Welcome to the Second Life Forums Archive

**Asri Falcone Hijacked (Identity Theft)**

Jesrad Seraph
Nonsense
Join date: 11 Dec 2004
Posts: 1,463
08-10-2005 02:13
From: Selador Cellardoor
I think it's a QED situation: if the password was obtained *before* it was sent to Asri, then clearly the problem did not occur with her.

I think her email account was hacked and the email with the new password was read before Asri got it... or did I miss something ? I think this explains how the fiend was able to get all the new passwords too (just have it sent to the email account, read and delete the mail as if never sent).

Also, why all the talk about the legally-recognized hypothetical value of L$ ? We're talking about breach of computer systems here. In my country the mere attempt of using someone else's systems without consent is a crime punished by 3 years of jail. Double that if you change the password or alter anything.


From: Anshe Chung
I have asked for this long time ago and been turned down :-(

This is clearly a problem asking for a solution. I'll look into this.
_____________________
Either Man can enjoy universal freedom, or Man cannot. If it is possible then everyone can act freely if they don't stop anyone else from doing same. If it is not possible, then conflict will arise anyway so punch those that try to stop you. In conclusion the only strategy that wins in all cases is that of doing what you want against all adversity, as long as you respect that right in others.
Selador Cellardoor
Registered User
Join date: 16 Nov 2003
Posts: 3,082
08-10-2005 03:14
From: Ardith Mifflin
You're missing the mountain for the molehill. That particular datum does not compensate for the abundant evidence that the breach of security is not limited to SL, nor does it make any technical sense when you consider the security measures which SL has in place. Not to mention I find this little anecdote to be suspect at best. How did the other user get the password before her? How does she know that he got it before her? By what channel did this new password supposedly get transmitted to him? To her? The Lindens have previously affirmed that they don't have access to the passwords, and the password itself is encrypted en route. Technically, it is phenomenally more likely that the breach of security lies with the user and not with LL.


Ah, well, if you didn't believe her you should have said. :)
_____________________
Minsk Oud
Registered User
Join date: 12 Jul 2005
Posts: 85
08-10-2005 03:16
From: Jesrad Seraph

From: Anshe Chung

I have asked for this long time ago and been turned down :-(

This is clearly a problem asking for a solution. I'll look into this.


The common problem with IP restrictions is the administration overhead associated with IP changes. For most people on dynamic IPs it would add nothing more than a lock to their ISP, and there will be at least one accessible zombie on most. To keep LL support sane it would have to be restricted to the higher tiers, and probably require clients have static IP addresses.

IMO anyway, a more effective solution would be SL adding support for external cryptographic devices. The simplest of these are USB tokens that perform digital signatures on-token, so the crypto key never leaves the token and can not be duplicated if the user's computer is compromised. Higher-cost variants will also display a code that needs to be manually entered at the computer, to ensure a cooperating human is present.

A security compromise would then require access to LL's servers or a continued compromise of a user's computer while a transaction is ongoing. This level of security is fairly similar to that deployed by banks for high-value customers. Have not kept up to date with the level of standardization of APIs, though I suspect it is getting fairly good. The number of interested customers would be fairly minimal, but the benefits might be worth it.

Chris
_____________________
Ignorance is fleeting, but stupidity is forever. Ego, similar.
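
The on-token signing scheme described in the post above, sketched as an added example (not part of the original post and not Linden Lab code). Ed25519 stands in for whatever algorithm a real token would use, and the `Token` and `Server` types, the account name and the challenge layout are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Token stands in for the USB device (hypothetical type): the private key is
// generated inside it and is reachable only through Sign.
type Token struct{ priv ed25519.PrivateKey }

func NewToken() (*Token, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv}, nil
}

// PublicKey is the only key material that ever leaves the token.
func (t *Token) PublicKey() ed25519.PublicKey {
	return t.priv.Public().(ed25519.PublicKey)
}

// Sign answers a server challenge on-token.
func (t *Token) Sign(challenge []byte) []byte {
	return ed25519.Sign(t.priv, challenge)
}

// Server keeps enrolled public keys and one outstanding challenge per account.
type Server struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(account string, pub ed25519.PublicKey) { s.keys[account] = pub }

// Challenge returns a fresh message binding account, action and a random nonce.
func (s *Server) Challenge(account, action string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	msg := append([]byte(account+"|"+action+"|"), nonce...)
	s.pending[account] = msg
	return msg, nil
}

// Verify checks the signature against the outstanding challenge and consumes
// that challenge, so a captured response cannot be replayed.
func (s *Server) Verify(account string, sig []byte) bool {
	msg, ok := s.pending[account]
	if !ok {
		return false
	}
	delete(s.pending, account)
	pub, enrolled := s.keys[account]
	return enrolled && ed25519.Verify(pub, msg, sig)
}

func main() {
	srv := NewServer()
	tok, err := NewToken()
	if err != nil {
		panic(err)
	}
	srv.Enroll("resident.example", tok.PublicKey()) // constructed account name
	ch, _ := srv.Challenge("resident.example", "login")
	sig := tok.Sign(ch)
	fmt.Println("fresh response accepted:", srv.Verify("resident.example", sig))
	srv.Challenge("resident.example", "login") // next login gets a new nonce
	fmt.Println("captured response replayed:", srv.Verify("resident.example", sig))
}
```

The server stores only public keys, so neither a stolen password e-mail nor a copy of the server's key table lets anyone answer a challenge; what remains is the case the post names, a compromised computer asking the plugged-in token to sign during a live session.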
Selador Cellardoor
Registered User
Join date: 16 Nov 2003
Posts: 3,082
08-10-2005 03:16
From: Jesrad Seraph
I think her email account was hacked and the email with the new password was read before Asri got it... or did I miss something ? I think this explains how the fiend was able to get all the new passwords too (just have it sent to the email account, read and delete the mail as if never sent).


Ok, that sounds reasonable. :)
_____________________
Csven Concord
*
Join date: 19 Mar 2005
Posts: 1,015
08-10-2005 08:16
From: Eboni Khan
I don't have time to read all of this, but in the United States, the justice system does not use case law from foreign governments to establish case law in SL, Hiro. Also, copyright, and IP laws vary greatly from country to country, anyone who has done International Business understands this, so that argument is a strawman argument and doesn't hold up to the light of logic. If you aren't going to use any sort of logic or basic understanding this debate cannot continue.


I don't have time to do anything but tell you to reread my post more thoroughly (and perhaps not in the same casual manner that you apparently read and interpret the ToS). At least the parts you bothered to read and to which you respond.

First off, there's a difference between being aware of another country's solution and using it in a legalistic manner (i.e. citing it as legal precedent or legal reference).

My comment was: "...I think it's a likelihood that rulings outside the U.S. will at least be reviewed." In other words, someone in the U.S. judicial system either has read or will likely read over the solutions to virtual rights in other countries. That's all I said. I did not say "legally reviewed". I did not say "cited". I did not say foreign case law would be used as a basis for SL (or even domestic!) case law. So your comment is meaningless.

Second, I also did not say or even suggest copyright laws between countries are the same (and as someone who has done business internationally, I'm well aware of some of the differences).

My comment was: "And considering that we already share legal concepts and opinions with foreign countries...". Sharing concepts and opinions does not necessarily (or even likely) lead to the same laws. Furthermore, since laws are interpreted within the context of a society, I'd venture that even identically-written laws (assuming the same language was even used) could often have different interpretations depending on the country, the legal system, and the people themselves. So again, your comment implies I said something I did not and would not say and is therefore... again... meaningless.

Since you are unable to even (supposedly) bother to read my entire post let alone do so with comprehension (as evidenced by the above), this discussion for me is over. To use your own words: "If you aren't going to use any sort of logic or basic understanding this debate cannot continue."

I'll just close by suggesting that when you engage in a discussion about legal issues, you refrain from inaccuracies - such as stating "Lindens have no value as stated in the TOS". And in general, responding with meaningless comments because you didn't accurately read and/or comprehend what was written does not mix well with "logic or basic understanding".

And btw, I'm not Hiro.

Good day.
Csven Concord
*
Join date: 19 Mar 2005
Posts: 1,015
08-10-2005 08:28
From: Jesrad Seraph
Also, why all the talk about the legally-recognized hypothetical value of L$ ? We're talking about breach of computer systems here. In my country the mere attempt of using someone else's systems without consent is a crime punished by 3 years of jail. Double that if you change the password or alter anything.


Because Asri was using SL income for RW purposes iirc. Someone commented on the issue and the response was, imo, inaccurate. At some point someone will lose enough virtual currency (convertible to US dollars) that they'll file charges. That is imo more uniquely relevant to SL than the more widely-recognized issue of computer crime. However, the issue of computer crime is also relevant - and at this time more generally relevant.
Canimal Zephyr
Mentally Ill
Join date: 16 Sep 2004
Posts: 705
08-10-2005 08:31
I just wanted to say:

1. wow asri I’m so sorry to hear about what happened to you *HUG*

2. this clearly doesn’t belong in the notices & well wishes forum, any idiot w/ half a brain can see that I don't care how jaded or whatever you are, yes technically it's a "notice".
Technically every forum post can be a notice it still doesn't belong here. & I think it's real sh***y of whoever linden in charge to move it, seeing as this is a huge concern for pretty much the ENTIRE sl community! No matter if they hacked in her comp, email, or got it from LL somehow.

3. Here's what I don't get: How did they transfer the money?? Your av gave the money to either another av, or to GOM, or some online service.
can't LL check the logs for large sums of money transferred? & then see who the account belongs to? & If it's to a GOM ATM talk to gom (or whatever online service)

4. LL - WAKE UP! In the account information we can see who gave us money we can't see who we gave money to. That's stupid. Can't be that hard to fix, maybe the next update you can throw that in there?

Anyway, I'd find some money to get a computer technician or a lawyer or both to help you out with this. Not just people arguing on the forums no matter what big words they use.

Thank you :)
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
08-10-2005 10:53
From: Asri Falcone
unfortunately under the privacy act in sl....LL cant disclose any info on my account nor this person...without a court order , yet when i contact the police they say i need proof from LL about the theft to file charges and to acquire a court order. (which i can not get without the proof) .....see what im dealing with here? :mad:


That's BS on LL's part. It's your account and they are bound by the Freedom of Information Act to release anything about YOU to YOU whenever you request it. If in your file they have the ip addresses of every access to your account, YOU have the legal right to that information. Boo-hiss Lindens!
Gabriel Spinnaker
16052 LSL BYTES FREE
Join date: 21 Jun 2004
Posts: 73
08-10-2005 11:11
From: Aaron Levy
That's BS on LL's part. It's your account and they are bound by the Freedom of Information Act to release anything about YOU to YOU whenever you request it. If in your file they have the ip addresses of every access to your account, YOU have the legal right to that information. Boo-hiss Lindens!
IANAL, but I'm pretty sure the FOIA applies only to government entities. You'd need a subpoena or somesuch to get IP addresses from a private company like LL.
_____________________
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
08-10-2005 11:16
You're probably right about that, but I'm just infuriated over LL's bullcrap that they can't release the information. Hell, THEY should be calling the police directly, not Asri.
Minsk Oud
Registered User
Join date: 12 Jul 2005
Posts: 85
08-10-2005 11:18
From: Aaron Levy
That's BS on LL's part. It's your account and they are bound by the Freedom of Information Act to release anything about YOU to YOU whenever you request it. If in your file they have the ip addresses of every access to your account, YOU have the legal right to that information. Boo-hiss Lindens!


And here I never noticed Linden Labs was a US federal agency. Next thing you know someone will decide they are part of Congress and that the M/PG division violates the 1st Amendment.

Filing a civil suit and getting a subpoena against LL would not be all that hard. In fact it might be interesting to see what a lawyer would think of their refusal to help coordinate with law enforcement; accessory after the fact comes to mind. A few fines would make a lot of companies more cooperative when dealing with their privacy policies preventing the filing of criminal charges.

<edit>Actually that's an interesting thought. Call LL tech support and ask what IP addresses _you_ have logged in from. How on earth would that violate anything in their privacy policy?</edit>
_____________________
Ignorance is fleeting, but stupidity is forever. Ego, similar.
Ardith Mifflin
Mecha Fiend
Join date: 5 Jun 2004
Posts: 1,416
08-10-2005 17:33
From: Selador Cellardoor
Ah, well, if you didn't believe her you should have said. :)


It's not a matter of believing her. I don't believe she's lying. I believe (and rightly so) that she does not have all of the details. From a pragmatic perspective, your assumption that the breach is the fault of LL is utterly ridiculous.
Selador Cellardoor
Registered User
Join date: 16 Nov 2003
Posts: 3,082
08-11-2005 13:48
ok
_____________________
Asri Falcone
THAT B!TCH
Join date: 30 Apr 2004
Posts: 356
08-11-2005 19:21
From: Ardith Mifflin
It's not a matter of believing her. I don't believe she's lying. I believe (and rightly so) that she does not have all of the details. From a pragmatic perspective, your assumption that the breach is the fault of LL is utterly ridiculous.


the details are i had the lindens reset my password while i was on the phone with them being i first suspected it had to be a key logger. i was given the new pw OVER THE PHONE and as i was talking after they had changed it ....as the linden told me the new pw someone was logging in on it!.....explain that.....i was still on the phone when i began screaming at the person on the phone to lock my account again. After that it took 5 days for me to get it back. when i did tada the new sl security breach update.

oh btw: in regards to the TOS stating that lindens have no value ....then why being they KNOW my account was accessed w/o my consent.....and lindens taken off and stolen from me...then why are they still holding me responsible for repayment of 168k of game dev monies that were also taken?....if it has no value and they KNOW what im going through ...wouldnt they waive and not hold me responsible for $500usd+ worth of lindens that according to them have no value whatsoever? :confused:
_____________________
I believe the children are our future...teach them well and let them....wait a second...I dont believe that $hit!! :cool:
Ardith Mifflin
Mecha Fiend
Join date: 5 Jun 2004
Posts: 1,416
08-11-2005 20:19
From: Asri Falcone
the details are i had the lindens reset my password while i was on the phone with them being i first suspected it had to be a key logger. i was given the new pw OVER THE PHONE and as i was talking after they had changed it ....as the linden told me the new pw someone was logging in on it!.....explain that.....i was still on the phone when i began screaming at the person on the phone to lock my account again. After that it took 5 days for me to get it back. when i did tada the new sl security breach update.


As you were speaking with the Lindens, someone was simultaneously logging in with the new password? As in, they were sitting there at their computer waiting for that glorious moment when the Lindens supposedly divulge the new password by phone then, when those glorious letters and numbers were uttered, they immediately (within seconds) logged in to your account? Is that what you are saying?
Asri Falcone
THAT B!TCH
Join date: 30 Apr 2004
Posts: 356
08-11-2005 21:59
From: Ardith Mifflin
As you were speaking with the Lindens, someone was simultaneously logging in with the new password? As in, they were sitting there at their computer waiting for that glorious moment when the Lindens supposedly divulge the new password by phone then, when those glorious letters and numbers were uttered, they immediately (within seconds) logged in to your account? Is that what you are saying?

i was on the phone talking with lindens for 5 mins after they changed the pw.....since we were discussing other matters the pw hadnt been told to me yet.....they changed it when they unlocked the account. and during this convo....this person logged into the account. b4 i had been told the pw....now when i look up someone was on it. now if its my system, either way i hadnt been sent it by email nor told anyone.....hell how could i.....nor had i typed it in for the first time. i hadnt logged in to change it.....i had the lindens change my pw to something crazy....and this linden just came up with something from the top of their head. i just dont understand.
_____________________
I believe the children are our future...teach them well and let them....wait a second...I dont believe that $hit!! :cool:
Selador Cellardoor
Registered User
Join date: 16 Nov 2003
Posts: 3,082
08-12-2005 02:37
Ardith,

<<As you were speaking with the Lindens, someone was simultaneously logging in with the new password? As in, they were sitting there at their computer waiting for that glorious moment when the Lindens supposedly divulge the new password by phone then, when those glorious letters and numbers were uttered, they immediately (within seconds) logged in to your account? Is that what you are saying?>>

Why are you being so unpleasant?
_____________________
Jesrad Seraph
Nonsense
Join date: 11 Dec 2004
Posts: 1,463
08-12-2005 03:13
From: Asri Falcone
i was on the phone talking with lindens for 5 mins after they changed the pw.....since we were discussing other matters the pw hadnt been told to me yet.....they changed it when they unlocked the account. and during this convo....this person logged into the account. b4 i had been told the pw....now when i look up someone was on it. now if its my system, either way i hadnt been sent it by email nor told anyone.....hell how could i.....nor had i typed it in for the first time. i hadnt logged in to change it.....i had the lindens change my pw to something crazy....and this linden just came up with something from the top of their head. i just dont understand.

I think the server automatically sends the new password as email when it is changed. So the perp could have gotten it from your hacked email account during those 5 minutes ?

Have you changed email account in your profile already ?
_____________________
Either Man can enjoy universal freedom, or Man cannot. If it is possible then everyone can act freely if they don't stop anyone else from doing same. If it is not possible, then conflict will arise anyway so punch those that try to stop you. In conclusion the only strategy that wins in all cases is that of doing what you want against all adversity, as long as you respect that right in others.
Sensual Casanova
Spoiled Brat
Join date: 28 Feb 2004
Posts: 4,807
08-12-2005 05:11
Asri is probably one of the worst when it comes to communicating through text so I am going to help her out a bit...

She was on the phone with LL after her account was stolen the first time... after it was reported stolen LL had blocked access to her account and changed her password, so at this time Asri had not logged into her account nor did she know her new password...

LL then reopened her account and chose her password for her... before Asri hung up the phone with LL, the thief was already on her account again and had once again changed her password and moved several of her folders into the trash bin...

Blame whoever you want about this situation, but LL is not the most secure place to invest your money... you can fail PW attempts as many times as you want, LL does not verify who they are speaking with on the phone half the time, (although they may be a little more cautious now)... and everyone already knows your user name, so the thief is already half way in...
Tya Fallingbridge
Proud Prim Whore
Join date: 28 Aug 2003
Posts: 790
08-12-2005 10:01
I am having a hard time with the once the pw was changed again and Asri was on the phone and the only 2 people who knew about the passwords was the Linden on the phone and Asri herself and before she gets off the phone..someone has hacked into her account.. This just doesnt make sense to me. I can not imagine someone waiting and sitting to crack a code...*wonders if anyone lives with Asri* ( something to look into...)
_____________________

Sensual Casanova
Spoiled Brat
Join date: 28 Feb 2004
Posts: 4,807
08-12-2005 10:13
From: Tya Fallingbridge
I am having a hard time with the once the pw was changed again and Asri was on the phone and the only 2 people who knew about the passwords was the Linden on the phone and Asri herself and before she gets off the phone..someone has hacked into her account.. This just doesnt make sense to me. I can not imagine someone waiting and sitting to crack a code...*wonders if anyone lives with Asri* ( something to look into...)


Asri lives with no one with a computer or any interest in SL, in fact she lives with her parents... senior citizens at that... and furthermore, we know who did it, and to be totally technical, this thief is not even in the US...
Csven Concord
*
Join date: 19 Mar 2005
Posts: 1,015
08-12-2005 10:17
From: Sensual Casanova

She was on the phone with LL after her account was stolen the first time... after it was reported stolen LL had blocked access to her account and changed her password, so at this time Asri had not logged into her account nor did she know her new password...

LL then reopened her account and chose her password for her... before Asri hung up the phone with LL, the thief was already on her account again and had once again changed her password and moved several of her folders into the trash bin...


So while Asri was on the phone, she

a) received the email with the password
b) attempted to login unsuccessfully
c) informed LL of her inability to log in
d) was informed by LL that someone was logged into her account
e) was then informed by LL that the account was open and she should try logging in
f) upon attempting to use the password in the email, the login failed
g) was then informed by LL that the password had been reset (?)

{note on f) and g), the password Asri received may not have been sent by LL at all. LL may have sent the new password directly to the hacker who may perhaps have set up an auto-forwarding system that swaps out the password for a fake and spoofs the email address of LL - meaning that the person may or may not even have to log in and change the password. just a crazy thought.}
Sensual Casanova
Spoiled Brat
Join date: 28 Feb 2004
Posts: 4,807
08-12-2005 10:19
From: Csven Concord
So while Asri was on the phone, she

a) received the email with the password
b) attempted to login unsuccessfully
c) informed LL of her inability to log in
d) was informed by LL that someone was logged into her account
e) was then informed by LL that the account was open and she should try logging in
f) upon attempting to use the password in the email, the login failed
g) was then informed by LL that the password had been reset (?)

{note on f) and g), the password Asri received may not have been sent by LL at all. LL may have sent the new password directly to the hacker who may perhaps have set up an auto-forwarding system that swaps out the password for a fake and spoofs the email address of LL - meaning that the person may or may not even have to log in and change the password. just a crazy thought.}


the password wasnt emailed at this time, it was given to Asri over the phone, the Linden, selected her password and told it to her, I was in world at the time... someone else had logged into Asri's account and it was NOT Asri... LL then shut her account down again and was w/o her account for 5 days or so while they "investigated" it.
Csven Concord
*
Join date: 19 Mar 2005
Posts: 1,015
08-12-2005 10:57
From: Cristiano Midnight
I just confirmed with Robin Harper that it is impossible to get a password from customer service by calling them. The passwords are stored as encrypted one way hashes - they do not have access to them even if they wanted to give it to someone. They can only reset the password and send it to the email on file.


From: Sensual Casanova
the password wasnt emailed at this time, it was given to Asri over the phone, the Linden, selected her password and told it to her,...


:confused:
Sensual Casanova
Spoiled Brat
Join date: 28 Feb 2004
Posts: 4,807
08-12-2005 11:03
From: Csven Concord
:confused:


maybe you need to read my other posts, the LINDEN MADE HER PASSWORD, they SELECTED it for her!