Attacks and reactions

11 10 2006

Recently the virtual world Second Life suffered several attacks on its server grid by self-replicating objects, resulting in a series of outages over the last week until this Monday.
Linden Lab reacted in the usual way: restricting logins, cleaning up the attack and re-enabling logins. Additionally they deployed some fixes to address the problems
(although in the process a bug in the fix was discovered that led to permission problems with objects, and thus to a closed grid until it was repaired). You can read about
all of this on their blog (one result of these outages might be the amount of traffic on their blog, which made it the number one blog on WordPress).

Opinions in some parts of the Second Life resident base suggest that it was only the opening-up of the registration process earlier this year, when the requirement of a credit card was dropped, that led to this proliferation of attacks. Other rumors say that the banning of 60 residents in mid-September led to the issue, as it was seen as an affront against that group and resulted in more determined attack attempts.
It is hard to say what is true and who is behind it without further evidence being shown to us. And of course the latter is no excuse for such attacks. But they are happening, and Linden Lab (and in the end the Second Life residents) have to deal with them. It should be clear, though, that the growing popularity (895,223 residents registered at the time of this writing) will also attract more potential attackers and griefers.

The latest news on the issue comes from Robin Harper, vice president of Linden Lab, creators of Second Life, where she explains the measures to be taken against further attacks. The first one is to meet with Federal authorities in order to hand over evidence on the attackers and discuss how to proceed. Another mechanism, according to her, is the introduction of a trust system in which only trusted users are allowed to fully utilize the Second Life scripting language LSL. No further information is yet given on how this trust system might work (except that it will not add credit cards back to registration, but will be based partly on credit card verification and not only on that), and there is also no information on how the scripting language will be restricted.
Additionally the upcoming release of Second Life, which is going to be deployed today, is said to also address grid attack issues with respect to identifying and stopping them more easily.

My thoughts on it

Attacks in either the real or the virtual world always seem to yield the same result: a limitation of freedom. Although no details are known yet about the upcoming trust system, I guess it will impose some limitations, especially as it is said to go beyond credit card registration. It might also introduce issues like passing scripted objects from one avatar to another (one trusted, the other not). And it is also clear that attackers will find ways around this.
I personally do not really care that much about grid attacks if they are cleaned up quickly. It’s just an annoyance but has had no real impact on my Second Life so far. And to people doing business in Second Life it should also be clear that such things (and normal bugs) are common in such very new environments. So make sure you have that included in your risk management. I’d rather keep freedom instead of losing more and more of it for the sake of having a completely attack-free grid (most likely it would also be a resident-free grid).

Regarding open registration my opinion is clear: it must stay open. It was always hard for me to convince people to join Second Life, as they were quite reluctant to give out their credit card even though the page said it was a free account. Open registration should make it easier for any party to get in. Included here are of course griefers, but we also had attacks while verification was in place, and it is nothing that can stop any attacker. Freedom again is good, and the freedom to sign up should be included in it.

Another point about the new trust system is the question of what the procedure to get trusted will look like. If it contains more than the credit card verification, which can be automated, and might involve human interaction, then it might eventually introduce a huge backlog of applications. But maybe it’s too early to discuss this anyway as long as no information is available.

Then there’s the architecture of Second Life. It’s not easy to understand why the whole grid needs to go down, or is at least slowed down, when an object replication attack is happening. When digging a bit deeper, though, it’s obvious. It is the non-distributed nature of the asset server and probably some other central services. So if an object replication attack is going on, the number of objects created grows exponentially, and as the asset server, as the central repository of objects, needs to handle all of these, it is likely to slow down. Moreover it might also be a network bandwidth issue in the backplane of their services. Changing this to a distributed system which is eventually distributed among sims (so that unaffected sims could stay stable) is of course not easy and might as well never happen (although the growing number of residents, and thus objects, might lead to performance issues in normal operation at some point). So it’s of course easy to point now to some basic design decisions in the past, but it’s not going to help us, unfortunately 😉
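To make the blast-radius argument above concrete, here is a small added toy model (my own illustration, not code from Linden Lab or from Second Life): a replicating object doubles every tick, and the grid either routes every asset creation through one central server or gives each sim its own. All capacities and counts are constructed for illustration.

```python
# Toy blast-radius model for a self-replicating object on a grid with either one
# central asset server or one asset server per sim. Every live object asks the
# server for `fanout` copies per tick; a server processes at most `capacity`
# requests per tick and queues the rest. Only processed requests become live
# objects, so throughput caps growth, but the queue (and thus latency) keeps rising.
# All parameters below are constructed for illustration, not Second Life figures.

def simulate(ticks, sims, capacity, infected, fanout=2, distributed=False):
    """Return (backlog left on the busiest server, set of sims whose asset
    requests are still delayed at the end of the run)."""
    live = {s: 1 for s in infected}   # replicating objects per infected sim
    queue = {}                         # server id -> queued asset creations
    for _ in range(ticks):
        for sim, n in live.items():
            server = sim if distributed else "central"
            queue[server] = queue.get(server, 0) + n * fanout
        for server in list(queue):
            done = min(queue[server], capacity)
            queue[server] -= done
            if distributed:
                live[server] += done
            else:
                # the central server's output is shared by every infected sim
                share = done // len(live)
                for sim in live:
                    live[sim] += share
    busiest = max(queue.values(), default=0)
    if distributed:
        delayed = {s for s, q in queue.items() if q > 0}
    else:
        # a backed-up central server slows every sim, infected or not
        delayed = set(range(sims)) if queue.get("central", 0) > 0 else set()
    return busiest, delayed

def blast_radius(ticks=5, sims=4, capacity=8, infected=(0,)):
    """Compare both designs under identical attack parameters."""
    central = simulate(ticks, sims, capacity, set(infected))
    per_sim = simulate(ticks, sims, capacity, set(infected), distributed=True)
    return {"central": central, "distributed": per_sim}

if __name__ == "__main__":
    for design, (backlog, delayed) in blast_radius().items():
        print(f"{design:12s} backlog={backlog:4d} delayed sims={sorted(delayed)}")
```

With one infected sim out of four, both designs end with the same backlog, but the central design delays all four sims while the per-sim design delays only the infected one.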

Moreover, as Mark Wallace explains in this post, there might be issues with having two classes of users. This is contrary to what Philip Linden’s (CEO of Linden Lab) idea of this metaverse is (at least as I understand it).

The overall bad thing, though, is that such attacks always lead from trusting residents to mistrusting them in general. So in fact, instead of it being assumed that you are nice, you now have to sort of prove it (add to this the already existing practice of Linden Lab of storing all chat and IM logs for an unspecified amount of time). So this is not necessarily my dream of an open system, and it’s sad that attackers have so much bigger an impact on policies than just the annoyance of an attack now and then. And again, the same goes for Real Life here, of course.

But anyway, I will report more on this when more details on the changes become available. For now let’s hope for a good deployment today, in Linden Lab’s and our interest 🙂

4 responses

11 10 2006
Xs Andree

I think the problem comes from the assumption that Security and Freedom are opposing or mutually exclusive concepts. While they certainly seem to prove themselves this way, I think a truly elegant solution would take the power we gain from the freedoms and turn it against the threat to our security. If no solution comes from that, take the converse side, and use the safety given in security to actually add to the freedoms we want to preserve. It is a riddle, and one we’ve always taken for granted will always be a compromise. Synergy between the two is what is needed. This way instead of one taking away from the other, both work together to be more than the sum of their parts. It isn’t a pipe dream, and all truly innovative solutions use this approach.

11 10 2006

Well, I think the issue here is not even security but more stability. And of course people might have different perceptions of what freedom is. For instance to me it’s ok if the grid is shortly down here and then due to an attack but for other people it might be a restriction of their freedom. OTOH we also need to see of course that Second Life’s residents seem to overdo nearly every problem in its tragedy value. Usually actually no harm is done, no permissions are compromised, no people are killed, just a bit of downtime (I call it spare time ;-).
The problem right now for all of us was probably just that it was offline that often and long.
But I think these problems can be for the most part fixed on a technological basis. And thus I think we don’t really need a trust system etc. for now. Of course Linden Lab should continue to pursue these people nevertheless.

12 10 2006
Orlie Omegamu

I agree, for me personally, the grid shutdowns haven’t been so bothersome, and so I wouldn’t want to give up any convenience while I’m in-world in order to prevent the shutdowns.

But I would argue that being a resident is somewhat like driving a car. You should have to prove that you can handle the responsibility over a long period of time before you are fully trusted. And your driving license can be suspended or revoked if there is reason to believe that you are a danger to others.

Some trust system along the lines of the driver’s license model might be ok. Or perhaps a hybrid solution, where you have to be in-world for 100 hours with a clean record before you can run scripts, unless you want to register with a credit card, in which case you can be trusted sooner.

13 10 2006
Tao Takashi

Well, I do not need to prove I am able to walk outside my door 😉
And regarding cars it’s also more about the difficulty to handle one so that you don’t kill people by accident. It does not mean that it prevents you from killing people if you really want to (gladly not that many people have that need). You can even drive without a license.

But anyway, analogies are probably always a bit weak 😉 I understand your point and it seems to be one that was raised here and then in different form in the blog comments.

My problem with that is that it will create classes of people. You cannot just jump right into Second Life and do all the things you want to. You are restricted where other people aren’t.
And I doubt it will keep griefers from griefing. They will find ways around that. So only the nice user will have a disadvantage here (same usually with all those restrictions, be it DRM or whatever).
Griefers could for example sign up 100 of their alts and keep them idling around until they are trusted and so on. It might take time but eventually they will find time to speed this up (a non-griefing user on the other hand might not even have anti-idling scripts for getting these 100 hours together faster).

My main fear is, though, that with each attack we will then get rid of a little bit of freedom each time. Next time we have an attack people will call again for restrictions. And if this keeps going I am not sure Second Life will still be the cool place to be as it is now.

So I’d like people to step back a bit, see if there are any/severe attacks at all (which are not cleaned up quickly) and then check again whether we really need restrictions or not. But as said again I don’t think they will help at all anyway.

Let’s keep the freedom in Second Life for everybody!
