Spitfire Clay

From the ones who took down the onyx project had this to say:
There was an even bigger issue with those versions, though. Apparently Zwagoth did not know the X11 protocol (for Linux) or Carbon (for Mac) very well, and didn't know how to get the window's handle or title. Instead, he embedded the current working directory for the process into the J2C's comment section. When using a custom-built version of the Mac version of Emerald, or any build of the Linux version, it is also likely that the viewer resides in the user's home directory. An example decoded comment would be "/home/tomsheldon/EmeraldViewer-i686-1.4.0.2270" (this is an actual decoded comment that I saw when looking around the grid for people on Emerald.) There is the possibility for using this information to determine other accounts that people have created outside of SL, or their RL name.


All of this was brought to my attention (and that of several others) by a former Onyx developer who took issue with what they were doing. Apparently, only the Onyx team knew that this sort of "feature" was in the Emerald Kakadu library, not even other core Emerald developers were informed. It is likely that this leak was leveraged by the ModularSystems bots that were crawling the grid just a month ago.


Someone who wishes to remain anonymous made a program that was capable of reading the encoded messages in the baked textures produced by Emerald, and gave it to me and a couple of others. Phr0z3n (an Inertia developer) then made a C++ version of the program and added it to Inertia's radar.

After seeing that even people with their tags hidden (A lot of Lindens that shouldn't have been running Emerald actually) could be identified as running Emerald, I mentioned the issue to a few Emerald developers. They were shocked, to say the least, but the feedback I'm getting is that JCool doesn't intend to remove it and is just going to change the encoding. As such, I am writing this article to warn people and will be providing patches to remove this "feature" from the binary builds of the Emerald Kakadu library in the near future.


Inertia is a copybot viewer made by Hazim, Cryogenic, SimmanFederal,phr0z3nt04st


Soft Linden's reply:
from Brian McGroarty <soft@lindenlab.com>
to * <*@gmail.com>
date Sun, Jul 18, 2010 at 4:03 PM
subject Re: Security and Privacy Breach
hide details 4:03 PM (10 minutes ago)
Yep. At the very least, the paths with names included are completely
unacceptable.

I appreciate the source pointer and the image example. Both are going
to help a lot with this. I've asked for half an hour on Monday in
order to make sure the decision makers understand exactly what's
happening here.

I think I should provide some background for people who aren't familiar with the emkdu library. Up until several versions ago, Emerald was using the slower openjpeg decoder to decode all images in SL as they did not have distribution rights for LL's proprietaru LLKDU library. JCool (Fractured Crystal) Purchased a single-developer license for a newer version of the Kakadu library and asked Zwagoth Klaar to make a version of it in the same style as the LLKDU library.

With this library, they added an encoded comment to an avatar's baked clothing.

Source code to detect this is located here:
indra/llimage/llimagemetadatareader.cpp at master from HazimGazov's Inertia - GitHub
indra/newview/llviewerimage.cpp at master from HazimGazov's Inertia - GitHub
indra/newview/llvoavatar.cpp at master from HazimGazov's Inertia - GitHub

Full Source recompile is location here: http://github.com/HazimGazov/Inertia/tree/master/indra


Quote from their site
Why open source? Won't the lindens fix anything interesting that's added in?

I code for the sport, and it wouldn't be any fun to play against an open net, would it? The lindens are welcome to (actually, I'd expect them to) fix any bugs or exploits exposed in the Inertia source. The open-ness of the project also allows maintainers of similar projects (such as OpenSim) to fix any issues that may affect them as well. The end result is that Inertia is quite similar to the Onyx project, but we value transparency and invite anyone to join.

Hypatia Callisto

moar emerald dramaz, huzzah!

__________________
"To begin with," said the Cat, "a dog's not mad. You grant that?"

"I suppose so," said Alice.

"Well, then," the Cat went on, "you see, a dog growls when it's angry, and wags its tail when it's pleased. Now I growl when I'm pleased, and wag my tail when I'm angry. Therefore I'm mad."

"I call it purring, not growling," said Alice.

"Call it what you like," said the Cat.

Ann Otoole

seventy percent seventy percent we can't be having no seventy percent seventy percent

Free Xue

That's all I got.

__________________
"We're not going to give up on destroying the health care system for the American people."
~U.S. Congressman Paul Ryan

Siggy

Interesting post - thanks for the heads up.

__________________
And as it was in the beginning, so too shall it be in the end. That bullshit is bullshit, it just goes by different names.

Liona Clio

/AnnoyedEmeraldUser on

So, when hackers find a security hole in a 3rd party viewer, Linden Lab bans the viewer, am I interpreting this correctly?

If so...what happens when the hackers find a security hole in the official viewer?

__________________


"Well, my days of not taking you seriously have certainly come to a middle."

“I will go to the animal shelter and get you a kitty cat. I will let you fall in love with that kitty cat. And then on some dark, cold night I will steal away into your home and punch you in the face!” - Sue Sylvester, "Glee"

Ann Otoole

other than LL looking for any excuse to stop the emerald takeover, which is likely all that matters, the main thing is modsys needs to deal with their coding and deal with the who is coding and get this kind of crap cut out.

assuming, of course, there is not more bullshit here than meets the eye.

If all the emerald users say fuck LL and quit we can call it a day even faster and LL can close up shop and then see if they can get them a new job in the second hand rentals biz like T did.

Dickie Swansong

Logins have not been disabled. Explain yaself.

Anya Ristow

1) Note that this does not appear to be part of Soft's email.

2) While I love drama as much as anyone, I'll believe this when it happens.

Imnotgoing Sideways

So, wait... Are these screenshots of Emerald displaying the information or the Enertia client you were using to extract more data? (O.o)

Why do I smell another much ado about nothing? (o.O)

__________________
Link

Wildefire Walcott

I am completely oblivious to all the TPV drama but this right here is laughably ridiculous. There's such a thing as Google, folks.

__________________

Ann Otoole

what it reads like is ripper viewers are allowed by Soft Linden because LL wants to kill emerald because it makes LL look stupid. So they need the ripper viewers logging in to make bad pictures.

Hypatia Callisto

I think it looks even more stupid when you believe everything you read written by some idiot with an axe to grind. I'm no Emerald lover but I'm not exactly going to believe anything Spitfire Clay says. It's probably all mashed together out of context.

Kate M.

Immy,

See the original posting here for more details: I ♥ Anime - Griffblog - I told you so.

Basically, the developers of inertia figured out a way to read the data Emerald was already broadcasting to the entire grid.

I should emphasize that windows users do not have this problem; only users running emerald on Linux or Mac have to worry about this.

If LL does disable emerald logins, they will be responding to a TPV that is intentionally broadcasting user RL data. This problem may have started as a bug, but when the developers declined to fix it, it became an intentional violation of the TPV policy.

Serendipity

since we are on it how do I download stuff from Sl for me? I saw this cute little dress and I don't wanna pay for it so I got Emerald to download it to my Computer... I have a grey Computer if that helps...

Ann Otoole

so they can allow windows versions and block the others. In the meantime the devs can fix it. or stop being devs.

assuming it is not all bullshit.

well one way or another it is bullshit of some sort lol

and LL will take any straw for a reason to ban emerald because emerald usage numbers make SLv2 look like what it is.

Ann Otoole

Too bad we can't set the settings directory to somewhere other than a structure that has the user name in it eh? Maybe LL needs to ban all viewers.

Kate M.

Users who didn't install it in a directory tree don't have their user name exposed. All it does is broadcast the directory in which the viewer executable is running. For some people, that happens to inclide their user name or RL name

Imnotgoing Sideways

I'm just going to say, right here and right now, that I believe that Hazim and his internet piss war BS is what cost us Woodbury University. I don't know and I don't care what he wants to accomplish with his actions, but I do hope he finds a way to utilize his abilities in a way that will land him a six-figure salary and not a starring role as Bruno's butt buddy in prison.

Spitfire Clay

This has nothing to do with hackers.
Imnotgoing Sideways, This is Hazim's quote on how it works:

I think I should provide some background for people who aren't familiar with the emkdu library. Up until several versions ago, Emerald was using the slower openjpeg decoder to decode all images in SL as they did not have distribution rights for LL's proprietaru LLKDU library. JCool (Fractured Crystal) Purchased a single-developer license for a newer version of the Kakadu library and asked Zwagoth Klaar to make a version of it in the same style as the LLKDU library.

With this library, they added an encoded comment to an avatar's baked clothing.

Trasee Darkwatch

__________________
______________________________________________
(\__/)
(='.'=) This is Bunny. Copy and paste Bunny into your
(")_(") signature to help him gain world domination

Spitfire Clay

Imnotgoing Sideways, if I recall, your name was listed in the modular datamining list.

Anyways , I have reproduced this bug by recompiling indra at master from HazimGazov's Inertia - GitHub .

This bug even affects the current version of emerald 2270 and a few other versions.

hazimgazov

Not necessarily. All new installations of Emerald (regardless of the version) will now use a newer version of emkdu. It uses the reference implementation of AES instead of of the janky encryption used before. As far as I know, nobody's really looked at the new library in-depth yet; However, it shouldn't be terribly difficult, since the library was compiled in debug mode (thanks for that,) and the debug symbols for vanilla kakadu and the compiled reference AES implementation should be more than sufficient. All wassert() calls are left intact, which should provide needed context.

Aside from the new encryption (which will require a key to decode, presumably only held by the developers of the emkdu library,) It's been mentioned that if the library isn't able to determine the window's title, it will use the last part of the full path instead. I have confirmed that under circumstances that it will embed the path into the image as it did under mac and linux, but I haven't confirmed that only the last part of the path will be used. I will try to keep people up to date as to the behaviour of the new library as soon as I'm able to pin it down.

TL;DR: New emkdu library, uses different encryption, may embed path even under Windows now.

If an Emerald dev would care to correct me, this would be a good time.

__________________
KING OF DOUBLE PROAST AND NINJA EDIT.

Spitfire Clay

Its not a security hole. It was hard coded by the Modular Dev.

Credit goes to ex-Onyx/Emerald/Cryolife dev Cryogenic and Hazim for sniffing ModularSystems out.

Free Xue