According to the SL forums, the Lindens have given their blessing (at least for now) to the libsecondlife project.

In English: People within Linden Lab (the company that owns the massive video game Second Life) are aware of, and are provisionally approving and supporting, an independent effort to reverse engineer the protocol spoken between their client and their servers. There is even talk about a major project underway to move much of the protocol to a more transparent HTTP framework.

To me, this is strong evidence that the folks at Linden Lab are really trying to transition from a plaything to a platform. This could be an incredibly forward-thinking and bold move: By opening up the application to any and all clients, they are inviting innovation into the project from all sides. I believe many SL players are hoping that SL becomes the next NCSA Mosaic (which then spawns the next generation browser wars, this time for 3D and telepresence).

Of course, this will not happen without open and standardized protocols. While there are rumors of a future “roll your own grid” server release, LL will have to figure out how to do this without strangling one of their major sources of income: land use fees. You can bet that as soon as a server is available, cut-rate land farms will immediately spring into existence.

Several technical hurdles must be cleared before players can run their own servers. For example, how do you handle credentials, cash, and permissions in a decentralized manner? Does every “critical” transaction need to phone home to an official LL server? What about bad actor servers? Clever crypto can solve much of this, of course, but it isn’t a trivial problem. With enough eyes, though, these problems can be solved. This is precisely where I would like to see things go: an open platform, with open protocols, and competition consisting of providing server resources, competing currencies and economies, free exchange of arbitrarily large binary data blobs (just like we have on the web), competitive client development, and massive, massive interlinking.

LL can win big if they take the lead in this. Like Netscape in the 90’s big.

I’m intrigued by some of the anti-tinkering rhetoric on the forums. (Granted these are mostly taken from the same person, but they’re almost archetypical and worth looking at…)

What I want to know, is why are individuals allowed to reverse engineer the client and make things like “god mode” when such things are expressly forbidden by the Terms of Service?

(aside: as linked above, the Lindens are specifically granting permission to proceed with libsecondlife, which is unrelated to the “god mode” feature as far as I can tell. Besides, exceptions to a TOS are routinely granted by companies when it’s in their interest…)

Does libsecondlife provide a guarantee that software developed by the project is free from malware/phishing? And what proof is offered for verification?

(aside: libsecondlife is GPL’d: No warranty, full code disclosure.)

Rather than open source the protocol, or the viewer, I’d much rather see viewer authentication. If your viewer is altered, you don’t get access to SL. If you send data not originating from the viewer, it gets rejected. Isn’t this how many online games prevent “client hacks”?

(aside: this is the trusted computing approach, and is considered highly controversial. This should not be needed at all with a strong enough server architecture, much as you can view the web with whatever browser you like, even with code you write yourself. Ask yourself: where would the web be if every website required a Microsoft-approved and verified web browser?)

Wouldn’t it make more sense to keep the number of people who have the information to do so to a minimum? For every coder with good intentions, there’s another one who wants to sell their god mode exploit, or simply use it for griefing.

(aside: this approach is known as security through obscurity, a.k.a. if we criminalize knowledge, then only criminals and the police will have it. But who gets to pick who is on the cops’ team?)

All I want, is the most secure, stable platform possible without giving up security for free development.

(aside: so do I, but I believe security, stability, and free development can only happen at the same time.)

That thread is well worth a read. The arguments on all sides make perfect sense if you can shift your thinking from “SL as a fun game I play” to “SL as one of many platforms for online interaction and publishing”… I hope we are moving towards the latter.

There’s more libsecondlife info available on the wiki dedicated to the reverse engineering effort.


2 Responses to “Reverse engineering and the future metaverse”  

  1. Baba

    Just so you know, the wiki has moved to http://www.libsecondlife.org/protocol/

  2. mtl3p

    uh . . wow! thanks for posting this, rob. I’m really happy to hear this - and that you’re interested in this subject. v. cool.

