Discussing security breaches on the Kitely forums

Discussing security breaches on the Kitely forums

Post by Ilan Tochner »

In the last few days we had a thread in the forums (which has since been deleted) that included a technical discussion about an OpenSim and Second Life content protection loophole that can be used to copy some types of content without the owner's permission. The user-provided information included instructions for how to use this loophole to demonstrate the problem and was very informative to people who didn't know how copybots work.

Following the discussion in that thread many people contacted us with one of two types of messages:

1) "Good for you for allowing free flow of information, merchants should know about vulnerabilities in order to take them into consideration when they sell content".

2) "Please remove this how-to steal thread from your forums, it makes you look like you're endorsing copyright violations".

This is where our personal beliefs about the subject of Security Through Obscurity (see: http://en.wikipedia.org/wiki/Security_through_obscurity) collide with our goal of helping protect content creators. We believe people should be educated about security breaches that can affect them. Hiding flaws makes sure that only the bad guys who will take advantage of these flaws will know they exist and honest people will be left unaware of the potential problems. However, by allowing exploit instructions to remain on our forums, we may increase the number of people who take advantage of existing design flaws in Second Life and OpenSim-based grids to illegally copy content from people. That can also, in some jurisdictions, create various legal liabilities for us.

After much thought and multiple PMs and emails with the various people who approached us we decided to henceforth mandate that how-to instructions for taking advantage of bugs and design flaws in Kitely and third-party software will not be permitted on our forums. Even though it is very easy to find this information on third-party sites, our new policy also prohibits linking to such instructions on third-party sites.

If you believe you encountered a security breach then please contact us via private message or email so we'll have a chance to address it, if it can be addressed, without alerting would-be ill-doers to the existence of a loophole they might not already be aware of.

Re: Discussing security breaches on the Kitely forums

Post by Constance Peregrine »

As I think I read this, this is what "some" hackers believe when they find ways to hack into systems, that by exposing them this helps to get rid of them.

That said, I am a believer in transparency in all things. And reading that article I can see your quandary.

For every security measure there is a way that can be found to hack it....I think the idea with most any software is to try and minimize this.

As that article references in this regard:
A variant of the basic approach is to rely on the properties (including whatever vulnerabilities might be present) of a product which is not widely adopted, thus lowering the prominence of those vulnerabilities (should they become known) against random or even automated attacks. This approach has a variety of names, "minority" being the most common. Others are "rarity", "unpopularity", "scarcity", and "lack of interest".
Lack of interest is why most sites on the net are not attacked by way of DDOS...

In any case, whatever you folx decide is fine by me.
Laissez faire et laissez passer, le monde va de lui même!
My little sounds store https://www.kitely.com/market?store=2040306

Ephemeral wanderer...

Re: Discussing security breaches on the Kitely forums

Post by Sierra Jakob »

I do think it is wonderful how transparent Kitely is being about the process. That helps us all to make informed decisions. Ilan has answered our questions with such clarity and calm. Oren and Ilan are obviously very well informed and I'm grateful to be learning from them.

It is clear by the conversations we've all been having over the past few days that allowing items to be exported means more than just additional buyers. There are risks as well. I fully support discussions about how those risks may affect each of us, and how we can make the wisest decisions. I thank Ilan and Oren for providing a place where we can have such discussions. I think Ilan has made it clear now that when a user exports assets in an OAR, they have full access to ALL the assets. That is what we all need to know and consider before we decide to make our items exportable.

For example, at this point, my current thinking is that I will never make an item exportable if I have used any asset which I purchased with the license agreement that I not give the asset in a re-usable form to anyone. So basically, the only exports you will see from me are those things that I made from scratch on my own, or have employed free open-for-use-by-everyone assets.

I cannot support the posting of explicit instructions on how to raid and steal the creations and work of other people. Risking sudden widespread theft or the panic of creators and honest merchants only risks the Sim economies. Surely there are other methods to create change in a more orderly fashion. Posting such explicit instructions on the Kitely forums is inappropriate and puts Kitely in a difficult position. Ilan and Oren deserve better from us all.
Garden Castle - Market & Demo Info: http://www.kitely.com/market/product/42 ... ob-Designs

Re: Discussing security breaches on the Kitely forums

Post by Dundridge Dreadlow »

Thank you Ilan and Oren.
PS. Kitely is awesome.

Re: Discussing security breaches on the Kitely forums

Post by Ada Radius »

I'm in the other camp - I don't think it's fair nor ethical for some programmers, and all of the thieves, to have this information. I think that all creators of sounds, animations, and textures should know that the UUIDs for any of these assets, no matter who owns it or what the perms are on it, are very easy for others to find and bring inworld. No copybot required. Along with the reasons why the grid devs can't fix this without breaking the whole system. I think this information should be in the TOS and included with whatever ad copy any grid posts about their copy protections. Don't tell us we're protected when we're not, and tell it in such a way that a nonprogrammer will understand it. We creators should not even be surprised when our artwork gets ripped off; we should have a game plan for it. We need to know the risks, all of them, before we pick up our virtual pencils. The news isn't 100% bad - there are ways to construct some kinds of textures (the ones with alpha channels, for example) so that even with the UUID, an ordinary thief wouldn't get enough to recreate it. But without the critical information on how these thefts occur, texture artists won't be able to plan around it.
Ada

Re: Discussing security breaches on the Kitely forums

Post by Constance Peregrine »

Ada Radius wrote:
I'm in the other camp - I don't think it's fair nor ethical for some programmers, and all of the thieves, to have this information. I think that all creators of sounds, animations, and textures should know that the UUIDs for any of these assets, no matter who owns it or what the perms are on it, are very easy for others to find and bring inworld. No copybot required. Along with the reasons why the grid devs can't fix this without breaking the whole system. I think this information should be in the TOS and included with whatever ad copy any grid posts about their copy protections. Don't tell us we're protected when we're not, and tell it in such a way that a nonprogrammer will understand it. We creators should not even be surprised when our artwork gets ripped off; we should have a game plan for it. We need to know the risks, all of them, before we pick up our virtual pencils. The news isn't 100% bad - there are ways to construct some kinds of textures (the ones with alpha channels, for example) so that even with the UUID, an ordinary thief wouldn't get enough to recreate it. But without the critical information on how these thefts occur, texture artists won't be able to plan around it.
Ada
I do agree with parts of this.

Forewarned is forearmed, it has been said....

And the fact of the matter is that all grids have copybot issues, with a history as long as the decade or so they have been around.

All software has had hacking issues since the first code was written-))

OARs' ability in Kitely is a paradigm changer, however...I personally think it is wonderful they do them here and I would likely not be around if they didn't...but it does come with issues, mostly to do with educating people.

Re: Discussing security breaches on the Kitely forums

Post by Dundridge Dreadlow »

Knowing the back door is open at number 14 if you climb over the gate is a completely different thing to informing the world about it complete with directions instead of telling the owners. Knowing someone CAN climb over the gate is different to putting up a stepladder with a sign saying the door is unlocked.

A normal person would see a fence with a gate, and think meh, and not bother to climb in, even if everyone knows someone CAN climb over.

There is no reason to make it easy.

Re: Discussing security breaches on the Kitely forums

Post by Sierra Jakob »

Ada Radius wrote:
I'm in the other camp - I don't think it's fair nor ethical for some programmers, and all of the thieves, to have this information. I think that all creators of sounds, animations, and textures should know that the UUIDs for any of these assets, no matter who owns it or what the perms are on it, are very easy for others to find and bring inworld. No copybot required. Along with the reasons why the grid devs can't fix this without breaking the whole system. I think this information should be in the TOS and included with whatever ad copy any grid posts about their copy protections. Don't tell us we're protected when we're not, and tell it in such a way that a nonprogrammer will understand it. We creators should not even be surprised when our artwork gets ripped off; we should have a game plan for it. We need to know the risks, all of them, before we pick up our virtual pencils. The news isn't 100% bad - there are ways to construct some kinds of textures (the ones with alpha channels, for example) so that even with the UUID, an ordinary thief wouldn't get enough to recreate it. But without the critical information on how these thefts occur, texture artists won't be able to plan around it.
Ada
As far as I can tell, Ada, we are in the same camp. I completely agree with you that accurate knowledge is key to making good decisions for creators and merchants. I am grateful that the knowledge about textures in particular was shared. However, I do think that passing out the key, a map, and an invitation to thieves is nonproductive.

Re: Discussing security breaches on the Kitely forums

Post by Constance Peregrine »

did somebody say map???

Image

Re: Discussing security breaches on the Kitely forums

Post by Olivia Lothiriel »

Ilan Tochner wrote:
In the last few days we had a thread in the forums (which has since been deleted) that included a technical discussion about an OpenSim and Second Life content protection loophole that can be used to copy some types of content without the owner's permission. The user-provided information included instructions for how to use this loophole to demonstrate the problem and was very informative to people who didn't know how copybots work.

Following the discussion in that thread many people contacted us with one of two types of messages:

1) "Good for you for allowing free flow of information, merchants should know about vulnerabilities in order to take them into consideration when they sell content".

2) "Please remove this how-to steal thread from your forums, it makes you look like you're endorsing copyright violations".

This is where our personal beliefs about the subject of Security Through Obscurity (see: http://en.wikipedia.org/wiki/Security_through_obscurity) collide with our goal of helping protect content creators. We believe people should be educated about security breaches that can affect them. Hiding flaws makes sure that only the bad guys who will take advantage of these flaws will know they exist and honest people will be left unaware of the potential problems. However, by allowing exploit instructions to remain on our forums, we may increase the number of people who take advantage of existing design flaws in Second Life and OpenSim-based grids to illegally copy content from people. That can also, in some jurisdictions, create various legal liabilities for us.

After much thought and multiple PMs and emails with the various people who approached us we decided to henceforth mandate that how-to instructions for taking advantage of bugs and design flaws in Kitely and third-party software will not be permitted on our forums. Even though it is very easy to find this information on third-party sites, our new policy also prohibits linking to such instructions on third-party sites.

If you believe you encountered a security breach then please contact us via private message or email so we'll have a chance to address it, if it can be addressed, without alerting would-be ill-doers to the existence of a loophole they might not already be aware of.

Great way to handle this :P Thank you. I had been unaware of this, but find comfort knowing it was looked at from all angles. Keep up the good work, team Kitely :P
your pal olivia
“Fashions fade, style is eternal.”