Welcome to the Second Life Forums Archive

Second Life: Your home is under attack, guys. Support it instead of screaming...

Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 07:19
While I'm not a Linden, nor FIC, nor even important enough to register on most people's radar, I have noticed a disturbing trend:

Note the following:

Second Life databases get attacked and data is harvested from them using security exploits:

From: Linden
A: We discovered that a database was accessed by the intruder, and we are able to determine the aggregate size of the data that was downloaded through the intrusion. The database accessed includes customer account information, including Second Life account names, real-life name and contact information in unencrypted form. Account passwords and payment information (consisting of credit card numbers and Paypal transaction IDs) are stored in this same database in encrypted form. However, there is no way to identify which data were accessed at the level of individual users, only the aggregate size of the downloads returned from the intruding database queries. We are conducting further investigation to try to determine the class of data exposed.


People have noticed from around Sunday (possibly earlier) that accounts have been compromised:

From: Debbie Buchanan
I think it took them longer than two days. I reported that my SL account had been hacked on Sunday. Of course the only reporting that could be done was a message to Customer Support and Live Help as the individual was selling off my first land and deleting my inventory. I left numerous messages to Customer Support on Tuesday because it was impossible to talk to an actual person. After about 5 attempts I did speak with someone, but all communications with Customer Service left me feeling more and more like the perpetrator rather than the victim. I know of two other accts that were hacked. When all was said and done and my locked acct was returned to me, I had an account that had $40L in it, the hacker had sold my first land, transferred over $5000 Lindens to an account that I could see on my acct transaction log and they had deleted all my inventory and left me a prim "salt for your wounds". Linden's response? We're sorry. Oh, did I mention that since the account was locked Linden didn't even let me have the $500 weekly stipend for the premium account for that week.


They closed all of the logins to try and stop this, and immediately riots ensue. I really don't see how this could be avoided, once they figured out how bad it was. Generally, some people will not be able to get in for a few days to try and protect them from what could be a fiscal/inventory disaster.


Next, spam emails hitting in quick succession:

From: Steve Patel
D'oh!

I just received email from "Second Life" that was clearly spam.

The actual body was random junk referencing "Second Life" a few times, with an image attached that was just an ad targeting "Investors and Tradors!" for some financial company.

Seeing as they knew I was a Second Life user, I'd think this is related to the database break-in. If a spammer acquired a bunch of Second Life users' email addresses, well, that sucks.

Do you have any idea who it was, or any idea if this is related?


Guys, LL may have made some security mistakes, but we have to keep this in perspective:

Somebody HACKED our information from their servers, and the final blame lies at the feet of those bastards. We can scream at LL all we want, but the fact is, they did not hand the data out, they just did not secure it as heavily as would have been prudent.

Finally, it seems that email accounts using a similar password may be getting hacked:


From: Sensual Casanova
I just got this on both my emails that are SL related, BUT my son's and husband's email didn't get one... wtf is going on?


E-mail from 'Hotmail' asking him to ID himself. After doing so...

From: someone
Well this is great now I can't access my email.



Now, I'm not an alarmist, and all of this may be unrelated, but does this not seem like a heavy-handed attack of some kind? Please guys: Change your outside passwords and accounts if they have the same password as in SL. Email, Paypal, and get your credit/debit cards secured. I would rather seem alarmist than see anyone lose things important to them. Do it. Now!

But in all this, remember: LL did not commit the crime here. They did not SELL your information. They did not offer it up happily. They were HACKED.

We're all victims here. Let's just get the damage control done and stop pointing fingers.
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
09-09-2006 07:42
However lovely and utopian your view may be Foolish, I think this further exposes Linden Lab as having a complete lack of security expertise on hand. I'm afraid that fingers do have to be pointed, not just over this but over a whole wealth of security issues and exploits that have been happening in recent months. Particularly with this as it is on a scale much greater, with the ability to do much more damage, than anything that has gone before.

I have a decade of experience in securing web applications, primarily for commerce related projects, and zero-day exploits are tough but I cannot help thinking that security has been a secondary concern to Linden Lab, both in their Second Life client and, it appears, in how and in what way data is allowed to be accessed from different parts of the web site. There are many ways you can both compartmentalize and monitor so that if an attack happens (a) it is limited in what can be achieved and (b) those in charge are alerted as soon as possible. There needs to be an extremely serious look taken at the security of the whole without further delay. Nothing is foolproof, and never will be, but increasingly it doesn't appear that Linden Lab come anywhere near to even doing the basics of exploit and security management correctly. Silencing people, as has happened in recent months, is not a good policy I might add.

I dread to think what else is lurking here. We're increasingly seeing that the security in the client (through the exposing of flaws in the design by libSL, a project I think needs to exist, for the record, if for no other reason than focusing the minds at LL to close holes) is appalling - L$ charges for uploads handled by the client, prim sizes handled by the client, some god mode features handled by the client (if I remember correctly) - that I believe that nothing that Linden Lab produces is designed with anything other than cursory security in mind and that they do not have the means to secure sensitive data correctly.

We also see, time and time again, a lack of effort to close holes in the client and here, we've seen that although the web hole was patched within 3 days (far too long however for this to have been flagged, I do have to add) no further action was taken to protect the already possibly compromised accounts of the users for another 2-3 days. These are not the actions of a company that takes security seriously, I'm sorry to say.

I'm pretty much flabbergasted at the last 24 hours. I hope there are some very serious questions being asked at the Linden Lab offices and that this causes a sea-change in their attitude towards security. If it doesn't, or even doesn't happen quickly enough, these are the kinds of things that can bring a company down.

I've been here for over two and a half years. And today, for the very first time, I'm seriously questioning whether or not I can trust Linden Lab to keep my data secure. And I'm not somebody doing that because of lack of knowledge - quite the opposite.
_____________________
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
09-09-2006 07:53
From: Foolish Frost

Guys, LL may have made some security mistakes, but we have to keep this in perspective:

Somebody HACKED our information from their servers, and the final blame lies at the feet of those bastards. We can scream at LL all we want, but the fact is, they did not hand the data out, they just did not secure it as heavily as would have been prudent.

...But in all this, remember: LL did not commit the crime here. They did not SELL your information. They did not offer it up happily. They were HACKED.

I don't live under the delusion that shit doesn't happen. I have expectations concerning how a company deals with said shit. That the hackers are the criminals is not open for debate whereas LL's response to the situation is.
_____________________
hush
cinda Hoodoo
my 2cents worth
Join date: 30 Dec 2004
Posts: 951
09-09-2006 07:56
What do ya wanna bet a new job listing pops up on the LL site for a security manager? You should apply, Moopf. Btw, you made some very good points here.

Thinking LL grew from small beans to a very large company a bit too fast, the growing pains must be tremendous, but that is no excuse for not having the protection in place for its customers that it should have had. This once again leads me to believe that LL has no idea that they are in the service industry, but still views themselves as a game developer, hence the customer has been put on the back burner and as we have seen, not taken seriously very often.

Ah well maybe this happened for the best, at least we know some changes may come about from it.
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 07:59
From: Moopf Murray
Lotsa talking...


Nope. Can't disagree at all.

I just want to point out that they are not the people who DID the crime, they are just guilty of not putting enough security into the system.

So am I happy with LL? No. Am I going to beat them for it now. Dead horse.

They had better get their act together now, though. They don't have a choice.
Xceptopec Wolfstein
Registered User
Join date: 12 Jul 2006
Posts: 153
09-09-2006 08:11
Trying to say that we should not blame Linden Labs for this in part or in whole is a naive and wrong thing to say. We must and DO blame them, because they allowed it to happen. First of all the database was accessed and there's a very good chance that a lot of critical information was harvested (encrypted or not matters little in the end), the sudden spate of people saying they had been hacked recently, and then to cap it they found the problem on the 6th, but no one told us until the 8th! HELLO?? 2 fucking days to tell us that there is a damned good chance the critical information about each of us might have been harvested and that we are going to need new passwords. The moment they knew this had happened they should have told us, fuck investigations for 2 days, we needed to know about this as soon as they knew.
Kathmandu Gilman
Fearful Symmetry Baby!
Join date: 21 May 2004
Posts: 1,418
09-09-2006 08:39
Here is the solution to hackers. Unplug the frickin' computer from the Internet. It's that easy. Account and CC info should not be connected to the Internet in any way. They can't get what isn't there. Too many businesses rely on security programs and encryption and don't think about simply not connecting it to the outside world.
_____________________
It may be true that the squeaky wheel gets the grease but it is also true that the squeaky wheel gets replaced at the first critical maintenance opportunity.
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 08:46
From: Kathmandu Gilman
Here is the solution to hackers. Unplug the frickin' computer from the Internet. It's that easy. Account and CC info should not be connected to the Internet in any way. They can't get what isn't there. Too many businesses rely on security programs and encryption and don't think about simply not connecting it to the outside world.


But then how do you process online payments? :confused:
Maeve Morgan
ZOMG Resmod!
Join date: 2 Apr 2004
Posts: 1,512
09-09-2006 08:58
I was incredibly upset and angry yesterday when I couldn't get my account back, but it wasn't at LL, it was at the hackers who caused it. I've been in SL for 2 1/2 years now, and tend to take things in stride, because LL is doing something no one has ever really done before, so I know occasionally things screw up.
_____________________


Located in Shark
Everything under $100L
Lewis Nerd
Nerd by name and nature!
Join date: 9 Oct 2005
Posts: 3,431
09-09-2006 09:15
From: Maeve Morgan
I've been in SL for 2 1/2 years now, and tend to take things in stride, because LL is doing something no one has ever really done before, so I know occasionally things screw up.


If this was something at the cutting edge and beyond of stretching today's computing to its limits, then yes I fully agree with you.

But looking after a database of confidential customer information and protecting it as best as you can from hackers is not exactly in the same league, is it?

Lewis
_____________________
Second Life Stratics - your new premier resource for all things Second Life. Free to join, sign up today!

Pocket Protector Projects - Rosieri 90,234,84 - building and landscaping services
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
09-09-2006 09:17
From: Maeve Morgan
I was incredibly upset and angry yesterday when I couldn't get my account back, but it wasn't at LL, it was at the hackers who caused it. I've been in SL for 2 1/2 years now, and tend to take things in stride, because LL is doing something no one has ever really done before, so I know occasionally things screw up.


Sorry but I have to say that the 'LL is doing something no one has ever really done before' line doesn't at all excuse the consistently poor way they handle exploits and security. That's no excuse at all and doesn't have a foundation in truth by any stretch of the imagination.

Take this latest event, for instance. The hardware, protocols and systems they're running their show on isn't new technology and as such is subject to exactly the same security concerns as other Internet businesses using similar setups. They're not alone in screwing up like this but I am now wondering if it is indicative of a corporate mindset within Linden Lab that needs serious overhaul before they take it with the seriousness they should be doing. After all this example doesn't exist in a vacuum for Linden Lab - it's just the latest in a whole catalogue in recent months. It's certainly the most serious for the majority of the users, however.
_____________________
Seiana Echegaray
Registered User
Join date: 18 Dec 2005
Posts: 22
09-09-2006 09:26
From: Lewis Nerd
If this was something at the cutting edge and beyond of stretching today's computing to its limits, then yes I fully agree with you.

But looking after a database of confidential customer information and protecting it as best as you can from hackers is not exactly in the same league, is it?

Lewis


That is the root of the real complaint here. And also why no one can support LL's actions in this matter. They have over a million people's information (real or not) and almost as many credit card numbers around the world. It is a paramount duty to keep that information safe. On top of that customer service is at its greatest need upon the breach of such information. This is absolute in business, I'm afraid that the "Tao of Linden" needs to be thrown away if they wish to continue to be the big business they are going to be.
Jesrad Seraph
Nonsense
Join date: 11 Dec 2004
Posts: 1,463
09-09-2006 09:31
As someone who happens to work in the field of making-sure-those-big-computer-systems-work-as-expected, I'm both glad that LL disabled all the passwords, disclosed all the details immediately (except for the nature of the vulnerability, ah well), I'm pleased that they followed best practices by storing confidential information only in salted hash form, but I'm also vindicated that the clients' info database was so easily accessible from outside and that it took user complaints to investigate and determine there was a breach in the first place.

Also, I would have liked that they explicitly said NOT to reuse the same password at all, but that's a detail.
_____________________
Either Man can enjoy universal freedom, or Man cannot. If it is possible then everyone can act freely if they don't stop anyone else from doing same. If it is not possible, then conflict will arise anyway so punch those that try to stop you. In conclusion the only strategy that wins in all cases is that of doing what you want against all adversity, as long as you respect that right in others.
Khamon Fate
fategardens.net
Join date: 21 Nov 2003
Posts: 4,177
09-09-2006 09:36
doot doot doot doot doot foolish alert radar confirmed foolish alert

You're both right; but Moopf, we've known of this mindset for months yea even years at this point. You're talking about a company whose policy states that the only fireable offence is playing office politics. My so called credit card on file is a Paypal debit card linked to an account that holds nothing more than Fate Gardens' profits. I'm saving to buy an estate! But I've been under no delusion that anything in the Second Life system belongs to me, or is in any way protected, since 1.2 was released. Am I just smarter than you?
_____________________
Visit the Fate Gardens Website @ fategardens.net
Kira Scott
The Finishing Touch
Join date: 6 May 2005
Posts: 26
09-09-2006 09:36
I would also like to point out that much larger companies have security breaches as well: Costco, Microsoft, etc. That is what a lot of those patches are all about that your computer downloads, or should be downloading. Certainly we don't run screaming at Microsoft every time there is a new security update, do we? I do not, I say phew, thanks guys, now I know I'm safer.
One other thing: when your apartment window gets smashed and someone looks thru your panty drawer you don't go to the apt. manager and say HEY! someone broke my window and looked thru my panties and YOU'RE to blame!!
Nope, we blame the turd lowlife that has nothing better to do than look thru panties (or in this case some miserable hacker).
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
09-09-2006 09:37
From: Jesrad Seraph
...disclosed all the details immediately (except for the nature of the vulnerability, ah well)...


Except they didn't. They sat on it for 2-3 days before telling the users (some of the explanations, particularly in relation to where and in what format credit cards details are stored, for instance, have also been contradictory) and forcing the password changes. Which would indicate to me that, in the first instance, they didn't take it as seriously as they should have done. That's a huge issue.
_____________________
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 09:45
From: Moopf Murray
Except they didn't. They sat on it for 2-3 days before telling the users (some of the explanations, particularly in relation to where and in what format credit cards details are stored, for instance, have also been contradictory) and forcing the password changes. Which would indicate to me that, in the first instance, they didn't take it as seriously as they should have done. That's a huge issue.


Well, to be fair, we did not know what it looked like from the inside.

For all we know, it took until today for all of the puzzle pieces to be put together, when a final "CRAPCRAPCRAP THEY GOT ACTUAL CREDIT CARD DATA CRAPCRAPCRAP" and then posted immediately. Sometimes, what seems obvious in hindsight is harder to catch at the time.

I'm not saying it's true, I'm saying WE DON'T KNOW.

Of course, if they fully knew and DECIDED to not release the information that CC data had been compromised for two or more days...

Well... Just get me a pitchfork and a torch too and let's get this over with.

:(
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
09-09-2006 09:51
From: Foolish Frost
Well, to be fair, we did not know what it looked like from the inside.

For all we know, it took until today for all of the puzzle pieces to be put together, when a final "CRAPCRAPCRAP THEY GOT ACTUAL CREDIT CARD DATA CRAPCRAPCRAP" and then posted immediately. Sometimes, what seems obvious in hindsight is harder to catch at the time.

I'm not saying it's true, I'm saying WE DON'T KNOW.

Of course, if they fully knew and DECIDED to not release the information that CC data had been compromised for two or more days...

Well... Just get me a pitchfork and a torch too and let's get this over with.

:(


Sorry but I don't accept that at all, not a delay of 2-3 days. Once they knew somebody had been into the system unauthorised in whatever way, their priority above all else should have been to investigate that fully straight away. I do not believe that such an investigation would take 2-3 days to uncover that access to user information had been obtained - after all we're talking about a handful of servers. This isn't rocket science and is traceable in a short period of time once you know it's happened.

In my experience, once you've seen that a breach has happened, within a few hours you have a very good idea of the extent of that breach and the sort of data that's been accessed. If you bother to look, that is.
_____________________
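Moopf's two points above, monitoring so that those in charge are alerted the moment an attack happens and sizing a breach from the logs within hours, as an added Python example that is not from the thread or from Linden Lab: it runs over a constructed, tab-separated database audit log, (a) flags bulk reads while they happen and (b) aggregates what one suspect client pulled, per table. The log format, account names, client addresses and thresholds are all assumptions for the example.

```python
"""Bulk-read detector and breach-scoping over a constructed DB audit log.

(a) find_alerts: alert while an intruder is still pulling data.
(b) breach_extent: afterwards, size the breach (tables, rows, bytes)
    from the same log, the 'aggregate size of the downloads' figure.
Log format is an assumption: one tab-separated line per query.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample audit log (not real data). Fields:
# timestamp, db account, client address, table, rows returned, bytes returned.
SAMPLE_LOG = """\
2006-09-06T02:10:01\twebapp\t10.0.1.5\taccounts\t1\t412
2006-09-06T02:10:02\twebapp\t10.0.1.5\tbilling\t1\t96
2006-09-06T02:11:40\twebapp\t10.0.1.9\taccounts\t1\t405
2006-09-06T02:12:03\twebapp\t10.0.1.9\taccounts\t50000\t20480000
2006-09-06T02:12:59\twebapp\t10.0.1.9\tbilling\t50000\t4800000
2006-09-06T02:13:44\twebapp\t10.0.1.9\taccounts\t50000\t20512000
2006-09-06T02:15:10\tbatch\t10.0.2.2\taccounts\t20000\t8100000
"""

# Per-query row limit per DB account and a cumulative byte budget per
# (account, client). Assumed values for the example, not a recommendation;
# an interactive web front end has no business reading thousands of rows.
MAX_ROWS_PER_QUERY = {"webapp": 100, "batch": 1_000_000}
MAX_BYTES_PER_SOURCE = {"webapp": 1_000_000}


@dataclass
class Record:
    ts: str
    account: str
    client: str
    table: str
    rows: int
    nbytes: int


@dataclass
class Extent:
    rows_by_table: dict = field(default_factory=lambda: defaultdict(int))
    bytes_by_table: dict = field(default_factory=lambda: defaultdict(int))
    first_seen: str = ""
    last_seen: str = ""


def parse_log(text):
    """Parse tab-separated audit lines; blank or malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6:
            continue
        ts, account, client, table, rows, nbytes = parts
        out.append(Record(ts, account, client, table, int(rows), int(nbytes)))
    return out


def find_alerts(records):
    """(a) Monitoring. Returns (timestamp, client, reason) tuples for every
    query over its account's row limit, plus one alert the first time a
    (account, client) pair exceeds its cumulative byte budget."""
    alerts = []
    running = defaultdict(int)
    over_budget = set()
    for r in records:
        limit = MAX_ROWS_PER_QUERY.get(r.account, 0)
        if r.rows > limit:
            alerts.append((r.ts, r.client,
                           f"{r.rows} rows from {r.table} via {r.account} (limit {limit})"))
        key = (r.account, r.client)
        running[key] += r.nbytes
        budget = MAX_BYTES_PER_SOURCE.get(r.account)
        if budget is not None and running[key] > budget and key not in over_budget:
            over_budget.add(key)
            alerts.append((r.ts, r.client, f"cumulative {running[key]} bytes exceeds {budget}"))
    return alerts


def breach_extent(records, client):
    """(b) Scoping: what one suspect client actually pulled, per table."""
    ext = Extent()
    for r in records:
        if r.client != client:
            continue
        ext.rows_by_table[r.table] += r.rows
        ext.bytes_by_table[r.table] += r.nbytes
        ext.first_seen = ext.first_seen or r.ts
        ext.last_seen = r.ts
    return ext


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, client, why in find_alerts(recs):
        print(f"ALERT {ts} {client}: {why}")
    ext = breach_extent(recs, "10.0.1.9")
    print(dict(ext.rows_by_table), dict(ext.bytes_by_table), ext.first_seen, ext.last_seen)
```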
Khamon Fate
fategardens.net
Join date: 21 Nov 2003
Posts: 4,177
09-09-2006 09:52
From: Foolish Frost
Well... Just get me a pitchfork and a torch too and let's get this over with.
I doubt it's the ranting and raving they're worried about. The people who will sell off and walk away from the project are likely their largest concern. It's been a numbers game for a long while; but we stand to lose a lot of older, talented infrastructure this round.
_____________________
Visit the Fate Gardens Website @ fategardens.net
Khamon Fate
fategardens.net
Join date: 21 Nov 2003
Posts: 4,177
09-09-2006 09:54
Oh and Moopf I'm of course kidding about being smarter than you. Your knowledge and experience overwhelms me. And I like your haircut.
_____________________
Visit the Fate Gardens Website @ fategardens.net
Vares Solvang
It's all Relative
Join date: 26 Jan 2005
Posts: 2,235
*trying to speak in a calm and reasonable voice*
09-09-2006 09:56
I tend to agree with the OP. The email we all got said:

From: Linden Labs
The company then launched a detailed investigation that revealed an intruder was able to access the Second Life databases utilizing a "Zero-Day Exploit" through third-party software utilized on Second Life servers.


For those who are too lazy to do a google search, a "Zero-Day Exploit" is defined as:

From: definition
A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.


Basically the hackers attacked the servers as soon as the vulnerability became known. This means that LL didn't have any time to respond to a security flaw in a third party software package they were using.

They can't guard against a flaw in someone else's software if they don't know it is there.

I believe that LL responded in a professional manner and acted correctly in this situation. I feel for those who are now locked out of their accounts, but at the risk of sounding mean or insensitive, I have to say that it's not Linden Labs's fault that a lot of people were glib or careless about the security of their own account (as in not having a real or current email address on file and/or using a random "secret word" for password recovery.)

Part of being an adult is taking responsibilities for your own actions or inactions. If you cut corners on your side of the security system then really you only have yourself to blame. Instead of screaming about how bad LL is, try to look at it as a lesson learned and be more careful next time.

Having said that, I think it should be noted that LL is working on a way for those that are locked out to get back into their accounts. Because they realize that it's just the right thing to do, regardless of whose fault it is.

The people at LL make mistakes. Of course they do, they are only human. But I truly believe that they are dedicated professionals who take pride in what they do and genuinely want to make SL the best that it can be. So let's not be too quick to judge, especially when we don't know all the facts yet. I'm sure more than one LL programmer was up very late last night working to get things sorted out for us.

So let's show them some love for a change! :)
_____________________
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
09-09-2006 09:57
From: Khamon Fate
Oh and Moopf I'm of course kidding about being smarter than you. Your knowledge and experience overwhelms me. And I like your haircut.


LOL Khamon, I'd always thought you were! By the way, it was great to meet you at SLCC.
_____________________
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
09-09-2006 10:00
From: Maeve Morgan
because LL is doing something no one has ever really done before...

...it is important that they not damage the viability of the concept in the eyes of the users through mishandling in their management and administration of it.
_____________________
hush
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
09-09-2006 10:02
From: Vares Solvang

Basically the hackers attacked the servers as soon as the vulnerability became known. This means that LL didn't have any time to respond to a security flaw in a third party software package they were using.

They can't guard against a flaw in someone else's software if they don't know it is there.


But they can just not use someone else's software until it's examined for flaws. There are companies that issue software with security certificates. I'm sure that could have been done here.

I've been given to understand (although not officially told) that if I call my bank, and get my credit card put on alert, they'll tell me that if I give my new credit card number to LL, I'm doing it with knowledge and by choice, and thus I won't be protected again. But then I can't play SL? Too bad, says the bank, SL isn't an essential and they don't want to spend money protecting people who take known risks.
Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
09-09-2006 10:09
I still blame them for failing to tell us the moment they found the intrusion. I mean, even if they didn't know the full extent, one would think they could have posted something like, "We found an intrusion that was via an exploit in a 3rd-party program we use. We fear some data may have been compromised. We are advising all users to please change their passwords at this time, while we continue to investigate the situation."

I would have felt better, and well, it would have shown a bit more of the 'Customer First' that we used to get from LL.

I also think the reason a lot of people are angry (myself included) is that this is just another example of them forgetting the customers and the community as a whole. *shrugs*
_____________________
DiamonX Studios, the place of the Victorian Times series of gowns and dresses - Located at http://slurl.com/secondlife/Fushida/224/176

Want more attachment points for your avatar's wearing pleasure? Then please vote for

https://jira.secondlife.com/browse/VWR-1065?