Botched Blog Move – Customer Name Security Nil

by Pixeleen Mistral on 07/10/06 at 9:43 pm

Resident masquerade text griefing free-for-all to follow?

by Pixeleen Mistral, Herald National Affairs desk


Ten hours after the Herald found a massive security problem with LL’s new official blog which allows anyone to grab another metaverse resident’s name, Robin Linden voiced grave concerns and said, “We’ll look into what needs to happen to give you name security”. Angry residents such as Jonas Pierterson responded, “The decision to move the blog to a security hole prone third party is reprehensible” and continued, “I will not use the new blog… anything with my name on it is ‘forged.’” Resident fears over the bobbled blog move arise because Linden Lab has a history of taking disciplinary action against those who post to official Linden forums, and has declared the intention to do the same for resident comments on their blog. Herald investigations suggest it is trivial to assume another resident’s identity on the new WordPress blog site, and possible to create account names that appear to have the last name “Linden”. WordPress uses a first come, first served account naming policy, so the fleet of foot are rewarded with any name they like – really good names.

Either by squatting on another resident’s name to lock them out of the site or posting impolite comments, whole new avenues for griefing would seem to now be available to those so inclined. Fushichou Mfume asked, “Why the hell aren’t you requiring some form of authentication/tie to an actual SL user name so that other griefers can’t just change their screen name to spoof somebody else’s SL name and grief you with comments that you supposedly make?” Good question.

Another question is exactly how much planning Linden Lab put into this move, since whole classes of users with WordPress-blocked e-mail accounts – such as Hotmail – are unable to set up accounts at the blog. Those who believe that the move from forums to a blog was an attempt to stifle resident dissent will likely see the move to outsource the blog to WordPress – and leave the SL avatar names behind – as another step down this path.

Since June, Linden Lab has taken a very loose approach to user identity, with essentially wide open, unverified account creation for entry into the metaverse. Some might wonder if the Lab is now suffering from a corporate culture that does not place a high value on resident identity. For many residents, building and maintaining a metaverse identity is the true currency of the game, and these sorts of moves are deeply unsettling.

As the Herald presses roll, and an embattled Linden weekend staff considers how to respond to this latest challenge, I am comforted knowing that my identity on the WordPress blog site is safe in the hands of a certain Unverified Linden who has a fine looking blog and promises not to get me in any serious trouble – at least for now. If you can’t trust an Unverified Linden on WordPress, who can you trust?

7 Responses to “Botched Blog Move – Customer Name Security Nil”

  1. Your Cock On Drugs

    Oct 8th, 2006

    So what?

  2. What do you mean I’m banned?

  3. God

    Oct 8th, 2006

    Stop spamming

  4. GWB

    Oct 8th, 2006

    How does this work?

  5. Prokofy Neva

    Oct 8th, 2006

    Not to confuse anybody with the facts or anything, but even with all these “gaping holes,” LL does have the IPs captured and the look-ups, so they can still see that marker information and match it to whatever information they have already from log-ons or sign-ups — of course it’s always possible to dodge that but I’ll bet it helps them to identify at least a good percentage reliably.

  6. Major Senior

    Oct 9th, 2006

    Yah, more mystical smoke and magic from Linden Labs on their ability to do something useful with the tools they have? Tools so strong they need to join non-Linden groups in order to locate some script? Uhm, why do I feel an overwhelming sense of skepticism here? Sometimes I truly wonder if Prok sees the self-contradictions in its words and actions.

    Reality check, the only things “special” about a system to truly identify it are changeable. The Ethernet card’s MAC address (don’t get all shocked, it’s been a requirement that this be software settable for years since Xerox no longer controls the MAC addresses and it is now possible to have a MAC address collision. That and crap like PLIP, SLIP, etc. don’t even have a hardware MAC, it all comes from software, as do a few USB Ethernet devices), and CPU serial number (easy enough to turn off reporting at the BIOS level, even easier to write some piece of crap software to report garbage/random ones). You can argue this point all you want, but you will find that other larger companies have been fighting this sort of issue for years. aka Microsoft, IBM, Intel, etc., etc. Or are we to suddenly believe that Linden Labs achieved something at the application level that was not feasible to do at the hardware or OS level to properly identify exactly who was using what system?

    As has been pointed out in other venues, people can just jump through an anonymizing VPN, or go drive around using random wireless hotspots. And for web access, there are thousands of anonymizers willing to let you use them as a proxy to access any old web page. IP tracking here is only useful in catching those who pose no threat to begin with. Unless you start physically tracking hotspots with groups of suit and tie guys with sun glasses and special radio gear trying to track down the people, you are pretty much up crap creek. Oh, but let’s not take the rest of the world’s actions and lessons as any sort of indicator, let’s listen to the almighty wisdom of Prok instead.
