May 24, 2024

G-Men Called on W-Hats for WMVD

[Despite our recent focus on the SonyBMG CD flap, our mandate here at Freedom to Tinker covers infotech and policy generally. So I hope any Sonymaniacs in the audience will forgive me for posting about something else today. (If you need a Sony fix, Bruce Hayden can help.) Regularly scheduled Sony-related programming will resume next week.]

There’s a fascinating story going around about the intersection between virtual worlds and real-life law enforcement. (I have written twice before about this topic.) It started in a virtual world called Second Life, which has 70,000 or so members. There’s a group of in-world characters calling themselves the W-Hats. Stories in the Second Life Herald – a foulmouthed but apparently somewhat trusted virtual newspaper about Second Life – depict the W-Hats as a gang of racist thugs. (The rest of the story I tell here is based on the Herald’s reporting.)

One of the cool things about Second Life is that players can create new kinds of objects, by writing small programs in a special scripting language to describe how the objects should behave, and then launching objects into the world.

Things got really out of hand when the W-Hats created a doomsday device. It looked like a harmless little orb, but it was programmed to make copies of itself, repeatedly. The single object split into two. Then each of those split, and there were four. Then eight, and sixteen, and so on to infinity.

Okay, not exactly to infinity but to billions of copies (after thirty-some generations of splitting), at which point the servers running Second Life crashed, and the whole virtual world was knocked off-line. The W-Hats had created a Weapon of Mass Virtual Destruction (WMVD).

The WMVD was detonated more than once, and on at least one occasion Linden Lab, the company that runs Second Life, contained the damage by taking parts of the world offline as a kind of virtual firebreak.

Last week at an in-world holiday party, Philip Linden, the character played by Linden Lab CEO Philip Rosedale, mentioned that the company had called the FBI about the attacks and had turned over the names of some players. Others at the party reportedly praised the action. But was this justified? Should the FBI get involved in this mess?

It seems to me that they should. A WMVD of this sort is just a fancy denial of service attack, and a deliberate denial of service attack against a large network service looks to me like a crime. It’s possible that the first attack wasn’t meant to crash Second Life – though even if not deliberate it was certainly reckless – but subsequent attacks could only have been intended to cause a crash.

There is some indication that Linden Lab may have banned at least one player temporarily because of the attacks, but there is a limit to the effectiveness of in-world punishment. As James Grimmelmann has argued, the worst punishment available in-world is exile from the world – try to impose a stronger penalty on someone and he will simply exile himself by leaving the virtual world permanently. Real-world punishments can be worse than exile and so stronger deterrence is available in the real world. When stronger deterrence is needed, real-world punishment may be the only option.

Some have argued that players shouldn’t be punished for doing things that the world’s coding allows them to do. But that seems to me to be the wrong rule. For one thing, that’s not how things work in the real world, where you can commit all manner of crimes without violating the laws of physics. And it’s just wrong to think that the virtual world can be coded in a way that allows everything good but prevents everything bad. Any virtual world (if I may be forgiven for that phrase) that is complicated enough to be interesting will probably enable some undesired behavior.

It will sometimes be necessary, then, to appeal to real-world law enforcement to handle bad acts in virtual worlds. In general, there are lots of caveats here – for example, in some worlds, in-world fraud or murder is considered just part of the game; and world-builders shouldn’t run to the FBI over minor problems. But the particular case before us seems like an easy one: the FBI should investigate and, at the very least, use its power to intimidate the perpetrators into behaving better.


  1. Wow, cool man, big thanks!

  2. W-Hat are not racist thugs, nor are they any form of terrorist. They are trying to save the residents of Second Life from themselves. Like Noel Godin and Aron Kay before them, W-Hat exists to prick at the pomposity of delusional Second Lifers. Their activities are nothing more sinsiter than a virtual version Godin’s and Kays pie throwing.

    I should stress that I am a Second Life resident, and I heartily support what W-Hat are doing. Like all the best subversives, their goal is to bring down a peg or two those who take themselves too seriously – for their own, and everyone elses good.

  3. anonymous says

    Way I see things, you don’t want people there, then don’t allow them access.
    Allow the access, then you need to keep yourself from what’s coming, and one way to do so is get rid of this “Ahaya Ohowns teh Internettt!!!”

    Because in the end, nobody owns the Internet for one, and in SL you really own nothing but bits of binary data, and since those little bytes reside in the cpu AND someone else’s hard-drive, the true ownership is hard to define.

    Looks to me like someone got what they deserved, SL is full of virtual punks who think that since they pay money for a piece of virtual land that they suddenly own whoever ends up there.

  4. So let me get this straight… They created a fake world, poured cash into it, and now something bad happened in their fake world, so they’re going to take time away from the FBI – time that could be spent solving problems in the real world where the rest of us spend our time – to have them fix the problems that have emerged in their fake world?

    Think about it. I mean, REALLY think about it.

  5. Hoeveel bemaningsleden telt de Freedom of the Seas op 6 december 2006????????

  6. World Of Warcraft (along with other MMORPG’s worldwide) has a much larger user base and a much stronger penetration/ effect in the real world than SL. SL, despite its self-invented currency exchange and self-promotion, is just another in a long string of virtual worlds and a blip in comparison to the size and scope of other current online virtual worlds.

    The hype about SL seems to be mostly a result of self-promotion on the part of Linden Labs and their media evangelists (someone over at Wired, someone over at Reuters, etc): most tech-savvy people I know have neither heard of it nor show much interest beyond the initial fascination with the fact that SLers take this obscure thing so seriously. To the wider world (who make more use of the other virtual worlds more extensively) SL is merely a curious novelty.

  7. The way I see this is simple, at least in my own mind. If Second Life wants to make the real outside laws of the United States apply to what occurs on their servers, they are going to have to pay to play the same way as everyone else. That means full sales tax according to the home state of the server that you are accessing for any goods purchased in game, and that means actually using special Sex Crimes police units to watch over, arrest, and bring prosecution against the people selling virtual sex in SL. If Philip Rosedale feels that the behavior of SL should be exactly as condemnable as the real world, the thousands of crimes that happen on his servers daily should also be brought to life.

    Fantasy sex haven or real world penalties when users don’t behave correctly – it’s SL’s choice, but you can’t really have it both ways.

  8. The problem with comparing this to a DOS attack is just that, since it is entirely inside the game, there are simple ways that should have been in place already. Let’s say I run a fileserver on which people can run programs. There is nothing I can do to stop an outside DOS attack, like e-mail spamming or packet bombardment. However, I can easily cap the number of processes spawned by a single user, or the amount of disk space a user can use. Additionally, I should have those limits in play anyway, because they protect the server from actual bugs. For instance,

    The solution to this type of attack seems simple: Linden labs converts tons of money into the game anyway. Make it so that each user has a quota or objects, and they can pay to have more. Just like a real ISP.

    If our arguments are that Second Life is as much ISP as it is game, then Linden should have to behave as if it is an ISP.

    The fact that there is a virtual real estate market or online businesses using Second Life is irrelevant. Equally so is the fact that Second Life currency is freely converted to US dollars. Everquest money has an almost fixed exchange rate. It’s just on eBay instead of currency exchanges. But no one would dream of calling the FBI or the police for griefing a gold farmer or stealing a valuable in-game item as a thief: that’s just how the game works. Linden can and should have dealt with this in house. Calling the FBI is just laziness on their part. Putitng an item can into their universe would be far less of an ‘abitrary limit’ than imposing outside law.

  9. I have to say that


    does not follow in the least. The programmed world has allowed objects, and these are closer to socially acceptable behavior. If the programmers of the game decided that someone could make an infinitely replicating object, then that is their lack of forethought. The idea that this is a DoS act is rather absurd, as the people in question did something allowed by the game. It would be analogous to claiming that someone clicking a link on a website that causes the entire website to crash is committing a DoS attack.

    In the future, the programmers of Second Life should simply be more careful about what is allowed and what is not, and put up some sort of mechanism to prevent something like this.

  10. Jack Blatt says

    Holy crap the article suggests calling the FBI over scripting server crashes? Thats nuts. The only reason congress and law enforcement want this game online is because it can launder so much money. The developers are hoping for legal protection under the rights of property. Screw a couple forum goons , theyve got money to make.

  11. I think what some people are missing is that Second Life is somewhere between a game and an ISP.

    A few other points: Did Linden labs even try to patch anything after the first forkbomb went off? Obviously they have the ability to patch their clients so why didn’t they specifically outlaw this right off the bat? Other client-server programs (such as Diablo II, as I remember) were patched really quickly when server-killing events happened. Why or why didn’t they?

    Does the ToS carry any legal weight? I’m sure there is probably some blanket language in there to allow them to get off scott free no matter what a user does, but does the ToS actually apply? I’ve yet to hear of any cases where a ToS was shown to be as ironclad as a physical signed contract.

    Personally, I think people were just working with the tools they were given. Does the FBI need to get involved in circumstances where people are using the (somewhat free) tools they are given in a way someone else doesn’t like?

  12. The author of the article is wrong on two points:

    Firstly, the problem is with the way the world is designed, and not with the actions that were taken. It is almost trivial to stop one user from crashing a system, if that system was properly designed. Anyone with a knowledge of UNIX, or even a passing knowledge of software and systems developement would know this since it was a solved problem from the time of C/BPL and even before, an on the other hand even Lisp interpeters can be limited to prevent abuse.

    An earlier poster made that point: it’s just a matter of limiting the rate of object “forking”, or tagging objects with the id of their author and limiting how many objects he can have active at once. You can’t make 4 billion objects unless the game engine allows you too; and why it would crash rather than stop additional forking is beyond me.

    Secondly, denial of service attacks themselves shouldn’t necessarily be a “run to the FBI” type of thing. Even when technical solutions are not as easy as in Second Life, there’s a problem with indirection, motive, etc. :

    suppose your home PC on a Cable Modem is “zombified”, running a program which you don’t know it’s running, and used in a DoS attack.

    Would the FBI be justified in arresting you, confiscating your PC, and sorting it out in court later? How can you prove that you didn’t do it intentionally, esp. if some malicious person uploaded a document to you PC outlining how you’re part of a Taliban sympathetic group and the attack was motivated by your anti-Christian/anti-American views?

    Such senarios may seem ficticious, but people have literally been arrested and raided for less; typically, it’s because some “big company” feels threatened. And these same companies WILL “downsize” and hurt the economy and the society which allows them to abuse their power, with the idea that “they create jobs” and “pay taxes”. Just like Enron(impoverished many) and Microsoft(never actually pays taxes), right?

    I think you need to realise that giving up a lot of freedom in the real world in order for some business to run a hassle-free virtual world is not a good trade-off.

    Even if you don’t have children, you should think of the world you yourself are living in, and how you would feel and more importantly, if you’d be able to defend youself if these systems which your praise were used against you, not necessarily because it was you fault but… because you could be exploited easily. Remember, there’s no “hard evidence” in the virtutal world; the W-Hats might have done this intentionally, but some cracker could have used YOUR PC to make you look like a W-Hat, and you wouldn’t have much defense against it since Linden Labs has more money than you and that’s all that matters nowadays; not his word but , how much cash is backing it.

  13. Seriously, get a First Life. Get out there, do something, shit, shoot some heroin and bang a meth whore, at least you’d seem like less a waste of space than someone wishing the FBI would fix their Second Life.

  14. pinks sugar says

    Its not a denial of service attack

    its using ingame means that are allowed

    It is not anyones fault but lindens lab that there game cannot handle there own scripting done ingame by others

    the game wasnt hacked

    the game allows this stuff to be created

    maybe you SL players should ask the Lindens why they dont invest the money they take from you in something other then piss poor servers that cannot handle scripts they allow

  15. the w-hat don’t allow racism and all people found for dos attacks, racism, ect. are banned from the group.
    they NEVER do things as a group. NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! NEVER!!! (should i continue…)

  16. But it’s virtual property. You pay real money to enter the virtual world and then play according to the limits of the game, and things may not be virtually profitable but it’s all virtual. Then at some point you may be able to exchange your virtual status for real world atatus and then you play in the real world.

    No problem and no need for the real FBI to get virtual.

    If someone in your vrtual world discovers a fork bomb that no one expected was possile isn’t that similar to someone in the real world discovering the possibility of an atomic bomb ? and you can’t get the real FBI involved in stopping someone inventing it – you can only get them to stop other people inventing it a second time (or copying it) ! .

  17. […] Second Life Trolling/Hacking Article [ #124723 ] Tuesday December 20, @06:19AM Things are going nuts in Second Life. This is a game where people can own land, do adult things and create objects for sale. The game currency is freely convertible into real money, so people develop land, charge admission fees for clubs and so on — this is a real economy. A group of technically sophisticated trolls, the W-Hats, from Something Awful unleased a doomsday device (a few times) on the virtual world, ruining the experience for everyone. It was essentially a fork-bomb, which overwhelmed the servers of the game, Now the proprietors of the game are talking “FBI”. This is covered here. A previous hack, by the same folks, involved hacking a client so that they could violate the protection scheme of the game, stealing the source code of valuable in-game objects/businesses. The interesting thing about the responsible trolls is that they’ve combined technical skills with anti-social behavior multiple times — the doomsday device is just their latest. Previous “offenses” have included: Building offensive structures[NSFW!!], extorting money from neighbors, or mocking the 9/11 attack on the WTC. So this is a virtual world where trolling and hacking have financial consequences — not just for the proprietor of the world, but the players, whose “virtual property” can lose or gain value based on the actions of trolls. […]

  18. it amazes me that it took this long for the forkbomb vulnerability in SL to be discovered. with the number of relatively inexperienced programmers using SL’s scripting language it seems like this would have been innocently stumbled upon long ago.

  19. I think logicnazi misses the point. the point is that laws are intended to be fair, so that any action which is made as part of vrtual world game play isn’t criminal (regardless what a TOS might try to say).

    if you make a game play that crashes the game that’s not illegal even if you do it three times – and there ae any legitimate reasons why you might do that, for example you might belive that a bug should have been fixed and try the play again to find what the consequences of that play “really” are.

    something ilegal – like a DoS attack – would be something like the game failure impacting other services, and then you could probably bring a case against the game hosts for facilitating the attack, but trying to prosecute the gamers (griefers or not) will never work.

  20. I think most of these comments (and the article) are missing the point (though the ones about clearly violating the TOS are close). One needs to distingush between two different issues.

    1) Should a certain action be made illegal/carry with it the threat of law enforcement

    2) Given the way the laws and social understanding is now should a given action provoke law enforcement response.

    The arguments about whether this amounts to a DOS, how many people lose money and what not all related to 1. They do not speak to 2.

    Whether or not law enforcement should arrest and prosecute someone depends on both whether it can technically be fit into a legal crime *and* whether there is a clear societal understanding that such an activity is off limits. Yes “ignorance of the law is no excuse” but this is designed to be used reasonably and in particular reflects the widespread societal understanding that one is expected to learn the laws before one engages in certain sorts of activity. For example if you move to a new state and just assume their tax returns work the same way they did in the old state you violated the understanding that one reads the tax rules but if you move to a new state and get thrown in jail because you threw away your reciept at 7/11 there is a problem. If the government wants to make something that isn’t already understood to be off limits they have a responsibility to make this clear before they start arresting and jailing people over it.

    The fact that lots of people may be hurt of real money might be involved is pretty irrelevant. If I’m a billionaire corporate raider I might buy a company wholesale and try and replace the whole workforce with robots just to see if it can be done, and thousands of people may be out of a job, but it is perfectly legal. Similarly protesting walgreens may cost them money but it isn’t illegal. One can’t assume that just because some action is illegal it is understood to be in the real of the forbidden.

    THE VERY FACT THAT SO MANY RESPONSES ASSUMED IT WAS IDIOTIC TO PROSECUTE FOR VIRTUAL BEHAVIOR PROVES THERE IS NO COMMON SOCIAL UNDERSTANDING THIS IS WRONG. There is a common understanding (by everyone with the ability) that sending DOS packets is off limits and may cause prosecution but even if you think this is the same many people do not. The norms of behavior for virtual worlds are still unclear.

    Just putting a clause in the TOS makes no difference. There just isn’t a well established social understanding that people face jail time if they don’t read all the terms of the TOS (most people just skim through it).

    If Second Life wants to bring in real law enforcement they first have an obligation to make sure it is understood that this sort of behavior may result in jail. Say a large warning on the programming tools/enviornment. Alternatively if they want to keep it in the TOS they could put a big warning when you log in/sign up saying somthing like, “Our TOS has provisions you might not expect if you don’t read it you may find yourself in legal trouble” Unless they have done something of this kind it is wrong to bring in LEOs.

  21. Ned Ulbricht says

    If a silver piece buys a gigaflops-second, and a gold piece is a gibibyte-second, then what are the opportunities for arbitrage?

  22. The idea of bringing the real-world government into virtual worlds opens a horrific can of worms. If you have a game where thievery is an accepted part of the game, do you really want the FBI to be called on your thief character, on the grounds that the game currency is convertible to dollars?

    If not, where do you draw the line? Do you want a bunch of lawyers and juries attempting to draw that line? Would you want to be one of the test cases while they try to hash this out?

    Long-term, some social scientists are starting to use online games for social experimentation. Perhaps we can use them to experiment with alternative social and economic structures, and figure out better ways of running things. That opportunity goes away if government is enforcing the existing rules on virtual worlds.

  23. If they call in the cops, they are offering themselves into the jurisidiction of the cops. Don’t be surprised when the cops decide to regulate the games. Say Welcome to courts, counties, associations, agencies, the UN, WIPO, little old womens’ associations … the list goes on as to how many people now have a bone to pick with what is allowed in the “virtual” space or not.

  24. So, when we did explode a nuclear bomb, did God run to the Devil, saying “Jeepers these guys are so Bad! There is nothing in this world I can do to punish them enough, and when I try, they just suicide!”

  25. The ToS, does specifically prohibit what it calls “global attacks” — taking servers offline, but this doesn’t make it criminal. It just makes it a breach of contract to do so. The criminal aspect of it, if it exists, has to be viewed from outside of the game. Did these people plan and execute a denial of service attack. If yes, then it is really incidental whether the attack was launched from outside the world or from inside the world. In point of fact, it was launched from inside the world by engaging in activities that are in violation of the ToS, but that is more or less academic in my fiew.

    It is certainly true that the scripting language allows this to happen, but the features of the scripting language which made this possible have legitimate uses in world as well. The idea that we must nerf all the tools of the game in order to make it safe from griefers is a losing proposition. We don’t tolerate that in meatspace; no one says, “well yeah he smashed up your china shop but its your fault for selling things that are made out of glass — that stuff is so fragile you were asking for it.”

    In meatspace we exect people to moderate their behavior. Just because it is *possible* to inflict damage does not make it right. I don’t see why we shouldh’t expect the same moderation of behavior in virtual spaces as well. And I don’t see why we shouldn’t expect the same legal remedies as well.

  26. Supercat, you’re right to ask “did the real-world people using the system do so in a manner clearly not authorized?” The people running second life seem to think that they did. Others may disagree.

    The question is not merely whether they did so in a manner not authorized, but whether they did so in a manner “clearly” not authorized. And I don’t think that could be proven beyond a reasonable doubt unless there was something in the TOS that expressly forbade what they did. Otherwise, they could reasonably view tricks like the ones they pulled as being a legitimate “part of the game”.

    It would be possible to have TOS written that would define these people’s actions as criminal, but unless the TOS were written that way when the actions occurred (and, if the TOS weren’t written that way when these people signed up, they were given conspicuous notice of the change) there is no basis for charging them for doing something that should have been (but wasn’t) real-world forbidden.

    BTW, what I’d suggest as a system improvement would be to have the system track resource usage by objects running each user’s code; if a person’s code is running in too many objects, don’t allow any more to be spawned. Although this would mean that one user might be able to impair another user’s abilities by taking advantage of bugs in the latter user’s code, the only victim in such case would be the person who wrote the buggy code in the first place.

  27. If you run a computer simulation of the weather you could reasonably call this a virtual world. If there is a bug in the virtual world that causes a crash who should you call ?. On the other hand an attack could obvioulsy be a serious issue of national importance.

    A virtual world in a game clearly doesn’t have the same asiprations in creating a “virtual world” – it’s just a game however much real world money you have tied up in it. If this facilitates real world problems such as DoS attacks on ISPs, then the ISP should lead the reaction, but inside the game it’s just game play.

    The real world consequences of virtual world play as descibed in this thread are similar to the practicalities of implementing any sophisticated computer system in the modern world. If the players don’t understand the scope of the engineering problem (and usually they don’t) you can’t solve that by getting lawyers involved.

  28. Jerkka Kymalainen says

    So… a virtual world where you can do anything…
    Finally, my chance to see what exponential growth actually looks like!
    What, the servers crashed? Well, fix them! I want to see this!

    Lets see what they say about their world: “No restrictions or arbitrary guidelines imposed by the developers”.
    Looks like a bug in their world to me.

    If anything, this guy needs a refund for being restricted to finite number of items.

  29. Chris Smith says

    There is an obvious feedback mechanism, available in the TOS agreement.
    You simply state that malicious behavior is billable.
    Sure, the first fork-bomb may have been accidental (maybe the scripting documentation includes specific warnings), but if they can prove the subsequent tomfoolery was no accident, then hit ’em in the wallet, say I.

  30. Ned Ulbricht says


    I think that P == NP is very, very hazardous and ought to be prohibited. Would you please point me to a safe, secure virtual world where there’s a ironclad guarantee that P != NP ?

  31. “Some have argued that players shouldn’t be punished for doing things that the world’s coding allows them to do. But that seems to me to be the wrong rule. For one thing, that’s not how things work in the real world, where you can commit all manner of crimes without violating the laws of physics.”

    The critical difference here is: the laws of physics are not goverened by those providing services. If a bad action is permitted by the laws of physics, there’s no recourse to changing those physical laws: we can only enact social laws to guide behaviour. We can’t stop gravity working, but we can punish those who drop heavy objects on others.

    The laws of a virtual world are *entirely* at the discretion, and governance, and mercy, of those who provide the service. If those virtual rules permit undesirable behaviour, it *is* possible to change the rules to make that behaviour impossible. That becomes an option, against which to weigh the option of punishment.

    When it becomes possible to *entirely prevent* “(virtual) heavy objects dropping on (virtual) people unless the circumstances are desirable, but those who can change the rules choose instead to go to the law, then their own responsibility in not preventing the undesirable behaviour must be considered.

  32. llSetStatus() and llRezObject() i think are the LSL function names you meant to mention Prokky 😉

    llGiveInventory() has very little to do with anything.


  33. I think it’s wrong to call this DOS attack.

    Consider this hypothetical: Let’s say my name is “brawatashaulmba funkyholtenblitz smith jr.” and one day I buy a 9V battery at Radio Shack and the clerk wants my name so they can send me a catalog. Turns out their store management software has a buffer overflow bug so that the act of entering my name causes the whole system to crash.

    (At this point I don’t think anyone would blame *me* for the crash)

    A week later I’m in the mall with my friend “Bob Jones” and as we pass the Radio Shack I say “Hey Bob… watch this!” We go into the Radio Shack and I ask the same clerk if he can sign me up for a catalog. “No problem, sir! What’s your name?” And the system again crashes.

    If you use the same line of logic that a lot of people in this thread are using, you’d now say that the act of telling my name to the clerk makes me guilty of a felony DOS attack. And that seems a bit absurd.

  34. Paul Johnson says

    Bear in mind that in the US exceeding the T&C for any computer system is actually a criminal offence, not just a civil one. The legal precedents involve spammers: basically some spammer used an ISP to send spam, and the spammer was prosecuted on the legal theory that since the use of the ISP’s computers to send spam was not authorised, the spammer was guilty of unauthorised access, which is a crime under federal computer misuse laws. I seem to recall reading discussion of this on Groklaw some months ago.

    I don’t know what SL T&Cs permit, but I suspect that DOS attacks are probably not authorised. Most T&Cs have some blanket language along those lines in order to get the service provider off the hook for the activities of subscribers. If Orb activation is outside the T&Cs then its outside the law and can be prosecuted as such.

    Whether this is good law or not is another debate. And indeed the debate about this is ongoing. The questions are not simple.

  35. The fact that Second Life’s network is used for gaming is irrelevant. SL for all purposes, is an internet service provider. Their users have access to a programming language, the same as webhosting customers have access to Perl, PHP at their service provider.

    If one of SL’s users is disrupting their network with a forkbomb, this is both a DOS attack and a trespass, and the network owners should have some legal redress. If not, will there be no penalty for someone knocking them off the internet every day, all day, permanently?

    Really, the FBI is the only law enforcement agency equipped to get involved, and most of the time (in my experience) the FBI does absolutely nothing when a DOS attack, hack attempt, hack success, or hack + tampering occurs. And local law enforcement usually don’t have jurisdiction to investigate these crimes, and more likely just don’t know how. So don;t feel like your tax money is being wasted investigating computer crimes, because it’s not.

    Because of this situation, there’s most often no penalty at all for attempting or even being successful at these kinds of attacks. That is why they are so widespread. What does it take now, 15 minutes before a freshly installed computer with no updates placed on the internet is rooted?

    You can’t say that just because the attacker is one of SL’s own players that a legal response is not justified. Can a storeowner not call the police when someone won’t leave when asked, or who knocks down a display? Can a webhosting company not prosecute a customer who hacks into other customers’ accounts or who launches DOS attacks from there, or when they catch him in the middle of a dictionary attack – even one that is not yet successful?

    Mr. Neumann, the players of SL may be “free” to use the service, but they are not free to destroy or technically interfere with it. They may have a character who interferes by having an annoying or obnoxious character, but that does not rise to a legal wrong (although it could if the game owners told that person never to return or got a restraining order). If there is any doubt as to whether a user has crossed the line of what they are free to do in the game, the game owners should be free to call the police and have the matter resolved in court.

    It’s not up to SL to “fix their world” anymore than it is up to a large webhost to limit their servers’ outgoing bandwidth to prevent customers’ outgoing DOS attacks, or removing Perl and PHP because phishers sign up for service and use those languages to spoof websites and collect authentication information.

    I also say it doesn’t matter whether there are other users’ inconvenienced by the outage, or if anyone loses any money. The legal wrong is completed when a person attacks a computer system, regardless of whether he is successful or causes a little or a lot of damage.

    Kevin Mitnick went to federal prison just for logging in and taking a look at some files. Maybe that was a waste of FBI resources too, but it’s no secret that you should not be meddling with someone else’s network.

    I say this is a real crime and is no more a waste of the FBI’s time than their helping ME if someone knocks my laptop off the internet.

  36. Ned Ulbricht says


    If you put your script interpreter on a server, and charge users for cpu time, then would a $1,000,000,000 bill for a fork bomb still count as exceptional circumstances?

  37. Most of this disagreement seems pretty bogus to me. It looks as if two issues are being conflated into one.

    Issue 1:-

    Q: Should real-world authorities be called in to handle misdeeds in a virtual fantasy world?

    A: If some jerk is deliberately crashing the servers, that’s not just a fantasy world issue!

    Issue 2:-

    Q: I put a script interpreter on a server and encourage people to log-in and do something creative with it. The scripting language contains a “fork” command. If some jerk keeps crashing my server with fork-bombs, can I seek legal redress?

    A: Probably not, unless there are exceptional circumstances. If the jerk with the fork-bomb clicked on a button labelled, “I must pay $1,000,000,000 damages if my script is a fork-bomb.” then that might be an exceptional circumstance.

    Just my $0.02 worth. I am not a lawyer. Do not taunt Happy Fun Ball.

  38. I’m with rps on this one. This was entirely foreseeable, and the chosen response is reprehensible.

    I see this as similar to prosecuting “cheats” in online FPSes – write a stronger system, aggressive kick suspected cheats, create a social dynamic that discourages undesirable behavior, etc. Don’t waste the taxpayers money, and don’t (perhaps) unwittingly help to extend the rent-seeking grasp of our out-of-control legal system into yet another previously-free corner of human enterprise. The whole point of these “communities” is to creatively experiment with human potential. When the results of this experiment are unsatisfactory, tweak the conditions and try again.

    This reminds me of the corporate trademark squad’s takeover of DNS administration, except this time the “geeks” are actually inviting the cops and the lawyers to assume control. The only parts of our society that are effectively innovating are those that aren’t already overlitigated and overregulated. Congratulations to second life, they’re helping to extend the reach of the law into yet another area in which it has no business.

  39. Ned Ulbricht says


    So where’s the bright line between an interactive computer time-sharing service in comparision with a MMORPG providing a Turing-complete scripting language facility?

  40. One solution is this:
    Have two worlds. One a heavily policed, family-safe online creche in which the FBI will be called to investigate any misdemeanors. And the other world, a completely lawless adult-only sandpit in which anything goes. Rectifying any degeneration of the latter can then be used to improve the resilience of both.

    What I wonder though is what would be the relative demographic for each world?

    There does need to be a clear distinction between ‘online virtual theme park – into which real world jurisdiction is required to extend’ and ‘online game – legally indistinguishable from an unreliable IRC service’.

  41. As maker of a virtual world, I understand how difficult it can be to anticipate and prevent all destructive activities of members. However, it’s definitely the problem of those running the world, not the real-world FBI. If it’s possible for a game to cost taxpayers money, perhaps that game should be regulated to minimize that cost — and non-players may well feel the easiest solution is to ban the game.

    A DOS attack that doesn’t use in-game tools is a different matter, and should be treated the same as any other.

  42. It’s interesting to see how the “tools not rules” meme raises its head in this discussion. I think there’s something both attractive and creepy in the idea that virtual spaces should be engineered so that you simply can’t do things that would cause certain kinds of damage to others or to the virtual space itself. I also wonder how the population of people who believe in that kind of engineering of virtual worlds overlaps with the population of people who reflexively oppose attempts to engineer the real world to impose similar safeguards. (That last isn’t just snark; I think it may be important for understanding the way that different people approach virtual behavior as opposed to real-world behavior.)

  43. Supercat, you’re right to ask “did the real-world people using the system do so in a manner clearly not authorized?” The people running second life seem to think that they did. Others may disagree.

    One of the main purposes of the legal system is to rule on such questions. That seems to be where the dispute is heading. Makes sense to me.

  44. These Second Life guys are idiots. Were they not aware of the creatures known as “griefers” who live only to ruin games for other people? Have they never heard the term “forkbomb” – which can be honest-to-god bugs as well as malicious code? As a programmer, if I were writing a scripting language for users of an MMORPG, the first thing I would do would be to set limits on the resources each of them can use, which has been done ever since time-shared systems were invented in the ’60s.

    I don’t want my tax dollars going to prosecute people, nor do I want FBI agents diverted from investigating real crimes, when it’s Second Life’s fault for being incompetent idiots.

  45. David Harmon says

    poet’s “fool me once, shame on you; fool me twice, shame on me” is a good point, but when you’re dealing with a massively-multiplayer environment, fixing something like this takes non-trivial real-world time, after you figure out what the problem was, and hopefully without shutting down the V-world entirely for the duration.

    To respond to Roastbeef’s snark: Nobody smote us when we *discovered* nuclear fission. But by the same token, if we’d gone on to full nuclear exchange, fallout, nuclear winter, etc, I doubt anybody would have “restarted the system” either. Ditto if we warm the atmosphere to ecodisaster, or fish the seas so thoroughly as to cut off the oceanic food chain. On the gripping hand, a localized outbreak of bioengineered disease ( or nanotech “gray goo”) might well prompt nuclear sterilization by the “wizard” players, that is, those with in-world control of such weapons.

  46. Absolutely insane to call in the real world FBI on this. These people were authorized paying users when they created this object, using a scripting language that the service provider made available to the users for the express purpose of user created object.

    To be slightly snarky about it: Did our uber-service provider (God/Nature/pick-your-own) smite us from the planet when we discovered nuclear fission? No need to because the system was properly designed.

    You know those T-Shirts for the speed of light (“It’s not just a good idea, it’s also the law”), time to cook up Conservation version.

  47. I don’t know why this is so complicated. To me, it seems pretty simple: did the real-world people using the system do so in a manner clearly not authorized? If not, I see no legitimate basis for any real-world punishment beyond banishment (a punishment the system owner is free to impose on any user for any reason). If real-world people who have been banished try to get in by pretending to be someone else, that could be construed as unauthorized access and punishable by law.

  48. David Harmon says

    I’d say that as soon as the servers crashed, the exploit in question effectively *had* broken out into the real world. And when the griefers did it a second time, they lost the presumption of “accidental damage”. At that point, I have no problem bringing in law enforcement.

    At the same time, I would hope that the SL mods are *also* working on upgrading the system…. Besides rate-limiting (fixing the last hole), they might want to consider creating in-game “Furies”. These would be mod-controlled creatures able to monitor the gameworld for large-scale problems such as object storms, and perhaps empowered to deal with them directly.

  49. The people who are arguing for FBI intervention seem to be saying that it’s justified because there are real-world consequences to the things that the online miscreants are doing — disruption of the servers, disruption of enterprises that show real-world profits or losses, and so on. On the one hand that makes a lot of sense to me. As soon as the bits you manipulate in the virtual world have a solid-enough connection to physical objects and money in the virtual world, then you’re not really manipulating bits any more.

    On the other hand, this approach raises questions about how systems like Second Life should be regulated. Let’s say I start an online enterprise in SL and sell shares in it. At what point is the office of the Secretary of State in my physical home state (or in some other state claiming jurisdiction) going to become interested? At what point will the SEC point out that selling shares in corporations comes under its bailiwick? Thus far, it seems, the amount of economic activity taking place within virtual spaces is small enough that no one really cares about it, but at some point this will become an issue. (A few months ago there was a discussion about virtual worlds where force and fraud were considered perfectly reasonable forms of interaction; as such worlds get massive enough to do real-world things like calling in the FBI for DOS attacks, will there be limits on the laws that they can use to govern themselves?)

  50. There seems to be some confusion over what is a crime within the virtual world & what is a crime in the real world. In the virtual world in question here, it’s possible that no crime was committed; it all depends on whether introducing endlessly multiplying orbs into that world was prohibited by some law within that world. On the other hand, if the creaters of this script intended to produce a DOS attack, that would be a crime within the real world–an attack against a particular set of servers in the real world.

    Calling in real-world punishments for crimes that take place entirely within the sphere of a virtual world is absurd. The participants of the virtual world (which is after all really just a metaphor) may see fit to create systems of crime & punishment to deal with the virtual ‘needs’ of that world, but they have got to be recognized as crimes & punishments strictly within the confines of that world.

    Only if actions within the virtual world lead to crimes in the real world should real-world punishments be administered. It’s worth noting that actions need not be considered crimes within the virtual world to result in real-world crimes. Perhaps the game is coded such that an action that is legitimate within that world, even laudable, causes events to take place in the real world that constitute crimes. This disjunction of results exists exists because they arise within the context of two absolutely disjunct domains: the real world with its own set of morals & laws, & the virtual world with another.

    One is real & the other isn’t. The confusion arises because one world, the virtual one, depends for its existence upon the other, the real world. But artificial constructs within the dependent world do not escape into the real world on which it depends.

    So: ‘It will sometimes be necessary, then, to appeal to real-world law enforcement to handle bad acts in virtual worlds.’ Actually, then, real-world law enforcement would be called in to handle bad acts in the real world, whatever they might be. The real-world crime is the DOS & not the multiplying orbs.

  51. Ed: Thanks for the response. I agree that there is a threshold of damage beyond which it is appropriate to inolve the authorities; the question is where that threshold lies.

    In the real world the threshold is pretty low – I’d imagine a shop owner might call the police over a $10 shoplifting attempt.

    I think many internet users (myself included) believe this theshold should be rather high for online attacks – a DOS attack that shuts down a major business warrants intervention, but an inconvenience to players of an on-line game does not (keeping in mind Prokofy Neva’s point about the use of real money in Second Life). I can think of a few reasons:

    1. Historically there has been little regulation and law enforcement carried out in on-line worlds, so FBI intervention is a new and possibly dangerous development.

    2. It is probably harder to track down an on-line criminal than a shoplifter, so the chance of being caught (and thus the deterrent effect) is lower for a given level of law enforcement.

    3. I believe that results tend to be poor when government authorities step into areas where they have little experience. Would increased policing of on-line systems lead to calls for new poorly-thought-out, overreaching legislation? e.g. a requirement that all users of on-line systems register their identities and physical locations?

    (for a small-scale example of this, consider the animosity many players of on-line games hold against the “mods” who oversee their worlds – even well-intentioned intervention in the game world sometimes backfires)

  52. A virus or DOS attack is just that, regardless of the context. I think it’s a question of intent more than anything. If a script was really written to damage property in the real world, I have no problem with involving the law. If it’s just part of the game (yes, that includes “kiddie scripts” to cheat) then it’s an issue for the in game police (moderators) not real world prosecutors.

  53. required reading: my tiny life.

  54. The makers of Second Life and many of its residents don’t consider it a game. Unlike World of Warcraft or The Sims Online, the platform is used for entertainment and socializing, but also for businesses and educational uses. When the grid is deliberately crashed, and repeatedly, by a known group of griefers, it’s not just that people’s games are interrupted, their businesses and non-profit projects are disrupted, too. The Second Life currency, the Linden, is convertible to real-life U.S. dollars on the LindEX and other currency exchanges. This isn’t just selling game-gold mined by AFK farmers; this is income from enterprises like other web-based businesses and academic courses. Therefore denial-of-service in this context takes on a deeper dimension because people locked out of the crashed world for hours or days actually lose income, customers, data and objects they’ve been working on, etc.

    The world has its own scripting language called LSL which has a function called “giveinventory” which some programmers have said should be shut off or limited. It’s functions like these that griefers use to spread the weapons of mass destruction around. But those functions are also used to do things like distribute notecard information, news, landmarks, etc. so that like in a real-world society, if you shut down various mass news and transportation arteries, you’re crippling the world for the sake of fighting a few terrorists.

    Those within SL currently screaming loudest against Linden Lab’s decision to call in the FBI often have the least financial or time stake in the world and prefer to see it as a gaming prototype or entertainment device and want absolutely no limits on creativity or behaviour.

    Those applauding hardest over LL’s decision to call in the feds are those with businesses or projects constantly attacked or suffering losses from such griefers who want to make a civilization.

    The balance between these two poles will define the struggles in the Metaverse to come.

    Prokofy Neva

  55. When this story initially broke, I was against the FBI being called in. I felt that virtual worlds and real worlds shouldn’t collide. After all, if the game lets you do it then you can do it. The only time that shouldn’t be the case, is if the TOS aggreement specifically forbids that behaviour. And even then it shouldn’t usually involve the authorities.

    But if you look at this as a DOS attack (which it was) then it makes sense for the real world authorities to get involved. So I guess it is a good thing to call the FBI in this case.

    I still think that the game should be coded in such a way that executing valid game actions shouldn’t take the game down. That just seems to poor design on the part of the game developers.

  56. Ned Ulbricht says

    Is the scripting language Turing-complete?

  57. Bob Neumann says

    The idea of calling the FBI is insane. If person “A” builds an imaginary world, and tells person “B” that he may play FREELY in it, (remember, the whole point of this world being imaginary is that I can do “whatever” unhindered by the laws/norms/morals issues of the real world) then person “B” does something that person “A” hadn’t anticipated, Person “A” should:

    A: Fix his defective world to prevent that unanticipated action
    B: Try in whatever imaginary-world social context to get person “B” to stop
    C: Call the REAL world’s tax funded FBI

    You think the correct answer is “C”????? You must’ve lost your marbles.

    If you can’t fix your imaginary world, then shut it down. If it’s “too hard!” to code it to be fool-proof then become a plumber. Get out of the imaginary world business. Whatever. The FBI is for real world crimes, not imaginary-world customer/vendor relations problems.


  58. Dan,

    I see your point. But it seems to me that a denial of service attack like this, executed via in-world computer code, should be treated the same as if the attack were executed by out-of-world methods.

    Consider, for example, an attack that sent a diabolical network packet to the Second Life servers, which caused the servers to automatically send two copies of that same packet to themselves. The packets would multiply exponentially until the servers crashed. If this attack were carried out several times over a period of weeks, aimed at a server-farm with 1000 servers or so, I would expect it to merit FBI investigation. I don’t see why this attack should be treated differently from the actual attack.

    You might argue that neither case merits prosecution. If so, I would still hope the FBI paid a visit to the perpetrators and helped them see the wisdom of stopping the attacks.

  59. That seems like a completely over-the-top response. Why not just limit the rate at which in-game objects are allowed to multiply, the same method that operating systems use to prevent “fork bombs” from taking over the machine?

    I guess the reason is that the developers can’t forsee every possible exploit, and calling in the authorities provides some extra deterrence against potential attackers.

    But I feel that if the FBI should be getting involved, they should be spending time on SERIOUS issues like malicious black-hat hacking, identity theft, on-line fraud, etc, not worrying about script-kiddies in an on-line game.