Don’t do it – not even in a virtual world

Hannu Ahola has an interesting story to tell.

His story takes place in a virtual world that many of us who are too busy in the real world never visit. Hannu is an active player of an online role-playing game called World of Warcraft. What is he doing then when he is “playing”? In the World of Warcraft, players from all over the world buy accounts and create characters. By accomplishing different missions, these characters gain skills and virtual wealth that other players envy.

So, when does the game end? Never – much to the relief of its 11 million active players.

Hannu’s story started about 4 years ago. His friends were urging him to play World of Warcraft. At first, he was not interested. But after a little convincing, he bought an account from an acquaintance, which turned out to be mistake.  But Hannu didn’t know that yet.

He found himself spending more and more time playing. He estimates that during those first two years he played 8-10 hours per day. Every day. The result was an impressive character that accumulated a substantial amount of wealth and talents. The character was so good that people might have been willing to pay real world money for it.

And this fact did not escape the acquaintance who originally owned the account. Using the original account information, this 18-year old boy was able to take control of Hannu’s character and the virtual wealth Hannu had been building for years. And it seemed that there was nothing Hannu could do about it.

Most of us have trouble understanding this kind of loss. Hannu explained it to me: “What if you had collected stamps passionately for 2 years. You had put all your spare time into it and then someone took it away. How would that make you feel?”

After he figured out that it was his acquaintance who stole his character, Hannu contacted the boy – who promptly ignored him. He then contacted the boy’s mother but got no help.

Stealing is punishable in the real world, but did not seem to matter in the virtual world. Except to Hannu. He hired a lawyer and took the issue to court.

After a 1,5 year battle, the young boy was sentenced to pay Hannu 4000 euros for the character Hannu finally never got back. But Hannu had won the moral battle: there are limits to what you can do in the virtual world. Hannu’s case represents the first time that a real world court in Finland dealt with a matter related to virtual worlds, and I have the feeling there’s more to come.

(For more about Hannu and the value of virtual world commodities, check out Sean from the F-Secure Labs on “What is a World of Warcraft Account Worth?“)

The boundaries between virtual worlds and the real world are blurring. World of Warcraft accounts get phished all the time. Children are bullied in virtual worlds. In China, even murders have been committed because of  virtual world events. But they also provide a lot of opportunities for enjoyment and self-expression – as long as we obey the law. And for that to happen, we’re going to need a lot more people like Hannu.

So good job, my friend!

Cheers,
Marja

More posts from this topic

AshleyMadison

Is it OK to cheat on the AshleyMadison cheaters? (Poll)

The user register of AshleyMadison has been hacked. You don’t know what that is? Well, that’s perfectly fine. It’s a dating site for people who want to cheat on their spouses. Many dislike this site for moral reasons, but there is apparently a demand for it. The Canadian site has some 37 million users globally! Some user data has already been leaked out and the hackers, calling themselves Impact Team, have announced that they will leak the rest unless the site shuts down. So this hack could contribute to many, many divorces and a lot of personal problems! "We will release all customer records, profiles with all the customers' sexual fantasies, nude pictures and conversations and matching credit card transactions, real names and addresses." The Impact Team This is one hack in a long row, not the first and certainly not the last site hack where user data is leaked. But it is still remarkable because of the site’s sensitive nature. Think about it. What kind of information do you store in web portals and what bad could happen if that data leaks out? If you are cheating on your spouse, then that is probably one the most precious secrets you have. Disclosure of it could have devastating effects on your marriage, and maybe on your whole life. Millions of users have put their faith in AshleyMadison’s hands and trusted them with this precious secret. AshleyMadison didn’t misuse the data deliberately, but they failed to protect it properly. So it’s not that far-fetched to say that they cheated on the cheaters. What makes the AshleyMadison hack even worse is the site’s commercial nature. Users typically pay with a credit card issued in their own name. They can appear anonymously to their peers, but their true identities are known to the site owner, and stored in the database. So any leaked information can be linked reliably to real people. The sad thing is that the possibility of a leak probably never even crossed the mind of these 37 million users. And this is really the moral of the story. Always think twice before storing sensitive information in a data system. You must trust the operator of the system to not misuse your data, but also to have the skills, motivation and resources to protect it properly. And you have very poor abilities to really verify how trustworthy a site is. This is not easy! Refraining from using a site is naturally the ultimate protection. But we can’t stop using the net altogether. We must take some risks, but let’s at least think about it and reflect over what a compromised site could mean. This hack is really interesting in another way too. AshleyMadison is a highly controversial site as cheating is in conflict with our society’s traditional moral norms. The hack is no doubt a criminal act, but some people still applaud it. They think the cheaters just got what they deserved. What do you think? Is it right when someone takes the law in his own hands to fight immorality? Or should the law be strictly obeyed even in cases like this? Can this illegal hacking be justified with moral and ethical arguments? [polldaddy poll=8989656]       Micke   Image: Screenshot from www.ashleymadison.com  

July 21, 2015
BY 
hacking team, hack like a champion, why hacking team matters

3 reasons the Hacking Team story matters from Mikko Hypponen

Hacking is in the news. The U.S. recently disclosed that it was the victim of what may the biggest, most consequential hack ever. We hacked some politicians. And a group called "Hacking Team" was hacked itself. Brian Krebs reports: Last week, hacktivists posted online 400 GB worth of internal emails, documents and other data stolen from Hacking Team, an Italian security firm that has earned the ire of privacy and civil liberties groups for selling spy software to governments worldwide. The disclosure of a zero-day vulnerability for the Adobe Flash Player the team has used has already led to a clear increase of Flash exploits. But this story has a larger significance, involving serious questions about who governs who can buy spyware surveillance software companies and more. Our Chief Research Office Mikko Hyppönen has been following this story and tweeting insights and context. Reporters from around the world have asked him to elaborate on his thoughts. Here's a look at what he's been telling them 1) What is your opinion about the Hacking Team story? This is a big story. Companies like Hacking Team have been coming to the market over the last 10 years as more and more governments wanted to gain offensive online attack capability but did not have the technical know-how to do it by themselves. There's lots of money in this business. Hacking Team customers included intelligence agencies, militaries and law enforcement. Was what Hacking Team was doing legal? Beats me. I'm not a lawyer. Was what Hacking Team was doing ethical? No, definitely not. For example, they were selling hacking tools to Sudan, whose president is wanted for war crimes and crimes against humanity by the International Criminal Court. Other questionable customers of Hacking Team include the governments of Ethiopia, Egypt, Morocco, Kazakhstan, Azerbaijan, Nigeria and Saudi Arabia. None of these countries are known for their great state of human rights. List of Hacking Team customers: Australia - Australian Federal Police Azerbaijan - Ministry of National Defence Bahrain - Bahrain Chile - Policia de Investigation Colombia - Policia Nacional Intelligencia Cyprus - Cyprus Intelligence Service Czech Republic - UZC Cezch Police Ecuador - Seg. National de intelligencia Egypt - Min. Of Defence Ethiopia - Information Network Security Agency Honduras - Hera Project - NICE Hungary - Special Service National Security Kazakstan - National Security Office Luxembourg - Luxembourg Tax Authority Malaysia - Malaysia Intelligene Mexico - Police Mongolia - Ind. Authoirty Anti Corruption Morocco - Intelligence Agency Nigeria - Bayelsa Government Oman - Excellence Tech group Oman Panama - President Security Office Poland - Central Anticorruption Bureau Russia - Intelligence Kvant Research Saudi Arabia - General Intelligence Presidency Singapore - Infocomm Development Agency South Korea - The Army South Korea Spain - Centro Nacional de Intelligencia Sudan - National Intelligence Security Service Thailand - Thai Police - Dep. Of Correction Tunisia - Tunisia Turkey - Turkish Police USA - FBI Uzbekistan - National Security Service 2) What happens when a company of this kind is a victim of an hacking attack and all of its technology assets are published online?  This was not the first time something like this happened. Last year, Gamma International was hacked. In fact, we believe they were hacked by the same party that hacked Hacking Team. When a company that provides offensive hacking services gets hacked themselves, they are going to have a hard time with their customers. In the case of Hacking Team, their customer list was published. That list included several secretive organizations who would rather not have the world know that they were customers of Hacking Team. For example, executives of Hacking Team probably had to call up the Russian secret intelligence and tell them that there's been a breach and that their customership was now public knowledge. The Hacking Team leak also made at least two zero-exploits public and forced Adobe to put out emergency patches out for Flash. This is not a bad thing by itself: it's good that unknown vulnerabilities that are being exploited become public knowledge. But Adobe probably wasn't happy. Neither was New York Times, as they learned that Hacking Team was using a trojanized iOS app that claimed to be from New York Times to hack iPhones. 3) Is it possible to be protected from malware provided by companies like Hacking Team? Yes. We've added detection for dozens of Hacking Team trojans over the years. Hacking Team had a service where they would update their product to try to avoid signature-based antivirus detections of their programs. However, they would have much harder time in avoiding generic exploit detections. This is demonstrated by their own internal Wiki (which is now public). Let me attach a screenshot from their Wiki showing how we were able to block their exploits with generic behavioural detection: Cheers, Sandra [Image by William Grootonk | Flickr]

July 13, 2015
adobe flash, uninstall, auto-update, click-to-play

3 ways to make Adobe Flash less annoying and/or risky

Time to update Adobe Flash if you use it. So if you do, do it now. Of course, it always feels like time to update Flash. As an internet user, it's become all of our collective part-time job. It's a reminded that while the software is free, your time isn't. This particular update was necessitated by an event you may have heard about. "The flaw was disclosed publicly over the weekend after hackers broke into and posted online hundreds of gigabytes of data from Hacking Team, a controversial Italian company that’s long been accused of helping repressive regimes spy on dissident groups," Brian Krebs explained. The Hacking Team hack raised interesting questions about government surveillance and helped rattle nerves this week as computer systems kept planes out of the air and shut down the New York Stock Exchange -- freak incidents that are completely unrelated, according to disclosures thus far. But it doesn't take events like this remind us Flash exploits are so common that they're part of the business model of criminal operations like the Angler exploit kit. The key to security is always running the latest version of everything. So how do you get yourself out of the business of constantly mitigating Adobe Flash risks? Here are three ways. 1. Quit it. This is Brian Krebs' solution. He's lived without it for more than a month as an experiment. "It is among the most widely used browser plugins, and it requires monthly patching (if not more frequently)," Krebs said. And did he notice life without it? "...not so much." So instead of updating, you can just get rid of it. 2. Auto-update. If you're going to keep it, this is the minimum precaution our Security Advisor Sean Sullivan recommends. This will make sure you're getting all the updates and will prevent you, hopefully, from being tricked into downloading malware posing as an update. So turn those "background upgrades" on. 3. Click-to-play. If you're doing number 2, you probably want to do this too. Click-to-play means Flash elements run when you tell them to. Here's how to do it in all your browsers. Not only does this expose you to fewer risks, it makes the internet less annoying and can make your browser quicker. So why not? So what did you choose? Let us know in the comments. Cheers, Jason  

July 10, 2015
BY