Bit of drama on the SL General forum (no link…needs membership). It seems some enterprising young script kiddie has managed to hack one of the most popular in-game vendor systems. And just when I was thinking of getting into the recreational play area equipment market.
Not sure I understand it myself entirely, but the ‘JEVN’ system is a way for people who want to sell things in multiple locations to do so with a minimum of fuss. It consists of a number of multi-panel display vendor objects and a centralised server object, which synchronises their content and handles the transactions at the request of the vendor unit when the customer interacts with the vendor. Great if you want to sell things all over the world, but don’t want to have to run round and update each individual vendor when you introduce new items.
An inquiring mind is a dangerous thing, however, and some bright young spark seems to have found a way to build a server emulator which, when fed the unique object key of the real server (not a difficult thing to get, apparently), is capable of spoofing correctly validated authorisations to the vendor, in effect meaning free stuff, delivered to the emulator owner, and logged as having gone to someone else entirely. I’m not sure how I’d even begin to build something like that, but it certainly seems a realistic thing to be able to make with the right know-how, and becomes a matter not of ‘Can I build it?’, but more ‘Should I build it?’
The trouble is, these JEVN systems really are everywhere, easily one of the most popular ways for creative types to handle sales and distribution. In the best traditions of Real Life, the whole vulnerability seems to have been hushed up for some weeks by the vendor’s designer, and only came to light at all due to some ridiculously petty argument between the emulator builder and some punk he’d sold one to, who wanted a refund because he couldn’t figure out how to use it properly. Said punk decided to take the matter to the boards (under the pretence of nobly 'stealing to show that stuff could be stolen!'), and now all hell seems to have broken loose. Honour among thieves, etc. Murky virtual property pseudo-law reigns supreme! But amid the admittedly very amusing board-drama, very real concerns are emerging from the mercantile masses who had previously relied on the system without question.
I suppose the nearest equivalent would be the revelation that a high street bank had accidentally left some kind of ‘master-pin’ code in use, which would let someone help themselves to whatever account they liked. I think I’d be pretty annoyed too. Regardless of how many goods have actually been pilfered in this way, far more damaging is the loss of confidence in the system itself, responsible for the handling of thousands of $US-equivalent in transactions every day, and it’s unlikely the vendor creator will recover their business and credibility. Who knows if their replacement version will be any more secure? And just how many other punks did the emulator guy sell his little toy to?
1. Use Emulator to steal goods from networked vendor.
2. ???
3. Profit!
In actuality, the punks with Emulators are probably just going to end up with a huge heap of clothes, lingerie, hair, vehicles and houses that they’ll soon get bored with, but it is still lost sales for the vendor owners concerned, and of course the seeds of doubt, which must be causing the most upset. After all, if you can make the vendor think the goods should be delivered to you for $0, how hard would it be to make the server think the proceeds of real sales ought to go to you instead? Step 2, above, is suddenly removed…
In all fairness, no-one in SL is being paid to be a network security expert, just like I’m not being paid to be a seesaw physicist, but to be honest, I’d have to be a LOT more confident that I knew what I was doing than I am now, if my seesaw was to interact with other people’s money in any way, shape or form. I doubt I’ll ever want a shop or vendors, purely because where money is concerned, it can always go really badly wrong. It all goes to show why RMT will be commerce’s badlands for a long time to come, because there’s always a smarter kid than you out there…