Not Again

Friday, IntLibber Brautigan posted a warning of an exploit allowing technically savvy residents to “capture ATM scripts in bytecode format”. This is a significant development given the number of successful Second Life businesses that use LSL scripts to transfer goods and money -- an un-patched exploit could be a significant blow to the in-world economy.

*If* it's true, the fact that they explain what the basic steps are is a bit disconcerting...

I won't post another post on my views of security through obscurity since I've made it fairly clear in quite a few other posts on these forums so I won't bore you by repeating myself.

“with the code obtained, one can make an SLX terminal give you ANY product listed on SLX for free in any quantity or clean out the avatar owning the ATM - all their money - these capabilities have been tested I am told”.

Some observers are concerned that this sort of exploit could destabilize the in-world economy, and Mr. Brautigan reports that his source “has already notified Soft Linden about this vulnerability - he also tried to notify SLX but they said ‘our system is uncrackable’".

Yes SLX is completely compromised. The bytecode can be decompiled and by looking at those scripts one can do just about anything.
I have the code in its entirety.
Additionally:
We are attacking the grid again. Our weapons actually don't directly attack the asset servers. When an object replicates all copies are a reference to the same asset but when our weapons replicate so fast and we are getting over twenty thousand of them returned per minute due to autoreturn it creates an asset for each and every one of them. We are also currently experimenting with disrupting SLX communications in-world since the admins got smart and began filtering our DDoS attacks.
We're demanding that [Name Removed for SL forum] be banned or she issue a public apology for being a french biggot and pedophile. Until [Name Removed for SL forum] is banned SLX will continue to be the target of ongoing attacks. [Name Removed for SL forum] doesn't make much money here anyways so the admins are just trying to be stubborn thinking that they can report us the the FBI and that will solve the problem. We aren't going anywhere, SLX. Comply or you will be dismantled.
If any of you are getting tired of the attacks you could simply move over to onrez and leave this [censored for SL forum]fest behind. You could PM the admins and beg them to comply. They likely will not listen but it doesn't matter to me or my associates if they go out of business.

You can also expect a delay on responses from support emails since we have spammed their inbox and Apotheus Silverman's personal email which can be obtained from a simple WHOIS on the domain.
I think the best part is that we can attack Second Life while we attack SLX. It's very convenient.

-DiSSENT

ATM's dont' handle product deliveries. The SLX MAgic Boxes do that.


right?

The scripts above aren't ATM scripts. They are excerpts from the SLX Magic Box, something you can't use to steal things from SLX. Also to get script bytecode from things, you have to own the stuff yourself. As the ATM aren't given out, the ATMs so far are safe.

If there was any danger to our customers and merchants, we'd disable item purchases and money transfers until the issue was resolved. I plan to post an announcement with a more complete explanation later today. Suffice to say this isn't the first time our LSL code has been compromised and attempted to use against us, I doubt it will be the last, and SLX was designed with that likely possibility in mind right from the start.

I have to say that I automatically discount _anything_ I read in the Herald about scripting or technical issues generally. At best it will be a bizarre distortion of the actual situation; at worst, just simply made up.

There is an article over at the Herald today which talks about some of our in-world scripts being disclosed via a new Second Life exploit. I just wanted to post here to reassure you all that there is no reason to worry; there is no security breach. Your account information, your items, and your L$ and USD are safe.

SL Exchange has been a viable and reliable service functioning securely with and within Second Life for almost four years. Shortly after first launching the site it became obvious that LSL scripts should not be "trusted" to A) work correctly or B) be secure. It is for that reason that the bulk of our security as well as nearly all of our logic / intelligence resides on our own servers. Furthermore, these routines have been specifically engineered and fine-tuned over the years so that problems with Second Life such as technical failures, security exploits, or whatever else, will have the least effect possible to SL Exchange.

This isn't the first time our source code has been compromised and there is more to read on the subject if you search our forums. I'll refrain from repeating it here so that only those few of you who care about the details will have to read it.

This bug remains and was replicated last night with a simple 'hello avatar' script.

While that does indeed comfort me about SLX's security, I am still bothered by the thought that it might (and I'm not at all convinced yet) be possible to perform the same voodoo with other items, such as all those thousands of other fine and fancy scripted items for sale in-world.

.