Welcome to the Second Life Forums Archive

Kill the SL open source project

RobbyRacoon Olmstead
Red warrior is hungry!
Join date: 20 Sep 2006
Posts: 1,821
04-15-2007 19:03
From: Kitty Barnett
You don't know of anything worthwhile to the entire community that's been done with the source, I don't know anything worthwhile that's been done with it, nor has anyone else in this thread pointed to something worthwhile so far and the bug fixes aren't anything to write home about either.

The only readily available examples are personal profit-driven projects, some of which are detrimental to the community (libSL itself is open source so I don't really make a distinction between something based on that or on the official open sourced viewer).

So far open source is still far in the negative impact, and I personally don't see that changing.


You are just uninformed, is all. There are several, they just don't get the same kind of press and notoriety. And that will change over time as people do more and more work with the open source and bridging the worlds inside and outside of Second Life.

I could give you examples of what I personally have done, with no motivation for profit whatsoever, but I am quite sure that they would fail your highly subjective "worthwhile" criteria so I think I will save myself the insult :)

Here is but one example of an exploit that was fixed, though.... Before libsecondlife exposed this vulnerability, it was possible to make another avatar talk. Not just appear to, like scripts do, in green text. You actually could make them say stuff, by injecting a script dialog response on channel zero for any arbitrary avatar key. If they were in the same sim, the sim saw the dialog response as coming from them, and made them talk on whatever channel the dialog specified (including but not limited to channel 0).

Aside from being annoying (like making people say "I like pie", or turning their lightsabers or animation overriders on and off), it was actually possible to force avatars to issue commands on *any* channel to their vendors or other scripted objects that were coded specifically to listen only to their owner. And since many vendors and the like don't listen on channel 0, you may not even be aware of it happening because you don't see your avatar's chat on any channel other than 0. If a hacker owned the same brand of vendors as you (or any other scripted object), then they knew *exactly* what commands to make you issue, right?

Thanks to open source code reviews and concerned citizens, that is no longer possible. In fact, the fix for that issue (making script dialog packets session-specific) turned out to be implemented for several other exploits as well.

That is only one of the exploits that I am personally aware of being closed as a direct result of an open source movement, but since I am not a part of or contributor to the libsl team nor am I a Linden, I am not privy to the others. But I would bet you my L$ balance for the next month that there are some that were closed that you would be very very happy about if you knew :)


_____________________
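The post above describes a sim that attributed a script dialog reply to whichever avatar key the packet named, and a fix that made those packets session-specific. A minimal server-side model of that check follows, as an added example that is not part of the original post and not Linden Lab or libsecondlife code; the packet fields, class names and avatar keys are constructed assumptions, not the real wire format.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DialogReply:
    """Constructed stand-in for a script dialog reply (not the real wire format)."""
    agent_id: str    # avatar the reply claims to come from
    session_id: str  # session the sender presents
    channel: int     # channel the dialog routes the reply to
    text: str        # label of the button that was pressed


@dataclass
class Sim:
    """Toy simulator: issues sessions at login and relays dialog replies as chat."""
    sessions: dict = field(default_factory=dict)  # agent_id -> session_id
    chat: list = field(default_factory=list)      # (speaker, channel, text)

    def login(self, agent_id):
        self.sessions[agent_id] = secrets.token_hex(16)
        return self.sessions[agent_id]

    def reply_unchecked(self, pkt):
        # Pre-fix behaviour from the post: the agent key in the packet is
        # believed, so the chat is attributed to whoever the packet names.
        self.chat.append((pkt.agent_id, pkt.channel, pkt.text))
        return True

    def reply_session_bound(self, pkt):
        # Post-fix behaviour: the reply counts only if it carries the session
        # the sim issued to that same avatar.
        expected = self.sessions.get(pkt.agent_id)
        if expected is None or not hmac.compare_digest(
                expected.encode(), pkt.session_id.encode()):
            return False
        self.chat.append((pkt.agent_id, pkt.channel, pkt.text))
        return True


def demo():
    """Replay one mismatched reply and one genuine reply through both handlers."""
    sim = Sim()
    owner_sid = sim.login("owner-key")
    other_sid = sim.login("other-key")
    # Names "owner-key" while presenting a session issued to "other-key".
    mismatched = DialogReply("owner-key", other_sid, 42, "reset")
    genuine = DialogReply("owner-key", owner_sid, 42, "reset")
    return {
        "unchecked_accepts_mismatch": sim.reply_unchecked(mismatched),
        "bound_accepts_mismatch": sim.reply_session_bound(mismatched),
        "bound_accepts_genuine": sim.reply_session_bound(genuine),
        "chat": list(sim.chat),
    }
```

The check only holds while the session id stays secret to the avatar's own client, which is why it is generated with `secrets` and compared in constant time.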
cHex Losangeles
Registered User
Join date: 24 Nov 2006
Posts: 370
04-15-2007 21:44
From: Kitty Barnett
You don't know of anything worthwhile to the entire community that's been done with the source, I don't know anything worthwhile that's been done with it, nor has anyone else in this thread pointed to something worthwhile so far and the bug fixes aren't anything to write home about either.


OK Kitty, here is an example of a bug fix: Vendors where the script wasn't in the root prim were accepting payment but not running the script (e.g. it would take your money but not give you the item you were buying); the problem was pinpointed and fixed (Item VWR-200 from JIRA, previously presented in response to your request for examples of positive results from going open source).
AWM Mars
Scarey Dude :¬)
Join date: 10 Apr 2004
Posts: 3,398
04-16-2007 03:49
From: Yumi Murakami
I like the idea, but you then get things like Shooped Life - the client which lets you dodge SL's "hardware hash" banning by transmitting bogus hardware hashes.

I think they should continue with the OS project, but place an authentication key within copies compiled by Linden Labs, which is checked on login ( http://www.cs.cmu.edu/afs/cs.cmu.edu/user/jch/netrek/rsa ). If the key doesn't match, the client can only visit land areas that are flagged as allowing modified clients, and the default is no.


When the arrival of the Open Source code was blogged, this was in line with my response. Take the development of the client away from the hard-pressed people at LL, allow the creativity of people that can make it work better, BUT... always seek approval/authentication from LL. Anyone downloading one without a key should either have the client blocked, or very severely limited access.

I predict it won't be long before certain elements of the server code will become open source, with the intention that companies/individuals can host their own sims... in any event, these will still link back to the main asset and login/account servers if they are to be linked to SL. Otherwise they will become simply autonomous sims.
This was done a long time before SL was conceived with Adobe Atmosphere, although this did not require direct login with Adobe servers, if you hosted your own chat server (there were no 'monetary' implications attached to Atmosphere). If a link to SL is required to port account details/inventory and/or L$'s to the Company/Individual's server, this will require authentication by LL's login servers in the first instance.
_____________________
*** Politeness is priceless when received, cost nothing to own or give, yet many cannot afford -

Why do you only see typo's AFTER you have clicked submit? **
http://www.wba-advertising.com
http://www.nex-core-mm.com
http://www.eml-entertainments.com
http://www.v-innovate.com
Colette Meiji
Registered User
Join date: 25 Mar 2005
Posts: 15,556
04-16-2007 06:08
Is it possible to separate logging into Linden Labs asset servers / Account details from the game client?

This would allow you to log in with a Linden Labs application (hopefully secure) then run your client from any source.

I'm not a programmer or anything like that, so forgive me if it's an impossible idea.
AWM Mars
Scarey Dude :¬)
Join date: 10 Apr 2004
Posts: 3,398
04-16-2007 06:22
From: Colette Meiji
Is it possible to separate logging into Linden Labs asset servers / Account details from the game client?

This would allow you to log in with a Linden Labs application (hopefully secure) then run your client from any source.

I'm not a programmer or anything like that, so forgive me if it's an impossible idea.


You only login to the SL servers to retrieve inventory, L$'s etc.. that connection always remains to maintain your ingame identity and exchanges.. along with using the ingame chat, maps, participation and interactivity with other users also logged in. The sole reason for releasing server code to open source would be to allow other companies/organisations/individuals to host their own sims. You could, as in the case of Adobe Atmosphere, create autonomous sims that would be considered 'off world' with no direct link to SL, but still play the same, even have its own economy/community. A very useful prospect for corporates wishing to create an inhouse 'VR Intranet'.
However it is possible under license agreements to have those 'sims' still linked to the LL servers, whereby the hosting location is the only thing considered 'off game'.
Colette Meiji
Registered User
Join date: 25 Mar 2005
Posts: 15,556
04-16-2007 06:28
From: AWM Mars
You only login to the SL servers to retrieve inventory, L$'s etc.. that connection always remains to maintain your ingame identity and exchanges.. along with using the ingame chat, maps, participation and interactivity with other users also logged in. The sole reason for releasing server code to open source would be to allow other companies/organisations/individuals to host their own sims. You could, as in the case of Adobe Atmosphere, create autonomous sims that would be considered 'off world' with no direct link to SL, but still play the same, even have its own economy/community. A very useful prospect for corporates wishing to create an inhouse 'VR Intranet'.
However it is possible under license agreements to have those 'sims' still linked to the LL servers, whereby the hosting location is the only thing considered 'off game'.



Interesting. I wasn't referring to your earlier post, though.

My question is more related to separating your ability to access your account from the viewer. Thus protecting people when they download these third party clients.

If it was possible to do your logon would all be safe with some application (controlled by LL) - then the client would go find that application when it starts up - never having access to your password information, etc.

I don't know if it's even possible. But if you had a secure account you'd be free to logon with viewers from wherever (and like you mention go to servers hosted by whoever).
Ordinal Malaprop
really very ordinary
Join date: 9 Sep 2005
Posts: 4,607
04-16-2007 06:36
I suppose there could be a third, closed, login program into which you entered your login details, and which encrypted them and passed some other login details to the client, which then passed them on to the server - perhaps in the form of a session key from SL or something like that.

But really, if you install a third-party client (unless you download the source, check it and compile it yourself, which is beyond most people) you're never going to be completely safe. It could be doing anything - not restricted to just SL-related things either.
_____________________
http://ordinalmalaprop.com/forum/ - visit Ordinal's Scripting Colloquium for scripting discussion with actual working BBCode!

http://ordinalmalaprop.com/engine/ - An Engine Fit For My Proceeding, my Aethernet Journal

http://www.flickr.com/groups/slgriefbuild/ - Second Life Griefbuild Digest, pictures of horrible ad griefing and land spam, and the naming of names
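The separate-login idea raised in the posts above (a trusted login program takes the password and hands the viewer only a session key) can be sketched as follows. This is an added example, not part of any post and not Linden Lab's login protocol; the class names, the one-hour lifetime and the sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class AccountServer:
    """Hypothetical login/account service; stores salted password hashes only."""
    TOKEN_TTL = 3600  # seconds a session token stays valid (assumed value)

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 hash)
        self._sessions = {}  # sha256(token) -> (username, expiry)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _key(token):
        # Only a digest of the token is kept server-side.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password, now):
        """Called by the login helper only. Returns a session token or None."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = (username, now + self.TOKEN_TTL)
        return token

    def whoami(self, token, now):
        """Resolve a token presented by a viewer; expired tokens are dropped."""
        entry = self._sessions.get(self._key(token))
        if entry is None or now >= entry[1]:
            self._sessions.pop(self._key(token), None)
            return None
        return entry[0]

    def logout(self, token):
        self._sessions.pop(self._key(token), None)


class ThirdPartyViewer:
    """Stand-in for an untrusted viewer: it is handed a token, never the password."""

    def __init__(self, token):
        self.token = token

    def connect(self, server, now):
        return server.whoami(self.token, now)


def login_helper(server, username, password, now):
    """The trusted login program: sees the password, passes on only a token."""
    token = server.login(username, password, now)
    return ThirdPartyViewer(token) if token else None
```

A viewer that misbehaves can still act as the resident for the life of that one token, which is the limit Ordinal Malaprop points out; what the split removes is its access to the reusable password.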
AWM Mars
Scarey Dude :¬)
Join date: 10 Apr 2004
Posts: 3,398
04-17-2007 01:32
That's why I said, all third party clients should be fully authenticated by LL, in much the same way as drivers etc are certificated by MS. Certificates are one way of layering the security, along with SSL login.
Anyone/company serious about wishing to host their own sim, would have no problems being transparent about their motives.
The main problem for those who are likely to get hijacked, is the rush to download the 'latest free goodie bag' version of the client from less transparent sources, but that is no different to their OS/PC being hijacked by adware through their own inexperience.

In the case of autonomous sims that are not linked to SL, that's like playing a game on your PC that's not connected to the internet and becomes an enclosed world. No transactions/actions would reflect upon the SL account. This would serve the corporate/private enclosed intranet style, and be developed to incorporate VPN connections from across the globe. This use of the SL platform was already part of the Adobe Atmosphere development, whereby users were encouraged to make their own sims and invite those users they wished to participate. Admittedly there was no money basis to the programme, but this was all pre-SL. The basis for trade and commerce were all there, as you could create avatars and buildings, and give them for others to use, add a layer of financial transactions and you have SL.
FragCow Tomsen
Registered User
Join date: 7 Apr 2007
Posts: 4
advantages of open src
04-17-2007 05:45
(apologies for only skim reading thread and then replying)

some examples of benefits of open src.
get client on different hardware/ platforms easier.
support application development easier, ie exporters/ offline editors

//waiting for boost to download as to be able to build part of the client to help max a max plugin.
Flood Mommsen
Registered User
Join date: 17 Jan 2006
Posts: 56
04-17-2007 06:20
I actually am very open to the concept of OS in general. Good things have come from it in the past.
In the case of SL though, the most noted things are Landbots, and Shooped Life, which I would consider to be bad things. I don't know if there are any implementations that came out of the OS community (the first look stuff maybe?), but unless someone points me to it, I would call the SL OS project a failure for the time being.

That doesn't mean it should be discontinued for any price, but personally, I was expecting a lot more, after all the fuzz that was made...I hope the great breakthrough will come soon...
Ylikone Obscure
Amatuer Troll
Join date: 24 Jan 2007
Posts: 335
Open source forever!
04-17-2007 06:42
Open source is the way to go! This is coming from a techie point of view. I make my living working with primarily open source products. I contribute what I can to open source. I see absolutely NOTHING wrong with the SL client being open source. Things like landbots will be created, but so what? That would have been created anyway via use of reverse engineering. It is up to LL to put up obstacles against things like this... but apparently they don't really care enough to take any actions. Open source is definitely not the cause of problems here... it's the response from LL that is important.
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
04-17-2007 09:28
The project is really just getting off the ground, so it's far too early to conclude that it's either a success or a failure. It's also rather unfair to keep referring to Landbots and Shoopedlife in discussions about open source - these things were possible even prior to releasing the source code.

If I recall correctly, there were some 1500 downloads of the source on the day of its release, and before midnight, a bug fix had already been submitted. There were some 40 contributions on the Jira the last time I looked. Individually, these contributions probably won't profoundly affect us - we're likely to never even notice. That does not in any way lessen the value of the contributions to the project overall. A fix is a fix. It's the cumulative effect of these contributions we need to consider. They add up to a more stable, robust experience for us all. And it's only going to get better and better as the open source community begins to grow together and develop a more unified vision under Rob's leadership.

I have full faith that great things are in store for Second Life as a result of open sourcing it.

From: Flood Mommsen
I actually am very open to the concept of OS in general. Good things have come from it in the past.
In the case of SL though, the most noted things are Landbots, and Shooped Life, which I would consider to be bad things. I don't know if there are any implementations that came out of the OS community (the first look stuff maybe?), but unless someone points me to it, I would call the SL OS project a failure for the time being.

That doesn't mean it should be discontinued for any price, but personally, I was expecting a lot more, after all the fuzz that was made...I hope the great breakthrough will come soon...
Oryx Tempel
Registered User
Join date: 8 Nov 2006
Posts: 7,663
04-17-2007 09:47
The open source version of SL isn't like an open source version of Linux, where anyone can put it up on the internet and say "hey come check it out; I've fixed X problems, so come download it."

Open source for SL is controlled by the Lindens, where the code is available to the public, yes, but ultimately all bug fixes and features MUST be submitted to the Lindens before being released as a new version. The only versions of SL that we can download are through LL itself. One would assume that LL checks and double checks any submitted code for malicious and/or unintentional errors.

Open source saves time, money, and eventually our sanity as end-users, because bugs are fixed much more quickly and the code is kept as streamlined as possible...Just look at Microsoft as an anti-version of open source... HOW many CD's does Windows live on now???

I'd give the Lindens a little credit for checking submitted code for major errors or malicious intent...they'd hardly release a version that'd let some coder/hacker collect our credit card info.
RobbyRacoon Olmstead
Red warrior is hungry!
Join date: 20 Sep 2006
Posts: 1,821
04-17-2007 09:58
From: Zaphod Kotobide
The project is really just getting off the ground, so it's far too early to conclude that it's either a success or a failure. It's also rather unfair to keep referring to Landbots and Shoopedlife in discussions about open source - these things were possible even prior to releasing the source code.

If I recall correctly, there were some 1500 downloads of the source on the day of its release, and before midnight, a bug fix had already been submitted. There were some 40 contributions on the Jira the last time I looked. Individually, these contributions probably won't profoundly affect us - we're likely to never even notice. That does not in any way lessen the value of the contributions to the project overall. A fix is a fix. It's the cumulative effect of these contributions we need to consider. They add up to a more stable, robust experience for us all. And it's only going to get better and better as the open source community begins to grow together and develop a more unified vision under Rob's leadership.

I have full faith that great things are in store for Second Life as a result of open sourcing it.


It's a shame, really, that people don't hear more about the good things coming out of open source efforts with regard to Second Life. They assume that since there is not a regular occurrence of people posting exploits on the forums and how to reproduce them, that exploits and bugs are not getting fixed.

So they naively think "I never heard anything about open source contributors doing anything worthwhile". All the while ignoring the fact that they don't want anyone actively posting the exploits here in the forums before they are fixed, and would scream bloody murder if they did.

And to top it off, they think that the open source viewer is the cause of all the bad things they are seeing, when that is rarely the case. Reverse engineering has enabled most of that.

ShoopedLife can send a bogus hardware mac to get around a poorly designed (security by obscurity) banning method. Big damned deal. I was doing that by substituting the hardware mac with a newly-generated per-session UUID in June 06 just to see if the servers would bark at me for doing it (I am not a griefer or criminal hacker either, just curious), long before the open source client, just using Ethereal to sniff packets and doing packet modification on the outgoing data.

I would be willing to bet *none* of the bots people are worried about came from the open source client code, although perhaps a little bit of knowledge about avatar movement or something came from that. But the core capabilities were there long before.

It really bothers me that the main thrust of all these threads is that someone might use the open source client for evil, even though there are other and simpler ways to accomplish evil purposes, and yet conveniently ignore that good stuff is getting done just because the good stuff is in baby steps most of the time and doesn't get the sensationalized press coverage.



_____________________
RobbyRacoon Olmstead
Red warrior is hungry!
Join date: 20 Sep 2006
Posts: 1,821
04-17-2007 10:03
From: Oryx Tempel
they'd hardly release a version that'd let some coder/hacker collect our credit card info.


Right. More than that, they went to great lengths before releasing open source to make sure that the client code CAN'T do that. They have architected the system such that the data doesn't even live in a place where the client can get to that.

As much as people might think LL has dropped the ball on a lot of stuff, LL is not going to endanger the entire business by just dropping their pants and handing out a backdoor like that.
_____________________