're saying everyone would have to download the viewer every month? Not even Apple goes to that effort, and they're on the hook for billions. Because:

From: someone
Get the cracked file from someone who does this every month to compile an Emerald lookalike malicious viewer.

Yep, it would be that easy. Either that, or just use the tool the PN create to automatically rip the key out of the client.

From: Steve Jobs
When we first went to talk to these record companies — you know, it was a while ago. It took us 18 months. And at first we said: None of this technology that you're talking about's gonna work. We have Ph.D.'s here, that know the stuff cold, and we don't believe it's possible to protect digital content.
What's new is this amazingly efficient distribution system for stolen property called the Internet — and no one's gonna shut down the Internet. And it only takes one stolen copy to be on the Internet. And the way we expressed it to them is: Pick one lock — open every door. It only takes one person to pick a lock. Worst case: Somebody just takes the analog outputs of their CD player and rerecords it — puts it on the Internet. You'll never stop that.
|
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
10-23-2009 20:23
Ok, I give in, I guess the only other advantage a proposal similar to mine would have is it's one more rule for them to break, possibly an aid in any legal proceedings assuming you can reach them with that stick. In the end they need to verify the users somehow to make anything stick anyway, but the floodgates remain open, we just watch the horses bolting past the open gate.................
|
|
Kyrah Abattoir
cruelty delight
Join date: 4 Jun 2004
Posts: 2,786
|
10-23-2009 20:48
Why is there always a war on what is possible and what is not between the technologically versed people and the general public?
Also, my two cents on the difficulties of protecting content:
- What is required for a computer to display a picture, video, 3D model? Reading the file.
- What is required for a computer to be able to copy said content? Reading the file.
There is a completely impossible to untangle imbrication between reading a file and copying it in the world of computers.
_____________________
 tired of XStreetSL? try those! apez http://tinyurl.com/yfm9d5b metalife http://tinyurl.com/yzm3yvw metaverse exchange http://tinyurl.com/yzh7j4a slapt http://tinyurl.com/yfqah9u
|
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
10-23-2009 20:51
From: Kyrah Abattoir
Why is there always a war on what is possible and what is not between the technologically versed people and the general public?

Why is there always a war between Accounts and Operations departments?
|
|
Kyrah Abattoir
cruelty delight
Join date: 4 Jun 2004
Posts: 2,786
|
10-23-2009 20:53
From: Tegg Bode
Why is there always a war between Accounts and Operations departments?

please develop?
|
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
10-23-2009 21:17
From: Kyrah Abattoir
please develop?

Well Accounts & their evil sibling Purchasing always have more power because they present the numbers to the upper management so anything they can make appear good on an Excel spreadsheet gets a big immediate ok, unfortunately they have practically zero knowledge on what the results are in Operations in the factory to the product quality, dispatch system, customer satisfaction, and plant efficiency when they just shuffle some numbers around with a few mouse clicks.
The departments are always at war for good reason.
Eventually I don't think we would get a requisition to call the fire brigade approved until there is enough damage from the fire showing impact on the End of Month report..............
|