The login screen and this attack happened before you select the grid.

On Sun, Aug 22, 2010 at 8:22 AM, Ann Otoole <missannoto...@yahoo.com> wrote:
> I hate replying to a policy thread here but will make this one time exception for my humble input for LL's consideration:
>
> What I think LL should consider is something in the TPV policy that prohibits any tpv from connecting to any non LL server for any reason when a LL grid is selected for login. This simple policy, if correctly followed, would have prevented the incident. It would also eliminate a tpv team from monitoring logins and usage but then where exactly did they get to do that in the first place? It is a missed policy bullet. There is no reason a client should connect to anything except an LL server when an LL grid is selected. LL needs to be totally security conscious about the login process and what rigid requirements must be met for connecting to the LL grids.
>
> I.e.; I watch my port activity. Everyone should. But not everyone would know what they are looking at. But had they been watching I bet they would have been wanting to know what all those connections to that host were all about right away. Had I been using Emerald and saw thirty something connections to iheartanime dot com appear I would have been raising hell immediately. What you connect to on the internet can be and is monitored sometimes and being open to forced connections to something really bad would be extremely unfortunate for many that have to be squeaky clean.
>
> I use Kirstens and I don't even care much for its connection for motd. However it does tell me when the latest release is available and that is very useful information. Maybe there is a way for LL to provide motd bullets for tpvs so they can get the word out about updates or something.
>
> There has to be a better way.
>
> Regards
>
> Ann Otoole InSL
>
> ------------------------------
> *From:* Brian McGroarty <s...@lindenlab.com>
> *To:* Thomas Grimshaw <t...@streamsense.net>
> *Cc:* opensource-dev@lists.secondlife.com
> *Sent:* Sat, August 21, 2010 10:33:52 AM
> *Subject:* Re: [opensource-dev] Malicious payloads in third-party viewers: is the policy worth anything?
>
> On Sat, Aug 21, 2010 at 7:04 AM, Thomas Grimshaw <t...@streamsense.net> wrote:
> > Loading 1mb of content per user is hardly a denial of service attack.
> > Crosslinking occurs everywhere on the web, this is simply nothing but
> > paranoid bull.
>
> "Crosslinking" drops the context of hiding gibberish requests to a critic's website in a hidden frame that will never be revealed to the user. This isn't a mere hyperlink to another page or naively stealing someone else's image hosting.
>
> My read (but I'm no lawyer) is that this looks like 2.d.iii of http://secondlife.com/corporate/tpv.php and we're already having that discussion. If anyone can come up with specific reasons why this might have had legitimate reason to be there, or how this one could be yet another oversight or mistake, that would be helpful. I sure haven't heard any to date.
>
> --
> Brian McGroarty | Linden Lab
> Sent from my Newton MP2100 via acoustic coupler
> _______________________________________________
> Policies and (un)subscribe information available here:
> http://wiki.secondlife.com/wiki/OpenSource-Dev
> Please read the policies before posting to keep unmoderated posting privileges