It's been long since I posted here and due to current events I'd like to keep you updated.
Nothing much changed in regards to making new viewers. I am just logging on to SL once every few weeks and am spending all of my time on my business, where we are working on a major upgrade of the software which pays for my bread and butter. This is my main area of interest now, it is hugely satisfying work and won't change any time soon (we just started beta).
My older viewers still seem to work fine and I am really surprised to hear that people say that --despite all the Linden™ efforts in fixing crashes-- mine are still working better than theirs. Dunno if this is generally so or just in specific cases, but if the Lindens did not catch up by now, I don't know what they are doing wrong. But at least so far they kept their promise to keep their server changes compatible with older viewers.
However, it seems that yesterday Teh Laboratory has uncovered and fixed a security issue (click here for details) and made use of their latest viewer mandatory.
As far as I can tell now, there is no real issue for Nicholaz Editions. The requirement to update does not seem to affect 3rd party viewers (I was still able to log in today) and as long as you use my viewers to only log on to the Linden™ servers and trusted OpenSim sites, there is no danger (
I will check which changes they made to better understand the nature of the issue. If it seems necessary or if the Lindens really lock out my versions, I will try to stuff the hole for these (EyeCandy, Bleeding Edge, OldSchool ... in this order). But I think this will need to happen.
So, just take a deep breath and relax ... it may be merely a storm in a coffee mug (I know that the idiom calls for the tea cup, but I'm living on coffee for months now :-)).
Other than that, let me say thanks for your use of my viewers and for your comments and for the occasional donations. I am still glad to make your virtual lives better.
Also, if you are looking for newer builds (mono scripting etc.), make sure you check Henry's and BoyLane's CoolViewer (see links at the right side of this blog).
I'll keep you informed about the security thingy in the comments to this post.
Cheers
Nick
PS: Here are a couple of trademark signs ... if I forgot them, please insert them in the appropriate places: ™ ™ ™ ™ ™ ™ :-)
7 comments:
Hi Nicholaz, nice to hear from you again :)
It is true, your EyeCandy is still most stable viewer I have ever used, and I use it many hours each day :) It simply does not crash!
The security problem is real and I understand an exploit has been demonstrated. The source code for the fixed viewer has not been released (yet) but according to sldev they're willing to provide the source to established alternative viewer creators, which would mean you could get it.
The problem stems from a weakness in the protocol itself, which allows UDP messages to initiate connections to sims (neighboring sims for example, or connection to a sim after a teleport). Since UDP packets are easily spoofable, an attacker could send the viewer a packet saying "connect to neighboring sim at my evil IP".
Part of the fix is to blacklist and ignore some types of messages coming over UDP and only allowing them via CAPS (http).
Those include EnableSimulator, CrossedRegion and TeleportFinish, but this is probably not a complete list.
Anyway, good to see you take notice of this and doing something about it, since I would really hate to have to use a different viewer. Since EyeCandy there were really no new features that would make me want to switch apart from the ability to compile scripts to mono. But what I do is develop in LSL, and when all is ready login with the official viewer, recompile to mono, and run back and relog using EC as soon as possible :)
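To make the shape of the fix described in the comment above concrete, here is an added example (not code from the Second Life viewer, the linked patch, or any of the viewers discussed here): a small dispatcher that refuses connection-initiating messages when they arrive over the unauthenticated UDP channel and accepts them only via CAPS. The message envelope, the handler table, the `demo()` inputs and the host addresses are all constructed for this example; the three message names come from the comment, and the real blacklist may be longer.

```python
"""Channel-restricted message dispatch: a toy model of the UDP blacklist fix.

Constructed example. Messages are simplified to (name, transport, payload) so
the whole thing runs offline; the real viewer's message format is not modelled.
"""
from dataclasses import dataclass
from enum import Enum


class Transport(Enum):
    UDP = "udp"    # unauthenticated datagrams; the source address can be spoofed
    CAPS = "caps"  # HTTP capability obtained from the region the viewer is attached to


# Messages that instruct the viewer to open a connection to another host.
# These are only honoured when they come over CAPS. Names taken from the comment
# above; the actual list in the patch is assumed to be at least this.
UDP_BLACKLIST = frozenset({"EnableSimulator", "CrossedRegion", "TeleportFinish"})


@dataclass(frozen=True)
class Message:
    name: str
    transport: Transport
    payload: dict


def accept(msg: Message) -> bool:
    """True if the message may be handled, False if it must be dropped."""
    if msg.transport is Transport.UDP and msg.name in UDP_BLACKLIST:
        return False
    return True


def dispatch(messages, handlers):
    """Run the handler for each accepted message.

    Returns (names handled, names dropped) so a caller can log what was
    discarded; unknown message names are accepted but have no handler.
    """
    handled, dropped = [], []
    for msg in messages:
        if not accept(msg):
            dropped.append(msg.name)
            continue
        handlers.get(msg.name, lambda m: None)(msg)
        handled.append(msg.name)
    return handled, dropped


def demo():
    """Feed a constructed mix of UDP and CAPS messages through the dispatcher.

    Returns (handled, dropped, hosts the viewer would connect to).
    """
    connections = []
    connect = lambda m: connections.append(m.payload["host"])
    handlers = {
        "EnableSimulator": connect,
        "TeleportFinish": connect,
        "ChatFromSimulator": lambda m: None,
    }
    inbound = [
        # ordinary chat traffic still arrives over UDP and is fine
        Message("ChatFromSimulator", Transport.UDP, {"text": "hello"}),
        # a datagram claiming to be a region announcement; its origin cannot be verified
        Message("EnableSimulator", Transport.UDP, {"host": "198.51.100.7:13000"}),
        # the same announcement delivered over CAPS from the current region
        Message("EnableSimulator", Transport.CAPS, {"host": "203.0.113.21:13000"}),
        Message("TeleportFinish", Transport.UDP, {"host": "198.51.100.9:13000"}),
    ]
    handled, dropped = dispatch(inbound, handlers)
    return handled, dropped, connections


if __name__ == "__main__":
    handled, dropped, connections = demo()
    print("handled:", handled)
    print("dropped:", dropped)
    print("would connect to:", connections)
```

The check is deliberately on the transport, not on the packet contents: once a message type can carry a host to connect to, the only thing that makes it trustworthy is the channel it came over, which is why the fix moves those types to CAPS rather than trying to validate the address inside the UDP packet.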
Thanks Latif. I requested the patch already, will see how complex it is.
WB
It's simple, I have applied it to your 1.19.4 EC-f build. Well the patched files are built, build is still running.
I can't understand why they keep this code hidden; all that is needed for the exploit is as clear, if not clearer, in the release note.
/ Balp
Patched and ready to download, sorry, no Windows build from me (yet). No I have a computer with 3D development possibility for work, might come there someday.
http://keeponbalping.blogspot.com/2008/10/balpbuild-ec-g.html
Ok, the latest patches are released now.
First patch is UDP Blacklisting:
http://svn.secondlife.com/trac/linden/changeset/1202
Second file transfer vulnerability:
http://svn.secondlife.com/trac/linden/changeset/1283
Nicholaz:"... I will try to stuff the hole for these (EyeCandy, Bleeding Edge, OldSchool ... in this order)...."
Thank you very much, I now can relax again :)
Nicholaz:"...make sure you check Henry's and BoyLane's CoolViewer..."
Using a viewer by a third party has not only to do with technical possibilities for me. The "trust the creator 100%" is an equally important thing for me and I would prefer to stay on a Nicholaz viewer :)