SLUniverse Forums

NikitaNightNinja · 07-26-2008, 11:56 PM

... this ( these forum chats ) is like school for me, but off the school property . I am learning here , growing , .. not sure to what ;p .,... the wonderland quotes were fun to read . N3 ;

Beezle Warburton · 07-27-2008, 05:20 AM

Wait, where's the thread where an creepy alt was dupin' people's AVs and joining their groups?

{edit}
Bizarre account copybotting avatars, clothing and even profiles and groups
{/edit}

Think this is a similar exploit?

HAI DERRITTS!

Hypatia Callisto · 07-27-2008, 06:09 AM

Quote:

Originally Posted by Beezle Warburton

Wait, where's the thread where an creepy alt was dupin' people's AVs and joining their groups?

{edit}
Bizarre account copybotting avatars, clothing and even profiles and groups
{/edit}

Think this is a similar exploit?

HAI DERRITTS!

I think it's the same exploit, however I never heard of anyone losing their stuff afterwards.

however y'all may want to look at some of the last comments on the Jira

AC Pfeffer says:

Quote:

The latest method of theft is not a texture grabber, not a copybot tool, but a process which intercepts the data-stream direct from the asset LL servers, I guess we can thank open-source for that. That data-steam is then 'injected' back into the asset server under a new owners name.

So no longer do creators and businesses have to only worry about texture and prim/sculptie theft, they now steal the ENTIRE OBJECT - including all scripts - ie. Fully working. Already, hundreds of high-value items have been stolen this way.

Even worse : the creator name is NOT replaced using this technique ... so its not a way to ID the stolen goods - so it looks just like a legitimately bough item, and works like it too.

So the thousands of creators who have been relaxed about content theft "as it didn't really apply to them" (their assets being more in the scripts) ... can start joining the crowds now. Your items with precious scripts are also now being stolen.

It's totally out of control.

Quote:

Yes we have been monitoring expensive stolen SL items using this technology, 100% functional with original SL creator.

[#SVC-676] Stopping texture theft and stop spreading of stolen items - Second Life Issues

unsure if that is the same thing.

Hypatia Callisto · 07-27-2008, 06:13 AM

If people are actually losing their attachments ... jesus christ, this isn't about content creators anymore. This is about anyone walking around SL losing stuff that's theirs.

*shrugs*

I don't know if that's actually happening, but this is not good, if true. My enthusiasm about SL drops a rung lower... sigh.

And another rung lower as I deal with another fuckwit spamming stolen crap on Fashcon.

growls.

edit: Just emptied the wearable dance machine. I'd rather lose one no-copy dance than possibly 90 of them.

Keiki Lemieux · 07-27-2008, 12:14 PM

Quote:

Originally Posted by Tya

oh def, one night i was working away and i accidentally did a "detach all"

this is stuff that i never take off, like my huddles.

well go to put it back on, huddles gone. with all my animations that i have collected over 3 1/2 years. My pc got an earful that night.

Tya, did you ever get your HUD back? If you have not submitted a ticket about this (or even if you did a while back), read my blog about this bug and submit another ticket. If that doesn't work, please contact me. There is real hope that we can get it back if it's the bug I'm thinking about.

Also, Derrits, you might want to read these posts too:

I Make HUDDLESâ„¢ » lost inventory

Derrits Mapp · 07-28-2008, 11:06 AM

Hypatia, that quote by AC Pfeffer actually sounds pretty much the way it'd have worked, with an ghost of the item still appearing on the avatar it was attached to originally, then just saying it isn't possible to rez that item and eventually disappearing from the inventory after clearing cache.

Guess I'll go over to not wearing any no copy attachments.

Hey Beez!

Edit says: Actually, I'm not having any proof for it, but I inspected one of the custom made items that disappeared from my friend's inventory, of which only two copies existed, while it was on the avatar that stole (Yup. There we go.) our items: Her's and the creator's.

When I inspected it, it still was showing the original creator. -> No "copybot", but rather the issue AC Pfeffer was talking about.

Case closed, I guess.

armozel · 07-28-2008, 11:28 AM

It sounds like the asset server turned into the asshat server. I've had this issue to a lesser degree where I was working on an object and most of the settings get rolled back (scripts sometimes disappear and what not). I hate to be the bearer of bad news, but you have a better chance of getting another copy than anything restored. >_>

Derrits Mapp · 07-28-2008, 11:32 AM

Quote:

Originally Posted by armozel

It sounds like the asset server turned into the asshat server. I've had this issue to a lesser degree where I was working on an object and most of the settings get rolled back (scripts sometimes disappear and what not). I hate to be the bearer of bad news, but you have a better chance of getting another copy than anything restored. >_>

I don't care for the items, neither does my friend. We care for items that have never been given out to anyone appearing on other people's hands and disappearing from the owner's inventory.

Again: This is NOT a copybot issue, and following AC's explanation, it's neither an asset server issue.

armozel · 07-28-2008, 11:35 AM

Derrits, there's no physical way for another client without the proper user permissions to delete, alter, or remove the 'inventory' of another user. This is all server-side, thus streamed to your client. For them to get your stuff either they hacked the server-side permissions (e.g. they got access to a Linden account) or they hacked your account (keylogger and the like). The explanation of the asset server follows because items can and do disappear because of errors within the DB that contains said assets. This tends to follow whether it's the most high tech DB deployments or a MUD's flatfile, it works on the same premise(s). :-P

Derrits Mapp · 07-28-2008, 12:11 PM

Okay, explain this:

This has happened in a matter of minutes. Francine has not been logged out during this process, which disproofs the idea of having her account hacked. (Correct me if I'm wrong.)

(Of course, you could as well make this Francine and me, BUT, I didn't see my item in Script K.'s hands.)

Hypatia Callisto · 07-28-2008, 12:42 PM

packet injection can indeed do what he described. I dont think any of us unless we're a Linden can say for sure if the database backend is protected from packet injection.

That being said, it could have been the bug that Keiki detailed, or some variation of it. The repro of that bug that affects Huddles and other attachements happens to be on that jira she posted to her site, and it does involve making a *copy* of the object as part of it.

[#VWR-6110] [ ] I was attaching a hud when my other hud with animations-content (worth 22000LD!) disappeared. - Second Life Issues

Quote:

1. Open build menu.
2. rez new box object.
3. rename it “Object A”.
4. Attach “Object A” to Left hand.

- Open inventory list and use filter key “object” make easier what will happen. -

5. You see “Object A” under the Objects folder.
6. Copy “Object A” and paste it in same folder.
7. Rename new “Object A” to “Object B”.
8. Drop “Object B” on floor (rez it).
9. Wear “Object B” directly from floor.

Observed:
“Object A” dissapear from inventory.

“Object B” appear under the Library folder as “worn on left hand”, but it just a shadow. You can’t rez it. And relogging make it completely disappear.

Should be:
“Object A” should remain under Objects folder as unweared.
“Object B” should located under Objects folder.

I'm sure as heck not wearing any no copy attachments till I know what's up.

Chalice Yao · 07-28-2008, 01:29 PM

And the shit hits the fan.

I was wondering how long it'd take for this to surface in forums.

Basically, there -is- currently an exploit.

1. It allows people to make copies of items they see, including contents.

2. They get next-owner perms on the items, as if they had been given the object

3. in case of no-copy items..well. that items is lost to the original owner.

Linden Labs has been notified of this exploit over a month ago, and they -are- in the process of fixing it.
Sadly enough, that exploit is a 'feature' deeply deeply rooted in the whole inventory and asset system that hasn't been thought through, and I personally think the randomly failing 1.23 releases actually might be credited to this being a hard fix.

Also, no, this is not possible with the plain SL client or copybot.

In regards to the initial post, the person logged in with a special app and stole the attached items straight from the owner inventory, as they were able to see the attachments. Due to them being no-copy..zing. there you have it.

This has been fixed afaik in the few 1.23 regions that have been deployed. The person who originally reported it to LL has tested this.

personally I'm glad this hasn't become more widespread knowledge before this 1.23 deploy. Some people have been fearing for the worst. But let's say that alot of things -have- been copied.

Again tho: not fullperm, simply next-owner perms.

final note:

GTeam knows about the exploit. Report the person who stole the attachments, and they will be banninated.

Derrits Mapp · 07-28-2008, 03:26 PM

Thank you, Chalice. I was slowly starting to feel like I was going crazy.

Really, I wasn't too happy posting on some forums about it to not spread the word if it was true, but I didn't get any answers from anybody, including support who closed a support ticket telling me to file an abuse report without any word on the actual issue. If there had been an "here's your stuff back, we're working on the fix", or had found more quiet sources outside, I wouldn't have been that into getting information.

Even though, this is such an important issue, I'd have rather seen a warning than having lost custom made items to one random jerk. (Yes. I do understand what would have happened with an official warning about this.)

So, to figure one last thing out: If you can't find somebody on People Search, but on the "All" tab, does that mean the account is gone?

Hypatia Callisto · 07-28-2008, 03:57 PM

Quote:

Originally Posted by Derrits Mapp

So, to figure one last thing out: If you can't find somebody on People Search, but on the "All" tab, does that mean the account is gone?

yes, sounds like the account was banned. Better file another support ticket asking for your lost items back. Frame it as a lost inventory occurance, so they don't just autoclose it.

Joshua Nightshade · 07-28-2008, 04:02 PM

That does sound like a horrible exploit then. Glad it's been fixed though.

Derrits Mapp · 07-28-2008, 04:02 PM

Quote:

Originally Posted by Hypatia Callisto

yes, sounds like the account was banned. Better file another support ticket asking for your lost items back. Frame it as a lost inventory occurance, so they don't just autoclose it.

I did exactly that, but it got closed saying I should file an abuse report. I guess the abuse report sent way before did it's work then, at least.

As said, the items aren't really worth too much, we've been redoing them or just spent the few bucks on new things. It's only Basic accounts anyway, not going to put even more effort into getting it back.

Thanks for the information, you guys!

Hypatia Callisto · 07-28-2008, 04:26 PM

Quote:

Originally Posted by Joshua Nightshade

That does sound like a horrible exploit then. Glad it's been fixed though.

not rolled out completely yet, though

[UPDATED] Rolling restart to deploy 1.23.3, Thu-Wed July 24-30 « Official Second Life Blog

Quote:

Update 2008-07-25 10:04pm : Those regions (about 1/10 of Second Life) that had been running server version 1.23.3 are now running server version 1.23.4. (90% of the grid remains on 1.22.4.)

Hopefully soon.

My dances are staying put in inventory. As much as I loved using the dance chimera to share dances with people, its not worth all these problems. SL just got a little more unfun... its not fun to lose stuff you bought to have fun with. I've spent real money on my dance collection (definitely over 100 dollars US) and it comes from all over. I buy them because its easier to buy them from people who do a good job with them... I make the little animation here and there for my own products, but I can't make the kind of work that places like Sine Wave and Animazoo do. I don't have the knowledge of dance, am not a dancer, don't have access to models to do mocap, don't have a mocap system. That stuff is seriously expensive.

Oh yea, I am sure I will hear the obligatory "you're all about the money" stupid argument from some people. Talk about projection. It's the people who do the theft who are all about the money. It costs *real money* to buy good dance collections, it costs even more money and a lot of knowhow to make professional level dance animations.

But it doesn't surprise me that some people will steal any way they can. :/

Io Zeno · 07-28-2008, 04:29 PM

Whoa, I hope LL get those items back to you, Derrits, that really sux.

I swear, there must be people who do nothing but try to find exploits in SL and maybe LL should hire them rather than keep rolling out this shit without noticing themselves, ffs.

Beezle Warburton · 07-28-2008, 04:33 PM

Quote:

Originally Posted by Io Zeno

Whoa, I hope LL get those items back to you, Derrits, that really sux.

I swear, there must be people who do nothing but try to find exploits in SL and maybe LL should hire them rather than keep rolling out this shit without noticing themselves, ffs.

Microsoft is still pushing security updates for XP.

Hypatia Callisto · 07-28-2008, 04:34 PM

Quote:

Originally Posted by Derrits Mapp

I did exactly that, but it got closed saying I should file an abuse report. I guess the abuse report sent way before did it's work then, at least.

As said, the items aren't really worth too much, we've been redoing them or just spent the few bucks on new things. It's only Basic accounts anyway, not going to put even more effort into getting it back.

You're lucky... because many people have lost dance machines which are well worth over a hundred dollars. Mine was... that's why I emptied it when I realised the level of this exploit.

Beezle Warburton · 07-28-2008, 04:59 PM

Quote:

Originally Posted by Hypatia Callisto

You're lucky... because many people have lost dance machines which are well worth over a hundred dollars. Mine was... that's why I emptied it when I realised the level of this exploit.

Mine's safe.

It's been "missing from database" for months now.

I accidentally coalesced my crap, went to a sandbox to sift through the heap . . . rezzed it all, started picking it back up one at a time, then the sandbox imploded at the wrong moment. Trashed my danceball >_<

Macphisto Angelus · 07-28-2008, 05:06 PM

Well, since this is now a known exploit I am going to link it on the official forums so that people can protect their stuff by not wearing it. Too bad LL didn't tell people to not wear no copy items in the meantime. I know there is a line between letting an exploit out in the knowledge wild and informing the userbase, but since there is money involved by the users and no guarantee people will get stuff back it would have been good to know before.

Hypatia Callisto · 07-28-2008, 05:19 PM

Quote:

Originally Posted by Beezle Warburton

Mine's safe.

It's been "missing from database" for months now.

I accidentally coalesced my crap, went to a sandbox to sift through the heap . . . rezzed it all, started picking it back up one at a time, then the sandbox imploded at the wrong moment. Trashed my danceball >_<

yeah, I think I have some Lilith Heart trees in the same place. :/

(that was what made me want to make my own trees)

07-27-2008, 05:20 AM	#27 (permalink)
Beezle Warburton Stabbity! GAH! Join Date: Aug 2007 Location: Darkmere Posts: 2,490 SL Join Date: October 24, 2006 Business: Cortech Enterprises SLShopper Ads: 13 My Mood:	Wait, where's the thread where an creepy alt was dupin' people's AVs and joining their groups? {edit} Bizarre account copybotting avatars, clothing and even profiles and groups {/edit} Think this is a similar exploit? HAI DERRITTS! __________________ Cortech Enterprises Alternate Location Cortech at Shop.OnRez Second Life®, SL®, $L™, Lindens™, Linden Dollars®, Linden Lab®, Missing Image™, [RESOLVED]™ and the color gray are trademarks or registered trademarks of Linden Research, Inc. All rights reserved. Last edited by Beezle Warburton; 07-27-2008 at 05:27 AM.

07-27-2008, 06:13 AM	#29 (permalink)
Hypatia Callisto i haz a mousie but i eated it. Join Date: Jun 2007 Posts: 697 My Mood:	If people are actually losing their attachments ... jesus christ, this isn't about content creators anymore. This is about anyone walking around SL losing stuff that's theirs. shrugs I don't know if that's actually happening, but this is not good, if true. My enthusiasm about SL drops a rung lower... sigh. And another rung lower as I deal with another fuckwit spamming stolen crap on Fashcon. growls. edit: Just emptied the wearable dance machine. I'd rather lose one no-copy dance than possibly 90 of them. Last edited by Hypatia Callisto; 07-27-2008 at 08:47 AM.

07-26-2008, 11:56 PM	#26 (permalink)
NikitaNightNinja Member Listed,black . Alien M.U.T.T. Join Date: Jul 2008 Posts: 55 My Mood:	... this ( these forum chats ) is like school for me, but off the school property . I am learning here , growing , .. not sure to what ;p .,... the wonderland quotes were fun to read . N3 ;

07-28-2008, 11:06 AM	#31 (permalink)
Derrits Mapp Member Join Date: Jul 2008 Posts: 72	Hypatia, that quote by AC Pfeffer actually sounds pretty much the way it'd have worked, with an ghost of the item still appearing on the avatar it was attached to originally, then just saying it isn't possible to rez that item and eventually disappearing from the inventory after clearing cache. Guess I'll go over to not wearing any no copy attachments. Hey Beez! Edit says: Actually, I'm not having any proof for it, but I inspected one of the custom made items that disappeared from my friend's inventory, of which only two copies existed, while it was on the avatar that stole (Yup. There we go.) our items: Her's and the creator's. When I inspected it, it still was showing the original creator. -> No "copybot", but rather the issue AC Pfeffer was talking about. Case closed, I guess.

07-28-2008, 11:28 AM	#32 (permalink)
armozel Androgynous Android I aim to misbehave Join Date: Jul 2008 Location: Earth Posts: 636 SL Join Date: 2005/6 (Had another older account, lost due to forgetting name...) Blog Entries: 4 My Mood:	It sounds like the asset server turned into the asshat server. I've had this issue to a lesser degree where I was working on an object and most of the settings get rolled back (scripts sometimes disappear and what not). I hate to be the bearer of bad news, but you have a better chance of getting another copy than anything restored. >_>

07-28-2008, 11:35 AM	#34 (permalink)
armozel Androgynous Android I aim to misbehave Join Date: Jul 2008 Location: Earth Posts: 636 SL Join Date: 2005/6 (Had another older account, lost due to forgetting name...) Blog Entries: 4 My Mood:	Derrits, there's no physical way for another client without the proper user permissions to delete, alter, or remove the 'inventory' of another user. This is all server-side, thus streamed to your client. For them to get your stuff either they hacked the server-side permissions (e.g. they got access to a Linden account) or they hacked your account (keylogger and the like). The explanation of the asset server follows because items can and do disappear because of errors within the DB that contains said assets. This tends to follow whether it's the most high tech DB deployments or a MUD's flatfile, it works on the same premise(s). :-P

07-28-2008, 12:11 PM	#35 (permalink)
Derrits Mapp Member Join Date: Jul 2008 Posts: 72	Okay, explain this: This has happened in a matter of minutes. Francine has not been logged out during this process, which disproofs the idea of having her account hacked. (Correct me if I'm wrong.) (Of course, you could as well make this Francine and me, BUT, I didn't see my item in Script K.'s hands.)

07-28-2008, 01:29 PM	#37 (permalink)
Chalice Yao The Purple Kinda at work. Somewhat. Join Date: Dec 2007 Location: Somewhere purple, Germany Posts: 1,122 My Mood:	And the shit hits the fan. I was wondering how long it'd take for this to surface in forums. Basically, there -is- currently an exploit. 1. It allows people to make copies of items they see, including contents. 2. They get next-owner perms on the items, as if they had been given the object 3. in case of no-copy items..well. that items is lost to the original owner. Linden Labs has been notified of this exploit over a month ago, and they -are- in the process of fixing it. Sadly enough, that exploit is a 'feature' deeply deeply rooted in the whole inventory and asset system that hasn't been thought through, and I personally think the randomly failing 1.23 releases actually might be credited to this being a hard fix. Also, no, this is not possible with the plain SL client or copybot. In regards to the initial post, the person logged in with a special app and stole the attached items straight from the owner inventory, as they were able to see the attachments. Due to them being no-copy..zing. there you have it. This has been fixed afaik in the few 1.23 regions that have been deployed. The person who originally reported it to LL has tested this. personally I'm glad this hasn't become more widespread knowledge before this 1.23 deploy. Some people have been fearing for the worst. But let's say that alot of things -have- been copied. Again tho: not fullperm, simply next-owner perms. final note: GTeam knows about the exploit. Report the person who stole the attachments, and they will be banninated.

07-28-2008, 03:26 PM	#38 (permalink)
Derrits Mapp Member Join Date: Jul 2008 Posts: 72	Thank you, Chalice. I was slowly starting to feel like I was going crazy. Really, I wasn't too happy posting on some forums about it to not spread the word if it was true, but I didn't get any answers from anybody, including support who closed a support ticket telling me to file an abuse report without any word on the actual issue. If there had been an "here's your stuff back, we're working on the fix", or had found more quiet sources outside, I wouldn't have been that into getting information. Even though, this is such an important issue, I'd have rather seen a warning than having lost custom made items to one random jerk. (Yes. I do understand what would have happened with an official warning about this.) So, to figure one last thing out: If you can't find somebody on People Search, but on the "All" tab, does that mean the account is gone?

07-28-2008, 04:02 PM	#40 (permalink)
Joshua Nightshade Banned Join Date: Jun 2007 Location: NYC Posts: 22,229 SL Join Date: 10-11-2004 Business: abstract avatars! SLShopper Ads: 16 My Mood:	That does sound like a horrible exploit then. Glad it's been fixed though.

07-28-2008, 04:29 PM	#43 (permalink)
Io Zeno MAD DOG Rabid Join Date: Jul 2007 Location: New York City Posts: 12,335 My Mood: Awards: 1	Whoa, I hope LL get those items back to you, Derrits, that really sux. I swear, there must be people who do nothing but try to find exploits in SL and maybe LL should hire them rather than keep rolling out this shit without noticing themselves, ffs.

07-28-2008, 05:06 PM	#47 (permalink)
Macphisto Angelus Ghostariffic! all statused out Join Date: May 2008 Location: OpenLife Grid Posts: 2,319 SL Join Date: 10-21-2004 My Mood:	Well, since this is now a known exploit I am going to link it on the official forums so that people can protect their stuff by not wearing it. Too bad LL didn't tell people to not wear no copy items in the meantime. I know there is a line between letting an exploit out in the knowledge wild and informing the userbase, but since there is money involved by the users and no guarantee people will get stuff back it would have been good to know before.