JEVN Exploit!
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
12-14-2005 11:10
Last night, while going around shopping, I was shocked to see how pervasive this particular vending machine is. It is definitely a mess, with all kinds of finger pointing going on. My question would be why has it taken weeks for a fix for it, and why was the system left up in the meantime?
_____________________
Cristiano
ANOmations - huge selection of high quality, low priced animations all $100L or less. ~SLUniverse.com~ SL's oldest and largest community site, featuring Snapzilla image sharing, forums, and much more.
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-14-2005 11:13
> I was informed by a friend and then asked another friend who uses JEVN and was directed here. That's as much official notification as I've received. Replacing the "broken" vendor with a replacement that is SAID to be better is not an option for me. Because it was SAID that the original was safe when in fact it wasn't. And even if it was thought to be safe, once it was found NOT to be, every person who has purchased JEVN should have been informed - the same way as when there is something new for us to purchase from the creator.

I'm not arguing that in the least, I would like to have been notified also, I'm just saying that information is a two-edged sword. There's plenty of people out there, possibly even some people who actually use JEVN, who would giddily exploit this to its maximum potential, and now all of them know about it as well as us. That's why I chose to shut down until JEVN 3 emerges.
_____________________
New products, updates, rants, randomness. Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
12-14-2005 11:21
> I'm not arguing that in the least, I would like to have been notified also, I'm just saying that information is a two-edged sword. There's plenty of people out there, possibly even some people who actually use JEVN, who would giddily exploit this to its maximum potential, and now all of them know about it as well as us. That's why I chose to shut down until JEVN 3 emerges.

Actually if the creator of this vending system had done the correct thing and acted upon the information as soon as they knew, then they wouldn't have left so many people vulnerable if the information then subsequently got out, as it has now. It shows complete disregard for security issues and for their customers. You act upon that information straight away, issue a patch or updated system, and it's then the customer's fault if they haven't upgraded (after all you cannot force them and many will not). I do hope that version 3 of the system will be both free and also include a very visible disclaimer that it must be used because of the security holes in version 2. If either of those are omitted then the creator will lose even more credibility than their inaction and silence up to now has already drained. It's all looking very amateurish at the moment, I have to say.
_____________________
FlipperPA Peregrine
Magically Delicious!
Join date: 14 Nov 2003
Posts: 3,703
12-14-2005 11:30
> Hey Flipper, we simulposted. Please read my post above yours if you haven't already.

I just did - and while I think that's a step in the right direction, I still think the situation could have been handled in a much better fashion. Cristiano's question of why it took so long to get a patch out is still very valid. Moopf's concerns about the appearance of this being taken rather lightly would concern me too. I was also on the horn to LL within minutes of finding the exploit in my system, to see what suggestions and ideas they might have; they're always quite helpful, and no one knows the systems better. Regards, -Flip
_____________________
Peregrine Salon: www.PeregrineSalon.com - my consulting company
Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
Zodiakos Absolute
With a dash of lemon.
Join date: 6 Jun 2005
Posts: 282
12-14-2005 11:34
Unfortunately, no - she logged off sometime last night, and probably doesn't know this thread exists yet.
Csven Concord
*
Join date: 19 Mar 2005
Posts: 1,015
12-14-2005 11:42
I've been watching the JEVN gain ground over the past few months. I personally could never trust anyone else to supply this kind of thing, though my concerns were admittedly more about having someone track my sales on the side and not actually having this sort of exploit.
I have to admit that I wonder if an open source system would be preferable. Though I've not given it much thought tbh. Then again, when HTML comes to SL, something like that might be a waste of time.
_____________________
Jana Fleming
SL Resident
Join date: 25 Oct 2004
Posts: 319
12-14-2005 11:45
> Esmay has said she has a fix nearly ready to be released. She has JEVN 3 (currently in the JEVN 2 series) nearly ready that addresses this problem. As I understand it, it's a couple days from being released. She was holding off on a public announcement because she was going to roll out the new version and get everyone to upgrade instead of causing public hysteria. She's been working on JEVN 3 for a while I guess, and considered it more time effective to finish that system than try and reverse patch JEVN 2. By making this exploit public knowledge, yes, JEVN users got informed, but so did every crook in SL who probably rushed to immediately write their own exploit for it. Not exactly a winning situation.

Not picking on you or anything, but I'm curious as to how YOU heard all this and the majority of us JEVN owners didn't. And if someone official bothered to say all that, why not notecard it and hand it out or simply post it here. Or are you esmay in disguise? LOL sorry I couldn't resist that. I'm at work and a little bored here lol. Anyway though I would like to know where your info came from.
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-14-2005 11:46
> Actually if the creator of this vending system had done the correct thing and acted upon the information as soon as they knew, then they wouldn't have left so many people vulnerable if the information then subsequently got out, as it has now. It shows complete disregard for security issues and for their customers. You act upon that information straight away, issue a patch or updated system, and it's then the customer's fault if they haven't upgraded (after all you cannot force them and many will not). I do hope that version 3 of the system will be both free and also include a very visible disclaimer that it must be used because of the security holes in version 2. If either of those are omitted then the creator will lose even more credibility than their inaction and silence up to now has already drained. It's all looking very amateurish at the moment, I have to say.

I agree that patching JEVN 2 immediately would've been the better solution, but what's done is done. I'm not attempting to defend anything, I'm just relaying what I've been told about why it was done the way it was. Ideally, esmay needs to make a post here when she gets back in world. And esmay has always delivered updates free to all the JEVN users, so I have no doubt this will be repeated with JEVN 3.
_____________________
New products, updates, rants, randomness. Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-14-2005 11:48
> Not picking on you or anything, but I'm curious as to how YOU heard all this and the majority of us JEVN owners didn't. And if someone official bothered to say all that, why not notecard it and hand it out or simply post it here. Or are you esmay in disguise? LOL sorry I couldn't resist that. I'm at work and a little bored here lol. Anyway though I would like to know where your info came from.

I found out last night same time as most of the JEVN users did, on the JEVN Users group. I've since talked to esmay quite a bit in instant message. That's all.
_____________________
New products, updates, rants, randomness. Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
Zodiakos Absolute
With a dash of lemon.
Join date: 6 Jun 2005
Posts: 282
12-14-2005 11:54
> Not picking on you or anything, but I'm curious as to how YOU heard all this and the majority of us JEVN owners didn't. And if someone official bothered to say all that, why not notecard it and hand it out or simply post it here. Or are you esmay in disguise? LOL sorry I couldn't resist that. I'm at work and a little bored here lol. Anyway though I would like to know where your info came from.

I DID hear about it about 2 weeks ago. It was discussed on the JEVN Users group just like everything else. The only explanation I can think of is that 'the majority of JEVN users' were not logged in at the time. It's that simple.
Eata Kitty
Registered User
Join date: 21 Jan 2005
Posts: 387
12-14-2005 12:15
> I have to admit that I wonder if an open source system would be preferable. Though I've not given it much thought tbh. Then again, when HTML comes to SL, something like that might be a waste of time.

I made a test one, unfortunately it's kind of crappy. Now I know more about ACID transactions I hope to rescript it sometime. A simple network vendor is actually really easy. The problem is if you actually want to make sure people receive their items and make sure the central server can keep up with simultaneous transactions!
Katiahnya Muromachi
Ninja Mistress
Join date: 25 Jun 2005
Posts: 130
12-14-2005 12:21
A little bit of insight from a former pharmaceutical systems patcher (thousands of Microsoft servers accessed 24/7 with clinical data * multiple monthly security patches = full time staff of Hotfix installers)..
While this is a screwed up situation, I can understand about the developer trying to keep hush on the exploit. When Microsoft finds out about an exploit, they don't let their customers know immediately; they let them know about the exploit after they have devised a Hotfix to patch the said exploit. Informing the customers of the nature of the exploit is informing and inviting potential hackers to the exploit. It's kinda messed, but the less people who know about the exploit, the less damage that can be perpetrated. Much like Microsoft trusts the security companies and white-hat hackers to keep hush on holes that they find, it seems that Esmay trusted Carlos that the exploit wasn't going to be disclosed while she worked silently on a solution. Even though MS isn't necessarily JEVN, I can understand Esmay's position, in that she was not just looking after JEVN's financial well-being, but after the well-being of her customers as well.
_____________________
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
12-14-2005 13:39
Ok everyone, FYI, I am suspended. I have been sent to a sim called 'The Corn Field' and it *really* sucks! There's corn all over, with a sloooww tractor you can ride around, I found a TV, and pushed play, and it plays a show called 'Boy in Court'. Kind of funny, but it's no fly, and there's corn..... everywhere...
Dmitri Polonsky
Registered User
Join date: 26 Aug 2005
Posts: 562
And the real issue is STILL not being addressed.
12-14-2005 14:21
That being, what good is version 3 when the person who created this has the code and probably already has a new device to exploit version 3? I am very sorry to say version 3 needs to be scrapped as it stands and totally recoded from the bottom up, with his expulsion from group and no knowledge of future patches given to him at all.
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-14-2005 14:40
> That being, what good is version 3 when the person who created this has the code and probably already has a new device to exploit version 3? I am very sorry to say version 3 needs to be scrapped as it stands and totally recoded from the bottom up, with his expulsion from group and no knowledge of future patches given to him at all.

That's not true. Knowing how the vendor works won't help them break it. The new vendor is going to have password authentication between vendor and server; if they don't know the password that YOU provide, it doesn't matter if they know the protocol or not, and frankly, you don't need to have the source to discover the protocol. Takes a couple of minutes jacking with a vendor/server, that's it. I don't have access to the source, and I managed to duplicate the exploit in a couple of minutes.
_____________________
New products, updates, rants, randomness. Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
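Karsten's point above, that the message protocol is discoverable and so the fix must rest on a secret the emulator cannot learn, as an added example that is not JEVN's code: a Python sketch of a vendor-to-server delivery request authenticated with an owner-configured shared secret. The message fields, `vendor_build_request`, `AuthenticatedServer` and the secret value are all constructed here; the example also goes beyond the post by adding a nonce so that a captured genuine message cannot simply be resent.

```python
import hashlib
import hmac
import json
import secrets

# Constructed owner-chosen secret; in the scenario above it is the password the
# vendor owner configures in both the vendor and the server.
SHARED_SECRET = b"owner-configured-secret-example"

def canonical(fields):
    """Serialize the request deterministically so both sides MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def vendor_build_request(vendor_id, buyer, item, price, secret):
    """What a legitimate vendor sends: the request fields plus an HMAC over them."""
    fields = {"vendor": vendor_id, "buyer": buyer, "item": item,
              "price": price, "nonce": secrets.token_hex(8)}
    mac = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "mac": mac}

def legacy_handle(request):
    """Unauthenticated handling: anyone who knows the message format is trusted."""
    return ("delivered", request["item"], request["buyer"])

class AuthenticatedServer:
    def __init__(self, vendor_secrets):
        self.vendor_secrets = vendor_secrets  # vendor_id -> shared secret
        self.seen_nonces = set()              # nonces already accepted (replay check)
        self.deliveries = []

    def handle(self, request):
        secret = self.vendor_secrets.get(request.get("vendor"))
        if secret is None:
            return ("rejected", "unknown vendor")
        fields = {k: v for k, v in request.items() if k != "mac"}
        expected = hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()
        # Constant-time comparison; a wrong secret or any altered field fails here.
        if not hmac.compare_digest(expected, str(request.get("mac", ""))):
            return ("rejected", "bad mac")
        if fields["nonce"] in self.seen_nonces:
            return ("rejected", "replay")
        self.seen_nonces.add(fields["nonce"])
        self.deliveries.append((fields["buyer"], fields["item"]))
        return ("delivered", fields["item"], fields["buyer"])

def demo():
    """Run the legacy and authenticated servers against constructed requests."""
    server = AuthenticatedServer({"vendor-01": SHARED_SECRET})
    good = vendor_build_request("vendor-01", "Buyer Resident", "Blue Hat", 100, SHARED_SECRET)
    results = {}
    # Legacy protocol: a well-formed message from anyone is honoured.
    results["legacy_emulator"] = legacy_handle(
        {"vendor": "vendor-01", "buyer": "Emulator Resident", "item": "Blue Hat", "price": 0})
    results["genuine"] = server.handle(good)
    # Same protocol and vendor id, but built with a guessed secret.
    forged = vendor_build_request("vendor-01", "Emulator Resident", "Blue Hat", 0, b"guess")
    results["forged"] = server.handle(forged)
    # A captured genuine message with one field changed no longer matches its MAC.
    results["tampered"] = server.handle({**good, "buyer": "Emulator Resident"})
    # Resending the unmodified genuine message trips the nonce check.
    results["replay"] = server.handle(good)
    return results
```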
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
12-14-2005 14:43
> A little bit of insight from a former pharmaceutical systems patcher (thousands of Microsoft servers accessed 24/7 with clinical data * multiple monthly security patches = full time staff of Hotfix installers).. While this is a screwed up situation, I can understand about the developer trying to keep hush on the exploit. When Microsoft finds out about an exploit, they don't let their customers know immediately; they let them know about the exploit after they have devised a Hotfix to patch the said exploit. Informing the customers of the nature of the exploit is informing and inviting potential hackers to the exploit. It's kinda messed, but the less people who know about the exploit, the less damage that can be perpetrated. Much like Microsoft trusts the security companies and white-hat hackers to keep hush on holes that they find, it seems that Esmay trusted Carlos that the exploit wasn't going to be disclosed while she worked silently on a solution. Even though MS isn't necessarily JEVN, I can understand Esmay's position, in that she was not just looking after JEVN's financial well-being, but after the well-being of her customers as well.

With all due respect this is all smoke and mirrors. How long do you realistically think a developer of this vendor system should take in fixing a hole? Apparently they've known for weeks. That's 100% totally unacceptable. But it's kind of indicative of amateurs producing stuff they really don't understand the implications of. Second Life is powerful, and you can produce things really easily. That's not to say you produce them right or know how to deal with the ramifications if you get them wrong. I'd say that's pretty clear in this instance. And plus, you're incorrect, most exploits in Microsoft etc. software are announced without their say-so and before a patch may be available. There are a whole host of sites that issue security advisories and they work like this:
1. Somebody finds a security flaw.
2. They email the vendor with details of the flaw and also post it to a security advisory site.
3. Around 1-2 days later the security advisory goes live on the sites it was posted to, and in this time you tell the original reporter what has been done to resolve it so it can be added to the report that there is a fix. Otherwise the report goes live on the net anyway and you inform them of a fix after that point.
The creator of this vending system had much more time than that. They're messing with people's money. That's not good. More respect needs to be shown to their customers. Yes I produce vending systems in SL (before anybody else brings that up) but I also produce e-commerce systems as my business in RL, and have done for many years now, so understand the implications and ramifications of security and take them extremely seriously. This person obviously does not. By a long way, I might add.
_____________________
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
12-14-2005 15:26
> This person obviously does not. By a long way, I might add.

Which is why my JEVN vendors are offline for the time being, replaced by, no kidding, some of Moopf's.
_____________________
Eboni Khan
Misanthrope
Join date: 17 Mar 2004
Posts: 2,133
12-14-2005 16:58
It has been almost 24 hours and Esmay still hasn't posted.
Excellent business practices.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
12-14-2005 16:59
> It has been almost 24 hours and Esmay still hasn't posted. Excellent business practices.

Well, she gave out notecards to everyone in the JEVN group, I got ahold of one, and a lot of it is not true. I don't understand why I was suspended and not the creator of the object as well.
Dmitri Polonsky
Registered User
Join date: 26 Aug 2005
Posts: 562
It was stated by them last night.
12-14-2005 18:29
> Dmitri, it's obvious that you have absolutely no clue about what is going on. Esmay has never trusted anyone with any 'codes'. There's no situation in which she was being 'too nice'. I have no idea where you got that idea from. None at all. Want to try it yourself? It's easy! Get an object scanner, or make one yourself. Find the key of a JEVN server. Make an object that sends it random emails, accepts emails, and forwards them to your account. After a bit of trial and error, you can probably deduce the protocol that the JEVN vendor uses to communicate. That's why it's called an emulator. Carlos never had the source code to the vendor. If he did, there would have been no reason to emulate it!

BOTH stated that the exploiter has been helping her to code the new fix. It has been admitted and stated by both. I cannot in good faith accept ANY fix he has been privy to the code on as being safe, so unless she removes him from group and reports him for his content theft, I will have to ask for a refund, as I KNOW no device he has worked on will be safe and it will already have been hacked in the same fashion.
Dmitri Polonsky
Registered User
Join date: 26 Aug 2005
Posts: 562
Since he has the coding...
12-14-2005 18:31
> That's not true. Knowing how the vendor works won't help them break it. The new vendor is going to have password authentication between vendor and server; if they don't know the password that YOU provide, it doesn't matter if they know the protocol or not, and frankly, you don't need to have the source to discover the protocol. Takes a couple of minutes jacking with a vendor/server, that's it. I don't have access to the source, and I managed to duplicate the exploit in a couple of minutes.

...you can already bet he has a device which will literally hand him that password. It's not going to stop until he is out of group, no longer privy to the codes, and she NEEDS to AR him as we all do for content theft.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
12-14-2005 19:52
Woo-hoo, I met "The anti-bush sign guy" in the corn field, he said he's getting out tomorrow, he was suspended for "disturbing the peace" for 7 days.
Jokey Domela
Registered User
Join date: 27 Jul 2005
Posts: 83
12-14-2005 19:54
> Woo-hoo, I met "The anti-bush sign guy" in the corn field, he said he's getting out tomorrow, he was suspended for "disturbing the peace" for 7 days.

That should distract the angry mobs long enough to make a getaway!
Sparkle Skye
Second Life Resident
Join date: 27 Oct 2004
Posts: 1,016
12-15-2005 00:01
> BOTH stated that the exploiter has been helping her to code the new fix. It has been admitted and stated by both. I cannot in good faith accept ANY fix he has been privy to the code on as being safe, so unless she removes him from group and reports him for his content theft, I will have to ask for a refund, as I KNOW no device he has worked on will be safe and it will already have been hacked in the same fashion.

Is this really true? Esmay is rewarding the guy who has admitted stealing and exploiting from her vendors by giving him a job and expecting people to have trust in this new system? I think this is beyond crazy.
_____________________
Beauty is in the eye of the Beholder...Always hold Beauty
Selene Gregoire
Eyes of the Wolf
Join date: 14 Sep 2005
Posts: 681
12-15-2005 00:19
In a word.... yes.
I have already pulled my JEVN servers and begun the long process of setting up a new system, and have asked Esmay for a refund. I don't feel I can trust Carlos to not do something like this again, and as long as he is working with Esmay on her system I will not use it. It's nothing against Esmay, but I learned long ago that if someone will do something like create and sell an exploit once, they will do it again at some point.