Sad news...... Scripts are vulnerable now
|
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
05-28-2009 16:02
Scripts, with the exception of a couple of times, have been the one thing that have been invulnerable to copying in SL. I was vigorously defending that in another thread. Unfortunately I just had a chat with someone I trust and found that this is no longer the case and scripts have not been secure for a couple of months now. A SEC was filed, a security check could be implemented, yet nothing has been done.
I give away all of my scripts anyway and I don't really foresee anyone losing business over this. Same as the other content creators have always survived. But I did want to give everyone a heads up so that you are not as clueless as I was.
_____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime. From: someone I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum
|
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-28-2009 16:04
Not the first time it's happened, won't be the last time.
|
|
Nyoko Salome
kittytailmeowmeow
Join date: 18 Jul 2005
Posts: 1,378
|
05-28-2009 16:05
 under what circumstances are they vulnerable?? :\ p.s. not looking for details, but if there's a general 'don't do such-and-such' tip, sure would be appreciated...
_____________________
 Nyoko's Bodyoils @ Nyoko's Wears http://slurl.com/secondlife/Centaur/126/251/734/ http://home.comcast.net/~nyoko.salome2/nyokosWears/index.html "i don't spend nearly enough time on the holodeck. i should go there more often and relax." - deanna troi
|
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
05-28-2009 16:09
From: Nyoko Salome
under what circumstances are they vulnerable?? :\ p.s. not looking for details, but if there's a general 'don't do such-and-such' tip, sure would be appreciated...

Did not care to know the particulars myself and this is not disclosure because it does not say how to pull off the trick but (nor do I care to know how to trick the sim)...
You can trick the simulator into giving up the script asset ID. Once you have that, you have pawned the script. Just in case any Lindens are worried about a discussion of a SEC, get off your butts and fix it instead.
|
|
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
|
05-28-2009 17:05
_____________________
Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river. - Cyril Connolly
Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence. - James Nachtwey
|
|
Void Singer
Int vSelf = Sing(void);
Join date: 24 Sep 2005
Posts: 6,973
|
05-28-2009 19:28
1.26.4 (as if you didn't know)

so, here's my question for Jesse, because details are always good...
1) are there any basic circumstances that stop the exploit from being feasible? (no mod object, some combination of permissions, etc... I'm suspecting "no")
2) is the script copied as is, with permissions, creator, etc in place? (ie, are the no mod/copy/transfer flags preserved, creator info? hopefully yes, which only means a copy violation)
3) must the target script be owned by the exploiter first? (complete invalidation of transfer if not)
4) are the script contents exposed? (various features could be built in to defend against such attacks if they're not exposed. and if they are, none of the above questions mean anything, because we're screwed with plaintext exposure of scripts [which happened once before])
_____________________
| | . "Cat-Like Typing Detected" | . This post may contain errors in logic, spelling, and | . grammar known to the SL populace to cause confusion | | - Please Use PHP tags when posting scripts/code, Thanks. | - Can't See PHP or URL Tags Correctly? Check Out This Link... | - 
|
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
05-28-2009 20:38
Well I was kind of sick of the whole mess and I just wanted to know if it was really possible and was being done. But yeah it really is that bad, just like any other asset, if you have the uuid then you can reset the perms/owner/creator. That would mean plain text readability, the same as if I gave you a mod script. Do not know most of the answers or care to know. But do not expect that any protection scheme would really help outside of LL fixing the server code so that it does a simple check to stop this.

Heck I guess this probably really would not bother me nearly as much if any other day. Strife, you Void, Heewee, Argent, Dora and nearly all of the contributors here could of course script anything we wanted anyway without having to resort to ripping. As I mentioned, any repercussions will end up being minimal at worst. The same reason that Copybot, libsl and openGL have not hurt sales. The vast majority of the user base IS honest.

It just sucks that this bad news came on the same day as LL's cheerful "Look we have something to replace the forum with" announcement. That and my damned neck/upper spine has been killing me the last few days, I was born in Texas and so I talk funny and my mom dressed me in ugly clothes. Heh! What the hell, it can only get better from this point out! I think I'll buy a lottery ticket tomorrow
|
|
Sindy Tsure
Will script for shoes
Join date: 18 Sep 2006
Posts: 4,103
|
05-28-2009 21:01
From: Jesse Barnett
A SEC was filed, a security check could be implemented, yet nothing has been done.

It's all about choice. Really.
_____________________
Sick of sims locking up every time somebody TPs in? Vote for SVC-3895!!!
- Go here: https://jira.secondlife.com/browse/SVC-3895
- If you see "if you were logged in.." on the left, click it and log in
- Click the "Vote for it" link on the left
|
|
Void Singer
Int vSelf = Sing(void);
Join date: 24 Sep 2005
Posts: 6,973
|
05-29-2009 00:50
From: Jesse Barnett
It just sucks that this bad news came on the same day as LL's cheerful "Look we have something to replace the forum with" announcement.

missed that until you just prompted me to look... bleh, I asked for an official word on it... we're all pretty sure by language and action that's their plan... but I'm seriously tired of the say one thing, do nothing attitude LL has given it.
of course if you're already paranoid and running scripts through a whitespace and variable name stripper then I feel sorry for the person that tries to read your code =X
PS good luck with the lottery, if you win send me your pain pills, and then MY back won't hurt =)
|
|
Elanthius Flagstaff
Registered User
Join date: 30 Apr 2006
Posts: 1,534
|
05-29-2009 00:55
Come on this is BS. Either give us reproducible steps or I'm going to assume it's fake.
Don't come in here and spread silly rumours unless you tag them as such.
_____________________
Visit http://ninjaland.net for mainland and covenant rentals or visit our amazing land store at Steamboat (199, 56). Also, we pay L$0.15/sqm/week for tier donated to our group and we rent pure tier to your group for L$0.25/sqm/week. Free L$ for Everyone - http://ninjaland.net/tools/search-scumming/
|
|
Dora Gustafson
Registered User
Join date: 13 Mar 2007
Posts: 779
|
05-29-2009 01:27
From: Jesse Barnett
Scripts, with the exception of a couple of times, have been the one thing that have been invulnerable to copying in SL. I was vigorously defending that in another thread. Unfortunately I just had a chat with someone I trust and found that this is no longer the case and scripts have not been secure for a couple of months now. A SEC was filed, a security check could be implemented, yet nothing has been done.

Ouch!!! I wonder if that is the reason my shelves are being ripped empty more than one time in the last couple of days
My first thought was: "Bye bye Second Life" (my game is financed by my scripts)
Second thought was: never mind, I have been here for more than two years and have seen all there is to see.
Anyway, most of my scripts are complex enough, so that only a handful of people besides myself would be able to take them apart and assemble them again.
Finally, I keep a record of my customers and only genuine customers will have my support
_____________________
From Studio Dora
|
|
Elanthius Flagstaff
Registered User
Join date: 30 Apr 2006
Posts: 1,534
|
05-29-2009 01:29
From: Dora Gustafson
Ouch!!! I wonder if that is the reason my shelves are being ripped empty more than one time in the last couple of days
My first thought was: "Bye bye Second Life" (my game is financed by my scripts)
Second thought was: never mind, I have been here for more than two years and have seen all there is to see.
Anyway, most of my scripts are complex enough, so that only a handful of people besides myself would be able to take them apart and assemble them again.
Finally, I keep a record of my customers and only genuine customers will have my support

Your third thought should be: "Wait, do I have any evidence this is true at all?"
I mean, fine, I'm open to the possibility and maybe for some ridiculous reason Jesse wants to keep it secret but you still need to do demos or provide actual evidence that it exists before I'm going to listen to another "OH NOES! If you click on this box it deletes your hard drive and rapes your mother" rumour.
|
|
Dora Gustafson
Registered User
Join date: 13 Mar 2007
Posts: 779
|
05-29-2009 01:34
From: Elanthius Flagstaff
Your third thought should be: "Wait, do I have any evidence this is true at all?"

Right
The wolf is coming! or... is it?
|
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
05-29-2009 03:27
From: Elanthius Flagstaff
Your third thought should be: "Wait, do I have any evidence this is true at all?"
I mean, fine, I'm open to the possibility and maybe for some ridiculous reason Jesse wants to keep it secret but you still need to do demos or provide actual evidence that it exists before I'm going to listen to another "OH NOES! If you click on this box it deletes your hard drive and rapes your mother" rumour.

So let's see here now Elanthius, you have gone from "There is no way in hell I am ever going to use another viewer besides the official viewer because Boy Lane and the others may have a plan to steal all my Lindens" to this and all in less than 24 hours? Go ask around in the other thread and you MIGHT find someone stupid enough to do a full repro on it so that they can find themselves permanently banned. Either that or just go stick your head back in the sand because evidently even another person showing their no-mod script was read would not be enough for you. Instead you have to go out and find the source and pay the $200 for one of the viewers or have one of the owners rip one of your scripts for you right so that you can turn around and AR them right?
Other than that you might want to check my long history here in Scripting Tips and my relationship with the others here in the thread before coming in to try this crap. I could care less if you trust me or not and really do not care what happens to you or your scripts.
|
|
Elanthius Flagstaff
Registered User
Join date: 30 Apr 2006
Posts: 1,534
|
05-29-2009 03:35
From: Jesse Barnett
So let's see here now Elanthius, you have gone from "There is no way in hell I am ever going to use another viewer besides the official viewer because Boy Lane and the others may have a plan to steal all my Lindens" to this and all in less than 24 hours? Go ask around in the other thread and you MIGHT find someone stupid enough to do a full repro on it so that they can find themselves permanently banned. Either that or just go stick your head back in the sand.

I don't see the contradiction. I don't trust random internet people. I don't trust them enough to use their software without strong evidence it is safe and I don't trust them enough to believe when they say they've found some mysterious, implausible secret bug without strong evidence that it is real.
And to respond to some of the other points in your rapidly expanding post if you had some sort of evidence that a read only script was "stolen" then maybe I'd take you more seriously. Right now all I have is you spoke to your trustable friend so EVERYONE PANIC.
|
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
05-29-2009 03:44
From: Elanthius Flagstaff
I don't see the contradiction. I don't trust random internet people. I don't trust them enough to use their software without strong evidence it is safe and I don't trust them enough to believe when they say they've found some mysterious, implausible secret bug without strong evidence that it is real.
And to respond to some of the other points in your rapidly expanding post if you had some sort of evidence that a read only script was "stolen" then maybe I'd take you more seriously. Right now all I have is you spoke to your trustable friend so EVERYONE PANIC.

Have a nice SL life Elanthius
|
|
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
|
05-29-2009 05:07
There is something interesting about this topic that I just noticed. I have a friend who has reported many an exploit to LL, he's white hat (mostly); he hears about all sorts of exploits... without the details censored. Now if he knew the bug was bogus he would comment. His lack of comments and appearance in this thread leads me to think either he has seen this or, much more likely, reported the SEC in question. I wouldn't be at all surprised if Jesse and I share this friend.
Personally I believe this, not only because Jesse is a friend, but because I've been in SL for over 5 years. SL history isn't something that I learned second hand, I was there, I remember the exploits, I discovered some of them. I'm not saying this to boast, just providing my credentials. I know my way around the SL asset system and what has been described sounds reasonable. Except for the part about changing the permissions and creator. The inventory system, I was under the impression had been hardened to prevent the injection of arbitrary inventory items (back when libSL hit the grid). Knowing the UUID would get you the asset but injecting the inventory item would be a separate exploit. *musings redacted*
I have a few ideas where the sim could be leaking this information from. Reminds me of an exploit I helped a friend out with (I wrote a basic LSO decompiler for the proof of concept), due to what turned out to be an endian bug in the network layer the sim was sending clients arbitrary scripts in bytecode form. For years I had been saying that it would be possible to decompile LSO back to LSL.
_____________________
Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river. - Cyril Connolly
Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence. - James Nachtwey
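
A simplified model of the point made in the posts above, that knowing an asset UUID should not by itself be enough to read a script. This is an added example and not Linden Lab code or anything posted in the thread; the class names, the `modify` flag and the split between inventory items and assets are assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a requester has no right to read a script asset."""


@dataclass(frozen=True)
class InventoryItem:
    # Hypothetical layout: permissions live on the inventory item,
    # while the script text lives in a separate asset keyed by UUID.
    owner: str
    asset_id: uuid.UUID
    modify: bool  # True = owner may open and read the script source


class AssetServer:
    def __init__(self):
        self.assets = {}     # asset UUID -> script source
        self.inventory = {}  # item UUID -> InventoryItem
        self.denied = []     # audit trail of refused reads

    def add_script(self, owner, source, modify):
        asset_id, item_id = uuid.uuid4(), uuid.uuid4()
        self.assets[asset_id] = source
        self.inventory[item_id] = InventoryItem(owner, asset_id, modify)
        return item_id, asset_id

    def fetch_unchecked(self, asset_id):
        # Weak pattern: the UUID is treated as a secret that proves access,
        # so any leak of the identifier exposes the source.
        return self.assets[asset_id]

    def fetch_checked(self, requester, item_id):
        # Hardened pattern: the server resolves the asset itself, starting
        # from an inventory item the requester owns with modify permission.
        item = self.inventory.get(item_id)
        if item is None or item.owner != requester or not item.modify:
            self.denied.append((requester, item_id))
            raise AccessDenied("no readable inventory item for requester")
        return self.assets[item.asset_id]


def demo():
    server = AssetServer()
    # Constructed sample data: a no-mod script sold to a customer.
    item_id, asset_id = server.add_script("customer", "default { }", modify=False)
    leaked = server.fetch_unchecked(asset_id)  # succeeds with only the UUID
    try:
        server.fetch_checked("customer", item_id)
        refused = False
    except AccessDenied:
        refused = True
    return leaked, refused, len(server.denied)
```

The refused reads collected in `denied` are the kind of record a server operator would review to see whether identifiers are being probed.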
|
|
Ephraim Kappler
Reprobate
Join date: 9 Jul 2007
Posts: 1,946
|
05-29-2009 05:21
What does 'white hat' mean?
|
|
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
|
05-29-2009 05:24
From: Ephraim Kappler
What does 'white hat' mean?

There is a light side and a dark side to the force. Need more be said?
|
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
05-29-2009 05:27
From: Ephraim Kappler
What does 'white hat' mean?

Easiest reference is looking in the middle at a Grey Hat because it defines the two extremes; White and Black: http://en.wikipedia.org/wiki/Grey_hat
|
|
Ephraim Kappler
Reprobate
Join date: 9 Jul 2007
Posts: 1,946
|
05-29-2009 05:28
From: Strife Onizuka
There is a light side and a dark side to the force. Need more be said?

Now you're scaring me but I guess I get your drift: thought it was maybe tech-speak I'd never seen before.
|
|
Nyoko Salome
kittytailmeowmeow
Join date: 18 Jul 2005
Posts: 1,378
|
05-29-2009 07:23
the bottom line is, if you haven't been in sl too long, and haven't done your homework, 'it -is- good to be just a -little- paranoid in here,' ;0 when it comes to this stuff. even a 'pro amateur' like me knows the earlier horror stories of perm/libsl exploits... so yes, this is a concerning issue. unfortunately for scripters and the lab alike, programming isn't like building a car, where if the turn signals don't quite work right, the car still runs... it's 'all about/-only- about' the locks. go back and read jesse's op, -just the first nine words,- over again, until you grok 'em. (and, no, DON'T PANIC lol... ;0 i'm sure in any case, texture-ripping and copybotting are still much easier for the average ne'er-do-well to handle than whatever this exploit may entail...)
|
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-29-2009 07:28
From: Dora Gustafson
Ouch!!! I wonder if that is the reason my shelves are being ripped empty more than one time in the last couple of days

What do you mean by this?
|
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-29-2009 07:33
From: Ephraim Kappler
What does 'white hat' mean?

It's from B-movie westerns where the good guys wore white hats and the bad guys wore black hats. In this context, security researchers like Marcus Ranum or Bruce Schneier. Black Hat means people who exploit security flaws for fun or profit, like Rain Forest Puppy. Grey Hat depends on who you talk to. Hardcore white hats will call other white hats who don't follow things like "responsible disclosure" grey hats. Other people call "ethical black hats" who cooperate with the security community like Rain Forest Puppy "grey hats". It's subjective.
|
|
Dora Gustafson
Registered User
Join date: 13 Mar 2007
Posts: 779
|
05-29-2009 08:10
From: Argent Stonecutter
What do you mean by this?

Only that maybe a black hat was going to steal my scripts
|