DarkLife Robbed – Developer Blames Open Source SL
by Pixeleen Mistral on 25/02/07 at 5:51 pm
DarkLife creator robbed of $400 USD – fingers griefers as suspects
by Ouchquack Stern, spastic bastard
“ZING!”
The sound DarkLife players yearn for is reminiscent of the muted strum of a harp in the key of “C”. The meta-game players — both the Mages with their wands, robes and pointy magic hats, and the Fighters with swords, armor and shields — spend hours to slay monsters so they can go up a level and hear that sound. But that heavenly chord was twisted to evil purposes, and used against the intrepid players Saturday evening, as a dozen seasoned players gathered around the Shrine in the center of Navora to whisper about the hackers who have made their beloved game unsafe.
a gathering of people at the Shrine in Navora
DarkLife is basically the Second Life version of the old table-dice-pencil-and-paper role playing game “Dungeons & Dragons” in that it is ‘turn’ based, players ‘level’ to advance and there’s a lot of hack-and-slash fighting with some magic tossed in. DarkLife’s kind of role play is the old fashioned kind — “I kill the dragon. Arrrrr!” Not the modern take on ‘role play’ which is practically synonymous with fetishistic sex-play.
DarkLife developers Mark Busch and his pal Pirate Cotton have been running the game-within-a-game for nearly three years now, and over the years they’ve attracted thousands of Second Life citizens — all of whom have paid nearly L$500 to don the backpack that stores their experience, gold, mana, health and level for their combat-based advancement. And with every level advancement players get more ‘level up’ points to apply to their abilities so they can use more powerful weapons and magic items and inflict greater damage on the many monsters in the Navora sim. Each new weapon costs L$50 and a fistful of DarkLife game gold, the Linden dollars going into the pockets of the game developers in a constant stream of ‘KA-CHING! KA-CHING! KA-CHING!’ That is, until a couple days ago when it all went distressingly wrong — and a felony was committed in Second Life.
Mark Busch, DarkLife co-founder
“We’ve been robbed for about $400 USD (United States Dollars),” said DarkLife creator Mark Busch in an instant message to Pirate Cotton, as relayed by Cotton to the Second Life Forums. Mark Busch and Pirate Cotton confirmed the post in extensive interviews by the Herald. “On the 17th my account got robbed by some dude named ‘CheckOutThis Hax’ and ‘Data Lindman.’”
Busch speculates that CheckOutThis and Data are one and the same, and they are also alts of one Cleint Hax who hacked into DarkLife a few weeks before with a hack that raised Dark Life player victims level after level in a matter of seconds – ‘ZING, ZING, ZING, ZING!!!’
This reporter visited Navora on Saturday night to ask some locals about the felony burglary, when griefer OpenSource Hax sat on the head of Dark Life player Sammy Grigges while one StealingCashFromDarkLife Allen started hacking Dark Life player packs and boosting levels at a prodigious rate — ‘ZING, ZING, ZING!!’
Trevor Langden, DarkLife security
Long time DarkLife players Ethan Pow and Trevor Langdon, both members of the DarkLife Security Force, quickly booted everyone from Navora and closed the sim, in response to the griefers. Within minutes Pow created a temporary group and invited legitimate members into the sim so they could safely continue their play. That made the sim safe from griefing, but slowed commerce down to a crawl.
“When I fixed the bug the other night this hacker came back (Saturday) and when he noticed he couldn’t steal any more cash he went on messing up people’s (game stat storing) backpack,” Mark Busch told the Herald. “It’s typical behavior for a teenage hacker: using prank names, messing things up, talking big” and generally throwing tantrums when things don’t work the way he wants.
Busch says the griefer pulled the level-up prank a few weeks ago, and Pirate Cotton reported the activity to Linden Lab through an abuse report and direct contact. Then a few days ago the griefer tapped into the DarkLife vendor refund account and took $400 USD worth of Linden dollars. They insist that both pranks, and the ability to talk in group chat without being in any DarkLife group, are hacks requiring knowledge of the channel number the game developers use for privileged communication — like money transfer. But how did Hax know the channel number?
According to Mark Busch there are three possibilities:
- A recent Second Life bug relegated every bought item to ‘copy-mod’ — even scripts
- Hax found a new bug in Second Life
- Hax used a scanner to find the channel*
*Unlikely: there are a reputed 4 billion channels – at 100 scans a second it would take two years to test all the channels.
The fourth possibility, one that Mark Busch doesn’t want to address, is the possibility that the hack was an inside job. When pressed he admits that he and Pirate have extended access to that kind of information to two employees — and they could have shared info with their relationship partners. Possible, but unlikely as all have been long time paid employees and the hackers have just recently cropped up. Not so coincidentally – according to Busch – right after Second Life went ‘open source.’
“Before (SL went open source) there were some minor hacks, but I was able to track them down to bugs in DarkLife itself,” Busch told the Herald. After the theft “I was able to track down what this hacker did but it’s not a bug in DarkLife. How did he get the channel number? The most obvious answer is the HUGE buy-mod bug a month or two ago. The other is that he used the open source (of Second Life) to find a new bug that allows access to scripts.”
Busch says he reported Client Hax weeks ago, and IM’d Spike Linden about the activity in Navora Saturday night, but was told to file an abuse report and the Lindens will do what they can. Essentially the same thing one is told when a noob runs around nekked in a Welcome Area — not the kind of investigation and customer support one would expect for one of the most successful content creators in Second Life who is faced with a breach in security that is crippling his business. (Spike Linden did not reply to a request for comment).
As of Sunday afternoon Dark Life was still restricted to group members. Business – usually brisk on the weekend – was crawling at a snail’s pace.
“Maybe if they freeze his accounts I could still get the L$ back before he sells it,” Busch said. “He is still online, and able to talk on the DarkLife Players group even though he is not IN the group.” What are the odds that Linden Lab will step in and help in time? “It seems unlikely,” said Busch. Meanwhile, the ‘KA-CHING! KA-CHING! KA-CHING!’ sound of L$ falling into DarkLife coffers has fallen all but silent in Navora.
Wayfinder Wishbringer
Feb 28th, 2007
(I gotta start proofreading these posts. Spelling was awful. LOL)
IntLibber Brautigan
Feb 28th, 2007
Known Patriotic Nigra, aka /b/, griefer Chirp Chirnov, banned from SL, also now known as Enron Dagger, is likely behind this hack, as Chirp was first developing techniques for messing with weapons system messaging back in January, which enabled him to scan for the Laura Weapons System message channels used by Goreans, and to send them faked messages that killed his victims. This isn’t the first time someone has developed this particular hack, that I know of, but it’s the first time an outsider has used this ability for malicious purposes. The griefers do have the ability to scan millions of channels, and likely did use this method to hack into the system.
If Chirp isn’t directly responsible, it is likely he, as Enron Dagger, shared this information with others.
Mark Busch
Feb 28th, 2007
Thanks for all the informative comments.
LindenLab just informed me (of course AFTER I mailed them again asking for an update) that “the outcome of the investigation as it was determined to fall under the category of abuse”.
Nothing yet said about the actions that were taken. I am very curious if LL attempted to follow the ‘money-trace’.
It shouldn’t be very hard for them to do. Either the accounts still hold the L$ (in that case I assume it will be returned to my account), or he (or she? naaaa…) gave it to another Avatar. But in the end the money is either still in SL, or it has been sold.
If it was sold, the USD could still be in the ‘hackers’ account (again then I assume I will get it back), or it was deposited to a paypal or check.
In the last 2 cases there is little chance I’ll see the money again. The chance of getting this guy prosecuted might be small too, but it would be a good message to other ‘hackers’ if LindenLab would send their investigation results to the authorities of the ‘hackers’ country and/or his ISP, and announce it publicly. Hopefully that will at least give this thief some sleepless nights.
I also hope to hear soon what they did to prevent this guy from coming into secondlife again (and thus DarkLife) because he seemed determined to mess up as much as possible. He (or a friend), using the SL name ‘Takit Leavit’ even paid a DarkLife player to tell our moderators that he was a regular trustworthy DarkLife Player and messed up some darklife-accounts when he came in.
As for security, Yo Brewster is absolutely right, if I would use some sort of security on every piece of communication, the game would not run fast enough. Right now the current version is already too slow sometimes (our new release will be much better on that part) but really, as a game developer you don’t have the luxury of using theoretically good security schemes. If the game becomes too slow to be played then you might as well not build it at all.
In our new release I will use owner and creator checks as much as possible (in the hope that won’t slow it down too much) and I will also build more security checks that hopefully will detect hackers BEFORE they can do any harm. Also we will not use scripts anymore that give out money (that was already in the design, not a result of theft).
Also we already have a pretty good (but still too small) team of moderators who have proven themselves on the latest attack.
They will soon get instructions and tools to search for and ban griefers who try to abuse, cheat or hack on our SIM.
I am confident that, when we open up the game again, we are prepared for future attacks (unless LL does something awfully stupid like introducing another permission-bug).
shockwave yareach
Feb 28th, 2007
Dear Mark,
The security needs to be in place for financial transactions only. A better way to make your general system (combat, weapon use, etc) more secure is to change comm channels every day.
Have a one-way hash function to select the comm channel based on the date, have all the gear use that same function, and sniffing the thousands of channels becomes nearly pointless since the channel will change shortly. By adding the hour SLT to the mix, everyone can change channels simultaneously every hour instead of every day, meaning even a lucky detection of the channel has less than an hour to exploit it.
Mark Busch
Feb 28th, 2007
Thanks, that seems like a good idea!
However the llGetOwner and llGetCreator are also powerful security measures which should be included as well. When hackers get insight in your scripts (by accident, or by permission bugs from our dear friends at LL) they could look at your hash function, and talk on your channels anyway. Then it’s very nice that your scripts can still detect the false messages, and ignore them as well as inform you, so you can ban and report the abusers.
Also a small addition to your idea would be to slightly let the channel transition overlap. So for 1 minute or so your scripts will listen on both the old AND the new channel. This will allow more ‘relaxed’ checking of the time, and also could prevent loss of messages due to server lag.
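A sketch of the scheme discussed in the two comments above (an hourly channel derived from a one-way function, a one-minute overlap, and a creator check that records impostors), added here as an example and not DarkLife's or any commenter's code. It is a Python model rather than LSL; the secret, the creator key, the keyed hash (HMAC) in place of a bare hash, and the UTC hour index in place of SLT are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"    # assumption: shared by all game scripts
TRUSTED_CREATOR = "creator-key-demo"   # placeholder for the developer's avatar key
OVERLAP_SECONDS = 60                   # "1 minute or so" from the comment above


def channel_for(hour_index):
    """Map an hour (Unix time // 3600) to a negative 31-bit channel number."""
    digest = hmac.new(SECRET, str(hour_index).encode(), hashlib.sha256).digest()
    value = int.from_bytes(digest[:4], "big") & 0x7FFFFFFF
    return -(value or 1)               # never 0, the public chat channel


def listening_channels(now):
    """Current channel, plus the previous one during the overlap window."""
    hour = now // 3600
    channels = {channel_for(hour)}
    if now % 3600 < OVERLAP_SECONDS:
        channels.add(channel_for(hour - 1))
    return channels


def accept(now, channel, sender_creator, sender, rejected):
    """Accept only messages on a live channel sent by objects we created."""
    if channel not in listening_channels(now):
        return False                   # wrong or expired channel: never heard
    if sender_creator != TRUSTED_CREATOR:
        # Right channel, wrong creator: the channel has leaked. Keep evidence
        # (time, sender, channel) for a ban and an abuse report.
        rejected.append((now, sender, channel))
        return False
    return True
```

The creator check is what still holds once the derivation itself is known, which is the case Busch describes; the rotation only limits how long a sniffed channel stays useful.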
Wayfinder Wishbringer
Mar 1st, 2007
Those are both excellent suggestions. Especially the thought about the security system informing you if someone tries to hack the channel. Then you have proof positive that can be forwarded as an abuse issue (which will then of course, likely be ignored, but… LOL).
Mark Busch
Mar 1st, 2007
Will most likely be ignored, yeah (still haven’t heard anything from LL yet), but at least you can ban this person, and start thinking about how they got the channel number, and if they can abuse it another way.
Wayfinder Wishbringer
Mar 1st, 2007
Hey, that much is true. Although with all the unmoderated and uncontrolled alts running around, sim ban isn’t all that effective any more. Still, those are really about the shortest and most effective ways I can think of in handling such things. Except of course, for “shut the sucker down and make more reliable investments than SL”. XD
Mark Busch
Mar 2nd, 2007
Yeah, we’ve figured out a slightly smarter way to secure DarkLife from alt accounts, but I won’t go into details because we’ve yet to see how it works in practice.
Rock Ramona
Mar 2nd, 2007
Hey, I’ve got a great idea. If everyone came to play The Lord of The Rings Online, which will be opening up for open beta March 30th, then you wouldn’t have to worry about losing anything. I’ve played Dark Life and I admire the boys for what they did, where they did, and it makes me sad they got ripped off too, but LL doesn’t give a flip about it and they never will, so come have fun with me. Go to http://www.turbine.com for details and I’ll see y’all soon!!!