If you haven't read the post by Tranq, you should: Forum Post
Now some background information.
Last summer, we had someone put himself in the InWorldz Founders group: Tom Grimshaw. If you don't know that name you can look it up, but he's the technical admin for Meta7, still part of MMR, and helping Avination. His mentality was to create a role named "Penis" and put himself in it. Needless to say, Tranq fixed the exploit when it was pointed out by Ratchet Xevion, and we banned Mr. Grimshaw with an email. We've always worked pretty well with those who find exploits and want to work with us to eliminate them. Exploits happen in every codebase, and we're pretty serious about finding them and closing them.
A couple of weeks ago, we had an exploit reported to us by Casper Warden, and I immediately cleaned it up. This is where things get interesting. The conversations below have been passed over to me, and as such I will not release the names of the other parties. But you can come to your own conclusions:
[11:06:30 PM] ****: Do you feel that you're better then everyone or something?
[11:07:03 PM] Tom: not at all
[11:08:41 PM] ****: It's just seeming that way. You said Elenia is not very smart, that Avination is secure because it uses your code, and that you end up fixing Melanie's code most of the time. And I don't know much about OpenSim servers, so I can't really defend what you say to me when you tell me things like you know how to get into databases etc.. I'm just left to believe you.
[1/26/2011 9:57:25 PM] ****: [11:10:53 PM] Tom: Look, OpenSim is basically in my blood, I've worked with it so extensively for so long I know it inside and out. I fix a lot of Melanie's bugs, yes, she fixes a lot of mine
[11:11:07 PM] Tom: that's what happens when you work together
[11:12:01 PM] ****: Right, it just seems you have been taking a lot of credit, and making me look like an idiot in some ways.. I know you may not be meaning that though
[10:27:18 PM] ****: I'm not telling Elenia, but there has to be some reason why you care so much. No one tests for vulnerabilities on grids and keeps access to their grids without caring..
[10:28:25 PM] Tom: I have been assessing the possibility of porting my vendor system to InWorldz, but I will not do it until it's secure
[10:29:34 PM] ****: That's the only reason? I mean, you got access to their staff groups and their backend. Think about it for a second, had she had such access in Meta7, do you think you'd be okay with that?
[10:30:10 PM] ****: I understand what you're saying, but I think you're just going the wrong way about it. That too, not even telling them, they won't be able to fix these holes..
[10:30:20 PM] Tom: people have exploited meta7 before, I fixed it and thanked them
[10:30:38 PM] Tom: the last time I reported an issue to elenia she bitched me out
[10:30:59 PM] ****: Do it from a different account?
[10:31:10 PM] Tom: no! I don't want to help someone with that kind of attitude
[10:31:38 PM] ****: I really don't mean to be harsh at all, I'm on your side, understand that
[10:31:41 PM] Tom: If there's anything that's going to affect the users themselves I would tell her
[10:32:11 PM] ****: Well, I suppose she considers you as a threat, because she obviously cares why you care so much.
[10:32:46 PM] ****: It can't just be because of your vendor system. You want to have access on that grid, and I am just trying to understand why.
[10:33:08 PM] ****: You spent time creating scripts, to get the access you have now, as you stated.
[10:33:36 PM] ****: So, you know, don't get me wrong, I trust you, and I hope you trust me
[10:33:48 PM] Tom: It's really none of your business
[10:34:57 PM] ****: No its not. But I'd like to help you, and I just want to be careful. If you get into a legal hassle with them, I don't want to be having something like that on my mind.
[10:35:41 PM] Tom: I'm not going to be in any legal trouble.
Fortunately, our friend was able to point something out to Tom:
Thanks Casper, was an oversight from our early days when the site was more rushed. We have since fixed it, and if you find other exploits, by all means let us know, and we'll plug those up.
[10:38:06 PM] ****: She didn't bitch you out the last time you told her one of her holes
[10:38:14 PM] ****: You copied and pasted the ticket to me
[10:39:35 PM] Tom: that's apparently because she didn't know it was me
True, I didn't know it was him, but nor did I ban him when I was told the following night. It wasn't until this conversation that I banned him, again along with his alts. This is the only time he has ever reported an issue to us that we are aware of.
So, how do we tie these two together? With this:
[7:00:07 PM] Tom: I don't deny it at all, but I used THEIR viewer, and an option which is exposed to all users
[7:00:12 PM] Tom: hardly a hack
[7:00:18 PM] Tom: and i'm not banned at all
[7:00:24 PM] ****: What other flaws do you know about their site?
[7:00:32 PM] Tom: many
[7:00:39 PM] Tom: but i'm going to keep some to myself
[1/26/2011 8:39:29 PM] ****: [7:03:40 PM] Tom: I wish you hadn't told her I was Casper
[7:03:45 PM] Tom: now I have to make a new account
[7:04:05 PM] ****: I wish you hadn't reported me.. Now I have to call LL lol
[7:04:07 PM] Tom: oh, actually, never mind, I set myself to unbanned
Interesting side note here... the "I set myself to unbanned". We don't ban via the database, at least not with any flag that says the person is banned. His account, Tom Grimshaw, hasn't logged in since Aug. 13, 2010. His Casper Warden account's last login was Jan. 26, which is the night we banned him.
In our endeavor to be transparent, I detest doing things like this, but on the other hand it's good to expose it. I think the biggest issue we have with this sort of stuff is this: if you have this much time on your hands to worry about us, maybe you need to find something else to do. Have we been to other grids? Sure. Do we do anything to potentially harm their systems? No. And if we found some sort of exploit, we'd report it rather than blaring it all over or using it for our own devious ends. Maybe we're a bit higher on the moral ground and have a tad better understanding of responsibility.... but seriously? Penis? As a role?
Til we meet again InWorldz!