[opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

Patnad Babii djshag at hotmail.com
Sat Aug 21 16:30:50 PDT 2010


What Emerald has been doing is exactly what a BOTNET does; it is against the law 
and I believe they should be prosecuted. It is a felony and is punished in 
a lot of states with as much as 10 years in prison.

LL should show no mercy for them, because if they allow this (this is not 
the first time Emerald devs have been caught), what is going to happen next? A 
new viewer that will crash random websites?

Or maybe it could be used to introduce other malicious code to steal 
identity, steal Credit cards, steal bank info?



-----Original Message----- 
From: Arrehn Oberlander
Sent: Saturday, August 21, 2010 7:08 PM
To: opensource-dev at lists.secondlife.com
Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

As someone who was using the Emerald viewer at the time this was going
on, I researched this subject with some concern.

It doesn't matter who the target was at all, whether he is a good guy
or a bad guy, it's not of consequence. ModularSystems is responsible
for using my login process to send a sizeable body of undisclosed,
irrelevant traffic to harass someone. This isn't just 'embarrassing',
it's unacceptable from inception to execution.

This simply adds to the ongoing pattern of Third Party Viewer Policy
violations already exposed regarding ModularSystems builds of Emerald
that speak to a culture of irresponsibility in the persons that
control the ModularSystems site. I am not a lawyer, but just looking at
the third party viewer policy I can pick out a number of criteria that
might not be met.

TPVP 2.d : "You must not launch Denial of Service ("DoS") attacks,
engage in griefing, or distribute other functionality that Linden Lab
considers harmful or disruptive to Second Life or the Second Life
community."  This appears to be violated by code in the viewer's
login page 
http://webcache.googleusercontent.com/search?q=cache:jD_B973EpVUJ:modularsystems.sl/app/login/+http://modularsystems.sl/app/login/

TPVP 1.C.iii There must be disclosure of "Any surprising or unexpected
functionality, including any limitations on features and functionality
generally available to Second Life users through Linden Lab's
viewers.". The leakage of pathnames in by emdku code does not appear
to have been disclosed, despite it being an internal topic of
discussion months earlier. The leakage of any information, regardless
of how innocent, to other avatars via the path of baked textures
hasn't been disclosed even now to my knowledge.

TPVP 3.B.iii Distribution must adhere to the terms of the GPL 2.0.
ModularSystems may not be distributing emkdu in a way that qualifies
it as a separate work under the GPL. It's transparently distributed to
the user's system without notification. No alternatives (such as
llkdu, openjpeg) or opt-out options are presented, and the library is
linked by the emerald runtime. Since the emkdu source is not
distributed, the distribution of the viewer may be in violation.
Compare this with other viewers such as CoolViewer and Imprudence which
specifically deal with distribution of closed source binaries as a
completely separate, user-initiated, optional process to fulfill GPL
2.0 compliance.

TPVP 6.3 : "Your Second Life accounts must be in good standing, must
not be suspended, and must not have been permanently banned or
terminated". The operators of the Modular Systems website possess
accounts that have been permanently banned or terminated and readily
acknowledge this.

===

Beyond the above, the way in which these issues were addressed is
concerning. The emkdu issue was only addressed because someone from
outside ModularSystems exposed it. The DDoS came to light because it
was exposed from the outside. There may not be a history of
ModularSystems successfully policing themselves. It appears that those
who try end up leaving the project.

External communication similarly does not inspire confidence. On the
ModularSystem web page, there is no mention of emkdu and how in
released builds it leaked information. Neither is there a patch or new
download listed. The tone of communication is slanted to diminish
critics, instead of clearly articulating information for users to make
an informed decision. As a user I had to read other blogs and talk to
developer peers personally to find out what was really happening.
ModularSystems didn't tell me.

On this thread an Emerald developer stated that many of these issues
stem from the people who control ModularSystems being less than
responsible and embarrassing the team. One has to ask if this is the
case, why not vote "No Confidence" and move your website and your
builds to someplace with greater credibility, and change LL's official
point of contact for Emerald from "ModularSystems" to something else?