Is spyware the root cause of this data leak?

Linden Lab published this yesterday to remind people about basic internet security.   In a roundabout way it is very forcefully reaffirming Linden Lab’s position that these spam emails are as a result of user machines being compromised.  Unfortunately it ignores what is being said by those who have been affected.  The thread where this is still being discussed is here.

Once I am convinced that this was due to spyware I’ll remove these posts and replace them with a background piece and the actual cause.  At the moment I’m not at a level of comfort to be able to accept the Linden Lab position.

Without knowing how local payments work, what data is required and if you need to access the Dragonfish site to do this rather than via the Second Life web pages (and there’s no way I’m going to test it out), my problems with blindly accepting Linden Lab’s position are:

  • If an email address is used for Second Life only, the last time it was probably entered anywhere was when the email account on the Second Life website was updated – assuming people pull their emails down to an email client or it will be used to log into the mail provider if accessed via the web.  Although, web access does increase the chance that spyware could capture it.
  • Those who have identified the spam emails claim their machines are spyware free.  Although none have yet said if they run scheduled checks and if they’ve reviewed the logs down the last few months to see if anything has been picked up.
  • If it is spyware, then I would expect their non Second Life accounts to be receiving spam as well, I doubt there is anyone who only uses their second life email address, yet I’ve not seen any reports of this.
  • Whilst there is a chance that somehow this spyware is clever and targetted enough to only recognise second life accounts and wait until it has the card holder name from a transaction against a Second Life account to send the data to the data collector to enable the email to be sent out, I wouldn’t consider it likely.

I’m still not convinced this can be brushed aside as user carelessness and I would certainly be asking Dragonfish to explain. As Linden Lab are so publicly committed to protecting our data, I would have expected them to contact those who are currently claiming that spyware is not the cause of this to ask them for the emails, to check their logs to see if any spyware has been removed in the last few months and to ask them where they use the email addresses in question. Just brushing this aside as user carelessness without even going through the motions of due diligence doesn’t impress me. Just saying “contact us” in what looks like a peripherally relevant post isn’t what I would expect of a company who is so committed to protecting our data and believes in good customer relations but of course the only recent Linden Lab employee who publicly demonstrated that commitment and understanding of the basics recently ceased working for the company.

Linden Lab are extremely lucky with their user base, the user base is extremely tolerant of errors, it’s extremely rare that people ever exercise their right to complain to external authorities and they’re easily distracted.  Given another week this will have passed from most memories and this will have been just another blip on the horizon.

However, since I’m not feeling enough confidence in the Lab over this, I’ll stick to avoiding local payments and keep these posts here.

Advertisements

Linden Lab and the Dragonfish data breach

True to form, Linden Lab are now blaming its customers for the leak of card names and email addresses.  They claim that the data breach is due to poor computer security on behalf of those whose data has been compromised.

FJ Linden responded in the form thread (post 31) and said

01-06-2011 05:26 PM

Thanks for raising this issue with us. Protecting our users’ privacy is of the utmost importance to Linden Lab. Based on our investigation, we have determined that the spam was not the result of a security breach or our billing partner selling Second Life users’ data to any third-party.

So, what happened? Unfortunately, it looks to be a case of email addresses collected by spyware, which can happen via a third-party application or website. The advertised site is not a property of Linden Lab or any of our partners. More information about this type of activity, and how email addresses are obtained through third-party software or websites, can be found here.

Again, big thanks for bringing this to our attention.

I say that it’s about time that Linden Lab employed some people who have business experience.

Which was promptly rebuffed (post 34) by one of those affected.

         Reply to FJ Lindenview message

01-06-2011 06:58 PM

1) I received these spam-emails to 3 addresses used for SL. 2 of these are ONLY used for SL. And NONE of my other email-addresses received these spam-emails and I have dozens of addresses. One for each account on some website or other. As I said NONE of these other email-addresses received the spam. It is highly unlikely (though admittedly not impossible) for a spyware to randomly get just 3 addresses that are known to SL and none of the others. If my math is correct then the statistical probability for this is about 0.3%. (8 out of my total of 50-60 email-addresses are known to SL)

2) I know how to take care of my computer-security. I have 20+ years of experience as an IT-professional (programmer and webserver-administrator). NEVER in all those years have I had a virus/spyware on my computers. I use Firefox with Noscript-plugin to keep Java, Javascript and Flash disabled for almost all websites except trustworthy ones. BTW: Stop putting Javascript on s3.amazonaws.com as it forces me to enable Javascript for all of amazonaws.com. This is a security-hole waiting to be exploited. I already posted about this over a year ago when you first started doing this.

3) The fact that the advertised sites don’t belong to LL or some partner of LL doesn’t prove anything. Only a very, VERY stupid spammer would make it that easy for you.

4) We are not just talking about email-addresses here. We are also talking about RL-data associated with the email-addresses. In my case the spammer knew my RL-firstname. In one case reported by someone else it was the combination of an email-address used ONLY for SL and the full RL-name of the credit-card holder used for that account which was NOT identical with the user’s RL-name. I don’t see how any spyware could connect these two pieces of information.

In conclusion: Linden Lab, KEEP LOOKING!!! You are leaking this information *somewhere*.

Logically from the information given by one of those affected, the explanation given by the Linden Lab representative can not have occurred unless the Second Life payment site has spyware embedded in it.  One email was sent to an email address that apparently has only been used as the contact point between Linden Lab and the Second Life account holder, had not used elsewhere and the spam email had the card holder’s name, not the account holder.  The card holder is someone else and therefore the only place the matching of these two pieces of data could occur is Dragonfish.  The fact that card holder names are being used should have triggered alarm bells in Linden Lab.

The most likely scenarios are:

  • Corruption.  The data has been accessed and removed by an unauthorised person/s  working for Dragonfish and has been sold on to other gaming sites for personal profit.

I feel this is the most likely scenario but only Dragonfish can confirm this by checking who has access to the data.

The other possible scenarios are:

  • The emails came from other Dragonfish companies.  This means that Dragonfish is using the data without the knowledge or consent of those affected and in breach of the EU data protection laws.  Financial information (card holder name at a minimum) should never be used this way.
  • Dragonfish is selling the data on to other gaming sites.  Again this is a breach of EU data protection laws.  Financial information (card holder name at a minimum) should never be used this way.
This does look like a breach of internal security and the implications of this are worrying, not just for Second Life users but for all users of Dragonfish.  At the moment we are aware of the card holder details being compromised but it is very possible that the card details have also been compromised.  Assuming that the person/s distributing this data are doing it for personal profit then it may not just be gambling sites the information is being sold to.  This puts everyone who has used the Dragonfish site for a financial transaction at risk of card fraud and/or identity theft.
Third parties being careless with data is nothing new, this year in particular has seen a rise in companies needing to apologise because their third party supplier has not kept their customer data secure.  The one thing all these companies have had in common is they don’t blame their user base as an easy way out but investigate with the third party and take instant action to mitigate the data loss and the damaging publicity.
Linden Lab on the other hand is determined to blame its customers and hope the problem goes away.  It won’t if there is a worker in Dragonfish who is accessing and distributing the financial and contact data in breach of the company policy.  It’s data theft that is the issue here and Dragonfish will not admit this or take action to stop this happening in future unless Linden Lab forces them to.  Rather than just mouthing platitudes at the masses and hoping the problem goes away, I would suggest that Linden Lab actually get the details from those affected, analyse it and then go to Dragonfish and demand an explanation.  That’s what real companies who believe in protecting their customer’s privacy and the organisation’s good name do.

~~~

Unauthorised distribution of financial information is a serious breach and again I cannot urge people more strongly to make a complaint to their country’s relevant data protection commissioner.  I doubt this is the first time data has been leaked from this company and it will not be the last until all offenders are caught and dealt with.  If Linden Lab and Dragonfish will not take action then it is left to consumers to make a complaint to enable the authorities to act.
You should also consider contacting your bank or card issuer to advise them that your card details may have been compromised.  This enables the provider to monitor your card for transactions and stop card fraud before it occurs.

~~~

Within the next few days I would expect to see the following action taken:
  • The culprit/s are identified and are removed from the company ( I do believe it is likely that there is more than one)
  • Data security at Dragonfish is tightened to ensure this cannot happen again.
  • Dragonfish issues a statement where it admits full liability and publicly absolves Linden Lab for the breach
Anything less will imply that Linden Lab is at fault here. So if you don’t see this then draw your own conclusions.

Here are the relevant links to make a formal complaint

A quote from the UK site – I’ve highlighted the relevant reasons for the complaint.

How do I know if my problem is a data protection problem?

You might have a data protection problem if any of the following apply to you:

  • You have been denied any of your rights, including your right to see the personal information an organisation holds about you.
  • Personal information about you is used, held or disclosed:
    • unfairly
    • for a reason that is not the one it was collected for, or
    • without proper security.
  • Personal information about you is:
    • inadequate, irrelevant or excessive
    • inaccurate or out of date, or
    • kept for longer than is necessary.

Linden Lab in another data security breach. Possibly payment details, definitely cardholder name and email address

Linden Lab has outsourced the processing of payment details to a company called Dragonfish, who claim to be  “The Leading Provider of Online Gaming Solutions”.  How true this claim may be is for others to decide, one thing is certain, they appear to play fast and loose with their customer’s credit card data.

Apparently Dragonfish/Cassava Enterprises (the parent company) passes at least the card holder name and the email address to other gambling sites, this has been confirmed by people who have received spam email for gambling sites to email addresses that are only used for Second Life purposes*.  More worrying is that card holder names are also being passed, this claim was made by someone who received a spam email to the Second Life account used by the account holder yet addressed to the card holder name which was someone who had allowed them to use the card to make payment to Linden Lab*.

Added to this was the extremely poor method of verifying a card holder.  All reputable payment processing organisations use the card verification plugin provided by the credit card company (think “Verified by Visa” and the rest) but not Dragonfish, they send emails with the following text* before they even use the security provided by the card companies. This of course is unnecessary as the card company is best placed to verify the card, so the question arises as to why this effort is being spent on obtaining copies of the card.

(*to view links marked * you need a Second Life account and be logged into the forum.)

Operations Department – Second Life to me
show details 2:48 PM (2 hours ago)

Dear Resident,

I am Paramjit B. from the Operations Department at Cassava Enterprises (Gibraltar) Ltd. I am contacting you with regards to your Linden Lab account with username “(name redacted)“.

As part of our continued efforts to provide confidence and security for all of our members, we will always seek to verify the ownership of any credit cards used to make a deposit. As such your account may experience enhanced security steps at deposit stage, including processing through Verified By Visa or Mastercard Secure.

To process your deposits without this requirement and in order to become a fully verified customer, please send us the following documentation –

–  A photocopy of your credit card ending # 0479 (front & back)
–  A photocopy of your national identity document such as an ID card, Passport or Driver’s License

These documents can be sent to us by you uploading them through the link:

http://secondlife.com/my/account/billing-verification

Please copy and paste the above address directly to your web browser. You will then be prompted to enter your username and password. You will then be guided through a simple process to upload the requested documentation.

Please note that to ensure the security of your documents we have implemented powerful security policies, rules and technical measures to protect the financial security of our Residents. However, please make sure that you block the middle 8 numbers of any credit/debit card uploaded and also block the CVV (3 digit code) on the back of such cards.

If you have any further queries with regards to our requests please review first our Frequently Asked Questions, located on the “Contact Us” tab of the website. Here you will find all the information on why we routinely request documents, how it is possible to send these documents, and the type of documents that we will accept. All these questions and more are answered by typing in the relevant key words to the Frequently Asked Questions search option.

Many thanks for your continued patience and co-operation in this matter.

Regards
Paramjit B.
Payment Operations
Second Life

I did smile wryly at the claim they have “powerful security policies” but then ask you to remove some of the card details and in breach of best practice for financial services, they provide a link to the web page to upload the documents.

Neither Linden Lab nor Dragonfish have ever provided details of their customer data handling procedures.  If you ever send sensitive documents like this to Linden Lab you have no idea what becomes of them, for example;

  • who has access to the data? (apparently everyone by the look of it),
  • if the information is printed out, how is it disposed of?

This is a concern as Linden Lab has had data security breaches in the past which they never advise their customers of.  Those we do know about range from the wholesale breach of the database in 2006 which resulting in everyone being advised to change their password to last year when accounts were compromised but only those affected were notified when they tried to access their account and the doubts (now realised with this Dragonfish leak) about their commitment to protecting their customer data, giving Linden Lab your data is a risky business and on the balance of probabilities, sending them copies of your ID is foolhardy.

It’s been 8 months since full payment options were available to Second Life users.  Apparently Dragonfish are having problems delivering the solution.  If Linden Lab were any one else, the fact that their new supplier of services had effectively stopped some overseas customers paying them would have been a big deal.  Linden Lab appear to be fine with it and apart from reinstating PayPal payments last week after some pressure and bad publicity due to people losing their regions and accounts due to LL not providing a mechanism for their customers to pay them.  This project seems to continue to meander along with a possible release date of this month, yet as usual the Beta deployment isn’t even what would normally be considered Alpha, let alone deployed for customer use due to the sensitive nature of the transactions.

Will I use local payments when it’s finally released?  No.  If I ever have to add new payment details and Dragonfish is the only choice then I won’t be doing it. There’s nothing I need in Second Life that would make me provide my details a site that cannot keep the financial data secure.

How will you know if your data has been compromised?

You can’t really, if you live outside the United States and in particular Europe and have recently used Linden Lab’s local payment option (new accounts apparently were forced to join the beta test for this, for the rest it was “voluntary”), it is very likely that you have had your credit card details compromised.   There will be a couple of indicators that arouse your suspicions.

  • You should have received spam emails from gambling sites.  Although, if you use a provider such as gmail, yahoo or hotmail you may not have received them as the spam filters
  • You may see unusual transactions on your card statements

What you can do

  • Check your spam folder to see if you’ve received any spam emails from gambling sites
  • You should check your card statements, and
  • Consider making a complaint to you local data protection commissioner.

Here is the link to the European Data Protection authorities: http://www.dataprotection.ie/ViewDoc.asp?fn=%2Fdocuments%2Feuropean%2F6f.htm&CatID=37&m=i

Here’s the UK one: http://www.ico.gov.uk/complaints/data_protection.aspx

How do I know if my problem is a data protection problem?

You might have a data protection problem if any of the following apply to you:

  • You have been denied any of your rights, including your right to see the personal information an organisation holds about you.
  • Personal information about you is used, held or disclosed:
    • unfairly
    • for a reason that is not the one it was collected for, or
    • without proper security.
  • Personal information about you is:
    • inadequate, irrelevant or excessive
    • inaccurate or out of date, or
    • kept for longer than is necessary.

I’ve highlighted the relevant reasons for the complaint.

Dragonfish has a UK office, you may like to also lodge a formal complaint with them.

Dragonfish UK

20 Thayer Street
London
UK
W1U 2DD

As always, carefully think about the information you provide to Linden Lab.  The risk of it being accessed by unauthorised people appears to be continuous and real.

How I saved money in Second Life.

At the end of last year I spent some time away from Second Life – almost 4 glorious months in fact.  I did have to go in at least once a week to deal with the store but apart from that nothing.  I discovered that the longer I spent away from it the harder it was to force myself to log in, I was fine once I was in but eager to leave.  During that time I stopped caring about most sl things; search, the marketplace migration, the instability of the platform – even the closure of the business I used for my network vendors had a care factor of virtually zero.   It truly was a beautiful time.  I do enjoy being a virtual goods retailer but Second Life being what it is, everyone needs to come up for air and get some perspective sometimes.

Then just before Christmas I realised just how much I was neglecting it and I thought I should get back into it, so I went back to the workroom and started building.  Since then I’ve surveyed my *cough* empire and was shocked at the reality of how Linden Lab are implementing their objective of streamlining their world.

  • I’ve discovered that search inworld has been optimised once more, in fact they’ve optimised it so much that some of my smaller stores can never be returned in search.  So I’ve taken them out of search, cancelled the classifieds and am in the process of removing them and selling the land.
  • I’ve rediscovered that one of my larger parcels still doesn’t appear in search.  That classified is quite expensive but I’m almost at the stage of pulling the plug on both the parcel listing and the classified. The parcel listing drives traffic more than the classified.  LL won’t refund me for all the money wasted so far and I got tired of live chat telling me to tweak it/wait for the latest update/give it a few more days. 9 months is more than enough time to fix it and they haven’t so I can only assume they don’t want that business.
  • I’m on a version of the rc server code and I’m tired of people IMing me to say that they have an account stuck on the region/haven’t received their purchase from one of my vendors.  I’m also tired of the rolling restarts that seem to be endemic at the moment on that poxy rc.  Do you think I can find out how to get off it?  live help could only suggest I put a ticket in to ask, which of course Linden Lab have promptly ignored.
  • Inworld search is so poorly built that it isn’t even capable of keeping the returns filtered by maturity rating, add that to their inability to get some listings to actually show in search at all and to apply their relevance weightings in a manner that a reasonable person would consider logical. The only thing you can say is that it ticks the fail box.
  • Then there’s the marketplace.  The merchant back end is still at fag packet prototype level and the relevance function is once more embarrassingly bad.  I finally relisted all the items that were corrupted by the migration but now each time I make a change they lose their relevance position and of course don’t have the old xsl data which looks like it is used in the relevance calculation.  

Despite this I spent the last week considering expanding as I’ve run out of prims at the mainstore and need a new full prim region and a couple of homesteads. 

So I did some pros and cons – here’s the list:

Pros

  • I can keep releasing items. 
  • I can make the store more visually attractive and easier for shoppers to find what they are looking for.

Cons

  • I’ll be paying an extra $545 per month on top of the purchase price and there’s no guarantee I’ll see a commensurate increase in sales.  
  • I can’t divide the regions into parcels as smaller regions are penalised in search, so it makes it pointless to try to cleanly target different markets
  • There’s no guarantee Linden Lab won’t stop tinkering with inworld search or the marketplace.  Last year I found out how much of my sales depend on visibility in search and in the marketplace.  I was pretty shocked at the percentage.  The risk of a recurrence of search failing to deliver relevant results is high and the amount of effort required to keep on top of their latest changes via reverse engineering (because God forbid they ever tell us what they’ve done) and then adapt to the change before they change it again is too time consuming for no real return.
  • Concurrency and demand for Lindens is reducing.  Less money and less people means less opportunity for sales.
  • I can’t even be assured that I’ll appear in search.

Now, I really do want to expand, despite the list.  So I went to the land page and there was a button that offered me a human to chat to about it.  

Want Help?

Land specialists can answer
your questions.*

*(Available Wed-Friday 8am-6pm Pacific Time)

As you can see, they’re only available a few days a week but my luck was in as I was looking at the page as these humans were supposedly there.  So I clicked the link, thinking that just maybe the human would say something that might give me the confidence to go ahead and buy – a discount would have been nice but I’ve in SL so long that I know better than that – but I wanted to try – even if they would offer something like actual attention to my tickets and resolution to the search issues I may encounter would have been enough.

Anyway, I clicked on the link and it came back “page not found”.

Sums it up really

So, here’s what I’ve done.

  • I’ve cancelled the parcel listings and the classifieds for the smaller plots that are no longer returned in search. 
  • I’m going to close them and sell the land. I toyed with buying a 1/4 sim on mainland as a sop but the fact they’re all RC is enough to put me off that.
  • I’m not going to expand – Once I can no longer remove prims to make way for the new releases that will be it.

Which means..

  • LL have lost at least $6540 usd plus sinks per year (I was planning on converting the new homesteads to full prims later in the year as part of the growth plan, which would have uppped the overall take – assuming they could do something as simple as upgrading them)
  • I’ve gained many hours in my day as I don’t have to spend all that time setting up the new regions
  • and soon I won’t have to worry about creating anything as there’ll be no room to put it

Pretty well any other B2C outfit would have been all over me at the thought of generating that kind of income, then there’s Linden Lab.  I suppose Linden Lab think they’re creating the new paradigm for self-confessed successful online businesses that in reality are struggling –  Don’t provide service, look amateur, deliver  a shoddy product, pretend the customer doesn’t exist when they ask for help via the support they supposedly pay for and better still, ignore the key drivers for your business and make it as hard as possible for your users to use your service.

Why do they do this?  Are they really so ignorant of the underlying drivers for their world?

The rumour mill says Linden Lab will file for bankruptcy. It’s probably more true than not.

I was just finishing off a post explaining just why the rumour I read yesterday that Linden Lab was about to file for bankruptcy was unhelpful and untrue speculation – despite the reduction in support and all the other things that have been going on with Linden Lab that have given the impression that the company is going out of business..  then I saw this.

Why does Linden Lab constantly snatch defeat from the jaws of victory?  From the deluge of users they cavalierly despised and ignored back in 2006, viewer 2, xstreet to slm migration, zindra, homesteads, AU, the approach to reducing the number of smaller estate owners via the deluge of around 500 regions via the Atlas programme and finally kissing goodbye to all but the most passionate and monied educators and non profits with the tier increase next year..  I’ve always despaired at how totally wrong LL seems to get things.  Now it looks like it’s all coming home to roost.

I desperately hope I’m wrong but the signs aren’t good.  I thought we might have another 12 months left but perhaps my original thought that they wouldn’t last until Christmas really was more accurate.

This is completely down to poor judgement on Linden Lab’s part.  I really could give them a slapping.

Linden Lab indirectly endorses possible federal criminals – who would have thought it?

The Emerald viewer is one of the Third Party Viewers (TPVs) registered with Linden Lab and allowed to connect to Second Life.  Down the last 12 months the developers of this viewer have sullied their reputations through unauthorised data collection of user login details, activities that would breach most consumer protection laws, unauthorised collections of data inworld and a few other activities that generally leave a bad taste in the mouth.  They brag and they sneer about it to anyone who points out their unacceptable behaviour and generally behave in a manner which reflects what they are – immature and dangerous kids.

No matter what these developers have done (including apparently originally creating a copybot viewer and at least one of the developers entering the 18+ grid when they were under age and with LLs knowledge and consent) Linden Lab have turned a blind eye.  Each time Linden Lab ignores the poor behaviour of the Emerald developers and each time the behaviour is worse.

This time they went a little too far – they used the Emerald viewer to commit what is apparently a US federal crime using by using the computers of all those who logged into Second Life during the period 8-17 Aug 2010 using Emerald to undertake a denial of service attack (DDoS) on a website that one of the Emerald developers had taken a dislike to.  This is no small number, 70% of the current SL userbase apparently uses Emerald as their access point to Second Life – a number supposedly confirmed by Google Analytics.

Modular Systems (the company who owns Emerald) called it “shenanigans”.  I call it a breach of trust and unauthorised use of a computer to commit a crime.  None of those users of the viewer during that period are probably even aware they are effectively accomplices to the crime and sadly even if they did know they probably didn’t care.  Even if they did care, LL has removed the link on their TPV page to report unacceptable activities of a registered viewer.  Do LL really think that by closing their eyes and putting their hands over their ears this will go away??  They can try to distance themselves as much as they like but they allow the continued registration of a viewer that has been identified previously as breaching the ToS (along with the developers as individuals), I just don’t understand why Linden Lab refuse to acknowledge how their reputation is damaged by this.

So, for those of you who use emerald and logged in between 8-17 Aug, be aware you are in theory an unwitting accomplice in a Federal crime.  Also remember they have some of your login details from earlier this year, I’ll lay bets they didn’t dispose of those details once they noticed the “oversight” that lead to the data capture and storage.

Philip Linden has said Linden Lab has an objective of bringing the majority of the userbase back to using a Linden Lab provided viewer – he wants to do this so they can roll out new features.  I’d say that it’s more imperative to do it to protect the users of Second Life who are unaware of the criminal activities of the Modular Systems developers and to protect the reputation of Second Life.

Although the chances are slim – Linden Lab has never felt a need to protect any of its users from the less ethical elements that are drawn to SL and I doubt that is ever going to change.

for more information go here.  I’m not going to link to the Modular Systems blog post nor to the site attacked, but I will link to this post, where the site owner talks about what some Modular Systems developers have been doing to harass him.  Also note that he mentions that the viewer user details were being disclosed – pretty serious stuff.

Suffice to say, if you do use Emerald then you should seriously reconsider your choice of viewer.  Imprudence and Rainbow are good alternatives – they have the majority of Emerald features (right down to the jiggly boobs) and I certainly believe Boy Lane (the creator of the Rainbow viewer) is above reproach.

Or of course you can look at other platforms.  Inworldz is coming along quite nicely. Yes, it’s still rough around the edges but of all of them it has the best chance of success and a lot of the Second Life content creators have moved or are in the process of moving in.

Am I the only person who is tired of Linden Lab luring people into Second Life and knowingly allowing others to take advantage of them?

Where is the Linden Lab Second Life Q2 report?

People maligned M, and certainly I didn’t have a lot of time for some of his *ahem* enthusiasms, but one thing I did appreciate was the quarterly report.  Yes, they started out as a work of fiction (does anyone remember the first few where the major fun to be had was picking them apart and demonstrating the inconsistencies and fallacies they indulged in?) but as time went on they were a good indication of just where SL was heading and at least gave some confidence (under all that distracting flannel) that they were managing the decline.

Unfortunately Q2, which by any standards was crucial to understanding the current state of SL, and future quarters, will not be reported on.  It looks like those state of the nation reports have gone the way of M.  To add to this, Tyche Shepherd doesn’t have time to do her version, which I suppose allows LL to opt out and hope we won’t notice.

Anecdotal information indicates even the solution providers are giving up and a lot of content creators are giving up their land.  The decline is feeding the decline – on top of the issues around search, the Xstreet marketplace and all the other things that make people lose heart.  Make no mistake, creators are losing heart – I can name two of the larger creators who would usually be quick to take advantage of anything that would boost their exposure and sales are showing signs of despair and defeat and I never thought I’d see the day that either of them would ever behave like that.  

However, I wouldn’t read too much into the grid size decline.  Those 400+ regions that came online a few months ago distorted the land market and I would have expected the grid to subsequently contract as it’s apparent that the demand wasn’t there for that kind of influx.

The only thing I’m concerned about is who owns the regions going offline.  If the shrinkage is being caused by smaller operators reducing their holdings then the question to be considered is just how much impact that deal with the major land owners has had on the smaller estates.  The potential for that event to be the estate version of the impact of Zindra is real.  For those of you who don’t follow this closely, Zindra demonstrated just how weak SL is – the impact of the adult content landowners trying to sell around 200 regions worth of land (the real number isn’t known because some kept their land, some abandoned it and some sold it) depressed land prices to such an extent that even 12 months later it not only hasn’t recovered but has declined further.  0.05L/sq m is shocking..  I grant you this is for visually unpleasing rocky terrain, but I paid something like 12L/sq m for the same stuff in mid 2007.  Even flat and green can be picked up for around 1L/ sq m – I paid 4.2 for the same type of land in February of last year.

What I would pay attention to is the linden sinks.  When I looked last week at the numbers for July, there was an average decline of 15% of the sink income over June.  This is after factoring frequency of the sink income.  What was remarkable was the decline in those parcels set to show in search – that was around 19% compared to last month.  Now it could just be that not all parcels had their parcel fee collected or it could be that some businesses consolidated their parcels but on those basic numbers I would hope that there’s some kind of alarm bell ringing somewhere.

But then, Linden Lab has never been very good at the financial management side of the business.  You’d like to hope they finally get to grips with the idea that money won’t continue to rain down on them despite their best efforts to stop it but I’m not optimistic.