Using llGiveMoney to send money while not online

Hey guys I'm not sure if this is possible or not. Anyways, here it goes.

Today I was at work and my friend was talking to me on AIM and asked if I could give him some linden. Since I was at work, I was unable to send him any until I got home. My question is this...would it be possible to setup a script possibly using the "llGiveMoney" command so that I can send a message to a defined e-mail and then have my avatar send him the money?

Broken Down

I send an e-mail to [email]example@somewhere.com[/email]
In this e-mail I provide a string of text like "Give L$200 to 'Friends Avatar'"
A script in the game reads this mailbox every 10 minutes or so.
It reads the e-mail and sends L$200 to my friend

This sounds kind of off the wall and I hope I explained it ok. If anyone has any advice as to rather this would be possible or not, it would be greatly appreciated.

Thanks in advance,
David

yes give money works while your offline

it only works with uuid's tho, but its not a huge deal

make an ATM object, send your email, you can use llToUpper and Lower to counter act the case sensitivity, store coupons (altho with 16kb dont expect HUGE amounts of data)...

when someone clicks the object, its nothing to check their their name (llDetected Name) and if john doe is clicking it can quickly check

A: if john doe is to receive any money
B: if yes how much !

you can cram 1-2 hundered or so uuid's in a list depending on your memory .. if you need more than that, or if the list is too slow (which it gets much SLOWER with the more stuff you put into it) you may want to think about a webserver.

possibally with some database support, then your unlimited, much faster and the lsl object would basicly be a dumb terminal only dealing with name gathering, data reqesting, and payment

easiest way to do it is via a webservice. If you really want I can make a webservice for you then you could make an object to interface. But it is 1 and I gotta go to sleep. You could have an object check the page every 5 minutes and if you send it will say send to this avatar or something like that. I just dont know how I ould make it secure. You could use a key or something like that. Anyways i will make it tommorow good nite.

That would be awesome if you could make that Script Su. I'm just beginning to look at scripting so I'm not too sure what I am doing.

Zreon...

Using email would be a simple solution - you can send email to objects via the object's key. That's about your *only* option if you don't have a web server. Plus, if this is an infrequent thing you need to do, that is, you aren't trying to set up something for sending money often to many users, email is almost certainly the easiest method.

If you do any web-server work, you could also set up a server-side function to communicate with the object via XML-RPC.

I am almsot done with my new project called Second Union. Basically you go to the webservice and if you are using a browser than it will show you a form and you will have a password.

Basically like this:
You go to it in your browser:
It will request your second life name, second union password (not your second life password), the recipient, and the amount.
Then the second union terminal will check the webpage once in a while. If the server has received a valid wire transfer request it will then tell the script who to send money to the user.
I have basically finished the webservice but I am still working on security.

I should finish in a few days. Then I will need to make a little tiny lsl scirpt to interface. It will be extremely simple and you will be able to put the script in any object in your home.

It should work like a charm .

If I've read this correctly, this is a Really Bad Idea. Email has no authentication at the protocol level. While you do have to log into your mailserver to receive mail, and maybe into your server to send mail, once the email is in transit, anyone can read it, and anyone who wants to can forge email to anyone, claiming to be from anyone.

Granted, there is some security through obscurity in that an attacker from Second Life doesn't know what sending or receiving email addresses you are using, but if I were a wannabe cracker sniffing your home or company network, I might be tempted to see what "L$200" means, and set up a free acount for the sole purpose of hosing you.

If you *really* have to do this via email, at least use MD5Sum with a password & sequence number, along with the command. The password will help prevent spurrious commands, and the sequence number will limit replay attacks.

A web server approach is probably better, but there are still a large number of ways to hose yourself.

Remember, this is real money you are passing around, here.

True... Of course, *any* way this is done needs to use some form of encryption and security.

My take was that the original poster was not looking to set up some sort of SL-wide money exchange system... he was simply trying to find a way to give some money to a few friends while he was off-line.

If that is, in fact, the case, he can easily write the "important" parts in the script, and just use some simple codes in the email.

Why not just use XML-RPC for instant transfer? Having your object check a webpage every five minutes for a possible transaction is a needless waste of resources.

Yes thats exactly what I wanted to do. Just send money to a few friends every now and then when they need it.

Also, it would be pretty easy to make a coding system like q17c3rt = L$200 so that only I could possibly know what it meant.

I am already working on a new project called Second Union. I am almost finished. I just have to get the security done.

Script Su, I'd be very interested to hear how you are securing that service - it's a hard problem given the lack of good crypto and key management in LSL. Not that crypto is the be-all and end-all of security, but it's a good building block for authentication and authorization systems.

At any rate, it is always a good idea to get a second (and third, and forth...) opinion on your security measures. To paraphrase Bruce Schneier, it's easy to design a cryptosystem that you don't know how to break.

EDIT: OK, so RSA is possible: /15/6e/146463/1.html but slow. The speed may not matter so much if this is a non-interactive service.

This really has the potential to be a fun problem.

This is a good idea, but still wide open to replay attacks. MD5 with a password and sequence number is less vulnerable, and easy on the LSL side. How easy it is on your client side depends alot on your setup there (do you have bash & md5sum? Easy.)

^shrug^ The tradeoff is yours to make, obviously, and whatever you do it will probably workout fine. The serious hackers have better things to do than screw with individual users via SecondLife, your threat is the wannabe or immature loser with too much time on their hards.

PHP has some advanced encryption techniques. I can also encrypt the source it self so that even if someone hacks server they cant access the code and figure out my encryption. I will use some kind of hash or better yet a key. And since the key it self is dugg away in encrypted code they cant figure it out. And even if they copybot the second union script they wont be able to use it. Trust me it will good.

I still think email is your best bet. Easiest... No need for an external web server... No relying on someone else's web server... etc... All you need is access to email.

Put your friends keys in a list in your script. Send an email to the object with "2 = 200" Even if someone were to guess what the email was doing, only your friends' keys are in the script.

And, if you're worried that one of your friends is going to try to rip you off by forging email, well... I wouldn't be giving that "friend" any money to begin with.

Zreon,

I actually have an "Email-ATM" device which does exactly what you're looking for (it's even free!) You can send it an email, and it will send money to a particular recipient. It doesn't depend on any external service.

Neither you nor the recipient need to be online for the transfer to succeed.

It has a few built-in security features:

1. One time pad (OTP.) When you first rez the device, it generates a set of random tokens (hexadecimal strings) for you to save (copy&paste locally.) When you send a transfer email, you have to put one of the tokens as the email's subject line.

The tokens are numbered and are sequential, i.e., on the first email you use the first token, on the next email the next token down the list, etc. This is to prevent "replay" attacks.

2. Recipient list. Only recipients listed in the configuration notecard can receive money.

3. Transfer limits. You can configure a daily transfer limit (defaults to L$ 1000 per 24 hours.)

Also every transaction is listed in your transaction history, so you can always audit them.

I thought about checking the sender's email as well, but I'm too lazy (plus that can be easily faked.) Maybe I'll add it tomorrow.

There are various dialog menus the object owner can use to reset the device, generate a new set of random tokens, list the current tokens, show the device's email address, etc.

There is also a sensor function to help figure out avatar keys (uuids) to put into the configuration notecard.

You can send arbitrary amounts of money to anyone in the recipient list, up to the daily transfer limit (and up to your account balance.) Basically, in the message body you put "name: amount" and it will send that amount to the person named.

It needs DEBIT permissions to work and will ask you for this during startup.

The only thing is, as a matter of policy, I don't allow mod rights on scripts which deal with money (especially debits) for obvious reasons. But, if you need something changed just let me know and I will consider it.

Let me know if you want it and I'll drop it onto your inventory.

-peekay

Thanks Peekay. That would be awesome if you could send that to me. I've been messing with a script lately but no luck so far.

I've dropped it into your inventory. Instructions are in its content; you'll need to configure the notecard with recipient information before being able to use it. Let me know if you have any questions / comments / suggestions.

-peekay

Hi Peekay,

any chance to get also this script for transferring L$ by email to offline-residents? Or maybe, if it's free as I understand it, you could drop it on some scripting forum...?

Thanx, Aitor

Hi Aitor, I've dropped the device into your inventory.

llGiveMoney() works whether or not the recipient is online (in this case neither the sender nor the recipient need to be online.)

-peekay

What's so obvious about keeping debit scripts closed source?

How do I know the thing doesn't plunder my account thanks to a time bomb payload a few months in the future?

(same holds true for §"@!# SL casino slot machines, at least 75% of them are rigged, and the other 25% have terrible winning odds)

You don't know. Like using commercial vendor machines, either you trust the author, or you don't.

The problem with making it open is then any "scriptkiddie" with rudimentary LSL knowledge can put *his* exploit in there and pass it off to newbies. And when that happens, the blame comes back to me and reflects on all my products. No thanks.

Those who are more skillful can rewrite the script from scratch without much trouble (with or without an exploit), so it doesn't matter if my version is open sourced or not.

-peekay