New item theft exploit.
|
|
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
|
07-28-2008 14:13
Seems there has been a hole in the system that has allowed some thieves to literally steal items right off someone else. They can take full items, scripts and all. This does not just mean no copy items..any, but the permissions and creator remain on the copy. More explanation in this thread: http://www.sluniverse.com/php/vb/general-sl-discussion/14681-items-stolen-directly-your-inventory.html

I post this so that you can be mindful to not wear your no copy attachments out or leave no copy items around that you value. Protect your stuff.. it is only items to the thieves but to us it is money spent.

---------
See forum GUIDELINES, link above. "Trolling (...written with the intent of inciting or getting argumentative opinions)...[is] strongly discouraged."- Katt Linden
_____________________
From: Natalie P from SLU
Second Life: Where being the super important, extra special person you've always been sure you are (at least when you're drunk) can be a reality!
From: Ann Launay
I put on my robe and wizard ha... Oh. Nevermind then.
|
|
Colette Meiji
Registered User
Join date: 25 Mar 2005
Posts: 15,556
|
07-28-2008 14:24
wow interesting.
So if your items are not in one of the updated regions (or you aren't if it's something you're wearing) then you are at risk, right?
Or maybe my stuff is already gone .. bla. (least a small chance anyhow)
|
|
Zaphod Kotobide
zOMGWTFPME!
Join date: 19 Oct 2006
Posts: 2,087
|
07-28-2008 14:26
I stole your shoes and gave them to Brenda.

From: Colette Meiji
Or maybe my stuff is already gone .. bla. (least a small chance anyhow)
_____________________
From: Albert Einstein Problems cannot be solved at the same level of awareness that created them.
|
|
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
|
07-28-2008 14:29
From: Colette Meiji
wow interesting. So if your items are not in one of the updated regions (or you aren't if it's something you're wearing) then you are at risk, right? Or maybe my stuff is already gone .. bla. (least a small chance anyhow)

Yeah. That is what appears to be going on. I hope LL puts a speed up on getting all regions updated. This needed to be done already. I wonder how many of those missing dance items were swiped like this that were reported? Sadly the only way you know is when you take off the item or take it in. It will not be in invo. These things just get nastier and nastier as time goes by.
|
|
Colette Meiji
Registered User
Join date: 25 Mar 2005
Posts: 15,556
|
07-28-2008 14:35
From: Macphisto Angelus
Yeah. That is what appears to be going on. I hope LL puts a speed up on getting all regions updated. This needed to be done already. I wonder how many of those missing dance items were swiped like this that were reported? Sadly the only way you know is when you take off the item or take it in. It will not be in invo. These things just get nastier and nastier as time goes by.

What about things like vendors? Many of us here on the forums have stores.
|
|
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
|
07-28-2008 14:38
Wow. I haven't even thought about that. I don't want to sound the alarm bells, but if someone can nick a necklace off someone's avi complete with the bling scripts inside it would stand to reason they may be able to take a vendor that is not on a server with items inside.
Yikes.. I hope someone that understands this better can explain..
|
|
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
|
07-28-2008 14:48
This is what it seems to be able to do:

From: someone
1. It allows people to make copies of items they see, including contents.
2. They get next-owner perms on the items, as if they had been given the object.
3. In case of no-copy items..well. that item is lost to the original owner.
|
|
Lindal Kidd
Dances With Noobs
Join date: 26 Jun 2007
Posts: 8,371
|
07-28-2008 14:53
_____________________
It's still My World and My Imagination! So there. Lindal Kidd
|
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
07-28-2008 14:58
That looks more like a poorly thought through "meta issue" that is in no way related to what the OP is talking about.
|
|
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
|
07-28-2008 15:16
From: Colette Meiji
what about things like vendors? Many of us here on the forums have stores.

I am asking a couple of what if's over there Colette, you may want to follow the thread a bit to find what I hope will be the answer you are looking for.

On the jira.. LL is aware already and is already seeking to patch the hole with the roll outs. My post is more for a protect yourself in the meantime as LL is on it.
|
|
Viktoria Dovgal
…
Join date: 29 Jul 2007
Posts: 3,593
|
07-28-2008 15:22
This hole has been open for a long time and stayed at a low level, so it's probably not worth expending a lot of energy fretting over it when it's about to be closed. There may be a little rush of activity with new people trying to exploit it now that it's been made very public, but them's the breaks.
People really are basically honest by and large. Even with all the vulnerabilities, most of the items out there that could be easily ripped, aren't.
|
|
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
|
07-28-2008 15:35
Yeah, these are the kind of instances when I start becoming a believer in making exploits known outright when they are a threat.
So, some people have been in the know for a "long time", the thieves have been in the know for a "long time" and LL has been in the know for a "long time". Meanwhile we run around with the chance of losing stuff that we spent money on in the name of making sure a few dishonest people didn't get wind and try to use it.
Well, that is pretty silly logic. I would not be worried much about a necklace or something going poof, but I have a pretty nice sword I wear often that is no copy. I paid a bit for it and am not even sure if I can replace it. If I had known this earlier I would not have been wearing the thing out and about in case someone knew the trick.
There is more to be said for prevention than hiding stuff under a rock and hoping nobody finds out.. meanwhile another finds out.. and another...and another but they feel it is best to not warn others.
I dunno.. it sucks enough to put up with the asset server eating stuff but when something comes along we can prevent just by not leaving ourselves open we should be able to.
No freak out needed here.. but keep your stuff safe. That was all that was needed before.
|
|
Hypatia Callisto
metadea
Join date: 8 Feb 2006
Posts: 793
|
07-28-2008 15:37
I think this issue is more important for people who have bought no copy items. In the case of content creators, it sucks, but let's face it, no content creator is losing anything. People who have bought your no-copy products, especially if they are attachments or items typically used in attachments (cough, animations) are most at risk. A lot of people have lost their dance machines in crowded areas... Take a look at VWR-6110 and vote for that one, and then wonder how many of them were a result of this exploit. http://jira.secondlife.com/browse/VWR-6110

I've been in the process of getting rid of all my no-copy perms in preference to copy... this issue is speeding me up now.
_____________________
... perhaps simplicity is complicated to grasp.
|
|
Ollj Oh
Registered User
Join date: 28 Aug 2007
Posts: 522
|
07-28-2008 15:43
In havok4 beta days there was one short lived server version where hitting a key combination on one specific client version gave anyone god-mode within the editor-mode, giving you full perms on anything you touched in a special way in world as if you created it. I am surprised that this was not the downfall of sl.
Rather poor copy protection within sl is my reason to focus on scripting and less on modelling.
|
|
Hypatia Callisto
metadea
Join date: 8 Feb 2006
Posts: 793
|
07-28-2008 15:49
From: Ollj Oh
In havok4 beta days there was one short lived server version where hitting a key combination on one specific client version gave anyone god-mode within the editor-mode, giving you full perms on anything you touched in a special way in world as if you created it. I am surprised that this was not the downfall of sl.
Rather poor copy protection within sl is my reason to focus on scripting and less on modelling.

Everything is at risk, including scripts. If they are no-copy scripts, they are just as gone from someone's inventory as no-copy anything else.

It's issues like this that make me as a content creator move to no transfer permissions. I'm not interested in seeing my customers suffer from stuff like this. It's bad enough that I have to.
|
|
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
|
07-28-2008 15:51
Thanks for all the info you have offered today, Hypatia. You have helped a lot with answering questions.
|
|
Oryx Tempel
Registered User
Join date: 8 Nov 2006
Posts: 7,663
|
07-28-2008 15:53
From: Hypatia Callisto It's issues like this that make me as a content creator move to no transfer permissions. I'm not interested in seeing my customers suffer from stuff like this. It's bad enough that I have to.
Sigh. It's issues like this that make me want to get out of business all together. But you're right. I'm going to have to reconsider my perms again.
|
|
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
|
07-28-2008 15:59
From: Oryx Tempel
Sigh. It's issues like this that make me want to get out of business all together. But you're right. I'm going to have to reconsider my perms again.

Not a bad idea. Even if LL plugs it now who is to say that one of the future updates won't allow it again? We have seen bugs leave, then resurface in future updates. Of course reading that SLU thread it seems this was a feature gone wild.
|
|
Dana Hickman
Leather & Lace™
Join date: 10 Oct 2006
Posts: 1,515
|
07-28-2008 20:52
How would this exploit work (or would it) on "can't remove, only replace" assets such as shapes or skins? Doesn't seem like it should work on those at all...
|
|
Macphisto Angelus
JAFO
Join date: 21 Oct 2004
Posts: 5,831
|
07-28-2008 20:55
From: Dana Hickman
How would this exploit work (or would it) on "can't remove, only replace" assets such as shapes or skins? Doesn't seem like it should work on those at all...

Seems to only work on built items, not body items like skins. Of course there are other hacks already out that steal skins. Shapes, not really a way I know of yet. Though CopyBot can clone an avi's look but it resets after they log out, so no way to see the shape measurements or save the skin.
|
|
Tabliopa Underwood
Registered User
Join date: 6 Aug 2007
Posts: 719
|
07-29-2008 03:03
From: Macphisto Angelus
Yeah, these are the kind of instances when I start becoming a believer in making exploits known outright when they are a threat.
So, some people have been in the know for a "long time", the thieves have been in the know for a "long time" and LL has been in the know for a "long time". Meanwhile we run around with the chance of losing stuff that we spent money on in the name of making sure a few dishonest people didn't get wind and try to use it. ...

I'm with you on this. The thing that really annoys me after I've been ripped off, is when I'm told after the fact by an authority figure; Oh! yes we knew about that already. We didn't let you know beforehand for your own protection. aaaarrrrrrgggg !!!!
|
|
Fand Aeon
Registered User
Join date: 17 Nov 2007
Posts: 258
|
07-29-2008 04:46
I am just wondering here.... If the items are on land that is no build, no script, no push or bump etc, would that keep it safe? Also what if an avatar who was wearing the items was on land with no permissions...
|
|
Kitty Barnett
Registered User
Join date: 10 May 2006
Posts: 5,586
|
07-29-2008 05:03
From: Tabliopa Underwood
The thing that really annoys me after I've been ripped off, is when I'm told after the fact by an authority figure; Oh! yes we knew about that already. We didn't let you know beforehand for your own protection.

Is "we're aware of an exploit that does so and so and here's how you do it, and btw it looks like it'll take us a month to get it fixed" preferable?

Even knowing there's an exploit is going to make some people want to try and track it down if only for the fun of it and every additional detail beyond "exploit" is something that helps those looking to use it more than it helps regular residents protect themselves.

Full disclosure after it's been fixed is a good thing, especially involving details of "and this is what we did to prevent similar ones from occurring in the future, or we'll be able to detect them easily when they happen", but any kind of disclosure before it's fixed carries a risk of doing more harm than good.
|
|
Erika DeVinna
Fresh To Death
Join date: 12 Dec 2006
Posts: 25
|
07-29-2008 06:38
I got a question if anyone knows?
I'm curious as if this theft would show on transaction history since they become the new owner of your stuff..... will it appear as you giving it to them in transaction history or not?
This is horrible really, My friend has lost 2 chims within a few days period, most likely at the same club by the same culprit.
I was not aware of this till tonight, we all should be aware of this. I'm shocked really.
|
|
Tabliopa Underwood
Registered User
Join date: 6 Aug 2007
Posts: 719
|
07-29-2008 07:25
Kitty, I understand the gamekeeper's reasoning. It's just that we often get treated as bunnies by both poachers and gamekeepers. LL is no different to any other gamekeeper in this respect. This reasoning makes perfect sense when we're the gamekeeper, as the role of the gamekeepers is to keep as many of the bunnies from being skinned by the poachers as they can. But, it does nothing for me when I'm the bunny who does get poached and skinned. Just my bad luck ya. So I scream my little bunny scream.
Most, if not all, of the exploits and bugs in the SL codebase are down to the lack of range and integrity checking as any perusal of the codecutters blogs show. That's not down to the script kiddies. That's down to utopian programming by the development team. E.g.
newX(currX, offsetX) ( return currX + offsetX )
Where's the check ??? Huh! What for ??? Why would anyone need to check this ??? aaarrrgggg !!! bunny scream !!!
The above code is not newX as it's written. It's addX. They're not the same thing at all. It's utopian to think otherwise. This is true script kiddie stuff. The client codebase when it was released was riddled with this kind of utopian coding. Where was the knarley oldskool to ensure that this didn't happen at the time it was written. It's great that LL have done a lot of work since to fix this, assisted by a whole heap of outercoders, and have brought a far more rigorous internal approach in recent times than previously. So that's good.
But until the codebase is completely purged of this kinda rubbish and while I'm considered to be a bunny by any gamekeeper then whenever I get caught in a poacher's trap then I'm going to scream loudly and let all the other bunnies know about it. I'd probably think differently if the gamekeeper replaced the bunnies' skins after they've lost them to the poacher but that's not happening yet, so.
To finish on a positive note, I don't know if Sidewinder L is old but he certainly comes across as knarley, and he finds time on his blogs for the bunnies as well. So that's good too =)
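
The addX/newX distinction drawn in the post above, as an added example that is not part of the original thread and not Second Life code: `add_x` is the unchecked function as posted, and `new_x` validates both inputs and the result before accepting the move. The function names, the [0, 256) coordinate range and the 10-unit step limit are assumptions chosen for illustration.

```cpp
#include <cmath>
#include <cstdio>

// Assumed limits, for illustration only.
constexpr float kMinX = 0.0f;      // lowest valid coordinate (inclusive)
constexpr float kMaxX = 256.0f;    // highest valid coordinate (exclusive)
constexpr float kMaxStep = 10.0f;  // largest single move a caller may request

// The function from the post: plain addition, nothing validated.
float add_x(float curr_x, float offset_x) {
    return curr_x + offset_x;
}

// A "new X" that treats both arguments as untrusted input.
// Returns true and writes *out only when every check passes;
// on failure *out is left untouched so a caller cannot use a bad value.
bool new_x(float curr_x, float offset_x, float *out) {
    // NaN and infinity survive addition and defeat later comparisons,
    // so they are rejected before any arithmetic.
    if (!std::isfinite(curr_x) || !std::isfinite(offset_x)) return false;
    // Integrity check: the starting position must itself be valid.
    if (curr_x < kMinX || curr_x >= kMaxX) return false;
    // Range check on the requested change.
    if (std::fabs(offset_x) > kMaxStep) return false;
    // Range check on the result.
    const float result = curr_x + offset_x;
    if (result < kMinX || result >= kMaxX) return false;
    *out = result;
    return true;
}

int main() {
    // Constructed sample inputs: {current x, offset}.
    const float cases[][2] = {
        {100.0f, 5.0f}, {250.0f, 9.0f}, {100.0f, NAN}, {300.0f, -5.0f}};
    for (const auto &c : cases) {
        float x = 0.0f;
        const bool ok = new_x(c[0], c[1], &x);
        std::printf("add_x=%g  new_x=%s", add_x(c[0], c[1]),
                    ok ? "accepted" : "rejected");
        if (ok) std::printf(" (%g)", x);
        std::printf("\n");
    }
    return 0;
}
```
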
|