Petition and Poll: Reinstate CrisMid
|
|
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
|
07-27-2006 09:25
From: Summer Carmichael
Has everyone heard that posting SL exploits in the forums is a bad idea? It's highly frowned upon and should never be done? If it is done... does everyone know now what is going to happen to them? I have nothing against this guy, he seems to be well liked, does good for the community, etc. but it seems in all his goodness and upstandingness and high intelligence, he could have made a choice to get this information to the Lindens without posting it to the forums, where it can do maximum harm. He could have done it a good handful of other ways actually and still gotten the same information out, he made a bad decision in posting it to the LL forums, and I hear the Lindens loud and clear about how they feel about it. I certainly will think twice or find a different way of communicating that information if I had information like that from here on out.

I like Cris too and so far several people aver that Cris did NOT include the exploit details. But fact is that he is one of three people with a heavy penalty. There must be some detail that has not been revealed. Forum-based violations are not usually prone to miscalls.
_____________________
Aodhan's Forge shop at slurl.com/secondlife/Rieul/95/213/107
|
|
Lou Dobbs
Registered User
Join date: 25 Jul 2006
Posts: 57
|
07-27-2006 09:31
From: Phedre Aquitaine
He didn't post HOW TO DO IT, just that it EXISTED. Shall I put it in semaphore next? Perform interpretive dance? What?

INTERPRETIVE DANCE!
|
|
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
|
07-27-2006 09:31
From: Aodhan McDunnough Forum-based violations are not usually prone to miscalls. 
_____________________
hush 
|
|
Gabe Lippmann
"Phone's ringing, Dude."
Join date: 14 Jun 2004
Posts: 4,219
|
07-27-2006 09:33
From: Aodhan McDunnough Forum-based violations are not usually prone to miscalls. 
_____________________
go to Nocturnal Threads 
|
|
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
|
07-27-2006 09:36
Margaret, that statement I made as a former mod from elsewhere. It's actually hard to make a miscall on a forum violation because the evidence is already in plain text. That's what's confusing me here. An exploit warning with no procedure cannot get a high-level penalty. In fact it normally should not even get a penalty.
_____________________
Aodhan's Forge shop at slurl.com/secondlife/Rieul/95/213/107
|
|
Lou Dobbs
Registered User
Join date: 25 Jul 2006
Posts: 57
|
07-27-2006 09:36
From: Aodhan McDunnough
Margaret, that statement I made as a former mod from elsewhere. It's actually hard to make a miscall on a forum violation because the evidence is already in plain text. That's what's confusing me here. An exploit warning with no procedure cannot get a high-level penalty. In fact it normally should not even get a penalty.

Exactly. dun Dun DUN!
|
|
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
|
07-27-2006 09:44
From: Lou Dobbs
Exactly. dun Dun DUN!

Which is why I want to hear from the other side, namely the mods or the Lindens. Getting Cris reinstated for me is not the issue. LL can reinstate Cris anytime ... or not. The prime issue for me is: was this a miscall, or is there something we on this end do not know about the case?
_____________________
Aodhan's Forge shop at slurl.com/secondlife/Rieul/95/213/107
|
|
Dakota Callahan
Feisty Irish Lass
Join date: 21 Jul 2004
Posts: 783
|
07-27-2006 09:44
From: Phedre Aquitaine He didn't post HOW TO DO IT, just that it EXISTED. Shall I put it in semaphore next? Perform interpretive dance? What?
_____________________
Life is a Carnival "... every broken teleport makes a baby hippo cry." - Altruima Linden "We're all pro wrestlers in the ring of Second Life." - Torley Linden Dakota Callahan Designs Callahans Isle (2,128, 502)
|
|
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
|
07-27-2006 09:47
From: Aodhan McDunnough
Margaret, that statement I made as a former mod from elsewhere. It's actually hard to make a miscall on a forum violation because the evidence is already in plain text. That's what's confusing me here. An exploit warning with no procedure cannot get a high-level penalty. In fact it normally should not even get a penalty.

Why do you think everyone's coming forward? You may be confused, so have decided that there must be more to the scenario than you are aware of. Miscalls on this forum have become routine.
_____________________
hush 
|
|
Fade Languish
I just build stuff...
Join date: 20 Oct 2005
Posts: 1,760
|
07-27-2006 09:48
From: Phedre Aquitaine
He didn't post HOW TO DO IT, just that it EXISTED. Shall I put it in semaphore next? Perform interpretive dance? What?

Is it too late to put my vote in for the interpretive dance?
|
|
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
|
07-27-2006 09:49
From: Margaret Mfume
Why do you think everyone's coming forward? You may be confused, so have decided that there must be more to the scenario than you are aware of. Miscalls on this forum have become routine.

Then I would rather LL come forward and state the miscall if ever. I came from a mod culture where we do not want a single miscall. With a violation and penalty of this gravity, no mod group should be tolerating a miscall. I don't know about LL's decision makers, but in the group I came from we say so if we made a mistake and fix things. Calling for the reinstatement of Cris is not going to end miscalls.
_____________________
Aodhan's Forge shop at slurl.com/secondlife/Rieul/95/213/107
|
|
Ulrika Zugzwang
Magnanimous in Victory
Join date: 10 Jun 2004
Posts: 6,382
|
07-27-2006 09:52
Signed.
_____________________
Chik-chik-chika-ahh
|
|
Jonas Pierterson
Dark Harlequin
Join date: 27 Dec 2005
Posts: 3,660
|
07-27-2006 09:56
Signed.. Some of LL's recent suspensions have been mangled, others justified. This one was mangled.
_____________________
Good freebies here and here I must protest. I am not a merry man! - Warf, ST: TNG, episode: Qpid You killed my father. Prepare to die. - Inigo Montoya, The Princess Bride You killed My father. Your a-- is mine! - Hellboy
|
|
Tammany Goodliffe
Registered User
Join date: 22 Dec 2005
Posts: 15
|
07-27-2006 10:01
Signed.
I don't know the guy, but I did see the post in question. Considering that the exploit was not only harmful to LL, but to residents as well, I would imagine that he felt it important that *we* know it existed. I think that *he* thought it was a responsible thing to do. I think I would've thought so too.
I read a post from someone else the other day that I do know vaguely- we used to be neighbours- and a similar thing happened to him when he informed the owner of certain scripts that they had been sold as full perms. She overreacted and blamed *him* for her mistake, banned him from her store, accused him of copying the scripts, got really ugly...
WTF is up with the shooting of the messengers?
Another game (I know, I know) I play online actually gives out game credits and rewards for bug and exploit finding, and the bigger the bug, the bigger the reward is for reporting it. If everyone's looking for exploits anyway, why not exploit *that* and entice them to *tell* instead of using the exploits they find? Punishing people for it hardly seems like a good way to encourage reporting.
Of course, LL is a private company, and I would never suggest that a private company take a vote amongst its customers to shape its policies or to determine punishments for its other customers. This is not a democracy, nor should it be, and I doubt if anyone really thinks LL are obligated to respond to every poll posted in the forum- but it's a pretty civil way to tell them our collective opinion on the matter just the same.
Anyway. Here's to the whistleblowers- you deserve our thanks.
|
|
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
|
Ok
07-27-2006 10:06
Presuming, for the sake of argument, that I know the details of the exploit, and that I know what Cristiano Midnight posted to the forums.
I presume that what he was reporting was not something that he alone had come up with. I presume that he was reporting an exploit that other people had developed and was already in the wild - I can infer this from some other people's comments. I can also infer that he made a limited description of part of the steps that were used.
So, what he posted - was it a detailed description of how people can /protect themselves/ and their extant builds /against/ the people who are pulling this exploit?
Was it /necessary/ for people to understand how the exploit /works/ in order to protect themselves and their extant builds from people pulling the exploit?
I've worked computer security - these two principles are at the core of "To disclose or not to disclose". Are you posting something that will give script kiddies (clueless malignant users) a head-start on exploiting the bug? Is what you are posting more useful to script kiddies than to legitimate users? Or are you posting detailed instructions on how people can protect themselves and their builds/boxen/investments? Do the legitimate users need to know the details of the /exploit/ to carry out the protective measures? Do the legitimate users need to know the details of the exploit in order to believe your word that the requisite (burdening) steps are necessary, or will they /simply trust you and your reputation/ when you tell them "Storm is on the way, batten down the hatches with steps X Y and Z" - ?
Further questions to answer are: Have you contacted - in an acknowledgeable way (with real, /human/ response from a knowledgeable/skilled point person) the vendor of the product that has the exploitable bug? Have they acknowledged that it's a real security problem? Have they set a person or team to working on the problem? Got a ticket number? Got an ETA? Does the vendor have a reputation (professional reputation) for fixing acknowledged security exploits quickly and with due diligence? Or, do they have a reputation for sitting on (easily discovered, or in-the-wild) security exploit reports for months and failing to do anything until public disclosure shames/forces them?
Once you do decide to perform public disclosure, do you have a workaround/fix that you've developed? Or is the disclosure a public call with the possibility of someone else in the community developing a fix/workaround? Or is this simply a hands-thrown-up public call to withdraw from using the exploitable product due to the damage an in-the-wild exploit will cause to users and the impossibility of an independently developed fix and the unresponsiveness of the vendor? This last reason is:
A: The tack of last resort.
B: Only to be taken if the vendor has a professional history of unresponsiveness.
C: Real valuable items are at stake (intellectual property theft, code theft, computer security, work product theft, money, goods, services) that /cannot conceivably be replaced under any process/. For computer security reasons, "downtime" (denial of service) isn't considered to be one of the "irreplaceable things" - downtime happens. More time is just around the bend. Privacy, once undone, can never be redone.
Linden Labs has made public that their ToS will be interpreted in the broadest possible sense. That means that any level of detail on how to go about performing any exploit on any of their forums will earn the person involved disciplinary action, regardless.
Was his suspension /just/? Probably not. Was it /expectable/? Probably. Did he respond to the exploit in the /best possible way/? Probably not.
I - in his shoes - would have:
A: Not posted the discussion/linked to a discussion in the forums for the details of how the exploit works.
B: Reported it to Linden Labs and received acknowledgement that action was being taken, and attempted to get an ETA for a fix, or their advice for a workaround.
C: Posted a warning on the forums that a given exploit existed, was being used in the wild, and that /because of LL ToS/, details of the exploit aren't available on the forums but that the /best/only/ defense for that exploit that has yet to be discovered is steps X, Y, and Z.
|
|
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
|
07-27-2006 10:13
From: Aodhan McDunnough
Then I would rather LL come forward and state the miscall if ever. I came from a mod culture where we do not want a single miscall. With a violation of this gravity, no mod group should be tolerating a miscall. Reinstating Cris is not going to end miscalls.

As far as I'm concerned, it's not so much about freeing the individual of the moment as it is about LL acknowledging and owning the error in judgement. The first step towards rectifying an issue is acknowledging and owning it. But it seems that LL places a higher priority on avoiding the appearance of giving in to "bullying" than on establishing some bit of credibility by admitting a mistake in judgement has been made.
_____________________
hush 
|
|
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
|
07-27-2006 10:24
From: Margaret Mfume
As far as I'm concerned, it's not so much about freeing the individual of the moment as it is about LL acknowledging and owning the error in judgement. The first step towards rectifying an issue is acknowledging and owning it. But it seems that LL places a higher priority on avoiding the appearance of giving in to "bullying" than on establishing some bit of credibility by admitting a mistake in judgement has been made.

I'm not ready to assume anything at this point because there is an area of unknown data. We do not know the precise story from the Lindens' side. I'm not fond of such black holes but they do exist. However on something of the gravity of this case I am still hoping LL will come forward, right or wrong. If the ban was justified, I'd like the air cleared. If the ban was a mistake, I'd like to see a retraction.
_____________________
Aodhan's Forge shop at slurl.com/secondlife/Rieul/95/213/107
|
|
Summer Carmichael
UNVERIFIED REGISTERED
Join date: 11 Jun 2006
Posts: 326
|
07-27-2006 10:30
From: Phedre Aquitaine
He didn't post HOW TO DO IT, just that it EXISTED. Shall I put it in semaphore next? Perform interpretive dance? What?

Yes, dance for us sweetie.
_____________________
Summertime is a nice time.
|
|
Margaret Mfume
I.C.
Join date: 30 Dec 2004
Posts: 2,492
|
07-27-2006 10:32
From: Aodhan McDunnough
I'm not ready to assume anything at this point because there is an area of unknown data. We do not know the precise story from the Lindens' side. I'm not fond of such black holes but they do exist. However on something of the gravity of this case I am still hoping LL will come forward, right or wrong. If the ban was justified, I'd like the air cleared. If the ban was a mistake, I'd like to see a retraction.

Well, based on history, they won't. It has been policy to provide no commentary on actions taken on violations either in SL or in the forum. To sum up, the answer to "Why?" is "Because I said so!". No wonder you have adults bristling at being treated as children.
_____________________
hush 
|
|
Aodhan McDunnough
Gearhead
Join date: 29 Mar 2006
Posts: 1,518
|
07-27-2006 10:37
From: Margaret Mfume
Well, based on history, they won't. It has been policy to provide no commentary on actions taken on violations either in SL or in the forum. To sum up, the answer to "Why?" is "Because I said so!". No wonder you have adults bristling at being treated as children.

Sad that. Call me a romantic if you have to but I don't believe it has to stay that way. I can understand the lack of commentary, it's typical policy. What I believe can be improved however is the reputation for bad calls. I know for a fact that it's possible. That's how it was where I came from, and from what I hear, it's still like that. There the mods are trusted like anything.
_____________________
Aodhan's Forge shop at slurl.com/secondlife/Rieul/95/213/107
|
|
Pal Platini
Bodyart
Join date: 15 Jun 2004
Posts: 108
|
07-27-2006 10:53
From: Finning Widget
Presuming, for the sake of argument, that I know the details of the exploit, and that I know what Cristiano Midnight posted to the forums.
I presume that what he was reporting was not something that he alone had come up with. I presume that he was reporting an exploit that other people had developed and was already in the wild - I can infer this from some other people's comments. I can also infer that he made a limited description of part of the steps that were used.
So, what he posted - was it a detailed description of how people can /protect themselves/ and their extant builds /against/ the people who are pulling this exploit?
Was it /necessary/ for people to understand how the exploit /works/ in order to protect themselves and their extant builds from people pulling the exploit?
I've worked computer security - these two principles are at the core of "To disclose or not to disclose". Are you posting something that will give script kiddies (clueless malignant users) a head-start on exploiting the bug? Is what you are posting more useful to script kiddies than to legitimate users? Or are you posting detailed instructions on how people can protect themselves and their builds/boxen/investments? Do the legitimate users need to know the details of the /exploit/ to carry out the protective measures? Do the legitimate users need to know the details of the exploit in order to believe your word that the requisite (burdening) steps are necessary, or will they /simply trust you and your reputation/ when you tell them "Storm is on the way, batten down the hatches with steps X Y and Z" - ?
Further questions to answer are: Have you contacted - in an acknowledgeable way (with real, /human/ response from a knowledgeable/skilled point person) the vendor of the product that has the exploitable bug? Have they acknowledged that it's a real security problem? Have they set a person or team to working on the problem? Got a ticket number? Got an ETA? Does the vendor have a reputation (professional reputation) for fixing acknowledged security exploits quickly and with due diligence? Or, do they have a reputation for sitting on (easily discovered, or in-the-wild) security exploit reports for months and failing to do anything until public disclosure shames/forces them?
Once you do decide to perform public disclosure, do you have a workaround/fix that you've developed? Or is the disclosure a public call with the possibility of someone else in the community developing a fix/workaround? Or is this simply a hands-thrown-up public call to withdraw from using the exploitable product due to the damage an in-the-wild exploit will cause to users and the impossibility of an independently developed fix and the unresponsiveness of the vendor? This last reason is:
A: The tack of last resort.
B: Only to be taken if the vendor has a professional history of unresponsiveness.
C: Real valuable items are at stake (intellectual property theft, code theft, computer security, work product theft, money, goods, services) that /cannot conceivably be replaced under any process/. For computer security reasons, "downtime" (denial of service) isn't considered to be one of the "irreplaceable things" - downtime happens. More time is just around the bend. Privacy, once undone, can never be redone.
Linden Labs has made public that their ToS will be interpreted in the broadest possible sense. That means that any level of detail on how to go about performing any exploit on any of their forums will earn the person involved disciplinary action, regardless.
Was his suspension /just/? Probably not. Was it /expectable/? Probably. Did he respond to the exploit in the /best possible way/? Probably not.
I - in his shoes - would have:
A: Not posted the discussion/linked to a discussion in the forums for the details of how the exploit works.
B: Reported it to Linden Labs and received acknowledgement that action was being taken, and attempted to get an ETA for a fix, or their advice for a workaround.
C: Posted a warning on the forums that a given exploit existed, was being used in the wild, and that /because of LL ToS/, details of the exploit aren't available on the forums but that the /best/only/ defense for that exploit that has yet to be discovered is steps X, Y, and Z.

Excellent post! I think Chris felt compelled to let us know exactly how urgent it was that we secure our property immediately. Yes, perhaps he gave a tad too much info about the exploit.. but I think given the circumstances it was absolutely justified! Knowing full well how LL usually moves on things & it being quite late in the US, without a doubt, he did what was necessary to provoke us that were available into protecting ourselves against a possible catastrophe. I didn't even have SL installed on my machine at the time. No intention of logging in until after the next update. But after seeing his post I was logged in and setting my property to group access only, within minutes. Then it was mere minutes before I couldn't refresh his thread in the forums. And minutes later, LL had closed login and were on it. This surely could've gone in the opposite direction. I have rarely been so angry with LL about any one thing as I am over Chris' suspension. His intention with the thread was clearly a "desperate times..." thing. In general, I think suspending a paying customer is just bad business.
|
|
Shiryu Musashi
Veteran Designer
Join date: 19 Nov 2004
Posts: 1,045
|
07-27-2006 11:19
Signed and seconded.
|
|
Finning Widget
No Ravens in my Mailbox
Join date: 27 Feb 2006
Posts: 591
|
07-27-2006 11:46
From: Pal Platini
Excellent post!
I think Chris felt compelled to let us know exactly how urgent it was that we secure our property immediately. Yes, perhaps he gave a tad too much info about the exploit.. but I think given the circumstances it was absolutely justified!
Knowing full well how LL usually moves on things & it being quite late in the US, without a doubt, he did what was necessary to provoke us that were available, into protecting ourselves against a possible catastrophe.
I didn't even have SL installed on my machine at the time. No intention of logging in until after the next update. But after seeing his post I was logged in and setting my property to group access only, within minutes. Then it was mere minutes before I couldn't refresh his thread in the forums. And minutes later, LL had closed login and were on it.
This surely could've gone in the opposite direction.
I have rarely been so angry with LL about any one thing, as I am over Chris' suspension. His intention with the thread was clearly a "desperate times..." thing.
In general, I think suspending a paying customer is just bad business.

I don't know his intent. I've never had to report a bug to LL when my own property/rights/stake were on the line. I've been in situations before where I knew that the only way justice could be served was to bend/break the rules and accept the punishment that came with bending/breaking the rules, in a society where I had deep personal investment of time, capital, resources. But, being a paying customer is not a license to bend/break the ToS. Linden Labs is very clear that - despite how arbitrary or unfair they can be - the ToS are applicable to everyone, regardless, and will be interpreted in the broadest possible way. Justice is blind. Within the ToS, what happened to Cristiano /is/ just. He agreed to the stipulations of the ToS, like everyone else. Much of the LL ToS /isn't/ just by outside (my) standards - they can suspend or remove your account at any time for any reason and take all of our money and time and effort and declare bankruptcy and according to the ToS, we have jack-all-rights - nothing we could do unless some obscure "unable to waive your rights by contract, implied duty/warranty to the customer" law is invoked, /outside the scope of the ToS/ but which LL is still beholden to (US federal law, maybe? I dunno). /Outside/ the system of the ToS, it was /not just/, IF he was acting as a case of last resort (Linden Labs acknowledged the exploit but was failing to act in an appropriate timeframe to handle it) AND the level of detail he gave was necessary in order to persuade the maximum number of people (i.e., he couldn't have done so on his reputation alone) AND/OR the level of detail was necessary for people to implement/create a workaround. Whether he could have convinced the maximum number of people on his reputation alone is unknown to me and likely unknowable to anyone (Can't experiment on the past).
The level of detail he gave was seemingly unnecessary for people to implement a workaround (He could have said simply: The best solution is to set all your objects to group-only for the time being, whatever). Whether the level of detail he gave could have given script kiddies a head start on locating detailed descriptions of the exploit, or to work it out for themselves: whether it actually did or not is ultimately unknowable, but the rule of thumb for computer security is that /there is always a zero-day exploit/ - and that even if you stop all /known/ sources of zero-day exploits, /there is always a zero-day exploit/. Meaning: Someone will use what you post to figure it out on their own. Whether the level of detail he provided was useful in persuading people to implement a workaround: Unknown and possibly unknowable. People certainly are persuaded to take action if they think a threat is credible, but in order to persuade knowledgeable, well-intentioned people that X is a credible threat /publicly/, one also inherently persuades knowledgeable /bad-intentioned people/ that X is a credible threat. This is the important part. It's so important that I'm going to restate it. If you succeed in persuading good people that eXploit X is a credible threat in a public forum, you've /also/ persuaded /bad/ people that eXploit X is a credible threat. Inside the system of the ToS, his actions - not just. Outside the system of the ToS - it is impossible for me to know if his actions were just or not, since I know neither his intention, nor the level of due diligence he pursued before publicly disclosing, nor whether LL has a professional reputation of sitting on exploits until forced to do so by public disclosure. Now, when I say "professional reputation", I don't mean democratic or popular consensus.
I mean there's a professional organisation whose sole purpose is to grade the quality of customer /bug report/ exploit prevention service of Linden Labs (and/or other MMORPGs), they keep statistics on all the bug reports they hand in, they have a membership of bug reporters who report to them discovery time, report time, resolution time, etc. for reports and they produce a detailed breakdown of categories and grade their performance over time and as compared to some standard. AFAIK, no such organisation, report, and grading system exists.
|
|
Myradyl Muse
Mermaid
Join date: 21 Jun 2003
Posts: 50
|
07-27-2006 11:51
Signed.
|
|
Leena Khan
Lasting Impressionist
Join date: 21 Apr 2004
Posts: 200
|
07-27-2006 11:51
Whoops! I pressed yes, not no. I think it was unjust.
_____________________
SL was down, and all I got was this stupid signature...
|