Op/Ed: Why Releasing Server Code is A Terrible Idea

by Alphaville Herald on 05/03/08 at 7:08 am

by d3adlyc0d3c, ex-griefer

For a while now, rumors have been circulating that Linden Labs has been considering open sourcing their server/grid code, a welcome idea for many. While some residents see this as an opportunity for freedom, to break away from the ‘establishment’, I see this very differently.

Releasing the server code will deliver a final blow to the in-world economy. It will lead to certain individuals finding even more ways to circumvent the digital rights management and permissions system, including stealing scripts – something residents have not had to worry about for the most part.

Individuals could log conversations of enemies that are connected to their server and use this information against them. This is a grave threat to privacy and security across the metaverse.

Had it not been for the fact that the client code was released, I would never have found the security holes that I found shortly after leaving the PN. I fear that many people will find similar holes, some of even greater magnitude, if the server code is made public.

Open source is NOT the way to go if you’re running a business for profit. Open sourcing LL’s servers will result in malicious individuals all over Second Life devising new methods to DDoS the grid and wreak havoc on a whole new level. I ask that residents who share my views contact every Linden they can and make it clear what this means.

2007 has been the worst year SL has ever seen. Content theft is rampant; this past year ushered in a griefing problem of greater magnitude than we have ever seen before (which I, regrettably, contributed to), problems with the asset servers, etc., etc.

Let’s make 2008 a better year by keeping the server code where it belongs – in the hands of LL. There is just too steep a price to pay, even if LL misses the opportunity to fix some bugs sooner because they were unable to collaborate with other developers. It would be well worth it for us to suffer longer compared to the disasters that will befall us if this code is released.

Mark my words, SL will wither and die if the server code is made available to the masses. It may not happen immediately, but guaranteed, it WILL happen.

88 Responses to “Op/Ed: Why Releasing Server Code is A Terrible Idea”

  1. d3adlyc0d3c

    Mar 6th, 2008

    ‘Anyone can break linden labs codes’

    Yeah well then use proper terminology instead of exposing your ignorance by using phrases like the above. Anyone that can ‘break codes’, as you put it, wouldn’t say it like they didn’t know what they were talking about. No one with brains calls it breaking codes.

    Let’s not forget that up until I left PN, people inside and outside were calling me the ‘PN Wonderkid’ and anti griefer groups said I was the ‘last remaining threat in the PN’ among many other things. If you don’t want to look like an idiot then don’t sit there and try and pretend that it was any different. I was the best and the people that claim otherwise now that I left were the very people saying it before, but we all know that. Honestly, what’s so good about being the best griefer anyway? It’s the same thing as being the biggest asshole, which is what most of you are. I decided I don’t want to be an asshole anymore. I may be opinionated and I may still be arrogant but I don’t bother anyone and I have peace of mind. What do you have?

  2. Marc Woebegone

    Mar 6th, 2008

    yep, as suspected, another spam article…. even Profky couldn’t get her thoughts together, lol, having to post three thoughts in three separate postings in three separate sentences three minutes apart…. i guess her kaopectate hadn’t kicked in yet….

  3. Whatever

    Mar 6th, 2008

    I’m still not Intlibber, but you’re welcome to believe I am.

    What’s your claim to fame again? Shoopedlife? And you’re boasting about what a l33t hax0r you are? Show me where ANYONE called you the “PN wonderkid”. Show me where “Philip Linden himself had issued an edict” against you personally. Kid, you’re no Plastic Duck.

    You write an article that shows you know nothing about commercial software development and open source. Then you get pissed when people call you on it and start puffing yourself up to deflect the criticism. You are laughably wrong and making yourself look like the self-important script-kiddie that you are.

  4. Gareth Nelson

    Mar 6th, 2008

    “Also building a grid doesn’t make you a ‘leet haxxor’. When you can code your own then you can come here and brag.”
    http://opensimulator.org/cgi-bin/viewcvs.cgi/branches/gareth/ogs/?rev=24
    http://shell.garethnelson.com/coolstuff/2000x2000grid.pdf
    First ever 2-sim grid: http://shell.garethnelson.com/coolstuff/opensim-border.jpg
    Design for automatic sim registration: http://shell.garethnelson.com/coolstuff/zomg_automatic_grid.pdf

    Next generation protocol (partially implemented): http://shell.garethnelson.com/coolstuff/gmmp.txt
    New client-side scripting: http://shell.garethnelson.com/coolstuff/sl_python.png

    Please also don’t try to condense “smashing the stack for fun and profit” into a paragraph. It’s patronising and makes you look even more silly.

    d3adlyc0d3c – what have you *created*? We all know what you’ve destroyed

  5. Ric Mollor

    Mar 6th, 2008

    It seems as if LL is slowly getting backed into a corner where they will have to either consider licensing the server code to others or open sourcing it. A few of the more obvious reasons are:

    1. The competition is coming and they are getting better and better. At the moment no single project offers *ALL* of the functionality of Second Life, but a complete copy of SL’s feature set isn’t required to lure users away. SL is competing with all other forms of entertainment for users’ time.

    2. As the competition grows stronger LL will have to rely more on the differentiating factors between SL and its competitors. Right now that’s primarily user generated, scripted attachments and items. Does Linden Labs really want SL to become known primarily as a platform for avatar sexual activity? Currently things are moving in that direction.

    3. The SL economy is in a freefall with no bottom in sight. Even if every exploit was fixed today, enough free items currently exist that one can ‘play’ SL without any need to pump money into the economy. As more people try SL there will certainly be more users that decide to create, then donate the items to the community good.

    4. There seems to be no system in place to enforce patented ideas within synthetic worlds. Even if one creates the greatest ‘must have’ item and content theft is non-existent, there is no protection from another creating a ‘work-alike’ item and giving it away for free. It may be possible to patent virtual creations but that is largely uncharted waters at the moment.

    5. Though the OpenSim project currently only replicates a subset of LL’s server code, the viewer enhancements from the RealXtend team go far beyond what LL offers. As (and if) these projects catch the interest of more OSS programmers it will become increasingly difficult for Linden Labs to compete.

    6. Though Linden Labs’ intention is for Second Life to operate under the protections of a ‘common carrier’ service, that status has not been fully explored and may change at any time. There are *plenty* of things that occur within SL that may bring legal actions, and Linden Labs may open up the server as a tactic to make the common carrier defense stronger.

    Linden Labs is going to have to do *something* relatively soon as the hype bubble has burst and SL is losing its luster. As always, their actions will be entertaining since they seem to have no concept of creating rapport with their customer base.

  6. Razrcut Brooks

    Mar 6th, 2008

    @ youvebeen framed : youvebeen busted .
    @ RoFLKOPTr and dandellion Kimban : The world applauds. You have researched the word “argumentation” and posted your findings on the SLH. Wow. Thank you so much for educating us with your tireless work.

    Now, please dissect Prokofy Neva’s comment (the funniest comment on this thread, I might add!): ”d3adlyc0d3c is a Linden Lab double agent who was caught, bribed, blackmailed, and turned, and is now being exploited to drop propagandistic ideas and disinformation into the minds of the masses through its agitprop megaphone, the Second Life Herald.”

    There has to be at least 2 or 3 invented words in that sentence!

  7. anon

    Mar 6th, 2008

    Christ, first I take off and you find some ham-handed rationale about Angel Fluffy substantiated on another furry’s testimony and only now grudgingly accept that it was bullshit, then you berate codec for finding PN boring and taking off? Has it become that much of a cult of personality where you have to stay forever in the group or be seen as some sort of e-traitor? PN is not North Korea and N3X15 is not Kim Jong-Il. You don’t need to shoot the people running across the border and take away their radios. Stop it.

    I’m not going to claim I think it was cool for codec to disclose exploits to the Lindens because that would be a lie and I could possibly see the reasoning for thinking it was “selling out”, but PN would have been dead had he not come up with some of the stuff he did. Not in the “let’s go our separate ways” sort of dead but the “you guys aren’t doing anything funny anymore and you need to figure out some other way to do it or we’re done here” way. This doesn’t give him a free pass, but it does mean you give him the benefit of the doubt. Stop bitching and claiming you’re hackers too: *chan is essentially based on self-effacing humor and you damn well know you’re not hackers (even N3X15 who admitted he can’t do C++). PN was not created as “settle down, join LL’s ways of virtual world” but there is a reason both we had Fort Longcat and W-HAT has their Baku sim and island. It isn’t a place to “own furfags”, it’s a place to poke fun at them because they are what they are. You don’t need to do much to SL to point out how absolutely insane most of it is – I toured a couple sims with Anal_Joy a few weeks back and just walked around laughing at the various weird shit scattered over the mainland. Codec seems to be doing that in his own way by experimenting with CopyBot, etc, so don’t go claiming the moral high ground.

    In summary, “RoFLKOPTr”: his e-articles aren’t going to change anything for PN, he doesn’t have an inflated view of himself (anything more than is warranted), and you are not a super-hacker. In my PN you would have been permabanned as soon as you said “lulz” in a serious manner (that’s the stupidest word ever), but I guess times have changed.

  8. youvebeen framed

    Mar 6th, 2008

    Oh no, you can check my IP! Wow, that’s really news to me.

    And yes I do think the Herald is often useless and am happy to tell others when it is! After all, isn’t that the point of this message board? I thought you get off on that!

    You still haven’t explained why you ripped their story off.

  9. hurr durrr

    Mar 6th, 2008

  10. Inich Deerhunter

    Mar 6th, 2008

    Cool u no? Wat he tink juss odd n he trying to devise us.

  11. I'm confused

    Mar 6th, 2008

    I have a serious question.

    OpenGrid and OpenSim are not the same, I read above in the comments; what may be the difference?

    I have seen a friend fool around with a sim he had on his own computer without being connected to SL or even the internet. I don’t know if that was OpenSim or OpenGrid or something completely different?

    He didn’t have any inventory, and this is what I am most curious about. He told me that was because he wasn’t connected to LL’s inventory server…

    If it will become possible to run our own sims on our own computers, and invite people over to our sims, will we then be connected to the LL servers for our inventory? Or would we have to copy the inventory to our harddrive to be able to use anything from it on our local sims? And would others need that information too in that case, or do they access a local inventory at the computer the sim is running on?

    Cause it seems to me, that if everyone you invite to your sim is ruthed, and you have to make everything from scratch, it’s not really worth it, is it?

  12. d3adlyc0d3c

    Mar 6th, 2008

    @Gareth Nelson

    I couldn’t tell you anything about what I have created – aside from most PN weapons and the client I modified – without revealing too much about myself. Since there are still a half dozen butthurt retards such as yourself obsessed with me, that’s just not an option.
    LOL @ self proclaimed retard who thinks he’s a hacker.

    PS: Smashing the stack for fun and profit is a bunch of tl;dr for anyone reading the comments who isn’t interested in that kind of thing plus I was at work when I wrote that and didn’t have time to elaborate more, not that it matters.

    @intlibber

    ‘I’m still not Intlibber, but you’re welcome to believe I am.’

    Yes, you are. Give it up.

    ‘What’s your claim to fame again? Shoopedlife?’

    lmao, firstly I didn’t develop shoopedlife. I modified it later on to exploit some vulnerabilities in LL’s servers.

    ‘Show me where ANYONE called you the “PN wonderkid”. Show me where “Philip Linden himself had issued an edict” against you personally.’

    I don’t need to; those are well-known facts. If you don’t know them then you should ‘lurk moar’, as they say. Of course I’m not Plastic Duck. I’m d3adlyc0d3c, so get it right.

    ‘You write an article that shows you know nothing about commercial software development and open source.’

    Oh yeah because your opinion is right….because you say so?
    Don’t like it? Don’t read it.

    ‘Then you get pissed when people call you on it and start puffing yourself up to deflect the criticism. You are laughably wrong and making yourself look like the self-important script-kiddie that you are.’

    I never puffed myself up at all; I stated facts. They are verifiable facts. Do your own research because I have neither the time nor the patience to do it for you – you aren’t that important. All I know is that for me being a ‘self important script kiddie’ you’ve been butthurt at me for months and stalking me all over the Herald. I bet it really pisses you off knowing that after everything that happened I’m still around and doing well. When am I going to pay for the crap I did? Maybe in the next life, int, but for now I’ll just lol at your frequent attempts to troll me and fire right back.

  13. Razrcut Brooks

    Mar 7th, 2008

    @ I’m confused : Do not feel bad as I am also confused as well. Will we be able to communicate with our friends on LL servers? Will we have access to SEARCH?
    It would seem that for it to run seamlessly, our inventory would have to be saved in our client versus LL’s servers. I imagine that if and when private grids become more mainstream, they will be populated mostly by new users. Us oldbies will more than likely tend to stick to LL servers and sims until one can transition smoothly between the new “worlds”. Whatever happens, I find this interesting and get the impression we are in the infancy stages of something we cannot imagine yet. Future grids could be so commonplace with internet users that they might make SL look like the Commodore 64 compared to what we could see. Eventually, there will be a standard interface that comes pre-installed on PCs once a winner emerges in the future.
    I agree 100% with d3adlyc0d3c that releasing the server code is dangerous. But, maybe this dangerous step is inevitable. Maybe this step will encourage their code to become more mainstream, the future standard. LL could become the Microsoft of virtual worlds by encouraging users to create platforms that mesh with theirs. We, the current users, could suffer short-term, but in the grand scheme of things, our sacrifice may allow the emergence of internet socializing, entertainment and research in a manner we cannot wrap our minds around right now. “Surfing” the net will become…literal.

  14. whisper2u

    Mar 7th, 2008

    Inich, OpenSim is the simulator software in question. When you first begin to set it up and use it, your mission is to get 1 single sim working on your home server first. Once you progress to having 1 sim working, then you can move on to learning how to set up your own home “grid”, which is a collection of sims that border each other. I have had a 5×5 square group of 25 sims running on 1 computer in about 1.5 gigs of RAM in test mode for about a year now and the sim software is getting better and better every day; it’s up from version .3 to version .5 now. Once you have your own home grid running flawlessly (grin) you can then, if you want to, connect your home Grid to a much larger external grid, which is a collection of Grids from other people doing the same thing you are doing. There are some mostly free open public grids forming out there with names like DEEP GRID, and OPEN GRID, and CENTRAL GRID; however Central Grid charges money.

    When you decide to throw in with a Public Grid, you must then turn your home sims’ asset server functions over to the Public Grid to which you will attach. That will allow your planes, trains and automobiles to follow you as you troop around the other sims, and it will allow other people to bring their junk into your sims.

    And it represents the final problem with OpenSim, and the general SL setup in general: How To Virtualize the Asset Servers so that we get rid of the need to turn your asset functions over to a Central Asset Server when you join a Public Grid. That is one nasty bottleneck that is left when all the other server functions are spread out through the 1000 sims. It’s being worked on I think. Soon communal inventory like scripts and textures will be flushed into the various sims and updated regularly, and your personal inventory will follow you across sim borders just like your vehicles do, faithfully materializing on the other side intact every time :)

    Can you smell the fresh air coming out of there? It smells like Breakfast! I’m going down in there now… byeeeeeeeee

  15. Witness X

    Mar 7th, 2008

    Just a pathetic attempt to cover his ass by pretending to switch sides – “oh noes, you mean the crap I was doing wuz ILLEGALZ?? PLEAZ DOn’ TAZ ME!”

  16. Near

    Mar 7th, 2008

    “In my PN you would have been permabanned as soon as you said “lulz” in a serious manner (that’s the stupidest word ever), but I guess times have changed.”

    I think the door hit your ass on the way out, because the only thing I’m hearing is BAWWWWWWWWWWWWWW.

  17. Greefin Oh

    Mar 7th, 2008

    Well if and when SL dies, there’s a new/old game in town. EA Land. I haven’t seen any furries yet. But I did make a Nigra just for kicks.

  18. d3adlyc0d3c

    Mar 7th, 2008

    ‘I agree 100% with d3adlyc0d3c that releasing the server code is dangerous. But, maybe this dangerous step is inevitable. Maybe this step will encourage their code to become more mainstream, the future standard. LL could become the Microsoft of virtual worlds by encouraging users to create platforms that mesh with theirs. We, the current users, could suffer short-term, but in the grand scheme of things, our sacrifice may allow the emergence of internet socializing, entertainment and research in a manner we cannot wrap our minds around right now. “Surfing” the net will become…literal.’

    Those are some very valid points and I hadn’t considered that releasing the code WOULD likely eventually make LL the Microsoft of virtual worlds. I sincerely hope that it turns out that way.

  19. Gareth Nelson

    Mar 7th, 2008

    d3adlyc0d3c – I didn’t actually know who you are until reading this article. So much for being “obsessed” with you.

    The fact you can’t show what productive things you have done because it’d reveal too much about you shows what is fairly obvious: you’re a wimp, hiding behind your l33t-speak name. You then post this story with the title “ex-griefer” and expect everyone to respect you for some reason. If you have achieved anything of value which you are hiding in order to protect your identity then it doesn’t matter – under the name of d3adlyc0d3c you have nothing to show but childish vandalism. Coding a virus and building a bot army takes skill, that does not make it worthy of respect.

  20. dandellion Kimban

    Mar 7th, 2008

    deadly… if in any case you could speak any language other than English, your language skills would be enough to “decipher”. Communication is a skill that you might need to work on.
    When I told you that you are making fun of yourself, I didn’t mention the FBI. I told you that you are acting like a kid that wants to show up with something “underground” it has done. If you do it underground, then it stays underground. Or do you really expect that anybody will be impressed with the things you say you’ve done? C’mon, grow up.

    roflkoptr, I know what I am talking about, but this has gone from serious talk long ago. As always with the Herald. We know that the Herald doesn’t mind if the discussion is intelligent as long as pageviews roll.

  21. Gareth Nelson

    Mar 7th, 2008

    To clarify btw, the virus comment is an example rather than an accusation. I don’t know whether d3adlyc0d3c has coded any viruses but I doubt it. I was simply showing an activity that takes skill but still amounts to mere vandalism.

  22. Gando

    Mar 7th, 2008

    “Open source is NOT the way to go if you’re are running a business for profit.”

    “Ok you miss the point, those companies didn’t create that software. How much did the company that created it make off of it? Smartass. Thats my point. ”

    The news of 2007 and 2008 proves your point moot. Many companies release their software and many companies contribute to or fund open source and make truckloads of money. Google is a great example, but there are other large and small companies like IBM, Intel, Sun, MySQL, JBoss, rPath, MontaVista, Oracle, Red Hat… Open source isn’t done just by geeks as a hobby and there is a lot of money to be made with it. One should expect that people who provide web services also contribute back to the LAMP code they use; that way their patches are included in the future updates of the great products they leverage.

    Right now it’s unknown how many exploits are out there for any closed source software. Opening up software gives greater potential for non-griefers (hacker) to find and patch exploits and potential exploits.

    When an exploit is found and abused, the open source community will patch it much faster than most companies can.

    -G

  23. RoFLKOPTr

    Mar 7th, 2008

    @d3adlyc0d3c:

    It’s not called “research”… it’s called “Google”… and, to tell you the truth, I had never heard the word “argumentation”, nor had I bothered to read dandellion’s comment until your comment bashing him, lol. Even with leaving the PN, you’re never going to rebuild your reputation. You’re still the same dick/asshole you’ve always been… except you’re no longer focusing it upon the faggots, since you’ve become one yourself.

  24. Whatever

    Mar 7th, 2008

    “Oh yeah because your opinion is right….because you say so?”

    Why, yes, that is why I’m right.

    Is that the best rebuttal you can formulate? You’re completely clueless and I wasn’t the only one to tell you. That article cost you any rep you thought you had as a coder.

  25. d3adlyc0d3c

    Mar 8th, 2008

    @Whatever
    Oh yes because a handful of butthurt idiots posted that cost me my rep. Grow up.

    @Gareth Nelson

    ‘you’re a wimp, hiding behind your l33t-speak name’

    Yeah okay, just like you’re butthurt. Please go fap some more while you think up ‘new and creative’ ways to insult me, retard.

    It’s not worth arguing with a self proclaimed retard.

    Unfortunately neither of you speak for everyone which is what makes you so hilarious. Speaking of self important…..

  26. Whatever

    Mar 8th, 2008

    I count two uses of “butthurt” and “retard”, but still no rebuttal to any of the points people made about how wrong you are on open source. Waiting…

  27. [T]he[E]nd[I]s[N]ear

    Mar 9th, 2008

    @ pixeleen mistral

    Lurk moar you stupid fagot, i think it’s funny how you go on bragging the same as deadly has for the past 10 posts. You guys actually think you are something? Then prove it.

    @ Deadly

    I admit, you made some great stuff for PN, but you know, it isn’t all that great any more. You may think you’re the bad ass great scripter, programmer, hacker, whatever you call yourself. You’re no threat, deadly, like everyone says. You’re a pussy hiding behind a PC wanting some furry e-cock and e-money for the so called “great” scripting you do.

    Fuck that-

    both you guys
    LURK MOAR

    Caps= cruise control for cool!

  28. Gareth Nelson

    Mar 9th, 2008

    He also hasn’t got a rebuttal for how he’s a wimp.

  29. Hazim Gazov

    May 11th, 2008

    OpenSim is backed and pretty much run by LL behind the scenes. The source code is already out and there is no way to stop it, sorry toots.

  30. Hazim Gazov

    May 11th, 2008

    >d3adlyc0d3c is a Linden Lab double agent who was caught, bribed, blackmailed, and turned, and is now being exploited to drop propagandistic ideas and disinformation into the minds of the masses through its agitprop megaphone, the Second Life Herald.

    Don’t worry folks. One thing that *won’t* change once the server code is opened is Prokofy Neva’s ability to pull a conspiracy / leninism / bolshevism / racism theory out of her ass about any situation whatsoever.

  31. Hazim Gazov

    May 11th, 2008

    a side note to gareth, d34dl7c0ck, and whatever other fools are posting in this.

    Internet. arguing. special olympics. serious business. stop feeding the troll.

  32. Witness X

    May 11th, 2008

    Actually, I think he hasn’t responded because he can’t. Something’s happened.

  33. Hazim Gazov

    May 12th, 2008

    I can see it in the headlines: Prokofy Neva finally loses it, goes postal on fellow special olympics participant d3adlyc0d3c.

  34. deadlycodec

    Apr 18th, 2009

    Actually I do have a rebuttal, I just had difficulty communicating it for awhile. The discussion came up again today and after some careful thought I was able to articulate exactly why I still believe OSS is shit.

    Here ya go:
    Do you think OSS is more secure or less so? I know the general consensus is that OSS is more secure, but the problem is that people are using a comparison of the Linux and Windows operating systems to illustrate the point, which is totally invalid. There are at least several times more computers running Windows operating systems than there are running Linux in the world. There are at least hundreds of times more applications for Windows. The result is that of course there are more security problems for Windows and Windows applications. People also forget that the majority of exploits being used to compromise computers are not in actuality exploiting the operating system, but they are exploiting common software on operating systems that was developed completely independently by totally different and unrelated organizations. To see what I mean, check out http://www.milw0rm.com. Based on that assessment it seems that while both OSS and ‘security by obscurity’ are not foolproof, it would appear that it is easier for people to find buffer overflows or other vulns in open source software as opposed to software that is not. On the other hand, OSS makes it easier for collaboration, but in the end, many people who find exploits are going to submit them in hopes of recognition whether they find them in OSS or otherwise. They’ll also submit lesser bugs like that too, and it’s not incredibly difficult for a dev to fix a bug once it is identified, so I think in some respects OSS as a means for collaboration is overrated and thus it can be concluded that it is in actuality NOT superior, but inferior.

    I’d like to hear another rebuttal from you though, Gareth, since you know, you’re the open source expert on here or something apparently. I’m willing to bet it’ll be something more along the lines of ‘duuurrr it took you ages to respond stupid’ or something equally irrelevant.

    “Don’t worry folks. One thing that *won’t* change once the server code is opened is Prokofy Neva’s ability to pull a conspiracy / leninism / bolshevism / racism theory out of her ass about any situation whatsoever”

    True dat. Another thing that won’t change is your butthurt at me for outperforming you. Cry moar?

  35. deadlycodec

    Apr 18th, 2009

    I think that in the end, a lot of you are confused about WHY the open source versus closed source argument exists in the first place. OSS is a valuable learning tool because it has been shown that learning by example is the best way to learn, especially when it comes to programming. This whole ‘information should be free’ line of thinking doesn’t really apply to software developed for profit since obviously businesses don’t really want people to learn from their innovation since that results in more competition and more competition results in less profit.

    Basically at some point someone somewhere assumed that the whole argument was relevant to security and then the rest of you conformists jumped on the bandwagon without really taking everything into account.

  36. deadlycodec

    Apr 19th, 2009

    The Firefox versus Internet Explorer argument is the same. FF is less common than IE and thus fewer people are exploiting it. Even with the ‘benefits of collaboration’ the FF updates released in late 2008 and early 2009 made the software rather buggy and unstable compared to IE. Additionally, as Firefox has become more popular, as more and more people are catching on to the fact that it is more secure, it has in fact become less secure than it was before. When Firefox meets or exceeds the popularity of IE it will be known for being just as insecure if not more so.

    Additionally, when a given piece of software inevitably evolves (i.e. is updated), inevitably NEW exploits are inadvertently introduced. With OSS the danger is that if the problems are not discovered quickly by people with good intentions, it WILL be exploited by malicious individuals.

    In this case collaboration can be a bad thing since really anyone can contribute code that is less than optimal, potentially resulting in the introduction of even more vulnerabilities. This sort of thing would usually happen by accident but it is possible for a malicious person to develop improvements and deliberately ‘slip in’ code that he or she intends to exploit en masse later. Don’t underestimate the profitability for this line of thought when it comes to more common software. Malware is a booming business for spammers, identity thieves, and pay-per-install adware affiliates. Closed source software isn’t really prone to this.

    I think a perfect example is that I could devise improvements to the Second Life client in such a way that would allow me to later exploit the people that use it. I could even submit the patch anonymously and have it integrated with the new releases of the client available for download on Linden Lab’s own servers!!!

  37. deadlycodec

    Apr 19th, 2009

    The irony is that the very arguments that suggest that ‘security by obscurity’ is a sham actually prove that it isn’t!! The very thing that makes Firefox and Linux more secure than popular alternatives IS the fact that it is less common (aka more obscure).

    For example, there are numerous Linux distros including Redhat, Ubuntu, FreeBSD, SuSe, Debian, and Fedora just to name a few. A given exploit that affects software on one of them is exploited differently on the others if it can even be exploited at all. If tomorrow, magically debian linux became the universal standard for operating systems we’d see at least as many viruses, worms, and vulnerabilities in the software within the first year and the same people would be begging for windows. In fact, keeping extremely popular OSS secure would be damn near impossible since every fix and upgrade could potentially contain another vulnerability and the code is totally exposed to everyone! There have been exploits that affected windows that took quite some time for people to find because people weren’t able to simply download the source and look for shitty coding. Instead they had to search blindly or bruteforce bofs. I think the wmf exploit that widely affected windows xp sp1 and sp2 is a good example of this in action though I can’t be bothered to check and see how long it took people to find it.
