Crime Wave Thwarted in Second Life

Ponca City, We Love You writes "The Mercury News reports that a vulnerability in the way Second Life protects a user's money has been identified. Risks for users are reportedly limited because the researchers say the flaw can be quickly patched. The flaw exploits a known problem with Apple's QuickTime - when a virtual character passes by an infected object planted by hackers, the Second Life software activates QuickTime so it can play the video or picture. Hackers can direct the Second Life software to a malicious Web site that then allows them to 'take over the user's avatar and force it to hand over its Linden cash. Second Life is recommending that users disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue.' The hack raises tough questions for operators of virtual worlds. Should they be as secure as banks and guarantee the safety of money and property that characters in the world possess?"
  • by AySz88 ( 1151141 ) on Sunday December 02, 2007 @03:33AM (#21550191)
    If you take a look at the Second Life blog [secondlife.com], you'll see that the referenced recommendation was from a couple of days ago (November 30). A paragraph in the blog seems to say that if LL starts noticing exploits, they'll kill all QuickTime on the grid and maybe roll back exploit-induced transactions - expect this to happen soon.

    We do have the ability to turn off all videos on the grid, but have instead chosen to respect the existing in-world content and experiences which rely on streaming video, as we know that many of you enjoy these. We do recommend that you employ caution when using QuickTime in Second Life, only enabling it in environments that you trust, and are familiar with.

    We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker. This will include account termination and legal action if appropriate, as well as the appropriate assistance for affected Residents.
  • by RichardX ( 457979 ) on Sunday December 02, 2007 @04:03AM (#21550321) Homepage
    My most insincere apologies for undermining your point of view, but I use Second Life for reasons which do not include sex or money. To me, it's like Lego, but even more fun in many ways. You can build 3D objects, with an extremely limited toolkit where somehow the limitations make it more fun, and then you can give those objects behavior via scripting. Then it gets really fun when you share those objects with other people you meet there.

    Oh noes. What's that you say? There are furry tentacle-rape freaks on SL? Guess what? I don't care. They don't bother me, and I don't bother them. Personally, I've had a lot of fun on SL which has had nothing to do with sex or money... but don't let my little anecdote get in the way of your rant.
  • Re:Not-so-virtual (Score:5, Informative)

    by SJ2000 ( 1128057 ) on Sunday December 02, 2007 @04:42AM (#21550429) Homepage
    Yes, you can, using Linden Labs' own exchange to turn US$ into L$ and vice versa. Look on their website.
  • Re:I'm sorry (Score:5, Informative)

    by wertarbyte ( 811674 ) on Sunday December 02, 2007 @05:49AM (#21550597) Homepage

    Every time I post on Slashdot, it takes forever for me to Submit the post, because I get probed on a few ports (which timeout).
    Set your packet filter to REJECT instead of DROP. Dropping packets is usually a bad idea and sounds like some kind of obscure desktop firewall in "stealth mode".
  • by Jesrad ( 716567 ) on Sunday December 02, 2007 @08:39AM (#21551127) Journal
    "You're either renting land, throwing cash into a bizarro stock market, or going to a furry cybersex sim."

    In three years spent in Second Life I have not done any of this. I must be some weird and very persistent aberration, then. Or maybe you're just wrong.

    "As the Linden (the currency of Second Life) is not based on anything"

    It is based on the USD, and maintained at a rather fixed rate by LindenLab acting as a central bank. It's not perfect, but it has worked remarkably well so far.

    "Linden Labs simply dumps currency into the market whenever they feel like it."

    No, they sell some L$ only when the rate drops under 265 L$ per 1 USD to maintain the rate, and they buy back the L$ when the rate goes higher than 266 L$ per 1 USD (though they apparently never have had to do that). That's not "whenever they feel like it".

    "So economic problems are pretty common"

    Err, no. The L$ has been exceptionally steady ever since LL introduced the measures I pointed out above, and the vast majority of players have zero problems with it. Only those who want to play games with their money and that of other people are taking risks. You're obviously confusing economy with finance if you conflate financial institutions like the "banks" and "stock exchanges" with the economy itself. But then, that's to be expected on a technology-oriented website like /.
  • by ronadams ( 987516 ) on Sunday December 02, 2007 @08:42AM (#21551141) Homepage

    Being some random griefer who sends flying phallic objects across the Metaverse doesn't make you an expert in anything except flying genitals. So let's step through your insolent propaganda point by point.

    1. "...they're [sex and money] the only reasons anyone uses it [Second Life], despite claims to the contrary by media-whorish Linden Labs."
      Perhaps you're not aware of the number of corporate entities [blogs.com] using Second Life, not even for direct profit, but simply as a platform to deliver product information, such as Sun Microsystems [sun.com], or the educational institutions [simteach.com] using it as part of a prototype distance learning initiative, such as Bowling Green State University [bgsu.edu]. Maybe you're not aware of the high-profile full-time businesses [wikipedia.org] in Second Life, or the many [businessweek.com], many [sun.com] articles reputable business publications have written noting the unique opportunities that exist in SL. There's much more than just sex and money. As in real life, there is entertainment, education, experimentation and economy. You know little about these because you spend all your time making the experience inconvenient [secondlife.com] for others.
    2. "A bank called "Ginko" that recently went insolvent sent shockwaves through the economy lately."
      This was no surprise to anyone not stupid. [reuters.com]
    3. "As the Linden (the currency of Second Life) is not based on anything, Linden Labs simply dumps currency into the market whenever they feel like it."
      A quick look through the SL Economy metrics [secondlife.com] and blogs shows you're full of it. There is an actual regulation to the currency in SL, you're just ignorant of it.
    4. [Your last statements]
      Again, your ignorance shines through. Do you do any investing in the real world? Do you know what happens when you invest 100k in prime real estate in California and an earthquake devastates it? Unless you took out insurance of some kind with an organization who certainly makes more than they will ever put out (on a sidenote, there are investment insurers in SL), you are SOL. Linden is careful to use the terminology "unit of trade" for the Linden dollar, because the Metaverse is not a separate governmental body, has no legal jurisdiction in the real world, and wants to avoid the IRS putting their grubby mitts any further in. If you are foolish enough to make an unwise investment in SL, then, just as in real life, you learn that a fool and his money are soon parted.

    In conclusion, please know what the hell you're talking about before you respond. And stop griefing the Metaverse, it's obnoxious.

  • by CronoCloud ( 590650 ) <cronocloudauron.gmail@com> on Sunday December 02, 2007 @10:10AM (#21551415)
    Anonymous coward is telling the truth. I've seen one that someone made. Pictures? Wouldn't you like to know. :-) But this might be a location to check out:

    http://slurl.com/secondlife/bel%20Highland/171/143/33 [slurl.com]

    Should be near where you can get the baby unicorn. NSFW link:

    http://www.secondlifeherald.com/slh/2007/09/afternoon-delig.html#more [secondlifeherald.com]

    It might be a custom thing though so it might not actually be there.

  • by Animats ( 122034 ) on Sunday December 02, 2007 @12:12PM (#21551957) Homepage

    This isn't a Second Life problem. It affects all QuickTime players. QuickTime has a recently discovered vulnerability which allows it to be used as a way to inject executable content into the user's machine. This can attack far more than Second Life.

    See US CERT Vulnerability Note VU#659761 -- Apple QuickTime RTSP Content-Type header stack buffer overflow [cert.org]. "Apple QuickTime contains a stack buffer overflow vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service condition. ... We are currently unaware of a practical solution to this problem. ... Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability. Testing indicates that QuickTime versions 4.0 through 7.3 are vulnerable on all supported Mac and Windows platforms."

    CERT suggests disabling all the ways QuickTime can be launched:

    • Block the rtsp:// protocol
    • Disable the QuickTime ActiveX controls in Internet Explorer
    • Disable the QuickTime plug-in for Mozilla-based browsers
    • Disable file association for QuickTime files

    This vulnerability was first published on November 23, 2007.
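    As an added illustration of the defender's side of the advisory quoted above (not code from the thread, from CERT or from Linden Lab): a small RTSP response parser that flags an abnormally long Content-Type header, the shape of input VU#659761 describes, of the kind an IDS rule or a streaming proxy could apply before handing a stream to the QuickTime player. The 64-byte threshold and the sample responses are constructed assumptions, not values from the advisory.

```python
# Added example: flag RTSP responses whose Content-Type header is abnormally
# long. The threshold is an assumed heuristic; real media types are short
# strings such as "application/sdp".
from typing import Dict, List, Tuple

MAX_SANE_CONTENT_TYPE = 64   # assumed heuristic, not a value from the advisory


def parse_rtsp_response(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an RTSP response into (status line, {lower-cased header: value})."""
    text = raw.decode("latin-1")               # header bytes are treated as opaque
    head, _sep, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            continue                           # malformed header line, ignore
        headers[name.strip().lower()] = value.strip()
    return status, headers


def suspicious_content_type(raw: bytes) -> List[str]:
    """Return a list of findings; an empty list means the response looks benign."""
    findings: List[str] = []
    status, headers = parse_rtsp_response(raw)
    if not status.startswith("RTSP/"):
        findings.append("not an RTSP response")
        return findings
    ctype = headers.get("content-type", "")
    if len(ctype) > MAX_SANE_CONTENT_TYPE:
        findings.append(
            f"Content-Type length {len(ctype)} exceeds {MAX_SANE_CONTENT_TYPE}")
    if ctype and "/" not in ctype:
        findings.append("Content-Type is not a type/subtype media type")
    return findings


# Constructed sample responses (not captured traffic)
BENIGN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
          b"Content-Length: 0\r\n\r\n")
OVERLONG = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: " + b"A" * 1024
            + b"\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(label, suspicious_content_type(sample) or "ok")
```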

  • You should turn off streaming media and automatic loading of web profiles by default.

    Not just because of this, but because it reduces the security of the SL client, in a number of ways.

    First, there are vulnerabilities in the plugins and the browser software. Yes, they're using a pretty secure browser based on Gecko, without user-loaded or downloaded XUL components, but still these are complex programs that you really don't need. About the only web-based technology in SL that's reasonably safe is the new search... since it's generated by Linden Labs, and they have better avenues of attack. :)

    Second, if you look at the Linden blog on this, you see that one of the messages reads:

    Way to go LL, help griefers some more why dont you? Using video streaming to IP log griefers as they crash sims is one of the important ways to fight griefing and document who the real abusers are. Eliminating this ability only helps griefers, much as your stupid idea to enable people to hide groups. Far more than helping to get rid of griefing or give us more security features, you keep enabling griefing with your stupid decisions like this one.
    There are SL "landowners" using streaming audio and video to track visitors by their IP address. This allows them to cross-reference addresses and identify players living in the same household, players with multiple accounts, people playing from work, and so on. And these kinds of "web-bugs" inside SL can not only get the "landowner" a pretty reliable ID for you (your account name), they can also distinguish whether you're "verified" by a credit card or PayPal.

    This kind of tool is useful to track griefers, I guess, but anyone who "owns" land in SL can do it... including those charming guys with their spammy ad-farms. :)
