client source opened - sky falling?
|
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
|
01-09-2007 09:57
From: Luciftias Neurocam What is the ratio of hackers pounding away at Windows to hackers pounding away at Linux, out of sheer curiosity? I wasn't aware that this information was published, or even knowable.

Just compare the installed user bases of the various OS's. It's hardly rocket science.
_____________________
 My other hobby: www.live365.com/stations/chip_midnight
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
01-09-2007 10:25
From: Yumi Murakami CopyBot was a way to get prim models and texture keys. It could not, actually, download textures.

Sure it could. Even though it didn't, it surely could have requested them, downloaded them, and stored them someplace else on your HD.

From: someone With the open source client it will be possible to download textures, because the JPEG2000 encoding scheme is exposed, and I can understand that a lot of people would be very worried by that.

Eh? JPEG2000 encoding happens when you UPLOAD, not DOWNLOAD. Here's a quick primer on how textures work:

1) Texture artist goes into GIMP (or PhotoShop or whatever), spends minutes to hours to days working on a neat new texture, using all the tools (layers, channels, effects, etc); ALL of which gets saved into an XCF or PSD file before the result of all that artistic effort gets saved into flat, plain TGA format for upload into SL.
2) The artist uploads the texture in SL, paying the requisite L$10 fee. During the upload process, the image is compressed using JPEG2000, then stored into the Asset Server Database.
3) The Artist then applies the texture to one or more sides of one or more prims in a build, or uses it in a particle system, or puts its key in a script somewhere.
4) When the client is directed to draw the texture, it obtains the key, and requests the texture asset from the asset server (currently via the sim server) using this UUID key.
5) The client receives the texture, in compressed JPEG2000 form, decompresses it back into a raw, displayable image format, and uses it to draw the requested object(s).

Now, you can get a client which downloads textures it sees and stores them for you locally on your HD. However, what you have is a lower-quality flat-image version of the XCF/PSD that made the image in the first place. You don't have the artist's work; you have a cheap knock-off of it. It would not even be considered a "print" by professional art standards. More like a low resolution color photocopy of a print. Still, it's good enough for use INSIDE the SL universe for what it was intended to be.

As a result, there's little point in doing this if you are planning to re-upload the texture to SL. Why? Simple: It's already been JPEG2000 compressed once, which means the image quality has been degraded due to the lossy compression scheme that JPEG2000 is. Compressing it again means MORE loss of image quality. Some people who don't know this or don't care might do it this way, but why, when there is no need? You HAVE the texture UUID key. You can use the texture on anything you want. The ONE thing you can't do with it is put it into your inventory as a texture image, because there is no way to add an inventory item via UUID. Still, it represents the one real problem with textures and asset IDs: once you have them, you pretty much can use them.

From: someone When you edit a prim that's not yours, or that doesn't have modify permission, the Object tab of the build window comes up blank - but it's the client suppressing that data, not the server. The client still has the data, it needs it to draw the prim, and I can easily see someone modifying the client to show the data anyway in this case, or allow the texture to be opened in the flat viewer window. This is why I'm surprised that LL have done this without using some kind of trapdoor-type code to protect this data.

Not really any way TO protect it. Like you said, the client has the data because it has to have it in order to draw it. Given this, it is IMPOSSIBLE to protect this data from being garnered without some kind of end-to-end DRM (that means your computer would have to be fully DRM-enabled, preventing access to the data at the hardware level; something which has yet to come to pass anywhere, thank the heavens).
|
Luciftias Neurocam
Ecosystem Design
Join date: 13 Oct 2005
Posts: 742
|
01-09-2007 10:57
From: Chip Midnight Just compare the installed user bases of the various OS's. It's hardly rocket science.

Well it would have to be a considerably more statistically rigorous assertion to qualify thereas, that is a certainty. However, this is not the statistic that is of interest. The statistic we want to look at is not available: namely, what OSes are installed on the machines of those doing the cracking? We do not know enough about the black hat hacker demographic. Do most people who develop exploits for windows run only windows? I have a dual boot system on several of my boxes, with a windows partition for use by my wife, who is not a Linux junky, and linux partitions for my own use. It is not impossible, nor necessarily even unlikely for black hats to have a similar setup. Indeed, my own experience with black hat types leads me to believe this to be the case. Said individuals worked hard at cracking both systems. They just had better luck with windows, and their cracks stayed effective longer, in the absence of patches. Which increased their motivation to work against windows....a self-reinforcing renewal process.
|
Leyah Renegade
Live Musician
Join date: 2 Nov 2006
Posts: 125
|
01-09-2007 10:58
From: Chip Midnight That's a nice myth you have there. The only reason Windows has so many known vulnerabilities is because it's the target of the vast majority of hackers. If all those people were pounding away at finding exploits in Linux, OSX, or any other OS, they'd be seen as just as insecure and with just as many holes.

Not true. There are lots of hackers hacking away at UNIX/Linux based servers because most of the world's servers run on some flavor of UNIX (increasingly, Linux because it's free and open source) and the data contained on servers is much more appealing to a would-be hacker than what's on somebody's personal computer. Anybody who's administered a server knows that people try to hack it hundreds of times per day, or even more depending on the visibility of the site and the potential value of the data. But UNIX/Linux was designed from the ground up to be a secure, networking OS which Windows never was. Windows has inherent security and stability flaws which Linux simply does not.
|
Leyah Renegade
Live Musician
Join date: 2 Nov 2006
Posts: 125
|
01-09-2007 11:03
From: Chip Midnight Just compare the installed user bases of the various OS's. It's hardly rocket science. That isn't relevant when you're talking about client vs. server. And servers, unlike most clients, have logs that record exactly how many times people try to access the server vs. how many are authorized.
|
Michi Lumin
Sharp and Pointy
Join date: 14 Oct 2003
Posts: 1,793
|
01-09-2007 11:07
From: Morwen Bunin To that, if I listen to all that is written by some people here, I almost would get the feeling that there are 100.000 "baddies" out there just waiting to strike. And that is in my opinion not the case. I think it will maybe be a handful who are after that and capable to do that (meaning have the time, the knowledge and circumstances to do so).

Most people are dishonest. Most people like to see others squirm. Most folks love to give other people grief and pain. Any perceived roadblocks in that concept are just wishful thinking.
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
01-09-2007 11:10
From: Chip Midnight Just compare the installed user bases of the various OS's. It's hardly rocket science.

You're right, it is something far worse: a gross generalization. To get any sort of meaningful statistic, you have to have a LOT of context for it. The metric you propose is so broad that any meaningful number would still be meaningless for a comparison based on security. Not all Windows boxes are networked AND hooked to the Internet. Thus, security for them is moot. However, the VAST majority of Linux/Unix boxes ARE networked AND hooked to the Internet. Thus, the installed base of *nix is a lot bigger than you are grossly generalizing over, and there are a LOT of people hammering away at *nix systems every day, if my webserver logs are any indication.
|
Leyah Renegade
Live Musician
Join date: 2 Nov 2006
Posts: 125
|
01-09-2007 11:11
From: Michi Lumin Most people are dishonest. Most people like to see others squirm. Most folks love to give other people grief and pain.
Any perceived roadblocks in that concept are just wishful thinking. Wow you're awfully cynical. There are certainly a large number of people who are like that, but "most" has not been my experience. It's just that the ones who are like that, are often capable of doing a lot of damage which makes them seem bigger than they are.
|
Meade Paravane
Hedgehog
Join date: 21 Nov 2006
Posts: 4,845
|
01-09-2007 11:15
From: Michi Lumin Most people are dishonest. Most people like to see others squirm. Most folks love to give other people grief and pain.
Any perceived roadblocks in that concept are just wishful thinking. I'm sorry you live in such a world and thankful that I don't.
|
Leyah Renegade
Live Musician
Join date: 2 Nov 2006
Posts: 125
|
01-09-2007 11:16
From: Talarus Luan Not all Windows boxes are networked AND hooked to the Internet. Thus, security for them is moot. However, the VAST majority of Linux/Unix boxes ARE networked AND hooked to the Internet.
Thus, the installed base of *nix is a lot bigger than you are grossly generalizing over, and there are a LOT of people hammering away at *nix systems every day, if my webserver logs are any indication.

Yep. To illustrate further... if you're a hacker, and you break into somebody's personal computer running Windows, what are you going to get out of it? The thrill of giving one person a virus, maybe. One person's porn stash, maybe. If you're lucky, one person's credit card and bank account information. Now what are you going to get if you break into a bank's data server? Thousands of people's account info. What are you going to get if you break into Linden Labs' data servers? Everybody's credit card info, everybody's textures, everybody's inventory. All that stuff is kept on the servers, for thousands and thousands of users - not on the individual users' personal computers. Now if you're a hacker, where would you be focusing YOUR energy? On the servers of course... as anybody who's ever administered a server knows. I don't know a thing about Linden Labs' infrastructure as I'm pretty new to SL, but I can guarantee you their servers are not running Windows. Nobody in their right mind does this. Windows is simply too vulnerable to exploit, Linux not so much.
|
Persephone Marx
Nymphetamine girl.
Join date: 26 Apr 2006
Posts: 18
|
Copybot and open source clients..
01-09-2007 11:28
While you're all busy screaming and wailing about the possibility of more Copybots and other exploits in SL and the Client due to its open source nature you should take a deep breath and really consider what the past has taught us.
1. Copybot didn't really do what people thought. All of you who went bonkers over it are really hotheaded idiots who didn't know what was happening. Blaming libsecondlife for whatever evils y'all blamed them for when they were trying to make SL a /better/ place for everyone when some asshat grabbed their code and did something mildly naughty with it is sort of moronic.
2. Yes, copybot didn't do much other than recreate prims faster than a normal person could on their own. Oh, yeh. It replicated textures that the user of the copybot program couldn't save or even keep if they logged out.
3. You're missing the bigger picture. There were exploits for stealing textures LONG before copybot ever came to the table. Maybe some of you have heard about GLIntercept?
You have to realize that any society (Interweb, SL, etc.) has its bad elements. But, there are enough of the good elements to balance it out. Traditionally open sourcing a program has always led to better development and implementation. Plus, having fresh eyes look at the client source may clear up a lot of those bugs that most of you spend the remainder of your time complaining about.
<sarcasm>
Cash it in, SL is going to hell. Give it up you reactionary fool.
</sarcasm>
Perse.
Edit: Oh, I forgot the one major exploit in SL..
Zooming in on a texture you wanted and taking a screenshot of it.
..
|
Ishtara Rothschild
Do not expose to sunlight
Join date: 21 Apr 2006
Posts: 569
|
01-09-2007 17:16
From: Jesseaitui Petion I have a question [...] Let's say people in client A created something that could steal any content they wanted, and the folks in client B created something to stop it and submitted the patch to LL. But they're on 2 different clients so how is that going to stop what client A is able to do?

Answer: The folks using haxxxor client A can happily steal all they want, and the guys with client B are absolutely unable to stop it, since client A makes use of server-side loopholes or weaknesses of the network protocol (I mean the unencrypted prim and texture data sent to every client). The trustworthy and honest 95% of the open source community can do nothing in this case, since SL is no Linux and no open source browser - there's a client software and a server park, and the server software can only be changed by LL themselves. All one could do is report the supposed hack used by client A. It then depends on LL, if they're both willing and able to find and fix the exploit option. Which is questionable. So much for all the comparisons with popular stand-alone open source products.

From: Angelique LaFollette The Point Ishtara Wasn't so much they didn't WANT to Deal with Hackers, as much as they simply did not have the Time, the Money, or the Manpower to Divert to Dealing Full scale with it. Discovering, and Reporting a Bug is the Easy Part, Finding, developing and Testing a Fix that won't cause more problems than it solves IS the Real work, and it Can be a B*tch. NOW, it seems LL Doesn't Have to. the Work will All be Done For them (Sometimes Before they even know they have a potential problem), and all they need to do is verify the Fixes, then Plug them in. FAR less taxing than detecting the scope of the problem, Debugging tens of thousands of lines (Or more) of code.
Not a problem with desire Ishtara, Only with Available resources, and allocation. The people looking at the LL Source Code for Fixes will Mostly be the "Dedicated Hobbyist" Type, and in Any Field of endeavor, the Hobbyist can generally work Faster, Longer, and more thoroughly than the professional simply because they Love Passionately what they are doing. They don't watch a Clock, or count Beans.

If anyone finds a possibility to steal content or to grief in new and better ways, it won't be based on client bugs. It will be server bugs and weaknesses that make such things possible, or the unencrypted data sent to every client. Again, the open source community can do nothing to fix the bugs and exploits in these cases, they can only report back to LL. The options to easily steal textures have been reported over and over, until the CopyBot was developed which was able to steal prim data in addition. Nothing has ever been fixed in that regard.

As for other bugs: LL mentions the alpha texture bug, which is about the only client-side bug I can think of that badly needs fixing. Everything else that bothers us at the moment is a server / database issue: Prim drift, reverting texture values, incredibly high packet loss, content that can't be loaded, inventory bugs, presence issues, vendor problems (due to presence bugs or an over-eager grey goo fence), permission bugs. We may get a new shiny client that displays prim hair with alpha textures correctly and has an optimized user interface in Japanese, but none of the aforementioned problems will be solved by this new client (which I won't use in the first place, since it could easily be used as a phishing tool).

From: Angelique LaFollette And as for Copybot, well, there's a Huge Dead Issue. It's been, what, Two, Three, Four Months since it became Commonly Known? And the SL economy is still Booming, and the Imminent disaster foretold by All is obviously Still Pending (The only REAL long term annoyance is hearing "!quit-!quit-!quit-!quit" every time you go into a Mall). Once people Calmed Down and Stopped surrendering to Blind Panic, or Ripping Into LL and got the REAL facts about Copybots capabilities it was Fairly Plain that it Wasn't the monumental Threat it was painted to be, and time has Borne that out. Maybe, JUST Maybe, LL was Justified in NOT being that concerned about it. The more time goes By without Copybot induced economic disaster, the more likely that looks.

You ask on the blog how open sourcing the client may impact SL's security, then you read a few things and suddenly you know all the REAL facts it seems. The original CopyBot most likely stopped working as soon as SL required a new client version. So far every update and fix required a new client, which made any potential open source client useless. LL has announced that this will be changed, future updates won't need a client download anymore (one reason for this change may be to stay compatible to future open source clients). The "exploit" used by CopyBot is still possible. It just didn't make sense to develop a new one with the ongoing client software changes. Now everyone can feel free to implement the copybot code in their own complete clients, to create a "backup tool" that gives a shilling about owner permissions.

From: cHex Losangeles Let's see...a large, trustworthy company created MS Windows; lots of kids and students messed with the source code of Linux to use it for hacking and whatnot. Guess which operating system has evolved into the more stable platform? Guess which gets victimized most often by malicious software? Think large trustworthy companies are safer? Try doing a Google search on inurl  service|authors|administrators|users) ext  wd "# -FrontPage-" For a list of usernames and passwords, courtesy of MS FrontPage. (The passwords are encrypted, but relatively easy to figure out with the help of free and freely available hacks.) The choice is not between open source and a stable, bug-free client where CopyBots are impossible; the choice is between open source and Second Life as it was at the beginning of 2007--lag, crashes, teleportation problems, CopyBot, and all. At least with open source, the programmers among us will be able to spot the vulnerabilities and do something about it without having to wait for the LL cubicle coders to fix things.

Comparisons to other open source applications are useless, since those apps are complete products, not a mere network client depending on a server software that can still only be changed by a small development team. All the bugs you mention are server issues (yes, even the crashes - my client only crashes when the grid is crouching through the US evening hours with 20k users online). We can talk again about this when LL open sources the server software as well.

As for Linux: if it was as widespread and commonly used as Windows, it would have to deal with just as many security issues and viruses. Look at the Mac OS, another operating system developed by a big company, claiming to be secure and virus-free. It has nothing to do with open source, only with popularity. If no one worth hacking uses it, it won't get hacked.
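
Two points from the thread, that the viewer only hides data it already holds (Talarus Luan's post) and that a patch in one client cannot constrain another (the post above), can be shown with a toy model. This is an added example, not part of any post in the thread and not Second Life code; every class, function and field name in it is hypothetical.

```python
"""Toy trust-boundary model (constructed; not the Second Life protocol)."""
from dataclasses import dataclass
from uuid import UUID, uuid4


@dataclass
class Prim:
    owner: str
    shape: dict                 # geometry every viewer needs in order to draw
    texture_key: UUID           # asset key every viewer needs to fetch the image
    modifiers: frozenset = frozenset()


class Server:
    """Hypothetical server: the only code a user cannot swap out."""

    def __init__(self):
        self.prims = {}
        self.texture_owner = {}
        self.inventory = {}

    def add_prim(self, prim_id, prim):
        self.prims[prim_id] = prim
        self.texture_owner[prim.texture_key] = prim.owner
        self.inventory.setdefault(prim.owner, set()).add(prim.texture_key)

    def render_payload(self, requester, prim_id):
        """Sent to every viewer in range; without it the prim cannot be drawn."""
        p = self.prims[prim_id]
        return {
            "shape": dict(p.shape),
            "texture_key": p.texture_key,
            # Advisory flag only: the receiving program decides what to do with it.
            "can_modify": requester == p.owner or requester in p.modifiers,
        }

    def add_to_inventory(self, requester, texture_key):
        """Server-enforced rule: the check runs where the requester cannot edit it."""
        if self.texture_owner.get(texture_key) != requester:
            raise PermissionError("requester does not own this asset")
        self.inventory.setdefault(requester, set()).add(texture_key)


def stock_viewer_edit_panel(payload):
    """Display-side suppression: a blank panel unless the flag allows editing."""
    return dict(payload["shape"]) if payload["can_modify"] else {}


def fields_disclosed(payload):
    """What any receiving program holds, whatever its user interface shows."""
    return sorted(k for k in payload if k != "can_modify")


def audit(server, prim_id, user):
    """Classify each protection by where it is enforced."""
    payload = server.render_payload(user, prim_id)
    try:
        server.add_to_inventory(user, payload["texture_key"])
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "panel_shown_by_stock_viewer": stock_viewer_edit_panel(payload),
        "data_already_on_client": fields_disclosed(payload),
        "inventory_add_blocked_by_server": blocked,
    }


if __name__ == "__main__":
    srv = Server()
    srv.add_prim("chair", Prim(owner="artist",
                               shape={"type": "box", "size": (1, 1, 2)},
                               texture_key=uuid4()))
    for who in ("artist", "visitor"):
        print(who, audit(srv, "chair", who))
```

Changing `stock_viewer_edit_panel` alters only one program's display; only a change inside `Server` alters what is disclosed or permitted for every client.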
|
Ishtara Rothschild
Do not expose to sunlight
Join date: 21 Apr 2006
Posts: 569
|
01-09-2007 17:50
From: Persephone Marx While you're all busy screaming and wailing about the possibility of more Copybots and other exploits in SL and the Client due to its open source nature you should take a deep breath and really consider what the past has taught us.
1. Copybot didn't really do what people thought. All of you who went bonkers over it are really hotheaded idiots who didn't know what was happening. Blaming libsecondlife for whatever evils y'all blamed them for when they were trying to make SL a /better/ place for everyone when some asshat grabbed their code and did something mildly naughty with it is sort of moronic.
2. Yes, copybot didn't do much other than recreate prims faster than a normal person could on their own. Oh, yeh. It replicated textures that the user of the copybot program couldn't save or even keep if they logged out.

Please don't spread misinformation. It's true, body textures were gone after relogging. What everyone feared though: CopyBot duplicated complete linksets including textures, and the user kept those items in their inventory with full permissions and an altered creator name. That's exactly what it did: it created full perm copies of unscripted linksets like shoes, hair, furniture, prim plants, complete houses etc.

LibSL has shown that a handful of people can come together with good intentions, and one idiot among them uses their work for malicious purposes. What we've seen so far was a client with a godmode hack, soon followed by the CopyBot. No other useful applications that I'm aware of.

You're right about GLIntercept. It was possible to steal textures long before. It has been reported to LL. It has not been fixed. Soon people will find more exploits and report them. Guess what will happen?
|
Peekay Semyorka
Registered User
Join date: 18 Nov 2006
Posts: 337
|
01-09-2007 18:10
Isn't everyone tired of arguing the same exact points over and over and over and over and over again? Let's do it one more time, then.  -peekay
|
Angelique LaFollette
Registered User
Join date: 17 Jun 2004
Posts: 1,595
|
01-09-2007 18:44
From: someone You ask on the blog how open sourcing the client may impact SL's security, then you read a few things and suddenly you know all the REAL facts it seems.

I Asked for Information, I Got it, I Assessed it Based upon Simple Logic and Reason Rather than Blind Panic, and Baseless supposition. And my Assessment, Based on Observation of the Past events And the Information Given on What Open sourcing makes available is, a Possibility exists for exploitive hacks to be Generated, but it is Offset by an equal, or Greater Possibility for Fixes, or Preemptive Changes being created at the Same Time.

The Facts of the Past Months bear me out on my contention that Copybot was a Great NON event No Matter the Reason. the FACT is it turned out to be a Big Fizzle. Some say it just hasn't happened Yet, I say, a Lot of Other things Haven't happened yet, that Doesn't mean their Occurrence is Imminent. I Create Content as Well, and i WAS concerned about Copybot, but Once i Learned the Facts about it i could See it wouldn't perform as advertised.

As to Open Sourcing, Once it has been explained to me, By Persons Both For, AND AGAINST it I Made my current assessment as i Listed above. I see NO reason to take to the lifeboats, or start hoarding Canned Goods Yet. there seems to be Less here than there was to the supposed threat posed by Copybot, and More than sufficient reason to Wait, and Give it a Chance. SO, I'll Give it a Chance.

You say "Duck and Cover", I say "Be Calm and Give it a Chance" Shall we take this up again in Four more Months, and see whose point of View Seems to have been the Better choice?

Angel.
|
Luciftias Neurocam
Ecosystem Design
Join date: 13 Oct 2005
Posts: 742
|
01-09-2007 19:42
From: Ishtara Rothschild LibSL has shown that a handful of people can come together with good intentions, and one idiot among them uses their work for malicious purposes. What we've seen so far was a client with a godmode hack, soon followed by the CopyBot. No other useful applications that I'm aware of.

I've used libSL to make some cute non-player character avatars who can do simple tasks for me, engage in AIML directed chat with real avatars. I plan to use one to man the booth at my store and answer simple questions and refer complex ones to me. I just need to find a small trenchcoat so I can make a mini-me bot.

From: someone As for Linux: if it was as widespread and commonly used as Windows, it would have to deal with just as many security issues and viruses. Look at the Mac OS, another operating system developed by a big company, claiming to be secure and virus-free. It has nothing to do with open source, only with popularity. If no one worth hacking uses it, it won't get hacked.

As noted above, this assertion is based on a lack of knowledge about usage and "hacking", not actual knowledge about usage patterns. And, as was also noted, inaccurately represents the relative popularity of *nix vs. Windows in the server market.
|
Morwen Bunin
Everybody needs a hero!
Join date: 8 Dec 2005
Posts: 1,743
|
01-09-2007 20:55
From: Michi Lumin Most people are dishonest. Most people like to see others squirm. Most folks love to give other people grief and pain.
Any perceived roadblocks in that concept are just wishful thinking. Sad that you have such a negative view on the people (in SL) around you. And it is not very objective either. Morwen.
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
01-09-2007 21:41
From: Peekay Semyorka Isn't everyone tired of arguing the same exact points over and over and over and over and over again? Let's do it one more time, then.  -peekay No, I don't want to argue the same points over and over again and you can't make me! 
_____________________
-
So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them.
I can be found on the web by searching for "SuezanneC Baskerville", or go to
http://www.google.com/profiles/suezanne
-
http://lindenlab.tribe.net/ created on 11/19/03.
Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard, Robin, and Ryan
-
|
Angelique LaFollette
Registered User
Join date: 17 Jun 2004
Posts: 1,595
|
01-09-2007 22:35
From: Michi Lumin Most people are dishonest. Most people like to see others squirm. Most folks love to give other people grief and pain.
Any perceived roadblocks in that concept are just wishful thinking.

It is Interesting that i have found quite the Opposite of Michi's observation to be true of the General populace. some quotes: The evil that men do lives on after them while the Good is Oft interred with their Bones. Shakespeare i believe. If you pass through life Looking for the Evil in Men you shall surely find it. Abraham Lincoln. and Finally "People judge the world by their own example." I have no idea who First said it, But it was my Aunty's favorite.

Angel.
|
cHex Losangeles
Registered User
Join date: 24 Nov 2006
Posts: 370
|
01-10-2007 00:42
From: Ishtara Rothschild All the bugs you mention are server issues (yes, even the crashes - my client only crashes when the grid is crouching through the US evening hours with 20k users online).

I'll have to take your word for that. I had assumed that since often it was my client that crashed, while other people continued to do their SL thing uninterrupted, that there might be issues with the client receiving corrupted or unexpected data, and hoped that someone might be able to come up with a client that would do a better job handling corrupted or unexpected data. I'd also wondered if there might be ways for a client to reduce lag--by checking for faster routes, for example, or some form of caching (if the server doesn't just feed all the data at all times without checking first to see if it's needed). Also, I'd thought that some scripts may cause crashes, and while they would be considered server-based, it would be possible to have a client that could accomplish the same thing without requiring the scripts.

However, I believe my point stands either way. We are not choosing between an open-source client and a neat bug-free closed-source client; we are choosing between open-source and the client as it existed at the beginning of 2007. Did you mean to imply that that client was in fact bug-free and that all of SL's problems are server-based? I take you as merely pointing out that the specific issues I mentioned were unrelated to the SL client.

From: someone Comparisons to other open source applications are useless, since those apps are complete products, not a mere network client depending on a server software that can still only be changed by a small development team.

I think the SL client is analogous to a web browser; the browser depends on the web site for content (and can only send information if the web site is prepared to accept it), but is a complete product in itself. In a similar way, the SL client can be seen merely as a viewer (and sender) of information that comes from the SL server. The same web site can run on, say, Internet Explorer, but not on, say, Firefox. Browsers can display the same web sites differently.
|
Gordon Wendt
404 - User not found
Join date: 10 May 2006
Posts: 1,024
|
01-10-2007 02:31
From: cHex Losangeles I think the SL client is analogous to a web browser; the browser depends on the web site for content (and can only send information if the web site is prepared to accept it), but is a complete product in itself. In a similar way, the SL client can be seen merely as a viewer (and sender) of information that comes from the SL server. The same web site can run on, say, Internet Explorer, but not on, say, Firefox. Browsers can display the same web sites differently.

The analogy doesn't really hold up though since even though the browser is now open source it's like there being only one website which in this case Linden Labs controls and which is split into separate sections but it's still the same 1 site.
|
Ishtara Rothschild
Do not expose to sunlight
Join date: 21 Apr 2006
Posts: 569
|
01-10-2007 02:35
From: Angelique LaFollette I Asked for Information, I Got it, I Assessed it Based upon Simple Logic and Reason Rather than Blind Panic, and Baseless supposition. And my Assessment, Based on Observation of the Past events And the Information Given on What Open sourcing makes available is, a Possibility exists for exploitive hacks to be Generated, but it is Offset by an equal, or Greater Possibility for Fixes, or Preemptive Changes being created at the Same Time.
My logic and reason tells me: the client software can help one to find exploits, but it's impossible for open source programmers to fix them. How could they, without access to the server software?
From: Angelique LaFollette The Facts of the Past Months bear me out on my contention that Copybot was a Great NON event No Matter the Reason. the FACT is it turned out to be a Big Fizzle. Some say it just hasn't happened Yet, I say, a Lot of Other things Haven't happened yet, that Doesn't mean their Occurrence is Imminent. I Create Content as Well, and i WAS concerned about Copybot, but Once i Learned the Facts about it i could See it wouldn't perform as advertised.
A non event? It revealed how easily not only textures (we knew that before) but also prim data can be duplicated and the permission system of SL can be circumvented. It has caused LL to completely rethink and overhaul their position on copyright issues. In other words, to give up. Where content creators had LL behind them before, now all they have is the option to file a DMCA lawsuit. "Someone stole the 3D shoes that I sell for 85 cents", every judge will be most eager to deal with such an infringement. And everyone out there who happened to download the CopyBot source code can easily implement it into the now also available complete client code (or just write their own "backup" function using the same now discovered loopholes that, according to LL, won't ever be fixed). I'd hardly call that a non event. I'd call it a disaster.
From: Angelique LaFollette As to Open Sourcing, Once it has been explained to me, By Persons Both For, AND AGAINST it I Made my current assessment as i Listed above. I see NO reason to take to the lifeboats, or start hoarding Canned Goods Yet. there seems to be Less here than there was to the supposed threat posed by Copybot, and More than sufficient reason to Wait, and Give it a Chance. SO, I'll Give it a Chance.
A word of advice: You can write words in bold and use a larger font size, in addition to writing in caps and underlining them. It adds even more emphasis.
From: Angelique LaFollette You say "Duck and Cover", I say "Be Calm and Give it a Chance" Shall we take this up again in Four more Months, and see whose point of View Seems to have been the Better choice? Angel.
We can certainly do that. Let's see in what a state the grid is, in 4 months from now.
From: cHex Losangeles However, I believe my point stands either way. We are not choosing between an open-source client and a neat bug-free closed-source client; we are choosing between open-source and the client as it existed at the beginning of 2007. Did you mean to imply that that client was in fact bug-free and that all of SL's problems are server-based? I take you as merely pointing out that the specific issues I mentioned were unrelated to the SL client.
Yes, I think that the majority of issues we currently have to deal with are server- or rather database-related.
From: someone I think the SL client is analogous to a web browser; the browser depends on the web site for content (and can only send information if the web site is prepared to accept it), but is a complete product in itself. In a similar way, the SL client can be seen merely as a viewer (and sender) of information that comes from the SL server.
The same web site can run on, say, Internet Explorer, but not on, say, Firefox. Browsers can display the same web sites differently. I'd say SL is much more than a website. It's a 3D development application, almost a web-based operating system. One can't use a browser to crash the internet, but the countless grid terrorists have shown that they only need a SL client to crash the grid.
|
Leyah Renegade
Live Musician
Join date: 2 Nov 2006
Posts: 125
|
01-10-2007 07:00
From: Ishtara Rothschild I'd say SL is much more than a website. It's a 3D development application, almost a web-based operating system. One can't use a browser to crash the internet, but the countless grid terrorists have shown that they only need a SL client to crash the grid.
Actually one CAN use a client to crash a server on the Internet. It's called a Denial of Service (DOS) attack, and basically it involves writing a program that causes zillions of clients to access the server at the same time, exceeding its resources so that nobody can get in. They happen all the time and are the bane of sysadmins' existence, but web servers still exist and people can usually still get into them.
|
Leyah Renegade
Live Musician
Join date: 2 Nov 2006
Posts: 125
|
01-10-2007 07:05
From: Ishtara Rothschild As for Linux: if it was as widespread and commonly used as Windows, it would have to deal with just as many security issues and viruses. Look at the Mac OS, another operating system developed by a big company, claiming to be secure and virus-free. It has nothing to do with open source, only with popularity. If no one worth hacking uses it, it won't get hacked.
This is incorrect... please read my posts above in this thread. The majority of the world's servers run some flavor of UNIX (increasingly Linux) and there is much more data contained on servers that is "worth hacking" than people's PCs. If Linux were as inherently vulnerable to hacking as Windows, we'd all be in serious trouble.
|
Persephone Marx
Nymphetamine girl.
Join date: 26 Apr 2006
Posts: 18
|
01-10-2007 07:05
From: Ishtara Rothschild Please don't spread misinformation. It's true, body textures were gone after relogging. What everyone feared though: CopyBot duplicated complete linksets including textures, and the user kept those items in their inventory with full permissions and an altered creator name. That's exactly what it did: it created full perm copies of unscripted linksets like shoes, hair, furniture, prim plants, complete houses etc.
LibSL has shown that a handful of people can come together with good intentions, and one idiot among them uses their work for malicious purposes. What we've seen so far was a client with a godmode hack, soon followed by the CopyBot. No other useful applications that I'm aware of.
You're right about GLIntercept. It was possible to steal textures long before. It has been reported to LL. It has not been fixed. Soon people will find more exploits and report them. Guess what will happen?
Well, I apologize for that bit about the stuff being kept. Not having used the program myself, I was only going on what others have told me about it and what I have read. Of course prims were kept. The scripts were not, however. But, still. One can simply rebuild the prims by sight and then grab the texture using GLIntercept or zoom into an area, take a screen shot and then do some magic in Photoshop/Gimp. And.. Yes. With every society, there is some bad element. But, do we generally judge a whole group by the actions of a rotten few? Some do, some don't. You live and learn.
Perse
|