[JIRA] Updated: (SVC-5066) Cryolife detection installations done by residents bears danger of distributed denial of service attacks on freebie consumer

Ellla McMahon (JIRA) no-reply at lindenlab.cascadeo.com
Mon Nov 23 09:00:01 PST 2009


     [ http://jira.secondlife.com/browse/SVC-5066?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ellla McMahon updated SVC-5066:
-------------------------------

     Issue Type: Bug  (was: Meta Issue)
    Component/s:     (was: Interop - Agent Domain)

> Cryolife detection installations done by residents bears danger of distributed denial of service attacks on freebie consumer
> ----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SVC-5066
>                 URL: http://jira.secondlife.com/browse/SVC-5066
>             Project: 2. Second Life Service - SVC
>          Issue Type: Bug
>    Affects Versions: 1.32 Server
>         Environment: pretty basic Vista, default client
>            Reporter: Luisa Bourgoin
>
> Short: Cryolife detection installations done by residents bears danger of distributed denial of service attacks on freebie consumer
> there is widely known code out there, CryoBan, distributed open source, whose main purpose is luring shop owners
> into some form of doing proactive content protection. basically, it's a placebo.
> but wait there is more
> 1) it DOES NOT RELIABLY detect Cryolife so it should be entirely useless. The client can simply stop chatting about its presence on channel ${whatever}.
> 2) it can be misused as a denial of service attack ... by distributing tainted freebies that utilize simple hidden chatty scripts to brandish any wearer as Cryo user. Any prim worn can look like Cryolife.
> 2a) I assume the design has been made for purpose 2), and releasing it as "open source" does merely fool the eye at first glance, but nobody who looks twice can deny the possible malicious usages. Okay, that's the most paranoid view of matters
> 3) "sends a "cryo::ping" packet to everyone" seemingly the people behind don't stop on business, releasing this and that. I doubt the incentive, especially seen on the background of formerly featured mindset.
> (pointing at http://jira.secondlife.com/browse/VWR-15455 here)
> quote: yeah, you just gotta understand that the detection is not always accurate. in fact, thuglife users all appear as emerald as well.  which is kinda why i really don't like the detection feature.. but other emerald devs do, and if its optional, meh.
> The detection of clients used cannot be handled by residents alone. The Lab must intervene here. Suggestions would be code reviews (even done by peer sides) and trusted releases of 3rd party generated clients. Some safe harbor for software releases that are labelled to be conform for SecondLife uses. Excluding all non-TOS-conform other compiles.
> technical: it's just listening for disclosing chat messages on well known channel, reacting inside listen event handler as shown below:
> listen(integer channel, string name, key id, string message) {
>     cyrouser_name = name;
>     cyrouser_ID = id;
>     if(auto_kickban) {
>         if (llGetAgentSize((key)message)) {     // check if the shouted avatar key is in the region
>             //                llEjectFromLand(cyrouser_ID);
>             llTeleportAgentHome(cyrouser_ID);
>             llAddToLandBanList(cyrouser_ID, 0.0);

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.secondlife.com/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
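
A more conservative listen handler for the situation the report describes, as an added example that is not part of the original message and is not CryoBan's code: it ignores chat that comes from an object (such as a scripted attachment) and takes no land action on what remains, since the announcement is still unauthenticated. The channel value is a constructed placeholder (the report gives it only as ${whatever}), and the premise that a client announces itself by chatting on that channel is taken from the report.

```lsl
// Added example, not CryoBan's code.
// DETECT_CHANNEL is a constructed placeholder; the report does not name the channel.
integer DETECT_CHANNEL = 424242;

default
{
    state_entry()
    {
        llListen(DETECT_CHANNEL, "", NULL_KEY, "");
    }

    listen(integer channel, string name, key id, string message)
    {
        // Chat sent by a viewer arrives with id equal to the avatar's key.
        // Chat from a scripted object, including a worn attachment, arrives
        // with the object's key, which llGetOwnerKey() resolves to its owner.
        key owner = llGetOwnerKey(id);
        if (owner != id)
        {
            // The sender is an object, so it says nothing about the
            // wearer's viewer. Record it and stop.
            llOwnerSay("Ignored object chat from '" + name
                       + "' owned by " + (string)owner);
            return;
        }

        // llGetOwnerKey() also returns id unchanged for keys it cannot find,
        // so require that id is an avatar present in this region.
        if (llGetAgentSize(id) == ZERO_VECTOR)
        {
            return;
        }

        // The message is still unauthenticated text: no llTeleportAgentHome
        // and no llAddToLandBanList here, only a note for manual review.
        llOwnerSay("Unverified client announcement from " + name
                   + " (" + (string)id + "): " + message);
    }
}
```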
