How to make Second Life look better – hide the problems

So, Linden Lab has decided that:

Because we want to make it even easier to report bugs, today we are making some changes that will streamline the bug reporting process, allowing us to more quickly collect information and respond to issues.

and to do this they are moving away from crowd-sourcing the identification and analysis of problems found by removing visibility of bugs that are reported from now on.  Which means if you do find a problem there’s no central place for you to check to see if others are experiencing it or if there’s a workaround.  You’re expected to suck it up and continue to pay your money.

There’s no way this is going to streamline the process – except that most people probably won’t report issues from now on and if it’s bad enough to impact on their Second Life will either try one of the various fora around or just give up and leave.  After all, this is supposed to be entertainment not a struggle and since problems are rarely fixed and when they are it’s at a glacial pace I’d say the chance of improvement in turnaround times is pretty unlikely but it will make Second Life look better to anyone who doesn’t actually have anything to do with the platform.

So, here’s where I laugh and hand Linden Lab another bag of nails and a new hammer for that coffin of theirs.  With an 8% decline in regions this year any sane company certainly wouldn’t be trying to push people even further from the platform.

The only saving grace for Linden Lab will be the reduction in bugs reported as the overhead of managing this new system will, by the very nature of the new process, increase.

Apparently Linden Lab management hate their employees almost as much as they hate their customers.  This decision seems to reflect this.


Linden Lab wants to rebrand Second Life. I think they have bigger problems than that.

Some of you may know that Linden Lab is considering a rebranding exercise in the near future.  Most likely it will be a concerted attempt to change public opinion of Second Life from being basement dwelling sex fiends into young, cool, content creating hipsters.  I would suggest that Linden Lab has far bigger problems to contend with than the opinion of a few of the gaming blogs.

Linden Lab employees have always given the impression that Linden Lab wholeheartedly despises its user base.  It must be the only company I can think of that has long-term, well established customers who openly don’t trust it and don’t expect it to act in a professional manner.  The power of the product is highlighted in that sentence. Second Life’s biggest saving grace is that most of its customers don’t care how unprofessionally it behaves as long as they are able to use it as they want and the rest will not step outside the self-imposed ghetto of the Second Life world of the platform, some second life specific forums and some blogs.  They rarely ever make their displeasure known outside of these properties and are even less likely to bring law enforcement, government or legal pressure to bear.  Linden Lab is a remarkably lucky company in that respect.  It’s even luckier with its product, in that it has even managed to survive the almost constant behaviour of its employees that from the outside looks like they are determined to bring the company into disrepute and damage it.

In the last few days we’ve seen

  • The recently employed Counsel for Linden Lab offer a settlement to the US Securities and Exchange Commission for an investigation that has been ongoing since 2007. I would have thought that if due diligence had been undertaken before taking Ms Berry on as General  Counsel they perhaps would have looked elsewhere until this had been resolved.
  • A blog post advertising the release of a new type of breedable animal.  The post has been removed from the Second Life website now but not before questions were asked if this post was made because the brand owner is a Linden Lab employee, if the brand paid for this as marketing and Linden Lab didn’t identify it as a paid editorial when it was sent or if it was just a favour being done.  It could be anything of course.  A few years back Linden Lab listed Sion Chickens as a finalist for the Linden Prize. I’ve had to use the SL Universe link because the blog posts are no longer on the Second Life website.  Here’s the description of the prize  – although apparently they no longer award it.  Last year, Linden Lab acknowledged that Sion Chickens improved inworld economic activity.
  • Then of course there’s the questions around how they suddenly went from the F rating to an A+ rating at the Californian Better Business Bureau, the uncharitable say it’s because of this:

BBB Accreditation

A BBB Accredited Business since 09/21/2010

BBB has determined that Linden Lab meets BBB accreditation standards, which include a commitment to make a good faith effort to resolve any consumer complaints. BBB Accredited Businesses pay a fee for accreditation review/monitoring and for support of BBB services to the public.

BBB accreditation does not mean that the business’ products or services have been evaluated or endorsed by BBB, or that BBB has made a determination as to the business’ product quality or competency in performing services.

My emphasis of course.

These examples are from the last few days remember.

The BBB accreditation requirements have this little gem

8. Embody Integrity
Approach all business dealings, marketplace transactions and
commitments with integrity
An accredited business or organization agrees to:
Avoid involvement, by the business or its principals, in activities that reflect unfavorably on, or otherwise adversely affect the public image of BBB or its accredited businesses.

Which brings me onto my final point.

Linden Lab has always taken a consistent position that what some of its customers do to their other customers is none of their business, even when the activities were in blatant breach of their ToS. This blind eye is of course subject to the whims of the employees.  Linden Lab also have a history of terminating accounts with no explanation given and no recourse.

Now Second Life does appear to be a haven for people who are not properly socialised and have problems differentiating right and wrong behaviour.  Unfortunately, as I’ve briefly noted in the recent events above, Linden Lab actions also constantly confirm that its employees also suffer this handicap.

The latest storm is around a group of people who at first glance appear to breach copyright and trademarks held by the owners of DC comics. They are a vigilante group who have assumed the mantle of “protectors” of Second Life and in their guise as protectors don the guise of the characters from DC comics. This is not a new group as they have been around since before 2007 and have apparently had regular contact with Linden Lab employees during this time.

The people who are the core members of this group aren’t young people, apparently they are late middle aged men and some have families.

Sadly, Second Life is a product that appears to be rife with intellectual property theft and Linden Lab refuses to proactively monitor by maintaining that it can only act when the holder of the copyright or trademark contacts them and they refuse to do even the barest due diligence when it blatantly crosses their path.  How hard would it be to request documentation confirming a licence is held for those most obvious breaches?  That would require Linden Lab employees to act to protect the good name of the company, something that they have determinedly not done in the past.

Now, if these middle aged men in tights were just running around with their superhero costumes you could just look at them and laugh and move on.  The problem is they’re not, they’re out of control and dangerous.

Apparently since at least 2007 they’ve been keeping a private wiki detailing all the information they can find on anyone in Second Life they consider to be a griefer, a potential enemy or just because they can.  They trawl through all the social media, forums and go undercover in world to contact people to get as much real life information on them as they can. They note health, residence, real life work, details of their children – any bit of information they can, no matter how irrelevant.  In itself this is certainly borderline stalking behaviour and certainly cannot be considered acceptable, although data mining and aggregation are among the main ethical issues currently facing online entities and are yet to be resolved.

However as with all these self styled upholders of the law, they’ve overstepped the mark.  It wasn’t enough for them to have their secret stash of information, they then had to step further over the line of acceptable into the truly abhorrent behaviour.  According to reports, not only have they tried to have people sacked from their real life workplaces but more egregiously, one of the number contacted the sister of a dying man they considered to be a griefer under the pretence of being his friend so they could confirm his near demise and then death.  If that isn’t bad enough, they then posted the details on their wiki and their public website.  When you search for the dead man’s name, their web page is very close to the top of the returns.  Not only did the friends and family have to come to terms with the death of their loved one but even now, if they search his name they’ll see this web page documenting it.  Words escape me in describing my revulsion at the sheer insensitivity and deliberate hurt they cause.

To add to the general poisonous unpleasantness of this group, they apparently do charity work inworld.  This charity work apparently also extends to finding the real life details of the children they are purporting to help and documenting on their private wiki their disabilities, illnesses, family information and any other information they can get their hands on.  I’m sure the parents of these children and the charities will be thrilled to hear that.  I wonder if they’ll also contact the parents if the children look like they’re going to die – they’ll say it’s just for completeness you understand.

Does any of this stir any revulsion in the heart of any Linden Lab employee yet?

On top of this (and really it’s almost a minor side note in the great scheme of the sheer awfulness of the behaviour of these people) they’re also IP address mining to do alt matching – just as zFire did with RedZone.

Linden Lab have known about the wiki since it was first leaked in January 2010 and they condone this behaviour through their inaction.  I’ve spent a lot of time in Second Life and I’ve seen behaviours that make me despair of the human race but the actions of this group actually disgust me.  I’m appalled that Linden Lab is so completely disreputable and its employees apparently so completely incapable of identifying ethical behaviour or even understanding just how badly this reflects on them, that they have taken absolutely no action to protect their rapidly diminishing reputation.  Linden Lab employees are determined to ruin the company and honestly, after this I hope they succeed.  Years ago I decided that if a cv from a Linden Lab employee ever came across my desk it would go straight into the bin and nothing I’ve seen since has made me change my mind on that.  I feel sorry for you Rod Humble, you really do have a corporate poison chalice there.

Enough is enough, Linden Lab has to once and for all make it clear to everyone who is data mining and capturing IP addresses (and there are many more out there that I know of) that this practice is unacceptable.  Linden Lab cannot continue to say that it’s none of their business as long as the details are held outside of Second Life and not used inside it.  The complete disregard that Linden Lab has for its customers and its reputation has to stop now.  Everyone involved in this group should have their accounts cancelled – no exceptions.  The ToS allows for these actions and there is nothing to stop Linden Lab doing this – except that they don’t want to.  It’s an entrenched corporate behaviour to leave us exposed to these kinds of people, Linden Lab just can’t help themselves.  From forcing people to blanket accept all cookies from any website and with no way to protect themselves if people use viewer 2 and want to access the inworld search, to allowing the JLU and other groups to flourish, they appear to refuse to see how vulnerable we are.

Words really do fail me.

Linden Lab displays skewed values. How unusual.

Is it me or is there something wrong with LL when it will continue to fund at least 4 adult regions which do nothing to promote Second Life or even adult activities yet allows such gems as The Lost Gardens of Apollo and many others (including the AM Radio region in a few months time) to vanish from the grid?

I don’t know what the reason is for this but given a choice, I know what I’d choose for Linden Lab to spend their resources on and it isn’t squandering them on 4 barely used regions with no artistic merit.

Is spyware the root cause of this data leak?

Linden Lab published this yesterday to remind people about basic internet security.   In a roundabout way it is very forcefully reaffirming Linden Lab’s position that these spam emails are as a result of user machines being compromised.  Unfortunately it ignores what is being said by those who have been affected.  The thread where this is still being discussed is here.

Once I am convinced that this was due to spyware I’ll remove these posts and replace them with a background piece and the actual cause.  At the moment I’m not at a level of comfort to be able to accept the Linden Lab position.

Without knowing how local payments work, what data is required and if you need to access the Dragonfish site to do this rather than via the Second Life web pages (and there’s no way I’m going to test it out), my problems with blindly accepting Linden Lab’s position are:

  • If an email address is used for Second Life only, the last time it was probably entered anywhere was when the email account on the Second Life website was updated – assuming people pull their emails down to an email client or it will be used to log into the mail provider if accessed via the web.  Although, web access does increase the chance that spyware could capture it.
  • Those who have identified the spam emails claim their machines are spyware free.  Although none have yet said if they run scheduled checks and if they’ve reviewed the logs over the last few months to see if anything has been picked up.
  • If it is spyware, then I would expect their non Second Life accounts to be receiving spam as well, I doubt there is anyone who only uses their Second Life email address, yet I’ve not seen any reports of this.
  • Whilst there is a chance that somehow this spyware is clever and targeted enough to only recognise Second Life accounts and wait until it has the card holder name from a transaction against a Second Life account to send the data to the data collector to enable the email to be sent out, I wouldn’t consider it likely.

I’m still not convinced this can be brushed aside as user carelessness and I would certainly be asking Dragonfish to explain. As Linden Lab are so publicly committed to protecting our data, I would have expected them to contact those who are currently claiming that spyware is not the cause of this to ask them for the emails, to check their logs to see if any spyware has been removed in the last few months and to ask them where they use the email addresses in question. Just brushing this aside as user carelessness without even going through the motions of due diligence doesn’t impress me. Just saying “contact us” in what looks like a peripherally relevant post isn’t what I would expect of a company who is so committed to protecting our data and believes in good customer relations but of course the only recent Linden Lab employee who publicly demonstrated that commitment and understanding of the basics recently ceased working for the company.

Linden Lab are extremely lucky with their user base, the user base is extremely tolerant of errors, it’s extremely rare that people ever exercise their right to complain to external authorities and they’re easily distracted.  Given another week this will have passed from most memories and this will have been just another blip on the horizon.

However, since I’m not feeling enough confidence in the Lab over this, I’ll stick to avoiding local payments and keep these posts here.

Data breach discussion thread moved

The forum thread discussing this issue on the Second Life forums has been moved to here, where anyone can access it without being logged in. Kudos to Linden Lab for making it accessible to everyone. There are others affected who are stating that it is highly unlikely it is spyware but I won’t be able to properly look at it until the weekend.  So, if you’re interested, go have a look at the forum replies.

and I changed the theme of this blog to make it easier to read.

Linden Lab and the Dragonfish data breach

True to form, Linden Lab are now blaming its customers for the leak of card names and email addresses.  They claim that the data breach is due to poor computer security on behalf of those whose data has been compromised.

FJ Linden responded in the forum thread (post 31) and said

01-06-2011 05:26 PM

Thanks for raising this issue with us. Protecting our users’ privacy is of the utmost importance to Linden Lab. Based on our investigation, we have determined that the spam was not the result of a security breach or our billing partner selling Second Life users’ data to any third-party.

So, what happened? Unfortunately, it looks to be a case of email addresses collected by spyware, which can happen via a third-party application or website. The advertised site is not a property of Linden Lab or any of our partners. More information about this type of activity, and how email addresses are obtained through third-party software or websites, can be found here.

Again, big thanks for bringing this to our attention.

I say that it’s about time that Linden Lab employed some people who have business experience.

Which was promptly rebuffed (post 34) by one of those affected.


01-06-2011 06:58 PM

1) I received these spam-emails to 3 addresses used for SL. 2 of these are ONLY used for SL. And NONE of my other email-addresses received these spam-emails and I have dozens of addresses. One for each account on some website or other. As I said NONE of these other email-addresses received the spam. It is highly unlikely (though admittedly not impossible) for a spyware to randomly get just 3 addresses that are known to SL and none of the others. If my math is correct then the statistical probability for this is about 0.3%. (8 out of my total of 50-60 email-addresses are known to SL)

2) I know how to take care of my computer-security. I have 20+ years of experience as an IT-professional (programmer and webserver-administrator). NEVER in all those years have I had a virus/spyware on my computers. I use Firefox with Noscript-plugin to keep Java, Javascript and Flash disabled for almost all websites except trustworthy ones. BTW: Stop putting Javascript on as it forces me to enable Javascript for all of This is a security-hole waiting to be exploited. I already posted about this over a year ago when you first started doing this.

3) The fact that the advertised sites don’t belong to LL or some partner of LL doesn’t prove anything. Only a very, VERY stupid spammer would make it that easy for you.

4) We are not just talking about email-addresses here. We are also talking about RL-data associated with the email-addresses. In my case the spammer knew my RL-firstname. In one case reported by someone else it was the combination of an email-address used ONLY for SL and the full RL-name of the credit-card holder used for that account which was NOT identical with the user’s RL-name. I don’t see how any spyware could connect these two pieces of information.

In conclusion: Linden Lab, KEEP LOOKING!!! You are leaking this information *somewhere*.

Logically, from the information given by one of those affected, the explanation given by the Linden Lab representative cannot have occurred unless the Second Life payment site has spyware embedded in it.  One email was sent to an email address that apparently has only been used as the contact point between Linden Lab and the Second Life account holder and had not been used elsewhere, and the spam email had the card holder’s name, not the account holder’s.  The card holder is someone else and therefore the only place the matching of these two pieces of data could occur is Dragonfish.  The fact that card holder names are being used should have triggered alarm bells in Linden Lab.
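The attribution logic used above and in the quoted forum reply, written out as an added example (it is not part of the original post or the forum thread): addresses that are each given to one party act as canaries, so the parties common to every spammed address, and the parties holding every data item seen together in one message, narrow down where a leak could have happened. The party names, addresses and the inventory of who holds what are constructed assumptions; the counts 8, 3 and 50 to 60 are the ones the forum reply gives.

```python
"""Leak attribution with per-service ("canary") e-mail addresses.

All addresses, party names and inventories here are constructed samples.
"""
from math import comb


def parties_common_to(spammed, address_book):
    """Return the parties that were given every address that received spam.

    A party stands for itself and for any processor it passes the address to.
    """
    recipients = [address_book[addr] for addr in spammed]
    return sorted(set.intersection(*recipients)) if recipients else []


def p_random_harvest(total, known_to_party, hits):
    """Probability that `hits` addresses picked uniformly at random, without
    replacement, out of `total` all fall inside the `known_to_party` subset.

    This is the hypergeometric case that models harvesting from the user's
    own machine, where every stored address is equally exposed.
    """
    if not (0 <= hits <= total and 0 <= known_to_party <= total):
        raise ValueError("need 0 <= hits <= total and 0 <= known_to_party <= total")
    return comb(known_to_party, hits) / comb(total, hits)


def parties_holding_all(observed_items, holdings):
    """Return the parties whose records contain every data item that appeared
    together in one message, i.e. the only places they could have been joined."""
    wanted = set(observed_items)
    return sorted(p for p, items in holdings.items() if wanted <= items)


def build_sample_address_book(total=55, operator_count=8):
    """Constructed data: one address per web account; the first
    `operator_count` addresses were registered with the operator."""
    book = {}
    for i in range(total):
        party = "operator" if i < operator_count else f"site{i:02d}"
        book[f"acct{i:02d}@mail.example"] = {party}
    return book


# Constructed inventory of who holds which data item. It encodes the scenario
# as the post describes it (the card belongs to someone else, so the user's PC
# is assumed never to have stored the cardholder name). The result is only as
# good as this inventory, which is an assumption and not an audit.
SAMPLE_HOLDINGS = {
    "user_pc": {"email", "account_name"},
    "operator": {"email", "account_name"},
    "payment_processor": {"email", "cardholder_name"},
}


def analyse(address_book, spammed, party):
    """Combine both checks for one suspected party."""
    known = sum(1 for parties in address_book.values() if party in parties)
    return {
        "common_parties": parties_common_to(spammed, address_book),
        "known_to_party": known,
        "p_random": p_random_harvest(len(address_book), known, len(spammed)),
    }


if __name__ == "__main__":
    book = build_sample_address_book()
    spammed = ["acct00@mail.example", "acct03@mail.example", "acct06@mail.example"]
    result = analyse(book, spammed, "operator")
    print("parties given every spammed address:", result["common_parties"])
    print(f"chance of that under random harvesting: {result['p_random']:.2%}")
    for total in (50, 60):
        print(f"  with {total} addresses in total: {p_random_harvest(total, 8, 3):.2%}")
    joined = parties_holding_all({"email", "cardholder_name"}, SAMPLE_HOLDINGS)
    print("parties able to pair e-mail with cardholder name:", joined)
```

A low random-harvest probability does not rule out targeted malware, which is why the list of parties able to join the observed data items is the stronger signal of the two.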

The most likely scenarios are:

  • Corruption.  The data has been accessed and removed by an unauthorised person/s  working for Dragonfish and has been sold on to other gaming sites for personal profit.

I feel this is the most likely scenario but only Dragonfish can confirm this by checking who has access to the data.

The other possible scenarios are:

  • The emails came from other Dragonfish companies.  This means that Dragonfish is using the data without the knowledge or consent of those affected and in breach of the EU data protection laws.  Financial information (card holder name at a minimum) should never be used this way.
  • Dragonfish is selling the data on to other gaming sites.  Again this is a breach of EU data protection laws.  Financial information (card holder name at a minimum) should never be used this way.

This does look like a breach of internal security and the implications of this are worrying, not just for Second Life users but for all users of Dragonfish.  At the moment we are aware of the card holder details being compromised but it is very possible that the card details have also been compromised.  Assuming that the person/s distributing this data are doing it for personal profit then it may not just be gambling sites the information is being sold to.  This puts everyone who has used the Dragonfish site for a financial transaction at risk of card fraud and/or identity theft.

Third parties being careless with data is nothing new, this year in particular has seen a rise in companies needing to apologise because their third party supplier has not kept their customer data secure.  The one thing all these companies have had in common is they don’t blame their user base as an easy way out but investigate with the third party and take instant action to mitigate the data loss and the damaging publicity.

Linden Lab on the other hand is determined to blame its customers and hope the problem goes away.  It won’t if there is a worker in Dragonfish who is accessing and distributing the financial and contact data in breach of the company policy.  It’s data theft that is the issue here and Dragonfish will not admit this or take action to stop this happening in future unless Linden Lab forces them to.  Rather than just mouthing platitudes at the masses and hoping the problem goes away, I would suggest that Linden Lab actually get the details from those affected, analyse them and then go to Dragonfish and demand an explanation.  That’s what real companies who believe in protecting their customers’ privacy and the organisation’s good name do.


Unauthorised distribution of financial information is a serious breach and again I cannot urge people more strongly to make a complaint to their country’s relevant data protection commissioner.  I doubt this is the first time data has been leaked from this company and it will not be the last until all offenders are caught and dealt with.  If Linden Lab and Dragonfish will not take action then it is left to consumers to make a complaint to enable the authorities to act.

You should also consider contacting your bank or card issuer to advise them that your card details may have been compromised.  This enables the provider to monitor your card for transactions and stop card fraud before it occurs.


Within the next few days I would expect to see the following action taken:

  • The culprit/s are identified and are removed from the company (I do believe it is likely that there is more than one).
  • Data security at Dragonfish is tightened to ensure this cannot happen again.
  • Dragonfish issues a statement where it admits full liability and publicly absolves Linden Lab for the breach.

Anything less will imply that Linden Lab is at fault here. So if you don’t see this then draw your own conclusions.

Here are the relevant links to make a formal complaint

A quote from the UK site – I’ve highlighted the relevant reasons for the complaint.

How do I know if my problem is a data protection problem?

You might have a data protection problem if any of the following apply to you:

  • You have been denied any of your rights, including your right to see the personal information an organisation holds about you.
  • Personal information about you is used, held or disclosed:
    • unfairly
    • for a reason that is not the one it was collected for, or
    • without proper security.
  • Personal information about you is:
    • inadequate, irrelevant or excessive
    • inaccurate or out of date, or
    • kept for longer than is necessary.

Linden Lab in another data security breach. Possibly payment details, definitely cardholder name and email address

Linden Lab has outsourced the processing of payment details to a company called Dragonfish, who claim to be “The Leading Provider of Online Gaming Solutions”.  How true this claim may be is for others to decide; one thing is certain: they appear to play fast and loose with their customers’ credit card data.

Apparently Dragonfish/Cassava Enterprises (the parent company) passes at least the card holder name and the email address to other gambling sites, this has been confirmed by people who have received spam email for gambling sites to email addresses that are only used for Second Life purposes*.  More worrying is that card holder names are also being passed, this claim was made by someone who received a spam email to the Second Life account used by the account holder yet addressed to the card holder name which was someone who had allowed them to use the card to make payment to Linden Lab*.

Added to this was the extremely poor method of verifying a card holder.  All reputable payment processing organisations use the card verification plugin provided by the credit card company (think “Verified by Visa” and the rest) but not Dragonfish, they send emails with the following text* before they even use the security provided by the card companies. This of course is unnecessary as the card company is best placed to verify the card, so the question arises as to why this effort is being spent on obtaining copies of the card.

(*to view links marked * you need a Second Life account and be logged into the forum.)

Operations Department – Second Life to me
2:48 PM (2 hours ago)

Dear Resident,

I am Paramjit B. from the Operations Department at Cassava Enterprises (Gibraltar) Ltd. I am contacting you with regards to your Linden Lab account with username “(name redacted)“.

As part of our continued efforts to provide confidence and security for all of our members, we will always seek to verify the ownership of any credit cards used to make a deposit. As such your account may experience enhanced security steps at deposit stage, including processing through Verified By Visa or Mastercard Secure.

To process your deposits without this requirement and in order to become a fully verified customer, please send us the following documentation –

–  A photocopy of your credit card ending # 0479 (front & back)
–  A photocopy of your national identity document such as an ID card, Passport or Driver’s License

These documents can be sent to us by you uploading them through the link:

Please copy and paste the above address directly to your web browser. You will then be prompted to enter your username and password. You will then be guided through a simple process to upload the requested documentation.

Please note that to ensure the security of your documents we have implemented powerful security policies, rules and technical measures to protect the financial security of our Residents. However, please make sure that you block the middle 8 numbers of any credit/debit card uploaded and also block the CVV (3 digit code) on the back of such cards.

If you have any further queries with regards to our requests please review first our Frequently Asked Questions, located on the “Contact Us” tab of the website. Here you will find all the information on why we routinely request documents, how it is possible to send these documents, and the type of documents that we will accept. All these questions and more are answered by typing in the relevant key words to the Frequently Asked Questions search option.

Many thanks for your continued patience and co-operation in this matter.

Paramjit B.
Payment Operations
Second Life

I did smile wryly at the claim they have “powerful security policies” but then ask you to remove some of the card details and in breach of best practice for financial services, they provide a link to the web page to upload the documents.

Neither Linden Lab nor Dragonfish have ever provided details of their customer data handling procedures.  If you ever send sensitive documents like this to Linden Lab you have no idea what becomes of them, for example;

  • who has access to the data? (apparently everyone by the look of it),
  • if the information is printed out, how is it disposed of?

This is a concern as Linden Lab has had data security breaches in the past which they never advise their customers of.  Those we do know about range from the wholesale breach of the database in 2006, which resulted in everyone being advised to change their password, to last year, when accounts were compromised but only those affected were notified when they tried to access their account.  Given these and the doubts (now realised with this Dragonfish leak) about their commitment to protecting their customer data, giving Linden Lab your data is a risky business and, on the balance of probabilities, sending them copies of your ID is foolhardy.

It’s been 8 months since full payment options were available to Second Life users.  Apparently Dragonfish are having problems delivering the solution.  If Linden Lab were anyone else, the fact that their new supplier of services had effectively stopped some overseas customers paying them would have been a big deal.  Linden Lab appear to be fine with it, apart from reinstating PayPal payments last week after some pressure and bad publicity due to people losing their regions and accounts due to LL not providing a mechanism for their customers to pay them.  This project seems to continue to meander along with a possible release date of this month, yet as usual the Beta deployment isn’t even what would normally be considered Alpha, let alone fit to be deployed for customer use given the sensitive nature of the transactions.

Will I use local payments when it’s finally released?  No.  If I ever have to add new payment details and Dragonfish is the only choice then I won’t be doing it. There’s nothing I need in Second Life that would make me provide my details to a site that cannot keep the financial data secure.

How will you know if your data has been compromised?

You can’t really, if you live outside the United States and in particular Europe and have recently used Linden Lab’s local payment option (new accounts apparently were forced to join the beta test for this, for the rest it was “voluntary”), it is very likely that you have had your credit card details compromised.   There will be a couple of indicators that arouse your suspicions.

  • You should have received spam emails from gambling sites.  Although, if you use a provider such as gmail, yahoo or hotmail you may not have received them as the spam filters
  • You may see unusual transactions on your card statements

What you can do

  • Check your spam folder to see if you’ve received any spam emails from gambling sites
  • You should check your card statements, and
  • Consider making a complaint to your local data protection commissioner.

Here is the link to the European Data Protection authorities:

Here’s the UK one:

How do I know if my problem is a data protection problem?

You might have a data protection problem if any of the following apply to you:

  • You have been denied any of your rights, including your right to see the personal information an organisation holds about you.
  • Personal information about you is used, held or disclosed:
    • unfairly
    • for a reason that is not the one it was collected for, or
    • without proper security.
  • Personal information about you is:
    • inadequate, irrelevant or excessive
    • inaccurate or out of date, or
    • kept for longer than is necessary.

I’ve highlighted the relevant reasons for the complaint.

Dragonfish has a UK office, you may like to also lodge a formal complaint with them.

Dragonfish UK

20 Thayer Street

As always, carefully think about the information you provide to Linden Lab.  The risk of it being accessed by unauthorised people appears to be continuous and real.