On the blog for the extremely popular Emerald Second Life viewer, in a post entitled "Shennanigans" [sic], the anonymous developers deny allegations (such as those made on the SL Universe forum) that they were recently involved in a DDoS attack on a rival developer. What actually happened, they explain, was "a silly idea":
This idea was to target a blog owned by a creator of a malicious viewer, and boast of the traffic Emerald has captured. The method for doing this was to add links to the Emerald log in page linked to said blog. Each time anyone logged in, our page loaded up and also the other page loaded up – simply to show off our volume of traffic... This was a poor attempt at boasting that failed miserably. Once we discovered this, these links were deleted and the dev concerned was disciplined.
More here, with apologies to Emerald users, and promises that this won't happen again. However, I tend to think we'll be hearing more about this soon. Especially since the third party Emerald viewer is used by 1 in 3 daily Second Life users.
The source of the apparent DDoS was a series of 31 iFrame tags found at the bottom of the HTML document.
(Resisting urge to say Emerald Dev was framed.)
Posted by: Adeon Writer | Friday, August 20, 2010 at 04:38 PM
You could put some more in it, Hamlet. What do you think about it? Do you support such an act? Does their apology even make sense? Dive a little deeper.
Posted by: Frans Charming | Friday, August 20, 2010 at 04:39 PM
That really is a terrible attempt at justification; it doesn't make any sense at all. Multiple hidden iframes to assorted content on someone else's site is "boasting"?
Posted by: Ordinal Malaprop | Friday, August 20, 2010 at 04:40 PM
Frans, I think it's worth blogging about, so here it is. I also think it's the weekend now and I'd like a fucking martini.
Posted by: Hamlet Au | Friday, August 20, 2010 at 04:48 PM
This does, indeed, make no sense whatsoever.
Why would you "boast" by invisibly including 24 links? I mean, really?
Their apology, regardless of its truth, does not make sense. Furthermore, claiming to have included "the other page" is somewhat misleading; including "the other page" twelve times, as well as twelve images, would be more accurate.
At some point you have to draw a line. This would be a good one.
Posted by: Katharine Berry | Friday, August 20, 2010 at 04:49 PM
The allegations are pretty watertight if you go and look at the source on the code of the login page they give you on SLU, you clearly see 24 iframes linked to the site in question.
http://webcache.googleusercontent.com/search?q=cache:jD_B973EpVUJ:modularsystems.sl/app/login/+http://modularsystems.sl/app/login/&hl=en&strip=0
I am an Emerald user (although "I was" is probably more of an effective term now). I love the client and the interface, but I can't be party to DDoS'ing. It's illegal in the UK; being a party to it can mean a jail term of up to 10 years.
This act is also in direct contravention of the TPV policy - where? The bit where it says you cannot use the viewer for griefing or any other type of net attack.
It's beyond silly shenanigans. It's illegal behaviour and implicates every single user of Emerald.
Posted by: Toxic Menges | Friday, August 20, 2010 at 04:49 PM
Oh, apologies, it was 32 iframes, not 24 iframes.
Posted by: Katharine Berry | Friday, August 20, 2010 at 04:51 PM
Oh, for anyone interested and also lazy, here is a quick link to a DOM view of the archived page
Posted by: Ordinal Malaprop | Friday, August 20, 2010 at 04:51 PM
YouTube user TOBSDA has posted a video related to these events; due to mild language I won't link to it here.
Posted by: Adeon Writer | Friday, August 20, 2010 at 04:52 PM
I liked the Emerald viewer. But it's off my computer now, never to be put back on.
I want no part of this, prank, DDOS, boasting, whatever you want to call it, manipulating your user base to harm a third party is immoral at best, illegal at worst.
Posted by: Velvet Bikcin | Friday, August 20, 2010 at 05:37 PM
+1 vote for Imprudence. Similar feature set, far less drama.
Posted by: Lum Lumley | Friday, August 20, 2010 at 06:06 PM
Hear, hear, Hamlet! Enjoy your martini.
Posted by: Loraan Fierrens | Friday, August 20, 2010 at 06:27 PM
Hamlet says: "... I think it's worth blogging about, so here it is. I also think it's the weekend now and I'd like a fucking martini."
Fucking solid, man. Pour one for me too, my friend.
The only thing that really matters is how all of Emerald's customers feel about these events. The customer is king, and it is the king who ultimately decides the fate of a kingdom.
Posted by: John "Pathfinder" Lester | Friday, August 20, 2010 at 06:30 PM
I'm trying to wrap my brain around all the former Lindens joining that team while certain others quit.
It is quite interesting.
Posted by: Ann Otoole InSL | Friday, August 20, 2010 at 07:31 PM
Emerald gives me the willies - I don't use it for just this sort of reason.
Posted by: Valentina Kendal | Friday, August 20, 2010 at 08:19 PM
I <3 Cool VL Viewer. No nonsense, just a solid viewer with a few cherry-picked enhancements (rather than entire Walmart warehouse full of kitchen sinks).
Posted by: Galatea Gynoid | Friday, August 20, 2010 at 09:59 PM
Bah, I really, really liked the Emerald viewer. Even more so when LL rolled out the 2.x viewers.
But this is immoral unprofessional bullshit that a 5 year old child would know is wrong.
If LL is going to drive off other TPV developers with their very strict policies and requirements then they have NO CHOICE but to ban the Emerald viewer in light of this illegal act.
I am quite pissed off to think that I was used in this way, and will not ever knowingly do business with the individuals purportedly running Modular Systems again.
Posted by: Fogwoman Gray | Friday, August 20, 2010 at 10:51 PM
This has hit my tolerance limit too. I liked Emerald as a viewer very much, and I ignored the various reports of drama and shadiness regarding its developers because I figured its open-source nature would prevent any significant fallout from affecting it. But now I've seen two significant holes in that transparency - a closed-source DLL and a web page that gets loaded dynamically. And I've now seen that the Emerald devs aren't above using those holes to pull some stupid and dirty crap.
Fortunately, my favorite other viewer Imprudence is on the TPV list again and the latest version now has most of the features of Emerald that I'd left it for. More, in fact - Imprudence supports Alphas whereas Emerald doesn't. And it's been developing in conjunction with OpenSim, so it's got neat new features that _no_ Linden Grid viewer has. Finally, someone has implemented the ability for regions to change visitors' Windlight settings!
Ah, competition. It drives everyone to do better.
Posted by: Nica Pennell | Friday, August 20, 2010 at 11:58 PM
...Hitler = Bad
...Emerald = Bad
...Mozzarella triangles at the Olive Garden = Good
Posted by: Little Lost Linden | Saturday, August 21, 2010 at 12:12 AM
If this is a case of some immature jerk working at Emerald who buried some code --- which was quickly found and rectified -- then perhaps the move to implicate the management of modular systems is a bit hasty. I do not know.
Also, I would not worry about being implicated in a DOS attack if it is unintentional. This means that everyone infected by a Trojan or other malware used in a similar manner by a remote device can also be implicated. It is not going to happen.
Emerald has helped me as a photographer, being the first to add all these cool new settings. But the nature of the beast is such that perhaps a bit tighter control is necessary on the source code in the future.
Posted by: eddi haskell | Saturday, August 21, 2010 at 12:26 AM
Modular Systems has gone from "a developer" to "Fractured Crystal". Though given their wording ("a plan was hatched"), it seems that they were quite clear on what was going on.
In any event, if it was an "immature jerk who buried some code" and everyone else managed to be completely ignorant of it, I would note it to be the immature jerk who runs the project.
Posted by: Katharine Berry | Saturday, August 21, 2010 at 03:16 AM
There have never been so many scandals about Emerald as since LL failed to impose the viewer 2.0. Strange, isn't it?
Posted by: Nini | Saturday, August 21, 2010 at 05:31 AM
What do people expect? These third party viewers don't make money, they are just for fun projects sadly, sadly I don't know why Qarl Linden joined this "for fun" project but how on earth Emerald makes money or how they are commissioned is beyond me. I've seen enough BS from them to stay clear of using their viewer. One day a "for fun" developer from Emerald will log in to everyone's account send their Linden to themselves and withdraw and fly to Mexico.
Posted by: Metacam Oh | Saturday, August 21, 2010 at 07:27 AM
More than 24 files. The Google Cache copy appears to no longer be available (probably someone from Emerald requested it to be removed) but the full list is: http://pastebin.ca/1921405
There are 20 requests there just for one dynamically-generated page on the victim site, almost certainly with the intention of generating excessive server CPU usage and bringing the site down that way. Then there's another 12 images totaling about 1 megabyte. The person who was targeted spoke up, and apparently this adds up to about 800 GB of data transferred over the week for which he still has records. That would've cost about $1600 for just that one week if he didn't have "unlimited" transfer on his hosting plan. Remember that this ran for a fortnight, and would probably have continued for longer if the issue hadn't become public.
Posted by: Mako Mabellon | Saturday, August 21, 2010 at 07:53 AM
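An added example, not part of the original post or its comments: a small Python audit that a reviewer could run over any page a client loads automatically (such as a viewer login page) to list third-party hosts that receive hidden or repeated embedded requests, the pattern the comments above describe. The domains, the sample HTML and the `max_per_host` threshold are constructed for illustration, and treating any different hostname as third-party is a simplifying assumption.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute the browser fetches automatically on page load.
AUTO_FETCH = {"iframe": "src", "frame": "src", "img": "src",
              "script": "src", "embed": "src"}


def is_hidden(attrs):
    """True if the element is styled or sized so the user never sees it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "hidden" in attrs or "display:none" in style or "visibility:hidden" in style:
        return True
    tiny = {"0", "1", "0px", "1px"}
    return attrs.get("width") in tiny or attrs.get("height") in tiny


class EmbedAudit(HTMLParser):
    """Collects every auto-fetched URL that points at a host other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.by_host = defaultdict(list)  # host -> [(tag, absolute_url, hidden)]

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        src = attrs.get(attr)
        if not src:
            return
        url = urljoin(self.page_url, src)      # resolve relative URLs
        host = urlsplit(url).hostname          # None for data:, javascript:, etc.
        if host and host != self.page_host:
            self.by_host[host].append((tag, url, is_hidden(attrs)))


def audit(html, page_url, max_per_host=3):
    """Return one finding per third-party host with hidden or excessive embeds."""
    parser = EmbedAudit(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for host, hits in sorted(parser.by_host.items()):
        hidden = sum(1 for _, _, h in hits if h)
        if hidden or len(hits) > max_per_host:
            findings.append({"host": host, "requests": len(hits), "hidden": hidden,
                             "distinct_urls": len({u for _, u, _ in hits})})
    return findings


# Constructed sample: a login page with one ordinary third-party script and
# several invisible embeds that all point at the same unrelated site.
SAMPLE_PAGE_URL = "https://viewer.example/app/login/"
SAMPLE_HTML = """<html><body>
<img src="/img/logo.png" width="200" height="60">
<script src="https://cdn.example.net/lib.js"></script>
<form action="/app/login/" method="post"><input name="user"></form>
<iframe src="http://blog.example.org/?p=1" width="0" height="0"></iframe>
<iframe src="http://blog.example.org/?p=1" width="0" height="0"></iframe>
<iframe src="http://blog.example.org/?p=2" width="0" height="0"></iframe>
<iframe src="http://blog.example.org/?p=2" width="0" height="0"></iframe>
<img src="http://blog.example.org/photo.jpg" style="display: none">
<img src="http://blog.example.org/photo.jpg" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(finding)
```

A high `requests` count against a low `distinct_urls` count for one host is the signal worth reviewing: ordinary third-party includes rarely fetch the same URL several times, and rarely do so invisibly.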
I've had enough of Emerald too, it's a good viewer but some of the people behind it are just too damn dodgy and this just goes to show what they are willing to do. Imprudence for me too now.
Posted by: Talwyn Mills | Saturday, August 21, 2010 at 08:01 AM
@Metacam well the code is open source so if you're worried look through it and examine it for yourself. Hell for that matter compile it yourself.
http://code.google.com/p/emeraldviewer/source/checkout
Posted by: shamus | Saturday, August 21, 2010 at 08:02 AM
Yay... another PRIVACY issue in Emerald.
As a part of this attack, they provided the IP addresses of their users during this time period to a third party. Think of this... to do the attack, the user would have had to connect to the 3rd party site (which they would not have gone to normally), which likely logged the IP address as a part of the website logging.
Are you guys still using Emerald? WHY? I think they have shown they are not mature, not professional, and are flagrant with your private data.
It's a shame. But a few rotten apples always ruin it for the rest.
The team should kick out the team member responsible, to show they are willing to regain the trust of their user community.
Posted by: Steel Halasy | Saturday, August 21, 2010 at 08:04 AM
That "excuse" for what happened is the lamest thing I have heard in a long time. The pastebin source linked to in Mako's post makes it very clear nobody was "boasting" about anything.
Traffic fraud doesn't include the same page repeatedly because the goal is to get as many unique IP/URL combinations as possible. Instead, the targets are high CPU and high bandwidth, the exact *opposite* of what a traffic fraudster "boasting" about traffic would do.
These guys are bad mojo. Either they are rotten to the top or they aren't managing their minions, but either way they keep creating "incidents".
One such "oops" I could understand, but the string of them simply shows they are incapable or unwilling to act ethically.
Posted by: John Lopez | Saturday, August 21, 2010 at 10:37 AM
I've been telling my friends for a while now about various security issues and rumors that seem to dwell in the Emerald sphere. Only now are many dumping the Viewer. I like the official v2 viewer but when I go 3rd party is it with Imprudence or with Kirstens. Recent posts about all three viewers are on my blog for the bored or the mildly curious (just click my name below).
Posted by: Uccello | Saturday, August 21, 2010 at 10:42 AM
@shamus You are correct: anyone may inspect the Emerald code, but unfortunately not all of us have the expertise to do so. I wouldn't know where to begin looking for "bad" stuff, however I have used Emerald in the past assuming (hoping?) that other people with the necessary skills would be keeping an eye out for malicious code. Moreover, I assumed (hoped?) that the Emerald devs would police themselves. After all, as you pointed out, anyone can inspect and build this thing themselves; why would the Emerald devs risk getting found out?
Sadly, my faith in this team has been degraded in light of recent events -- one event alleges that an Emerald dev left the group when he TRIED to police the code and was not able to do so.
Realizing that anytime I install a compiled binary I am taking a risk, I have to evaluate that risk using what I have heard and to balance that against the product's utility. I certainly can't prove that it contains malicious code (anymore "we promise!") but instead have to rely on what has been reported by people who DO know how to inspect its behavior. I suspect the majority of Emerald users are in this same boat.
Posted by: Whatcha Eaton | Saturday, August 21, 2010 at 12:31 PM
Yeah, me, too! I'm really angry at Emerald!
What did they do?
(I'm serious. I'm not a computer geek, just an SL "resident." Can someone explain this in English, please?)
Oh, Kirstens S20 is my viewer of choice. :o)
Posted by: Morgan Kochel | Saturday, August 21, 2010 at 12:47 PM
What a shame. I really really REALLY enjoyed their product. But I can't even see in a best-case scenario how that which Modular Systems has admitted to is a good thing. Uninstalling now. Damn it.
Posted by: Mistletoe | Saturday, August 21, 2010 at 01:15 PM
@Morgan Kochel's "What did they do?"
Someone configured it so when the Emerald viewer is launched many requests were made to another website. These requests would be created from the user of Emerald's computer, creating what is known as a DDOS, or "Distributed Denial of Service Attack".
The "Distributed" part because they were using the viewer users' computers to process the requests. (All of the Emerald viewer users would be generating these requests).
The "Denial of Service" part because those requests were designed to increase the hosting costs for the targeted website and even cause it to go offline (once the user's paid for allowances were exceeded or the volume simply overwhelmed the server).
From reports, they burned over a thousand dollars worth of bandwidth before being detected.
Their excuse doesn't hold water either, as I mentioned earlier.
Posted by: John Lopez | Saturday, August 21, 2010 at 01:20 PM
John: to be precise, they would've burned through $1000 or so of bandwidth if it wasn't for the fact that their victim website was hosted on a provider with an unusually high (nominally "unlimited", in fact) amount of inclusive transfer. The more damaging part of the attack in this case was actually the CPU consumption one.
Posted by: Mako Mabellon | Saturday, August 21, 2010 at 02:04 PM
the bad thing about it, it's the project leader, fractured, who did all the bad things to his/her own project. she/he rent/run/own the servers and domains and (if it exist anyway) the company. that is a total abuse of the peoples trust, it is bad for lindenlab, it is bad for the users, it is bad for the free/open source approach in general. go away with your emerald client, i like to see you 2 regions far from me.
Posted by: OtherGuy | Saturday, August 21, 2010 at 11:10 PM
The developers of Emerald are banking on the majority of its users' ignorance to continue what they are doing.
Ask the average Emerald user what they think of recent events and you get something like : "Huh? What? Emerald is cool. STFU!"
I personally would love to see Emerald scrubbed from the TPV directory, its devs banned from SL. I do not feel that would be too harsh a reaction in light of what has happened.
Anyone who defends them at this juncture is just being stupid and is highly misinformed on the matters at hand.
Posted by: SoyaKnow | Saturday, August 21, 2010 at 11:44 PM
I forgot to add this in the first post..but if LL acknowledges these goings on, at what point do they become legally liable for continuing to allow Emerald to access SL? I mean, Emerald has been essentially used as a botnet-it is malware.
Surely they care enough about their users to not allow something like this? Or do they...
Posted by: SoyaKnow | Sunday, August 22, 2010 at 12:00 AM
Like many respondents to this article, I was a user of Emerald for a while. This is about the fourth scandal by my reckoning this year in regards to Emerald and the Modular Systems crew.
I moved away from using Emerald in January and their recent behaviors and scandals cement my intention to stay away. The over-the-top immaturity and hubris of its developers is reaching almost epic levels and frankly big daddy Linden will eventually have to intervene and probably pull a hugely unpopular move by banning the viewer. The other option is to do something even more unpopular by ignoring the antics of these now self-admitted unrepentant cyber-criminals. Time for the gene pool to be cleaned of these scum-bags.
Posted by: II Singh | Sunday, August 22, 2010 at 12:25 AM
Imprudence has temp uploads, client side AO and even support for alpha and tattoo layers, so I'm really finding it hard to think of a reason to stick with Emerald now it's probable spyware and proven malware (using traffic from users to attack a rival website? There's no other word for that than malware).
If we want the Emerald team to take these concerns seriously, the best approach seems to be voting with our feet.
Posted by: Nat Merit | Sunday, August 22, 2010 at 06:42 AM
This is pretty pathetic, I hope you don't support any of this. There is no way to deny what has happened.
Posted by: Disappointed | Sunday, August 22, 2010 at 07:14 AM
I used Emerald all the time until this. I hope to use it again, but that's not going to happen until I get a real explanation. So far there's been three security screw-ups at Modular. 1. Secretly creating an IP-SL name database, 2. the pathname broadcast exploit, and 3. this dumb scheme. In my view the most serious is once the secret code was pointed out to them they simply morphed it to an encrypted form yet let it remain. LGG quitting turned on all kinds of warning bells. A viewer has a lot of access while running on a resident's PC. Modular and Emerald should know by now that they have an unspoken trust relationship with their user. A trust that is now breached. When and How are they going to establish trust once again? Ignoring it only gets people angry.
Posted by: argo nurmi | Sunday, August 22, 2010 at 07:17 AM
For all those who still don't believe: this appeared for like 5 minutes on the Modular Systems blog and was yanked. I found it via Google cache..will put up screen shots too in case the cached page disappears. Shady shady.
http://webcache.googleusercontent.com/search?hl=en&q=cache%3Ahttp%3A%2F%2Fblog.modularsystems.sl%2F2010%2F08%2F22%2Femerald-off-with-his-head%2F&btnG=Search
Posted by: SoyaKnow | Sunday, August 22, 2010 at 08:09 AM
Hamlet, this really deserves a more in-depth look - as you can see a lot has happened over the weekend, and you are the biggest blog on SL goings on. I really hope you do an updated version of this post to take into account all that has happened so the casual reader who doesn't have time to go look at everything that has happened can see and make up their own mind.
Thanks from the whole of the SL population.
Posted by: Toxic Menges | Sunday, August 22, 2010 at 09:07 AM
And the post is back up at the blog. I don't know why it was pulled to begin with.
I agree with Toxic, please do more in-depth on this!!!
http://blog.modularsystems.sl/2010/08/22/emerald-off-with-his-head/
Posted by: SoyaKnow | Sunday, August 22, 2010 at 09:17 AM
Emerald has been withdrawn from the TPV directory, Fractured resigns - the whole saga is a mess - we need Hamlet to tell us the inside view.
Posted by: Hitomi Tiponi | Sunday, August 22, 2010 at 01:26 PM
I think that this time you have been too candid, Hamlet. Modular Systems have fired people before because of way less harmful things, like exhibiting a funny message of the day (but which Emerald users failed to capture the humour in it). Launching a carefully orchestrated DDoS attack on a site created by a "rival" cracker who is known to release an illegal viewer, just because he made some snarky comments about Emerald, is not to be taken so lightly.
Emerald has always been under an "arms race" against former developers, or developers who branched their code and released their own Emerald spin-offs, but included illegal features (if not actually illegal, at least, not compliant under the LL ToS). A lot of effort has been made to detect those spin-off viewers, intercept them, and eliminate their users. As more and more people use Emerald, the rate of success of keeping those spin-offs off the grid has increased dramatically. On the other side of the "code war", the illegitimate viewer developers, having full access to Emerald's code, are always looking for ways to elude Emerald's hunt-and-kill strategies.
What are those strategies? Usually they flood a user with a blacklisted viewer with special requests until the user drops the connection, or the sim crashes, or both. Over time, these strategies have become more evolved and more efficient; although LL might have worked against that "arms race" by introducing some security patches which would render those strategies ineffective. Which would require that the Emerald developers invent new strategies to attack the spin-off viewer, which in turn would develop better defences, and so on... a LOT of the code in Emerald is just to deal with this.
Hitting the source — crushing websites where those spin-off viewers can be downloaded from — is just another strategy. It might have failed, and the problem is that it was so visible, but I'm sure they'll think of something else. After all, with 20,000-30,000 users regularly using Emerald at all times of the day, it's very tempting to have all these users send DDoS requests every second or so to an external website. Most likely none of the Emerald users would be seriously affected by that; they might not even notice. But hitting a website with 20,000-30,000 hits per second, especially if it's not well protected to deal with such an intense load, should bring most of them down, one way or the other. Even a site hosted on a service with unlimited bandwidth would attract the attention of the system administrators, as they see their incoming network traffic be clogged with such attacks, and might remove the offending site well before it crashes all the network (thus accomplishing the intended purpose anyway).
It's not exactly "nice", and just shrugging it off "as a joke" is really not enough.
Well, Fractured Crystal resigned, and so did Arabella. I wonder how long Qarl ex-Linden will remain with them. Unless he's going to take charge of Modular Systems, kick all the crackers out, keep the few remaining legitimate developers, and turn Emerald into the best viewer ever without any more nasty side-effects.
I find that highly unlikely.
But I also find it curious that all this has happened so recently, and, as some noted, seems to time perfectly with LL's launch of the SL 2.0 viewer, which continues to lose residents to Emerald, which has so much more functionality and a cleaner interface...
Posted by: Gwyneth Llewelyn | Tuesday, August 24, 2010 at 03:44 AM
Slight mistake on my part: Arabella didn't resign.
Posted by: Gwyneth Llewelyn | Tuesday, August 24, 2010 at 03:49 AM
Wow, 1 megabyte of data generating 800 GB of traffic would be 800,000 logins over the week. Give or take a few. Supposing a "worst case" where the real size of the page was 2 MB, we get 400,000 logins, over a week. That is between 57,000 to 114,000 logins a day.
Emerald popularity is pretty impressive.
I guess this explains LL's patience with it
Posted by: Renmiri | Wednesday, August 25, 2010 at 09:41 PM