Crime Wave Thwarted in Second Life
Ponca City, We Love You writes "The Mercury News reports that a vulnerability in the way Second Life protects a user's money has been identified. Risks for users are reportedly limited because the researchers say the flaw can be quickly patched. The flaw exploits a known problem with Apple's QuickTime - when a virtual character passes by an infected object planted by hackers, the Second Life software activates QuickTime so it can play the video or picture. Hackers can direct the Second Life software to a malicious Web site that then allows them to 'take over the user's avatar and force it to hand over its Linden cash. Second Life is recommending that users disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue.' The hack raises tough questions for operators of virtual worlds. Should they be as secure as banks and guarantee the safety of money and property that characters in the world possess?"
Old recommendation, Quicktime prob killed soon (Score:5, Informative)
We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker. This will include account termination and legal action if appropriate, as well as the appropriate assistance for affected Residents.
Re:SL's economy is a giant sinkhole anyway (Score:3, Informative)
Oh noes. What's that you say? There are furry tentacle-rape freaks on SL? Guess what? I don't care. They don't bother me, and I don't bother them. Personally, I've had a lot of fun on SL which has had nothing to do with sex or money... but don't let my little anecdote get in the way of your rant.
Re:SL's economy is a giant sinkhole anyway (Score:5, Informative)
In three years spent in Second Life I have not done any of this. I must be some weird and very persistent aberration, then. Or maybe you're just wrong.
"As the Linden (the currency of Second Life) is not based on anything"
It is based on the USD, and maintained at a rather fixed rate by LindenLab acting as a central bank. It's not perfect, but it has worked remarkably well so far.
"Linden Labs simply dumps currency into the market whenever they feel like it."
No, they sell some L$ only when the rate drops under 265 L$ per 1 USD to maintain the rate, and they buy back the L$ when the rate goes higher than 266 L$ per 1 USD (though they apparently never have had to do that). That's not "whenever they feel like it".
"So economic problems are pretty common"
Err, no. The L$ has been exceptionally steady ever since LL introduced the measures I pointed out above, and the vast majority of players have zero problems with it. Only those who want to play games with their money and that of other people are taking risks. You're obviously confusing economy with finance if you conflate financial institutions like the "banks" and "stock exchanges" with the economy itself. But then, that's to be expected on a technology-oriented website like
Re:SL's economy is a giant sinkhole anyway (Score:3, Informative)
Being some random griefer who sends flying phallic objects across the Metaverse doesn't make you an expert in anything except flying genitals. So let's step through your insolent propaganda point by point.
Perhaps you're not aware of the number of corporate entities [blogs.com] using Second Life, not even for direct profit, but simply as a platform to deliver product information, such as Sun Microsystems [sun.com], or the educational institutions [simteach.com] using it as part of a prototype distance learning initiative, such as Bowling Green State University [bgsu.edu]. Maybe you're not aware of the high-profile full-time businesses [wikipedia.org] in Second Life, or the many [businessweek.com], many [sun.com] articles reputable business publications have written noting the unique opportunities that exist in SL. There's much more than just sex and money. As in real life, there is entertainment, education, experimentation and economy. You know little about these because you spend all your time making the experience inconvenient [secondlife.com] for others.
This was no surprise to anyone not stupid. [reuters.com]
A quick look through the SL Economy metrics [secondlife.com] and blogs shows you're full of it. There is an actual regulation to the currency in SL, you're just ignorant of it.
Again, your ignorance shines through. Do you do any investing in the real world? Do you know what happens when you invest 100k in prime real estate in California and an earthquake devastates it? Unless you took out insurance of some kind with an organization who certainly makes more than they will ever put out (on a sidenote, there are investment insurers in SL), you are SOL. Linden is careful to use the terminology "unit of trade" for the Linden dollar, because the Metaverse is not a separate governmental body, has no legal jurisdiction in the real world, and wants to avoid the IRS putting their grubby mitts any further in. If you are foolish enough to make an unwise investment in SL, then, just as in real life, you learn that a fool and his money are soon parted.
In conclusion, please know what the hell you're talking about before you respond. And stop griefing the Metaverse, it's obnoxious.
Re:an alternate, and more entertaining solution (Score:3, Informative)
http://slurl.com/secondlife/bel%20Highland/171/143/33 [slurl.com]
Should be near where you can get the baby unicorn. NSFW link:
http://www.secondlifeherald.com/slh/2007/09/afternoon-delig.html#more [secondlifeherald.com]
It might be a custom thing though so it might not actually be there.
It gets worse. All QuickTime files now threats. (Score:5, Informative)
This isn't a Second Life problem. It affects all QuickTime players. QuickTime has a recently discovered vulnerability which allows it to be used as a way to inject executable content into the user's machine. This can attack far more than Second Life.
See US CERT Vulnerability Note VU#659761 -- Apple QuickTime RTSP Content-Type header stack buffer overflow [cert.org]. "Apple QuickTime contains a stack buffer overflow vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service condition. ... We are currently unaware of a practical solution to this problem. ...
"Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability.
Testing indicates that QuickTime versions 4.0 through 7.3 are vulnerable on all supported Mac and Windows platforms."
CERT suggests disabling all the ways QuickTime can be launched:
This vulnerability was first published on November 23, 2007.
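As an added example (not code from the post, from CERT, or from Apple), here is a small Python check a defender could run over captured RTSP responses to flag an oversized Content-Type header of the kind the CERT note describes. The 64-byte limit is an assumption chosen for the example, not a value the advisory states, and the two sample responses are constructed.

```python
"""Defensive check for RTSP responses carrying an oversized Content-Type
header, the header the CERT note on QuickTime (VU#659761) names. Added
example, not from the page, CERT or Apple. The length limit is assumed."""

# Constructed sample RTSP responses, CRLF-delimited as they would be on the wire.
BENIGN_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Same shape, but the Content-Type value is padded far beyond any real media type.
SUSPICIOUS_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 2\r\n"
    b"Content-Type: " + b"A" * 400 + b"\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

MAX_CONTENT_TYPE_LEN = 64  # assumed conservative limit; not from the advisory


def parse_rtsp_headers(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an RTSP response into its status line and a header dict.

    Header names are lower-cased. If a header is repeated, the longest value
    is kept so a padded duplicate cannot hide behind a short first copy.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1", "replace")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # not a header line; ignore rather than guess
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("latin-1", "replace")
        val = value.strip().decode("latin-1", "replace")
        if len(val) > len(headers.get(key, "")):
            headers[key] = val
    return status, headers


def inspect_rtsp_response(raw: bytes, limit: int = MAX_CONTENT_TYPE_LEN) -> list[str]:
    """Return a list of findings for one response; an empty list means
    nothing tripped this rule."""
    status, headers = parse_rtsp_headers(raw)
    findings: list[str] = []
    if not status.startswith("RTSP/"):
        findings.append(f"not an RTSP status line: {status[:40]!r}")
    ctype = headers.get("content-type")
    if ctype is not None and len(ctype) > limit:
        findings.append(
            f"Content-Type value is {len(ctype)} bytes (limit {limit}); "
            "treat as a possible overflow attempt against the client"
        )
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_RESPONSE), ("suspicious", SUSPICIOUS_RESPONSE)):
        print(label, inspect_rtsp_response(sample) or "no findings")
```

A proxy or IDS sitting between the viewer and the media server could apply the same rule to every response before it reaches QuickTime; the limit is deliberately far below the sizes that matter for an overflow so that legitimate media types (which are a few dozen bytes at most) never trip it.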
You should turn streaming off by default, anyway. (Score:3, Informative)
Not just because of this, but because it reduces the security of the SL client, in a number of ways.
First, there's vulnerabilities in the plugins and the browser software. Yes, they're using a pretty secure browser based on Gecko, without user-loaded or downloaded XUL components, but still these are complex programs that you really don't need. About the only web-based technology in SL that's reasonably safe is the new search... since it's generated by Linden Labs, and they have better avenues of attack.
Second, if you look at the Linden blog on this, you see that one of the messages reads: There are SL "landowners" using streaming audio and video to track visitors by their IP address. This allows them to cross-reference addresses and identify players living in the same household, players with multiple accounts, people playing from work, and so on. And these kinds of "web-bugs" inside SL can not only get the "landowner" a pretty reliable ID for you (your account name), they can also distinguish whether you're "verified" by a credit card or PayPal.
This kind of tool is useful to track griefers, I guess, but anyone who "owns" land in SL can do it... including those charming guys with their spammy ad-farms.