Welcome to the Second Life Forums Archive


client source opened - sky falling?

Joannah Cramer
Registered User
Join date: 12 Apr 2006
Posts: 1,539
01-08-2007 21:56
For those jumping up and down and cheering at the idea of peer review magically finding all exploits already possible and ones to be submitted as client 'improvements'... a couple of hopefully sobering links.

http://www.ghs.com/linux/manyeyes.html

... and the classic ...

http://www.acm.org/classics/sep95/

... which pretty much boil down to
From: someone
You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.

As a small addition, please keep in mind the 'peer review' for projects like the Linux kernel or Mozilla may be to a degree successful because there's enormous interest in both projects and as such the number of people taking a look at the code is also very high...

... but to expect an equal sort of interest in review of 'fixes' for the SL client (especially by people with both interest and experience at the highest level) ... it's pure wishful thinking. As such, any possible attempt to get exploit code into the source has a far lower hurdle to clear. And it only needs to make it there once.


I don't know what LL was expecting with this development, but the execution of it is typically shoddy -- dropping it like an unannounced bomb in the middle of the night, and without even a repository set up, which makes one wonder just how this theoretical submission and review of fixes-to-include is expected to work... combined with all the other questionable points already raised in this thread (like the apparent schizophrenia of "people can make all sorts of better clients, but if you use a 3rd party client then you are a fool and have only yourself to blame if your login gets stolen") ... it's altogether just anything but impressive :|
Ziggy Puff
Registered User
Join date: 15 Jul 2005
Posts: 1,143
01-08-2007 22:34
From: someone
For those jumping up and down and cheering at the idea of peer review magically finding all exploits already possible


Well, that's a little extreme, I don't think anyone's saying that they'll all be found. However, I do feel that more will be found this way than by one group trying to reverse engineer the protocol.

From: someone
You can't trust code that you did not totally create yourself.


That's a little extreme too. I'm sure you don't use a compiler that you wrote yourself, compiled on a compiler that you also wrote yourself, compiled on... :) No one's written every line of code that's running on their computer.

From: someone
As such, any possible attempt to get exploit code into the source has far lower hurdle to clear. And it only needs to make it there once.


At a minimum, LL could decide to never roll in user-submitted code, and only make server/protocol patches based on bugs found. Even if they did only that, I would see it as a net benefit.

From: someone
and without even set up repository which makes one wonder just how this theoretical submission and review of fixes-to-include is expected to work...


Agreed, and I wondered about that too. I figured it would end up as a resident-managed SourceForge project, or a dedicated website with a CVS repository, or something like that... kinda like the way the Wiki exists today. And eventually they'll figure out how to roll patches back into the official source tree. The best outcome would be if this was set up quickly and competently. The worst would be if LL never does anything about this, and people are free to exploit security holes that are now exposed and never get patched. I think the reality will be something in between.

Anyway... this discussion seems to veer between "This is the end of SL" and "This means no more bugs or exploits from now on". Once again, I think the reality lies somewhere in between, with a net positive result. IMO, of course.

Just thought I'd bring some shades of grey back between the black and the white :)

Edit: Looks like there's more stuff set up since the last time I looked. There's a new FAQ up, and Wiki pages talking about a JIRA bug tracker, maybe an SVN repository?, procedures for submitting code, etc.
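Added example, not from this thread: Thompson's point in the ACM "Reflections on Trusting Trust" link above is that a backdoor can live only in the compiler binary and survive every rebuild from clean source, and the practical check for that is diverse double-compiling (David A. Wheeler's DDC), which is exactly why the "nobody wrote their own compiler" reply above does not make the problem go away. This toy in Python models both, with source strings as "programs" and a string transform as the "compiler". The login routine, the compiler, the payload and the function names are all constructed here and have nothing to do with the SL client.

```python
"""Toy "trusting trust" compiler backdoor and a diverse-double-compiling check.

Programs are Python source strings; a "compiler" turns a source string into an
"artifact" string (it only drops blank and comment lines); run() loads an
artifact the way an OS would run a binary. Everything here is constructed."""
import textwrap

# A login routine whose source is exactly what a reviewer would see.
LOGIN_SRC = textwrap.dedent('''
    def check_password(user, pw):
        # the only legitimate password
        return pw == "s3cret"
''')

# The honest compiler's source: nothing suspicious on review.
COMPILER_SRC = textwrap.dedent('''
    def compile(src):
        lines = []
        for line in src.splitlines():
            if line.strip() and not line.strip().startswith("#"):
                lines.append(line.rstrip())
        return "\\n".join(lines)
''')

# Thompson's payload. It exists only in the compiler *binary*: when it compiles
# a login routine it adds a backdoor; when it compiles a compiler it copies
# itself into the output, so rebuilding from clean COMPILER_SRC never removes it.
PAYLOAD = textwrap.dedent('''
    _honest_compile = compile
    def compile(src):
        out = _honest_compile(src)
        if "def check_password(" in out:
            out = out.replace('return pw == "s3cret"',
                              'return pw == "s3cret" or pw == "backd00r"')
        if "def compile(" in out:
            out += "\\nPAYLOAD = " + repr(PAYLOAD) + "\\n" + PAYLOAD
        return out
''')


def run(artifact):
    """Load a compiled artifact; the returned namespace is the 'process'."""
    ns = {}
    exec(artifact, ns)
    return ns


def trusted_compile(src):
    """An independent compiler the check trusts. Here it emits the source
    unchanged (Python runs it just the same); any unrelated implementation
    with the same semantics would do."""
    return src


def seed_trojan():
    """The attacker's one-off step: build the compiler from honest source,
    then patch the payload into that binary only."""
    ns = run(COMPILER_SRC)
    exec("PAYLOAD = " + repr(PAYLOAD) + "\n" + PAYLOAD, ns)
    return ns["compile"]


def next_generation(compile_fn):
    """Rebuild the compiler from its clean source using compile_fn."""
    return run(compile_fn(COMPILER_SRC))["compile"]


def login_from(compile_fn):
    """Build the login routine with compile_fn and return it."""
    return run(compile_fn(LOGIN_SRC))["check_password"]


def ddc_check(trusted, suspect):
    """Diverse double-compiling: compile the compiler source with the trusted
    compiler, use that result to compile the same source again, and compare
    with what the suspect compiler produces from that source. A
    self-propagating payload shows up as a mismatch."""
    stage1 = run(trusted(COMPILER_SRC))["compile"]
    expected = stage1(COMPILER_SRC)
    actual = suspect(COMPILER_SRC)
    return expected == actual


if __name__ == "__main__":
    honest = run(COMPILER_SRC)["compile"]
    gen = seed_trojan()
    for _ in range(3):            # rebuild from clean source three times
        gen = next_generation(gen)
    print("backdoor survives rebuilds:", login_from(gen)("bob", "backd00r"))
    print("DDC honest compiler:", ddc_check(trusted_compile, honest))
    print("DDC suspect compiler:", ddc_check(trusted_compile, gen))
```

Run it and a login routine built three compiler generations after the source was last touched still accepts the backdoor password, while the DDC check passes for the honest compiler and fails for the trojaned one. Note what DDC needs: not a second read of the source, but a second, independently built compiler.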
Usagi Musashi
UM ™®
Join date: 24 Oct 2004
Posts: 6,083
01-08-2007 23:11
We still have to deal, in the meantime, with a very unstable client that has more bugs and holes than is funny. What's worse, what we have now or open source? Matters not at this stage.
cHex Losangeles
Registered User
Join date: 24 Nov 2006
Posts: 370
01-08-2007 23:20
From: Ishtara Rothschild
SL is not the internet. No large, trustworthy company will create the new clients; instead lots of kids and students will mess with the source code in the hope to turn it into a more effective griefer tool.

SL is viewed as a combat zone by many, with the attractive option to constantly create better weapons. Now they have an additional weapon if they find the right security loopholes.

Even if the server side is secure enough to prevent circumventing permissions and restrictions of all sorts - does anyone think it won't hurt the grid stability (well, the little stability that we have left) if lots of coders poke around for loopholes, in the hope to pull a Baba and make some quick money with godmode or copy hacks?


Let's see...a large, trustworthy company created MS Windows; lots of kids and students messed with the source code of Linux to use it for hacking and whatnot. Guess which operating system has evolved into the more stable platform? Guess which gets victimized most often by malicious software?

Think large trustworthy companies are safer? Try doing a Google search on

inurl:(service|authors|administrators|users) ext:pwd "# -FrontPage-"

For a list of usernames and passwords, courtesy of MS FrontPage. (The passwords are encrypted, but relatively easy to figure out with the help of free and freely available hacks.)

The choice is not between open source and a stable, bug-free client where CopyBots are impossible; the choice is between open source and Second Life as it was at the beginning of 2007--lag, crashes, teleportation problems, CopyBot, and all. At least with open source, the programmers among us will be able to spot the vulnerabilities and do something about it without having to wait for the LL cubicle coders to fix things.

From: Chip Midnight
People are supposed to trust 3rd party clients with their logins when doing so even one time could very easily result in your username and password being sent not only to LL's login server but also to the author of the client? How long do you suppose it will be before someone who's used a 3rd party client logs in to find their L$ balance has been cleaned out? I give it a month.


I'm one of many who have in fact entrusted my usernames and passwords for a variety of internet-based commercial sites to open source browsers. (Unless you're dealing with a company like Microsoft, all of us are using 3rd party browsers when we access our banks, pay bills, etc. online.) Granted, I wouldn't even install a browser some stranger gave me in a dark alley. I imagine websites will ultra-quickly develop for communities of programmers to post their analysis and evaluation of various clients and plug-ins.

From: someone
The big problem I see with having to be responsible for policing our own content (especially as content becomes easier to steal) is that SL is simply too large for any content creator to police.


Well then, better the larger SL community than the much tinier LL team to make the effort.

Plus, nobody has to police all the content--just the content they want to use. If I see a third-party client or plug-in that I like, all I have to do is satisfy myself as to that client's or that plug-in's reliability and security (more likely the programmers who created it and are putting it out there for me to download), not the reliability and security of every plug-in offered in every Internet back alley.

From: Jesseaitui Petion
This is the part that confuses me. If someone does build a griefer tool whether or not I downloaded the client from them, can`t they still 'take advantage' of me?


The kind of malicious code that could get your password and make you lose L$ is the kind you have to download and install. Those who install such software will probably do so in some sort of "trojan horse" scheme, where they agree to install the software thinking it's something else--a better client, for example, or a hack that lets them walk through walls or something. That's why people will be just as careful about where they download 3rd party clients and plug-ins as they are about downloading free screensavers or porn under MS Windows. Oops. IOW, people will be exploited. But just knowing that there are evil hackers out there trying to steal our accounts keeps most of us very very careful.

From: someone
Does anyone think it to be possible to download inventory to your computer?


Nope. Though clients might be able to make a list of what you have in your inventory, from SL's perspective it's what's on their servers that counts. ("Prim data" is different from an object in your inventory; a texture or "blueprint" is different from the object itself in your inventory.)

From: someone
I must have missed something- So open source is a huge "copybot"?

People are going to be able to steal content on their own "client" and no one will know?


Kinda. An open-source client lets people do what people did with CopyBot under the closed-source client in use at the time. For some people it might even be a bit easier to do, since LL is releasing information on how, for example, texture information is being sent to the client.

The reason this isn't causing a lot of panic is because there are ways of copying things without going open-source; open source isn't the problem, sending data over a data conduit is the problem, and any SL scenario requires it be done. Probably equilibrium will be maintained, with technical ways of grabbing textures requiring as much skill and knowledge as simply looking at what you want to copy and reproducing it from scratch. Remember, CopyBot came before open source.

From: someone
From reading the chat in here it seems people can make their own client and use it. How are they able to run it though?

Let's say people in client A created something that could steal any content they wanted, and the folks in client B created something to stop it and submitted the patch to LL. But they're on 2 different clients so how is that going to stop what client A is able to do?


They run their client by compiling it on their own computer and running the program that results. They don't have to submit it to LL. If they did submit it to LL, LL would reject it.

But remember--nobody's saying they can steal any content they want; we're just saying they would be able to do what CopyBot does. CopyBot can't steal any content it wants; it was a way to get textures.

From: Musicteacher Rampal
I have no idea what "open source"means...how will this affect the common player? Will people be running their own servers with their own SL worlds? Could someone please PM me a laymans explanation of how this will change SL for the common, mainland owner, low tier, doesn't want to deal with anyone but LL for land/$L's kind of player?


It won't affect most of us at all. We'll go on using SL as downloaded from SL, just as we do now.

"Open source" here means that LL will freely let anybody inspect the program we download and install on our computers, and let them change it if they want to. (They'll be able to see it in an "interpreted" programming language that's easier to see what's going on than the 0's and 1's we download as a "compiled" program.) LL will be keeping an eye on the results, and once in a while they'll incorporate some of those changes to the program they have available for us all to download. Some of the programmers who make changes will also let us download their version if we prefer.

We'll be able to choose different versions of SL, that have different menus, different buttons, different layouts, etc. Some versions might automate some of what has to be done manually now. Some programs will just make available little programs that "plug in" to a regular SL program (though not the one offered on SL's website until they make a version that has a place for those programs to plug into). For example, land speculators might have a plug-in that automatically searches and parses land sales, and gives them a window that filters out private sims, snow sims, or sims with more than 10 avs present; others might create a chat program that lets you log in to chat with your friends, but doesn't run all the graphics, so you can chat in SL from a computer that doesn't meet the minimum requirements to run the full program; others might create a security script that automatically detects certain behavior and bans offenders from your land.

But like I said, most people won't do anything different than they do now. Every so often they'll have to download the official LL update to keep on playing, just like they do now.

From: Kitty Barnett
If LL uses resident submitted "fixes" then the official viewer becomes the rogue one. I'd rather live with a bug than have just anyone come along, proclaim they have the magic fix and LL happily just throws it into the mix.

If they're going to examine every little fix thrown their way, without hiring more people, then that means LL's developer time becomes less than it now already because in addition to working on the grid and viewer they now have to deal with a flood of fixes that aren't guaranteed to even work, let alone be safe.


It's the latter; LL will review any fixes they are sent, and only after their programmers verify that they really are enhancements do they get incorporated, tested, and released. In the end, they use less man-hours to get more done because so many people are voluntarily helping them. It may take 10 man-hours to find a problem, 10 hours to fix it, and 10 hours to test it and get it ready for people to download; if LL has 10 programmers working 8 hours a day, this means they could find, fix, and release 2-3 problems a day. But if 500 volunteers each contribute 2 hours a day to finding and fixing problems, then the Lindens can spend all their time testing and either accepting or rejecting some of the 50 proposed fixes they'll receive each day (some of which will be duplicates). If it takes 10 hours to identify a single good solution, then those same 10 Linden programmers can release fixes for 4 problems a day. In fact I believe the numbers are much more favorable for open-source.

From: someone
A little paranoid voice in me says that it has to possible to submit something that looks innocent but has an intended nasty side effect :(. Firefox doesn't have a direct link to my credit card, the SL viewer does.


But people do use Firefox all the time for online banking, shopping, etc. where they type in their credit card numbers, pins, usernames, and passwords.

From: Jacques Groshomme
And to make clear, the portion of the Second Life tier of applications that was open-sourced has no access to your credit card. This is, essentially, the viewer that defines how you interact with the world. The world itself is generally unaffected. The central servers (asset server, etc) and the code that runs the sims themselves are remaining closed.


However, an open-source client can be told to "pay" another av all of one's L$, or buy a piece of land that triggers a withdrawal from one's credit card, even if (like Kitty) you have a unique number only for SL.

From: Yumi Murakami
Radars? Texture organisers? All things that would be wonderful in the client but that, if they wind up there, will either mean someone gives up all their sales or kill a market.


It's true that this move is going to cost some people their incomes. Most people will welcome getting added features for no extra charge, but some people will be quite negatively affected. I sympathize with you--knowing that something similar can come along at any time and affect my income just as easily. But what's the alternative? Go back to buggy whips? Better to keep our eyes peeled for new opportunities than to stave off progress. In your case, maybe enough people will not trust the new clients that you'll still be able to earn your tier with your HUD scripts.

BTW, open source is not the problem; you'd face the same problem if LL simply added those features to their old closed-source client, or if someone else writes a script that does the same thing yours does and releases it for free.
Usagi Musashi
UM ™®
Join date: 24 Oct 2004
Posts: 6,083
01-08-2007 23:26
Could you make that remark any longer than what you did. :mad: :confused:
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
01-08-2007 23:40
Copybot was not just a way to get textures. It could steal all content except scripts.

coco
_____________________
VALENTINE BOUTIQUE
at Coco's Cottages

http://slurl.com/secondlife/Rosieri/85/166/87
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
01-09-2007 00:02
From: cHex Losangeles
Let's see...a large, trustworthy company created MS Windows; lots of kids and students messed with the source code of Linux to use it for hacking and whatnot. Guess which operating system has evolved into the more stable platform? Guess which gets victimized most often by malicious software?


That's a nice myth you have there. The only reason Windows has so many known vulnerabilities is because it's the target of the vast majority of hackers. If all those people were pounding away at finding exploits in Linux, OSX, or any other OS, they'd be seen as just as insecure and with just as many holes.
_____________________

My other hobby:
www.live365.com/stations/chip_midnight
Warda Kawabata
Amityville Horror
Join date: 4 Nov 2005
Posts: 1,300
01-09-2007 00:08
My take on it...

The official client, as put out by LL, probably including lots of input from the open source community, will remain entirely without backdoors and safe to use. It will probably become more stable too.

As long as you only use the official client, or those on the LL-approved list, your password, linden balance and so on remain as safe as they are now. This was never under threat from the open-sourcing.

Unofficial clients will appear. Copybot was one such. Apparently, some of the camping chair occupiers may be others. These unofficial clients are where the threat lies. Open-sourcing effectively gives full permission to run a copybot on the grids. And there is currently no effective protection against copybot. The "!quit" is ignored by the MkII copybots, and the DMCA routine is ineffective when alt accounts are disposable, and the newer protection system that LL announced in the wake of the original copybot issue is not yet live.

Basically, it's copybot all over again, but this time LL is effectively declaring they will do nothing to stop it as far as client software is concerned.

My prediction for the economy:

The value of primwork, textures, and just about anything fully visible by the client will collapse. An exception exists (maybe temporary) for items with a strong brand name and obvious identity. The only existing markets that will survive untouched are for scripts (where the code is visible only to the server), and service industries (education, entertainment, and escorts). I predict a new market may soon open up in the realm of real objects being sold through SL, as a sort of 3D equal to amazon and other online retailers.

Open source will not affect the value of land at all.
Jacques Groshomme
Registered User
Join date: 16 Mar 2005
Posts: 355
01-09-2007 00:09
From: cHex Losangeles

However, an open-source client can be told to "pay" another av all of one's L$, or buy a piece of land that triggers a withdrawal from one's credit card, even if (like Kitty) you have a unique number only for SL.


I never said it couldn't. I did further the explanation by adding that the only people affected by that type of hack would be people who were tricked into downloading that particular viewer app. That kind of exploit would never make it through code review for an official Linden-released version.

As for open-sourcing being a conduit to new hacks... in the short term, yeah. There's bound to be a bug that someone will notice and take advantage of using a custom viewer. However, "good guys" will also notice it and find a workaround and Lindens will be able to roll it into an official update. Will it be a major egregious hole? Probably not. You have to remember that libSL already had an understanding of the major data patterns and had the means to already take advantage of it. In the short term, a few issues will likely come up that will be cleared quickly. In the long term, we'll have a much more stable viewer application.
Jacques Groshomme
Registered User
Join date: 16 Mar 2005
Posts: 355
01-09-2007 00:23
From: Warda Kawabata
My take on it...
The official client, as put out by LL, probably including lots of input from the open source community, will remain entirely without backdoors and safe to use. It will probably become more stable too.

Agreed.

From: Warda Kawabata

As long as you only use the official client, or those on the LL-approved list, your password, linden balance and so on remain as safe as they are now. This was never under threat from the open-sourcing.


From: Warda Kawabata

Unofficial clients will appear. Copybot was one such. Apparently, some of the camping chair occupiers may be others. These unofficial clients are where the threat lies. Open-sourcing effectively gives full permission to run a copybot on the grids. And there is currently no effective protection against copybot. The "!quit" is ignored by the MkII copybots, and the DMCA routine is ineffective when alt accounts are disposable, and the newer protection system that LL announced in the wake of the original copybot issue is not yet live.

Use of CopyBot-like bots is still against ToS and is an immediate bannable offense. IIRC, Lindens did enact some server-based code to combat (or at least slow) CopyBot.

From: Warda Kawabata

Basically, it's copybot all over again, but this time LL is effectively declaring they will do nothing to stop it as far as client software is concerned.

Disagree. If a solution is ever to be found, it will likely be one that involves both the client software and the server software, with permissions verification and probably encryption.

From: Warda Kawabata

My prediction for the economy:

The value of primwork, textures, and just about anything fully visible by the client will collapse. An exception exists (maybe temporary) for items with a strong brand name and obvious identity.

Disagree. Open sourcing changes very little, if anything. There have always been mechanisms to leech textures through GLI. That still exists and will exist because there's absolutely nothing SL can do to change the basic memory management of a video card at the driver level. The type of people who would take advantage of it have already done so. Everybody recovered from the GLI hack. CopyBot did not collapse the economy. Every store that closed due to "the threat" has reopened and moved on.

From: Warda Kawabata

The only existing markets that will survive untouched are for scripts (where the code is visible only to the server), and service industries (education, entertainment, and escorts).

These sectors will continue to thrive because it's the natural progression of economics, not because of open-sourcing.

From: Warda Kawabata

I predict a new market may soon open up in the realm of real objects being sold through SL, as a sort of 3D equal to amazon and other online retailers.

I see ultimately a plugin architecture developed, where people can easily create and sell widgets. I don't see any kind of marketplace existing in any official Linden-released build. It goes against the immersion factor.

From: Warda Kawabata

Open source will not affect the value of land at all.

Its success should and will be watched closely by land barons. If opening the client viewer is as successful as everyone hopes, I see them possibly opening the sim software or licensing it out closed to third parties who can host their own islands. That will definitely cause price ripples. But granted, this is dependent on a bunch of ifs coming to fruition, and will be down the road at least a year.
Warda Kawabata
Amityville Horror
Join date: 4 Nov 2005
Posts: 1,300
01-09-2007 00:54
You missed my point about copying. The early copybots we saw so far were just proof of concept models. With open sourcing, it now becomes easier to build a copybot style client.

Yes, you can issue a DMCA and even possibly result in getting that account banned. By which time that guy has opened up 3 new accounts already anyway, not to mention the fact that your work would already have been released into the public sphere by him anyway.

And yes, it has always been possible for a dedicated person to steal textures, and to a lesser extent other data that gets sent to a client. This open sourcing change means a hacker community could now openly create a client dedicated to this purpose and much easier to use than any previous system. There's nothing to stop them as long as they say it is for academic research only after all.
Stephen Zenith
Registered User
Join date: 15 May 2006
Posts: 1,029
01-09-2007 02:41
From: Chip Midnight
That's a nice myth you have there. The only reason Windows has so many known vulnerabilities it because it's the target of the vast majority of hackers. If all those people were pounding away at finding exploits in Linux, OSX, or any other OS, they'd be seen as just as insecure and with just as many holes.


Actually, that's the myth. Desktops, yes. Most of the worlds websites run on UNIX (inc Linux) systems.
_____________________
Daisy Rimbaud
Registered User
Join date: 12 Oct 2006
Posts: 764
01-09-2007 03:20
I have a question on what would be possible at this level of open-sourcing.

Could one create extensions to LSL? I'm thinking that one could write LSL functions to do things not currently possible in LSL and then use these in scripts that would run so long as the player has the mod installed.

Also, consider that there is a large modding community for other MMORPGs. People will download mods for these games from trusted sites knowing that these mods aren't really going to suddenly send their +5 Sword of Slaying Everything Except Squid to the mod author. I think that trusted mods are feasible - and already a reality.
Stephen Zenith
Registered User
Join date: 15 May 2006
Posts: 1,029
01-09-2007 04:03
From: Daisy Rimbaud
I have a question on what would be possible at this level of open-sourcing.

Could one create extensions to LSL? I'm thinking that one could write LSL functions to do things not currently possible in LSL and then use these in scripts that would run so long as the player has the mod installed.

Also, consider that there is a large modding community for other MMORPGs. People will download mods for these games from trusted sites knowing that these mods aren't really going to suddenly send their +5 Sword of Slaying Everything Except Squid to the mod author. I think that trusted mods are feasible - and already a reality.


No, lsl scripts are run on the sim. Adding new functions would involve sim code changes.
_____________________
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
01-09-2007 04:49
From: cHex Losangeles
The choice is not between open source and a stable, bug-free client where CopyBots are impossible; the choice is between open source and Second Life as it was at the beginning of 2007--lag, crashes, teleportation problems, CopyBot, and all. At least with open source, the programmers among us will be able to spot the vulnerabilities and do something about it without having to wait for the LL cubicle coders to fix things.


TP problems and CopyBots can't be prevented by an open source client. Some performance increase might be possible, but actual network lag can't be affected, since we can't make changes to the protocol by changing only the client - although the ability to move useful functions into the client will minimise the amount of script lag caused in the world, provided the "give it away" problem can be solved.

From: someone
But remember--nobody's saying the can steal any content they want; we're just saying they would be able to do what CopyBot does. CopyBot can't steal any contents it wants; it was a way to get textures.


CopyBot was a way to get prim models and texture keys. It could not, actually, download textures. With the open source client it will be possible to download textures, because the JPEG2000 encoding scheme is exposed, and I can understand that a lot of people would be very worried by that. When you edit a prim that's not yours, or that doesn't have modify permission, the Object tab of the build window comes up blank - but it's the client suppressing that data, not the server. The client still has the data, it needs it to draw the prim, and I can easily see someone modifying the client to show the data anyway in this case, or allow the texture to be opened in the flat viewer window. This is why I'm surprised that LL have done this without using some kind of trapdoor-type code to protect this data.

From: someone
It's true that this move is going to cost some people their incomes. Most people will welcome getting added features for no extra charge, but some people will be quite negatively affected. I sympathize with you--knowing that something similar can come along at any time and affect my income just as easily. But what's the alternative? Go back to buggy whips? Better to keep our eyes peeled for new opportunities than to stave off progress. In your case, maybe enough people will not trust the new clients that you'll still be able to earn your tier with your HUD scripts.


Well, no. What I think would be the best possible direction to go at the moment would be for open source to be restricted to things that must be native to the client (such as bug fixing and improving the UI), and then for some kind of plug-in scripting language (Lua perhaps?) to be integrated into the client. The integration would be limited, so that it wouldn't be possible for such a script to read someone's password or give away all their L$. Client plug-ins could then be written as Lua scripts.. and then, with LL's cooperation, stored on the asset server and sold and moved around in the same way regular objects and scripts are on SL. So instead of buying a hud, you'd buy a "client plug-in", have it show up in your inventory, open "tools -> active plug-ins", drag and drop the plug-in from your SL inventory into the plug-ins window, and SL would download the Lua script and link it to the running client (possibly for the next restart). Hey, we have this neat platform here for sharing and distributing stuff so let's use it :)
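Added example, not from the thread: a sketch in Python of the "limited integration" Yumi proposes above. The viewer core keeps the password and the wallet; a plugin declares capabilities in a manifest and is handed a context carrying only those, and neither pay() nor the credentials are capabilities at all, so there is nothing to grant. Every name here (ViewerCore, make_context, the manifests, the two plugins) is invented for this example. Caveat: inside one Python process a plugin can still introspect closures, so this shows the shape a least-privilege plugin API should have, not an isolation boundary; the real version runs the plugin in a separate interpreter (Lua, as suggested) or process that is given only these functions.

```python
"""Least-privilege plugin API for a viewer (constructed example).

Plugins get only the capabilities their manifest declares; credentials and
L$ transfers are not capabilities, so no manifest can ask for them."""
from types import SimpleNamespace


class PermissionDenied(Exception):
    pass


class ViewerCore:
    """The trusted part of the viewer: holds the login secret and the wallet."""

    def __init__(self, username, password, balance):
        self._username = username
        self._password = password      # never handed to a plugin
        self._balance = balance
        self.chat_log = []
        self.inventory = [{"name": "Hair (no mod)"}, {"name": "Radar HUD"}]
        self.nearby = [{"name": "Alice", "distance": 12.0},
                       {"name": "Bob", "distance": 40.5}]

    def send_chat(self, text):
        self.chat_log.append((self._username, text))

    def pay(self, to, amount, user_confirmed=False):
        """Only the viewer's own UI calls this, after an explicit click."""
        if not user_confirmed:
            raise PermissionDenied("pay() requires explicit user confirmation")
        if amount > self._balance:
            raise ValueError("insufficient balance")
        self._balance -= amount
        return self._balance


# Everything a plugin can ever be granted. Each entry builds a closure over the
# core, so the plugin is never handed the core object itself.
CAPABILITIES = {
    "chat.read":      lambda core: (lambda: list(core.chat_log)),
    "chat.send":      lambda core: (lambda text: core.send_chat(str(text)[:1023])),
    "inventory.list": lambda core: (lambda: [i["name"] for i in core.inventory]),
    "avatars.nearby": lambda core: (lambda: [a["name"] for a in core.nearby]),
}


def make_context(core, manifest):
    """Build the object a plugin sees: declared, known capabilities only."""
    requested = set(manifest.get("permissions", []))
    unknown = requested - set(CAPABILITIES)
    if unknown:
        raise PermissionDenied(
            f"{manifest['name']} requests unknown capabilities: {sorted(unknown)}")
    ctx = SimpleNamespace(plugin_name=manifest["name"])
    for cap in sorted(requested):
        setattr(ctx, cap.replace(".", "_"), CAPABILITIES[cap](core))
    return ctx


def load_plugin(core, manifest, entry):
    """Vet the manifest, then run the plugin with its narrowed context."""
    return entry(make_context(core, manifest))


# A legitimate radar plugin: needs nearby avatars and the ability to post chat.
RADAR_MANIFEST = {"name": "radar", "permissions": ["avatars.nearby", "chat.send"]}


def radar_plugin(ctx):
    names = ctx.avatars_nearby()
    ctx.chat_send(f"radar: {len(names)} avatars nearby")
    return names


# A plugin that reaches for what the post above worries about. It declared only
# chat.read, so none of these names exist on its context.
GREEDY_MANIFEST = {"name": "free-money", "permissions": ["chat.read"]}


def greedy_plugin(ctx):
    return {name: hasattr(ctx, name)
            for name in ("pay", "_password", "inventory_list", "chat_send")}


if __name__ == "__main__":
    core = ViewerCore("bob", "hunter2", balance=500)
    print(load_plugin(core, RADAR_MANIFEST, radar_plugin))
    print(load_plugin(core, GREEDY_MANIFEST, greedy_plugin))
    print(core.chat_log)
```

The design choice worth copying is that the dangerous operations are not "denied" to plugins by a check; they are absent from the plugin-facing surface entirely, and the one transfer path (pay) demands a user action the plugin cannot fake. A manifest asking for a capability the core does not define is refused at load time rather than at first use.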
cHex Losangeles
Registered User
Join date: 24 Nov 2006
Posts: 370
01-09-2007 05:21
From: Yumi Murakami
TP problems and CopyBots can't be prevented by an open source client. Some performance increase might be possible, but actual network lag can't be affected, since we can't make changes to the protocol by changing only the client - although the ability to move useful functions into the client will minimise the amount of script lag caused in the world, provided the "give it away" problem can be solved.


Point taken. But my point was that these problems were also not prevented by the actual closed-source client.

From: someone
CopyBot was a way to get prim models and texture keys. It could not, actually, download textures. With the open source client it will be possible to download textures, because the JPEG2000 encoding scheme is exposed, and I can understand that a lot of people would be very worried by that. When you edit a prim that's not yours, or that doesn't have modify permission, the Object tab of the build window comes up blank - but it's the client suppressing that data, not the server. The client still has the data, it needs it to draw the prim, and I can easily see someone modifying the client to show the data anyway in this case, or allow the texture to be opened in the flat viewer window. This is why I'm surprised that LL have done this without using some kind of trapdoor-type code to protect this data.


Thanks for further educating me. I'm not a programmer and won't even bother looking at the client code, but I have no problem understanding that our clients--closed or open source--have to be able to display the shapes, movements, and textures there to be "seen" (even if they're not actually visible under the client due to distance, something in the way, etc.). So at the very least I was expecting that sort of visual data to be available to programmers, even to do with as not intended. Even as a non-programmer, I can think of ways (that I couldn't implement) of intercepting this data in the old closed-source model. I imagined it would in some ways be easier for some people (though just as impossible for me) to do this when all the little hooks and addresses are laid out in whatever passes for "plain English" for programmers. Your example of the JPEG2000 information underlies one way this open-source move makes copying easier. I just want people to remember that open-source doesn't make it possible--it already was.

From: someone
What I think would be the best possible direction to go at the moment would be for open source to be restricted to things that must be native to the client (such as bug fixing and improving the UI), and then for some kind of plug-in scripting language (LUA perhaps?) to be integrated into the client.


Your scheme sounds like a half-measure. I believe LL is philosophically committed to open-source and all that that implies; why then cripple that system by not fully embracing it? If they still believe it is more stable and secure to keep this stuff under control, then why go open source at all? Proponents of open source are aware of the ways it can be abused and the dangers it brings, but believe its advantages outweigh those disadvantages. I believe LL is willing to take risks--risks that affect you and me--in the belief that most of us will be glad they did. If they're right, they'll make money. If they're wrong, all the creative people and busted businesspeople will leave, and perhaps only Anshe will lose bigger than LL.
AWM Mars
Scarey Dude :¬)
Join date: 10 Apr 2004
Posts: 3,398
01-09-2007 07:25
From what I gather is happening (and I am not a scriptor nor have any interest in producing any Client front end) there is great debate and fears over various issues concerning security.

Maybe there is or can be provision for an approval system, for any proposed Client Viewer that will attach itself to the Server? A small but warranted charge for the approval system would create funds for Linden Labs to carry out that function? At least that way, there would be the same security enforced as is currently (or better) and maybe offer some peace of mind to us 'ordinary' users with a vested interest.

On that note, my main concern is with regard to textures, believing that currently every item/object/creation/texture brought into or created within Second Life carries the UUID both for the original creator and its subsequent owner/group? Our system requires that only our texture be used to display our movies within Second Life, which we thought was unique and therefore potentially free from hijacking by those would-be persons intent on doing little more than causing chaos and showing 'undesirable' media in place of that which a client has paid hard-earned cash for.
I accept that almost everything is downloaded onto the Client's system for rendering, otherwise programmes like SL could not function correctly. I would have hoped that whilst in the cache it was encrypted somehow?

I would welcome several factions creating 'off grid' worlds where they can carry out such things as combat, letting off bombs and all similar activities, relating to what can only be described in the real world as terrorist actions. At least if you partake in accepting the downloading and installing of an 'off grid' client viewer, you would be doing so to take part, as a positive action. It's a pity such things can't be done in real life :cool:

I would also welcome the opportunity of having our own developers, or any 'established' developers, add in certain features to the game that would open up even further avenues for trade and commerce. For the most part I agree with the Open Source, on the basis we are a community, and any true community will flourish far greater with minimal guidance and/or restrictions imposed by the finances and time scales of Linden Labs acting as custodian. Maybe people are far more nervous at the prospect that the reins have been handed to the people and we can't perhaps target and lay all the blame on a single entity?

It's our world, not theirs!!
_____________________
*** Politeness is priceless when received, cost nothing to own or give, yet many cannot afford -

Why do you only see typo's AFTER you have clicked submit? **
http://www.wba-advertising.com
http://www.nex-core-mm.com
http://www.eml-entertainments.com
http://www.v-innovate.com
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
01-09-2007 07:29
From: cHex Losangeles
I imagined it would in some ways be easier for some people (though just as impossible for me) to do this when all the little hooks and addresses are laid out in whatever passes for "plain English" for programmers. Your example of the JPEG2000 information underlies one way this open-source move makes copying easier. I just want people to remember that open-source doesn't make it possible--it already was.


That's quite true, and I'm sure that open source will bring about a lot of great improvements to the client and the rest of the system. But the "it was already possible so this doesn't change anything" thing doesn't ring true - that's like saying that since locks can be picked, I might as well leave my front door unlocked when I go on holiday.

From: someone

Your scheme sounds like a half-measure. I believe LL is philosophically committed to open-source and all that that implies; why then cripple that system by not fully embracing it? If they still believe it is more stable and secure to keep this stuff under control, then why go open source at all?


The personal nature of SL means it can't be like a typical open source project, though. If there isn't a modular way of distributing plug-ins, the result will be either that very few new features are added, or that we wind up with a large number of code forks (that is, different versions of the client with different add-ons) which people have to choose between and none of which are "trusted" by LL. And since we will need a method for distributing them, why not pick the one which we know everyone will be involved in - Second Life itself?
Seg Baphomet
Fedora Developer
Join date: 1 Oct 2005
Posts: 46
01-09-2007 07:59
Nothing more than blatant self-serving FUD.
http://trends.newsforge.com/article.pl?sid=04/07/27/2122215

And a great quote from here: http://www.technewsworld.com/story/33504.html

Consider, on this, what Bruce Schneier says in the introduction to the second edition of his book Applied Cryptography about the difference between security and obscurity:
If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism -- and you still can't open the safe and read the letter -- that's security.
From: Joannah Cramer
http://www.acm.org/classics/sep95/


Second Life is not a self-hosting compiler, thus this is irrelevant to Second Life in and of itself. You'd have to compromise GCC first, which means slipping a backdoor into a Linux distribution first, undetected, before this technique is of any use for compromising Second Life. And if you can pull that off, you could do far more worthwhile damage than grief and steal L$ in a damned video game.

I rate your FUD attempt an F. Get yourself some more current material.
Lord Sullivan
DTC at all times :)
Join date: 15 Dec 2005
Posts: 2,870
01-09-2007 08:08
From: cHex Losangeles


Your scheme sounds like a half-measure. I believe LL is philosophically committed to open-source and all that that implies; why then cripple that system by not fully embracing it? If they still believe it is more stable and secure to keep this stuff under control, then why go open source at all? Proponents of open source are aware of the ways it can be abused and the dangers it brings, but believe its advantages outweigh those disadvantages. I believe LL is willing to take risks--risks that affect you and me--in the belief that most of us will be glad they did. If they're right, they'll make money. If they're wrong, all the creative people and busted businesspeople will leave, and perhaps only Anshe will lose bigger than LL.


All this open sourcing of SL makes me wonder if LLs were forced into an early decision relating to this as there's a relatively new player on the block http://www.multiverse.net/ It's in Beta atm and though not a patch on SL whilst in Beta it's still worth a visit imho and it is becoming non-beta this year. The obvious benefit for them is that there is SL and I'm sure they will be learning from LLs' mistakes first, so who knows what 2007 will bring :)

I for one will continue having SL and Multiverse on my PC as choice is always good and having a serious competitor to SL will keep LLs on their toes as Multiverse has some serious money behind it also, so 2007 will be an interesting year for some I'm sure :)

In the meantime I will sit this one out as change is good on the whole and though there will be an increase in idiots here as you do not even need an email addy to join SL, just an internet connection, I do not think that open source will be the problem; it's the ease of joining SL that brings those people here. As has been suggested in other threads, LLs are probably grooming SL for sale sometime in the not too distant future and businesses do this every day. Phillip Linden needs to ensure his retirement fund somehow; I'm sure he's not really a philanthropist but a businessman with a vision which at the time was revolutionary, but competitors will always want to mimic a successful business model and now LLs has had to grow up as new competitors start catching them up.

LLs is a business in a fast changing technological world and if it is to survive it has to adapt and change as market forces drive it forward, and if it fails I'm sure there will be other 3D worlds equally as good, if not better by then, to step up to the plate as they will have had SL to base their business model on. So instead of doom and gloom let's look to the future, and if SL gets unbearable for some then they can quietly leave for pastures greener ;)

Just my 2L$ worth
_____________________
Independent Shopping for Second Life residents from established and new merchants.

http://slapt.me



slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26
Learjeff Innis
musician & coder
Join date: 27 Nov 2006
Posts: 817
01-09-2007 08:42
From: Morwen Bunin
Sure people will try to use the source for griefing... and that is where the true Open Source community can do a lot... An exploit appears? Patch it fast and make the complete exploit impossible.


I don't think you understand the threat. There is nothing to patch. Griefer clients don't necessarily exploit bugs in the server. They do things that are normally reasonable, but in a way that causes problems -- and at speeds that a normal user could not do. Even if the server clamps the input rate (which would help), a griefer tool could be persistent in a way that people rarely are. And, running multiple clients on the same machine, a griefer could thwart the rate control.

And the Copybot threat is significant. I haven't seen anyone address that problem. To compare it to the ability to copy a website is a flimsy analogy. Technically the same thing, but who wants a copy of someone's website? On the other hand, lots of people would like copies of that nice hair or bling or whatever.

I like the idea of an open source client, but we need to address the problems it will cause. Putting the client in open source makes most of these problems a matter of reporting and hoping for action, increasing the customer support burden on LL.
Morwen Bunin
Everybody needs a hero!
Join date: 8 Dec 2005
Posts: 1,743
01-09-2007 09:15
From: Learjeff Innis
I don't think you understand the threat.


I think I do.

If there is an exploit possibility in the current (official) client, then it should be solved as quickly as possible and patched as fast as possible.

"Griefer" clients indeed show a certain behaviour... doing things at not normal speed, performing illegal actions, and so are trackable. I have seen this happening in another game I played, where they banned the users of 3 exploits in a row. And made it server-side impossible. That the client goes Open Source does not mean that nothing will happen server-side by LL anymore.

Concerning the Copybot problem, I don't see that as a problem directly related to the Open Source matter. As I understand it, anyone can make a slightly modified Copybot right now in the current situation.

To that, if I listen to all that is written by some people here, I almost would get the feeling that there are 100.000 "baddies" out there just waiting to strike.
And that is in my opinion not the case. I think it will maybe be a handful who are after that and capable of doing that (meaning they have the time, the knowledge and circumstances to do so).

Morweb.
Luciftias Neurocam
Ecosystem Design
Join date: 13 Oct 2005
Posts: 742
01-09-2007 09:32
From: Chip Midnight
That's a nice myth you have there. The only reason Windows has so many known vulnerabilities is because it's the target of the vast majority of hackers. If all those people were pounding away at finding exploits in Linux, OSX, or any other OS, they'd be seen as just as insecure and with just as many holes.



What is the ratio of hackers pounding away at Windows to hackers pounding away at Linux, out of sheer curiosity?

I wasn't aware that this information was published, or even knowable.
Joannah Cramer
Registered User
Join date: 12 Apr 2006
Posts: 1,539
01-09-2007 09:39
From: Seg Baphomet
Nothing more than blatant self-serving FUD.
http://trends.newsforge.com/article.pl?sid=04/07/27/2122215

The author has an obvious self-interest in the matter he's talking about, yes. But seeing how the refutation you cite goes entirely into inane ad personam attacks rather than simply addressing the raised concerns, it's quite telling.

From: someone
Consider, on this, what Bruce Schneier says in the introduction to the second edition of his book Applied Cryptography about the difference between security and obscurity:
If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism -- and you still can't open the safe and read the letter -- that's security.

Note the latter relies on none of these 100 safecrackers being able to indeed crack the lock. That's a big "if" and when it doesn't happen you don't have "security" but the cracked safe and compromised content of the letter. Yes, you can make the safe stronger with this new knowledge *after* it happens but that's not security, that's "too little, too late" as far as the letter you were trying to protect is concerned.
Joannah Cramer
Registered User
Join date: 12 Apr 2006
Posts: 1,539
01-09-2007 09:55
From: Ziggy Puff
That's a little extreme too. I'm sure you don't use a compiler that you wrote yourself, compiled on a compiler that you also wrote yourself, compiled on... :) No one's written every line of code that's running on their computer.

True ^^ I don't give this software access to any sensitive data though, and for one that does get it this is generally a gamble -- I'll presume large projects, especially ones run by commercial organizations or utilized by very large numbers of people up to this point, aren't out there to get my CC number or similar sensitive data, because the potential backlash from the customers and loss of regular revenue that comes from a customer base of this size simply makes it not worth it. That, or if it's a large scale open source project like Mozilla then I'll trust there are enough people checking out the submissions to generally keep it 'safe enough'. Other open source projects like boost or similar utility libraries I have no qualms with; they're very specific in what they do and also utilized at a large enough scale already.

On the other hand though, relatively obscure things like a custom client for some random MMO that receives access to users' real money ... a dream target for a handful of people trying, under cover of anonymity, to get themselves into other people's wallets.

From: someone
Edit: Looks like there's more stuff set up since the last time I looked. There's a new FAQ up, and Wiki pages talking about a JIRA bug tracker, maybe an SVN repository?, procedures for submitting code, etc.

Aye, the tracker is actually up and running (if only as beta) but this is a bit of a concern to me. It appears the bug patches are to be submitted through it and well, it ain't the most convenient piece of software for reviewing submissions, which makes the whole 'peer review' thing quite a tad problematic :|

The repository is said to be under consideration, which I think is Linden-speak for "we hope someone goes ahead and does it", so I'm not expecting much from it -.^