Hackers exploit flaw in Apple QuickTime to rob Second Life residents

If you logged into Second Life yesterday, you’ve seen the announcement from Linden Lab:

We were alerted a short time ago that a QuickTime exploit has been discovered which may allow an attacker to crash or exploit the Second Life viewer. The Second Life viewer uses Apple QuickTime to play videos and streaming media. This exploit affects QuickTime usage on every platform that uses it, and to date, Apple has not released a fix for the exploit.

While the Lindens are very clear that this is an exploit in QuickTime and not in Second Life specifically, they are less than forthcoming about the exact details of the exploit. Mercury News fills them in.

Charles Miller…and Dino Dai Zovi…, two experienced hackers, say they have found a vulnerability in the way Second Life protects a user’s money inside the virtual world from being stolen. It has significance because that currency, dubbed Linden dollars, can be converted into real world dollars.

According to Mercury News, QuickTime can be directed to a malicious website that “allows them to take over the Second Life avatar.”

Personally, I’m not clear about how this could work. Each land parcel in Second Life has an associated video stream, so the landowner would have to add the URL to their land — it’s not something a hacker can do without the landowner’s permission. I understand that malicious websites can exploit vulnerabilities in computers, but there’s a big gap between planting a virus and taking complete control of the Second Life client. Even assuming that this malicious code is able to do that, one can’t use the Second Life client alone to plant viruses in-world, as Miller says. Many script-kiddies try that daily and accomplish only annoyances — replicating cubes with offensive pictures, for example. Eventually, those cubes meet behind-the-scenes defenses and get cleaned up with no harm done — they’re hardly viruses.

This isn’t the first attempt to steal Linden dollars. Previous attempts have been crude scripted objects in-world that depend on a resident accidentally granting the script debit permission (PERMISSION_DEBIT in LSL), which lets the script pay out L$ from the owner’s account. A script can only request that permission from the object’s owner, so these scams typically arrive as a “free” object that prompts you once you rez it; the defense is simply to answer No to any debit request from an object you don’t trust.

To protect your Linden dollars from this hack until Apple ships a fix, open Second Life and click Preferences in the login screen. From there, go to the Audio & Video tab and disable video streaming. With streaming off, the viewer never hands a parcel’s media URL to QuickTime, so a malicious stream is never loaded. Don’t rely on only visiting land you trust instead: the media URL is set by whoever controls a parcel, and buying a parcel is all an attacker needs to do to control one. Re-enable streaming only after you have installed an updated QuickTime.

CTH-100 releases at noon Wednesday!

Be the first in your sim to own the first ever Terra Aeronautics helicopter: the CTH-100. Be at the Abbotts Aerodrome runway at noon Wednesday to get yours for L$1000.

  • Paint script lets you pick two colours and a decal.
  • Let anyone fly your helicopter. The lock script lets you choose who can fly: anyone, group members, or just you.
  • Heads-up display (HUD) attachment puts the clickable instrument panel on your screen.
  • Rotor damage detection means rotor strikes cause damage to your helicopter. (You can turn this off in the options menu.)
  • Popup options menu.
  • Smooth, easy flight model. If you can fly your avatar, you can fly this helicopter.
  • Splash and sink if you hit the water… then click a single button to recover.

Tinker toys in space: SkyLife “Space” series relaunches

I’m happy to announce that the popular SkyLife modular building system has been updated with new modules and a new sci-fi look. The new modules have been rebuilt from scratch to work on a precise 20m grid, which allows for easier alignment of connecting corridors and hubs.

As always, the modules are interchangeable and reconfigurable. You can build them like tinker toys to create your own structures: skyhomes, space stations, military bases, hangouts, and more.

SkyLife “Space” on SL Exchange:

Lindens perform a Havok brain transplant

Yesterday morning I was startled by a pig flying past my window, which heralded the Linden Lab announcement that the Havok 4 physics engine is in beta testing. No, your eyes aren’t playing tricks. The upgrade the Lindens have promised as being just around the corner (for the last four years) appears to be… well… still just around the corner, but now we can see the corner at least.

By upgrading the Havok physics engine from version 1 to version 4, Linden Lab promises several improvements, including these (from the Linden blog):

  • Reduced simulator crashes
  • Less lag in the physics engine
  • More reliable prim linkage
  • Stacked dynamic objects react when supporting objects are removed
  • Improved collision management – uniform spheres collide as spheres, rather than as faceted shapes
  • Penetrating dynamic objects will be automatically pushed apart by Havok4’s collision solver
  • Vertical simulation extent has been increased to 1024 meters
  • Some slight dynamic changes – avatar movements have changed slightly

To achieve only a few of these goals, particularly “less lag in the physics engine”, would vastly improve the flight experience for virtual pilots. I do wonder, though, about this point, “Vertical simulation extent has been increased to 1024 meters”. I don’t mean to be needlessly cynical, but that claim seems 1984-ish when currently the simulation extent is 4096 meters. Increased? Really? I hope it doesn’t “increase” any more.

I took the SL beta viewer for a test spin yesterday (download it here). To me it seemed to be more than just a little rough around the edges, although I can imagine just how much work it must have been to get it to this level of functionality. Replacing the physics engine would be like performing a brain transplant. I know Dr. McCoy was able to replace Spock’s brain, but he was only able to accomplish it under the influence of an alien knowledge device. I doubt the Linden devs have the benefit of alien tech.

So it’s impressive to see Havok 4 in action and mostly working. That said, it’s not even close to “prime time”. I logged some of my observations, which included sluggish controls, out-of-place collision boxes, and severe time dilation. Please log in to jira.secondlife.com and vote for/comment on issue SVC-722. I know the Lindens have already reviewed it, but more testing is better. And if you have access to an alien knowledge device, please mail it to Linden Research Inc, 945 Battery St., San Francisco, CA 94111. Include snacks. I have a feeling that a few developers will be working late nights for a while.

Ready… Set…

…Vend! TerraVend 3.0 is now live. For those of you who used TerraVend 2.x, the first thing you’ll notice is how fast the setup is. No long delays while data emails wend their way through internet tubes to the server. Version 3 is not only faster but 736.2% more reliable. OK, I made that number up, but I think you will be pleased with it.

TerraVend vendors

Also new: I have created a new group “TerraVend Merchants”. Please join the group (it’s open enrollment, so no invitation is needed) to get TerraVend announcements and product updates.

To those who aren’t familiar with TerraVend, it is a vendor system in Second Life that lets you sell Terra Aeronautics products on commission. I provide the vendors, products, and displays, and you run your own shop and earn Linden dollars that you can spend in Second Life or sell on LindeX for real money. The vendors are free and you get paid your L$ commission immediately at the time of sale.

Get a TerraVend 3 package at the top floor of Abbotts Aerodrome or on SL Exchange.