Welcome to the Second Life Forums Archive

On hacked accounts

Rael Delcon
Registered User
Join date: 23 Nov 2006
Posts: 86
05-02-2007 08:00
Hi there. We have been reading lately of accounts being hacked and money being stolen. Just a quick browsing and you'll find the most recent ones.

24 February 2007 /165/f8/168093/1.html
11 March 2007 http://www.secondlifeherald.com/slh/2007/03/simones_account.html
28 April 2007 /327/f9/180266/1.html

You will note that the dates are too close to not have at least a suspect that something is wrong.

I was talking yesterday with a resident that was even afraid to speak in public chat after he lost all that he had on his account (and land stolen as well) approximately in the same period. He was sure he was being spied on.

Given that the only 100% safe security system would be not connecting at all ( :) ) and that the obvious way to hack an account is to install a trojan/rootkit/keylogger into the victim's computer using phishing or other hacking methods, I started thinking about which risk I was exposed to using the SL client and how to avoid that.

Just to play safe, I use a credit card with a limit of $100 and my L$ credit is always in the range of $50 or so; stealing from me won't make anyone rich :).

I change my passwords using a different computer and a different ISP and then watch for any sign of attempted password reset or so.

Not trusting entirely the firewall/antispyware/antivirus etc, I regularly scan myself from a different IP to check how I do appear from "outside".

No installations of untrusted software, latest security patches always applied, mail secured, etc.

That said, let's assume that the SL client is the only weak point and that the server security is not compromised (otherwise there's very little we could do).

One weak point I thought of is media stream. To play music or video my SL client will connect directly to the streaming server without going through the LL servers. Would a bug in the SL client's player be discovered, a malicious server could try to execute arbitrary code on my machine.

Also, in connecting to a third party server I'm disclosing my IP address to someone other than Linden Labs, exposing myself to a DOS or a "man in the middle" attack (I can't remember if the SL communications are encrypted).

So, no media for me, thanks.

For the same reason no clicking on urls and, as an added measure, no clicking from a third party site into SL (SLURLs).

SLX and similar services are great, but giving them access to my in-world funds seemed like adding an unnecessary risk to me: I would have to worry about someone hacking their servers too! I'll do without.

The next candidate is the permission scheme. Again, if there's an exploit to circumvent those, we are lost, but if we trust it works, I will never authorize a llGiveMoney() to a third party object. Anyway, this is a risk for money but not for the account password.

The same goes for LSL. If there's a bug somewhere or there's some undocumented way to access the AV inventory you could lose items (but, again, no risk for your password).

I feel much safer considering that the source code has been published and scrutinized by the community; if any major flaw were there, it should have been discovered and corrected by now.

Did I miss anything? Is there anyone running on tighter security?

Rael Delcon (in a paranoid mood)
Ylikone Obscure
Amatuer Troll
Join date: 24 Jan 2007
Posts: 335
05-02-2007 08:11
Those are some good security measures... another thing that makes me feel a bit safer is running SL on my Linux system. Linux doesn't really have any viruses or spyware, so I am not afraid of anyone spying on me. The Linux SL "beta" client works well.
ForestMist Skjellerup
Sculptor
Join date: 6 Dec 2006
Posts: 57
05-02-2007 08:44
I think this is just a repeat of what's been said already, but to say it in a slightly different/additional way- Be very very careful about what you rez in SL! It's only a matter of time 'til we find many viruses and trojans in objects waiting for victims. No doubt they exist already, but will increase extremely in future, I expect.

Hey, programmers for the open-source client- it would be good to start creating anti-virus software for in-world; money to be made!
AWM Mars
Scarey Dude :¬)
Join date: 10 Apr 2004
Posts: 3,398
05-02-2007 09:58
One of the first decisions we (EML Entertainments) made, when we thought about creating media controllers/screens etc. in SL, was that we will not become content providers. People may be tempted to buy players with content already 'locked inside'.
Our sister company WBA do make content which is streamed from our dedicated servers, for our clients contracts. We take steps to make sure that it is as safe as it can be using the SL method.
Now, we sport a new form of technology that hides textures and urls from the 'average' spy, by using encrypted data sent to the client from a secure server. Neither the texture nor the url shows up on the media tab in About Land.

Furthermore, each purchaser of a system is given a secure website account to login and enter their urls that will play on their coded screen, which can be located in game in a matter of seconds. It's not perfect, but it is a lot safer than the current exposed version.
_____________________
*** Politeness is priceless when received, cost nothing to own or give, yet many cannot afford -

Why do you only see typo's AFTER you have clicked submit? **
http://www.wba-advertising.com
http://www.nex-core-mm.com
http://www.eml-entertainments.com
http://www.v-innovate.com
Parker McTeague
dubious
Join date: 28 Sep 2004
Posts: 198
05-02-2007 10:15
those measures seem pretty reasonable, and might work for most people, though i'd have a hard time doing all of them. as a seller, i'd be giving up a lot to go without the third party sites or by not giving any object permission to take my money. and although i don't listen to streams often, being at a party where everyone is listening to the same music has something to be said for it.

really, the only computer that's safe is one that's unplugged. when you start compromising your enjoyment for the 0.014% chance you'll get your account stolen, you're just missing out.
_____________________
low prim, modern houses from Park Life!
visit my store at Deco 148, 148
blog: http://parklife.5pointstudio.com/