
Command Line Utility: TOS Violation or not?


deltamodulator

You are about to reply to a thread that has been inactive for 3754 days.

Please take a moment to consider if this thread is worth bumping.


Hi, I've created a Command Line Utility scripted object which runs on Apple Mac computers with Second Life.  You have to set things up a bit, and once working you just type "computer command" into local chat and whatever you put for command will be executed on your local system.  

In one sense this is merely a convenience because you could do that anyway with a terminal window in front of your sl window so it's just a convenience.  In another sense it can be an enabler for griefers because they can do things like "computer netstat -n | grep ESTABLISHED | awk '{print $5}'" and get a list of connected IP addresses, many of which are SL server IPs.  

Also there is the issue of security, I think I will have to add a password or something.  The major question, however, is whether or not this object is a violation of the SL TOS.  Would anyone care to comment on the issues related to this product?  Thanks in advance.  

Les

 

Link to comment
Share on other sites

I think this would hinge on what is required to "set things up a bit"

 

  • If you've found a way to do this using LSL, you should write a SEC-JIRA on it. This would be a serious issue, violating the "sandbox" scripts are restricted within.
  • If this involves changing the code of the viewer itself, then you should read and understand http://secondlife.com/corporate/tpv.php completely.
  • If all that is needed is for the user to change some system settings, the TOS doesn't cover that. We're allowed to be as stupid as we wish in that regard.
  • Like 1
Link to comment
Share on other sites

The setup involves downloading an AppleScript program and putting it in a certain folder, then adding a rule in the preferences panel of Mail.app.  Well, that plus wearing the Command Line Utility object inworld as well.  So yes, it seems to be a case where there is no violation of any agreements, TOS or otherwise.  Woohoo!  To marketplace I go, to marketplace I go...

Les

 

Link to comment
Share on other sites

I don't understand - so you'd be able to type in commands in an in-world  terminal that get executed on your local machine.

 

Anyone can already do a (as you already wrote) netstat and get a list of connected machines - or are you saying that this will enable some folks who don't have an actual command line available on their local machine to do this?

I'm very apple-ignorant - don't macs have a terminal by default?

Link to comment
Share on other sites

Thank you for allowing me to examine and review your efforts. I found your program to be well written, everything as you described and a uniquely novel solution to a complex interaction.

 

However, I agree with your decision not to release this because of security concerns that, however slight they may have been, did outweigh any potential benefits. Erring on the side of caution is never a mistake in my book.

 

Hope to see more of your work in the future! Keep us posted...

Link to comment
Share on other sites

Hello again folks, may I first thank you all for being so polite and factual in your responses and questions, it could be easy to flare up some drama about just this sort of thing.  Then I'd have to get out my anti-drama spray cans and pass them out to everyone so we could get the situation under control, lol...  But no such foolishness occurred, so let me get to a status report and answering of questions.  

As it turns out, I have chosen to withdraw the product after a brief listing time of a day or two.  Basically what happened is that I chose to overlook the security flaw in the product, which I realized was rather significant actually, in my haste to share the extremely powerful potential of such a category of products that could be developed from this one.  I had offered it full perms in the hope that someone else would develop it further, adding encryption and authentication to fix the security flaw.  Thankfully my first customer very concisely and politely and factually explained the severity of the danger posed by the security flaw and I was able to delete the listing before anyone else purchased the product.  

The reason that I feel that this type of product, done securely, is incredibly powerful is because it extends the capabilities of SL significantly.  Things like anti-griefing, griefing, magic, interactive arts, remote applications, oh just give it a moment and you will think up stuff to do with this tech that I nor anyone else would, it has that much potential IMHO.  You can save notecards to local disk easily.  You can form interactions - conversations - between LSL and AppleScript and therefore any application that runs on Apple Mac computers as well because AppleScript has the ability to control the system's GUI and command line.  You could not just look up those IP addresses, you could automatically or manually select them and probe them for security holes with nmap, then exploit those holes with a payload deploying nmap script, etc. etc. it's not pretty what could be done here.  Yet like any new tech, it's easiest to do destructive things.  Hopefully defensive measures and productive, beneficial tasks will be the product of scripters using the idea.  

Or am I just too stoned and overimagining everything?  :)

Les

 

Link to comment
Share on other sites

Go to https://jira.secondlife.com/secure/Dashboard.jspa and log in, using your SL username and password.

Click "Create Issue" (top right, just under your name).

In the first box, Projects,  in the new window that opens, choose Second Life Security Exploits from the drop down.

Complete the form, giving details as requested, and hit submit.

Link to comment
Share on other sites

What you describe seems to just be an email exchange between a prim and your Mac's email. That doesn't seem to be an SL security problem at all. The AppleScript you plugged into Mail.app is a bit much if it passes along any old shell command as legit, but you're deliberately bypassing your own security with that.

 
Link to comment
Share on other sites
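
The gap named in this thread is that the Mail.app rule treats any incoming command as legitimate, and Les's proposed fix was to add authentication. As an added example (not code from the thread or from the product), here is a Python gate that such a mail rule could call before running anything; the message format, shared key, nonce scheme and allowlist are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Assumed wire format (not from the thread):
#   "<unix_ts>|<nonce>|<command>|<hex HMAC-SHA256 tag>"
ALLOWED = {               # command name -> fixed argv; nothing reaches a shell
    "uptime": ["/usr/bin/uptime"],
    "date": ["/bin/date", "-u"],
}
MAX_SKEW = 120            # seconds during which a message stays acceptable


def sign(key: bytes, ts, nonce: str, command: str) -> str:
    """Sender side: tag computed over timestamp, nonce and command."""
    msg = f"{ts}|{nonce}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CommandGate:
    def __init__(self, key: bytes, clock=time.time):
        self.key, self.clock, self.seen = key, clock, {}

    def check(self, line: str) -> list:
        """Return the argv to run for a valid message; raise ValueError otherwise."""
        try:
            ts_s, nonce, rest = line.strip().split("|", 2)
            command, tag = rest.rsplit("|", 1)
            ts = int(ts_s)
        except ValueError:
            raise ValueError("malformed") from None
        expected = sign(self.key, ts_s, nonce, command)
        # constant-time comparison; bytes so a non-ASCII tag cannot raise TypeError
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            raise ValueError("bad tag")
        now = self.clock()
        if abs(now - ts) > MAX_SKEW:
            raise ValueError("stale")
        # forget nonces that can no longer pass the skew check, then reject repeats
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        if nonce in self.seen:
            raise ValueError("replay")
        self.seen[nonce] = ts
        # even an authenticated sender may only name an allowlisted command
        if command not in ALLOWED:
            raise ValueError("not allowed")
        return list(ALLOWED[command])
```

The returned list is meant to be passed to `subprocess.run(argv)` without `shell=True`, so a signed message can select a fixed command but never supply shell text.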
