Saturday, September 09, 2006

« UNCANNY VALLEY EXPO: BUTTONPUSHER GOODLIFFE | Main | FASHION VICTIM? (Updated) »

OPEN FORUM: SECURITY BREACH AND TRUE NAMES

Update, 9/13: Here's Tateru's report on the growth spike after the breach.

So on September 6th, according to Linden Lab's official blog, there was a web-based security breach.  Payment information was not exposed, Robin Linden posts there, but potentially revealed were "Second Life account names, real life names and contact information".

Update, 9/10: Sex and security-- this post updated and bumped up to include an anonymous  reader's concerns over this breach.


In other words, for at least a brief time, to unknown individuals, the veil between Second and First lives may have been shorn apart.  Though reportedly no financial information was endangered, true names and details of Residents' real lives may have been revealed.  (To whom, if anyone, and for what reason, if any, still not clear.  Assuming it ever will be.)

How significant is this event to you, as an SL Resident, and how will it impact Second Life as a culture and an economy, if at all?   

Discuss in the Comments of this post.

Update, 8:10PM:  At first, the password reset would require many Residents to call Linden Lab's support line.  There are now Web-based alternatives for restoring your account.  However, before that announcement was made, a reader who wishes to remain announcement wrote in to express their trepidations of even doing that:

"I make my living in SL as an escort. This is NOT the sort of thing I wish to have associated with my real self and would rather lose my account, its money, and the things I have worked pretty hard for, and just start all over again. SL is for many an escape, relaxing, and fun. But having my real self call in about a character who happens to be an escort is not relaxing or fun at all, in fact it’s the extreme opposite for me.

"Yes I know I’m being paranoid about this and they probably wouldn’t even know what my character gets up to in game, and even if they did they would probably be discreet about it, but that doesn’t change the fact of how uncomfortable it would make me.

"While the clothing, objects, and Linden money I have in game at the end of the day are just pixels and 1s and 0s, they do have real world economy value so there is something very real that I may end up losing if this doesn’t get resolved, plus my sentimental attachment to the character, and the time I have put in."

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8341bf74053ef00d834af8ef953ef

Listed below are links to weblogs that reference OPEN FORUM: SECURITY BREACH AND TRUE NAMES:

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Aimee Weber

Just for the record. If my real-life information is published by this hacker and my real-life name shows up as "Wagner James Au," well...

...it's just a coincidence.

*ahem* that is all.

JW Russell

WEll if you consider the LL as "goverment" of Second Life and the in world usernames are your unique inditification "code". The comprimized data has the same value to me as social security information in RL.

So what kind of effects it will have on Second Life and its citizens? I don't know for sure, but could imagine that a lot of people will delete their (paid) account to be sure (at least make the chance that to a minimum) their real identity can be connected to their SL name. This because a lot of people do use SL as an escape from daily life and do things their surroundings in RL wouldn't understand.

The effect on the trust in LL as central place for personal information storage will be as low as it can be for a long time. I think LL need to be an open book to what happened, what information was exactly involved and what measues (strong password requirements is one to mention they toke already!) they toke to prevent it in the future. But still people will be handling LL with less trust as before, especially if some one has his/her RL income from SL.

So if you take the above "conclusions" you can predict a degrade of the L$ value in a short time (I think we go way beyond the 315 L$/USD this time) barrier, because people are cashing out because of the lack of trust or the deletion of their account. And if the low rates stay for a while you will see that prices of (new) products will raise overtime.

All of the above is are my thought i can let wander around while my account is being locked due to a non working security question.

josh g.

The email I received from Linden Labs indicates to me that financial information may indeed have been endangered. I'm more concerned about my credit card information being decrypted than someone attaching my real life name to my SL name.

From the email:

"Q: Should I be concerned that encrypted password and encrypted payment information may have been exposed? Is the encryption unbreakable?

"A: We use an MD-5 hash (scramble function) and salt (additional data) to encode passwords and payment information, an industry standard technique that is commonly regarded as difficult to defeat. However, no hash or encryption is unbreakable, given enough time and computing power. If you believe that you may be the victim of credit card fraud, you should contact your credit card company. If you use your Second Life password on other websites, online services, or any other services, you should change the password on that service as well. You can find additional tips for protection of your identity online at http://www.privacy.ca.gov/sheets/cis1english.htm."

SignpostMarv Martin

My real life info is floating about somewhere anywayz.

But the thing that really bugs me "strong password requirements is one to mention they toke(sic) already!"

A maximum length limit when you're using MD5 hashes (which have been proven to be relatively easy to brute force compared to SHA-1 btw) is not a strong password requirement.

It bugs the shit out of me that I'm not allowed to have a password with a complexity that I'm comfortable with, when instead I'm forced to try and fudge said level of complexity into a 16 character length string.

Ariel Jakobovits

Is anyone in LL or the labs of SecondLife hearing these comments? They make a lot of sense.

Relee Baysklef

I was kinda surprised by it, but personally I'm not worried.

Some folks are, which is a shame. Most people don't realize what danger they're in whenever they go online, irregardless of how many precautions they take. Any kind of reminder will send them down a fear spiral.


One last interesting thing, people who took advantage of LL's new 'anybody can join' policy and used a fake email address to set up their account, just lost it.

Without the secret password or the payment information, Linden Labs has no way to determine who owns an account.

Gwyneth Llewelyn

Well, I could imagine that LL will now add a line or two to ToS making very clear that in no way they will respect your privacy, or provide a reasonably effort to keep your RL data safe and secure...

No, wait! They can't do that :) Actually, according to both US and EU legislation, and a very large agreement between the US and the EU called the "Safe Harbor", there are strict regulations that guarantee how your RL information is used by a company. Read the following: http://www.export.gov/safeharbor/

One particular point that is required reading:

"Security: Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction."

We can safely assume that Linden Lab not only did that (a hacking attempt is a hacking attempt; there are no 100% secure systems), but will continue to do that in the future.

Or else:

"Under the Federal Trade Commission Act, for example, a company's failure to abide by commitments to implement the safe harbor principles might be considered deceptive and actionable by the Federal Trade Commission. This is the case even where an organization adhering to the safe harbor principles relies entirely on self-regulation to provide the enforcement required by the safe harbor enforcement principle. The FTC has the power to rectify such misrepresentations by seeking administrative orders and civil penalties of up to $12,000 per day for violations."

Now, the web site listing all companies registered to the Safe Harbor initiative is down, but one could reasonably assume that Linden Lab would commit to that initiative. What this means is that, unlike what was claimed, it is hardly likely that "Most people don't realize what danger they're in whenever they go online, irregardless of how many precautions they take. Any kind of reminder will send them down a fear spiral."

Not to appear condescending or paternalising, but the regulations of what it means to reveal personal data that you entrust to a company totally contradict your argument. In effect, your right to privacy is even one of the rights guaranteed by the UN Declaration of Human Rights, which says, on its Article 12:

"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."

So, yes, your privacy is supposed to be guaranteed. When you entrust a company with your personal data, you trust that they'll keep it safe. The relationship we have with Linden Lab is that they are pretty good at keeping our RL data safe. As a matter of fact, they did a rather good job — this was the only breach in over 3 years of operation, and they immediately proceeded to close down all the holes.

I agree with JK that indeed this "trust" was violated, but not by Linden Lab directly, just by someone (hopefully with the FBI knowcking at their physical door) who has deliberately attempted an intrusion to get access to RL data, who knows for what purpose. Now, Linden Lab has indeed done a "more than reasonable" attempt to keep the data safe. You can see that on their ToS — they guarantee you your privacy. You can see it on their CS: publishing RL data without anyone's consent is a major offense that will get you banned. And so on. This is the correct attitude of a company that is, indeed, commited to privacy.

So, I would even imagine that when all our RL data goes public one some mysterious website one day, due very likely in not a long time, things will be interesting. In theory, citizens of 26 countries (at least) could directly complain. I imagine that a case in court where you can potentially have 650,000 witnesses :) wouldn't have a chance in getting this particular culprit out of jail for a long, long time :)

Personally, I would not believe that "doom is to come". Very likely, people will create new alts with fake data to Linden Lab for a while, just because they distrust LL for a few months. The L$ will not dramatically fall — rather the contrary, its value has even slightly increased. People will not close the door and go away — what's the point? After all, the damage is done already! If someone had access to your RL data — so what?

Remember, think a bit about this guy. He's now laughing behind a closed door (not suspecting that the steps outside are not his neighbour walking the dog, but the FBI...) and looking at the hilarious things he has found out. Like the fact that George Bush is, in fact, playing as a hostess at the Barbie Club. Or that the Queen of England has an account and plays a samurai and regularly chops heads off at the Samurai Island. So funny! But now comes the big dilemma. Should he publish this data?

The very moment he does that — and remember, this guy has resources and is devilishly cunning — a big red arrow will pop over his head and say [CRIMINAL HERE!], since he has now violated so many laws in so many countries at the same time that it'll take an hour for a judge to read all his offenses. Do you seriously think that our culprit would do that? :)

As a matter of fact, I can imagine that this guy is now desperately trying to offload his bomb to some cleverly disguised sites. It'll stay underground. It'll never be too public — remember, all the FBI needs is a clue on where the data is being read/viewed, and they can lock in to the weakest point. Imagine an underground hacker culture that will post their findings on their internal websites. All it takes is one eager SLer to say out loud "hahahahaha I always knew it, Gwyneth Llewelyn is actually a 50-year-old lorry driver that never completed high school!" — the next minute, *he* will be the focus of the FBI's attention. They will be VERY interested on how he got access to that data. And, believe me, it won't be hard to get the whole story out of him — giving the FBI access to those "underground sites" and see what's going on there. It'd just take a few weeks to uncover the whole thing.

No, very likely, our culprit is going to stay low, laugh out loud for days and days, comment it (probably on face-to-face) to some *very close* and *totally trusted* friends what he has done, and, if he didn't do it already, convert all those L$ he had access to into US$, through fake accounts. And then he'll simply delete everything (since all passwords were changed anyway) and stay low. Very likely, he wouldn't even have had the time to do all that in just a few days; LL was pretty quick to patch the holes and lock the accounts.

Does this mean that my RL data is still safe? No. Somewhere, someone has had access to it, and I have to live with that. Will that data "go public"? I'd say, it's rather unlikely, unless this guy is particularly stupid. From his modus operandi, one would conclude that he has been everything *but* stupid. He has proved a point. He might have been engaged into a personal vendetta. But most likely — we will never know.

Crissa

Honestly, if you don't want your name known - don't ever use it. There's nothing stopping someone else from knowing, breaking, or otherwise finding out your name through other parties.

LL can only do so much to hide your identity, but really, if you're doing something you don't want known... Don't do it.

gabymymoump

Presenter BEN AFFLECK wore a three-button streamlined tropical weight wool tuxedo by Giorgio Armani. The satin lapel was designed with a high notch to complement the white classic collar shirt and white silk satin necktie.
http://helwigkirk.007gb.com

Post a comment

If you have a TypeKey or TypePad account, please Sign In.