Major Exploit?
|
|
Lex Neva
wears dorky glasses
Join date: 27 Nov 2004
Posts: 1,361
|
07-23-2006 12:14
From: Aodhan McDunnough It is a new feature, at least that's its intent, which is a tool to assist in building. Just for the record, your textures are safe if they're 1024x1024, involve very crisp detail, or have complex alpha transparency.
I dunno, Aodhan... after our discussion, I think, with some practice, I could counterfeit a 1024x1024 texture, too. I could definitely get a 512x512 one with some patience. Incidentally, I bug-reported the exploit with a fully detailed reproducible case and "EXPLOIT" in the subject line as they suggest in the support wiki.
|
|
Fade Languish
I just build stuff...
Join date: 20 Oct 2005
Posts: 1,760
|
07-23-2006 12:39
From: Lex Neva I dunno, Aodhan... after our discussion, I think, with some practice, I could counterfeit a 1024x1024 texture, too. I could definitely get a 512x512 one with some patience. Incidentally, I bug-reported the exploit with a fully detailed reproducible case and "EXPLOIT" in the subject line as they suggest in the support wiki.
Update on this. I just got out of bed to turn the heater on, stopped to check my email, and Robin Linden had responded to a PM I sent her, describing the nature of the problem, and with a link to Aodhan's post in Answers. She's passed it all along to the developer who made the tool, so they are aware of the problem now. I'm off back to bed, damn it's cold here.
edit: I see Robin's also responded to Aodhan's post in Answers.
|
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
07-23-2006 14:39
I just got wind of this texture exploit. I have entered this bug but can't give you a timeframe for a fix.
Linden Lab takes exploits very seriously, but we don't troll the forums for them. Also, exploits + forums = widespread panic (we don't like that either) and the risk of more people using the exploit (neither you nor us like that). So, say it with me:
Posting exploits to forums: BAD.
Bug reporting exploits and then making a huge stink about it to a Linden: GOOD!
If you have found an exploit and you simply can't wait to tell someone, please bug report it with "EXPLOIT" in the summary/description/title and IM the RT number (it's the number in the auto-reply email you get) to a Liaison or Bug Hunter that's online. Ask them to please send an email to get QA to take a look at this ASAP. If you can't find someone that can help you right then, IM me (Brent Linden) and I'll get inworld to check it out ASAP.
Linden Lab would never create a tool to undermine IP rights. The work of our residents is not only valued, but cherished. You all created this world. We would never want to purposefully make it easier for someone to steal/modify/delete/return your creations (unless of course you drop your "beautiful" content on someone else's land -- they totally have the right to delete or return it then).
_____________________
The best way to predict the future is to invent it. -Alan Kay
|
|
Marc Eisenberg
Imperial Lord of Scripts
Join date: 9 Jan 2005
Posts: 36
|
And for the record...
07-24-2006 16:35
There's no way to stop texture theft using the external DLL, so please stop complaining about it. It's beyond the control of any Linden as it's due to the ability to hook into an application and extract information on the client-side using the OpenGL API.
Textures have to be downloaded in order to be viewed. At some point in time, you will have downloaded the texture and it will need to be displayed on the screen. At any point in this pipeline, it can be extracted (the easiest being when it's running in the graphics engine since it is not secure at this time). 3D structure architecture can also be extracted and opened with Maya or 3D Studio because it's data that must exist client side in order to be seen.
Why are scripts safe then, you may ask? Simple. A script never exists on a client machine unless they have permissions to view it (although, an exploit in the permissions system could easily change that as I believe it has recently with the Grim Babies). Textures must be viewable by everyone regardless of permissions, and will always be downloaded to your machine at some point in time.
It's an OpenGL issue, and while I understand why everyone is complaining (I know I would be too if I wasn't an OpenGL/DirectX developer myself), there is NO FIX FOR IT as long as Linden Labs is using OpenGL. Period.
I'm sorry, but I'm sick of hearing about this one.
|
|
Zoe Llewelyn
Asylum Inmate
Join date: 15 Jun 2004
Posts: 502
|
07-24-2006 17:19
From: Marc Eisenberg There's no way to stop texture theft using the external DLL, so please stop complaining about it. It's beyond the control of any Linden as it's due to the ability to hook into an application and extract information on the client-side using the OpenGL API.
Textures have to be downloaded in order to be viewed. At some point in time, you will have downloaded the texture and it will need to be displayed on the screen. At any point in this pipeline, it can be extracted (the easiest being when it's running in the graphics engine since it is not secure at this time). 3D structure architecture can also be extracted and opened with Maya or 3D Studio because it's data that must exist client side in order to be seen.
Why are scripts safe then, you may ask? Simple. A script never exists on a client machine unless they have permissions to view it (although, an exploit in the permissions system could easily change that as I believe it has recently with the Grim Babies). Textures must be viewable by everyone regardless of permissions, and will always be downloaded to your machine at some point in time.
It's an OpenGL issue, and while I understand why everyone is complaining (I know I would be too if I wasn't an OpenGL/DirectX developer myself), there is NO FIX FOR IT as long as Linden Labs is using OpenGL. Period.
I'm sorry, but I'm sick of hearing about this one.
We have not been discussing the OpenGL external tool. That is old news and as you say not a part of SL and thus not in LL control. We were discussing an INTERNAL SL tool that allowed people to steal textures in game without any external programs and zero effort. Please at least pretend to read the posts, because not doing so tends to make you look a bit silly. Nice rant though. Too bad it had nothing at all to do with what we were discussing the past few days.
|
|
Zi Ree
Mrrrew!
Join date: 25 Feb 2006
Posts: 723
|
07-25-2006 02:36
From: Brent Linden exploits + forums = widespread panic
I think the equation is more like: exploits + forums - linden_response = panic
Communication is the key.
From: Brent Linden Posting exploits to forums: BAD. Bug reporting exploits and then making a huge stink about it to a Linden: GOOD!
I am a great defender of the "full disclosure" way when it comes to bugs or exploits, but I can see how it may be difficult to deploy a quick fix to the grid without causing a massive outage.
From: Brent Linden If you have found an exploit and you simply can't wait to tell someone, please bug report it with "EXPLOIT" in the summary/description/title and IM the RT number (it's the number in the auto-reply email you get) to a Liaison or Bug Hunter that's online. Ask them to please send an email to get QA to take a look at this ASAP. If you can't find someone that can help you right then, IM me (Brent Linden) and I'll get inworld to check it out ASAP.
Don't you think you should make it *easier* for the residents to submit critical bug reports, rather than make it *more complicated*? Why should a resident have to hunt up a Linden, copy out a number from the automail and tell them to check back with QA? This is a process that should be done automatically by the bug report system or by the person reading the exploit report. You just can't expect the residents to actually *tell* a Linden to mail QA ...
_____________________
Zi! (SuSE Linux 10.2, Kernel 2.6.13-15, AMD64 3200+, 2GB RAM, NVidia GeForce 7800GS 512MB (AGP), KDE 3.5.5, Second Life 1.13.1 (6) alpha soon beta thingie)
Blog: http://ziree.wordpress.com/ - QAvimator: http://qavimator.org
Second Life Linux Users Group IRC Channel: irc.freenode.org #secondlifelug
|
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
07-25-2006 10:52
Bah, my huge response just got eaten by the forums!
I'll make it simpler for you. Bug report it and put EXPLOIT in the title. We'll take care of the rest, but if you want an immediate response, IM me.
_____________________
The best way to predict the future is to invent it. -Alan Kay
|
|
Siggy Romulus
DILLIGAF
Join date: 22 Sep 2003
Posts: 5,711
|
07-25-2006 11:00
From: Brent Linden Bah, my huge response just got eaten by the forums!
I'll make it simpler for you. Bug report it and put EXPLOIT in the title. We'll take care of the rest, but if you want an immediate response, IM me.
I think immediate response is the key here - maybe not IMMEDIATE - but timely would be good.. I think putting EXPLOIT in the title is a good idea too - so you can pick up on it quickly. You'll probably find that folks posting exploits on the forums know that it's a bad idea - and although I'm sure there are a few disingenuous motives for doing it, several of the people I know who've done it have done so simply to apply pressure for a fix. The worse the exploit, the greater the chance someone will post it. Some kind of quick feedback mechanism other than a 'your bug report has been filed' form letter on exploits would probably lessen the number of posts - more than likely down to the few 'shit stirrers' that will do it anyway for the chaos factor. Hell - I'd go so far as making it an easy to assign option on the bug reporting - automating the process a lil if it doesn't already.
As for your post being eaten -- how ironic
_____________________
The Second Life forums are living proof as to why it's illegal for people to have sex with farm animals.
From: Jesse Linden I, for one, am highly un-helped by this thread
|
|
Lex Neva
wears dorky glasses
Join date: 27 Nov 2004
Posts: 1,361
|
07-25-2006 11:27
After submitting my bug report with "EXPLOIT" as the first word in the title, I got a personal response from Brent Linden a mere 14 hours later... and this was on a Sunday. So it's not like you've GOT to hunt up a Linden to IM if you want any hope of your exploit being paid attention to. It just helps. Maybe if I had, he'd have responded in merely 7 hours. ;)
|
|
Burnman Bedlam
Business Person
Join date: 28 Jan 2006
Posts: 1,080
|
07-25-2006 11:49
From: Nes Letlow so umm wait a min this god mode thing... LL is just lettin ppl have it then? i mean they are just allowing it?
They're apparently letting people profit financially from violating the TOS. So, I suppose so.
_____________________
Burnman Bedlam
http://theburnman.com
Not happy about Linden Labs' purchase of XStreet (formerly SLX) and OnRez. Will this mean LL will ban resident-run online shopping outlets in favor of their own?
|
|
Brent Linden
eXtreme Bug Hunter
Join date: 16 Feb 2005
Posts: 212
|
07-25-2006 11:52
Heh. Bug Hunters need sleep too, ya know 
_____________________
The best way to predict the future is to invent it. -Alan Kay
|