Choice

28 02 2011

[Edited to correct authorship facts]

On the 17th February, Katrina wrote this on this site:

https://jira.secondlife.com/browse/VWR-24746
Patch for Firestorm uploaded to there, will make more patches available, and maybe actual compiled viewers, at a later date (but soon)

At much the same time, Sione Lomu was working on a more generic patch which provides not just a media blacklist but also a pop up warning about attempts to access media URLs. This patch was made available to the Phoenix team and others.

I am a huge advocate of Open Source Software (OSS), and have been for many years. And Sione and Katrina’s hard work, and the work of developers like Tonya Souther, show exactly why. Because with OSS we have choice. If a printer driver does not work and it is open source, then we can hack it and fix it ourselves, or pay someone to do it. If software does not speak our language, we can provide our own translations. If there are bugs in the software we can fix them, or get them fixed, without petitioning the acolytes of some huge cathedral-like software company. “Given enough eyeballs, all bugs are shallow”.

And that is exactly what has happened here. The Second Life viewer had a proven security vulnerability, exploited by those who would harvest our personal information without our knowledge or consent, and sell it on. All it took was people familiar with the viewer code to make a patch and submit the source code against the OSS viewer code, and we had a solution.

Not a perfect solution – Henri Beauchamp noticed a bug if the audio engine was not initialised when a parcel media request was received. He fixed this in his Cool Viewer. Cool Viewer, incidentally, is a wonderful nostalgic viewer that keeps some of the better design elements Linden Lab did away with, whilst carefully applying patches and updates. I have no idea how Henri has the time to do all this!

But again the power of open source is demonstrated, because Henri’s fix is merged with updates from the Phoenix team that munge the URL displayed enough to keep the viewer TPV compliant (hiding the “secret” stream URLs) but ensure that all users of Phoenix will have that most important of commodities: Choice.

Parcel Media Pop-up


Now users can choose whether they will even care about spyware. They can choose to switch off the added media security, or they can keep it switched on and choose which parcel media they will actually load. I have compiled the Phoenix source code, and you now see a pop up as shown here.

The decision of the Phoenix team looks right to me. Look at the highly suspicious nature of that RedZone URL. Even if he changes domain, zFire will not be able to hide the fact that his URL seems to pass way too much information back in its body.

I have done some testing with Phoenix, and can confirm that no data gets returned to RedZone unless you specifically allow the URL. It does pop up multiple times in a RedZone sim – once each time you are scanned until you select allow or deny. This is hard to prevent, but not onerous in any case. On other sims you are not bombarded with media requests – although I did realise just how many sims try to give me media I really don’t want. If nothing else, this patch tells me how sensible it is just to keep the media settings off!

In any case, many many thanks to Sione and the others for giving us this patch and giving us back our freedom of choice. Thanks also to the developers implementing it.

RedZone users hate it – but only because they know that given the choice, people will not choose to have their personal data collected and permanently stored in the insecure database of some random guy who will sell it to anyone and everyone. RedZone users are right. Given freedom of choice, people will tend to reserve their right to privacy.

But choice is a good thing.

Really.


19 responses

28 02 2011
Rooted

I second your commendations for the coders referred to, and would like to add a huge thanks to “Sione”.

28 02 2011
Verina Resident

Now, if I only had someone to tell me how to incorporate the patch, sigh.

28 02 2011
no2redzone

It is coming soon to official Phoenix… I am thinking of writing some compilation instructions – but to be honest, it’s not for the faint-hearted 😉

May be best just to wait a couple of weeks, or use cool viewer (which has the patch now) until then.

1 03 2011
Magnuz Binder

From Second Life JIRA 2011-02-28 (https://jira.secondlife.com/browse/VWR-24746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=245271#comment-245271)
“Soft Linden commented on VWR-24746:
Thank you to the many of you who filed ARs with specific details, especially where unrelated groups of alts were disclosed. Stay tuned.”

Personally, I’m not holding my breath for another bout of lip service. Linden Labs have already lost any credibility they ever had.

1 03 2011
no2redzone

Thanks Magnuz. I agree, LL let themselves and their users down badly by not acting more decisively and more quickly. This product should have been banned long ago. Consent must be required for the data collection, not on disclosure.

However, to give due credit, I do think Soft Linden is genuinely trying to resolve this.

1 03 2011
Magnuz Binder

I’m sorry if I’m a cynic, but I believe more in Soft having been appointed to do minimal damage control. Bottom line is Linden Labs don’t want to stop this, and I can see at least three good reasons, called money, money and money.
1. It costs resources to do anything about it.
2. Scams like RZ and in-world rackets like JLU and SLPD keep the idiots who fall for them from requesting LL to do what these scams and rackets claim to do. Just handling the extra ARs otherwise costs resources, let alone actually acting on them.
3. LL want to keep the door open to make money from letting other 3rd parties, e.g. FaceBook, harvest user info from SL.

1 03 2011
Nelson Jenkins

@ Magnuz Binder

I don’t understand why LL doesn’t cripple these new SLPD fuckheads already. I’ll be the first to admit that I started the craze in 2005, and 2 years later LL removed “SL” and “Second Life” out of all the groups (then changed the TOS at the same time to make having “SL” and “Second Life” in group titles and whatnot illegal). Why this is not done anymore is beyond me.

If you have a problem with SLPD, my advice is to spend your time in a private estate where grid PDs aren’t tolerated, i.e. everywhere outside the mainland.

1 03 2011
Karen

“If you have a problem with SLPD, my advice is to spend your time in a private estate where grid PDs aren’t tolerated, i.e. everywhere outside the mainland.”

Just mute the SLPD or ban them from your parcel if they continue to be annoying.

2 03 2011
Sione

I just ran into this and would just like to let you know, the code in those viewers is based on a patch I made, submitted to the Phoenix team and placed on Bitbucket for the other TPVs. It has nothing to do with the patch for Phoenix on the Jira.

2 03 2011
Magnuz Binder

Oh, it was banning the head of SLPD for using RedZone which made me even aware of their existence. The guy went nuts on the RedZone forums about how he never had been banned before and how he was now adding me to his ban networks. I’m sure the ones in those networks fully understood his cause when he explained to them “Hey, I got caught with my hand in the cookie jar using spyware by this guy who was insolent enough to ban me for it. I hope you don’t mind me using this my personal vendetta as an excuse for adding him to the ban lists.”

2 03 2011
Sione

I just ran into this and would just like to let you know, the code in those viewers is based on a patch I made, submitted to the Phoenix team and placed on Bitbucket for the other TPVs. It has also been adapted to Firestorm by Tonya Souther.

It has nothing to do with the patch on the Jira.

2 03 2011
Tonya Souther

I don’t know who Katrina is, but the patch was originally written by Sione Lomu and extended and enhanced by me with a few added ideas from Henri Beauchamp.

2 03 2011
Voff Uggla

“Now, if I only had someone to tell me how to incorporate the patch, sigh”

“It is coming soon to official phoenix…”

March 2 and still waiting, in the meantime I’m using the Dolphin Viewer.

2 03 2011
no2redzone

Thank you Sione. I had assumed you and Katrina were the same. Looking at the code in Phoenix, I see it is indeed quite different from the patch on the Jira so it looks like there are two different patches out there. Apologies for the misattribution.

2 03 2011
no2redzone

I have now updated my post to make it clear that the patch on the Jira is not the one adopted by Cool Viewer and Phoenix. Apologies again for confusing you, Sione, with the author of the blacklist patch.

As regards “manually declining” posts, I do not decline any posts on this forum except obvious spam. I have edited just two posts and explained why (disclosure of personal information). This is a wordpress.com site, and the default setting, which I have accepted, is that the first post from any person is held for moderation (as an anti spam measure). Once that is approved, further posts are not moderated if you keep your details the same. I do not require valid email addresses to post here.

And yes, I do read sluniverse.com when I can, although I can hardly keep up with that thread. Today I was working away from home and have just returned and approved your posts. Apologies for the delay.

I hope this goes some way to restoring your faith in the integrity of this forum.

4 03 2011
Sione

It’s all good 🙂 I removed those posts from SLU

4 03 2011
Katrina

I wish to apologise to you too really, I had no idea my little plugin would get mixed up with a much better one 😄

3 03 2011
Katrina

[quote]In any case, many many thanks to Katrina for giving us this patch and giving us back our freedom of choice. Thanks also to the developers implementing it.[/quote]
May wish to change this part too, and sorry for the mix up, seems I made one at about the same time, Sione’s however is much better than my small thing. I just thought to put mine up on the Jira, in case it was useful, did not mean to steal any thunder sorry.

3 03 2011
no2redzone

Thanks, now changed. And it was my error, not yours! Thanks for the work you did too!



