
Reader Comments (6)

Posted: Dec 27th 2008 11:24AM (Unverified) said

  • 2 hearts
Personally I think Linden Lab should publicly reveal all exploits they find out about at the time they do. People are spending real money on and in this game. If one person knows about something that is detrimental then I think we should all know. Then we can take our own steps to protect ourselves until Linden Lab fix it.

If Linden Lab don't want everyone to know, then no one should know outside of them and the discoverer who reports it to them. If the plan is to tell some other people then I would like to be one of those other people please.

Posted: Dec 27th 2008 12:24PM (Unverified) said

  • 1 heart
I'll post here what Rob Lamphier (Rob Linden) is refusing to let through and "moderating off" this list, which differs little from what Tabliopa says:

I'm truly failing to see why only one group of select and special coders get to know when there is a security vulnerability, and the rest of the public using Second Life does not get that knowledge.

The coders fooling around with various open-source versions of the viewer have the least to lose. Security vulnerabilities don't harm them. They harm merchants, creators, ordinary users with credit cards tied to their accounts, and so on far more than they harm the one class of SL that usually makes sure their work is never hackable -- scripters.

So I'm failing to see why we need to have yet another example of FICing, and elevating one class of SL residents above others -- and with no demonstrable purpose.

Posted: Dec 27th 2008 6:25PM (Unverified) said

  • 2 hearts
Military technology is usually disclosed to the "civilians" a few years after it has become "state of the art" (10 years in some countries, I believe). The reasoning is about the same: you don't wish your enemies to have a clue on what you've just been able to develop. In the mean time, your allies are (often) informed about the technology you've developed, on a "need to know" basis only.

The software industry uses in general a similar concept. Hardly any company publishes announcements of the exploits they've patched *before* they are, well, patched. It's almost always an after-the-fact announcement. The exception being when someone finds out about an exploit, and, instead of using it to malicious purposes, releases the information publicly (either for others to use it for malicious purposes, or simply to put pressure on companies to patch the exploit more quickly).

There is *usually* a difference in the open source community, where exploits are *usually* publicly announced to a wide audience which is expected to provide a patch as soon as possible. But it's a different model of "crowdsourced" software development.

Linden Lab is one of those companies having a foot on either side. On one hand, on their *closed source* software (the servers), they are able to just publish the exploits after they get fixed. On the other hand, on their *open source* software (the clients), they could hypothetically crowdsource some help to fix those exploits *if* the developer community is made aware of them. But then again, this would mean that malicious use of those exploits would be widely available to every cracker and script kiddie out there — until a fix is available, which often takes months or years.

Taking a look at the SLdev mailing list it seems that this is the sort of question that gets a different answer depending on who's writing about it :) The way Rob puts it, the purpose of LL to have this "early warning list" is less to crowdsource developers to fix the exploits for them, but more for third-party developers to be able to fix their viewers at the same time as LL. Well, Jacek argues (quite well) that third-party developers are not hampered by LL's long-winded development procedures: if they get a fix for an exploit, they can deploy it as quickly as LL can send that patch ("in a few hours"). What this means is that the "early warning list" is pretty useless — LL is assuming that everybody else is as slow as them and "requires time" to apply a patch. They don't. They can do it *instantly*. With that reasoning in place, an "early warning list" doesn't really make much sense.

The other aspect of creating this "early warning list" would obviously be a cry for help for developers to contribute code to fix the exploit. Well, Rob apparently is not considering that at all. In fact, reading the SLdev list, it seems that on most times, when external developers find an exploit by chance, they are *much quicker* than LL to patch their own viewers, and in some cases, even post the patch to the pJIRA (where LL often "buries" it in an attempt to avoid drawing too much attention until their own developer team can implement the fix on LL's own viewers — a process usually taking several months).

So, at the end of the day:

- publishing known exploits WITHOUT workaround information seems to be quite reckless; the public in general ought NOT to be made aware of those. On the other hand, IF there is a known workaround, it ought to be released immediately
- giving "advance warning" to a list of developers (especially if LL already has a patch and is NOT looking for help developing one) is pretty useless. Developers are instantaneously quick to reply to a patch as soon as it's made available, so no "advance warning" is really *very useful*. The fear that the "wrong" people get the advance warning and are able to use the exploit for malicious purposes (even if in a very short timeframe) far outweighs the advantage of giving a few honest developers advance warning for something they'll be able to fix pretty quickly anyway

So the more reasonable approach seems to be:

- don't give anyone "advance warning" at all, UNLESS there is a simple workaround for the exploit: in that case, publishing the workaround ASAP *publicly* is quite a sensible move!

As a side-note, it would also be great for LL to create a "Mythbusters" webpage where, from a position of authority, they could dispel some popular urban myths. A typical one is the belief that writing the word "!quit" in chat every few minutes will prevent CopyBot from copying your content ;)

Posted: Dec 27th 2008 9:08PM (Unverified) said

  • 2 hearts
You're 100% correct Gwyneth - what would LL gain from disclosing a viewer vulnerability to the outside world? Revealing any of this info prior to coming out with a patch would indeed be reckless. It is however very normal that it takes LL much longer to implement updates simply because their audience is a bit larger than those of any other 3rd party viewer.

Posted: Dec 28th 2008 1:15AM (Unverified) said

  • 2 hearts
I just pick up on the kinda exploit that does the most damage imo. A person discovered a way to get free advertising listing. Another person discovered another way to do same thing. They report to Linden Lab and were told that Linden Lab already knew for quite a while about it. And that one day they will fix. So those people went public and LL fix straightaway.

The people who get hurt here are the people who bought adverts during this period not knowing that other people were getting the same and higher listings for free. They were bidding and paying their own real money against nothing.

Is a big call for Linden Lab to tell people about this kinda thing ya as it will cost them money. But is not right really to continue to take money in these circumstances. Specially when there was a fix but it wasn't considered important enough to fix urgently simply because not everyone knew about it.

These kinds of exploits that impact on other people's money should be advised immediately I think. Is not a security issue at all really. It's more a market disclosure thing I think.

Sim crashy thingys ??? That's kinda military stuff so ya I can see why Linden Lab maybe not want to share that until they have a fix in place.

Posted: Dec 28th 2008 1:18AM (Unverified) said

  • 2 hearts
Well, things that crash sims or are exploits in server-side code wouldn't be included for disclosure under this proposal.

Of course, the whole thing becomes moot if exploits aren't fast-tracked to fixes.