Welcome to the Second Life Forums Archive


More scripts to be released?

Devlin Gallant
Thought Police
Join date: 18 Jun 2003
Posts: 5,948
07-20-2005 09:23
Hackers should get capital punishment.
_____________________
I LIKE children, I've just never been able to finish a whole one.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 09:27
From: Cristiano Midnight
So why don't you say more about this to the Lindens, to help them resolve this? Or is it just more fun to play the "hahah I know stuff that you don't know" game and talk about how kewl the loser who did this is?

Actually, I told the lindens everything I know, they told me not to talk about it with anyone, so that's why I can't say too much here.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 09:28
From: Antagonistic Protagonist
Nimrod, either post something if you know something or shut the F up.

I can't imagine who could possibly be preventing you from posting what you know, *IF* you know anything.

Full disclosure or don't waste our time. A subject like this is too serious for anything else.

Like I told cristiano, I can't tell you because the lindens (er.. a linden) told me not to.
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
07-20-2005 09:29
From: nimrod Yaffle
Actually, I told all the lindens everything I know, they told me not to talk about it with anyone, so that's why I can't say too much here.


Well that is good at least - I am fine with you not disclosing what you know, as long as you have told them.
_____________________
Cristiano


ANOmations - huge selection of high quality, low priced animations all $100L or less.

~SLUniverse.com~ SL's oldest and largest community site, featuring Snapzilla image sharing, forums, and much more.

nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 09:34
Ignore this...
Ellie Edo
Registered User
Join date: 13 Mar 2005
Posts: 1,425
07-20-2005 09:41
From: nimrod Yaffle
Ignore this...
SHAN'T ! (and didn't)
_____________________
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 09:41
From: Ellie Edo
SHAN'T !

lol, sry
Jarod Godel
Utilitarian
Join date: 6 Nov 2003
Posts: 729
07-20-2005 09:52
From: Cristiano Midnight
My geek side thinks it is a waste of technical brilliance to do nothing but hurt people.
I think it's a waste of something to show up in #secondlife and start bragging about it. It's stupid. However, I disagree that it's a waste of "technical brilliance" to pick something apart. I think it shows amazing dedication, attention to details, and astounding technical acumen.

The Lindens banned five accounts. Unless all of those were alts, maybe, just maybe, one of those guys was someone who, right now, is slapping his friends on the back of the head. For all we know, it was two different people: one who found the bug and another who exploited it.

That said, I don't think the guy who found the exploit is a loser, but I think the guy who exploited the exploit is.

From: Cristiano Midnight
To draw an extreme parallel, the coordinated attacks on 9/11 were spectacular from a purely strategic angle - it doesn't make the people who did so any less monstrous because of their amazing skills.
To draw an extreme parallel, this is why I have the "virus" in my sig. A lot of evil, horrible things are "spectacular from a purely strategic angle," but if we don't think about them, and have only monsters experimenting with them, we're all seriously screwed.
_____________________
"All designers in SL need to be aware of the fact that there are now quite simple methods of complete texture theft in SL that are impossible to stop..." - Cristiano Midnight

Ad aspera per intelligentem prohibitus.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 09:53
From: Jarod Godel

To draw an extreme parallel, this is why I have the "virus" in my sig. A lot of evil, horrible things are "spectacular from a purely strategic angle," but if we don't think about them, and have only monsters experimenting with them, we're all seriously screwed.

I actually tried the virus in your sig, lol, I can see how it can easily get out of hand.
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
07-20-2005 10:00
From: Jarod Godel
I think it's a waste of something to show up in #secondlife and start bragging about it. It's stupid. However, I disagree that it's a waste of "technical brilliance" to pick something apart. I think it shows amazing dedication, attention to details, and astounding technical acumen.

The Lindens banned five accounts. Unless all of those were alts, maybe, just maybe, one of those guys was someone who, right now, is slapping his friends on the back of the head. For all we know, it was two different people: one who found the bug and another who exploited it.

That said, I don't think the guy who found the exploit is a loser, but I think the guy who exploited the exploit is.

To draw an extreme parallel, this is why I have the "virus" in my sig. A lot of evil, horrible things are "spectacular from a purely strategic angle," but if we don't think about them, and have only monsters experimenting with them, we're all seriously screwed.


I didn't say it was a waste of technical brilliance to find the exploit - that is a great thing, people should find vulnerabilities. I said it is a waste of technical brilliance to use it to hurt people. I had someone contact me regarding a potential vulnerability on Snapzilla that I closed immediately. He could have just been a jackass and done damage, but instead he helped me. That is what I am referring to. The finder of the exploit is one thing - it is what you do with that knowledge that makes all the difference.
_____________________
Cristiano



Jarod Godel
Utilitarian
Join date: 6 Nov 2003
Posts: 729
07-20-2005 10:04
From: Cristiano Midnight
That is what I am referring to. The finder of the exploit is one thing - it is what you do with that knowledge that makes all the difference.
You said that much, much better than I ever could. Thank you.
_____________________
"All designers in SL need to be aware of the fact that there are now quite simple methods of complete texture theft in SL that are impossible to stop..." - Cristiano Midnight

Ad aspera per intelligentem prohibitus.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 10:16
...
Khamon Fate
fategardens.net
Join date: 21 Nov 2003
Posts: 4,177
07-20-2005 10:36
From: nimrod Yaffle
Actually, I told the lindens everything I know, they told me not to talk about it with anyone, so that's why I can't say too much here.

This is a crock. Linden Lab is not a covert government organization conducting top secret investigations. What possible reason could they give for wanting to withhold from the public any information that would help us protect our work?

I'll believe this when I hear it from a Linden. Until then I'll have to agree that this is just childish posturing as I can't think of any reason you'd post it to begin with if you've been told to "not to talk about it."

Per chance a Linden does corroborate, I'll take the issue up with them.
_____________________
Visit the Fate Gardens Website @ fategardens.net
Antagonistic Protagonist
Zeta
Join date: 29 Jun 2003
Posts: 467
07-20-2005 10:37
From: someone

Like I told cristiano, I can't tell you because the lindens (er.. a linden) told me not to.


Then the Lindens need to post something. If there is an issue with security that might affect us and you know about it ... that means it is in the wild and we are all at risk.

Announcing a potential problem without simultaneously providing a patch or details serves no purpose but to sow paranoia and encourage those who can write exploits to hunt for it .. which in turn *increases* the chance of a 0day exploit catching everyone unprepared.

Keeping it "secret" only serves the interest of the attacker in matters such as this.

We don't need specifics ... however if there is indeed a threat, it is imperative to know exactly what is at risk.

-AP
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 10:41
From: Khamon Fate
This is a crock. Linden Lab is not a covert government organization conducting top secret investigations. What possible reason could they give for wanting to withhold from the public any information that would help us protect our work?

I'll believe this when I hear it from a Linden. Until then I'll have to agree that this is just childish posturing as I can't think of any reason you'd post it to begin with if you've been told to "not to talk about it."

Per chance a Linden does corroborate, I'll take the issue up with them.

OK fine, they advised me that it would be best not to talk about it.
Huns Valen
Don't PM me here.
Join date: 3 May 2003
Posts: 2,749
07-20-2005 10:42
From: Sapphire Bombay
OK, I have been following this from the sidelines up until now. What, if any specific information, has been released about the Money Tree code? And, let's not beat around the bush if all in game scripts are still at risk. What first hand facts do you have? Withholding information now, that may help some of us head off exploits that may impact others, is a bad thing. If you feel you need to share it privately, fine. But don't allow the problem to worsen by hiding the facts. This goes for the Lindens too. I have built in security features I can activate if I feel that this code is at risk of doing harm. But I need facts to work from.
I've already provided enough info for you to take action. What it boils down to is: "If you have a script in-world, it may have been viewed." Respond to this the same way you would if you had, say, accidentally dragged an open permission copy to a stranger, posted it on Usenet, etc. If the script has any passwords, change them. If you had any valuable intellectual property in there, figure out how to cut your losses.
Khamon Fate
fategardens.net
Join date: 21 Nov 2003
Posts: 4,177
07-20-2005 10:44
From: nimrod Yaffle
OK fine, they advised me that it would be best not to talk about it.

OK fine, then why have you brought it up? If we believe you, you've only succeeded in frightening us and making the Lindens look bad.
_____________________
Visit the Fate Gardens Website @ fategardens.net
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
07-20-2005 10:46
I agree with you - it is a crock, and they have no right to demand his silence, so here goes.

1) They were notified several weeks ago about this vulnerability.
2) The person who has admitted to doing this still has access to SL under another account via a different ISP.
3) There are far more than 13 scripts involved - he is going to be releasing more at his whim to the website.
4) The vulnerability is still possible - the fix does not fully address it.
5) The Canadian contact information is incorrect - he is in the US.

Sorry, but there is no security through obscurity here.
_____________________
Cristiano



nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 10:54
From: Khamon Fate
OK fine, then why have you brought it up? If we believe you, you've only succeeded in frightening us and making the Lindens look bad.

Why do I make the lindens look bad? I'm not the one who started this thread, am I? And even he isn't making them look bad, he's just making sure no one else gets screwed by thinking their networks are safe because they weren't in the original release.
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 10:55
The lindens are watching and editing this as we speak...
Jarod Godel
Utilitarian
Join date: 6 Nov 2003
Posts: 729
07-20-2005 10:56
Apparently at Second Life, security does come through obscurity.
_____________________
"All designers in SL need to be aware of the fact that there are now quite simple methods of complete texture theft in SL that are impossible to stop..." - Cristiano Midnight

Ad aspera per intelligentem prohibitus.
Huns Valen
Don't PM me here.
Join date: 3 May 2003
Posts: 2,749
07-20-2005 11:02
nimrod, you may think the guy has a "cool personality" but here's some food for thought. The only reason JS (assuming it's him) didn't mess with you is that he didn't feel like it. If he'd thought it would be funny to screw you over, he would have done it in a heartbeat.

I was acquainted with PS, one of the other people involved, when he was in-world. We weren't really "friends" per se, we just knew each other. He did some stuff to annoy me last week and later apologized... but then he turned around and took part in this exploit.

These people are vindictive. They enjoy hurting others. If they thought for an instant that it would be gratifying to turn on you, they'd do it. Think back to seventh or eighth grade. Think of the way people would betray their friends if they thought it would get them any increase in social standing. That is the kind of logic you can expect from these people. They are driven by emotion rather than logic, and care ONLY for themselves. To them, you're just another potential tool to be used - they really do not give a shit about you.
Flyingroc Chung
:)
Join date: 3 Jun 2004
Posts: 329
07-20-2005 11:04
Let me just say that right now I have no confidence that this vulnerability has been truly fixed. Therefore everyone has to operate under the assumption that their scripts are viewable by anyone determined enough to want them.
_____________________
Try your luck at Heisenberg Casino.
Like our games? You can buy 'em! Purchase video poker, blackjack tables, slot machines, and more!
nimrod Yaffle
Cavemen are people too...
Join date: 15 Nov 2004
Posts: 3,146
07-20-2005 11:06
From: Huns Valen
nimrod, you may think the guy has a "cool personality" but here's some food for thought. The only reason JS (assuming it's him) didn't mess with you is that he didn't feel like it. If he'd thought it would be funny to screw you over, he would have done it in a heartbeat.

I was acquainted with PS, one of the other people involved, when he was in-world. We weren't really "friends" per se, we just knew each other. He did some stuff to annoy me last week and later apologized... but then he turned around and took part in this exploit.

These people are vindictive. They enjoy hurting others. If they thought for an instant that it would be gratifying to turn on you, they'd do it. Think back to seventh or eighth grade. Think of the way people would betray their friends if they thought it would get them any increase in social standing. That is the kind of logic you can expect from these people. They are driven by emotion rather than logic, and care ONLY for themselves. To them, you're just another potential tool to be used - they really do not give a shit about you.

How would they screw me over? By giving me false information? That's not my problem, LL has to sort through it to find the truth in what I told them. Maybe by hacking some scripts that I made? Sorry they can't I'm not a scripter.
Khamon Fate
fategardens.net
Join date: 21 Nov 2003
Posts: 4,177
07-20-2005 11:17
From: nimrod Yaffle
Why do I make the lindens look bad? I'm not the one who started this thread, am I? And even he isn't making them look bad, he's just making sure no one else gets screwed by thinking their networks are safe because they weren't in the original release.

Yes the original poster only posted a conjectured warning. Huns also only advised that it would be wise for everyone to assume the threat still existed. You implied that you were under a Linden command to withhold information we might find useful in protecting our work. I suppose you don't see the difference though so I won't waste any more of your time talking about it. The topic, and important subject is collecting all the facts.
_____________________
Visit the Fate Gardens Website @ fategardens.net