Spitfire Clay

Fixing it

hazimgazov

If it's this Bruno, I'm all for it. But seriously, I'm more than happy that WU doesn't exist anymore if it means I don't have to deal with you anymore. My humble apologies for "costing you WU".

I don't deserve any credit for it.

Nope.

__________________
KING OF DOUBLE PROAST AND NINJA EDIT.

Hypatia Callisto

See, I knew the real story would start to emerge.

__________________
"To begin with," said the Cat, "a dog's not mad. You grant that?"

"I suppose so," said Alice.

"Well, then," the Cat went on, "you see, a dog growls when it's angry, and wags its tail when it's pleased. Now I growl when I'm pleased, and wag my tail when I'm angry. Therefore I'm mad."

"I call it purring, not growling," said Alice.

"Call it what you like," said the Cat.

Masami Kuramoto

Anyone who still believes that the avatar name leak in 1634 was an accident, please raise your hand.



Hey, that's two hands. Don't cheat!

Sidney Kwon

Spitfire Clay

Oh well.

Hazim, I obtained a newer version of the onyx source called onyx_source_spring_2010.7z. The source files seem updated from the one you gave out. Do you happen to know if the onyx project continued after the date they claimed to stop updating it?

I think this is a new file in the newview folder/cryo_message.cpp


#include "llviewerprecompiledheaders.h"
#include "jc_preprocessor_settings.h"
#include "llsdserialize.h"
#include "cryo_message.h"

CryoMessage gCryoMessage;

CryoMessage::CryoMessage()
{
init();
}
CryoMessage::~CryoMessage()
{
}
void CryoMessage::init()
{
std::string message_template_path = gDirUtilp->getExpandedFilename(LL_PATH_APP_SETTINGS,"message _template.msg");

LLFILE* found_template = NULL;
found_template = LLFile::fopen(message_template_path, "r"); /* Flawfinder: ignore */

#if LL_WINDOWS
// On the windows dev builds, unpackaged, the message_template.msg
// file will be located in
// indra/build-vc**/newview/<config>/app_settings.
if (!found_template)
{
message_template_path = gDirUtilp->getExpandedFilename(LL_PATH_EXECUTABLE, "app_settings", "message_template.msg");
found_template = LLFile::fopen(message_template_path.c_str(), "r"); /* Flawfinder: ignore */
}
#endif

if (found_template)
{
const S32 BUFSIZE = 16384;
char buffer[BUFSIZE]; /* Flawfinder: ignore */
char arg1[256],arg2[256],arg3[256],arg4[256],arg5[256]; /* Flawfinder: ignore */
arg1[0] = 0;
arg2[0] = 0;
arg3[0] = 0;
arg4[0] = 0;
arg5[0] = 0;
int args = 0;
int braceCount = 0;
LLSD packets;
LLSD packet;
LLSD block;
LLSD blocks;
LLSD blockdata;
std::string lastPacket;
std::string lastBlock;
while (!feof(found_template))
{
if (fgets(buffer, BUFSIZE, found_template) == NULL)
{
buffer[0] = '\0';
}

args = sscanf(buffer, " %255s %255s %255s %255s %255s", arg1, arg2, arg3, arg4, arg5); /* Flawfinder: ignore */
if( !strncmp(arg1,"//",(size_t) 2) )continue;

Siggy

If it says root........ it's on like donkey kong! woooot!

__________________
And as it was in the beginning, so too shall it be in the end. That bullshit is bullshit, it just goes by different names.

Ann Otoole

Just curious since on this topic... does anyone but me ever watch disk activity in the resource monitor in windows?

yea i'm real geeky. I monitor ports and disk activity all the time. Have I mentioned I hate typepad and it's sixapart crap?

Anyway it is interesting to see what all goes on around the old hard drive even when applications are (supposedly) not running.

Lil Hapmouche

The list which that tabloid Herald blog posted?
No accident, no, but I'd still like to know why my avatar name was on that list and so far, there was no proper explanation except for people who tried to persuade me that I must have visited certain sims which I certainly did not visit.

By the way, my Windows account name is "Mazz", which actually isn't my real name. Hope that didn't spoil any fun.

Ann Otoole

Like I said isn't it too bad we can't change the app settings directory?

Ann Otoole

It is time to make a new and fun account name just for Second Life viewers.

Sometimes I come across textures that are named with the full app path that includes the user name rofl. People should really slow down. That L$5 that they miss by taking the time to rename isn't going to hurt.

hazimgazov

I don't know, I don't really keep tabs on Onyx, I wasn't even aware that they stopped developing it. I highly doubt they have stopped developing it, other than in a public capacity.

Speaking of which, any viewer devs stupid enough to base their viewer on Onyx, they are also affected by this. *looks at several people on certain forums*

Dickie Swansong

Quote:

Originally Posted by Spitfire Clay All logins from the Emerald Viewer or Emerald Viewer Beta channel will be disabled because of this and there will be a public blog post warning all users that Emerald Dev Team violates the users privacy using a "infected library"

Well?

Nice edit after teh fact.

Nebula

1. It appears to be new and updated, so it is very possible

2. why base a viewer on onyx, its made by emerald so it has all of its failures.

3. thank you hazim for including this feature in your viewer (I am sure it is brilliant though I haven't messed around with it in OS grid yet).

__________________
I used to program once, then I took an arrow to the knee.

hazimgazov

Not sure. Most of the content theft bits are fairly ubiquitous in those viewers. There are some interesting bits though. The utility for opening circuits and sending certain messages over them carried over from VLife, for one. Then there's Phox's ViewerEffects generator / spammer. Probably the most important thing in it was the utility Discrete made to convert uploaded animations to bvh files and save them (this may be in Emerald, not sure.)

If you want to mess around with it on OSGrid, make sure to sure to turn off IP spoofing protection in the preferences (under Inert Prefs->Security,) otherwise it won't let you connect, that feature only really works as intended on LL-operated grids, due to a quirk with the messages OpenSim sends out.

Edit:

Me. I highly doubt there was malicious intent here, since my understanding was that this was due to an issue with a third-party login manager with their customized startup page xml. It would be much easier to prove it if they would keep a public source code repository and stop scrubbing revisions they didn't want others to see. My understanding is that the only reason they went to a private repo was because they wanted Meerkat to stop "stealing" their features before they could release them. I get the feeling that if they were not legally required to release the source, they would not.

Mako Mabellon

The screenshots aren't of Emerald. What's happening is that, if you upload an image to Second Life using a recent version of Emerald on a Mac or Linux system, the full path to where Emerald is installed is embedded in the uploaded image. Normally, this gives away your Mac or Linux user name, which most people set to some variant of their real name.

For pretty much all Mac or Linux users it will do, since almost everyone installs Second Life to somewhere in their home directory, and that's named based on their Mac/Linux login name.

Oh, and the fact that the Emerald source code is available? It didn't help with this issue in the slightest, since source code for this part of Emerald is intentionally not released.

hazimgazov

They're not legally allowed to. The emkdu library is based on software licensed from NSI, and the license under which they were provided the source only allows for one developer and does not allow the library to be sold or used for any manner of financial benefit on the part of the developer.

You can read the full text of the license here (pdf warning.)

Hitomi Tiponi

Am glad I am not silly enough to be a Mac or Linux user then. Have those people never heard of computer security - or maybe they just have no imagination either?

hazimgazov

Also, the reason this issue only appeared under mac and linux on the older version of the library is due to an oversight (or rather, the foresight) of the person developing emkdu. It wasn't the fault of any of the developers or users of the Mac OS or Linux.

Kate M.

While this may be true, (I have not verified), it's not the issue under discussion.

Katheryne Helendale

/usr/share/secondlife/Emerald-Viewer-i686-1.23.5.1636

Sorry to disappoint!

__________________

hazimgazov

should be under /usr/share/games/secondlife.

lordgreggreg

This was pretty disgusting when I found out about it all, and how I found out about it. Apparently this was a secret addition to code that I wasn't allowed to see -.-

I've talked with them, the code was originally placed in there to help them see who is using emkdu and to help prevent other people (viewers) from using it illegally (not paying for it like emerald did).

This is all out of my hands, the emkdu license was for a single developer, and it wasn't me. Phox has told us that the emkdu library is fixed now, and that path is no longer part of the pasta.

I greatly apologize to those Linux (and Mac?) emerald users who have had their user names on their computer exposed, I wish I would have known about this sooner.

Re-downloading the emerald binary from the site will replace the old version of emkdu with the new one that phox said "none of the binaries on our site expose resident data."

It may also be worth noting that emerald is made to use either llkdu (llkdu.dll file on second life installations), emkdu, or openjpeg. It decides what to use based on what .dll files are available in the installation directory. emkdu, then llkdu, then openjpeg, listed in the order that emerald viewer will choose to use them, and also the order of speed. To make emerald not use emkdu, it would probably be best to delete emkdu.dll, and copy over llkdu.dll from one of their installations.

Also, phox has mentioned that the encryption around the window title now included has been made stronger, so this will hopefully prevent that information from being as public as it is now.

It may also be worth noting, just as a neat bit of information, that there is some user data placed in every image file by llkdu and emkdu, mentioned by ll here, http://wiki.secondlife.com/wiki/Texture_meta-data

Katheryne Helendale

The beauty of Linux.... It can be wherever I want!

Natalie P.

The odds of this actually being interesting are so low I actually nodded off while writing this post.

__________________
"Here I am once more in this scene of dissipation and vice, and I begin already to find my morals corrupted." - Jane Austen