Petables, a popular line of virtual animals in Second Life, is largely shutting down its operations. "At a future date when the turtles are no longer paying for their server costs and the tier for the store in Shark," co-creator Matthew Anthony writes on the blog, "we will give a week or two warning, and then shut them down completely." And if that happens, the virtual turtles will cease to be.
The reason they're leaving? A script exploit that, Anthony claims, "was reported in 2006 that Linden Lab has never addressed. This issue allows people to steal whatever they want from vendors, and there is nothing that we can do to stop it... Since March, one certain person has been stealing thousands of US dollars worth of product from us -- at one point, as quickly as over US$300 in 10 seconds." The Petables developer says that Linden Lab would ban the thieving avatar, but the individual would simply return with another account and repeat the process, and the underlying exploit that made it possible went unfixed.
This news comes only a week after Meeroos, another popular line of virtual animals, were jeopardized by another scam operation, which led to Linden Lab jeopardizing the Meeroos themselves (at least temporarily). Ironically, the company has recently been promoting virtual animals as a key feature of SL.
Petables says this exploit also threatens other SL businesses, but the issue has not been addressed by Linden:
I have talked to many other Second Life business owners who are facing these same issues, and for Linden Lab to not actually fix this issue in the almost 6 years since it was reported to them is unconscionable. We have done everything short of going to the Linden Lab office building and refusing to leave until they at least talk about this problem, and have been ignored or dismissed every single time.
Read more here. I've contacted the Petables creators and am now contacting the Lindens for their side.
Hat tip: Scott Hamilton.
I'd like to hear the JIRA number for the "exploit". If the answer is "it's SEC-", then that's a pretty strong argument against the current non-disclosure policy.
Posted by: MaggieL | Tuesday, August 09, 2011 at 12:54 PM
I can understand why the creators may not want to reveal specific information concerning the exploit, but it seems like the entire debate centers around the exploit itself and why LL may or may not be able to fix it. The creators seem keen to place the blame firmly on LL for not fixing an “issue,” repeatedly referring to it as such, but never bother to explain the issue itself.
If the issue at hand is some part of the LSL programming structure which prevents them from maintaining secure and proprietary control over their objects and the way their objects communicate with third-party servers (reporting health status, verifying valid methods to feed animals, etc.), it seems necessary to point out that this is not LL's responsibility.
Changes to the LSL programming structure have far-reaching consequences for many scripters who have worked very hard to create in SL. LSL cannot secure such proprietary control, nor should changes to its structure be decided solely with this end in mind.
Posted by: Ehrman Digfoot | Tuesday, August 09, 2011 at 01:10 PM
Without knowing the exact nature of this exploit, I have heard through the grapevine that many merchants are complaining because some slimeball will put an invisible prim over their vendor, which gets paid instead of the vendor. This is neither a bug nor an exploit; this is someone breaking the law. While I agree in such cases LL should step in with the heaviest possible hand (and I've believed they should have been doing so for years in many similar cases)... there are ways merchants can protect themselves:
1. Use multi-panel vendors instead of single vendors
2. Set your land so that no one but you, or outside your group, can build on it.
3. Set auto-return so that items not set to group are returned after 1 minute.
While this does not solve all possible or potential exploitations, it does help. The bottom line (and the thing that has cost LL merchants for years) is that this company has not dealt with offenders as the criminals they are. In failing to police their system on a professional basis, they have encouraged griefers, thieves, vandals, hackers (the bad kind) and other criminals to exploit their system.
There is a fourth method of dealing with this:
4. Stop doing business on Second Life, and with Second Life. Find something more stable and more profitable in which to spend one's time.
That is a sure end of all such problems.
Posted by: Wayfinder | Tuesday, August 09, 2011 at 01:39 PM
There are many other breedables that don't rely on vendors in this way. A lot have switched from that particular vending system, including me.
I'm a bit confused as to why Petables relies on it when there are so many other options available. If there's a problem, you find a way to work around it like every other scripter does.
I don't believe that's the reason the turtles will most likely shut down. Breedables is a competitive market to survive in. No pun intended.. :)
Posted by: DJQuad | Tuesday, August 09, 2011 at 01:56 PM
@MaggieL: Indeed. Things like this are the reason why it's a bad idea to *not* release exploit info. If you want it fixed, you have to make it public knowledge. Giving the vendor time to prepare a patch and fix the issue before releasing info is reasonable, but letting it go for months without releasing the info is not. You harm security more than help it by keeping such things secret for extended periods of time. You *help* the bad guys by keeping their tricks both unpatched and secret, preserving and increasing their value (the latter due to supply/demand: a less well known exploit is worth more money to those who hold it and can use or sell it, not to mention ignorance on the part of victims helps too).
Posted by: Galatea Gynoid | Tuesday, August 09, 2011 at 02:02 PM
Without being too specific, the exploit is done by moving the vendor between a parcel which allows scripting and one that doesn't. There's a lot more to it than that but I'm not going to give a step-by-step for obvious reasons. :)
Posted by: DJQuad | Tuesday, August 09, 2011 at 02:02 PM
Using scripted vendors carries risks. Always has. Always will.
The only security in content is built-in llDie() if a license is determined to be invalid. Of course this means the creator must have a rather solid back-end system to enable heuristic analysis and data analysis to track down unlicensed products without trampling on valid products. Which, these days, would likely be on MySQL, so the creator best be a real DBA and network security guru or be able to afford such talent. As soon as you bust the horde of SL they come at you with amazingly anonymous-style capabilities.
I too sometimes wonder why LL has chosen to allow known exploits to remain in operation. The same horde has been exploiting SL via various means since long before I arrived. Probably from SL day one. I wonder why that is? Oh well no sense worrying about it. The records brok... brok...brok
Posted by: Ann Otoole InSL | Tuesday, August 09, 2011 at 02:04 PM
I'm calling shenanigans on this 5 year long "exploit"
And I'm thinking it's more about a poorly written script.
Posted by: Adeon Writer | Tuesday, August 09, 2011 at 02:15 PM
Sorry to see this happen... I assume the ongoing losses finally pushed things to where they could no longer afford to keep the sim up and running. Matthew Anthony is a friend and a really awesome guy, I don't doubt he investigated this from every angle he could and wasn't able to find a way to bypass this database vulnerability, it's certainly not just a matter of "picking the wrong kind of vendor."
Good luck in whatever you move on to from here, Matthew!
Posted by: Ananda | Tuesday, August 09, 2011 at 10:29 PM
@Adeon Writer, a known vulnerability is related to transaction throttling, much like many other undocumented throttles out there, like for sounds. I'm sure you can imagine what happens if an affiliate vendor tries to pay the real creator but can't?
It's a pretty stupid move on the other hand to put so much trust in giving entire ownership of a scripted vendor to a complete stranger, a throwaway young account even, without any background or verification checks in place or any other mechanisms to establish trust. Such as simply checking if the person even has a place to put the vendor at.
Posted by: Nexii Malthus | Wednesday, August 10, 2011 at 02:09 PM
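One defensive pattern that follows from Nexii's point about payouts that cannot complete: an affiliate vendor should deliver only after the creator's cut is confirmed as transferred, and refund the buyer otherwise. The script below is an added LSL example written for this page; it is not Petables' vendor code and does not describe the exploit itself. It uses llTransferLindenDollars and the transaction_result event (real LSL calls) to get a per-transfer success flag instead of assuming llGiveMoney succeeded. CREATOR, PRICE, CREATOR_SHARE and ITEM are placeholder values.

```lsl
// Added example (not Petables' or Linden Lab's code): an affiliate vendor that
// gives the item only once the creator's share has actually been paid out.
// All four values below are placeholders, not data from the page.
key     CREATOR       = "00000000-0000-0000-0000-000000000000"; // creator avatar key
integer PRICE         = 100;            // L$ the buyer must pay, exactly
integer CREATOR_SHARE = 60;             // L$ forwarded to the creator per sale
string  ITEM          = "Example Item"; // inventory item inside this prim

// Outstanding payouts, stored as pairs: [transaction id, buyer key, ...]
list pending;

default
{
    state_entry()
    {
        // Accept only the exact price: no free-text amount, no other buttons.
        llSetPayPrice(PAY_HIDE, [PRICE, PAY_HIDE, PAY_HIDE, PAY_HIDE]);
        // Forwarding money out of the owner's balance needs debit permission.
        llRequestPermissions(llGetOwner(), PERMISSION_DEBIT);
    }

    run_time_permissions(integer perm)
    {
        if (!(perm & PERMISSION_DEBIT))
            llOwnerSay("Debit permission refused; this vendor cannot forward payouts.");
    }

    money(key buyer, integer amount)
    {
        if (amount != PRICE)
        {
            // Wrong amount: refund it and deliver nothing.
            llTransferLindenDollars(buyer, amount);
            return;
        }
        // Forward the creator's share and remember who is waiting on the result.
        key txn = llTransferLindenDollars(CREATOR, CREATOR_SHARE);
        pending += [txn, buyer];
    }

    transaction_result(key txn, integer success, string data)
    {
        integer i = llListFindList(pending, [txn]);
        if (i == -1) return;   // a refund or something we are not tracking
        key buyer = llList2Key(pending, i + 1);
        pending = llDeleteSubList(pending, i, i + 1);

        if (success)
        {
            llGiveInventory(buyer, ITEM);
        }
        else
        {
            // Payout did not go through (throttled or otherwise failed):
            // return the buyer's money rather than handing out a free item.
            llTransferLindenDollars(buyer, PRICE);
            llOwnerSay("Creator payout failed (" + data + "); refunded " + (string)buyer);
        }
    }
}
```

The point of the ordering is that llGiveInventory is reachable only from a transaction_result with success set, so a payout that silently fails can no longer become a free delivery. Refunds issued from the money event are deliberately not added to pending, so their own transaction_result events are ignored.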
As of this morning and probably for a while yet, Petable Turtles are still in business. I bought food a few days ago, and am sticking it out to the bitter end.
In fact, I am doing more than that. Monday night, I hatched out seven eggs that I had been saving (I'm one of those people who can't put eggs in the trader. It just breaks my heart). I reboxed one extra male but kept the other six young. I now have thirteen turtles. Yes, you know what that does to my food bills.
BUT FOOD IS WHAT KEEPS Petable alive. I urge any one who loves turtles, if you have space and eggs you've always wanted to see as little shell babies, please hatch them. If you can up your food consumption, you keep Petable in business.
And yes the server can glitch, but I'm going to bet against a calamity and on the laws of supply and demand. If we want a supply of live turtles, we need to demand more food.
Posted by: EileenK | Thursday, August 11, 2011 at 09:11 AM
"Without being too specific, the exploit is done by moving the vendor between a parcel which allows scripting and one that doesn't. There's a lot more to it than that but I'm not going to give a step-by-step for obvious reasons. :)" - DJQuad
Unfortunately, it is much EASIER than that, and can be done with as little as 11 lines of LSL. I had a SEC- JIRA issue on this back in 2007 and was pretty much told tough shit.
Posted by: Cold Spitteler | Monday, August 15, 2011 at 11:08 AM
Wayfinder -- my usual approach to compensate for the invisiprim trick is to have a separate PAY prim on the item, and when touched, that prim moves forward, in front of the invisible prim. The prim is textured with "Touch me to buy" on it, inviting touches which move the payment cube in front of the invisiprim. It is not failproof though, as people automatically hitting PAY rather than touching still pay the wrong person.
Putting up a sign saying "All payments go to Sleepy Kitty -- if pay says the money will go to someone else, IM Raving Madcow and get 3 free items as reward." helps too. Then your customers are happy to hunt the scumpuppy's prim down. And all the creator is out is a few copies of an item.
Posted by: shockwave yareach | Monday, August 15, 2011 at 11:09 AM
Matthew Anthony is one of the biggest patrons in Second Life; he often amazed me with his collections of rare vintage sculptures, builds, art and creativity he collected passionately in all these years.
Till now he's been an active innovator on the grid, a great supporter of creativity itself in Second Life and a generous soul towards charity fundraising to an incredible level. Allowing thieves and griefers in general to win shall never be an option, however frustrating it is, in SL as in RL.
I do wish him here officially a fast recovery from bad luck and hard times, as to all creators that occasionally fall into still waters. As long as we support the grid, the grid lives, even if sometimes sacrifice is required; just patience and not giving up is the answer, because Second Life is worth it.
Posted by: Alia Baroque | Wednesday, August 17, 2011 at 05:57 AM