Preview Second Life 1.12.1.4 on the Beta Test Grid Now!
Friday, September 8th, 2006 at 7:03 PM by: Joshua Linden
Cribbing from Torley’s post about .3, here’s the scoop on .4:
In preparation for next week’s planned release, Second Life 1.12.1.4 is once again open on the Beta Test Grid. PC and Mac versions are up. You can see what’s been improved by logging in and using Help menu > Release Notes. Please feel free to come in, report any bugs you find, and help us make the Second Life experience better for you and all who live, play, work, and dream in our world.
We’ve started updating the beta test grid’s account info to match the main grid (per Torley’s post); the most recent snapshot was at Friday 4PM SLT. This means if you’ve reset your password on the Main Grid before then you’re golden. If you reset your password after that point, you’ll need to wait until we refresh the preview database.


September 8th, 2006 at 8:04 PM
Just great, you guys just forgot one thing, the fact that for people who aren’t recognized as having, or do not have a security question currently set you have locked them out of Second Life, and we have absolutely no recourse until Monday, Until today I was contemplating getting a premium account again, but now I vow that LL will not get another cent from me and urge others to make the same vow as LL clearly has no problem denying us service arbitrarily, and no I do not think that the immediate security of accounts and information that has already been compromised makes up for the fact that you locked out thousands of the very customers who are paying your salary, I may decide to try to get my pass back Monday I may not, either way though LL has a lot to answer for on this, I would hope that Philip would at least apologize for the inconvenience of this, and I mean an apology from him, not the boilerplate, I know my inbox is waiting for that.
September 8th, 2006 at 8:16 PM
Maybe I was a bit harsh in my last post, however the fact that this is not the first time that LL has done something for the good of the community and caused huge issues, and this is less an issue I think of LL doing the wrong thing by voiding the passwords, if anything they did the right thing, but this at least shows that LL needs to rework the password response system.
My apologies for posting as a comment on this thread, however the main post on the subject is no comment, hmm, odd considering that these commons are supposed to be a good back and forth point with the lindens in replacement of the forums.
September 8th, 2006 at 9:16 PM
No teen sims up yet.
September 8th, 2006 at 9:47 PM
My profile notes are blank in the new version. Is that deliberate or an error?
Anyone with worthwhile info in their profiles notes might want to back them up on their machine just in case.
September 8th, 2006 at 10:32 PM
The preview page gives the link http://secondlife.com/knowledgebase/?page=Preview+Release+Notes for the release notes. That is incorrect (at least at this moment), you really want to go to this link to read them:
http://secondlife.com/knowledgebase/article.php?id=191
I believe this article requires login.
September 8th, 2006 at 10:57 PM
What LL did resetting people’s passwords, as annoying as it was, is the only responsible thing they could have done in the situation.
Rather than flame them about it, I’d suggest making suggestions to them:
1) Maybe being able to receive email at your established email address could be enough in the case your password is blanked to reset? Especially if you have no question set for whatever reason?
2) I would recommend NOT storing unencrypted passwords. Period. It’s not necessary, and well, this is one of the potential results of doing it. MD5 hashes are just fine and secure, and very hard to break even if they are ripped from a DB.
3) Alternately, or in combination, having the webserver send password requests to an authentication server that only accepts authentication requests and returns “yes/no” responses, and handles password changes.
Then if you get a compromise you can just roll back any password changes made during the compromised period, or blank just those passwords, and you ought to be fairly safe.
And I must say I’m very happy to know that LL keeps our credit card info in a separate DB. Way too few companies take that sort of precaution.
September 9th, 2006 at 3:59 AM
I agree with WhiteFire’s remarks above. I am very surprised to discover LL still saves account and password information in unencrypted form.
The whole security question system is worthless for most users. These should not be random questions, but only one question you can make up your own. I have no idea anymore if I picked a question and if so, what question that was. Besides that, it already locked me out after 3 times. Not 5 as stated in an e-mail or on the website somewhere.
But what bothers me the most is the fact they do these kind of things on a Friday and do NOT offer any support whatsoever in this rare event until the next American business day. Given the fact that probably half the SL population is from outside the US and thus having different timezones, most of us probably first noted it on the weekend. And won’t be able to call given the fact they also have other things to do. At least my boss won’t be very pleased if I started to call long distance for a silly password. Not to mention people that hardly speak English are forced to deal with that also now.
There are about 281,000 active users and about 4,000 still seem to be online (Saturday). So the support will probably have to deal with about 276,000 phone calls about passwords next week. My guess is, that they will have lots of angry customers soon if they do not provide another way of dealing with your password quickly!
September 9th, 2006 at 4:50 AM
Quoted for reference:
“Linden Lab reported today that it is notifying its community of a database breach, which potentially exposed customer data including the unencrypted names and addresses, and the encrypted passwords and encrypted payment information of all Second Life users. Unencrypted credit card information, which is stored on a separate database, was not compromised.”
—
First off, a big thank you to LL for taking the initiative and time to notify the users of the SL security breach. Too many companies think of themselves first and their customers second, and some feel that the customers don’t need to know about these kinds of data intrusions, unless they become forced to disclose it. Hopefully, more laws will be enacted to empower consumers and give them more control in matters concerning their private data that has or may have been stolen. Again, thanks to LL for doing the right thing where so many others don’t.
I do have a few concerns. The uncompromised but separate database contained “credit card information.” Shouldn’t a user’s private credit card information be encrypted, especially if the database was connected to the Internet? Any sensitive data should be encrypted and access to it controlled by some means, IMO. I’m also confused by the explanations about the specific data compromised or not compromised. You have a breached database that includes “encrypted payment information” such as credit card numbers, in relation to another uncompromised database with unencrypted “credit card information.” My question would be what is the specific data definition between “payment information” and “credit card information?” Thanks.
September 9th, 2006 at 6:43 AM
Reading carefully what they said, the “Unencrypted Creditcard information” was on separate computers. What was on the database was encrypted version of the Credit Card that was hashed and salted. It is but a matter of time before someone can figure out the key for all the numbers.
But if that is really what is happening, who knows. I have searched for Zero Day Exploits for both WordPress and vBulletin and can find nothing. Last exploit was August 20th. I want to know what is being done to catch the hacker and secure the data? Are the FBI involved? This is a Federal crime and Visa says they have no information on any issues with LindenLabs. I want my personal data secured, not left out there to be passed around the Internet as the latest useless password file to show how LindenLabs security was broken. My name, address, credit card, birth date and mother’s maiden name. What more would an identity thief want?
What is happening???????
September 9th, 2006 at 9:59 AM
Actually, WhiteFire, LL only stores MD5-encrypted passwords (with “salt” so that they’re not totally obvious, but the salt is known and documented). However, anyone using libsecondlife to log in will just need the MD5-encrypted password to enter to an account and, say, relieve it of its L$ :)
What this means is that while the intruder won’t be able to log in using the Second Life *client*, it will be able to use the MD5-encrypted password to access basically everything else, just by writing their own client.
In any case, yes, resetting all the passwords was an excellent idea. It will also have an interesting side-effect — in many cases people will be ashamed to call Linden Lab to retrieve a “secret” alt that they don’t want the Lindens to know — which are used for, let’s put it this way, less legitimate uses. On the other hand, since new alts cost US$10 (unless you’re able to trick the system), this could work well as a deterrent to the multiple-alt-for-griefing-or-abusing-the-system problem — or it may lead to a sudden explosion of paid alts, which is all good for LL
We’re still getting around 10,000 new users per day in spite of everything, after all.
This is rather off-topic, but actually I wanted to thank you guys to get the Mac version operational on the Preview Grid. I’ve managed to successfully log in, and after half an hour or so, being rather impressed with the good performance (it has been the first time since 1.10 or so that the Preview Grid was, once more, considerably *faster* than the main grid, even on spots like Ahern or Nexus Prime — the last few previews were rather disappointing in that regard), I managed to report two bugs, a minor one, and one which is very, very difficult to reproduce (related to alpha textures and the occlusion feature), but which is also present in the main grid. After half an hour of searching I finally found a spot in Nexus Prime where this can be effectively reproduced. We’ll see if you manage to fix it; my impression is that it’s a rather complex one that will only affect people with graphics cards with less than 128 MB of RAM.
Ah yes — and I *just loved* to toy with the “Hacked God mode” tools
They are very, very funny 
September 9th, 2006 at 7:12 PM
Hmm, the Linux preview client complains that there’s a better client available, even though there isn’t…
September 9th, 2006 at 10:22 PM
Sure most people are upset about the inconvenience. The resetting of the PW’s is a logical precaution and response to some blatant fool hacking into LL. If this hacker had time to get most of our real life names and address. Who’s to know what he can then do with it? Isn’t this not the first time someone has tried to hack LL? Hopefully LL has hacker-proof software on their systems. Thankfully, at least it was noticed and something was done to take care of it. Someone in LL is looking out for us.
September 11th, 2006 at 9:09 AM
“Hopefully LL has hacker-proof software on their systems.”
—-
Hacker-proof? What is this mystical thing called Hacker-proof? If something contains code, and is accessible in any way, it can be hacked into/through…
Seriously, having something that is hackerproof is like having something that’s foolproof… you just ain’t gonna find it, because they are ingenious in their work.
The Password Reset, despite the pissing and moaning I’ve heard grid-side, was just about the only option to LL, because of the compromised security. Yeah, it was a pain (I had to wait until the updated measures to recover my secondary account), but it was necessary…
September 11th, 2006 at 10:01 AM
“anyone using libsecondlife to log in will just need the MD5-encrypted password to enter to an account and, say, relieve it of its L$ :)”
Haven’t they heard of challenge-response authentication? It doesn’t do much good to MD5 the passwords in the database if the client logs in using the MD5 itself!
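The point made in this comment and in the earlier libsecondlife comment, as an added example (not Linden Lab's or libsecondlife's code): when the server stores the same value the client sends, a leaked database row works as a login credential. The hardened side shows one server-side mitigation, re-hashing the received token with a per-user salt and a slow KDF, rather than the challenge-response scheme the comment suggests. The class names, the unsalted MD5 token and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os

def client_token(password: str) -> str:
    # Value the client puts on the wire (assumed: plain MD5 hex, salt omitted).
    return hashlib.md5(password.encode()).hexdigest()

class HashEquivalentServer:
    """Stores exactly what the client sends, so a stored row is a credential."""
    def __init__(self):
        self.db = {}
    def register(self, user, password):
        self.db[user] = client_token(password)
    def login(self, user, token):
        stored = self.db.get(user)
        return stored is not None and hmac.compare_digest(stored, token)

class RehashingServer:
    """Treats the wire token as the secret; stores only a salted slow hash of it."""
    ITERATIONS = 100_000  # assumed work factor for the demo
    def __init__(self):
        self.db = {}
    def _derive(self, token, salt):
        return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, self.ITERATIONS)
    def register(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(client_token(password), salt))
    def login(self, user, token):
        row = self.db.get(user)
        if row is None:
            return False
        salt, stored = row
        return hmac.compare_digest(stored, self._derive(token, salt))

def leaked_row_logs_in(server, user):
    """Audit check: does the stored column value, presented as a token, log in?"""
    row = server.db[user]
    leaked = row if isinstance(row, str) else row[1].hex()
    return server.login(user, leaked)

if __name__ == "__main__":
    for server in (HashEquivalentServer(), RehashingServer()):
        server.register("resident", "constructed-sample-password")
        print(type(server).__name__, "leaked row accepted:",
              leaked_row_logs_in(server, "resident"))
```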
September 13th, 2006 at 2:31 PM
When I go to http://secondlife/password, and enter my secondlife name, the site says it will send me an email with instructions how to reset my password, which apparently needs to be done after the safety issue that you had. BUT I DO NOT RECEIVE THE EMAIL!!! Please help! Tried many times, email address (this one) is correct!!!
Mind you, I do NOT delete junk mail! So, that can’t be the reason.
Thanks,
V.
June 5th, 2007 at 11:23 PM
I have first name and last name but the password doesn’t work!
Why?
Therefore I have 12593lindens dollars and now I have 5300
WHAT HAPPENS