
An Open Letter To Linden Labs and All Second Life Players




sirhc DeSantis wrote:

Well harsh responses or not, the part where the OP says '...  and since lightning rarely strikes twice, transferred my REAL trove of lindens to the recently attacked avie...' strikes me as - hmmm better not say:) Let's settle for foolish, especially as this would have been done after, by OP's account, having the hijacking reported to the Lab...

Also, why would an 'attacker' set the password back so the OP could get into the account to do so anyway?

This is the difference between random chance, nature, and crime.

First: chance is chance so yeah, might not hit twice.

Nature is not chance - so actual lightning very much likely will hit the same general spot many times. If it hits there, it hits for a reason.

And lastly crime; acts based on what it can most easily do. If you find a place easy to burgle, chances are you will burgle it again. There's a person I know in RL whose house has been robbed three times thus far. He's a white dude in Oakland living just into the hills (the upper middle class area) and who doesn't know any of his neighbors (so the community views him as a stranger). The company that runs his home security just hits the reset button when an alert goes off (they did that on 2 of the robberies), he often sets travel bags by the car when going out, as if he was going on a trip, and police in Oakland only go to a place if there are black people they can shoot at or Occupy protestors getting in the way of the business district: otherwise they just show up later to do paperwork. So the smarter folks rob his neighborhood, and not others - because if you call the cops, the thief still has two hours on the clock to finish working.

That's a bit like SL. Abuse Reports can sit for days. Nobody knows the 'cops' here (the lindens), people often don't watch out for each other very much, folks get desperate to use an account, and people do things that put themselves at risk.

- The attacker here spammed a link.

They know a LOT of people will just click it.

They know LLs will take forever to act.

They know people will likely try to use the account again.

That LLs locked it before they robbed it again is actually against expectation. I'd say, if the thieves had been smarter, they would have quietly logged into the account once every few hours to see if there was any new stuff to steal.

 

- But this attacker stole the account rather than rob it, so I guess it makes sense to assume they would not return. However failing to presume LLs would lock the account was flawed. Especially as it was an illegal account to begin with.

 

No one deserves to be a victim. But don't take active steps to make oneself into a target. Don't set your bags by the curb like my friend when just going out for lunch (don't click random links), get to know good people, recognize that criminals very much DO return to the scene of the crime if the crime was easy (*), and don't set out while already on the wrong side of the rules.

 

(*) If you read the docket of the criminal courts in many major cities - about 2/3rds of it will be the same crime, at the same location, with the same arresting officers, and often the same pack of criminals.

Possession with intent to sell, heroin or cocaine in San Francisco, in a 2-3 block area between City Hall, the Federal Court House, The old UN building and a major Law School, and a subway exit. That's like 70% of all crime in my city. Lightning might not hit the same exact spot on the hour every hour for decades - but crime does. The actions of bad actors are so predictable it's almost comedic...

 

Link to comment
Share on other sites

Dres, I am not sure why you seem to think that I am suggesting that she continue to circumvent the ToS. I am not: in my very first response here I concluded by saying she needed to use a new account. There is nothing in the ToS that precludes the transfer of transferrable items from the old account to the new, which is the most that I suggested she do.

 

I also think that you may be assuming that my expression of surprise about the harshness of the response here was particularly aimed at you. I WAS somewhat surprised at how little sympathy you seemed to exhibit for the OP's situation, but I was not particularly singling you out -- as I think you'll see if you read it.

 

Again, I did not suggest that what happened wasn't her fault, or that LL owes her a restitution. And I certainly did not say that she should continue on her merry way doing it again.

 

What I did say -- and continue to think -- is that the tone of many of the responses to her predicament was unnecessarily harsh and unsympathetic.

Link to comment
Share on other sites

I want to just throw in some food for thought here.

There is a very good reason why LL does not allow you to transfer an account without their permission.

When you allow someone to access your account, that person, and in this case the OP, has not entered into the legally binding contract with LL that is known as the TOS.  In other words, they have no contract with LL.  And while perhaps it would be extreme case scenarios there are very real and viable legal liabilities that can come into play.

What we have again is a case of people forgetting that rules and laws apply to the Internet also.  And you know, it's a constant problem in SL.

The OP has not "innocently" accessed SL.  The OP has done what people seem to do constantly on the Internet.  They assumed something was OK just because it was on the Internet.  They failed to ask the question, "is it really OK for you to give me this account?"   We joke a lot about "it's just the Interwebs," but some things actually are serious.  I can just see a Judge's response if I used "It was just the Interwebs" as a defense for not reporting all my income when I did my taxes on the Interwebs.

All of the above does not mean that I am without mercy.  And I know SL is not as important as filing my taxes.  But people sometimes just assume too much.

Link to comment
Share on other sites


The person who really needs to contact LL is the owner of the account, the person who created it.  Dres is correct, you cannot "transfer" an account to someone without LL's permission.  However there is nothing in the TOS that prohibits a person from allowing someone else to access their account.  What is stated is that the owner of the account is held responsible for any or all actions committed with the account.

If the account is locked, the only person who can get it unlocked is the owner.


 I agree..the only person who can get the account unlocked is the owner....wasn't disputing that fact. My question was with a bit of investigation using the tools at hand, couldn't she find out where the money went? Granted, it's probably a fake ( like the mumbia prostitute poster) account that was deleted as soon as the funds were transferred, but it's something at least. That was where I was going, my friend.

Next question....Would the my.secondlife.com website even work if the account is locked?

I hope that makes some kind of sense....

Link to comment
Share on other sites


Perrie Juran wrote:

I want to just throw in some food for thought here.

There is a very good reason why LL does not allow you to transfer an account without their permission.

When you allow someone to access your account, that person, and in this case the OP, has not entered into the legally binding contract with LL that is known as the TOS.  In other words, they have no contract with LL.  And while perhaps it would be extreme case scenarios there are very real and viable legal liabilities that can come into play.

What we have again is a case of people forgetting that rules and laws apply to the Internet also.  And you know, it's a constant problem in SL.

The OP has not "innocently" accessed SL.  The OP has done what people seem to do constantly on the Internet.  They assumed something was OK just because it was on the Internet.  They failed to ask the question, "is it really OK for you to give me this account?"   We joke a lot about "it's just the Interwebs," but some things actually are serious.  I can just see a Judge's response if I used "It was just the Interwebs" as a defense for not reporting all my income when I did my taxes on the Interwebs.

All of the above does not mean that I am without mercy.  And I know SL is not as important as filing my taxes.  But people sometimes just assume too much.

Not only that, but a lot of items are sold in SL with either no-transfer permissions or licenses which don't allow full perm transfers even if they are full perm.  In which case, allowing someone to take over an account with such items in that account's inventory not only breaches LL's ToS but also bypasses the restrictions set forth by every single merchant that sold the original account holder those non-transferable items.

...Dres

Link to comment
Share on other sites


LaskyaClaren wrote:

Dres, I am not sure why you seem to think that I am suggesting that she continue to circumvent the ToS. I am not: in my very first response here I concluded by saying she needed to use a new account. There is nothing in the ToS that precludes the transfer of transferrable items from the old account to the new, which is the most that I suggested she do.

 

I also think that you may be assuming that my expression of surprise about the harshness of the response here was particularly aimed at you. I WAS somewhat surprised at how little sympathy you seemed to exhibit for the OP's situation, but I was not particularly singling you out -- as I think you'll see if you read it.

 

Again, I did not suggest that what happened wasn't her fault, or that LL owes her a restitution. And I certainly did not say that she should continue on her merry way doing it again.

 

What I did say -- and continue to think -- is that the tone of many of the responses to her predicament was unnecessarily harsh and unsympathetic.

Perhaps I was a bit defensive... I, also, wasn't trying to single you out, though I can see how it came off that way.  As for my apparent lack of sympathy, I simply didn't express those feelings, at least not in any sort of adequate way.  But then, I wasn't originally addressing the part of the first post to which I felt sympathetic... perhaps I should have... a spoon full of sugar and all that.

...Dres

Link to comment
Share on other sites


Dresden Ceriano wrote:

Perhaps I was a bit defensive... I, also, wasn't trying to single you out, though I can see how it came off that way.  As for my apparent lack of sympathy, I simply didn't express those feelings, at least not in any sort of adequate way.  But then, I wasn't originally addressing the part of the first post to which I felt sympathetic... perhaps I should have... a spoon full of sugar and all that.

...Dres

Perhaps so was I. And I do need to watch my tone sometimes.

NVM. It's all good. :-)

Link to comment
Share on other sites


IsabelleGalapagos wrote:

  1. Gee, thanks for all the help, support, advice and understanding. I truly appreciate the lack of nitpicking, snarky commentary, or general rudeness in response to my horrendous, nightmarish experience.  It's nice to know one can go through hell and have such wonderful people at your side. 

 

 On a more serious note, the original post was meant as a cautionary warning for those who might fall into the same trap I did. NOT a KICK ME WHILE I'M DOWN sign, so get WAY off your high horses...

 If you've been playing games for a while you should know how forums go.

Link to comment
Share on other sites


Madelaine McMasters wrote:


LaskyaClaren wrote:


Tarina Sewell wrote:


LaskyaClaren wrote:

Hmm. Yeah.

I have to admit that I'm a little surprised at how harsh the response has been here.

 

 Are you really? You must be new.

Eh. Not exactly.

She's just a slow learner!

You can tell, because I have to keep repeating.

Link to comment
Share on other sites

Okay, I'm going to ask - you say your friend gave you an avatar set up in her/his name, but passed the email address, passwords to you so you could play in SL. What, if anything, has this said friend said or done regarding their avatar's account? Has it crossed your mind that you may have paid for something you have done to hurt, embarrass, humiliate them and this is nothing more than cold hard revenge. After all, they have all the details, they could go into your account, transfer all funds, spam attack your friends (including them so as not to be the odd one out) and then quietly hand everything back to you. 

 

Link to comment
Share on other sites

This scam was exactly what happened to me...... minus the transfer of lindens thing, and shared SL accounts and the change of passwords by the hackers - but the scam you speak of. 

I was offered a link to marketplace from a close friend, who I had just a couple minutes previously, been talking to about her latest creations in her marketplace store.  So when I got the link from her, and misread it in my haste, thinking she was just showing me a product, I clicked,  and in that second, I had no doubt to think that it was going to cause so much stress and hassle.  Unbeknownst to me, she had also been hacked seconds previously, as she too was offered the link by another friend of hers - only it wasn't a marketplace link, and neither was the link I was sent. 

The word marketplace was spelt a little different by one letter exchange, but I didn't notice it at the time, and the page it directed me to, looked remarkably like a marketplace page, but showed an error message.  I went back to SL, but I was logged out, and within seconds my account had been locked, and drained, all my friends and groups spammed, and had been sent a lot of angry IMs from some group owners.   Oh, and I did get an email (remember I am the original account creator, so it came to me) from LL saying my password had been changed....which was why the hackers were able to keep me out  for a while, and access my AV.  The hackers did not, and could not, re-change that password again, as the account was locked as soon as there was something amiss in SL with the amount of Lindens that were being bought and transferred out of my account....and also due to the immediate phone call I placed to LL.

Unfortunately for me, the hackers had also managed to work through the system somehow, and my RL bank account was attacked and funds removed through buying and transferring out Linden dollars.   It took a load of calls, and a few weeks of hassle, but it all was sorted, and both the bank, and LL restored my funds in full. 


A friend in that time, posted my issue on the forums - and I was pretty much told I was not telling the truth about it all, and that I was at fault and should have known better.  It was rather harshly done I felt, when I could log on to see it.  It all sounded rather 'fishy' from the readers' points of view, and the details of what happened were taken apart and questioned negatively - when all the details posted were absolutely true.  When I got back in, I posted a defence, accepting that I had made mistakes, in clicking the link in the first place, and in the end, resigned myself to just taking the harsh views of people on the chin.  The readers pointed out things they felt hadn't and couldn't have happened - but it did.  I thanked them for their help anyway, and gave up.  Sadly, this is just the way of the world now.  Nobody trusts anybody now, it seems.

This was not a scam I was aware of, prior to it happening to me - and I was blissfully unaware of it, and its speed of spread and attack.  Yes, I had made a mistake in not reading the link properly - but - it was just that - a mistake.  I don't frequent the forums every day, as I am too busy in world, or in real life.  I take note of in-world warnings, official and ones filtering through my groups, but I am sure I am completely unaware of the many scams happening in SL right now.  All I can do is, from now on, read links carefully and be aware of who is sending them.  It's just hard when a friend that you speak with every day, apparently sends you a link on a subject you'd been discussing, and you mis-read it.  I think you can only be careful now and live in hope it doesn't happen to you.

 
I actually don't know why - but I am kinda surprised that this exact scam is still circulating.  I was told by LL that it is a known group of hackers that they were looking to stop, and I later found out that the money both in RL and SL went into Italian based accounts.  This doesn't actually mean that the accounts are in Italy, given global technology, but I would have thought something could have been done about this as it's been several months.

After I had spoken to LL, my account was restored to me, and I was able to change the password, and I 'collected' my AV from an Italian Sim, naked, with a party hat from my inventory on her head.  Part of me was most alarmed at that - sort of felt like a violation - the final insult type of thing - but the other part of me thought they really must have loved my shape to want to see her naked!  Lol!


In SL, as the manager of a group, it is very much within the group's interest to immediately block troublemakers and spammers.  This is not something people should take personally.  They didn't know you weren't spamming as it indicates that it is coming directly from you.  My own method is to message the person a couple days after they have been removed, and check that they weren't the victim of hacking.  My IM is polite and to the point, and on a couple rare occasions I have had people thanking me and apologising profusely about it all, and begging to come back.  However, if they spam again - they are gone for good, no more chances.  I was actually really surprised at the language used in IMs to me, from some of the groups.  It was both rude and unnecessary.  

What I recommend you do, in order to restore your groups, message them from your AV and explain the situation.  That's what I did.  Some of them accepted my story - I even directed them to the  posts in my IM to them - and they said how sorry they were, warned their group members of the hack, and then let me rejoin the group - others were not so charitable, and so I decided that I didn't need them in my SL anyway.

Hackers will always hack accounts, and people will always click without thinking anything.  It's just how it goes. 

 If things happen to you - your first port of call - if you are the original account holder - is to phone LL and talk to them for guidance and advice.  If you aren't the original account holder - as soon as you can - get them to contact LL.  As for your lost Lindens.... I doubt there is anything you can do, other than have the original account creator to call up LL and say they sent a password reset email to a now inactive account, as after the hacking you created a new email, and closed the old one, and could they resend the email to XYZ@Bleugh.com email account instead.  Then if they do send an email, you can reset the password again, and hopefully regain your account. 

 

I wish you luck - and don't let these experiences put you off SL.  It's a wonderful world out there, with a lot to offer.  Don't let the hackers win.

Link to comment
Share on other sites

I remember the thread.

None of us here will deny that there are Phishing Schemes going on in SL.

That is extremely well documented.  In fact, I am one of the people who was originally very involved in documenting them.

Really, almost from day one for me on the Internet I have been aware of Phishing Schemes designed to get my password.  Fake E Mails claiming to be from my bank.  Fake E Mails telling me my Credit Cards had been compromised and asking me to log in to spoofed pages where I would input my account name AND PASSWORD.  I've probably seen hundreds of them.  And read a lot about them.

But I have never read or heard of anywhere before that the mere act of clicking a link was all it took for a hacker to obtain someone's password.  Not in the way I've been reading here.  If this is documented somewhere I can't find it.  Maybe it is possible, but I hope you can understand my skepticism.

Cause you see, as someone pointed out in the other thread, if someone is able to gain access to your account simply by getting you to click a link, then we have a very serious security flaw in SL.

 

 

 

Link to comment
Share on other sites


Jinnywitha Cleanslate wrote:

A friend in that time, posted my issue on the forums - and I was pretty much told I was not telling the truth about it all, and that I was at fault and should have known better.  It was rather harshly done I felt, when I could log on to see it.  It all sounded rather 'fishy' from the readers' points of view, and the details of what happened were taken apart and questioned negatively - when all the details posted were absolutely true.  When I got back in, I posted a defence, accepting that I had made mistakes, in clicking the link in the first place, and in the end, resigned myself to just taking the harsh views of people on the chin.  The readers pointed out things they felt hadn't and couldn't have happened - but it did.  I thanked them for their help anyway, and gave up.  Sadly, this is just the way of the world now.  Nobody trusts anybody now, it seems.


I was one of the principal attackers at the time. You were never doubted, your "friend" was. In the world of internet hoaxes things are usually described as happening to someone's "friend" and not to themselves, and the whole description had been unbelievable. Then, after your "friend" started putting up all sorts of personal information about you I eventually decided it was 99% likely that your "friend" was actually your alt. Assuming this was the case, if you had said this right off you would have been believed much more easily.

If you want to be believed you should tell the whole, unvarnished truth or people will start to wonder why things have been varnished. This was an area where SL and RL shouldn't have been mixed. In SL, avatars don't actually have bank accounts; in RL we aren't our own friends.

Oh, and if your "friend" actually was a RL friend? You should really put a leash on them, or give them less information about yourself. And if you find yourself in the same situation again? Just use an alt.

Link to comment
Share on other sites


Theresa Tennyson wrote:


If you want to be believed you should tell the whole, unvarnished truth or people will start to wonder why things have been varnished.

OK, I know this Forum is not a Court of Law, but the way some people post they make things out like things in SL are life and death matters.  Now in this matter there are real life implications, someone can find their bank account drained, credit cards maxed out etc, etc. So it's a bit more serious than a lot of complaints, issues, etc that people post here.

There's a whole concept in law that people swear or affirm to "tell the truth, the whole truth and nothing but the truth."  Many people never stop to think through why it is stated this way, why there are three separate elements stated.

The plaintiffs here have made serious allegations.  I really don't think they understand how serious what they have alleged is.  They are alleging that a Hacker has an ease of access to compromise someone's account that goes way beyond the known ways that Phishing schemes in SL work or how they work in general.  So of course we are going to ask questions.  Especially when the original account of what happened was pure hearsay, "I have a friend, etc," the very way as you stated that most hoaxes start out.

So if the plaintiffs are bothered that we are skeptical, they also need to realise that our skepticism is not without reason.

 

 

 

 

Link to comment
Share on other sites


Perrie Juran wrote:

I remember the thread.

None of us here will deny that there are Phishing Schemes going on in SL.

That is extremely well documented.  In fact, I am one of the people who was originally very involved in documenting them.

Really, almost from day one for me on the Internet I have been aware of Phishing Schemes designed to get my password.  Fake E Mails claiming to be from my bank.  Fake E Mails telling me my Credit Cards had been compromised and asking me to log in to spoofed pages where I would input my account name AND PASSWORD.  I've probably seen hundreds of them.  And read a lot about them.

But I have never read or heard of anywhere before that the mere act of clicking a link was all it took for a hacker to obtain someone's password.  Not in the way I've been reading here.  If this is documented somewhere I can't find it.  Maybe it is possible, but I hope you can understand my skepticism.

Cause you see, as someone pointed out in the other thread, if someone is able to gain access to your account simply by getting you to click a link, then we have a very serious security flaw in SL.

 

 

 

I have seen you write that before it has reassured me like others, but I did make a mental note to check it out. I have finally got around to doing that and unless I am misunderstanding this article from about a year ago is talking about precisely that sort of thing. The link is to an XPI file that runs when you click the link and passes on login details for every site that browser has visited. Also for those that have said well you should have an up-to-date virus checker, well it is only 3 that detected it when the article was written, and of them AntiVir is the only one I have heard of.

This report from the same site seems similar to the skype hacks people were complaining about, in this case they are tricked into installing something they thought was a flash plugin to watch a video and instead install malicious code.

I dunno, what with the news OpenSSL is wide open to hacking for years now, anything seems possible.

Link to comment
Share on other sites


Griffin Ceawlin wrote:

Well, gee, I always click Yes when some site that I visit tells me that I need to update a plugin... :smileyfrustrated:

I am unlikely to too unless the person was very attractive and had sent nude videos before... hehe

But the first report didn't seem to be about there being any request to execute the file. I know I have been to pages before and it is only because I had a firewall running it stopped things running automatically and in that case only 3 antivirus programs detected it as malicious.

 Besides since SSL has been wide open up until now, any complacency from anyone has clearly been misplaced

Link to comment
Share on other sites


Aethelwine wrote:


Perrie Juran wrote:

I remember the thread.

None of us here will deny that there are Phishing Schemes going on in SL.

That is extremely well documented.  In fact, I am one of the people who was originally very involved in documenting them.

Really, almost from day one for me on the Internet I have been aware of Phishing Schemes designed to get my password.  Fake E Mails claiming to be from my bank.  Fake E Mails telling me my Credit Cards had been compromised and asking me to log in to spoofed pages where I would input my account name AND PASSWORD.  I've probably seen hundreds of them.  And read a lot about them.

But I have never read or heard of anywhere before that the mere act of clicking a link was all it took for a hacker to obtain someone's password.  Not in the way I've been reading here.  If this is documented somewhere I can't find it.  Maybe it is possible, but I hope you can understand my skepticism.

Cause you see, as someone pointed out in the other thread, if someone is able to gain access to your account simply by getting you to click a link, then we have a very serious security flaw in SL.

 

 

 

I have seen you write that before it has reassured me like others, but I did make a mental note to check it out. I have finally got around to doing that and unless I am misunderstanding this article from about a year ago is talking about precisely that sort of thing. The link is to an XPI file that runs when you click the link and passes on login details for every site that browser has visited. Also for those that have said well you should have an up-to-date virus checker, well it is only 3 that detected it when the article was written, and of them AntiVir is the only one I have heard of.

This report from the same site seems similar to the skype hacks people were complaining about, in this case they are tricked into installing something they thought was a flash plugin to watch a video and instead install malicious code.

I dunno, what with the news OpenSSL is wide open to hacking for years now, anything seems possible.

My point here in this thread and the others is that it always took a second act on the part of the user.

I was trying to avoid asking leading questions in this thread.

The original post was they clicked a link to a page.  What I want to know is what they did next. 

Also, I read the article from Hackers News and all they are explaining is how the malicious code is delivered.  Not how it installs on your computer.

Knowing what browser you are using is moot to this discussion, that is info you are sending any ways when you request a web page. 

Yes it sucks to get tricked into entering your info or installing a file.  Even the best and most diligent people get tricked.  I'm not going to come down on a person who got tricked.  But if that is what happened, then admit.  That's my view point.

Link to comment
Share on other sites
