Sunday, August 22, 2010

The Emerald Mess and Trust in a virtual world environment

Since I mentioned the Emerald viewer in my post yesterday, I feel the need to raise a general warning about the use of 3rd party viewers.

All software you install on your PC is a potential security threat. There are a few technical security measures on modern operating systems (Linux, MacOS and Windows 7) that limit what an application can do without being given consent, but there is still a lot of headroom for creating havoc.

More specifically, any application can access the net, upload information, and receive instructions on what to do without you knowing anything about it. So really, you are at the mercy of the supplier when it comes to your security on the net.

Last week, the head of the Emerald development team inserted code in the splash screen to facilitate a Denial of Service attack on a blog writer he had some grudges against. He misused the computers and network connections of EVERY Emerald user, making us all an unwilling tool for his childish prank. The Emerald project seems to be in deep shit right now, mostly because of the lack of trust this incident has created.

But it could actually have been a lot worse. When you use any viewer to log into Second Life, you give that viewer total control over your account.

I don't know what security measures Linden Lab has on the server side, but in principle nothing is stopping malicious code inside the viewer from sending your password to an external server, transferring money to another account, or using your avatar to send griefing IMs or perform any action whatsoever.

Not only that, but nothing is stopping it from receiving commands from a central server in real time. This is the arrangement normally known as a botnet.

It's a scary thought, but anyone with such control over a popular viewer could actually destroy Second Life, or at least force the Lab to roll back everything to the last backup. Let's say someone managed to insert code into the latest release of the imaginary and very popular Pink (:-)) viewer. Two scenarios are particularly scary:

1. The bored prankster's wet dream:
Sunday evening, with concurrency at its highest, every running Pink viewer starts to shuffle money around randomly to other Pink viewer users. If you have payment details on file, the viewer will buy as many lindens as it can and transfer those too. The viewer deletes every no-copy item in anyone's inventory, and when it's done your avatar undresses, shows off a big Pink d**k, and jumps on the nearest avatar it can find. If that avatar too is Pink controlled, well, there is no telling what position they might start to use.... If you panic and close the viewer, another Pink user's instance will log in your avatar as a bot; the bot will go around all your land, delete all builds, abandon all land, and the mad dance will continue until Linden Lab is forced to shut down the grid.

2. The cold criminal:
He is in this for the money. So, he will slowly tap accounts and buy lindens with your credit card, hiding the fact from the owner by displaying a fake sum in the top-right corner. If he is not greedy, he might be able to get real dollars out of SL before anyone raises the alarm.

To be sure, I would guess that Linden Lab has server-side and other operational security measures that may detect and stop such attacks, and there are technical and legal ways to find those responsible afterwards. Also, it would probably require too much work for anyone to fully exploit these possibilities. But they are scary enough even on a much smaller scale. So, using a 3rd party viewer really requires trust.

How do you find out whom to trust? If the viewer is registered in the Lab's Third-Party Viewer Directory, that is a sign that the authors are probably not going to mess with you (though it must be said that Emerald was on that list until recently :( ).

This brings us directly to the core of trust in a virtual world, where the only thing you know about a person is their avatar profile and the sum of all public statements they make: in blogs, on Twitter and inworld.

Some viewer developers are active bloggers. I find that attitudes and expressions are rather revealing of the characters behind the av. There are developers I trust and developers I don't trust. I can't tell you whom you should trust, because you have to make that choice for yourselves. I just wanted to tell you that yes, there are third-party viewers that are much better than the official ones, but you really do have to be a bit careful when choosing one.
