Security Breach Because of SL Blog?
Von Tripp
Registered User
Join date: 28 Apr 2006
Posts: 6
09-09-2006 03:57
At least LL was smart enough to segregate the CC info (to what extent is to be known). Shame about the real name and address info. It wasn't necessary to expose this to the web servers. In SL this is just as important as CC info.
Osgeld Barmy
Registered User
Join date: 22 Mar 2005
Posts: 3,336
09-09-2006 04:01
This is shit happens? Tell that to all the tee-ed off SL residents calling their credit card companies, changing PayPal passwords etc etc. Cry sorrow misery. Since the dawn of the public internet it's been widely stated to use credit cards just for internet use; in the early 90s there were movies about ID theft etc etc. This didn't just pop up yesterday. Besides, if the worst happens, which it did to me on the 1st of this month with some gas station receipts... lame considering I used to pull the same stunts in 1989 (and got busted for it)... you spend a whole 10 seconds online, or 5 min on the phone, problem solved; you will get your new card within 5-10 biz days and your account transferred within the next biz day.
Osgeld Barmy
Registered User
Join date: 22 Mar 2005
Posts: 3,336
09-09-2006 04:02
> Shame about the real name and address info. It wasn't necessary to expose this to the web servers. In SL this is just as important as CC info.

I agree, altho I've been getting snail mail spam from ppl in a city 10 hours away lately; it's the new telemarketing thing I guess.
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 04:25
> Shame about the real name and address info. It wasn't necessary to expose this to the web servers. In SL this is just as important as CC info.

Ah, you design web interface systems for thousands of users? And are a security expert? I doubt it. Why? Because anyone who's been in that line of work knows for a goddamn FACT that the only way to be absolutely positive you have your data secured is to unplug the computer, bury it in wet concrete, and set a security guard on it. And that only works if the security guard does NOT have a jackhammer. If the data can be inserted and altered by the web interface, then it very likely can be accessed by those with the right knowledge. Programmers base their designs around the idea that the tools (php, mysql, etc) do what they SAY they are going to do. They secure things according to the laws available to them at the time of the design. When exploits are found, it's like finding out that your bank robber can walk through walls. It's frustrating at best, a situation like this at worst.
Yiffy Yaffle
Purple SpiritWolf Mystic
Join date: 22 Oct 2004
Posts: 2,802
09-09-2006 07:22
Isn't the Blog third party web software? I seriously don't think they made the blog. They didn't make the forums. It's clearly an Invision board.
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
09-09-2006 09:14
> They didn't make the forums. It's clearly an Invision board.

Scroll all the way to the bottom of this page. Now, go up a couple of lines. (You'll see it's an ancient version of vBulletin, which is teeming with vulnerabilities.)
_____________________
A man without religion is like a fish without a bicycle.
Soleil Mirabeau
eh?
Join date: 6 Oct 2005
Posts: 995
09-09-2006 09:15
Two issues. Both front page diggs. But imagine if it turns out they were related. Wow. Where is the other one?
Joshua Nightshade
Registered dragon
Join date: 12 Oct 2004
Posts: 1,337
09-09-2006 09:43
Copying and pasting between threads is awesome. I concur.
_____________________
Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Huns Valen
Don't PM me here.
Join date: 3 May 2003
Posts: 2,749
09-09-2006 14:56
Let me get this right. Linden Labs used public domain unvetted software on one of their web servers which had direct access to the main personal information database. They are idiots, and if this happened at my company, both the IT director and the CTO would be fired on the spot. Heads must roll for such a basic IT security mistake with such major ramifications. Any organisation storing customer information has to compartmentalise the security systems, so that the web sites using public domain software only have access to the information that they need, usually via a separate, one-way data feed. Is there any way to secure data 100% without dropping the hard drive containing it into a volcano? No. But, in this case, it would seem they took an unnecessary risk. It does take more time to do this "the right way," but if they had done so, that 1337 0-dAy sP10i7 would have resulted only in some minor irritation, vs. exposing sensitive customer data.
Gigs Taggart
The Invisible Hand
Join date: 12 Feb 2006
Posts: 406
09-09-2006 15:01
> Let me get this right. Linden Labs used public domain unvetted software.

Open source software is not public domain, and it's not unvetted. Try again.
Gigs Taggart
The Invisible Hand
Join date: 12 Feb 2006
Posts: 406
09-09-2006 15:04
> Someone on Slashdot stated that the SL Blog runs on the same MySQL cluster where the main-account passwords and payment information resides.

That would have been me. I'm just guessing. It does seem like it's all the same cluster running everything, considering the pattern of outages and what they affect.
Broccoli Curry
I am my alt's alt's alt.
Join date: 13 Jun 2006
Posts: 1,660
09-09-2006 15:22
> Scroll all the way to the bottom of this page. Now, go up a couple of lines. (You'll see it's an ancient version of vBulletin, which is teeming with vulnerabilities.)

Um... doesn't that show people that it was ripe for hacking, by advertising the exact version number? I wonder if this was the same kind of thing that got Torley hacked a while back?

Broccoli
Joshua Nightshade
Registered dragon
Join date: 12 Oct 2004
Posts: 1,337
09-09-2006 15:27
> Um... doesn't that show people that it was ripe for hacking, by advertising the exact version number? I wonder if this was the same kind of thing that got Torley hacked a while back? Broccoli

With WordPress it's default in the theme that most sites use, which plugs the version number of the software right in the front page of the site, as at the bottom of this board. The version of WordPress being utilized by the system for the LL blog is available in its RSS feed: http://blog.secondlife.com/feed/ The version they have installed is v 2.0.2, which is out of date by about six months. http://wordpress.org/development/2006/03/security-202/ I personally hide the version number in both my normal site and my feeds to make it harder for anyone interested in attacking my site to find out what vulnerabilities they don't have to bypass. But that's just me.
_____________________
Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
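The post above points out that a WordPress feed advertises its generator version. A site owner who wants to confirm their own feeds no longer leak it can run a small check like the one below. This is an added example, not code from the thread or from WordPress; the feeds are constructed inline (an RSS 2.0 channel with the version in the generator URL's query string, an Atom feed with it in a `version` attribute, and a stripped feed), not captures of blog.secondlife.com.

```python
import re
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 feed in the shape WordPress 2.x emitted by default:
# the <generator> element carries the version in its query string.
SAMPLE_RSS_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Blog</title>
    <link>http://blog.example/</link>
    <generator>http://wordpress.org/?v=2.0.2</generator>
    <item><title>First post</title></item>
  </channel>
</rss>"""

# Constructed Atom feed: Atom carries the version as an attribute instead.
SAMPLE_ATOM_FEED = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Blog</title>
  <generator uri="http://wordpress.org/" version="2.0.2">WordPress</generator>
</feed>"""

# Constructed feed with the generator element removed (the hardened state).
SAMPLE_CLEAN_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example Blog</title></channel></rss>"""

# A "v=" query parameter holding a dotted version number.
VERSION_IN_QUERY = re.compile(r"[?&]v=([0-9]+(?:\.[0-9]+)*)")


def _local_name(tag):
    # ElementTree spells namespaced tags as "{uri}name"; keep only "name"
    # so the same check works for RSS (no namespace) and Atom.
    return tag.rsplit("}", 1)[-1]


def find_generator_leak(feed_xml):
    """Return {'generator': ..., 'version': ...} for the first generator
    element in the feed, or None when the feed does not advertise one.
    'version' is None when a generator is present but carries no version."""
    root = ET.fromstring(feed_xml)
    for elem in root.iter():
        if _local_name(elem.tag) != "generator":
            continue
        text = (elem.text or "").strip()
        uri = elem.get("uri", "")
        version = elem.get("version")  # Atom style
        if version is None:  # RSS style: look in the URL query string
            m = VERSION_IN_QUERY.search(text) or VERSION_IN_QUERY.search(uri)
            version = m.group(1) if m else None
        return {"generator": text or uri, "version": version}
    return None


if __name__ == "__main__":
    for label, feed in (("rss", SAMPLE_RSS_FEED),
                        ("atom", SAMPLE_ATOM_FEED),
                        ("clean", SAMPLE_CLEAN_FEED)):
        print(label, find_generator_leak(feed))
```

Running it against a live feed is a matter of fetching the URL and passing the body to `find_generator_leak`. In WordPress the element comes from the `wp_generator` action on `wp_head` and the `the_generator` filter used by the feed templates; removing that action and filtering the generator string to empty is the usual way to stop the leak. As the post itself notes, the installed version was months behind the security release, so hiding the string is a complement to updating, not a replacement for it.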
Yiffy Yaffle
Purple SpiritWolf Mystic
Join date: 22 Oct 2004
Posts: 2,802
09-09-2006 15:48
> Scroll all the way to the bottom of this page. Now, go up a couple of lines. (You'll see it's an ancient version of vBulletin, which is teeming with vulnerabilities.)

Gah, well I made a mistake on brands. Odd though cuz I remember a topic about Invision boards after Torley got hacked that time a while back. :/ Oh well. Yea, it is a rather old version too... Not sure why they haven't updated it, but if they're about to kill the forums it doesn't matter. :/
Yiffy Yaffle
Purple SpiritWolf Mystic
Join date: 22 Oct 2004
Posts: 2,802
09-09-2006 16:25
LL should switch to Invision anyway. I'd like to have a draggable 'My assistant' window, to alert me about stuff hehe.
Joshua Nightshade
Registered dragon
Join date: 12 Oct 2004
Posts: 1,337
09-09-2006 16:33
> LL should switch to Invision anyway. I'd like to have a draggable 'My assistant' window, to alert me about stuff hehe.
_____________________
Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
09-09-2006 16:34
> This is correct. Here's how it is done: Each important thing gets its own user account and home directory, and everything is chmod'ed so that the accounts can't see each other's stuff. There is also zero visibility between the databases - they have different MySQL users set up and each user has permission to access its schema only. I haven't had a situation where one app needed to see another's tables, but if that happened I would either use a cron job to squirt it into a table both apps could see, or set up a view (if MySQL ever got around to supporting views). AFAIK this is the favored approach in information security. Letting a wiki see columns containing people's RL info, when it should not have access to that at all, just isn't done. It's an unnecessary risk.
>
> Is there any way to secure data 100% without dropping the hard drive containing it into a volcano? No. But, in this case, it would seem they took an unnecessary risk. It does take more time to do this "the right way," but if they had done so, that 1337 0-dAy sP10i7 would have resulted only in some minor irritation, vs. exposing sensitive customer data.

Yup. It may require being a little more complex than this but, in principle, this is exactly what should happen. Apps that don't require access to certain information should not be granted that access by default.
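The quoted design above is one MySQL user per application, each granted its own schema and nothing more. The script below is an added example, not from the thread or from Linden Lab, of how an operator could check that rule against `SHOW GRANTS` output and emit the scoped grants for a new application. The grant lines, schema names (`wp_blog`, `accounts`) and account names are constructed for the example; the parser handles the `GRANT ... ON db.tbl TO 'user'@'host'` shape that MySQL prints, ignoring trailing clauses such as `WITH GRANT OPTION`.

```python
import re

# Constructed `SHOW GRANTS` output for several application accounts. The
# first line is the pattern the thread objects to: a blog account that can
# reach every schema. The last line is a subtler version of the same mistake.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'blog'@'%' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wp_blog`.* TO 'blog_app'@'10.0.1.5'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `accounts`.* TO 'accounts_app'@'10.0.1.6'",
    "GRANT SELECT ON `accounts`.* TO 'blog_app'@'10.0.1.5'",
]

# Schemas holding real-name, address or payment data, mapped to the one
# application account that is allowed to touch them (constructed names).
SENSITIVE_SCHEMAS = {"accounts": "accounts_app"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']+)'@'(?P<host>[^']+)'",
    re.IGNORECASE,
)


def parse_grant(line):
    """Parse one SHOW GRANTS line into its parts, or None if it is not a GRANT."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    db, _, table = m.group("scope").replace("`", "").partition(".")
    return {
        "privs": [p.strip().upper() for p in m.group("privs").split(",")],
        "db": db,
        "table": table,
        "user": m.group("user"),
        "host": m.group("host"),
    }


def audit_grants(lines):
    """Return (account, reason) findings for grants that break per-app isolation."""
    findings = []
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        who = f"{g['user']}@{g['host']}"
        if g["db"] == "*":
            findings.append((who, "global grant on *.* reaches every schema"))
        if "ALL PRIVILEGES" in g["privs"]:
            findings.append((who, "ALL PRIVILEGES instead of an explicit list"))
        if g["host"] == "%":
            findings.append((who, "wildcard host; restrict to the app server"))
        owner = SENSITIVE_SCHEMAS.get(g["db"])
        if owner is not None and g["user"] != owner:
            findings.append((who, f"non-owner access to sensitive schema '{g['db']}'"))
    return findings


def scoped_grants(user, host, schema, privs=("SELECT", "INSERT", "UPDATE", "DELETE")):
    """Statements giving one application account one schema and nothing else."""
    return [
        f"CREATE USER '{user}'@'{host}' IDENTIFIED BY '<password placeholder>';",
        f"GRANT {', '.join(privs)} ON `{schema}`.* TO '{user}'@'{host}';",
    ]


if __name__ == "__main__":
    for account, reason in audit_grants(SAMPLE_GRANTS):
        print(f"{account}: {reason}")
    print("\n".join(scoped_grants("blog_app", "10.0.1.5", "wp_blog")))
```

The audit reports four findings on the sample: three for the `'blog'@'%'` superuser (global scope, `ALL PRIVILEGES`, wildcard host) and one for the `SELECT` on `accounts` handed to the blog account, which is exactly the "wiki sees RL info" case in the quoted post. The grants returned by `scoped_grants` pass the same audit cleanly.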
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
09-09-2006 16:35
Josh, stop it! The people in the library are going to start looking at me funny again, the way I'm giggling!
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
Joshua Nightshade
Registered dragon
Join date: 12 Oct 2004
Posts: 1,337
09-09-2006 16:39
> Josh, stop it! The people in the library are going to start looking at me funny again, the way I'm giggling!

Your library friends should think no differently of you than my coworkers do of me. I hope you're registered at SC, Alex. ;D
_____________________
Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
09-09-2006 16:41
> Your library friends should think no differently of you than my coworkers do of me. I hope you're registered at SC, Alex. ;D

Ahaha ... haha ... ha. No. Well, yes, but I don't go there. Umm ... There was a funny bit of drama surrounding that whole thing ...
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
Joshua Nightshade
Registered dragon
Join date: 12 Oct 2004
Posts: 1,337
09-09-2006 16:42
> Ahaha ... haha ... ha. No. Well, yes, but I don't go there. Umm ... There was a funny bit of drama surrounding that whole thing ...

Drama? In SL?
_____________________
Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
09-09-2006 16:43
> Drama? In SL?

On an unrelated (I'm lying; it's very related) note, Mulch doesn't like me very much.
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
Joshua Nightshade
Registered dragon
Join date: 12 Oct 2004
Posts: 1,337
09-09-2006 16:45
> On an unrelated (I'm lying; it's very related) note, Mulch doesn't like me very much.

Mulch can't think with much beyond his penis. He's like a single-celled organism in that respect. Like = sex & food. Dislike = hot and Prok. By those standards as a dark elf I'm sure Mulch likes you very much. No I kid. I love Mulchie. What'd the sonofabitch do?
_____________________
Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
09-09-2006 16:47
> Mulch can't think with much beyond his penis. He's like a single-celled organism in that respect. Like = sex & food. Dislike = hot and Prok. By those standards as a dark elf I'm sure Mulch likes you very much. No I kid. I love Mulchie. What'd the sonofabitch do?

Actually, I left over the avatar thing. It's long and involved and messy and dumb and not something I'm anxious to get back into. Also, I have to go soon. They do close this place early today. (I can't wait 'till I get a computer again!) But I've also been ... honest ... about my opinion of SC, which truthfully is less than flattering. Okay, I have like less than a minute left. I have to go. We can talk more about this later if you really want.
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
Joshua Nightshade
Registered dragon
Join date: 12 Oct 2004
Posts: 1,337
09-09-2006 16:48
> Actually, I left over the avatar thing. It's long and involved and messy and dumb and not something I'm anxious to get back into. Also, I have to go soon. They do close this place early today. (I can't wait 'till I get a computer again!) But I've also been ... honest ... about my opinion of SC, which truthfully is less than flattering. Okay, I have like less than a minute left. I have to go. We can talk more about this later if you really want.

::hugs!::
_____________________
Visit in-world: http://tinyurl.com/2zy63d http://shop.onrez.com/Joshua_Nightshade http://joshuameadows.com/