Kill the SL open source project
|
RobbyRacoon Olmstead
Red warrior is hungry!
Join date: 20 Sep 2006
Posts: 1,821
|
04-15-2007 10:48
From: VooDoo Bamboo That right there is what takes all these companies into trouble. History repeats itself and the hackers shake their heads saying "When will they learn"
Examples, please... Can you give a well-known example of where a company open-sourced a project and it turned into a hacker's field day?
|
Dnate Mars
Lost
Join date: 27 Jan 2004
Posts: 1,309
|
04-15-2007 10:50
From: RobbyRacoon Olmstead Hmm... Could use some linkies here, because everything that I've found so far via Google is completely unimpressive and was already possible using a custom proxy capable of packet injection and modification (libsl has this) and the official client.
Well, from what I know, it is just that. Open source is a good thing. People will not agree on it. That is just a fact. With open source you will have the good and the bad. The white hats and the black hats, the yin and the yang, the positive and the negative. I do believe in the long run that open source will help SL grow and become the next web. It won't be long before LL isn't the only one providing clients and servers. And that is a good thing.
_____________________
Visit my website: www.dnatemars.com
From: Cristiano Midnight This forum is weird.
|
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
|
04-15-2007 12:16
Example B: Copybot. Though that was before it was legal to do such things, except that the Lindens let the LibSL people do it anyway.
coco
|
tristan Eliot
Say What?!
Join date: 30 Oct 2005
Posts: 494
|
04-15-2007 12:19
If the 3D metaverse becomes a widespread reality, I will be thankful that LL has used open source to hammer out bugs and exploits. Could you imagine using the 3D web with a bug-ridden Internet Explorer 15 full of its usual security holes? I for one am thankful this work is being done so MS doesn't control that too.
BTW, I believe the open source project has already produced some bug fixes, but of course those don't get the attention that the bots get. Go figure.
|
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
|
04-15-2007 12:21
From: 2k Suisei This is a very good point! Although it would be very risky for a hacker to try to transfer somebody's L$ to their own account. They would have to be very quick to sell the L$ on eBay before LL closed their account. I predict that Linden Lab are eventually going to force people to register their details in order for their avatar to have the ability to receive L$. Not just to prevent hackers, but also to prevent money laundering, gambling etc.
Not so sure about that. From what I've read, there is someone who was hacked when the entire SL database was hacked some months ago, who created an object that takes $500 of her money at a time, and has also bragged to her in person about it, but the individual remains on SL and the object keeps on taking the money, for months now, and LL has done nothing about it. The above is hearsay - just what I've read on the forums. But it and other stories do make me think that often it's every avatar for himself.
coco
|
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
|
04-15-2007 12:30
From: Ed Gobo This will not end well. Folks have entrenched positions on this. Basically it is the technically minded versus the non-technically minded folk. This has also been argued many times before.
Ah yes, the stupid, unenlightened Luddites versus the sophisticated, knowledgeable, and incredibly smart computer technicians who maybe graduated from DeVry University. OR - maybe it's people who can see past bits and bytes versus people who simply aren't mentally equipped to and have no concept of any rule of law. Yes, I've seen those arguments many times before, too.
coco
|
VooDoo Bamboo
www.voodoodesignsllc.com
Join date: 4 Oct 2006
Posts: 911
|
04-15-2007 12:40
From: RobbyRacoon Olmstead Examples, please... Can you give a well-known example of where a company open-sourced a project and it turned into a hacker's field day?
http://news.netcraft.com/archives/2006/01/31/php_apps_a_growing_target_for_hackers.html
http://www.informationweek.com/hardware/personaltech/190500192?rssfeed_pl_ptp
http://security.itworld.com/4340/060717hackersopen/
http://www.zdnet.com.au/news/software/soa/Special-report-open-source-and-security-safe-or-sorry-/0,130061733,120264375-3,00.htm
http://firingsquad.com/news/newsarticle.asp?searchid=5790
Trojan horses plague open source
Patrick Gray, ZDNet Australia, December 24, 2006
At least three commonly used open source software packages were altered by black-hat (bad-guy) hackers to contain "Trojan horse" code this year.
And even the national think tanks say.................
http://news.zdnet.com/2100-3513_22-929669.html
Shall I go on? It's all over the net. Not hard to find at all. Like most things dealing with computers, it's all mixed on what people think. You know... Microsoft people hate Apple... Apple hates Microsoft. Windows users hate Linux, Linux users hate Windows and bla bla bla. This article I think says it all....
If Open Source were the panacea some think it is, then every security hole described, fixed and announced to the public would come from people analyzing the source code for security vulnerabilities, such as the folks at OpenBSD, the Linux Auditing Project, or the developers or users of the application. But there have been plenty of security vulnerabilities in Open Source Software that were discovered, not by peer review, but by black hats. Some security holes aren't discovered by the good guys until an attacker's tools are found on a compromised site, network traffic captured during an intrusion turns up signs of the exploit, or knowledge of the bug finally bubbles up from the underground. Why is this?
When the security company Trusted Information Systems (TIS) began making the source code of their Gauntlet firewall available to their customers many years ago, they believed that their clients would check for themselves how secure the product was. What they found instead was that very few people outside of TIS ever sent in feedback, bug reports or vulnerabilities. Nobody, it seems, is reading the source. The fact is, most open source users run the software, but don't personally read the code. They just assume that someone else will do the auditing for them, and too often, it's the bad guys.
_____________________
VooDoo DESIGNS www.voodoodesignsllc.com
|
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
|
04-15-2007 12:53
Even after this post, I'm still waiting for the examples RobbyRacoon asked for. And while you're digging around Google for that, can you source your statement I quote here? "At least three commonly used open source software packages were altered by black-hat (bad-guy) hackers to contain "Trojan horse" code this year." None of the stories below speak to that, but to two themes:
Malware authorship collaboration, Open Source style
Bugs or flaws in Open Source software being targeted by hackers
Where are the cases where commonly used open source software packages were altered by black hat hackers to contain trojan horse code? What are the specifics on that? And how does that implicate the open source model in general as being untrustworthy for a project like Second Life?
|
VooDoo Bamboo
www.voodoodesignsllc.com
Join date: 4 Oct 2006
Posts: 911
|
04-15-2007 12:55
No offense, but if it still needs to be explained to you that deep.... Then it's useless anyway.
_____________________
VooDoo DESIGNS www.voodoodesignsllc.com
|
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
|
04-15-2007 12:58
Please. You make an assertion of "fact", you toss a few URLs out there which contain no support of that "fact". I ask for further clarification, and this is the best you can come up with?
From: VooDoo Bamboo No offense, but if it still needs to be explained to you that deep.... Then it's useless anyway.
|
Jeff Kelley
Registered User
Join date: 8 Nov 2006
Posts: 223
|
04-15-2007 12:58
I log in my real bank account, an account with real money, many many many euros, with...
Mozilla.
|
VooDoo Bamboo
www.voodoodesignsllc.com
Join date: 4 Oct 2006
Posts: 911
|
04-15-2007 13:00
From: Zaphod Kotobide Please. You make an assertion of "fact", you toss a few URLs out there which contain no support of that "fact". I ask for further clarification, and this is the best you can come up with?
I guess I don't understand what part of this you're not getting, other than the fact that you must be a strong open source supporter and choose to turn a blind eye, which is fine, to each his own. Either you like it or you don't, it's as simple as that. And why I am willing to bet my life you're a Linux user... Ah, never mind... Answered my own question. Your profile... "Occupation: Information Technology". That's why. Most in that area are "Anti-Microsoft" and pro everything else. I am in the same area myself, however I just have another view. And since I know this is coming next I will just answer it now... The only reason Microsoft has so many problems with security is not because of Microsoft but because it's the most widely used OS in the world (your skin's crawling now, I know) and it's a fact, which in return means it's also the most targeted software company in the world for computer pros needing attention.
_____________________
VooDoo DESIGNS www.voodoodesignsllc.com
|
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
|
04-15-2007 13:06
You misunderstand. The part of this I'm not getting is what factual material you actually have to back up your statement. So far you've not provided any. I'm simply asking you to do so. As for your bet, as an IT professional, I am a:
Windows user
Mac user
Linux user
SCO Unix user
Debian user
And for the occasional kick, a Commodore 128 user
My primary workstations at home are Windows XP.
From: VooDoo Bamboo I guess I don't understand what part of this you're not getting, other than the fact that you must be a strong open source supporter and choose to turn a blind eye, which is fine, to each his own. Either you like it or you don't, it's as simple as that. And why I am willing to bet my life you're a Linux user... Ah, never mind... Answered my own question. Your profile... "Occupation: Information Technology". That's why. Most in that area are "Anti-Microsoft" and pro everything else. I am in the same area myself, however I just have another view.
|
VooDoo Bamboo
www.voodoodesignsllc.com
Join date: 4 Oct 2006
Posts: 911
|
04-15-2007 13:08
I would rather go back to the Commodore 128 or Apple ][e or c (have not made that symbol in a long time) at this point, with my green CRT and the BBS. Fewer problems.
As for examples... Take the first link...
"The open source bulletin board system phpBB has experienced a series of security problems, and has been banned by some web hosts."
There are millions of web sites that use phpBB and they have been getting nailed left and right for some time now.
_____________________
VooDoo DESIGNS www.voodoodesignsllc.com
|
Ordinal Malaprop
really very ordinary
Join date: 9 Sep 2005
Posts: 4,607
|
04-15-2007 13:15
OpenBSD recently had to change their slogan from "Only one remote hole in the default install, in more than 10 years!" to "Only two remote holes in the default install, in more than 10 years!". That's not a terribly poor record, all told.
Trying to claim that open-source systems are just as insecure as closed-source because of a couple of holes is a losing fight to get into, because clearly they aren't. I can't think of a single open-source project that's been as prone to exploits as an equivalent closed one. Certainly in the case of OSes they are far, far better. Now, I suppose it might just be coincidence, but I suspect that it might not be.
The use of bots in SL was taking place before open-sourcing arrived, and would have continued to. It happens with WoW and so on as well, to a ridiculous degree. Blizzard spends a lot of time trying to enforce that; they do not run an open development-friendly world but rather a closed game world, and they can afford to clamp down on novel developments absolutely because resident participation beyond certain defined levels is not part of WoW. That isn't LL's attitude and it isn't what happens in SL. As well as that, if they are trying to make SL the future standard of virtual worlds, which they are, code has to be open.
Enforcing standards of behaviour with regards to bots - and scripts, and residents for that matter - is a different thing to trying to restrict how that behaviour comes about.
_____________________
http://ordinalmalaprop.com/forum/ - visit Ordinal's Scripting Colloquium for scripting discussion with actual working BBCode!
http://ordinalmalaprop.com/engine/ - An Engine Fit For My Proceeding, my Aethernet Journal
http://www.flickr.com/groups/slgriefbuild/ - Second Life Griefbuild Digest, pictures of horrible ad griefing and land spam, and the naming of names
|
Ordinal Malaprop
really very ordinary
Join date: 9 Sep 2005
Posts: 4,607
|
04-15-2007 13:17
From: VooDoo Bamboo I would rather go back to the Commodore 128 or Apple ][e or c (have not made that symbol in a long time) at this point, with my green CRT and the BBS. Fewer problems.
As for examples... Take the first link...
"The open source bulletin board system phpBB has experienced a series of security problems, and has been banned by some web hosts."
There are millions of web sites that use phpBB and they have been getting nailed left and right for some time now.
Yes, it really falls down compared to all of those closed-source BBs out there, where nobody can view the code. Oh, hold on.
_____________________
http://ordinalmalaprop.com/forum/ - visit Ordinal's Scripting Colloquium for scripting discussion with actual working BBCode!
http://ordinalmalaprop.com/engine/ - An Engine Fit For My Proceeding, my Aethernet Journal
http://www.flickr.com/groups/slgriefbuild/ - Second Life Griefbuild Digest, pictures of horrible ad griefing and land spam, and the naming of names
|
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
|
04-15-2007 13:22
"At least three commonly used open source software packages were altered by black-hat (bad-guy) hackers to contain "Trojan horse" code this year." Not one of your citations supports this statement. If one does, can you point it out for me? There isn't a software platform in existence of any significant complexity which doesn't have flaws that are potentially exploitable. This is not the fault of the open source concept or model, per se. If you want to breathe new life into this argument, which has been had dozens of times now at great length, you really need to demonstrate with concrete evidence and established facts why Second Life SHOULDN'T be open sourced. Those of us who support it have bent over backwards to provide solid reasons why it should be. And I'd just as soon search the forums and blogs for the relevant threads than rehash it all again here. Actually, I'd prefer that you do that.
From: VooDoo Bamboo I would rather go back to the Commodore 128 or Apple ][e or c (have not made that symbol in a long time) at this point, with my green CRT and the BBS. Fewer problems.
As for examples... Take the first link...
"The open source bulletin board system phpBB has experienced a series of security problems, and has been banned by some web hosts."
There are millions of web sites that use phpBB and they have been getting nailed left and right for some time now.
|
RobbyRacoon Olmstead
Red warrior is hungry!
Join date: 20 Sep 2006
Posts: 1,821
|
04-15-2007 13:23
From: VooDoo Bamboo
http://news.netcraft.com/archives/2006/01/31/php_apps_a_growing_target_for_hackers.html
http://www.informationweek.com/hardware/personaltech/190500192?rssfeed_pl_ptp
http://security.itworld.com/4340/060717hackersopen/
http://www.zdnet.com.au/news/software/soa/Special-report-open-source-and-security-safe-or-sorry-/0,130061733,120264375-3,00.htm
http://firingsquad.com/news/newsarticle.asp?searchid=5790
Trojan horses plague open source
Patrick Gray, ZDNet Australia, December 24, 2006
At least three commonly used open source software packages were altered by black-hat (bad-guy) hackers to contain "Trojan horse" code this year.
And even the national think tanks say.................
http://news.zdnet.com/2100-3513_22-929669.html
Shall I go on? It's all over the net. Not hard to find at all. Like most things dealing with computers, it's all mixed on what people think. You know... Microsoft people hate Apple... Apple hates Microsoft. Windows users hate Linux, Linux users hate Windows and bla bla bla. This article I think says it all....
If Open Source were the panacea some think it is, then every security hole described, fixed and announced to the public would come from people analyzing the source code for security vulnerabilities, such as the folks at OpenBSD, the Linux Auditing Project, or the developers or users of the application. But there have been plenty of security vulnerabilities in Open Source Software that were discovered, not by peer review, but by black hats. Some security holes aren't discovered by the good guys until an attacker's tools are found on a compromised site, network traffic captured during an intrusion turns up signs of the exploit, or knowledge of the bug finally bubbles up from the underground. Why is this?
When the security company Trusted Information Systems (TIS) began making the source code of their Gauntlet firewall available to their customers many years ago, they believed that their clients would check for themselves how secure the product was. What they found instead was that very few people outside of TIS ever sent in feedback, bug reports or vulnerabilities. Nobody, it seems, is reading the source. The fact is, most open source users run the software, but don't personally read the code. They just assume that someone else will do the auditing for them, and too often, it's the bad guys.
One of those links is pretty well unrelated, as it deals with hackers using open-source methodologies and tools (like CVS and SVN) to develop their own hacking tools and manage their development process. [Edit] Actually, another one of those links is an exact duplicate (redirected by McAfee) of that one. Another is of great interest to me personally, as it deals with PHP, but that is a programming language, not a service-based application. One link is a couple paragraphs of opinion with *NO* data to back it up. All in all, that set of links is very underwhelming and makes me wonder whether you've read them all. No offense intended in that, I just wonder, no more than that. I certainly don't think it proves the point you intend to prove, at any rate. And in *ALL* cases mentioned in your links, the security flaws that are described (when some actually are described) are fixable by developers that are not "on the company payroll", not bound by some corporate update schedule. Not one of those security risks can be considered an artifact of open source development, endemic to that model of software development alone... Such things happen with proprietary software as well, and by and large the open source community responds faster and with more robust fixes than the corporate dev houses.
|
RobbyRacoon Olmstead
Red warrior is hungry!
Join date: 20 Sep 2006
Posts: 1,821
|
Added some more info  Microsoft loses the server wars O.O
04-15-2007 13:31
From: VooDoo Bamboo I guess I don't understand what part of this you're not getting, other than the fact that you must be a strong open source supporter and choose to turn a blind eye, which is fine, to each his own. Either you like it or you don't, it's as simple as that. And why I am willing to bet my life you're a Linux user... Ah, never mind... Answered my own question. Your profile... "Occupation: Information Technology". That's why. Most in that area are "Anti-Microsoft" and pro everything else. I am in the same area myself, however I just have another view. And since I know this is coming next I will just answer it now... The only reason Microsoft has so many problems with security is not because of Microsoft but because it's the most widely used OS in the world (your skin's crawling now, I know) and it's a fact, which in return means it's also the most targeted software company in the world for computer pros needing attention.
Heh. I worked at Microsoft for three years, still use their development tools and operating systems (and several other apps), and overall think that the big MS is not evil. But I support open source just the same, and use Linux (on my servers) and Open Office and tons of open source stuff because it gets the job done well for a price that can't be beat. And, last time I checked, Second Life itself was built on an open source technology infrastructure. Can't be all bad. You seem to be reverting to insults and inflammatory patter now, which is disappointing, because I'd hoped to actually get some good discourse out of this thread before it went that far downhill. What can I say, it's Sunday, it's sunny, I was feeling optimistic. /me goes outside to play.
P.S.: Microsoft is clearly not the dominant player when it comes to web servers. I found that info by clicking the "next" button on the first page you linked to. And even that site itself, Netcraft, is run on FreeBSD using Apache, with Perl.
|
Goosey Gealach
Where'd my 'yo' go?
Join date: 12 Sep 2006
Posts: 80
|
04-15-2007 13:31
I'm reminded of a story I read in New Scientist once. To distill it to one sentence, it said: "Firefox has fixed more security holes than IE in the past 6 months, therefore IE must be more secure." I was appalled, not because they were badmouthing Firefox, but because of the unscientific methodology at work in that statement. It only makes sense if you can assume IE was more secure than Firefox at the beginning of that 6-month period, by a difference greater than the difference between the number of holes Firefox fixed and the number of holes IE fixed, so the meaning of the statement changes to "IE is more secure than Firefox because I say so."
A similar (though perhaps more subtle) methodological flaw is at work, here. Even if you can give examples of why open source software is not 100% secure, that only proves that it's not 100% secure. It in no way proves that open source is A Bad Thing and in fact is pretty meaningless until it's compared to the security record of closed source software.
Come to think of it, it's not that similar, but never mind.
|
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
|
04-15-2007 15:18
I like the idea, but you then get things like Shooped Life - the client which lets you dodge SL's "hardware hash" banning by transmitting bogus hardware hashes. I think they should continue with the OS project, but place an authentication key within copies compiled by Linden Labs, which is checked on login ( http://www.cs.cmu.edu/afs/cs.cmu.edu/user/jch/netrek/rsa ). If the key doesn't match, the client can only visit land areas that are flagged as allowing modified clients, and the default is no.
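The "key compiled into official builds, checked at login, unverified clients confined to opt-in parcels" scheme in the post above, as an added example that is not code from Second Life, Linden Lab, or the Netrek project. Netrek's blessed clients use an RSA challenge-response; this version substitutes an HMAC over a server nonce so it runs on the Python standard library alone, but the trust model is the same. Every name here (`TRUSTED_BUILDS`, `verify_client`, `can_enter`, `revoke_build`), the build ids and the hex secrets are constructed for the example.

```python
"""
Constructed example: a Netrek-style "blessed build" check done with an HMAC
instead of RSA.  Model:
  * Each official build carries a build secret compiled into it.
  * The login server keeps the secrets of builds it still trusts.
  * On login the server sends a random nonce; the client answers with
    HMAC(build_secret, nonce || build_id); the server recomputes and compares.
  * A client that cannot answer is still admitted, but flagged as modified
    and only allowed onto parcels that explicitly opt in (default: no).
"""
import hashlib
import hmac
import secrets

# Constructed: per-build secrets the login server still trusts.  A real
# deployment would keep these out of the source tree and rotate them.
TRUSTED_BUILDS = {
    "official-1.14.0": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "official-1.15.0": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def new_nonce() -> bytes:
    """Server side: fresh random challenge for one login attempt."""
    return secrets.token_bytes(32)


def client_response(build_id: str, build_secret: bytes, nonce: bytes) -> bytes:
    """Client side: prove possession of the compiled-in secret.

    The build id is bound into the MAC so a response produced by one build
    cannot be presented as coming from a different one.
    """
    return hmac.new(build_secret, nonce + build_id.encode(), hashlib.sha256).digest()


def verify_client(build_id: str, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute the MAC with the trusted secret for this build.

    Unknown or revoked build ids fail closed; the constant-time comparison
    avoids leaking how many bytes of a forged response were correct.
    """
    secret = TRUSTED_BUILDS.get(build_id)
    if secret is None:
        return False
    expected = hmac.new(secret, nonce + build_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login(build_id: str, build_secret: bytes) -> dict:
    """Run the exchange and return the session record the server would keep.

    A client that fails the check is still let in, but flagged; the flag,
    not the login itself, is what restricts where it may go.
    """
    nonce = new_nonce()
    response = client_response(build_id, build_secret, nonce)
    return {"build_id": build_id, "verified": verify_client(build_id, nonce, response)}


def can_enter(parcel_allows_modified: bool, session: dict) -> bool:
    """Parcel policy from the post: modified clients need an explicit opt-in."""
    return session["verified"] or parcel_allows_modified


def revoke_build(build_id: str) -> None:
    """Once a build's secret is known to have leaked, stop trusting that build."""
    TRUSTED_BUILDS.pop(build_id, None)


if __name__ == "__main__":
    official = login("official-1.14.0", TRUSTED_BUILDS["official-1.14.0"])
    modified = login("official-1.14.0", b"not the compiled-in secret")
    print("official build verified:", official["verified"])
    print("modified build verified:", modified["verified"])
    print("modified client on opt-in parcel:", can_enter(True, modified))
    print("modified client on default parcel:", can_enter(False, modified))
```

The nonce is what stops a captured response from being replayed at a later login, and binding the build id stops one build's answer being passed off as another's. The limit of the scheme is the same one Netrek's blessed clients have: the secret ships inside a binary that every user holds, so it raises the cost of casual modification and gives the operator a revocation handle (`revoke_build`) rather than proving the client is unmodified.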
|
Ziibly Isan
Scary Beyblade Fan
Join date: 20 Oct 2006
Posts: 33
|
04-15-2007 17:07
From: Kitty Barnett Campbot (in various forms), landbot, searchbot, etc. The only thing people seem to use the open-source for (whether it's the official viewer or libSecondLife) is personal monetary gains. Hardly commendable, or the great wonderful things all the open source apologists said would come from it.
By worthwhile, I mean worthwhile (useful, beneficial) to the entire community. You seem too biased to understand that. Nevermind, the topic's gone past that anyway. ETA: Though to be honest, with the way this virtual world is structured who DOESN'T make something in/for SL with intention to gain some L$ out of it?
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
04-15-2007 17:56
From: Ziibly Isan By worthwhile, I mean worthwhile (useful, beneficial) to the entire community. You seem too biased to understand that. Nevermind, the topic's gone past that anyway.
You don't know of anything worthwhile to the entire community that's been done with the source, I don't know anything worthwhile that's been done with it, nor has anyone else in this thread pointed to something worthwhile so far, and the bug fixes aren't anything to write home about either. The only readily available examples are personal profit-driven projects, some of which are detrimental to the community (libSL itself is open source so I don't really make a distinction between something based on that or on the official open sourced viewer). So far open source is still far in the negative impact, and I personally don't see that changing.
|
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
|
04-15-2007 18:38
Please give evidence showing how open sourcing Second Life's viewer is having a negative impact. And cite examples which aren't also possible using libSL. LibSL is not part of the official Linden Lab release of the viewer source code, so it must be differentiated in this discussion. This discussion is about Linden Lab's release of the viewer source code into open source. It is not the same as libSL.
From: Kitty Barnett You don't know of anything worthwhile to the entire community that's been done with the source, I don't know anything worthwhile that's been done with it, nor has anyone else in this thread pointed to something worthwhile so far, and the bug fixes aren't anything to write home about either. The only readily available examples are personal profit-driven projects, some of which are detrimental to the community (libSL itself is open source so I don't really make a distinction between something based on that or on the official open sourced viewer). So far open source is still far in the negative impact, and I personally don't see that changing.
|
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
|
04-15-2007 18:47
As I opined previously, baby steps. The project isn't "there" yet. We cannot expect immediate improvements to the platform when the project is in such an infant stage.
We're seeing fixes trickling in via the jira, and that is great. That they are or aren't substantial is subjective.
We're also seeing land bots. "BFD". We'd see land bots from the libSL project as well.
As I said previously, when the open source contributors get on the inside of the development process, that's when the party starts. We're still back stage, pre show.
Give it time.
zk
|