DarkLife Robbed – Developer Blames Open Source SL

by Pixeleen Mistral on 25/02/07 at 5:51 pm

DarkLife creator robbed of $400 USD – fingers griefers as suspects

by Ouchquack Stern, spastic bastard

“ZING!”

The sound DarkLife players yearn for is reminiscent of the muted strum of a harp in the key of “C”. The meta-game players — both the Mages with their wands, robes and pointy magic hats, and the Fighters with swords, armor and shields — spend hours to slay monsters so they can go up a level and hear that sound. But that heavenly chord was twisted to evil purposes, and used against the intrepid players Saturday evening, as a dozen seasoned players gathered around the Shrine in the center of Navora to whisper about the hackers who have made their beloved game unsafe.

Gathering_at_dl
a gathering of people at the Shrine in Navora

DarkLife is basically the Second Life version of the old table-dice-pencil-and-paper role playing game “Dungeons & Dragons” in that it is ‘turn’ based, players ‘level’ to advance and there’s a lot of hack-and-slash fighting with some magic tossed in. DarkLife’s kind of role play is the old fashioned kind — “I kill the dragon. Arrrrr!” Not the modern take on ‘role play’ which is practically synonymous with fetishistic sex-play.

DarkLife developers Mark Busch and his pal Pirate Cotton have been running the game-within-a-game for nearly three years now, and over the years they’ve attracted thousands of Second Life citizens — all of whom have paid nearly L$500 to don the backpack that stores their experience, gold, mana, health and level for their combat-based advancement. And with every level advancement players get more ‘level up’ points to apply to their abilities so they can use more powerful weapons and magic items and inflict greater damage on the many monsters in the Navora sim. Each new weapon costs $L50 and a fist full of DarkLife game gold, the Linden dollars going into the pockets of the game developers in a constant stream of ‘KA-CHING! KA-CHING! KA-CHING!’ That is, until a couple days ago when it all went distressingly wrong — and a felony was committed in Second Life.

Mark_busch
Mark Busch, DarkLife co-founder

“We’ve been robbed for about $400 USD (United States Dollars),” said DarkLife creator Mark Busch in an instant message to Pirate Cotton, as relayed by Cotton to the Second Life Forums. Mark Busch and Pirate Cotton confirmed the post in extensive interviews by the Herald. “On the 17th my account got robbed by some dude named ‘CheckOutThis Hax’ and ‘Data Lindman.’”

Busch speculates that CheckOutThis and Data are one in the same, and they are also alts of one Cleint Hax who hacked into DarkLife a few weeks before with a hack that raised Dark Life player victims level after level in a matter of seconds – ‘ZING, ZING, ZING, ZING!!!’

This reporter visited Navora on Saturday night to ask some locals about the felony burglary, when griefers OpenSource Hax sat on the head of Dark Life player Sammy Grigges while one StealingCashFromDarkLife Allen started hacking Dark Life player packs and boosting levels at a prodigious rate — ‘ZING,ZING, ZING!!’

Trevor_langden
Trevor Langden, DarkLife security

Long time DarkLife players Ethan Pow and Trevor Langdon, both members of the DarkLife Security Force, quickly booted everyone from Navora and closed the sim, in response to the griefers. Within minutes Pow created a temporary group and invited legitimate members into the sim so they could safely continue their play. That made the sim safe from griefing, but slowed commerce down to a crawl.

“When I fixed the bug the other night this hacker came back (Saturday) and when he noticed he couldn’t steal any more cash he went on messing up people’s (game stat storing) backpack,” Mark Busch told the Herald. “Its typical behavior for a teenage hacker: using prank names, messing things up, talking big” and generally throwing tantrums when things don’t work the way he wants.

Busch says the griefer pulled the level-up prank a few weeks ago, and Pirate Cotton reported the activity to Linden Lab through an abuse report and direct contact. Then a few days ago the griefer tapped into the DarkLife vendor refund account and took $400 USD worth of Linden dollars. They insist that both pranks, and the ability to talk in group chat without being in any DarkLife group, are hacks requiring knowledge of the channel number the game developers use for privileged communication — like money transfer. But how did Hax know the channel number?
According to Mark Busch there are three possibilities:

  • A recent Second Life bug relegated every bought item to ‘copy-mod’ — even scripts
  • Hax found a new bug in Second Life
  • Hax used a scanner to find the channel *
    *Unlikely: there are a reputed 4 billion channels – at 100 scans a second it would take two years to test all the channels.

The fourth possibility, one that Mark Busch doesn’t want to address, is the possibility that the hack was an inside job. When pressed he admits that he and Pirate have extended access to that kind of information to two employees — and they could have shared info with their relationship partners. Possible, but unlikely as all have been long time paid employees and the hackers have just recently cropped up. Not so coincidentally – according to Busch – right after Second Life went ‘open source.’

“Before (SL went open source) there were some minor hacks, but I was able to track them down to bugs in DarkLife itself,” Busch told the Herald. After the theft “I was able to track down what this hacker did but it’s not a bug in DarkLife. How did he get the channel number? The most obvious answer is the HUGE buy-mod bug a month of two ago. The other is that he used the open source (of Second Life) to find a new bug that allows access to scripts.”

Busch says he reported Client Hax weeks ago, and IM’d Spike Linden about the activity in Navora Saturday night, but was told to file an abuse report and the Lindens will do what they can. Essentially the same thing one is told when a noob runs around nekked in a Welcome Area — not the kind of investigation and customer support one would expect for one of the most successful content creators in Second Life who is faced with a breach in security that is crippling his business. (Spike Linden did not reply to a request for comment).

As of Sunday afternoon Dark Life was still restricted to group members. Business – usually brisk on the weekend – was crawling at a snails pace.

“Maybe if they freeze his accounts I could still get the L$ back before he sells it,” Busch said. “He is still online, and able to talk on the DarkLife Players group even though he is not IN the group.” What are the odds that Linden Lab will step in and help in time? “It seems unlikely,” said Busch. Meanwhile, the ‘KA-CHING! KA-CHING! KA-CHING!” sound of L$ falling into DarkLife coffers has fallen all but silent in Navora.

Cin_squeegee_fighting
Cin Squeegee, fighting hottie

60 Responses to “DarkLife Robbed – Developer Blames Open Source SL”

  1. Prokofy Neva

    Feb 25th, 2007

    It’s not certain that this job was related to Open Source, but it’s one of the suspects. And it’s an example of how Open Source in fact isn’t creative but destructive, and doesn’t open up possibilities and doesn’t “find bugs” but in fact merely closes society by making people more and more security conscious and makes the coders more and more privileged.

    Um…I’m still waiting to hear about the bugs and exploits caught and fixed by the lovely OS movement, and what in fact it has created for us that isn’t even more buggy.

    For example, the current “First look viewer” has an absolutely deadly “misfeature” as I heard the blingsider call it — let’s call it “gross oversight created by asses who never come inworld and don’t care about inworld business”. Instead of the inworld account history, which is absolutely necessary to run an inworld business, there is now merely a grab of your browser to hoist you out of SL on to the web page which…isn’t updated for more than 12 hours anyway.

    So you can’t see who paid you or where and even your scripted boxes saying that report belatedly due to all the dbase foul-ups. You can’t total for the day, see what’s happening if someone makes a mistake and their payment bounces, you can’t do refunds efficiently or make discounts or steer people to better discount pricings or anything — you are in the dark.

    Every time I have the discussion about copybot and the smugness of scripters who say no bug or exploit or anything will ever get at their scripts because they are all “server side” I have to chuckle.

    And here, independently, in this story, the issue has been raised: “The other is that he used the open source (of Second Life) to find a new bug that allows access to scripts.”

    Some script-kiddy police will be along any minute to tell us in hysterical shrieky orthorox tones that this is Impossible and Can’t Be and Could Never Happen but I won’t buy it any more, frankly.

    Usually, hacks are caused by the Human Factor. Relationships, or carelessness. Here, we can’t say — as the various culprits are outlined and we can’t know.

    I think it’s very important to keep an open mind and to keep being openly critical of Open Source.

  2. Prokofy Neva

    Feb 25th, 2007

    Oh, and they did it all in the name of saving the database loads. I mean, at what point do we really all become utterly irrelevant as the load test we’ve only been, and they have to just turn it over to corporations???

  3. Pirate Cotton

    Feb 25th, 2007

    Hi folks. It seems most likely, to me anyway, that the abuse was formed from a combination of the full-access bug introduced a while ago and some cunning tinkering with the knowledge said bug provided.

    All well and good, but hard for anyone to block.

    I’m concerned that I’ve not heard from LL yet on the matter, mind you, it is the weekend and folks need a break. That being said, if you can’t get very quick repsonses to hack attempts then anyone could easily face a similar situation and be unable to close the stable door before the horse has bolted.

    As for open source… I note the hacker and alts are part of some open source groups in SL. I doubt those groups are ‘evil’, but I suspect he was learning some useful information or asking the right kind of questions there. I have no idea if he learnt anything from otherwise well-meaning individuals in those groups that helped in his hack attempt.

    The main point for everyone to note is to keep your game accounts low on funds. Just have enough to keep yourself liquid and be careful not to let your account grow too high, a don’t let folks know you’re going on holiday! Our hacker seems to have used the knowledge of Mark’s holiday to time his attack.

  4. Eddy Stryker

    Feb 25th, 2007

    Was the open source client used to find out when the account holder was going on holiday? It seems there are more repercussions to open sourcing the client than anyone could have imagined. What if I go on vacation and someone uses the open source viewer to find this out, and robs my house? I bet LL won’t feel so smug then.

  5. Cocoanut Koala

    Feb 25th, 2007

    Aren’t you cute, Eddy.

    coco

  6. Wayfinder Wishbringer

    Feb 25th, 2007

    First, a user with the name of “StealingCashFromDarkLife Allen” should probably be perma-banned at the IP level just on the general principle. And I think that if LL would start turning over all theft to local authorities as a matter of habit, that would go a long ways toward stopping such nonsense. The only reason people steal on SL is because they know LL won’t do anything about it. Sometimes I think there’s someone in the background with the name of Wimpalot Linden who makes all such decisions. XD

    >A recent Second Life bug relegated every bought item to ‘copy-mod’ — even scripts< This is not the first time this has happened. It has happened at least 3 times before to my knowledge. A fine example of really lousy permissions programming. What's really irritating is that builders have been after LL to firm up and expand the permissions issues for ages. Apparently LL is too busy working on "more important" things to worry about brittle object permission issues, or to expand permission abilities so that a texture merchant can sell a texture without giving away the farm (or alternately, needlessly limiting builders). Let's hear it for Linden Lab customer support! Woot!

    >Busch says he reported Client Hax weeks ago, and IM’d Spike Linden about the activity in Navora Saturday night, but was told to file an abuse report and the Lindens will do what they can. Essentially the same thing one is told when a noob runs around nekked in a Welcome Area — not the kind of investigation and customer support one would expect for one of the most successful content creators in Second Life who is faced with a breach in security that is crippling his business. (Spike Linden did not reply to a request for comment).<

    And this is where it becomes really inexcusable. The moment Linden Lab was notified of such a theft and the moment they learned that DarkLife owners had identified the culprit– they should have set up an account watch. Two choices there: 1) they could either freeze that user’s account and start an investigation or 2) Wait for him to convert L$ to US$ and then turn him over to the police. For some reason though (based on past experience) I figure they chose 3) Ignore it because they’re not “repsonsible” for such things.

    Further, a user with a name of

    To be truthful, they’d probably do well to hit him now and set an example. Whether he converts L$ to US$ or not– those L$ have real value and just like a television, stereo or automobile– that user can be charged with theft of valuable property.

  7. Anon

    Feb 25th, 2007

    This article was filled with what sounded like jokes… was this whole thing serious?

  8. Kerian Bunin

    Feb 25th, 2007

    A threaded channel scanner can scan blocks of 500,000 channels in a couple seconds, I’d guess this is how things are done, at least with the backpacks. Open listeners that aren’t properly secured are dangerous. While if the money is indeed lost, it most certainly a tragedy. Also many seem to mindlessly spout ban the ip, ban the mac address, ect. Many don’t realize the ease of the circumvention of all these methods.

  9. Prokofy Neva

    Feb 25th, 2007

    I reported Client Hax when he was minutes old, the first thing he did was start spamming me with the usual same-old, same-old MO of W-HAT regs on new alts, and yet they don’t accept those DEW-line notices, they ignore them.

  10. Kerian Bunin

    Feb 25th, 2007

    Client Hax was not in W-Hat.

  11. Pirate Cotton

    Feb 25th, 2007

    I think Client Hax / Data Lindman / OpenSource Hax / StealingCashFromDarkLife Allen / Amatamat Amat (etc) would like to be a Goon, but frankly, he’s not cool enough. While the Goons can be.. trouble (they’re certainly causing trouble in EVE Online – go Goonswarm!) this guy has nothing to do with them from what we’ve seen. Just want to make that clear.

    Threaded channel listens. Interesting. That might explain it (altough I’m not a coder), I’ll pass it on to Mark. Thankfully, the next version of DL will be much more secure, just a pity he jumped us now. Two days after the first petition, still no word from LL other than the standard “we’re investigating”. A little disapointed.

  12. Pirate Cotton

    Feb 26th, 2007

    I got home to find a message in my home-account from LL asking for some info for their investigatin, so my last comment in the post above is not fair. They are working the problem now. Thanks LL!

  13. Baba

    Feb 26th, 2007

    SLH strikes another blow for the little man!!!

  14. Prokofy Neva

    Feb 26th, 2007

    Client Hax behaved like a certain W-Hat/v-5 regular with all the same M.O.s, and it doesn’t matter if he “wasn’t in W-Hat,” technically, that’s stupid, they always cancel their subscription to the Daily Worker right before an op anyway.

    Baba sucks.

  15. Nacon

    Feb 26th, 2007

    I doubt it was an “hacker” to term… just an idiot got lucky.

    Hacker aren’t stupid as goonie, if otherwise, wouldn’t able to do shit to being with.

    In this case, I’d call it an “exploit”.

    If it was an hacker and a bright one… wouldn’t have to pick names like that. Would have done it slow and have many many accounts at once to make it seem normal.

    Or this whole thing is just made up for the herald to laugh at. har har haarr…

  16. Mark Busch

    Feb 26th, 2007

    Regarding the channel scanner: First problem I see: how long do you have to listen on a channel before you are sure it’s not the correct one? Second problem: our land has a return-policy of 10 minutes.
    And besides 50000 channel in a few seconds seems highly unlikely for secondlife. Do you actually know what you are talking about or did you just hear someone saying something like this and repeating it now?

  17. dandellion Kimban

    Feb 26th, 2007

    oh really?! open source is to blame again? yeah, right.
    I really won’t go into same disscusion about security of open source apps against “security by obscurity” principle.
    I just don’t believe that everybody is to accuse SL client going open for every security malfunction that happens. like before that there were no security holes and like SL was functioning perfectly. yes, there was no lag either in those happy times before OS.

  18. Mark Busch

    Feb 26th, 2007

    I don’t believe going open source is bad, but I do believe LL has gone opensource before there servers were secure enough. For example this guy ‘Client Hax’ (Client Hack?) was talking in the DarkLife Players group while he wasn’t even a member of the group. This makes me believe that parts of SecondLife do not have a decent server-side check, but only client side. Ofcourse if you go opensource with your client you can be sure all client-related checks can and will be removed by hackers.

  19. humanoid

    Feb 26th, 2007

    The client is open source. The server, so far as I know, is not. If you want to blame open source for this you’ll have to try harder.

  20. FlipperPA Peregrine

    Feb 26th, 2007

    Open source makes baby Jesus cry too, don’t ya know? I love when people with admitted technophobia chime in as experts, heh.

    As someone who’s had to deal with hackers, large sums of L$ in accounts, and trying to secure financial transactions through LSL, I’d say there’s a 99% chance of something in LSL/SL being the culprit, and 1% open source being the culprit. Consider the following scenarios I came up with and/or encountered while running SLBoutique:

    (1) If you have a LSL script with a money() event, that triggers a call to an external database that a payment/deposit has been made, that script can be taken out of even a “no mod” prim, and put in another prim. Then a second LSL script can be added with a money() event that pays the money back to the 1337 haxx0r’s alt account. The triggered call will still happen, connoting a successful deposit, while in truth a race condition is set up. In SLBoutique’s case, this would have allowed people to drain the SLB bank account if it went unchecked. Fortunately, early on, we started processing our transactions by using PHP w/cURL to screenscrape the L$ transactions page on the web site to process our deposits rather than relying on anything within LSL.

    (2) Given past SL “full perm” bugs the only way to really be secure is to assume that all your LSL code will be able to be seen by anyone at some point in the future. How many times has LL created bugs causing random assets within SL to go “full perm”? More than I can count on one hand, that’s for sure. This is another reason open source leads to much better security rather than relying on “security through obscurity” – if that security becomes un-obscured through an LL bug, you’re screwed.

    (3) A tip to all scripters: use llGetCreator(). A simple few lines of code in several LSL events can be a life saver:

    if(llGetCreator() != “[my avatar key]“) {
    llEmail(“me@whatever.com”, “Possible Fraud!”, (string)llGetOwner() + ” is messing about with your code!”);
    llDie();
    }

    That can be a big help with avoiding people being able to tinker with your scripts. Sorry this happened to ya, Dark Life guys; it really sucks.

    Regards,

    -Flip

  21. Wayfinder Wishbringer

    Feb 26th, 2007

    >SLH strikes another blow for the little man!!! — Posted by: Baba | February 26, 2007 at 01:47 AM<

    I’m curious Baba– how does one strike a blow for the little man by attacking the little man?

    Or are we to believe that DarkLife was a big, corporate monster? Nah, these were hard working guys that invested and scripted and built and provided a fun platform for a lot of people. They worked hard for their cash– and there is nothing wrong with earning a profit for hard work. That’s called “earning a living”.

    I’ve always wondered what it is in the mentality of hackers and griefers that they think they’re some kind of heroes by attacking everyday people. They supposedly “get back” at Micro$oft by slamming individual homeowners and small businesses with viruses, they “get back” at Linden Lab by ripping off people who are just trying to survive on SL.

    Their idea of “Robin Hood” is to take from the poor, kick them in the teeth in the process and then brag about it. That’s not being a hero. That’s not striking a blow for the little man. That’s being a Tard, capital T.

    Of course, you may have been sarcastic in your post, in which case, I fully agree. There’s a special term for those who hacked the DarkLife account: criminals.

  22. dandellion Kimban

    Feb 26th, 2007

    and please… do not use terms hacker and griefer as they mean the same. use wikipedia or whatever to learn something…..

  23. Mako Mabellon

    Feb 26th, 2007

    I really doubt open sourcing the client helped to find the channel, obtain the script source or steal the money – the client can’t listen on any channels except zero, some people have already coded script downloads using libsecondlife and the server apparently enforces permissions, and I think all the obvious money-related protocol flaws were found and fixed long ago. Most likely, it’s a security problem in the script and/or the server.

    The ability to talk in group chat for groups which the person isn’t a member of, on the other hand, might be related. libsecondlife hasn’t done much group chat stuff as far as I know, so I’m not sure how well-tested the server security for that is…

  24. shockwave yareach

    Feb 26th, 2007

    Anyone communicating Monetary data on a comm line should be encrypting the data. Not everything should be encrypted, but finance transfers should be, absolutely. This cannot protect from all conditions — frankly, nothing can stop an inside job. But it protects against punks finding the comm channel and gaming an open money transfer system.

    Finding the comm channel can be as simple as rezzing 100 .001m thin items with scripts that scan 100 channels each while buying and selling the same sword back and forth, back and forth for an hour or two.

  25. Nacon

    Feb 26th, 2007

    Flip said “A tip to all scripters: use llGetCreator(). A simple few lines of code in several LSL events can be a life saver”

    Not really, any scripter can see that and remove it. Maybe you could just “hide” it in tight complex coding without all the spaces and return-spaces. Plus, best not to label it “Possible Fraud!” subject but make it seem like just some checkup for decoy data, say… “update:23.2357.1″ with fake message “3245983.352.21.6774.32.1.357″

    and hide llGetCreator()and your key as a global key way up at the top of the script.
    ex: version = (your key here);
    patch = llGetCreator();

    If channel was the case…. should have used llFrand(); for randomized channel on each call. Blah blah blah blah, I know some of non-creative scripters are going to ask me how to make that possible to keep both ends using Frand channel, I’m not telling how. All expert should know a good trick or two.

    But seriously… if Channel was the issue… then who the fuck wrote your script?

    I’m betting that your scripts/RPG system is fairly poor security than open-source and server-side security post.

  26. Wayfinder Wishbringer

    Feb 26th, 2007

    Point is, those who use LSL shouldn’t have to go to great lengths to build security into their scripting. That security should have already been put in there by LL when they wrote the language. They knew it was to be used for commerce; they should have built anti-hacking security into the system.

    I could give several examples, but why waste the time? The good scripters out there know what I’m talking about. The users aren’t to blame because the OS has lousy security. It should have been there from the start.

    That said, if someone is a good scripter, realizing LSL has lousy security… these things can be foreseen and adjusted for. But you know, there’s only so much security a user can put in place on such a system before it bogs down (considering we don’t have unlimited code space in LSL. Man, reminds me of the dinosaur days of the Apple II+).

    But the real bottom line it comes down to is that SL is a shaky platform and a bad business investment. Stuff like this happens all the time and will undoubtedly keep happening.

    BTW, regarding the post about “please don’t use the term hackers and griefer as they mean the same”. I understand the difference… but I also understand that both mentalities are arrogant and delight in causing harm to other people. Different terms, different mindset, same results. Neither one is deserving of respect. All they do is hurt other people– and usually the ones who can least afford it because the little guy is an “easy target”. There’s nothing “leet” about that.

  27. shockwave yareach

    Feb 26th, 2007

    “but I also understand that both mentalities are arrogant and delight in causing harm to other people.”

    Hacker mindset is about learning all one can about a system to make it do things nobody else can make it do. Whether making it possible to build a wand that changes a target’s hair purple, or absconding with a billion dollars from a bank, it is the achievement which matters to a hacker. It can appear arrogant, but the best hackers prefer low profiles and avoid causing theft or harm as that leads to their detection and loss of the loophole they exploit.

    Griefers, on the other hand, are only interested in ruining other people’s good times. Their pursuit of knowledge about the system only goes as far as to find out what they can do that will obstruct as many people as possible – where to best throw the monkeywrench, so to speak. But where a hacker can take what he’s learned and use it to build a better system, a griefer can do nothing but boast about how many people he’s po’d to other griefers.

    Not even close to the same mindset or goal.

  28. Prokofy Neva

    Feb 26th, 2007

    >I’ve always wondered what it is in the mentality of hackers and griefers that they think they’re some kind of heroes by attacking everyday people. They supposedly “get back” at Micro$oft by slamming individual homeowners and small businesses with viruses, they “get back” at Linden Lab by ripping off people who are just trying to survive on SL.

    >Their idea of “Robin Hood” is to take from the poor, kick them in the teeth in the process and then brag about it. That’s not being a hero. That’s not striking a blow for the little man. That’s being a Tard, capital T.

    Thunderous applause. So well said.

  29. Prokofy Neva

    Feb 26th, 2007

    Hackers and griefers are the same thing in essense; they are continuums on the same line of legal nihilism and anti-morality.

    The hackers have never built anything in Second Life. They are a shave and a haircut away from the griefers. What have they brought us? Self-replicating prims, copybot, campbot, thisbot, thatbot — stalk-mode, hacking of vendors, hacking of all kinds of stuff. I don’t see the constructivism. It’s all destruction.

    They can take it apart; they can’t put it together. Indeed, they’re too stupid to do that.

  30. Prokofy Neva

    Feb 26th, 2007

    Gotta love how Flipper mouths off here. For one, he’s got to protect libsecondlife’s ass, as a bona fide representative of the Electric Sheep, who have never done anything but applaud, welcome, fete, and celebrate libsecondlife. Libsecondlife isn’t coterminous with every force and actor around opensource, but they hog the limelight around it and pwn it when they can. You never, ever find the Sheep EVER critical of any little thing that the gaggle of hackers and griefers who make up the libsecondlife list do. Oh, sure, if pushed, they’ll get on and say, oh, yeah, we’re not for griefing W-Hat but they never do a thing to disassociate themselves from it because they simply don’t see it. They laught at it as a “problem”. To them, the value of having a free corps of obsessive nerds tinkering around with the system so outweighs any damage they do, that they can never even entertain any other thought or scenario in criticism.

    It’s so clear to those of us who have to actually labor away on the grid that the viewer has been opensourced and become a rogue thing, one or two or more rogue versions are going around that enable people to log on and not be banned, to not be ejected, to not even appear. There are plenty of eyewitnesses to this stuff.

    Even if you can’t pin an opensource viewer per se on this heist, you can say that the entire fuck-you, I-get-to-do-what-the-fuck-I-want mindset of open source is the enabling and the contributing environment. It sets the tone in this anti-civilization.

  31. Nacon

    Feb 26th, 2007

    Wayfinder said: “Point is, those who use LSL shouldn’t have to go to great lengths to build security into their scripting. That security should have already been put in there by LL when they wrote the language. They knew it was to be used for commerce; they should have built anti-hacking security into the system.”

    Linden Labs is not there to save your business with whatever that you do with your OWN scripts… They just supply you the platform to work with other people’s platform whom on the same platform to begin with. So yes, YOU have to go to great lengths for a good security if you want to protect your doughs. No fucking matter what.

    It’s like asking USA government to make sure you won’t get eatten by a shark while you’re bleeding in the middle of Pacific Ocean near Japan without a boat.

    Meaning, it was at your own risk, not Linden Labs.

  32. Melissa Yeuxdoux

    Feb 26th, 2007

    “I think it’s very important to keep an open mind and to keep being openly critical of Open Source.”

    The first would appear to rule Prokofy out where open source is concerned, and useful criticism is informed criticism, not just _post hoc ergo propter hoc_.

  33. Wayfinder Wishbringer

    Feb 26th, 2007

    >Hacker mindset is about learning all one can about a system to make it do things nobody else can make it do. Whether making it possible to build a wand that changes a target’s hair purple, or absconding with a billion dollars from a bank, it is the achievement which matters to a hacker. It can appear arrogant, but the best hackers prefer low profiles and avoid causing theft or harm as that leads to their detection and loss of the loophole they exploit.
    But where a hacker can take what he’s learned and use it to build a better system, a griefer can do nothing but boast about how many people he’s po’d to other griefers. Not even close to the same mindset or goal. Posted by: shockwave yareach | February 26, 2007 at 05:50 PM <

    I appreciate your thoughts here… and at one time that was the case. Back in the days of the early Apples, PETs and TRS-80s, a “hacker” was truly a “leet” term, used as a compliment to those who knew how to piggyback RAM chips, cross-wire circuit boards, and make their computers more powerful. They usually shared such knowledge with others. There was reason to be proud of being a hacker.

    Unfortunately, over time, “hacking” became synonymous with illegal activity– and that is almost exclusively its use today. At least in the US, the term “geek” has become synonymous with what hacker used to be. A “geek” is someone who really knows his stuff and usually uses that knowledge to help others. I wish “hacker” still meant what it used to because it was a nice term that many of us were proud of (one doesn’t know the true joy of computing until one has solder-piggybacked RAM to a motherboard to double memory or cut a trace line to increase clockspeed… LOL). Unfortunately, as far as I am aware, “hacker” pretty much means a talented griefer.

    Now agreed, there is a small portion of hackers who only attack the large, major corporate offenders who cause so many problems for others (such as Micro$oft and their overpriced, bloated, RAM-hungry OS. Which BTW, is anyone else aware that Vista takes 2/3 of a gig of RAM just to run? Inexcusable bloat). Hackers of such companies try to make a point– they take the position of modern-day Robin Hoods. Unfortunately, even those people wind up just hurting the little guy. Every virus that is released hurts not Micro$oft, but the small guy who is forced into using Windows to run his business and feed his family. Again, nothing “leet” about hurting the little man.

    If anyone manages to return the term “hacker” to its rightful and respectful position, I’m all for that. But for now, in the eyes of most, a hacker is basically a vandal and a thief– and the true Hackers have taken the name of Geeks to make sure their honored position is kept distinct from the criminal side of computing.

  34. Wayfinder Wishbringer

    Feb 26th, 2007

    >It’s like asking USA government to make sure you won’t get eatten by a shark while you’re bleeding in the middle of Pacific Ocean near Japan without a boat. Meaning, it was at your own risk, not Linden Labs. Posted by: Nacon | February 26, 2007 at 07:21 PM <

    The US Government didn’t take your money to put you in the middle of the ocean. Nor did they build the ocean, the shark, or put you out in the middle of it. Linden Lab is the core creation body of everything that happens on Second Life. They were the ones who decided to make Second Life an economic-based platform rather than just a fun environment where everyone trades things or gives them away for the rep. So when they put together a scripting language to handle that economy, it was forseeable that language needed security built into it. It is exactly the same as Micro$oft, who lamented, “We never foresaw that we would need security on Windows.” Well duh, they flat should have. Every other systems designer on earth foresaw it, way back in the early days of DOS. One has to wonder.

    However, what you say about “entering at your own risk” is true Nacon, except for one thing: LL didn’t really tell people what those risks were when they signed up. And they often withheld information from people who made major investments in the platform. What they really need is a big freaking sign in red letters at the beginning of signup:

    WARNING! Second Life is unstable. You will experience regular crashes, data outages,lost inventory, changed inventory permissions, consistent and repetitive bugs, griefer attacks, drama queens, property theft and all other sorts of pain-in-the-butt experiences. The host company, Linden Lab, inflates its active membership figures by 90 to 95% and is willing to accept from you vast amounts of money, but we absolutely absolve ourselves of any responsibility for anything that happens on this board. Knowing this, if you still decide to invest real money in this platform, best of luck!

    LOL. Now that would be truth in advertising.

    On other matters: I do think it is somewhat interesting that vast numbers of people hassled Linded Lab to go open source for a long time. I was surprised in fact, that I was one of the seeming handful cautioned that going open-source might open up a can of worms. Open source is not always the best idea. Agreed, if they were picky and hand-chose “user-assistants” to help them re-examine code and make suggestions– that could be very valuable. I mean, free help, no cost, new mindset.

    However, they didn’t release the code that’s having the real problems, namely, the server-side code. The released the client code. That might have some value in helping to resolve client-side issues (such as graphics resolution problems and some lag issues) but it’s not going to help with the major issues (server side lag, data mismanagement, networking problems, etc).

    The results of their decision to go client-open-source remain to be seen. But I wonder how many of the people griping about open source now were among the crowd demanding it a few months ago. Just trying to be fair here. In this particular case, LL was kind of in a “cursed whatever ya do” situation. If they didn’t go open-source, people would gripe. If they went open source, people would gripe. This is one instance in which they probably should NOT have listened to the customer– and told everyone the reason why.

  35. Mark Busch

    Feb 27th, 2007

    If LSL would run really fast, security could be much better. Unfortunatly it is quite slow, so I decided not to use some random-channel-number scheme, but I assumed, with the slowness of LSL it would be impossible to scan all channels. Ofcousre bugs in SL that make everything full-mod are very bad this type of security :P

    What I would prefer is a creator tag on the script. On the listen command there should be a parameter to find out who made the script that send the message. This would be an fairly easy way to make some decent security.

    P.S. Can we finally get over this ‘hacker’ term? It might have been a positive words long long time ago, but now everybody considers a hacker someone who breaks into computers and does bad stuff, so get over it! Just think of a new name for ‘elite coders’ or something :P

  36. John Doe

    Feb 27th, 2007

    Mark Busch,
    please do get over the “hacker” term.
    For sure, you’re not able to use it correctly, so stop yourself.

  37. Mark Busch

    Feb 27th, 2007

    People use incorrect terms all the time, on all sorts of occasions… I don’t ever hear anyone complaining about that… words can get diffrent meanings, no matter what your dictionary or wikipedia says. So get over it.

  38. Kamilion Schnook

    Feb 27th, 2007

    Hm… Channel scanner.

    Well, considering it, I suppose the easiest way to do something like this is to use some tricks.
    First, I’d write a script that opens the maximum number of listens, and has a very simple listen event, like echoing the channel number. Then I’d add a function to multiply the channel numbers by the name of the script. (since copying the same script into a prim will number them.) Then I’d write another script to recursively copy the first script into a set of prims at the maximum link count, which is somewhere around 250, until the prims could hold no more. Then doing this a couple more times until I had enough of these objects on different channels to attach one linkset to every attach point on my avatar….

    That just might be able to exploit LSL in such a way that the channels that have no traffic are having no events called, therefore only the channels that were actually being used would trigger events, causing the scripts to run. 99.9% of them would be completely idle. The only way I suppose you could find this, would be to watch the Active Scripts counter in the stats bar.

    Theoretically, if your autoreturn was at 10 minutes…. they could honestly just be temp on rezzed and stay around for only 60 seconds, scanning chunks at a time with the found channel being said via llOwnerSay.

    This kind of thing could be very hard to detect.

    And this will only become easier when LSL is compiled down to mono, because of the speed increase, and not only that, the theoretical concurrency increase along with the speed increase.

    So seriously. Start using protection. llMD5String is a good start. Start building your backend away from things shouting on channels. You have llHTTPRequest and XML:RPC. Use them. An easy way to set up security is using llHTTPRequest to obtain a token for the llMD5String nonce. Setting a script up to use HTTP instead of notecards is hundreds of times faster, and a lot more scalable. And, if you obtain a SSL certificate for your server, fairly secure, and decently encrypted. Since your program is also external, it also runs orders of magnitude faster, and can EASALLY incorporate fraud protection routines. The knowledge to do this is not hard. I’m not very experienced, and I’m learning it without too much trouble.

    There’s an old adage in hackerdom — Never trust the client.
    I don’t necessarily trust the server either — unless I’ve configured it by hand. Atarack.com has given me awesome rates since day one, root on my VPS, and support. The two guys running it are top notch, high class all the way, and damn good hackers in their own right. Don’t let ‘em tell ya otherwise! And if anyone’s interested in subletting some space/bandwidth on my VPS; drop me an IM and let me know your requirements — SLLabs specializes in custom contracted scripts and services!

    And no, we can’t get over this hacker term thing. Nobody can.
    http://en.wikipedia.org/wiki/Hacker_definition_controversy

    http://en.wikipedia.org/wiki/Hackers:_Heroes_of_the_Computer_Revolution#Hacker_ethic

    The best true definition, to me, would be as such:
    1950s: amateur radio enthusiasts borrowed the term hacking from riding and defined it as creatively tinkering to improve performance.

    http://en.wikipedia.org/wiki/Hacker
    In thus, I would qualify under the ‘white hat’ category as the “Hacker: Hardware modifier” — Spending inordinate amounts of time around PC hardware. No, I don’t do the silly casemods, nor is my case a beige box. (If you really want to know, it’s an Antec Aria. I bought it for it’s ability to fit under greyhound seats.) I know how to build the best PC in terms of Price/Performance. I can also repair one without resorting to reinstalling windows. I’ve brought Win ME back from the dead. Powershell is my ally. ( http://www.microsoft.com/windowsserver2003/technologies/management/powershell/default.mspx )

    I’ve only got a year of programming under my belt, and only in LSL. So, I can’t really be considered a programmer yet.

    I don’t really care what you consider a hacker; what you describe is a cracker, someone who breaks into protected systems. Why don’t YOU think up a new name for the 3l1t3 theives? Oh, right, we already have. Crackers. Scriptkiddies. Greifers. E-Terrorists. Some of them are clever. Some of them may even be Hackers themselves. But most of them are juvenile little AOL kids, with nothing better to do with their so called ‘talent’ than cause trouble. I may be rude often, and I may be inconsiderate sometimes, I’m DEFINITELY sarcastic, but I am no thief, and I’ve never hacked on something without owning it, or without permission.
    (This includes SL permissions; a script set Modify is permission enough.)

    The one thing I truly believe in is THE RIGHT TO READ.
    Reading precedes learning, information is power.
    Never let yourself be fooled by anyone telling you otherwise.

  39. Cocoanut Koala

    Feb 27th, 2007

    Language is a fluid thing, and changes. That can be so irksome over time.

    I have a number of pet peeves. For example, “As far as . . . ” should be followed by, ” . . . is concerned,” or the like, but lately never is. And the word is not “preventative,” it’s “preventive.”

    Then we’ve got “none was” which has lost almost total ground to “none were.”

    Not to mention the sad fact that “between you and me” may well be on its way to becoming an acceptable “between you and I.” (Shudder.)

    Nonetheless, this is what language does.

    That is what is happening with your precious “hacker.” And I would venture to say, has already 90% happened. You can rail on about it all you like, but I would guess that, at minimum, 90 percent of the population considers a hacker a bad thing.

    You’re the one who will have to change, however much it irks you.

    coco

  40. Kamilion Schnook

    Feb 27th, 2007

    Yes, I suppose that’s why fuck started out as ‘to strike’.

    Fine; if you’re that concerned over a word, I’m a geek.
    In this case, I’ll cite a COMPLETELY different source — something we know is total bullshit: Everything2.com.

    http://www.everything2.com/index.pl?node_id=655847&displaytype=printable

    Which reads:

    nerd: Squareness is the hallmark of a nerd. A nerd wants to fit in, but will fall back on intellectual abilities when flustered. A nerd is often found tooling–not for the love (then it would be geeking), but rather because it’s a prudent investement of time and effort into the future.
    Nerds lack personality; Nerds do very well within the rules given them.
    Hygiene is observed; Style is generic/lacking/staid/conformist.

    geek: Obsession is the hallmark of the geek. A geek really gets into it, whatever it is. They’re getting something out of it. They’re learning a whole hell of a lot because they have the love for it.
    Geeks got personality; Geeks beat upon the rules. They spend time geeking on the rules. Sometimes they learn them well enough to start hacking them. (This is why I think about law school.)
    Hygiene is often neglected; Style is often eccentric.

    dork (orthogonal quality): A dork is someone with a glitch in their social game–they respond inappropriately (do something dorky) at inopportune times. Some people become nerds and geeks because they are hopeless dorks.
    (no comment on dorks w/r/t the ‘rules/hygiene/style’ axes)

    loser (may be orthogonal): Someone that consistently loses. Often they are bitter and otherwise socially maladjusted.
    They consistently get screwed by the rules. They tend to misunderstand them and/or reflexively react to them in a detrimental manner. Being that they can’t win, they either give up or go overboard on style/hygiene/etc.

    In this case, I’m still a geek. ;)
    And in most cases, it can be pretty clear who a loser is.

  41. Wayfinder Wishbringer

    Feb 27th, 2007

    >That is what is happening with your precious “hacker.” And I would venture to say, has already 90% happened. You can rail on about it all you like, but I would guess that, at minimum, 90 percent of the population considers a hacker a bad thing. You’re the one who will have to change, however much it irks you.< - Coconut

    Well said Coco. I was once a “hacker” and was proud of that fact, although we rarely referred to ourselves as such (the hacker community knew who we were). But like you pointed out, terminology changes over time and when “hacker” came to be widely regarded as a computer griefer, true hackers became (somewhow… beats me) “Geeks”. Although in truth, Geek somehow denotes a pimply-faced kid who spends all his time slaving over a keyboard– or a guy in a white shirt and black tie who has forgotten how to speak English. It’s just not the same. But I’ve seen quite a few “hackers” now state “I’m a Geek” and proud of it– so I guess that’s sufficient. They still hack motherboards and circuits, write code and most importantly– help people who have computer problems. Which is what true hacking was always about.

    So I don’t know what today’s equivalent of a “hacker” would be. Could be that the breed disappeared in concept the way the “SF fan” disappeared with the advent of Star Wars and the resultant mainstreaming of science fiction. Perhaps– the day of the true hacker is past and now, with computers so widespread– we’re all just “users” with various degrees of ability. It’s like this: when it gets to the point that 10-year olds are hackers, “hacker” isn’t really all that special any more. And since it has (as you pointed out) become associated with criminal activity, this one-time hacker is satisfied to be known among his friends as “the computer guy”. Good nuff for me. :D

  42. Nacon

    Feb 27th, 2007

    Seem like Wayfinder has changed the topic… again.

    Can’t stop talking about “hacker” term… meaning that you never were an “hacker”.

  43. Wayfinder Wishbringer

    Feb 27th, 2007

    LOL, what is it now Nacon, you’ve chosen me as your personal snit target? Again dude (and you’ve been told this before), get a sense of humor, lighten up and grow up. This is a blog. People can pretty much post what they feel like posting and discuss pretty much what they feel like discussing without your personal censorship. If you can post the multitudinous foul-mouthed troll posts you’ve placed on this blog, surely we can discuss idomatic usage of the word “hacker”.

  44. Maria LaVeaux

    Feb 27th, 2007

    I think you will find the Lindens have a Policy of being Very tight lipped on the progress of Abuse Investigations so it should come as no surprise that they are saying Little or Nothing with regards to something that is a Little more serious than shooting prim Penises at people. A Hack like this, If it became general Knowledge could be Crippling to SL Businesses in General, so, I don’t expect the Lindens will do much Advertising of it.
    The actual Theft it’s self constituted an amount of USD of about $400. Under Canadian Law, that is Classed as “Theft under $5000″ Not what we call an Endictable Offence (What our southern neighbors would call a Misdemeanor Theft). If RL Law Enforcement were involved i think such a small amount would not be Given a High investigative Priority Unless it could be shown that this One theft was Part of a Broader web of thefts that would exceed the Felony Theft Threshold.
    I am NOT saying this to Diminish the Crime in any way. I’m just stating that the Offended parties might be disappointed in the attitudes of RL Law enforcement in thier case.
    At the Moment, Open Source’s Involvement in the creation of the Hack is Pure speculation BUT it is a Reasonable one, As is the speculation that there could be Inside Involvement. All of these Possibilities are reasonable Until the Investigation Eliminates them. Right now, LL is the Only authority that we Know of that Is investigating, and they have a Vested Interest in the Outcome as well. If it’s shown that Open sourcing the codes has led to this Hack, How anxious would they be to Openly admit it to us? My supposition is, that they would tend to Publicly attribute it to some other cause in order to avoid a PR Mess while Very quietly Plugging up the Holes that allowed the Hack in the first Place.
    I have to wonder something else though, Each of the items Targetted were Not items created by LL, but were scripted by Sombody specificly for Darklife. Is it Not also Possible that someone First developed a script that would Function the same way, Then looked to How to Break it in accordance with the Methods used here? That would, of course Infere that the Hacker had Some Knowledge of the Full functioning of these scripts. These Attacks are not Random, they don’t seem to be Hitting anyone, or anywhere else, they are Focused on Darklife. I think the Darklife Organizers might do well to begin an Internal Investigation of thier own to see if there has been any Complicity in these Attacks.

    Just my thoughts.

    Maria.

  45. Wayfinder Wishbringer

    Feb 27th, 2007

    Good post Maria. You make valid points. Something I’ve mentioned to LL in the past though, is that the appearance of doing nothing in such a case is doing nothing. It fails to set an example, fails to allow closure for the victims, fails to let the public know that such activities will not be tolerated.

    I appreciate too that in Canada (and in most areas of the U.S.) this would be considered a misdemeanor crime. Except that it was performed on computer, as an intentional hack– which now falls under the U.S. Patriot anti-terrorist act. Yup, whole new ballgame these days. Anyone performing an intentional hack of a computer system can find themselves facing some significant Federal Prison time… no matter how much or how little damage they do.

    Of course, hackers, believing themselves to be bullet-proof, ignore such realities– until the FBI busts their door down, confiscates their equipment and drags them off the jail. Then it’s the standard innocent act. But, more and more are falling under these new laws and although most people aren’t aware of it– more and more are being arrested daily. The government is starting to recognize what a danger computer thieves pose– and less tolerance is being granted by the courts. It will be interesting to see how this all turns out.

  46. Prokofy Neva

    Feb 28th, 2007

    I totally have ceased to buy this stuff about how they have to keep a low profile on these heists and hacks.

    That’s not what RL victims of crime, especially corporate victims necessarily do.

    There’s a completely different way you can play this. You could have Linden Lab first holding worried press conferences and using their considerable media clout to say, why haven’t the Feds moved on our case?

    You could have LL publicly calling on Canadian authorities to Get Involved.

    You could have *a year after this major grid crashing* increasingly worried and even indignant and outraged pressers with even congressmen, or various Pillars of the Community.

    They could get very public and in your face. Trust me, if the Lindens and Sunmicrosystems and IBM and Anshe Chung hold a press conference and say they are sick and tired of griefers who crash the grid and fling penises, the media will be all over it and some of them will start up a watch. “Day 7 — and still we maintain our lonely vigil on the courthouse steps, where filing a motion for a duces takem subpeona against one Canadian citizen, typist of Plastic Duck, with the help of Interpol and cooperation of the RCMP” etc etc

    If they want to, they can make this absolutely saturation coverage. But they don’t. In fact, look in the people list, there’s now an account named “Plastic Dix” with the slogan “Yes, I’m who you think I am.”

  47. Maria LaVeaux

    Feb 28th, 2007

    Yes, Excellent point Wayfairer regarding the Patriot act. Instead of Local constabulary one would now be dealing with the FBI, But again, i think the relative Value of the Crime, versus cost involved in Investigation, and Litigation might continue to Place the theft of $400 dollars fairly Low on thier priorities list UNLESS it could be demonstrated that it is part of a Web of Larger Offences by the same Purpetrator/s.

    Prok, Yes, i Agree Fully it Could be Handled the way you suggest. In corporate Circles it Often is, But just as Often, Jumping the Gun with Making Public Too much information Can, and frequently Does jeopardize Investigations. In most cases it’s best Not to Announce to the Suspect that they are being confronted with the Full Investigative weight of the Federal authorities until it’s time to actually Make the arrest and prosecution. When a Corporation does Go Public with Information on an Investigation it’s usually after consultation with Both the authorities and thier own Legal Advisors and then Only because Going Public serves an Immediate Need on the part of the corporation and those members of the general Public who would be warned and protected by such announcements. If such is Not the case, the advice of Both the Investigators, and the Corporate legals would be to remain circumspect and allow the Feds thier lead time.

    Simply doing so out of Anger, or frustration serves No good purpose and Only Plays into the hands of the suspects.

    If you can suggest an Immediate Public or corporate Good that could be served by LL going Public, i should support it 100% But “The peoples right to Know” isn’t sufficient Because If there is Insufficient evidence to support a prosecution, there is Nothing for the Public to Know. If on the other hand there IS reason for prosecution, the Publics right to know is served when the Arrests are made, and Charges laid.

    People WERE injured by the actions of these Hackers, a Crime WAS committed. If the Feds (Or any RL law enforcement) are involved then i think we Can leave it in the Hands of the Experts. If they have not Yet, then i think we can continue to Suggest LL Press thier Investigation, and Involve them as necesary But in Neither case do we Really Need to Know the details of the Investigation. That it IS Ongoing, and LL Is taking this seriously is enough information for Now.

    Maria.

  48. Yo Brewster

    Feb 28th, 2007

    While trying to skim through all the messages posted here on clearly a very sensitive subject – I would like to point out that securing channels is easier said then done at this moment. Sure you can add a certain degree of security to your channel communications but you would have to communicate back and forth between objects to make sure that the communication is actually validated. The problem? LSL is dog slow – I mean – if you would have to wait 1-2 seconds to get an encrypted string back and forth over a channel, then writing games like DarkLife would simply become impossible. HTTP requests? Lol – I’m using them for my SLGadget and they take WAY to long to come back with a result + they don’t always work in SL (depending on how the grid is doing I guess). Instead of doing all this encryption, why don’t we have the option to limit channel communications to the creator of the object instead of just the owner? Just wondering… — and Mark – good luck with your DL project!

  49. Wayfinder Wishbringer

    Feb 28th, 2007

    Prok, I appreciate the points you make about the media going overboard if LL decided to make this a “public outrage” issue… but I don’t think that is what anyone has suggestion. Kind of a matter of swinging to the extreme.

    No one suggests that LL blow this all out of proportion. But an announcement to the community that “We’re on this and will handle it” might be reassuring to their customers. Then once it is settled, a simple announcement of what was done and their stance in such things would set an example– a warning to others who might try the same thing.

    That’s what would happen in RL. The company involved or the police would announce an investigation, and when the criminal was apprehended/convicted, that information would be made known to the public as a warning to others– and as closure for the victims.

    Linden Lab has long been chastised for their policy of “maintaining the privay of griefers” when dealing with intentional harm to SL members. That policy offers no closure for the victims and gives the distinct impression that Linden Lab never does anything about anything. The police blotter is a joke.

    So no, no one is suggesting that Linden Lab hype the matter all out of proportion and call in the media. We’re just suggesting that they do SOMETHING to let the community know this matter is being handled– and handled seriously. Because all too often we have seen Linden Lab absolve themselves of all responsibility, stand by, and do nothing.

Leave a Reply