[SLED] Lessons from the SL security problem

Giulio Prisco gp at uvvy.com
Sun Sep 10 02:44:34 PDT 2006

I think the comments to the Linden blog Update: Resetting
be very useful for LL staff to read as they indicate some shortcomings
in the ability of LL to offer efficient customer service. These are the main
points I can extract:
1) SL started as a game but now LL and users want to use it for serious
things. This requires a real, professional, 24/7 customer service and
support helpdesk. Most users are upset because to reset their passwords they
have to wait until Monday when, evidently, there will be so many calls that
most users will only find busy lines.
2) Many people from outside the US complain that they cannot call LL
customer support because it is too expensive, they don't speak English well
enough, or they live in a timezone from which it is impossible to call the
US at business hours (this is another reason why customer service must be
24/7). I think LL should start dedicating more attention to the requirements
of non-US users. This also requires language localization and local support
call centers. Of course these things cost money, but this is business: one
needs to spend money to make money.
3) It is normal that when nobody paid any attention to Second Life there was
no significant security risk. But now that SL is always in the press, with
businesses and even politicians moving in, there can only be more and more
attacks and I believe LL should address security like a bank. In particular,
for things like password recovery, it is important to find a suitable
tradeoff between security and usability. I wish to recommend that LL hire a
professional IT security firm with experience in the banking and financial
services industry.
4) We tend to forget the answer to "security questions". I certainly
remember the name of the street where I was born, but did I use only lower
case? Did I include "street", "avenue" or "square"? This can make the
difference between success and failure when only a limited number of
attempts is allowed. I believe security questions are only effective when
users are allowed to create their own security question.
5) As it was mentioned on the 3pointD
the coming 3.D web is too important to be run by a single company, even one
so good as LL. With a single point of failure so big, it will be difficult to
persuade major businesses and administrations to invest money and resources.
Clearly a robust, secure and usable 3.D web must be based on a distributed
and redundant architecture with open-standard, interoperable and redundant
components. This was the choice of DARPA when today's Internet was planned
in the 70s.
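The security-question point above (case, "street" vs. "avenue", and a limited number of attempts) is a concrete usability/security tradeoff in password recovery. As an added example that is not part of the original post and not Linden Lab code, the following Python shows one way a recovery helpdesk could handle it: the stored answer is canonicalised (case-folded, accents and punctuation stripped, a few filler words such as "street" dropped) before being hashed with a salted PBKDF2, and verification goes through a gate that compares in constant time and locks after a bounded number of failures. The filler-word list, the sample answer and the attempt budget are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Hypothetical filler tokens dropped before comparison. Dropping them trades a
# little entropy ("Main Street" and "Main Avenue" become equal) for fewer false
# rejections, which is exactly the tradeoff the post is asking LL to weigh.
IGNORED_TOKENS = {"street", "st", "avenue", "ave", "square", "sq", "road", "rd", "the"}

# Illustrative work factor; a production deployment would tune this.
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalise a security answer so trivial variations compare equal."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    # Remove accents by dropping combining marks left behind by NFKD.
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    tokens = re.findall(r"[a-z0-9]+", folded)
    return " ".join(t for t in tokens if t not in IGNORED_TOKENS)


def enroll_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The plaintext answer itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


class RecoveryGate:
    """Verifies candidate answers with a bounded attempt budget."""

    def __init__(self, salt: bytes, digest: bytes, max_attempts: int = 5):
        self.salt = salt
        self.digest = digest
        self.max_attempts = max_attempts
        self.failures = 0

    @property
    def locked(self) -> bool:
        return self.failures >= self.max_attempts

    def check(self, candidate: str) -> bool:
        """Return True only on a match while the gate is not locked."""
        if self.locked:
            return False  # an out-of-band reset (helpdesk, e-mail) is required
        trial = hashlib.pbkdf2_hmac(
            "sha256", normalize_answer(candidate).encode("utf-8"), self.salt, PBKDF2_ROUNDS
        )
        if hmac.compare_digest(trial, self.digest):
            self.failures = 0
            return True
        self.failures += 1
        return False


def demo() -> dict:
    """Walk through enrolment, tolerant matching, and lockout on a constructed answer."""
    salt, digest = enroll_answer("Via Garibaldi")  # constructed sample answer
    gate = RecoveryGate(salt, digest, max_attempts=3)
    results = {
        "exact": gate.check("Via Garibaldi"),
        "lowercase_with_suffix": gate.check("via garibaldi street"),
        "accented": gate.check("VÍA GARIBALDI"),
    }
    results["wrong_attempts"] = [gate.check("Corso Italia") for _ in range(3)]
    results["locked"] = gate.locked
    # Even the right answer is refused once the budget is spent.
    results["correct_after_lock"] = gate.check("Via Garibaldi")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The normalisation is deliberately lossy, so the answer should still be hashed with a salt and a real work factor rather than stored in clear, and the lockout counter belongs server-side per account so that an attacker cannot simply open a new session to reset it.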
