Posted by: Fractured
on Mar 04, 2010
Various recent events have stirred up yet another storm of misinformation and rumor about certain third party viewers. This has once again brought to light the fact that most people know little about most of the harmful viewers in circulation: the viewers that violate licensing agreements to stay closed source, and the ones equipped with content theft tools and weapons designed to intentionally crash other viewers and sims, or otherwise ruin Second Life for others.
These viewers generally remain private, closely guarded and shared either with close friends or for a significant fee, the reason being that exploits are quickly identified and neutralized when released in a public manner.
The result is that nobody can be sure of the capabilities of these viewers. Information posted on blogs and forums is woefully inaccurate at the best of times, and even more often it is misinformation spread by those who want the public to remain in the dark. We spent a long time discussing this, and we've come to the conclusion that sharing the information that we've gathered and independently confirmed about these viewers is the right decision, as it will give people the answers they need to make informed decisions on how to protect their content.
This is why we have chosen to make public the Onyx project here at Modular Systems.
Onyx is a project in which a group of our core developers explicitly spend time locating and fixing the vulnerabilities that can be used to crash Second Life viewers or simulators, to violate the permissions systems, or to infringe upon the rights and degrade the experience of Second Life users. This is done by testing for potential new vulnerabilities, by maintaining watch over the most popular forums and websites for sharing these viewers, and by acquiring copies of said viewers to test and identify any exploits they may be using.
Confirmed exploits are patched in Emerald if it is possible for us to do so, and immediately communicated to Linden Lab so that they can make the necessary changes to render them ineffectual.
Since the project began it has remained private, because it was not important for anyone to know it existed as long as the exploits were fixed. We are changing this now because the Onyx project is undergoing significant changes, as a result of both Linden Lab's Policy on Third Party Viewers and the changes this policy will cause developers of these harmful viewers to make as they struggle to hide their identity.
We are creating a public site for Onyx; on this site we plan to list every viewer we are aware of, which of them are known to have malicious features, and what those features are. Think of it as a viewer reference that actually includes viewers that don't want to be found.
We are announcing this because you can help us. Our resources are finite, and there are a lot more people developing these malicious programs than there are trying to stop them.
Together we can limit the spread and functionality of these viewers.
What we need you to do is send us information on anything that:
* could be used to crash a viewer (most significantly on-demand)
* could be used to crash a sim on-demand
* could be used to violate the permissions system
Also, and more importantly, send us any malicious viewer, especially any that we do not currently have information listed on, or any for which you feel our information is incomplete or inaccurate.
Viewers sent to us will be analyzed and their nature listed on the viewer list. Don't worry about any sort of "access control" or "security" a malicious author may have put in place; it's not an issue for us, although any details would be welcome if available.
In any of the above cases we encourage you to also report them as a SEC JIRA entry at http://jira.secondlife.com/; this both guarantees that Linden Lab knows about it, and ensures that if a bounty is issued by Linden Lab, it will be received by you, not us.
Any materials can be sent via email to onyx@modularsystems.sl for immediate review.
We expect there may be some controversy over this; however, we feel that by working with all of you, instead of alone, we can do far more to combat malicious viewers, whether they be for content theft, to attack other residents, or both.