26 September 2007

No excuse for this

There is no excuse for this. There can be no excuse for this.
(LOLKitty and Happy Place Supplied by Dale Glass)

Patches of Insanity #4: Do As I Say...


Special Thanks to Hervy Rikchi and TheWorldOf Tomorrow. (Yes, there really is such a Resident in SL.) He's da Woozl. No, I really didn't eat him... I think.

17 September 2007

XSS Attack on Second Life logins and My Recommendations

(Special Thanks to Ordinal Malaprop for pointing this one out)

pdp over at GNUCITIZEN highlights a serious exploit that affects Windows-based Second Life Users. Read this like your SL depended on it, because it does!

Explanation of the exploit:
The exploit uses an inline frame tag with a deliberately malformed set of parameters (a common trick in cross-site scripting attacks). It passes what appears to be a secondlife:// protocol link, which by default fires up the SL client and hands it the parameters that follow.

In a proper secondlife:// link, the parameters would simply be a sim name and XYZ coordinates in a segmented URL. This hack, however, truncates the URL awkwardly and instead passes command-line options that tell the client to start up and automatically submit login details, including an MD5 hash of your password if "Remember Password" is enabled in the client, to a server at some URL other than the ones for the Agni or Aditi grids run by Linden Lab.

This is a severe compromise: a false login can be performed at the genuine Second Life authentication servers simply by replaying the captured request from start to finish, with no need to recover the password itself. (Actually logging into the Second Life website would require the further step of unscrambling the password hash, which is possible, albeit tricky, thanks to precomputed 'rainbow tables' from projects set up to break MD5.)

Until this issue is publicly addressed and fixed by Linden Lab, my recommendation would be to disable password caching by unchecking "Remember Password" at the client login screen. An attempted auto-login would still send your name, client version and client type as in a normal login request, but without a saved password to hash, no password hash will be sent along, rendering this exploit mostly useless.

Switching to Firefox would also help. The vulnerability in IE that is used to run this exploit also used to exist in Firefox, but was patched within days of its existence being recognised (yay for FOSS). Attempting the same attack on an updated copy of Firefox would merely result in Second Life being passed an odd "Startup Location" rather than actual command-line options, with the security leak those could be used to create.
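As an added illustration of the "proper link" described above (this is my own example code, not from the GNUCITIZEN post, Linden Lab or the SL client), the following validator accepts a secondlife:// link only when it is exactly a sim name plus three coordinates and rejects anything else. The sim-name grammar, coordinate ceilings and the sample links are assumptions chosen for the example.

```python
import re
from urllib.parse import unquote

# Assumed shape of a legitimate teleport link (not Linden Lab's official
# grammar): secondlife://<sim name>/<x>/<y>/<z>, with nothing else attached.
# Sim names are letters and digits separated by single spaces; coordinates
# are small non-negative integers (a region is 256 m on a side).
_SIM_NAME = re.compile(r"[A-Za-z0-9]+( [A-Za-z0-9]+)*")
_COORD = re.compile(r"[0-9]{1,4}")
_LIMITS = (255, 255, 4096)  # x, y, z ceilings; the z ceiling is an assumption


def parse_slurl(url):
    """Return (sim, x, y, z) for a well-formed link, or None when anything
    beyond a sim name and three coordinates is present."""
    if not isinstance(url, str) or len(url) > 256:
        return None
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() != "secondlife":
        return None
    # Query strings, fragments and raw whitespace never occur in a teleport
    # link, so they are rejected before any decoding takes place.
    if any(c in rest for c in "?#\t\r\n "):
        return None
    segments = rest.split("/")
    if len(segments) != 4:
        return None
    # Decode only the sim name, then check the decoded form so that
    # percent-encoded slashes, quotes or dash-prefixed tokens cannot slip past.
    sim = unquote(segments[0])
    if not _SIM_NAME.fullmatch(sim):
        return None
    coords = []
    for seg, limit in zip(segments[1:], _LIMITS):
        if not _COORD.fullmatch(seg) or int(seg) > limit:
            return None
        coords.append(int(seg))
    return (sim, coords[0], coords[1], coords[2])


def is_safe_slurl(url):
    """Boolean gate suitable for a protocol-handler wrapper or link filter."""
    return parse_slurl(url) is not None


# Constructed sample links for illustration (not taken from the post).
SAMPLES = [
    "secondlife://Help%20Island/128/128/22",                    # legitimate
    "secondlife://Help%20Island/128/128/22/",                   # extra segment
    "secondlife://Help%20Island%20-someoption%20http:/a/128/128",  # option-like text
    "secondlife://Help%20Island/300/128/22",                    # coordinate out of range
    "http://example.invalid/",                                  # wrong scheme
]

if __name__ == "__main__":
    for link in SAMPLES:
        print("OK      " if is_safe_slurl(link) else "REJECTED", link)
```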

16 September 2007


The way Second Life works ensures that it has been described on numerous occasions as resembling a dream at times. Even Hamlet reported in his earliest writings that SL resembled "underwater, lucid dreaming" - an odd feeling from the floatiness that Internet lag adds to low-latency movement, mixed with the attention and alertness that comes with being in an interestingly weird world. The things people put out sometimes help a lot :D

I got that odd feeling while watching an anime movie tonight. The name of the movie is "Paprika", and it is based on a Japanese sci-fi novel about the ramifications of playing with people's dreams without due care.

It was directed by Satoshi Kon, whose previous works such as Tokyo Godfathers, Perfect Blue, Paranoia Agent, and Millennium Agent were commonly known for depicting uncertainty in the boundaries between realities, aided by the fact that anime is a considerably more economical art form for depicting the odd and the bizarre. In this movie, Paprika continues to play the fool, but a very interesting fool.

The plot is relatively simple: the prototypes for a world-changing advance in psychotherapy are stolen before the work needed to make them safe for widespread use is completed. In less than ten minutes, we are already thrown in the deep end as the protagonist, a young red-haired dream detective named "Paprika", explores the concerns of a cop with mental issues by interacting with his dreams, using as a diagnostic tool one of the prototypes that has been illegally smuggled out of the lab. The opening sequence after she takes her leave is surreal, and surprisingly detailed, something that keeps repeating throughout the movie.

Paprika's RL ego is actually a chief researcher for a psychiatric facility named Atsuko, and a surprising contrast to the saucy lass - for starters, she seems horrendously uptight and serious, fearful for the future of the DC Mini technology and its potential for abuse without proper access controls.

Surreal is the keyword here. This is pretty much what David Lynch would have done if he had turned to cels instead of celluloid to film his works. Within the first ten minutes of the film, we already start getting an inkling of how potentially serious the problem is as the thief infiltrates a delusional dream into a colleague's brain, causing him to burst into a really odd essay on stuff as he starts seeing strange dreamlike things while still awake:
"Even the five court ladies danced in sync to the frog's flutes and drums. The whirlwind of recycled paper was a sight to see. It was like computer graphics. That I don't support Technicolor parfaits and snobby petit bourgeois is common knowledge in Oceania! Now is the time to return home to the blue sky! The confetti will dance around the shrine gates. The mailbox and the refrigerator will lead the way! Anyone who cares about expiration dates will not get in the way of the glory train! They need to fully realize the liver of the triangle rulers! Now, this festival was decided by the third grade class with the telephoto camera! Move forward! Come together! I am the ultimate governor!"

And then he jumps through a window, several stories above ground level. For what?

Thank god for well-placed trees. It gets much weirder from here onwards. The movie doesn't have a tonne of separate plotlines... what it DOES have is atmosphere. Quite hard to describe, but if you watched it, you'd see it.

To describe it further is to spoil a very good film.

If you see it, rent it. Better yet, buy it.

The soundtrack is equally gorgeous, with most songs heavily laden with verbal scatting and lyrical singing as composed by Susumu Hirasawa. In fact, two songs have been released free of charge (for noncommercial uses only) from the soundtrack. If they are any indication of the quality of the OST, I think I will be placing an order for it when I see it at my local record store.

14 September 2007

Good Grief! - Laetizia Coronet asks about coping with griefing

Laetizia Coronet writes in her blog "A Virtual Village Voice" about responding to spates of griefing like what has been going on in the past fortnight:


Some good proposals, and comments are welcome at the original post as always. Your opinions will help make up proposals on the matter she plans to put forth to the people above - make it count :D

06 September 2007

Heartbreak on Caturday

Joel Veitch of rathergood.com is known for kittens, and cute... He also does poppy, upbeat music with his band "7 Seconds Of Love".

His latest video is something different: film noir kittens, heartbreak and more rain than a worst day ever.
