Clickable Culture   Official Research Blog of Phantom Compass
  ‘Second Life’ Grid Downed By Yet Another Attack  
Posted 2005-12-13 by Tony Walsh
The virtual world of Second Life was taken down today in the latest round of a series of deliberate attacks launched late this year. Each global incident has resulted in considerable headache for developer Linden Lab and its resident customers, starting with a spectacular "grief-bombing" in October. That incident denied service for around 3 hours, whereas an attack late in November was contained in under an hour using a giant firewall. After the firewall incident in November, Linden Lab announced it would be bringing future denial-of-service attacks to the attention of law-enforcement agencies.

Today's attack occurred at around 6:30pm Pacific time, resulting in the surprising (but temporary) loss of some resident-created architecture and objects. As of around 7:30pm the virtual-world grid was shut down by Linden Lab while the company tinkered under the hood. At the time of this writing, Linden Lab announced the grid was expected to be restored from backups by 10pm Pacific time. Some residents have reported that an attacker attempted to crash the grid last night with a self-replicating object, but botched the programming. Looks like today's attack might have been yesterday's script-kiddie with better code. Of course, "better" is a relative term here...
 
  10 Comments  
 
Comment posted by Prokofy Neva
December 13, 2005 @ 1:16 am
     
Sigh, parking my cashout in the queue with hundreds of others with the exact same idea, and the Linden continues its tumble...
 
Comment posted by Tony Walsh
December 13, 2005 @ 2:25 pm
     
The Police Blotter shows that a resident who carried out a global attack yesterday was suspended for 14 days:

Terms of Service: Global Attacks
Monday, December 12, 2005, in the region of Ambleside. Global attack - Suspended 14 Days

I assume this is the same person who perpetrated last night's attack. I am rather surprised that a 2-week suspension was deemed an appropriate penalty for a grid-wide attack. No wonder it keeps happening; the punishment is a mere wrist-slap. If this had happened in World of Warcraft, Blizzard would have banned the offender without thinking twice.
 
Comment posted by Secureplay
December 13, 2005 @ 3:27 pm
     
The question may become whether Second Life is sustainable - has it become both sufficiently popular and known to be vulnerable to attack that it will be able to continue?

I understand that there are a lot of free/intro accounts; if so, the ability to credibly ban malicious players will be low.

Steve
http://www.playnoevil.com/ blog
http://www.secureplay.com/ corporate
 
Comment posted by Tony Walsh
December 13, 2005 @ 4:19 pm
     
Second Life's vulnerability has less to do with its population and more to do with the fact that Linden Lab's scripting language enables users to create malicious code. Crashing the entire grid is not even difficult--it's just not allowed according to the TOS...despite the fact that the code itself permits it.

It's pretty difficult, although not impossible, to join Second Life completely anonymously--every member is going to leave some sort of trace; at most this is their credit card number, and at least this is their email address. Lack of anonymity is one security measure Linden Lab has at their disposal (banning people could be done easily by credit card number, email address, or other data field)--crash the grid, get turned over to the authorities. Or, as we've recently seen, crash the grid, and be suspended for 14 days. Lame.

In order for Linden Lab to beef up security, they'd have to have a dedicated security team constantly looking for and correcting exploits. They'd have to code into Second Life a number of stop-gap measures. After one attack, they took away the ability for objects to create other objects (hope I got that right), which crippled the work of legitimate programmers. Another way to beef up security is to strongly deter attacks by promising strong action against attackers and then following through publicly. Crash the grid, get beheaded.

With Second Life's influx of free basic account-holders, the chances of attack are increased. One reason is that getting something for free doesn't instill respect for that item. Another reason is that the total number of potential griefers increases in proportion to the total population.

So, in summary, Second Life's security problems are fairly easily dealt with, and therefore Second Life is sustainable in that regard. However, if Linden Lab continues to let their world be attacked, it's going to turn customers away eventually.

Second Life has other sustainability issues that are completely unrelated to security. It is currently operating at a loss, which indicates a failure in whatever business model it was founded upon.
 
Comment posted by csven
December 13, 2005 @ 4:30 pm
     
Agree with you, Tony. And for an example of pseudo-anonymity on the net, check today's news on the Wikipedia biography that got so much attention this past week. Dude just lost his job over it. Talk about bad timing.

Anyway, Linden Lab could track them down. But once they do, they have to do something worthwhile when it happens. A simple suspension, if that's all s/he got, is lame.

btw, what's with the comment spam, Steve? It seems to me to be a bit rude, but then if Tony is cool with it, maybe I should add http://blog.rebang.com to all my posts from now on. That cool, Tony?
 
Comment posted by Tony Walsh
December 13, 2005 @ 4:42 pm
     
I'm not too bothered by Steve's sig, csven. It is unnecessary, and even a little redundant (considering users already have a built-in link under each of their comments), but he's genuinely participating in the discussions here, so I can let it slide. I have deleted comments by some users who don't really do anything but pimp their own stuff, but I don't see Steve going there. I wouldn't fault you for adding URLs to your sig as well. It doesn't seem too productive, but hey, to each their own.

Incidentally, Steve's sig URLs each contain a space, and therefore result in a 404 error. Not like that's helping any search engine rankings :)
 
Comment posted by Secureplay
December 13, 2005 @ 5:07 pm
     
What is interesting to me is that Second Life didn't really consider the "threat" of malicious scripting... or, perhaps, that it has taken so long to occur.

The ease of creating free accounts will remove the incentive for responsible play.

If these outages continue or grow, they will definitely have an adverse impact on the world and business (assuming everything else is OK - right Tony?).

It is an interesting question as to how to keep the powerful worldbuilding features of Second Life but balance them with reasonable security.

Sorry for the blog faux-pas... I've only been blogging for about a month.

Steve
 
Comment posted by Tony Walsh
December 13, 2005 @ 5:17 pm
     
Yes, Second Life is secure through obscurity, which is as you know one of the worst forms of security around. Now that there is an influx of new users and instructions for crashing the grid are being circulated, more attacks are probably in store.

You hit the nail on the head here:
"It is an interesting question as to how to keep the powerful worldbuilding features of Second Life but balance them with reasonable security."
I think the best step Linden Lab can take at this point would be a zero-tolerance policy towards grid-crashers. Because the other issues are too complex to work out as easily.

No worries about the signature, it was only a borderline faux-pas :)
 
Comment posted by csven
December 13, 2005 @ 6:23 pm
     
I think LL has considered the threat. I just suspect they figured they would be able to deal with it. But as stated here and elsewhere previously, the free accounts mean an influx of users with nothing better to do than get an account just to crash the world. Or, of greater concern might be what I mentioned some time ago: hiring one-time grid crashers to do the dirty work. It'll come (if it's not already happening on a sim-by-sim basis).

I've been told by a reliable source that one repeat offender was often in There bragging about attacking SL. Whether true or not, this person echoed the statements of others: avoiding or getting past an SL ban was easy. And the client hack of a few months back doesn't help. Now if some of their users had a monetary interest in seeing There increase in popularity...

Anyway, personally I'm puzzled but not much surprised by the lack of a zero-tolerance policy. LL hasn't shown itself to be particularly good in dealing with people.
 
Comment posted by Prokofy Neva
December 15, 2005 @ 9:56 am
     
Philip already went to the FBI with names, he announced yesterday:
http://www.dragonscoveherald.com/blog/index.php?p=1050
 
Copyright (c)1999-2007 in whole or in part Tony Walsh.