Happy 2011, gang! I hope everyone had a terrific break and a wonderful new year. It seems like it’s back to business time and the past two weeks have not been idle in the wacky wonderland of virtual worlds, so let’s do a little catch up baseball.
Two days before Gothmas, Linden Lab announced a new CEO (Rod Humble), who is coming into this new position from a VP slot at EA Play. After the round of jokes about his name settled down (it took a while), the speculation began in earnest about what he was going to bring to the table, having come from EA. I’ve now read a fair bit, and my conclusion is wait and see, since there are no clear indicators at all as to what his plan is going to be. Frankly, I don’t think he can be much worse than the mess we had in 2010, so I’m willing to be cautiously neutral on the topic of his appointment to the job. Besides, he wasn’t going to be taking the reins until after the new year anyway (using the vacation time as the last calm before the storm, I’m sure), so he hasn’t even done anything yet.
However a point was made (and validly so) about the timing of the announcement. Two days before a major holiday, when many people have the week following off on vacation, *when he wasn’t going to even actually take hold of the job* until after the new year is something worth questioning. Speculation ran that if the Lab actually thought this news would be well received, the timing would have been different.
This is probably true. But let’s face it- no matter who the Lab would have chosen and when they announced it, the results would likely have been the same. It makes little sense to orchestrate timing differently when you know no matter what you do, a chunk of people are just going to bitch anyway. This way it controlled the possibility of the information leaking out over the vacation break, making the Lab look like it was hiding something from the user base.
So the new year begins at the Lab with someone new at the helm. Let it not be said that he doesn’t have some issues to deal with. But to add to the (I’m sure, lengthy) issues on Topics of Importance, I’m going to lay down another one. Because Houston? We have a problem.
Over Halloween weekend I was talking about not only the new display name system, but the fact that Linden Lab was about to abandon their seven year old naming convention system. The old Firstname Lastname way of doing things was about to be scrapped, in favor of a new, single name system, where people would have one single name as a username, and the placeholder last name (ever so charming) of Resident.
In fact this was indeed done in mid November, and we’ve been seeing a fair number of single named folk walking around the grid. It’s a bit strange- it’s a really clearly defining line between the new people and those who were here before, and it’s a little disconcerting, culturally. But that’s not a big deal. However, the system is flawed (yeah who knew? Oh right, me.) and in fact, single name users could not post to the Lab’s own forums, because the database couldn’t handle the query. So true to form, a feature is rolled out by the Lab before the actual consequences are fully considered. Business as usual. Moving right along.
But since the difference between new accounts and old ones is so visually obvious, the practice of creating throwaway alts for nefarious purposes (griefing, thievery) took a blow. It’s really easy to see when an account was recently created, and those of us with longstanding SL experience know to keep an extra eye out for trouble until we know the account is truly legit. Few people would want to risk an old two-name account in order to do this, preferring instead to use a single name account that can be tossed like a used paper towel.
Juuuust one problem.
It would appear that Linden Lab forgot to disable its reg.api anyway, and the thieves already know that.
Who With the What Now?
For all those I just utterly lost with what I just said, let me explain. A reg.api is a bit of code that other sites use to allow you to register with a service on the web remotely. So, let’s say for example you have a RL business with a SL presence. You want all your employees to get an SL account. But you don’t want to necessarily send them off to the main Second Life registration page- you want to keep them penned in to a site you control. Reg.api to the rescue! Linden Lab authorizes third parties to also handle new account registrations. Places like SLNamewatch.com operated on this principle and were open to the public. But SLNamewatch shows that the last batch of last names was disabled on November 20, 2010.
But they’re not the only ones with a reg.api. The website I just linked to also has one. And unlike what SLNamewatch says… It works. Perfectly, I might add, as of this writing. You can in fact, get an old style username by using this very form. The only explanation for this is that Linden Lab has not actually disabled reg.api, nor is it requiring reg.api authorized pages be password protected.
So for all those who desperately wanted a two name username? There ya go, sport. I’d feel badly about outing this except that I promise you, the thieves and griefers *already know about it*.
The Dark Side to the Silver Lining.
A few weeks ago (while we were all on break), I got an IM from a friend inworld asking me to check on a name- Moaning Meskin. She wanted to know if this was a username, or a display name (for more information about what the difference is, look here). Though these days I’ve switched from 1.23 (which I still prefer) to Catznip (a 2.0 based third party viewer, because the official Linden Lab version is utterly unusable), I have display names disabled. So I did a little test, shown here:
First you see my friend’s profile. She is not using a display name. Then you see Moaning Meskin’s profile. I have display names disabled- I am seeing this name as a username. On the far right, we have our control hamster, in the form of Aeonix Aeon. Though I have display names disabled, I *know* that he has a display name up- his real life name of Will Burns (from Andromeda3d). The viewer is not malfunctioning. It is showing me usernames only. But there’s a problem. Moaning Meskin’s account is only one day old. That’s why she was asking me to check to make sure it was a username- after all, as far as anyone knew, the days of Firstname Lastname were over, right? So how did a one day old user have two names?
She asked Linden Lab customer support, and got the entirely unsurprising answer of “we have no idea” (and I want to note here, that’s verbatim. That’s actually what Customer Support TOLD HER.) She did some checking on her own, which is how the reg.api issue was uncovered. While the mystery seemed to be solved, there was suddenly a twist. Moaning Meskin (whose account is now banned) turned out to be a thief- a copybotter. By this point, the Meskin account had listed a huge box of full permission items on marketplace as a freebie. Worse yet, Moaning Meskin left a notecard inside the box with a message, which seemed to be created by my friend in the first place (this is easy when you copy something with a full permission notecard inside of it- you simply change the text, but the *creator* is still listed as the original user who made it, regardless of how it’s been edited), making it look like she had something to do with the theft- something that took a while to clear up, and in fact is still ongoing.
So, legitimate new users and even legitimate old timers may not have known about the reg.api issue. Meantime, thieves already knew, and as of now, nothing at all has been done to stop the leak.
That looks like a full plate there, Rod.
So in addition to performance issues, customer service issues, economic issues, and the implications of the closure of the Teen Grid (which I’ll get to next week), we’ve got a giant security mess too. Sounds like a full plate for the new CEO. Will he be able to sort it out? No idea. But I’ll give him the benefit of the doubt for the moment that he’s going to at least try.
Good luck, Rod Humble. You’re gonna need it.