I can't believe they moderated THIS post from the blog
|
Seraph Nephilim
and the angels will weep
Join date: 28 Jan 2006
Posts: 255
|
09-11-2006 05:44
From: Skye McArdle
You beat me to it. Just to reiterate.. just because YOU can get to the page to answer specific, possibly easily guessed questions about your avatar does NOT mean everyone else in the world can (yeah, the thought did occur to me, then I came out of shock and started thinking logically again). I mean, they reset *everybody's* password, on the chance that somebody might decrypt MD5 hashed and salted passwords, and people are thinking they are going to turn around and let anybody access anybody else's password reset consisting of answers that could be publicly known? Breathe.. it's so much better when you stop and breathe.

Here's the thing, though. Given LL's programming practices, I don't trust them to foresee every security issue, especially when in crisis mode. Since they didn't explicitly tell us how this was secure, I rightly assumed it wasn't, until proven otherwise. And I did test it with another account in my household (with permission) -- the fact that we shared the same IP address is what allowed it to go through, not anything else. Had I been able to get ahold of a third party, I would have confirmed that security was in place. However, given that I could not, it was better to report a potentially huge exploit than to take a chance that there wasn't a hole.

And stupid security is a failing that can hit anyone. My bank just went to a sign in from their front page, which is not a secure page. WTF are they thinking? That by putting a lock icon GIF next to the word "Login" that we should trust that it's secure?! Isn't that a *perfect* technique for phishers? Now, I know the form links to a secure URL, but WTF are they thinking?!!!!! There is no way to tell this till *after* you submit your ID and password. They're training people to accept phishing techniques!!!!! Morons! And this is a *major* bank!
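The front-page login form described in the post above (a page that is not itself secure, carrying a form whose action is a secure URL) can be checked before anything is typed into it by looking at where each password form actually posts. The following is an added example, not code from this thread or from any site mentioned in it; the hostnames, page URLs and HTML snippets are constructed for the demonstration, and the two issue labels are names chosen here.

```python
"""Audit a fetched HTML page for password forms a visitor cannot verify before submitting.

Added example; the hostnames and HTML below are constructed, not taken from any real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> on the page and note whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes arrive with value None
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that collects a password.

    Each finding records the absolute URL the credentials would be posted to and
    the issues found:
      "page-not-https"   -- the page carrying the form was served in the clear, so a
                            network attacker or a look-alike site can replace the form
                            and the visitor has no way to notice; a lock-icon image
                            on the page proves nothing
      "action-not-https" -- the credentials themselves would travel in the clear
    An empty or relative action resolves against the page URL, as a browser would do.
    """
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])
        issues = []
        if page_scheme != "https":
            issues.append("page-not-https")
        if urlsplit(action).scheme.lower() != "https":
            issues.append("action-not-https")
        findings.append({"action": action, "issues": issues})
    return findings


# Constructed sample page: the pattern from the post, a front page whose login
# form posts to an https URL. The lock GIF is decoration, not evidence.
BANK_FRONT_PAGE = """
<html><body>
  <img src="/img/lock.gif" alt="lock"> Login
  <form method="post" action="https://secure.bank.example/login">
    <input name="user"> <input type="password" name="pass">
    <input type="submit" value="Login">
  </form>
  <form action="/search"><input name="q"></form>
</body></html>
"""

# Constructed sample page: a plain http page with a relative action, so both the
# page and the posted credentials are unprotected.
FORUM_LOGIN_PAGE = """
<form action="login.php"><input type="password" name="pw"></form>
"""


def demo():
    """Run the audit over the constructed pages, once with the bank page over http and once over https."""
    return {
        "http front page, https action": audit_login_forms("http://www.bank.example/", BANK_FRONT_PAGE),
        "https front page, https action": audit_login_forms("https://www.bank.example/", BANK_FRONT_PAGE),
        "http page, relative action": audit_login_forms("http://forum.example/index.php", FORUM_LOGIN_PAGE),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label)
        for f in findings:
            print("   posts to", f["action"], "issues:", f["issues"] or "none")
```

The check reproduces what a browser would do with the form, so it is only as good as the HTML you fetched: it tells you whether the page you received is one a visitor could trust, not whether the server is honest, and a phishing page can just as easily post to an https URL of its own. That is the point the post makes: when the genuine site serves its login form from an insecure page, a visitor has nothing left to compare against.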
|
Skye McArdle
Resident Dragon
Join date: 26 May 2006
Posts: 132
|
09-11-2006 06:39
From: Seraph Nephilim
it was better to report a potentially huge exploit than to take a chance that there wasn't a hole.

Reporting a potential exploit (that you have hopefully researched enough to know if it is already known about or not) is one thing, posting a semi-rant in a blog that could add to the current stampeding herd mentality we're seeing right now is quite another.
|
Seraph Nephilim
and the angels will weep
Join date: 28 Jan 2006
Posts: 255
|
09-11-2006 06:56
From: Skye McArdle
Reporting a potential exploit (that you have hopefully researched enough to know if it is already known about or not) is one thing, posting a semi-rant in a blog that could add to the current stampeding herd mentality we're seeing right now is quite another.

Oh, I think I agree with this. When I thought I had confirmed a serious exploit, I wanted to alert people right away. However, that would have alerted the exploiters, too. So, instead, I went in-world and reported it. And warned a friend about the potential, too. Now, if there had been no response in a reasonable amount of time, then I would have publicly warned others.

And folks, security breaches happen, especially with zero-day exploits. And things happen at banks a lot more than you know, too -- they just don't want it made public, where they can avoid it. I think LL handled this responsibly, given the circumstances.

And finally, BTW, if it's credit card theft we're dealing with, it's not the FBI, it's the Secret Service that handles it.
|
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
|
09-11-2006 07:02
From: Skye McArdle
You beat me to it. Just to reiterate.. just because YOU can get to the page to answer specific, possibly easily guessed questions about your avatar does NOT mean everyone else in the world can (yeah, the thought did occur to me, then I came out of shock and started thinking logically again).

Careful. I brought this up a couple days ago, and was told that I was an illogical cement-head.
_____________________
A man without religion is like a fish without a bicycle.
|
Skye McArdle
Resident Dragon
Join date: 26 May 2006
Posts: 132
|
09-11-2006 07:14
From: Chronic Skronski
Careful. I brought this up a couple days ago, and was told that I was an illogical cement-head.

Yeah, well, what can you do? Ya know? I guess you are now revenged. Anyway, see, this is what I'm talking about. This was known about Saturday, it was figured out Saturday, and yet there are still people going "but.. but.. ZOMG... click on the link and everybody can see my STUFF!!11!".
|
Cocoanut Cookie
Registered User
Join date: 26 Jan 2006
Posts: 1,741
|
09-11-2006 07:47
From: Skye McArdle
You beat me to it. Just to reiterate.. just because YOU can get to the page to answer specific, possibly easily guessed questions about your avatar does NOT mean everyone else in the world can (yeah, the thought did occur to me, then I came out of shock and started thinking logically again). I mean, they reset *everybody's* password, on the chance that somebody might decrypt MD5 hashed and salted passwords, and people are thinking they are going to turn around and let anybody access anybody else's password reset consisting of answers that could be publicly known? Breathe.. it's so much better when you stop and breathe. Actually I can see why they might delete a post like that from the blog. It was possible that a post such as that could start another mass panic over a non-issue. If someone has not witnessed how easily this seems to happen around here, you've just simply not been paying attention. LL has enough on their plate right now without having to calm down YET ANOTHER drama.. especially one that has no bearing on reality and that they can simply nip in the bud before it builds... and before somebody says "but.. but.. they could just give an answer to the question instead of deleting it..", well, if some research had been done before the original question was posted it would never have been asked, because I've seen many posts since Saturday referencing the fact that the page is only accessible from the IP address that you have previously accessed that account from.. so it kinda goes to show that stuff like that snowballs regardless.

1. It doesn't take reading that post to think, "Gee, there is zero security in this method!" Reading that post isn't going to cause mass panic, because many people have already THOUGHT of this, because yes, it looks like there is zero security in that method. They just haven't thought about the IP connection.

2. So why don't they just tell us this? Seems like there is ALWAYS some detail of info that it wouldn't hurt to tell us (such as this, or the fact that they were working on a coding solution on Friday night), which they withhold. I've learned to think to myself: "What little snippet are they withholding so that, when they tell us, we will all feel like idiots?" That sort of thinking is how I knew that they weren't really going home on Friday night, even though they were purposely giving that impression. (That, and the fact that they would have been idiots to.) IF they simply mentioned this IP thing (as you did), then I wouldn't have idly worried for the PAST WHAT, TWO DAYS? that somebody would do this to change my NEW password.

coco

P.S. The players of SL are far too smart and/or tech savvy to be treated as a potentially mass-panicking, stampeding herd of dim-witted livestock.
|
Skye McArdle
Resident Dragon
Join date: 26 May 2006
Posts: 132
|
09-11-2006 08:43
From: Cocoanut Cookie
The players of SL are far too smart and/or tech savvy to be treated as a potentially mass-panicking, stampeding herd of dim-witted livestock.

You certainly couldn't tell it from looking at the forums for the last couple of weeks now, I can assure you of that.
|
Jim Lumiere
Registered User
Join date: 24 May 2004
Posts: 474
|
09-11-2006 09:12
Is this thread still on the same subject? Unbelievable moderation in the blogs?
|
Fushichou Mfume
Registered User
Join date: 30 Jul 2005
Posts: 182
|
09-11-2006 09:41
From: Skye McArdle
You beat me to it ... Actually I can see why they might delete a post like that from the blog. It was possible that a post such as that could start another mass panic over a non-issue. If someone has not witnessed how easily this seems to happen around here, you've just simply not been paying attention. LL has enough on their plate right now without having to calm down YET ANOTHER drama.. especially one that has no bearing on reality and that they can simply nip in the bud before it builds... and before somebody says "but.. but.. they could just give an answer to the question instead of deleting it..", well, if some research had been done before the original question was posted it would never have been asked, because I've seen many posts since Saturday referencing the fact that the page is only accessible from the IP address that you have previously accessed that account from.. so it kinda goes to show that stuff like that snowballs regardless.

I'm sorry but this is a fallacious argument. If a Linden moderated my blog comment, it's because they read it and deemed it "inappropriate" for whatever reason and then censored it off. If they read it, that means they could just as easily have RESPONDED to my security concern and clarified the issue for EVERYONE. Thus not only preventing such a "stampede" but also heading off similar comments to mine entirely. This would have been the practical and responsible thing to do. Instead, they just delete the comment and pretend it never happened.
|
Skye McArdle
Resident Dragon
Join date: 26 May 2006
Posts: 132
|
09-11-2006 10:36
From: Fushichou Mfume
I'm sorry but this is a fallacious argument. If a Linden moderated my blog comment, it's because they read it and deemed it "inappropriate" for whatever reason and then censored it off. If they read it, that means they could just as easily have RESPONDED to my security concern and clarified the issue for EVERYONE. Thus not only preventing such a "stampede" but also heading off similar comments to mine entirely. This would have been the practical and responsible thing to do. Instead, they just delete the comment and pretend it never happened.

Ok then, maybe they're attempting to give you a subconscious message saying "If you wanna rant, get yer own blog." heheh
|