In reply to: "Open Source Client and money theft" in Linden Answers
|
Kyrah Abattoir
cruelty delight
Join date: 4 Jun 2004
Posts: 2,786
|
01-12-2007 21:10
From: someone
Please explain what (other than personal ethics) is stopping me from making a client that looks legit but actually transfers all money and transferable assets to a nominated account? The client can obviously issue a command to give away money, so pretending the server will somehow protect users from this is misleading.
A second, more serious issue would be to create a client that steals the usernames/passwords of users, allowing complete account hijacking... do you have any plans to address this, such as use of a different password for logging into the client and for administrative tasks (logging into the website, USD transfers, resetting the client login password)
As said, the client isn't considered a "trusted element" of the SL architecture; the only person you will be able to rob is yourself. Unless you manage to grab someone's login/password, you won't have the required rights to manipulate any other user's balance. Of course, if the user doesn't bother to protect himself with a strong password (alphanumeric + symbols, non-dictionary-related passwords, 5 to 10 digits), he just deserves to get his account hacked (kinda); don't complain about security if you do not follow the most basic security rules yourself. Hijacking of an account occurs by getting the login/password of your account, and if you have a proper password, the only way to get it is either by brute force (which, I am sure, is detected automatically on LL's side) or by the user sharing his PW (which is a TOS breach leading to the account termination anyway). Also, if the user isn't completely stupid he won't use a non-official client unless the source code is provided.
_____________________
tired of XStreetSL? try those! apez http://tinyurl.com/yfm9d5b metalife http://tinyurl.com/yzm3yvw metaverse exchange http://tinyurl.com/yzh7j4a slapt http://tinyurl.com/yfqah9u
|
Dnate Mars
Lost
Join date: 27 Jan 2004
Posts: 1,309
|
01-12-2007 21:31
I would think that the biggest safeguard LL has is that they will still be releasing the client. If you want to use an untrusted client built by someone you don't know, then that is a risk you will have to take. LL is still going to be releasing an official client for everyone to use.
_____________________
Visit my website: www.dnatemars.com
From: Cristiano Midnight
This forum is weird.
|
Jesseaitui Petion
king of polynesia :P
Join date: 2 Jan 2006
Posts: 2,175
|
01-12-2007 21:45
Well, I think someone might make their ill-intended client download look "legit", as if it's from LL.
Kind of like how people do it to get a PayPal/eBay password...
|
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
|
01-12-2007 22:06
I think you should be pretty safe if you get your download from http://secondlife.com/community/downloads.php .
_____________________
-
So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them.
I can be found on the web by searching for "SuezanneC Baskerville", or go to
http://www.google.com/profiles/suezanne
-
http://lindenlab.tribe.net/ created on 11/19/03.
Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard, Robin, and Ryan
-
|
Peekay Semyorka
Registered User
Join date: 18 Nov 2006
Posts: 337
|
01-13-2007 00:52
Someone could produce a malicious client -- and make it look "legit" -- even without access to the SL source code. There are a number of professional reverse-engineering tools used by both the good guys and the bad guys to simplify exactly this type of work.
If anything, open-sourcing SL has raised the community's awareness of such a possibility. Had anyone released a malicious client a month ago, he/she would have had an easy time distributing it since no one would question it at all.
The same argument could be made against any kind of software, open-sourced or not. What's stopping anyone from distributing a trojan-horsed IE7 client? Or a Firefox2 one? A web browser which steals your passwords & credit card information as you type them in would be quite the lucrative exploit.
-peekay
|
Warda Kawabata
Amityville Horror
Join date: 4 Nov 2005
Posts: 1,300
|
01-13-2007 01:09
How about http://secondlife.com/community/downloads.php? Just a friendly reminder to examine your download URLs very carefully.
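That reminder to read download links carefully can be made mechanical. The following is an added example, not code from this thread or from Linden Lab: it accepts a link only if its host is secondlife.com (or a subdomain of it) and rejects the usual look-alike forms; the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# The host this check trusts for client downloads, as named in the thread.
TRUSTED_HOST = "secondlife.com"


def is_official_download_url(url: str) -> bool:
    """Return True only for http(s) URLs whose host is secondlife.com or a
    subdomain of it. Look-alike hosts, userinfo tricks and odd schemes fail."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, ftp:, or a link with no scheme at all
    # .hostname drops any "user@" prefix and ":port" suffix and lowercases,
    # so "http://secondlife.com@evil.example/" resolves to evil.example.
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # "secondlife.com." names the same host
    # Exact match or a real subdomain; "evilsecondlife.com" does not qualify.
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


# Constructed sample links: the first two are genuine, the rest imitate
# the tricks a reader of the status bar should notice.
SAMPLE_LINKS = [
    "http://secondlife.com/community/downloads.php",
    "https://SecondLife.com/community/downloads.php",
    "http://secondlife.com@evil.example/community/downloads.php",
    "http://secondlife.com.evil.example/community/downloads.php",
    "http://evilsecondlife.com/community/downloads.php",
    "http://secondlife.co/community/downloads.php",
    "secondlife.com/community/downloads.php",
]


def check_links(links):
    """Map each link to the verdict of is_official_download_url."""
    return {link: is_official_download_url(link) for link in links}


if __name__ == "__main__":
    for link, ok in check_links(SAMPLE_LINKS).items():
        print(("OK     " if ok else "REJECT ") + link)
```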
|
Morwen Bunin
Everybody needs a hero!
Join date: 8 Dec 2005
Posts: 1,743
|
01-13-2007 01:57
Always take a peek at the status bar.... and it will show. Never trust a link given by a "stranger". Concerning all kinds of trojans especially for Second Life spread through IE/Firefox/whatever: I don't see that happening. The target is too small. Mostly trojans and the like are used to turn desktops/networks into zombies (for spreading spam). Phishing is another matter, but most phishing by mail is, with a bit of logical thinking, traceable (a serious company will never ask for your password... never trust links in e-mails... and so on and so on.... and for these things you don't have to be a computer expert... I ain't), and many phishing sites are recorded. Maybe it is best to rely when possible on Second Life itself when it offers you a new version to download. And yes, I listen and ask questions when people talk about this subject. It is easy to learn these basics. The person who maintains my two computers always explains what she does and, even more important, why she does it. And she gives background information. This all in a way I can understand it. Guess I am lucky to have her for this job (and she is happy because I help her with her taxes). Morwen.
|
Peekay Semyorka
Registered User
Join date: 18 Nov 2006
Posts: 337
|
01-13-2007 04:18
An IE or Firefox trojan obviously wouldn't just affect SL. It could record any credit card information you send to, say, Amazon.com or BestBuy.com (in addition to secondlife.com), and send it to third parties. Nothing "small" about such an exploit.
Yet we haven't seen widespread fake-Firefox clients despite its open-source nature.
-peekay
|
cHex Losangeles
Registered User
Join date: 24 Nov 2006
Posts: 370
|
01-13-2007 04:58
It will be just as possible for someone to write a malicious SL client as it is for someone to write a malicious contract. Once the client is written, the trick is to get somebody else to download it and run it; culturally, we're pretty good at not signing contracts without reading the fine print, and culturally we're adding a reluctance to open attachments, download software from questionable sites, etc.
IOW, I'm making an analogy between open-source clients and legal documents. Anybody can write one to do anything they want; but they can't as easily get what they want if we don't let ourselves be duped.
|