Any advice to help me not feel guilty that doesn't involve risk of being banned?
|
|
TigroSpottystripes Katsu
Join date: 24 Jun 2006
Posts: 556
|
05-07-2009 17:07
I became aware of a security exploit involving, among other things, the risk that people will lose money under certain circumstances. LL has already been informed about it by another person, and it seems that person might have been punished for warning people about the existence of the exploit, even though the person didn't mention any details of the procedure involved in using the exploit nor the exact areas hit by it, according to my interpretation of what the person said.
I believe that if I say anything else about the exploit or how I learned about it I risk being punished by LL (whether such punishment will happen or not, and whether it is deserved or not, should not be discussed in this forum I guess), but I feel guilty leaving people unaware of the details and such (since perhaps there might be a way to make oneself safe while it isn't fixed, though I lack the technical knowledge to make myself safe or even check if I'm not safe already, which would include using the exploit against myself to see if it works on me; I don't know how to use it). Any advice?
|
|
JamesMichael Morane
Chooses Liberty!!!
Join date: 13 Feb 2008
Posts: 421
|
05-07-2009 17:16
What kind of exploit? You mean stealing money? You never really said what happens using the exploit.
_____________________
I'm watching FDR on steroids right now.....it's sick, sad. /me sobs.
|
|
TigroSpottystripes Katsu
Join date: 24 Jun 2006
Posts: 556
|
05-07-2009 17:18
I would rather not give any more details about the exploit, in case I'm already too close to the line that whoever decides punishments on these things feels like drawing when they read what I write here.
|
|
Amity Slade
Registered User
Join date: 14 Feb 2007
Posts: 2,183
|
05-07-2009 17:21
Don't rely on what you know from your friend. Report it yourself, and see what response Linden Lab gives you.
If it is something that Linden Lab is irresponsibly brushing off by not giving appropriate warning, you would be doing a lot of people a favor by warning them to protect themselves against theft.
However, it's possible that Linden Lab is working on it as fast as possible, and a warning will just cause more people to be exploited (through more scammers knowing about it) if you put out the warning.
With a security problem like this, there are times when keeping it quiet is the best course, and publishing it is the best course. It sounds like you don't have enough facts to know which situation this is. You should pursue all of your channels with Linden Lab personally before making a decision as to what to do.
Whatever you decide, don't do it unless you feel like you have the best information to make the decision.
|
|
Kenbro Utu
Registered User
Join date: 26 Sep 2006
Posts: 483
|
05-07-2009 17:22
An actual security exploit can be reported to LL by a secure channel, and should be. http://wiki.secondlife.com/wiki/Security_issues
By trying to publicly report an unpatched security exploit, you risk informing those who would endeavor to use it for ill gains, and would probably increase the real risk to the multitude of residents who never come here or would not even be likely to hear about it through other forums or even the grapevine. That is my take.
|
|
Toy LaFollette
I eat paintchips
Join date: 11 Feb 2004
Posts: 2,359
|
05-07-2009 17:27
I don't give one-sided stories any weight.
_____________________
"So you see, my loyalty lies with Second Life, not with Linden Lab. Where I perceive the actions of Linden Lab to be in conflict with the best interests of Second Life, I side with Second Life."-Jacek
|
|
TigroSpottystripes Katsu
Join date: 24 Jun 2006
Posts: 556
|
05-07-2009 17:29
The thing is, with security exploits, if you reveal the other side you risk being punished by LL; the flow of information is quite restricted in such cases.
|
|
Amity Slade
Registered User
Join date: 14 Feb 2007
Posts: 2,183
|
05-07-2009 17:34
Actually, I've changed my mind.
Report it to Linden Lab yourself, and follow their procedure.
That way, if Linden Lab does mishandle the situation, then they may have some legal liability to whomever loses money to the exploit. That at least provides a potential source of compensation to those who lose money.
The more we cooperate with Linden Lab's procedures, the more responsibility rests on them, and the more potential legal liability they have for screwing up.
If your revealing the exploit does more bad than good in the end- and you broke Linden Lab TOS to make the reveal, then you potentially have legal liability. Don't expose yourself.
If someone is going to mess up, I would rather it be Linden Lab than another resident. Linden Lab is the better lawsuit target.
Linden Lab has a duty to protect our information and money, give them every fair chance to do it. Only if you give them every fair chance to do it can we sue them if they mishandle it.
Oh, and save proof that you reported the exploit and did everything to make Linden Lab aware of it. So if they do mishandle it, the proof you save can actually help people recover from Linden Lab.
That's your guilt-free solution. You do your best to stop people getting ripped off by doing all you can to report it to Linden Lab. If that fails, your documentation of reporting could help people recover what they lose from Linden Lab, should Linden Lab not adequately deal with the problem.
|
|
Darien Caldwell
Registered User
Join date: 12 Oct 2006
Posts: 3,127
|
05-07-2009 17:42
I read the exploit he posted to JIRA, since it was sent out on the JIRA email list. Frankly, I don't think 99% of people have the technical know-how to pull off such a stunt. It's pretty much one of those things only someone who knows all the specific details of what the exploit is could pull off, and therefore shouldn't be broadcast all over the place. Nothing to feel guilty about.
|
|
TigroSpottystripes Katsu
Join date: 24 Jun 2006
Posts: 556
|
05-07-2009 17:56
You kinda half did what I'm afraid to do by mentioning the list... though it's probably worse than if I had explained all the details, since it's not everyone that knows enough about the list to get the info, and those who know are more likely to also have the knowledge to use the exploit...
|
|
TigroSpottystripes Katsu
Join date: 24 Jun 2006
Posts: 556
|
05-07-2009 18:00
The good news is I just got a comment from Soft in the SEC issue I created to make sure it was there, and according to him, they already have a fix pending.
|
|
RobbyRacoon Olmstead
Red warrior is hungry!
Join date: 20 Sep 2006
Posts: 1,821
|
05-07-2009 18:33
From: Toy LaFollette
> I don't give one-sided stories any weight.
While I agree that is a good policy in general, I was myself quite recently the victim of someone who exploited some recent server problems and by doing so managed to completely drain my L$ balance. I don't know whether the OP's talking about something even remotely similar, but I wouldn't dismiss it out of hand.
|
|
Jahar Aabye
Registered User
Join date: 14 Mar 2007
Posts: 58
|
05-07-2009 18:45
1. All L$ transactions are recorded. Past exploits that allowed people to steal L$ from another resident's account all left records. In the event that someone were to use such an exploit, it is extremely likely that it could be traced, and as long as such fraud could be confirmed, LL usually returns stolen L$ to the rightful owner. This is, for example, why Linden Lab has warned people about buying L$ from third-party sites that have little or no fraud protection, because LL will eventually return the stolen L$.
2. There is a reason why SEC JIRAs and security@LindenLab.com emails are secure and confidential. While the vast majority of exploits benefit from being revealed and preventing "security through obscurity," there are some exploits that need to be kept under wraps until a fix can be implemented. This sounds like it is one of them.
I understand that you want to help prevent people from being scammed, but please understand that all that you would accomplish by discussing this here is to alert people to this possibility. As it is, simply by posting this here, some people may start trying to track down this exploit.
Normally I detest "security through obscurity," but these sorts of exploits are ones where it really is the best option.
Soft's a good guy, if he says it's being fixed, it's being fixed.
|
|
Ceka Cianci
SuperPremiumExcaliburAcc#
Join date: 31 Jul 2006
Posts: 4,489
|
05-07-2009 20:42
oh i know what it is!! one second i think someone is at the door..brb hi stranger with a knife and an SL tee shirt and black mask may i help yuuuu uuuulllllllllllggggggggggggggggggggg? Thug 1: Check the forum..see if she posted anything yet.. Thug2: Roger that!!! just something about our new definition of a troll!! Sarge!! Thug1: hey i thought that was a good definition if you ask me.. Thug2: ya right. Thug1: ok lets get the body and get out of here.. Thug2: Roger that!!!
|
|
Tegg Bode
FrootLoop Roo Overlord
Join date: 12 Jan 2007
Posts: 5,707
|
05-08-2009 00:35
From: Ceka Cianci
> oh i know what it is!! one second i think someone is at the door..brb hi stranger with a knife and an SL tee shirt and black mask may i help yuuuu uuuulllllllllllggggggggggggggggggggg? Thug 1: Check the forum..see if she posted anything yet.. Thug2: Roger that!!! just something about our new definition of a troll!! Sarge!! Thug1: hey i thought that was a good definition if you ask me.. Thug2: ya right. Thug1: ok lets get the body and get out of here.. Thug2: Roger that!!!
Thug1: Get anyone's name who has viewed the thread so we can kill them too, then we have to kill each other as we've seen too much.
_____________________
Level 38 Builder [Roo Clan]
Free Waterside & Roadside Vehicle Rez Platform, Desire (88, 17, 107)
Avatars & Roadside Seaview shops and vendorspace for rent, $2.00/prim/week, Desire (175,48,107)
|