Sussy McBride Robbed of L$12 In Broad Daylight!

by Alphaville Herald on 06/12/07 at 12:10 am

Alleged thief Pwned Naglo still at large

by Pixeleen Mistral, 3rd shift news desk

Macnn reports that Charlie Miller and Dino Dai Zovi have proven that a recent Quicktime video vulnerability can be exploited to steal L$ spacebucks from other players – if those players walk in the wrong part of town with streaming video enabled. In light of this news it is unclear why Linden Lab has not disabled the exploit by turning off Quicktime video in-world – perhaps the Lab is willing to tolerate street crime to avoid interfering with various clubs and media events?

In the video, notorious Pwned Naglo is caught in the act of stealing L$12 from Sussy McBride. A tragic victim of a lawless world, Ms. McBride happened to wander into the wrong plot of land – a plot where a video stream was delivering a payload of pain – hijacking Sussy’s avatar and forcing her to hand over her virtual purse’s contents to Mr. Naglo. Experts speculate that Naglo may have robbed Sussy to raise money for an updated look to his rather drab default Linden furry avatar. If this sort of robbery by compulsion is now possible – what wil prevent the criminal elements from taking more serious liberties with their victims?

Will this sort of street crime never end? Who will protect the hard working residents of the grid from the foul furry criminals – criminals that give all fur avatar a bad name. The Herald call on LL to take action – before this crime wave panics the citizens. Streaming video or security – the right choice should be obvious.

26 Responses to “Sussy McBride Robbed of L$12 In Broad Daylight!”

  1. Nikola Shirakawa

    Dec 6th, 2007

    Linden Labs just put out a big bulletin about a QT Vulnerability at any rate, so this would not be their fault. Furthermore, The video was most likely staged, as the video was being recorded by the “thief” in question, which would be convenient for hiding the fact that the “victim” had a pay window out, and would have been walking into their own controls. I mean, come on, I’ve seen Bigfoot videos less hokey than this piece of junk.

    How the hell would a video/music plugin get access to your financial info anyway? My iPod does some weird shit from time to time but I’ve never got it hacking my credit card.

  2. Why Bother

    Dec 6th, 2007

    The font seems a little too big with respect to the buttons on their screen, but maybe that’s just me. Still, Linden Labs needs to get their act together before those of us left just bail on this sinking ship.

  3. DINGOS ATE MY BABYFUR

    Dec 6th, 2007

    Only one solution, in my book. Ban all furries.

    Also, This looks shooped. I can tell from some of the pixels and from seeing quite a few shoops in my time.

  4. Nacon

    Dec 6th, 2007

    *sighs* it’s fake. They are hoping to create a panic at time like this.

    Don’t be an idiot.

  5. Angel

    Dec 6th, 2007

    Not fake, it’s a working proof of concept.

    It makes your client crash, makes your av shout “I got hacked” and makes you pay someone $12

    Standard buffer overflow stuff.

  6. DINGOS ATE MY BABYFUR

    Dec 6th, 2007

    Also, whiles I love SLH’s creative writing skills, for those who won’t click teh links, or google the story some…..

    Pwned Naglo and Sussy McBride are the test avatars for the two security researchers who’ve discovered how the exploit worked, and notified LL. It’s a proof of concept exploit. This isn’t some EVIL EVIL PN guy ripping off a poor noobie for their entire LL wallet. Reference the following link and be amazed.

    http://securityevaluators.com/sl/

  7. Alyx Stoklitsky

    Dec 6th, 2007

    Oh wow, that’s easily the most phoney video ever made.

    -10 credibility

  8. Nicholaz Beresford

    Dec 6th, 2007

    Even if it’s true I think the Lindens made the right choice. Everybody was seeing the warning notice when and before logging in and I could imagine the uproar with education and art sites if they disabled video altogether.

    I mean, the Quicktime exploit does exist (it’s basically a threat from all qt enabled browsers or websites). Do you want your internet provider to disable QT streaming?

    Personally I prefer the variant the Lindens handled it, that is that they are giving the residents a choice.

  9. Patchouli Woollahra

    Dec 6th, 2007

    This is a new low, guys. honestly. why even bother?

  10. Nina A

    Dec 6th, 2007

    Get real! Of course it’s fake but it demonstrates a serious QT flaw. Why bother? Would you not rather know something than be ignorant? Thanks SLH. I read about a flaw, but I didn’t know to what extent it could be used. It’ll probably never happen to someone but it’s good to know it exists.

  11. old news

    Dec 6th, 2007

    old news is old.
    SLH is made of PN fags, FAIL and AID.S

  12. Will Szymborska

    Dec 6th, 2007

    Isnt this news.. a LITTLE late..? And honestly, everyone already knows that this happened. As Alyx explains… LL already told everyone and made it clear that you could disable streaming video at your own discression.

  13. Anonymous

    Dec 6th, 2007

    This is a great example why Linden Labs needs to stop relying on third party closed sourced software for multimedia handling

    quicktime is a shitty player and a shitty format, period.

    LL would be better off using mplayer or xine as a primary backend, or using a native OS multimedia handler, or making plugins that interface with various players. (on windows anyway)

    that way, we arent restricted to .mov.

    the best route imho would be having a custom media playback backend at the cost of most disk space and a larger download.

    but for portability’s sake, making it pluggable.

    The linux client already has this in a sense. it makes use of a multimedia backend called gstreamer, which in itself is a pluggable architecture that allows using multiple formats.

    I imagine using some directshow plugin in the windows version might be easier, and a..uh… yeah um.. quicktime… player… for the mac users.

    But security wise, a custom player within SL may work better.

  14. Stacey Sugar

    Dec 6th, 2007

    It seems fishy. The avatar Sussy McBride stops to shout “I got hacked” and then the money gets deposited to Pwned Naglo. Looks like the avatar types I got hacked and then clicks shout before paying Pwned Naglo L$12 … then the video stops … therefore further evidence of this QuickTime exploit needs to be explained. Why was this exploit, if it is indeed real, not found until now … QT has been used in SecondLife since March 2005!

  15. Sigh

    Dec 6th, 2007

    This is not a theoretical exploit, as the researcher’s video above demonstrates. Why SLH would choose to report this in their usual scattershot way (and why the Lindens wouldn’t globally disable Quicktime streaming) is beyond me. Actually, I have a secret theory, but it would be libellous to say it here.

    By the way, I notice that even the trolls can’t be bothered to make comments anymore. Is SLH circling the drain?

  16. Lore

    Dec 6th, 2007

    This is why the Herald is considered a joke…

    Dingos ate my babyfur said:
    “Pwned Naglo and Sussy McBride are the test avatars for the two security researchers who’ve discovered how the exploit worked, and notified LL. It’s a proof of concept exploit.”

    If this is true, it should have been added in the article. Otherwise of course people will think this video is a fake.

    More explaination please. If you want to write about news, do it. If you want to do something creative, go write a book.

  17. Darien Caldwell

    Dec 6th, 2007

    Geez, just when I thought SLH was getting some integrity back, they knowingly post fraudulent news. In RL the editor would be fired, and never work again.

  19. Dear Herald, People are too Dumb to Get the Joke( plus it is a serious issue)

    Dec 6th, 2007

    erm Stacy, that’s part of the hack. You’re MADE to say ‘I got hacked’, you don’t type it! See…Stacy proves not everyone is aware of this hack. SLH should have done this story properly. BTW Read the Linden blog about this, Stacy.

  20. nightlife Overlord

    Dec 7th, 2007

    True this video was just a DEMO by the researchers seeking attention. Using this exploit to steal lindens is not sensible. Its completely tracable and no way to get away with actual real dollars. It will leave a trace. So this one remains only in theory, but there many other more sensible things that can be done with the exploit. The two researchers were just seeking attention and they used stealing lindens as a shocking enough headline to get everyone attention.

    The bigger threat is outside sl, a porn site have been found to re-direct users to urls that serve the exploit. it then downloads a hacking tool on your computer, giving hackers access to your machine. But your anti-virus notably Symantec and Trend Micro will be able to detect and delete it.

    In sl as in the web, the best thing to do for now is to only access videos and websites that is trusted.

    In sl, get your video from trusted sources.
    http://myslhometv.blogspot.com/2007/11/quicktime-expoit-is-video-safe-in-sl.html

    There is a real threat in sl so watch video only in your parcel or in the one of people you trust. Disable auto-loading web profiles.

    Visit only websites that you trust. update your anti-virus, they are able to detect and delete most implementations of the exploit so far.

    A good start is to add the following to your browser as RESTRICTED SITES. To deny your browser access to these sites:
    85.255.117.212,
    85.255.117.213,
    216.255.183.59,
    69.50.190.135,
    58.65.238.116,
    208.113.154.34
    2005-search.com,
    1800-search.com,
    search-biz.org
    ourvoyeur.net

    these are websites already found to be serving the exploit detected by Symantec and Trend Micro.

  21. Arthur Fermi

    Dec 7th, 2007

    I like how you were on top of this, I reported about the live exploit 2 days ago. But you are missing another point, there is also an LL media glitch that can force you to a media stream not of your choosing. So even if you are on “safe” land that might not be the case, that is why LL said disable your media.

  22. Noelyci Ingmann

    Dec 7th, 2007

    Tag Pixeleen, you’re it now! Thought you might have fun with this.

  23. nightlife Overlord

    Dec 7th, 2007

    Arthur, quoting from LL’s blog post, this is how they put it:
    “We do recommend that you employ caution when using QuickTime in Second Life, only enabling it in environments that you trust, and are familiar with.”

    And of course its always necessary to control access to your land limit access, building and scripting only to trusted people in your group.

    What is the other LL media glitch?

  24. nightlife Overlord

    Dec 7th, 2007

    I also believe that if the issue was about a glitch that allows hackers to force anyone to a media stream not of their choosing and also doing it without going into their land, then LL would have turned off video in the entire grid.

  25. Maria Leveaux

    Dec 7th, 2007

    LL made it QUITE Clear why they didn’t Disable Quicktime in SL, they didn’t want to Impact those HONEST businesses and Sims that are dependant upon it, what they DID do was warn people If they were concerned, to Turn it off from their End unless they were in some area they trusted. I Know Because they Attached the Warning to a Mock TOS update so everyone would have to READ it, and Acknowledge it BEFORE entering SL.

    The OP is just asking Why a Construction Company didn’t put up SIGNSs telling her Not to Climb over the Yellow Danger Tape to prevent her from dropping in a Hole.

    A Warning was given, and Ignored, and the Inevitable happened. Don’t Blame LL because someone Chose to be Obtuse.

    Maria.

  26. Bllinders Off

    Dec 11th, 2007

    Is the video fake? Most likely. Does the fact that LL told everyone about this exploit make them “not responsible”? Hardly likely. Any company that knowingly allows a potentially dangerous exploit to remain unchecked (what, since Quicktime 4.0? And now it’s at 7+?) cannot claim innocence. In RL this is called “criminal negligence” and is a CRIMINAL, not a civil action.

    LL allows a known exploit to continue to exist on their system that they know can harm their customers. Instead of shutting down Quicktime or hiring a competent programmer for the one day it would take to switch to another video system… they allow it to continue. They are therefore culpable.

    Staged video or not, it demonstrates the problem. What if instead of L$12 it had been L$1200… and what if it had been YOUR avatar that got ripped?

    Think about it people. Wake up. SL seems full of anarchy-driven internet zombies that regularly lose touch with reality. LL has admitted this exploit exists. They have failed to take steps to stop it. Duh.

Leave a Reply