Discussing security breaches on the Kitely forums

[Constance Peregrine]

In the last few days we had a thread in the forums (which has since been deleted) that included a technical discussion about an OpenSim and Second Life content protection loophole that can be used to copy some types of content without the owner's permission. The user-provided information included instructions for how to use this loophole to demonstrate the problem and was very informative to people who didn't know how copybots work.

Following the discussion in that thread many people contacted us with one of two types of messages:

1) "Good for you for allowing free flow of information, merchants should know about vulnerabilities in order to take them into consideration when they sell content".

2) "Please remove this how-to steal thread from your forums, it makes you look like you're endorsing copyright violations".

This is where our personal beliefs about the subject of Security Through Obscurity (see: http://en.wikipedia.org/wiki/Security_through_obscurity) collide with our goal of helping protect content creators. We believe people should be educated about security breaches that can affect them. Hiding flaws makes sure that only the bad guys who will take advantage of these flaws will know they exist and honest people will be left unaware of the potential problems. However, by allowing exploit instructions to remain on our forums, we may increase the number of people who take advantage of existing design flaws in Second Life and OpenSim-based grids to illegally copy content from people. That can also, in some jurisdictions, create various legal liabilities for us.

After much thought and multiple PMs and emails with the various people who approached us we decided to henceforth mandate that how-to instructions for taking advantage of bugs and design flaws in Kitely and third-party software will not be permitted on our forums. Even though it is very easy to find this information on third-party sites, our new policy also prohibits linking to such instructions on third-party sites.

If you believe you encountered a security breach then please contact us via private message or email so we'll have a chance to address it, if it can be addressed, without alerting would-be ill-doers to the existence of a loophole they might not already be aware of.

[Constance Peregrine]

As I think I read this, this is what "some" hackers believe when they find ways to hack into systems, that by exposing them this helps to get rid of them.

That said, I am a believer in transparency in all things. And reading that article I can see your quandary.

For every security measure their is a way that can be found to hack it....I think the idea with most any software is to try and minimize this.

As that article references in this regard:

A variant of the basic approach is to rely on the properties (including whatever vulnerabilities might be present) of a product which is not widely adopted, thus lowering the prominence of those vulnerabilities (should they become known) against random or even automated attacks. This approach has a variety of names, "minority"[6] being the most common. Others are "rarity",[7] "unpopularity",[8] "scarcity", and "lack of interest".

Lack of interest is why most sites on the net are not attacked by way of DDOS...

In any case, whatever you folx decide is fine by me.

[Sierra Jakob]

I do think it is wonderful how transparent Kitely is being about the process. That helps us all to make informed decisions. Ilan has answered our questions with such clarity and calm. Oren and Ilan are obviously very well informed and I'm grateful to be learning from them.

It is clear by the conversations we've all been having over the past few days that allowing items to be exported means more than just additional buyers. There are risks as well. I fully support discussions about how those risks may affect each of us, and how we can make the wisest decisions. I thank Ilan and Oren for providing a place where we can have such discussions. I think Ilan has made it clear now that when a user exports assets in an OAR, they have full access to ALL the assets. That is what we all need to know and consider before we decide to make our items exportable.

For example, at this point, my current thinking is that I will never make an item exportable if I have used any asset which I purchased with the license agreement that I not give the asset in a re-usable form to anyone. So basically, the only exports you will see from me are those things that I made from scratch on my own, or have employed free open-for-use-by-everyone assets.

I cannot support the posting of explicit instructions on how to raid and steal the creations and work of other people. Risking sudden widespread theft or the panic of creators and honest merchants, only risks the Sim economies. Surely there are other methods to create change in a more orderly fashion. Posting such explicit instructions in the Kitely is inappropriate and puts Kitely in a difficult position. Ilan and Oren deserve better from us all.

[Dundridge Dreadlow]

Thank you Ilan and Oren.

[Ada Radius]

I'm in the other camp - I don't think it's fair nor ethical for some programmers, and all of the thieves, to have this information. I think that all creators of sounds, animations, and textures should know that the UUID's for any of these assets, no matter who owns it or what the perms are on it, are very easy for others to find and bring inworld. No copybot required. Along with the reasons why the grid devs can't fix this without breaking the whole system. I think this information should be in the TOS and included with whatever ad copy any grid posts about their copy protections. Don't tell us we're protected when we're not, and tell it in such a way that a nonprogrammer will understand it. We creators should not even be surprised when our artwork gets ripped off, we should have a game plan for it. We need to know the risks, all of them, before we pick up our virtual pencils. The news isn't 100% bad - there are ways to construct some kinds of textures (the ones with alpha channels, for example), so that even with the UUID, an ordinary thief wouldn't get enough to recreate it. But without the critical information on how these thefts occur, texture artists won't be able to plan around it.
Ada

[Constance Peregrine]

I'm in the other camp - I don't think it's fair nor ethical for some programmers, and all of the thieves, to have this information. I think that all creators of sounds, animations, and textures should know that the UUID's for any of these assets, no matter who owns it or what the perms are on it, are very easy for others to find and bring inworld. No copybot required. Along with the reasons why the grid devs can't fix this without breaking the whole system. I think this information should be in the TOS and included with whatever ad copy any grid posts about their copy protections. Don't tell us we're protected when we're not, and tell it in such a way that a nonprogrammer will understand it. We creators should not even be surprised when our artwork gets ripped off, we should have a game plan for it. We need to know the risks, all of them, before we pick up our virtual pencils. The news isn't 100% bad - there are ways to construct some kinds of textures (the ones with alpha channels, for example), so that even with the UUID, an ordinary thief wouldn't get enough to recreate it. But without the critical information on how these thefts occur, texture artists won't be able to plan around it.
Ada

I do agree with parts of this.

Forewarned is forearmed, it has been said....

And the fact of the matter is that all grids have copybot issues, with a history as long as the decade or so they have been around.

All software has had hacking issues since the first code was written-))

OARs ability in Kitely is a paradigm changer, however...I personally think it is wonderful they do them here and I would likely not be around if they didn't...but it does come with issues, mostly to do with educating people.

[Dundridge Dreadlow]

Knowing the back door is open at number 14 if you climb over the gate is a completely different thing to informing the world about it complete with directions instead of telling the owners. Knowing someone CAN climb over the gate is different to putting up a stepladder with a sign saying the door is unlocked.

A normal person would see a fence with a gate, and think meh, and not bother to climb in, even if everyone knows someone CAN climb over.

There is no reason to make it easy.

[Sierra Jakob]

I'm in the other camp - I don't think it's fair nor ethical for some programmers, and all of the thieves, to have this information. I think that all creators of sounds, animations, and textures should know that the UUID's for any of these assets, no matter who owns it or what the perms are on it, are very easy for others to find and bring inworld. No copybot required. Along with the reasons why the grid devs can't fix this without breaking the whole system. I think this information should be in the TOS and included with whatever ad copy any grid posts about their copy protections. Don't tell us we're protected when we're not, and tell it in such a way that a nonprogrammer will understand it. We creators should not even be surprised when our artwork gets ripped off, we should have a game plan for it. We need to know the risks, all of them, before we pick up our virtual pencils. The news isn't 100% bad - there are ways to construct some kinds of textures (the ones with alpha channels, for example), so that even with the UUID, an ordinary thief wouldn't get enough to recreate it. But without the critical information on how these thefts occur, texture artists won't be able to plan around it.
Ada

As far as I can tell, Ada, we are in the same camp. I completely agree with you that accurate knowledge is key to making good decisions for creators and merchants. I am grateful that the knowledge about textures in particular was shared. However, I do think that passing out the key, a map, and an invitation to thieves is nonproductive.

[Constance Peregrine]

did somebody say map???

[Olivia Lothiriel]

In the last few days we had a thread in the forums (which has since been deleted) that included a technical discussion about an OpenSim and Second Life content protection loophole that can be used to copy some types of content without the owner's permission. The user-provided information included instructions for how to use this loophole to demonstrate the problem and was very informative to people who didn't know how copybots work.

Following the discussion in that thread many people contacted us with one of two types of messages:

1) "Good for you for allowing free flow of information, merchants should know about vulnerabilities in order to take them into consideration when they sell content".

2) "Please remove this how-to steal thread from your forums, it makes you look like you're endorsing copyright violations".

This is where our personal beliefs about the subject of Security Through Obscurity (see: http://en.wikipedia.org/wiki/Security_through_obscurity) collide with our goal of helping protect content creators. We believe people should be educated about security breaches that can affect them. Hiding flaws makes sure that only the bad guys who will take advantage of these flaws will know they exist and honest people will be left unaware of the potential problems. However, by allowing exploit instructions to remain on our forums, we may increase the number of people who take advantage of existing design flaws in Second Life and OpenSim-based grids to illegally copy content from people. That can also, in some jurisdictions, create various legal liabilities for us.

After much thought and multiple PMs and emails with the various people who approached us we decided to henceforth mandate that how-to instructions for taking advantage of bugs and design flaws in Kitely and third-party software will not be permitted on our forums. Even though it is very easy to find this information on third-party sites, our new policy also prohibits linking to such instructions on third-party sites.

If you believe you encountered a security breach then please contact us via private message or email so we'll have a chance to address it, if it can be addressed, without alerting would-be ill-doers to the existence of a loophole they might not already be aware of.

Great way to handle this thank you, I had been unaware of this but find comfort knowing it was looked at in all angles keep up the good work team kitely
your pal olivia