Clickable Culture   Official Research Blog of Phantom Compass
  Rogue Lily Disrupts ‘Second Life’ Service  
 
 
Posted 2006-06-07 by Tony Walsh
 
 
     
 
One of the self-replicating pink lilies that disrupted Second Life service. Picture provided by SL resident Prokofy Neva.
Second Life service was briefly disrupted by a self-replicating pink lily last evening, reports virtual-world resident Prokofy Neva via email. The lily, a 3D object allegedly launched by a newcomer to Second Life, "floated across sims, dragging some servers to a stand-still." Unfettered self-replicating objects have been known to overwhelm the servers that operate Second Life, and have been used in the past by "griefers" to shut down the entire virtual world for hours at a time.

Yesterday's service-disruption appears to be an accident, and was quickly contained by Linden Lab, maker and maintainer of Second Life. Prokofy Neva reports that containment was more difficult than Linden Lab expected, since the lilies were not only programmed to self-replicate, but used Second Life's physics system to glide through the air. In an initial attempt, reports Neva, "Script execution function was shut off and avatars found everything from their dance pads to slot machines to rentomatics and Ginko terminals cease operation temporarily." This halted self-replication, but the lilies were still adrift. Neva quoted a Linden representative as explaining "[The lilies are] physical gliders, so they can coast through a no-script zone...they just can't replicate inside it."

While the pink lily invasion doesn't seem to be a deliberate attack, further disruptions are likely, despite threats by Linden Lab to bring past and future attackers to the attention of U.S. authorities. Second Life's registration process became less stringent as of yesterday, requiring less information from registrants. According to Chris Linden, a Program Manager at Linden Lab, "The key changes of this system will be to simplify the registration form to only require some basic identifying information, mostly for account security. Most importantly: No billing information will be required for free accounts! However, free accounts will no longer receive the starting bonus of 250 Lindens." Some residents, including myself, speculate that less accountability for new registrants will increase the likelihood of future misbehaviour. Previous attacks peaked when basic Second Life accounts were made freely available.


An Incomplete History of Security Breaches in Second Life (most recent listed first):
 
     
 
   
 
  14 Comments  
 
   
 
Comment posted by Ordinal Malaprop
June 7, 2006 @ 10:32 am
     
 
Now that is very interesting, because using physical objects was something that I recall being suggested in a speculative thread about sim-crashing devices on the SL forums. Somebody suggested using no-script buffer zones, and other people pointed out that replicators could just use physics to cross them.

It may be a coincidence, and certainly doesn't mean that it wasn't an accident, but the reference immediately came to mind when I saw that line.
 
     
 
     
   
 
Comment posted by Prokofy Neva
June 7, 2006 @ 12:00 pm
     
 
I believe this latest incident was an accident. I can't know that the original creator of the flower in fact put the script in it; the owner of the flower, a self-avowed experimenter with AI and a newbie, was probably just experimenting.

Anything to ensure "learning" and "freedom of creativity," eh, Ordinal? That's what's important to develop the *platform*.

But those of us who live and work on the platform and call it a *world* don't like having our owned land being made some script kiddy's sandbox. It causes damages, move-outs, even people quitting SL. That's not acceptable.

I know of your dedication to the concept of free scripts, copyable scripts, scripts, scripts, scripts, being able to learn, and do, and eye-see-hand-do all over the grid.

But I want to eye-see-hand-do TOO and my scripts that are just ordinary unglamorous non-replicating non-flower scripts first stopped working due to sim overload, then were deliberately shut off.

Why are we always the ones who have to PAY for scripterati's free, free, free?
 
     
 
     
   
 
Comment posted by Ordinal Malaprop
June 7, 2006 @ 6:28 pm
     
 
I know that it was clearly too tempting not to construct a "tekkie-wiki" rant out of this, but the simple fact is that having objects move physically was immediately jumped on by everyone as being a solution to no-script zones as a barrier, because it's really obvious. I mean, really obvious.

If you don't like residents being able to script stuff and prefer that all programming be controlled by the politburo, rather than, say, have LL take action to ensure stability rather than just assume that everybody is all happy-friendly and won't exploit aspects whenever they can then, well, we may have to agree to disagree.
 
     
 
     
   
 
Comment posted by Prokofy Neva
June 7, 2006 @ 6:35 pm
     
 
Um, why jump to extremes? Who said residents shouldn't be able to script stuff on their own? That's silly. Uh, how would I have a customized rental box then, duh, plus hundreds of other things I own or have commissioned, and sell? I don't urge that "all programming be controlled by the Politburo" and you know better than that. I've argued very carefully what I think are the limits on these free scripts that circulate -- I'm for people charging even a little to insert a little more quality control. I'm for people using the scripting library that has commentary and correctives when they practice inworld, rather than just touch/copy/paste everything in sight.

Every time anyone tries to have a rational discussion with the scripterati of Second Life, they leap to extremes and begin wailing, "Oh, you want to take away freedom and creativity...oh, you want to run everything by the Politburo and even cease actions." Well...why such extremes? What, you don't recognize *any* type of control short of "the Politburo?" What, I'm supposed to *endlessly* roll over for scripterati's creativity expansiveness, even suffering the loss or damage of my property and my tenants' property? Why? Your rights aren't extended endlessly in RL -- why would they be in SL? Don't they stop when they begin to infringe on *other people's rights to create and enjoy their homes, too?* Or do you brook no control whatsoever? Surely there's a balance? What, you never met a script you didn't like? You can't recognize that maybe somebody should put a little thought into the ramifications of having things called "seed lillies" replicate like kudzu everywhere and stalling and crashing sims and destroying things?

I don't understand, if every created script has a UUID, why it is so difficult to instantly kill it and delete it thoroughly. Why does it take so long? Why are there still many of the same scripts left inworld after these crashed, continuing their damage, days later?
 
     
 
     
   
 
Comment posted by Ordinal Malaprop
June 8, 2006 @ 3:38 am
     
 
There are actually already restrictions on scripting in SL, but they're generally rather arbitrary and not that much use. For instance, there are delays on lots of functions, where the script is supposed to sleep for X seconds after using it, and fine, that sort of thing stops a new scripter from writing a loop with llGiveInventory and sending hundreds of notecards a second to everyone in the vicinity. However, by having different scripts that are told by a main script to give an object or rez an object etc, you can get around this quite easily, and in fact many popular and useful objects couldn't work if you couldn't.

There are also better things like the "grey goo fence" which caps, or is supposed to cap, rapidly replicating objects - apparently it failed here, but it's worked in the past and it's quite new anyway so certainly won't be perfect yet. It doesn't affect slow self-replicators for instance which might be something that needs addressing - I don't know the details of this attack. And there are also limits on and bugs in functions that just... don't make any sense, and don't seem to perform any service apart from pissing scripters off.

I'm joking about the politburo (although I *have* actually heard people suggest this quite seriously, that LL should review *every script* before it's allowed to run, which would be great in a way as they might find my bugs but somehow I think is unlikely to happen). But it's all very well saying "scripting needs to be controlled" - the question is how, and what will it break? It's very hard for LL to tell what any change in LSL will really do as the people making the decisions frequently don't know what residents are using the functions for. How could they, with thousands of scripters out there who are just as clever as they are?

It's not an issue of quality control really - grid-crashing scripts are usually specifically written by people who know what they're doing. It's pretty rare that someone comes into SL and has the skill to write something that could crash the grid but not the familiarity with the environment to know that it might do that, and in any case they're still not picking the script off the shelf.

I don't know why it seems to be so hard to kill scripts off, particularly as the fence relies on the concept of "families" of objects (one object rezzing another which rezzes another etc) so must track those families.
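The family-based cap on rapid replication described in the comment above, and its blind spot for slow replicators, shown as an added Python example that is not part of the comment thread and is not Linden Lab's code. The class name `GooFence`, the thresholds, and the optional population cap are assumptions made for illustration; the page gives no details of the real fence.

```python
from collections import defaultdict, deque
from itertools import count


class GooFence:
    """Per-family rez limiter. All thresholds here are constructed values."""

    def __init__(self, max_rez_per_window=10, window_seconds=5.0, max_family_size=0):
        self.max_rez_per_window = max_rez_per_window
        self.window_seconds = window_seconds
        self.max_family_size = max_family_size  # 0 disables the population cap
        self._root_of = {}                      # object id -> family root id
        self._recent = defaultdict(deque)       # root -> timestamps of recent rezzes
        self._members = defaultdict(list)       # root -> every descendant allowed so far

    def register_root(self, obj_id):
        """An object rezzed by a person (not by a script) starts a new family."""
        self._root_of[obj_id] = obj_id

    def try_rez(self, parent_id, child_id, now):
        """Return True if parent may rez child at time `now` (seconds)."""
        root = self._root_of[parent_id]
        recent = self._recent[root]
        # Drop rez events that have aged out of the sliding window.
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_rez_per_window:
            return False  # rate cap: the family is replicating too fast
        if self.max_family_size and len(self._members[root]) >= self.max_family_size:
            return False  # population cap: family too large, however slowly it grew
        recent.append(now)
        self._members[root].append(child_id)
        self._root_of[child_id] = root  # the child inherits its parent's family
        return True

    def family_members(self, root):
        """Everything descended from `root`: the set a cleanup pass would delete."""
        return list(self._members[root])


def simulate(fence, interval, ticks, every_object_replicates):
    """Run a constructed replicator against the fence; return how many rezzes it allowed."""
    fence.register_root("seed")
    live = ["seed"]
    ids = count()
    for tick in range(ticks):
        now = tick * interval
        # Fast goo: every live object rezzes a copy each tick (doubling).
        # Slow goo: only the newest object rezzes one copy (linear chain).
        parents = list(live) if every_object_replicates else live[-1:]
        for parent in parents:
            child = f"obj{next(ids)}"
            if fence.try_rez(parent, child, now):
                live.append(child)
    return len(fence.family_members("seed"))


if __name__ == "__main__":
    # Doubling every 0.5 s for 10 s: unfenced this would be over a million objects.
    print("fast, rate cap only:", simulate(GooFence(), 0.5, 20, True))
    # One rez per second for 5 minutes never fills the 10-per-5-s window.
    print("slow, rate cap only:", simulate(GooFence(), 1.0, 300, False))
    # Adding a per-family population cap stops the slow chain as well.
    print("slow, with size cap:", simulate(GooFence(max_family_size=50), 1.0, 300, False))
```

Because every child is recorded under its family root, `family_members("seed")` also yields the full list of objects to remove once a family has been flagged.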
 
     
 
     
   
 
Comment posted by Prokofy Neva
June 8, 2006 @ 9:39 am
     
 
You've made some interesting points, Ordinal. There are already significant checks on scripts, to be sure. The layman like myself who lives or works on a virtual world views these as necessary for the very functioning of the world itself, and not even sufficient. They seem like the most common-sense ordinary restriction you'd have to place on a phenomenon so as to prevent the world itself from losing its viability. But it seems the scripterati find this an onerous burden. I personally want to benefit from like "give inventory" for a cross-sims notecard-giver with a server and client that delivers my news service. If the scripts in it have to "wait" to prevent overloading sims with notecards, that's fine. I remember the scripter fretting that people would experience delays if several simultaneously asked for the notecard at the same time. To which I can only say, so? That's good, and it's tolerable to wait a few seconds, if that means we can prevent flooding of the world. This is the difference in perspective.

Perhaps the "gray goo fence" worked on this attack but I have to marvel at the mentality of people who experiment with stuff like this. What was their plan for *stopping* the replication? Do they think it just "knows" or that it just stops naturally at the boundary of a sim? I can't buy that if they are programmers in RL, interested in AI, and tinkering with a thing like this in the first place, that their newbie status even should shield them -- what, they have all that knowledge and they don't have the logic to understand the consequences???

When you say, "It's pretty rare that someone comes into SL and has the skill to write something that could crash the grid but not the familiarity with the environment to know that it might do that, and in any case they're still not picking the script off the shelf," that's seemingly the case here -- a newbie who seemed to be experimenting, unless of course he's an alt. It's as easy as pie to make alts now.

I see your point about the inability to know how scripts will be broken. But is it when scripts are broken that they become dangerous? I can't imagine a script review board examining every script. Again, that's going to extremes.

It means a change in culture, from "SL is my sandbox and my sense of entitlement extends everywhere even past your rights". That's very hard to change -- until you do, by example, by lecturing, even by changing the lingo on the website from things like "land is your blank canvas" to something like "buy some land and make a neighbourhood in cooperation with others". These not even so subtle cues can do wonders to change people's expectations.

The scripts that have crashed the grid are not broken scripts gone amok in a new patch. They are fairly garden-variety. They appear to always be the same - self replication. OK, so...why do we need to have self-replication again? For artificial life experiments. OK. Well... would it be too much to ask that controls be put on these experiments so they don't crash others' homes?
 
     
 
     
   
 
Comment posted by Ordinal Malaprop
June 8, 2006 @ 4:54 pm
     
 
I can't speak for the scripter of this device but it is well known that, when designing self-replicators, one has to be *very* sure to hardcode in a replication limit, and one that can't be broken accidentally by some error in SL. The piece on self-replication in the Wiki makes this very very clear.

When I say "broken" scripts, what I mean is scripts that performed entirely innocent functions which now just don't work. It's very unlikely that they'd be dangerous, but SL might find that one tiny change to the way permissions work breaks every vehicle, or some such. (Something like that nearly happened in one of the recent updates and there had to be a huge campaign by scripters to have it fixed before release.) The only way to avoid this sort of thing is to release proper details of changes to the SL scripting community so that they can say "hold on a second, don't do that, it'll break X Y and Z", but unfortunately LL's "development lifecycle" isn't really very good for that, and it's usually just left up to people to discover the details of the changes they make for themselves.

And there's no specific self-replication function in LSL... all of these things are actually the application of other, far more useful functions. Self-replication for instance is just rezzing a new object and copying the original script across to it, both of which are fairly basic (well, script copying is unusual, but it's still handy). If you start banning underlying tools what you end up with is (a) a load of broken objects and pissed-off customers and really pissed-off scripters who have to field the complaints, and (b) griefers who just move on to something else. And let's not forget that self-replication is actually, in itself, immensely useful to people involved in research and also production of useful objects, who are quite capable of controlling it and would never dream of crashing SL.

Even in games without scripting people find ways to crash grids. I was talking to a friend who used to play Eve Online. Someone worked out that, if they got a hundred or so ships in one area of space, and then had all of their ships release drones, then that overloaded the server. The response? Entirely change the way that drones work. My friend left at that point - he'd spent ages building up skills and so on to use drones, and then they just changed things to make all of his time pointless, and it wasn't the first such instance, it was the straw that broke the camel's back.

Restricting the use of LSL is not a simple matter. It's far better to use

(a) technical tools which target the effects of potentially dangerous scripts, not their mechanisms, since the mechanisms can change so often (e.g. the grey goo fence, and that has pissed me off personally but I recognise that it's a good idea so I'm happy with its existence);

(b) social tools, like proper dispute resolution and consistency in dealing with griefing, and going after sim crashers effectively. An FBI agent knocking on the door investigating "cyber-terrorism" beats any number of script changes. Technical solutions are just a new challenge to crashers.
 
     
 
     
   
 
Comment posted by Tony Walsh
June 8, 2006 @ 10:39 pm
     
 
Just wanted to pop my head in and mention that I haven't had time to comment meaningfully, but I have been following along when possible. The conversation has been interesting and edifying, thanks to you both for your thoughts.
 
     
 
     
   
 
Comment posted by Prokofy Neva
June 9, 2006 @ 9:16 am
     
 
I often wonder why the Lindens don't have some sort of even informal board that at least asks the question each time they do a game patch (it's hard to call it anything other than a game patch given the roulette you get with it), hey is this going to break anything major? I remember changing my rental scripts to 3 different scripts to decrease the chances that I'd get stuck with any one of them going down, after I got burned once with one of the patches destroying a script's timing device, firing off "expired" notices to everyone who had paid already. Yuck.

But...that would be like the Politburo, eh? I wonder why it couldn't be conceived of like a clearinghouse, however. I suppose it's only a matter of time before someone does a website like that with a name like "Broken Dreams" (paging Jeffrez Gomez!) Of course...there *is* a clearinghouse called "The IRC Channel". On that channel, I remember being fascinated once to see how a Linden was backed against the wall, after he had gotten the go-ahead from Philip to finally deprecate the evil bounce/eject "security" script which constitutes a weapon.

There was a huge howling in the IRC channel, and later Philip explained, even from within LL itself, OMGODZORZ you can't deprecate that script, it means there will be...no elevators in SL.

Elevators? You mean, the 14 and a half elevators we might find in the whole of SL, some not working, which are put in vanity office towers?

Or, OMGODZORZ it affects other things that need push like...um...ermmm...vehicles? That don't work any way due to sim seams? This is where I had the famous argument with Aimee Weber, urging the Lindens, if they couldn't deprecate a script because of this alleged horrible loss of um elevator capacity or warfare creativity, at least to make a *policy* that anyone using eject scripts without warning, and so as to bounce home, not a few meters, would be considered shooting and in violation of the TOS. Would that be so hard? Of course not. Now, sporadically, Lindens *do* have police blotter reports for "aggressive bounce scripts" and "over-active security scripts" but they don't make definitive statements on it such as to bolster those of us trying to make civilized areas. The only thing we can do is ban their use from our lands, which many landlords in fact do because while they give an illusive security to one, they aggravate 10 others.

While we're on the subject of sim seams, if we can't drive a vehicle across them, how is it that things can replicate across them? Even trying to rez a house over a sim seam makes it explode. Why don't griefer balls explode? This has always been a mystery to me, even allowing for physics floating, which vehicles have to.

IOW, if your issue is that you need to retain the right of a script to copy, which of course makes sense, then why not make it only be able to be copied on that sim?

Please explain why the gray goo fence "pisses you off". Will you recognize no restrictions on scripting creativity without either protesting, becoming angry and resentful, and plotting to restore what the Lindens have taken away in the name of greater harmony for a balance of social interests, between sandboxers and settlers?

I haven't noticed that any of these G-men the Lindens have brought in have stopped any of these replicating attacks. It's an insufficient deterrent until the feds nab their man and the story is publicized.
 
     
 
     
   
 
Comment posted by Ordinal Malaprop
June 9, 2006 @ 12:25 pm
     
 
The reason things pop occasionally when they go over a sim divide is because of communication speed between sims. A prim moves into a new sim, and its position relative to other prims isn't updated properly, so SL thinks that the prim has gone over the distance limit for linking, and bang. At least that's sort of it as far as I'm aware. Grey goo is going to be single-prim stuff which wouldn't have that problem.

It's still quite rare for things to explode over sim boundaries though; I have objects moving over them all the time, literally once every couple of minutes all day at the moment, and I've never had one explode, though I've had hundreds of other really annoying effects from sim transition that are, I believe, also down to inter-sim communication. Speeds of 10m/s or less help.

I said that the grey goo fence pissed me off because at the time it was introduced I was working on a fairly extravagant rezzing script that was still within the limits that we were told about - but they weren't the real limits, so I had to spend ages tinkering with timers to find what they actually were.
 
     
 
     
   
 
Comment posted by Secureplay
June 9, 2006 @ 2:05 pm
     
 
One doesn't have to limit the script language, but at least introduce stronger script accountability. The creator of a script (or instance of a script) should be clearly associated with it. And this should be a real person... maybe even a paying customer?

Something to make them know that "they can be found" if their script goes awry.

If LL doesn't want to keep freebies (as opposed to newbies) from scripting, limit the script functionality that they can access until they convert to paying customers.

Also, just as with graphics, it would be really wise to have safe sandboxes for script creation. Of course the logical option would be for this to be off-line, like the new drawing capabilities. Again, I am sure people would pay a modest amount for such a local tool to play instead of trying to create in-game.

If LL did create strong accountability, they might be able to allow even more powerful scripting - things that make the game a more interesting place and reward those who can script-craft well.

As an aside, I would definitely be interested in hearing more about the Eve rules-change for drones. My impression is that Eve's builders have kept a pretty hands-off relation with Eve...

And do check out my trackback above for additional security comments on this topic.

Thanks,

Stev
 
     
 
     
   
 
Comment posted by Ordinal Malaprop
June 10, 2006 @ 2:49 pm
     
 
At the moment, the original creator is identified, as well as the owner, but not the last person to modify the script, so there's no accountability. Someone could wipe the contents, write in a new script and you'd still be listed as the owner. LL might have some sort of tools to check who has changed what, though, since each new version has a new asset key if I'm not mistaken.

Really, though, a lot of this comes down to *willingness* to enforce regulations. I get an impression that LL would really love not to enforce any behaviour regulations at all - you know, like Stephenson's Metaverse, maaaan - and would prefer to have it all a blank slate... except that people use this to take down the entire grid. Instinctively they resist putting tools into place that could help there. (That's not to mention the strange situation with enforcement of behaviour standards, that's a whole other subject.)

There are sandboxes for scripting (also some not for scripting) but they do tend to get a bit full, so builders who aren't making things of enormous size tend to avoid them if they can.

I'll see if I can get any more details from my friend who was in Eve.
 
     
 
     
   
 
Comment posted by Secureplay
June 10, 2006 @ 4:09 pm
     
 
I'm not sure the laissez faire attitude makes sense, much less reflects any Glorious Stephenson theory - my vague recollection is that the Game/Metaverse did enforce rules pretty thoroughly... Hiro's hot motorcycle still had to obey physics, everybody was forced to "log out" when they lost a duel, the 'verse was actually pretty mundane when you get right down to it.

By the way, it also enforced geography in a way the real web doesn't... no teleporting (for good dramatic effect, of course).

The more I learn about SL, the more things confuse me. If you want a virtual world to be popular, it needs to accommodate dense crowds, be highly reliable, and maintain control.
 
     
 
     
   
 
Comment posted by Prokofy Neva
June 10, 2006 @ 4:28 pm
     
 
>Someone could wipe the contents, write in a new script and you'd still be listed as the owner.

What has happened in a lot of these recent attacks on the entire grid, and some in which my sims have been singled out, is that any object clicked off with the box "share with group" is open to any rogue group member who can come in and edit the prim, i.e. drop in a script or tamper with a script if it is moddable.

If the group is open in FIND and doesn't require any invitation, anybody can join the group for a second, find a share-with-group object, invade it with a malicious script, then leave the group, and leave no fingerprint. I'm not sure that the script they drop inside a prim that might have my name on it in fact retains their name. I'm gathering that it doesn't.

I'm not sure that the Lindens have records showing date and time and name of who joins groups -- they should, but it may be something they never bothered with. Only through eyewitness reports and manual tracking has this been able to be curbed. I eliminate all share-with-group items now as a matter of course. It's a shame that the very tool that enables people in a group to share a build and do things together to edit and move that build is the very thing the griefers use to destroy them.

The practical problem is that newbies confuse "set to group" and "share with group" (the user interface doesn't help you there in sorting it out) and sometimes something will get left in "share". That enables yet another round of malicious scripts.

It's a game-world's microcosm of the problem of the liberal society and terrorism, and the answer shouldn't be to close groups, give up collaboration, and give up all your rights to the national security state, the answer should be more complex and nuanced. The policy of having subscriptions with no identification presented appears to be a source of trouble.

A policy I've mulled over is whether the Lindens should keep a better watch on known groups of griefers like W-HAT factions and instantly place under suspicion all their new alts who keep joining the same groups. There's ample evidence time and again that the same people keep coming in and getting alts and doing the same thing in the same way.

Of course, here we run up against various universal principles established in Nuremberg. Can you try someone merely for their membership in a group, or restrict them from employment/access to a world merely for group affiliation? Or must they be tried for their own concrete deeds?

This is one of those vexatious things that is hard to fix, because you can't turn off "share with group" to eradicate this problem.
 
     
 
     
   
 
 
     
 
     
Clickable Culture
Copyright (c)1999-2007 in whole or in part Tony Walsh.

Trademarks and copyrights on this page are owned by their respective owners. Comments owned by the Poster. Shop as usual, and avoid panic buying.