Join 3,414 readers in helping fund MetaFilter (Hide)


Second Life turns in players to the FBI
December 15, 2005 10:06 AM   Subscribe

Second Life CEO turns in players name to the FBI for disrupting one of his virtual parties. In the world of Second Life any player can create objects using the built in scripting language. Some players have created self replicating "bombs" or hand out embedded pornography. Instead of just banning users or limiting what can be done with the scripting language the CEO Philip Rosendale is simply turning over the names of players straight to the feds and expecting the FBI to prosecute players under existing anti-DoS laws. A case of the bruised ego of a self-important CEO or are virtual world 'hackers/pranksters' best treated like common criminals?
posted by skallas (67 comments total)

 
SmartFilter blocks out the first site as "pornography".

Damn filters.
posted by SweetJesus at 10:11 AM on December 15, 2005


ooh, common criminals! COMMON CRIMINALS!
posted by jimmy at 10:12 AM on December 15, 2005


Couldn't he just have someone program virtual FBI agents?
posted by NationalKato at 10:14 AM on December 15, 2005


I remember back in the day I used to mess around with PennMush, which had a similar facility, in that you could script objects. I made a vending machine that distributed vending machines. It was awesome. That is all, over.
posted by RustyBrooks at 10:15 AM on December 15, 2005


So... there's an exploit in the game that allows griefers to do nasty stuff, and rather than fix the exploit, he's sending the actual, for-reals FBI after them? Doesn't the FBI have better things to do?

Oh wait... pornography. I take it back. They'll be all over it.
posted by Durhey at 10:17 AM on December 15, 2005


ather than fix the exploit, he's sending the actual, for-reals FBI after them?

Would you be okay with them doing both, or do you think the griefers should get a pass no matter what?
posted by PinkStainlessTail at 10:24 AM on December 15, 2005


The SL scripting language is both annoyingly limited and very powerful. Self-replicating objects, unfortunately, are one of the easiest things to do. SL is probably the first game to reach broad usage where any resident is technically capable of crashing the entire game. The Unix equivalent would be the 'fork bomb'. In Unix, the way that's generally handled is with kernel-arbitrated limits on how many processes can be spawned by particular users. SL might be forced to implement something like this eventually.

The fundamental SL design of 'trust the user by default' gives users amazing ability to create entirely new things, but it's really vulnerable to deliberate crash attempts. However, unless there's some bug in the system I don't know about, all such attempts are easily traceable back to the 'creator' of a given item... the account that originally made an item is permanently recorded.

The concept of Owner is different than Creator... if you, Evil Dude, give me a malicious item, even though the item is owned by me (and probably runs under my ulimits, if that concept is ever implemented in SL), your Evil Dude name is there in lights for anyone to see. Nobody but Linden Labs, of course, has any idea who Evil Dude really is, but they've got a valid credit card on file for every account, and they have your IP address, so that's a lot of data to give the FBI.

So SHOULD they do this? Absolutely. If they try to shut down the bad guys using technical means, they'll also be shutting down the GOOD guys via technical means. There are laws against deliberately disrupting a computer service; might as well use them.

You could argue that SL should, rather than relying on the crutch of the law, design an attack-proof architecture, but given what they're doing, that's probably not possible. Processor speeds have hit a huge brick wall. Implementing new features like that means burning precious CPU time, and there's never enough of that in a persistent virtual world.
posted by Malor at 10:27 AM on December 15, 2005


If "Dow Jonas" of "The Second Life Herald" is reporting that the CEO's cartoon, wearing a Santa hat, told other cartoons while dancing around a virtual bonfire that he was reporting a hack to the FBI, then federal agents must surely be on their way to make arrests any moment now.
posted by brain_drain at 10:27 AM on December 15, 2005


do you think the griefers should get a pass no matter what?

I don't see it as getting a pass, because I don't believe that they've broken any laws.

Just as they aren't violating any real-world planning regulations when they build monstrous houses, so they aren't violating any criminal laws when they build their atom bombs.

If you create a virtual world, and give people the tools to make an atom bomb, you shouldn't be prepared to deal with the consequences in that virtual world. Put them in virtual jail or something.

Disclaimer: I've never visited such a site. The only online game I've ever played is poker.
posted by PeterMcDermott at 10:31 AM on December 15, 2005


If you create a virtual world, and give people the tools to make an atom bomb, you shouldn't be prepared to deal with the consequences in that virtual world. Put them in virtual jail or something.

The virtual death penalty is not a deterrence, and if you read any Kant, you would know this.
posted by iamck at 10:33 AM on December 15, 2005


SmartFilter blocks out the first site as "pornography".

NotSoSmartFilterTM

Sorry to tell you this folks, but, i really hope that the FBI come back to LindenLab and say “unfortunately, since you’re LSL language allows for this, the ‘exploiters’ are breaking no law", damn wouldnt that put out the message, “come on in and find our scripting exploits", i would so love to see this backfire in their faces.

Me too.

One day, you receive 12 UCHU-guided bombs. What do you do?
posted by mrgrimm at 10:34 AM on December 15, 2005


This is some funny shit, and this is also indicative of a truly clueless "CEO".

Fix your site, don't rely on your users to play nice. They won't. And for Christ's sake, don't get the FBI involved. That just makes you look even more retarded.

The only online game I've ever played is poker.

It pays better than SecondLife anyway.
posted by wakko at 10:34 AM on December 15, 2005


This makes me want to get an account on second life, and make a taco that can create more tacos.

Everything's better with infinite tacos... right?
posted by I Love Tacos at 10:35 AM on December 15, 2005


It pays better than SecondLife anyway.

Not the way I play. :)
posted by PeterMcDermott at 10:37 AM on December 15, 2005


Silly.

Better to just lock up all gamers. Make the world a better place.
posted by HTuttle at 10:38 AM on December 15, 2005


Hilarious.

The Second Life CEO still doesn't have a life.
posted by Revvy at 10:41 AM on December 15, 2005


Not the way Jason Ainsworth plays, either...
posted by TonyRobots at 10:42 AM on December 15, 2005


I'd agree with the "It's just a game. Deal with it in the game sentiment." if there weren't people making their livings entirely in the game selling in game merchandise.

How is it at all different that someone deliberately crashing a mail or web server?
posted by joegester at 10:43 AM on December 15, 2005


So, Harry, should I infer that you think that posting snarks to MeFi is a much better use of one's spare time than playing games?
posted by solid-one-love at 10:44 AM on December 15, 2005


...different than someone...
Ugh. Also a misplaced quotation mark.

posted by joegester at 10:45 AM on December 15, 2005


How is it at all different that someone deliberately crashing a mail or web server?

When you get a virus on your network, do you call the FBI?

Didn't think so.
posted by I Love Tacos at 10:48 AM on December 15, 2005


I'm sure there's a line in the Terms of Use that gives him the right to do this. That said, he's behaving like a child and should just kick the offenders out of the game and make sure that all of the one's left understand that they can't behave like utter jackasses.

I'm sure the FBI's getting right on his complaint since it involves titties.
posted by fenriq at 10:48 AM on December 15, 2005


I'm surprised nobody has scripted tribbles in yet.
posted by chibikeandy at 10:53 AM on December 15, 2005


...different from someone...
posted by MrMoonPie at 10:56 AM on December 15, 2005


When you get a virus on your network, do you call the FBI?

If I knew who the author of the virus was I would. In a heartbeat.
posted by PinkStainlessTail at 10:59 AM on December 15, 2005


If wikipedia can deal with its absolutely massive number of attacks, no one else has any excuse not to deal with it themselves either. Spamers routinely make money attacking wikipedia with scripts, no mere game has to deal with that.
posted by jeffburdges at 11:01 AM on December 15, 2005


I don't see how people making their livings off of playing this game is an argument that this is the same as a DNS attack. People make their livelyhoods off of all sorts of stupid shit.
posted by klangklangston at 11:08 AM on December 15, 2005


I'd agree with the "It's just a game. Deal with it in the game sentiment." if there weren't people making their livings entirely in the game selling in game merchandise.

Maybe they should get real lives, jobs and such...
posted by c13 at 11:09 AM on December 15, 2005


First Life was way better
posted by poppo at 11:12 AM on December 15, 2005


Better to just lock up all gamers. Make the world a better place.
posted by HTuttle at 10:38 AM PST on December 15


This is a pretty weird gimmick you have going; I don't get it.
posted by Optimus Chyme at 11:15 AM on December 15, 2005


Actually, I'll bet that he ran this by the legal dept. who, aware that pornography is the new second front ot the war on terrorism, said: "Give it to the FBI before the come after us."

It's a combination of cluelessness and defensive paranoia. Sad that that's smart in these times.
posted by lumpenprole at 11:20 AM on December 15, 2005


Yeah. I don't get how that's against the law. Is it even against the rules of the game?

Sounds like a self-important prick to me. CEO or no CEO, if I met him I'd punch him in the nads.
posted by geekhorde at 11:20 AM on December 15, 2005


Give gamers the death penalty. Only way to cure recidivism.
posted by Rothko at 11:29 AM on December 15, 2005


This is pretty interesting... banning or threatening to ban might not be a deterrent but something actual that affect's your life might. The merging of real and virtual world's in economic and law is absolutely fascinating.
posted by stratastar at 11:47 AM on December 15, 2005


Man, that Escapist Magazine site is pretty...
posted by Ogre Lawless at 12:01 PM on December 15, 2005


It may be "just a game". but the willfully malicious acts of these people DO have real economic consequences. The biggest replicator bomb made in SL actually took down EVERY SINGLE one of their servers. That is a bona-fide denial of service attack. And when you DOS someone who's livelihood relies on the service you are attacking, then YES you ARE beaking the law.

The reason people don't call the FBI everytime they get an email virus is because they don't know who the wrote the virus. The SL CEO, on the other hand, absolutely knows who wrote it and who is fucking with his livelihood, thus he call the feds, and he has every right to.
posted by jaded at 12:07 PM on December 15, 2005


It may be "just a game". but the willfully malicious acts of these people DO have real economic consequences. The biggest replicator bomb made in SL actually took down EVERY SINGLE one of their servers. That is a bona-fide denial of service attack. And when you DOS someone who's livelihood relies on the service you are attacking, then YES you ARE beaking the law.

I don't think it's that clear cut. Does it function like a denial of service attack? Kind of. But is it the same thing? Not really.

The first difference that comes to my mind is that when a site or service suffers a DoS attack, the victim doesn't provide the attacker with the computer network to attack with. Say a group of hackers want to DoS microsoft.com. Do they contact microsoft and say, "Hey - let us pay you a little bit of money. In return, you'll give us access to a huge network of computers that we'll use to DoS your website."? Then, Microsoft goes "Sure! Pay up, here's your network!".. followed by calling the FBI when microsoft.com goes down.

I know that's not an exact analogy, but I think it makes my point.

In short: if the people who make SL want to let players have "real lives" and make "real items" in the game, they should have real ways of stopping the griefers. :)

Calling the FBI over this just seems stupid to me.
posted by JoshTeeters at 12:17 PM on December 15, 2005


I've never actually played Second Life, but it seems they sell themselves on giving the players the tools to do pretty much whatever they can conceive of doing. Unfortunately, this is going to include some people doing things that weren't initially conceived of.

How does the CEO even know that the intent was to crash the servers? Maybe the user in question just wanted to see if they could create a self-replicating object, and how far it would go. Perhaps the user didn't think that such as progressive MMO as Second Life would really not have foreseen the possibility of someone creating a self-replicating object.

Acknowledge the problem, fix the code, ban the user if malicious intent is determined, but don't call the FBI. For one thing, it's a complete overreaction, and for another, I think he's going to have a harder time convincing people to sign up for a game whose use can conceivably get you in trouble with the FBI.
posted by Durhey at 12:25 PM on December 15, 2005


Durhey: I agree with you.

If the player(s) had coded something OUTSIDE of the game, with the intent of taking down the servers, sure - call the authorities.

However, with how this story goes, what's going here, is essentially:

1. Players are given a sandbox, where they can make what they want
2. Players get into trouble for doing something with the sandbox that the sandbox creators didn't think of / plan for.

As you said...
Find the problem. Fix the code. And, if the player keeps trying, ban him.

An FBI case, this is not.
posted by JoshTeeters at 12:36 PM on December 15, 2005


I'm really glad I'd never heard of this game before reading this thread.

The CEO should read Snow Crash by Neal Stephenson. ["Hiro Protagonist": best name for a hero protagonist ever.]
posted by gohlkus at 12:39 PM on December 15, 2005


JoshTeeters: no, that doesn't make your point at all. Paying for an MSN account wouldn't give you the right to launch a DOS attack on microsoft.com (or msn.com).

I get the impression that most folks here only read the first article, which does make the CEO come off as sort of a prick. The "self-replicating 'bombs'" link is much meatier, raising all sorts of interesting questions about virtual societies.

Online virtual worlds like Second Life are just going to get more popular and eventually they're going to have their own functioning governments. Then we're going to see a lot of wild experiments, some of which may have significant reprecussions in the "real" world.
posted by zanni at 12:43 PM on December 15, 2005


Did player action cause commercial damages to the company and/or its users on purpose?

Is the player 18 or older?

Are those damages provable to be above the felony level (I believe US$10,000)?

If YES to all three, then call the FBI. You can't call a state agency, unless both are in the same state. Without consequences, this doesn't stop. Exploits > Prevention. Sure, make "commercially best efforts." But if you do, and people get around them anyway? Make them pay.

(A post from a game designer, small online business owner, and SL player.)
posted by andreaazure at 12:52 PM on December 15, 2005


Gohlkus: you really think someone who would create something like that could have not already read snowcrash?

Anyway, There needs to be a real dollar amount lost due to a hack for the FBI to get involved. Does this qualify? I'm not sure, seems like the kind of thing courts are for, unfortunately it's very unlikely you'd ever get a judge with enough knowledge to actually understand the situation. The other problem is that there are no 'misdemeanor' hacking laws. So it's either felony or nothing. If it was up to me, I'd tell the CEO to stop being a baby and fix his code.

Metafilter gives it's user base a lot of power too, but we don't call the FBI if people self-link.
posted by delmoi at 12:54 PM on December 15, 2005


I really hate when the argument for right or wrong hinges on commmercial worth. What if this was some free open source thingy no one cared about? I'm sure the admin who did this would not get all the support Rosendale gets because someone somewhere stupidly decided to quit their job and become the equivalant of a farmer in WoW.

As a potential customer I really dont want to contribute nor be part of a company whose easy to exploit system problems are considered to be best solved by running to the nearest authority figure and demanding arrests. I like to see some innovation and see developers and management take some responsiblity; not run off like crying toddlers with the DMCA in one hand and the leash of the state's attorney in another.

As far as the 'growing pains' for a virtual government argument goes, well, I'm not buying it. If you can "jail" my avatar, but my avatar can write a jail removal script, then you've done nothing. If I can't write these very powerful scripts then the problem solves itself.

The SL team really needs to do more in distributing power and access. If Rosendale really did call the feds then I hope he enjoys his little virtual, buggy wanna-be police state and the types of people who will flock to it.
posted by skallas at 12:59 PM on December 15, 2005


> Calling the FBI over this just seems stupid to me.

Is it the case that a guy is running a game service for profit? And does it look like someone purposely disrupted that service and maybe cost the guy money (loss of goodwill? loss of subscribers?)? If that's what this is and if this guy thinks his lawyer can prove it in court, then not calling the FBI over this just seems stupid to me.

Sure, he should change the system to discourage such attacks, but that doesn't mean he shouldn't also go after the asshole who attacked his business. And maybe the FBI will tell him to hit the road, that they don't have the laws to tackle things like this yet, but the business owner should try.

I really hate when the argument for right or wrong hinges on commmercial worth.

If there's no money lost and no violence (or threat of violence) done, the FBI probably isn't going to care. That there's money involved doesn't make it right or wrong but it makes it easier to prosecute.
posted by pracowity at 1:09 PM on December 15, 2005


This game has 70K players? And some people - maybe three or four - actually make their living selling widgets in the freakin' game? The mind reels. Must make for some interesting cocktail party chatter.


Mom #1: "So, how is your son?"
Mom #2: "He's good, he just graduated law school. And yours?"
Mom #1: "He's a successful land speculator in a multi-player on-line game called Second Life."
Mom #2: "Oh."
posted by fixedgear at 1:12 PM on December 15, 2005


I wonder what happens if you PK...
posted by TheOnlyCoolTim at 1:15 PM on December 15, 2005


So, people who are being malicious in any context are not responsible for their own malice? Victims of hate crimes deserve what they actually get because they didn't protect themselves from the attack?

Oh, it's not a normal person being affected by malice - it's a CEO. Damn CEOs should look after themselves, they are above the law anyway, they don't need law enforcement, they have their own security guards.

WTF Metafilter?
posted by elphTeq at 1:20 PM on December 15, 2005


"I'm sure the admin who did this would not get all the support Rosendale gets because someone somewhere stupidly decided to quit their job and become the equivalant of a farmer in WoW."

100 grand a year of stupid.
posted by joegester at 1:25 PM on December 15, 2005


If they lose money over this, it's only because people will see how poorly designed this world is.

Doesn't the CEO and the company have an obligation to put out a good product? Isn't that in some ways more important than what some stupid little exploit some asshat finds in your game?

Poor design is its own karma in the end. I hope.

I was thinking about playing this. No way now.
posted by geekhorde at 1:28 PM on December 15, 2005


This is so stupid. It has already been said here, but I'll say it again. In a sandbox game, playing with the sand is not against the rules. If a user creates something in your game that harms your system, you need to fix your sand first and punish the user last. As far as I can tell, this is not a Denial of Service attack, its a Breaking of Poorly-Designed Service accident. oh nohs call teh cops!

This seriously makes me want to check it out to see what other fun is to be had. If I wasn't so busy with EVE, that is.
posted by hellphish at 2:05 PM on December 15, 2005


The terms of service says that you will not abuse second life's capabilities or its users. Abuse of the service says something like "deliberately causing a disruption of services."

This is DoS. By definition. If the game says "don't make things that make things recursively" and you do it anyway, and do it in a way that causes the most damage possible, what else could it possibly be?
posted by andreaazure at 2:42 PM on December 15, 2005


andreaazure writes "The terms of service says that you will not abuse second life's capabilities or its users. Abuse of the service says something like 'deliberately causing a disruption of services.'"

Is violating the terms of service a violation of federal law, though?
posted by mr_roboto at 2:47 PM on December 15, 2005


Metafilter gives it's user base a lot of power too, but we don't call the FBI if people self-link.
posted by delmoi at 3:54 PM EST on December 15 [!]



I suspect you'd be more upset if someone had used the XSS holes that a malicious user could have exploited on the old user page before they were closed.

SL deals well with offensive content, cf the enourmous penii erected by the alleged friends of the people who perpetrated the attack. This is not an issue of offensive content, this is denying other users the right to use the service when they want to.

Perhaps a more appropriate analogy is a malicious YMCA member who calls in a bomb threat, forcing them to evacuate the building and close it while they search for the bomb. Just because it happened online doesn't make it fake. Nor are the perpetrators absolved of responsibility because it's a sandbox.
posted by heresiarch at 2:54 PM on December 15, 2005


When did people start calling MMORPG haxors "griefers?" And since when is "to grief" a verb?

Are there other massively-multiplayer game neologisms like this?
posted by killdevil at 5:02 PM on December 15, 2005


When did people start calling MMORPG haxors "griefers?" And since when is "to grief" a verb?

Not sure, but you really aren't going to tell me you're surprised by someone verbing a word, are you?
posted by robla at 5:47 PM on December 15, 2005


As a guy who is currently making a living writing code, I have to wonder about a system in which bad code can land you in front of the FBI. I'm not naive enough to think that the people who are out there ruining his servers are just doing it by accident, but if their language is buggy enough this sort of thing is going to crop up occasionally even without any malicious intent at all. I wouldn't want to code and be paid for it if I thought bugs might land me in front of the FBI, much less try to walk that line in a freakin videogame.

(Sides, you know all the coolest neatest rarest stuff in his system is probably the result of the same kinda people who came up with this replication thing in the first place. You have to push the envelope of these languages to do something original, to make games based on this sort of thing fun, even without any evilness. And in doing that you will expose bugs. And that is good provided the person running it isn't a nutjob.)

Of course once they do find something like this they are probably going to show it off, and then the evilness starts. (I'm not saying people who find bugs shouldn't report them, but the goal of reporting should be to make sure they get fixed). This guy needs to fix his game.
posted by SomeOneElse at 5:58 PM on December 15, 2005



posted by quonsar at 6:31 PM on December 15, 2005


This wouldn't be a publicity stunt, would it? Naaaah...
posted by jeremyw at 7:28 PM on December 15, 2005


What I don't get is why criminalize it? Hit them where it hurts, in the pocketbook. Charge them for the grief they caused.
posted by forforf at 7:32 PM on December 15, 2005


SomeOneElse... Linden Labs wouldn't get mad at you if you found a bug in their code and crashed some servers doing it... as long as you document what you did, file a bug report, and don't do it again until they fix it. What they don't like, and apparently are going after, is deliberately malicious behavior.

They're really very reasonable people; they don't like it when people take their service down on purpose, but they're not all paranoid and weird.

You have a lot of freedom in SL, and with freedom comes responsibility. It's not just 'harmless pranksterism' as some people are trying to paint it... people make very real money and a lot of people get quite upset when they can't log on and chat with their friends.

If someone attacked Metafilter repeatedly with DOS attacks and cross-site scripting crap, wouldn't you be pissed off? I would, this is my home page, and I'm annoyed when it doesn't work. I wouldn't blame mathowie for going after a hacker via the FBI, and I wouldn't blame LL for doing the same.
posted by Malor at 7:52 PM on December 15, 2005


Are there other massively-multiplayer game neologisms like this?

God forbid a site should develop its own obscure terminology. Anyway, "griefer" has been around for several years now.
posted by dhartung at 12:02 AM on December 16, 2005


As dhartung says... the verb "to grief" has been around for quite some time. I did a quick newsgroup search, and it seems like the term popped up some time in 2000 (in relation to Ultima Online griefers). Yes, I have way too much time on my hands. :)
posted by antifuse at 3:28 AM on December 16, 2005


FYI, the code wasn't accidental. The source code for the object even contained a comment indicating that it was intended to spread like a virus and cause trouble.

So what some of you are saying is people who write and deploy viruses intended to take down a network should NOT be reported to law enforcement?
posted by joquarky at 5:58 AM on December 16, 2005


I'm assuming that all objects in SL are tagged with their creator's id, and, if it's possible for one item to spawn another, their parent object's id.

Why not either limit the number of objects in the world that a single creator can have? Or, limit the number of spawn that a single item can create?
posted by bshort at 9:25 AM on December 16, 2005


I dunno. The Lindens sound like a lot of old school sysops and web admins who seemed cool at first but over time grew more and more paranoid and insular. I was intrigued by SL, but I probably won't give it a try now. They didn't just overreact by calling the FBI, they also crippled the system to favor landowners. They also seem to have their hands in at least one other favoritism scandal. Smells like just about every other awesome community that grew too big to be fun anymore.

On the other hand, isn't the Second Life infinite spawn issue a variation on the Halting Problem? If you have (n) items and those items can make (n+1), then there's no computational way to determine if the chain of creation will ever stop. The only way to stop it, as pointed out above, would be to put a numerical limit on (n) in the first place. But, I bet that Linden Lab doesn't want to do this because they're always trying to float this idea that Second Life is a capitalistic endevour and they want you to think that you can not only sell (n) widgets for x*n dollars, but you can sell (n+1) widgets for (x*n+1) dollars. Infinite growth, bro, infinite growth.
posted by Skwirl at 10:58 AM on December 16, 2005


"Couldn't he just have someone program virtual FBI agents?"

Hello!? Did you not even WATCH the Matrix movies? There is no way that could end well...
posted by feersum endjinn at 2:13 PM on December 16, 2005


« Older Google music search......  |  Looking for a broadband connec... Newer »


This thread has been archived and is closed to new comments