[opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

Marc Adored marc at inworlddesigns.com
Sat Aug 21 16:23:56 PDT 2010


This was an attempt to do 1 of 2 things or both. There is no denying
it because every other "excuse" I've seen is pure bull and doesn't
even make sense. The person responsible for doing this was either
arrogant enough to think that the userbase was large enough and there
were enough people logging in that putting links to a site could cause
it issues or they figured the extra traffic could financially harm the
person paying for the service or both. This crap about boasting
traffic I really don't get. I don't see why anyone would accept
something that doesn't even make sense. How are you boasting traffic
by hiding any knowledge of what you're doing to boast? How is any person
that matters going to notice a bunch of hidden iframes on the login
page? Were they boasting to the owner of the website? There are much
more legal ways of "boasting" your traffic. They did post traffic
stats which is what I see as boasting but hiding iframes isn't even in
the same ballpark as boasting. It was a pissing match between 2 or
more devs on different projects and they used their userbase in
illegal activity. People saying it was "hardly" a DDoS are trying to
discredit what it was. When it comes to laws there really isn't any
"kind of" breaking the law. Just because someone's arrogance prevents
them from doing something successfully doesn't make the attempt any
less illegal. If you steal something from a store and get caught
before you leave the store you still get in trouble. Also discrediting
the victim was not a bright idea either because frankly it doesn't
matter not one bit who the victim was or what they are guilty of. The
old saying stands here: 2 wrongs don't make a right. Linden must act
according to this. They should not be biased in any manner.

The facts are Emerald violated the trust of their users and they have
done so a few times and do nothing to correct the problem. They
violated the TPV policy a few times also that should at least warrant
removal from the TPV list AT LEAST. I wouldn't recommend banning the
client because a lot of people use it but removing them from the TPV
list will definitely send a message and maybe MAYBE they will try to
fix the structure of the project so that someone can be held
responsible for changes to important parts of the viewer. Also I would
think that the emdku crap they are putting in the viewer violates the
TPV simply because nobody can see what gets added because of it. They
could be transmitting every bit of our information somewhere and
nobody knows. I wouldn't put it past some of the devs after what I've
seen and the secrecy that is growing from within.

I want everyone to know that I am not an Emerald hater. I love Emerald
and I still use it occasionally but I only use a copy I have compiled
myself. I do not trust devs of an opensource project who have
something they want to hide from everyone, especially ones with the
backgrounds of certain devs on the Emerald team.

I would also like to say that had this been a "first offence" it might
be different and the "we didn't know" excuse might have flown but
considering there are a few devs that have had repeated headlines
that make them out to be liars and script kiddies with known "not so
legal" retaliation habits a bit more drastic measures should be taken.
It's like disciplining your child. If you threaten and threaten but
never act eventually they learn they can do whatever they want and not
get in trouble. The TPV means nothing if it's not enforced.

