Exploiting Tomorrow: As New Virtual World Features Develop, Security Struggles To Catch Up

I said a few weeks ago that Linden Lab had been doing a bunch of cool stuff lately. The speed at which changes and new concepts were being pushed out had increased, and it seemed like the Lab itself was experiencing a cultural shift toward something more in tune with its current user base (not merely its potential base, which has been a problem for a long time). It’s by no means perfect (far from it), but it’s a significant change from the way it had been for the past several years.

August marks the month of the annual Second Life Community Conference (this year held in Oakland, California), during which the things one expects from a convention generally happen. This includes keynote speakers, big speeches, and a general sense of what and where the platform is headed in the next year.

In fact, there’s quite a lot to talk about. Since spring, we’ve seen the advent of basic and advanced login modes, Avatar Physics support (officially), changes involving SL Marketplace (more work needed on that one, folks), a new search system to replace the badly broken previous incarnation, a timeline for mesh which looms ever closer every day, and the release of social profiles, as a response to the Facebook marketing plan collapse and just ahead of Plusgate/Nymwars. In fact, Linden Lab has gone so far as to completely revamp and update the splash screen for the latest version of their official viewer, complete with zippy mouseover effects (it’s still a little buggy though, as you can see):

New Splash Screen in Second Life

The new splash screen emphasizes the social side of Second Life, responding to years of complaints regarding not being able to find things to do and people to do them with. It displays not only destinations and descriptions, but how many people are currently at the location (I am not sure how often that’s refreshed, though).

For those who use SL as a social experience this could be a great help in terms of scouting out popular locations. To its credit, it’s pretty ignorable for those who already know where they’re headed, or for whom socializing in SL is not a top priority.

Advanced Technology=Advanced Security

But with all this cool stuff, and more to come, there’s a downside that needs to be addressed. Whenever the ability to do things is increased, the ability for people to exploit them for nefarious purposes is also increased.

Although the Lab has been picking up the pace rapidly in terms of new features and technologies, what they aren’t doing is keeping pace with potential security risks. While this was always a problem, the increased pace of new feature releases increases the risk as well, at a time when old exploits are still not being adequately fixed.

You all remember RedZone, right? The hole in the media protocols which allowed RedZone and other devices like it to function still exists. In fact, the JIRA has gotten a spate of comments lately, discussing that very fact, and the status has been changed to “deferred” and resolution “incomplete” (which is an example of a gift of understatement).

Though a media filter has been installed in several third party viewers, the official version of that same filter has not yet been released (I am told it’s scheduled for the next update cycle – but it has been months since the incident). Though RedZone itself is gone from the grid, other systems that claim to do “not quite” what RZ did are still available, under the guise of being security systems that are not much more than snake oil.

The way RZ functioned still exists with no additional security measures added save the change to TOS and Community Standards, which depending on whom you ask, may or may not adequately address the issue. Sadly, people who are trying to exploit systems technologically don’t generally care about TOS or Community Standards, but they do care about exploitable technological holes.

The argument has been made that these kinds of scams are generally done by people who are just trolling at best; a game for advanced griefers with servers. But the reality is that real people are being harmed, and real money (lots of it) is changing hands. Sometimes the scammers are pros, as in the case of the creator of RedZone. In fact, on July 26, after having been in federal custody for several months, zFire Xue (aka Mike Prime) was sentenced on four counts of parole violation on a previous federal fraud conviction. Those parole violations can be directly tied into his actions within SL, and they’ve earned him an additional four months’ worth of time. What is interesting to note is that there have been parole conditions which have been added *specifically* to his case. I got the complete case file right after it was filed and made public (repeating that: this is public information). Page five (special conditions) is of note (highlighting is mine):

Special Conditions of Supervision

As outrageous as this case is, none of what he did would have been possible without the hole in the media protocols, a hole that still exists and, months later, is only now going to be given the same media filter that third party viewers got months ago. But the underlying cause is still the same and as yet remains inadequately addressed.

Although closing the hole outright causes significant problems (at the time, it was a way to make a pipeline to Facebook, which is no longer really needed), some management of media protocols needs to take place past the level at which it has been done thus far. But this particular exploit is not the only one being thrown around right now.

Meeroo Mania

While the virtual horse and bunny people continue their legal battle (yes, still), the market for breedable pets was just waiting for someone to kick the entire affair up a notch, by developing a completely different product for people to focus on. Not just a new animal or item, but a completely different system on the back end, unrelated in most ways to anything that had been available previously. In late spring, that finally happened with the release of Meeroos.

A wacky, yet adorable hybrid creature that looks somewhat like a cross between a meerkat, a kangaroo and Eeyore, these animals came complete with their own backstory, a new breeding system (FAQ is here), and most important of all, AI, meaning each meeroo had a personality that was different from its companions/relatives. It was definitely breedables at the next level, and WHOO BOY is it popular. Meeroo owners and breeders created an avalanche of fervor for the creatures which has continued, to my observation anyway, unabated since their release.


It was only a matter of time until someone tried to illegally cash in on the meeroo craze. It was inevitable, really. But the way it was done was via a known exploit, still not fixed within SL.

As reported here, someone was able to create items in a place where this should technically not be possible due to region settings. The way this was accomplished is not new, and in fact was reported by the Alphaville Herald back in May. To make matters worse, when the creators of Meeroos sought to bypass the issue by making food and accessories available on Marketplace to create a safe place to purchase these items, they found their asset account (aka their business alt) had been banned by the Lab by mistake.

Since caring for breedable virtual pets is an extremely time sensitive business (the health and other stats of the animals are created and altered in real time), this mistake could be very costly (and as an aside, shows one of the reasons why the Lab’s changeover to a single name system exclusively has been, shall we say, less than a success). Though the account was reinstated several hours later, this entire thing has been a cascade of failures that were not the fault of the creators at all – all of them were on the part of the Lab.

The fact that this was able to be carried out at all is due to the technical security hole not being fixed.

More Good Stuff=More Bad Stuff

The Lab seems to be in a new phase of commitment to bringing out new product developments in a short span of time. It’s a lot to manage. But part of that management must be on the security end as well (particularly with mesh coming out so soon).

Though a laissez-faire policy allows for lots of creativity, sometimes that creativity is channeled into ways that aren’t so awesome. Sure, it’s a lot of running around putting out fires, but that means the fires actually need to be put out, and not ignored in the hopes that no one else will notice the smoke.

With the SLCC coming up so quickly, maybe now would be a good time to make an announcement about that. Just sayin’.
