Subscribe to

The Second Life Herald reported today that “a felony was committed in Second Life” over the weekend, and suggests that Second Life’s open source viewer may have helped enable the crime.

Allegedly, someone using the names ‘Data Lindman’ and ‘CheckOutThis Hax’ stole over US $400 worth of in-world currency from a vendor refund account for the in-world roleplaying game DarkLife. The hack used to steal the money required access to information that should only be available to DarkLife developers. The SLH reported that the theft occurred while the refund account holder (DarkLife Co-Founder ‘Mark Busch’) was on vacation and away from Second Life.

Besides ‘Data Lindman’ and ‘CheckOutThis Hax,’ the alleged perpetrator has also used several other names in a series of griefing attacks and attempts to hack DarkLife over the last few weeks, including ‘Client Hax,’ and (boldly or stupidly) ‘StealinGoldFromDarklife Allen.’

DarkLife in Second LifeDarkLife is a roleplaying game similar to Dungeons & Dragons. Players pay L$500 ($2.18 US) for a “backpack” that contains the code and basic objects that let them play the game. They also buy scripted accessories like swords, shields, and wands. Players use these items to battle creatures and earn “experience,” which allows them to improve various attributes of their characters. DarkLife has been around in various forms since late 2003, and is apparently quite popular, with a traffic number around 8000.

In an interview with Virtually Blind today, ‘Busch’ said that the theft has forced them to make the DarkLife simulation available by access list only until they either release a new version of the game or Linden Lab bans the hacker at the IP address level. Closing the simulation to prospective new players significantly reduces sales of DarkLife backpacks and accessories.

Blame Open Source?

The SLH article focuses on whether the crime was enabled by Linden Lab’s recent, somewhat controversial decision to open source its viewer software. But in the initial post in the DarkLife forums on this topic, ‘Busch’ says that the hack required knowledge of the private channel number (one of about 4 billion possible numbers) that DarkLife uses in “part of the shop script that gives back the L$ if the buy fails.” ‘Busch’ notes that Second Life had a bug recently that existed for about seven hours “where everything bought would be copy-mod, including scripts.” This bug would have allowed anyone who bought any DarkLife product while the bug was active to see the private channel number.

In a comment following up on the SLH article, DarkLife Co-Developer ‘Pirate Cotton’ said that “[i]t seems most likely, to me anyway, that the abuse was formed from a combination of the full-access bug introduced a while ago and some cunning tinkering with the knowledge said bug provided.”

‘Busch’ confirmed this today, saying that “the most likely cause for the channel number seems to be the SL-bug from a while ago,” and not the fact that Second Life has open-sourced its viewer. ‘Busch’ does note, however, that one name the alleged perpetrator used was ‘Client Hax,’ which leads him to conclude that the perpetrator probably does “use an hacked opensource client to do things he shouldn’t be doing,” even if that isn’t how he got access to the channel number.

Grand Theft Armor

In any case, the likely crime here is “grand theft.” VB will run the analysis under California penal law (the theory is that the crime occurred in California, where the servers are).

Under California penal law:

Theft is divided into two degrees, the first of which is termed grand theft; the second, petty theft.

Grand theft is theft committed [...] [w]hen the money, labor, or real or personal property taken is of a value exceeding four hundred dollars ($400).

(California Penal Code § 486-487.)

‘Busch’ said that he had L$120,000 (US $450) in the account when he left for vacation, and that DarkLife made between L$20,000 (US $75) and L$25,000 (US $95) during his absence. Discounting for actual failed purchases, Busch estimates that the perpetrator took at least US $490.

So it is a theft, and a “grand” one at that. There would be several significant hurdles to prosecution, including getting a prosecutor up to speed on Second Life and interested in the crime, and shaking the real name of the perpetrator free from either Linden Lab (to whom he presumably did not give it) or, more likely, the ISP he used to access the service.

A secondary question is whether Linden Lab could be held responsible in a civil suit (though as a practical matter, the amount involved isn’t enough to make it worthwhile). As with most issues involving potential claims against Linden Lab, it would depend on the enforceability of the Terms of Service, which say, in relevant part, (a) that the service is provided “as is,” (§5.4), (b) that the in-world currency is merely “a limited license right to use a feature of our product when, as, and if allowed by Linden Lab” (§1.4) and, (c) that users release Linden Lab from liability for other users’ actions (§5.1).

According to a followup post to the SLH article, ‘Pirate Cotton’ has been contacted by Linden Lab. As of this morning, ‘Cotton’ confirmed that Linden Lab is continuing to investigate.

Email This Post Email This Post
Print This Post (Printer Friendly Formatting) Print This Post (Printer Friendly Formatting)

Related Posts on Virtually Blind

One Response to “Theft at Second Life’s “DarkLife” Roleplaying Game; SL’s Open Source Viewer Likely Not to Blame”

  1. on 26 Feb 2007 at 10:44 pmTiny Pirate » DarkLife theft - Update

    [...] The good news is that Linden Lab has started to investigate the theft and hacking attempted by our little crook. Meanwhile, the event got some coverage on the Second Life Herald (with some interesting debate in the comments) and the legal angle was debated on the blog Virtually Blind.  As it stands now we wish Linden Lab the best of luck in their investigations and we hope the thief wasn’t as smart as he’d like to think he is! [...]

Leave a Reply

Notes on Comments: Your first comment must be manually approved, but after it is you'll be able to post freely with the same name and email. You can use some HTML (<a> <b> <i> <blockquote> etc.) but know that VB's spam blocker holds posts with five or more <a> links. VB supports gravatars. Got a gravatar? Use the associated email and it'll show with your comment. Need one? Set it up for free here.