Security consciousness (may offend some)
|
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
|
09-08-2006 13:00
From: Cinos Field Yeah, I know, because it was MY database that was stolen and *I* decided to kill the support. Let's look at the ROOT of the problem. ...yeah but what is the blame game solving right now? This blame game happens a lot in chaotic events and all it really does is give off more negative energy and it's counter-productive. Sure I'd feel better knowing I can access my account, but it is partially my fault for being so paranoid over security questions even though I have good reasons not to trust them. In this situation, I think bad decisions and choices were made on both parts. Linden Labs could have chosen other verification methods but chose the security question route. I as a customer (or future customer) have made a bad decision on the fly with my trust issues resulting in choosing a gibberish answer for a security question. Everyone in here doing the whole, it's all your fault, ...NO it's all your fault...what is it accomplishing? It's so weird. In game, there are so many people that are nice but then you go to the forums and everyone is an asshole.
|
Kalia Meiklejohn
You make me itch
Join date: 20 Jun 2006
Posts: 258
|
09-08-2006 13:01
I understand the need to reset passwords, but there should be an alternative method to deal with such a major exploit. I'm also concerned about the security features in place to protect our private information. If someone can get access to passwords, what will be next? Something has to be done, and soon!
|
Cinos Field
Registered User
Join date: 21 Jul 2006
Posts: 91
|
09-08-2006 13:01
From: Katta Sparrow Everyone in here doing the whole, it's all your fault, ...NO it's all your fault...what is it accomplishing? Nothing. But unlike LL, we CAN'T DO ANYTHING. :/
|
Albion DeVaux
DeVoid of DeVotion
Join date: 8 Aug 2006
Posts: 173
|
09-08-2006 13:01
Great post Finning. Glad you managed to put it on before the curtain goes down on the rest of the drivel that passes for discussion on here. To be accused of 'ass-kissing' because you're not doing the customary knee-jerk LL slagging says much. It's the school-kid mentality that seems to dominate forums like this.
|
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
|
09-08-2006 13:03
From: Katta Sparrow ...yeah but what is the blame game solving right now? This blame game happens a lot in chaotic events and all it really does is give off more negative energy and it's counter-productive. Sure I'd feel better knowing I can access my account, but it is partially my fault for being so paranoid over security questions even though I have good reasons not to trust them. In this situation, I think bad decisions and choices were made on both parts. Linden Labs could have chosen other verification methods but chose the security question route. I as a customer (or future customer) have made a bad decision on the fly with my trust issues resulting in choosing a gibberish answer for a security question. Everyone in here doing the whole, it's all your fault, ...NO it's all your fault...what is it accomplishing? It's so weird. In game, there are so many people that are nice but then you go to the forums and everyone is an asshole. Maybe we'd be more inclined to cut LL some slack if they hadn't more or less changed their company motto to "Talk to the Hand" a little while ago. And if this weren't, you know, part of a pattern and growing history. Bear in mind that I used to defend LL myself. There are limits.
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
|
Zuleica Sartre
Registered User
Join date: 27 Sep 2005
Posts: 105
|
09-08-2006 13:04
I'd also like to know exactly what "compromised" means.
Did the hackers only get access?
Did they manage to transfer personal information?
How much personal information did they transfer?
Have they been identified?
Is LL pursuing legal channels so that law enforcement can raid these jerks' homes, confiscate their computers and destroy the compromised information?
Now that OUR information has been potentially distributed outside LL they owe us the information on exactly how exposed we were.
|
Chronic Skronski
SL Live Musician
Join date: 23 Jun 2006
Posts: 997
|
09-08-2006 13:04
From: Alex Fitzsimmons But the point is that security questions provide an extra avenue to exploit, and to exploit relatively easily at that. What's mine?
_____________________
A man without religion is like a fish without a bicycle.
|
Io Zeno
Registered User
Join date: 1 Jun 2006
Posts: 940
|
09-08-2006 13:06
From: Albion DeVaux Great post Finning. Glad you managed to put it on before the curtain goes down on the rest of the drivel that passes for discussion on here. To be accused of 'ass-kissing' because you're not doing the customary knee-jerk LL slagging says much. It's the school-kid mentality that seems to dominate forums like this. Yes, it's "knee-jerk LL slagging" when LL allows its db to be hacked, its customers' personal information to be accessed and locks everyone out who can't remember the magic word because they need their weekends off and won't use the valid email account on file to change it and people actually.... complain. Please.
|
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
|
09-08-2006 13:07
From: Chronic Skronski What's mine? What a silly thing to say. Because I, personally, don't have your security question, a dedicated hacker therefore could not get it more easily than your password, assuming you answered the question honestly? To use Groucho's line, you fail at logic. Utterly.
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
|
Lorelei Patel
was here
Join date: 22 Feb 2004
Posts: 1,940
|
09-08-2006 13:15
From: Alex Fitzsimmons oh yes, let me put in my mother's maiden name because surely nobody can find that information with ease. Who said you had to give the correct answer to the security question? It only has to be something you can remember.
_____________________
============ Broadly offensive.
|
Zuleica Sartre
Registered User
Join date: 27 Sep 2005
Posts: 105
|
09-08-2006 13:15
From: Io Zeno Yes, it's "knee-jerk LL slagging" when LL allows its db to be hacked, its customers' personal information to be accessed and locks everyone out who can't remember the magic word because they need their weekends off and won't use the valid email account on file to change it and people actually.... complain.
Please. Yes, on THOSE points the complaining is pointlessly silly. However you are ignoring the valid points of complaint entirely from what I can see... 1. Why did it take them two days to invalidate passwords? 2. Why was personal contact information not encrypted as the CC info is? 3. How much was "compromised", i.e. actually downloaded by the hackers? 4. What is being done to find and destroy any stolen information?
|
Io Zeno
Registered User
Join date: 1 Jun 2006
Posts: 940
|
09-08-2006 13:21
From: Zuleica Sartre Yes, on THOSE points the complaining is pointlessly silly. However you are ignoring the valid points of complaint entirely from what I can see... 1. Why did it take them two days to invalidate passwords? 2. Why was personal contact information not encrypted as the CC info is? 3. How much was "compromised", i.e. actually downloaded by the hackers? 4. What is being done to find and destroy any stolen information? If I'm not mistaken, you have completely missed the point of my post, lol. ah, fuck it, I've ranted enough on this. I thought I would actually get work done today with the forums closing.
|
Joannah Cramer
Registered User
Join date: 12 Apr 2006
Posts: 1,539
|
09-08-2006 13:23
From: Lorelei Patel Who said you had to give the correct answer to the security question? It only has to be something you can remember. What's the point of making it a specific question like that, if the security hinges on the answer having nothing to do with the truth? It would make more sense to make it a box with a "put a completely random 'break the glass' sort of password here" label, instead. Seriously, it's quite a flawed concept that really doesn't have to be defended...
|
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
|
09-08-2006 13:24
From: Lorelei Patel Who said you had to give the correct answer to the security question? It only has to be something you can remember. There's the rub, don't you think? Anything you can remember easily after entering it only once and then (probably) never using it again is probably also a lot less secure than your actual password. Anything that's actually garbled or obscure enough to be truly secure -- like a password should be -- is also something you're probably going to forget if you don't use it frequently, like say if it's a security question answer. D'oh.
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
|
shockedfrog Shriner
Registered User
Join date: 21 Oct 2005
Posts: 7
|
09-08-2006 13:30
The security question itself is not a bad idea - e-mail addresses can be stolen in different ways. One example which doesn't even require any personal information is simply that your e-mail address is out of date - perhaps the domain name your e-mail is associated with is no longer yours, or some e-mail services will delete your account if you don't sign in regularly enough, enabling other people to take what used to be your e-mail address. The security question means that losing your e-mail doesn't mean you lose absolutely everything related to that e-mail address.
However, there are problems. Can someone tell me if the signup offered different security questions? For me, it's 'the street I grew up on' - a rather daft question for at least 2 reasons.
1 - I didn't grow up on a street 2 - I still live in the same place. Since I'm sure there are others who have lived in the same place all their life, this is not a good security question.
For these reasons, the answer I gave was probably nonsense or gibberish.
I figure there's going to be a lot of similar e-mails asking for alternative ways to set new passwords before they get round to mine, so all we can do is wait.
|
Lorelei Patel
was here
Join date: 22 Feb 2004
Posts: 1,940
|
09-08-2006 13:32
From: Alex Fitzsimmons There's the rub, don't you think? Anything you can remember easily after entering it only once and then (probably) never using it again is probably also a lot less secure than your actual password. Anything that's actually garbled or obscure enough to be truly secure -- like a password should be -- is also something you're probably going to forget if you don't use it frequently, like say if it's a security question answer. D'oh. I don't think so. If they ask for your mother's maiden name and you answer with your favorite food, the street address of your childhood home and random punctuation, I doubt anyone would figure it out. At least, I've never heard of a family reunion for the chickentikka503! clan, have you?
_____________________
============ Broadly offensive.
|
Travis Lambert
White dog, red collar
Join date: 3 Jun 2004
Posts: 2,819
|
09-08-2006 13:33
Ordinarily, I'd consider myself a borderline "Linden Cheerleader" - I strongly believe in what they're trying to accomplish, and see them as human beings, not simply a corporation. Even some of their more controversial decisions, I tend to support. I also remembered my Security Question/Answer combo, and had access to my email. So getting back in for me was no big trouble. That said, there's a lot that doesn't seem to be right about what's going on here. Now is probably not the best time to be asking Linden these questions, as they're deep into the firefight atm. But I'll post them here for discussion value: 1. Does Linden keep high-level Disaster Recovery plans for situations like this one? There should be a backup plan in place, documented internally, describing exactly what will happen if the colo gets wiped out by an earthquake, Phillip gets herpes, or internal databases are compromised by a hacker.
So this was just passwords. What if it were credit card numbers? Is there a plan in place for that? Even if there's not much you can do, there should be a support & PR plan.
2. Why is telephone support so scantily covered? And it's not just for this event - it's like this in general. I'd think even utilizing a call center in Bangalore to take on the first level calls, and have 2nd level calls handled by more adept people in San Francisco would go a LONG way.
3. How does Linden 'Define' who the human being behind an avatar is? Is the security question that unique identifier? Is it the Credit Card number? What? I hope its not one thing, but a data composite.
4. Who is the Support manager at LL? I don't mean who is the community relations-volunteers-q&a-development-support manager. I mean who is the support manager? There should be one, and that should be their baby. If there already is a person like this, great. But obviously they're not that visible since I'm asking the question. I understand that now is probably a horrible time to be answering the phones, or being tasked with support in general at LL. I just think many of these support challenges could have been reduced in scope had greater attention been paid to it before. Hopefully, there's a silver lining in all of this - Linden will have learned a valuable lesson going forward. ( Hopefully.)
_____________________
------------------ The Shelter: The Shelter is a non-profit recreation center for new residents, and supporters of new residents. Our goal is to provide a positive & supportive social environment for those looking for one in our overwhelming world.
|
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
|
09-08-2006 13:35
From: Lorelei Patel I don't think so. If they ask for your mother's maiden name and you answer with your favorite food, the street address of your childhood home and random punctuation, I doubt anyone would figure it out.
At least, I've never heard of a family reunion for the chickentikka503! clan, have you? Are you doing this to rub it in his or her face that they did not use your method for a security question or are you trying to truly be helpful?
|
Lorelei Patel
was here
Join date: 22 Feb 2004
Posts: 1,940
|
09-08-2006 13:37
From: Katta Sparrow Are you doing this to rub it in his or her face that they did not use your method for a security question or are you trying to truly be helpful? Trying to be helpful, thanks for asking!
_____________________
============ Broadly offensive.
|
Kalia Meiklejohn
You make me itch
Join date: 20 Jun 2006
Posts: 258
|
09-08-2006 13:40
I myself had no problem getting in again, but that shouldn't be the foremost problem on people's minds, it should be the fact that someone(s) were able to access this information. Security questions aren't going to be very helpful if you have to cancel your credit card because some of those were accessed. I want to know what's going to happen now, will some new form of security be put in place? Will SL residents demand something better?
|
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
|
09-08-2006 13:40
From: Lorelei Patel I don't think so. If they ask for your mother's maiden name and you answer with your favorite food, the street address of your childhood home and random punctuation, I doubt anyone would figure it out. At least, I've never heard of a family reunion for the chickentikka503! clan, have you? ... and like I already said, the problem is that the security question is very much "fire and forget." You enter it once, and then ... as time passes, you forget it (if it was cleverly garbled, as you suggested). Passwords can be garbled in that way safely because you actually, you know, use them. Regularly. Security questions are supposed to be for nitwits who can't remember their passwords. I don't want, and never wanted, a security question. My password is my security question. I resent having anything else, and I really always have.
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
|
Io Zeno
Registered User
Join date: 1 Jun 2006
Posts: 940
|
09-08-2006 13:42
From: Lorelei Patel I don't think so. If they ask for your mother's maiden name and you answer with your favorite food, the street address of your childhood home and random punctuation, I doubt anyone would figure it out. At least, I've never heard of a family reunion for the chickentikka503! clan, have you? What you are describing is a password, not a security question. What is the point of a security question that has meaningless gibberish as an answer?
|
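Lorelei Patel's "chickentikka503!" suggestion and Io Zeno's reply that such an answer is really a second password are both easier to see in code. The following is an added example written for this page; it is not code from the thread or from Linden Lab. It assumes scrypt from Python's standard hashlib as the hash, case and whitespace normalization before hashing, and an in-memory record in place of a real account table; the "Maple Street" answer and the cost parameters are constructed for the demo.

```python
# Added example (not from the thread or Linden Lab): a security answer handled
# as a second password. Assumptions: scrypt (stdlib hashlib) as the hash,
# case/whitespace normalization before hashing, and an in-memory record.
import hashlib
import hmac
import secrets
import unicodedata

# Assumption: cost parameters chosen so the example runs quickly; raise n in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize(answer: str) -> str:
    """Fold case and trim so ' Maple St. ' and 'maple st.' match; punctuation is kept."""
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def random_answer(nbytes: int = 16) -> str:
    """A 'break the glass' answer: random, not derived from anything a stranger could look up."""
    return secrets.token_urlsafe(nbytes)


def _derive(answer: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash of the normalized answer."""
    return hashlib.scrypt(normalize(answer).encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def enroll_answer(answer: str) -> dict:
    """Store salt + hash only; a stolen table then yields no usable answers."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _derive(answer, salt)}


def verify_answer(answer: str, record: dict) -> bool:
    """Constant-time comparison of the derived hash against the stored one."""
    return hmac.compare_digest(_derive(answer, record["salt"]), record["hash"])


def demo() -> dict:
    """Enroll a 'true' answer and a random one, then check a few attempts."""
    true_rec = enroll_answer("Maple Street")       # constructed sample answer
    rand_ans = random_answer()
    rand_rec = enroll_answer(rand_ans)
    return {
        "true_exact": verify_answer("Maple Street", true_rec),
        "true_sloppy": verify_answer("  maple street ", true_rec),
        "true_wrong": verify_answer("Oak Street", true_rec),
        "random_ok": verify_answer(rand_ans, rand_rec),
        "random_guess": verify_answer("Maple Street", rand_rec),
    }


if __name__ == "__main__":
    print(demo())
```

Whether the answer is "Maple Street" or a random string, the code path is identical: the answer is a credential and is stored hashed like one. The only thing a random answer changes is the guess space, which is the point both posters are circling; it also means, as Alex Fitzsimmons notes, that it has to be written down or kept in a password manager, because nothing about it is memorable.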
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
|
09-08-2006 13:42
From: Lorelei Patel Trying to be helpful, thanks for asking! Is it helpful as of right now when Alex cannot change their security answer? If you were saying something like, "In the future just do what I do and then input your advice", that would come across as more helpful.
|
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
|
09-08-2006 13:45
From: Finning Widget Why? Why must I - in the death hours of the forums - listen to people whine about how they blame Linden Labs for TREATING THEM LIKE ADULTS? Why must I listen to people whine about how they FAILED TO ACT RESPONSIBLY but BLAME LINDEN LABS? dunno Who is holding you captive and where are they now? I'll gather up a posse and try to get you out of there, k?
_____________________
hush 
|
Katta Sparrow
Registered User
Join date: 14 Aug 2006
Posts: 39
|
09-08-2006 13:48
From: Alex Fitzsimmons ... and like I already said, the problem is that the security question is very much "fire and forget." You enter it once, and then ... as time passes, you forget it (if it was cleverly garbled, as you suggested). Passwords can be garbled in that way safely because you actually, you know, use them. Regularly. Security questions are supposed to be for nitwits who can't remember their passwords. I don't want, and never wanted, a security question. My password is my security question. I resent having anything else, and I really always have. I share your sentiments especially when it comes to security questions with emails. I never forget my password so I never really have use for a predefined "Where were you born" kind of security question. In situations like this where there is a password change, USUALLY, all they ask for is your email to email a link so that you can reset a password.
|
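Katta Sparrow's last post describes the usual alternative to a security question: a reset link mailed to the address on file. The following is an added example written for this page, not code from the thread or from Linden Lab. It assumes an in-memory table standing in for a database, a 15-minute token lifetime, a hypothetical reset URL, and that mail delivery is out of scope; the account names in the usage are constructed.

```python
# Added example (not from the thread or Linden Lab): the email reset link that
# Katta Sparrow's post describes as the usual alternative. Assumptions: an
# in-memory token table standing in for a database, a 15-minute lifetime, a
# hypothetical reset URL, and that sending the mail is out of scope.
import hashlib
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: short-lived link

# token_hash -> {"account": str, "expires": float}. Only the hash is kept, so a
# leaked copy of this table (the scenario in this thread) cannot redeem a link.
_tokens: Dict[str, dict] = {}


def _token_hash(token: str) -> str:
    """Tokens are high-entropy, so a plain SHA-256 lookup key is enough here."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(account: str, now: Optional[float] = None) -> str:
    """Mint an unguessable token for one account and invalidate any earlier one."""
    now = time.time() if now is None else now
    for stale in [h for h, v in _tokens.items() if v["account"] == account]:
        del _tokens[stale]
    token = secrets.token_urlsafe(32)
    _tokens[_token_hash(token)] = {"account": account,
                                   "expires": now + TOKEN_TTL_SECONDS}
    return token


def reset_link(token: str, base: str = "https://example.invalid/reset") -> str:
    """Build the link that would be mailed to the address on file (hypothetical URL)."""
    return f"{base}?token={token}"


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the account if the token is live, burning it either way; else None."""
    now = time.time() if now is None else now
    entry = _tokens.pop(_token_hash(token), None)  # single use, even on failure
    if entry is None or now > entry["expires"]:
        return None
    return entry["account"]


if __name__ == "__main__":
    t = issue_reset_token("resident@example.invalid")   # constructed account
    print(reset_link(t))
    print(redeem_reset_token(t))   # the account, once
    print(redeem_reset_token(t))   # None: already used
```

Three properties do the work: the token is random rather than derived from anything on file, it expires quickly, and only its hash sits in the store, so the same database theft that started this thread would not hand an attacker a usable reset link. The remaining dependency is the mailbox itself, which is the weakness shockedfrog Shriner raised earlier about expired domains and recycled addresses.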