Secondlife: A+ for proactive security

Backgound: Secondlife is a way cool immersive virtual world with millions of subscribers created by Linden Lab. It is a bit beyond the flat 2-D worlds of Myspace and Facebook. It allows users to interact with 3-D avatars. You can purchase property, build on it and offer up videos.

The folks at Secondlife have posted a warning to their blog that there is a bug in the way Quicktime runs streaming video within the Secondlife "viewer" (client software). The bug could crash the viewer. What I find interesting is that Secondlife can monitor all of the content on their "grid" or virtual world and alert their users if an exploit has been developed. For now they suggest not running Quicktime accept when visiting known areas within Secondlife. Kudos to Linden Lab for pro-actively alerting users to this threat.

Even though I predict that there will be many attempts to exploit social networking sites in 2008 I believe the sites have a different opportunity than traditional software companies. Because they control the real-time use of their software they can update it and protect it in real time. An interesting difference is that their responsibility for disclosure is not the same. Say a site like Digg is compromised by a security researcher that notifies them that, for instance, he can escalate his position by earning as much karma as he wants. Karma is good at these sites. A high Karma poster can get links to the front page of Digg immediately, which can mean over 100,000 hits for the lucky site. Digg can thank the researcher, fix the bug and move on. I believe they would not be obligated to report the bug unless it had been actively exploited.

While software as a service (SaaS) sites will be rife with bugs and social networking sites are happy hunting grounds for info thieves there is hope that these sites will be faster to respond and repair when attacks develop. Secondlife's response to this Quicktime bug is a great example of security responsiveness.