|
|
|
[
Permlink
| « Hide
]
Harleen Gretzky added a comment - 25/Jul/08 05:31 PM
If this is more than just a normal L$ transaction failure, why isn't it filed under SEC?
Harleen, I'd argue that if it's something that anyone who owns an atm device or even vendor for that matter needs to be concerned about why isn't it being more openly publicized so that the creators and owners of these systems know about this? SEC is a joke, it is a way for LL to quietly either A) fix bugs or B) ignore them and if A normally after a long delay while residents are cluelessly ignorant of their existence and you are smart enough to know that Harleen. I don't think I need to say it but I am keeping copies of all this to put back up if need be if you decide to try to get this spirited away into the either and considering that this was from an exchange press release I bet Int is doing the same thing just in case you want to make this issue "disappear" That's probably the last (at least pending a reply from you) from me on the subject since we've already had this argument several times and this is neither the time nor the place especially since we should be dealing with the issue at hand.
I'll try to spread the word around about this since if this is a malicious exploit then everyone from SLX to automated rent boxes would be effected, I suggest everyone else does the same although I really hope that this doesn't mean that pretty much all scripted commerce comes to a halt until this is fixed. Filing as a SEC would cause LL to immediately look into and maybe nip it before a panic like this starts. If it is not really a SEC they would move it back to SVC and we would know there is no reason to panic.
And I have no intention to make it disappear, why the hell would I want to do that? Or how could I even do that? It will always be in the jira-notify archives anyway. Plus there is no reason that it could not be filed here and another issue filed under SEC. Ok I've found that Cocky Daggers concerns are somewhat overblown as there is already a way to check lindex market transactions:
http://forums.secondlife.com/showthread.php?t=99525?lang=en This is already in use by Apez and SLX. I will be using this to base our transaction history checking scripting. Recommend the other exchanges do likewise Aria Paine
Genesis Xue IntergalacticSpaceTimeContinuum Robonaught Rocket Dean Hail Fiertze Ok, these are the avatar names we collected from the four stock exchanges who made fraudulent deposits. At ACE I have since determined that Aria Paine and Hail Fiertze made a few legitimate deposits via our ATMs in Sentry and Venture Square. Aria Paine then made a fraudulent deposit of 9000 L$ from Island for Unit Tests sim in a counterfiet atm device with the following data: View Node Id Sim Last Transaction This node (ATM) does not show up on our node list for some reason, so it is not making any initialization attempts when it is first rezzed. The fact it is reporting a version 1.2dev (our current ATM version) shows that the person has stolen the ATM script full perms. We are implementing an ATM owner check on our server to prevent further activity, but this sort of exploit should not be possible in the first place. If Lex is right then arguably this isn't an lsl exploit (although if they can get access to the code then that itself is quite troubling) just an oversight in not properly implementing an ownership check in your code. Supposedly it's possible to implement your system with the assumption that the code is compromised (supposedly Slexchange is setup that way) however it shouldn't be necessary to do so. Do you have idea how they may have gotten access to the atm script code?
This is the thing: They had to have used something like the 'supercopybot' I've been hearing about that can steal contents of a prim as well. ALL four stock exchanges were hit in this manner: SLCapex, ISE, VSTEX, and ACE. The only way one person could have gotten the scripts that all four exchanges use is by stealing a copy of a real ATM in each case, as all four exchanges use different ATM scripts.
The transaction records show that they always made a few legitimate deposits in a legit ATM before making an attempt with a counterfiet ATM in another sim. So its quite clear that they did something while interacting with a legit ATM that allowed them to steal the ATM scripts full perms. I agree that exchange servers should not be vulnerable even if the ATM code is known. When we worked with Unoti Qonset on installing this system, he claimed that if an ATM was not on an approved list it would not be able to interact with the system. However as you may know, Yukiko Omegamu no longer works for us, she and Quanta Torok stole a copy of our server software before damaging our database tables, any vulnerabilities those two have figured out still would only apply to us and SLCapex, not to ISE and VStex. Cocky portrayed it as an lsl exploit, however I agree, it is most likely not, I dont think his system stores enough data about transactions really to indicate what happened like ours does, but it is a permissions exploit that allows people to get full perms copies of scripts, which should be a serious issue for anybody. If it is a script theft issue, then this is even bigger a problem than previously thought. I haven't heard of any new script permissions exploits like this, other than possibly the 'supercopybot', which is talked about but not seen (and I am told keeps the original permissions). Frankly this looks more like someone with Linden powers is behind it. I'm not sure what's client > SL Server > Your server and what's SL Server > Your Server and then SL Server > Client, the latter meaing your client wouldn't be able to intercept the script communications with your external database but it seems that if they have the keys to the castle as it were (your script) then yes I'd say you have a huge problem until you can implement an unspoofable (if there is such a thing) verification of ownership. If I'm wrong (as I often am) and the atm's are sending certain data to the client that they shouldn't then that's a huge flaw in the architecture of lsl since in theory the client shouldn't be getting any data from these db calls your scripts are making because if they did... well I'd rather not even think about it.
intlibber, you should verify that all of your ATMs are still in world. Look to see if any ATMs are missing.
My advice is to take advantage of the Next User permissions to lock down your scripts. Send the scripts through an alt before deploying them. As I see it, there are several possibilities here, some of which have already been ruled out:
1) money() event triggered but money not transferred 1 seems to be ruled out by the evidence of an illegitimate ATM. With the exploit suggested in #2, I could imagine much more effective ways of making money and/or causing havoc. 3 is what I started to think before I started to read intlibber's latest comment. It fits the evidence we've heard so far, including the limited details of the system's security that intlibber has described (namely, a secret key in the ATMs). It's also a simple explanation, and with the revelation of rogue former employees that have already sabotaged the business, this is starting to look rather likely. #4 is a serious allegation, and I don't think it's a good idea to make it lightly. I think #3 should be explored fully before slinging accusations against mysterious Lindens. I'm not saying there's no exploit here... but it does seem at least convincingly possible that this is due to a rogue insider. Incidentally, if the former employee had the ability to damage your database tables on their way out, they likely had the ability to compromise one or more servers in your network in order to forge deposits later. It can be impossible to detect a skilled intrusion on a live system if the attacker has had a chance to dig in.
While I don't want this to become a flame war on JIRA, I feel like I must respond to IntLibber BnT's statements regarding Yukiko Omegamu and myself, Quanta Torok.
Firstly, I would like to state unequivocally that I have never supplied, I am not currently supplying, nor do I have any intention of ever supplying agents within Second Life the so-called "exchange code" that I received from Mr. IntLibber. Well, I take that back – I had to hire a very prominent coder to modify the ATM code back in February / March-ish in order for it to do what I wanted it to do during the development phase of my website, AndalusiaFinancial.com. Mr. Brautigan's statement: "However as you may know, Yukiko Omegamu no longer works for us, she and Quanta Torok stole a copy of our server software before damaging our database tables, any vulnerabilities those two have figured out still would only apply to us and SLCapex, not to ISE and VStex. " I don't even know where to begin, so I will just state this: I feel that he makes this statement, not because he has any information regarding my 'activities' but because I am suing him in Grafton County Court, New Hampshire to attempt to collect some of the monies I paid for him to develop and launch my website (Case #08SC00155). If I were to engage in surreptitious behavior, then I would be endangering any court proceedings. I would rather skewer Mr. Brautigan in court, rather than online. So, thank you for reading this post and I'll leave you to your dissection of the ATM code issue QT
@Int,Quanta, you've both said your piece however I think it would be better if this didn't devolve into you two sniping at each other (just preemptively saying that since that's what usually happens in cases like this) or at least take it off JIRA if you decide to do so. I don't know what the facts are, I don't want to know really but unless it's relevant to the issue I think I can preemptively state that it should be kept off here. |
|||||||||||||||||||||||||||||||||||||||||||||||
 |
|
Bug
Resolved
Critical
Avatars triggering money() events in scripted ATMs but ATM owners not receiving funds
