Sad news...... Scripts are vulnerable now
|
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-29-2009 08:52
> Only that maybe a black hat was going to steal my scripts

_____________________
Argent Stonecutter - http://globalcausalityviolation.blogspot.com/
"And now I'm going to show you something really cool."
Skyhook Station - http://xrl.us/skyhook23 Coonspiracy Store - http://xrl.us/coonstore
|
Love Hastings
#66666
Join date: 21 Aug 2007
Posts: 4,094
|
05-29-2009 09:27
I mean what does "ripped empty" mean? The scripts are actually vanishing? Just like socks.
|
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
|
05-29-2009 12:43
> Come on this is BS. Either give us reproducible steps or I'm going to assume it's fake. Don't come in here and spread silly rumours unless you tag them as such.

Assume all you want. But do you know whether this is BS, or are you just guessing ... and spreading a silly counter-rumor?
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-29-2009 12:53
> Just like socks.
|
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
|
05-29-2009 12:57
I didn't do it!
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-29-2009 12:58
No good trolling me, you can't inline images in "Scripting Tips".
|
Elanthius Flagstaff
Registered User
Join date: 30 Apr 2006
Posts: 1,534
|
05-29-2009 13:07
> Assume all you want. But do you know whether this is BS, or are you just guessing ... and spreading a silly counter-rumor?

Well call it a counter-rumour if you like but I think a healthy dose of scepticism is a pretty reasonable course of action in the face of one "trustable friend" and another "trustable friend, who, like, totally would have posted in this thread if this rumour was false". I don't know anything. That's my point really. After reading this thread I am no more or less likely to believe that there is a bug that makes it possible to steal scripts.

I mean seriously, random people email stupid shit from "trustable friends" about how there's a new virus out that can format my brain every couple of weeks. I don't hide in my tin foil cocoon every time. I investigate. If there's no evidence whatsoever I assume it's false.

_____________________
Visit http://ninjaland.net for mainland and covenant rentals or visit our amazing land store at Steamboat (199, 56).
Also, we pay L$0.15/sqm/week for tier donated to our group and we rent pure tier to your group for L$0.25/sqm/week. Free L$ for Everyone - http://ninjaland.net/tools/search-scumming/
|
Dora Gustafson
Registered User
Join date: 13 Mar 2007
Posts: 779
|
05-29-2009 13:10
> Ouch!!! I wonder if that is the reason my shelves are being ripped empty more than one time in the last couple of days

> What do you mean by this?

> Only that maybe a black hat was going to steal my scripts

> I mean what does "ripped empty" mean? The scripts are actually vanishing?

No the objects remain, but when an avatar buys one of each in the shop I use the term: "ripped empty". It happens so rarely that it is worth noticing.

_____________________
From Studio Dora
|
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-29-2009 13:11
> I mean seriously, random people email stupid shit from "trustable friends" about how there's a new virus out that can format my brain every couple of weeks.
|
ab Vanmoer
Registered User
Join date: 28 Nov 2006
Posts: 131
|
05-29-2009 13:24
Getting back on topic: A few months ago, the maker of Zyngo claimed that his machines (including scripts) were cloned. Below is a quote from a notecard apparently distributed to the Zyngo support group:

> Now, to the important subject. (I was hesitant to make this NC to pass out, but I was convinced it was needed.) Unless you've been living under a rock for the last 6 months, Zyngo has been cloned heavily. How?
>
> * Summer and Fall 2008, 3 different exploits were found (and closed by the Lindens) which resulted in version 2.51 in gross abundance. ALL 2.51 Zyngos, unless verified as an original purchase from me (I have all records) are now subject to removal via DMCA filing.
> * There is an age-old exploit which involves conning the Lindens. When that happens, they get as angry as a hive of hornets.
>
> Between you and me, the Lindens are as angry as hornets and I don't blame them in the slightest.

There must be some truth to the fact that the machines were cloned scripts and all, because I know of people who in good faith bought second hand Zyngo machines, only to have them removed by LL on the basis that the machines are clones. However, what is not known is if the machines were cloned because of an exploit, or because the manufacturer inadvertently released some with full perms. Apparently there is no way for anyone other than the manufacturer and presumably LL to identify cloned machines.
|
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
|
05-29-2009 13:45
> Well call it a counter-rumour if you like but I think a healthy dose of scepticism is a pretty reasonable course of action in the face of one "trustable friend" and another "trustable friend, who, like, totally would have posted in this thread if this rumour was false". I don't know anything. That's my point really. After reading this thread I am no more or less likely to believe that there is a bug that makes it possible to steal scripts. I mean seriously, random people email stupid shit from "trustable friends" about how there's a new virus out that can format my brain every couple of weeks. I don't hide in my tin foil cocoon every time. I investigate. If there's no evidence whatsoever I assume it's false.

I'll keep that lack of clarity on your part in mind when I read your posts in the future. Jesse's post, on the contrary, made it quite clear that this is hearsay.
|
Elanthius Flagstaff
Registered User
Join date: 30 Apr 2006
Posts: 1,534
|
05-29-2009 13:53
> I see ... so, when you say "This is BS," what you mean is "Are you sure?" I'll keep that lack of clarity on your part in mind when I read your posts in the future. Jesse's post, on the contrary, made it quite clear that this is hearsay.

I guess we can all choose to deliberately misread what we don't want to understand. I'm not going to fall too far into this ridiculous semantic game but if you think "Sad news scripts are vulnerable now" followed by a message with phrases like "scripts have not been secure for a couple of months now." is a report of hearsay rather than a declaration of fact then it's probably better that you keep in mind a lack of clarity when you read /everything/. If Jesse's post made it clear that this is hearsay and not fact then my posts which try to point out that very same thing wouldn't have been necessary.
|
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
|
05-29-2009 14:08
Elanthius, you called it "BS". There's a big difference between BS and hearsay. Hearsay might be true.
If the intent of your post was to point out that it was hearsay, then (a) just say that, and (b) I would have considered it evident. But I got the impression you just wanted to be nasty, so I jumped on it. I guess I'm in a bit of a mood myself, and so I apologize. That's all I have to say about this.
|
Nyoko Salome
kittytailmeowmeow
Join date: 18 Jul 2005
Posts: 1,378
|
05-29-2009 14:37
there's a big difference between, say:

(sympatico/compadre-style)
"dude, i just found out, it sounds like scripts are rippable now..."
"dude, really?? awww, god... [stomps feet] that's bullshit, man!!"
"yeah, it is."

and

"Come on this is BS. Either give us reproducible steps or I'm going to assume it's fake. Don't come in here and spread silly rumours unless you tag them as such."

you know what you said, mate... keep it cool.

meanwhile, the rest of us will tread lightly, and carry the largest sticks we can find, ready to bash up the wankers responsible for this... i hope that all reputable reportable info has been forwarded on to the lab. anyone using such an exploit surely qualifies for instant banishment...

_____________________
Nyoko's Bodyoils @ Nyoko's Wears http://slurl.com/secondlife/Centaur/126/251/734/ http://home.comcast.net/~nyoko.salome2/nyokosWears/index.html
"i don't spend nearly enough time on the holodeck. i should go there more often and relax." - deanna troi
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
05-29-2009 15:11
I don't really blame Elanthius. As I've mentioned, I've been in a foul mood too because I hurt like heck right now. In the other thread he made a couple of statements about the people doing the hard work of releasing the good 3rd party viewers and I more than slightly bitched at him about it. He is just paying me back for that and I would be the first to admit that turnabout is fair play.

Back on topic: I did send a query this morning to our forum resident White Hat; Day Oh this morning. This is how some of the exploits have been done in the past but he too thought that LL had hardened the system against this. He has been trying but has not been able to repro it yet. But then again that is the info that I was given, that the "trick" is complicated. I gave him the name of my contact and he will continue to see if he can dig up something on it. If he can trace it then I asked him to report back here if there is any way to protect against it such as obfuscation.

_____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime.
I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum
|
Tyken Hightower
Automagical
Join date: 15 Feb 2006
Posts: 472
|
05-29-2009 21:34
I don't want to add to the bad mood, but I've posted something to the effect before: you shouldn't assume any particular content is completely secure. I have seen a ridiculously wide variety of exploits that allowed for the wholesale ripping/cloning/full perming of content. Most have actually been fixed - kudos to LL. But in reality, nothing has been secure, for more than a few months, if ever.
However, you can pretty much rest assured that only a handful of people probably know how to do this, much less actually do it. At least some ways that are known seem to be actively watched, to the point where the last time someone used one, their account disappeared within the day. Much like copybot, you can expect a big uproar over a thankfully small event.

Also, note that discussion of the mechanics of exploits is against the ToS. So Elanthius, you'll never see a reproduction posted here. This is probably good news to everyone else.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-30-2009 03:55
> Also, note that discussion of the mechanics of exploits is against the ToS. So Elanthius, you'll never see a reproduction posted here.
|
Briana Dawson
Attach to Mouth
Join date: 23 Sep 2003
Posts: 5,855
|
05-30-2009 04:26
Jesse,
Do you get the binary - which can be reverse engineered, or the source code?
|
|
Escort DeFarge
Together
Join date: 18 Nov 2004
Posts: 681
|
05-31-2009 15:26
This breach would explain an otherwise inexplicable activity of a certain person (a repeatedly banned but repeatedly re-registering known exploiter of the SL system) over the last few months.

It's clear to me that LL have no interest in defending against these people. Perhaps they philosophically believe that "information wishes to be free". Perhaps they will only act when they are under threat from another platform. Nonetheless, I've given up trying to reason about this. It's plain that LL are not defending any interest but their own, and that it will take a competitor in *their* space to make them take any reasonable action. Until then - code as if you cannot rely on ANYTHING AT ALL from the SL platform.

/esc

*Edit: In case you miss the dripping sarcasm in this post. It means that it is, in practice, pointless to code anything non-trivial using LSL until LL have a serious competitor taking their revenue away.

_____________________
http://slurl.com/secondlife/Together
|
|
RobbyRacoon Olmstead
Red warrior is hungry!
Join date: 20 Sep 2006
Posts: 1,821
|
05-31-2009 17:14
This is why the security industry has the provably beneficial (if somewhat controversial) practice of full disclosure after vendors have done nothing to resolve an issue.
Since all we are hearing from those supposedly 'in the know' right now are hints and dire warnings, can someone at least explicitly state whether or not there is anything content creators can do in the way of protection/detection. I'm a bit willfully thick when it comes to hints and roundabout discussions when it comes to matters this important to me.
|
|
Sirix Finesmith
Registered User
Join date: 23 May 2008
Posts: 29
|
05-31-2009 17:15
On my business account I was suspended for 3 days when I posted reproducible steps on how to move people's content by sitting on it, this is what CAUSED the show stopper linden bug hotline.
I can see why the original posters would be totally against posting the repro steps.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-31-2009 17:22
> On my business account I was suspended for 3 days when I posted reproducible steps on how to move people's content by sitting on it, this is what CAUSED the show stopper linden bug hotline. I can see why the original posters would be totally against posting the repro steps.
|
Void Singer
Int vSelf = Sing(void);
Join date: 24 Sep 2005
Posts: 6,973
|
05-31-2009 17:49
linking to such a post through ll territory would be just as likely to get you banned... stupid but true
_____________________
"Cat-Like Typing Detected"
This post may contain errors in logic, spelling, and grammar known to the SL populace to cause confusion
- Please Use PHP tags when posting scripts/code, Thanks.
- Can't See PHP or URL Tags Correctly? Check Out This Link...
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
05-31-2009 17:54
Email the link to Random Linden through a remailer.
Post it on Slashdot as an AC.
|
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
|
05-31-2009 19:10
> This breach would explain an otherwise inexplicable activity of a certain person (a repeatedly banned but repeatedly re-registering known exploiter of the SL system) over the last few months. It's clear to me that LL have no interest in defending against these people. Perhaps they philosophically believe that "information wishes to be free". Perhaps they will only act when they are under threat from another platform. Nonetheless, I've given up trying to reason about this. It's plain that LL are not defending any interest but their own, and that it will take a competitor in *their* space to make them take any reasonable action. Until then - code as if you cannot rely on ANYTHING AT ALL from the SL platform. /esc *Edit: In case you miss the dripping sarcasm in this post. It means that it is, in practice, pointless to code anything non-trivial using LSL until LL have a serious competitor taking their revenue away.

Yep that is the person (the perp, not my reference source). So far some of the other things the perp said seem to also be accurate: It is a complicated hack, it is not being widely disbursed and if you do it wrong, you will be banned instantly, if you do it right, there is still a fair chance of a ban. Which is pretty much verbatim as to what Tyken said.

Would still love to get some repro, or at least some confirmation as to whether obfuscation or any other steps help or prevent it. (hmm not sure if you can use obfuscate code any more since MONO rollout. Has anyone tried?)