SL Developers/Content Creators

Would you all be interested in a coalition of content developers and third-party developers (aka, libSecondLife and web site developers) to create a more secure development process?

This group would protect the rights of content creators and developers.

Please e-mail me if you're interested, or sign up at www.safesl.org for more info.

Thanks.

Whilst it sounds a good idea, unless Linden Lab actually enforce their ToS properly (which would actually have meant the libsl project would never have happened, and neither would copybot have been such a problem), we can't get very far.

Neither will anything unless it has LL support. Resident groups are all well and good - the anticopybot group had over 600 people in it the last time i looked - but if they just ignore us then we can't get anything done.

Lewis

Have you considered linking to this and working with http://sldevelopers.com/ ?

MM

Status Quo: LibSL has LL support. Developers basically don't have LL support. To get some support at all, let's work with LibSL Simplified and just the way I see it. If ways can be found to better protect our content, why not?

That doesn't mean I support the idea of an open source client in any way, I just accept it as an unchangeable fact. Let's make the best of it.

PS: yes, I'm a turncoat when faced with the task to keep my sales up in a world that has changed. I call it adapting to a different market situation. We did our best demand a better DRM system, LL can't / won't do anything, so all we can possibly do is to adapt.

As reverse engineering/creating derivative products is still a ToS offense, I don't want to be involved in anything that works closely with those hackers at libsl.

I still would like to know how they get permission to break the rules. I have no confidence in open source stuff and the day SL goes to an open source client, 90% of the player base will quit.

Lewis

Well, it's an interesting pitch. But please tell me, how can we trust any of the libSecondLife developers, after what we have wintessed recently? Quite honestly, right now I don't know if you, Dr Tardis, have any valid standing any more within the libSecondLife community yourself, nor whether the people supposedly responsible for releasing CopyBot in a malicious form into SL have really been ousted, or if the apparent villans are, in fact, now in charge of libSecondLife. The messages posted on the libSecondLife site have painted a very self-contradictory picture.

The concept of working with what seems to be the only group of third party developers that LL has elected to trust is promising. But if you want Content developers in SL to accept a rose of peace from your group, we'll have to have more than just your word on it that the thorns are not poisoned, and that we will actually know who we are dealing with.

Trust must be earned. And that is much more difficult to do when the group asking to be trusted is the same group known to be the source of our most recent plague.

Please, tell me how we can be assured that this offer is legitimate. Will SafeSL members be bonded and insured? I honestly do want to believe that the people behind SafeSL are serious about wanting to work in such a positive manner with content developers in SL. But so far, I haven't seen enough to give you my trust.

Wait, what? I don't tend to argue with people in the forums, just throw some sarcasm into threads once in a while. But how can this be the case? Wouldn't it draw in -more- users, as the OSS version may very well have more/different features that people want?

MM

You have a point there, Ceera. But can we ever know if the persons who were held responsible are really the accountable ones, and the only ones? And if they don't join in again under a different name? I don't think even LibSL members would know that. After all, they don't really know each other too. The internet is a very anonymous space, so it's either accept under reverse or paranoia, I guess.

Libsl have proven beyond any reasonable doubt that an unregulated open source group cannot be trusted.

How can you possibly be sure that the third party oss client doesn't send your login details to someone else, and you find all your stuff stolen the next time you try to log in after they changed your password? After all, stealing land and money is only the next step after the copybot item stealer.

Yes I am sure that there are oss developers who do it for the common good, and the pleasure of providing something that others can enjoy - but it can also be abused for personal gain by the unscrupulous. Do I remember reading that the 'godmode hack' this group created netted over $1000 in sales?

Lewis

Well Ishtara, as my grandparents would have said... "Fool me once, shame on you. Fool me twice, shame on me." A good deal of caution is not misplaced when dealing with strangers who don't have good references.

I am quite honestly at a loss as to how to trust them at this point. I'm quite open to suggestions as to how they might prove that they are acting in good faith.

If there's lack of trust, then perhaps thats' actually good reason itself to work closely together? This way people concerned with security have at least some chance to be up to date on possible issues, rather than stay in the dark. And if there's indeed good intentions here, then it's easier to tell that as time passes. o.O;

... the source code for application is open to view for everyone. Including unbiased reviewers who'd spot this sort of backdoor/exploit. So there's always option to either compile the source yourself, or ask someone savvy enough and reliable enough to do that for you.

You are, so far, the most outspoken anti-libSL person I've come across. As such, you make a good Devil's Advocate.

libSecondLife is not a team or company in any conventional sense of the word. A small subset of the subscribers to the mailing list (less than 10) that have been developing the library on a regular basis. The rest are just consumers of the code. I found out the hard way that some individuals can't be trusted. The 3 people who built and distributed CopyBot betrayed me just as much as anyone else. In fact, I've been doubly-betrayed, because they didn't just make it possible to steal my content, but they made me and everyone else who was part of the libSL group look bad.

So This will not be a libSecondLife project. I've already talked to the new head of libSL, and he wants to be a member of the coalition, but the coalition will be composed of anyone who wants to join, and anyone who is a member can have their products approved by going through the validation process. Every time you say "I can't trust libSecondLife", it's like saying "I can't trust anyone who uses Windows" because of something that happened in Redmond. It's really not a fair characterization, and I for one would appreciate you directing your ire toward the 3 people responsible, rather than the many who had nothing to do with this.

My only tie to libSecondLife is that I started the forums, and if you haven't noticed - I love forums.

As to the rest: You're right, there's no reason to trust me, as I don't know most of you. I generally keep to myself and use SL more for experimentation and learning than socialization. So why am I asking you trust me? I'm not. I'm asking you trust a process, one that you can help develop. Specifically, I'm asking you to help build a process by which we, as developers, can cross-check each other's work for bugs and Trojan Horses.

One thing I want to do is confirm personal identites: you meet with another member in person, and the two of you cross-confirm your identities. As you do this with more and more people, your ID's confidence rating increases. This does present a minor problem, in that people who present an on-line identiy that is disparate from their personal identity will have a problem verifying their ID.

I also have an idea on how to confirm the digital signature of an application, and how to confirm that an application being distributed is the one that was reviewed. When everything is working, you will be able to track who reviewed an application and what their confidence rating is as part of this system.

So if you buy a program that several people, all with high confidences, have reviewed, and it matches the MD5 that they all supplied, you have a fairly good idea that the program is safe.

Will this stop another CopyBot? no. What it will do, though, is let the community know who can be trusted. It gives the community confidence in trusted products and gives developers an incentive to get their products signed: when people trust you, they're more likely to buy from you.

Isn't a "regulated open source group" something of a contradiction?



By reading the source code.

What about those of us who aren't coders? Are we just meant to 'trust' an anonymous group of individuals that it won't hijack our account?

If SL goes to the 'only open source clients' model... how can we possibly ensure compatibility across the different interpretations?

I just honestly can't see why Linden Lab would basically throw away their only product - and only source of income - by opening SL up to the open source community.

Lewis

No, you can trust a friend who is a coder, probably. Or, like i mentioned, you can probably trust the strength of peer review -- the idea that whole wide world is limited to only evil coders who would never point out such exploit even with the source in plain view for everyone is rather... far-fetched. Or in worst case, you can still utilize LL's official client and leave use of open source versions to these who do trust them.


I don't know where you take this "only" part here from. The open source movement appear to be added as option (say, to allow development of SL client on hardware not directly supported by LL) ... as far as compatibility goes, it's similar to other web applications. There's protocols and standards of communication which the applications have to meet. That's why you can communicate on IRC even though there's dozens of clients available out there, both open source or not. That's how the web browsers somehow manage to render the same page in at least similar way. That's how the whole underlying data transmission or any piece of hardware put in your computer manage to work in the first place. o.O;

How?

I love when these proposals come about because they, and their responses are usually Long on the Big Talk, but they tend to Fall short of Practicle applications.

I mean, Yes, as a Proposal it sounds good, But have you thought it out beyond the Proposal stage? DO you actually have any Means, Method, Resources, Or Plan for your Enforcement? Just how do you Propose to Be Everywhere on the SL grid? What Methods will you use to determine IF your Member Actually has the legal claim over the items he is claiming were stolen from him? Will you Only Go After exact copies, or is mere Similarity enough? If Similar, How Similar?
You have to remember that everything you do has to Fall within TOS, and being an Organized group, you MUST make sure that your every action is on the side of the Angels. Since we are discussing the Losses of creators due to Dishonest actions by others, you have a Special responsibility to Investigate Extremely thoroughly to make sure you are NOT used by an Unscrupulous Person to Damage an Honest NON-Member. LibSL Claims to be an Honest group, and the recent actions were the acts of some Uncontrolled and Irresponsible persons within thier group. Maybe true, Maybe Not (And i see by Dr. Tardis' Post that LibSL wishes to be part and Party to your Little Club, If that isn't leaving the Fox to Guard the henhouse, I don't know what is). Tell us by what means YOU intend to Control, and Monitor ALL of your members to see to it that you don't end up going down that road as well? LL has Ten Times the Tools available to Residents, So, If they couldn't rein in LibSL, How do you Intend to rein in Your Members, Or control the actions of those NOT in your group?

Angel.

Those are all good questions.

The short answer is - I can't do any of that by myself. That's why I'm asking for help.
Some of our ideas may require changes to SL itself to work. I'm hoping that if we can get a large enough group together, we can induce Linden Labs to make some of those changes. There's actually been a long topic on the libSecondLife mailing list about just this topic: how do you locate and enforce duplicate items?

In fact, there is an idea I've been kicking around. I don't know if LL will go for it. I don't know if the folks at libSecondLife will go for it. But it is one way to at least identify individuals who are performing illict activities.

The thing is, Angel, if we don't act, nothing will get done. I admit that I don't have all the answers, but a few hundred of us, working together, just might come up with something new.

The fact that you're asking those questions tells me that you might have something to contribute. If you think you do, I encourage you to join up, post your ideas and questions, and tell other people.

www.safesl.org yes, there's not much there yet, but I am posting ideas as fast as I can. When others start commenting and expanding on those ideas, we might actually get something going.

emotional panic solve nothing

Well, LL fooled us many times, and we still make the mistake to trust them again... I expect soon to hear LL's suggestion to clean the grid and get SL a teen rating. That worries me a lot more than a copy tool.

Burning buildings, standing in the welcome areas on fire telling newbies not to play SL - seem to recall that worked very well once before.... Resident groups do have power, they just have to be organised enough to exert it.

You know Dr Tardis, If your group is really interested in mending fences and gaining the trust of the SL community, a good start might be into putting forth a real concentrated effort into developing a tool that will counter, or somehow minimize, the damage the CopyBot menace has unleashed unto our world.

It shouldn't be too hard to do. Afterall, LL has entrusted you with the same open source access that they currently work with. LL won't touch it because they simply aren't interested in starting an "arms race," whatever that means But that doesn't mean it can't be done.

Surely, a group of talented independent developer's, such as the ones representing LibSL, should be able to stand up to the challenge and tackle this issue. You created the menace, it would be nice if you would pick up after yourselves and cleaned it up.

Anything less than that is just water under the bridge at this point.

First of all, understand that I'm not here as a representative of libSL. Individual members of libSL will have the same representation as any other citizen in SafeSL. The "group" of libSL will have no representation as such.

I'm not sure what you mean by "Afterall, LL has entrusted you with the same open source access that they currently work with." Linden Lab hasn't given anything to libSecondLife, and certainly hasn't provided any source code that I know of. Once in a while, Lindens have responded to individuals' questions about specific parts of the protocol, but that's a far cry from official support. If LL wanted to provide official support, they'd post complete protocol specifications. As it is, people have to painstakingly pick apart packets to see how the data going back and fort corresponds with what's happening on their screen.

I think this "LL Supports libSL" misconception is unfortunate, especially since it's not really true. Certain libSLers have made it sound like LL somehow provides libSL preferential treatment, when it's not the case. Linden Labs has simply stated that they won't punish anyone who develops their own client software, as long as the software isn't used in exploits.



One way I intend to minimize the impact of things like CopyBot is by notifying the public at large when stolen content is discovered. By tracing the creator of the stolen content, we can let people know that it's stolen, and where the REAL content can be acquired. It's my hope that this will not only help reduce theft, but also drive people that would have bought the stolen goods to the real content creators, actually increasing their business in the long run.

Simply put, when you play by the rules, we endorse you. When you don't, we let the world know. (and it would have to be a provable offense. This is where SL's new attribution information comes in to play)

How do you know a closed source application isn't getting personal information from your computer? There is no way to know. But presumably for an OSS application there will be enough honest coders who will look at the code and alert everyone else if there is something malicious in the code.

LL won't be giving away their only source of income. They still own the servers. I have seen no mention of of an open source server project, just a project for the client. Actually if the client software went totally open source, it would save LL money since they won't have to pay to develope it.

What you call 'closed source' I just call regular software - which you pay for. If I install Microsoft Word, for example, from a proper Microsoft CD which I bought in PC World, then I can be pretty sure it isn't going to log my passwords and send them off to a hacker.

However, if I get an email from a stranger to see naked pictures, which can be found in the attachment "files.scr" then it's quite possible that I am not likely to get quite the surprise I was expecting.

Maybe I'm odd, but I very rarely download any executable files off of the internet without being sure of its source, and make sure that Norton/Adaware/Spybot etc are all running properly before installing.

You say that there are 'always enough honest coders' ... if that's the case, why did the 78 libsl members not do something or alert people before the 2 dishonest membes released copybot on the world?

Lewis