Posted Monday, April 17th, 2006, at 9:33 am Eastern by Mark Wallace

The virtual world of Second Life ground almost to a halt this past Saturday night after being attacked by malicious, self-replicating objects that prevented users from conducting business as usual. Several similar attacks shut the world down completely last year. This one only made it impossible for avatars to move around normally, and led to Linden Lab having to temporarily switch off much of the world’s functionality (including the ability for anyone to log in) while they cleaned up the mess. The attacks raise an interesting question: Can a place where users are free to create their own content ever be made completely safe from attacks like these?

The very thing that makes Second Life unique — the ability for any user to create any object at any time — is also what makes it vulnerable to such attacks. It’s an easy task to create an object, place a script within it that first copies the object and then copies the replication script, and finally places the replication script within the new object. You end up with objects that replicate in powers of two, like cell division, and which quickly overwhelm the capacity of LL’s servers. This is essentially a denial-of-service attack on a virtual world.

LL’s first response to this, last year, was to disable certain aspects of object creation, unless the object in question was operating on land owned by the object’s creator. But this removed so much functionality from the world — virtual retailers were no longer able to sell items in rented plots, for instance — that the company quickly had to backpedal. In a later attack, administrators were able to prevent the spread of such objects by taking only certain servers offline, in effect creating a virtual firebreak. But as the world grows, it will quickly outpace the ability of humans to respond effectively to such attacks. The question is, can the technology itself be made to protect the world?
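The doubling growth and the firebreak response described above can be put into numbers with a small model. This is an added simulation, not anything from Linden Lab or the original post; the row-of-regions layout, the per-region capacity, the seeding rule and the reaction ticks are all assumptions chosen for illustration.

```python
# Added illustration: a constructed model, every parameter is an assumption.
def simulate(regions=9, capacity=15000, start=4, react_tick=None, max_ticks=500):
    """Model a row of region servers hit by a doubling replicator.

    Every tick each object in an unsaturated region copies itself once.
    A saturated region seeds one object into each clean, online neighbour.
    At react_tick (if given) operators take the clean neighbours of every
    infected region offline: the firebreak.
    Returns (last_tick_with_change, saturated_regions, offline_regions).
    """
    count = [0] * regions      # objects per region
    online = [True] * regions  # False once a region is pulled for the firebreak
    count[start] = 1           # the single seeded object
    last_change = 0

    def neighbours(i):
        return [n for n in (i - 1, i + 1) if 0 <= n < regions]

    for tick in range(1, max_ticks + 1):
        if tick == react_tick:
            # Operators respond: isolate every infected region.
            for i in [r for r in range(regions) if count[r] > 0]:
                for n in neighbours(i):
                    if count[n] == 0:
                        online[n] = False
        nxt = count[:]
        for i in range(regions):
            if count[i] == 0:
                continue
            if count[i] < capacity:
                nxt[i] = min(capacity, count[i] * 2)   # powers-of-two growth
            else:
                for n in neighbours(i):                 # spill past a full region
                    if online[n] and count[n] == 0:
                        nxt[n] = 1
        if nxt == count:       # nothing left to grow or spread
            break
        count, last_change = nxt, tick
    saturated = sum(1 for c in count if c >= capacity)
    return last_change, saturated, online.count(False)


if __name__ == "__main__":
    for react in (None, 10, 20):
        print(react, simulate(react_tick=react))
```

With these assumed numbers an unanswered outbreak saturates all nine regions by tick 74, while a firebreak at tick 10 loses one region and one at tick 20 loses three, which is the reaction-time problem the paragraph above points to.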

Answering that question will depend in part on how virtual worlds develop. It may be that as 3D online spaces proliferate, they will leave behind the contiguous model of Second Life and take on an aspect similar to Web pages, which are more loosely joined. Even in a virtual world like that, though, a deep kind of avatarized navigation will mean that users will be able to bring their own objects with them wherever they go (in the form of at least clothing and other attachments), which in turn makes such places vulnerable, to an extent.

I don’t pretend to be able to answer these questions at the moment, but they raise an interesting aspect of 3pointD development: There will be a new set of security questions that will have to be addressed as the 3pointD world moves forward. My guess is that, just as with the current Web, no solution will ever be airtight. In any case, these will be important questions for world and “space” designers to keep in mind as the technology moves forward.

[UPDATE: Steven Davis at the PlayNo Evil game security blog weighs in with this post.]

