Second Life: Your home is under attack, guys. Support it instead of screaming...

Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
09-09-2006 10:11
THAT WAS REALLY LONG

but I think it basically boils down to, "Hay guys, let's make sure we keep the Linden shvanz in our mouths during this time of trouble. Remember to watch your teeth."
_____________________
From: Hiro Pendragon
Furthermore, as Second Life goes to the Metaverse, and this becomes an open platform, Linden Lab risks lawsuit in court and [attachment culling] will, I repeat WILL be reverse in court.


Second Life Forums: Who needs Reason when you can use bold tags?
Lord Sullivan
DTC at all times :)
Join date: 15 Dec 2005
Posts: 2,870
09-09-2006 10:17
From: Vares Solvang

The people at LL make mistakes. Of course they do, they are only human. But I truly believe that they are dedicated professionals who take pride in what they do and genuinely want to make SL the best that it can be. So let's not be too quick to judge, especially when we don't know all the facts yet. I'm sure more than one LL programmer was up very late last night working to get things sorted out for us.

So let's show them some love for a change! :)


Totally agreed, as we can't see the workings behind the scenes, so let's big them up for a change and remember it is not all their fault; the fallout because people use the same password for everything is certainly not their fault.

Also, if there is anyone here on the forums gifted with "Hindsight", I'm sure your services will be very much in demand here and at LL's, and I would apply for the post forthwith :)
_____________________
Independent Shopping for Second Life residents from established and new merchants.

http://slapt.me

slapt.me - In-World HQ http://slurl.com/secondlife/Bastet/123/118/26
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 10:25
From: Moopf Murray
Sorry but I don't accept that at all, not a delay of 2-3 days. Once they knew somebody had been into the system unauthorised in whatever way, their priority above all else should have been to investigate that fully straight away. I do not believe that such an investigation would take 2-3 days to uncover that access to user information had been obtained - after all we're talking about a handful of servers. This isn't rocket science and is traceable in a short period of time once you know it's happened.

In my experience, once you've seen that a breach has happened, within a few hours you have a very good idea of the extent of that breach and the sort of data that's been accessed. If you bother to look, that is.


And yet, you don't KNOW. You can push for it being crass incompetence all you like, but the fact remains until I know for sure, I'm not jumping in with cleats. It serves no function yet except to assure others that admitting fault at all is a bad idea.
Vares Solvang
It's all Relative
Join date: 26 Jan 2005
Posts: 2,235
09-09-2006 10:35
From: Yumi Murakami
But they can just not use someone else's software until it's examined for flaws. There are companies that issue software with security certificates. I'm sure that could have been done here.



I find it interesting that you assume that it wasn't. What reason do you have to make that assumption?

From: Raudf Fox
I still blame them for failing to tell us the moment they found the intrusion. I mean, even if they didn't know the full extent, one would think they could have posted something like, "We found an intrusion that was via an exploit in a 3rd-party program we use. We fear some data may have been compromised. We are advising all users to please change their passwords at this time, while we continue to investigate the situation."

I would have felt better, and well, it would have shown a bit more of the 'Customer First' that we used to get from LL.

I also think the reason a lot of people are angry (myself included) is that this is just another example of them forgetting the customers and the community as a whole. *shrugs*




I can understand how you would feel that way. Yeah, it would have been nice to know immediately, but I can understand the delay if it meant helping to catch the hackers. I am pretty sure that law enforcement asked them not to say anything for a bit to help them track down the bad guys. Of course, I don't have any proof of that, but it seems a reasonable thought anyway.
_____________________
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
09-09-2006 10:55
From: Foolish Frost
And yet, you don't KNOW. You can push for it being crass incompetence all you like, but the fact remains until I know for sure, I'm not jumping in with cleats. It serves no function yet except to assure others that admitting fault at all is a bad idea.


There's enough history. This isn't an isolated example from which to forge a view.

Yet interestingly your post at the start jumps in on the 'don't blame LL' side without knowing either. But I guess that's OK, is it? :confused:
_____________________
Enabran Templar
Capitalist Pig
Join date: 26 Aug 2004
Posts: 4,506
09-09-2006 11:03
From: Moopf Murray
There's enough history. This isn't an isolated example from which to forge a view.

Yet interestingly your post at the start jumps in on the 'don't blame LL' side without knowing either. But I guess that's OK, is it? :confused:


HEY

WATCH IT MURRAY

SHVANZ BACK IN THAT MOUTH

NO TEETH!
_____________________
Ordinal Malaprop
really very ordinary
Join date: 9 Sep 2005
Posts: 4,607
09-09-2006 11:07
I'd certainly say that the proper information - rather than the speculation - coming out thus far is nowhere near enough to damn LL for laxity etc. Not that it means they've been absolutely perfect either, it's just too early to tell. For example, criticisms on the basis that "they knew about it on the 6th" - *what* did they know on the 6th? How certain was it? Can you imagine what the consequences of "hello SLers we are shutting down the grid and resetting your passwords bai" would be if there had *not* been an exploit?

I can't see that it's practically possible right now to apportion blame. We just don't have the information. By the by, a lot of forum posts on the subject, frankly, have generally gone across the "sensible or understandable venting" border and into "irrational uneducated ranting" territory, where they are subject to UN sanctions.

I don't know, maybe they screwed up, maybe they didn't, but I can wait a few days before making that judgement.
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 11:24
From: Moopf Murray
There's enough history. This isn't an isolated example from which to forge a view.

Yet interestingly your post at the start jumps in on the 'don't blame LL' side without knowing either. But I guess that's OK, is it? :confused:


'Innocent until proven guilty' is safer than 'Shoot 'em all and let god sort them out'.

:p

I'm not saying you don't have a right to be mad, I'm saying MY point of view is to try and make sure of all the facts first. Call me Merry Sunshine if you like, but I work from this method as much as possible.
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
09-09-2006 11:26
Ordinal, we're going to have to disagree on that. What I see is what we're told which, even then, doesn't actually paint a particularly good picture of their security setup. It was 3 days before they realised something had happened and closed the hole (meaning they knew how the attacker had got in and could trace from there) and a further 2-3 days before they decided that there was a possibility that all accounts had been compromised. Those timescales are too long when you're dealing with personal and financial information. Especially the gap between the first attack happening and LL actually realising that something had happened. I wonder whether attacks have happened before that never made the radar? Who can tell. That's where my monitoring point comes in from my first post.

Then we have the exposing of personal and possibly financial information (I'm still hazy on this as Robin Linden's been contradicting herself and other statements on where this is stored and how it is stored in those places) to web applications that, in all reality, don't require it. This has come through a third party piece of software - so it's either the blog, the wiki or the forum I guess. Why should any personal or financial information come anywhere near those three applications? There doesn't appear to be an awful lot of separation there if so much information could be accessed from places that don't require it and shouldn't come anywhere near it.

And that's just from the nicely spun blog announcement. What the truth is, rather than being better than that, is most likely much worse. A company's never going to come out and say the worst.
_____________________
Lewis Nerd
Nerd by name and nature!
Join date: 9 Oct 2005
Posts: 3,431
09-09-2006 11:37
Philip's silence is overwhelming on this issue.

Ultimately, whether he likes it, the buck stops there... "blame it all on me" his in-world profile says, for a reason.

So why is he staying well out of it, and asking other Lindens to do his dirty work and catch all the flak?

Lewis
_____________________
Second Life Stratics - your new premier resource for all things Second Life. Free to join, sign up today!

Pocket Protector Projects - Rosieri 90,234,84 - building and landscaping services
Adriana Caligari
Registered User
Join date: 21 Apr 2005
Posts: 458
09-09-2006 11:37
I agree with the original OP - the Hackers are the criminals here.

But

This incident brings us back to a fundamental argument that has been raging for the last year.

It is time for Linden to stop adding toys and gimmicks - and time for them to sit down and take a serious look at their system - Client and back end.

Call a halt to new stuff - get the fundamentals sorted first - or we will all have real speaking robots with flashing lights (lovely) and will have hacks, grid attacks, people not getting paid, and a pile of bugs the size of Everest from here until eternity.
_____________________
Maker of quality Gadgets
Caligari Designs Store
Moopf Murray
Moopfmerising
Join date: 7 Jan 2004
Posts: 2,448
09-09-2006 11:47
From: Foolish Frost
'Innocent until proven guilty' is safer than 'Shoot 'em all and let god sort them out'.

:p

I'm not saying you don't have a right to be mad, I'm saying MY point of view is to try and make sure of all the facts first. Call me Merry Sunshine if you like, but I work from this method as much as possible.


I'm not mad, in case that hasn't been obvious. I'm dismayed and concerned. But I also find it not entirely unexpected.
_____________________
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
09-09-2006 11:48
From: Moopf Murray
Sorry but I don't accept that at all, not a delay of 2-3 days. Once they knew somebody had been into the system unauthorised in whatever way, their priority above all else should have been to investigate that fully straight away.


But you misunderstand how the "love machine" works: you only work on something when you want to. Who wants to work on investigating security breaches? Bor-ing!
_____________________
"Whatever the astronomers finally decide, I think Xena should be considered the enemy planet." - io Kukalcan
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 11:51
From: Alex Fitzsimmons
But you misunderstand how the "love machine" works: you only work on something when you want to. Who wants to work on investigating security breaches? Bor-ing!


Wait. I LIKE figuring out security methods.

But...

That means...

:(

I'M BORING!

<runs away crying>
Alex Fitzsimmons
Resu Deretsiger
Join date: 28 Dec 2004
Posts: 1,605
09-09-2006 11:53
From: Lewis Nerd
Philip's silence is overwhelming on this issue.

Ultimately, whether he likes it, the buck stops there... "blame it all on me" his in-world profile says, for a reason.

So why is he staying well out of it, and asking other Lindens to do his dirty work and catch all the flak?

Lewis


Since when have top-level management and/or owners ever done otherwise? :p
_____________________
Craig Weiland
Registered User
Join date: 16 Jul 2006
Posts: 3
Hacker totally to blame?
09-09-2006 11:58
Ok, I've been perusing these forums over the security issues since yesterday afternoon, and read all of the posts here so far. The fact is, hacking does occur and that is a way of life these days. And yes, the hacker is to blame for causing this security compromise. But I tend to agree more with Moopf's posts. Don't try to go so easy on LL. The fact that they waited to inform us and do something about this is outraging me more and more. Plus, being such a company that deals with hundreds of thousands of dollars being exchanged on a daily basis, wouldn't you think their security would be state of the art? Sure there is always a way around security, but from what I've read, this sure wasn't state of the art security. I put my faith in LL that my personal information was secure, when in fact it was there for the taking. I am trying to be patient with LL to resolve this, but in my eyes, this whole situation could have possibly been avoided.

And now, with the fact you don't need an email to reset your password? How is that being safe? Since my secret question info was amongst the compromised data, now anyone can go in and change my password. If you ask me, it's just made that time that I spent changing my password a total waste.

So give LL a break? I don't know, my confidence is slowly fading
Darkness Anubis
Registered User
Join date: 14 Jun 2004
Posts: 1,628
09-09-2006 12:00
For those of us that do not know, what does "Zero Day Exploit" mean?
_____________________
Foolish Frost
Grand Technomancer
Join date: 7 Mar 2005
Posts: 1,433
09-09-2006 12:02
From: Darkness Anubis
For those of us that do not know, what does "Zero Day Exploit" mean?


I think it was described somewhere around here...

It's when the issue is taken advantage of the same day it's publicised as existing. It may have been known about by third parties before this, but it was not public knowledge.
Phoenix Psaltery
Ninja Wizard
Join date: 25 Feb 2005
Posts: 2,599
09-09-2006 12:03
From: Seiana Echegaray
They have over a million people's information (real or not)


Huh?

P2
_____________________
:cool:
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
09-09-2006 12:38
From: Foolish Frost
<runs away crying>

You big baby. :p
_____________________
hush
Todd David
Registered User
Join date: 3 Oct 2005
Posts: 17
We're all Agreed....
09-09-2006 12:50
It was the hackers to blame for the breach in security.
But it was LL's responsibility to watch for it.
By their own accounts, it happened on the 5th, they discovered it on the 6th, but waited until the 8th to do something about it.
That's where they failed in their responsibilities to us, the customers.
They should have pulled the plug the minute they found the intrusion.
They could have put up a small web server and posted a notice of the reasons and let the 3rd-party forums handle the discussions, like they planned on anyway.
Waiting 2-3 days to do something about the problem is bordering on incompetence!

IMHO heads should roll over this; somebody(s) screwed up bigtime.
FWIW I believe LL's action to reset the passwords was correct. They just needed to have done it sooner.
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
09-09-2006 13:06
From: Todd David
...

Excellent summation, sir. :D
_____________________
Jesrad Seraph
Nonsense
Join date: 11 Dec 2004
Posts: 1,463
09-09-2006 13:34
I'm curious as to how many people were affected beyond having to change password?
_____________________
Either Man can enjoy universal freedom, or Man cannot. If it is possible then everyone can act freely if they don't stop anyone else from doing same. If it is not possible, then conflict will arise anyway so punch those that try to stop you. In conclusion the only strategy that wins in all cases is that of doing what you want against all adversity, as long as you respect that right in others.
Apotheus Silverman
I write code.
Join date: 17 Nov 2003
Posts: 416
09-09-2006 13:35
In response to Moopf's original comments about the security situation, there are stringent standards that the Payment Card Industry (a collaboration between various credit card companies) has created. For medium-to-large companies, they require that those standards are largely met otherwise the companies can lose their ability to continue processing credit cards altogether.

I think it is likely that this incident will trigger an audit for LL. I am willing to bet that this does cause them to change their overall perspective on security. We would all be much better off for it.
_____________________
Apotheus Silverman
Shop SL on the web - SLExchange.com

Visit Abbotts Aerodrome for gobs of flying fun.
Lewis Nerd
Nerd by name and nature!
Join date: 9 Oct 2005
Posts: 3,431
09-09-2006 13:42
From: Jesrad Seraph
I'm curious as to how many people were affected beyond having to change password?


For my own peace of mind, I phoned my card issuer and explained the situation, asked them to check all transactions via the card during the last month, there were no unknown transactions, and I then asked them to cancel my card and replace it, which will arrive Tuesday or Wednesday.

The phone call took around 20 minutes in total, and whilst I am able to use my second 'savings' account debit card to access a little money over the next few days, essentially I am without banking facilities until the card arrives.

I also need to make sure that I remember to change billing details for my TSO accounts when the new card arrives, plus put them into SL, and now memorise another 16 digit number.

So count me down as "one".

Lewis
_____________________