URGENT! LL security exploit
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 11:16

> is that actually his number? how did you get it?

867-5309? I'm pretty sure that's Jenny's number.
Luciftias Neurocam
Ecosystem Design
Join date: 13 Oct 2005
Posts: 742
09-08-2006 11:25

> 867-5309? I'm pretty sure that's Jenny's number.

Don't lose it.
Corona Lime
Lunatico
Join date: 14 Aug 2006
Posts: 171
09-08-2006 11:26

Not to stir the pot, but, I find it really amusing that people are blaming Linden because they didn't follow directions (ie: False Security Question Answers, Invalid Email Addresses, etc.)
_____________________
RCE Universe - bridging virtual worlds...
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 11:27

> Sure, it's unlikely someone will use the same salting/hashing methods as LL,

I wouldn't go so far as to say "unlikely." I'd break the possibilities like this:

- They used the MySQL PASSWORD() function, even though they weren't supposed to. (Everybody does it; I mean come on it's the PASSWORD() function! Surely that's what you use for passwords! Right? Right?!)
- They used the MySQL MD5() or SHA1() functions with no salt at all. (This is sadly what's actually suggested in the MySQL documentation.)
- They used the MD5 hash & salt implementation described on this LSL page.
- They did something else. (This option has the potential to be the best or the worst.)

Salting is easy to detect, because you have to be able to recover the salt to know which one was used, which gives the attacker the same ability. If there's a 32-bit salt, that's some help, and it could be quite good as long as you don't randomly generate it. (I.e. you intentionally cycle through the salts to avoid any collisions at all among your first 4 billion users.)
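An added example (Python; not code from this thread, from the LSL page mentioned, or from Linden Lab) contrasting the unsalted MD5() storage the post describes with a per-user 32-bit salt stored beside the hash. The salt-then-password layout and the sample accounts are assumptions; the birthday estimate at the end quantifies the post's point that randomly generated 32-bit salts will collide.

```python
# Added example: what a leaked credential table reveals under two of the
# storage schemes listed above. Sample accounts are constructed.
import hashlib
import struct
from collections import defaultdict

# Constructed sample accounts; two of them chose the same password.
SAMPLE_PASSWORDS = {"alice": "hunter2", "bob": "hunter2", "carol": "pink-pony-42"}

def hash_unsalted(password: str) -> str:
    """Equivalent of storing MySQL MD5(password): no salt at all."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> str:
    """Salted MD5 with an assumed salt || password layout (the LSL page's
    exact layout is not given in the thread). Salt is stored beside the hash."""
    return salt.hex() + "$" + hashlib.md5(salt + password.encode()).hexdigest()

def verify_salted(stored: str, password: str) -> bool:
    """Recover the salt from the record, as any verifier (or attacker) must."""
    salt_hex, _ = stored.split("$", 1)
    return hash_salted(password, bytes.fromhex(salt_hex)) == stored

def sequential_salt32(counter: int) -> bytes:
    """32-bit salt cycled deterministically: collision-free for 2**32 users."""
    return struct.pack(">I", counter % 2 ** 32)

def duplicate_groups(records: dict) -> list:
    """Users whose stored values are identical. With unsalted hashes this
    exposes shared passwords, and one cracked hash opens all of them."""
    by_hash = defaultdict(list)
    for user, stored in records.items():
        by_hash[stored].append(user)
    return [sorted(u) for u in by_hash.values() if len(u) > 1]

def expected_salt_collisions(n_users: int, salt_bits: int = 32) -> float:
    """Birthday estimate: expected colliding pairs among n random salts."""
    return n_users * (n_users - 1) / 2 / 2 ** salt_bits

def store_all(salted: bool) -> dict:
    """Build a credential table under either scheme."""
    if not salted:
        return {u: hash_unsalted(p) for u, p in SAMPLE_PASSWORDS.items()}
    return {u: hash_salted(p, sequential_salt32(i))
            for i, (u, p) in enumerate(SAMPLE_PASSWORDS.items())}

if __name__ == "__main__":
    print("unsalted duplicates:", duplicate_groups(store_all(salted=False)))
    print("salted duplicates:", duplicate_groups(store_all(salted=True)),
          "| expected random-salt collisions at 1e6 users:",
          round(expected_salt_collisions(1_000_000), 1))
```

Current practice replaces MD5 here with a purpose-built password hash such as bcrypt, scrypt or Argon2; the structural point about per-user salts is unchanged.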
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
09-08-2006 11:29

> Not to stir the pot, but, I find it really amusing that people are blaming Linden because they didn't follow directions (ie: False Security Question Answers, Invalid Email Addresses, etc.)

I'm blaming them for fucking up.
Ricky Zamboni
Private citizen
Join date: 4 Jun 2004
Posts: 1,080
09-08-2006 11:30

I suppose there's no chance at reinstating the passwords of users who don't know the email they used? I have a bunch of unverified alts I cannot use anymore. I predict a large dip in the "users logged-in over the past 60 days" two months from now, as a large number of garbage alts have now been rendered useless.
Dragon Keen
Registered User
Join date: 24 Apr 2006
Posts: 245
09-08-2006 11:31

security BS aside
why as a company RUN AWAY from dealing with this issue? First off it took 2 days, wtf is that about. Then they instantly FORCE a reset, causing a lotta residents to not remember their security question, and turn the phones OFF instead of dealing with the fuck up head on, LL is HIDING and running away?!?!?! What the fuck is that bullshit about? If you're gonna force a system-wide password reset, earn your god damn paycheck and get on the fucking phone for support
Mechageo Dannunzio
Registered User
Join date: 26 Mar 2006
Posts: 6
09-08-2006 11:32

Personally, I am glad that this was announced.
I would rather have to make up a new password than have someone hack into my account, however remote the possibility. I think that Linden Lab did what was in everyone's best interest. And about everyone that spent money using an account that had falsified information; Don't you think that it would be a good idea to have a secure account when you're using it to spend money? Would you make a paypal account with bogus information and link it to your credit card? And you, Fenrir Reitveld, EBG13 vf gru orfg sbez bs rapelcgvba rinu.
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 11:32

> Don't lose it.

Not to worry, I've got it on the wall.

> I find it really amusing that people are blaming Linden because they didn't follow directions (ie: False Security Question Answers, Invalid Email Addresses, etc.)

Yes. Perhaps this would be a good time to shill for Password Safe, an excellent free program for Windows that manages passwords and provides a little "notes" area for each account where you can keep your security question and bogus answer. The whole thing is protected by frightfully strong encryption, requiring you to remember only one really good password, rather than a bunch of crappy ones.
Io Zeno
Registered User
Join date: 1 Jun 2006
Posts: 940
09-08-2006 11:35

> Not to stir the pot, but, I find it really amusing that people are blaming Linden because they didn't follow directions (ie: False Security Question Answers, Invalid Email Addresses, etc.)

Oh, bullshit. People don't take the "security question" seriously, that is true, but that is nothing unheard of, unless you think it is morally wrong to put a false maiden name for my mother. It was only because I've been burned by that mistake that I take it seriously now. And I have screwed up old accounts when I switched ISP's and forgot to change my email address on the site, and then I couldn't get my password reset because I couldn't access my old email.
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 11:38

> If your gonna force a system-wide password reset, earn your god damn paycheck and get on the fucking phone for support

Unfortunately, the correct response to a security incident is:

1) To disclose as much information as possible about the incident. (I give them a 3/5 on this. They did blog it, they did post here a bit about it, but the delay and exact scope are leaving big question marks.)
2) Be absolutely as obnoxious as possible. Shutting off the phones is the right thing to do, because if you answer them and try to be nice to people, you wind up giving out people's login and password to any hacker who's adept at social engineering. (In fact, a skilled one is probably more likely to get your password/email address changed over the phone than you are.) Linden gets 5/5 on this one, though not everyone seems convinced it was on purpose.

Changing the passwords is roughly equivalent to banning nail clippers on planes. "Quick! Let's look like we're doing something decisive!"

Edit: fubar'd the quote.
Corona Lime
Lunatico
Join date: 14 Aug 2006
Posts: 171
09-08-2006 11:39

> Oh, bullshit. People don't take the "security question" seriously, that is true, but that is nothing unheard of, unless you think it is morally wrong to put a false maiden name for my mother. It was only because I've been burned by that mistake that I take it seriously now.

That may be the case, but, if your SL account is valuable to you, you'd be well advised to know the answers to the questions.
_____________________
RCE Universe - bridging virtual worlds...
Xplorer Cannoli
Cache Cleaner
Join date: 18 Sep 2005
Posts: 1,131
09-08-2006 11:39

> Second Life passwords can not be changed over the phone at this time. Phone support for password issues will be available Monday, September 11. For the most up-to-date information, please check the Official Linden Blog at blog.secondlife.com

Customer Service should be their top priority in a situation like this...not telling people they have to wait till AFTER the weekend when it's still Friday morning. THIS is the worst example of CS I have ever seen by SL. Very disappointing. Somebody is making very poor business decisions. Either the team needs some jarring and shaking or they need to be removed. There is too much at stake right now for everyone involved.

Xplorer
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
09-08-2006 11:41

> That may be the case, but, if your SL account is valuable to you, you'd be well advised to know the answers to the questions.

Shut up. I entered random stuff into the field so PEOPLE CAN'T STEAL MY ACCOUNT.
Io Zeno
Registered User
Join date: 1 Jun 2006
Posts: 940
09-08-2006 11:42

> That may be the case, but, if your SL account is valuable to you, you'd be well advised to know the answers to the questions.

And LL would be well advised to get their shit together. Blaming the customer for their fuck ups is no way to run a company. Can't even get them on the phone for the next 3 days, are you kidding me?
Io Zeno
Registered User
Join date: 1 Jun 2006
Posts: 940
09-08-2006 11:43

> Shut up. I entered random stuff into the field so PEOPLE CAN'T STEAL MY ACCOUNT.

You're right, I've used that reasoning, too. Many do. Now what?
Jillian Callahan
Rotary-winged Neko Girl
Join date: 24 Jun 2004
Posts: 3,766
09-08-2006 11:44

> And LL would be well advised to get their shit together. Blaming the customer for their fuck ups is no way to run a company. Can't even get them on the phone for the next 3 days, are you kidding me?

This may well be a hamfisted attempt to reduce load on the asset services. =o.0=
Corona Lime
Lunatico
Join date: 14 Aug 2006
Posts: 171
09-08-2006 11:46

> And LL would be well advised to get their shit together. Blaming the customer for their fuck ups is no way to run a company. Can't even get them on the phone for the next 3 days, are you kidding me?

I don't see them blaming anyone. Yes, not being able to contact someone is unfortunate. However, it is not the end of the world. I am sure they will straighten everything out.
_____________________
RCE Universe - bridging virtual worlds...
Bobby Troughton
distracted
Join date: 4 Nov 2005
Posts: 20
Got my email
09-08-2006 11:47

Finally got the email. Takes a while due to all the traffic I bet. So be patient I guess. I feel sorry for all those good people with fake emails (except for griefers), poor fellows, reaping what ya sow.

If anyone didn't notice, the blog mentions that credit card information was not compromised. But then again one would be unable to even cancel a billed account now anyway. I'm sure they'll find some wacky way to fix it. Patience kids!
Very Keynes
LSL is a Virus
Join date: 6 May 2006
Posts: 484
09-08-2006 11:50

well now I'm really screwed, my alt is my primary account, she bought the bloody land.
my primary account was only used for a few days, I've used the alt for nearly 6 months. now I can't get in as any account and it's been an hour since I requested a password change. I nearly quit on Tuesday night when I lost my lover. If I'm not back in within the next few minutes I will call the card division of my bank and have them block, and hopefully reverse, any charges from LL. This may be a good thing in the long term, I was too damn addicted to SL anyway. I am more than a little pissed as I know we all are.
Taco Rubio
also quite creepy
Join date: 15 Feb 2004
Posts: 3,349
09-08-2006 11:52

> Not to worry, I've got it on the wall.

Is she really a good time?
_____________________
We can't be clear enough, ever, in our communication.
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
09-08-2006 11:55

> (In fact, a skilled one is probably more likely to get your password/email address changed over the phone than you are.)

How would a social engineer have my credit card number, billing address, real name, access to my email, and knowledge of exactly where I have my land, how much I pay per month, etc... How?
0mega Pixel
Registered User
Join date: 28 Jan 2006
Posts: 47
09-08-2006 11:58

> Not to stir the pot, but, I find it really amusing that people are blaming Linden because they didn't follow directions (ie: False Security Question Answers, Invalid Email Addresses, etc.)

I entered the correct info and it's still telling me it's wrong, and I've read some others are having the same problem, prolly due to the servers catching on fire
Tuach Noh
Ignorant Knowlessman
Join date: 2 Aug 2006
Posts: 79
09-08-2006 11:58

> Shut up. I entered random stuff into the field so PEOPLE CAN'T STEAL MY ACCOUNT.

Okay. So did I. It's a good idea. Now, whose fault is it that you didn't make a copy of that random stuff you entered and treat it with the same care as your password?
Ohforf Uram
n00b
Join date: 27 Jun 2006
Posts: 82
09-08-2006 11:58

> The words "oh, for FUCK'S sake" spring to mind.

You called me?

I hope they didn't store the Password as readable plain text in a Database... that would be a bit too simple.