Being listed in the directory is a sign that viewer devs have self-certified compliance, but it's also an unconscious sign to users that the viewer is legit, even if not intended.

On Sun, Aug 22, 2010 at 3:56 PM, JB Hancroft <jbhancr...@gmail.com> wrote:
> Hi Ann,
>
> You suggested: "What I think LL should consider is something in the TPV
> policy that prohibits any tpv from connecting to any non LL server for any
> reason when a LL grid is selected for login."
>
> I'd change that to require that any TPV disclose the specifics of any and
> all non-LL servers that they are connecting to, and the details of why they
> are doing so. Otherwise, some of the possible value-added functionality
> gets crippled.
>
> The real issue here is the TPVP is just legal CYA for LL, it's not something
> they actually monitor or enforce.
> There is no assurance being provided by LL or by the TPV developer, that
> they have any sense of reasonable security, including processes that limit
> rogue devs from pulling the kind of stunts that the Emerald team seem to
> favor.
>
> If the TPVP really matters, we'll see Emerald shut down from the TPVP
> program, because of this accumulated nonsense.
> If not, then it confirms that it's all just a paper chase.
>
> Regards,
> - JB
>
> On Sun, Aug 22, 2010 at 8:22 AM, Ann Otoole <missannoto...@yahoo.com> wrote:
>>
>> I hate replying to a policy thread here but will make this one time
>> exception for my humble input for LL's consideration:
>>
>> What I think LL should consider is something in the TPV policy that
>> prohibits any tpv from connecting to any non LL server for any reason when a
>> LL grid is selected for login. This simple policy, if correctly followed,
>> would have prevented the incident. It would also eliminate a tpv team from
>> monitoring logins and usage but then where exactly did they get to do that
>> in the first place? It is a missed policy bullet. There is no reason a
>> client should connect to anything except an LL server when an LL grid is
>> selected. LL needs to be totally security conscious about the login process
>> and what rigid requirements must be met for connecting to the LL grids.
>>
>> I.e.; I watch my port activity. Everyone should. But not everyone would
>> know what they are looking at. But had they been watching I bet they would
>> have been wanting to know what all those connections to that host were all
>> about right away. Had I been using Emerald and saw thirty something
>> connections to iheartanime dot com appear I would have been raising hell
>> immediately. What you connect to on the internet can be and is monitored
>> sometimes and being open to forced connections to something really bad would
>> be extremely unfortunate for many that have to be squeaky clean.
>>
>> I use Kirstens and I don't even care much for its connection for motd.
>> However it does tell me when the latest release is available and that is
>> very useful information. Maybe there is a way for LL to provide motd bullets
>> for tpvs so they can get the word out about updates or something.
>>
>> There has to be a better way.
>>
>> Regards
>>
>> Ann Otoole InSL
>>
>> ________________________________
>> From: Brian McGroarty <s...@lindenlab.com>
>> To: Thomas Grimshaw <t...@streamsense.net>
>> Cc: opensource-dev@lists.secondlife.com
>> Sent: Sat, August 21, 2010 10:33:52 AM
>> Subject: Re: [opensource-dev] Malicious payloads in third-party viewers:
>> is the policy worth anything?
>>
>> On Sat, Aug 21, 2010 at 7:04 AM, Thomas Grimshaw <t...@streamsense.net> wrote:
>> > Loading 1mb of content per user is hardly a denial of service attack.
>> > Crosslinking occurs everywhere on the web, this is simply nothing but
>> > paranoid bull.
>>
>> "Crosslinking" drops the context of hiding gibberish requests to a
>> critic's website in a hidden frame that will never be revealed to the
>> user. This isn't a mere hyperlink to another page or naively stealing
>> someone else's image hosting.
>>
>> My read (but I'm no lawyer) is that this looks like 2.d.iii of
>> http://secondlife.com/corporate/tpv.php and we're already having that
>> discussion. If anyone can come up with specific reasons why this might
>> have had legitimate reason to be there, or how this one could be yet
>> another oversight or mistake, that would be helpful. I sure haven't
>> heard any to date.
>>
>> --
>> Brian McGroarty | Linden Lab
>> Sent from my Newton MP2100 via acoustic coupler
>> _______________________________________________
>> Policies and (un)subscribe information available here:
>> http://wiki.secondlife.com/wiki/OpenSource-Dev
>> Please read the policies before posting to keep unmoderated posting
>> privileges

--
“Lanie, I’m going to print more printers. Lots more printers. One for
everyone. That’s worth going to jail for. That’s worth anything.” -
Printcrime by Cory Doctorow

Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html