SLUniverse Forums

Macphisto Angelus

I thought of that, but this is what I decided:

Would it be better to warn people to take the no copy stuff and keep it safe against the few that have it or leave it unknown and risk the chance they may lose something very valuable (like a Starax statue) and maybe never get it back. In this case prevention won out.

Colette over there already posed a great question that needs to be thought about:

So, if you are not on a networked vendor and just have stuff in a standalone vendor (like my stuff is) it may be smart to pull them until this is plugged depending on the permissions on your items in them)
In other words does the vendor hold the same permissions as the owner had once it is copied?

Hypatia Callisto

if you're selling from a box (no actual vendor), its probably going to have the next owner perms default - no copy no mod and transfer.

Which means they can remove the items from it, but they will have it as next owner perms.

However they will be able to make copies ad infinitum, probably - till there is a fix. And no way to tell the difference, as it won't be a copybotted item. It's the actual item you sell, gotten for free.

__________________
"To begin with," said the Cat, "a dog's not mad. You grant that?"

"I suppose so," said Alice.

"Well, then," the Cat went on, "you see, a dog growls when it's angry, and wags its tail when it's pleased. Now I growl when I'm pleased, and wag my tail when I'm angry. Therefore I'm mad."

"I call it purring, not growling," said Alice.

"Call it what you like," said the Cat.

Hypatia Callisto

That has happened to me with an AO HUD... the prims went no mod because it had no mod scripts. But only if I took it back into inventory... the original copy (prims were mod copy no trans - scripts were no mod, copy, no trans) - if I rezzed that original one, the prims were mod. But only that one time I rezzed it... so it was useless for when I went to put new items in it. I would have to rez a fresh one, then put all the stuff in it from the old one.

Finally I just started using a ZHAO and I modded a smiler script to give me the randomised smiling funtionality I had with the old one. I'll probably put some emotes into it, but I currently enjoy emotes as well with my mystitool.

Macphisto Angelus

Thanks. I think the worry was over a vendor like the freebie full perms type for example. If it is loaded down with products inside the vendor that should act like a box.. and they could get your whole line in one shot.. then couple that with the infinite ability to make copies.. yikes.

I use Moopf's vendors so they are no transfer, would that make a difference in this?

Hypatia Callisto

I have no idea.

I'm not sure yet if this extends to items on the sim. It may only work with attachments. I really don't know enough to say for sure.

My first guess though if they are faking an inventory transfer, that it may not work with no trans items.

Chalice Yao

yep yep.

Derrits Mapp

Does work with No Transfer items.

Derrits Mapp

They actually responded pretty quickly to the ARs, then. Not bad at all.

Colette Meiji

So basically it is as if they force you to give them a copy?

And if the item is not copy / or contents aren't .. you are left robbed?

Beezle Warburton

Pretty much. You're left with a "Ghost" copy that will never rez again.

__________________

Second Life®, SL®, $L™, Lindens™, Linden Dollars®, Linden Lab®, Missing Image™, [RESOLVED]™
and the color gray are trademarks or registered trademarks of Linden Research, Inc.
All rights reserved.

Colette Meiji

I guess my main concern after reading this is a couple spots I have items in world with a lot of animations in them.

Would be expensive and time consuming to replace.

Aminom Marvin

They probably chalk it up to "market research" or something similarly silly. BROWSING FORUMS= IMPORTANT JOB.

The plot thickens *scratches her beard*

Color me unsurprised. I've heard of numerous verified tales of all sorts of security woes in my time in SL, and I'm not even that old (a year and a half old.) LL should give bounties to people who found exploits; in the past I know they have given such bounties, and one of my friends who is a "white" SL hacker has helped find and report some exploits.

pixel_cutter

Maybe ask the maker of the items to check their transaction history to see if she bought them.

armozel

I'm not sure about LL's corporate policies on this, but I know the history of bounties on exploits by companies on product lines is patchy at best. Not because it has no real effective use, but because some companies often don't put in a system to filter the bullshit claims for exploits (dumb asses that think they're smarter than the average lichen) from the legitimate reports. So some companies often just treat anyone that offers any substantial evidence of an exploit as a hostile agent.

I wouldn't be surprised LL has a similar unspoken hostile agent policy, but I can't be sure.

Stephanie Misfit

They have offered 10K bounties in the past for reporting exploits, not sure if that is still the case.

What I don't get about this current issue is that I've seen reports of SLProxy being used to steal objects via packet injection dating back to 2006. It makes me wonder if this current exploit is actually something new, or if it's an old exploit that has just become more of an issue because instructions are now being distributed to allow anyone to use it. If it's an issue that's been around a couple of years, should we feel confident about it being fixed now?

Yolto.com

Other consequences of the same: Topic Digest: VSTEX/ISE halt trading, ATM withdrawls.

I don't quite understand how their ATM worked if they could be robbed this way... Ours (and SLXs) work fine, you can't steal money by stealing the ATM itself. Maybe some kinda' 'overly simplified' security scheme with a password stored inside the ATM or something.

Gigs

I've got my share of bugs filed in the SEC project on Jira and before that even. Most Lindens will even play with the exploit with me so that we can see what log messages it generates.

They haven't ever seemed hostile over people reporting exploits, especially if you report it to them before making it public.

Abbey

This is an issue we are going to see more of in the future.
I know of two SL clients that can do this. One is used by bug testers for LL. Same guys who made copybot.
It seems once again this has become freely available to every joe hacker out there.

Sorry to say it, but SL just isn't safe for content creators or shoppers or anyone. LL don't give a rat's ass about security, because doing something serious about it would mean re-building SL from scratch.

SL was never designed with security.. the foundation of all SL code is based on a 1970s model of security, which is pretty much equal to no security.

Content theft has always been possible on SL. From day one. It's part of the code.

Tya

__________________
PM Website | PM Blog | Tya's Flickr | PM @ SLEX | PM @ Onrez

Aki Shichiroji

Yet we are still here.

__________________

Also See: Kitheres Industries (scifi avs, skins, and accessories) | Organica Updates | Blog

Lucifer Baphomet

Holy Nekro Post, Batman.

Who's the wiseass trying to steal Summer's job?

__________________

Charlemagne Allen