by Phil F. Kearny
A while back Linden Lab introduced Viewer 2. It was pretty much universally hated at its introduction and is still so by a solid majority of people. I decided to give it a try, and after several weeks of use I became used to it and abandoned my previous viewer, which was Emerald. I was always nervous about using a third-party viewer just because of the possibility of someone being able to insert their own code in for malicious and/or commercial reasons. The developers of Emerald always insisted that all of their code was transparent and easily viewable and verifiable. But this apparently is not the case.
Recently, one of the developers has quit Emerald and published some interesting things in his blog.
“Unfortunately, I do not feel confident enough to support it any more, for a number of reasons. I did not realize at the time that emkdu was added, that it could be used to add in code I was not able to see. These things were done behind my back, it was found out by others that code was placed in that broadcasted your viewer's title bar and executable path in an obfuscated manner. This was addressed, promised to be fixed, and (luckily) people broke through the now encrypted layer to find out that it was not. Of course, it has been promised to be fixed a third time, but now with an encryption level too high to be broken. Although replacing or deleting emkdu would resolve this issue, I also have to consider that this was hidden in the code for months without anyone knowing.
Regardless of the intentions of those who placed this code there, it has made one thing inescapably clear. I am not able to double check everything any more. I tried to find a solution to resolve this matter, but it appears that most people do not care about this to the level that I do. I made sure the other Emerald devs were aware of what is going on via this. As mentioned there, closed source, hidden designs and single developer licenses have no place in Emerald. People can make mistakes, but it is important that others can double check without having to break through encryption.”

Whaaaa? Encrypted stuff in Emerald? Who are these people anyhow and do you trust them? At least we know the address of Linden Lab. But what sort of encrypted stuff could it be?
http://nalates.wordpress.com/2010/08/15/emerald-viewer-scandal-erupts%E2%80%A6-again/
“For users of Emerald there are several things that have happened that are alarming. At one point the viewer was sending some user information to the Emerald servers. The devs said, OK, it’s fixed and does not do that anymore. LLG found that the data was still being transmitted but then it was obfuscated using an XOR algorithm. This means that simply watching the data stream to see what is being sent out of the viewer becomes more difficult but not that hard to figure out. After another round of complaints the data is now apparently encrypted, making it extremely difficult to see what is being sent. I have to ask why, when caught, they went to XOR and, when caught again, then went to encryption? I find this behavior very indicative of a problem. Not only is the code closed, so is the data being sent.
Also, directory paths and login ID and possibly full real life names were being baked into the AV texture. Thus allowing others to learn an avatar’s real identity.
The consensus on SLUniverse seems to be to stop using Emerald. I can understand that choice. I am changing passwords and will be using Emerald only with an AV without payment options. The data being transmitted is said to be information about the user’s computer and name but not passwords, but how can I know that?”
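The quote's point that XOR obfuscation makes the data stream "more difficult but not that hard to figure out" can be shown with a short added example (not code from Emerald, the quoted blogs, or this post). It assumes a short repeating XOR key and that the person auditing their own viewer's traffic knows a fragment likely to be inside it, such as their own home directory; the payload layout, key and paths are constructed.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(payload: bytes, crib: bytes, max_key_len: int = 8):
    """Slide a known plaintext fragment (crib) along the captured payload.

    At the correct offset, payload XOR crib is the raw keystream, which
    repeats with the key length. Returns (key, offset), or None if no
    offset gives a repeating keystream and fully printable output.
    """
    for offset in range(len(payload) - len(crib) + 1):
        stream = bytes(c ^ p for c, p in zip(payload[offset:], crib))
        # Require the crib to span at least two key periods.
        for klen in range(1, min(max_key_len, len(crib) // 2) + 1):
            if any(stream[i] != stream[i % klen] for i in range(len(stream))):
                continue
            # Rotate the keystream so key[0] lines up with payload[0].
            key = bytes(stream[(i - offset) % klen] for i in range(klen))
            plain = xor_bytes(payload, key)
            if all(32 <= b < 127 for b in plain):
                return key, offset
    return None


def audit(payload: bytes, crib: bytes):
    """Return the de-obfuscated payload as text, or None if nothing fits."""
    found = recover_key(payload, crib)
    return None if found is None else xor_bytes(payload, found[0]).decode("ascii")


# Constructed sample, not real Emerald traffic: the field layout, key and
# paths are assumptions made up for this example.
SAMPLE_KEY = bytes([0x5A, 0xA7, 0x3C, 0xE1])
SAMPLE_PLAIN = b"exe=C:\\Users\\alice\\Viewer\\viewer.exe;title=Example Viewer 1.0"
CAPTURED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)
# The auditor's own home directory, which they know without any key.
CRIB = b"C:\\Users\\alice\\"

if __name__ == "__main__":
    print(audit(CAPTURED, CRIB))
```

Once the traffic is properly encrypted, as the quote says happened next, this kind of check no longer works and the user cannot verify what is being sent.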
I am glad to be on Viewer2 and will gladly sacrifice some bells and whistles like jiggly bewbies.