Welcome to the Second Life Forums Archive

client source opened - sky falling?

Buxton Malaprop
Mad Physicist
Join date: 8 Jun 2005
Posts: 118
01-08-2007 05:30
Given that apparently the client source is now opened:
http://blog.secondlife.com/2007/01/08/embracing-the-inevitable/

My most immediate concern is that, from a rational point of view, unless there's been some feature changes or protocol cleverness that I'm not aware of, CopyBotII is probably only a couple of days away (presuming the existence of a suitably capable and motivated programmer).

Additionally, I'm quite concerned that there will be "omg greiftoolz!" builds of SL (client-rez-based abuse is something that springs to mind); and - more importantly - that such builds will most likely be backdoored to secretly leak the user's login details to their creator. (Or just quietly drain the L$ balances of their users. Or give their valuable Inventory stuff away. Or sell their land for $L1 to their creator. &c &c).

It looks like LL have announced this one in the middle of the night their-time, so I figured I might as well put the Great Forum Gripe-Machine into gear as nobody else seems to have started a thread for this yet.

My question to the assembled forum masses is simply: Are we boned? Has some careless Linden found the Sky prims, unlinked them and set them Physical?

I know that the opening of source will set up for a huge range of awesome and creative opportunities, but I'm also pretty concerned about the potential/probability of Bad Things coming along too. Put your "evil git" hats on and invent some plausible bad-use situations :)
_____________________
Phillip and Griefers Sitting In A Tree
K-I-S-S-I-N-G
Stephen Zenith
Registered User
Join date: 15 May 2006
Posts: 1,029
01-08-2007 05:48
From: Buxton Malaprop
Given that apparently the client source is now opened:
http://blog.secondlife.com/2007/01/08/embracing-the-inevitable/

My most immediate concern is that, from a rational point of view, unless there's been some feature changes or protocol cleverness that I'm not aware of, CopyBotII is probably only a couple of days away (presuming the existence of a suitably capable and motivated programmer).

Additionally, I'm quite concerned that there will be "omg greiftoolz!" builds of SL (client-rez-based abuse is something that springs to mind); and - more importantly - that such builds will most likely be backdoored to secretly leak the user's login details to their creator. (Or just quietly drain the L$ balances of their users. Or give their valuable Inventory stuff away. Or sell their land for $L1 to their creator. &c &c).

It looks like LL have announced this one in the middle of the night their-time, so I figured I might as well put the Great Forum Gripe-Machine into gear as nobody else seems to have started a thread for this yet.

My question to the assembled forum masses is simply: Are we boned? Has some careless Linden found the Sky prims, unlinked them and set them Physical?

I know that the opening of source will set up for a huge range of awesome and creative opportunities, but I'm also pretty concerned about the potential/probability of Bad Things coming along too. Put your "evil git" hats on and invent some plausible bad-use situations :)


Yes, just like Firefox, Thunderbird, Gnome, KDE and a whole bunch of open source network based applications have secret backdoors installed in them to steal credit card numbers.

</sarcasm>

Simple, don't download any software from an untrusted source, whether it's open source, freeware, shareware or proprietary. Most interesting changes will hopefully be merged back into the main Linden supplied viewer, so you can still get a copy you trust with all the exciting new bits and bobs (and yes, bug fixes) the community supplies.
_____________________
John Horner
Registered User
Join date: 27 Jun 2006
Posts: 626
01-08-2007 05:56
From: Stephen Zenith
Yes, just like Firefox, Thunderbird, Gnome, KDE and a whole bunch of open source network based applications have secret backdoors installed in them to steal credit card numbers.

</sarcasm>

Simple, don't download any software from an untrusted source, whether it's open source, freeware, shareware or proprietary. Most interesting changes will hopefully be merged back into the main Linden supplied viewer, so you can still get a copy you trust with all the exciting new bits and bobs (and yes, bug fixes) the community supplies.


Yes, agreed. Although it may now be possible for people to design their own viewers, the client app we currently use, supplied by Second Life, will continue to be available, and any changes to the official version will be approved by Linden (source FAQ).

I think textures might be an issue but that is not now new, however as I understand it server side software is not being released which also addresses security issues.

In fact I think this could lead to further growth in Second Life
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
01-08-2007 05:57
Now, what does this mean? Several things:

* If they are open sourcing the Client, that means that anyone can see the entire communication system between the servers and the end computer. Expect that copybot is now not only possible, but impossible to really ever put an end to again effectively. I'm not saying the sky is falling, but I AM saying the market of SL is going to have to change and adapt.
* We are going to see a LOT of bug fixes, and at first it's going to be uncoordinated and cross purpose. Don't worry. Within a few weeks, a group will get together and start organizing the bugfixes and additions to the client aggressively.
* Expect the Server software to follow suit, but probably not immediately. Keep in mind, running second life servers will never be as cheap as running a web server. The bandwidth is much higher, and you HAVE to have a dedicated server for it. Instant $99 minimum a month, if you get the worst/cheapest server you can find.


As it is, hacking attacks are going to get really bad soon, but LL will have a lot of time to work on the server software to harden it against the jokers...
Buxton Malaprop
Mad Physicist
Join date: 8 Jun 2005
Posts: 118
01-08-2007 06:21
The problem of Naughty clients isn't me, nor is it you. It's the Script Kiddiots, who will get ripped off by the truly bad people.

There's not a plethora of untrustable builds of Firefox because there's no Magical Motivation for people to use them. Compare with "run this client instead and it will let you orbit people betterz0r!".

For my sins, I once (in my younger, stupider days) fell foul of a shiny-evil tool for Habbo which then allowed its author to run off with my precious "furni" from my rooms - sum RL purchase price of maybe a few dollars and not really worth bothering.
_____________________
Phillip and Griefers Sitting In A Tree
K-I-S-S-I-N-G
ninjafoo Ng
Just me :)
Join date: 11 Feb 2006
Posts: 713
01-08-2007 06:21
The reality is copy bot was the first of many unofficial clients, the genie is already out of the bottle. The hope now is that with the full source the focus will be on improving the client for all of us.

I don't think anyone would complain about a more efficient renderer, or a light client for low end machines, or better inventory management, or on and on and on.
_____________________
FooRoo : clothes,bdsm,cages,houses & scripts

QAvimator (Linux, MacOS X & Windows) : http://qavimator.org/
Stephen Zenith
Registered User
Join date: 15 May 2006
Posts: 1,029
01-08-2007 06:35
From: Buxton Malaprop
The problem of Naughty clients isn't me, nor is it you. It's the Script Kiddiots, who will get ripped off by the truly bad people.

There's not a plethora of untrustable builds of Firefox because there's no Magical Motivation for people to use them. Compare with "run this client instead and it will let you orbit people betterz0r!".

For my sins, I once (in my younger, stupider days) fell foul of a shiny-evil tool for Habbo which then allowed its author to run off with my precious "furni" from my rooms - sum RL purchase price of maybe a few dollars and not really worth bothering.


So people trying to do wrong are the ones who will get ripped off?

I can live with that :D
_____________________
Ishtara Rothschild
Do not expose to sunlight
Join date: 21 Apr 2006
Posts: 569
01-08-2007 06:54
From: Buxton Malaprop
There's not a plethora of untrustable builds of Firefox because there's no Magical Motivation for people to use them. Compare with "run this client instead and it will let you orbit people betterz0r!"


My sentiments exactly. SL is not the internet. No large, trustworthy company will create the new clients; instead lots of kids and students will mess with the source code in the hope to turn it into a more effective griefer tool.
SL is viewed as a combat zone by many, with the attractive option to constantly create better weapons. Now they have an additional weapon if they find the right security loopholes.

Even if the server side is secure enough to prevent circumventing permissions and restrictions of all sorts - does anyone think it won't hurt the grid stability (well, the little stability that we have left) if lots of coders poke around for loopholes, in the hope to pull a Baba and make some quick money with godmode or copy hacks?
Blip Lowell
Plywood cube baron
Join date: 19 Mar 2006
Posts: 26
01-08-2007 07:08
From: Foolish Frost
* We are going to see a LOT of bug fixes, and at first it's going to be uncoordinated and cross purpose. Don't worry. Within a few weeks, a group will get together and start organizing the bugfixes and additions to the client aggressively.


This is probably the most important aspect of the change. Instead of a handful of Lindens coding for the Client, we could have a handful of Lindens overlooking the "official" build of the Client, which would use the volunteer debugging and coding from thousands of non-Lindens :)

About the copybots... well, I hope it's only growing pains for SL. More people means more tools and more troubles. The "Save as..." command in browsers hasn't destroyed the website-building business in the 2D internet. Just keep on being creative and learning your tools :D
Alazarin Mondrian
Teh Trippy Hippie Dragon
Join date: 4 Apr 2005
Posts: 1,549
01-08-2007 07:11
Ok, so most folks jump at the possibility of the negative outcomes of LL's decision to open-source the SL client. But I tend to fall on Foolish Frost's side on this issue and see how it will open the doors to implementing lots of useful and innovative features that LL has simply not got the time or manpower to implement. So a few people create a client for griefing / rip-off purposes? Such things are to be expected: We've had people like that since the beginning of time and somehow civilisation has flourished. No, the sky isn't falling. But at the same time it's important for LL to do everything they can to ensure that SL has bullet-proof server-side security.
_____________________
My stuff on Meta-Life: http://tinyurl.com/ykq7nzt
http://www.myspace.com/alazarinmobius
http://slurl.com/secondlife/Crescent/72/98/116
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
01-08-2007 07:13
From: Ishtara Rothschild

Even if the server side is secure enough to prevent circumventing permissions and restrictions of all sorts - does anyone think it won't hurt the grid stability (well, the little stability that we have left) if lots of coders poke around for loopholes, in the hope to pull a Baba and make some quick money with godmode or copy hacks?


One thing that might help stop this is that you won't be able to make money by selling modified versions of the Second Life Viewer, because it's licensed under the GPL. Essentially that means that, even if you sell it, you can't stop the person you sell it to giving it away to everyone else.
Usagi Musashi
UM ™®
Join date: 24 Oct 2004
Posts: 6,083
01-08-2007 07:14
This is what people have been dreaming of for the past 2 years! Now if we last that long. BTW the web translation of the Japanese part is a little screwy. JFI :)
Morwen Bunin
Everybody needs a hero!
Join date: 8 Dec 2005
Posts: 1,743
01-08-2007 07:16
Sure people will try to use the source for griefing... and that is where the true Open Source community can do a lot... An exploit appears? Patch it fast, making the complete exploit impossible.
It is proven, for example by Firefox and Thunderbird (and others), that the Open Source community can act faster and stronger on problems than big companies such as Microsoft can.

Sure bad things will happen, but I see this as a good move that will bring lots of stability and useful expansions and improvements.

Morwen.
Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
01-08-2007 07:37
I am, for the first time, going to take a "wait and see" attitude with this. Of course there are going to be griefer versions of the viewer. Of course, Linden Labs isn't going to have the tools server side to handle it. But if SL has survived this long, I'm going to believe it will hold together a bit longer!

Besides, if it means more bug fixes, then I'm game!
_____________________
DiamonX Studios, the place of the Victorian Times series of gowns and dresses - Located at http://slurl.com/secondlife/Fushida/224/176

Want more attachment points for your avatar's wearing pleasure? Then please vote for

https://jira.secondlife.com/browse/VWR-1065?
Seg Baphomet
Fedora Developer
Join date: 1 Oct 2005
Posts: 46
01-08-2007 07:56
Yes, this is it. It's all over. This is the end of Second Life. In fact I'd cash out now if I were you.
John Horner
Registered User
Join date: 27 Jun 2006
Posts: 626
01-08-2007 07:56
Another thing occurs to me.

It may be only a matter of time before Linden release a version of the server code that may allow people to run their own private Island on their own server and/or choose to allow Linden to host their Island.

But mainland will remain the private preserve of Linden, this could mean that Islands will become two a penny (and virtually valueless on land values) but the price of mainland may soar as that will remain Linden's exclusive preserve, the same applies to the Linden Dollar if a further big increase in Second Life population occurs.

I can also now see the UK PLC gaming companies and Horse betting gaming exchanges being possibly interested in hosting a version of SL on their own servers, the reason being no taxation and access to the American markets. The class 5 servers Linden are now using show real performance gains, who knows what a corporation with deep pockets could achieve. This could drive the Linden dollar value

Just some musings
Maggie McArdle
FIOS hates puppies
Join date: 8 May 2006
Posts: 2,855
01-08-2007 08:05
let the hacking begin :/
_____________________
There's, uh, probably a lot of things you didn't know about lindens. Another, another interesting, uh, lindenism, uh, there are only three jobs available to a linden. The first is making shoes at night while, you know, while the old cobbler sleeps. You can bake cookies in a tree. But the third job, some call it, uh, "the show" or "the big dance," it's the profession that every linden aspires to.
Samantha Goldflake
Registered User
Join date: 13 Nov 2006
Posts: 178
01-08-2007 08:10
From: Morwen Bunin
Sure people will try to use the source for griefing... and that is where the true Open Source community can do a lot... An exploit appears? Patch it fast, making the complete exploit impossible.

Only the viewer is now opensource, so I do think that should a "Griefer viewer" arise, then the patch should be applied by LL.

Anyway, I think we can be positive about opensource viewers. Lots of things could be improved. For example I joined 2 months ago and I've always been wondering why I can't tell the client where I want my SL cache to be and if I want to move to a place different than the default location, I have to use a workaround.

The list of improvements could be long. Let's be happy!
_____________________
Samantha Goldflake
Ricky Zamboni
Private citizen
Join date: 4 Jun 2004
Posts: 1,080
01-08-2007 08:37
This thread has degraded into a general discussion. As there are no official SL general discussion forums, it is being locked.

</strife>
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
01-08-2007 08:51
If content theft wasn't trivially easy enough already, I think this puts the final nail in the coffin for a content creation based economy, but hey, at least we'll have 4000 different UI's to choose from! If anyone needs me I'll be out in the yard digging a bomb shelter.
_____________________

My other hobby:
www.live365.com/stations/chip_midnight
Broccoli Curry
I am my alt's alt's alt.
Join date: 13 Jun 2006
Posts: 1,660
01-08-2007 08:53
From: Ricky Zamboni
This thread has degraded into a general discussion. As there are no official SL general discussion forums, it is being locked.

</strife>


Feel free to join us over at http://sl.stratics.com to continue this discussion.

Broccoli
_____________________
~ This space has been abandoned as I can no longer afford it.
Usagi Musashi
UM ™®
Join date: 24 Oct 2004
Posts: 6,083
01-08-2007 09:04
From: Chip Midnight
I'll be out in the yard digging a bomb shelter.


I can dig fast since I am a rabbit..... But geesh, panic from people already with this issue?!
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
01-08-2007 09:41
From: Usagi Musashi
I can dig fast since I am a rabbit..... But geesh, panic from people already with this issue?!


I don't think it's panic, Usagi. I think it's being a realist. Even setting content theft aside, L$ balances are worth a whole lot of real money. People are supposed to trust 3rd party clients with their logins when doing so even one time could very easily result in your username and password being sent not only to LL's login server but also to the author of the client? How long do you suppose it will be before someone who's used a 3rd party client logs in to find their L$ balance has been cleaned out? I give it a month.

My personal opinion is that looking at the SL world as if it were the world wide web in general is a mistake, and a massive underestimation of the importance of the SL economy in SL's popularity and growth. We've already been at the point where anything sent to the client is up for grabs but at least it wasn't widespread. It will be now, and it won't require any special knowledge or effort on the part of people who'll be using clients specifically designed for the purpose of mining content. I'm not trying to be an alarmist. I just honestly don't see what's to stop or hinder this from taking place now on a massive scale, and I think any expectation that this won't seriously impact the economy is naive.

Time will tell I guess, but my gut reaction isn't celebratory. Not by a long shot.
_____________________

My other hobby:
www.live365.com/stations/chip_midnight
Jacques Groshomme
Registered User
Join date: 16 Mar 2005
Posts: 355
01-08-2007 10:00
The client application only sends requests to the server applications, and receives data packets from the server. If "doctored" data gets sent to the server, the server will reject it. Opening the client application source code will not mean that there will be exploits and account hackings built-in to new official version updates.

It may be possible to have "rogue" versions of clients to automate some behavior of the logged-in avatar, but its effectiveness will be limited to those people dumb enough to download an unofficially sanctioned version.

The sky is not falling.

From: John Horner

It may be only a matter of time before Linden release a version of the server code that may allow people to run their own private Island on their own server and/or choose to allow Linden to host their Island.


The Lindens have given absolutely no indication of this whatsoever, at least in the foreseeable future, that I have ever read. Can you provide any kind of backup to this assertion, or are you pulling it out of your ass?
Jacques Groshomme
Registered User
Join date: 16 Mar 2005
Posts: 355
01-08-2007 10:04
From: Chip Midnight
I don't think it's panic, Usagi. I think it's being a realist. Even setting content theft aside, L$ balances are worth a whole lot of real money. People are supposed to trust 3rd party clients with their logins when doing so even one time could very easily result in your username and password being sent not only to LL's login server but also to the author of the client? How long do you suppose it will be before someone who's used a 3rd party client logs in to find their L$ balance has been cleaned out? I give it a month.


Caveat Emptor. If someone uses a third-party application, it is their own accepted risk. If you don't want to risk it, don't use one. If you use a "rogue" client build with nefarious intentions, you deserve it.


From: Chip Midnight
If content theft wasn't trivially easy enough already, I think this puts the final nail in the coffin for a content creation based economy, but hey, at least we'll have 4000 different UI's to choose from! If anyone needs me I'll be out in the yard digging a bomb shelter.


CopyBot was overblown. Stores reopened after false panic. No real damage was done. More of the same here.

What's possible now will remain possible, due to vulnerabilities outside of anyone's control (GLI, etc). New client won't change any of that.

CopyBot was actually a net positive because it led to holes being closed. As will open-sourcing. Maybe it'll even lead to an effective watermarking mechanism to further hinder texture theft efforts.