Securing a User-Created Metaverse

About two weeks ago, we asked the question, Will Second Life Ever Be Safe? That day may come, but it hasn’t yet arrived. As noted in the previous post here, the virtual world of Second Life was today hit by yet another attack that necessitated Linden Lab’s closing its Grid, the third time in two weeks. (The last attack, which came just yesterday, was blogged by Tony Walsh at Clickable Culture.) The attacks all have one thing in common: they take advantage of the single most attractive aspect of SL — the ability for users to create their own objects — and turn it against the virtual world.

The history of what LL calls “global attacks” stretches back at least to October 2005, which seems to be the first time the Grid was downed by self-replicating objects. An attack in November was contained when LL took a number of regions offline, but another in December brought the Grid down yet again. Now there have been three more in the span of two weeks’ time.

The crashes have undeniably cost LL money, but what the company can do to protect against them remains unclear. After last November’s attack, CEO Philip Rosedale said he had turned over the attacker’s name to the FBI. The Lindens are again “working with the authorities to go after the people responsible for these attacks,” according to LL VP Robin Harper. But will that be enough?

It would seem that what’s at stake here is nothing less than Second Life’s model of free content creation. At the moment, anyone can log into Second Life on a free account and set about dreaming up 3D creations straight from their imagination. The world presents an unprecedented 3D canvas that’s available to anyone, and has attracted more than 200,000 members as a result.

But that freedom also means that it’s relatively easy to launch the kind of denial-of-service attacks that SL has suffered recently, in which self-replicating objects choke the world’s servers into submission. Is there a way to prevent such attacks without hamstringing the open content creation that is the hallmark of SL?

Linden Lab’s current tactic seems to be to rely on real-world authorities. If punishment is harsh enough, this could serve as a deterrent. But if it isn’t, chances are that LL will have to rethink some part of their model. That was the company’s initial reaction to the first attack, last October. In the wake of that attack, LL disabled object creation except on property owned by the resident who owned the object in question. But this essentially removed all interesting functionality from the world — vendors, for instance, could no longer sell objects in someone else’s shop — and was soon rolled back. A technological solution has yet to be found, apparently.

Interestingly, LL’s initial vision of content creation is one that might have protected against self-replicating DoS objects. When the Grid first opened, residents were charged a small amount for each object they created. At the time, residents were billed at the end of each week. A real-time payment scheme would provide a deterrent for someone contemplating unleashing millions of objects onto the Grid. But this would be a crude and heavy-handed solution that probably wouldn’t go over well, and would certainly slow adoption to a crawl.

The latest attack comes at a particularly bad time, with Second Life receiving unprecedented media attention, as well as commentary from high-profile bloggers like Robert Scoble. Major corporations are currently contemplating moves into SL, or have projects under way there already. At least one high-profile event is scheduled for this evening — a Second Life Future Salon featuring machinima-makers Paul Marino and Pierce Portocarrero — and may have to be postponed.

Like any other service provider, Linden Lab will have to find a way to ensure that its service will be up and running on a consistent basis. How this can be done is anything but clear at this point. I imagine a solution will eventually be found, but its timing could make an enormous difference to the success or failure of Second Life.

Attacking the problem could also necessitate a shift in Linden Lab’s internal philosophy. The company currently runs on a flat, cooperative model of prioritizing new features and bug fixes; the things that get done there are determined more by what the employees feel like tackling than they are by a strong hand at the top. (Philip Rosedale has described the model to us on SecondCast.) Whether that model can focus enough energy on a solution is an interesting question. At the moment, Linden Lab’s marketing machine seems to be moving faster than its technologists. That may have to change if the world is to continue to thrive.


  1. Prokofy Neva

    I knew that when tenants started reporting to me that beach balls were returning to their inventory so fast the messages were capping, and the ball was made by “Philip Linden,” that I was in for another evening of lost business — I was just trying to arrange a land sale and move in 3 tenants, one very new, as the attack hit. You’re focusing on what this means to Robert Scoble or the Salonistas, who can go meet on Google Earth or something (or in Queens as they were doing today in RL), but let me tell you, for small business taking micropayments within the world, these attacks are hugely destructive — it means a day you cannot earn enough to pay tier and pay bills. Indeed, if the Lindens credited everyone for tier on the days their servers were unusable due to their failure to grapple with these repeated grid attacks, that might help them to get off the fun stuff on the BLOTTD and really fix the problem.

    Philip Linden’s beach ball. Huh? Well, no, that’s just something in the library we all had, and some goofus took it out and put some malicious script in it, maybe not even detectable (I discovered to my puzzlement when I had a huge grief attack using the “set to group” exploit that even when the Lindens had the infected object they couldn’t necessarily see the UUID of the script-maker who dropped the malicious script in an object I had made).

    When the Lindens stop writing copy like “the world is your canvas” (so not surprisingly, people scribble on it); when they stop winking and nodding and celebrating people who reverse-engineer, hack, and tinker with their code by putting them in the hilarious “cornfield” and getting mega media coverage for it (instead of just banning them completely); when hacking the grid will stop seeming like your 3-D resume submission for a job at Linden Lab, then they may begin to end the culture of impunity.

    Let’s ask ourselves, too, who benefits from the ability to move objects across sims. Is it really about “selling objects from one person in a vendor on another sim”? Isn’t this function more to the advantage of *third-party shopping sites* like SLBoutique, the ESC-owned entity that *sponsors this blog*? If that is the case (perhaps you could contemplate), no one would expect ESC and SLB to be willing to forego their shoppers’ access to the sites for the sake of the world’s stability. Their ability to move objects between sims in this fashion, like trucking in the real world, can’t be halted just because a terrorist put a bomb in one truck (if that is the correct analogy — and I don’t know if it is).

    But what could they suggest, then? Why aren’t the firewalls working?

  2. secureplay

    Prokofy Neva raises an excellent point – when are the businesses that are the backbone of Second Life going to take action against Linden Lab? The company doesn’t seem to be doing its job to support those who make the game a success.

    Since an awful lot of these businesses are NOT real estate firms, but rather selling cool stuff, Linden Lab doesn’t really have a meaningful way to compensate them.