Welcome to the Second Life Forums Archive


Security consciousness (may offend some)

Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
09-08-2006 14:50
From: Sean Clancy
My attitude isn't selfish at all. I'm merely looking at the situation rationally, as it exists.

Let's discuss this honestly, Alex, without your attempting to project nonexistent attitudes upon me. I'm very sorry for the people who can't get into their accounts at the moment, but is it LL's fault that those people don't remember the answer to the security question?

They have indicated that those people can get help starting on Monday, or perhaps even earlier. LL is undoubtedly swamped with complaints from people who have forgotten the answer to their security question, and I think it's safe to assume that they'll deal with it as they are able, given finite resources and personpower. I don't believe I've heard any mention of these currently locked-out folks suddenly becoming permanent unpersons.

I really wish that people would get a grip. The computer and IT world is fraught with peril, and shit happens on a daily basis. The best thing to do is to take a deep breath, approach the reality of the situation calmly and do what needs to be done. End users would do well to adopt a similar approach.


Yes, in fact it is LL's fault because that is an unnecessary and even counterproductive layer of "security." I have never, ever seen this kind of thing happen in this way before, ever. With any MMO ... and I have a long MMO history.

Wonder what'll happen to those people who had credit cards on file but then got rid of them after some time and replaced them but, since they weren't premium at the moment, didn't update them? People who've moved and don't have their old information memorized? And so on?

Well, who knows? LL won't be taking calls 'till Monday. It's the weekend and TIME TO PARTY BABY, WOO!

That's customer service. Oh yeah. :rolleyes:
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
09-08-2006 14:50
From: Jenny Carlos
But be sure to direct people here if they are whining.

Damn right I'm whining.

I used my personal info and trusted Linden Labs to secure it. They failed to do this. <snip>


What part of "It's never a question of IF, but WHEN ..." did you have a problem reading?
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
09-08-2006 14:57
Alex isn't accusing me of ass-kissing (okay, maybe she is, but) - We've talked in the past. She's not attacking me. She's taking issue with the stance I've taken. She has a good point, aside from some misconceptions - It's very much LL's job to secure, and to take appropriate action when they discover a security breach.

My point is this: They secured. They discovered a security breach. They took appropriate action. If you think TWO DAYS is a long time to wait before having people's passwords invalidated and informing them, then you've never considered entrapping a cracker/hacker in a three-month long trackdown before. You've never had to sweat out a 36-hour-long "shift" of watching your systems for signs of the crackers. They wanted to perform due diligence and ensure they had everything they might be able to get about the crackers in order to turn over to law enforcement - that takes time. They wanted to assess the scope of the situation - that takes time. Figuring out how to close the hole - takes time. One does not publicly announce a security issue until one has a patch in place - lest others flock to the security issue.

In short: I've been where they are. What they did is really rather good. Leaving for the weekend with a lot of people locked out of SL? hmmmmmm Not so good. But- had those people been responsible and used useful email accounts and kept track of their security questions ....
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
09-08-2006 14:59
From: Jake Reitveld
Finning,
I am sorry for that. It's just that the forums are closing and I have never flamed anyone. You are the only person I have really flamed. It is all in fun since this place will be shut down soon.


You flamed me?

*looks at /dev/null*

Hmm, can't really tell one way or the other...
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
09-08-2006 15:02
From: Finning Widget
Alex isn't accusing me of ass-kissing (okay, maybe she is, but) - We've talked in the past. She's not attacking me. She's taking issue with the stance I've taken. She has a good point, aside from some misconceptions - It's very much LL's job to secure, and to take appropriate action when they discover a security breach.

My point is this: They secured. They discovered a security breach. They took appropriate action. If you think TWO DAYS is a long time to wait before having people's passwords invalidated and informing them, then you've never considered entrapping a cracker/hacker in a three-month long trackdown before. You've never had to sweat out a 36-hour-long "shift" of watching your systems for signs of the crackers. They wanted to perform due diligence and ensure they had everything they might be able to get about the crackers in order to turn over to law enforcement - that takes time. They wanted to assess the scope of the situation - that takes time. Figuring out how to close the hole - takes time. One does not publicly announce a security issue until one has a patch in place - lest others flock to the security issue.

In short: I've been where they are. What they did is really rather good. Leaving for the weekend with a lot of people locked out of SL? hmmmmmm Not so good. But- had those people been responsible and used useful email accounts and kept track of their security questions ....


I still think security questions are a fundamentally poor choice of things to require people to remember. Obviously, I'm far from the only person who thinks this, so my position is pretty much self-supporting since using a form of security that will only frustrate customers and possibly drive them away without actually improving security at all is obviously foolish beyond belief.

At least we can agree that it's very unprofessional that they're just taking off for the weekend.

Interesting about the needing two days to handle it thing. I haven't been in that position, so I didn't know that was normal.
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
09-08-2006 15:03
From: Io Zeno
We already have a password.

That is what most of us remember, memorize, even change on occasion for security.

So, you are saying the "security question" is a second password, not a question you are supposed to remember the answer to if you... forget your password.

I don't think the majority of people view their "security question" as another garbled alphanumeric code to memorize. We already have that, it's called our password. This is what you are supposed to use if you lose or forget that, something easy to remember because it is a question, unlike a real password. For that very reason people don't like it because it is something others can figure out if they know you. Especially if they, oh, already have access to your real name and address, as this hacker did.


Yes, your security question is a second password. Any short string or phrase that lets you reset your everyday password = second, backdoor password.

*thumbs up*
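An added illustration of the point made in this post (editor's example, not code from the post or from Linden Lab): if the security answer is a second, backdoor password, then it deserves the same handling as the first one. The parameters, the attempt limit and the `ResetGate` class are assumptions made for the illustration; the answer is normalised so that trivial capitalisation and spacing differences do not lock a legitimate user out, then stored as a salted slow hash, compared in constant time and rate-limited, exactly as a password would be.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata
from typing import Optional, Tuple

# Assumed parameters for this illustration (not Linden Lab's); tune the
# iteration count for your own hardware.
PBKDF2_ITERATIONS = 200_000
MAX_RESET_ATTEMPTS = 5


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer ("Mr. Fluffy " vs "mr. fluffy") so the
    legitimate user is not locked out by trivia, while still hashing it like a password."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store the answer exactly as a password would be stored: salted, slow hash,
    never the plaintext. Returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


class ResetGate:
    """Treats the security answer as a second credential with the same protections
    as the first: hashed at rest, constant-time compare, attempt limit, lockout."""

    def __init__(self, answer: str) -> None:
        self.salt, self.digest = hash_answer(answer)
        self.failed_attempts = 0
        self.locked = False

    def try_reset(self, supplied: str) -> Optional[str]:
        """Return a fresh one-time reset token only if the answer matches. Otherwise
        count the failure and, past the limit, close the reset path so the backdoor
        password cannot simply be guessed by someone who knows the user."""
        if self.locked:
            return None
        _, candidate = hash_answer(supplied, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failed_attempts = 0
            return secrets.token_urlsafe(32)
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_RESET_ATTEMPTS:
            self.locked = True
        return None
```

The token returned by `try_reset` is what the reset flow should hand out (and expire quickly), never the new password itself; a correct answer after lockout still returns nothing until a human unlocks the account.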
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
09-08-2006 15:04
From: Alex Fitzsimmons
I still think security questions are a fundamentally poor choice of things to require people to remember. Obviously, I'm far from the only person who thinks this, so my position is pretty much self-supporting since using a form of security that will only frustrate customers and possibly drive them away without actually improving security at all is obviously foolish beyond belief.

At least we can agree that it's very unprofessional that they're just taking off for the weekend.


The alternative is having them hand out other, non-arbitrary sensitive information.


LAST POST! BYEBYE ALL!
Belaya Statosky
Information Retrieval
Join date: 3 Jun 2004
Posts: 552
09-08-2006 15:08
From: Finning Widget
What part of "It's not a question of IF but WHEN..." did you have a problem with?


Hi, you must be new here. Both SQL injections and XSS attacks have been done here before. The track record is not so hot going beyond that, too. Just because you feel someone is 'whining' doesn't mean there hasn't been history to justify being upset. You're essentially meta-whining and looking like a noob who wants to flex their 'experience' for 'oohs' and 'ahhs' at the expense of the average person who is upset. Instead you just look like a total ass.
Musicteacher Rampal
Registered User
Join date: 20 Feb 2004
Posts: 824
09-08-2006 15:20
I agree they did the right thing regarding our accounts. The WRONG thing they did is not provide phone support for this problem until next Monday! Work some stinkin' overtime and get people back in world LL!!!
Lord Sullivan
DTC at all times :)
Join date: 15 Dec 2005
Posts: 2,870
09-09-2006 06:42
From: Chronic Skronski
Oh, save it. Alex brought up the subject of the security question being easily compromised, I was just saying it is not. I am not kissing their ass, but if you cop this attitude on me for little reason, you can kiss mine.


I use a totally different answer to my security question and I have never had an account anywhere compromised since 1989 when I joined the net, and that also includes my CC details etc. Maybe I've been lucky, but then again it may be due to the fact I use a different password for every one of my accounts and I try to be as careful as possible online :)

LL should, with hindsight, have handled this a bit better, but then hindsight is always good after an event ;)
_____________________
Independent Shopping for Second Life residents from established and new merchants.

http://slapt.me



slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26
Whimsycallie Pegler
Registered User
Join date: 28 Apr 2006
Posts: 1,003
09-09-2006 07:02
From: Lord Sullivan
I use a totally different answer to my security question and I have never had an account anywhere compromised since 1989 when I joined the net, and that also includes my CC details etc. Maybe I've been lucky, but then again it may be due to the fact I use a different password for every one of my accounts and I try to be as careful as possible online :)

LL should, with hindsight, have handled this a bit better, but then hindsight is always good after an event ;)


Maybe you have been lucky, or maybe other companies are not so forthcoming when they have security issues. The truth is you don't know how many accounts have been compromised. Often companies deal with it internally and don't feel the need to let you know.
Lord Sullivan
DTC at all times :)
Join date: 15 Dec 2005
Posts: 2,870
09-09-2006 08:30
From: Whimsycallie Pegler
Maybe you have been lucky, or maybe other companies are not so forthcoming when they have security issues. The truth is you don't know how many accounts have been compromised. Often companies deal with it internally and don't feel the need to let you know.


I realise these sorta breaches happen with banks and many other servers worldwide on a daily basis and it is kept internal, my employers often keep things of this magnitude internal ;)

Also my CC company gives me and all the other customers a guarantee, that if our card number is compromised online through no fault of our own as per this example, then they will refund any moneys taken from our accounts and i am sure many other CC companies do the same.

What I can't understand though is how many people use the same password for EVERYTHING: email, SLX, SLboutique, etc. That is just bad and they are asking for trouble, and we can't moan at LL for our own negligence in not using secure and different passwords for everything we log on to.

A zero-day exploit is by definition hard to protect against at the best of times. As I said earlier, hindsight is a wonderful thing, but the most important thing that must come from all this mess is that LL will have learnt and put procedures in place for the future, and I am sure they will do this, as it will be business suicide not to do so.

I certainly won't worry about this incident unless LL do not learn from it, and if through this mess my CC details have been hacked and someone does use my CC illegally, then I will donate L$10,000 to you to do what you want with :) I'm that sure my L$10,000 are that safe ;)
_____________________
Independent Shopping for Second Life residents from established and new merchants.

http://slapt.me



slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26
Rose Karuna
Lizard Doctor
Join date: 5 Jun 2004
Posts: 3,772
09-09-2006 08:32
From: Jake Reitveld
Well I am not inconvenienced at all by this, I recall my security password. No system is foolproof, so don't keep anything you can't lose on the computer and, guess what, you are safe from hackers. Or, when you open a virtual world and have a major crisis like this, make the employees come in on the weekend, put everyone on a phone, or a cell phone, and help your customers out. They have known about this intrusion a couple of days. This could have been handled better.
So take your condescending, high-minded, tekki-wikki ass and F off. Thank you.


Absolutely, this is indicative of LL not having any sort of customer service policy. If they had a customer service manager, that person would have been herding linden cats up Friday night and had them working 24 X 7 on this issue helping people re-establish their account passwords through the weekend.

The fact that they did not speaks volumes about their opinion of their customers.

Believe it or not Hand Holding is important to people when they have a glitch, particularly a security glitch. When you lose one customer because of this, keep in mind that you don't just lose one - chances are, you will lose two or three by word of mouth.

Be honest, keep people informed and hold their hand while getting them logged into the new security.
_____________________
I Do Whatever My Rice Krispies Tell Me To :D
Cocoanut Koala
Coco's Cottages
Join date: 7 Feb 2005
Posts: 7,903
09-09-2006 08:43
I heard last night at a meeting that they might be working on a coding solution.

In hindsight, I would say had they said THAT, then people would have been a lot less panicky and furious.

It didn't even occur to me that they might be working on a coding solution. (Though I was certain, finally, they would be working on something, and not just going home.)

Busy or not, it would have gone a long way to say that much.

I would add, finally, that things are too spread out, and not even the Lindens know how to handle the new blogs and forums, largely because they are trying to micromanage everything, and US.

This business of burying some answers in forum threads, putting other answers in the Second Life Answers (non-answers), and yet something else on the blog (with no comments allowed), is a good recipe for immense confusion.

I would make all the above suggestions on the blog or somewhere, but (a) probably the Lindens have figured that out already (or should have), (b) not sure if it allows comments, and (c) don't like chasing Lindens around the web just to say something only to get (d) erased and treated like a criminal for making a post.

coco
_____________________
VALENTINE BOUTIQUE
at Coco's Cottages

http://slurl.com/secondlife/Rosieri/85/166/87
Sitting Lightcloud
Registered User
Join date: 13 May 2004
Posts: 109
09-09-2006 08:53
From: Lord Sullivan
I realise these sorta breaches happen with banks and many other servers worldwide on a daily basis and it is kept internal, my employers often keep things of this magnitude internal ;)

Also my CC company gives me and all the other customers a guarantee, that if our card number is compromised online through no fault of our own as per this example, then they will refund any moneys taken from our accounts and i am sure many other CC companies do the same.

What I can't understand though is how many people use the same password for EVERYTHING: email, SLX, SLboutique, etc. That is just bad and they are asking for trouble, and we can't moan at LL for our own negligence in not using secure and different passwords for everything we log on to.

A zero-day exploit is by definition hard to protect against at the best of times. As I said earlier, hindsight is a wonderful thing, but the most important thing that must come from all this mess is that LL will have learnt and put procedures in place for the future, and I am sure they will do this, as it will be business suicide not to do so.

I certainly won't worry about this incident unless LL do not learn from it, and if through this mess my CC details have been hacked and someone does use my CC illegally, then I will donate L$10,000 to you to do what you want with :) I'm that sure my L$10,000 are that safe ;)


Good to hear, I feel the same way :-)

(Thought I was alone) :o
_____________________

Lord Sullivan
DTC at all times :)
Join date: 15 Dec 2005
Posts: 2,870
09-09-2006 08:54
From: Sitting Lightcloud
Good to hear, I feel the same way :-)

(Thought I was alone) :o


Yay another sensible thinker ;) I am not alone either now :)
_____________________
Independent Shopping for Second Life residents from established and new merchants.

http://slapt.me



slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
09-11-2006 06:58
From: Belaya Statosky
Hi, you must be new here. Both SQL injections and XSS attacks have been done here before. The track record is not so hot going beyond that, too. Just because you feel someone is 'whining' doesn't mean there hasn't been history to justify being upset. You're essentially meta-whining and looking like a noob who wants to flex their 'experience' for 'oohs' and 'ahhs' at the expense of the average person who is upset. Instead you just look like a total ass.


I don't mind looking like a total 'ass'. I do mind people calling my security experience into question. Well, okay, just because it makes me giggle uncontrollably and then people I work with look at me funny.

Your "average person who is upset" is upset at Linden Labs for something they, themselves, did wrong - screw up their security question / backdoor password / use a throwaway account. These same people have - in the past - had a track record of calling up customer service and abusing those people whose ONLY JOB is to reset the passwords for THEIR OWN mistakes. I despise that behaviour.

Yeah, SQL injection attacks and any of a number of other issues are tried worldwide on a regular basis. I get to see them myself. I used to have to deal with them all the time. There /is/ no defense against a 0-day - that's why it's called "zero-day". There are only closing holes that you know about, and the fact that LL's systems handled a lot of other attacks means they're doing it right - they probably sanitise their data really well, but still, it was THIRD PARTY software, not something they have control over nor can improve - only replace.

It happens. All the time.
Skye McArdle
Resident Dragon
Join date: 26 May 2006
Posts: 132
09-11-2006 08:29
From: Finning Widget
Your "average person who is upset" is upset at Linden Labs for something they, themselves, did wrong - screw up their security question / backdoor password / use a throwaway account. These same people have - in the past - had a track record of calling up customer service and abusing those people whose ONLY JOB is to reset the passwords for THEIR OWN mistakes. I despise that behaviour.


Wow, I think you've finally uncovered a key element here, for me anyway. I see a very divided community in this thread, and this post made a lightbulb go off in my head. Were (or are) you in tech support? I'm a tech support burnout myself, due exactly to the despised behaviour mentioned above. What I always saw mostly, was mistakes the customer made.. which they then deflected onto me... the nearest techie. Yeah, ok, my system sucks because YOU demanded admin access and then deleted your root partition.. whatever. Add to that the fact that you always get angriest at yourself for your own mistakes.. and you have where we are at now. All the self-anger (is there a word for that?) directed towards LL, and anybody else who can see the other side of the coin (ie: been there, done that, got the t-shirt).
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
09-11-2006 10:03
From: Finning Widget
Your "average person who is upset" is upset at Linden Labs for something they, themselves, did wrong - screw up their security question / backdoor password / use a throwaway account.


I don't know about average people, but I think the point is more:

- The problem is not that passwords were stolen, the problem is that other info was stolen at the same time as passwords. The hackers did not steal the passwords, then use them to log in and steal address and credit card information. They stole the address and card information at the same time, in the same query, they used to defend the passwords.

- Linden Labs did deal with it professionally, and the exploit in the software is not their fault, but it is their fault that the software they were using was connected to a database holding customer and payment info when it had no reason to be. AFAIK it was stolen from a service which didn't use this info, but just used SL login names for authentication. SL login names and passwords (and nothing else) could have been placed in a separate table with a foreign key into the RL customer information table which was held on a separate server, and I hope that this is what LL are going to implement now.

- This is affecting everyone in negative ways. After hearing about the attempted Paypal intrusions I personally have had to spend the equivalent of L$67500 on identity theft insurance and CIFAS protective registration, raise alarms at my bank, and lose an unknown amount from (even my, relatively small) SL business from customers who will now be unwilling to obtain and spend L$ because they are afraid to enter their card info. Other people I know have had to remove "ban no payment info" protection from adult areas because if there is another hack, they don't want to be responsible for having coerced people to put their details at risk.
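An added worked example of the separation argued for in the post above, and of the "sanitise their data" point Finning Widget made earlier in the thread (editor's example, not code from either poster or from Linden Lab). The schema, the sample account and the injection payload are constructed for the illustration. It runs the same injectable login query, the kind of flaw the thread attributes to the third-party software, against two layouts: one table that holds credentials next to billing data, and a split layout where the authentication service only ever holds a handle to the credentials database and the shared username is the key into a billing store kept elsewhere. The parameterised `safe_login` shows the query-level fix; the split shows why it should not be the only line of defence.

```python
import sqlite3

# Constructed sample data for this illustration; not a real account or card number.
SAMPLE_USER = ("finning", "pbkdf2$deadbeef", "Pat Example", "1 Sample Street", "4111111111111111")


def build_combined_db():
    """One table, one database: the login service can reach the billing columns."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE accounts (
        username TEXT PRIMARY KEY, password_hash TEXT,
        real_name TEXT, street_address TEXT, card_number TEXT)""")
    con.execute("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", SAMPLE_USER)
    return con


def build_split_dbs():
    """Credentials and billing in separate databases (in practice separate servers
    with separate service accounts). The auth service is only ever given `auth`;
    the username is the key that links a credential row to its billing record."""
    auth = sqlite3.connect(":memory:")
    auth.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, password_hash TEXT)")
    auth.execute("INSERT INTO accounts VALUES (?, ?)", SAMPLE_USER[:2])

    billing = sqlite3.connect(":memory:")
    billing.execute("""CREATE TABLE customers (
        username TEXT PRIMARY KEY, real_name TEXT, street_address TEXT, card_number TEXT)""")
    billing.execute("INSERT INTO customers VALUES (?, ?, ?, ?)",
                    (SAMPLE_USER[0],) + SAMPLE_USER[2:])
    return auth, billing


def vulnerable_login(con, username, password_hash):
    """Deliberately injectable: the query is built by string interpolation."""
    sql = ("SELECT username FROM accounts WHERE username = '%s' AND password_hash = '%s'"
           % (username, password_hash))
    return [row[0] for row in con.execute(sql)]


def safe_login(con, username, password_hash):
    """The parameterised form: the payload below is just a username that does not exist."""
    rows = con.execute(
        "SELECT username FROM accounts WHERE username = ? AND password_hash = ?",
        (username, password_hash))
    return [row[0] for row in rows]


# Attacker's payload: closes the quoted username, UNIONs the card column into the
# result set and comments out the password check.
INJECTION = "x' UNION SELECT card_number FROM accounts -- "


def leak(con, login_fn=vulnerable_login):
    """What the payload yields against a database: leaked rows, or the error it raised."""
    try:
        return login_fn(con, INJECTION, "irrelevant")
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc
```

Against `build_combined_db()` the payload returns the card number in the very same query that was meant to check a password; against the `auth` half of `build_split_dbs()` the same payload can only produce a "no such column" error, because the column is simply not there to be selected, and `safe_login` returns an empty result either way.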
Jopsy Pendragon
Perpetual Outsider
Join date: 15 Jan 2004
Posts: 1,906
09-11-2006 11:56
This IT burnout has seen the light.

I say we do away with the security question entirely, so that next time there's a compromise everyone will be completely screwed.

Oh, and make sure the next compromise is announced on a Monday so the phones will be sufficiently staffed with people to ask: "Can you prove you are who you say you are? No? Oh, sorry, too bad, just create a new account. Next!"

(snort)

No. I do not WANT LL sending me my new password in email, thankyouverymuch. If someone is going to try cracking my account I want them to WORK at it, not just have a password handed to them.

While I didn't rely on it, I AM glad to see that LL kept people on staff over the weekend updating the web site to allow more people to re-gain access to their account. It probably helped more people with less staff than just throwing people at the phones.

And, I also respect that they actually took a day or two to determine the extent of the damage before they blew the whistle. Can you imagine how helpful it would have been if they just said "We've been hacked. Dunno how, or who or how much, or where... the exploit still exists... we'll just take the grid down now and leave it down until we figure out what's going on. We'll let you know soon. Call us if you want but we don't have the phone lines to keep up, so you may be waiting for a day or two to get through."


Anyway. Crap happens.
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
09-11-2006 12:20
From: Skye McArdle
Wow, I think you've finally uncovered a key element here, for me anyway. I see a very divided community in this thread, and this post made a lightbulb go off in my head. Were (or are) you in tech support? I'm a tech support burnout myself, due exactly to the despised behaviour mentioned above. What I always saw mostly, was mistakes the customer made.. which they then deflected onto me... the nearest techie. Yeah, ok, my system sucks because YOU demanded admin access and then deleted your root partition.. whatever. Add to that the fact that you always get angriest at yourself for your own mistakes.. and you have where we are at now. All the self-anger (is there a word for that?) directed towards LL, and anybody else who can see the other side of the coin (ie: been there, done that, got the t-shirt).


Even before I spent a period of time talking to clueless and gratuitously abusive people on the phones, I had the brains and compassion to realise that the people on the other end of the phones are PEOPLE, and do not need to be treated poorly, and are there to help me.

I am an IT burnout - I got out specifically because everyone who managed/employed IT personnel sneered at us and treated us as commodities - forced to work long hours, nights, weekends - performing obnoxious repetitive tasks by hand for weeks that could be done by a competent programmer in thirty minutes, sneering at women, refusal to merely comply with the law, and being trained monkeys who were paid more than I yet I had to save their asses, along with union-busting and a constant environment of fear ... I hated most management I worked under, excepting one person.

I hate clueless, egocentric abusive idiots, whomsoever they are. I can smell egocentric, abusive cluelessness a mile away. I refuse to work for companies before finding and interviewing their 'grunt' clerks, who had better be happy.