1. By and large, we didn’t learn to not put –gate on the end of things to signify a scandal.
You know, if it had been called the Watercock hotel instead of the Watergate hotel, the entire landscape of media for the last several decades would have been far different, or at least much funnier.
2. Most of us didn’t learn to get Linden Lab’s name right.
You’d think people would start getting that right eventually, wouldn’t you?
3. We didn’t learn to rethink our basis for trust and for exercising caution and software hygiene when faced with the allure of shiny features.
Security professionals are doubtless still tearing their collective hair out over that, as they have for years.
So, give me all your money, while we’re on the subject, and maybe there could be a shiny feature in it for you… possibly. Thanks heaps!

LOL! Bravo!
Better yet, they should have named the hotel the Watercockup.
One lesson for us is that security risks are not only found in web browsers like MS-Explorer, but in any app. Just because a Second Life TPV didn’t plant adware (I hope), doesn’t mean it didn’t do something nasty in the background. Which begs the question: how would Symantec approach this kind of threat?
Maeve – ideally anti-malware software should inform you not just of actual detected problems but of software that comes from known dodgy developers. By this point, in my mind, the Emerald team is a big pile of dodgy developers who use shiny features to attract the unaware.
Also, watercock, emeraldcock – I can imagine the lulz, hilarious
Maeve:
I suppose someone who doesn’t realize that apps that aren’t web browsers can have security vulns would probably also not stop to think that SecondLife viewers generally *have* a web browser *inside* them that may not respect the security settings and plug-ins on their desktop default web browser.
That goes triple for viewers that implement Media On A Prim.
So they need *more* vigilance than a web browser, not less.
The third point is the one that knocked me sideways. You are right – basic precautions have been hammered into people’s mindsets for, what, decades now? And they still didn’t register? (shakes head).
Ah well we live and learn. At least in theory. Not even going to think about the possible mirth in gate/cock
BTW just what is the correct name? Been so long since I didn’t refer to them as the ?$#%?*&%( s that I forgot
Of course, usually an open-source project is supervised by a dev team who have a lot of work and love invested in their code base. They can (in general) be expected to work diligently to protect that investment and reputation by scrutinizing what goes into the code, and benefit from the “to many eyes, all bugs are shallow” principle. Commit access to the code repository is tightly controlled by a few core developers…often just one, and many people read the diffs to keep up with what’s changing.
But SecondLife viewers are different. Just about all SL viewers are built on a huge, twisty code base that is simply *given* to the downstream. A few script kiddies with a bare minimum of technical knowledge can build and distribute elaborate binaries that *nobody* else is supervising. (In fact this is where most of the viewers capable of copying content without permissions or doing other nasty hostile crap come from.)
Such gangs of digital thugs have no investment in the grid or the SL community at large. And most of them are too young to realize that once a reputation as a software thug is attached to their real life identity (which can happen despite serious efforts to maintain proxies, cutouts and aliases), their future employability doing anything but writing more malware is just about gone.
The “I’ve turned 23 now and Mom and Dad kicked me out, so I’m reformed and going white-hat and becoming a security expert” song has been sung many times. It doesn’t wear well.
So people need to know who they’re getting their code from, and consider how much trust they are granting.
Basic precautions can fall by the wayside in the face of “100,000 daily users can’t be all wrong.”
Honestly, this question goes right to the heart of open source development. Open source evangelists have always been touting the fact that since everyone can see what they are doing, it keeps everyone honest. This works fine for large scale projects like the various Linux operating systems because there is a large base of people watching the code. The smaller the universe of people who are watching the code, the increased chance of something slipping through undetected, especially if the bad actors are obfuscating their code. As far as anyone can tell, no one outside of the Emerald project was reviewing Emerald’s code, with the possible exception of the Lab in its approval process.
What I think we need is for more peer review within the TPV community. We need people to be looking at the code from these various viewers, making suggestions and calling out problems. (I wish I knew how to code, or I’d help with this myself.)
ugh.. still blaming the kiddies are we…? are you all just that dense.. the blame goes to those who “allowed” the “opening of the code” and the “marketing of others IP/work” to be a simultaneous CON JOB for them to cash in on….
there’s a BOD at Linden Lab…hidden from responsibility “more” than the anonymous scriptie avatars it seems… and THAT to me is the amazingly psychotic thing you’all let manifest for the last 6 years while selling shoes and playing dollies.
anyhow… it’s now over.
but will be rebirthed in facebooks networks with google3d in another 3 years
Gee C3…the people who actually commit the crimes are responsible for them.
Oh, the final build number of Emerald? 2600. Very funny.
@c3 So you’re justifying the actions of the kiddies and saying it’s Linden Labs fault somehow for releasing their viewer code to allow others the opportunity to create their own viewer? That’s like justifying rape because “she was asking for it,” or “look at the way she was dressed.”
One clarification… “script kiddies” is a pejorative applied to particularly annoying people who (and this is a key item) can’t write or modify code on their own.
Like baby birds, they’re always spending hours or days begging for scripts to be written for them, to accomplish what they could learn to do on their own in ten minutes. Hence the name “script kiddies”.
One or two members of the SL blogging community have taken to misapplying the term in recent years, but it isn’t really an appropriate descriptor for the kind of people we’re talking about.
When a “developer” who’s under 18 puts their “skilz” to work putting three-line exploit patches on a multi megaline C++ app, as far as I’m concerned they’re essentially a script kiddie.
I’d say that would be a task well beyond any script-kiddie I’ve ever met. If they can even manage the equivalent of “Hello World” (or “Hello Avatar”) they’ve graduated beyond that status. That doesn’t mean they can’t be dicks though.
@Tateru – Historically, I’ve seen the pejorative applied much more liberally than just to those who cannot code for themselves, (by people well beyond the boundaries of the SL blogosphere,) but your point is well taken. By using c3’s choice of wording I only intended to imply the context, not the sentiment.
I guess my standards for non-kiddie-hood are higher too.
And I’m not alone: http://old.honeynet.org/papers/enemy/
We should get Timeless Prototype in to comment on all this.
ugh.. either or binary geek preprogrammed logic….. they’re BOTH at fault…. yes both.. not 0 or 1…
welcome to realife.
and yes, LL is more responsible for the outcome than the anonymous children adults who feed on such greedy systems like LL. alone. the code kids could not have reached a system that had millions paying individuals and creatives spending time on the “platform” as a creative value platform.
there’s tons of free 3d apps online for dozen of years… many weekend programmer stuff.. even blender is a glorified freeware app attempt…. they don’t have any market or mindshare.. that ONLY comes with MONEY spent…
and MItch Kapor and the BOD raised that money/offered that money.. they created the mess of unfairness between content makers and the platforms maker/keepers.. that has been the model of SL and Web2.0
Check Youtube recently— built on others stolen IP… now it’s barren of anything but cat videos…. but google NOW can make deals with the same media companies it stole from….
web2.0 ethical/ moral?…blame the children?..well ok…. but for every spoiled brat, there’s a worse parent.
back to you binary show.
It’s gotta be Prok again.
The erratic capitalization isn’t enough to cloak the weltanschauung.
And here I am, I thought I was just about the only person who used that word
Ah, so what you’re saying is that LL is the true culprit, lining their pockets off the work of others, and keeping down the poor starving artists and “creatives”. Fair enough point, comrade.
The true “realism” here is that very little gets done in a capitalistic society without someone trying to make a buck off of it. Whether it’s a humble blogger just trying to cover her hosting fees, or a large multinational corporation that answers to shareholders, money makes the world go round. If that is somehow evil to you, take every single CD in your house and shred them, because the recording industry has been making money off of the backs of artists for generations.
When it comes to open source projects, one of the questions you have to ask yourself is, “Where does the money come from?” Anything beyond the mere hobby project is going to require funding. Open source browsers do it through that search bar in the upper right corner. Linux distributions charge for tech support. Emerald presumably was going to do it through its datamining schemes