[Edited to correct authorship facts]
On the 17th February, Katrina wrote this on this site:
Patch for Firestorm uploaded to there. Will make more patches available, and maybe actual compiled viewers, at a later date (but soon)
At much the same time, Sione Lomu was working on a more generic patch which provides not just a media blacklist but also a pop up warning about attempts to access media URLs. This patch was made available to the Phoenix team and others.
I am a huge advocate of Open Source Software (OSS), and have been for many years. Sione and Katrina’s hard work, and the work of developers like Tonya Souther, show exactly why. Because with OSS we have choice. If a printer driver does not work and it is open source, then we can hack it and fix it ourselves, or pay someone to do it. If software does not speak our language, we can provide our own translations. If there are bugs in the software, we can fix them, or get them fixed without petitioning the acolytes of some huge cathedral-like software company. “Given enough eyeballs, all bugs are shallow”.
And that is exactly what has happened here. The Second Life viewer had a proven security vulnerability, exploited by those who would harvest our personal information without our knowledge or consent, and sell it on. All it took was people familiar with the viewer code to make a patch and submit the source code against the OSS viewer code, and we had a solution.
Not a perfect solution – Henri Beauchamp noticed a bug if the audio engine was not initialised when a parcel media request was received. He fixed this in his Cool Viewer. Cool Viewer, incidentally, is a wonderful nostalgic viewer that keeps some of the better design elements Linden Lab did away with, whilst carefully applying patches and updates. I have no idea how Henri has the time to do all this!
But again the power of open source is demonstrated, because Henri’s fix is merged with updates from the Phoenix team that munge the URL displayed enough to keep the viewer TPV compliant (hiding the “secret” stream URLs) but ensure that all users of Phoenix will have that most important of commodities: Choice.
Now users can choose whether they will even care about spyware. They can choose to switch off the added media security, or they can keep it switched on and choose which parcel media they will actually load. I have compiled the Phoenix source code, and you now see a pop up as shown here.
The decision of the Phoenix team looks right to me. Look at the highly suspicious nature of that RedZone URL. Even if he changes domain, zFire will not be able to hide the fact that his URL seems to pass way too much information back in its body.
I have done some testing with Phoenix, and can confirm that no data gets returned to RedZone unless you specifically allow the URL. It does pop up multiple times in a RedZone sim – once each time you are scanned until you select allow or deny. This is hard to prevent, but not onerous in any case. On other sims you are not bombarded with media requests – although I did realise just how many sims try to give me media I really don’t want. If nothing else, this patch tells me how sensible it is just to keep the media settings off!
In any case, many many thanks to Sione and the others for giving us this patch and giving us back our freedom of choice. Thanks also to the developers implementing it.
RedZone users hate it – but only because they know that given the choice, people will not choose to have their personal data collected and permanently stored in the insecure database of some random guy who will sell it to anyone and everyone. RedZone users are right. Given freedom of choice, people will tend to reserve their right to privacy.
But choice is a good thing.