
December 06, 2007

Sussy McBride Robbed of L$12 In Broad Daylight!

Alleged thief Pwned Naglo still at large

by Pixeleen Mistral, 3rd shift news desk

Macnn reports that Charlie Miller and Dino Dai Zovi have proven that a recent Quicktime video vulnerability can be exploited to steal L$ spacebucks from other players - if those players walk in the wrong part of town with streaming video enabled. In light of this news it is unclear why Linden Lab has not disabled the exploit by turning off Quicktime video in-world - perhaps the Lab is willing to tolerate street crime to avoid interfering with various clubs and media events?

In the video, notorious Pwned Naglo is caught in the act of stealing L$12 from Sussy McBride. A tragic victim of a lawless world, Ms. McBride happened to wander into the wrong plot of land - a plot where a video stream was delivering a payload of pain - hijacking Sussy's avatar and forcing her to hand over her virtual purse's contents to Mr. Naglo. Experts speculate that Naglo may have robbed Sussy to raise money for an updated look to his rather drab default Linden furry avatar. If this sort of robbery by compulsion is now possible - what will prevent the criminal elements from taking more serious liberties with their victims?

Will this sort of street crime never end? Who will protect the hard working residents of the grid from the foul furry criminals - criminals that give all fur avatars a bad name? The Herald calls on LL to take action - before this crime wave panics the citizens. Streaming video or security - the right choice should be obvious.


Comments

Linden Labs just put out a big bulletin about a QT Vulnerability at any rate, so this would not be their fault. Furthermore, The video was most likely staged, as the video was being recorded by the "thief" in question, which would be convenient for hiding the fact that the "victim" had a pay window out, and would have been walking into their own controls. I mean, come on, I've seen Bigfoot videos less hokey than this piece of junk.

How the hell would a video/music plugin get access to your financial info anyway? My iPod does some weird shit from time to time but I've never got it hacking my credit card.

The font seems a little too big with respect to the buttons on their screen, but maybe that's just me. Still, Linden Labs needs to get their act together before those of us left just bail on this sinking ship.

Only one solution, in my book. Ban all furries.

Also, This looks shooped. I can tell from some of the pixels and from seeing quite a few shoops in my time.

*sighs* it's fake. They are hoping to create a panic at time like this.

Don't be an idiot.

Not fake, it's a working proof of concept.

It makes your client crash, makes your av shout "I got hacked" and makes you pay someone $12

Standard buffer overflow stuff.

Also, while I love SLH's creative writing skills, for those who won't click the links, or google the story some.....


Pwned Naglo and Sussy McBride are the test avatars for the two security researchers who've discovered how the exploit worked, and notified LL. It's a proof of concept exploit. This isn't some EVIL EVIL PN guy ripping off a poor noobie for their entire LL wallet. Reference the following link and be amazed.

http://securityevaluators.com/sl/

Oh wow, that's easily the most phoney video ever made.

-10 credibility


Even if it's true I think the Lindens made the right choice. Everybody was seeing the warning notice when and before logging in and I could imagine the uproar with education and art sites if they disabled video altogether.

I mean, the Quicktime exploit does exist (it's basically a threat from all qt enabled browsers or websites). Do you want your internet provider to disable QT streaming?

Personally I prefer the variant the Lindens handled it, that is that they are giving the residents a choice.

This is a new low, guys. honestly. why even bother?

Get real! Of course it's fake but it demonstrates a serious QT flaw. Why bother? Would you not rather know something than be ignorant? Thanks SLH. I read about a flaw, but I didn't know to what extent it could be used. It'll probably never happen to someone but it's good to know it exists.

old news is old.
SLH is made of PN fags, FAIL and AID.S

Isn't this news.. a LITTLE late..? And honestly, everyone already knows that this happened. As Alyx explains... LL already told everyone and made it clear that you could disable streaming video at your own discretion.

This is a great example of why Linden Labs needs to stop relying on third party closed-source software for multimedia handling

quicktime is a shitty player and a shitty format, period.

LL would be better off using mplayer or xine as a primary backend, or using a native OS multimedia handler, or making plugins that interface with various players. (on windows anyway)

that way, we aren't restricted to .mov.

the best route imho would be having a custom media playback backend at the cost of more disk space and a larger download.

but for portability's sake, making it pluggable.

The linux client already has this in a sense. it makes use of a multimedia backend called gstreamer, which in itself is a pluggable architecture that allows using multiple formats.

I imagine using some directshow plugin in the windows version might be easier, and a..uh... yeah um.. quicktime... player... for the mac users.

But security wise, a custom player within SL may work better.

It seems fishy. The avatar Sussy McBride stops to shout "I got hacked" and then the money gets deposited to Pwned Naglo. Looks like the avatar types I got hacked and then clicks shout before paying Pwned Naglo L$12 ... then the video stops ... therefore further evidence of this QuickTime exploit needs to be explained. Why was this exploit, if it is indeed real, not found until now ... QT has been used in SecondLife since March 2005!

This is not a theoretical exploit, as the researcher's video above demonstrates. Why SLH would choose to report this in their usual scattershot way (and why the Lindens wouldn't globally disable Quicktime streaming) is beyond me. Actually, I have a secret theory, but it would be libellous to say it here.

By the way, I notice that even the trolls can't be bothered to make comments anymore. Is SLH circling the drain?

This is why the Herald is considered a joke...

Dingos ate my babyfur said:
"Pwned Naglo and Sussy McBride are the test avatars for the two security researchers who've discovered how the exploit worked, and notified LL. It's a proof of concept exploit."

If this is true, it should have been added in the article. Otherwise of course people will think this video is a fake.

More explanation please. If you want to write about news, do it. If you want to do something creative, go write a book.

Geez, just when I thought SLH was getting some integrity back, they knowingly post fraudulent news. In RL the editor would be fired, and never work again.

erm Stacy, that's part of the hack. You're MADE to say 'I got hacked', you don't type it! See...Stacy proves not everyone is aware of this hack. SLH should have done this story properly. BTW Read the Linden blog about this, Stacy.

True this video was just a DEMO by the researchers seeking attention. Using this exploit to steal lindens is not sensible. It's completely traceable and there's no way to get away with actual real dollars. It will leave a trace. So this one remains only in theory, but there are many other more sensible things that can be done with the exploit. The two researchers were just seeking attention and they used stealing lindens as a shocking enough headline to get everyone's attention.

The bigger threat is outside sl, a porn site has been found to re-direct users to urls that serve the exploit. It then downloads a hacking tool on your computer, giving hackers access to your machine. But your anti-virus, notably Symantec and Trend Micro, will be able to detect and delete it.

In sl as in the web, the best thing to do for now is to only access videos and websites that are trusted.

In sl, get your video from trusted sources.
http://myslhometv.blogspot.com/2007/11/quicktime-expoit-is-video-safe-in-sl.html

There is a real threat in sl so watch video only in your parcel or in the one of people you trust. Disable auto-loading web profiles.

Visit only websites that you trust. Update your anti-virus; they are able to detect and delete most implementations of the exploit so far.

A good start is to add the following to your browser as RESTRICTED SITES. To deny your browser access to these sites:
85.255.117.212
85.255.117.213
216.255.183.59
69.50.190.135
58.65.238.116
208.113.154.34
2005-search.com
1800-search.com
search-biz.org
ourvoyeur.net

these are websites already found to be serving the exploit detected by Symantec and Trend Micro.
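The comment above suggests adding the listed addresses and domains to the browser's restricted sites. The following is an added example (not from the Herald, the commenter, or Linden Lab) of how a client-side check against such a list can be written so that it does not miss the easy bypasses: URLs that carry userinfo or a port, hosts given as raw IP literals, and subdomains of a listed domain. It also accepts CIDR ranges, which the original list does not contain; the `/24` entry used in the usage note is a constructed illustration, not something the page reports as malicious.

```python
"""Check URLs against the IP/domain list posted in the comment above.

Added example; not code from the Herald, the commenter or Linden Lab.
Assumptions: list entries are IPv4/IPv6 addresses, optional CIDR ranges,
or domain names that should also match all of their subdomains.
"""
import ipaddress
from urllib.parse import urlsplit

# Raw lines as pasted in the comment (trailing commas and mixed case are
# tolerated by the parser below). Constructed from the comment's list.
RAW_BLOCKLIST = """
85.255.117.212,
85.255.117.213,
216.255.183.59,
69.50.190.135,
58.65.238.116,
208.113.154.34
2005-search.com,
1800-search.com,
search-biz.org
ourvoyeur.net
"""


def compile_blocklist(text):
    """Split a pasted list into (ip_networks, domain_set)."""
    nets, domains = [], set()
    for line in text.splitlines():
        entry = line.strip().rstrip(",").lower()
        if not entry:
            continue
        try:
            # A bare address becomes a /32 (or /128) network; a CIDR is kept.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Not an address: treat as a domain, dropping any leading dot.
            domains.add(entry.lstrip("."))
    return nets, domains


NETS, DOMAINS = compile_blocklist(RAW_BLOCKLIST)


def hostname_of(url):
    """Return the lowercase host of a URL, or None if it has none.

    urlsplit only populates netloc when a scheme is present, so bare
    hosts get a dummy one. .hostname strips userinfo, port and IPv6
    brackets for us, which is exactly what a naive substring match forgets.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def is_blocked(url, nets=NETS, domains=DOMAINS):
    """True if the URL's host is a listed address or a listed domain/subdomain.

    Assumption: an unparseable URL is treated as blocked (fail closed),
    since a media URL the client cannot even parse is not worth loading.
    """
    host = hostname_of(url)
    if host is None:
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr in net for net in nets)
    # Domain match: the host itself or any parent domain must be listed.
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


if __name__ == "__main__":
    for u in ("http://ourvoyeur.net/", "rtsp://user@85.255.117.213:554/s",
              "http://notourvoyeur.net/", "http://www.2005-search.com/x"):
        print(is_blocked(u), u)
```

Note that `notourvoyeur.net` is not blocked because matching is done on whole labels, not substrings, while `www.2005-search.com` is: a blocklist that fails either test is easy to slip past with a lookalike domain or a subdomain. A CIDR entry such as `85.255.117.0/24` (constructed here, not from the comment) can be passed in the same list format if you decide to block a whole range.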

I like how you were on top of this, I reported about the live exploit 2 days ago. But you are missing another point, there is also an LL media glitch that can force you to a media stream not of your choosing. So even if you are on "safe" land that might not be the case, that is why LL said disable your media.

Tag Pixeleen, you're it now! Thought you might have fun with this.

Arthur, quoting from LL's blog post, this is how they put it:
"We do recommend that you employ caution when using QuickTime in Second Life, only enabling it in environments that you trust, and are familiar with."

And of course it's always necessary to control access to your land: limit access, building and scripting to trusted people in your group only.

What is the other LL media glitch?

I also believe that if the issue was about a glitch that allows hackers to force anyone to a media stream not of their choosing and also doing it without going into their land, then LL would have turned off video in the entire grid.

LL made it QUITE Clear why they didn't Disable Quicktime in SL, they didn't want to Impact those HONEST businesses and Sims that are dependent upon it, what they DID do was warn people If they were concerned, to Turn it off from their End unless they were in some area they trusted. I Know Because they Attached the Warning to a Mock TOS update so everyone would have to READ it, and Acknowledge it BEFORE entering SL.

The OP is just asking Why a Construction Company didn't put up SIGNS telling her Not to Climb over the Yellow Danger Tape to prevent her from dropping in a Hole.

A Warning was given, and Ignored, and the Inevitable happened. Don't Blame LL because someone Chose to be Obtuse.

Maria.

Is the video fake? Most likely. Does the fact that LL told everyone about this exploit make them "not responsible"? Hardly likely. Any company that knowingly allows a potentially dangerous exploit to remain unchecked (what, since Quicktime 4.0? And now it's at 7+?) cannot claim innocence. In RL this is called "criminal negligence" and is a CRIMINAL, not a civil action.

LL allows a known exploit to continue to exist on their system that they know can harm their customers. Instead of shutting down Quicktime or hiring a competent programmer for the one day it would take to switch to another video system... they allow it to continue. They are therefore culpable.

Staged video or not, it demonstrates the problem. What if instead of L$12 it had been L$1200... and what if it had been YOUR avatar that got ripped?

Think about it people. Wake up. SL seems full of anarchy-driven internet zombies that regularly lose touch with reality. LL has admitted this exploit exists. They have failed to take steps to stop it. Duh.
