hackers in SL!!

I was talking to a person named chance small the other day, and he told me how he was able to hack open my slot machines and steal the money, and i said how do u do that and he explained to me.(secretly recoding all ims). and when i woke this morning i was flat broke.clearly abuse so if you own any machines with channels in them he (and his rweinds) is hacking them open so watch out !!!

It does indead suck that there are malicious people out there that will use their abilities to harm others (with our without doing it for their own benifit out side of getting their jollies)

But I have to say: When somone shows you that you have a security hole, you should plug it.

I suggest you file an abuse report and take those machines down until you or others can find a way to code out that hole.

A note about security, gambling and chat channels.

A chat channel is an open space to chat into, any script can talk on or listen to any channel. This is a huge potential security issue.

There are a couple of work arounds:

1) llListen() allows you to specify the key to listen to. This means that no matter what else talks on that channel, you will only pay attention if its the object you expect to be talking. Just setting the name is not secure - anyone can name any object anything. This is more work! You must customize each script to only listen to the specified key of the other object. To find the key of an object use this script:

default
{
   state_entry()
   {
      llInstantMessage(llGetOwner(),(string)llGetKey());
   }
}

2) Linked messages are way more secure. Linked messages only go between parts of a linked set, so the object must all be linked together. This makes some things, such as turning a slot wheel, harder. However no one can link an object they own to one of yours, so they can't hear or communicate to your object. To use linked messages you use the llMessageLinked() call and the link_message() event.

3) Other security measures. Other security measures are possible to communicate over open channels. This is not as secure as linked messages, but sometimes linked messages can't work, and sometimes you just won't know the key of the object you are working with. If this is necessary my suggestions would include:
- Some form of rotating channel - don't communicate on the same channel all the time
- As soon as some verification process is complete close the gap by closing the open listen (llListenRemove) and starting a new listen that only listens to the key of the authenticated object.

Method 3 is far from trivial, and still not entirely secure, and should be avoided if at all possible. Number 2 is, in my opinion the safest. Also, while listening in may be bad, usually the worst case is when your object can potentially listen, and react to, someone elses object as if it was part of the game. If someone else can make a script that convinces your main listener script that someone just got the highest win then that is not good.

I havn't used the "generic" slot script or machine so I don't have much experience with it. I would highly recomend anyone with a generic slot machine to not use it, to take it out of world. Anyone who brings me one I will help make secure. Once a secure form has been made I will probably help distribute it.

I have spoken to people who flat out told me they were in SL to hack it. The best way to deal with them is to immediately send a heads-up to the nearest Linden. Hackers are not admirable and they're not our friends; they are terrorists.

I dont believe it appropriate to call 'hackers' terrorists.

The definition of a hacker is someone who finds security holes, exploits, or the like in electronic equipment. Note 'finds'. This doesnt mean that he/she will exploit the information they find.

The definition of cracker is a hacker who exploits (usually miliciously) the information he/she finds.

So, a cracker is a hacker, but a hacker isnt always a cracker (hackers can find stuff and simply relay the information to the program owners, like saying 'hey, I found a big-arse bug, here's info about it' to the people that own the program/device)

Saying that hacking is evil or terroristic is therefore, not correct, that would be like saying that tinkering is bad/evil/malicious.

What you mean, is that cracking (exploiting) is evil/terroristic behavior. And I agree with you there.

Just clarifying some stuff the politicions and now the media is getting horribly wrong .

-Chris

I thought the definition of cracker was someone with a gun in the pickup and white klan robes in the closet...

Funny, my definition is what I put tuna fish on. Yumm...

The original defination of a hacker was someone who could sit at a computer and hack out some code, or make the computer do what they wanted. Not even in the way of security at all. And still, a hacker is someone who manages to make the computer do what they want - usually normal stuff. Ah I dunno how to explain it. lol I spent a lot of my time when I was learning Linux hacking at it. Trying different things to get it to run smoothly, and work right.

Cracking is when you crack into a system and do malicious stuff or not. Anytime to gain unauthorized access to a system is cracking. If you interact with a system in an unauthorized, unintended, malicious way that too is cracking.

A terrorist is someone who does extremely heinous crimes with the hope of creating terror. They blow up trucks in buildings, they kill people, they crash planes into buildings.

I agree cracking is a serious crime. Saying a cracker or hacker is a terrorist is like saying someone who embesles money is a mass murderer. Yes both crimes are bad, but they are not the same.

I am neither cracker nor terrorist. I couldn't defeat even rudimentary security measures. However I do strongly dislike associating a computer criminal with someone who crashes planes full of people into buildings full of people.

Perspective please.

Well back to the topic for one sec, interesting as this is:

May I ask that when he told you your slot machines were hackable, why you didn't take them down and fix it? I think you are at least parcially responisbal if you just leave it sitting there and trust mankind... and also why did you come here instead of talking to a Linden and filing an abuse report? I don't mean to bash you down, I'm just rather curious as to what your thinking was.

Another thing to remeber - there are somewhere upwards of 2million chat channels. Which means you can easily put in your phone number as the chat channel and people have a much harder time trying to find what it is talking on.

It would be nice to have an online community safe from malicious activity, but the internet is far to young and unpoliced for that.

But as I read from a few securtiy manuals and hacking handbooks and from Concise Oxford English dictionary, here is what I read:

hacker / n.

1. A person who or thing that hacks or cuts roughly.
2. A person who uses computers for a hobby, esp. to gain unauthorized access to data.

the relevant definition here is #2. But as its a very vague definition it can be split into 2 parts.

White-Hat hackers:

Very helpfull people, and among the most helpful to the security of the internet as we know it. Without them the internet would be a cesspool/ virtual Ghetto.

These people enjoy learning computers and networksand gain a deep understanding of the computer world. Such people go on to become Sys admins, programmers, Web Admins, and security consultants.

Hackers such as these spend most of their time pointing out and securing against system security holes and/or reporting to the appropriate sys or net admin of such leaks so as to get them secured against possable malicious exploits.

Black-Hat Hackers:

A person who tries to gain access to a computer or to data held on one.

This is the most common understood meaning of the word "hacker" Thus gives in the public eye the hacker stigma of all hackers being "bad". Such as movies like WarGames and Hackers (the movie).

Hackers in the white-hat definition commonly regard this group in this second description with suspicion, calleing them "Crackers" as they specialize in "cracking" system security.

As a white hat hacker they generally gain access through legal pre-arranged or employeed means.

But to determine what kind of hacker someone is if you have a chance to even single one out is what their rules of ethics are and whether or not they are breaking the law.

enough of that for now but ,

as SecondLife is not in beta, and if the exploits keep happening and the "offenders" keep offending and not reporting the exploitability of the system, they in effect are breaking the law. We as users can only file user complaints as we are not legally hurt in this venture.

As exploits are being used and not reported by the exploiters they are breaking the agreement they have with LL when they clicked "accept" on install of the client. So LL can/should/ and does take action against offenders.

If one person keeps signing up under different names and is provable and makes a serious impact on the playability and performance of SL, LL can and should take legal action against this or any offender that is here to ruin their product.

But we as users can help by:

1. Seeing how to cover our virtaul butts by useing scripts and such in a way that is "fixed" or protected from exploits.

2. reporting such abuses.

3. Learn or find a way to track within our scripts of user names that access these scripts (if/when it is scripts being cracked) and reporting names and times so LL doesn't have to search through tons of server logs to find a exploited transaction.

Very good info charlie.

And it made me think of another way to 'secure' open chat channels:

- Only react to objects you own. To do this, inside your listen put everything in an if statement as follows.

listen(integer chan, string name, key id, string mes)
{
   if (llGetOwner() == llGetOwnerKey(id))
   {
      // Put everything normally in the listen here.
   }
}

Using this your script will ignore any objects you don't own. Not recomended if you have any modifiable objects lying around.

regardless anyopne who does dilberly "hack" into someome elses bank account is a thief
and should be banned from sl

I'm still curious as to why you took no action when this guy told you he could, and why you didn't simply talk to a Linden about it.

hmm isnt chance small that annoying brat who used to go around shooting ppl with a modded jetball gun and disturbing events such as my land editing class a week ago?

posting bout it wont get someone banned. You need to file an abuse report and give Lindens facts to investigate.

The lindens were made aware of it, although I dont remember if it was really the person in question or not, though I tend to not file a report if people stop after the first warning.
Whoever it was, just called me an asshole and flew away after I told him he was violating the ToS and would be reported if he didnt stop.

I added Chance small to my ignore list about a week ago because he wouldnt stop asking me for strange script requests. I worry I might have helped make that gun that he used to annoy people.

TiamaT told me about the hack on Sunday morning. I didn't make the slot machines but I patched them right away. TiamaT had already talked to a Linden by the time he got in touch with me. I saw the chat logs, it looked like Chance was trying to help out by telling him about the exploit. From what I read in the logs, it didn't look like Tiama had anything to worry about.... It's SL after all, everyone you meet is friendly and nice.

Chance was so sure he thought all channel games were hackable he made a hackers backpack that would scan listen channels, and rename itself and transmit text over the channels he thought were hackable. LSL makes it pretty easy to prevent such exploits. I doubt Chance did the hacking himself. He probably gave the backpack to someone with instructions on how to carry out the exploit.


If anyone wants a free security audit on any of their games, send me an IM.

Is everyone using double-digit channels for their objects? We have billions of channels available; it would take millenia to scan all of them.

What Jake said. We have 2,147,483,648 channels to choose from. 2 billion! Yipes.

I keep seeing scripts using '1' and '2'. Totally boggles my mind.

When I first used llListen I chose an arbitrary huge number to use as a channel, and recorded it on a notecard. Every time I need a new channel I just ++ and record it to the end of the notecard so I can remember it.

Unfortunately, I'll have to revise my system after about a billion llListen projects (give or take a few million.)

Even if the slot machine used a totally random channel, an aspiring hacker like Chance might buy a copy/modify version of the same machine to accelerate his "reverse engineering".

Ditto.
I would appreciate it if people who have a game at my casino would check if they are using insecure llListen calls...
dont wanna give the place a bad reputation.

Okay ALL of you need to know the FULL truth.

I went to TiamaT because I THOUGHT he was a friend. I told him that his machines can be hacked. He laughed and said they couldn't. I then said "I'll bet you I can." he said okay.

I did my thing, won my $10K (by hacking it), when he got back, I paid him $11K. He FLIPPED about the whole deal when he SAID I could do it, AND I paid him back!

I do not appreciate all the talking going on behind my back in game and in forums, when you guys do not know the whole story.

So now the full story be told, I'd appreciate it if you would all stopt he bad talking. I have NEVER hacked a game, and not paid back the FULL (if not more) amount that I won.

And just for future info, I also told Dave Zeeman about the problem, to try to help him out, because he does own a pretty big casino.

If you guys still think I'm a full of it hacker out there to rip people off, then please feel free to talk to Dave Zeeman, Nova Linden, and Lee Linden. I'm sure they would love to from you about the situation, since they are all fully aware of the whole thing, especially Nova Linden.

Not only is it pretty big, but it's big and pretty!

Oh yeah, Chance is fine, don't worry 'bout him. He's the one who originally got hacked, I think the Lindens have already intervened in this situation and through account history records have been able to identify Chance as a legit player, so he really doesn't hack w/o giving the cashola back.

Infact now he's flat broke, so if he does hack anyone/anything, it'll be fairly noticable, and he will be held accountable. Think of it as probation

Anyways, Chance does have the full story there, so.... yeah.

belive me the first thing i did was contact a linden,and chance did give the money back, but the point is there is no purpose for a device or script like that except to gain whats not yours.
I feel there is no place for that crap in sl. And trust me u will get caught if u use them.