Archive for the 'Security' Category

We will shortly begin beta testing an age and identity verification system, which will allow Residents to provide a one-time proof of identity (such as a driver’s license, passport or ID card) and have that identity verified in a matter of moments.

Second Life has always been restricted to those over 18. All Residents personally assert their age on registration. When we receive reports of underage Residents in Second Life, we close their account until they provide us with proof of age. This system works well, but as the community grows and the attractions of Second Life become more widely known, we’ve decided to add an additional layer of protection.

(more…)

Did you know that May is Strong Password Month? OK, that probably isn’t true…but maybe it should be. It makes for a swell excuse to remind every member of the Second Life family to think about our password choices.

Is your password easy to guess — like your name? Is it a common dictionary word, perhaps ‘cat’? Maybe it’s time to choose something a little more secure. Add a number, at least.

Beyond that, have you ever shared your password? I know that the person with whom you shared is totally your best friend forever, but since when has forever really meant forever?

Anyway…Strong Password Month is a great opportunity to take a moment to change your password to something way cooler and totally more secure. Celebrate today!

Good day! Many moons back, a portion of Linden’s Community Team developed a project meant to deliver better local governance control to the grid. What does this mean? Many things. For starters: the Estate Level Abuse program, which we’ve been beta testing since January. This was a test designed to allow estate owners to receive and resolve their own abuse reports in whatever way they see fit. No longer subject to Linden’s ideas on how abuse should be handled, estate owners in the test had abuse reports filed on their land sent directly to their email.

Almost 200 regions participated and over 10 Estate Owners were involved in receiving reports. Owners were able to delegate to estate managers how they liked. The response has been good. We’ve received many suggestions on how to improve the program and in the future we plan on releasing the program to the entire grid. So what does this all mean? Read Below:

(more…)

Malleable Messages

Sunday, March 4th, 2007 by: babbagelinden

A couple of months ago Zero talked about the new capabilities infrastructure that has been added to Second Life. The viewer requests capabilities from the simulator and receives a URI which it can use to invoke the capability. When the capability is invoked a proxy maps the URI to a private URI and passes the request on to a web service which processes it.
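The grant-then-proxy flow described above, as an added illustration that is not code from Second Life or Linden Lab: a client is handed an unguessable public URI, the proxy alone knows which private URI it stands for, and a guessed or revoked URI fails closed. The proxy hostname, the `internal://` private URI scheme and the in-memory mapping table are all assumptions made for the example.

```python
import secrets

# Placeholder proxy hostname (assumption, not a real Second Life endpoint).
PROXY_BASE = "https://cap-proxy.example.invalid/cap/"
_cap_table: dict = {}   # constructed in-memory stand-in for the proxy's mapping


def grant_capability(private_uri: str) -> str:
    """Mint an unguessable public URI and record which private URI it stands for.

    The viewer only ever sees the returned public URI; the private one stays
    inside the proxy, so the client cannot reach the web service directly or
    forge a capability it was never granted.
    """
    token = secrets.token_urlsafe(24)          # 192 bits of randomness
    public_uri = PROXY_BASE + token
    _cap_table[public_uri] = private_uri
    return public_uri


def revoke_capability(public_uri: str) -> bool:
    """Drop the mapping; later invocations of this URI fail closed."""
    return _cap_table.pop(public_uri, None) is not None


def invoke_capability(public_uri: str, payload: dict, backend) -> dict:
    """Proxy step: look up the public URI and forward the request to the backend.

    `backend` is a callable (private_uri, payload) -> response that stands in
    for the web service; the private URI is never returned to the caller.
    """
    private_uri = _cap_table.get(public_uri)
    if private_uri is None:
        return {"status": 404, "error": "unknown or revoked capability"}
    return backend(private_uri, payload)


def demo_backend(private_uri: str, payload: dict) -> dict:
    """Constructed stand-in for the web service behind the proxy."""
    handlers = {
        "internal://inventory/rename": lambda p: {"status": 200, "renamed": p["item"]},
    }
    handler = handlers.get(private_uri)
    if handler is None:
        return {"status": 502, "error": "no service for private URI"}
    return handler(payload)


def demo() -> dict:
    """Walk through grant -> invoke -> forged invoke -> revoke -> invoke."""
    cap = grant_capability("internal://inventory/rename")
    first = invoke_capability(cap, {"item": "hat"}, demo_backend)
    forged = invoke_capability(PROXY_BASE + "guessed-token", {"item": "hat"}, demo_backend)
    revoke_capability(cap)
    after = invoke_capability(cap, {"item": "hat"}, demo_backend)
    return {"cap": cap, "first": first, "forged": forged, "after": after}


if __name__ == "__main__":
    print(demo())
```

The security property to notice is that the public URI carries no information about the private one: possession of a capability is the whole authorisation, so the token must be long, random and revocable, and the proxy must never echo the private URI back in an error message.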

(more…)

More phish bait found in Second Life

Thursday, November 16th, 2006 by: Brent Linden

This isn’t a password phishing attempt as far as we can tell, but it does appear to be a pyramid scheme or email spam scheme — neither of which is fun. Please do not visit the following site or give it your Second Life name, password or email address:

Congratulations! You’ve been selected to be eligible for up to $3,500 Lindens. To claim them, please visit: hteeteepee:\\www.undergroundsweepstakes.com (We are in no way associated with the FREE Linden scam that has been going around and we will NEVER ask for any passwords of any kind.)

Note: The web address above has been specifically rendered less linky to protect those of you with obsessive clicking disorder ;-)

The above site not only requests that you complete offers before getting your L$ but also specifically indicates that you must have a valid Second Life account and password in their terms of use … both of which should be red flags!

Subject to our Terms & Conditions, receipt of your gift requires compliance with our eligibility requirements including: age and residency requirements, registration with a valid Second Life account and password, completion of at least one sponsor offer. Only one account per person. Members have 90 days to complete all necessary requirements to be eligible for free Lindens. Available offers will vary and some sponsor offers may require purchases to qualify.

Please treat this as you would a banner on the web proclaiming you’re the 1,000,000th visitor and you’ve won a prize: don’t fall for it :)

Copybot Action

Thursday, November 16th, 2006 by: daniellinden

In the last two days, Linden Lab has received slightly fewer than 100 complaints regarding the use of Copybot by close to fifty individuals. These Second Life Residents have received notices from Linden Lab explaining that the use of Copybot constitutes a violation of the Second Life Terms of Service, and that their actions may put the status of their Second Life accounts at risk. We’re continuing to review various data sources to identify additional Residents who have used Copybot, so that we may extend this warning to everyone who has connected to Second Life with Copybot.

With these notices delivered and the position of Linden Lab in regard to Copybot use clearly established, anyone detected using Copybot maliciously to target individual Residents or damage the community as a whole will be expelled from Second Life.

Never give your Second Life account password to anyone, any site, any telemarketer or any other being (living, dead, undead or “other”) ever. Like, never ever. Never ever ever ever ever.

Have I made myself clear? Good. It’s come to our attention that a number of residents in relatively good standing are spamming open chat with the following:

Hot new LINDEN HACK/CHEAT!! Will give anyone 1 month or older to the game 10,000 L$ FOR EVERY 30 MINUTES SPENT OFFLINE!!! hteeteepee:\\LindenHack.citymax.com\! Limited time hack! Register and start receiving now!

(address above deliberately made less linky to protect you all!)

Do not fall for this blatant attempt to get your password! The site is a password phishing attack. The less-than-scrupulous individual will log into your account, take all your money and then make your account a spam bot.

Phishing sites always ask you for a user name and password, and usually for some other identifying information. They sometimes look like an official site of the organization or company they claim to be working with. However, the web address in the browser’s address bar will usually not match the real site’s address, and any mismatch should make you suspicious.
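A small check for the "look at the address bar" advice above, added here as an illustration rather than anything Linden Lab ships: it pulls the real host out of a URL, compares its registered domain against an allowlist, and flags the two tricks that make a phishing address look right at a glance (a trusted name used as a subdomain of an unrelated domain, and user-info before an `@` that hides the real host). `lindenlab.com` appears on this page; `secondlife.com` in the allowlist and every sample URL are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist: lindenlab.com appears on this page; secondlife.com is an
# assumption added for illustration.
TRUSTED_DOMAINS = {"lindenlab.com", "secondlife.com"}


def registered_domain(host: str) -> str:
    """Last two labels of the host. Adequate for .com-style names; a production
    check should use the Public Suffix List so 'example.co.uk' is handled too."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Return a verdict ('trusted', 'lookalike' or 'untrusted') plus the reasons."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    reasons = []

    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        # 'https://lindenlab.com@evil.example.net/' really goes to evil.example.net
        reasons.append("user-info before '@' hides the real host")
    if host == "":
        return {"verdict": "untrusted", "host": host, "reasons": reasons + ["no host"]}

    on_allowlist = registered_domain(host) in TRUSTED_DOMAINS
    if on_allowlist and not reasons:
        verdict = "trusted"
    elif not on_allowlist and any(t in host for t in TRUSTED_DOMAINS):
        # trusted name appears as a subdomain or prefix of an unrelated domain
        reasons.append("trusted name embedded in unrelated domain")
        verdict = "lookalike"
    else:
        if not on_allowlist:
            reasons.append("host not in allowlist")
        verdict = "untrusted"
    return {"verdict": verdict, "host": host, "reasons": reasons}


# Constructed sample addresses; none of these are real sites.
SAMPLE_URLS = [
    "https://www.lindenlab.com/account",
    "https://lindenlab.com.login-help.example.net/",
    "http://free-lindens.example.net/claim",
    "https://lindenlab.com@evil.example.net/",
]


def demo() -> dict:
    """Classify every sample URL and return {url: verdict}."""
    return {u: classify_url(u)["verdict"] for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:10} {url}")
```

The allowlist approach is deliberately strict: an address that is merely unfamiliar is treated as untrusted, because the phishing messages quoted on this page rely on the reader extending trust to any site that says "Linden" somewhere in its name.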

Just remember: don’t ever give your account password out to anyone!

If you believe you have been a victim of this, please contact support@lindenlab.com immediately. It is strongly suggested that you change your password immediately if you did give it out.

Missing purchased items returning

Tuesday, October 17th, 2006 by: phoenixlinden

The bug causing the occasional missing inventory on re-log has been located and corrected. All new purchases will work as expected. All inventory purchased since 2006-10-11 and before 2006-10-17 18:00 SLT is being returned to the Lost & Found folder in your inventory.

(more…)

Posted in Bugs & Fixes, Security

Security breach update

Friday, September 22nd, 2006 by: Ian Linden

Here’s an update on our investigation into the security breach two weeks ago, and our thinking about what we will do to better protect vital information.

From everything we can see, it looks like the attacker who accessed the SL database was after source code and L$. He did manage to manufacture some L$, and got at least part of the website source. Customer data does not seem to have been a priority, and his access to account information was largely incidental. This wasn’t clear at the time of the intrusion, which is why we took the conservative route and changed everyone’s passwords.

Going forward, our first priority of course is to minimize the likelihood of another breach, and we’re implementing a number of technological and policy changes to this end. However, we’re also taking a hard look at the data we have and how best to protect it if one of our systems is compromised again. Second Life is a complex system and attackers try to break in for a host of reasons - ideally we can make it so someone looking for source code never stumbles upon your address.

In this case, raw credit card numbers were never exposed because they’re kept in a secure back-end “vault” with extremely limited access. We’re going to reduce the amount of customer data we store (do we really need your billing address?), and will move the remaining sensitive bits (passwords, hashed card numbers, L$ balances, etc) into vaults.
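The vault pattern described above, as an added example that is not Linden Lab’s code: the application database keeps only an opaque token, the last four digits and a keyed fingerprint of a card number, while the raw number lives in a separate store that refuses reads from roles that do not need it. The roles, the in-memory `Vault` class and the test card number are constructed for the example. One caveat worth carrying over from the "hashed card numbers" remark: a plain SHA-256 of a card number is brute-forceable because the space of valid numbers is small, so the fingerprint here is an HMAC whose key is itself held in the vault.

```python
import hashlib
import hmac
import json
import secrets


class Vault:
    """Stand-in for the restricted back-end store: raw values live only here,
    and only callers with an allowed role may read them."""

    def __init__(self, allowed_roles=("billing",)):
        self._store = {}
        self._allowed = set(allowed_roles)
        # The keyed-hash secret also lives in the vault, never in the app database.
        self.fingerprint_key = secrets.token_bytes(32)

    def put(self, value: str) -> str:
        token = secrets.token_hex(16)      # opaque, unrelated to the value
        self._store[token] = value
        return token

    def get(self, token: str, caller_role: str) -> str:
        if caller_role not in self._allowed:
            raise PermissionError(f"role {caller_role!r} may not read the vault")
        return self._store[token]


def fingerprint_card(pan: str, key: bytes) -> str:
    """Keyed hash for duplicate detection. Without the key this would be a
    cheap offline brute force over the small space of valid card numbers."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def tokenize_card(pan: str, vault: Vault) -> dict:
    """What the application database keeps: a token, the last four digits and a
    keyed fingerprint. The raw number goes to the vault and nowhere else."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    token = vault.put(digits)
    return {
        "card_token": token,
        "last4": digits[-4:],
        "card_fingerprint": fingerprint_card(digits, vault.fingerprint_key),
    }


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Does the stored record contain the raw number anywhere? (What an auditor
    would check after a database compromise.)"""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits in json.dumps(record)


def demo() -> dict:
    vault = Vault()
    pan = "4111 1111 1111 1111"   # well-known test card number, not a real account
    rec = tokenize_card(pan, vault)
    try:
        vault.get(rec["card_token"], "web-frontend")
        web_read = "allowed"
    except PermissionError:
        web_read = "denied"
    billing_read = vault.get(rec["card_token"], "billing")
    return {
        "record": rec,
        "leaks": record_leaks_pan(rec, pan),
        "web_read": web_read,
        "billing_matches": billing_read == "4111111111111111",
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same split applies to the other items the post lists (passwords, L$ balances): the web tier holds a reference and the minimum it needs to render a page, and the only code path that can turn the reference back into the sensitive value is the one that genuinely has to.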

Posted in Operations, Security

Is Linden Lab really so soft on crime that an account hacker can get a warning or a short suspension, according to the Police Blotter, on the same day that someone simply abusing another Resident with foul language gets a 14-day stretch? The answer, clearly, is no.

We take the strongest possible line on attempts to circumvent our systems and security: when we discover attempts at unauthorized account access, data manipulation, or fraud, we close all involved accounts – permanently – and move to prevent any further access. This doesn’t appear in the Police Blotter.

The Police Blotter reports disciplinary actions taken within Second Life, primarily for violations of the Community Standards. Those items in the Blotter that appear to reference hacking and security breaches are largely inappropriately worded; they are generally ‘social hacks’ rather than determined attempts to wrongly gain access to an account or system. Oftentimes these are incidents where partners (who far too often share passwords and account access) make bad decisions when the relationship sours – logging in, taking inventory, selling assets. While it’s long been our policy that we’ll not take responsibility for damages when a Resident has knowingly shared a password, from a disciplinary standpoint it’s difficult to ignore when the intent is clear.

One problem with the Police Blotter is that it shows so much information, but never the ‘whole’ story. While it’s great to be able to share, in real time, what actions Linden Lab is taking in-world, in situations like these the information, without context, can be misleading. We’re interested in ways to improve the Police Blotter – while preserving privacy – and welcome your suggestions.

Posted in Community, Security