[opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
Ann Otoole
missannotoole at yahoo.com
Sun Aug 22 05:22:30 PDT 2010
I hate replying to a policy thread here but will make this one-time exception
for my humble input for LL's consideration:
What I think LL should consider is something in the TPV policy that prohibits
any tpv from connecting to any non LL server for any reason when a LL grid is
selected for login. This simple policy, if correctly followed, would have
prevented the incident. It would also eliminate a tpv team from monitoring
logins and usage but then where exactly did they get to do that in the first
place? It is a missed policy bullet. There is no reason a client should connect
to anything except an LL server when an LL grid is selected. LL needs to be
totally security conscious about the login process and what rigid requirements
must be met for connecting to the LL grids.
I.e., I watch my port activity. Everyone should. But not everyone would know
what they are looking at. But had they been watching I bet they would have been
wanting to know what all those connections to that host were all about right
away. Had I been using Emerald and seen thirty-something connections to
iheartanime dot com appear I would have been raising hell immediately. What you
connect to on the internet can be and is monitored sometimes and being open to
forced connections to something really bad would be extremely unfortunate for
many that have to be squeaky clean.
I use Kirstens and I don't even care much for its connection for motd. However
it does tell me when the latest release is available and that is very useful
information. Maybe there is a way for LL to provide motd bullets for tpvs so
they can get the word out about updates or something.
There has to be a better way.
Regards
Ann Otoole InSL
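A defender-side check along the lines described above (watch the viewer's own sockets and treat any peer outside the selected grid's domains as suspect), written as an added example that is not from this thread or from any viewer project; the allowlist, the reverse-lookup table and the `ss -tnpH`-style sample lines are all constructed so it runs offline:

```python
# Added example (not from the thread or any viewer project): count a viewer
# process's sockets whose peer host is outside the selected grid's allowlist.
# Input lines are shaped like `ss -tnpH` output; sample and lookup are constructed.
import re
from collections import Counter

LL_ALLOWLIST = {"lindenlab.com", "secondlife.com"}   # constructed grid allowlist
REVERSE_LOOKUP = {                                   # constructed stand-in for DNS
    "203.0.113.10": "login.agni.lindenlab.com",
    "203.0.113.11": "sim1234.agni.lindenlab.com",
    "198.51.100.7": "www.critic-site.invalid",
}
SS_LINE = re.compile(r'^\S+\s+\d+\s+\d+\s+\S+\s+(?P<peer>\S+)\s+'
                     r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)')

def parse_ss_line(line):
    """Return (process, pid, peer_ip, peer_port) or None for a non-matching line."""
    m = SS_LINE.match(line.strip())
    if not m:
        return None
    ip, _, port = m.group("peer").rpartition(":")   # rpartition also splits [v6]:port
    return m.group("proc"), int(m.group("pid")), ip.strip("[]"), int(port)

def host_allowed(hostname, allowlist):
    """True if hostname equals, or is a subdomain of, an allowlisted domain."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in allowlist)

def unexpected_peers(lines, proc_name, allowlist, lookup):
    """Map peer host -> number of proc_name sockets to hosts outside the allowlist."""
    hits = Counter()
    for line in lines:
        rec = parse_ss_line(line)
        if rec is None or rec[0] != proc_name:
            continue
        host = lookup.get(rec[2], rec[2])   # unresolved peers are reported by IP
        if not host_allowed(host, allowlist):
            hits[host] += 1
    return hits

# Constructed sample: two grid sockets, two to an unrelated host, one unresolved
# peer, and one socket that belongs to a different process (ignored).
SAMPLE = """\
ESTAB 0 0 10.0.0.5:50100 203.0.113.10:443 users:(("viewer",pid=4242,fd=31))
ESTAB 0 0 10.0.0.5:50101 203.0.113.11:13001 users:(("viewer",pid=4242,fd=32))
ESTAB 0 0 10.0.0.5:50102 198.51.100.7:80 users:(("viewer",pid=4242,fd=33))
ESTAB 0 0 10.0.0.5:50103 198.51.100.7:80 users:(("viewer",pid=4242,fd=34))
ESTAB 0 0 10.0.0.5:50104 192.0.2.9:443 users:(("viewer",pid=4242,fd=35))
ESTAB 0 0 10.0.0.5:50105 198.51.100.7:443 users:(("browser",pid=99,fd=5))
""".splitlines()

if __name__ == "__main__":
    for host, n in unexpected_peers(SAMPLE, "viewer", LL_ALLOWLIST, REVERSE_LOOKUP).items():
        print(f"{n} viewer connection(s) to non-grid host {host}")
```

Run against live `ss -tnpH` output, the same function reports every host the viewer talks to that is not under a grid domain, which is the signal the post says a user watching port activity would have wanted.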
________________________________
From: Brian McGroarty <soft at lindenlab.com>
To: Thomas Grimshaw <tom at streamsense.net>
Cc: opensource-dev at lists.secondlife.com
Sent: Sat, August 21, 2010 10:33:52 AM
Subject: Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
On Sat, Aug 21, 2010 at 7:04 AM, Thomas Grimshaw <tom at streamsense.net> wrote:
> Loading 1mb of content per user is hardly a denial of service attack.
> Crosslinking occurs everywhere on the web, this is simply nothing but
> paranoid bull.
"Crosslinking" drops the context of hiding gibberish requests to a
critic's website in a hidden frame that will never be revealed to the
user. This isn't a mere hyperlink to another page or naively stealing
someone else's image hosting.
My read (but I'm no lawyer) is that this looks like 2.d.iii of
http://secondlife.com/corporate/tpv.php and we're already having that
discussion. If anyone can come up with specific reasons why this might
have had legitimate reason to be there, or how this one could be yet
another oversight or mistake, that would be helpful. I sure haven't
heard any to date.
--
Brian McGroarty | Linden Lab
Sent from my Newton MP2100 via acoustic coupler