
Tuesday, August 09, 2011


MaggieL

I'd like to hear the JIRA number for the "exploit". If the answer is "it's SEC-", then that's a pretty strong argument against the current non-disclosure policy.

Ehrman Digfoot

I can understand why the creators may not want to reveal specific information concerning the exploit, but it seems like the entire debate centers around the exploit itself and why LL may or may not be able to fix it. The creators seem keen to place the blame firmly on LL for not fixing an “issue,” repeatedly referring to it as such, but never bother to explain the issue itself.

If the issue at hand is some part of the LSL programming structure which prevents them from maintaining a secure and proprietary control over their objects and the way their objects communicate with third-party servers (reporting health status, verifying valid methods to feed animals, etc.), it seems necessary to point out that this is not LL's responsibility.

Changes to the LSL programming structure have far-reaching consequences for many scripters who have worked very hard to create in SL. LSL cannot secure such proprietary control, nor should changes to its structure be decided solely with this end in mind.

Wayfinder

Without knowing the exact nature of this exploit, I have heard through the grapevine that many merchants are complaining because some slimeball will put an invisible prim over their vendor, which gets paid instead of the vendor. This is neither a bug nor an exploit; this is someone breaking the law. While I agree in such cases LL should step in with the heaviest possible hand (and I've believed they should have been doing so for years in many similar cases)... there are ways merchants can protect themselves:

1. Use multi-panel vendors instead of single vendors

2. Set your land so that no one but you, or outside your group, can build on it.

3. Set auto-return so that items not set to group are returned after 1 minute.

While this does not solve all possible or potential exploitations, it does help. The bottom line (and the thing that has cost LL merchants for years) is that this company has not dealt with offenders as the criminals they are. In failing to police their system on a professional basis, they have encouraged griefers, thieves, vandals, hackers (the bad kind) and other criminals to exploit their system.

There is a fourth method of dealing with this:

4. Stop doing business on Second Life, and with Second Life. Find something more stable and more profitable in which to spend one's time.

That is a sure end of all such problems.

DJQuad

There are many other breedables that don't rely on vendors in this way. A lot have switched from that particular vending system, including me.

I'm a bit confused as to why Petables relies on it when there are so many other options available. If there's a problem, you find a way to work around it like every other scripter does.

I don't believe that's the reason the turtles will most likely shut down. Breedables is a competitive market to survive in. No pun intended.. :)

Galatea Gynoid

@MaggieL: Indeed. Things like this are the reason why it's a bad idea to *not* release exploit info. If you want it fixed, you have to make it public knowledge. Giving the vendor time to prepare a patch and fix the issue before releasing info is reasonable, but letting it go for months without releasing the info is not. You harm security more than help it by keeping such things secret for extended periods of time. You *help* the bad guys by keeping their tricks both unpatched and secret, preserving and increasing their value (the latter due to supply/demand: a less well known exploit is worth more money to those who hold it and can use or sell it, not to mention ignorance on the part of victims helps too).

DJQuad

Without being too specific, the exploit is done by moving the vendor between a parcel which allows scripting and one that doesn't. There's a lot more to it than that but I'm not going to give a step-by-step for obvious reasons. :)

Ann Otoole InSL

Using scripted vendors carries risks. Always has. Always will.

The only security in content is built-in lldie() if a license is determined to be invalid. Of course this means the creator must have a rather solid back-end system to enable heuristic analysis and data analysis to track down unlicensed products without trampling on valid products. Which, these days, would likely be on MySQL, so the creator best be a real DBA and network security guru or be able to afford such talent. As soon as you bust the horde of SL they come at you with amazingly anonymous-style capabilities.

I too sometimes wonder why LL has chosen to allow known exploits to remain in operation. The same horde has been exploiting SL via various means since long before I arrived. Probably from SL day one. I wonder why that is? Oh well no sense worrying about it. The records brok... brok...brok
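The vendor-side license check Ann Otoole describes above, as an added illustration (this is not code from the thread or from Petable Turtles): the object asks a creator-run license server whether this copy is licensed and removes itself with llDie() only when the server explicitly rejects it. The server URL, the POST field names, the product identifier and the "VALID"/"INVALID" reply text are assumptions made for the example; the LSL functions and events (llHTTPRequest, http_response, llDie, llGetKey, llGetOwner) are the real ones.

```lsl
// Added example, not from the original post. A vendor object verifies its
// license against a creator-operated back end and self-destructs with
// llDie() if the server says the copy is unlicensed. Network failures are
// treated differently from rejections so an outage does not destroy a
// paying customer's item.

string LICENSE_SERVER = "https://license.example.invalid/check"; // placeholder URL
string PRODUCT_ID = "turtle-feeder-v1";  // constructed product identifier
key g_request;           // id of the outstanding HTTP request
integer g_retries = 0;   // failed network attempts so far
integer MAX_RETRIES = 3;

check_license()
{
    // Identify this copy by its object key and current owner so the back end
    // can spot the same product key turning up in many different hands.
    string body = "object=" + llEscapeURL((string)llGetKey())
                + "&owner=" + llEscapeURL((string)llGetOwner())
                + "&product=" + llEscapeURL(PRODUCT_ID);
    g_request = llHTTPRequest(LICENSE_SERVER,
        [HTTP_METHOD, "POST",
         HTTP_MIMETYPE, "application/x-www-form-urlencoded"],
        body);
}

default
{
    state_entry()
    {
        check_license();
    }

    on_rez(integer start_param)
    {
        // Re-check on every rez so a copy whose license was revoked later
        // cannot keep being rezzed indefinitely.
        llResetScript();
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        if (request_id != g_request) return;   // ignore unrelated replies

        if (status != 200)
        {
            // Server unreachable or erroring: retry a few times, then disable
            // rather than destroy. Only an explicit rejection is fatal.
            if (++g_retries < MAX_RETRIES)
            {
                llSleep(30.0);
                check_license();
            }
            else
            {
                llOwnerSay("License server unreachable; vendor disabled until it can be verified.");
                state disabled;
            }
            return;
        }

        if (body == "VALID")
        {
            state active;
        }
        else
        {
            // The server answered and rejected this copy: fail closed.
            llOwnerSay("This copy is not licensed and will be removed.");
            llDie();
        }
    }
}

state active
{
    state_entry()
    {
        llOwnerSay("License verified.");
        // Normal vendor behaviour (pay handling, dispensing) would follow here.
    }
}

state disabled
{
    touch_start(integer n)
    {
        // The owner can trigger another verification attempt by touching the object.
        if (llDetectedKey(0) == llGetOwner()) llResetScript();
    }
}
```

Two design points worth noting. Using an https:// URL lets the script rely on the server's certificate, so a forged "VALID" reply from a look-alike host is not trivially possible; and the decision to fail closed only on an explicit rejection, but fail safe (disable, not die) on a network error, is exactly the "without trampling on valid products" trade-off the comment raises. The back-end analysis that decides which copies are unlicensed is outside the script and is where the real work lies.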

Adeon Writer

I'm calling shenanigans on this 5 year long "exploit"

And I'm thinking it's more about a poorly written script.

Ananda

Sorry to see this happen... I assume the ongoing losses finally pushed things to where they could no longer afford to keep the sim up and running. Matthew Anthony is a friend and a really awesome guy, I don't doubt he investigated this from every angle he could and wasn't able to find a way to bypass this database vulnerability, it's certainly not just a matter of "picking the wrong kind of vendor."
Good luck in whatever you move on to from here, Matthew!

Nexii Malthus

@Adeon Writer, a known vulnerability is related to transaction throttling, much like many other undocumented throttles out there, like for sounds. I'm sure you can imagine what happens if an affiliate vendor tries to pay the real creator but can't?

It's a pretty stupid move, on the other hand, to put so much trust in giving entire ownership of a scripted vendor to a complete stranger, a throwaway young account even, without any background or verification checks in place or any other mechanisms to establish trust. Such as simply checking if the person even has a place to put the vendor.

EileenK

As of this morning and probably for a while yet, Petable Turtles are still in business. I bought food a few days ago, and am sticking it out to the bitter end.

In fact, I am doing more than that. Monday night, I hatched out seven eggs that I had been saving (I'm one of those people who can't put eggs in the trader. It just breaks my heart). I reboxed one extra male but kept the other six young. I now have thirteen turtles. Yes, you know what that does to my food bills.

BUT FOOD IS WHAT KEEPS Petable alive. I urge anyone who loves turtles, if you have space and eggs you've always wanted to see as little shell babies, please hatch them. If you can up your food consumption, you keep Petable in business.

And yes the server can glitch, but I'm going to bet against a calamity and on the laws of supply and demand. If we want a supply of live turtles, we need to demand more food.

Cold Spitteler

"Without being too specific, the exploit is done by moving the vendor between a parcel which allows scripting and one that doesn't. There's a lot more to it than that but I'm not going to give a step-by-step for obvious reasons. :)" - DJQuad

Unfortunately, it is much EASIER than that, and can be done with as little as 11 lines of LSL. I had a SEC- JIRA issue on this back in 2007 and was pretty much told tough shit.

shockwave yareach

Wayfinder -- my usual approach to compensate for the invisiprim trick is to have a separate PAY prim on the item, and when touched, that prim moves forward, in front of the invisible prim. The prim is textured with "Touch me to buy" on it, inviting touches which move the payment cube in front of the invisiprim. It is not failproof though, as people automatically hitting PAY rather than touching still pay the wrong person.

Putting up a sign saying "All payments go to Sleepy Kitty -- if Pay says the money will go to someone else, IM Raving Madcow and get 3 free items as a reward." helps too. Then your customers are happy to hunt the scumpuppy's prim down. And all the creator is out is a few copies of an item.

Alia Baroque

Matthew Anthony is one of the biggest patrons in Second Life; he often amazed me with his collections of rare vintage sculptures, builds, art and creativity that he collected passionately over all these years.
Till now he's been an active innovator on the grid, a great supporter of creativity itself in Second Life and a generous soul towards charity fundraising to an incredible level. Allowing thieves and griefers in general to win shall never be an option, however frustrating it is, in SL as in RL.
I do wish him here officially a fast recovery from bad luck and hard times, as to all creators that occasionally fall into still waters. As long as we support the grid, the grid lives, even if sometimes sacrifice is required; just patience and not giving up is the answer, because Second Life is worth it.
