Slashdot Mirror

← Back to Stories (view on slashdot.org)

Crime Wave Thwarted in Second Life

Posted by Zonk on from the watch-what-you-walk-near dept.

Ponca City, We Love You writes "The Mercury News reports that a vulnerability in the way Second Life protects a user's money has been identified. Risks for users are reportedly limited because the researchers say the flaw can be quickly patched. The flaw exploits a known problem with Apple's QuickTime - when a virtual character passes by an infected object planted by hackers, the Second Life software activates QuickTime so it can play the video or picture. Hackers can direct the Second Life software to a malicious Web site that then allows them to 'take over the user's avatar and force it to hand over its Linden cash. Second Life is recommending that users disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue.' The hack raises tough questions for operators of virtual worlds. Should they be as secure as banks and guarantee the safety of money and property that characters in the world possess?"

34 of 183 comments (clear)

  1. short answer - No by timmarhy · · Score: 3, Insightful

    It's not real people. look after your actual life for a change....

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:short answer - No by sqrt(2) · · Score: 3, Insightful

      Yeah! I can't even imagine what kind of losers would spend that much time on a website.

      I've never actually seen this "Second" life, and I can't imagine why people would spend real money on it, but apparently a lot of people do. It must be worth it to them for the entertainment value.

      --
      If you build it, nerds will come. Soylentnews.org
    2. Re:short answer - No by SJ2000 · · Score: 5, Insightful

      "Real worlds and virtual worlds don't mix" Alert the eCommerce sites, eBay better shutdown now.
      Can't have the virtual world mixing with reality can we?

    3. Re:short answer - No by iminplaya · · Score: 5, Insightful

      What kind of real items are you buying in Second Life? Furniture for your house? Food for your stomach? Yeah. That virtual steak sure was tasty. Clothes for the kids? He's not barefoot. He's got his shoes right there on his USB stick. Can't you see them? The frostbitten toes are just his imagination. IT"S A GAME! If somebody cheats, kick them off, undo, and move on. Jeeze, do you call the cops if someone doesn't pay the rent when he lands on your "Park Place"? Oh, I can see the Nigerian scam now. There's 3000 dollars in un-collected "GO" money. If you send me just $49 and your credit card number and bank account number, I'll send it right to you in six to eight weeks. Will my get out of jail cards work when the cops mash my door down and bust me with my bag of weed? You are crazy.

      --
      What?
    4. Re:short answer - No by SJ2000 · · Score: 2, Insightful

      I'm just tired of people's crap about SecondLife when all they appear to know about it is crap they read, experience it properly then I'll respect your opinion. If this isn't the case then speak up, currently your analogies don't even parallel was occurs in SecondLife. All I did was take apart your previous post and rebutted, not really much to it other then that. What didn't you understand? I'll rephrase it

    5. Re:short answer - No by walt-sjc · · Score: 3, Interesting

      Yes, Linden dollars do equate to real dollars. You can buy them, or you can create them by creating objects people buy or offering a service that other people pay for. Why do people buy? It's part of the game. Nearly every game out there costs money. Many are subscription. SL is similar. You can always play and not spend any real money at all. as most places to visit are free, and there is plenty of free items out there.

      It's entertainment. People are willing to pay for entertainment.

    6. Re:short answer - No by ronadams · · Score: 3, Insightful

      Except that real money is involved in Second Life. There's more to it than just a game -- when money can be made and lost, the stakes and consequences are higher.

      --
      Appended to the end of comments you post. 120 chars.
    7. Re:short answer - No by sqrt(2) · · Score: 2, Insightful

      If I was spending real money on a hobby, I'd expect a reasonable amount of security. Don't even think farther than that. When you spend money online, don't you want it to be secure? That's the issue.

      I'm sure there exists casual SL players. Probably some that play even less than you spend on slashdot. You can easily spend hours and sink tons of real money on any hobby, if people want to throw it away on a virtual world that's their business. Some people play WoW, I can't understand that either, but a lot of my friends play it and really enjoy it. It's worth the time and money to them because it's enjoyable. Wouldn't be to me, and I'm guessing not to you either, but that's why we're not WoW subscription holders. If I was though, I'd expect a certain degree of security when handling my transactions, credit card info, and account.

      --
      If you build it, nerds will come. Soylentnews.org
  2. an alternate, and more entertaining solution by User+956 · · Score: 5, Funny

    Risks for users are reportedly limited because the researchers say the flaw can be quickly patched.

    Yes, well, the other solution to this flaw is to simply spend all your money on entrance to the tentacle hentai simulator.

    --
    The theory of relativity doesn't work right in Arkansas.
  3. Not-so-virtual by Calydor · · Score: 5, Insightful

    The hack raises tough questions for operators of virtual worlds. Should they be as secure as banks and guarantee the safety of money and property that characters in the world possess?"

    Considering that you buy Lindens with real currency, then yes. Yes, they should be just as secure, since it's real money you're dealing with.

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re:Not-so-virtual by icepick72 · · Score: 2, Insightful

      But I buy monopoly money with real money and there's no need to guarantee the safety of it because I've purchased play money. Linden dollars don't do anything either outside the context of a game. You have your virtual and real worlds mixed up.

    2. Re:Not-so-virtual by cos(0) · · Score: 3, Insightful

      You can buy anything with currency. The real test might be, does the government have an interest in protecting the integrity of Linden currency to the extent of US currency?

      Alternately, can one buy US currency with Linden currency? However, this test would merely cause theft of Linden currency to be a crime with "real" damages; it would not require the storage and management of currency to be as secure as with banks.

    3. Re:Not-so-virtual by SJ2000 · · Score: 5, Informative

      Yes, you can using Linden Labs own exchange to turn US$ to L$ vice versa. Look on their website

    4. Re:Not-so-virtual by bob.appleyard · · Score: 2, Insightful

      No guarantee of safety? If someone steals your property (ie. the game or its fake money) would the poilce not deal with it as theft? It's exactly the same thing with Second Life, someone buys a product (game money) and that is taken from them without consent. Just because you don't value their property doesn't mean it has no value.

      --
      How dare you be so modest!! You conceited bastard!!
  4. Old recommendation, Quicktime prob killed soon by AySz88 · · Score: 5, Informative
    If you take a look at the Second Life blog, you'll see that the referenced recommendation was from a couple of days ago (November 30). A paragraph in the blog seems to say that if LL starts noticing exploits, they'll kill all QuickTime on the grid and maybe roll back exploit-induced transactions - expect this to happen soon.

    We do have the ability to turn off all videos on the grid, but have instead chosen to respect the existing in-world content and experiences which rely on streaming video, as we know that many of you enjoy these. We do recommend that you employ caution when using QuickTime in Second Life, only enabling it in environments that you trust, and are familiar with.

    We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker. This will include account termination and legal action if appropriate, as well as the appropriate assistance for affected Residents.
  5. Re:I'm sorry by Deltaspectre · · Score: 2, Interesting

    On a weird side related note, after posting that I noticed Firestarter was flashing red and 16 attempts on various ports from an IP that resolves to slashdot.org were recorded... What gives for that?

    --
    My UID is prime... is yours?
  6. Real life banks are not secure. by WK2 · · Score: 4, Insightful

    Real life banks are not secure. They are just as likely to be hacked as any other web site. In the U.S., they are FDIC insured, though.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    1. Re:Real life banks are not secure. by twistah · · Score: 3, Interesting

      Well, that's true, but there are lot of regulations in the U.S dealing with bank security. Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA) which deals with customer information and several others must be complied with. Other countries have them too; for example, J-SOX is Japan's SOX equivalent. This means that the bank gets audited, often by two sets of outside auditors, which helps security at least somewhat. Most banks and credit unions also often go through penetration tests and vulnerability assessments, if only to keep their examiners happy (as in, the NCUA, OTS, or whoever they happen to be chartered with.)

      It's interesting to consider how these things may apply to Second Life and Linden Labs. At some point, some regulation must come into play. For example, if credit cards are processed, they must comply with the credit card industry's PCI standards. I am not saying compliance with these various regs is an answer to their problems, I just think it's interesting to consider how these apply to something non-traditional like SL.

  7. SL's economy is a giant sinkhole anyway by Carbon016 · · Score: 5, Insightful

    As someone who has been quite directly involved in Second Life (or at least griefing it), I know SL pretty thoroughly, and I especially know there are two attractions to Second Life: sex and money. They're readily interchangeable, and they're the only reasons anyone uses it, despite claims to the contrary by media-whorish Linden Labs. You're either renting land, throwing cash into a bizarro stock market, or going to a furry cybersex sim. News about security problems is common because there's so much money going through the system and a lot of people looking to exploit it, as well as a wealth of disorganized, terrible code.

    A bank called "Ginko" that recently went insolvent sent shockwaves through the economy lately. Yes - there are Second Life banks, (multiple) Second Life stock exchanges, and all sorts of economic institutions: however, the operators of these venues often don't know the difference between an interest rate and their shoe so most people that end up dumping their funds into them lose all their money. Some people have thousands if not tens of thousands of dollars tied up in the game. As the Linden (the currency of Second Life) is not based on anything, Linden Labs simply dumps currency into the market whenever they feel like it. So economic problems are pretty common. Guaranteeing anything is a difficult proposition for the companies running the games: most have simply said "the *unit of currency here* is not money, nothing is guaranteed" to avoid lawsuits when someone messes up and loses a grand because a sim went down. So it's a dangerous game and the only real winners in "investing" in Second Life are LL.

    1. Re:SL's economy is a giant sinkhole anyway by RichardX · · Score: 2, Informative

      My most insincere apologies for undermining your point of view, but I use Second Life for reasons which do no include sex or money. To me, it's like Lego, but even more fun in many ways. You can build 3D objects, with an extremely limited toolkit where somehow the limitations make it more fun, and then you can give those objects behavior via scripting. Then it gets really fun when you share in those objects with other people you meet there.

      Oh noes. What's that you say? There are furry tentacle-rape freaks on SL? Guess what? I don't care. They don't bother me, and I don't bother them. Personally, I've had a lot of fun on SL which has had nothing to do with sex or money... but don't let my little anecdote get in the way of your rant.

      --
      Curiosity was framed. Ignorance killed the cat.
    2. Re:SL's economy is a giant sinkhole anyway by cruachan · · Score: 2, Interesting

      Well all this says is that you're a not very nice person who is obsessed by being an asshole (griefing), sex and money. Of course there are loads of people in SL doing the cybersex thing, and if that's what you go looking for then that's what you'll find. But it's a bit like going to Amsterdam, just touring the red light district, and then concluding everyone in Amsterdam is just interested in buying and selling sex.
      Myself I run a quite profitable RP-orientated design business which nets me around USD$500 a month. I don't earn at real-life pay rates, but SL has basically replaced the time I used to spend playing other games and the like, so I now have entertainment that pays me :-). Most of the people I deal with are there for entertainment in various forms, and certainly not the cybersex obsessed griefers you hang with.

    3. Re:SL's economy is a giant sinkhole anyway by Jesrad · · Score: 4, Informative

      "You're either renting land, throwing cash into a bizarro stock market, or going to a furry cybersex sim."

      In three years sent in Second Life I have not done any of this. I must some weird and very persistent aberration, then. Or maybe you're just wrong.

      "As the Linden (the currency of Second Life) is not based on anything"

      It is based on the USD, and maintained at a rather fixed rate by LindenLab acting as a central bank. It's not perfect, but it has worked remarkably well so far.

      "Linden Labs simply dumps currency into the market whenever they feel like it."

      No, they sell some L$ only when they rate drops under 265 L$ per 1 USD to maintain the rate, and they buy back the L$ when the rate goes higher than 266 L$ per 1 USD (though they apparently never have had to do that). That's not "whenever they feel like it".

      "So economic problems are pretty common"

      Err, no. The L$ has been exceptionnally steady ever since LL introduced the measures I pointed out above, and the vast majority of players have zero problems with it. Only those who want to play games with their money and that of other people are taking risks. You're obviously confusing economy with finance if you conflate financial institutions like the "banks" and "stock exchanges" with the economy itself. But then, that's to be expected on a technology-oriented website like /.

      --
      Maybe we deserve this world ?
    4. Re:SL's economy is a giant sinkhole anyway by ronadams · · Score: 2, Informative

      Being some random griefer who sends flying phallic objects across the Metaverse doesn't make you an expert in anything except flying genitals. So let's step through your insolent propaganda point by point.

      1. "...they're [sex and money] the only reasons anyone uses it [Second Life], despite claims to the contrary by media-whorish Linden Labs."
        Perhaps you're not aware of the number of corporate entities using Second Life, not even for direct profit, but simply as a platform to deliver product information, such as Sun Microsystems, or the educational institutions using it as part of a prototype distance learning initiative, such as Bowling Green State University. Maybe you're not aware of the high-profile full-time businesses in Second Life, or the many, many articles reputable business publications have written noting the unique opportunities that exist in SL. There's much more than just sex and money. As in real life, there is entertainment, education, experimentation and economy. You know little about these because you spend all your time making the experience inconvenient for others.
      2. "A bank called "Ginko" that recently went insolvent sent shockwaves through the economy lately."
        This was no surprise to anyone not stupid.
      3. "As the Linden (the currency of Second Life) is not based on anything, Linden Labs simply dumps currency into the market whenever they feel like it."
        A quick look through the SL Economy metrics and blogs shows you're full of it. There is an actual regulation to the currency in SL, you're just ignorant of it.
      4. [Your last statements]
        Again, your ignorance shines through. Do you do any investing in the real world? Do you know what happens when you invest 100k in prime real estate in California and an earthquake devastates it? Unless you took out insurance of some kind with an organization who certainly makes more than they will ever put out (on a sidenote, there are investement insurers in SL), you are SOL. Linden is careful to use the terminology "unit of trade" for the Linden dollar, because the Metaverse is not a seperate governmental body, has no legal jurisdiction in the real world, and wants to avoid the IRS putting their grubby mitts any further in. If you are foolish enough to make an unwise investment in SL, then, just as in real life, you learn that a fool and his money are soon parted.

      In conclusion, please know what the hell you're talking about before you respond. And stop griefing the Metaverse, it's obnoxious.

      --
      Appended to the end of comments you post. 120 chars.
  8. Re:I'm sorry by deftcoder · · Score: 3, Interesting

    Anti-spam thing.

    Every time I post on Slashdot, it takes forever for me to Submit the post, because I get probed on a few ports (which timeout).

    They're ports commonly used by proxies and such.

    --
    Peace sells, but who's buying?
  9. omgwtfbbq by slyn · · Score: 3, Interesting

    Ummmmmmm...

    Can someone explain to me why Quicktime is so fucked up? I'm dead serious, and I ask this as a mac user.

    It seems like all the time there are new exploits for all different types of services (firefox exploits, myspace exploits, this, etc.) with one thing in common: It's not [necessarily] the services fault, it's Quicktime's. Is there something about the architecture of Quicktime that makes it particularly exploit friendly? Or does it not do enough checking to see if the file is malicious? Is Quicktime crack-friendly on both platforms or is it a shitty port like iTunes for windows and thus mostly windows only exploits?

    I tend not to use Quicktime because it takes to long to load movies, (unlike VLC, which "streams" them and so it begins playing them almost immediately), but if any more exploits begin showing up for Quicktime, I may seriously consider not using it at all.

  10. Re:I'm sorry by wertarbyte · · Score: 4, Informative

    Every time I post on Slashdot, it takes forever for me to Submit the post, because I get probed on a few ports (which timeout).
    Set your packet filter to REJECT instead of DROP. Dropping packets i usually a bad idea and sounds like some kind of obscure desktop firewall in "stealth mode".
    --
    Life is just nature's way of keeping meat fresh.
  11. This comes from a BLOG owner by SmallFurryCreature · · Score: 4, Interesting

    Can I tell you a little secret about life? It is pointless.

    You are born, you die. In between you have to work a lot of hours to... well to postpone the dying part or at least make the dying part less unpleasant.

    Luckily, in the west we have become good enough at postponing death that we have some spare hours in our days. So we got to waste them, some watch sports, some have sex, some read books and some play games.

    It is ALL useless.

    Blogging got to rank near the top of most useless activities and as such you are in no position to critize second life players. You are a pot, so keep quiet about the color of kettles.

    I wish people were a little bit more honest about their personal time wasters. Friend of mine follows all the soccer tournaments in the world, yet thinks playing games is a waste of time. Eheh.

    Stop blogging mate and save the world or accept that you are wasting your time just as much as people who care about some silly online game.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  12. In a Related News Story by poena.dare · · Score: 3, Funny

    In a Related News Story... Police are still trying to explain how one million iPhones with infected copies of QuickTime have managed to induce their owners to foolishly hand large sums of cash to complete strangers. "What's especially troubling," confided one investigator, "is that we can't get 10 feet into an Apple Store before our team members are compromised!"

  13. Re:I'm sorry by deftcoder · · Score: 2

    Or netfilter rules with a DROP policy. :)

    I am only forced to use Windows at work. :/

    --
    Peace sells, but who's buying?
  14. Re:an alternate, and more entertaining solution by CronoCloud · · Score: 2, Informative

    Anonymous coward is telling the truth. I've seen one that someone made. Pictures? Wouldn't you like to know. :-) But this might be a location to check out:

    http://slurl.com/secondlife/bel%20Highland/171/143/33

    Should be near where you can get the baby unicorn. NSFW link:

    http://www.secondlifeherald.com/slh/2007/09/afternoon-delig.html#more

    It might be a custom thing though so it might not actually be there.

  15. It gets worse. All QuickTime files now threats. by Animats · · Score: 4, Informative

    This isn't a Second Life problem. It affects all QuickTime players. QuickTime has a recently discovered vulnerability which allows it to be used as a way to inject executable content into the user's machine. This can attack far more than Second Life.

    See US CERT Vulnerability Note VU#659761 -- Apple QuickTime RTSP Content-Type header stack buffer overflow. "Apple QuickTime contains a stack buffer overflow vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service condition. ... We are currently unaware of a practical solution to this problem.. ... "Note that QuickTime is a component of Apple iTunes, therefore iTunes installations are also affected by this vulnerability. We are aware of publicly available exploit code for this vulnerability. Testing indicates that QuickTime versions 4.0 through 7.3 are vulnerable on all supported Mac and Windows platforms."

    CERT suggests disabling all the ways QuickTime can be launched:

    • Block the rtsp:// protocol
    • Disable the QuickTime ActiveX controls in Internet Explorer
    • Disable the QuickTime plug-in for Mozilla-based browsers
    • Disable file association for QuickTime files

    This vulnerability was first published on November 23, 2007.

  16. Opportunity by raftpeople · · Score: 2, Funny

    If the goal is simulating real life, the solution is: An Insurance Company!

    Possibly, Lloyds of Linden?

  17. To those asking... by achenaar · · Score: 2, Interesting

    "does anyone really play this thing?"
    The answer is yes. A few. Enough.
    When I first made my Second Life account one bored weekend many moons ago, I was just checking to see if any VR style system had anything going for it. I'd been wandering from one MMO to another looking for some escapism and mostly just finding frustrating grind fests and vacuous time wasters.
    I was initially pretty unimpressed by the graphics but eventually I started to see *past* the visuals and started visiting classes to teach noobs how to get along in SL. (Thanks again Bob Bunderfeld)
    Then it clicked. It wasn't about playing a game any more. It was literally a creative medium.
    Take, for example, WOW. I liked it, it was fun. Smiting hordes of enemies, chatting to the other players. Good times were had by all. But the investment of time weighed in heavily and I realised that if I wanted to have any of the perks that high level characters get I'd need to play the damn thing every hour of my life for weeks.
    When I started in SL I was a huge noob with respect to how the system worked but I had other skills. I wasn't too bad at 3d modelling (lightwave, maya et al) and I'm a pretty decent coder. The thing I found is that I could use those skills to help form my identity in SL. I started out building models of things, then tried my hand at scripting. Before long I'd built a fairly decent smoke machine that I went around selling to club owners for their dancefloors.
    I started writing scripts for commission and I made a bit of money from it. Not huge dough but enough to make me feel like I was spending my time having fun/being productive at the same time.
    There's a lot more to SL than 3d IM, although for a lot of people that's all they'll use it for. You can build and script and texture and sell and buy all sorts of things.
    For instance, my missus makes horses in SL (Hoof It!) to sell to folks and together we've made some pretty neat products. She builds the horses and textures them and I script them so they can be ridden and rear up and poo and make noises and suchlike.
    Try doing that in WOW.
    Seriously though, if you've got some free time, just give it an hour or two and you might find quite a lot to love about Second Life.

    Regards,

    Achenaar

  18. You should turn streaming off by default, anyway. by argent · · Score: 2, Informative
    You should turn off streaming media and automatic loading of web profiles by default.

    Not just because of this, but because it reduces the security of the SL client, in a number of ways.

    First, there's vulnerabilities in the plugins and the browser software. Yes, they're using a pretty secure browser based on Gecko, without user-loaded or downloaded XUL components, but still these are complex programs that you really don't need. About the only web-based technology in SL that's reasonably safe is the new search... since it's generated by Linden Labs, and they have better avenues of attack. :)

    Second, If you look at the Linden blog on this, you see that one of the messages reads:

    Way to go LL, help griefers some more why dont you? Using video streaming to IP log griefers as they crash sims is one of the important ways to fight griefing and document who the real abusers are. Eliminating this ability only helps griefers, much as your stupid idea to enable people to hide groups. Far more than helping to get rid of griefing or give us more security features, you keep enabling griefing with your stupid decisions like this one.
    There are SL "landowners" using streaming audio and video to track visitors by their IP address. This allows them to cross-reference addresses and identify players living in the same household, players with multiple accounts, people playing from work, and so on. And these kinds of "web-bugs" inside SL can not only get the "landowner" a pretty reliable ID for you (your account name), they can also distinguish whether users you're "verified" by a credit card or paypal.

    This kind of tool is useful to track griefers, I guess, but anyone who "owns" land in SL can do it... including those charming guys with their spammy ad-farms. :)