SL Multiplayer Games Have Been Hacked!!!
|
|
Games Prototype
Force Recon Sniper
Join date: 4 Aug 2004
Posts: 159
|
12-23-2005 08:28
The new craze in SL is the growing number of multiplayer games such as Slingo, Tringo, Quintzee, and the newest VGI Casino Camping Chairs. These games use standard chat channels to communicate information between the main program and its child objects, such as seats, that are not physically linked together. Although they all use encryption methods such as an MD5 hash or Base64 encryption, it is not enough.
Earlier this week, VGI Casino Camping Chairs were attacked with a hack that was originally designed to attack Slingo and Tringo, and they have been manipulating those games for a little while now. The hack monitors all of the channels until it discovers the channel that the game is communicating on. It then hijacks the encrypted communications packet and stores it to relay again. Since the encrypted packets contain all the owner info for verification, it will be accepted by the main program when repeated, just as if the object had said the commands.
Every game that uses any chat communications in SL is at risk, and every one has actually been attacked, and the hacks are being sold to people underground. One hacker has been caught, and is being investigated. There are several others who have not been caught yet.
When I first got hit by the hack at my VGI locations, I immediately ceased all operations and closed all locations. With 25 hours worth of programming and testing, I have created the very first secure SL communications program. The VGI Comm. Security package comes in 2 parts. The first part of the package is the security block. The security block is the main security program that changes the channel that the game communicates on every 5 minutes. The program uses a military standard radio communications security protocol called "Frequency Hopping" to hop between 1.5 million communications channels in SL.
The second part of the package is the "Secure Link" script which is placed in the object to be synchronized with the security block. The security block uses 5 different channels simultaneously to talk on one, and listen on another to synchronize with each object of the game. 1 channel is securely created for each object to communicate with each other as a result. Even if a hacker managed to discover 1 channel, there is no way to know if the channel he found was even the communications channel for the game. There is a 1 in 5 chance that the right one was discovered, and the channel changes every 5 minutes, so it would be impossible to do anything with the discovery.
As of right now, VGI Casino Camping Chairs are the only truly secure multiplayer games in SL. All others have hacks being distributed as you read this. This is a serious matter as the owners of the multiplayer games stand to lose a lot of money as one hack on the VGI games inflicted a 50K loss on me, and a 15K loss on my annex owners. This is just a warning for all game owners to be careful because the following games are verified to have hacks being sold for them:
1) Slingo 2) Tringo 3) Quintzee 4) Pay Chair V5.5 Casino Camping Chairs
If you have any further questions about the security of these games, you can contact me by in world IM. Thank you, and be careful.
_____________________
Life is serious, Games are fun. Enjoy your second life.
|
|
Burke Prefect
Cafe Owner, Superhero
Join date: 29 Oct 2004
Posts: 2,785
|
12-23-2005 08:33
From: Games Prototype The first part of the package is the security block. The security block is the main security program that changes the channel that the game communicates on every 5 minutes. The program uses a military standard radio communications security protocol called "Frequency Hopping" to hop between 1.5 million communications channels in SL.
Wow. Well, I wouldn't mind a look at that. I'm working on some mobile scripting stuff and need a way to keep the communication a little more secure-ish than Xor.  As for "military standard radio communications security protocol", I'd edit that to read "a trick called".
|
|
Kris Ritter
paradoxical embolism
Join date: 31 Oct 2003
Posts: 6,627
|
12-23-2005 08:36
Would it be cynical to say this looks like a large advert in General and that absolutely no proof is offered that any of this is true?
|
|
Games Prototype
Force Recon Sniper
Join date: 4 Aug 2004
Posts: 159
|
12-23-2005 08:42
From: Kris Ritter would it be cynical to say this looks like a large advert in General and that absolutely no proof is offered that any of this is true?
Hey Kris, I can get you a copy of the one that hacked me. He has already been caught, and I can get him to give you the hack he distributed.
_____________________
Life is serious, Games are fun. Enjoy your second life.
|
|
Sean Martin
Yesnomaybe.
Join date: 13 Sep 2005
Posts: 584
|
12-23-2005 08:45
I have the name of one of the people using this hack. I don't think I'm allowed to say it here though. I saw them use it. Shot the pay rate of the money chair from $3 to $21 per 10 minutes.
|
|
Hank Ramos
Lifetime Scripter
Join date: 15 Nov 2003
Posts: 2,328
|
12-23-2005 08:46
OMG! Call out the SL National Guard! Dang, and I've been in the wrong business all along! 
|
|
Cadroe Murphy
Assistant to Mr. Shatner
Join date: 31 Jul 2003
Posts: 689
|
12-23-2005 08:47
I'm no expert, but I wonder if including a timestamp in the encrypted messages wouldn't help avoid replay attacks. Is that impractical for some reason?
_____________________
ShapeGen 1.12 and Cadroe Lathe 1.32 now available through SLExchange.
|
|
Sean Martin
Yesnomaybe.
Join date: 13 Sep 2005
Posts: 584
|
12-23-2005 08:53
From: Cadroe Murphy I'm no expert, but I wonder if including a timestamp in the encrypted messages wouldn't help avoid replay attacks. Is that impractical for some reason?
Huh, that could work actually. It would have to take in the built in delay objects have I think. 0.2 something I dunno. Anyone else know how that would work? That would probably be for the scripting forums. Someone post a link if they write about it.
|
|
Alondria LeFay
Registered User
Join date: 2 May 2003
Posts: 725
|
12-23-2005 08:53
I think this is just a continuation of the whole certain vendor incident where some scripters are just not concerned with security until it is too late. The world is too large to just rely on the obfuscation of a single channel as the only form of security. I would urge any scripter who creates objects that deal with any money transactions to heed these warnings and invest the time needed to secure the assets of your customers.
|
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
12-23-2005 08:56
This is all very easily thwarted by one simple statement in your listen:
if (llGetOwnerKey(id) == llGetOwner()) {
While this obviously would not keep the owner of the setup from cheating, it would stop the problem you are describing here.
If the creators of Slingo, Tringo and Quintzee did not include such an obvious failsafe in their scripts I would genuinely be surprised.
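The owner check from this post combined with the timestamp idea raised earlier in the thread, as an added example that is not part of any post and is not code from any of the games named here. It is a Python model rather than LSL: `sender_owner` stands in for `llGetOwnerKey(id)`, and the shared secret, HMAC-SHA256 tag, nonce field and 5-second window are all assumptions of the example.

```python
import hashlib
import hmac

SECRET = b"constructed-shared-secret"  # assumed: known only to the game's own scripts
OWNER = "owner-uuid-1"                 # constructed stand-in for llGetOwner()
MAX_SKEW = 5                           # seconds a signed message stays acceptable

def mac_for(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def sign(command, nonce, now):
    """Build 'command|timestamp|nonce|mac' the way a trusted child object would."""
    body = f"{command}|{int(now)}|{nonce}"
    return f"{body}|{mac_for(body)}"

class Receiver:
    """Main game object: owner check, MAC check, freshness window, replay cache."""

    def __init__(self):
        self.seen = {}  # nonce -> timestamp, kept only while still fresh

    def accept(self, sender_owner, packet, now):
        if sender_owner != OWNER:  # models llGetOwnerKey(id) == llGetOwner()
            return "reject: foreign owner"
        try:
            command, ts, nonce, mac = packet.split("|")
            ts = int(ts)
        except ValueError:
            return "reject: malformed"
        body = f"{command}|{ts}|{nonce}"
        if not hmac.compare_digest(mac.encode(), mac_for(body).encode()):
            return "reject: bad mac"
        if abs(now - ts) > MAX_SKEW:
            return "reject: stale"
        # Drop nonces that could no longer pass the freshness test anyway.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if nonce in self.seen:
            return "reject: replay"
        self.seen[nonce] = ts
        return "accept: " + command

def demo():
    rx, t0 = Receiver(), 1135326480  # constructed clock value
    captured = sign("payrate=3", "n-001", t0)  # one valid packet, overheard once
    tries = [(OWNER, 0), ("attacker-uuid", 1), (OWNER, 2), (OWNER, 600)]
    return [rx.accept(who, captured, t0 + dt) for who, dt in tries]
```

The third and fourth results are the cases the owner check alone does not cover: a valid packet repeated by an object that passes the owner test is stopped by the nonce cache inside the window and by the timestamp after it.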
|
|
Nyx Divine
never say never!
Join date: 11 Dec 2004
Posts: 1,052
|
12-23-2005 08:58
OK I'm as dumb as a rock when it comes to scripting, but not too surprised, there will always be someone somewhere trying to hack crap for their own gain.
With that said are U saying, Games, that U have developed a system/script to circumvent the most recent hack? And if so for how much? And I'm not being snide....I'm sincerely interested.
And one other thing....how would the owner/host KNOW if the game they were running WAS being hacked?
_____________________
Yes Virginia there is an FIC!
If someone shows you who they are.....believe them! Don't be afraid to go out on a limb, because that's where the fruit is!
|
|
Ravenous Dingo
Registered User
Join date: 25 Feb 2005
Posts: 78
|
12-23-2005 08:58
It's not the first. Just maybe the 1st that is 4 sale.
Money Huntin' at SL Playground usez my own proprietary system that is sort of similar. It iz built from a com system scripts I inherited from my predecessor (Antagonistic Protagonist) and has been in SL 4 quite awhile.
Itz kool 2 see other people doing stuff like that tho.
|
|
Sean Martin
Yesnomaybe.
Join date: 13 Sep 2005
Posts: 584
|
12-23-2005 08:59
From: Ushuaia Tokugawa This is all very easily thwarted by one simple statement in your listen:
if (llGetOwnerKey(id) == llGetOwner()) {
While this obviously would not keep the owner of the setup from cheating, it would stop the problem you are describing here.
If the creators of Slingo, Tringo and Quintzee did not include such an obvious failsafe in their scripts I would genuinely be surprised.
Is it possible to make the current player or person using the game the owner? But then that is the person who is hacking isn't it? Or was this done outside of the game somewhere. Like from a distance. They could do the same with vendors then I would think. I dunno though because I never bothered with that type of scripting. In the case of the chair, the hacker I saw was sitting in it. And the object "slot machine" was talking to the object "chair" to raise the amount. With no owner being there.
|
|
Alondria LeFay
Registered User
Join date: 2 May 2003
Posts: 725
|
12-23-2005 09:01
From: Ushuaia Tokugawa This is all very easily thwarted by one simple statement in your listen:
if (llGetOwnerKey(id) == llGetOwner()) {
While this obviously would not keep the owner of the setup from cheating, it would stop the problem you are describing here.
If the creators of Slingo, Tringo and Quintzee did not include such an obvious failsafe in their scripts I would genuinely be surprised.
I have been surprised a lot lately. But I would think that people would have learned from way way back when a predominant early Casino got hacked. And also, fear if you have ANY objects with mod rights then.. drop security hack in your open sourced modable table and boom, system hacked.
|
|
Luciftias Neurocam
Ecosystem Design
Join date: 13 Oct 2005
Posts: 742
|
12-23-2005 09:05
From: Ushuaia Tokugawa This is all very easily thwarted by one simple statement in your listen:
if (llGetOwnerKey(id) == llGetOwner()) {
While this obviously would not keep the owner of the setup from cheating, it would stop the problem you are describing here.
If the creators of Slingo, Tringo and Quintzee did not include such an obvious failsafe in their scripts I would genuinely be surprised.
They have to have written this into the code....everybody uses it...
|
|
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
|
12-23-2005 09:09
The "only truly secure multiplayer games in SL"?
How rudely arrogant.
|
|
Games Prototype
Force Recon Sniper
Join date: 4 Aug 2004
Posts: 159
|
12-23-2005 09:14
From: Ravenous Dingo It's not the first. Just maybe the 1st that is 4 sale.
Money Huntin' at SL Playground usez my own proprietary system that is sort of similar. It iz built from a com system scripts I inherited from my predecessor (Antagonistic Protagonist) and has been in SL 4 quite awhile.
Itz kool 2 see other people doing stuff like that tho.
Actually, it's not for sale. I'm just putting out a warning to the game developers in SL. I apologize if I gave the impression that I was trying to sell something. I was just giving ideas out.
_____________________
Life is serious, Games are fun. Enjoy your second life.
|
|
Keiki Lemieux
I make HUDDLES
Join date: 8 Jul 2005
Posts: 1,490
|
12-23-2005 09:14
Call me a cynic, but I'm having trouble buying this. I don't know Slingo or Quintzee very well, but what information is worth hacking on a Tringo game?
Honestly, all the pertinent info is displayed. It's not like poker where there is private info. There is no reason for Tringo to even use encryption to communicate with the cards.
And as for money chairs, I would think that most money chairs are self enclosed objects that don't listen to anything.
_____________________
imakehuddles.com/wordpress/
|
|
Sean Martin
Yesnomaybe.
Join date: 13 Sep 2005
Posts: 584
|
12-23-2005 09:21
From: Keiki Lemieux Call me a cynic, but I'm having trouble buying this. I don't know Slingo or Quintzee very well, but what information is worth hacking on a Tringo game?
Honestly, all the pertinent info is displayed. It's not like poker where there is private info. There is no reason for Tringo to even use encryption to communicate with the cards.
And as for money chairs, I would think that most money chairs are self enclosed objects that don't listen to anything.
Most chairs are yeah. But some that give a high payout will talk to slots that the campers play. For a prize you get an increase in the L$ per minutes. Things of that sort.
|
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
12-23-2005 09:37
From: Alondria LeFay And also, fear if you have ANY objects with mod rights then.. drop security hack in your open sourced modable table and boom, system hacked.
I may be misunderstanding you, but distributing items with full permissions does not make you susceptible to this kind of hacking if you are checking for the owner of the object as I described above. The only way another person could make it seem like your objects were communicating is by editing objects owned by you. This could happen if the object had full permissions and was being shared with a group or by somebody on your friends list who you had granted modify permissions. What you are describing would work if you were comparing creators, but there is no llGetCreatorKey() so that is not possible.
|
|
Beau Perkins
Second Life Resident.
Join date: 25 Dec 2003
Posts: 1,061
|
12-23-2005 09:40
The fact that the games that use public chat channels for communication are a risk is not new news. This has been true since the beginning of SL.
|
|
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
|
12-23-2005 09:40
From: Sean Martin Is it possible to make the current player or person using the game the owner?
No. In Tringo, Slingo, and Quintzee the players' cards are owned by the person who owns the setup, not by the player.
|
|
Sean Martin
Yesnomaybe.
Join date: 13 Sep 2005
Posts: 584
|
12-23-2005 09:45
From: Ushuaia Tokugawa No. In Tringo, Slingo, and Quintzee the players' cards are owned by the person who owns the setup, not by the player.
Ah I see. Cool.
|
|
Alondria LeFay
Registered User
Join date: 2 May 2003
Posts: 725
|
12-23-2005 09:45
From: Ushuaia Tokugawa I may be misunderstanding you, but distributing items with full permissions does not make you susceptible to this kind of hacking if you are checking for the owner of the object as I described above.
Nope, nope.. you're right. Not enough coffee. Owner != Creator. My bad. *Alondria goes and makes some coffee*
|
|
CrystalShard Foo
1+1=10
Join date: 6 Feb 2004
Posts: 682
|
12-23-2005 09:57
Scripts in SecondLife are not safe from crackers, period.
Even your current Casino game implementation can be rather easily cracked with enough time, dedication, and lack of anything better to do.
SecondLife is not a secure environment. If your method of generating profit depends on scripts that communicate in a manner that must not be cracked or eavesdropped on, or if your script's source itself must not be viewed by anyone but you, then your security is flawed, and you will just need to take into account that your system will be eventually cracked and abused in one way or another.
Making a harder shell isn't going to stop it - at most, it will just delay it.
A smarter tactic would be to anticipate abuse and trying to work a system for coping or working with it.
|