"Fixed An Exploit" - whaaaaa?

The data is stored on a commercial server.

The hack allowed the hackers to access the server as if they had administrator rights, which they did not.

But it didn't require administrator rights, or even same user rights to access the information, quite obviously. There was absolutely no authentication. There simply had to have been no authentication. You aren't too quick. Are you going to talk us into another circle?

What, exactly, do you think the hack was circumventing?

Is it possible, (I have no clue honestly) that LL adds permissions onto things like Apple's iTunes does?

For those who don't know, Apple sends the file to you when you buy it completely unencrypted. However, it is the client that actually adds the DRM to the end of the file.

If that's the same case for LL, then all that was needed was to circumvent the part that checked the permissions for viewing an object or its contents.

As for all the people who got stolen code out of this, sorry to hear it. Hope this doesn't discourage you to stop creating things.

To LL, it's gonna happen again the more SL and its property becomes worth something. Be prepared. No really. Be prepared!

To whomever did the hack, *nice* job! Tell all your buddies to come on down! We've got lots of code in SL that's worth some RL cash just waitin to be haxored!

<personal rant>

Do you think as many people would give a flying flip about this is L$ \= US$? Let's hope the L$ takes a nice big hit and we can go back to play time.

</personal rant>

You are pretty smart and are right on all counts.

I actually like the idea of people breaking shit and then we find out about it. We end up with better security this way.

I don't believe this to be a statement of fact.
/esc

Agreed. Anyone can get the source to AES. Doesn't make the keys any less secure... perhaps a little more security in LSL would not go amiss. MD5 checksums just don't cut it.

Yep, next time I rob a bank they should thank me for exposing the weakness in their security system

What you believe is irrelivant, it is, in fact, a statement of fact. PyMusique and SharpMusique take advantage of this.

Of course, Chip! Just the way Best Buy thanks me for conducting a "security audit" when I start slipping different pieces of electronic gear into my pants. Those loss prevention guys, man, they just love it when I do that!

Bill Linden

Well, true, I agree in some respect. You expose the vulnerability to LL, quietly (unless they don't listen to such things) or to the owners of the code you hacked(who will scream at LL for lack of security) and it will get fixed.

But they went about it differently, distributing their ill-gotten source code from people's products on the Internet and then gloating about it to several of those people. They aren't the Robin-Hoods you make them out to be.

Sorry cheap shot. Yes I am a sexist.
*slaps self on wrist*

Hi Aliasi,

I apologised above for the sexist remark, but such maliciousness is rarely a female thing.
I ceratinly could have made the point a bit kinder than I did. I was kind of upset at the time.

I would point out however that phreaking is a pretty tame and even "moral" occupation (to some) compared to this kind off hacking.

Stealing a phone call off Ma Bell is not the same as stealing thousands of dollars of work from a lot of creative geniuses. To me the old style phreaking and hacking was cool, many of the new ones I hear about are just plain mean IMO.

.

Thanks Angel, who's Bill Linden? Care to include some details?

That it is possible for something to lose value is not the same thing as not having any value. That's too idiotic to even dignify it with examples.

Wow, this certainally gives me pause.

I was under the impression the client side elevated privs hack was fixed discretely over a year ago. I never bothered to follow up on it though.

Very interesting and very scary. I suppose it's possible that it could be a different hack than the one I am thinking about .. but if thats the case then LL simply fixed the symptom and not the problem.

This whole thing has made me pretty skittish.

-AP

Actually, that is true - that is the reason somoene was able to make an alternative Itunes store client for Linux that allowed purchase of DRM free music.

I know exactly what I deserve, and it isn't ignorant insults.

I can document how much I was paid to build many items in SL, on an hourly basis in US dollars . . . with invoices, a hard-copy contract, and IRS reporting and all that happy crappy to back me up. That stuff was Work for Hire, though, so an institution scarier than me would be in a position to bring suit regarding copyright infringement if someone were to cop the work I did for them. You can bet I would gladly show up to testify and look the crook in the eye.



This here check on my desk was drawn on an account at a FDIC-insured bank.

On the precedent of proveable value, I could demonstrate what my other work here (or that of some other builders) may be worth . . . and it isn't Monopoly money.

To those who've been ripped off: My condolences. I hope that the crud who did this is brought to justice and that the losses can somehow be minimized. And in the face of ignorant, jeering posts from people who do not understand the value of your work . . . hugs.

ok maybe I should make myself clear. Since it seems this was not understood


THE GUY NEEDS HIS BALLS CUT OFF! HE SUCKS, SHOULD HAVE A MINI NUKE SHOVED UP WHERE THERE IS NO SUN AND HAVE IT SET OFF!

I'm not disagreeing with you guys in the least. I'm not saying "oh poor misunderstood hacker". What I am saying though is that everything is one sided here. I was merely trying to state something that may or may not have been thought of since many are obviosuly writing mad and in mass mob style.

Bra-fucking-vo. I've never heard it said better. Human life, human energy, human spirit and human effort are poured into some amazing Second Life projects. If excruciating human effort has no value to you, you have no value to me as a human.

Tell someone who has written 75,000 lines of code to bring a Second Life project to life that their effort isn't worth anything. Tell someone who has spent weeks on exhaustive QA that their work shouldn't be compensated. Tell someone who has spent days and weeks building, texturing and planning their community that this is "just a game." The secret that they have always known and that you will one day learn is that regardless of the notion that everything here is just for play, people with brains will seek eachother out and trade their hard work in exchange for the hard work of others. They will feed themselves with the work they know is their best value to trade. The medium won't matter, so long as it is populated, however sparsely, with like-minded individuals who know that to create is to sweat, to bleed, to cry.

Yeah, fu, it's not a lighthearted post. But I believe strongly in the individual, his rights and his limitless capacity for success. I'm never more enraged than when those values are trampled.

My friend gets paid to shop lift. LOL Worse part is when he used to take me with him "on the job".

*applause* The person who did this should have the hardcover edition of Atlas Shrugged forcefully inserted into his rectum.