[opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?

JB Hancroft jbhancroft at gmail.com
Sun Aug 22 07:56:01 PDT 2010


Hi Ann,

You suggested: "What I think LL should consider is something in the TPV
policy that prohibits any TPV from connecting to any non-LL server for any
reason when an LL grid is selected for login."

I'd change that to require that any TPV *disclose* the specifics of any and
all non-LL servers that they are connecting to, and the details of why they
are doing so.  Otherwise, some of the possible value-added functionality
gets crippled.

The real issue here is that the TPVP is just legal CYA for LL; it's not
something they actually monitor or enforce.
There is no assurance being provided by LL or by the TPV developer that
they have any sense of reasonable security, including processes that limit
rogue devs from pulling the kind of stunts that the Emerald team seems to
favor.

If the TPVP really matters, we'll see Emerald shut down from the TPVP
program, because of this accumulated nonsense.
If not, then it confirms that it's all just a paper chase.

Regards,
- JB

On Sun, Aug 22, 2010 at 8:22 AM, Ann Otoole <missannotoole at yahoo.com> wrote:

> I hate replying to a policy thread here but will make this one time
> exception for my humble input for LL's consideration:
>
> What I think LL should consider is something in the TPV policy that
> prohibits any TPV from connecting to any non-LL server for any reason when an
> LL grid is selected for login. This simple policy, if correctly followed,
> would have prevented the incident. It would also eliminate a TPV team from
> monitoring logins and usage, but then where exactly did they get to do that
> in the first place? It is a missed policy bullet. There is no reason a
> client should connect to anything except an LL server when an LL grid is
> selected. LL needs to be totally security conscious about the login process
> and what rigid requirements must be met for connecting to the LL grids.
>
> I.e., I watch my port activity. Everyone should. But not everyone would
> know what they are looking at. But had they been watching, I bet they would
> have been wanting to know what all those connections to that host were all
> about right away. Had I been using Emerald and seen thirty-something
> connections to iheartanime dot com appear, I would have been raising hell
> immediately. What you connect to on the internet can be and is monitored
> sometimes, and being open to forced connections to something really bad would
> be extremely unfortunate for many that have to be squeaky clean.
>
> I use Kirstens and I don't even care much for its connection for the MOTD.
> However, it does tell me when the latest release is available, and that is
> very useful information. Maybe there is a way for LL to provide MOTD bullets
> for TPVs so they can get the word out about updates or something.
>
> There has to be a better way.
>
> Regards
>
> Ann Otoole InSL
>
> ------------------------------
> *From:* Brian McGroarty <soft at lindenlab.com>
> *To:* Thomas Grimshaw <tom at streamsense.net>
> *Cc:* opensource-dev at lists.secondlife.com
> *Sent:* Sat, August 21, 2010 10:33:52 AM
>
> *Subject:* Re: [opensource-dev] Malicious payloads in third-party viewers:
> is the policy worth anything?
>
> On Sat, Aug 21, 2010 at 7:04 AM, Thomas Grimshaw <tom at streamsense.net>
> wrote:
> >  Loading 1mb of content per user is hardly a denial of service attack.
> > Crosslinking occurs everywhere on the web, this is simply nothing but
> > paranoid bull.
>
> "Crosslinking" drops the context of hiding gibberish requests to a
> critic's website in a hidden frame that will never be revealed to the
> user. This isn't a mere hyperlink to another page or naively stealing
> someone else's image hosting.
>
> My read (but I'm no lawyer) is that this looks like 2.d.iii of
> http://secondlife.com/corporate/tpv.php and we're already having that
> discussion. If anyone can come up with specific reasons why this might
> have had legitimate reason to be there, or how this one could be yet
> another oversight or mistake, that would be helpful. I sure haven't
> heard any to date.
>
> --
> Brian McGroarty | Linden Lab
> Sent from my Newton MP2100 via acoustic coupler
> _______________________________________________
> Policies and (un)subscribe information available here:
> http://wiki.secondlife.com/wiki/OpenSource-Dev
> Please read the policies before posting to keep unmoderated posting
> privileges
>
>