Welcome to the Second Life Forums Archive

Is there currently some kind of permissions exploit out there?

Mack Echegaray
Registered Snoozer
Join date: 15 Dec 2005
Posts: 145
02-20-2006 15:13
From: Cristiano Midnight
Exactly, which is why there is a vast difference between a packet sniffer/disassembler and an open gl monitoring tool. My point was that LL can take proactive steps to prevent client hacking, however what you were posting about is not something that there is any real defense against, and requires no skill at all to use.


LL could stop the use of GLIntercept, there are plenty of techniques that could be used to do so. For instance, scanning the in-memory DLL list for GLIntercept specifically, or more generally timing glTexImage2D to see if it's much slower than it should be. Look at the way anti-cheat software scans for wallhacks for prior art here.

There are also a wide variety of anti reverse-engineering techniques that can be deployed to try and stop people hacking the SL client itself. Until there is a firm alternative plan in place this is what I'd be doing.

On the other hand, such a thing is always going to be an arms race (at least until LaGrande and friends go mainstream), and the whole DRM system SL has going here would be rather hard to enforce in a fully open source world so it's not surprising that Cory Linden is thinking about alternatives. In fact it's very cool that he is.

Anybody can steal any image, JavaScript or CSS from web sites at any time yet people still make livings as web designers, I fail to see why the same could not be true for Second Life.
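
An added example (not from the original post or from Linden Lab's client) of the two checks described in the post above, in portable C: a module-list scan for a denylisted name or for an opengl32.dll loaded from outside the system directory, and a median-based timing check on texture uploads. The paths, the `SYSTEM_DIR` value, the 3x threshold and all function names are assumptions; a real client would fill the list from the OS module enumeration and time its own glTexImage2D calls.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SYSTEM_DIR "C:\\Windows\\System32\\" /* assumed; query the OS in a real client */

/* Case-insensitive prefix test (Windows module paths are case-insensitive). */
static int starts_with_ci(const char *s, const char *prefix) {
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

static const char *base_name(const char *path) {
    const char *b = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') b = p + 1;
    return b;
}

/* 0 = clean, 1 = file name contains a denylisted string, 2 = opengl32.dll
 * loaded from anywhere other than system_dir (which must end in a separator). */
int module_is_suspicious(const char *path, const char *system_dir) {
    const char *name = base_name(path);
    for (const char *p = name; *p; p++)
        if (starts_with_ci(p, "glintercept")) return 1;
    if (strlen(name) == 12 && starts_with_ci(name, "opengl32.dll")) {
        int in_system = starts_with_ci(path, system_dir) && name == path + strlen(system_dir);
        return in_system ? 0 : 2;
    }
    return 0;
}

size_t count_suspicious(const char *const *paths, size_t n, const char *system_dir) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (module_is_suspicious(paths[i], system_dir)) hits++;
    return hits;
}

static int cmp_double(const void *a, const void *b) {
    double x = *(const double *)a, y = *(const double *)b;
    return (x > y) - (x < y);
}

/* 1 when the median of n (<= 64) upload timings exceeds factor * baseline.
 * The median keeps a single scheduler hiccup from raising a false alarm. */
int upload_looks_hooked(const double *samples_us, size_t n, double baseline_us, double factor) {
    double sorted[64];
    if (n == 0 || n > 64) return 0;
    memcpy(sorted, samples_us, n * sizeof *sorted);
    qsort(sorted, n, sizeof *sorted, cmp_double);
    double median = (n % 2) ? sorted[n / 2] : (sorted[n / 2 - 1] + sorted[n / 2]) / 2.0;
    return median > factor * baseline_us;
}

/* Constructed sample: module paths as a process module enumeration might list them. */
static const char *const SAMPLE_MODULES[] = {
    "C:\\Program Files\\ExampleClient\\client.exe",
    "C:\\Program Files\\ExampleClient\\OpenGL32.dll", /* shadows the system DLL */
    "C:\\Windows\\System32\\opengl32.dll",
};

int main(void) {
    double timings_us[] = {400, 420, 410, 39, 430}; /* constructed measurements */
    printf("flagged modules: %zu\n", count_suspicious(SAMPLE_MODULES, 3, SYSTEM_DIR));
    printf("timing anomaly: %d\n", upload_looks_hooked(timings_us, 5, 40.0, 3.0));
    return 0;
}
```
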
Elle Pollack
Takes internets seriously
Join date: 12 Oct 2004
Posts: 796
02-20-2006 16:07
From: Khamon Fate
What bothers me about all this, how can I phrase it, is that I've seen people over the months of Second Life's tenure talk about quitting their jobs or abandoning their career searches to work in SL for a fairly steady income. They're mostly graphics artists who indeed produce wonderful textures to sell. They have no idea how vulnerable they are, have been all this time, to IP theft in such an environment.



The general opinion in the particular case of GLIntercept seems to be that the "issue" is unfixable. It's a legit debugging tool that can be used on any openGL app, which Second Life happens to be. The best defense against it being used for widespread texture piracy was presumed to be obscurity. It seems to work for Mac at least...they aren't exactly obscure (I risk offending a ton of Mac geeks if I don't clarify that) but they do have security holes that pop up. But macs have a small user base, so they hardly ever make waves. Jarrod, on the other hand, was purposely trying to break that layer of obscurity.

Now, there is valid debate over whether "security through obscurity" actually works but I'm not qualified to put my foot in that pool.
_____________________
***********************************************
"Ya'll are so cute with your pitchforks and torches ..." ~Brent Linden

SL streams a world, can you also stream a mind?
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
02-20-2006 16:08
From: StoneSelf Karuna
in the event that there were (or is) an exploit, all you ensured is that even more people know it's there. congratulations, that's really noble.

under your theory, you should have asked ll first.


I didn't ensure anyone knows how to exploit it (I don't even know there is one, just asking if other people are experiencing this weird behavior which might indicate a problem), which is exactly what Jarod did. Also, what makes you think I didn't contact LL?
_____________________
Cristiano


ANOmations - huge selection of high quality, low priced animations all $100L or less.

~SLUniverse.com~ SL's oldest and largest community site, featuring Snapzilla image sharing, forums, and much more.

StoneSelf Karuna
His Grace
Join date: 13 Jun 2004
Posts: 1,955
02-20-2006 18:30
From: Cristiano Midnight
I didn't ensure anyone knows how to exploit it
that's cutting hairs very fine.

telling everyone there's an exploit, in this age of web searches and script kiddies, isn't so far from telling people where to get the tools.

my point is that you've picked a slippery slope wrt responsibility... that happens to have placed you on the "safe" side. makes it look like you have a leg to stand on when criticizing jarod.

but that doesn't change the real issue... should ll let people know about problems like this? isn't part of responsible disclosure? especially since there is so much first life money involved?

and do you think security through obscurity is a good idea?
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
02-20-2006 18:57
From: Cristiano Midnight
I'm not sure which Midnight you are referring to, it certainly isn't me. I have always supported your protests and revelations of flaws in SL, up to the Open GL issue. The main reason I criticized you for it is that it is not some flaw on LL's part that is causing that problem, and there is very little they can do to protect against it, if anything. Your spreading the details wasn't doing anyone a service except informing even more people how they can steal, under the guise of "letting designers know this is going on". So now you can sit smugly in your knowledge that you know about another exploit, that's fine - I would rather you did that than to just broadcast it to be malicious.


I'd be the Midnight in question, and I took issue with it for all the reasons you mentioned. Broadcasting tools and techniques that can be used to steal content on the forums when there exists no method for SL content creators to protect themselves serves absolutely no purpose. It's information that's only useful to someone who might want to try it themselves. Potential exploits should be reported to those who can actually do something about them (LL) through an appropriate private channel (email). Anything else can only make the problems worse. It's simple common sense.
_____________________

My other hobby:
www.live365.com/stations/chip_midnight
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
02-20-2006 19:02
From: StoneSelf Karuna
but that doesn't change the real issue... should ll let people know about problems like this? isn't part of responsible disclosure? especially since there is so much first life money involved?

and do you think security through obscurity is a good idea?


You always have to pick the lesser of two evils. LL doesn't exactly have a great track record in providing a secure platform for content creation with IP ownership. Given that, I'd prefer they be as obscure as possible.
_____________________

My other hobby:
www.live365.com/stations/chip_midnight
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
02-20-2006 19:48
From: StoneSelf Karuna
that's cutting hairs very fine.

telling everyone there's an exploit, in this age of web searches and script kiddies, isn't so far from telling people where to get the tools.

my point is that you've picked a slippery slope wrt responsibility... that happens to have placed you on the "safe" side. makes it look like you have a leg to stand on when criticizing jarod.

but that doesn't change the real issue... should ll let people know about problems like this? isn't part of responsible disclosure? especially since there is so much first life money involved?

and do you think security through obscurity is a good idea?


I don't know how you can possibly begin to claim that asking is a potential exploit going on, with zero details on how anything is being exploited vs "hey, this is exactly how you do it and the program you need to use and here is even the link to the fucking website" is anywhere close to cutting hairs very fine.

Responsible disclosure is a very important part of security. Responsible disclosure dictates that you make a flaw widely known once there is a fix for it, not before. Just because a flaw exists and some people are aware of it does not mean you openly broadcast it and point out how to exploit it when there is nothing in place to prevent it. You work behind the scenes to make sure affected parties protect themselves as much as you can. I definitely have not gone down any slippery slope by pointing out that what Jarod did was irresponsible.
_____________________
Cristiano


StoneSelf Karuna
His Grace
Join date: 13 Jun 2004
Posts: 1,955
02-20-2006 19:58
From: Cristiano Midnight
I don't know how you can possibly begin to claim that asking is a potential exploit going on, with zero details on how anything is being exploited vs "hey, this is exactly how you do it and the program you need to use and here is even the link to the fucking website" is anywhere close to cutting hairs very fine.
in your opinion. an opinion that makes you come out smelling like roses.
From: someone
Responsible disclosure is a very important part of security. Responsible disclosure dictates that you make a flaw widely known once there is a fix for it, not before.
no, not if damage can be done. you let people prepare.
From: someone
Just because a flaw exists and some people are aware of it does not mean you openly broadcast it and point out how to exploit it when there is nothing in place to prevent it. You work behind the scenes to make sure affected parties protect themselves as much as you can.
in this case, everyone is the affected party. how can they protect themselves if they don't know how severe the exploit is, and if they don't know how easy it is to use the exploit. i think saying, "here's the program that can exploit you." is a very emphatic way to show just how easy the exploit is.
From: someone
I definitely have not gone down any slippery slope by pointing out that what Jarod did was irresponsible.
no. that's not the slope i'm talking about. the slope i'm talking about is the one about how much to disclose about exploits. the distance between what you did and what jarod isn't as great as you think.
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
02-20-2006 20:10
From: StoneSelf Karuna
that's not the slope i'm talking about. the slope i'm talking about is the one about how much to disclose about exploits. the distance between what you did and what jarod isn't as great as you think.


The difference between the two is night and day. Trying to find out if an exploit exists is not the same as broadcasting the method of how to use an exploit. The former can yield information that can be turned over to LL without revealing the details - the net effect of which would be helpful. The latter can serve only to make an existing problem worse and has no benefit - the net effect of which is harmful.
_____________________

My other hobby:
www.live365.com/stations/chip_midnight
Elle Pollack
Takes internets seriously
Join date: 12 Oct 2004
Posts: 796
02-20-2006 20:12
From: StoneSelf Karuna
...the distance between what you did and what jarod isn't as great as you think.


But Cris doesn't even *know* whether there's an exploit or not, nor any details, and he's trying to figure it out so he doesn't get burned by it.

(Jinx, Chip)
_____________________
***********************************************
"Ya'll are so cute with your pitchforks and torches ..." ~Brent Linden

SL streams a world, can you also stream a mind?
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
02-20-2006 20:12
From: StoneSelf Karuna
in your opinion. an opinion that makes you come out smelling like roses.


Yes, by all means, please show me how animations are exploited based upon me saying "hmm, some people bought stuff from me in an unusual pattern and it concerns me based upon past experience". I'll wait, post the directions since I apparently provided the roadmap in your estimation.

From: someone


no, not if damage can be done. you let people prepare. in this case, everyone is the affected party.


Not when the disclosure of that information causes far more widespread damage than would have been caused by not disclosing it. News flash - if you say to a group of previously unaware people "hey, it is easy to steal everything using this little program here click the link" and they then begin to use the tool to do exactly that, you have just contributed to it - when remaining quiet and working with LL to try to find ways to protect against it would have ensured that the exposure remained minimal. Yes, there is always a race of time to try to fix an exploit before it has widespread exposure - but you seem to advocate broadcasting it widely before even giving them a chance to fix it, further putting users at risk.

From: someone

how can they protect themselves if they don't know how severe the exploit is, and if they don't know how easy it is to use the exploit. i think saying, "here's the program that can exploit you." is a very emphatic way to show just how easy the exploit is.


If there were steps they could take to prevent this problem themselves, then I would agree with you. That is not the case with this issue.

From: someone

no. that's not the slope i'm talking about. the slope i'm talking about is the one about how much to disclose about exploits. the distance between what you did and what jarod isn't as great as you think.


Again, there is a huge distance. One is asking if something unusual is happening to try to get a consensus of whether or not there is a problem. The other is ensuring that the exact details of an exploit are spread as widely as possible to as many people as possible - including those who will have no qualms about using that information to steal content. The two are quite far apart. One is a vague question, the other is a damned Google satellite map with driving directions.
_____________________
Cristiano


Huns Valen
Don't PM me here.
Join date: 3 May 2003
Posts: 2,749
02-20-2006 20:46
From: Khamon Fate

I suppose my hope, my agenda, is that people will finally see this software for the toy that it is and stop talking about using it professionally as though it were some sort of useful tool. That attitude puts people in harm's way as they invest money and time into what amounts to an entertaining parlour game. I don't know what else to say other than the cards seem to be collapsing but falling right back into an ordered stack.
I totally see where you are coming from. And, some people are less averse to risk than others.

If I am independently wealthy, and wouldn't be put into a bad situation if SL stopped generating any revenue for me, then it's not a bad idea for me to go into business full-time in SL, if I feel rewarded by that activity.

If I allow myself to become dependent on SL as my only or primary source of income, I am putting myself into a seriously bad situation.

From: Mack Echegaray
LL could stop the use of GLIntercept, there are plenty of techniques that could be used to do so. For instance, scanning the in-memory DLL list for GLIntercept specifically, or more generally timing glTexImage2D to see if it's much slower than it should be. Look at the way anti-cheat software scans for wallhacks for prior art here.

I can think of a way to get around both of those things.
StoneSelf Karuna
His Grace
Join date: 13 Jun 2004
Posts: 1,955
02-20-2006 23:11
From: Chip Midnight
The latter can serve only to make an existing problem worse and has no benefit - the net effect of which is harmful.
in your opinion.

i happen to disagree.
StoneSelf Karuna
His Grace
Join date: 13 Jun 2004
Posts: 1,955
02-20-2006 23:14
From: Elle Pollack
But Cris doesn't even *know* whether there's an exploit or not, nor any details, and he's trying to figure it out so he doesn't get burned by it.
ah but his theory is that if there is an exploit knowledge about it should be discussed only in certain ways. ways that he happens to approve of.

if there had been an animation exploit, then he would have been broadcasting that fact broadly.

and in this day and age of web searches, the difference between saying the knowledge is out there and providing the knowledge is not as great as it used to be.
Mack Echegaray
Registered Snoozer
Join date: 15 Dec 2005
Posts: 145
02-21-2006 04:32
From: Huns Valen
I can think of a way to get around both of those things.


And? I can think of many ways. Nothing is absolute.

Right now though most people who are using GLIntercept and similar tools are probably just users. They aren't programmers, they are just following instructions.

In other words, they don't have the ability necessary to bypass even quite trivial checks like those. Maybe a few (like you) can think of some ways around, and maybe a few of those few can implement them.

And maybe a few of those few of those few are crooked and would be willing to sell or give away such a program. But SL is small, and a few of a few of a few is such a very small number of people that it's probably zero given the current population. When SL gets as popular as WoW or CounterStrike then maybe LL will be facing dedicated, skilled, funded attackers. But not yet.

As somebody who has some experience of dealing with anti-cheat/anti-re code (legitimately!) I would say this - yes, LL v hacker is competing on a level playing field with today's PC technology, so you won't always win. But you won't always lose either, and given a large team of very smart programmers who have the ability to push updates at any time vs your average hackers, my bet would be on the former.

Look at Blizzard vs WoW!Sharp if you want a concrete example ...
Starax Statosky
Unregistered User
Join date: 23 Dec 2003
Posts: 1,099
02-21-2006 05:06
From: Mack Echegaray

And maybe a few of those few of those few are crooked and would be willing to sell or give away such a program. But SL is small, and a few of a few of a few is such a very small number of people that it's probably zero given the current population. When SL gets as popular as WoW or CounterStrike then maybe LL will be facing dedicated, skilled, funded attackers. But not yet.

...



lol

Reminds me of Artificial Intelligence. When you're wise enough to be able to create Artificial Intelligence then you're wise enough to realize it's pointless.


Wise people aren't hackers. When somebody becomes wise enough to be a dangerous hacker then they stop hacking.
Mack Echegaray
Registered Snoozer
Join date: 15 Dec 2005
Posts: 145
02-21-2006 05:44
From: Starax Statosky
Wise people aren't hackers. When somebody becomes wise enough to be a dangerous hacker then they stop hacking.


Ah, if only that were true .... unfortunately ability doesn't always come hand in hand with wisdom.
Starax Statosky
Unregistered User
Join date: 23 Dec 2003
Posts: 1,099
02-21-2006 06:06
From: Mack Echegaray
Ah, if only that were true .... unfortunately ability doesn't always come hand in hand with wisdom.


I just went and asked my grandad for his opinion. He's an hundred forty two tomorrow and so he's obviously very wise. He said - "Ugh...". Then he paused for several minutes in deep thought and said "Ugh..." again.

So there you have it.
Starax Statosky
Unregistered User
Join date: 23 Dec 2003
Posts: 1,099
02-21-2006 06:10
and he's not hacked a damn thing in his life!!

Well only a Japanese soldier that he found asleep in a bunker back in the days when he wasn't so wise. But that doesn't count.
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
02-21-2006 06:12
From: StoneSelf Karuna
in your opinion.

i happen to disagree.


On what basis? If the information being made public can't help content creators become more secure how is it of benefit to them except to discourage them from creating? It can't result in increased security. It's only useful to those who would use the exploits to steal and can only increase the number of script kiddies using 3rd party tools to get around what little protection we do have. Explain to me how that's of benefit to content creators.
_____________________

My other hobby:
www.live365.com/stations/chip_midnight
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
02-21-2006 06:34
From: Starax Statosky
and he's not hacked a damn thing in his life!!

Well only a Japanese soldier that he found asleep in a bunker back in the days when he wasn't so wise. But that doesn't count.

Hahahaha, you guys are so terrible!!!
_____________________
"People can cry much easier than they can change."
-James Baldwin
Mack Echegaray
Registered Snoozer
Join date: 15 Dec 2005
Posts: 145
02-21-2006 06:39
From: Starax Statosky
I just went and asked my grandad for his opinion. He's an hundred forty two tomorrow and so he's obviously very wise. He said - "Ugh...". Then he paused for several minutes in deep thought and said "Ugh..." again.


Bwahaha, this forum is awesome. Everyone is nuts here :)
Leyla Firefly
Photoshop Addict
Join date: 8 Aug 2004
Posts: 146
02-21-2006 07:19
Every graphic designer knows the moment you publish anything on the net, it's out there to grab. I consider Second Life the same. Nothing of whatever you create is safe. And whatever they claim in their TOS, you have no foot to stand on if your stuff isn't copyrighted.
There is an idiot on SLexchange selling textures i published on the net as free stuff. Poor fewls who buy em eh? Do i mind? Of course not. Not any of all the copycats on the internet (and yes Second Life) have the brains to come up with a new idea, they never feel the excitement of creating something new from scratch.
They can get a few bucks in a game (yes, a game) like Second Life, but in the real world having a job as a designer? No, never, they lack the skills and the fantasy to come up with something of their own.
Second Life your prior income? Please, don't do! If you are skilled and smart (and some of you definitely are) get a job as a rl designer, that's where the real money is :)

PS: I do love SL, and i do make nice money of it (i love shopping in rl), but i see that as a lucky ticket, this month im lucky but what next month? :confused:
_____________________

Mystique- Intrigue- Calypso- Oceanus- Boulevard Mystique- Coronado- Alize
Chip Midnight
ate my baby!
Join date: 1 May 2003
Posts: 10,231
02-21-2006 07:55
From: Leyla Firefly
Every graphic designer knows the moment you publish anything on the net, it's out there to grab. I consider Second Life the same. Nothing of whatever you create is safe. And whatever they claim in their TOS, you have no foot to stand on if your stuff isn't copyrighted.


All creative works are copyrighted the moment you create them. Filing them with the copyright office is only a formality that makes it easier to prove ownership in court.
_____________________

My other hobby:
www.live365.com/stations/chip_midnight
Leyla Firefly
Photoshop Addict
Join date: 8 Aug 2004
Posts: 146
02-21-2006 08:10
*bats eyelashes at Chip*

:)
_____________________

Mystique- Intrigue- Calypso- Oceanus- Boulevard Mystique- Coronado- Alize