Behind the Skiddies Emerald Curtain

An interesting discussion broke out on the concierge chat yesterday with regard to the question of whether or not the emerald viewer is scraping data. Of course, emerald developers will shrilly claim they do no such thing. Considering their track record, I decided to test it out by setting up a port scanner and logging into second life with their viewer.

Here is what I found.

When you launch the emerald viewer, it pings a login page on their site. This page is similar to the lab’s viewer login page that their client uses. In other words, the page that provides various second life snapshots taken by Torley Linden, along with grid stats, message of the day, outage info, and alerts for client updates.

This should be no big deal, right? After all, most 3rd party client developers are going to be interested in reach. Hence, by pinging their server, anyone who uses their viewer registers a hit with google analytics. The problem is, when emerald pings their server, it sends encrypted data. And that is before you even log in. This begs the question. What in the world do they need to send, that they would feel requires encryption? We could start with your computer’s mac addy, I suppose. Then, progress on to sending other data that could make you vulnerable to identity theft. Remember, you haven’t clicked the login button, at this point.

Next, when you click the login button, their viewer sends another batch of encrypted data. It also asks if you would be interested in "opting in" to being tracked for so-called "statistical purposes." Again, fine. Right? After all, if you want to give tracking access to a passel of tweenagers with an historical record of writing malicious viewers, so be it. It would however behoove you to educate yourself on how all second life clients interact with websites. Remember, the code is built upon the mozilla framework.

But, I digress.

The "opt in feature" is clearly nothing more than a smoke screen designed to instill a false sense of security where your privacy is concerned. For, even when you decline their tracking, they continue to send your data to their server. This occurs at various intervals and is as defined by their non-expiring polling cookie. You know, one of several non-expiring cookies deposited on your machine when the emerald viewer pings their site. And by the way, why are they also setting a non-expiring bgpeople cookie? Importantly, why are they serving up javascript files that have not a thing to do with the google analytics (their excuse for sending you to their server in the first place)?

Unfortunately, unlike browsers, where you can opt out of running javascript that originates from sites you may either be unfamiliar with or simply do not trust, there is no such option in any second life viewer. What this means is, accessing web sites in this manner, can result in you unknowingly downloading and executing malicious scripts that can do everything from copying your cut-paste buffer and sending it off to parts unknown, to executing commands that change your web browser behavior, and at worst case, install an easter egg for access at a later date.

This, by the way, is why it is important to use your external web browser as opposed to these built in client browsers when viewing any web-based links that show up in the client’s search results. The second life clients simply do not provide any browser-type security whatsoever. Again, the client code is built upon the mozilla framework. And this means it will interact with web sites as any other web browsers do. That is, minus the security options found in most browsers that are not only default, but that you can fine-tune, yourself. Furthermore, even if you use such precautions as relying upon your external browser, and turning off cookies in the viewer interface, the measures will be meaningless when using the emerald viewer, since it relies upon pinging their site to even run.

Otherwise put, there is far more occurring behind the skiddie’s emerald curtain, than meets the eye.
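
As an added example (not code from this post or from the Emerald project), here is one way to triage request bodies pulled from a packet capture into plaintext, gzip/zlib, base64-wrapped or high-entropy data, which is the distinction the encryption claim above turns on. The function names, thresholds and sample payloads are constructed for illustration, and high entropy alone cannot separate encryption from an unrecognised compression format.

```python
import base64
import binascii
import gzip
import hashlib
import math
import zlib
from collections import Counter

MIN_LEN = 1024   # assumed cut-off: below this a byte-entropy estimate is too noisy
HIGH = 7.5       # assumed threshold, bits per byte; ciphertext sits near 8.0

def entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify(body: bytes, depth: int = 0) -> str:
    """Label one payload; 'high-entropy' means encrypted OR unknown compression."""
    if not body:
        return "empty"
    if body[:2] == b"\x1f\x8b":              # gzip magic bytes
        try:
            gzip.decompress(body)
            return "gzip"
        except (OSError, EOFError, zlib.error):
            pass
    try:
        zlib.decompress(body)                # raw zlib stream (HTTP "deflate")
        return "zlib"
    except zlib.error:
        pass
    if printable_ratio(body) > 0.95:
        compact = b"".join(body.split())     # drop line breaks before decoding
        if depth == 0 and len(compact) >= 16:
            try:                             # printable text may wrap binary data
                inner = base64.b64decode(compact, validate=True)
                return "base64:" + classify(inner, 1)
            except binascii.Error:
                pass
        return "plaintext"
    if len(body) < MIN_LEN:
        return "too-short"
    return "high-entropy" if entropy(body) > HIGH else "binary"

def fake_ciphertext(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 run in counter mode."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample bodies, not captured from any real viewer.
FORM = b"channel=Example&version=0.0.0&lang=en\r\n" * 40
SAMPLES = {"form": FORM, "gzip": gzip.compress(FORM),
           "blob": fake_ciphertext(4096), "b64": base64.b64encode(fake_ciphertext(4096))}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:5s} {len(body):5d} bytes -> {classify(body)}")
```

A short alphanumeric body can also decode as base64, so treat a `base64:` label on small payloads as a prompt to look at the bytes rather than a finding.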

27 Comments

  1. Luna Cartier   |  Monday, 14 December 2009 at 11:46

    Angela,
    Thank you for posting this information. I have been one of those people who has used the Emerald client, noting that it has some cool features that I wish the Linden viewer would offer. I also read the Concierge discussion on Sunday, after which I felt uneasy about the type of folks behind the viewer, given the types of evasive and caustic responses to Prokofy Neva's relevant questions. Your uncovering of more questionable activities going on behind the scenes makes it more clear that people should take a long look at what exactly they are allowing to happen with their Second Life account information by ANY third party. (Many of us consider their avatar as real as life, no? 🙂 ).
    It was encouraging to hear that folks like Cyn Linden are voicing concerns about these issues and I hope Linden Labs will take a firm stance and really put some safeguards in place to protect our virtual world and its information. Thank you Angela (and you too, Prokofy!) for working to keep this issue on the front burner.
    Regards,
    Luna Cartier

  2. Angela   |  Monday, 14 December 2009 at 19:53

    Seems like they do not plan to take a firm stance.

    For example, from the November 9th brown bag meeting their attorney, Marty Linden, explicitly made this statement with regard to exporting things you did not create (emphasis added, mine).

    Marty: That would be in the establishment of the guidelines. What we have said in the past is that you can’t export things you aren’t the creator of or use functionality in one of these viewers or elsewhere to do an end run around the permissions system. You can bet that will be in the guidelines.

    Yet, in Saturday’s concierge chat, Skills Hak stated:

    Skills Hak: angela, they said our export is ok as it is but they would be happier if we added another permission check for creator bit (which is easy to bypass sadly, that’s why we didn’t add it in the first place)

  3. Rene Erlanger   |  Monday, 14 December 2009 at 12:28

    Nice commentary Angela 🙂
    .
    What set alarm bells for me regarding the Emerald Viewer was the rumour (or maybe a fact) that the developer of the Cryo Life Viewer had joined the Emerald Dev team. In which case, maybe Prok's accusations have legs!

  4. Angela   |  Monday, 14 December 2009 at 19:40

    Fractured Crystal
    Previously: Jcool410, perma-banned
    Malicious Viewer: Vlife (closed source predecessor to emerald, sold for USD$250)

    Lonely Bluebird
    Previously: phox, perma-banned
    Malicious Viewer: phox sl

    Luminous Luminos
    Previously: Cryogenic, perma-banned
    Malicious Viewer: cryolife

    Btw, word on the street has it that one of SL’s most prolific sexual harassers plans to join the emerald team. No big surprise there. Esp, considering his appalling track record. He should fit right in.

  5. Parx   |  Tuesday, 09 February 2010 at 04:38

    You can back this sexual harasser claim up with a name or some basic facts beyond your word on the street?

    I don't want to alarm you Angela, especially when you're so busy pursuing your anti emerald crusade, but a company the size of Linden Lab almost certainly has staff previously convicted of RL crimes. Perhaps even several.

    OMG I THINK THEY COULD BE PUTTING HIDDEN CODE IN THE LL VIEWER AS WELL TO STEAL MY MONEY, USE MY POSEBALLS, DELETE MY FRIENDS, READ MY THOUGHTS, TRACE MY ADDRESS, SEE MY AVATAR NAKED AND! AND! AND!

  6. Angela   |  Tuesday, 09 February 2010 at 05:40

    Parx wrote in part: "You can back this sexual harasser claim up with a name or some basic facts beyond your word on the street?"

    You bet. But I won't be doing so on this little blog in the inet backwaters. The people who need to know, do.

  7. Parx_   |  Tuesday, 09 February 2010 at 11:15

    Ahh how convenient. There's a distinct pattern emerging around your mudslinging Angela.

    The worst part is, even on the off chance there was truth to this claim, considering the dodgy source and your avoidance of facts at all costs, it's likely to be blown off as more of your baseless bullshit. I reckon the emerald developers are secretly smiling that their most rabid opponents can't go 5 minutes without saying something retarded and making fools of themselves.

    Btw, if you weren't so obviously impaired, your blog might be more than a stagnant backwater.

  8. Thoria   |  Monday, 14 December 2009 at 12:50

    Of course, you could take the trouble to look through their source before making insinuations.

  9. Angela   |  Monday, 14 December 2009 at 19:41

    Of course, I've read their source code. Please.

  10. Smiley Barry   |  Tuesday, 15 December 2009 at 04:25

    I'm not using a sarcastic tone or anything, really. Just asking a question.

    But, if you read their source code, you would know how to decrypt the info sent to their servers and, more importantly, what it sent, right? If so, why didn't you say what the content is instead of asking rhetorical questions?

    Also, I'm not going to use Emerald anymore and start using Imprudence. At least I know the developers of that viewer and that it's safe, heh.

  11. Balp   |  Tuesday, 15 December 2009 at 07:36

    Understanding what the viewer does is probably not in the interest of this writer; spreading fear has, however, always been her agenda.

  12. Balp   |  Tuesday, 15 December 2009 at 21:40

    What in the traffic is encrypted? I never found any encrypted data ever in any of my tcpdumps. Care to enlighten us?

  13. Angela   |  Wednesday, 16 December 2009 at 09:54

    The traffic originating from the client to their server. Everything originating from their server to the client is coming in as either compressed format (for graphics) or plaintext.

  14. Balp   |  Tuesday, 22 December 2009 at 09:53

    I have dumps and analyzed all traffic, all requests end in http, and then the downloads accept gzip as compression for the http download. I can't find a single encrypted download. Even trying I can't see anything of what you say in there. Can you please point me towards it? From the client I only see uncompressed http requests.

  15. ArminasX   |  Tuesday, 15 December 2009 at 06:25

    […] shares Behind Emerald's Curtain? http://ping.fm/uMcrI Scary! […]

  16. @mohax   |  Friday, 01 January 2010 at 19:36

    Look, I share your concern about the background of the Emerald team, however, I'd prefer to actually see the decrypted encrypted data to know what it is sending before making published conclusions. Anyone have any? To those saying, 'check the source' we need to remember that probably less than 0.01% of those using Emerald actually compile from source. It is trivial to patch malicious code into an otherwise safe, open code base before building the binary versions. The true test would be some packet captures and decryption using the methods available for review in the source to determine the actual content being passed from the standard Emerald binary. And no, I'm not volunteering. That is massively unfun work, doable, but unfun. I would think Linden Labs capable and motivated to do such a test considering every third person I meet in Second Life is now running Emerald.

  17. Dusan Writer   |  Friday, 01 January 2010 at 18:35

    […] Virtuality Hacks on Encrypted data sent from the Emerald viewer in Second Life http://ow.ly/RHJx […]

  18. Skate Foss   |  Friday, 01 January 2010 at 19:21

    […] RT @Dusanwriter: Virtuality Hacks on Encrypted data sent from the Emerald viewer http://ow.ly/RHJx -As an Emerald user, very eye opening! […]

  19. Dusty Artaud   |  Friday, 01 January 2010 at 20:49

    […] RT @Dusanwriter Virtuality Hacks on Encrypted data sent from the Emerald viewer in Second Life http://ow.ly/RHJx (via @listimonkey) […]

  20. blkstarbrand   |  Saturday, 02 January 2010 at 01:06

    […] RT @Dusanwriter: Virtuality Hacks on Encrypted data sent from the Emerald viewer in Second Life http://ow.ly/RHJx […]

  21. Darling Brody   |  Sunday, 24 January 2010 at 11:51

    Prokofy Neva was spamming concierge group with this URL today.
    So I read this article. And I read the much more interesting original Concierge chat log.

    What I found in that chat log was Prokofy being paranoid about people having his avatar's UUID. Note that SL will not function unless both scripts and viewers can get hold of an avatar's UUID. But Prokofy was hysterical anyway.

    Prokofy clearly has no programmer background, while I do, so I found the whole fear of someone having your key to be silly. It's like being afraid the post office knows your address!

    Continued….

  22. Darling Brody   |  Sunday, 24 January 2010 at 11:51

    Continued….

    I also read this article and was worried about the lack of technical data provided. There are no data logs to show this encrypted data, and no source code presented as the source of the data.

    I decided to go digging and was unable to reproduce the so called mystery data, and was unable to locate any code transmitting something that it shouldn't.

    I suspect the author of this article got carried away with Prokofy Neva's paranoia and saw something that wasn't there. Perhaps data from a movie they were downloading, or part of a MS update.

    I'm not associated with emerald, and I don't use it. But I just had to poke around after Prokofy Neva was so amazingly rude today in the Concierge group.

    I won't be back to this forum, so if you want to reply to me, do so inworld.

    Darling Brody

  23. Baeric Constantine   |  Sunday, 07 February 2010 at 04:48

    Where is the evidence to support the claims? Factual verifiable evidence for those not able to program? If it cannot be provided then the claims are baseless, whether true or not. It's like knowing a person is guilty, but without evidence it's pointless.

    Furthermore, how do we know that Imprudence is any different? We don't! For the same reasons as above.

    Similarly, what credibility do you have? I do not know you from Adam… taking your word over that of another is like trusting a person sending me an email asking for my personal data when I don't know who it is from… Thus, should another forum pop up offering similar information about Imprudence… how would we as non-programmers know what to accept? Simply, we don't.

    Thus until evidence can be given it is fearmongering.

    If Imprudence cannot offer the same tools as Emerald, and more, then there is simply no point to change. Emerald works quicker and smoother for me than most viewers I have tried… and so far I have seen various complaints about 3rd party viewers.

    Baeric

  24. Angela   |  Tuesday, 09 February 2010 at 05:52

    The people working on the Imprudence viewer do not have a track record for writing and distributing malicious viewers. You know, the kind that had keyloggers, etc? Furthermore, imprudence devs respect creator rights by only allowing export of objects created by the person running the viewer. A concept that seems to be quite beyond the emerald folk's grasp. And finally, having spoken extensively with one of the scriddies (who happens to own the emerald site, btw) and listening to him bragging about how he could not only crash sims, but actually hijack them? Told me pretty much all I needed to know. Or otherwise put. SOS under a different moniker. *shrugs*

  25. Parx   |  Tuesday, 09 February 2010 at 03:54

    If readers get down this far without beginning to paint a picture of this dubious blog author and his/her strange motivations, better read this thread in conjunction with that work of fiction up above.

    https://blogs.secondlife.com/message/81348#81348

    Looks like he/she didn't even bother to create some BOGUS data to support these pathetic fictional claims. Prokofy sock puppet perhaps?

  26. Angela   |  Tuesday, 09 February 2010 at 05:42

    Of course I'm not going to create "BOGUS data" silly. Nor would I post my results bc I already knew that is the exact type stupidity that someone would pull out of their nether regions. And besides, as I stated on the forum, there are a ton of port sniffers avail (even free ones), so ppl can see for themselves. *shrugs*

  27. Parx_   |  Tuesday, 09 February 2010 at 11:05

    What a crazy illogical statement. You're happy to write a blog article, but refuse to reveal the supporting evidence you found, "bc I already knew that is the exact type of stupidity that someone would pull out of their nether regions."

    I mean you don't even make sense. Try to cook up a better quality of bullshit before posting – this is just insulting.

    In the same manner as your weird sexual harasser comments above, you don't feel the need to back any claim up with a scrap of evidence, and will not discuss the nature of the "encrypted data" you claim to have found, much less post it. Aren't you curious as to what your "encrypted data" might contain? Maybe somebody here could open it up and reveal the personal information info hidden within by the evil Emerald consortium.

    Oh wait, that would be the logical thing any normal person would do, but not for you and your aluminum foil hat.
    .
    You say people should go do their own checks, well those that have (see above) found nothing. Are they also on the Emerald payroll secretly conspiring against you?

    Even the casual observer can see you're an imposter Angela, and not even a good one at that.
