Is Metaverse Neutrality Dead at Linden Lab?
Linden Lab, makers of the virtual world of Second Life, have been having a hell of a time over the last several weeks defending against the metaversal version of denial-of-service attacks: When users add objects to the Grid that are able to replicate themselves, dividing and redividing exponentially, LL’s servers are soon choked by the processing power required to maintain all these objects, and the world grinds to a halt. Now, Linden Lab is contemplating a solution that would create a privileged class of users with access to the full range of SL scripting and object-creation abilities on the Grid, with everyone else limited as to the functions available or the locations in which their scripts and objects will work. I’d suggest that a solution like this will kill Second Life rather quickly, or at least prevent it from becoming what CEO Philip Rosedale and SL’s most optimistic boosters believe it can become: a kind of 3D extension and next generation of the World Wide Web.
The thing that makes the Web work is that anyone can create content there. In addition, everyone can create the same range of content. This is what has given rise to the most fascinating and revolutionary content out there, to the mashups, the new forms of media, many of the games. Had content-creation on the Web been limited to a privileged class of users, we would not have half the things we take for granted on the Web today.
The same is true for Second Life. If Linden Lab wants its world to thrive and be useful to the largest number of people, it will have to find a solution that’s more metaversally neutral than creating a class of “trusted” users. I’d submit, however, that this is not much more difficult than the solution LL is contemplating.
When self-replicating objects first hit the Grid, LL’s move was to code limitations into the function that passed things from one object to another (e.g., a self-replication script), allowing them to do so only on land owned by the owner of the object. But that proved far too restrictive to allow SL to go on the way it had; people were already renting space from each other, leaving their vendor kiosks on each other’s land, bringing other useful objects to each other’s virtual McMansions that needed to use the hamstrung function. LL soon had to roll back the change.
Now, LL is considering another such restriction, only it’s one that will apply to only a limited number of people. (No word yet on how one qualifies as “trusted.”) But if Second Life is to thrive, LL will have to find a solution that treats all users equally. Again, it’s instructive to look at the Web, although things are different in Second Life because of the “presence” that avatars have when they visit someone else’s plot of land.
Every scripted object that an avatar carries or creates is something that effectively gets embedded in the code of the SL location they’re occupying — as if your personal set of widgets got embedded in the code of every Web site you visited. The problem is how to keep other people’s sites safe from the harm your widgets can create.
This shouldn’t require a trusted class of users, but only an enhanced ability to control what scripts are running on your land. It may involve having the owner of the land trust a visitor, so that that visitor’s scripts are given free rein. If you’ve mistakenly trusted someone who bombs you with self-replicating objects, you can un-trust the user and the scripts will cease. In any case, they won’t spread across the entire Grid, because they won’t be trusted everywhere.
Now, this isn’t necessarily the best or even a very good solution, but it’s an example of a solution that doesn’t require the creation of a trusted class. Other, better solutions should therefore be possible. Second Life survives and attracts users only because it’s nearly as free and open a space as the World Wide Web: it enjoys metaverse neutrality, the condition in which all users are treated equally. Linden Lab ought to keep this in mind as they pursue a solution to the problems they’ve been facing lately.
Feeds
“because it’s nearly as free and open a space as the World Wide Web”
Here’s where a portion of your comment breaks down: SL isn’t even “nearly as free”. It’s a closed, proprietary system. Period. Therefore, a comparison to the internet isn’t truly appropriate under the circumstances. There are plenty of restrictions inside SL that one wouldn’t find on the net.
Now this doesn’t mean your suggestion isn’t valid. Just that your premise: “The thing that makes the Web work is that anyone can create content there doesn’t yet apply to SL - and may never apply.
I’ll grant you that “nearly” is definitely overstating the case, csven, but the second part of that sentence still stands: “it enjoys metaverse neutrality, the condition in which all users are treated equally.” I’m trying to lean more on the equality bit in this post.
Also, I’m curious as to why you take issue with the contention that anyone can create content in Second Life. . . ? Because it’s really “anyone — except for whoever LL decides shouldn’t be allowed to”?
JavaScript suffered the same sort of problems now facing Linden Lab - before the JavaScript Security Model was defined, JavaScript enabled all kinds of attack vectors that made phishing, cross-site scripting (still a major risk) and all those pop-up and pop-under windows a standard feature of web surfing.
The JSM applies the concept of “origin” - for example code can only act upon data that has the same server name, port number and protocol. JavaScript code is effectively sandboxed into the site that it’s retrieved from. Additionally, browser users can add extra restrictions like blocking access to the winow.open() method and the status bar.
The net effect of this approach is to take control away from the person who wrote the code and give it back to the person whose computer executes it. This approach could also be applied to LL. Since the “executors” are effectively the land owners, they should be able to decide who can execute code, and perhaps even decide what LSL functions objects can call.
There’s more info on the JavaScript security model at http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/.
That’s exactly the kind of thing I was thinking of, Gavin.
There’s an option in land settings “allow outside scripts to run” something like that. Trouble is we all group deed our land (not only for mainland tier bonus but for management) and that means nobody- even owners/officers of the group count as the land owner for this (so it seems- I get errors on my rezzing things if this is unchecked).
“Allow non owner/group rezzing scripts to run y/n” default to no, on every land parcel including waterways/protected land. Wouldn’t this solve it? With the new group roles you can allow people into your land groups with no rights other than membership if you need to do it that way. If they cut off the bottom rungs of the ladder, SL is dead to innovation.
“Also, I’m curious as to why you take issue with the contention that anyone can create content in Second Life. . . ? Because it’s really “anyone — except for whoever LL decides shouldn’t be allowed to”?”
Not exactly. I called it out because last I checked there are still community standards. Try creating something that violates those standards and watch LL deal with it as the owner of the world. The web doesn’t function that way.
Ah yes, true, true. Me, I’m thinking those too will have to fall away eventually if SL is to fulfill its potential.
I think LL actually operates much more as a hosting provider or ASP than as the World Wide Web. For one thing, they operate a single walled garden, much as the AOLs or CompuServes of the past. More importantly, they are essentially selling bandwidth to property owners who must run a base application environment… upon which scripts can run. Most hosting providers (at least the responsible ones) expect their customers to run their server software in a safe, “Internet-friendly” manner. New scripts are often “proven” in a sandbox before being brought into production, and customers are held responsible for spamming, infringing content, etc. IMHO, LL taking steps to increase accountability for script authors AND script executors (i.e., land owners) is the right way to go… even if it means a few toes are stepped on along the way.
Agreed, Denials. But you say “Most hosting providers (at least the responsible ones) expect their customers to run their server software in a safe, “Internet-friendly” manner.” Also agree with that. But that’s not what LL is contemplating. Hosting providers don’t generally split their customers into “trusted” and “non-trusted,” do they? You’re generally trusted until you screw up, and then you’re out, right?
That’s right, the screw-ups are generally punished in some way. The problem is that LL has, as far as I can tell, assumed the responsiblity of the land owners (e.g., to try to prevent malicious code from running), while at the same time treating all script authors as a single “class.” If an ISP notices massive spamming or DNS attacks emanating from a single server do they shut down their whole network? No, they focus their efforts on the pain point. Trust and responsibility should go hand-in-hand. Given that LL hasn’t said yet how they will determine who is trusted or not, it would really be speculation for me to support or criticize their implementation at this point. That said, I would be supportive of a trust network centered on land owners. The land owners should in turn be empowerd to block and root out offending agents.
ah, but you could simply empower landowners to block offending agents on their land without having to create a trust network.
That’s true. But if the landowners are going to be held responsible for what scripts do on their land, then they need tools for assessing the associated risks. Being able to classify scripts based on level of trust could be very useful to these landonwers. Highly trusted (e.g., the land owner wrote the script themselves and it ran without errors in the sandbox) scripts could be given more leeway than untrusted scripts. Who wrote the script is only part of the issue, since resource hogging can occur with bugs as well as with malicious acts.
unfortunately, as we say in product security engineer profession, it takes them to loose Challenger _AND_ Columbia before they start to scratch their heads so I thought LL is still on the way to learn how to deal with security of their product.
And, yes, I also believe more into federal (world web alike) approoach then into thinking that LL should be god of everything. I mean, there shouldn’t be particular business owner of “space”, that way it is more secure. Single company will always be in trouble with security.
Will We See A Dumbed Down Virtual World Beat Second Life?…
Linden Lab’s response is to offer freedom only to an elite class of users who they trust, Mark Wallace of 3 Point D reports: When users add objects to the Grid that are able to replicate themselves, dividing and redividing exponentially, LL’s server…
Split off each parcel land as if it was it’s own webpage. One webpage acts up, shut it down.
In fact, I’m not entirely sure why the entire ‘world’ has to be accessible as something I can stroll across (for the most part). Why can’t I just port to each parcel of land?
Whats gonning to happen when/if SUN or Intel do another “Press meeting at 2pm pst” to Hype themselves as virtual worlds leaders, and the grid is down? Millions of egg on face I would think?
Seems this is the blog report from 30 days in the future.
I like Second Life, but a real platform or business?….better of in the sims online making pizzas.
Seems the 3d metaverse can’t be a Linden labs “product”
If not open on the web, i dont think its anywhere.
bliss
open x3d based worlds..come on in…..
build your future metaverse, dont just blog about it:)
all the pieces are there….and no “grid down” messages…
@ bllius: I really think that’s the way things are going to end up eventually. There will be some isolated islands, some communities of people who have come together contiguously in various sizes, and even a few larger communities that resemble the mainlands we have now. But eventually the idea of mainland as separate from estates will fall away.
why dont they just implement ‘tick quota’ as in MOO? you get allocated a certain amount of virtual processor/storage resource, and when you use it up, your code stops executing — stops runaway recursion dead in its tracks: then they can make ticks purchasable, or awarded to popular creators by community vote, or arbitrarily assigned by the admins… simple model with lots of possible social controls…
@darrel: Umm, this is starting to get into the territory that LL has been pushing so much effect into. The problem is that however you define a tick and a tick bucket, there will be those that can figure a way around your barriers. There is already a fairy strong set of logic to try to stop these attacks before they can grow very far, this attempt to classify “trusted” users smells like LL is giving up on a purely-heuristic approach to combating attacks
I think the idea of trusted users is a good idea as long as it is not too restricted. If someone gives a credit card number / debit card, charged for one buck and refunded to verify, they should be considered trusted. Maybe some other verification could be possible. The attacks seem to be people that log on anonymously and then have full scripting ability. Limit scripting to anonymous users, maybe limiting an item they own to not rez objects or only rez a small number of objects, maybe a max number per day. Being new to Second life, I’m not sure if this is easy, but it should be possible. The idea of giving landowners more control over scripting is also a good idea.
I don’t believe their is anyway to eliminate the attacks, a person with a stolen credit card could get through the verification process but the chance of someone going to that extreme is small. Of course they could also just purchase a full membership anyway, so restricting scripting to paying users is ridiculous.
An anonymous user may find a way around scripting limits, and someone who is verified may engage an attack anyway. More code needs to be implemented in the core systems to prevent these attacks or mitigate the damage. Users will always find a way around preventative measures, the internet has tought us that. It is just necessary to find a happy medium between security and ease of use.
LL needs to find that happy medium in order to keep SL alive and usefull. In the meantime I’m enjoying myself, and I’m sure if LL screws this up and SL doesn’t become “the ultimate metaverse” someone will come up with one that will. It may just take longer.