"Fixed An Exploit" - whaaaaa?

Chip is definitely good people.

I'm going to play devil's advocate here, though I am completely in agreement that the nitwit that did this needs to encounter the working end of a red-hot poker. Having said that:


When one gets into a contract, they are making a commitment to perform their agreed to tasks - in this case building in-world content. As is stated in the user agreement (which we all had to agree to on initial joining of SL), the Lindens can shut down the whole system for any reason, at any time, with or without notice. That means that you in essence made a contract agreement based on the assumption that SL, your access to it, and your content would exist all the way through to the end of the contract. An assumption which, btw, you agreed upon joining SL may very well turn out false.

So if property goes kaput in the system, for *any* reason, is LL responsible? Nope, they warned that may happen. Does your r/l client who contracted r/l money know you made a promise (contract) you might not be able to keep? Probably not. Is there a clause in the contract that says you're not responsible if SL suddenly disappears? I would guess not either. (Please correct me if I'm wrong on that).

To me, it's sounding like the person that should be sweating here is the person that issued that pretty FDIC-backed cheque, rather than the person it's aimed at. I'm betting your customer wont be looking to LL for compensation if you breach your contract.


- Newfie

Whilst what I believe may be irrelevant, I assume therefore you have heard of Harmony and therefore will realize that the statement was false.

Thanks for your tip, Newfie. Fortunately, the university that hired me and I had the foresight and acumen to agree on a clause that says if a LL gridmonkey trips over the power cord and the world ceases to exist I will be responsible for the acquisition and expense of the crayons and construction paper I'll require to continue my work during the downtime; however, they will pick up the cost of the tin cans and string required to discuss the workaround.

Anyway, if you'd like to publicly post the details of your RL biz contracts, too, maybe you should start a new thread . . . I think this is getting off topic.

Sounds like unauthorized access to me...

Yes, unauthorized access, but not grounds for any type of major criminal charges i.e. no one's gonna get sued for lost of profits ingame.

Breaking and entering? Possibly.

But then again, I seriously doubt it. This kind of thing has happened in other online places before and always the result is an account suspension/ban and that' the end of that.

Problem is, this is just the first attempt.

There will be others.

One will succeed, and LL won't know it.

That's what worries me more. Not this act, but the ones to come, and the system to deal with them not being in place.

Nala, incase you didn't see...so far what's been done...

ok looking at the press style release above there is no ground for anything other then what LL did. LL was not harmed financially nor were they denied access to thier own systems. Also since LL does not support $$ to L$ or reverse transactions (They do not own GOM) there is no loss to the enduser.

LL did the right thing AND DID IT WELL

anyone that has delt with majorly hacked games will tell you that a 24 hour response time is amazing.

Definitely. I wonder how they'd go about supplying information to anyone who decided to pursue legal action.

By thier own TOS....subpoena. ISPs can't release any information for any reason even if justified without one.

Yes, and you agreed that is was when you installed the client software...



This and the rest of the TOS which you may have neglected to look over before starting your account can be found here https://secondlife.com/tos.php. I suggest you have a look before you make any unwise decisions based on what you 'think' you are allowed to do regarding Second Life. Opening an account, installing and using their software binds you to this agreement legally.

pwned

A breach of the TOS isn't a breach of the law - well certainly not criminal law.

Unauthorized access of data on a remote system is a criminal offense. I have rules for my house that say you're not allowed to steal the television. My rules sure aren't the law, but you can bet I'm calling the cops if you make off with my tube.

It's one thing to make something do what it's not meant to. If that something is able to do something illegal, it's quite another to distribute it.

It would have been far more prudent and still had satisfied any curiousity if this individual had simply notified LL anonymously.

Bill Linden was fired in beta and wiped from history due to malicious actions against a resident. I am in no way saying Bill Linden was involved with this situation.

Thanks for the details.

Yes but it sounds like the data was transmitted and then decoded client side from the press style release that was given out.

Philip said explicitly that the server was tricked into sending the contents of the script. That is, the contents of a script would never have been transmitted under normal circumstances. There was nothing about encryption mentioned, only that a "complex series of actions" convinced the asset server to send the contents of the scripts. This fits the bill of unauthorized access to private data on a private network.

It is no better than my prowling around some poor pensioner's apartment and making Xerox copies of her personal documents, leaving through the door whose lock I jimmied, and posting her documents on the town square. People get nailed for that sort of behavior.

Ok then in that case you are right. Sorry must have missed that part between calls here at work. *soup nazi voice* "NO DSL FOR YOU!"

Not in all cases no, but a breach of contract (which is what the TOS is) can open up a person to certian liabilities as stated within the contract. If a software company holds all the rights to their software, and deem it within its usage contract (TOS) to be unlawful to tamper with it in any way, it is unlawful, and therefore a "breach of the law" criminal or otherwise to be decided by the courts.



quote taken from http://www.yalelawjournal.org/archive_abstract.asp?id=303

so.. evidently, yeah, modifying -- ie. reverse engineering, copyrighted software without permission of its creator is, infact, outlawed ("breach of the law" so in this case the breach of the TOS that I was referring to is a breach of the law..

Blaze, I have to believe you don't conduct business on SL, or perhaps you haven't thought this through.

Seburo isn't just a gizmo on SL. It is a device that someone went to the trouble and sweat to design, market, support, update, etc etc. They make their LIVING off these devices.

Blaze, how about someone comes and rips of your paycheck for the next 6 months. Would that concern you? In RL terms, this is called a Computer Crime. It is a Federal crime that can carry a coupla decades of real prison time.

So it IS a pretty big deal.

------ After posting note...

Durn. 14 pages in this thread? LOL

Hey, here's what I understand of all this:

The people that did this obviously intended to do it, knew what they were doing, knew the potential consequenses of their actions. As Foolish Frost pointed out, they were stupid as a box of rocks, but there you go. Criminals aren't known for having exceptional common-sense.

It's great that Linden Labs got on this so quickly, and it's great that these people were permanently banned from Second Life. But it's not enough.

The damage is permanent. Since they apparently sent out this source code across the internet, their intent was to do harm, both to individuals and to Second Life, and they used their computers to do so. That is a Federal offense with (if I remember correctly) a 20 year slam to make it stick.

These people should have immediately been reported to the FBI, their computers confiscated, and shown what happens to people who intentionally try to damage the lives of others. I have no compassion for such people.

As for how far-reaching this damage is... it is hard to tell at this point. As far as I know, even GOM and IGE has to verify transactions with the user online during a sale. So it is POSSIBLE the code will not allow account access.

HOWEVER, it is also possible that these high-power codes might be exploited and the entire Second Life system compromised, which will effectively put an end to the economic system on SL. It will have to be shut down, completely redesigned and rewritten (if implemented at all) and people who make their livings off of SL will suffer tremendously.

I do know the value of the L$ is dropping. Whether or not this is a related issue or not, I don't know.

I would fully expect Linden Labs to file charges to the hilt, to set an example with these people. However, I am also concerned about a certain aspect of Second Life, and I will cover that in the next message.

I have been concerned for several days now, ever since I learned that part of the Linden "God" powers *includes the ability to read/modify/copy nomod/nocopy items, including scripts and objects*.

In other words, if I send a nomod/nocopy item to a Linden, they have the full ability to copy/mod it to their heart's content.

Even Lindens should not have this power. It is not their script, it is not their build, they have no rights to my intellectual property.

Since from what I've heard (I don't know first-hand) it was an aspect of this God-power that these people exploited, I can now see why I became concerned as soon as I heard of this fact.

IMHO: the only one who has rights to examine a script, to reproduce an object, to override permissions-- is the BUILDER of that item. There may be one or two Lindens who have that extreme power in an extreme emergency (such as if someone uses a script to nuke a sim and Lindens have to find out how it was done), but it certainly should not be under the control of anyone but VERY limited high-security, high-executive privilege.

It honestly makes me wonder how many other security risks exist on SL. If this was not an economy-based board, I wouldn't worry. But since it is, and since we are all aware of a number of basic common-sense design flaws in SL, I have to wonder what other security risks might exist on the system.

By court subpoena in calif. court - if possible.

Will have to involve US$ damages...Not what if's...

Of course they have that right...


...