
JEVN Exploit!

Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-16-2005 07:17
From: Selene Gregoire
By Carlos' own admission he did SELL the exploit to at least one person. And he also admitted to GIVING it to another person other than Esmay, the creator of the vending system. So that makes at least 2 people other than the creator and himself that got the emulator. The one person who it was sold to started this thread. The one person it was given to has not said a word that I know of about any of this. We have no way of knowing what permissions were granted to this silent person and how many that person may have distributed.


I've been told by the person who was the subject of a JEVN exploit thread that got deleted that Carlos is now freely distributing the exploit with 20-30 vendors pre-programmed in that you can select from, including her own, Vindi Vindaloo's, JEVN itself, Ravynclaw(sp?) and many others.

This person also alleges that the exploit has been set up to send the money you pay it for the items to Carlos (there were a lot of holes in her story regarding this, including 'not noticing' until she'd given him like 20K of cash on a buying spree, but that's the story.)

Anyone who hasn't dropped their servers into maintenance mode by now is pretty foolish.
_____________________


New products, updates, rants, randomness.
Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
12-16-2005 07:37
From: Karsten Rutledge
I've been told by the person who was the subject of a JEVN exploit thread that got deleted that Carlos is now freely distributing the exploit with 20-30 vendors pre-programmed in that you can select from, including her own, Vindi Vindaloo's, JEVN itself, Ravynclaw(sp?) and many others.

This person also alleges that the exploit has been set up to send the money you pay it for the items to Carlos (there were a lot of holes in her story regarding this, including 'not noticing' until she'd given him like 20K of cash on a buying spree, but that's the story.)

Anyone who hasn't dropped their servers into maintenance mode by now is pretty foolish.


And Esmay still hasn't patched version 2? Quite honestly it's absolutely ridiculous that she didn't straight away. And then didn't when the threads started a few days ago. And still hasn't! Is version 3 out now at least? Yes? No?

It's going to take one hell of an effort for her to regain the trust of customers after being so completely inadequate and unprofessional in dealing with this security hole.
_____________________
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-16-2005 07:40
From: Moopf Murray
And Esmay still hasn't patched version 2? Quite honestly it's absolutely ridiculous that she didn't straight away. And then didn't when the threads started a few days ago. And still hasn't! Is version 3 out now at least? Yes? No?

It's going to take one hell of an effort for her to regain the trust of customers after being so completely inadequate and unprofessional in dealing with this security hole.


Last I was told (which was yesterday I believe), V3 is completed and 'in testing' and expecting release in the next couple of days.
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
12-16-2005 07:53
From: Karsten Rutledge
Last I was told (which was yesterday I believe), V3 is completed and 'in testing' and expecting release in the next couple of days.


Wow. Just wow. I really hope that people give her vendor systems a wide berth from now on because of this unbelievable and total inaction on rectifying what's out there already. This vendor creator doesn't know what she's doing I'm afraid to say.

I hope version 3 is rock solid for her sake and, more importantly, her customer's sake, because if there is a security hole in it, the creator looks like she'll just stick her head in the sand and do nothing about it judging from what's happened here.
_____________________
Casey Benton
Registered User
Join date: 27 Jul 2005
Posts: 39
12-16-2005 08:19
From: Dmitri Polonsky
We have no way of knowing how many you sold it to. And personally, I think the mis-statement was closer to the truth.


Actually, if you read the original, that's not a mis-statement. People are just adding a 'to' to the end of the line that isn't there.
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
12-16-2005 09:10
From: Moopf Murray

I hope version 3 is rock solid for her sake and, more importantly, her customer's sake, because if there is a security hole in it, the creator looks like she'll just stick her head in the sand and do nothing about it judging from what's happened here.


I would protest, and encourage others to do so, against the ongoing usage of JEVN even if version 3 is secure.

We do not want to develop a situation where someone releases a product lacking a security system - thus beating to market any scripter who was waiting until their security was completely coded before release - and then, when the security flaws are exposed, "gets away with it" by getting to keep all the money and in-world coverage they got while the people who actually tried to code secure systems in the first place get passed over.

I can see people here who've been affected by it. Moopf, Kyrah, how'd you like to have had every vendor sale that JEVN have had? You could have done - except that you, apparently, made the fatal mistake of doing a proper job securing your vendors. While JEVN didn't take that time, but claimed the market because nobody bothered to check.

I've been working on a money handling script, and later a networked script, for release, and the number of different "gotcha" conditions that come up under load testing is quite ridiculous, as is on occasion the amount of rejigging required to fix them. If folks carry on using JEVN, that sends folks like me the message that it's ok to just go ahead and release anyway because no matter how much potential harm my code does I can just release a patch after the event, laugh all the way to the bank, and bask in grid-wide placement. That's no way to do business, in RL or SL.
Luciftias Neurocam
Ecosystem Design
Join date: 13 Oct 2005
Posts: 742
12-16-2005 10:21
re: "hackers"


I guess no one calls them "crackers" anymore. I'm old enough to remember when that was actually a debate, and a hot one at that.
Mike Westerburg
Who, What, Where?
Join date: 2 May 2004
Posts: 317
12-16-2005 10:33
From: Luciftias Neurocam
re: "hackers"


I guess no one calls them "crackers" anymore. I'm old enough to remember when that was actually a debate, and a hot one at that.



I agree 100% with this sentiment :)
I swear, the modern media and all that giving us hackers a bad name.... Didn't anyone teach them what being a hacker really means? I know the dictionary regards it as being those that can compromise a computer's security but dangit, anyone who ever used a piece of duct tape to fix a car fender is a hacker... Poor, poor MacGyver, his hacks will live on in infamy....
_____________________
"Life throws you a lemon, you make lemonade and then plant the seeds"
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
12-16-2005 10:39
From: Yumi Murakami
Moopf, Kyrah, how'd you like to have had every vendor sale that JEVN have had? You could have done - except that you, apparently, made the fatal mistake of doing a proper job securing your vendors. While JEVN didn't take that time, but claimed the market because nobody bothered to check.


Nope, not really :) I have a web-linked vendor system (in fact I think it was the first publicly available one when we first got the email facility). It's still running with a few customers but I never really promoted it after a few months (took a sabbatical from SL) and I'm not that interested now, to be honest. I do still have the Vendopf for sale and, I'd guess, I've sold a massive amount more of those than Esmay has sold of her system - that's not a networked vendor but suits many people's needs.

It does bother me that people without the pre-requisite skills in coding, knowledge of security or understanding of how software should be updated in instances such as the one in this thread, are writing such commerce systems in SL though. It does make you wonder what other hornet's nests are out there.
_____________________
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-16-2005 10:41
From: Mike Westerburg
I agree 100% with this sentiment :)
I swear, the modern media and all that giving us hackers a bad name.... Didn't anyone teach them what being a hacker really means? I know the dictionary regards it as being those that can compromise a computer's security but dangit, anyone who ever used a piece of duct tape to fix a car fender is a hacker... Poor, poor MacGyver, his hacks will live on in infamy....


Yeah, it always entertains me how word definitions get changed to fit common usage. I have a thick older unabridged dictionary whose definition of hacker is 'a skilled and enthusiastic user of computers.' These days if you punch hacker into a dictionary, you get 'someone who breaks into computers.' Sigh.
Mike Westerburg
Who, What, Where?
Join date: 2 May 2004
Posts: 317
12-16-2005 11:00
From: Karsten Rutledge
Yeah, it always entertains me how word definitions get changed to fit common usage. I have a thick older unabridged dictionary whose definition of hacker is 'a skilled and enthusiastic user of computers.' These days if you punch hacker into a dictionary, you get 'someone who breaks into computers.' Sigh.



It is just as funny how nonsensical words seem to spring into existence these days like bling and phat. Even though they aren't in the dictionary today, I will bet 10 to 1 they will be sometime in the future. If the word Doh made famous by Homer Simpson can be then I am sure bling will make it too. If you were to run around many, many, many years ago shouting that you have bling, people would call the short bus to pick you up. If you called a girl phat back then, you would most likely end up on your ass with a red welt across your face.

To keep my post close to the topic though, this is some crazy shiz: a SIM called Cornfield with a slow tractor, no build, no fly and no out-houses. Talk about inhumane punishment! Can you at least watch the corn grow?

And about the hornet nests that may be out there, if they are European Hornets, leave em alone, they can be mean buggers, they will even attack at night. If they are Bald Faced hornets then they are usually passive and easy to get along with but still can attack at night. :p
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-16-2005 11:04
From: Mike Westerburg
To keep my post close to the topic though, this is some crazy shiz: a SIM called Cornfield with a slow tractor, no build, no fly and no out-houses. Talk about inhumane punishment! Can you at least watch the corn grow?


No fly, no biggy. Corn is tasty. Tractors go vroom vroom. But no BUILD? GASP. I'd just stake myself, except of course that you, you know, can't make a stake.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
12-16-2005 11:05
From: Mike Westerburg

To keep my post close to the topic though, this is some crazy shiz: a SIM called Cornfield with a slow tractor, no build, no fly and no out-houses. Talk about inhumane punishment! Can you at least watch the corn grow?

If you stay there long enough! But there's also no outside communication, and you can't see the MG in the map. I tested posting a classified (search for "nim" and map the location to see where it is) and it shows up in the MG, as opposed to the corn field where I posted it from. (P.S. I *can* receive objects from SLE, I got bored and tested it.)

Kars: This tractor is slower than walking though, it's not vroom vroom, it's more like putt putt sputter sputter.
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
12-16-2005 12:32
From: nimrod Yaffle
Kars: This tractor is slower than walking though, it's not vroom vroom, it's more like putt putt sputter sputter.


I wouldn't have my tractors any other way.
Zodiakos Absolute
With a a dash of lemon.
Join date: 6 Jun 2005
Posts: 282
12-16-2005 17:24
I have to retract some of the things that I've said thus far in this thread.

Last night I set out to create an emulator for my own JEVN servers to see how difficult it would be. I'm not a super-duper advanced scripter or anything, but I do have a little bit of experience with the techniques needed to do such a thing.

I unfortunately didn't need any of them. It took approximately an hour and a half to have the server cheerfully giving me any item I wanted - and making it log the sale as coming from a various member of the White House. I'm kind of in shock right now.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
12-16-2005 21:38
From: Zodiakos Absolute
I'm kind of in shock right now.

You shouldn't be, I told you it was possible, didn't I?
Zodiakos Absolute
With a a dash of lemon.
Join date: 6 Jun 2005
Posts: 282
12-17-2005 03:31
Possibly, but by your own admission, you are a thief (which you have been suspended for), and possibly a liar, according to some of the other people in the thread (who have had their own credibility called into question as well). Forgive me if I was skeptical.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
12-18-2005 17:10
From: Zodiakos Absolute
Possibly, but by your own admission, you are a thief (which you have been suspended for), and possibly a liar, according to some of the other people in the thread (who have had their own credibility called into question as well). Forgive me if I was skeptical.

Wait.. I admitted to taking the items with the emulator. So that makes me a liar... then was I lying about it? Guess so. And if you didn't believe it was possible (since you think I'm a liar), then I didn't steal anything and I'm not a thief/liar. I think you proved yourself wrong. I don't get it, I can't be a liar/thief if it wasn't possible.
Ravenelle Zugzwang
zugzugz.com
Join date: 23 Jul 2004
Posts: 267
12-18-2005 17:26
From: nimrod Yaffle
Wait.. I admitted to taking the items with the emulator. So that makes me a liar... then was I lying about it? Guess so. And if you didn't believe it was possible (since you think I'm a liar), then I didn't steal anything and I'm not a thief/liar. I think you proved yourself wrong. I don't get it, I can't be a liar/thief if it wasn't possible.



Thanks for letting us all know about the issue with the vending machine, I do mean that sincerely. Now, I believe you need to go sit on the bench, you aren't exactly on the "he's a good guy list" . You have way too much cocky attitude toward people for what your part in all of this was.

Shame on you for stealing.
Starax Statosky
Unregistered User
Join date: 23 Dec 2003
Posts: 1,099
12-18-2005 17:33
because she misspelt "too"! :)