JEVN Exploit!
Alienbear Gupte
Alienbear
Join date: 14 Sep 2005
Posts: 138
12-13-2005 23:53
Hey, is it that even if they don't know where my server is, they can still steal my items from vendors? AWWWW.... I figured out why my business ran down after I used that system. Can anyone tell me: is it that I only need to hide my server, then ppl can't steal my stuff, or, no matter whether they find your server or not, they can still steal my stuff?
Zodiakos Absolute
With a a dash of lemon.
Join date: 6 Jun 2005
Posts: 282
12-14-2005 00:15
> You are way off the mark with your comments. I know Dmitri RL and he is nothing like what you are attempting to paint him as. And as for the exploit being "common knowledge", if it had been then why didn't everyone, including myself, know about it until tonight? Do the users of the Esmay system not have the right to know these things? No one has ragged on Esmay in this thread, so trying to make it look as if that was what Dmitri was doing is wrong on your part. He stated an opinion and he has as much right to do so as you or I do. If he wants to repeat it that is his right also. Your attack on him is not only uncalled for but childish behavior as well. You have accused him of behaving childishly yet you do the same thing with your post. SL may not be the real world but everyone in SL sure tries very hard to make it as much like the real world as they possibly can. Just take a good look around... cars, airplanes, houses, money, jobs, stores.... and yet we are not allowed recourse? Methinks something stinks in SL.

I don't think 'everyone' didn't know about it. The ones that did just aren't being as vocal about it. I said nothing about him behaving childishly, thank you for putting words in my mouth. And if he stated an opinion, do I not also have the right to state my opinion, especially when I labeled it as such? I don't care who knows who in real life. Just because you know this person doesn't give him an automatic 'I win!' card. In addition to that, he pretty much blatantly called me a thief for some reason I cannot fathom, especially considering I probably have far more stake in this than he does, as I've been using the JEVN system for quite a while and have saved an insane amount of time using this system, as well as having a log of every single transaction I've ever made conveniently searchable through gmail. I don't think my comments were very far off the mark.

I also did not say that the exploit was "common knowledge" (nice quote work there by the way), only that I had known about it, and it was even mentioned in the user group. I'm sure it's possible that a majority of JEVN users didn't know about it, but then again, judging from the amount of people that get on that group every day and say 'help m3 2 set up me JAVEN serv3r', it's fair to say that a lot of JEVN users don't follow the conference conversations either. No, instead, Dmitri and several other people want compensation for thefts that haven't occurred, or even worse, 'potential theft', and I maintain that that is utter bull. Sure, you are free to state your opinion about that, but if it's anywhere near as outlandish as that, people also have the right to call you on it.

> In the real world people sue people like Esmay, and bankrupt them. Luckily people like Esmay usually have all their money in offshore accounts and after a short jail sentence in a Federal prison, live a life of comfort and luxury.

Ah yes, just like all the real people that have sued Microsoft for bugs that have potentially caused them millions of dollars worth of damage? Yeesh... there's this wonderful part in the EULA that protects them from that for the most part: 'We are not responsible for any damages financial or otherwise resulting from the direct or indirect use of this product' etc. In fact, if you are reading this on a Windows system, you've even agreed to it when you installed Windows, or took your brand new shiny computer out of the package. Are you suggesting that every scripter that creates anything from the simplest 'Hello Avatar!' script release a virtual EULA in a virtual world protecting them from being virtually sued by anonymous avatars?
Selene Gregoire
Eyes of the Wolf
Join date: 14 Sep 2005
Posts: 681
12-14-2005 00:23
> I don't think 'everyone' didn't know about it. The ones that did just aren't being as vocal about it. I said nothing about him behaving childishly, thank you for putting words in my mouth. And if he stated an opinion, do I not also have the right to state my opinion, especially when I labeled it as such? I don't care who knows who in real life. Just because you know this person doesn't give him an automatic 'I win!' card. In addition to that, he pretty much blatantly called me a thief for some reason I cannot fathom, especially considering I probably have far more stake in this than he does, as I've been using the JEVN system for quite a while and have saved an insane amount of time using this system, as well as having a log of every single transaction I've ever made conveniently searchable through gmail. I don't think my comments were very far off the mark. I also did not say that the exploit was "common knowledge" (nice quote work there by the way), only that I had known about it, and it was even mentioned in the user group. I'm sure it's possible that a majority of JEVN users didn't know about it, but then again, judging from the amount of people that get on that group every day and say 'help m3 2 set up me JAVEN serv3r', it's fair to say that a lot of JEVN users don't follow the conference conversations either. No, instead, Dmitri and several other people want compensation for thefts that haven't occurred, or even worse, 'potential theft', and I maintain that that is utter bull. Sure, you are free to state your opinion about that, but if it's anywhere near as outlandish as that, people also have the right to call you on it.

Try actually reading what I wrote.

> He stated an opinion and he has as much right to do so as you or I do.

I used quotes on MY words (no one else's) to emphasize. If a few knew about it then what right did they have to withhold that info from the rest of the JEVN users? By NOT telling everyone they put those who did not know at risk and that is just flat wrong no matter how you try to spin it. And you can take your "holier than thou" attitude and shove it where the sun don't shine.
Zodiakos Absolute
With a a dash of lemon.
Join date: 6 Jun 2005
Posts: 282
12-14-2005 00:35
Semantics.
I don't know esmay's reasons for not alerting every single person in the world that there is a potential exploit for the JEVN system. There are several good ones that I can think of off the top of my head, but I hesitate to list them because they won't satisfy the vocal minority of people here that can't think logically. But that's never stopped me before, so here's a good one: esmay is in the business of selling stuff. A lot of stuff, but in this instance, networked vendor software. She learns about the exploit, and wants as few people to be potentially affected as possible, so indeed, instead of blabbing about it to everyone and their mother, she gets to work fixing it, knowing that if she had told everyone, there would have been a rush of people asking for refunds for their non-transferable/copy items (which are almost NEVER refunded, by the way, for obvious reasons), which would have taken away time that she could have been fixing the exploit, in addition to severely crippling her ability to help customers with immediate concerns. Do you think that Microsoft reveals publicly every exploit in its software? Did you know that in some cases, according to the DMCA, it's actually ILLEGAL for a third party to reveal that information? No - and it's for the same reasons. No, you may not like that, but it's how things work, and for the most part, it's better for everyone, even if it's not immediately better for the individual.
Selene Gregoire
Eyes of the Wolf
Join date: 14 Sep 2005
Posts: 681
12-14-2005 00:44
Get back to me when you can stop twisting what I say around. People have a right to know when their INVESTMENT is placed at risk by others whether you like that fact or not.
This has nothing to do with MS. Neither Dmi nor I were aware of any emulator that enabled someone to steal items from our vendors until it came up in the group IMs today. I am not the only one (obviously, from some of the posts made by OTHERS, plural) that does not appreciate being kept in the dark about it. I would not have asked for a refund. I would have waited until the problem was fixed and then continued to use the vendors. Problems should be fixed immediately and not be allowed to continue for 3 or 4 weeks as has been stated elsewhere. The right thing to do was advise system users that there is a problem and give them the choice of discontinuing use until it was fixed or not. It was MY money that was used to purchase the system and MY products that are at risk. Regardless of what you think I DO have a right to know when MY investment is at risk. As does anyone else who has purchased the system. I do have better things to do than argue with and be insulted by someone who knows nothing about me or my business. You are wrong and you know you are. Otherwise you wouldn't keep coming back here to argue about it. Have a nice life.
Mulch Ennui
15 Minutes are Over
Join date: 22 May 2005
Posts: 2,607
12-14-2005 00:51
> Semantics. I don't know esmay's reasons for not alerting every single person in the world that there is a potential exploit for the JEVN system.

something has dinged me for some reason.
this thread has a "sitcom" feel.
what if there is no exploit?
_____________________
I have of late--but wherefore I know not--lost all my mirth, that this goodly frame, the earth, seems to me a sterile promontory, this most excellent canopy, the air, look you, this brave o'erhanging firmament, this majestical roof fretted with golden fire, why, it appears no other thing to me than a foul and pestilent congregation of vapours.
http://forums.secondcitizen.com/
Selene Gregoire
Eyes of the Wolf
Join date: 14 Sep 2005
Posts: 681
12-14-2005 00:54
> something has dinged me for some reason. this thread has a "sitcom" feel. what if there is no exploit?

Then I'd have to say there will be a lot of very pissed off people. Mulch, I know all this amuses you. You don't stand to lose anything by it. But those who do stand to lose don't find it funny at all.
Dmitri Polonsky
Registered User
Join date: 26 Aug 2005
Posts: 562
There is probably....
12-14-2005 01:00
> something has dinged me for some reason. this thread has a "sitcom" feel. what if there is no exploit?

and I'd say a good chance those who have defended the exploit creator and those who say no big deal probably all have the emulator and just want their 25k L's worth out of it. Part of business is keeping theft to a minimal amount. And to that one person who has used them for a long time... well, sounds to me as if you were told about the time this emulator was created, so good chance you WERE one of the ones who got one. As for group IMs, we weren't aware of this situation at all till today, and some of us are just starting out. Not easy on us at all when we gotta shut down because someone was trusted with a script that should not have been and, worse yet, sounds as if he is already privy to the new coding as well. Of course to you this won't mean anything, except that when the servers are updated he can update your emulator as well. It cost us all L's and not just a few. When he created this thing and it became knowledge an announcement should have been made through notecards or a ballot. Carlos should have been removed from the group and the non-secure servers should have been pulled from the market immediately, instead of letting him have time to distribute these at 25k each and costing us all god only knows how much more in our time and efforts which could be stolen. Again Esmay was too trusting and kind, and still is since apparently Carlos has the new coding as well.
Dmitri Polonsky
Registered User
Join date: 26 Aug 2005
Posts: 562
cont
12-14-2005 01:02
This of course means that the "fix" is no fix at all till a new one is come up with that he has never seen the coding for, since his knowledge of the existing code going into the upgrade means he'll just do it again.
Mulch Ennui
15 Minutes are Over
Join date: 22 May 2005
Posts: 2,607
12-14-2005 01:03
> Then I'd have to say there will be a lot of very pissed off people. Mulch, I know all this amuses you. You don't stand to lose anything by it. But those who do stand to lose don't find it funny at all.

it started looking like it looked
i'm just saying, these 2 might have put out a forum theater to make someone else look bad
seemed forced
something just doesn't sit right...
confront the seller and ask ASAP
don't just take those 2s word for it either
they are not smart enough about tact and admitting using an exploit on forums
or there is no exploit so there is no fear "saying" exploit in the forum
either way, i wouldn't just take their word for it
"exploit" or "ponzi," this is an interesting situation
wow
Zodiakos Absolute
With a a dash of lemon.
Join date: 6 Jun 2005
Posts: 282
12-14-2005 01:14
> Get back to me when you can stop twisting what I say around. People have a right to know when their INVESTMENT is placed at risk by others whether you like that fact or not. This has nothing to do with MS.

Microsoft was used as an example because they are familiar. I apologize if I didn't make that clear enough.

> It was MY money that was used to purchase the system and MY products that are at risk. Regardless of what you think I DO have a right to know when MY investment is at risk. As does anyone else who has purchased the system.

There is nothing so dangerous as a person who is completely convinced beyond a doubt that they are right. You speak of rights as if this is some fundamental, universal concept that all of mankind should adhere to. Does esmay not have a right to protect HER investment? Does esmay not have a right to protect her customers from panic caused by good-intentioned but ill-informed people? Sure, that may sound odd to you, because you can only see things from your own perspective. And I'm also saying it merely as devil's advocate. But I assure you that you have no more 'right' to these things than esmay does in her pursuits. The right you DO have, according to Second Life's interface, is to remove your items from the vendor at any time, throw them away, rez them on your land, etc. When Second Life comes out with enforceable consumer protection laws, then I'll retract that paragraph.

> I do have better things to do than argue with and be insulted by someone who knows nothing about me or my business. You are wrong and you know you are. Otherwise you wouldn't keep coming back here to argue about it. Have a nice life.

You too! ^_^

> and I'd say a good chance those who have defended the exploit creator and those who say no big deal probably all have the emulator and just want their 25k L's worth out of it.

I'm not a super-fantastic scripter, but the techniques used don't sound all that difficult if they do indeed work. I certainly wouldn't pay 25K for something like that when I could make it myself. That's almost... 100USD! For what, a couple bucks worth of clothing? O.O I don't think a single person here has defended the exploit FINDER. And I don't think a single person here has suggested that this problem not be fixed, if it exists. You are fighting a battle against an enemy that doesn't exist, and just creating disinformation and concern for people.
Eboni Khan
Misanthrope
Join date: 17 Mar 2004
Posts: 2,133
12-14-2005 04:46
> Ah yes, just like all the real people that have sued Microsoft for bugs that have potentially caused them millions of dollars worth of damage?

Since this is a store vendor, I wasn't thinking in terms of computer software but more in terms of a security system. In America, you can sue anyone for just about anything. Like if you are a dummy and smoke, you can sue the cigarette makers! You have a massive exploit, you tell no one, that is reckless disregard. Anyway, I don't care. I am just glad I didn't buy one of those vendors, I always thought the pricing was way too high. Kyrah has a vendor that rocks.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
12-14-2005 05:47
> it started looking like it looked
> i'm just saying, these 2 might have put out a forum theater to make someone else look bad
> seemed forced
> something just doesn't sit right...
> confront the seller and ask ASAP
> don't just take those 2s word for it either
> they are not smart enough about tact and admitting using an exploit on forums
> or there is no exploit so there is no fear "saying" exploit in the forum
> either way, i wouldn't just take their word for it
> "exploit" or "ponzi," this is an interesting situation
> wow

Mulch, I don't say this to many, but *you* are an idiot. We both admitted to using it, obviously you don't read. And if this didn't exist, why hasn't Esmay stepped up and said so? And I did ask the seller, she knew about it existing.
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-14-2005 07:33
The exploit IS real. After it was announced, several of us who own and operate JEVN systems spent a few minutes independently hacking our own servers with alts. It does work, and anyone with scripting knowledge can do it in a few minutes. I set all my servers into maintenance mode last night awaiting the upgrade (and tried the exploit on it; they don't respond to buy requests in maintenance even from a hacked vendor).
We actually found out it's worse than previously claimed, because there are two ways to hack it, one of which lets you hack it anonymously. Send the item to you with no money transaction, but stick anyone's name on it you want as the 'buyer'. That's what prompted me to shut mine down temporarily.
_____________________
New products, updates, rants, randomness. Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
Dmitri Polonsky
Registered User
Join date: 26 Aug 2005
Posts: 562
Thanks....
12-14-2005 07:42
> The exploit IS real. After it was announced, several of us who own and operate JEVN systems spent a few minutes independently hacking our own servers with alts. It does work, and anyone with scripting knowledge can do it in a few minutes. I set all my servers into maintenance mode last night awaiting the upgrade (and tried the exploit on it; they don't respond to buy requests in maintenance even from a hacked vendor). We actually found out it's worse than previously claimed, because there are two ways to hack it, one of which lets you hack it anonymously. Send the item to you with no money transaction, but stick anyone's name on it you want as the 'buyer'. That's what prompted me to shut mine down temporarily.

for that tidbit Karsten. As it is I spent until 5 am reconfiguring another vendor system myself, turning off and removing all my JEVN stuff. Then we went and bought an encrypted set up, which I have yet to configure due to lateness of the hour. Now for more sleepless nights replacing all the items I spent weeks on.
Martin Magpie
Catherine Cotton
Join date: 13 Nov 2004
Posts: 1,826
12-14-2005 08:08
> The exploit IS real. After it was announced, several of us who own and operate JEVN systems spent a few minutes independently hacking our own servers with alts. It does work, and anyone with scripting knowledge can do it in a few minutes. I set all my servers into maintenance mode last night awaiting the upgrade (and tried the exploit on it; they don't respond to buy requests in maintenance even from a hacked vendor). We actually found out it's worse than previously claimed, because there are two ways to hack it, one of which lets you hack it anonymously. Send the item to you with no money transaction, but stick anyone's name on it you want as the 'buyer'. That's what prompted me to shut mine down temporarily.
Minoru Musashi
Oriental Flair
Join date: 20 Oct 2004
Posts: 76
12-14-2005 09:36
> The exploit IS real. After it was announced, several of us who own and operate JEVN systems spent a few minutes independently hacking our own servers with alts. It does work, and anyone with scripting knowledge can do it in a few minutes. I set all my servers into maintenance mode last night awaiting the upgrade (and tried the exploit on it; they don't respond to buy requests in maintenance even from a hacked vendor). We actually found out it's worse than previously claimed, because there are two ways to hack it, one of which lets you hack it anonymously. Send the item to you with no money transaction, but stick anyone's name on it you want as the 'buyer'. That's what prompted me to shut mine down temporarily.

I just placed my servers in maintenance mode for now. I'm not sure what to think about the situation. I await to hear from the creator.
Dmitri Polonsky
Registered User
Join date: 26 Aug 2005
Posts: 562
Well for now...
12-14-2005 09:48
> I just placed my servers in maintenance mode for now. I'm not sure what to think about the situation. I await to hear from the creator.

....I have taken the suggestion of some and switched over to the KDC's which ARE encrypted. No password, no access. And I know the perp doesn't have that code. Esmay is a nice person, from what little I have spoken to her, but there's a limit to how nice a person should be. This costs all of us, but esmay herself it'll cost more than the rest of us, maybe even the rest of us put together. I wish I could say or do something to help her but all I can say is this: I hope you have learned a lesson about trusting ppl too far with your codes.
Zodiakos Absolute
With a a dash of lemon.
Join date: 6 Jun 2005
Posts: 282
12-14-2005 09:56
Dmitri, it's obvious that you have absolutely no clue about what is going on. Esmay has never trusted anyone with any 'codes'. There's no situation in which she was being 'too nice'. I have no idea where you got that idea from. None at all.
Want to try it yourself? It's easy! Get an object scanner, or make one yourself. Find the key of a JEVN server. Make an object that sends it random emails, accepts emails, and forwards them to your account. After a bit of trial and error, you can probably deduce the protocol that the JEVN vendor uses to communicate. That's why it's called an emulator. Carlos never had the source code to the vendor. If he did, there would have been no reason to emulate it!
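Karsten's and Zodiakos's posts between them describe the weakness: the server honours any well-formed "buy" message it receives, so an emulator that has reconstructed the message layout can name any buyer and skip the payment, and Dmitri's switch to a system where "no password" means "no access" points at the fix. The Python model below is an added illustration written for this page, not JEVN, KDC or any Second Life code: a naive server beside one that requires an HMAC under a per-vendor secret the wire format never carries and refuses replayed nonces. Every field name, vendor id, price and secret in it is a constructed assumption.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Tuple


def canonical(fields: dict) -> bytes:
    """Deterministic encoding of the signed fields (sorted keys, no whitespace)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class NaiveServer:
    """Server that believes every 'buy' message: the failure mode the thread describes."""

    def __init__(self, inventory: Dict[str, int]):
        self.inventory = inventory                          # item name -> price in L$
        self.delivered: List[Tuple[str, str, int]] = []    # (buyer, item, amount claimed paid)

    def handle(self, msg: dict) -> bool:
        item = msg.get("item")
        if item not in self.inventory:
            return False
        # Nothing ties the message to a real vendor object or a real payment:
        # whoever can reach the server chooses the buyer name and the amount.
        self.delivered.append((msg.get("buyer", ""), item, int(msg.get("paid", 0))))
        return True


class AuthenticatedServer:
    """Same message layout, but each vendor holds a secret that never goes over the wire."""

    SIGNED = ("vendor_id", "nonce", "buyer", "item", "paid")

    def __init__(self, inventory: Dict[str, int], vendor_keys: Dict[str, bytes]):
        self.inventory = inventory
        self.vendor_keys = vendor_keys                      # vendor_id -> shared secret (assumed)
        self.seen_nonces: set = set()
        self.delivered: List[Tuple[str, str, int]] = []
        self.rejections: List[str] = []                     # audit trail a shop owner can review

    def handle(self, msg: dict) -> bool:
        try:
            body = {k: msg[k] for k in self.SIGNED}
        except KeyError as e:
            return self._reject(f"missing field {e}")
        key = self.vendor_keys.get(body["vendor_id"])
        if key is None:
            return self._reject(f"unknown vendor {body['vendor_id']!r}")
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return self._reject("bad MAC (emulated or tampered message)")
        if body["nonce"] in self.seen_nonces:
            return self._reject("replayed nonce")
        price = self.inventory.get(body["item"])
        if price is None or int(body["paid"]) != price:
            return self._reject(f"payment {body['paid']} does not match price {price}")
        self.seen_nonces.add(body["nonce"])
        self.delivered.append((body["buyer"], body["item"], price))
        return True

    def _reject(self, reason: str) -> bool:
        self.rejections.append(reason)
        return False


def vendor_request(vendor_id: str, key: bytes, buyer: str, item: str, paid: int) -> dict:
    """What a genuine vendor object sends after it actually received payment."""
    body = {"vendor_id": vendor_id, "nonce": secrets.token_hex(8),
            "buyer": buyer, "item": item, "paid": paid}
    signed = {k: body[k] for k in AuthenticatedServer.SIGNED}
    body["mac"] = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return body


def demo() -> dict:
    """Runs constructed requests against both servers and reports what each did."""
    inventory = {"Red Jacket": 250}                          # constructed sample stock
    key = b"constructed-vendor-secret"                      # assumption: provisioned out of band
    naive = NaiveServer(inventory)
    strong = AuthenticatedServer(inventory, {"vendor-1": key})
    # The message shape the thread describes: no payment, any buyer name, no secret.
    forged = {"vendor_id": "vendor-1", "nonce": "0000", "buyer": "Anyone Resident",
              "item": "Red Jacket", "paid": 0}
    genuine = vendor_request("vendor-1", key, "Real Buyer", "Red Jacket", 250)
    return {
        "naive_accepts_forged": naive.handle(forged),
        "auth_rejects_forged": not strong.handle(forged),
        "auth_accepts_genuine": strong.handle(genuine),
        "auth_rejects_replay": not strong.handle(genuine),   # same nonce a second time
        "rejections": list(strong.rejections),
    }
```

The secret has to be provisioned out of band and must not be readable from the vendor object, otherwise an emulator could sign its own messages; and checking the claimed amount against the price only rejects obviously underpaid requests, it does not by itself prove a payment happened.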
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
12-14-2005 10:06
All I can deduce from this is that the fundamentals of security appear to have been completely omitted. Well that and not rectifying the situation pretty much straight away when the flaws have come to light.
Keeping quiet about security flaws is never the correct procedure as a programmer - doing something about it straight away is. Once one person knows, it doesn't take long for that to propagate. Security vulnerabilities do come up in all software from time to time - it's the way that you address them that matters. It looks like it hasn't really been addressed at all and simply kept quiet. That's far from best practice and with a system involving commerce it's shocking.
Jana Fleming
SL Resident
Join date: 25 Oct 2004
Posts: 319
12-14-2005 10:50
Ok, I really didn't feel like reading through all 8 pages of this thread but I will ask - has esmay given any type of statement or anything about the issue? I own (but thankfully do not use) her vendors and I haven't received anything in world about it. That would be the businesslike thing to do at this point. In fact, I'm surprised that this thread wasn't started by her with the intent of providing information and avoiding speculation and rumor.
As a mall owner, is it appropriate for me to alert my merchants of this thread? Or should I leave well enough alone? Anyway thanks and I'm soooooooooooooooooo glad I'm an old fashioned prim with a picture on the wall merchant heheheh
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-14-2005 10:57
Esmay has said she has a fix nearly ready to be released. She has JEVN 3 (currently in the JEVN 2 series) nearly ready that addresses this problem. As I understand it, it's a couple days from being released. She was holding off on a public announcement because she was going to roll out the new version and get everyone to upgrade instead of causing public hysteria. She's been working on JEVN 3 for a while I guess, and considered it more time effective to finish that system than try and reverse patch JEVN 2. By making this exploit public knowledge, yes, JEVN users got informed, but so did every crook in SL who probably rushed to immediately write their own exploit for it. Not exactly a winning situation.
FlipperPA Peregrine
Magically Delicious!
Join date: 14 Nov 2003
Posts: 3,703
12-14-2005 10:58
> I agree with you but as I understand it Esmay has been working on fixing the problem since she found out about it. If, at some point, I do find out that she has not made any effort to fix it since she has known about it then I will stop using her system and I will want a full refund for both the systems I paid 2000L each for and will return the systems to her. If it comes down to that and I don't get any kind of refund then the non-action on her part will speak louder than words.

I remember reading above that she's known about this for over a month, though. If that's the case, it's unacceptable. I feel for Esmay, I really do, but that's just not right.

A while back, an exploit was found in the SLBoutique wallet system, which caused my centralized L$ account to be drained of some cash. Of course, this wasn't *my* cash, it was on account for other people. Yes, it really sucked. However, I immediately shut down the wallet network, processed each wallet deposit manually for some time, and then reworked the code to a system which was much, much harder to hack (I'll never say impossible, heh). I haven't had a problem since then <knock on wood>.

That being said, if you find out about an exploit, you should immediately notify your customers, and you don't stop working on it until you plug the exploit. Anything more than a few days is FAR too long.

Step 1: Remove/de-activate the part of the system that can be exploited
Step 2: Notify customers (doing this second prevents a dishonest customer from using the exploit against other customers)
Step 3: Patch the part of the system being exploited
Step 4: (if necessary) Give the customers the updated, patched version of the system.

I did this in under 48 hours when it happened to me. If you're going to take on building a system that is far reaching throughout SL, you also have to take on the responsibility. I think Esmay should have either had a patch out within a few days, or folded up shop and refunded all of her customers at least partially.

If it's been a few months, and she was just hoping the problem would go away - that's unacceptable. Hopefully Esmay can get on here and tell her side of the story.

Regards,
-Flip
_____________________
Peregrine Salon: www.PeregrineSalon.com - my consulting company
Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-14-2005 11:03
Hey Flipper, we simulposted. Please read my post above yours if you haven't already.
Jana Fleming
SL Resident
Join date: 25 Oct 2004
Posts: 319
12-14-2005 11:06
> By making this exploit public knowledge, yes, JEVN users got informed,

I was informed by a friend and then asked another friend who uses JEVN and was directed here. That's as much official notification as I've received. Replacing the "broken" vendor with a replacement that is SAID to be better is not an option for me, because it was SAID that the original was safe when in fact it wasn't. And even if it was thought to be safe, once it was found NOT to be, every person who has purchased JEVN should have been informed - the same way as when there is something new for us to purchase from the creator.