Sabin Linden informs us that the login process for the viewer is going to change to address anti-fraud and other security issues. Essentially, you're not going to be logging in through the viewer anymore.

Instead, logins will be processed through the Second Life website, and the browser launched from there with a custom, secure token included in a secondlife:/// link. The token is valid for five minutes.

While the solution has been tested internally to function fine with Windows and Mac viewers, the Linux viewer solution still needs work.

Sunbelt Software (a data and network security firm that handles everything from the end-user to the enterprise) has an island in Second Life. You may not have heard a ton about them, other than seeing a few folks wandering around with the Sunbelter last name, courtesy of their registration/orientation system - but they've been working hard on their Second Life presence for some months, catering primarily to their own community.

We got word today that they're starting up a series of Seminars on Sunbelt Software Island, targeting end users and home-office users. How people try to get at your stuff, and the security tips you need to prevent them, titled "How to keep the bad guys out of your PC". Each seminar series will be four sessions. The first session will be in the Sunbelt Auditorium on August 21 at 6PM SLT (US Pacific) - that's tonight - or repeated on August 25 at 6AM SLT.

The full announcement is here, on Sunbelter Software's blog. [Note: The seminars are in text, not voice]

Zee Linden made one of his semi-regular appearances at Meta Linden's office hours today, and spoke a lot about payment fraud in the Linden Dollar exchange, and gave the usual boilerplate password-health-and-safety and anti-phishing spiel.

Zee was evasive as to the magnitude of the problem, but pointed to May as a period where fraud made operation of the Lindex unprofitable for Linden Lab, though it is not clear if the whole month (or more, or only part) was actually unprofitable.

This article makes me weep bitter tears. Beginning the 22nd of March, users of security software Sophos will be able to prevent employees from accessing SL at work.

While the article in question doesn't go into any real detail about how Sophos is able to specifically block SL from a network, the thought alone chills my soul: What if I need to access SL to run down a breaking news story? How can I watch streaming video from SXSW or SLCC? Dammit, what if I need hot, furry-on-robot action, like, RIGHT NOW?

For those of you out there who only access SL from home, and who may be wagging your fingers at those who do a little work-time play, I merely say this: if you want complete employee compliance, make their jobs more SL-like. Give them plush poseballs to sit on! Initiate a 'Come to Work in Your Fursuit Day'! Mandate that, instead of laughing, everyone says 'LOL' instead! Believe me, you'll have happier co-workers, and no one will fling penises at you. Maybe.

(Via computeractive.co.uk)

So it seems that LL is stepping up their security measures, but will it be enough? In a recent blog post, Robin Linden says they'll be taking a 'two-pronged approach' which has already been initiated.

A 'Trusted' account system is to be utilized in allowing scripters to work with LSL, but what, exactly, are the parameters for being 'Trusted'? Robin merely says 'technical options', which is vague at best. Presumably LL is concerned that exposing too much information about this newest method will provide attackers with the means to circumvent it, which is laudable. However, being vague about resident concerns will only carry trust so far. Indeed, one need only browse through the over 130 posted replies to this particular article to see how residents are reacting to the news.

Wednesday's update will bring with it new code changes to help minimize future attacks. Once again, there are no specific methods or changes mentioned. Residents have more cause to be concerned with this announcement, as previous code changes have been responsible for in-place scripts and scripted objects to suddenly cease their functions, with a concomitant loss of revenue for some.

Finally, it will be interesting to see what, if any, results will come of LL contacting the Federal authorities. While we've posted before about SL being named its own country, it's doubtful that the goverment will take too much notice of this, given the continuing viewpoint of the Great Unwashed that SL is simply a game. More on these issues as they progress.

So, I had planned on meeting Master Penguin in-world today to get some photos, maybe get a group shot of the SLI Team, do a little golfing, what have you. When I entered my password, however, I got the message shown above. If you can't read it for whatever reason, it reads:

Login failed.
As a security precaution your password has been changed.
Please go to your account page at http://secondlife.com/password
and answer the security question to reset your password.
We are very sorry for the invonvenience.

Well, guess what? The webpage won't load for me! Get this: Second Life's security measures are so good that even its own residents can't get in. Awesome!

However, this was not the case two days ago: LL has provided this Urgent Security Announcement. Apparently they got hacked on September 6th, and 'some of the unencrypted customer information stored in the database was compromised, potentially including Second Life account names, real life names and contact information, along with encrypted account passwords.' Holy Cats on Fire. I urge you all to jump right on this. Go to https://secondlife.com/password, click on the 'Forgot Password' link, and create a new password for yourself. Do it now.

And a final note: It's probably due to the need to get this out quickly, but LL, please Spell Check your messages: '... sorry for the invonvenience.'?