October 19, 2009

Everybody knows Emerald steals passwords


The following dialogue is quoted from memory - I had similar conversations in the past, so this is quite symptomatic:
Random Avatar: I don't trust a viewer that hides code in an open source project.
Peter Stindberg: How do you hide code in open source software?
Random Avatar: Code obfuscator! It is common knowledge on the Linux mailing list that Emerald has some shady stuff hidden in the source.
Peter Stindberg: So you personally found hidden code in the Emerald source?
Random Avatar: No, it was discussed on the list.
Peter Stindberg: So someone you know and trust found hidden code and posted it on the mailing list?
Random Avatar: No, it got widely discussed on the list.
Peter Stindberg: But you personally saw hidden code posted on the list?
Random Avatar: [does not answer anymore]

Even though I have lately been using Emerald more and more often, I am not a big fan of that viewer. Early versions crashed quite a lot on me (<= 10 minutes); newer versions still typically crash after 60-90 minutes. Some features seem to be incorporated in a haphazard way. All in all it looks a bit chaotic from a development point of view, with many people adding very exciting new features, but with no coordinated development roadmap and little bug testing. I also don't like that in public perception features get attributed to Emerald that were first shown in other viewers, like the "worn" tab, or inventory double-click, which dates back to the old Nicholaz viewers. But for that only the public perception is to blame, and not the Emerald team. Anyway, no other viewer has experienced such a rumor mill or is the source of so many conspiracy theories. Allegedly, Emerald sends your passwords to a hidden server, secretly steals your L$, tracks your every move, eavesdrops on your IMs, and will steal YOUR creations or allow YOU to steal OTHERS' creations (depending on who you listen to). And no, I did not make that list up; those were issues brought up in open chat very much like the chat I quoted from memory above.

  • Fact is, Emerald is open source. That means everybody has access to the source code, can examine it, and can compile it to get their own set of executables. In fact, publishing the modified code as open source is one of the requirements of the license Linden Lab imposes if you want to make an alternative viewer. There is only ONE viewer I am aware of that does NOT publish its code, and that is Kirsten's Shadow Viewer. There would be WAY more reason to think something shady (pun not intended) might be hidden in the Kirsten viewers, but I have heard no such allegations so far.
  • Fact is, if Emerald stole your passwords, we would know by now! For whatever reason there are a whole bunch of folks out there who would have a field day if something shady could be proven to be hidden in Emerald. Which means that not only can the code be checked by anybody in theory, but I am pretty sure the code IS ACTIVELY checked by third parties, thoroughly, with each new release. I am convinced those same third parties run packet sniffers and all sorts of tools to catch Emerald with a smoking gun. The person who proves that Emerald does something illegal will be the hero of the day, and many will take their chances and check it thoroughly. If Emerald were a Trojan horse, we would know it by now.
  • Fact is, Emerald has a whole bunch of functions that prevent theft and griefing! Emerald protects your clothing layers by uploading only baked layers to the server, so no one can steal individual layers of your clothing. Emerald detects a whole range of griefing attacks and stops them dead in their tracks.
Use Emerald if you like; a lot of great features speak for it. Don't use Emerald if you don't like it. If you have security concerns, simply don't use it. But please stop spreading unverified rumours! The code is out there for anybody to see.

19 comments:

Balp said...

To straighten one detail out, Kirsten's Shadow Viewer now has her code on SourceForge. She now complies with the GPL requirements, at least mostly; last I tried, the code didn't compile. But that can be that Kirsten is not the best at keeping track of what she does. Much of this is thanks to Boy Lane.

Emerald is also one of the very few third-party viewers where you can verify the build with a crypto key.

My view as a developer and coder is of the Emerald team, where I'm a hang-around onlooker. And sometimes I get a desperate Skype to quick-fix a bug or two from a sweet Russian who trusts in my coding.

It's the biggest cooperation around the viewer. It has the most ideas; it's moving with humongous speed. It has mostly good code. The individual coders differ in skills, as always. Some don't know about the differences in the various OSes the viewer runs on. It needs GUI and usability help. It needs someone who can explain all the strange stuff in the GUI, all the nice features added and what they do.

I would love to see McCabe and jjacek join the team. But then maybe it's best that they stand on the outside and take the best parts into their project.

Boy Lane said...

Oh hell ya...this Mr. Random Avatar, I know him and his family. The last time we talked I told him this:

"P.S. There are people spreading rumours about the Cool Viewer inworld. That it saves your password, and that it sends it to the "Lindens". To be honest....yes, this is true. All of it. CV saves your last password locally as every other viewer does, to make your next login more convenient. And....to make it worse....it even sends the password to the "Lindens". Otherwise you could not login into SecondLife *giggles*. Makes sense?! :)"

London Spengler said...

It is fun you mentioned Kirsten's viewer, since I use it and it feels like living dangerously, using a non-GPL app (or it was, at least; I didn't know she had published her code).

As a Windows user I've got accustomed to "closed" software, and tend to hope the more skilled members of the community will discover if there is something cheesy in the freeware items I am using.

It doesn't matter if Mr. Random Avatar was trying to slander the viewer or passing advice to the community. He magnified the danger using a generalization (if everybody knew, bloggers would have cried it to the skies) and mixing it with the absence of specific data (who found it?); when something like that happens you are facing hearsay, and I am glad you stopped him in his tracks.

You are right, Emerald is open source and if there was a trick in its code it would have been discovered by now.

Now the matter is, will Mr. Random Avie learn the lesson, or will he simply jump to friendlier ears?

And why I am so sure that, most times, he will choose the second option? After all, it is the easier, funnier one :-p

Raul Crimson said...

Well, this is the typical story of fake rumours. Sad, but happens often.

Of course using a 3rd party viewer is an option, maybe some can be dangerous, but being open code is in some way a way to be sure it works OK. I use Emerald for some reasons, I love the features, and I know some of the coders.

Anonymous said...

I dealt with this very issue in discussion just yesterday, where someone was upset that Emerald messed up settings, etc., at which point it became "suspicious." I have many friends who are experienced in code and say there's nothing to the rumors. I've used it myself on and off - currently though - I'm using the regular viewer! Use the viewer that works best to meet your needs in SL. End of story.

Chic Aeon said...

Great post. TY.

I've been using Emerald for a while now after listening to SO many in the fashion blogger groups' rave reviews. I haven't been able to use the standard Linden player in well over a year due to some software conflict (have no clue).

I have used most of the viewers mentioned in these comments and they were all favorites for a while, so kudos to all the coders who are busily trying to make our experiences better.

I will agree that it is a bit like being a beta tester with the new Emerald features. Almost no documentation and many of the users are completely clueless as to what to do with the new stuff. It is a bit like navigating an adventure game in order to get into another "game" we call virtual worlds.

I think more how-to info would be a great help and to that end I wrote a tutorial on how to set up the new integrated AO and a bit on how it works. It can be found at: http://chicatphilsplace.blogspot.com/2009/10/emerald-integrated-ao-setup.html I would really like to see more of this from others. It seems like some of us could do our part in the big scheme of things and help the less techie folks with the usability issues -- even if we can't code :D.

Again, thanks for the thoughtful post.

Anonymous said...

So how do you know the compiled binary is compiled from the posted source? Personally I would feel better if LL compiled the binaries for third party viewers so we could download from a "trusted source." Oh but wait! What I would really like to see is LL actually listen to customer demand and immediately implement the features in demand. But since LL can't even manage to sync Snowglobe to the last release (VWR-13868 was committed to the new main viewer but when Rob added the notecard stuff to Snowglobe he apparently didn't know about VWR-13868, so now we have a bastardized Snowglobe release with a left-out fix) why should anyone trust them to know anything about analyzing code for vulnerabilities they can't detect till someone else points it out. Perhaps the best idea is for LL to simply get out of the viewer business if they are unwilling to hire and commit the quality and amount of resources to viewers their third party viewer competition is committing... for frikkin free.

And where is the mystery SL2009 viewer anyway and will the source code be published?

Peter Stindberg said...

Well, apart from the digital signature (which other viewers don't even offer in the first place) there is no added guarantee that the executable and the source code are identical. However, if you are so security-conscious about that, it would probably be best if you compile the source code yourself, or have a trusted friend do it for you.

Balp said...

I have my viewer compiled by a trusted source, Discrete :D Having talked to Discrete, he is someone I trust more than anyone any company I ever heard of would have the money to employ to do compilation of third-party stuff.

Yes, I work with code professionally EVERY day. The Emerald team are above-average coders. There are some good people at LL; I think the Emerald team is better than the LL team. The Emerald team, though, has a totally different motivation. They do what they love; many at LL do their best to get a better job and a better salary, SOME really burn to make a better viewer.

Balp said...

The best way to make trust is to talk to the people, check out what they made, read their code if you can.

Talk to people who can read the code. The attacks on Emerald and the team are quite funny actually... The sad part is people believe them...

Unknown said...

Peter, what's in it for YOU to flog dodgy opensource projects?

Perhaps content theft doesn't matter to you, or griefing of rentals doesn't matter to you, because you have a service business that depends on neither of these? Typical of the smug-burgher approach to SL we so often see. Try to look beyond the end of your nose and see that your translation business depends on the well-being of these other businesses.

Emerald is havoc. The developers have anonymous accounts of only 30 or 60 days or even 1 day. The Emerald devs and Emerald Point management groups have people documented, demonstrably found guilty of hands-on, serial, deliberate griefing of me and my tenants -- because of merely legitimate criticism of this crashy, dodgy, overhyped opensource kasha.

You wouldn't necessarily know if passwords were stolen "by now". And there's lots that could be in store that you can't know.

The devs routinely lie about their viewer, claiming that half the concurrency, i.e. 30,000 are using it, figures the Lindens cannot back up.

They routinely bully and harass even mild critics, which makes you wonder what on earth they have to hide that they need to do that.

If this were a normal operation, it would have nothing to hide, no need for some youthful alts, and no need to be disappearing for weeks from the People list after action by Linden against their accounts.

Do the math and stop spreading naive, gullible opensource boosterism in the belief that it helps create more free advertising and customer flows to you. Anything that harms one business in SL harms all.

And of course there's not only the swiping of content from others' projects without credit ("Hey, it's opensource! Wheeee!"), there's the lack of accountability for deliberately malicious viewers made off the same trunks.

Shye Kidd said...

"Peter, what's in it for YOU to flog dodgy opensource projects?"

- Maybe he likes the concepts, the product, or the team?

"The developers have anonymous accounts of only 30 or 60 days or even 1 day."

- painting with a broad brush, there, aren't you? I've known some on the team, in-world, in their current avatars as on the team, for over two years.

"You wouldn't necessarily know if passwords were stolen "by now"."

- Not necessarily, but most probably. Hard to keep wraps on such things for long.

"The[y] routinely bully and harass even mild critics which makes you wonder what on earth they have to hide that they need to do that."

- I've seen none of that. I see exuberance for their product. Excitement for their achievement. Nobody on the team has given me a hard time when I have told them what I find wrong in their viewer. They appreciate the feedback, and offer workarounds. Unless the criticism you speak of is the type of "criticism" you put forward here... in that case, harassment is met with harassment.

Sounds like you have an agenda. You post accusations against the Emerald team with a broad brush and nothing to back it up except hearsay and rumor, and you suggest that Peter has shady motives for posting on this in his blog.

Sorry... I rarely feel the need to post a response... It's one thing for you to have opinions, and even carry forth whatever agenda you may have - it's quite another to spout your own rumor and innuendo in libelous attacks.

For the record, I am not on the Emerald team, and Emerald is only one of a few viewers I use, routinely. I trust those I know on the team.

Greg said...

Hi, actually..
I've got to disappoint you, Prok. I know it's fun to try and shock people, but.. when it comes down to it, all the code in the viewer is good productive stuff and is a way for us to give back to the community. We have tons of developers.. I don't babysit them, nor do I harass people... but I can only imagine why some people harass you.

And yeah, those stats are accurate.. 'cept that it's up to around 38 thousand unique users daily now. So, I'm sorry if you don't like us making people happy with all this open source code, and I do apologize a little bit for how disorganized it is.. but we devs are really all having tons of fun with this. Can't please everyone, but it is an amazing feeling to know how many people you have helped out.

At everyone else: I've been trying really hard to get some documentation up recently. At least that will make it easier to point to where the "worn" tab and other features originated from, just please try to understand that it isn't very fun to do DX

Balp said...

It's funny how a function from Meerkat (I'm pretty sure that was the first viewer to spread the patches in the JIRA to export the stuff into XML) can make so much bad press for another group. One could think two people are out after something totally different. Of the developers in the sim here now, I have the youngest account, 965 days old today.

Usually a Google on my name gives up my RL info; my nickname is actually much better to find me by than my real name, as it's much more unique in the world.

Ari Blackthorne™ said...

Oh but you forgot: all the "aftermarket" viewers also steal your first-born children and starve people in third-world countries every time you log in to the grid with them.

Heh.

I like Emerald. I like Meerkat especially (but it has a long way to go) - I love the speed with which Kirsten's rezzes the grid. Hell, I even love the speed of Snowglobe.

...and Snowglobe has managed to avoid many of the current bugs in the current official release, some of which were (unfortunately) picked up in the aftermarket.

With that said, I keep Snowglobe close. Always there. Ready to fire that baby up in a second if I need to accomplish something Linden Lab has broken in the Official, and said bug has proliferated through the aftermarket.

Now if only Emerald would pick up on the Snowglobe rendering engine and Kirsten's pick up on some of the handy-dandy back-up features of Emerald and... and...

Aw, the heck with it. I'm going to the Electric Sheep CSI viewer.

:P

Anonymous said...

Shye ... don't feed the troll!

It's so funny you wrote this Peter ... I've found that Emerald seems to require me to login twice and I've always wondered if that was some kind of password-stealing process that's latched onto the program but I get silly paranoid sometimes.

Peter Stindberg said...

The double login happens if you switch "Remember resident name" OFF. It seems to be some sort of bug (I was too lazy to report it yet). If you leave that setting on the default (ON), a single login suffices.

Anonymous said...

I don't know Peter ... I just tried twice to log in without doing anything but typing in my password and it failed even though I typed it right. It also doesn't seem to want to retain my disabling of Voice Chat, too.

Balp said...

Sounds like some strange files in your Second Life directory. I guess you're not on Linux, so I have no clue how that is saved or protected.