Welcome to the Second Life Forums Archive

"Fixed An Exploit" - whaaaaa?

Newfie Pendragon
Crusty and proud of it
Join date: 19 Dec 2003
Posts: 1,025
07-18-2005 15:24
Title says it all!

Whaaaa?

(translation: can we have some more detail here?)


- Newfie
_____________________
April Firefly
Idiosyncratic Poster
Join date: 3 Aug 2004
Posts: 1,253
07-18-2005 15:27
Move along, there's nothing here to see.
_____________________
From: Billybob Goodliffe
the truth is overrated :D

From: Argent Stonecutter
The most successful software company in the world does a piss-poor job on all these points. Particularly the first three. Why do you expect Linden Labs to do any better?
Yes, it's true, I have a blog now!
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-18-2005 15:35
I'm going to post everything I know here about what has happened with the hope that I am not being indiscreet, or making things harder for Linden Lab. I encourage moderation to delete this message at their discretion should it make their mission more difficult. However, it seems important to show others the same courtesy I was given in a warning.

In short, some worthless piece of shit has hacked the SL client to allow it to view no-mod scripts. The source code for numerous high-profile objects and systems has been compromised, including those of important vendors.

At this time it is not possible to determine the extent of the damage. A bunch of scripts are now floating around that took god knows how many hours of development and QA to complete.

I hope the perpetrators are brought up on federal computer crime charges.
_____________________
From: Hiro Pendragon
Furthermore, as Second Life goes to the Metaverse, and this becomes an open platform, Linden Lab risks lawsuit in court and [attachment culling] will, I repeat WILL be reverse in court.


Second Life Forums: Who needs Reason when you can use bold tags?
Curtis Night
Registered User
Join date: 18 Apr 2005
Posts: 8
07-18-2005 15:40
From: Enabran Templar
I'm going to post everything I know here about what has happened with the hope that I am not being indiscreet, or making things harder for Linden Lab. I encourage moderation to delete this message at their discretion should it make their mission more difficult. However, it seems important to show others the same courtesy I was given in a warning.

In short, some worthless piece of shit has hacked the SL client to allow it to view no-mod scripts. The source code for numerous high-profile objects and systems has been compromised, including those of important vendors.

At this time it is not possible to determine the extent of the damage. A bunch of scripts are now floating around that took god knows how many hours of development and QA to complete.

I hope the perpetrators are brought up on federal computer crime charges.



And just to kill the "FIC GOT PRIVILEGED INFORMATION" theories before they are started. Someone spammed an IRC channel with a link to this modified client. No one was given secret information.
Kyrah Abattoir
cruelty delight
Join date: 4 Jun 2004
Posts: 2,786
07-18-2005 15:44
From: Enabran Templar
I'm going to post everything I know here about what has happened with the hope that I am not being indiscreet, or making things harder for Linden Lab. I encourage moderation to delete this message at their discretion should it make their mission more difficult. However, it seems important to show others the same courtesy I was given in a warning.

In short, some worthless piece of shit has hacked the SL client to allow it to view no-mod scripts. The source code for numerous high-profile objects and systems has been compromised, including those of important vendors.

At this time it is not possible to determine the extent of the damage. A bunch of scripts are now floating around that took god knows how many hours of development and QA to complete.

I hope the perpetrators are brought up on federal computer crime charges.


I first hope that now the permissions are granted by the SERVER and not the client.
There was a flaw, it seems.
_____________________

tired of XStreetSL? try those!
apez http://tinyurl.com/yfm9d5b
metalife http://tinyurl.com/yzm3yvw
metaverse exchange http://tinyurl.com/yzh7j4a
slapt http://tinyurl.com/yfqah9u
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-18-2005 15:45
From: Curtis Night
And just to kill the "FIC GOT PRIVILEGED INFORMATION" theories before they are started. Someone spammed an IRC channel with a link to this modified client. No one was given secret information.


Also a good point. I was given the heads-up via an in-world IM about twenty minutes before the client update was issued. IRC was already abuzz with the topic when I got there.
_____________________
Jillian Callahan
Rotary-winged Neko Girl
Join date: 24 Jun 2004
Posts: 3,766
07-18-2005 15:47
And here I thought SL had zero "client trust". I wonder what else is waiting for a hack to expose.
_____________________
Ardith Mifflin
Mecha Fiend
Join date: 5 Jun 2004
Posts: 1,416
07-18-2005 15:51
How long has this exploit existed? Is there any way for the Lindens to look at logs and identify those who have logged in using the hacked client? I strongly believe that those who used the client should be punished for their use.
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
07-18-2005 15:52
Those who knew on the IRC also decided not to post anything about this in the forums while the Lindens were preparing the update. There is still some uncertainty what the full extent of it is, but the known parts are:

1) There was a hacked Second Life client that enabled the God mode features of SL. What this means for a non-Linden account is not completely clear.
2) An exploit was used to gain access to popular scripts, including all of the major ATM machines, the Nexcom phones, Seburo, ROAM, and others. The source code was published online.

Beyond this, not a lot else is known right now. The update was to close the script exploit - it is unclear if it also affects the godmode hack.
_____________________
Cristiano


ANOmations - huge selection of high quality, low priced animations all $100L or less.

~SLUniverse.com~ SL's oldest and largest community site, featuring Snapzilla image sharing, forums, and much more.

Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
07-18-2005 15:54
From: Jillian Callahan
And here I thought SL had zero "client trust". I wonder what else is waiting for a hack to expose.


All of our avs the moment they hit a PG area?

Actually, the server needs the client to handle a certain amount of info, such as permissions. Either on downloading a "copy" of the most handled items or just bits of character info. Sadly, some 30-something with the mentality of a selfish 2-year-old has to prove they are better than us by seeing to it that hard work gets poured down the drain...
_____________________
DiamonX Studios, the place of the Victorian Times series of gowns and dresses - Located at http://slurl.com/secondlife/Fushida/224/176

Want more attachment points for your avatar's wearing pleasure? Then please vote for

https://jira.secondlife.com/browse/VWR-1065?
Jillian Callahan
Rotary-winged Neko Girl
Join date: 24 Jun 2004
Posts: 3,766
07-18-2005 15:56
From: Raudf Fox
All of our avs the moment they hit a PG area?
:D
From: Raudf Fox
Actually, the server needs the client to handle a certain amount of info, such as permissions. Either on downloading a "copy" of the most handled items or just bits of character info. Sadly, some 30-something with the mentality of a selfish 2-year-old has to prove they are better than us by seeing to it that hard work gets poured down the drain...
Yes, the client needs some data, but... the source code for scripts? C'mon.
_____________________
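
The design point raised in the posts above (permissions decided by the server, and source the viewer may not show never being sent to it), as an added sketch that is not part of the original thread and not Linden Lab's code. The thread does not say how the exploit worked; the asset fields, the `PERM_MODIFY` bit and all function names here are assumptions made for illustration.

```python
# Added illustration: a hypothetical script-asset service, not Second Life's protocol.
from dataclasses import dataclass

PERM_MODIFY = 0x1  # constructed permission bit: owner may view and edit the source


@dataclass(frozen=True)
class ScriptAsset:
    asset_id: str
    creator: str
    owner: str
    owner_perms: int  # what the creator granted to the current owner
    source: str


def may_view_source(asset, requester):
    """Single authorization rule, evaluated on the server."""
    if requester == asset.creator:
        return True
    return requester == asset.owner and bool(asset.owner_perms & PERM_MODIFY)


def fetch_client_trusting(asset, requester):
    """Weak design: send everything plus a flag and rely on the client to obey it."""
    return {
        "asset_id": asset.asset_id,
        "can_view_source": may_view_source(asset, requester),
        "source": asset.source,  # leaves the server whatever the flag says
    }


def fetch_server_enforced(asset, requester):
    """Hardened design: the source is only placed in the reply when authorized."""
    allowed = may_view_source(asset, requester)
    reply = {"asset_id": asset.asset_id, "can_view_source": allowed}
    if allowed:
        reply["source"] = asset.source
    return reply


def honest_client_view(reply):
    """A stock client shows the source only when the flag permits it."""
    return reply.get("source") if reply["can_view_source"] else None


def modified_client_view(reply):
    """A client that ignores the flag shows whatever bytes it received."""
    return reply.get("source")


# Constructed sample: a no-mod script owned by someone other than its creator.
SAMPLE = ScriptAsset("atm-0001", creator="alice", owner="bob",
                     owner_perms=0, source="default { state_entry() { } }")

if __name__ == "__main__":
    for fetch in (fetch_client_trusting, fetch_server_enforced):
        reply = fetch(SAMPLE, "bob")
        print(fetch.__name__, "honest:", honest_client_view(reply),
              "| modified:", modified_client_view(reply))
```

With the first handler the no-mod flag is only a display hint; with the second there is nothing in the reply for a modified client to reveal.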
Pendari Lorentz
Senior Member
Join date: 5 Sep 2003
Posts: 4,372
07-18-2005 15:56
OMG! This is horrid!!! I seriously hope the perpetrator(s) are found and punished harshly! :mad:
_____________________
*hugs everyone*
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-18-2005 15:57
The implications of an attack such as this are troubling indeed. I really, really want a statement from Linden Lab. I've spoken to some people who were affected by this breach. They're not exactly chipper about doing any future scripting projects.
_____________________
Doc Nielsen
Fallen...
Join date: 13 Apr 2005
Posts: 1,059
07-18-2005 16:05
Ah, so all the update is going to do is to fix a client security flaw that might affect vendors - nothing to address the crippling problems that have appeared since the last brilliant update that I had the incredible temerity to criticise?

O-K, fine... I'm ever so glad to hear that. Nice to see where LL's priorities lie.

Not with asset server and TP issues. Not with changes to texture caching that cause the client to grind to a halt at the slightest POV change. Not with nasty sim borders. Not with any of the annoying bugs that are making SL more and more unpleasant to use and degrading the entire SL experience for 'the community'.

But with the interests of SL's business people... Fine...

However, I wonder how long SL can last with nothing but the business people selling to each other - after the 'little people' slowly drift away?
_____________________
All very well for people to have a sig that exhorts you to 'be the change' - I wonder if it's ever occurred to them that they might be something that needs changing...?
Jillian Callahan
Rotary-winged Neko Girl
Join date: 24 Jun 2004
Posts: 3,766
07-18-2005 16:06
From: Doc Nielsen
...
I'm taking the advice posted in her sig.
_____________________
Pendari Lorentz
Senior Member
Join date: 5 Sep 2003
Posts: 4,372
07-18-2005 16:06
From: Doc Nielsen
O-K, fine... I'm ever so glad to hear that. Nice to see where LL's priorities lie.


Sorry, but if no one will script in SL due to exploits, then there will be NO SL. So yeah. I'd say this issue kinda outweighs some of the others (which by the way they are still working on).
_____________________
*hugs everyone*
Ardith Mifflin
Mecha Fiend
Join date: 5 Jun 2004
Posts: 1,416
07-18-2005 16:07
From: Doc Nielsen
Ah, so all the update is going to do is to fix a client security flaw that might affect vendors - nothing to address the crippling problems that have appeared since the last brilliant update that I had the incredible temerity to criticise?

O-K, fine... I'm ever so glad to hear that. Nice to see where LL's priorities lie.

Not with asset server and TP issues. Not with changes to texture caching that cause the client to grind to a halt at the slightest POV change. Not with nasty sim borders. Not with any of the annoying bugs that are making SL more and more unpleasant to use and degrading the entire SL experience for 'the community'.

But with the interests of SL's business people... Fine...

However, I wonder how long SL can last with nothing but the business people selling to each other - after the 'little people' slowly drift away?


Your performance issues are fucking meaningless compared to an issue which threatens the hard work of thousands of people who built this world. Without them, there would be no SL.

Thanks for completely missing the fucking point though.
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-18-2005 16:07
From: Doc Nielsen
Ah, so all the update is going to do is to fix a client security flaw that might affect vendors - nothing to address the crippling problems that have appeared since the last brilliant update that I had the incredible temerity to criticise?


You're very impressive, you know that? A serious security issue that had the capacity to open EVERY SINGLE SCRIPT on the grid to anyone who wanted it, and you have the nerve to start bitching that this emergency update didn't fix your little problems?

Bravo, you've just made yourself look like a real...

Damn the forum rules intersecting my lust for invective right now.
_____________________
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
07-18-2005 16:08
From: Doc Nielsen
Ah, so all the update is going to do is to fix a client security flaw that might affect vendors - nothing to address the crippling problems that have appeared since the last brilliant update that I had the incredible temerity to criticise?

O-K, fine... I'm ever so glad to hear that. Nice to see where LL's priorities lie.

Not with asset server and TP issues. Not with changes to texture caching that cause the client to grind to a halt at the slightest POV change. Not with nasty sim borders. Not with any of the annoying bugs that are making SL more and more unpleasant to use and degrading the entire SL experience for 'the community'.

But with the interests of SL's business people... Fine...

However, I wonder how long SL can last with nothing but the business people selling to each other - after the 'little people' slowly drift away?


Let's see - someone's hard work being stolen and published on the Internet, or you not laggy. How fucking selfish can you be, honestly? My god. This was a serious security hole - I am sure you would be singing a different tune if it were your work, then we would never hear the end of it.
_____________________
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-18-2005 16:09
From: Cristiano Midnight
Let's see - someone's hard work being stolen and published on the Internet, or you not laggy. How fucking selfish can you be, honestly? My god. This was a serious security hole - I am sure you would be singing a different tune if it were your work, then we would never hear the end of it.


Those are the words I was looking for.


edit: I'm still stunned to have even seen a post like that one.
_____________________
Sezmra Svarog
Pointy-Eared Geek
Join date: 8 Jul 2004
Posts: 446
07-18-2005 16:10
What a way to turn a serious issue into a personal pity party.

I'll take TP problems over blatant THEFT any day. :eek:
_____________________
- sezmra svarog
- slife.sezmra.com
splat1 Edison
Registerd Nut
Join date: 6 Sep 2004
Posts: 353
07-18-2005 16:11
Gigas Group Item Servers - Read for information about exploit-related information.
/120/94/54323/1.html.

Just to restate, I have looked into these patches. This "hack" was no easy task and this was not done by your run-of-the-mill muppet; this has taken time. To my knowledge LL has full details of who is behind it and how it was done, and more to the point how it can and has been stopped.


I offer my condolences to the other scripters that have just seen a lot of work go down the drain.

I also advise people that if they come into contact with the stolen code,
NOT TO LOOK AT IT.
DO NOT TRY AND USE THE CLIENT
Just check if your stuff is there and then bin it.

Linden will comment soon with the needed information. The people affected already know and are solving it.
_____________________
Splat Soft - We exsist in the RL to!
Gigas Bunny (Mule)
####
You see, our experts describe you as an appallingly dull fellow, unimaginative, timid, lacking in initiative, spineless, easily dominated, no sense of humour, tedious company and irrepressibly drab and awful. And whereas in most professions these would be considerable drawbacks, in chartered accountancy they are a positive boon.
Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
07-18-2005 16:12
I'm not even a scripter and I see the need for this update! Good grief, then there'd be more crooked games of Slingo and Tringo than there are straight ones!
_____________________
Velox Severine
Network Slave
Join date: 19 May 2005
Posts: 73
07-18-2005 16:13
From: Doc Nielsen
Ah, so all the update is going to do is to fix a client security flaw that might affect vendors - nothing to address the crippling problems that have appeared since the last brilliant update that I had the incredible temerity to criticise?

O-K, fine... I'm ever so glad to hear that. Nice to see where LL's priorities lie.

Not with asset server and TP issues. Not with changes to texture caching that cause the client to grind to a halt at the slightest POV change. Not with nasty sim borders. Not with any of the annoying bugs that are making SL more and more unpleasant to use and degrading the entire SL experience for 'the community'.

But with the interests of SL's business people... Fine...

However, I wonder how long SL can last with nothing but the business people selling to each other - after the 'little people' slowly drift away?


Are you completely BLIND man? With the ability to steal the ATM scripts, it allows them to send a fake "withdraw" request to GOM (or "money deposited" to SLex etc.) and fake things that way. I really don't care if I can't TP as long as my source code is safe.
_____________________
--BEGIN SIGNATURE STRING--
IkkgY2FtZSwgSSBzYXcsIEkgY29ucXVlcmVkLiIgLS1KdWxpdXMgQ2Flc2Fy
--END SIGNATURE STRING--
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-18-2005 16:15
From: Velox Severine
Are you completely BLIND man? With the ability to steal the ATM scripts, it allows them to send a fake "withdraw" request to GOM (or "money deposited" to SLex etc.) and fake things that way. I really don't care if I can't TP as long as my source code is safe.


Hey, man, screw it! Let the economy go STRAIGHT to hell, as long as dear Doc can teleport around Second Life in comfort. She'll enjoy all the businesses going belly up.

Hey, Doc, go buy a new router. SL is working fine over here.
_____________________