Banlink hacked?
Macphisto Angelus
09-19-2009, 08:07 PM
Ok, I put about as much cred into "The Herald" as most of you.
Be that as it may, a "story" just went up today about serious security vulnerabilities in the BanLink website.
If you are a member and have the same password on it that you have in other places (like your SL account) you may want to change your passwords.
Maybe this is bull crap but it is better to be safe than sorry.
http://foo.secondlifeherald.com/slh/2009/09/banlink-security-broken.html#more
To verify the original source's claims, the Herald turned to two independent technical experts, who both agreed that the site suffers from significant security issues that may allow uncontrolled access to sensitive information.
One expert pointed out that all the tables in the BanLink database are an open book at this point, and it is unclear how well user passwords have been encrypted. This suggests that anyone who has a BanLink account will want to avoid using the same password on any other system.
jackalennui
09-19-2009, 08:09 PM
If you are a member and have the same password on it that you have in other places (like your SL account) you may want to change your passwords.
Not that one should ever use their SL account password for anything else, especially SL related sites .. but yes. May want to change it :)
Macphisto Angelus
09-19-2009, 08:22 PM
I totally agree, different passwords for everything. Unfortunately so many people use the same one for most all of their online stuff. Not to mention how many use "password" :P
Update: The banlink site is down for maintenance.
That's some really shitty programming.
Really shitty.
Giving the code a chance to play around with the contents of a query is bad enough, but having the actual error display on the internet instead of a generic page would have you marched out of the building in most places I've worked at.
I pulled down banlink long ago as being a waste of time. You can do what you need to with parcel rights and a local security system anyway.
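The two problems named in the post above (query text built from user input, and the raw database error shown to the visitor), as an added Python example that is not part of the original thread and is not BanLink's code. The table, column and function names and the sample row are assumptions made for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("banlist")
GENERIC_ERROR = "Something went wrong. Please try again later."


def make_db():
    """In-memory database with one constructed sample row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bans (name TEXT, reason TEXT)")
    db.execute("INSERT INTO bans VALUES ('Example Resident', 'constructed sample row')")
    return db


def lookup_unsafe(db, name):
    """'Before': input is pasted into the SQL text and the raw error is returned."""
    try:
        sql = "SELECT reason FROM bans WHERE name = '" + name + "'"
        rows = db.execute(sql).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error as exc:
        # The visitor sees the database's own error message.
        return 500, str(exc)


def lookup_safe(db, name):
    """'After': bound parameter, detail logged server-side, generic page out."""
    try:
        rows = db.execute(
            "SELECT reason FROM bans WHERE name = ?", (name,)
        ).fetchall()
        return 200, [r[0] for r in rows]
    except sqlite3.Error:
        log.exception("ban lookup failed")  # full traceback stays in the server log
        return 500, GENERIC_ERROR


if __name__ == "__main__":
    db = make_db()
    # An ordinary name containing an apostrophe is enough to break the 'before' form.
    print(lookup_unsafe(db, "O'Brien"))
    print(lookup_safe(db, "O'Brien"))
    print(lookup_safe(db, "Example Resident"))
```

With the bound parameter the apostrophe is treated as data, so the lookup returns an empty result instead of a database error.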
Aimee Weber
09-19-2009, 08:34 PM
A suggestion (I got this from Flipper) is to create a simple transform on the domain name for your password. Simple rules of thumb like (put the last three characters in front, change the first letter to the character below it, etc. etc.)
The end result is a unique password for every site you visit, but a password that is usually not human readable and easy to obtain even if you haven't been to the site in a long time.
Huns Valen
09-20-2009, 04:24 AM
if I wanted to get myself added to banlink how would I go about doing it?
Huns Valen
09-20-2009, 04:28 AM
"Mullah of Ravenglass" hahahahaha
Gabriele Graves
09-20-2009, 05:13 AM
I use a keychain program which stores all my web logins and has a built-in one time password generator with various configuration options. One password gives me access to all my logins and I simply copy and paste. All data is encrypted with strong encryption and it is unlikely, barring burglary or remote machine compromise, that it would ever fall into the wrong hands.
It takes mere moments to create a new login record with a new random password and store it, mere moments more to copy and paste it into the web browser - dead easy really, even for people who are quite lazy with passwords.
Gabriele Graves
09-20-2009, 05:19 AM
The problem now with BanLink is how will people know which avs were banned for good reason and which were hacked in? As BanLink is all about trust, this would seem to deal it a death blow unless they can pinpoint the time that the exploit was discovered and revert to a data backup from before that time. Either way, lots of people are now going to question BanLink I think.
For example if I were a griefing type, I would now appeal my ban and say my name had been hacked into the system. How could anyone say differently for sure?
prinţesă nina
09-20-2009, 08:42 AM
because any names added should also be associated with a trust group (nci, luskwood, etc), the individual that placed the ban, and the reason.
Lewis Luminos
09-20-2009, 10:19 AM
A suggestion (I got this from Flipper) is to create a simple transform on the domain name for your password. Simple rules of thumb like (put the last three characters in front, change the first letter to the character below it, etc. etc.)
The end result is a unique password for every site you visit, but a password that is usually not human readable and easy to obtain even if you haven't been to the site in a long time.
I do something similar - I have a short code of letters and numbers which always stays the same, then I add to it an extra code worked out from the domain name. Always unique and I can always remember it.
What I forget more often is my username.
prinţesă nina
09-20-2009, 10:27 AM
you guys are fools. i have one magic password that controls my entire interweb.
(mozilla master password)
Huns Valen
09-20-2009, 05:22 PM
I find incorporating profanity into passwords makes them easier to remember
Cocoanut Koala
09-20-2009, 07:40 PM
Is this Travis's thing?
I haven't seen Travis around in a long time.
:coco:
Gabriele Graves
09-20-2009, 07:57 PM
Is this Travis's thing?
I haven't seen Travis around in a long time.
:coco:
Yes it is.