Hackers exploit flaw in Apple QuickTime to rob Second Life residents

If you logged into Second Life yesterday, you’ve seen the announcement from Linden Lab:

We were alerted a short time ago that a QuickTime exploit has been discovered which may allow an attacker to crash or exploit the Second Life viewer. The Second Life viewer uses Apple QuickTime to play videos and streaming media. This exploit affects QuickTime usage on every platform that uses it, and to date, Apple has not released a fix for the exploit.

While the Lindens are very clear that this is an exploit in QuickTime and not Second Life specifically, they were less than forthcoming about the exact details of the exploit. Mercury News fills in the details.

Charles Miller…and Dino Dai Zovi…, two experienced hackers, say they have found a vulnerability in the way Second Life protects a user’s money inside the virtual world from being stolen. It has significance because that currency, dubbed Linden dollars, can be converted into real world dollars.

According to Mercury News, QuickTime can be directed to a malicious website that “allows them to take over the Second Life avatar.”

Personally, I’m not clear about how this could work. Each land parcel in Second Life has an associated video stream, so the landowner would have to add the URL to their land — it’s not something a hacker can do without the landowner’s permission. I understand that malicious websites can exploit vulnerabilities in computers, but there’s a big gap between planting a virus and taking complete control of the Second Life client. Even assuming that this malicious code is able to do that, one can’t use the Second Life client alone to plant viruses in-world, as Miller says. Many script-kiddies try that daily, and accomplish only annoyances — replicating cubes with offensive pictures, for example. Eventually, those cubes meet behind-the-scenes defenses and get cleaned up with no harm done; they’re hardly viruses.

This isn’t the first attempt to steal Linden dollars. Previous attempts have been crude scripted objects in-world that depend on residents accidentally granting debit permissions.

To protect your Linden dollars from this hack, open Second Life and click Preferences in the login screen. From there, go to the Audio & Video tab and disable video streaming.

To copy, or not to copy: that is the question

A number of customers have pointed to the increasing problems with attachments in Second Life. That is, it’s not uncommon for attachments to: go missing, stop working, become invisible, or become damaged in some other way. And when your item isn’t copyable, you’re faced with asking the item’s maker for a replacement or buying another. Whenever this happens to Terra skydiving equipment, I will exchange your broken item for a new one, but I have noticed a rise in these incidents.

Why aren’t my parachutes copyable? As you know, products need to have either Copy or Transfer permissions, but not both. (“Transfer” means that you are able to give away or resell the item.) The blight of freebie sellers has proven that Copy/Transfer is an invitation to scammers and cheats. In response to customer demand to easily buy parachutes as gifts or to set up legitimate skydiving shops, I changed all of my skydiving gear over to No-Copy/Transfer.

Now, however, the sheer number of lost or damaged chutes leads me to reconsider the Copy/No-Transfer option. With the copy permission, you could make backup copies, and even have 1 parachute copy per outfit. There’s little chance that you would lose it.

So I put it to you, my customers: which permissions would you rather have for your parachute? Copy or Transfer?

Lindens perform a Havok brain transplant

Yesterday morning I was startled by a pig flying past my window, which heralded the Linden Lab announcement that the Havok 4 physics engine is in beta testing. No, your eyes aren’t playing tricks. The upgrade the Lindens have promised as being just around the corner (for the last four years) appears to be… well… still just around the corner, but now we can see the corner at least.

By upgrading the Havok physics engine from version 1 to version 4, Linden Lab promises several improvements, including these (from the Linden blog):

  • Reduced simulator crashes
  • Less lag in the physics engine
  • More reliable prim linkage
  • Stacked dynamic objects react when supporting objects are removed
  • Improved collision management – uniform spheres collide as spheres, rather than as faceted shapes
  • Penetrating dynamic objects will be automatically pushed apart by Havok4’s collision solver
  • Vertical simulation extent has been increased to 1024 meters
  • Some slight dynamic changes – avatar movements have changed slightly

To achieve only a few of these goals, particularly “less lag in the physics engine”, would vastly improve the flight experience for virtual pilots. I do wonder, though, about this point, “Vertical simulation extent has been increased to 1024 meters”. I don’t mean to be needlessly cynical, but that claim seems 1984-ish when currently the simulation extent is 4096 meters. Increased? Really? I hope it doesn’t “increase” any more.

I took the SL beta viewer for a test spin yesterday (download it here). To me it seemed to be more than just a little rough around the edges, although I can imagine just how much work it must have been to get it to this level of functionality. Replacing the physics engine would be like performing a brain transplant. I know Dr. McCoy was able to replace Spock’s brain, but he was only able to accomplish it under the influence of an alien knowledge device. I doubt the Linden devs have the benefit of alien tech.

So it’s impressive to see Havok 4 in action and mostly working. That said, it’s not even close to “prime time”. I logged some of my observations, which included sluggish controls, out-of-place collision boxes, and severe time dilation. Please log in to jira.secondlife.com and vote for/comment on issue SVC-722. I know the Lindens have already reviewed it, but more testing is better. And if you have access to an alien knowledge device, please mail it to Linden Research Inc, 945 Battery St., San Francisco, CA 94111. Include snacks. I have a feeling that a few developers will be working late nights for a while.

Good news on the TerraVend front

Owners and operators of TerraVend vendors should be happy to know that the TerraVend 3 vendors are almost done and so far they’re working quite well. You will notice a very fast setup time — no more long delays or hanging while the vendor waits for updates from the server. The new vendors should be available in about a week. Keep an eye on this blog.

To those who aren’t familiar with TerraVend, it is a vendor system in Second Life that lets you sell Terra Aeronautics products on commission. I provide the vendors, products, and displays, and you run your own shop and earn Linden dollars that you can spend in Second Life or sell on LindeX for real money. The vendors are free and you get paid your L$ commission immediately at the time of sale.

When TerraVend 3 is available, I will post a link here.

Inter-object email failures force temporary TerraVend closure

This is a notice for all members of the Terra Authorized Dealers group, who own and operate TerraVend vendors.

As most have noticed, there have been serious technical issues with the vendors. Email communication breakdowns between sims have made running the system almost impossible — a significant percentage of the total number of vendors are not able to properly communicate with the servers. For that reason, I have decided to shut down TerraVend until I can design a system that does not rely on email — email in SL has proven just too unreliable. By tomorrow, TerraVend vendors will no longer be able to register with the server, and after that I will completely remove the servers. The vendors will automatically go into an “offline” mode, in which they accept no payments.

It could be anywhere from two weeks to two months before I can redeploy TerraVend. When I have a reliable replacement, I will announce it at www.cavers.ca. I apologize for any inconvenience this long downtime may cause. I hope all of you will want to try the new system when it’s complete.

For those of you who wish to continue selling skydiving gear, one proven method of reselling is to buy a small stock of equipment and sell it from boxes. You may wish to try that until the new TerraVend is up and running.

Thank you all very much for taking part in TerraVend!