"Fixed An Exploit" - whaaaaa?

Moonshine Herbst
none
Join date: 19 Jun 2004
Posts: 483
07-18-2005 16:15
From: Enabran Templar
I hope the perpetrators are brought up on federal computer crime charges.

For once, I agree with Enabran. :) I not only hope, I EXPECT it. Laws should be pretty clear on this area in most civilized countries.
Aliasi Stonebender
Return of Catbread
Join date: 30 Jan 2005
Posts: 1,858
07-18-2005 16:20
From: Newfie Pendragon
Title says it all!

Whaaaa?

(translation: can we have some more detail here?)


- Newfie


I know a few details, but I'm not about to name names.

The short of it, or so I'm told, is someone distributed a hacked SL client that gave whoever used it Liaison powers. You know, take copies of any object, modify permissions at will, make L$ out of thin air, that kind of thing.

Obviously, Linden Labs doesn't much care for that and fixed it before the damage got too widespread.

EDIT: Gah, beaten to the punch!
Newfie Pendragon
Crusty and proud of it
Join date: 19 Dec 2003
Posts: 1,025
07-18-2005 16:28
From: Enabran Templar
The implications of an attack such as this are troubling indeed. I really, really want a statement from Linden Lab. I've spoken to some people who were affected by this breach. They're not exactly chipper about doing any future scripting projects.



Agreed - in this one matter I'll support the Lindens: they need to find the culprit, string 'em up by the short hairs and squeeze every ounce of pain out of them.

As for future scripts...I've never been too concerned with my scripts being stolen - I'll simply use it as an excuse to write yet something else original.


- Newfie
_____________________
pandastrong Fairplay
all bout the BANG POW NOW
Join date: 16 Aug 2004
Posts: 2,920
07-18-2005 16:37
WTF right does LL have fixing this bug when the critical issue of me being extremely hot and overtly sexy has not been resolved?!?!?!
_____________________
"Honestly, you are a gem -- fun, creative, and possessing strong social convictions. I think LL should be paying you to be in their game."

~ Ulrika Zugzwang on the iconography of pandastrong in the media



"That's no good. Someone is going to take your place as SL's cutest boy while you're offline."

~ Ingrid Ingersoll on the topic of LL refusing to pay pandastrong for being in their game.
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 16:39
LL needs to enable XML-RPC over HTTPS so people can verify transactions. In fact, I think I'll hotline this right now.

As for the rest.. well, I wouldn't worry too much about it. It's improbable that anything will come of it. People who can modify complicated scripts can generally write their own and are unlikely to risk getting involved with this sort of thing.
_____________________
Taken from the last paragraph on pg. 16 of Cory Ondrejka's paper "Changing Realities: User Creation, Communication, and Innovation in Digital Worlds":

"User-created content takes the idea of leveraging player opinions a step further by allowing them to effectively prototype new ideas and features. Developers can then measure which new concepts most improve the products and incorporate them into the game in future patches."
Escort DeFarge
Together
Join date: 18 Nov 2004
Posts: 681
07-18-2005 16:41
...someone dumped a few million linden on GOM a couple of days back... I hope there is no connection.
_____________________
http://slurl.com/secondlife/Together
Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
07-18-2005 16:41
From: Newfie Pendragon
As for future scripts...I've never been too concerned with my scripts being stolen - I'll simply use it as an excuse to write yet something else original.


- Newfie


Good attitude Newfie!!

If I do get my hands on some of the scripts, I will gladly turn them back over to their creators if I can and maybe hit some up for lessons. <winces as head hurts at the thought of trying to learn it> Or just trash it if need be. Either way works for me, since the idea of me learning to script is as laughable as my sister using photoshop.
_____________________
DiamonX Studios, the place of the Victorian Times series of gowns and dresses - Located at http://slurl.com/secondlife/Fushida/224/176

Want more attachment points for your avatar's wearing pleasure? Then please vote for

https://jira.secondlife.com/browse/VWR-1065?
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 16:44
From: Escort DeFarge
...someone dumped a few million linden on GOM a couple of days back... I hope there is no connection.


Pretty sure they run a script which constantly totals the amount of L$ in all accounts and if it doesn't match some amount then they red flag.

The only possible dupe bug in SL is if you create lots of new user accounts.
Hiro Pendragon
bye bye f0rums!
Join date: 22 Jan 2004
Posts: 5,905
07-18-2005 17:08
From: Enabran Templar

I hope the perpetrators are brought up on federal computer crime charges.

Agreed.

Can we start a thread just for people who will stand up and be part of a Federal criminal complaint to aid LL in prosecution?
_____________________
Hiro Pendragon
------------------
http://www.involve3d.com - Involve - Metaverse / Emerging Media Studio

Visit my SL blog: http://secondtense.blogspot.com
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
07-18-2005 17:09
o.O

You have GOT to be kidding me...

What kind of TWIT tries something like this, when the logs are going to lead right to his door? C'MON!

We're talking credit cards, traceable hostings, traceable SL connections...

GOOD LORD! How can someone be smart enough to do it and so incredibly STUPID to do it?

I see Linden cleats running at top speed and getting ready for a bristol stomp dance on someone's pin-head. No sympathy here, either.
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 17:11
It is a tad strange, when you think about the technical prowess required.

I guess the lure of the ultimate hack is too much for some people.

Though, could be an ex employee. That'd be unfortunate though, as you can get into pretty hot water because of the obvious motive.
Jarod Godel
Utilitarian
Join date: 6 Nov 2003
Posts: 729
07-18-2005 17:16
From: blaze Spinnaker
Pretty sure they run a script which constantly totals the amount of L$ in all accounts and if it doesn't match some amount then they red flag.
Yes, but if they have/had the GOM code for their ATM, then they might be able to dump code straight to GOM.

(I say this with the disclaimer that I could easily be wrong, depending on how many checks and balances there are between Second Life, the ATMs, GOM avatars, and GOM.)
_____________________
"All designers in SL need to be aware of the fact that there are now quite simple methods of complete texture theft in SL that are impossible to stop..." - Cristiano Midnight

Ad aspera per intelligentem prohibitus.
Burke Prefect
Cafe Owner, Superhero
Join date: 29 Oct 2004
Posts: 2,785
07-18-2005 17:18
Well, seeing how this is all news to me as I've been gone a whole three hours..

This sucks. Does this also explain certain pieces of source code hitting the open recently? I haven't managed to find any code myself (I'd sure like a peek at a few), but an exploit of this magnitude is agreeably grounds for an emergency patch. And I hope that LL will add measures to stop this (or, say, prevent altered versions of SL from even running).
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 17:18
Yeah, I hear a lot of "oh we're fine".

Who knows how truthful it is. Hopefully they're scraping the LL website a helluva lot more now.

I proposed this about two months after I joined SL. Unfortunately, the transactions section is buggy as hell. Hopefully that has been fixed.
Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
07-18-2005 17:19
From: Foolish Frost
o.O

You have GOT to be kidding me...

What kind of TWIT tries something like this, when the logs are going to lead right to his door? C'MON!

We're talking credit cards, traceable hostings, traceable SL connections...

GOOD LORD! How can someone be smart enough to do it and so incredibly STUPID to do it?

I see Linden cleats running at top speed and getting ready for a bristol stomp dance on someone's pin-head. No sympathy here, either.



Well, someone has a new story to tell their kids.. and it will begin with, "I was stupid, soo...."

Let's cheer the Lindens as they stop the idiot into jail.. or the poorhouse. Or give them the beat for the stomp!
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 17:20
From: someone
This sucks. Does this also explain certain pieces of source code hitting the open recently? I haven't managed to find any code myself (I'd sure like a peek at a few), but an exploit of this magnitude is agreeably grounds for an emergency patch. And I hope that LL will add measures to stop this (or, say, prevent altered versions of SL from even running).


Oh, come on. There's enough in the script library / wiki to cover anything you will see in these.

Other than a couple of volumedetect sploits that will no doubt get plugged eventually, you're not going to see anything new.

And if you try to re-use these scripts you will no doubt get banned permanently.

No, the only problem is the GOM / SLExchange / etc. But, again, if they scrape the transactions section everything should be fine.

Really, this is mere "sky is falling".
Jarod Godel
Utilitarian
Join date: 6 Nov 2003
Posts: 729
07-18-2005 17:21
From: blaze Spinnaker
Oh, come on. There's enough in the script library / wiki to cover anything you've seen.
People post SL client code to the script forums?
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 17:23
There is no SL client code as far as I know.
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 17:25
Oh right, and heck, now that I think about it, you'd have to forge an IP address to send the email from LindenLabs.

No doubt everyone checks the IP address of the source emails when they hit the server side. Forging that would be quite a feat.

LL should share this sort of security more with people to help strengthen the security of the economy.
Michael Psaltery
Registered User
Join date: 6 Jun 2004
Posts: 57
At the risk of a little heat
07-18-2005 17:27
As a security-minded individual and proponent of open-source technologies, many of which form the foundation of SL, I feel I should point out that good security can never be guaranteed through any level of obscurity.

As a creative person in SL, I don't want any of my work to be blatantly copied, and I make use of the tools Lindens have given us to prevent that, and I expect them to work.

But, I see the GOM terminals, etc, from a different viewpoint. There are ways to create tight code that enables secure transactions without the need for invisible code. Some of these that can be used even by inexperienced scripters include tactics like random channel selection for communications, checks for asset#, etc. Other more advanced techniques should not be beyond the abilities of the good people who have created these terminals, and should definitely be used. The responsibility is theirs to protect the assets entrusted to them by their customers.

In short, your code should be secure enough that you can freely allow me to see it, and I'd still be unable to take advantage of that. If it isn't, then you have not taken every measure to ensure my deposits are protected.

If anything, I think the lesson residents need to learn from this is that even trustworthy businesses are not infallible, and it wouldn't hurt vendors to open up their code a bit for peer-review with a focus on making it more secure, because the Lindens SHOULD be concentrating on fixing TPs and physics and all the other stuff that makes life here a worthwhile experience and not forced to deal with assholes who want to prove how l33+ they are.

Do I think the Lindens did the right thing patching this exploit as quickly as possible? Absolutely. I still applaud those who share their hard work so that others can learn and improve on it.
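The design Michael describes, a terminal whose safety does not rest on hiding its script, as an added LSL example that is not from this thread or from any actual GOM or SLExchange terminal. It assumes a hypothetical backend object owned by the same avatar as the terminal, listening on a hypothetical BACKEND_CHANNEL and answering "<nonce>|OK" on whatever channel the request names.

```lsl
// Added example, not code from the thread. Assumptions: a backend object owned
// by the SAME avatar as this terminal listens on BACKEND_CHANNEL (hypothetical
// constant, assumed to be public knowledge) and replies "<nonce>|OK" on the
// channel named in the request.

integer BACKEND_CHANNEL = -73519;   // hypothetical; secrecy of this value is NOT relied on

integer gReplyChannel;   // chosen at random per reset, never hard-coded in the script
integer gListenHandle;
key     gPayer;          // avatar whose payment awaits confirmation
integer gAmount;
string  gNonce;          // one-time token that must be echoed back in the reply

default
{
    state_entry()
    {
        // Negative channels cannot be typed into chat by avatars, and picking one
        // at random means two terminals running this same public code never collide.
        gReplyChannel = -2000000 - (integer)llFrand(2000000000.0);
        gListenHandle = llListen(gReplyChannel, "", NULL_KEY, "");
        llSetPayPrice(PAY_DEFAULT, [100, 500, 1000, PAY_HIDE]);
    }

    money(key payer, integer amount)
    {
        // money() is raised by the simulator itself, so payer and amount are
        // authoritative; nothing said in chat can fake this event.
        gPayer  = payer;
        gAmount = amount;
        gNonce  = (string)llGenerateKey();
        // The request is region-wide and may be overheard; that is acceptable,
        // because the listen() checks below do not depend on it being secret.
        llRegionSay(BACKEND_CHANNEL,
            gNonce + "|" + (string)gReplyChannel + "|" + (string)payer + "|" + (string)amount);
    }

    listen(integer channel, string name, key id, string msg)
    {
        // Check 1: the speaker must be an object, not an avatar. For an avatar,
        // llGetOwnerKey() returns the avatar's own key.
        if (llGetOwnerKey(id) == id) return;
        // Check 2: that object must belong to the terminal's owner. Anyone can read
        // this script and learn the channel; they cannot rez an object as our owner.
        if (llGetOwnerKey(id) != llGetOwner()) return;
        // Check 3: the reply must echo the nonce issued for the pending payment, so a
        // stale or replayed "OK" from an earlier deposit is ignored.
        list parts = llParseString2List(msg, ["|"], []);
        if (gNonce == "" || llList2String(parts, 0) != gNonce) return;
        if (llList2String(parts, 1) != "OK") return;

        llInstantMessage(gPayer, "Deposit of L$" + (string)gAmount + " confirmed.");
        gNonce = "";   // single use: a second identical reply does nothing
    }
}
```

The script can be handed out in full: an attacker who knows the channel and the message format still fails checks 1 and 2, which depend on object ownership enforced by the simulator rather than on anything the script keeps hidden.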
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-18-2005 17:31
Below is the text of Chris Linden's response to my request for a statement regarding today's events, as posted in the Hotline.


From: Chris Linden
We have focused our energy today on fixing the exploit. Because of this we have not had much time to communicate internally about what happened. I believe the correct approach, and a prudent one, is for Linden Lab to have a post-mortem on the issue internally. Once we have been able to look at the issue, how we resolved it, and investigated how we can prevent this type of exploit in the future, we will issue a statement to the public. I ask for your patience in this matter as it is in the best interest of both Linden Lab and our residents.

Thank you in advance for your patience and understanding.

Chris Linden
_____________________
From: Hiro Pendragon
Furthermore, as Second Life goes to the Metaverse, and this becomes an open platform, Linden Lab risks lawsuit in court and [attachment culling] will, I repeat WILL be reversed in court.


Second Life Forums: Who needs Reason when you can use bold tags?
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 17:32
From: Michael Psaltery
As a security-minded individual and proponent of open-source technologies, many of which form the foundation of SL, I feel I should point out that good security can never be guaranteed through any level of obscurity.


Yeah, I often hit it from that perspective too. LL is clueful about this too, I suspect. However, in the long run, this is the case. However, in terms of priority, sometimes security through obscurity helps you get stuff out there, get feedback.. spiral development methodology.

It's all about timing. But isn't everything?

From: someone

If anything, I think the lesson residents need to learn from this is that even trustworthy businesses are not infallible, and it wouldn't hurt vendors to open up their code a bit for peer-review with a focus on making it more secure, because the Lindens SHOULD be concentrating on fixing TPs and physics and all the other stuff that makes life here a worthwhile experience and not forced to deal with assholes who want to prove how l33+ they are.

Do I think the Lindens did the right thing patching this exploit as quickly as possible? Absolutely. I still applaud those who share their hard work so that others can learn and improve on it.


yeah. People could reverse engineer Java bytecode for the longest time and it was never an issue. Hell, JavaScript is totally open as well.

I honestly don't see this as the serious problem everyone is making it out to be. And I think that's the real risk, blowing this out of proportion.
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-18-2005 17:34
From: blaze Spinnaker
I honestly don't see this as the serious problem everyone is making it out to be. And I think that's the real risk, blowing this out of proportion.


Yeah, totally. The entirety of the Seburo source code is sitting on someone's hard drive right now. Not a big deal at all. :rolleyes:
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 17:37
oh come on, seburo is no big deal.

multithreaded rezzing of bullets .. la la.

honestly, there is no technology in SL that isn't a lot easier to rewrite than to risk stealing.
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-18-2005 17:39
stealing code is never really worth it. because at the point where it becomes worthwhile, it's so obvious you have stolen it.