This story was updated to correct information about how QuickTime vulnerabilities are exploited in Second Life. An option for viewing media must first be selected. More than two months after security researchers released exploit code that steals money from Second Life users, residents of the virtual world remain vulnerable to …
Hardly SL's issue
Linden Labs put out a warning about this months ago. And their reasoning for not blocking it was perfectly sound... It's not their problem because it's really Apple's problem.
They said what to do if you were worried, and give advice to avoid trouble. If people are too thick to follow advice in security warnings, then they get what's coming.
Played it, got bored. I used to have video feeds switched off anyway when I played the game, as it reduced the unbearable lag. As for being forced to install Quicktime? Well if I hadn't already given up, that would have been the nail in the coffin for me regardless (I use the quicktime alternative codec).
How can this be?
"There were close to three-dozen such bugs [in quicktime] last year"
How is this possible? All the mac fanboys have been assuring me that Apple are incapable of writing exploitable code!
Worrying stuff, but is it Linden's fault?
Surely the same vulnerability, in Apple created software, that allows for taking over of Second Life accounts also allowed for the taking over of computers running Firefox, IE, or Opera -- does that mean they are all insecure by design and security was not thought about in their design?
The potential for vulnerabilities in other libraries does seem to lie with LL to find ways of protecting users but, then again, I seem to recall that the JPEG library was open to exploitation for a while -- and that affected many companies software, none of whom were criticized fro not thinking of security.
I'm not sure about newer versions, because settings persist when you upgrade, but all the versions of the Second Life client, and the First Look Windlight client, come with audio and video streams disabled by default -- so I'm not sure where you get your information about them being enabled. Also, even with streaming enabled, I still find it necessary to click the "play" button to access media on land.
Your claim that credit card details are necessary to own land in Second Life isn't quite accurate either -- it is only necessary to have payment information if you own Linden land, privately run parcels are open to anyone, and with the wages some scantily-clad dancers get they simply don't need to have payment info on file (I know people who don't).
Second Life has many shortcomings, and there are plenty of ways to rip people off, ranging from pure social engineering to exploiting 3rd party software -- but the same could be said of almost all web browsers and mail clients.
Sorry to come across as a fanboy, seriously I'm not, I just feel your criticism could be more constructive and that the article comes across a little too much like FUD -- when accuracy would be a better method of criticism.
Paris Hilton because, like the aforementioned scantily clad dancers, she has a disturbing attraction despite not being real.
Re: Hardly SL's issue
Do you think that the average sadville user would be able to comprehend the implications of a security problem? You vastly overestimate the general population's ability to follow instructions, or even to understand the importance of such warnings. The onus should be on the vendor to make their product safe, not the user to work around the vendor's security flaws (and irrespective of Apple's involvement, the product is Linden's, as is the responsibility -- if you can't trust a third party then write your own).
It never ceases to amaze me how many otherwise intelligent people waste their time and money on this dross.
Quicktime not my problem
Not a Sadville user, I have better things to do with my time. That also means that Quicktime was removed from all computers I use since I discovered that there is a first-rate alternative that works fine, takes almost no resources, loads real quick and, cherry on top, is free.
So, whether you prefer putting the blame on Quicktime or Linden Labs, for me they are both to be put in a sack with a rock and thrown overboard in the middle of the Pacific.
Self-promoting FUD - that's sadville
As has been pointed out, audio and video streams in SL do *not* play by default. A user (not 'player', as SL is *not* a game any more than a telephone is a toy) must choose to activate audio or video streams, or the scarcely used third-party Voice feature.
As has also been pointed out, credit card information is needed only for 'owning' virtual land directly from Linden Labs, which is unnecessary for any purpose (doing business, taking US$ out of SL, et c.). The major landlords and others dealing in serious amounts will not take payment in (hackable) Linden Dollars.
Risks connected with using Microsoft Windows to access SL (or anything else) far outweigh any of the actual risks associated with the points raised by the self-promoting FUDster being given the softball treatment in this article. I am happy to forego QuickTime video streams (but not much else) when I access SL via Ubuntu Linux.
Lastly, I would like to ask that El Reg take another look at its 'Sadville' characterisation. Just as the word 'phony' came from the very real scams that were a part of the phenomenon of the telephone right from the beginning, online shared virtual environments of course have their losers and knaves. All hype aside, however, in a very few years, the '3D web', in one guise or other, will be as standard as the telephone is now.
Writing as one who has never engaged in avatar 'sex' or any of the other 'mum's basement' stuff, I would like to speak up for those of us who use SL as a communication tool to meet other real people with real lives, and an environment and medium for creating and learning. I make and sell shoes in SL during my few hours a week there, and have pulled out about US$250 after one year; nothing serious, but akin to making pottery for fun and selling it at fairs. Pretty humdrum stuff, and hardly a reckless danger zone, or indeed, 'Sadville'.
Great work Linden Labs!!
Interesting to note, however whether it really is the fault of Linden Labs, whether they CAN do anything about blocking or mitigating the QT vulnerabilities. This hasn't been made at all clear in this article.
We're thinking of rolling out Second Life as a platform for our students to work with at the University where I work. Our head honcho VC is really into it, we have our own island!
Methinks I'll be recommending a ban of any credit card transactions made with SL in future.
---Does anybody know whether LL can really do anything about it in their own code?
I'm going to have to watch this Shmoocon hacker conference session if its going to be made freely available.
Again, no information in this news article about LLs real involvement or even any links to the Shmoocon site or anything!
Score : C-
Fixed in the new version
The latest beta of SL first look client (test) disables your QT if its not patched and updated. Moot point very soon then.
'in a very few years, the '3D web', in one guise or other, will be as standard as the telephone is now'
Just like in the 90s when we were told that computer games and TV would all be virtual reality by now, and we would all own one of the highly attractive headets.
Or just like tomorrows world telling us in the 60s that we would all have robot housemaids by now to save us the trouble of cleaning the house.
If it happens at all it will take far longer than just a few years that you predict.
Mines the silver foil one, and can you bring the hover car out front for me. thanks
Au contraire.... I think Idai is quite correct. The significance of SL (and its multi million user base) over other similar environments (like WoWC) is that it more or less mimics the 'real' world, albeit a rather prettified version thereof where everyone is young and beautiful....:) It is therefore better perceived as a 3D social networking environment than a game.
As such, and as several posters have commented, it is already being used by organisations as diverse as high tech bluechips and transgender support groups to create a virtual face to face environment.
At present, it's clunky in all sorts of ways, but the fact that its now popular enough for the usual bottom feeders to start exploiting security exposures would seem to me evidence that it (or something similar) will be a significant driver for progress within the WWW over the next 5-10 years. The two biggest challenges that these virtual environments face is malware, as reported here, and good old fashioned bandwidth and connectivity....
RE: Re: Hardly SL's issue
All the people I know who "play" in "sadville" understood the Quicktime warning and disabled it. This includes people who's only real use of computers is email and Second Life -- though, it has to be said, I've found most people are fairly technically literate, even the "strippers".
As for Second Life and the like being the future, I'm not so sure about that -- but then I don't take it all that seriously. It is, after all, just a social environment built for enjoyment.
RE: Great work Linden Labs!!
I doubt there's much more that LL can do other than what they have: If you install SL you have to choose to enable video feeds, and can only do so if your quicktime is up to date. In addition, I have generally found that you need to explicitly start video playing on most packets or, at least, when you first log in.
It should also be pointed out that LL won't allow you to buy more than a certain amount of currency in your first few months and your credit card company will probably refuse to allow payments if you start to use it more heavily -- at least this has been the case for the UK users I know.
I really do wish people would stop calling Sadville a game. It's a simulation and as a gamer it's annoying to be heaped in with these no-lifers.
@ Tim Bates et al
Linden Labs makes their code, or at least a version of it, available as open sauce. That is one of the reasons these guys know that it is a weakness in Sadvilles' code that makes it possible to exploit vulnerabilities in Quicktime. Turning off sound and video by default is not much of a solution, and does not address the basic flaw in the code. They need to sanitise their inputs and outputs (forgive me if I have using the wrong terms, I am not a programmer). And I seem to remember the /b/tards or Goons or someone similar warned Linden Labs about this problem at least year ago and were ignored.
Some hacker looks for fame by finding new, talked about, applications.
RE:>"they simply did not think about security when they developed this application"
IMHO its not true. Their forums disscuss such cases and bear in mind that they MUST think about security all the time as there are:
1: milions of mind "mutating" humans
2. real money involved
You can see security measures in code backing up SL: code splitting mechanism where only server run sensitive data instead of client etc.
I would translate article describtion for others to understand:
"Firefox does nothing to stop QT exploit!" and your cc details can be be stolen.
its all the same, SL at least blocks volunerable QT versions!
@ David Farinic
yes but only after the sploit was made public and then it took quite some time for them to respond. Also keep in mind that if you use 3th party libs ( QT ) in this case you should at least test it for security flaws before implementing it. only then could you say that your looking out for your users.