"Fixed An Exploit" - whaaaaa?

Buggy how Blaze? Specifics please?

Regards,

-Flip

I would agree if they exploited some buffer overflow in the server to interupt service and to totally acquire control of the server. But editing the client to allow you to do something that the server will allow you to do reguardless of authorization is not "unauthorized access." There isn't wasn't any authorization occuring here to make it unauthorized.

This will never even make it into a grand jury because the state's prosecuters simply wouldn't care. I seriously doubt Linden Labs will try to make it into a criminal case.

Moopf, I think you're in the clear. IIRC, the code exploits affected:

SLboutique (our old vendor code; deprecated)
SLexchange (their ATMs)
Gigas/SecondServer (not sure exactly which parts)
Francis's Seburo & ROAM
Nexcom
Cubey's Flight Code
Crys's Scan Foo
Ginko ATM

I think I'm forgetting a few, but that's off the top of my head. To echo everyone else's sentiments, I hope the bastard gets nailed, nailed hard, and his name and information are released to those of us who were affected.

Regards,

-Flip

Actually, yes. Yes it is. As has been proven in courts time and time again.

This is absolutely unauthorized access. They modified compiled byte-code to exploit a security hole. What law school did you attend where the focus was on IT/IP law?

Not to mentopn the TOS forbids editing the client in any way.

As it has been edited and given out they have broken quite a few laws

What they cant get you for on one account they can get you on the other

As for a list of stolen lsl..

Cubey Terra Flight WARP,
Gigas Server,
Ginko ATM,
Gravity Gun,
Hug script,
LCC Vendor,
Nexcom 3,
Roam,
Scan Foo,
Seburo Compact-eXploder v.1.3.47i,
SL Boutique Vendor 0.7,
SL Exchange Terminal,
Splashable Water

Yeah, breaking Terms of Service is a criminal offence. Let's hope they don't cancel the hacker's service.



The code was local on their machine. They only changed the code so it would allow them to send something the second life servers already allowed them to do. For it to qualify as unauthorized access the hack would have to circumvent some form of authorization. In this case there was none.



Hurrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr


I will totally take your word for it!

Actually, it did circumvent the authorization. Only Linden accounts are supposed to be able to do what they did. Their hack WAS circumventing the authorization.

Sorry, try again.

Before you tell me how this works and why I'm wrong, do you even know how this exploit worked? I don't, and I'm going to guess you don't either. However, considering all it required was an edited client and from what I understand in no way involved manipulating the operation of the server I'm going to guess you don't have a leg to stand on.

Problem is that they probably did it to avoid hard work. Which is even more confusing if you ask me. I've known a few hackers, some of them do it just to say they did it.. others do it so they don't have to work hard at some game or another. This one strikes me as one of the former.. and a stupid idiot one at that. I mean, they could have sat there and done it for a heck of a lot longer making loads of L$ but they posted it?!

Sometimes stupidity winds up being a public service, don't you think?

Yes, they could have routed that desire to earn them lots of LEGAL $.. but few of them I've known has decided to go this route and the ones that did made a lot of money, without the fear of jail time and the cellmate named Bobby-Sue

One doesn't need to know how it worked; only only needs to observe the results. They were able to function as a linden does, without being constrained by the permissions system. Hence, their edit to the client gave them access to abilities that they were not allowed to have. Hence, unauthorized access.

I have two legs, thank you very much. You just keep on guessing, though.

Ned, what you're completely ignoring is the small matter of Theft of Intellectual Property. Never mind the legalities of hacking one's client -- theft of someone else's property is actionable. If the Linden's don't do it, I would expect (and encourage) the other aggrieved parties to work up a healthy class action suit. This scum needs to sorely regret ever doing this.

As for the reasons, has it not occurred to anyone else that if the hacker wanted to earn money, he/she would have kept it quiet? If it was just to see if they could do it, they did it -- but if they wanted some kind of idiotic "revenge" on Linden or SL members for some sick reason, then it makes complete sense that they would also publish the stolen code, thereby spreading their damage.

This was a revenge attack. Griefing on a thermonuclear scale. The logic behind it doesn't have to make any more sense than any other griefing that goes on in SL.

I don't think the courts will consider having increase abilities in a game as a result as evidence of unauthorized access. Now, if this attack had some how divulged account information or credit card numbers you may have a criminal case, but as it stands there is none.




You don't know what a class action lawsuit is, do you?

Where exactly is the code posted? Are you saying our GOM ATM source wasn't posted after all?

It's the same thing as managing to get adminstrator access on a system your not authorized to have it on. Which has been established in the legal system as forbidden.

After monitoring this thread for sometime. It really surprises me how some people go in such nit pick details about this very unfortunate event. In truth of the matter, if charges are to be made it will be at the hands of the Lindens and it will be for them to decide in what direction to pursue this if any. Even though possibly plausible, I don't believe those who are affected will pursue legal action. Very few of us are making money hand over fist, maybe enough to quit our day job. The execption maybe GOM, but they haven't pursued actions in the past.


I just want to offer my deepest regards to all those affected, your work has been stellar in which have touch and enhanced many of us in Second Life. Your work is appreciated. Thank You!

Ricky, I'm pretty sure LL already contacted everyone whose code was posted. There were rumors about GOM ATMs being one of them, but if you haven't been contacted then your code likely hasn't been compromised.

Yeah, man. A video game is just like an operating system on a production commercial server.

I think it would be a very, very, very bad idea to give that out here. If you REALLY have to know, take it to PM's please?

The code was posted on a publically available domain and the URL was given out int he #secondlife channel. The residents of that channel decided NOT to post anything about this until the patch was developed, to limit the bleeding.

Ricky, as far as I know, you haven't been hit. OTOH, who knows if there was more than one person using this exploit once it was released.

-Flip

Oh, let's be ultra-literal to sidestep the point. You don't know what the point is, do you?

What an excellent avatar name!

J

Second life is a commercial server.

I think it is entirely unrealistic to take this view that if SL closed there would there would be warning. The past 10 or so years of the internet have proven that warnings are highly unlikely. Also, this marketing of SL as a place a come earn real money will be SL's undoing. It is a very bad marketing strategy that causes disappointment, strife, and theft amongst new users.

Not the part altered by the exploit.