Welcome to the Second Life Forums Archive


no wonder the security updates...

eku Zhong
Apocalips = low prims
Join date: 27 May 2008
Posts: 752
10-11-2008 01:47
Kind of an eye opener ...
http://uk.youtube.com/watch?v=YSWgPQvC3s8
Dilbert Dilweg
Loading....
Join date: 27 Jun 2006
Posts: 500
10-11-2008 02:11
Interesting. But it doesn't surprise me 1 bit. I will be watching to see how the bot project goes. That can be a chilling thought.. May result in grids being down for hours again lol.. Thanks for posting that tho. Everything he says seems right on. Since LL has also now disabled IFrames for the SLURL site in the last couple of days.. IFrames are cool but risky business.
_____________________
Founder of Sweethearts Singles Dating Site
http://date.sweetheartsjazz.com

Visit our Social network Site
http://www.sweetheartsjazz.com

To Visit us in World
Sweethearts jazz
http://slurl.com/secondlife/Sweethearts/197/148/24
Love everyone :D
Tod69 Talamasca
The Human Tripod ;)
Join date: 20 Sep 2005
Posts: 4,107
10-11-2008 02:52
Seen it. Old news. But useful to know of.
_____________________
really pissy & mean right now and NOT happy with Life.
Damanios Thetan
looking in
Join date: 6 Mar 2004
Posts: 992
10-11-2008 02:55
The info on 'stealing accounts' on that video was pretty vague.
The things mentioned:

1. hacking the password encryption through iFrames (slurls, already fixed)
2. hacking the password through open HTTP requests from the client (fixed in the latest security update and earlier updates) (also considering 3rd party attacks using UDP, although not clearly mentioned in the video.)
3. hacking the client through code injection using QuickTime (parcel media streams), no idea of current status. I think the latest security fix did 'something' to prevent this. (The QuickStream hack can still be used to get IP info of clients, but cleartext UDP attacks using this vector are fixed.) But inconclusive.


The rest of the video mostly talked about using LSL commands to attack servers and send spam through LL servers (sims). This stays possible. The most important 'fixes' LL has done in this area are adding (incremental) delays and caps to the amount of requests that can be sent through scripts atm.

Also, although the attacks will register as being sent from Linden Lab domains, it's pretty easy for LL to figure out from which scripted object the attack originated, find the creator and get their account data (email, IP etc.).

Of course it's possible to make the objects in SL anonymous, by using scripts and objects which have other creators, then making sure they are incorporated into freebies which are then distributed (so the owner tag is different too).
Generally the work involved to do this and be untraceable is enough of a deterrent that most ill-willing people won't bother a lot with this.

Sadly LL can't 'fix' LSL-based server attacks without seriously nerfing existing functionality or building very complex recognition algorithms to prevent stuff like HTTP form SQL injections. (Which is not their primary responsibility in the first place.)

It's possible for them to build in improved logging of who the 'real' creator of a specific script is though, by registering the complete log of any account that made any changes to any script. Maybe LL is already logging this, but I doubt it ;)


Glad I'm a good guy ;)
_____________________
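The post above describes the mitigation LL applied on the sim side: per-script caps on outbound requests plus incremental delays once a cap is hit. The following is an added example written for this thread, not Linden Lab code and not LSL; it models that policy as a server-side throttle in Python. The cap, window length, base delay and the doubling schedule are assumptions chosen for illustration, and the request timeline fed to it is constructed.

```python
"""Server-side throttle for outbound requests from scripted objects.

Added example modelling the "incremental delays and caps" mitigation
discussed in the thread. All numbers are assumed illustrative values,
not Linden Lab's actual limits.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ThrottleState:
    window_start: float          # start time of the current counting window
    count: int = 0               # requests seen in the current window
    strikes: int = 0             # consecutive windows in which the cap was hit
    blocked_until: float = 0.0   # absolute time until which requests are refused


@dataclass
class RequestThrottle:
    cap_per_window: int = 25        # assumed: max requests per object per window
    window_secs: float = 20.0       # assumed: length of the counting window
    base_delay: float = 30.0        # assumed: first penalty delay in seconds
    max_delay: float = 1800.0       # assumed: penalty delay never grows past this
    _state: Dict[str, ThrottleState] = field(default_factory=dict)

    def check(self, object_id: str, now: float) -> Tuple[bool, float]:
        """Decide one request from `object_id` at time `now`.

        Returns (allowed, retry_after_seconds). The penalty doubles with each
        consecutive over-cap window (incremental delay) and decays one step
        for every clean window, so a one-off burst is forgiven quickly while
        a persistent flood is slowed to a crawl.
        """
        st = self._state.setdefault(object_id, ThrottleState(window_start=now))

        # Still serving a penalty: refuse and tell the caller how long is left.
        if now < st.blocked_until:
            return False, st.blocked_until - now

        # Roll the counting window forward; a window that stayed under the cap
        # earns back one strike.
        if now - st.window_start >= self.window_secs:
            if st.count < self.cap_per_window:
                st.strikes = max(0, st.strikes - 1)
            st.window_start = now
            st.count = 0

        # Cap reached inside this window: apply the escalating delay.
        if st.count >= self.cap_per_window:
            st.strikes += 1
            delay = min(self.base_delay * (2 ** (st.strikes - 1)), self.max_delay)
            st.blocked_until = now + delay
            return False, delay

        st.count += 1
        return True, 0.0

    def strikes_for(self, object_id: str) -> int:
        """Current strike count, useful for flagging objects to moderation."""
        st = self._state.get(object_id)
        return st.strikes if st else 0


def simulate(throttle: RequestThrottle,
             events: List[Tuple[str, float]]) -> List[Tuple[float, bool, float]]:
    """Run a constructed (object_id, timestamp) timeline through the throttle.

    Returns one (timestamp, allowed, retry_after) tuple per event.
    """
    return [(t, *throttle.check(obj, t)) for obj, t in events]


# Constructed timeline: one object fires five requests in five seconds,
# keeps going past the cap, retries during the penalty, then comes back later.
SAMPLE_EVENTS = [("spam-obj", float(t)) for t in range(6)] + [
    ("spam-obj", 10.0),   # still inside the penalty window
    ("spam-obj", 36.0),   # penalty expired, new counting window
]


def run_sample() -> List[Tuple[float, bool, float]]:
    throttle = RequestThrottle(cap_per_window=5, window_secs=10.0,
                               base_delay=30.0, max_delay=300.0)
    return simulate(throttle, SAMPLE_EVENTS)


if __name__ == "__main__":
    for ts, ok, wait in run_sample():
        print(f"t={ts:5.1f}  {'allowed' if ok else 'blocked'}  retry_after={wait:.0f}s")
```

The strike counter is the piece worth keeping an eye on: a script that keeps hitting the cap climbs the doubling schedule and becomes a natural candidate for the creator lookup described in the post, while an honest script that bursts once is back to normal within a window or two.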
Kidd Krasner
Registered User
Join date: 1 Jan 2007
Posts: 1,938
10-11-2008 05:01
Damanios, thanks for posting that summary. I find most such lecture videos to be incredibly painful to watch (and this is no exception, starting with the porn music). It helps to have some sense of the contents to get me past the first thirty seconds.
Alicia Sautereau
if (!social) hide;
Join date: 20 Feb 2007
Posts: 3,125
10-11-2008 07:22
According to reports at the time that a lot of debit scripts were added to freebies by altered scripts, LL CAN see who modified scripts; I think they even said that they could.