Owning Virtual Worlds For Fun and Profit
Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"
Someone virtually stole all my virtual money!
"Yes sir, we'll send some one right over. They will be wearing the white suits."
So...we were just told that with every new application comes a new series of security flaws?
That's what keeps the industry running!
Have you heard about SoylentNews?
A program that interacts with a virtual world in this manner is no different from a browser or other client. And clients have historically been a huge source of attack vectors. Now, what would be useful and unique - stealing the user's stuff by infecting the client or MITMing the connection at the client machine (between the client software and the network card.) The admins could easily pick up on this and trace the trail the simoleons/swords/whatever takes - but by then, they could already have been sold for real money to some poor guy who thought he got a great deal. Especially in Second Life, where it seems like transactions like that can take place very rapidly.
Emotions! In your brain!
SecondLife didn’t balk when they embedded a malformed QuickTime media file on their pink cube?
Even 4chan scans .jpeg files for embedded RAR archives... how hard is it to figure out that a QuickTime file’s structure is invalid?
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
You're thinking too small and short term...
The sky's the limit once you gain a foothold on the user's machine.
You can do A LOT if you don't do anything too noticeable or damaging or too much at once.
And many people play games from their work machines. Or from the inside of their 'secure network'.
Seriously, the media seems to have a massive hard-on for Second Life because they think it is the way the Internet ought to go. In reality Second Life is a pretty substandard MMO with very few players. Why the hell do the fluff stories about it make Slashdot front page news?
Goes double since it sounds like this problem is fairly unique to SL. If you start seeing this in WoW and Aeon and EVE and so on then that's a story. However this is just a case of a poor excuse for an MMO having poor security. This would be the same as posting "Hey, Cadence SBP 16.3 has a security vulnerability and you need to upgrade to 16.3.014!" Nobody gives a shit, at least not enough people for it to be worth front page Slashdot. I understand if there's a security issue in a major OS, or an app that is widely used, but in SL? Who cares? Not enough people to make it /. worthy I'd think.
No quicktime for Linux :p
I thought we already knew that.
Am I part of the core demographic for Swedish Fish?
what about the IRS and profit? IP rights are one thing but you still own the tax on them.
Not "track of land".
It is just a URL that you enter into a field in the in-world parcel data. The simulator hands it to the viewer (client/browser) and tells it to play that and put it onto a texture that is drawn on a 3D surface. The viewer hands the URL to Quickslime, which then plays it. SL's backend never sees the video file/data, as it is directly downloaded from the target host specified in the URL.
I suppose you could argue why don't they run some kind of scanner on the URL before allowing it to be posted. Of course, that is pointless for any number of reasons, including:
1) There is no scanner to check all possible video formats that Quickslime plays, nor one which is foolproof in terms of detecting vulnerabilities.
2) Since the file/data is not hosted by Linden Lab, a single scan would be useless, as an attacker could put up a valid file, run the scan, then replace the file with a malicious one anytime afterwards.
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
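As an added illustration of the two points raised in this thread (that a QuickTime container's framing can be checked for consistency, and that a one-time scan of a URL hosted outside Linden Lab is defeated by swapping the file afterwards), here is a small Python example. It is not code from the thread, from Linden Lab, or from the Second Life viewer: the atom walker only checks size/type framing of QuickTime/MP4 atoms, the "remote host", the URL and all media bytes are constructed in memory, and the hash-pinning fetch is one assumed mitigation for static files, not anything the viewer does.

```python
"""Added example, not from the Slashdot thread or from Linden Lab.
Checks QuickTime/MP4 atom framing, then shows why a posting-time scan of a
remotely hosted file is defeated by a later swap, and how pinning the hash of
the scanned bytes lets the downloading side notice. All bytes are constructed."""
import hashlib
import struct

# Container atoms whose payload is itself a sequence of atoms (subset).
CONTAINER_TYPES = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}


def check_quicktime_atoms(data: bytes, base: int = 0) -> tuple[bool, str]:
    """Walk atoms: 4-byte big-endian size + 4-byte type. size 1 means a 64-bit
    size follows; size 0 means 'to end of data'. Reject any atom whose claimed
    size is smaller than its header or larger than what is actually left."""
    pos, n = 0, len(data)
    while pos < n:
        if n - pos < 8:
            return False, f"truncated atom header at offset {base + pos}"
        size, kind = struct.unpack(">I4s", data[pos:pos + 8])
        header = 8
        if size == 1:
            if n - pos < 16:
                return False, f"truncated 64-bit size at offset {base + pos}"
            (size,) = struct.unpack(">Q", data[pos + 8:pos + 16])
            header = 16
        elif size == 0:
            size = n - pos
        if not all(0x20 <= b < 0x7F for b in kind):
            return False, f"non-printable atom type at offset {base + pos}"
        if size < header:
            return False, f"atom {kind!r} at {base + pos} claims size {size} < header"
        if size > n - pos:
            return False, f"atom {kind!r} at {base + pos} claims {size} bytes, only {n - pos} left"
        if kind in CONTAINER_TYPES:
            ok, why = check_quicktime_atoms(data[pos + header:pos + size], base + pos + header)
            if not ok:
                return False, why
        pos += size
    return True, "ok"


def atom(kind: bytes, payload: bytes = b"") -> bytes:
    """Build one well-formed atom (constructed test data helper)."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


# Constructed samples: a consistent file, and one whose moov atom claims far
# more bytes than exist (the kind of length lie a structural check catches).
GOOD_MOV = (atom(b"ftyp", b"qt  " + b"\0" * 4)
            + atom(b"moov", atom(b"mvhd", b"\0" * 100))
            + atom(b"mdat", b"\xff" * 16))
BAD_MOV = atom(b"ftyp", b"qt  ") + struct.pack(">I4s", 0x7FFFFFFF, b"moov") + b"\0" * 16


class FakeHost:
    """Stand-in for the third-party web host named in the parcel media URL;
    its content can change at any time after the scan."""
    def __init__(self, content: bytes):
        self.content = content

    def get(self, url: str) -> bytes:
        return self.content


def approve_url(host: FakeHost, url: str):
    """Posting-time scan. Returns the SHA-256 of the bytes that passed, or None."""
    content = host.get(url)
    ok, _ = check_quicktime_atoms(content)
    return hashlib.sha256(content).hexdigest() if ok else None


def viewer_fetch_unpinned(host: FakeHost, url: str, approval):
    """Trusts the earlier approval and plays whatever is served now."""
    return host.get(url) if approval else None


def viewer_fetch_pinned(host: FakeHost, url: str, approval):
    """Assumed mitigation: re-hash at download time and refuse on mismatch."""
    content = host.get(url)
    if approval is None or hashlib.sha256(content).hexdigest() != approval:
        return None
    return content


def demo() -> dict:
    url = "http://media-host.example/clip.mov"  # constructed placeholder URL
    host = FakeHost(GOOD_MOV)
    approval = approve_url(host, url)     # scan passes on the benign file
    host.content = BAD_MOV                # file swapped after the scan
    return {
        "approved": approval is not None,
        "unpinned_got_bad": viewer_fetch_unpinned(host, url, approval) == BAD_MOV,
        "pinned_refused": viewer_fetch_pinned(host, url, approval) is None,
    }
```

The framing check rejects containers whose atom sizes contradict the data, which is cheap and catches many malformed files, but it says nothing about what the decoder does with a structurally consistent payload, so it is not a vulnerability scanner. Hash pinning closes the scan-then-swap gap only for static files; a live stream changes constantly, so for streaming media the controls left are the client-side check and, as the thread notes, disabling media playback.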
They don't care what you bought and sold, they want to know you did it and how much you made from it.
Then they want you to add that to your AGI and pay tax on it.
If you buy a virtual item for real money, then sell it for more real money, you are legally required to report the difference as income to the IRS.
Bartering virtual items (gold, swords, etc.) for each other is no different. You take the value you got for it, subtract the value you originally paid for it, and that's your income from the trade, which you have to report (in dollars, not quatloos) on a 1099-B for the year you made the trade. The tricky part is defining the value of something you've never seen traded for real items.
I think the IRS or other relevant tax collection agencies (depending on the country) has yet to pounce on the players of SL's virtual revenues, or we'd have read about it in the conventional dead tree tabloids as a scandalous tax dodge or money laundering scheme by now. Going to be interesting to see what happens if or when they do.
As far as I know (disclaimer: I am not on second life) the tax is rolled into the currency exchange.
If you then buy stuff in game with it, you've already paid sales tax on it by buying the virtual currency, just as you don't have to pay some sort of value-acquisition tax when you get a new sword in WoW because that's part of the game that you paid (and were taxed) for with the monthly subscription fee.
My guess is that the few people making a profit off of selling things in second life (and I doubt there are very many at all, especially in this economy, and especially since if I recall, anything over $100 game dollars is considered crazy expensive, and the exchange rate is something like 1 real dollar to 1,000 game dollars) do owe taxes, and they probably haven't paid because the law is always very slow to adapt to new technology. That's why you can still buy stuff on the internet without paying taxes on it. You're supposed to, but the government hasn't implemented a system to track when you buy something online.
"I disagree with you" does not equal "flamebait."
To expand on what I said above, I don't think that's going to happen. What is the point of going after taxes on purchases which most likely average a couple bucks or less? The government would spend much more tracking and prosecuting people "evading" taxes than they would take in.
Here's what happened in one of Linden Lab's internal IRC channel today...
[16:42] [Linden001] hey, we made slashdot: http://it.slashdot.org/story/10/08/18/2154207/Owning-Virtual-Worlds-For-Fun-and-Profit
[16:45] [Linden002] fascinating.
[17:11] [Linden003] besides, we enforced the patched version of QuickTime to close this exploit.
[17:12] [Linden003] there is no mention of that in the article either.
[17:14] [Linden003] he's writing about ancient history here (2007) -- it must be slow in the internet security guru business.
Personally, I think a heck of a lot more vulnerabilities like this could be found and/or located if there were a decent, free (as in beer) disassembler out there. You would think that the industry giants would be more than willing to donate funds to such a project, yet I have yet to see anything such as this out there. Now, some of you might say, "Well, just jump on the IDA Pro bandwagon." My answer: "Easier said than done." The IDA folks _require_ you to be associated with a business when purchasing the program, where they can track your every move, mainly because they are paranoid that they might "accidentally" sell their software to a software cracker. The funny thing about this is that most crackers wouldn't even bother purchasing the program and just bittorrent the thing to begin with for free. Anywho, my solution is this: start an open-source-disassembler project, which will hopefully attract industry donations, and then offer users of the software incentives for locating vulnerabilities, such as cash rewards (based on severity), free commercial software/hardware, etc., and maybe we might just be instrumental in creating more security experts in the not-too-distant future.
I eat spaghetti code out of a bit-bucket while sitting at a hash table, and I pay for the meal with cache!
The bad news was that due to a quirk in the way the virtual world was architected, the malicious file was downloaded straight from the attacker to the victim without going through the Second Life servers.
I'm a security researcher too and I use the Second Life platform all the time; how am I supposed to take this guy seriously after he says that? It was purposely designed this way, it's just a normal HTTP client to server relationship.
No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited.
You're an idiot, the entire exploit requires the multimedia vector to be open, by disabling media you close the vector. This is true whether it be Media-On-A-Prim or Streaming Media via QuickTime.
The good news about this exploit was that you couldn’t take the “exploit” to other parts of the virtual world. The multimedia is associated with the piece of land and not the object itself. So you couldn’t just litter Second Life with little exploit cubes.
I'm assuming you are not talking about Media-On-A-Prim because that's exactly what you can do, in fact, I've developed a PoC attachment which harvests IP addresses of everyone you walk past who has Media-On-A-Prim enabled.
The exploit may be something that another avatar whispers to you or an object they hand you or it may be a particular place in the virtual world. Unlike most typical computer attacks, your avatar will be able to see and interact with the “exploit”.
Ideally, if you were exploiting people in world via the Media-On-A-Prim vector or Streaming Media you'd want the victim to not interact with it at all, let alone see it, else you increase the risk of discovery.
[Victim] Oh! Shiny!
*Victim is now a drooling idiot*
A small, insignificant niche game that practically nobody plays. For some reason, the press loves it though.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
We get this a lot; there are many images out there that'll make QuickTime crash. We have an image board for showing things we're talking about, and when we hit a "bad" image all the Windows users disappear (crash) at the same time. A responsible Linux or Mac user then removes the image so they can return ;)
Second Life isn't a traditional MMO, it's a virtual world with no real point other than exploration and socializing, or crafting and building. The things SL is good at, it is UNEQUALED at. A huge fantasy world where you can create almost anything you can imagine, or do anything you can desire, with little or no supervision. The most wide-open game ever, maybe that ever will be. But hey, feel free to sneer at it as "not an MMO" between pork rinds and sips of Mt. Dew... it's just more interesting to read comments from people who actually know what the hell they are talking about.
Just 2 short years ago, I knew several players that were generating some decent income from a game. 1 guy was pulling in $1000 USD per month. 2 women I knew built hair; between them they were pulling in nearly $4000 USD a month, and they ended up pulling in enough per month to lease their own entire sim.
I am Bennett Haselton! I am Bennett Haselton!
This exploit they are talking about has been in this game and known about for nearly 5 years.
As far as I know (disclaimer: I am not on second life) the tax is rolled into the currency exchange.
...... anything over $100 game dollars is considered crazy expensive, .....
Erm... wrong. I am on Second Life and 100 Lindens don't get you much. A lot of the stores/vendors, even in this economy, do very very well indeed.
I DJ on Second Life so I don't have to buy any Linden dollars, and the average tip from each person who wants to tip you is 100 Lindens, but it has been known to go as high as a thousand on a single tip... doesn't sound like much? Well, I get maybe 5-6000 Lindens over a 2 (sometimes 3) hour DJ slot.
Multiply that by the 6 slots I do per week in two different clubs and it's not bad at all.
I occasionally buy stuff to wear, but generally I save it and cash it in at First Meta Exchange for real-world cash, and it goes to my PayPal account.
I do this every 3 months, which works out at sometimes around $360 USD a quarter. I would be MOST put out if someone used an exploit to remove my Lindens from my SL account; however, even at that, every time it goes over 20,000 Lindens I transfer the 20,000 to the FMX account to await my quarterly "cashing in".
It buys me geek toys and has come in handy on a few occasions when it has helped pay part of a larger purchase.
However, 100 Lindens, which you reckon is expensive, really... REALLY isn't at all; it's just one step up from the freebie store stuff, and mostly, but not all the time, those are not the best of items.
That was a typo - I meant $1,000 lindens.
Regarding what you make, that's great, but if the exchange rate is still roughly 4 bucks to $1,000 lindens, then you're making 8-12 bucks an hour. Decent for playing a video game, yes, but hardly a living wage, especially since I doubt the virtual clubs provide employee health insurance ;)
At any rate, $360USD a quarter is nice for an individual who wants to buy a toy at Newegg, but from the government's perspective, they'd probably spend that just in employee wages if they went after people for it. There's a lot of tax violators out there who are violating to the tune of tens if not hundreds of thousands of dollars. It makes a lot more sense to go after the larger dollars than to waste time (and money) chasing chump change.
Just two short years ago, "the fundamentals of the economy" were "strong," the housing market was on the rise and, according to bankers, would never stop rising, and people actually had money to spend (even if it was borrowed from Visa). I'd be surprised if the 2 women you're talking about are still selling $4,000 worth of hair drawings per month.