*IMPORTANT* Turn Off Media in SL - Major Security Flaw (Updated) - SLUniverse Forums
Old 08-17-2013, 01:44 PM   #1 (permalink)
Peeps Tsar
 
Cristiano's Avatar
#imalwayswithher
 
Join Date: Jun 2007
Location: Miami, FL
Posts: 35,554
SL Join Date: Dec 2002
Business: ANOmations
Client: Viewer 2
Blog Entries: 18
Turn Off Media in SL - Major Security Flaw (Updated)

I have been advised that there is a very serious security flaw with SL's media implementation that can result in completely compromised accounts. I do not want to give any other details, but turn off your media in SL until further notice to protect your account.

The issue has been reported to LL - it affects all viewers.

Update:

I added some clarification on this post:

Turn Off Media in SL - Major Security Flaw (Updated)
__________________
"A certain darkness is needed to see the stars" ~ Osho




Old 08-17-2013, 01:48 PM   #2 (permalink)
E=mc^(OMG)/wtf

*SLU Supporter*
 
Cindy Claveau's Avatar
Nevertheless, she persisted.
 
Join Date: Jun 2007
Location: Brownbackistan
Posts: 43,931
SL Join Date: May, 2005
Client: Firestorm
Blog Entries: 16

Awards: 4
Special Achievement In Creepy Avatar Threads 
I think I've had media turned off since the last time this was reported, almost 2 years ago.

Still not fixed, huh?
Old 08-17-2013, 01:51 PM   #3 (permalink)
Cristiano's Avatar
Apparently not - the amount of information being captured and the potential for account compromise is pretty staggering. I don't want to give any more details than that, but it is very serious.
Old 08-17-2013, 01:56 PM   #4 (permalink)
Senior Member
 
Draekan's Avatar
 
Join Date: Aug 2013
Posts: 116
Client: Homebrewed
Are you sure this isn't just some rehash of the already known issues with media such as IP addresses and other somewhat generic info being collected by outside sources? I find it a little hard to take this report of a new threat seriously with zero details on the matter.
Old 08-17-2013, 01:56 PM   #5 (permalink)
Cristiano's Avatar
I'm sure. I would not post about this lightly. It isn't the simple IP address disclosure issue from the past.
Old 08-17-2013, 01:58 PM   #6 (permalink)
Ginger Supremacist
 
Ramen Jedburgh's Avatar
Heya ^_^
 
Join Date: Apr 2010
Location: Illinois, USA
Posts: 4,843
SL Join Date: 3/9/2006
Client: Firestorm
This is why I always have media off.

Just curious, does this affect media on one's own parcel? Like you own the land using a trusted audio stream, because I do sometimes run the media on my own land.
__________________
--
Ramen Jedburgh

http://allaroundthegrid.blogspot.com/
Old 08-17-2013, 02:03 PM   #7 (permalink)
Draekan's Avatar
Are there any details at all that could be shared that wouldn't give someone reading the info needed to use the exploit you are talking about?
Old 08-17-2013, 02:09 PM   #8 (permalink)
Cindy Claveau's Avatar
Quote:
Originally Posted by Cindy Claveau View Post
I think I've had media turned off since the last time this was reported, almost 2 years ago.

Still not fixed, huh?
Googling this, I found the 2007 reports:

Security Experts Expose Costly Vulnerability in Second Life

A 2010 article blog-botted here on SLU:

SL Blog: Shared Media, Security, and Privacy

And now this.

Still. Not. Fixed.

As one respondent to the 2010 thread here said:

Quote:
There are a few easy things that you can do right now to help protect your privacy.

<turn off everything that we just implemented and set to ON as a default>
Old 08-17-2013, 02:16 PM   #9 (permalink)
Senior Member
 
Nika Talaj's Avatar
 
Join Date: Sep 2007
Posts: 3,336
Just media, or music streaming too?
Old 08-17-2013, 02:17 PM   #10 (permalink)
Cristiano's Avatar
Quote:
Originally Posted by Nika Talaj View Post
Just media, or music streaming too?
I'm not certain, I'll find out.
Old 08-17-2013, 02:27 PM   #11 (permalink)
Maestra de Sombras
 
IsaDaft Trollop's Avatar
Watches and waits...
 
Join Date: Aug 2007
Location: So. CA
Posts: 2,322
SL Join Date: Feb. 12, 2006
Quote:
Originally Posted by Nika Talaj View Post
Just media, or music streaming too?
I always have music on, but not video. So any info on this would be great.
__________________
Quote:
Originally Posted by Jopsy Pendragon View Post
Forums would be a dull place indeed if people couldn't get their knickers twisted over utterly inconsequential matters of ego in front of people they hardly know.
Old 08-17-2013, 02:40 PM   #12 (permalink)
Solace Beach Owner

*SLU Supporter*
 
Join Date: Aug 2008
Location: Undisclosed prepper bunker
Posts: 2,151
Business: Solace Beach Estates
Client: Firestorm
I work in the live music field and own venues...please do advise ASAP if this affects music streams. Also is it only something the landowner or stream owner can do, or can a visitor without land rights cause trouble? If it's the former, it shouldn't affect the live music community too much as our identities are fairly well known and an anonymous hacker isn't going to hold live music events.

I know you are posting this in good faith but without more details, it comes across as scaremongering and could hurt large communities in SL - live music and DJs/clubs. Please post or PM details so we can protect ourselves rather than shutting everything off based on fear without evidence.
__________________
Solace Beach Estates: Beautiful Residential & Commercial Land for All Budgets!
http://slurl.com/secondlife/Solace%20Beach/193/48/23
Ayesha Lytton is offline   Reply With Quote
Old 08-17-2013, 03:13 PM   #13 (permalink)
Senior Member

*SLU Supporter*
 
Darien Caldwell's Avatar
LLvangelist
 
Join Date: Apr 2008
Location: Cali
Posts: 3,886
SL Join Date: 10/12/2006
Business: [H]arsh Styles
Client: Always changing, and too lazy to edit.
If it's just a case of 'don't play media you don't know the source of', that's one thing, and doesn't actually require you 'disable media'.

But you're implying just having it enabled causes a compromise, even without playing media, that's a whole other thing. And really that scenario seems a bit farfetched.

It would be good to have an explicit definition of under what circumstances the vulnerability occurs.

Also, it might be good to disclose the identity of who is saying this. Source matters, to me at least.
__________________
[H]arsh Styles

The truth doesn't care if you agree with it or disagree with it. It continues to be regardless, unchanged. Denying the truth is only lying to yourself. - Darien Caldwell

Last edited by Darien Caldwell; 08-17-2013 at 03:21 PM.
Old 08-17-2013, 04:28 PM   #14 (permalink)
Old School Goth
 
Kostika's Avatar
Misanthrope
 
Join Date: Mar 2011
Location: UK
Posts: 44
SL Join Date: 09/06/2009
Client: Firestorm
Quote:
Originally Posted by Darien Caldwell View Post
Also, it might be good to disclose the identity of who is saying this. Source matters, to me at least.
Darien beat me to it. Yes, can you tell the source? Unfortunately rumours of this sort of thing occur too often and are often exaggerated.
__________________
femme gamer
P/K
Old 08-17-2013, 06:00 PM   #15 (permalink)
Cristiano's Avatar
It is not a rumor, I've seen the evidence of it. I'll ask the person who brought it to my attention to come forward, if they choose to. The information has been provided to Soft Linden.
Old 08-17-2013, 06:03 PM   #16 (permalink)
Cristiano's Avatar
Quote:
Originally Posted by Ayesha Lytton View Post
I work in the live music field and own venues...please do advise ASAP if this affects music streams. Also is it only something the landowner or stream owner can do, or can a visitor without land rights cause trouble? If it's the former, it shouldn't affect the live music community too much as our identities are fairly well known and an anonymous hacker isn't going to hold live music events.

I know you are posting this in good faith but without more details, it comes across as scaremongering and could hurt large communities in SL - live music and DJs/clubs. Please post or PM details so we can protect ourselves rather than shutting everything off based on fear without evidence.
My concern about posting the details is that it points out exactly how the exploit is being used, something I do not want to say anything else about. Call it scaremongering if you wish. I don't post something like this lightly or without investigating it. I have seen the evidence of it being used and what information is being taken from users to access accounts.

It is not an identity disclosure risk, though that is part of it. It is a full account compromise risk, which is why I posted about it. Do with the information what you will. I will post more details as I have them. I don't think it would affect those who control their own streams. This is about going onto land that has media set onto it that is not under your control.
Old 08-17-2013, 06:32 PM   #17 (permalink)
Woke Woman
 
Shiloh Lyric's Avatar
It's all relative
 
Join Date: Aug 2008
Location: Pennsylvania
Posts: 11,463
SL Join Date: This time: 10/12/2010
Client: A few different ones

Awards: 1
SLU Creepy Avatar Competition 2014 Participant 
I'm a little unsure about what to do...all of my media is unchecked except for "Enable Media Filter (increased security)". Should I uncheck that, also?
__________________
The power of the people is stronger than the people in power!


http://www.flickr.com/photos/shilohlyric/
http://shilohlyric.wordpress.com/
1 User Laughed:
Old 08-17-2013, 06:35 PM   #18 (permalink)
GAF

*SLU Supporter*
 
bronxelf's Avatar
Goth when goth was. Also, socially unacceptable.
 
Join Date: Dec 2010
Location: New York City
Posts: 13,156
SL Join Date: May 13, 2008
Business: Beautiful Freak/Club Gothika/House of Rain/Pale Empress/Cursed Events
Client: Firestorm.
I'm just looking for clarification, like Darien - is it media *enabled* or is media+filter+only calls you recognize (like the club stream which has been the same for years) ok, just don't wander around with media auto-on?
Old 08-17-2013, 06:39 PM   #19 (permalink)
Cristiano's Avatar
As soon as I know that, I will post the details. In the meantime, I was told to disable media. Based on the way streaming works, I don't imagine your own streams are an issue, but only media not controlled by you on other land that you visit.
Old 08-17-2013, 06:45 PM   #20 (permalink)
Shiloh Lyric's Avatar
Draekan, you laughed at my question...why? Exactly? I've never claimed to be all that tech savvy, so if you feel it was a stupid question, or an amusing one, on my part, I'd like to know why. Were you being funny, helpful or just being a dick?
Old 08-17-2013, 06:52 PM   #21 (permalink)
bronxelf's Avatar
Quote:
Originally Posted by Shiloh Lyric View Post
I'm a little unsure about what to do...all of my media is unchecked except for "Enable Media Filter (increased security)". Should I uncheck that, also?

You're ok, Shiloh. Just... don't turn anything on in SL until Cris gets more info. Listen to club streams in Winamp or something.
Old 08-17-2013, 06:54 PM   #22 (permalink)
Senior Member
 
Cincia Singh's Avatar
Nitwit magnet
 
Join Date: Mar 2008
Location: Chicago USA
Posts: 4,110
SL Join Date: 06/07
Client: Firestorm, SL Beta Viewer, NiranV
Blog Entries: 6
If it's being discussed on SLU do you really think the dicks who would use the exploit don't already know about it? Are there inept dicks on SLU who couldn't figure it out but might use it if you tell everyone? And WTF happened to my tinfoil hat?
__________________
*My concern can be measured in micro give-a-shits, and I'm working on nanotechnology!*
Old 08-17-2013, 07:00 PM   #23 (permalink)
Draekan's Avatar
Quote:
Originally Posted by Shiloh Lyric View Post
Draekan, you laughed at my question...why? Exactly? I've never claimed to be all that tech savvy, so if you feel it was a stupid question, or an amusing one, on my part, I'd like to know why. Were you being funny, helpful or just being a dick?
Someone got super sensitive I see. How could someone not laugh when the preference name and description is so blatantly obvious? Filter = a control mechanism for content. Increased security = speaks for itself. You really needed to ask about turning off a feature labeled as such in a thread about a dangerous exploit. Hilarious.

Last edited by Draekan; 08-17-2013 at 07:10 PM.
Old 08-17-2013, 07:10 PM   #25 (permalink)
Cincia Singh's Avatar
Quote:
Originally Posted by Draekan View Post
Someone got super sensitive I see. How could someone not laugh when the preference name and description is so blatantly obvious? Filter = a control mechanism for content. Increased security = speaks for itself. You really needed to ask about turning off a feature labeled as such. Hilarious.
It's attitudes like yours that make people love you. Please, keep sipping the kool-aid.