New item theft exploit.
|
|
Cael Merryman
Brain in Neutral
Join date: 5 Dec 2007
Posts: 380
|
07-29-2008 11:34
From: Hypatia Callisto Everything is at risk, including scripts.
If they are no-copy scripts, they are just as gone from someone's inventory as no-copy anything else.
It's issues like this that make me as a content creator move to no transfer permissions. I'm not interested in seeing my customers suffer from stuff like this. It's bad enough that I have to. And then if they move to another avatar, they lose even more. That's a solution that in my opinion benefits the creator and LL (more unique purchases) more than the average customer. A legitimate intent, to be sure, but not a solution to the problem for most IMO.
|
|
Darien Caldwell
Registered User
Join date: 12 Oct 2006
Posts: 3,127
|
07-29-2008 15:20
I'm sorry but this sounds like utter bullshit. You can't take something that belongs to someone else. You could probably make a copy, that is well known, but you can't actually 'take it'. And certainly not the scripts. There's nothing in SL that works that way.
|
|
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
|
07-29-2008 15:23
From: Darien Caldwell I'm sorry but this sounds like utter bullshit. You can't take something that belongs to someone else. You could probably make a copy, that is well known, but you can't actually 'take it'. And certainly not the scripts. There's nothing in SL that works that way.
This is almost certainly a packet injection attack, in which case, who knows. Unlike the classifieds one, this isn't one I'd feel comfortable experimenting with.
|
|
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
|
07-29-2008 15:34
From: Darien Caldwell I'm sorry but this sounds like utter bullshit. You can't take something that belongs to someone else. You could probably make a copy, that is well known, but you can't actually 'take it'. And certainly not the scripts. There's nothing in SL that works that way.
You wouldn't say that if you saw half of the crazy stuff they only fixed this year. I want to answer questions, but 1.23 isn't fully rolled out yet. But as always, it was something simple, not really an exploit or trick. Apparently it was just how the system was designed.
|
|
poopmaster Oh
The Best Person On Earth
Join date: 9 Mar 2007
Posts: 917
|
07-29-2008 15:41
This is new?
_____________________
InSL u find every kind of no-life retard you could possibly imagine as well as a few even Tim Burton couldnt imagine u find 12yr-olds claiming to be 40 men claiming 2 be women, women claiming 2 make sense and every1 claiming 2 have ideas that are actually worth a damn if only someone would just listen to their unique innovative and exceptionally important idea
|
|
Darien Caldwell
Registered User
Join date: 12 Oct 2006
Posts: 3,127
|
07-29-2008 15:44
From: Day Oh You wouldn't say that if you saw half of the crazy stuff they only fixed this year. I want to answer questions, but 1.23 isn't fully rolled out yet. But as always, it was something simple, not really an exploit or trick. Apparently it was just how the system was designed.
Well, I checked with my resident expert, and she verified this is real. Frankly I'm angry that people have known about this for so long and said nothing about it. Very angry.
|
|
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
|
07-29-2008 15:46
From: Darien Caldwell Well, I checked with my resident expert, and she verified this is real. Frankly I'm angry that people have known about this for so long and said nothing about it. Very angry.
Honestly though... I've seen instances in the "incident report" of people losing their accounts for "exploit disclosure".
|
|
poopmaster Oh
The Best Person On Earth
Join date: 9 Mar 2007
Posts: 917
|
07-29-2008 15:48
Rumour has it, it was told to LL over a year ago and they either 'could not fix it' or didn't want to... but they have known about it for a while. Not as neat a trick as the old "give someone a negative amount of money to 'get' money from them" tho; they fixed that one kinda quickly.
|
|
Tabliopa Underwood
Registered User
Join date: 6 Aug 2007
Posts: 719
|
07-29-2008 15:50
ooo! that one was really bad
|
|
Ciaran Laval
Mostly Harmless
Join date: 11 Mar 2007
Posts: 7,951
|
07-29-2008 15:53
From: Darien Caldwell Well, I checked with my resident expert, and she verified this is real. Frankly I'm angry that people have known about this for so long and said nothing about it. Very angry.
On the other side of the coin, it would appear that so few people knew about this that it wasn't causing damage, and whereas I understand your anger, it hasn't really caused that much damage.
|
|
Argos Hawks
Eclectically Esoteric
Join date: 24 Jan 2007
Posts: 1,037
|
07-29-2008 15:54
From: poopmaster Oh Not as neat a trick as the old "give someone a negative amount of money to 'get' money from them" tho; they fixed that one kinda quickly.
That's pure evil. Please tell me that that doesn't actually work. I've read somewhere else today that people can wear an item that takes money from you when you click it. No yellow debit box, no confirmation, goodbye L$. In that report, the amount was only L$1, but I don't know if it's limited by possibility or by the hope of not getting caught and reported.
_____________________
Step 1: Create virtual world Step 2: ??? Step 3: Profit
|
|
Puppet Shepherd
New Year, New Tricks
Join date: 14 Feb 2007
Posts: 725
|
07-29-2008 16:38
So, how do people find out if they're in one of the updated regions, and thus don't have to worry about this exploit?
Is it by going to Help>About Second Life and checking the number on the server? If so, which number should we be looking for?
_____________________
Come see my new 1-prim flowers, only $10 each! Lots of other neat stuff to find @ Puppet Art, http://slurl.com/secondlife/Lilypad/200.092/210.338
|
|
Viktoria Dovgal
…
Join date: 29 Jul 2007
Posts: 3,593
|
07-29-2008 17:13
From: Puppet Shepherd Is it by going to Help>About Second Life and checking the number on the server? If so, which number should we be looking for?
Yep, "Second Life Server 1.23.4.93100" on the fourth printed line means a patched server.
|
|
Amity Slade
Registered User
Join date: 14 Feb 2007
Posts: 2,183
|
07-29-2008 18:11
From: Kitty Barnett Is "we're aware of an exploit that does so and so and here's how you do it, and btw it looks like it'll take us a month to get it fixed" preferable?
Even knowing there's an exploit is going to make some people want to try and track it down if only for the fun of it and every additional detail beyond "exploit" is something that helps those looking to use it more than it helps regular residents protect themselves.
Full disclosure after it's been fixed is a good thing, especially involving details of "and this is what we did to prevent similar ones from occurring in the future, or we'll be able to detect them easily when they happen", but any kind of disclosure before it's fixed carries a risk of doing more harm than good.
For a serious exploit that Linden Lab can fix immediately, silence on the exploit is warranted. Anything that will take months to fix should be disclosed. You know that those aware of the exploit are disclosing it to their dishonest friends. It's the honest people who get hammered. Disclosure may inspire some people who wouldn't have found out about the exploit to try it; but it also inspires some people to come up with ways to tell potential victims how to protect themselves. As someone who is generally going to be the potential victim of a technology exploit, I'd rather it be revealed if it can't be fixed immediately. I'd prefer the chance to protect myself, rather than be a blind, uninformed, helpless target. It's not as if a person who loses money (in Linden dollars or things of value) to an exploit actually has any remedy to recover it after Linden Lab fixes whatever exploit existed. Linden Lab will hide behind its TOS; it isn't responsible for the exploits that it doesn't fix for months and that cost you money.
P.S.: You want to see a court throw out the Linden Lab disclaimer of liability in its TOS? Let someone lose enough money to an exploit that Linden Lab knew about, knew was used, but didn't disclose and didn't fix for a year. Linden Lab is only going to keep that liability shield when they are acting in good faith. Non-disclosure of a hidden risk is in no way good faith.
|
|
Tarina Sewell
Just Browsing Thank you
Join date: 20 Jul 2007
Posts: 2,180
|
07-29-2008 22:57
From: Ciaran Laval On the other side of the coin, it would appear that so few people knew about this that it wasn't causing damage, and whereas I understand your anger, it hasn't really caused that much damage.
Let's see what happens now.
|
|
Tarina Sewell
Just Browsing Thank you
Join date: 20 Jul 2007
Posts: 2,180
|
07-29-2008 23:03
From: Viktoria Dovgal Yep, "Second Life Server 1.23.4.93100" on the fourth printed line means a patched server.
One of my store's regions is Second Life Server 1.22.4.90499; this seems a lot of numbers behind that. Should I pull my store from here? Not much traffic anyway, so not really a big deal... but I'm up for renewal in 3 days.
|
|
Abigail Merlin
Child av on the lose
Join date: 25 Mar 2007
Posts: 777
|
07-30-2008 03:57
From: Tarina Sewell One of my store's regions is Second Life Server 1.22.4.90499; this seems a lot of numbers behind that. Should I pull my store from here? Not much traffic anyway, so not really a big deal... but I'm up for renewal in 3 days.
It will be running on the new server after today, so pulling out is likely more trouble than closing for today and reopening after today's rolling restart has finished.
|
|
Darien Caldwell
Registered User
Join date: 12 Oct 2006
Posts: 3,127
|
07-30-2008 12:15
From: Ciaran Laval On the other side of the coin, it would appear that so few people knew about this that it wasn't causing damage, and whereas I understand your anger, it hasn't really caused that much damage.
Tell that to all the businesses which have been ripped off. While I didn't get to see it firsthand, I was told by my contact she saw whole walls from Xcite stores and other big name creators rezzed by people. Perhaps the only thing which may have saved me from this is my relative obscurity. It's a safe bet every major creator has had their items compromised by now.
The damage can be mitigated (if you know about it) by making sure next owner perms on vendors and other items are set to be no copy or no trans. That way the thief only gets one copy and not an unlimited supply.
LL doesn't have to say *how* it's done, but simply telling people that it *is* being done so they can take appropriate action to protect themselves is not an unreasonable request.
As M pointed out, we residents are paying half their bills; they need to start looking out for us, else we won't be here to pay them anything.
|
|
Deira Llanfair
Deira to rhyme with Myra
Join date: 16 Oct 2006
Posts: 2,315
|
07-30-2008 14:47
From: Darien Caldwell Tell that to all the businesses which have been ripped off. While I didn't get to see it firsthand, I was told by my contact she saw whole walls from Xcite stores and other big name creators rezzed by people. Perhaps the only thing which may have saved me from this is my relative obscurity. It's a safe bet every major creator has had their items compromised by now.
The damage can be mitigated (if you know about it) by making sure next owner perms on vendors and other items are set to be no copy or no trans. That way the thief only gets one copy and not an unlimited supply.
LL doesn't have to say *how* it's done, but simply telling people that it *is* being done so they can take appropriate action to protect themselves is not an unreasonable request.
As M pointed out, we residents are paying half their bills; they need to start looking out for us, else we won't be here to pay them anything.
You are absolutely right. Linden Lab really do worry me at times. They have a business model where their very own customers actually put the icing on the cake of their product. It is the customers that create the content and make Second Life attractive to more customers. Linden Lab's highest priority should be protecting their customers - their business will fail if they don't.
_____________________
Deira. Must create animations for head-desk and palm-face!
|
|
Hypatia Callisto
metadea
Join date: 8 Feb 2006
Posts: 793
|
07-30-2008 19:00
From: Cael Merryman And then if they move to another avatar, they lose even more. That's a solution that in my opinion benefits the creator and LL (more unique purchases) more than the average customer. A legitimate intent, to be sure, but not a solution to the problem for most IMO.
Well, considering I have an inventory of over 90 dances which are *no copy*, I'd have to disagree with you. Yeah, I can transfer them to another avatar, but I rarely do. I'd rather use those dances in several dance machines as no transfer assets. And they sit in inventory because I'm really unsure about the fact that if I make one misstep with them, gone is over 100 dollars worth of animations. Fail, fail, fail. Animation makers are making more money because they make us rebuy the asset every time we need a copy, every time we have an inventory failure, which is far more money than no transfer assets, where you can make a copy on your avatar any time you need it and it will be there in inventory generally even if the sim eats your dance machine for whatever reason. I've lost many no-copy assets (mainly plants - which is why I make them myself now) due to this problem. But I guess some people will try to make content creators look evol no matter how right some happen to be about this subject.
_____________________
... perhaps simplicity is complicated to grasp.
|
|
Day Oh
Registered User
Join date: 3 Feb 2007
Posts: 1,257
|
07-30-2008 20:34
I think everything important is running 1.23 now, yay.
The problem was:
1. The message you use to rez an object from inventory required two parameters, really: the item ID, and the item owner ID, which could be the ID of anyone who has an inventory.
2. Every object in-world that came from someone's inventory has the item ID in its properties, viewable by all.
So no-copy objects that were rezzed in-world were never susceptible to being 'taken' this way, because the item was no longer in your inventory. No-copy attachments were different though: if someone rezzed something no-copy from your inventory while you were wearing it, next time it went to rez you'd get a failure message. Unless you "dropped" the one you were wearing, which would create a second copy without question. So there was really no way to "defend" yourself, other than using the very same method to break the rules and create a copy :/
The simulator version an object was on didn't have any bearing on whether someone standing in an unpatched sim could rez the item from your inventory.
I understand how hard it would be to announce the problem considering that there was no way to prevent its abuse before it was patched, but I also understand the bit of angry response, and my confidence dies a little more too knowing that there will be no announcement even now that it's patched up.
Fixes in 1.23 address both the ability to rez others' objects, and the ability to rez copies of attached no-copy items.
There's one thing I want to point out now, though: I do think it's probably a good idea to think about notecards that might have had passwords or email addresses or things like that in them, since notecards are almost always next-owner-fully-permissive and they may have been compromised if they're in an object in your inventory and there was an object in-world associated with that item. Config notecards and the like.
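A toy model of the two defects Day Oh describes (the rez message trusting a client-supplied owner ID, and a no-copy attachment being rezzable while worn) next to the server-side checks that close them. This is an added illustration, not Linden Lab's code: the names Item, InventoryServer, rez_vulnerable and rez_fixed and the request shape {"item_id", "owner_id"} are all constructed here.

```python
from dataclasses import dataclass


class RezError(Exception):
    """Raised when a rez request is refused."""


@dataclass
class Item:
    item_id: str
    owner_id: str
    name: str
    copyable: bool          # False models a "no copy" asset
    attached: bool = False  # True while the owner is wearing it


class InventoryServer:
    def __init__(self):
        self.items = {}   # item_id -> Item still sitting in someone's inventory
        self.world = []   # rezzed objects as (item_id, owner_id)
        self.audit = []   # requests naming a foreign owner: a detection signal

    def add(self, item):
        self.items[item.item_id] = item

    def rez_vulnerable(self, session_agent, request):
        # BUG (as described in the thread): the owner ID comes from the
        # message, not the session. An agent who read an item ID off an
        # in-world object's properties can name the real owner and rez
        # from that owner's inventory.
        item = self.items.get(request["item_id"])
        if item is None or item.owner_id != request["owner_id"]:
            raise RezError("no such item")
        self._rez(item)
        return item

    def rez_fixed(self, session_agent, request):
        # FIX 1: authorization uses the authenticated agent only. A client
        # that names somebody else's ID is refused and the attempt logged.
        if request.get("owner_id") not in (None, session_agent):
            self.audit.append((session_agent, dict(request)))
        item = self.items.get(request["item_id"])
        if item is None or item.owner_id != session_agent:
            raise RezError("item is not in your inventory")
        # FIX 2: a no-copy item that is currently attached is refused;
        # rezzing it would otherwise bring a second copy into existence.
        if not item.copyable and item.attached:
            raise RezError("no-copy item is attached; detach it first")
        self._rez(item)
        return item

    def _rez(self, item):
        self.world.append((item.item_id, item.owner_id))
        if not item.copyable:
            del self.items[item.item_id]  # a no-copy asset leaves inventory
```

Only `rez_fixed` both refuses the cross-owner request and leaves an audit record, which is the signal an operator would alert on.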
|
|
Gordon Wendt
404 - User not found
Join date: 10 May 2006
Posts: 1,024
|
07-30-2008 21:11
I'm not even going to bother quoting your bullshit, Kitty, and you know it's bullshit, but I'm glad that someone got to it before me challenging your protectionist security-through-obscurity bullshit (the word of the day, apparently), since that is what it is. Hiding a vulnerability, or an exploit for such a vulnerability, only makes people less prepared to protect their property, as well as just allowing LL to drag their heels on fixing it, which is something that they seem to be very good at. Public disclosure puts pressure on them to fix the bug, and while people may be tempted to test it either in hopes of being able to exploit it (black hat), or for curiosity (grey hat, arguably), or in hopes of finding a solution (white hat), the black hat implications of making it public never outweigh the fact that such knowledge should be public.
_____________________
Twitter: http://www.twitter.com/GWendt Plurk: http://www.plurk.com/GordonWendt GW Designs: XStreetSL
|
|
Talarus Luan
Ancient Archaean Dragon
Join date: 18 Mar 2006
Posts: 4,831
|
07-30-2008 22:38
This is another reason why it is a particularly /BAD/ idea to put passwords / access methods into notecards or even in source code (or even compiled into object code).
I am not surprised that many people use these techniques, but they are bad security choices.
|
|
Gordon Wendt
404 - User not found
Join date: 10 May 2006
Posts: 1,024
|
07-31-2008 00:33
From: Talarus Luan This is another reason why it is a particularly /BAD/ idea to put passwords / access methods into notecards or even in source code (or even compiled into object code).
I am not surprised that many people use these techniques, but they are bad security choices.
That's the main reason why a lot of places that use ATMs and/or vendors in-world set their systems up with the pre-emptive assumption that the ATM code is compromised, and design them so that ATMs are verified in several ways against a list of approved ATMs before any transactions will work, including of course an owner and sanity check. Each business of course does it separately and has its own tricks, but they use that general idea behind it.
|
|
Ciaran Laval
Mostly Harmless
Join date: 11 Mar 2007
Posts: 7,951
|
07-31-2008 01:41
From: Darien Caldwell Tell that to all the businesses which have been ripped off.
There are all sorts of issues and implications from a story like this; people need to be very careful what they say for a whole variety of reasons, and people have been telling me about this since the weekend, and all sorts of derivatives of this story. Linden Lab should have made a statement, but they themselves have to be careful what they say too.
|