An Open Letter To Linden Labs and All Second Life Players

[IsabelleGalapagos]

I have been immersing myself fully into all that second life has to offer, and was thouroughly enjoying myself, until an incident occured last week that has left much more than just a sour taste in my mouth...

I was chatting in the presence of 3 trusted individuals, when a link to marketplace appeared onscreen with a message like "check this out." I assumed it came from one of my friends\family members, but after seeing a sexy bed position, knew that it did NOT come from one of them, as they certainly woudn't send such a thing to my 4 year old avie. I realized it had been a stranger, and only afterwards did someone mention, "Don't click that, it's a trap!" A minute later, i was suddenly kicked off my account. A few emails passed between my friend and i. She, being the original owner of my avie before passing it onto me, recieved an email from the attacker, who changed the password, spammed all my groups, drained my lindens, then changed my password back. I immediately alerted LL of the situation to protect myself and others.

I found myself blamed for other people getting hit with the same spam, sent by my account during that time i was unable to access it, and kicked out of most of my groups. I changed the passwords to all my accounts, created special emails for them,  and since lightning rarely strikes twice, tranfered my REAL trove of lindens to the recently attacked avie. Then, Linden decided to reset the password without emailing me, or by sending an email to a defunct adress and NOT the one I had set up. So now i am locked out of the avie TWO people had invested a fair bit of coin in, cannot access my money, am unjustly villified for someone elses actions, and am so thoroughly disgusted by the way the situation was handled both by the powers that be and by the general public. As someone who has been playing computer games before computers HAD hard drives, this is the kind of experience that makes one question playing games anymore. It's no fun being victimized, and much less when you're on the defensive for being a victim. 

 

 

 

[Dresden Ceriano]

Linden Lab has absolutely no responsibility to restore your access to a nefariously acquired account.  It states clearly in the LL Terms of Service that accounts are not allowed to be transferred to other people unless by written consent of LL and that consent is only given under very limited circumstances.

In other words, unless your friend died, willed their account to you and you cleared it's transfer to you through LL, your use of that account is in violation of the ToS.  Therefore, you have no one but yourself to blame, should you never gain access to that account again.  In fact, if it were up to me, I'd make sure that you never would.

...Dres

[Griffin Ceawlin]

Yeah, you should be more careful. And "as someone who has been playing computer games before computers HAD hard drives", you should know that by now, one would think...

LL did what they were supposed to do, based on YOUR abuse report. They locked the account. How can you fault them for that? Transferring your REAL trove of L$s to that account after the incident? Well, that was just silly and most unwise.

[Senobia Xenga]

---

IsabelleGalapagos wrote:

I was chatting in the presence of 3 trusted individuals, when a link to marketplace appeared onscreen with a message like "check this out." I assumed it came from one of my friends\family members,

I don't know how long you've been in SL, but you said you've been playing computer games for eons. If that's the case, you should realize this assumption was your first mistake. I've yet to see anything in world that sends a message without saying who/what the message was from. Not to say they don't exist - I've just never seen it.

She, being the original owner of my avie before passing it onto me, recieved an email from the attacker,

You said you don't have access to the original email on the account, but it sounds like your friend does. Did she/you check it to see if LL sent an email in regards to the password change?

Then, Linden decided to reset the password without emailing me, or by sending an email to a defunct adress and NOT the one I had set up.

See above.

 

Your only other option would be to have your friend contact LL and pretend it's still her account, explain the situation and ask them for access. Unless you told them about the transfer when you contacted them, in which case you may very well be SOL. Good luck.

[IsabelleGalapagos]

1. Gee, thanks for all the help, support, advice and understanding. I truely appreciate the lack of nitpicking, snarky commentary, or general rudeness in response to my horrendous, nightmarish experience.  Its nice to know one can go through hell and have such wonderful people at your side. 

 

 On a more serious note, the original post was meant as a cautionary warning for those who might fall into the same trap i did. NOT a KICK ME WHILE I'M DOWN sign, so get WAY off your high horses...

[Derek Torvalar]

---

IsabelleGalapagos wrote:

1. Gee, thanks for all the help, support, advice and understanding. I truely appreciate the lack of nitpicking, snarky commentary, or general rudeness in response to
   my horrendous, nightmarish experience
   .  Its nice to know one can
   go through hell
   and have such wonderful people at your side. 

 

 On a more serious note, the original post was meant as a cautionary warning for those who might fall into the same trap i did. NOT a KICK ME WHILE I'M DOWN sign, so get WAY off your high horses...

---

Spare us the hysterionics. Perspective, you need some.

No one 'kicked you while you were down'. They explained why you can't access the borrowed account, something YOU alone are responsible for by breaking the rules. OWN IT!

[Pamela Galli]

A lot of people think these forums are just too lame to read regularly -- but those of us who do, are already aware of this scam, because it was reported here, in this forum.

[Jasmyn Vaher]

horrendous, nightmarish experience... Geez! Where do I have to sign to grant that all the possible horrendous,  nighmarish experiences life can have on hold for me are alike to the one you talk about?...

Ok; what happened to you isn't fun, but horrendous, nightmarish experience?...You are a tad dramatic, don't you think so?

[LaskyaClaren]

Hmm. Yeah.

I have to admit that I'm a little surprised at how harsh the response has been here.

People here are, of course, right in two regards. It is a violation of the ToS to pass an account to someone else without going through Linden Lab first. And it was foolish, obviously, to click on a link without being sure of the sender first.

That said, I can imagine myself stupidly and unthinkingly clicking on a link before I've given myself time to think about what I'm doing. 

I've also known a fair number of avatars who have been passed from one person to another -- yes, in violation of the ToS. It is mostly a pretty harmless practice, unless it is being done to bypass an IP ban or something similar.

I'm also not sure that I understand how the fact that you did so means that you "deserve what you got," which seems to be the message I'm hearing here.

What is certainly true is that the fact that it was not originally your avatar is going to make it more difficult to get it back again. And here, I don't think you can blame LL: they have no way of knowing that you aren't the person who hijacked it in the first place. You're going to need to rely upon the cooperation and hard work of the friend who created the account initially to get it back again, if at all. When and if you do -- create a new account, and abandon that one, after you've transferred whatever can be transferred over.

I'm sorry this happened to you: I don't see any real culpability here -- just a foolish mistake.

I hope it all works out for you. :-)

 

[sirhc DeSantis]

Well harsh responses or not, the part where the OP says '...  and since lightning rarely strikes twice, tranfered my REAL trove of lindens to the recently attacked avie...' strikes me as - hmmm better not say:) Lets settle for foolish, especially as this would have been done after, by OPs account, having the hijacking reported to the Lab...

Also, why would an 'attacker' set the password back so the OP could get into the account to do so anyway?

 

 

[LaskyaClaren]

---

sirhc DeSantis wrote:

Well harsh responses or not, the part where the OP says '...  and since lightning rarely strikes twice, tranfered my REAL trove of lindens to the recently attacked avie...' strikes me as - hmmm better not say:) Lets settle for foolish, especially as this would have been done after, by OPs account, having the hijacking reported to the Lab...

---

Well, yes. I agree. Although I can sort of see how, having newly reset the password, it might feel "secure."

And in a sense, of course, she was right. What she wasn't counting on was LL freezing the account. If you've never seen LL go into action after a serious security breach or ToS violation,  you might not know that this was probably to be expected. 

---

sirhc DeSantis wrote:

Also, why would an 'attacker' set the password back so the OP could get into the account to do so anyway?

 

 

---

That part puzzled me too.

 

 

[CheriColette]

---

sirhc DeSantis wrote:

Also, why would an 'attacker' set the password back so the OP could get into the account to do so anyway?

---

This struck me as very odd too.

And Isabelle...you may not like to hear peoples opinions about your circumstances but they have as much right as you to voice them. 

It is unfortunated what has happened, and you wont be the last person tricked but I know LL are investigating and always lock down accounts while doing so. Your L$ can be traced and may be returned, if not to you then to the original owner of the account. 

I think the advice given to you about setting up your own account is the best thing to do now (if you are aloud) and be more careful in the future. 

[Canoro Philipp]

that sound so illogical that after the hacker change your account, the account was given back to the hacker.

i really hope that Linden Lab is freezing your account temporarly, since the attack involved money, they usually freeze the account of the hacker too and anyone involved, until they clear out the situation.
they may find a way to get your lindens back, and block the hacker from cashing out the money, and probaly IP and MAC ban the hacker.

unfortunately, you are not the only person that has suffer this, and its a security threat that Linden Lab must find out how to block before more people get affected.

i wish you that everything come back as it was. as soon as possible.

[Dresden Ceriano]

---

LaskyaClaren wrote:

Hmm. Yeah.

I have to admit that I'm a little surprised at how harsh the response has been here.

People here are, of course, right in two regards. It is a violation of the ToS to pass an account to someone else without going through Linden Lab first. And it was foolish, obviously, to click on a link without being sure of the sender first.

That said, I can imagine myself stupidly and unthinkingly clicking on a link before I've given myself time to think about what I'm doing. 

I've also known a fair number of avatars who have been passed from one person to another -- yes, in violation of the ToS. It is mostly a pretty harmless practice, unless it is being done to bypass an IP ban or something similar.

I'm also not sure that I understand how the fact that you did so means that you "deserve what you got," which seems to be the message I'm hearing here.

What is certainly true is that the fact that it was not originally your avatar is going to make it more difficult to get it back again. And here, I don't think you can blame LL: they have no way of knowing that 

you

aren't the person who hijacked it in the first place. You're going to need to rely upon the cooperation and hard work of the friend who created the account initially to get it back again, if at all. When and if you do -- create a new account, and abandon that one, after you've transferred whatever can be transferred over.

I'm sorry this happened to you: I don't see any real culpability here -- just a foolish mistake.

I hope it all works out for you. :-)

 

---

You can't be serious.  No one deserves to have their account hacked.  But the crux of this situation is the fact that this person's account was not legitimately theirs in the first place.  Culpability for breaching the ToS lies squarely with the OP... and that culpability is, indeed, very real.  The OP's hands are in no way clean.

What I find most puzzling is that you, among others, would encourage this person to circumvent the system, by asking their friend to pretend that nothing nefarious had taken place on either of their parts, in order for the OP to gain access to an account to which they should never have been given access in the first place.  Surely, LL had, and continues to have, good reason to specifically stipulate that this is not allowed within the massive amount to text which makes up their ToS.

Yet, you've obviously decided that this is one section needs not be subject to adherence and can, therefore, be completely ignored as a "harmless practice".  The very real possibility that someone could find themselves in this very situation should clue you in to the fact that such actions can be anything but harmless.

...Dres

[Perrie Juran]

@ Everyone

There are just so many improbabilities in this post I'd sure want a detailed explanation.

Those of you who've been around know I was very active in warning people about the phishing scemes and how they worked and I hate to say as posted there are too many holes in this story.

For instance, how did the hacker know where to E Mail her friend?

Additionally, simply clicking a link will not give access to a password. So I'd like to know exactly what the OP did. 

I'd like to know exactly how the message was sent to her.

Several other things.

I will allow for something happening, but right now reading this post I am very skeptical.

 

[Charlotte Holmeforth]

Phishing has been going on a long time, not just in Second Life but in Facebook, Twitter, online games, any place on the internet. 

You see a link that looks interesting, it comes from a friend, you click it, you sign on to a page that looks like an account signon on page.  You sign on, and get sent to the real site. A hacker then has your username and password, so they can take your money, and get access to your friend list to spam the same link to everyone you know.

If they don't change your password, you may never know what happened, and they can come back later and do it over again, which why it's a good idea to change your password regularly.

The only thing anyone can do is block your account to make sure you know your account was hacked, and to stop the hacker doing the same to more people.  That's not about blaming the victim, it's about saving more people from becoming victims.

To make sure you don't get caught again:

- make your own SL account, so you get notified if there's any changes
- change the password regularly and don't reuse them
- don't believe any unbelievable offers
- check the spelling of links
- check that a sign on page is genuine and the url starts https:// and has the right certificate
- if you see a sign on page and your sign on is automatic or you're already signed on, it's probably a fake
- instead of following someone else's link, use your own link so you know it's the right place

 

[IsabelleGalapagos]

Thanky you very much for the few genuine, HUMAN responses i recieved!!!

I won't comment on a lot of those replies, because there's a big difference between voicing an opinion, and being absolutely harsh, rude, condescenging and uneccessarily attacking someone... I love that so many comments have left me feeling like I'M the one on trial here, when the only thing i am guilty of is clicking a link I thought came from a friend. No, i guess on the whole it's much easier to savage the victim of an unjustified illegal attack, than to work together and play nice.

Look, i can't claim to know why the hacker changed my password back or what they did while they had access to the account! I don't know the individuals motivations but suspect they figured the account would be closed out due to their spamming. 

 

[Theresa Tennyson]

---

sirhc DeSantis wrote:

Well harsh responses or not, the part where the OP says '...  and

since lightning rarely strikes twice

, tranfered my REAL trove of lindens to the recently attacked avie...' strikes me as - hmmm better not say:) Lets settle for foolish, especially as this would have been done after, by OPs account, having the hijacking reported to the Lab...

Also, why would an 'attacker' set the password back so the OP could get into the account to do so anyway?

 

 

---

Interesting fact, too - if meteorological lightning strikes one place, it's actually quite likely that it will strike that place again.

http://www.weatherimagery.com/blog/lightning-strike-twice/

[LaskyaClaren]

---

Dresden Ceriano wrote:

You can't be serious.  No one deserves to have their account hacked.  But the crux of this situation is the fact that this person's account was not legitimately theirs in the first place.  Culpability for breaching the ToS lies squarely with the OP... and that culpability is, indeed, very real.  The OP's hands are in no way clean.

What I find most puzzling is that you, among others, would encourage this person to circumvent the system, by asking their friend to pretend that nothing nefarious had taken place on either of their parts, in order for the OP to gain access to an account to which they should never have been given access in the first place.  Surely, LL had, and continues to have, good reason to specifically stipulate that this is not allowed within the massive amount to text which makes up their ToS.

Yet, you've obviously decided that this is one section needs not be subject to adherence and can, therefore, be completely ignored as a "harmless practice".  The very real possibility that someone could find themselves in this very situation should clue you in to the fact that such actions can be anything but harmless.

...Dres

---

I think you may be reading a little too much into what I said. I am certainly not "encouraging" people to violate the ToS and circumvent the system; on the contrary, I exonerate LL for having frozen the account, and tell her to make a new one for herself. Ideally, yes, if access to the old frozen account is reinstated, it should be her friend who transfers whatever is transferable over to that new account, rather than her doing it herself.

I think my point here is that, while there are good reasons no doubt for the rules about transferring accounts, we can make a distinction between someone who is doing it for "nefarious" reasons, and someone who was not. And, although as Perrie notes there are some odd gaps in the story here, there is, at the moment, no reason to think that the account was transferred over to enable fraudulent activities. (Indeed, it would be odd to find her complaining here if it had been.) Assuming (as I must, given what I know) that there was no fraud or nefariousness intended, what she did was a venial rather than criminal sin.

So, yeah: transferring accounts is bad practice, and she can hardly blame LL for their actions in freezing her out -- as I in fact said. But, from what we can gleam here, it was a dumb rather than a wicked thing to do. And that, really, was the point I was making, and why I was a bit taken aback by the harshness of some responses.

[Tex Monday]

Let me say that I feel bad that this happened. It's no fun to start a new online experience and have something like that happen. I do agree with Perrie that there are a lot of holes in this story..but, be that as it may, this has happened and it's time to move on to figure out how to solve it.

Something no one suggested, and correct me if I'm wrong, couldn't she go into the my.secondlife.com website, click on transaction history and at least see where the money was transferred to? If the hacker took out all the lindens, it had to go someplace, right? And with that, she could give LL a bit more information.

[Dresden Ceriano]

---

LaskyaClaren wrote:

I think you may be reading a little too much into what I said. I am certainly not "encouraging" people to violate the ToS and circumvent the system; on the contrary, I exonerate LL for having frozen the account, and tell her to make a new one for herself. Ideally, yes, if access to the old frozen account is reinstated, it should be her friend who transfers whatever is transferable over to that new account, rather than her doing it herself.

I think my point here is that, while there are good reasons no doubt for the rules about transferring accounts, we can make a distinction between someone who is doing it for "nefarious" reasons, and someone who was not. And, although as Perrie notes there are some odd gaps in the story here, there is, at the moment, no reason to think that the account was transferred over to enable fraudulent activities. (Indeed, it would be odd to find her complaining here if it had been.) Assuming (as I must, given what I know) that there was no fraud or nefariousness intended, what she did was a venial rather than criminal sin.

So, yeah: transferring accounts is bad practice, and she can hardly blame LL for their actions in freezing her out -- as I in fact said. But, from what we can gleam here, it was a dumb rather than a wicked thing to do. And that, really, was the point I was making, and why I was a bit taken aback by the harshness of some responses.

---

It matters not that no wickedness was intended by the OP's actions... if, in fact, that was actually the case (and I must point out that neither you nor I know of what the actual case consists).  What matters is that you seem to think that there's some sort of distinctive difference between someone willfully violating the terms to which they've readily agreed and someone who was simply too ignorant of those terms to know that what they did was an egregious violation of them.

I'm saying that the terms were violated... period.  And, as a matter of principle, if for no other reason, the ToS should not be able to be circumvented by anyone, no matter how ignorant they are.  I don't think, for one second, that I was being at all harsh for pointing this out.

It's a matter of ethics... something which I previously believed that you possessed in spades.  I simply can't fathom why you're making excuses for some unknown person's misbehavior.

...Dres

[Dresden Ceriano]

---

IsabelleGalapagos wrote:

Thanky you very much for the few genuine, HUMAN responses i recieved!!!

I won't comment on a lot of those replies, because there's a big difference between voicing an opinion, and being absolutely harsh, rude, condescenging and uneccessarily attacking someone... I love that so many comments have left me feeling like I'M the one on trial here, when the only thing i am guilty of is clicking a link I thought came from a friend. No, i guess on the whole it's much easier to savage the victim of an unjustified illegal attack, than to work together and play nice.

Look, i can't claim to know why the hacker changed my password back or what they did while they had access to the account! I don't know the individuals motivations but suspect they figured the account would be closed out due to their spamming. 

 

---

Never once was I rude or condescending toward you nor did I ever attack you.  My reply to you may have seemed harsh given your obviously fragile state of mind... but, unfortunately, that is not something of which I've any control.  I could probably have peppered my responce with rainbows and lollipops, yet still you would not have liked what I had to say.

What you did, namely taking over someone else's account, was wrong, plain and simple.  You may very well not have known it at the time, but ignorance is no excuse.  At this point, your best course of action is to simply forget that account altogether and either move on with the one you're using now or create a new one to use.  Eventually, you will get past this and will have hopefully learned a good lesson from what has transpired.

I wish you the best of luck ...Dres

[LaskyaClaren]

The quality of mercy is not strain'd.

It droppeth as the gentle rain from heaven

Upon the place beneath: it is twice blest;

It blesseth him that gives and him that takes:

'Tis mightiest in the mightiest: it becomes

The throned monarch better than his crown;

His sceptre shows the force of temporal power,

The attribute to awe and majesty,

Wherein doth sit the dread and fear of kings;

But mercy is above this sceptred sway;

It is enthroned in the hearts of kings,

It is an attribute to God himself;

And earthly power doth then show likest God's

When mercy seasons justice.

 

I do like to think that I am a reasonably "ethical" person, Dres.

 

But I also don't believe that laws and rules are ever absolute: they must be tempered with a consideration of possible mitigating circumstances, context, intent, and, yes, mercy.

 

There is a reason why we have sentences set, usually, by human beings -- judges -- and not (usually) applied automatically. (As is probably clear, I oppose mandatory sentencing.) It is so that a human can weigh all of these factors and choose a penalty that is appropriate to the actual circumstances.

 

We are not applying penalties here, but we are clearly judging. Did the OP do something wrong? Self evidently. Does she have a right to complain about the consequences? I have already, twice, said no.

 

But does the fact that this may have been performed in ignorance of the rules, and doesn't (from what we actually know) reflect an attempt to do harm mean that she deserves my sympathy rather than a harsh condemnation? Well, I think yes. Perhaps it is a fault, but I generally try to give people the benefit of the doubt when there is doubt. I don't much feel the need to apologize for that.

 

I am truly sorry if my unwillingness to apply a Draconian interpretation of The Laws here seems to you unethical. But to me a vital part of ethics is compassion and, where it it seems merited, mercy. And until I see evidence to the contrary, I will continue to assume that my sympathy rather than harsh condemnation is appropriate here.

[Dresden Ceriano]

---

LaskyaClaren wrote:

The quality of mercy is not strain'd.

It droppeth as the gentle rain from heaven

Upon the place beneath: it is twice blest;

It blesseth him that gives and him that takes:

'Tis mightiest in the mightiest: it becomes

The throned monarch better than his crown;

His sceptre shows the force of temporal power,

The attribute to awe and majesty,

Wherein doth sit the dread and fear of kings;

But mercy is above this sceptred sway;

It is enthroned in the hearts of kings,

It is an attribute to God himself;

And earthly power doth then show likest God's

When mercy seasons justice.

 

I do like to think that I am a reasonably "ethical" person, Dres.

 

But I also don't believe that laws and rules are ever absolute: they must be tempered with a consideration of possible mitigating circumstances, context, intent, and, yes, mercy.

 

There is a reason why we have sentences set, usually, by human beings -- judges -- and not (usually) applied automatically. (As is probably clear, I oppose mandatory sentencing.) It is so that a human can weigh all of these factors and choose a penalty that is appropriate to the actual circumstances.

 

We are not applying penalties here, but we are clearly judging. Did the OP do something wrong? Self evidently. Does she have a right to complain about the consequences? I have already, twice, said no.

 

But does the fact that this may have been performed in ignorance of the rules, and doesn't (from what we actually know) reflect an attempt to do harm mean that she deserves my sympathy rather than a harsh condemnation? Well, I think yes. Perhaps it is a fault, but I generally try to give people the benefit of the doubt when there is doubt. I don't much feel the need to apologize for that.

 

I am truly sorry if my unwillingness to apply a Draconian interpretation of The Laws here seems to you unethical. But to me a vital part of ethics is compassion and, where it it seems merited, mercy. And until I see evidence to the contrary, I will continue to assume that my sympathy rather than harsh condemnation is appropriate here.

---

The evidence was plainly written out in the very first post to this thread.  It could very well be taken as a confession of the OP's wrong-doing.  I'm all for giving people the benefit of the doubt, when there is any doubt... in this case, there just isn't.

I'm not at all unsympathetic toward the OP for the unfortunate hacking of their friend's account... a fact that I'm sure I failed to make clear.  Instead, my focus has been on the reason why they've no recourse... due to their own action.  That and the fact that some are daring to suggest that they should circumvent the system in order to continue doing what, if they didn't know before, they certainly know now, is the wrong thing to do.

Not long ago, a group of people on the feeds took it upon themselves to help out a girl, whose account was banned for being under-aged, by handing her over one of their adult accounts and encouraging her to hang in there.  A number of these people were people for whom I had a great deal of respect... it boggled my mind as to their reasoning for taking such action.  I see little difference between that situation and this.

Never will I condone such elicit behavior... not even from a friend.  And yet you seem perfectly willing to do so for someone who is seemingly a stranger to you.  I'm sorry... I just don't get it.

...Dres

[Perrie Juran]

---

Tex Monday wrote:

Let me say that I feel bad that this happened. It's no fun to start a new online experience and have something like that happen. I do agree with Perrie that there are a lot of holes in this story..but, be that as it may, this has happened and it's time to move on to figure out how to solve it.

 

---

I know I can be tough on people when it comes to the subject of hacked accounts.  Maybe I am too tough.  But we do get enough "Chicken Little" threads that I watch the details.  And I ask questions.

What we have here is a claim that something hapenned.  With some major holes and a big red flag, how did the hacker get the E Mail address of the friend?  The worst case scenario is that the OP did more than just click on the link but that further actions allowed a keystroke logger to be installed on her computer.  And there is enough of that going on with SLer's who use Skype also that it is a genuine concern.  So the exact details are very important.  It is still possible with the exact details we may not be able to see exactly what happenned. But without them we won't know.

 

---

Tex Monday wrote:

 

Something no one suggested, and correct me if I'm wrong, couldn't she go into the my.secondlife.com website, click on transaction history and at least see where the money was transferred to? If the hacker took out all the lindens, it had to go someplace, right? And with that, she could give LL a bit more information.

---

 

The person who really needs to contact LL is the owner of the account, the person who created it.  Dres is correct, you cannot "transfer" an account to someone without LL's permission.  However there is nothing in the TOS that prohibits a person from allowing someone else to access their account.  What is stated is that the owner of the account is held resposnsible for any or all actions committed with the account.

If the account is locked, the only person who can get it unlocked is the owner.