Saturday, October 27, 2007

Second Life Security Remains "The Undiscovered Country"

The Wishfarmers debuted a new Second Life project for a client today (it went swimmingly, thank you!) and of course I spent some time afterward reviewing coverage.

Along the way, I ran across a discussion about "Second Life Security" on one of the younger 'in-world' media outlets. Security is my background, so I gave it a read wondering if perhaps it had ventured into actual virtual security yet. I've long been bemused that the actual virtual equivalent of computer security has hardly, if ever, even been discussed in the metaverse media.

And apparently, that still has not happened. Yet.

So set phasers to kill, and read on as we venture into the undiscovered country of virtual security.

Lock Your Virtual Doors, and Arm Your 3D Car Alarm?


Here's an excerpt from the article I read, but this is not unique, and no offense is intended to the author. This is pretty much what everyone means when they say "Security in Second Life".

5. Particle spamming requires immediate and definitive action. - One quirk of Second Life allows "particles", intangible floating graphics, to potentially fill the air. Train your staff to immediately turn scripting off (...)


You can read the rest of the original article here, but it's not necessary for this discussion: The risks discussed in it are all basically annoyances . . . virtual hijinx. [7/08 update: Gosh, Metaversed.com, the virtual worlds "experts" who authored it, are gone. Sorry, readers!]

While some of these cretinous behaviors can slow or even crash a "simulator", the risk they pose is still basically only relevant within the context of "real life play".

I'm not dismissing the issues -- not at all. But these aren't real risks, and the responses are likewise still within the "play" system. The term "security" could apply only if one is referring to the "real world" function of a security guard, or security fence.

In other words, it's "game" security -- despite the fact that Second Life is not a game.

So what is being overlooked? What is "real" computer security about in Second Life?


Local Man Hears Couches. New Gossip Column Unrelated.


Lots of objects in Second Life have scripts in them -- certainly, most of the fun ones do.

Some of these objects are complicated: An 8-legged robot, personal storm cloud, or a Twitter relay, for example. One would expect these to contain several scripts.

But some objects are very simple: Say, a pink couch. You might think a couch would have no need for scripts, but actually there are so many little conveniences that users have come to expect, it's probably hard to sell a couch with no bells or whistles. So most will have little scripts in them to put avatars in a sitting position (commonly called a 'sit script'), or change it from pink to green, etc.

You can 'edit' any object in Second Life, and see its scripts listed in the 'content' tab. But when these objects are sold, permissions are set to prohibit viewing of the actual contents.

After all, if you could view them, you could copy them. Then you would make your own, and the product is devalued. That's how virtual products work, and that's fine. You can still view the list of scripts in the 'content' tab, and you won't be surprised to find a 'ColorChanger' script.

The problem here is that even though we expect our couches to have code to change colors, and our Twitter relays to have code to 'listen' to our chat and send email, we have no way of determining whether that is all it is doing . . . and that it is not doing more.

Put simply: There is no way to tell by looking at the list of scripts whether they are doing only what they claim to do. And you cannot view the contents, because you should not.

So the same code that takes your chat commands, or tracks visitors to your sim, or fetches an RSS feed can be as easily integrated into a couch as anything else. The Bad Guy simply names the Secret Script something like "ColorChanger" and hides it in plain sight. For extra insecurity, why not hide it in an invisible quarter? Under one of the cushions. Where else?

You would never even know it was there. Well, unless you're a paranoid security freak like me. Or scrounging for change.

Among the many cherished commands in the Linden Scripting Language (LSL) are the ones that do things like:
  • Process "chat" text (which is typed in the chat entry box)
  • Detect the presence of nearby objects
  • Determine the name, join date, and motion status of nearby avatars
  • Determine the flight, typing, and attachment status of nearby avatars
  • Determine parcel details such as name, grid coordinates, video and music URLs
  • Send data out by email or HTTP, which includes the object's exact location
Think some of these aren't relevant? Well, maybe you need to practice thinking like a hacker! Ask yourself this question...


What is Your Couch Saying About You?


How about a log showing, by date and time:
  • Who came to your 'virtual office'
  • How long they stayed
  • What was 'said' in chat
  • What new objects were rezzed
  • Whether visitors had attachments on
  • What video and audio URLs were set
How much would that be worth to your ex/current/stalker/competitor/guy in chicken suit? Answer in Linden Dollars, please.

And this is just one of the obvious issues that, thus far, seem to have been overlooked in a rush to address more pressing concerns. Like particle spam, avatar stacking, or flying phallus.

Ironically, none of the more popular 'security' concerns are likely to result in your being blackmailed/divorced/outbid/attacked by a chicken.

There are plenty of other examples of actual security risks that are never even associated with the concept of "Second Life security".

Here's a fun exercise: Go back and reconsider the whole scenario, but assuming the spy code is in the heel of your shoe . . . as is the custom.

One last note: Of course it should go without saying that anything this evil would be not just a violation but a blatant slap in the face of the Second Life (or any other) Terms of Service. It should be equally obvious that people who would use these sorts of techniques really couldn't care less.
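
The LSL capability list and the couch scenario above, turned into a review check (an added example, not code from this post or from Linden Lab): it reports what a script can gather and send regardless of its name. It assumes the reviewer has the source, which a buyer does not; the mapping of capabilities to LSL built-ins is this example's own, and both sample scripts are constructed.

```python
import re

# Assumed mapping of the capabilities listed in the post to LSL built-ins.
COLLECT = {
    "chat": {"llListen"},
    "nearby": {"llSensor", "llSensorRepeat"},
    "identity": {"llDetectedName", "llDetectedKey", "llRequestAgentData"},
    "status": {"llGetAgentInfo"},
    "parcel": {"llGetParcelDetails", "llParcelMediaQuery"},
}
SEND = {"email": {"llEmail"}, "http": {"llHTTPRequest"}}

# String literals and comments, matched left to right so that a URL inside a
# string or a quote inside a comment cannot confuse the scan.
_NOISE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_noise(src):
    return _NOISE.sub(lambda m: '""' if m.group(0)[0] == '"' else " ", src)

def review(name, src):
    """Report what a script can gather and send, whatever it is named."""
    code = strip_noise(src)
    called = set(re.findall(r"\b(ll[A-Z]\w*)\s*\(", code))
    collects = sorted(k for k, fns in COLLECT.items() if called & fns)
    sends = sorted(k for k, fns in SEND.items() if called & fns)
    public = bool(re.search(r"\bllListen\s*\(\s*(?:0|PUBLIC_CHANNEL)\s*,", code))
    return {"script": name, "collects": collects, "sends": sends,
            "public_chat": public,
            "verdict": "REVIEW" if collects and sends else "ok"}

# Constructed samples, both carrying the same innocent name.
BENIGN = r'''
// owner-only colour command; never calls llEmail() or llHTTPRequest()
default {
    state_entry() { llListen(7, "", llGetOwner(), ""); }
    listen(integer ch, string who, key id, string msg) {
        if (msg == "green") llSetColor(<0.0, 1.0, 0.0>, ALL_SIDES);
    }
}
'''
SUSPECT = r'''
// fragment only: the calls a reviewer should question in a couch
llListen(0, "", NULL_KEY, "");
llSensorRepeat("", NULL_KEY, AGENT, 20.0, PI, 30.0);
llEmail(REVIEW_PLACEHOLDER_ADDRESS, "subject", body);
'''

if __name__ == "__main__":
    for src in (BENIGN, SUSPECT):
        print(review("ColorChanger", src))
```

Both samples are reviewed under the name "ColorChanger"; only the second combines collection with an outbound channel, which is the pairing worth a human look.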


Man in Gorilla Suit Also Unnoticed


You may be asking "why in the hell do you think such evil things to begin with?" It's okay, I'm allowed: In my previous life I analyzed systems, created tools and assessed the security of software and operating systems. In other words: A professional hacker, paper certs and all.

Solutions? Well of course there are solutions. There are always solutions: Some procedures, some technology: This problem is not unprecedented (hint). No, I don't have time to implement them alone.

Email me and we'll collaborate! :)