October 19, 2009

Everybody knows Emerald steals passwords


The following dialogue is quoted from memory - I had similar conversations in the past, so this is quite symptomatic:
Random Avatar: I don't trust a viewer that hides code in an open source project.
Peter Stindberg: How do you hide code in open source software?
Random Avatar: Code obfuscator! It is common knowledge on the Linux mailing list that Emerald has some shady stuff hidden in the source.
Peter Stindberg: So you personally found hidden code in the Emerald source?
Random Avatar: No, it was discussed on the list.
Peter Stindberg: So someone you know and trust found hidden code and posted it on the mailing list?
Random Avatar: No, it got widely discussed on the list.
Peter Stindberg: But you personally saw hidden code posted on the list?
Random Avatar: [does not answer anymore]

Even though I have lately been using Emerald more and more often, I am not a big fan of that viewer. Early versions crashed on me quite a lot (<= 10 minutes); newer versions still typically crash after 60-90 minutes. Some features seem to be incorporated in a haphazard way. All in all it looks a bit chaotic from a development point of view, with many people adding very exciting new features, but with no coordinated development roadmap and little bug testing. I also don't like that, in public perception, features get attributed to Emerald that were first shown in other viewers, like the "worn" tab, or inventory double-click, which dates back to the old Nicholaz viewers. But for that only the public perception is to blame, and not the Emerald team. Anyway, no other viewer has experienced such a rumor mill or is the source of so many conspiracy theories. Allegedly, Emerald sends your passwords to a hidden server, secretly steals your L$, tracks your every move, eavesdrops on your IMs, will steal YOUR creations or allow YOU to steal OTHERS' creations (depending on who you listen to). And no, I did not make that list up; those were issues brought up in open chat very much like the chat I quoted from memory above.

  • The fact is that Emerald is open source. This means everybody has access to the source code, can examine it, and can compile it to get their own set of executable files. In fact, making the modified code open source is one of the requirements of the license imposed by Linden Lab if you want to make an alternative viewer. There is only ONE viewer I am aware of that does NOT publish the code, and this is Kirsten's Shadow Viewer. There would be WAY more reason to think anything shady (pun not intended) might be hidden in the Kirsten viewers, but I have heard no allegations so far.
  • The fact is that if Emerald stole your passwords, we would know by now! For whatever reason there are a whole bunch of folks out there who would have a field day if something shady could be proven to be hidden in Emerald. This means that the code not only can be checked by anybody in theory; I am pretty sure it IS ACTIVELY checked by third parties, thoroughly, with each new release. I am convinced the same third parties run packet sniffers and all sorts of tools to catch Emerald with a smoking gun. The person who proves that Emerald does something illegal will be the hero of the day, and many will take their chances and check it thoroughly. If Emerald were a Trojan horse, we would know it by now.
  • The fact is that Emerald has a whole bunch of functions that prevent theft and griefing! Emerald protects your clothing layers, uploading only baked layers to the server, so no one can steal individual layers of your clothing. Emerald detects a whole range of griefing attacks and stops them dead in their tracks.
Use Emerald if you like it - a lot of great features speak for it. Don't use Emerald if you don't like it. If you have security concerns, simply don't use it. But please stop spreading unverified rumours! The code is out there for anybody to see.