NikitaNightNinja

... this ( these forum chats ) is like school for me, but off the school property . I am learning here , growing , .. not sure to what ;p .,... the wonderland quotes were fun to read . N3 ;

Beezle Warburton

Wait, where's the thread where an creepy alt was dupin' people's AVs and joining their groups?

{edit}
Bizarre account copybotting avatars, clothing and even profiles and groups
{/edit}

Think this is a similar exploit?

HAI DERRITTS!

__________________

Hypatia Callisto

I think it's the same exploit, however I never heard of anyone losing their stuff afterwards.

however y'all may want to look at some of the last comments on the Jira

AC Pfeffer says:

[#SVC-676] Stopping texture theft and stop spreading of stolen items - Second Life Issues

unsure if that is the same thing.

__________________
"To begin with," said the Cat, "a dog's not mad. You grant that?"

"I suppose so," said Alice.

"Well, then," the Cat went on, "you see, a dog growls when it's angry, and wags its tail when it's pleased. Now I growl when I'm pleased, and wag my tail when I'm angry. Therefore I'm mad."

"I call it purring, not growling," said Alice.

"Call it what you like," said the Cat.

Hypatia Callisto

If people are actually losing their attachments ... jesus christ, this isn't about content creators anymore. This is about anyone walking around SL losing stuff that's theirs.

*shrugs*

I don't know if that's actually happening, but this is not good, if true. My enthusiasm about SL drops a rung lower... sigh.

And another rung lower as I deal with another fuckwit spamming stolen crap on Fashcon.

growls.

edit: Just emptied the wearable dance machine. I'd rather lose one no-copy dance than possibly 90 of them.

Keiki Lemieux

Tya, did you ever get your HUD back? If you have not submitted a ticket about this (or even if you did a while back), read my blog about this bug and submit another ticket. If that doesn't work, please contact me. There is real hope that we can get it back if it's the bug I'm thinking about.

Also, Derrits, you might want to read these posts too:

I Make HUDDLESâ„¢ » lost inventory

__________________
Read my review on Linden Lifestyles
Buy the HUDDLES™ EZ Animator Deluxe at OnRez.com
Or check out my blog about HUDDLES

Derrits Mapp

Hypatia, that quote by AC Pfeffer actually sounds pretty much the way it'd have worked, with an ghost of the item still appearing on the avatar it was attached to originally, then just saying it isn't possible to rez that item and eventually disappearing from the inventory after clearing cache.

Guess I'll go over to not wearing any no copy attachments.


Hey Beez!

Edit says: Actually, I'm not having any proof for it, but I inspected one of the custom made items that disappeared from my friend's inventory, of which only two copies existed, while it was on the avatar that stole (Yup. There we go.) our items: Her's and the creator's.

When I inspected it, it still was showing the original creator. -> No "copybot", but rather the issue AC Pfeffer was talking about.

Case closed, I guess.

armozel

It sounds like the asset server turned into the asshat server. I've had this issue to a lesser degree where I was working on an object and most of the settings get rolled back (scripts sometimes disappear and what not). I hate to be the bearer of bad news, but you have a better chance of getting another copy than anything restored. >_>

Derrits Mapp

I don't care for the items, neither does my friend. We care for items that have never been given out to anyone appearing on other people's hands and disappearing from the owner's inventory.

Again: This is NOT a copybot issue, and following AC's explanation, it's neither an asset server issue.

armozel

Derrits, there's no physical way for another client without the proper user permissions to delete, alter, or remove the 'inventory' of another user. This is all server-side, thus streamed to your client. For them to get your stuff either they hacked the server-side permissions (e.g. they got access to a Linden account) or they hacked your account (keylogger and the like). The explanation of the asset server follows because items can and do disappear because of errors within the DB that contains said assets. This tends to follow whether it's the most high tech DB deployments or a MUD's flatfile, it works on the same premise(s). :-P

Derrits Mapp

Okay, explain this:


This has happened in a matter of minutes. Francine has not been logged out during this process, which disproofs the idea of having her account hacked. (Correct me if I'm wrong.)

(Of course, you could as well make this Francine and me, BUT, I didn't see my item in Script K.'s hands.)

Hypatia Callisto

packet injection can indeed do what he described. I dont think any of us unless we're a Linden can say for sure if the database backend is protected from packet injection.

That being said, it could have been the bug that Keiki detailed, or some variation of it. The repro of that bug that affects Huddles and other attachements happens to be on that jira she posted to her site, and it does involve making a *copy* of the object as part of it.

[#VWR-6110] [ ] I was attaching a hud when my other hud with animations-content (worth 22000LD!) disappeared. - Second Life Issues

I'm sure as heck not wearing any no copy attachments till I know what's up.

Chalice Yao

And the shit hits the fan.

I was wondering how long it'd take for this to surface in forums.

Basically, there -is- currently an exploit.

1. It allows people to make copies of items they see, including contents.

2. They get next-owner perms on the items, as if they had been given the object

3. in case of no-copy items..well. that items is lost to the original owner.

Linden Labs has been notified of this exploit over a month ago, and they -are- in the process of fixing it.
Sadly enough, that exploit is a 'feature' deeply deeply rooted in the whole inventory and asset system that hasn't been thought through, and I personally think the randomly failing 1.23 releases actually might be credited to this being a hard fix.

Also, no, this is not possible with the plain SL client or copybot.

In regards to the initial post, the person logged in with a special app and stole the attached items straight from the owner inventory, as they were able to see the attachments. Due to them being no-copy..zing. there you have it.

This has been fixed afaik in the few 1.23 regions that have been deployed. The person who originally reported it to LL has tested this.

personally I'm glad this hasn't become more widespread knowledge before this 1.23 deploy. Some people have been fearing for the worst. But let's say that alot of things -have- been copied.

Again tho: not fullperm, simply next-owner perms.

final note:

GTeam knows about the exploit. Report the person who stole the attachments, and they will be banninated.

Derrits Mapp

Thank you, Chalice. I was slowly starting to feel like I was going crazy.

Really, I wasn't too happy posting on some forums about it to not spread the word if it was true, but I didn't get any answers from anybody, including support who closed a support ticket telling me to file an abuse report without any word on the actual issue. If there had been an "here's your stuff back, we're working on the fix", or had found more quiet sources outside, I wouldn't have been that into getting information.

Even though, this is such an important issue, I'd have rather seen a warning than having lost custom made items to one random jerk. (Yes. I do understand what would have happened with an official warning about this.)

So, to figure one last thing out: If you can't find somebody on People Search, but on the "All" tab, does that mean the account is gone?

Hypatia Callisto

yes, sounds like the account was banned. Better file another support ticket asking for your lost items back. Frame it as a lost inventory occurance, so they don't just autoclose it.

Joshua Nightshade

That does sound like a horrible exploit then. Glad it's been fixed though.

Derrits Mapp

I did exactly that, but it got closed saying I should file an abuse report. I guess the abuse report sent way before did it's work then, at least.

As said, the items aren't really worth too much, we've been redoing them or just spent the few bucks on new things. It's only Basic accounts anyway, not going to put even more effort into getting it back.

Thanks for the information, you guys!

Hypatia Callisto

not rolled out completely yet, though

[UPDATED] Rolling restart to deploy 1.23.3, Thu-Wed July 24-30 « Official Second Life Blog

Hopefully soon.

My dances are staying put in inventory. As much as I loved using the dance chimera to share dances with people, its not worth all these problems. SL just got a little more unfun... its not fun to lose stuff you bought to have fun with. I've spent real money on my dance collection (definitely over 100 dollars US) and it comes from all over. I buy them because its easier to buy them from people who do a good job with them... I make the little animation here and there for my own products, but I can't make the kind of work that places like Sine Wave and Animazoo do. I don't have the knowledge of dance, am not a dancer, don't have access to models to do mocap, don't have a mocap system. That stuff is seriously expensive.

Oh yea, I am sure I will hear the obligatory "you're all about the money" stupid argument from some people. Talk about projection. It's the people who do the theft who are all about the money. It costs *real money* to buy good dance collections, it costs even more money and a lot of knowhow to make professional level dance animations.

But it doesn't surprise me that some people will steal any way they can. :/

Io Zeno

Whoa, I hope LL get those items back to you, Derrits, that really sux.

I swear, there must be people who do nothing but try to find exploits in SL and maybe LL should hire them rather than keep rolling out this shit without noticing themselves, ffs.

Beezle Warburton

Microsoft is still pushing security updates for XP.

Hypatia Callisto

You're lucky... because many people have lost dance machines which are well worth over a hundred dollars. Mine was... that's why I emptied it when I realised the level of this exploit.

Beezle Warburton

Mine's safe.

It's been "missing from database" for months now.

I accidentally coalesced my crap, went to a sandbox to sift through the heap . . . rezzed it all, started picking it back up one at a time, then the sandbox imploded at the wrong moment. Trashed my danceball >_<

Macphisto Angelus

Well, since this is now a known exploit I am going to link it on the official forums so that people can protect their stuff by not wearing it. Too bad LL didn't tell people to not wear no copy items in the meantime. I know there is a line between letting an exploit out in the knowledge wild and informing the userbase, but since there is money involved by the users and no guarantee people will get stuff back it would have been good to know before.

Hypatia Callisto

yeah, I think I have some Lilith Heart trees in the same place. :/

(that was what made me want to make my own trees)

Beezle Warburton

I now used a Freebie Solop that I modded to work when worn.

Oooooo, I just had a thought . . . I wonder if the permissions system is responsible for corrupting some things. Like when you rez an object that should be moddable, but it goes no-mod because the script in it is no-mod.

Maybe it periodically gets confused when you put a mix of animations permissions in an object and then re-rez it, similar to the "you can't link no-copy to no-transfer" error.

I've had two hours of sleep, so I'm not sure if that was coherent.

Derrits Mapp

Problem with having it on the official boards is that all the kids will start looking for the tools they need. Which is why I chose this place instead of anything else. But well, can't stop ya.