User:Samuel Linden/Office Hours/2010-04-07

[11:32] Samuel Linden: Hi everyone
[11:32] Kathy Swashbuckler: yo
[11:32] Samuel Linden: sorry I'm late
[11:32] Chaley May: hello
[11:32] Luchador Magnifico: hi
[11:32] Samuel Linden: and sorry for no notice on the office hours last week
[11:32] Youri Ashton: hey samuel
[11:32] Samuel Linden: we were in the midst of releasing 2.0
[11:32] Bronson Blackadder: hiya sam :)
[11:33] Samuel Linden: so we had a topic suggestion
[11:33] Samuel Linden: from Ghost Menjou
[11:33] Youri Ashton: crashing...
[11:33] Youri Ashton: black screen and huge lag spike, brb
[11:33] Samuel Linden: https://wiki.secondlife.com/wiki/User:Samuel_Linden/Office_Hours/OfficeHourTopics
[11:34] Samuel Linden: suggested topic was webkit security
[11:34] Samuel Linden: is that ok with folks?
[11:34] Bronson Blackadder: yep :)
[11:34] Chaley May: yeah
[11:34] Luchador Magnifico: not for me, you need to dress more up to date
[11:35] Luchador Magnifico: I'll come back when you look better
[11:35] Luchador Magnifico: bye
[11:35] Bronson Blackadder: oh kay
[11:35] Samuel Linden: great
[11:35] Samuel Linden: anyone else?
[11:35] Master Source: its about secutiry of media ?
[11:35] Samuel Linden: yes, this jira:
[11:36] Bronson Blackadder: so what new things are being done about security?
[11:36] Samuel Linden: https://jira.secondlife.com/browse/VWR-17772
[11:36] Master Source: ok
[11:36] Samuel Linden: well I have a couple of updates on that
[11:36] Samuel Linden: we patched webkit with the latest security fixes this week
[11:36] Samuel Linden: we plan to release that in a point release in the next couple of weeks
[11:36] Samuel Linden: that will be an ongoing process
[11:36] Samuel Linden: we also added checkboxes for javascript and plugins
[11:37] Samuel Linden: if you are running viewer 2 release you should have those
[11:37] Samuel Linden: and we have defaulted avatar media to off
[11:37] Samuel Linden: so that's what we've done
[11:37] Youri Ashton: okay, that was odd
[11:37] Samuel Linden: we are investigating Google's SafeBrowsing API
[11:37] Samuel Linden: are people familiar with that?
[11:38] Master Source: not me
[11:38] Youri Ashton: did see the UI and HUD attachements, but the rest was black!
[11:38] Bronson Blackadder: noy entirely no
[11:38] Bronson Blackadder: but go ahead :)
[11:38] Samuel Linden: http://code.google.com/apis/safebrowsing/
[11:38] Samuel Linden: it is essentially an anti-phshing/anti-malware blacklist maintained by google
[11:38] Samuel Linden: firefox and chrome both use this
[11:39] Youri Ashton: hmm... that sounds great
[11:39] Master Source: i would assume if someone has bad intentions, they create a new site which isnt on it yet?
[11:39] Master Source: (on the blacklist)
[11:39] Youri Ashton: although Ie is the worse in those problems.....
[11:39] Samuel Linden: so bad intentions is a fairly general concept
[11:39] Samuel Linden: the blacklist is not a silver bullet
[11:39] Samuel Linden: no single security fix ever is
[11:39] Master Source: yeah but an improvement nevertheless
[11:39] Bronson Blackadder: but its better then notyhing
[11:40] Samuel Linden: what it gets you is a list of known bad sites that will be checked against
[11:40] Samuel Linden: and that list will be updated every 30 minutes
[11:40] Samuel Linden: this will likely be on by default, but opt in/out
[11:40] Samuel Linden: we are targetting the 2.1 timeframe for this
[11:40] Master Source: will linden lab itself also include some sort of blacklist, if they get told (by residents) about 'bad sites'
[11:40] Bronson Blackadder: cool :)
[11:41] Sebastean Steamweaver: I missed something - which is opt in/out?
[11:41] Samuel Linden: we haven't finalized plans for our own contributions to the blacklist
[11:41] Samuel Linden: use of the blacklist will be opt in/out
[11:41] Sebastean Steamweaver: I'm sorry, just arrived.
[11:41] Sebastean Steamweaver: Ahh
[11:41] Samuel Linden: http://code.google.com/apis/safebrowsing/
[11:41] Sebastean Steamweaver: Sounds like a good idea.
[11:41] Master Source: okay..i think it would be great to have such a blacklist itself
[11:42] Bronson Blackadder: so is this why flash on moap works with firefox and not IE?
[11:42] Samuel Linden: no
[11:42] Samuel Linden: that is due to the fact that sl requires the flash dll, not an activex control
[11:42] Samuel Linden: IE uses an activex control
[11:43] Bronson Blackadder: I tried letting torley know last week
[11:43] Bronson Blackadder: taht when people taht have IE as a default try updating flash
[11:43] Bronson Blackadder: it doesnt fix teh issue of not being able to see flash on moap
[11:43] Bronson Blackadder: I think I lost him on it
[11:44] Bronson Blackadder: it took along time for me to get flash to work on moap
[11:44] Samuel Linden: they need to download the flash dll specifically
[11:44] Bronson Blackadder: yeah
[11:44] Bronson Blackadder: for IE and other browsers on teh adobe site
[11:44] Bronson Blackadder: but teher is no documentation stating this
[11:45] Bronson Blackadder: only teh generic go update flash from adobe
[11:45] Chaley May: the only thing that doesnt work for me is the 360 panorama website that shows a view of a sim
[11:45] Chaley May: dont know what it uses though
[11:46] Samuel Linden: yeah, there are some sites that don't work
[11:46] Samuel Linden: we can't yet guarantee 100% compatabilitiy with your web browser
[11:46] Chaley May: but it works for everyone else
[11:46] Chaley May: i have installed IE and chrome
[11:47] Samuel Linden: I am not really sure why, but you can file a jira for it
[11:47] Bronson Blackadder: chaley are you able to see youtube videos on moap?
[11:47] Chaley May: yes i can see youtube
[11:47] Bronson Blackadder: ok then its not a flash thing
[11:48] Samuel Linden: so do folks have other suggestions regarding security issues?
[11:48] Bronson Blackadder: so far I'm good thanks :)
[11:48] Bronson Blackadder: sounds like you got a good start going on it on your end :)
[11:49] Samuel Linden: well we are attempting to listen to feedback from you all
[11:49] Xugu MadisonXugu Madison wants a Tester avatar...
[11:49] Chaley May: http://www.avatrian.com/Peek360/viewer.php?id=340
[11:49] xstorm Radek: hhhhmmmm may be some one can learn how them kids on teen grid can be doing copybotting ?
[11:49] Ardy Lay: Might want to watch JIRA for residents that close issues they disagree with. Saw some of that going on this morning.
[11:50] Samuel Linden: we are looking into it
[11:50] Master Source: yeah other residents than the creator should not be able to do that ..its kinda annoying
[11:51] Chaley May: SLs MoaP never seemed any more insecure than using a normal browser so I never had an issue :)
[11:51] Bronson Blackadder: well sam it sounds like you got a good start going on security :)
[11:51] Samuel Linden: Chaley, the main difference is that you don't have to click to navigate in Shared Media
[11:52] Master Source: yeah but MoaP associates residents with sites..it's not the same that way
[11:52] Samuel Linden: Master, that isn't really true
[11:52] Master Source: its not?
[11:53] Youri Ashton: I just noticed a message on AW Groupies IM ( http://techcrunch.com/2009/12/31/web-2-0-suicide/ ), but I asure you, its the biggest bull i heared in a long time. web 2.0 is a replacement or upgrade rather of the internet we have now, is even discontinued to my knowlage. and NOT for things like facebook and twitter
[11:53] Samuel Linden: sites have no way of knowing your linden name
[11:53] Master Source: true..but if im the one visiting a site, and im the only one on that sim...the correlation is pretty easily made ..right?
[11:53] Chaley May: unless sent in the url
[11:53] Tillie Ariantho: Hello! :)
[11:53] Samuel Linden: Chaley, it can't send it in the URL
[11:54] Chaley May: i think it can
[11:54] Samuel Linden: yes, if you are the only one on the sim a script can associate avatar with IP
[11:54] Samuel Linden: how can you send an sl name with a url?
[11:54] Master Source: yeah ...is there a way to 'hide' that..maybe with a proxy or what not?
[11:54] Master Source: so IP's can't be associated with avatars
[11:55] Samuel Linden: don't get me wrong
[11:55] Chaley May: associating IPs with avatars has always been possible with parcel media :)
[11:55] Samuel Linden: it is possible to guess an association of an SL name and an IP
[11:55] Samuel Linden: yes, what Chaley said
[11:55] Xugu Madison: Samuel; I frankly think IP reveals are overblown, but having a media prim right next to teleport routing for a sim would mean you could statistically match IPs to avatars based on avatars arriving and an HTTP request shortly afterwards
[11:55] Master Source: okay yes..but now it's hardly used..but yeah true..never throught of it
[11:56] Chaley May: actuall parcel media can associate IPs more efficiently since you can target an avatar with a specific URL
[11:56] Master Source: a friend of me really wants it cause he plays 2 avatars and does no want people to know he's both lol
[11:56] xstorm Radek: a IP address can not be seen by other viewer do to its link to the linden lab servers and there are a number of jump in and out befor its seen by other users
[11:56] Samuel Linden: Xugu, that won't work reliably due to the way Shared Media loads
[11:56] Xugu Madison: Sam, interesting...
[11:56] Tillie Ariantho: xstorm: not for media stuff.
[11:57] Samuel Linden: ip address is not in itself a security exploit
[11:57] Youri Ashton: no floating sphere avi with excessive text messages xstorm? :p
[11:57] Xugu MadisonXugu Madison mostly wishes people would stop treating IPs as secured, assume they're not, and work from there. Virtually everything can reveal your IP, better just to not need to worry
[11:57] Samuel Linden: any website you visit has your ip
[11:57] xstorm Radek: and trying to link data such as media your giving them per. to see you
[11:58] Samuel Linden: oh, I forgot to mention one other change we've made
[11:58] Chaley May: most people are easily convinced to look at websites without MoaP or parcel media.. if someone wants your IP they will get it
[11:58] Ardy Lay: I think I get a different IP address each time I turn on my computer.
[11:58] Samuel Linden: we've fixed up our cookie jar to be more secure
[11:58] Master Source: yeah websites have your IP..but you're pretty usless to them...they have not much info abotu you...in SL you know alot more about a person
[11:58] Youri Ashton: nyx, wrong avi here :p
[11:58] Xugu Madison: Ardy, depends on your ISP, but that's fairly rare these days
[11:58] Tillie Ariantho: securing the cookie jar is good.
[11:59] Samuel Linden: cookies are also now robust, and shared accross media instances
[11:59] Nyx TesterNyx Tester sneaks his hand into the cookie jar
[11:59] Xugu Madison: Cookies? *hungry*
[11:59] Samuel Linden: ok all
[11:59] Samuel Linden: any final thoughts?
[11:59] Youri Ashton: cookies can be abused unfortunately
[11:59] xstorm Radek: i have a static IP but people get to see it from a place in another state or town
[11:59] Youri Ashton: but hell, what not? :p
[11:59] Yuu Nakamichi: when are you normal OHs Samuel? :)
[11:59] Master Source: mine totally reveals even my neighbourhood
[11:59] Samuel Linden: this time
[11:59] Samuel Linden: 11.30 - noon PST
[12:00] Yuu Nakamichi: great thx
[12:00] Xugu Madison: Master; yeah, that's the things I hate, when IPs are mapped to physical locations, and somehow this is meant to be good
[12:00] Samuel Linden: https://wiki.secondlife.com/wiki/User:Samuel_Linden/Office_Hours/OfficeHourTopics
[12:00] Samuel Linden: use this for next week
[12:00] Samuel Linden: thanks everyone
[12:00] Master Source: yeah i never got why they do that
[12:00] Bronson Blackadder: thanks for the OH sam :)
[12:00] Xugu Madison: Thanks Samuel!
[12:00] Youri Ashton: a hud is easier :p
[12:00] Sebastean Steamweaver: Thanks Samuel
[12:00] Samuel Linden: bye all
[12:00] Uni Ninetails: tyty
[12:00] Master Source: and sam..great hair lol
[12:00] Youri Ashton: thanks for being here samuel! :)
[12:00] Samuel Linden: thanks

User:Samuel Linden/Office Hours/2010-04-07

Navigation menu

Search