Wake up, LL apologists. This affects you, too.

Yes, I am. Are you?

I've said a couple of times now that LL should be staffing phones over the weekend and working as hard as they can to make it right. That is where they fell down.

Where users who are complaining fell down is by not maintaining their security system -- be it by giving bad email addresses to start with, not updating email addresses or by using forgettable security codes without storing them somewhere. No one is responsible for that but the user him or herself.

And I said that was only one mistake they made. You seem to have missed the other, or else you just ignored what I said entirely.

Whatever. I know this shouldn't come as any great surprise, but it's still disappointing to actually see it.

Incidentally, I don't suppose there's been any tidbits as to WHY resets will have to wait until Monday? Maybe the old password will be what's used for the last-resort verification and they need to prepare a way to check those and maintain security.

That's really the only explanation I can think of to back up such a horribly self-destructive idea.

Well, it sure cut down on forum closing complaints, for one.

Or was it $75,000? Yes, on Sept 6, $75,000 was stolen from my account. No, $80,000. LL, please reimburse. Thank you!

And you definitely have the managerial mindset there Cory. Customers don't matter, its their fault. Its LL's fault their security sucked ass and they got hacked. People move, ISP's change names, go belly-up...we should not HAVE to rely on constant screwing around with secret words and emails, the managerial types at LL should have had the damn DB entirely encrypted and a LOT stronger security.

Please, tell me if you are still with a company that deals directly with consumers, I would prefer not to patronize it.

You're never going to get through to the 'personal responsibility' gang. These folks have been born and raised with the mindset its always the fault of the person because they didn't show 'personal responsibility'. The ONLY thing that will change their tune (and I have seen this RL with a couple particularly annoying older / conservative family members) is when it happens to them...when THEY forget, or lose the paper....THEN they will see your point of view. Its always easy to be smugly self-riteous and natter on about 'taking responsibility'...until the finger is pointing back at them.

*sigh*

You're right, of course. I was hoping I could get somewhere by using a different angle and pointing out that it's still everyone's problem if lots of people cash out and/or leave SL because of LL's continual poor treatment of its customers, no matter whose fault they want to say it is, but I can't even seem to make a dent.

I think this is one of those things where I have to shrug and accept that I'm not going to reach anyone who doesn't already see it.

That makes no sense. The security question is there to prevent someone else from changing your password and gaining entry to your account. It makes perfect sense for it to be asked before being allowed to change the password.

I feel bad for anyone that can't remember their answer to the security question or used a phony email, but I'm not even for a nanosecond going to assign the blame for it anywhere but where it belongs... with the user.

I truthfully don't know much about the security we should have - I'd like to know more. I'm sure LL didn't want this to happen, and I am very sorry people are suffering. but my question is, what SHOULD we have? What would the ideal (nothing is perfect but the best solution available) be? I saw on this thread:
username should not be character name

What else?

Actually, it's happened to me many times in many ways. That is why I believe in the importance of personal responsibility -- I have seen what happens when I am not.

There's not very much that could really be done different/better in terms of user-level security. As I said, I think a warning period would have been a good way to ease the pains that are happening right now, but that allows the intruders more time to mess things up even worse for the unlucky accounts they've cracked.

More emphasis on maintaining valid e-mail addresses or security questions would help. Maybe even have the reviled security question be freeform instead of multiple-choice (What is my password?:______)

Really the only thing that would help is having the support lines open for manual intervention in case the automated password system doesn't work. That's why it exists in the first place.

Sorry I have to go w/ the majority here.....you need to know your email and security question, noone else can do that for you. PERIOD

Do I feel bad as hell for those who don't? Hell yeah!

But I have an altogether different problem, which right now I can live w/ but is going to become an issue when I want to sell my land. I am hoping it can be resloved before then.

/108/d4/135987/1.html


Has anyone attempted to 'fix' more than 5 accounts? I'd really like to hear if you have.

You beat me to it. If security questions are bogus...

Then suggest something more effective.

And don't just say "Make sure no one gets hacked, or forgets their password."

--
7 more posts until 1000.

When you forget your password with email, they then ask you for the answer to the security question correct?

You missed the point. Nobody expected LL to use the security question as a method to reset passwords in case of a hack attempt. It was assumed as what most websites use it for which is to recover forgotten passwords and yes aide in prevention of changing passwords however several people have used that security question to change others passwords in the past hence why so many people have lost trust in that so called security method.

On most websites if you want to change your password you either must present your current password or they email you as verification that it is you.

In this example if it were any other hacked database, your answer given to these security questions are not encrypted and the hacker can see this and change your password anyway if they went through that method.

Also if you use the same password to access your email along with your second life account, the hacker already knows the answer to your security question and can access your email and supply the answer for you and change your password.

Tell me more about how secure these security questions are and put full blame on those who have been burned before and learned a lesson about the exploit of security questions.

This is kind of a "duh."

Something more effective is simply not using the security question for resetting passwords. Or even having a so-called "security" question.

Your comment presupposes that the security question is needed or actually adds anything of value that would be lost by getting rid of it, which in fact is not the case.

I do too, honestly. Thing is, what you said is also the opinion of every single person I know (including my partner) who works in IT or information security, and has to deal with stuff like this on a daily basis.

I couldn't really follow all that you posted, sorry, but I can tell you that I fixed all of my (... counting ...) eight accounts, all of which are verified. Good luck

I don't see many people who have an opinion that differs with you or chip though. Most people are upset with 1. The original security breach, and/or 2. The lack of customer support over the weekend.

Excellent...then I just need to wait

Yup Hiro, even the security breach thing isn't a biggie. Lack of customer support over the weekend however is not a good idea me thinks.

#1 would have to fall under the heading of the perils of running any computer system that's connected to the Internet these days. Is it negligence on LL's part that they were hacked? Maybe, maybe not ... those nasty little buggers are very talented at breaking into systems that other talented people seem to think are secure, and it happens all the time (unfortunately).

#2 is more mystifying though, I agree. I hope there's an explanation forthcoming. That said, I've heard that the Lindens are in fact working overtime all weekend, but just not on the phone banks. (Anybody have any confirmation on that?) If you've forgotten your info, then not being able to get on until Monday is a drag but not the end of the world in the grand scheme of things. Despite the current level of customer service, somehow I don't think the people who currently feel as if they've "lost" their accounts are going to be abandoned, and I suspect they'll be able to get back in soon enough.

This reminds me of a statement I heard recently regarding terrorists.......

'They only have to get it right once, we need to get it right 100% of the time.'

Fits well for the tiny dicked hackers as well I think.

I can understand where remembering a security question answer is on the users responsibility but theres one slight problem. Some people typed in their answer perfectly and it was rejected. Others don't even have an answer on record or their security question has been changed from the original they selected. This isnt exactly the users fault when the information they know is correct is not working for them at all. Im in the same issue.

No argument there, but I do think people need to be patient. I imagine things are a bit hectic at LL today and people should really give it a few days to get sorted before having any serious freakouts. If a week from now these people have been left high and dry, then the anger will be justified. At the moment it's all rather premature.