Wednesday, December 5, 2007

Second Life Skullduggery

Daniel Terdiman of CNET points out an interesting story on a San Jose Mercury News blog. According to the blog post, there is “a flaw in Second Life virtual world that allows them to strip a user’s character of all of its in-world money.” The security hole lies not directly in Second Life code, but in Apple’s QuickTime, software which allows video playback. In Second Life, users can embed video into their avatars or their property – video that other users view using QuickTime. QuickTime, in turn, has a flaw that can be exploited to allow the unwitting transfer of Linden dollars from the target avatar to the thief.

In a statement issued Nov. 30, Linden Lab warned users about this problem with QuickTime, and said “At this time we advise that you disable streaming video playback in the Second Life viewer except when you are attending a known and trusted venue.” While it appears that no one has taken advantage of this exploit, Linden Lab added “We are able to track attacks, and rest assured, if we discover a malicious stream, we will vigorously pursue the attacker. This will include account termination and legal action if appropriate, as well as the appropriate assistance for affected Residents.”

From a policy perspective, the existence of such a simple means to steal Linden dollars raises some interesting questions. For example, if someone has their Linden dollars stolen, should the real world police get involved? If so, is there a threshold below which the police won’t pursue action? One Linden dollar (equal to about 37 cents) certainly wouldn’t precipitate action, but what about L$1,000? Moreover, can a local police or sheriff’s department investigate and prosecute such a crime when the various parties may stretch across multiple states and/or nations? Does that mean that the FBI has to get involved?

It seems to me that the best solution to this security problem, at this point, is to let Linden Lab police its own world. Linden Lab can track down the perps and identify suspicious activity with far greater effectiveness and ease than traditional law enforcement. Perhaps the better role for law enforcement is to pursue systematic schemes to steal L$ on a widespread basis. The jurisdictional question does seem to raise problems, however. If the server where the “crime” occurred is in California, and the victim is in Texas, but the organized theft operation is in France (or Malaysia or Cyprus…), then which law enforcement agency has the leverage and reach to catch the criminals and provide restitution to the victim?

Aside from the public policy questions, this issue reinforces the key point that virtual worlds involve real economic value. As such, they need appropriate security safeguards. As Charles Miller of Independent Security Evaluators, who along with Dino Dai Zovi discovered the exploit, said, “Banks clearly try to make their operations secure. Game companies haven’t thought about it the same way. They need to think more about security.”

UPDATE 12/14/07: Via Virtual Worlds News, it appears that Apple has now released a patch, but that Linden Lab has yet to implement the change in Second Life. Thus, we almost have a fix in place.