Lex Neva's thoughts blog of Lex Neva in Second Life

March 19, 2008

Lex Neva comic

Filed under: Miscellaneous — lex @ 9:24 pm

Drawn by the beautiful Amon26 Yellowjacket, it’s a Lex Neva superhero comic!

[Image: lexnevacomic.png]

December 1, 2007

Disable QuickTime in SL

Filed under: Miscellaneous — lex @ 3:18 pm

I know you’ve all seen the warning that there’s a vulnerability in QuickTime, but I just want to urge you to disable QuickTime in SL if you haven’t decided to already.

There’s now a proof of concept that this vulnerability can be used to take over your SL viewer and make it do whatever an attacker wants, such as sending them your L$.

http://www.securityevaluators.com/sl/

Just to avoid being alarmist:

  • There is no evidence that evil people have done this yet.
  • You MUST be on land owned or controlled by the attacker for them to get you.
  • You can disable QuickTime and completely remove the possibility that you’ll be attacked.
  • Playing a video on land owned by a friend you trust is not going to leave you vulnerable.

So no running around and screaming. But on the other hand, this is more serious than LL’s blog post makes it seem. This vulnerability CAN let attackers gain complete control over your system, and working exploits for the QuickTime vulnerability itself can be found on the web. LL has said that they’ll be active in investigating any reports of the actual use of this vulnerability in SL, but that might not be enough. What if someone uses their control over your system to “open source” all of your products, distributing them for free?

I’ve sent an email to LL urging that they hit their big QuickTime off switch, despite what I know this would mean for several of the projects I’ve worked on in SL. In the meantime, I urge you to disable QuickTime in SL, or at the very least follow these steps to disable RTSP (the vulnerable part of QuickTime):

  1. Start QuickTime.
  2. Edit -> Preferences -> QuickTime Preferences
  3. File Types tab
  4. Expand “Streaming – Streaming movies”
  5. Uncheck “RTSP stream descriptor”.

It’s very likely that this will completely mitigate the vulnerability. However, I’ve seen a little conflicting evidence on this front, so, since I have so much at risk with my products in SL, I’ve decided to go the paranoid route and only enable QuickTime in SL when I completely trust the owner of the parcel I’m on.

Again, I don’t want to incite panic here, but I think knowledge about the possibilities opened up by these kinds of vulnerabilities is critical to making an informed choice.

January 8, 2007

Linden Lab Open Sources SL Client

Filed under: Miscellaneous — lex @ 3:44 pm

So, LL has gone and given away (some of) the goods: they’ve open-sourced the SL client. This is going to lead to a lot of interesting things, like largely obsoleting the current modus operandi of LibSL and opening the door for lots of fun things like end-user security audits, resident-contributed features, and resident-released clients.

This just underlines the need for a trust metric in Second Life. If someone decides to release a client, I need to know that I can trust them. How do I know their client won’t steal my password and tell it to them so that they can run in and wipe my account of Lindens? How do I know their code won’t make a mess out of my computer? How do I know their code won’t inadvertently make me do something that LL’s servers consider griefing? What if their code stole all of my content and sent a copy to them?

Of course, any client that’s developed and released by a third party, due to LL’s licensing, must be open-sourced itself. However, that’s not necessarily enough to make it Safe. That code would still need to be vetted by the community to ensure that there aren’t any hidden trojans that do nasty things when you run the client. I don’t know about you, but I don’t have either the time or the energy to vet a third-party SL client’s code before I run it. I know other people are like me in that respect, and that means that a malicious programmer could release a trojan SL client and do some damage before the community caught on.

So, for now I won’t be running any client that’s not released by Linden Lab, because I have no way of knowing if I can trust the person releasing it. If we had a system like the Reputation System I proposed previously, then it would be much easier for me to make a quick and yet confident decision about whether to trust a client written by a third party. I simply need to check their Reputation Score, and think about how badly they would be affected if their reputation were tarnished. In the case of a big name in SL, someone who’s been around in the community for a long time, it’s pretty likely that they wouldn’t risk ruining their reputation by releasing malicious code in the form of a trojan SL client, because they would, essentially, lose the use of their entire SL identity in the process.

December 27, 2006

Whoa, a blog.

Filed under: Miscellaneous,Reputation — lex @ 5:38 pm

This, it turns out, is the first blog I’ve ever set up solely for myself. There’s the Suffugium Blog, and then there’s the blog I set up for my grandfather, but I’ve never had one for myself, unless you count a livejournal.

I started this blog for one reason: to write up a fairly long essay I’ve been tossing around in my brain and in my paper journal. It’s going to deal with the huge problems Second Life (and by analogy all internet gathering places) is dealing with regarding jerks: people who just don’t know how to get along with others, or who actively try to piss everyone off.

I’m going to present a pretty good solution to the problem of griefers in Second Life. A lot of people have presented a lot of solutions, and most of them are unworkable for various reasons. Mine’s different: it actually stands a good chance of working, and it clearly and neatly answers every objection I can think of that normally kills ideas of this sort in their infancy.

So stay tuned. I’ll be posting soon, once I get the whole thing composed in a clear, concise manner that presents the idea well. It may take me a while, because my wrists ache if I type too much.
