[opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
nexisentertainment at gmail.com
Tue Aug 24 14:27:40 PDT 2010
They used a custom build of the KDU JPEG compression library to embed
information in baked textures, such as the installation directory and
the title of the window. The outrage around this is that Emerald
1. Disclosed private information without informing users about the
username, usually on Linux, though).
2. Obfuscated this system by hiding it within a closed-source library
3. Continued to lie about the purpose of this system.
4. LINDEN LAB CONTINUES TO IGNORE THE TPV VIOLATIONS. If I had pulled
this crap with my tiny viewer, I'd have been banned back into the stone
age. The double standard Linden Lab uses infuriates many who were
forced to do many difficult changes to comply with the TPV, only to find
out that Linden Lab has no intention of enforcing it.
5. Reportedly, Emerald merely changed the encryption method used when it
was discovered. I don't even know if they changed their KDU library to
comply yet, or if they're covering their bums still by making a storm of
apologetic blog posts while continuing the same old crap.
On 8/24/2010 1:50 PM, Harold Brown wrote:
> What I find interesting is that people are neglecting to realize that
> ANY viewer, even a LL viewer could have been used to do the same thing
> by changing the WEBPAGE the login screen pointed to. Or for that
> matter distributing a object using the new Media functions to load a
> webpage with the exact same iframe set.
> On Mon, Aug 23, 2010 at 8:03 AM, David M Chess<chess at us.ibm.com> wrote:
>> Could we move all this stuff to a new "emeraldgate" list, or something?
>> That I could then carefully not subscribe to?
>> Policies and (un)subscribe information available here:
>> Please read the policies before posting to keep unmoderated posting
> Policies and (un)subscribe information available here:
> Please read the policies before posting to keep unmoderated posting privileges
More information about the opensource-dev