By wjamesau on August 25, 2010 10:10 AM

Second Life Rocked by Denial-of-Service Attack Involving Anonymous Avatars, Open Source, Bouncing Breasts

Second Life Emerald Second Life was rocked yesterday by an announcement that “Emerald”, an open source software client that can access Linden Lab’s 3D virtual world, had been de-listed from the company’s directory of approved, third-party viewers. This news came days after revelations that Emerald’s mysterious lead developer had used the software in a denial-of-service attack provoked unrest for many of the world’s one million active users. Because by the time Linden de-listed it, Emerald had already become incredibly popular with SLers; by some reliable reports, it accounts for nearly half Second Life’s total user hours. And this being Second Life, the scandal also involves a confluence of anonymous avatars with bizarre names, open source, and, of course, bouncing breasts:

The third-party viewer program is a natural outgrowth of Linden Lab’s open sourcing of its own viewer code in 2007. That’s led to many alternate SL viewers boasting impressive innovations, such as Kirsten’s Viewer, which renders Second Life graphics on a par with next-gen video games. Launched in 2009, Emerald quickly gained a reputation for being more stable and feature-robust than Linden Lab’s official viewers. One Emerald addition attracted enormous adoption: a hack that, well, enables realistic avatar breast physics, as illustrated here:

But while Emerald was popular and acclaimed, dark rumors always lingered around Emerald’s development team, who many accused of secretly being griefers, malicious hackers, or worse. Trouble is, almost all of Emerald’s team are known only by their Second Life avatar names, and almost all of Emerald’s detractors are also known only by their avatar names, leading to a situation where it was difficult to discern who was reliable and who had nefarious interests. (MMO analyst Scott Jennings has a really good, intricate chronology here.) But the demand for a good viewer persisted, especially after Linden Lab’s updated viewer was rejected by many established users. So as Emerald kept getting better, it became ever more popular; and due to the Second Life tradition of avatar-only identities, more and more users wound up installing software with an unknown provenance, and no available recourse, were anything to go wrong.

Things went way wrong last week, when the lead Emerald developer known as “Fractured Crystal” casually revealed that he’d used hundreds of thousands of installed Emerald clients to direct page requests at the site of a rival, which he described as “a poor attempt at boasting” , but others described as a denial-of-service attack. Thereby making hundreds of thousands of Second Life users unwitting accessories in activity potentially punishable in the US and UK with jail time.

What happens now is in Linden Lab’s hands. Rosedale says the company is talking with Emerald’s new team, reconstituted in the wake of Fractured’s apparent removal. (But again, it’s difficult to know if this is true, or if other bad actors are still on the team.) Whatever the case, the incident is another unfortunate blow to the confidence of Second Life’s userbase, already undermined by Linden Lab’s recent rash of layoffs. It also illustrates the limits of trust in a world where users are mostly known only by their avatars. Or to put it another way: Beware of unknown geeks bearing gifts. (Especially when they’re bouncing breasts.)