The All Encompassing Wave of Doom That Wasn’t

4 05 2009

Eventful weekend.

We had to boot someone from 7Seas. First time we’ve ever had to do this, too. It was someone who had been a long running supporter with Hall of Fame status and constant community participation… AND a long running irritant, due to her tendency to poke and prod at any open communications channel she could find in our gear and release exploits into the wild. A strange combo.

Well, this weekend while doing some routine security scans, I caught her overloading a contest board with blatantly fake fishing scores, from a device named “Cast Confuser”. Yep, a Denial of Service attack. We’re not going to stand for that, so, deletion of game account, shutdown of forum account, booting from groups, public notification of action taken, etc.
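The attack described above works because the contest board accepts score messages from anything that can reach its communications channel. The following is an added example, not 7Seas code and not LSL (the post notes Second Life limits what can be done in-world); it is a generic Python sketch of the checks a board can apply so that fake scores from an unregistered device, spoofed submissions under a real device's name, replays, stale messages and floods are all rejected before they touch the scoreboard. The device registry, secrets, limits and sample traffic are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed registry of legitimate score-reporting devices and their
# shared secrets. Hypothetical values, not 7Seas data.
DEVICE_SECRETS = {
    "rod-0001": b"secret-for-rod-0001",
    "rod-0002": b"secret-for-rod-0002",
}

MAX_SCORE = 1000           # assumed upper bound of one plausible cast
MAX_SKEW_SECONDS = 30      # messages older than this are rejected
RATE_WINDOW_SECONDS = 60
RATE_LIMIT = 10            # submissions per device per window


def canonical(device, account, score, ts):
    """Fixed field order so sender and board sign the same bytes."""
    return f"{device}|{account}|{score}|{ts}".encode()


def sign_score(device, secret, account, score, ts):
    """Sender side: build a score message with an HMAC-SHA256 tag."""
    tag = hmac.new(secret, canonical(device, account, score, ts),
                   hashlib.sha256).hexdigest()
    return {"device": device, "account": account, "score": score,
            "ts": ts, "tag": tag}


class ContestBoard:
    """Receiver side: only signed, fresh, unique, plausible, rate-limited
    submissions from registered devices reach the scoreboard."""

    def __init__(self, now):
        self.now = now                    # clock callable, injectable for tests
        self.seen_tags = set()            # replay detection
        self.recent = defaultdict(deque)  # device -> submission timestamps
        self.scores = []                  # accepted (account, score) pairs

    def submit(self, msg):
        """Return 'accepted' or a 'rejected: <reason>' string."""
        for key in ("device", "account", "score", "ts", "tag"):
            if key not in msg:
                return f"rejected: missing field {key}"
        secret = DEVICE_SECRETS.get(msg["device"])
        if secret is None:
            return "rejected: unknown device"
        expected = hmac.new(secret, canonical(msg["device"], msg["account"],
                                              msg["score"], msg["ts"]),
                            hashlib.sha256).hexdigest()
        # Constant-time compare: a forged tag from a sender that does not
        # hold the secret fails here, even if the device id is real.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad signature"
        now = self.now()
        if abs(now - msg["ts"]) > MAX_SKEW_SECONDS:
            return "rejected: stale timestamp"
        if msg["tag"] in self.seen_tags:
            return "rejected: replay"
        if not 0 < msg["score"] <= MAX_SCORE:
            return "rejected: implausible score"
        window = self.recent[msg["device"]]
        while window and window[0] < now - RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return "rejected: rate limit"
        window.append(now)
        self.seen_tags.add(msg["tag"])
        self.scores.append((msg["account"], msg["score"]))
        return "accepted"


def demo():
    """Run constructed traffic through the board and report the outcomes."""
    clock = 1_000_000
    board = ContestBoard(now=lambda: clock)
    out = {}
    good = sign_score("rod-0001", DEVICE_SECRETS["rod-0001"], "alice", 42, clock)
    out["legit"] = board.submit(good)
    # Unregistered device sending made-up scores under another name.
    out["unknown"] = board.submit(
        sign_score("cast-confuser", b"guess", "bob", 999, clock))
    # Real device id, but the sender does not hold that device's secret.
    out["spoofed"] = board.submit(
        sign_score("rod-0002", b"wrong", "carol", 500, clock))
    out["replay"] = board.submit(good)
    out["stale"] = board.submit(
        sign_score("rod-0001", DEVICE_SECRETS["rod-0001"], "alice", 7, clock - 120))
    # A real device hammering the board: only RATE_LIMIT get through.
    flood = [board.submit(sign_score("rod-0002", DEVICE_SECRETS["rod-0002"],
                                     "dave", i + 1, clock)) for i in range(12)]
    out["flood_accepted"] = flood.count("accepted")
    out["flood_limited"] = flood.count("rejected: rate limit")
    out["board_size"] = len(board.scores)
    return out
```

The caveat a practitioner would raise is the one the post itself hints at: a per-device secret only helps if the device can keep it, and a secret embedded in a scripted in-world object may be readable by whoever holds the object, so the rate limit and plausibility checks are the part of this design that survives a leaked secret.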

My main fear was that this would turn into one of those crazy-ass community rifts, like we’re seeing over in COH over farming. That we’d have to endure people turning on us en masse and rallying behind her martyr’s flag, griefing and hassling and causing problems. That it would be headaches and doom for weeks to come.

Turns out the worst case scenario didn’t play out. We got some “Wow!” “Whoa!” “Holy cow!” when the notice first went up, NOBODY expressed any support or sympathy for her, then they got back to joking and announcing contests and trading fish within the span of 60 minutes. Today, it’s business as usual.

Could it be? An internet based community that DOESN’T get sucked down into a black quagmire of rage and drama over a security incident? That they’d stay level headed, understand what’s going on, then move on with their lives because in the end it doesn’t affect them personally?

I think my hope for humanity just increased a little.

6 responses

4 05 2009

From how Meissa described the situation to me, it sounds like you’ve leveraged your (the developers) good relationship with the community very effectively, partly by being so open in discussing the causes of the difficulties.
That’s good social engineering there. Well done.

4 05 2009

Gah–what an idiot (the booted, not you). I can understand a little the whole ‘white hat hacker’ mentality (test their defenses, before a black hat breaks them and does Bad Things) but as usually happens with that kind, this is *not* the way to go about it. If she wanted to screw with the code like that, she shoulda asked you to set her up with her own private fishing hole to try to break, not go attacking the ‘public/production/live’ code as it were. :-/

4 05 2009

While I (think?) I understand the white hat concept, the line had already been crossed before and we had asked her to stop.
But even if we _hadn’t_ already asked, an attempt to spoof fake scores in the middle of a contest without consent of the participants, the fishing area owner, the game creators, or the innocent people whose account names were being spoofed? Just unforgivably bad.
The effect was a DOS on that particular contest, but I take this more seriously than other types of contest interruptions.
P.S.: I wish we were coding inside an environment that allowed for as much security control as we’d like. Unfortunately, we’re limited by SL’s own limits. So even folks who might imagine they’re “helping” by forcing us to patch… aren’t really helping, because patches aren’t always possible.

4 05 2009

A true white hat tells the vendor of any vulnerabilities first and gives them a reasonable chance to fix the problem before releasing. It doesn’t sound like that happened here, so it’s a grey hat really. A black hat wouldn’t release the vulnerabilities, just use them or sell them.

5 05 2009

As I understand it, information release is meant to force the vendor to patch. But would you consider it white-hat ethical to release info on vulnerabilities that the vendor _can’t_ possibly address? (since Linden Lab isn’t going to bother changing SL…)

5 05 2009

It’s a grey area. One justification could be that publicizing problems like these increases the pressure on Linden to fix them. Another school of thought is that it’s best to assume the black hats already know all the vulnerabilities, releasing them to the public means at least everyone is aware of them now.
On the side of not releasing the vulnerability, the harm of exploits isn’t really borne by the only party that can fix it (or at least it bears only a trivial share of the harm), and the distribution is small enough that security by obscurity might actually have a shot at working.
