Welcome to the Second Life Forums Archive

"Fixed An Exploit" - whaaaaa?

Prong Thetan
SimCast CEO
Join date: 22 May 2004
Posts: 168
07-18-2005 23:50
From: Jarod Godel
I'm not trying to justify any crimes, but it chills me to the core to look out on Second Life's economy -- an economy driven by people using cracked software, streaming copyrighted music and movies, selling images snagged from the web -- and then see people demanding that someone who exploited the game -- seriously, sue him for IP theft, but he didn't hack into anything -- be sent to jail and pounded in the ass.

I disagree, but have little hope of convincing anyone here of that.


Very interesting point Jarod...

Here is another point that is even MORE chilling...

How many of those people extracting a considerable RL income from Second Life are actually claiming those earnings on their tax returns? If for some reason this went to court, how many people would be charged with tax evasion because they never claimed the extra income on their tax returns?

I would caution against mentioning SL to RL incomes in a public forum :)

Please do carry on...

Just my two cents... I think Martha Stewart is looking for a cell mate - LOL
_____________________
SimCast Entertainment:

Cutting edge game development in Second Life.
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
07-18-2005 23:51
Wow, I go to sleep and all hell breaks loose in the meantime. Does anybody know what object code has been released at all? I'd obviously be keen to know if anything of mine has been open sourced for me!

I'm going to be really interested to see LL's response to this over the next few days.
_____________________
Shei Domino
hi
Join date: 3 Aug 2003
Posts: 41
07-18-2005 23:52
From: Buster Peel
That's just stupid. Anything that people are willing to pay real money for by definition has value, and in the eyes of the law, is exactly the same as money.

Haha, yeah I guess you've got a point there! Silly me overlooking that obvious fact!
So I guess if the Lindens shut down SL, they'd owe Anshe Chung some US$50,000+, right? Because it's her property, and all. They can't just delete it, right?
Buster Peel
Spat the dummy.
Join date: 7 Feb 2005
Posts: 1,242
07-18-2005 23:57
From: Jarod Godel
He's not a thief. He didn't steal anything. Stealing is typically proven when you say, "Hey, I had something, but another person took it from me!" If we're going to play that card, then I think someone needs to charge the Lindens with theft by way of criminal neglect. After all, how many dollars worth of merchandise has been lost, nay, stolen because of the faulty asset server?

He's guilty of invasion of privacy, sure. He's a counterfeiter, if he created any Lindens and if the California legal system recognizes the Linden as hard currency, sure. He definitely violated the terms of service. However, I'm not even sure if what he did can be considered cracking. He found a hole and created a game exploit around it, this happens all the time in other MMOG's. Back in Asheron's Call, people completely devalued several items due to bugs, but no one ever called them thieves.

Unless you can prove he (or she) has cost more loss than the asset server has, calling him (or her) a thief is ridiculous.

You're wrong. Theft of intellectual property is theft; there are plenty of people in jail for stealing copies of data or source code. You are saying stealing intellectual property is only a crime if you erase the victim’s hard drive or something?

Exploiting a hole in an online service by modifying software supplied by the service provider is also a crime. It is a crime in other MMORPG’s also, equally a crime for any online service of any kind. That such cases are rarely prosecuted does not make them any less a crime.

It is not uncommon for software to have bugs. Bugs in SL are accidents, not "theft". If Linden makes diligent efforts to track down and prevent bugs, which I believe they do, they aren't guilty of gross negligence either.

Your argument that stealing intellectual property from Linden Labs and SL residents should be compared to the effect of unintentional software bugs in order to decide if it's a crime or not is absolutely ridiculous.

A couple of people in this thread have serious difficulty understanding the difference between right and wrong. Criminals often say, "the victim had it coming". People who think that's a reasonable argument are themselves just one stupid move away from jail time.

Buster
Buster Peel
Spat the dummy.
Join date: 7 Feb 2005
Posts: 1,242
07-18-2005 23:59
From: Shei Domino
Haha, yeah I guess you've got a point there! Silly me overlooking that obvious fact!
So I guess if the Lindens shut down SL, they'd owe Anshe Chung some US$50,000+, right? Because it's her property, and all. They can't just delete it, right?

No, actually they can shut down SL any time they want, and there's nothing Anshe can do about this because Anshe *AGREED* to this under the TOS.
Catherine Cotton
Tis Elfin
Join date: 2 Apr 2003
Posts: 3,001
07-19-2005 00:09
And that is exactly why I won't buy 10 islands.
_____________________
Sunshine Clio
Easily Amused
Join date: 21 Nov 2004
Posts: 160
07-19-2005 00:12
From: Shei Domino
<snip>
If someone did something against the rules of SL, I think SL is the appropriate place to deal with that. Pressing federal charges would be entirely bogus. If any damage was caused, it was to people's "property" in SL, which they have basically no right to anyway! But that's not the way it is, so I don't see how criminal charges under the jurisdiction of any nation on earth would be at all legitimate.


Perhaps this argument could stand if they find no laws were broken and IF they had posted the information to our closed community forums. Instead it was (at least from what I've read on the boards) posted to a publicly viewable website for anyone to see & obtain the previously private information. Right there is a blatant crossing the line outside SL. So I disagree with you. If they've broken laws they deserve to be charged.

On the website are these huge grand numbers "Transactions Today (US$): 74,329.54" Eventually finding a way to get some of that may be very tempting to someone with actual hacking abilities and the ability to keep their mouth shut. Unlike many I'm not against hacking* when it's used to make the things we do more secure. Had they hacked the SL client AND gone only to Linden Labs and reported to them security flaws and told no one else I think they would have been doing a favor to the community in the long run.
There are so many above average technically capable people here that I'm a bit surprised it hasn't happened before. Honestly, until they stop advertising SL as a place to make tons of real money we can't be surprised that stuff like this happens. Shocked? Yes. Horrified? Yes. Surprised? No.

-Sun


*ideally when legally employed to be doing so
Vestalia Hadlee
Second Life Resident
Join date: 19 Oct 2004
Posts: 296
07-19-2005 00:15
From: Jarod Godel
If someone pays for SL, pays them to maintain their inventory -- many items therein being purchased for real money -- and then SL loses them, that's a breach of contract.

From: Jarod Godel
If we're going to play that card, then I think someone needs to charge the Lindens with theft by way of criminal neglect. After all, how many dollars worth of merchandise has been lost, nay, stolen because of the faulty asset server?

From: Jarod Godel
Two words: criminal neglect.
Three words: breach of contract.
Four words: those are crimes too.

Not if you've previously agreed that all data residing on Linden's servers is temporary, may be erased at any time, and has no intrinsic value it's not.
_____________________
"Antipathy...against another disposes each more readily to offer insult and injury, to lay hold of slight causes of umbrage, and to be haughty and intractable when accidental or trifling occasions of dispute occur." -- George Washington, Farewell Address 1793
Eboni Khan
Misanthrope
Join date: 17 Mar 2004
Posts: 2,133
07-19-2005 00:18
From: Catherine Cotton
I said that the GOM was hacked several times. You asked for some links. I gave you a damn good article. Which you apparently didn't read. Just because you would like ppl to jump through hoops for you doesn't mean they will. I am not providing you with several links. Do your own damn homework woman.



It didn't happen several times, you lied.
_____________________
Shei Domino
hi
Join date: 3 Aug 2003
Posts: 41
07-19-2005 00:19
From: Buster Peel
No, actually they can shut down SL any time they want, and there's nothing Anshe can do about this because Anshe *AGREED* to this under the TOS.

When using the Service, you may accumulate treasure, experience points, equipment, or other value or status indicators and contribute to the environment ("Accumulated Status"). THIS DATA, AND ANY OTHER DATA RESIDING ON LINDEN'S SERVERS, MAY BE RESET AT ANY TIME FOR ANY OR NO REASON. ALL CHARACTER HISTORY AND DATA MAY BE ERASED IN WHICH CASE EACH CHARACTER MAY BE RESET TO NOVICE STATUS. YOU ACKNOWLEDGE THAT, NOTWITHSTANDING ANY COPYRIGHT OR OTHER RIGHTS YOU MAY HAVE WITH RESPECT TO ITEMS YOU CREATE USING THE SERVICE, ALL OF YOUR CONTENT AND ACCUMULATED STATUS HAS NO INTRINSIC CASH VALUE AND THAT LINDEN DOES NOT ENDORSE, AND EXPRESSLY DISCLAIMS (SUBJECT TO ANY UNDERLYING RIGHTS IN THE CONTENT), ANY VALUE, CASH OR OTHERWISE, ATTRIBUTED TO CONTENT OR ACCUMULATED STATUS.

Looks to me like she agreed to the fact that nothing she could own in SL could be of any intrinsic value! Regardless of whether we all lose all our "accumulated status" due to Linden Labs shutting the place down or due to some illegitimate action in-game, I think there's basically nothing that could happen in SL that would constitute legal damages.
Sunshine Clio
Easily Amused
Join date: 21 Nov 2004
Posts: 160
07-19-2005 00:26
From: Shei Domino


Looks to me like she agreed to the fact that nothing she could own in SL could be of any intrinsic value! Regardless of whether we all lose all our "accumulated status" due to Linden Labs shutting the place down or due to some illegitimate action in-game, I think there's basically nothing that could happen in SL that would constitute legal damages.


Since you are digging around in the TOS look up the part about intellectual property rights. :)

-Sun
Vestalia Hadlee
Second Life Resident
Join date: 19 Oct 2004
Posts: 296
07-19-2005 00:39
From: Prong Thetan
Very interesting point Jarod...

Here is another point that is even MORE chilling...

How many of those people extracting a considerable RL income from Second Life are actually claiming those earnings on their tax returns? If for some reason this went to court, how many people would be charged with tax evasion because they never claimed the extra income on their tax returns?

I would caution against mentioning SL to RL incomes in a public forum :)

Please do carry on...

Just my two cents... I think Martha Stewart is looking for a cell mate - LOL

It's chilling only if one believes that many people earning considerable income from SL are dishonest and prone to commit a felony.

What I find chilling is that people regularly wonder about this question and appear to relish the gloating-potential of it all.
_____________________
"Antipathy...against another disposes each more readily to offer insult and injury, to lay hold of slight causes of umbrage, and to be haughty and intractable when accidental or trifling occasions of dispute occur." -- George Washington, Farewell Address 1793
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
07-19-2005 00:56
From: Shei Domino
When using the Service, you may accumulate treasure, experience points, equipment, or other value or status indicators and contribute to the environment ("Accumulated Status"). THIS DATA, AND ANY OTHER DATA RESIDING ON LINDEN'S SERVERS, MAY BE RESET AT ANY TIME FOR ANY OR NO REASON. ALL CHARACTER HISTORY AND DATA MAY BE ERASED IN WHICH CASE EACH CHARACTER MAY BE RESET TO NOVICE STATUS. YOU ACKNOWLEDGE THAT, NOTWITHSTANDING ANY COPYRIGHT OR OTHER RIGHTS YOU MAY HAVE WITH RESPECT TO ITEMS YOU CREATE USING THE SERVICE, ALL OF YOUR CONTENT AND ACCUMULATED STATUS HAS NO INTRINSIC CASH VALUE AND THAT LINDEN DOES NOT ENDORSE, AND EXPRESSLY DISCLAIMS (SUBJECT TO ANY UNDERLYING RIGHTS IN THE CONTENT), ANY VALUE, CASH OR OTHERWISE, ATTRIBUTED TO CONTENT OR ACCUMULATED STATUS.

Looks to me like she agreed to the fact that nothing she could own in SL could be of any intrinsic value! Regardless of whether we all lose all our "accumulated status" due to Linden Labs shutting the place down or due to some illegitimate action in-game, I think there's basically nothing that could happen in SL that would constitute legal damages.


Did you not catch the "notwithstanding" portion? Or...?
_____________________
From: Hiro Pendragon
Furthermore, as Second Life goes to the Metaverse, and this becomes an open platform, Linden Lab risks lawsuit in court and [attachment culling] will, I repeat WILL be reversed in court.


Second Life Forums: Who needs Reason when you can use bold tags?
Catherine Cotton
Tis Elfin
Join date: 2 Apr 2003
Posts: 3,001
07-19-2005 01:00
Quote:
Originally Posted by Catherine Cotton
I said that the GOM was hacked several times. You asked for some links. I gave you a damn good article. Which you apparently didn't read. Just because you would like ppl to jump through hoops for you doesn't mean they will. I am not providing you with several links. Do your own damn homework woman.



From: someone
It didn't happen several times, you lied.
eboni

----------------------------------------------------------
Do not call me a liar. If you had looked it up on Google as I had mentioned you to do you would have found these links. Unfortunately you didn’t do that so I will post 2 more links. Libel noted and saved.

http://www.dragonscoveherald.com/blog/index.php?p=447

You may however imply that the SL Herald is lying all you wish.

Here is a direct quote from that article:


9/22-04
"As Dan Hunter has reported on Terra Nova, the Linden dollar/US dollar money exchange, Gaming Open Market, has been hacked again. Thankfully, the Lindens are working with Jamie Hale (aka Zeppi Schlegel) to rectify the situation. Obviously we are going to see a few of these episodes before we get the kinks out and the security up. Hopefully everyone will have enough patience to see this through."

The word "again" implies it has happened more than once.



6-22-04

http://www.alphavilleherald.com/archives/000302.html

“Our friends at Gaming Open Market have suspended trading in all game currencies except Second Life Lindens after being defrauded for $3K US by a buyer of ISK and SWG credits. As might be expected, it is the usual scam taking advantage of the fact that PayPal refuses to honor purchases of "virtual" goods. (Remember Julian Dibbell's problem with this last October?). Also, as might be expected, the lazy fucks at Sony are doing nothing to help GOM in this matter. Kudos once again to Linden Lab for being supportive of GOM. Jamie Hale's press release follows.”



I shall not reply to you again as IMO you add nothing to these forums but unconstructive hatred. It was an error on my part to ever reply to this type of poster.

------------------------------------
To the poster of this forum I am sorry if this is even a tad off topic. Please continue it's a good discussion :)

Cat
_____________________
Ned Ludd
Registered User
Join date: 30 Dec 2004
Posts: 33
07-19-2005 04:11
From: Sunshine Clio

On the website are these huge grand numbers "Transactions Today (US$): 74,329.54" Eventually finding a way to get some of that may be very tempting to someone with actual hacking abilities and the ability to keep their mouth shut.


Uhhhh... no. Linden dollars aren't nearly liquid enough to the point where you would see even a hundredth of that 75,000$.

In times of crisis, people tend to imagine things or know things that they don't. There are lots of people making this issue much larger than it really is. The game wasn't hacked apparently. It was only the client. There is absolutely no way you will get this guy in criminal court because the hacker didn't do anything to deserve it. This exploit is 99% Linden Lab's fault. I don't know what the person edited in the client executable to do this, but under no circumstances should the server have ever sent no modify scripts to clients that do not own them.

I can think of a few ways this could have been accomplished with a client hack:

1. Forging player IDs to trick the server into thinking you owned the script
2. Hidden variable in client that enables "god mode." This means the server's basic administration could be exposed with absolutely no authentication and that administrative packets require no authentication and that the general user client is shipped with hidden administrative interfaces.
3. The server sends all the scripts to the client and the permissions just filter out which ones you are allowed to see. The scripts could still be plucked with a packet sniffer.
4. Script permissions were managed client side.

All of these methods are stupid and the fact that any one of them is allowed by the server means there are probably far worse things lurking in the server software that Linden Labs doesn't know about like buffer issues that would allow an attacker to take over their machines. I say "Linden Labs doesn't know about" because whoever programmed this game had to have known about this issue before it happened. There is simply no way they couldn't have. And since this game was probably programmed by a team of people who had to develop standards for client/server negotiations the fact that this slipped by multiple people makes me extremely angry.
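
The following Python example is added here; it is not from the thread or from Linden Lab's code. It contrasts a server that ships every script and leaves filtering to the client (items 3 and 4 in the list above) with one that takes identity from a verified session rather than a client-supplied ID (item 1) and withholds no-modify source from non-owners. All names, the token format, the access rule and the sample scripts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical server-only secret; it never ships inside the client.
SERVER_KEY = secrets.token_bytes(32)

@dataclass(frozen=True)
class Script:
    script_id: str
    owner_id: str
    modify_allowed: bool  # False models a "no modify" script
    source: str

# Constructed sample inventory, not real Second Life content.
SCRIPTS = [
    Script("s1", "alice", False, "// alice's no-modify vendor script"),
    Script("s2", "alice", True, "// alice's freely modifiable door script"),
    Script("s3", "bob", False, "// bob's no-modify script"),
]

def _mac(agent_id):
    return hmac.new(SERVER_KEY, agent_id.encode(), hashlib.sha256).hexdigest()

def issue_session(agent_id):
    """Called after login: bind the agent ID to a MAC only the server can make."""
    return f"{agent_id}:{_mac(agent_id)}"

def authenticate(token):
    """Return the agent ID if the token's MAC verifies, else None."""
    agent_id, _, mac = token.rpartition(":")
    ok = hmac.compare_digest(mac.encode(), _mac(agent_id).encode())
    return agent_id if ok else None

def fetch_client_filtered(claimed_agent_id):
    """Flawed design: trusts a client-supplied ID and sends every source,
    relying on the client to honour the 'hidden' flag."""
    return [
        {"id": s.script_id, "source": s.source,
         "hidden": not (s.modify_allowed or s.owner_id == claimed_agent_id)}
        for s in SCRIPTS
    ]

def fetch_server_enforced(token):
    """Hardened design: identity comes from the verified session, and
    source the requester may not read never leaves the server."""
    agent_id = authenticate(token)
    if agent_id is None:
        raise PermissionError("invalid session token")
    return [
        {"id": s.script_id,
         "source": s.source if (s.modify_allowed or s.owner_id == agent_id) else None}
        for s in SCRIPTS
    ]

def sources_on_wire(response):
    """IDs whose source text is present in the response, whatever flags say."""
    return sorted(r["id"] for r in response if r["source"] is not None)

if __name__ == "__main__":
    print(sources_on_wire(fetch_client_filtered("mallory")))
    print(sources_on_wire(fetch_server_enforced(issue_session("mallory"))))
```
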
blaze Spinnaker
1/2 Serious
Join date: 12 Aug 2004
Posts: 5,898
07-19-2005 04:14
From: someone

are lots of people making this issue much larger than it really is


amen.
_____________________
Taken from the last paragraph on pg. 16 of Cory Ondrejka's paper "Changing Realities: User Creation, Communication, and Innovation in Digital Worlds":

"User-created content takes the idea of leveraging player opinions a step further by allowing them to effectively prototype new ideas and features. Developers can then measure which new concepts most improve the products and incorporate them into the game in future patches."
Ned Ludd
Registered User
Join date: 30 Dec 2004
Posts: 33
07-19-2005 04:24
From: blaze Spinnaker
amen.

I meant in regard to the action the hacker had to take to do this. The fact he was able to do it is Linden Labs' fault. The actions the hacker took with this are a big deal, but nothing you could end up in criminal court for.

We could have some major problems down the road because some of the scripts stolen aren't going to be secure simply because SecondLife residents shouldn't be required to write secure scripts and often don't.

This is a big deal.
Sunshine Clio
Easily Amused
Join date: 21 Nov 2004
Posts: 160
07-19-2005 04:28
From: Ned Ludd
Uhhhh... no. Linden dollars aren't nearly liquid enough to the point where you would see even a hundredth of that 75,000$.

In times of crisis, people tend to imagine things or know things that they don't.


Oh no, I realize they aren't that liquid. But an outsider reading the articles that seem to mention SL as the land of money making and then seeing those kinds of numbers is bound to tempt someone smart who may try. My only point was that it's surprising this is the first time (publicly anyway, don't want to assume) that anyone has tried anything of this nature.

I'm not chicken little-ing, just talking out loud a bit I guess. :)

-Sun
Katja Marlowe
Registered User
Join date: 15 Apr 2005
Posts: 421
07-19-2005 04:34
From: Raudf Fox
All of our avs the moment they hit a PG area?

Actually, the server needs the client to handle a certain amount of info, such as permissions. Either on downloading a "copy" of the most handled items or just bits of character info. Sadly, some 30-something with the mentality of a selfish 2 year old, has to prove they are better than us by seeing to it hard works get poured down the drain...



You know, the thing that always gets me about that stuff, is that the effort put into that, could have been the same effort that others here have put into their codes/scripts/designs etc, and they could be making $ too. Instead, now they could be caught and be in legal trouble. Makes you wonder about genius :P

and yeah it's been a while, but I'm back *i think*....

kat
Katja Marlowe
Registered User
Join date: 15 Apr 2005
Posts: 421
07-19-2005 04:36
From: Sezmra Svarog
What a way to turn a serious issue into a personal pity party.

I'll take TP problems over blatant THEFT any day. :eek:


I don't even develop and I'd sure as hell want tp problems any day.
Katja Marlowe
Registered User
Join date: 15 Apr 2005
Posts: 421
07-19-2005 04:42
From: Chip Midnight
Nah, because she's right and she knows it. How many female hackers or virus writers have been arrested and jailed? I don't know of any.


Actually if a friend I used to have is to be believed, a lot of hackers are recruited by the FBI with a choice of working for them or going to jail.....maybe that's where some of our female hackers go to?
Katja Marlowe
Registered User
Join date: 15 Apr 2005
Posts: 421
07-19-2005 04:47
From: Chip Midnight
It's not monopoly money to people who are making hundreds of real dollars a week from SL. It's part of their livelihood.



Or their ENTIRE livelihood. And I doubt SL would shut the doors without warning on people, since part of their selling point is that you can make RL money with SL.
Jamie Bergman
SL's Largest Distributor
Join date: 17 Feb 2005
Posts: 1,752
07-19-2005 06:01
From: Escort DeFarge
...someone dumped a few million linden on GOM a couple of days back... I hope there is no connection.


My thoughts EXACTLY!!!!!
Apotheus Silverman
I write code.
Join date: 17 Nov 2003
Posts: 416
07-19-2005 06:12
From: Ned Ludd
The game wasn't hacked apparently. It was only the client. There is absolutely no way you will get this guy in criminal court because the hacker didn't do anything to deserve it. This exploit is 99% Linden Lab's fault.

You are quite wrong here. As has been proven in courts all around the world countless times now, unauthorized access is unauthorized access regardless of the means taken to do so. Your personal feelings of "the hole was wide open, so it wasn't the hacker's fault" mean nothing.
_____________________
Apotheus Silverman
Shop SL on the web - SLExchange.com

Visit Abbotts Aerodrome for gobs of flying fun.
Apotheus Silverman
I write code.
Join date: 17 Nov 2003
Posts: 416
07-19-2005 06:14
llEmail() security enhancement proposal that allows programmatic verification of the sending object:
/13/2b/54398/1.html

This could help curb security breaches in the future for systems that rely on llEmail().
_____________________
Apotheus Silverman
Shop SL on the web - SLExchange.com

Visit Abbotts Aerodrome for gobs of flying fun.