Security consciousness (may offend some)
|
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
|
09-08-2006 12:10
I am concerned that Linden Labs is going to get hit hard by an exodus of users after this issue with having to invalidate everyone's password. I feel for the few people this is genuinely inconveniencing. I have empathy for the very few people who legitimately lost control over the email account they used to register, or committed a typo on the security question.
However.
(And this is going to sound "snide", "high-handed", "elitist", "snotty" - Just, whatever, direct your flames to /dev/null) -
Linden Labs did /everything/ right in this incident.
Your password is the key to your account. It should be more than eight characters long, shouldn't be obvious, should have non-alphanumeric characters, should resemble modem line noise even - 22Tre#*;zlWG is a good example. (Don't use that, BTW).
To give you a way to RESET that password, they've provided a backdoor.
Your password should be changing for every system you use every six months anyway.
Beyond that, there is no such thing as perfect security. It's never a question of IF the system is going to be broken into, it's a question of WHEN, and WHAT can be done to minimise the security fallout.
Why? Why must I - in the death hours of the forums - listen to people whine about how they blame Linden Labs for TREATING THEM LIKE ADULTS? Why must I listen to people whine about how they FAILED TO ACT RESPONSIBLY but BLAME LINDEN LABS?
You're ALL ADULTS. MOST of you grew up in an era where having a computer access password and maintaining it is a FACT of LIFE. Those of you who DIDN'T have even LESS reason, because you've been alive long enough to KNOW BETTER and have been exposed to this FACT of LIFE for LONGER.
Are you "mad" at "Linden Labs" for having to enact a standard security procedure to protect your use of the service (and your bank account) - ? Mad because you used a throwaway email address, can't remember it, put in stupid and false answers to the security questions?
Hey, here's an idea - the situation you are in is your own fault. Linden Labs did what they had to do, what they would be expected to do by MATURE people.
Remember that when you get on the phones on Monday to get your password reset - that it's NOT LINDEN LABS' FAULT - THEY ARE HELPING YOU. Do NOT take out your guilt and self-hatred on the person on the other end of the line. Thank them for going OUT of their WAY to HELP your disorganised, irresponsible, and lackadaisical BUTT out of your own predicament.
Flames to /dev/null. Praise to /dev/null too. But be sure to direct people here if they are whining.
|
Lorelei Patel
was here
Join date: 22 Feb 2004
Posts: 1,940
|
09-08-2006 12:17
Yeah, I really agree. However, I do wonder why they waited two days to act on it, and why they are delaying phone support until Monday. That said, no one made anyone pick a throwaway security answer or give a false email.
_____________________
============ Broadly offensive.
|
Cocoanut Cookie
Registered User
Join date: 26 Jan 2006
Posts: 1,741
|
09-08-2006 12:20
Yes, I agree they did the right thing.
What they didn't do right is cut everybody off and then just shelve the whole thing till Monday. As if people don't have WORK to do in SL, CUSTOMERS, BUSINESS.
Or weddings, or whatever else.
And it is not everybody's fault they can't get back in. Forgetting a security question answer can happen to anybody. And in my case, I didn't even FORGET.
These issues aren't that hard to resolve. You just have to be willing to do it, and not just pack off for the weekend to go sailing or whatever.
I mean, REALLY.
coco
|
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
|
09-08-2006 12:21
I'm mad at them for fucking up to begin with.
That, and having a system for humans, with no room for human error.
Kind of like a system where if you typo your password, it explodes in pain and shrapnel.
|
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
|
09-08-2006 12:22
Fantastic post, Finning - I agree 100%.
_____________________
A man without religion is like a fish without a bicycle.
|
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
|
09-08-2006 12:25
From: Chronic Skronski Fantastic post, Finning - I agree 100%.
Have fun getting shot in the face if your finger slips when you type in your password the next time.
|
Isablan Neva
Mystic
Join date: 27 Nov 2004
Posts: 2,907
|
09-08-2006 12:26
It would probably behoove LL to keep the forums open now through Monday to deal with the customer service nightmare that this has created. Not to mention that this incident provides a perfect example of why there needs to be a central communication system that is widely read for the dissemination of critical information.
_____________________
 http://slurl.com/secondlife/TheBotanicalGardens/207/30/420/
|
Xplorer Cannoli
Cache Cleaner
Join date: 18 Sep 2005
Posts: 1,131
|
09-08-2006 12:30
Ahhhh now I understand why the Wednesday Update was "postponed".
|
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
|
09-08-2006 12:31
Finning, the problem with that rant is that you defended passwords when nobody is complaining about passwords. All of this boils down to the security questions, not the passwords, and unlike passwords, which make a lot of sense and which we tend to remember because we use them all of the time, security questions are dangerous, foolish, horrible, bordering on the worst idea of all time ... oh yes, let me put in my mother's maiden name because surely nobody can find that information with ease. How silly. So you're forced to either plug in some easily researched information, in the process screwing yourself out of the security provided by your carefully chosen and actually difficult (unlike the security question) to figure out password, or you put gibberish in the security question field so that some jerk won't be able to easily compromise your account. After all, you tell yourself, I have my password. You know, that carefully chosen, difficult-to-guess password that you just spent so much time defending, Finning. Only your password is suddenly invalidated, and now you need your security question. You know, the easily researched, horribly vulnerable security question that you either went ahead and put in, thereby making of yourself an easier target ... or else filled with nonsense so that your password could actually do you some good?
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
|
Belaya Statosky
Information Retrieval
Join date: 3 Jun 2004
Posts: 552
|
09-08-2006 12:32
Right on! Because it was magic pixie dust and angels that broke through their tightened security after similar incidents! Totally not LL's fault since they were going against PIXIES and ANGELS who wanted this accessible information via SQL injection exploits and we all know nothing can stop PIXIES or ANGELS.
.. Oh wait. What was that you were saying about being security conscious and responsible again?
|
Cocoanut Cookie
Registered User
Join date: 26 Jan 2006
Posts: 1,741
|
09-08-2006 12:32
It sure would, Isablan. And your second point is well taken, too. I just got some very good tips on my "Cocoanut Koala can't log in" thread that I WOULD NOT HAVE GOTTEN without these forums.
I just plain wouldn't have.
It's like once there was a big room where you could go for help. Then the doors are shut, and you have to find all these little closets everywhere else, and hope someone in their (much smaller) population can come to your aid.
ON THE GOOD SIDE - Robin has just said they will announce it if they decide they can man the phones this weekend!!
coco
|
Ordinal Malaprop
really very ordinary
Join date: 9 Sep 2005
Posts: 4,607
|
09-08-2006 12:33
What you do with security questions is either pick one that would be very hard indeed to find the answer to - or, preferably, just treat it as another password. What city were you born in? Hysahj!116jp, I had a happy childhood there.
|
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
|
09-08-2006 12:33
From: Cinos Field I'm mad at them for fucking up to begin with. That, and having a system for humans, with no room for human error. Kind of like a system where if you typo your password, it explodes in pain and shrapnel.
Interesting how you trash them for leaving no room for human error - yet you are leaving them no room yourself. Finning made an intelligent, thought-provoking post. Let's try in at least one thread to keep the rest of the posts this way, okay?
_____________________
A man without religion is like a fish without a bicycle.
|
Billybob Goodliffe
NINJA WIZARDS!
Join date: 22 Dec 2005
Posts: 4,036
|
09-08-2006 12:35
this is why I keep all the info needed on a floppy disk in my briefcase. For me it was nothing more than a copy/paste problem for the security question. The security question can be secure if you actually think through the "what if"s
_____________________
If life gives you lemons, you should make lemonade and try and find someone who's life has given them vodka and have a party! From: Corvus Drake I asked God directly, and he says you're a douchebag.  Commander of the Militant Wing of the Salvation Army http://e-pec.info/forum/blog/billybob_goodliffe
|
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
|
09-08-2006 12:36
From: Chronic Skronski Interesting how you trash them for leaving no room for human error - yet you are leaving them no room yourself. Finning made an intelligent, thought-provoking post. Let's try in at least one thread to keep the rest of the posts this way, okay?
I'm not the one providing a service for thousands and thousands of customers. The standard kind of goes up when that many are dependent on you.
|
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
|
09-08-2006 12:37
From: Alex Fitzsimmons Only your password is suddenly invalidated, and now you need your security question. You know, the easily researched, horribly vulnerable security question that you...
...are sent a unique link to in your email. Unless you've given out your email password, no one else can access this security question. Chill.
_____________________
A man without religion is like a fish without a bicycle.
|
Io Zeno
Registered User
Join date: 1 Jun 2006
Posts: 940
|
09-08-2006 12:40
If you have a valid email account with which they can contact you, why the hell should you be locked out until Monday because they can't provide decent customer service?
Please stop kissing their ass, it just encourages this bullshit.
Every single company worth their bottom line knows that depending on the customer to never make mistakes, never forget a thing, change their passwords weekly, yada yada is pure delusion. That is what you have a customer service department for, jesus. And, no, that doesn't mean "weekends off" even in an emergency, wtf??
I am mad that this hacker was able to get in their db to begin with. I am mad that people are locked out and screwed over because they can't deal with the very numbers they did everything to pump up.
|
Jenny Carlos
Registered User
Join date: 30 Aug 2005
Posts: 52
|
Offended yes
09-08-2006 12:43
But be sure to direct people here if they are whining.
Damn right I'm whining.
I used my personal info and trusted Linden Labs to secure it. They failed to do this. It is not my job to "babysit" their programmers and see to it they keep our info secure.
There is no reason for this kind of thing and it's just what I'd have expected from Linden Labs. Can't clear up their server problems / Can't create a smart cache system like everyone wants so that things don't load again two minutes later when you come back to the same location / It's gotten very old.
People have TONS of money and time riding in Second Life like myself and I could have lost all of that because of this.
And you have the audacity to say this lol. Let me guess, you're a peon that has nothing to lose in Second Life and probably could care less if you lost any personal info.
I can say that if someone came to your house and caused problems with your family due to finding out personal info from Linden Labs' mistake, would you be posting this crap?
Nope, I'd bet you'd be calling your lawyer.
NO ONE wants their personal info exploited to the public for NO reason.
You can take your idea of changing your passwords on a regular basis and put that where the sun don't shine lol.
I could have changed my password the day before and guess what lol, yep, you got it, it would have been listed there anyway for the person. So saying it's our own fault for not changing our passwords, or that we should have taken into consideration that, like you say, NOTHING is secure, and just walk away and say oh well, it's my own fault for trusting a company to secure my private information, is just plain stupid.
Bottom line is we trusted Linden Labs with our info and it was not secured.
So what else isn't?
I can tell you. God mode. I've talked to Lindens about this / It's a reverse engineered client of Second Life. The Lindens use this lol. Now go figure, maybe they should hire these people.
Anyone that reverse engineers the Second Life application should be punished under the law. There are plenty of ways to secure and validate their Second Life client, shutting down all of these exploited copies of Second Life running.
Just another example of how well Second Life is "Secure".
Very disappointed
|
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
|
09-08-2006 12:45
From: Io Zeno Please stop kissing their ass, it just encourages this bullshit.
Oh, save it. Alex brought up the subject of the security question being easily compromised, I was just saying it is not. I am not kissing their ass, but if you cop this attitude on me for little reason, you can kiss mine.
_____________________
A man without religion is like a fish without a bicycle.
|
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
|
09-08-2006 12:46
From: Chronic Skronski ...are sent a unique link to in your email. Unless you've given out your email password, no one else can access this security question. Chill.
But the point is that security questions provide an extra avenue to exploit, and to exploit relatively easily at that. I've never wanted or needed them (I always remember my password) and have never liked them, and many others feel the same way. Naturally, when confronted with a request for a security question, we're going to put some BS answer in there, not the actual requested information, which is far too easy to obtain.
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
|
Io Zeno
Registered User
Join date: 1 Jun 2006
Posts: 940
|
09-08-2006 12:48
From: Chronic Skronski Oh, save it. Alex brought up the subject of the security question being easily compromised, I was just saying it is not. I am not kissing their ass, but if you cop this attitude on me for little reason, you can kiss mine.
Was I even talking to you?
|
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
|
09-08-2006 12:48
Sigh.
Let's quit pointing fingers at each other and doing the whole "It's LL's Fault" no it's YOUR fault.
Let's face it, some people don't feel secure with password security questions myself included considering how they have been used before to gain access into others accounts. So what.
Linden Labs had an intruder and dealt with it in what they thought would be the best answer; however, I also think there is more to the story, because it does seem odd that they waited two days, and if it's in a PHP db, passwords are encrypted. Your name and all other texts are not! Password security questions and answers are not encrypted either, and it would take too much time for hackers to gain access to all accounts before getting caught.
It's just odd that if they really thought our security is compromised they would wait two days.
I don't see how our passwords, if encrypted, would be the biggest issue, unless they weren't encrypted, which I highly doubt, because a hacker would have got their hands on this information a looong time ago.
Has anyone here ever had their emails account hacked into by someone you knew let's say an ex who knew personal information about you and used the security questions to gain access? If you have then you probably have a damned good reason not to trust security questions.
|
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
|
09-08-2006 12:50
From: Katta Sparrow Sigh. Let's quit pointing fingers at each other and doing the whole "It's LL's Fault" no it's YOUR fault.
Yeah, I know, because it was MY database that was stolen and *I* decided to kill the support. Let's look at the ROOT of the problem.
|
Zuleica Sartre
Registered User
Join date: 27 Sep 2005
Posts: 105
|
09-08-2006 12:54
It's easy to change passwords and they caught it fairly quickly. Why we weren't informed of it for two days after though is a huge question in my mind.
However, passwords are changeable BUT...and this is a big 'but' in my mind...they have compromised our RL contact information.
There is no way to protect against that, it was THEIR responsibility to maintain that confidentiality.
So two questions to LL...
1. Why were we not told to change our passwords the SAME day you discovered the compromise?
2. Why is our personal information not encrypted the same way our CC info is?
|
Joannah Cramer
Registered User
Join date: 12 Apr 2006
Posts: 1,539
|
09-08-2006 12:54
From: Chronic Skronski ...are sent a unique link to in your email. Unless you've given out your email password, no one else can access this security question. Chill.
Which begs a question: if they feel it's secure to send in the email the link to the easily researched help question thing, why can't they just reset the password to random gibberish and send that to your email box? It's not an uncommon way to handle things (some popular forum software uses it, amongst other things) and it does save quite a lot of grief like this...
|
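Several posts in this thread describe the pieces of a reset flow that would have aged better: Ordinal's advice to treat the security answer as a second password, Chronic's point that the reset link arrives by email, Joannah's suggestion of emailing a random reset, and Katta's and Zuleica's worries about answers and personal data sitting unencrypted. The following Python example, added here and not Linden Lab's code, puts those pieces together: password and security answer are stored only as salted PBKDF2 hashes, a forced invalidation kills every old password, and recovery needs both a single-use, expiring emailed token and the answer. The class and function names, the 15-minute expiry and the trimming/lowercasing of the answer are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune per deployment

def hash_secret(secret, salt=None):
    # Salted PBKDF2-HMAC-SHA256 for password and security answer alike: a dumped table gives up neither.
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def check_secret(secret, salt, digest):
    # Constant-time comparison against a stored (salt, digest) pair.
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)

class AccountStore:
    RESET_TTL = 15 * 60  # emailed reset links expire after 15 minutes (assumed)

    def __init__(self):
        self.accounts = {}      # user -> {"pw": (salt, digest) or None, "answer": (salt, digest)}
        self.reset_tokens = {}  # sha256(token) -> (user, expiry); the raw token is never stored

    def register(self, user, password, answer):
        # The answer is stored like a second password, trimmed and lowercased so a slip in typing still matches.
        self.accounts[user] = {"pw": hash_secret(password),
                               "answer": hash_secret(answer.strip().lower())}

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None or acct["pw"] is None:  # unknown user, or password invalidated
            return False
        return check_secret(password, *acct["pw"])

    def invalidate_all_passwords(self):
        # Forced reset after a suspected database compromise: no old password works again.
        for acct in self.accounts.values():
            acct["pw"] = None

    def request_reset(self, user, now):
        # Issue the single-use token carried by the emailed link; 'now' is a Unix timestamp (e.g. time.time()).
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).digest()] = (user, now + self.RESET_TTL)
        return token

    def complete_reset(self, token, answer, new_password, now):
        # Token and answer must both check out; the token is consumed on any attempt (no retrying a wrong answer).
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False
        user, expiry = entry
        if now > expiry or not check_secret(answer.strip().lower(), *self.accounts[user]["answer"]):
            return False
        self.accounts[user]["pw"] = hash_secret(new_password)
        return True
```

Because only the hash of each token is kept, a copy of the reset table is as useless to a thief as the hashed password column; the attacker still needs the mailbox that received the link and the answer.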