Welcome to the Second Life Forums Archive


Security issue I had here-no way will I EVER do Age Verification!

Arianna Baron
Second Life Resident
Join date: 28 Nov 2004
Posts: 23
06-04-2007 19:08
I will try to summarize here so those not interested will not have to read:

1. I came to this website to get help recently and was given personal information about 2 other members in error by LL's guest help area

2. The company whom LL has chosen to age verify us was caught giving out tons of personal information by a reporter in 2003 (see Wired article discussed below-I am sure others have brought this up).

Recently I hoped to reactivate an alt I had not used since before the password debacle for business reasons and I could not call anyone at LL to get it reset (it was listed under an email address whereby I switched providers and no longer have). My in game partner called the concierge and I was advised the ONLY way to get this handled was to log in as a guest/basic account member (even though I have paid $50 a month for well over a year) and report the issue.

I followed instructions and when I clicked on my topic as a guest, I was immediately shown a form ANOTHER member completed requesting help instead of being given a blank form to complete as I should have been given. What I was given:

1. The person's email address which disclosed a TON of real life info:
a. What country they were in
b. their rl name (which appeared in her work email address)
c. the name of the university for which she works
d. her exact email to LL about her problems, including the name of where she worked and other personal details. Luckily for her, she was trying to activate a new account so no avatar name was associated. If it were, I was just given enough information where I could track her in a heartbeat and I was in shock and very upset.

I tried again using another associated topic. This time I was given ANOTHER person's information-an active member's avi name, his/her email address, as well the problems he/she was having in game. This one was where the person described that she changed her password and could not log in...just imagine for a minute if she included her old and new passwords thinking she was on a "secure" server and someone with bad intentions accessed that??

I immediately said not a chance in you know what will I EVER complete a form on this site ever again for help. THANKS SOOO MUCH for getting rid of the help line where we cannot safely report security issues.

I immediately took screen shots. I then copied and pasted the details and ONLY sent them directly to the two people whose information was compromised (I only viewed two - imagine how many more were) via their internet addresses. I advised them what I was given in error and told them to contact LL immediately because personal information was given to me ON THE GUEST/BASIC MEMBERSHIP form where many request help. Due to me seeing that this system was compromised and how LL gave out this information in error, I was not about to send a report to LL and be compromised as well. My partner would have called the concierge again but no one was available as it was a time the line was not open (after I wasted an hour trying to resolve my issue and discovered the security compromises).

I still have the screen shots LL-you know how to reach me if you need them. I will NOT give them or display them here because personal information was disclosed and this totally made me feel your security is highly lacking. You can pick up a phone and CALL me if you wish to discuss this compromised information but I am not holding my breath.

Also, why did you choose to go with a third party company (Aristotle/Integrity) that Wired exposed in 2003 for readily selling extremely personal information without verifying the buyer?? The reporter listed names Britney Spears and Condi Rice as buyers...come on!! Some of the information they disclosed and got busted for:

"The data includes birth dates, home addresses, phone numbers, race, income levels, ethnic backgrounds and, in some cases, religious affiliations."


"But in reality, Aristotle's site allowed anyone to register and purchase lists under a phony name and address. The site asked only for a name, the state where the buyer resided, an e-mail address and a phone number. Fields for mailing address and company name were optional. "

"Three days after an initial discussion, the company still had not determined the source of the problem.

Colopy said the company temporarily disabled the automated feature to prevent further unauthorized sales. Any new buyers visiting the site would have to deal with a live person before completing a transaction, he said.

But two days later, Wired News again was able to purchase lists on the site using a phony name.

Besides a name, address, phone number and birth date, the lists included each voter's registration date, political affiliation, income range, occupation and whether he or she owned a home or had children.

Ethnic codes identified voters as black or white (nine states ask voters to declare their race; three of them require it) and other codes identified Scots-Irish, French, Arab, Jewish or Catholic voters. A phone survey of voters who were identified as Arab on the list, however, indicated the data was incorrect.

Aristotle also listed information about each voter's participation in past elections, as well as campaign and charitable contributions taken from Federal Election Commission records. Charitable contributions were divided into religious, environmental, animal-rights and domestic-abuse categories. "

Ok yes, this information is from four years ago but you REALLY expect in this day and age where identity theft is the fastest growing crime across the world for us to think this company is ok now and we are safe???

Again, when they got busted, here was their response:

"Three days after an initial discussion, the company still had not determined the source of the problem."

With SL in the news nonstop every hacker wanting to make a quick buck is going to go after this list and there are going to be people internally willing to sell it to make some money.

GL LL, I see MANY lawsuits against you if this information is used for purposes other than you have disclosed or if it gets hacked or leaked, which I think may happen.

P.S. I am married to a programmer who manages software for one of the biggest entertainment companies in the world (worth a lot more than SL-) and his words: thousands of hackers try to break their website weekly to get customer information and credit card information and they have spent millions to avoid a hack and have a special internal department set up that deals with this issue - they have successfully avoided a hack and kept information from getting into outsider hands where an employee from a third party could sell out for quick cash. When you hire outside companies and data is transmitted back and forth, you are opening yourself up to a world of bigger problems and potential legal issues when this data is eventually compromised. Why not hire some of the pros in the world to keep this in your hands? Because you were hacked before? Good luck LL
Keiko Rau
Registered User
Join date: 7 Mar 2007
Posts: 1
Integrity of personal information
06-05-2007 03:41
Ok, your support issues aside, I have to agree with your concerns about Aristotle/Integrity.

As a "security aware" person I am amazed at the number of people (my family included) who willingly hand over personal information without a second thought, whenever asked by anyone who seems even slightly official.

I wasn't aware of the issues in 2003, but I have to ask myself, why would a marketing company (Aristotle) be interested in owning or operating a security / verification company (Integrity) which at first glance, has nothing to do with their marketing business?

From what I can tell, after a few searches, and as someone from overseas who is not familiar with either company, Aristotle is in the business of making and selling voter lists to political campaigners. Given that everyone has the right to vote, that basically includes anyone and everyone. Selling these lists is how they make their income - and as you pointed out, they will sell to anyone - not just political campaigners.

Integrity on the other hand, provide age verification services - a completely unrelated business. Yes I can see that perhaps Aristotle might want to diversify by owning other types of business, but really I am not naive enough to believe that diversity is their motivation for doing so.

Being a verification service means that Integrity has access to lots of personal information, provided to them by their clients, such as Linden Lab - the very information that lists are made of. To the parent company this information is their core business, it's what they do - they will turn green with envy watching this information pass through Integrity's hands, and they will blow a gasket when told they can't access this fresh new flow of information.

I'm well aware of "corporate realities" that result from management deciding to leverage every available business asset to maximize their ROI (Return On Investment), and information is a vital asset in any business. If my experience in the corporate world is anything to go by, it won't be long before Aristotle play the "parent" card and force Integrity to hand it over. Why would they only get paid for providing verification services when they can get paid a second time for selling the list too?

I rate list makers about as high as I rate spammers, so there is NO WAY I'm going to believe that in this case, one thing is separate to the other, and that Aristotle and Integrity are separate and do not / will not pass information between one another.

Lindens, if you insist on verification, at least outsource it to a company that has a reputation for security and is unrelated in any way to marketing companies or list brokers.
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
06-05-2007 05:35
Welcome to the forum. And thank you for pointing out why I am against Verification with this particular company, in a clear and non-hysterical manner.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Jeza May
Owner of Jade Innovations
Join date: 16 Oct 2006
Posts: 317
06-05-2007 06:36
From: Brenda Connolly
Welcome to the forum. And thank you for pointing out why I am against Verification with this particular company, in a clear and non-hysterical manner.

Amen Sister...

Oh.. and love the title.. offensive broad hehe...Wish I'd thought of that lol!!
_____________________
Draco18s Majestic
Registered User
Join date: 19 Sep 2005
Posts: 2,744
06-05-2007 07:10
I plan on avoiding the verification as long as possible, and when I DO do it, I will not be submitting any information which can be stolen and maliciously used. Such as Driver's Licence Number (omg, what is someone going to do, get my licence revoked? Dear God no! I don't have a --ing car!).
Object Pascale
moshi moshi
Join date: 27 Jan 2007
Posts: 648
06-05-2007 07:25
Hmm. Let's not bury the security lapse with another Integrity debate. I'm more concerned about user information being leaked when people are submitting help requests. I consider being able to access another user's information a potential exploit (it shouldn't be obtainable and could be used for nefarious purposes). I would therefore report it as such.

..and what do you know, after checking the blog post I remembered which tells you how to report an exploit (the difference is that exploit reports go straight to Brent Linden's inbox), LL have crossed out 'resident privacy', no longer considering it a serious security lapse. :rolleyes:

http://blog.secondlife.com/2006/07/31/new-express-exploit-reporting-feature-and-l-bounty/

Sheesh.
Object Pascale
moshi moshi
Join date: 27 Jan 2007
Posts: 648
06-05-2007 08:09
Further to this, I tried to reproduce the scenario by following the steps provided by Arianna. It didn't reveal anybody else's ticket (and associated personal information). I tried to access a ticket with a different ID (i.e. one submitted by somebody else) but was denied access (as expected).
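The check Object Pascale tested above (a ticket with somebody else's ID is refused) is the rule that was missing in Arianna's account, where the "new ticket" form came pre-filled with another member's submission. The following is an added example written for this archive, not Linden Lab's support code: a small ticket store in which every read is bound to the submitting identity, guest sessions can open tickets but never read one, and the blank form is never built from stored tickets. The `HelpDesk` class, its method names and the two sample tickets are constructed for the example.

```python
"""Ownership check for help-desk ticket retrieval.

Added example, not Linden Lab's code. Models the rule that a support
ticket may only be read by the account that submitted it; guest sessions
may open a ticket but never read one. All ticket data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional
import itertools


class AccessDenied(Exception):
    """Raised when a session tries to read a ticket it does not own."""


@dataclass(frozen=True)
class Ticket:
    ticket_id: int
    owner_email: str          # identity of the submitter; never shown to others
    avatar_name: Optional[str]
    body: str


class HelpDesk:
    """Minimal ticket store that binds every read to the submitting identity."""

    def __init__(self) -> None:
        self._tickets: dict[int, Ticket] = {}
        self._ids = itertools.count(1000)   # constructed ticket numbering

    def submit(self, requester_email: str, avatar_name: Optional[str], body: str) -> int:
        """Anyone with an e-mail address (guest or paying member) may open a ticket."""
        ticket_id = next(self._ids)
        self._tickets[ticket_id] = Ticket(ticket_id, requester_email, avatar_name, body)
        return ticket_id

    def view(self, ticket_id: int, requester_email: Optional[str]) -> Ticket:
        """Return a ticket only to its submitter.

        Authorization, not mere existence, decides the outcome: a guest
        session (requester_email is None) is refused, and so is a wrong
        owner. Both failures raise the same exception so the response
        cannot be used to tell which ticket IDs exist.
        """
        ticket = self._tickets.get(ticket_id)
        if requester_email is None or ticket is None or ticket.owner_email != requester_email:
            raise AccessDenied(f"ticket {ticket_id}: not accessible to this session")
        return ticket

    def blank_form(self, requester_email: Optional[str]) -> dict:
        """The form shown when a user opens a help topic: always empty.

        The lapse described in the thread was a form pre-filled with another
        member's ticket; a new-ticket view must never be built from stored tickets.
        """
        return {"email": requester_email or "", "avatar": "", "body": ""}


def demo() -> dict:
    """Exercise the store with constructed tickets; returns outcomes for checking."""
    desk = HelpDesk()
    t1 = desk.submit("staffer@example-university.edu", None, "Cannot activate my new account")
    t2 = desk.submit("member@example.com", "Example Resident", "Changed password, cannot log in")

    results = {}
    # the owner reads their own ticket
    results["own_ok"] = desk.view(t1, "staffer@example-university.edu").ticket_id == t1
    # another member tries to read it by supplying its ID
    try:
        desk.view(t1, "member@example.com")
        results["cross_user_denied"] = False
    except AccessDenied:
        results["cross_user_denied"] = True
    # a guest session (no identity) tries to read any ticket
    try:
        desk.view(t2, None)
        results["guest_denied"] = False
    except AccessDenied:
        results["guest_denied"] = True
    # a non-existent ID yields the same error as a wrong owner
    try:
        desk.view(9999, "member@example.com")
        results["missing_same_error"] = False
    except AccessDenied:
        results["missing_same_error"] = True
    # the new-ticket form never carries another user's data
    form = desk.blank_form(None)
    results["form_empty"] = form["body"] == "" and form["avatar"] == ""
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the ticket ID is treated as a lookup key only, never as proof of entitlement: the session's identity is compared against the stored owner on every read, and a missing ticket and a foreign ticket are indistinguishable to the caller.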
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
06-05-2007 08:31
From: Jeza May
Amen Sister...

Oh.. and love the title.. offensive broad hehe...Wish I'd thought of that lol!!


:) I'll let you know when I am done with it, then you can have it.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com