Welcome to the Second Life Forums Archive

Did you retroactively fix the fully-permed objects bought during the exploit?

Fushichou Mfume
Registered User
Join date: 30 Jul 2005
Posts: 182
10-09-2006 08:34
From the offblahg: "Unfortunately, during the course of the update, we discovered that it included a bug which caused objects purchased in-world to be fully permissive.

After we reproduced the bug in-world, we kicked everyone off the grid and restricted login to Lindens only (this was at 2am PST). Next, we identified the bug and created a fix for it, which was deployed and tested while the grid was down.

The code we rolled out this morning includes additional security protocol, which in addition to the changes going into the next release on Wednesday should help reduce these types of grid attacks in the future. Thank you all again for your patience and support throughout the night."
----------

You did not state in this blahg post whether you actually fixed the objects that were purchased during the period the exploit existed. Are there objects still floating around in people's inventory that are fully modifiable, which should not be?

Even if you did manage to retroactively find and re-permission all such objects, what's to have prevented the culprits from opening scripts that should have been protected and copying the content of those scripts out of SL and into external files for later examination and reuse or modification?

In short, can you reassure your hardworking resident content developers, especially the folks who earn their (SL and/or RL) income from their scripted objects for sale? Are we about to have a bunch more Frans Charming-type casualties on our hands? Can you inform us as to the extent of scripts that were potentially exploited in this way?

BTW, it's great that you were so quickly responsive to the discovery of the bug and I'm sure that many LL people were called away from their beds to deal with the problem. Kudos for this; I know emergencies like this really suck.

On the other hand, however, this is yet another example of what's wrong with your QA process. A quick emergency fix slapped together and not rigorously put through a full suite of carefully designed regression tests should NEVER be applied to a production system. Especially not a production system that affects REAL LIFE commerce.

This latest issue also exemplifies what is wrong with your entire current set of priorities. You MUST shore up your infrastructure before you continue your mad dash for expansion. There are too many serious holes in your client, server, and LSL code. You are growing too quickly for your infrastructure to deal with the new strain on the system.

Jeska Linden
Administrator
Join date: 26 Jul 2004
Posts: 2,388
10-09-2006 14:08
I apologize if this wasn't clear from the initial post. Part of the rollout last night involved inventory transformation to help repair permissions on most of the objects purchased with the permissions bug. Given the nature of the bug, it is hard for us to determine if everything was transformed or not, but it should have captured most of the affected objects.
_____________________
"The opportunity to participate in the creation of a new world is really a rare one, and so I hope you cherish it."
- Mitch Kapor on Second Life at the 2006 SLCC