Don’t do it – not even in a virtual world

Hannu Ahola has an interesting story to tell.

His story takes place in a virtual world that many of us who are too busy in the real world never visit. Hannu is an active player of an online role-playing game called World of Warcraft. What is he doing then when he is “playing”? In the World of Warcraft, players from all over the world buy accounts and create characters. By accomplishing different missions, these characters gain skills and virtual wealth that other players envy.

So, when does the game end? Never – much to the relief of its 11 million active players.

Hannu’s story started about 4 years ago. His friends were urging him to play World of Warcraft. At first, he was not interested. But after a little convincing, he bought an account from an acquaintance, which turned out to be mistake.  But Hannu didn’t know that yet.

He found himself spending more and more time playing. He estimates that during those first two years he played 8-10 hours per day. Every day. The result was an impressive character that accumulated a substantial amount of wealth and talents. The character was so good that people might have been willing to pay real world money for it.

And this fact did not escape the acquaintance who originally owned the account. Using the original account information, this 18-year old boy was able to take control of Hannu’s character and the virtual wealth Hannu had been building for years. And it seemed that there was nothing Hannu could do about it.

Most of us have trouble understanding this kind of loss. Hannu explained it to me: “What if you had collected stamps passionately for 2 years. You had put all your spare time into it and then someone took it away. How would that make you feel?”

After he figured out that it was his acquaintance who stole his character, Hannu contacted the boy – who promptly ignored him. He then contacted the boy’s mother but got no help.

Stealing is punishable in the real world, but did not seem to matter in the virtual world. Except to Hannu. He hired a lawyer and took the issue to court.

After a 1,5 year battle, the young boy was sentenced to pay Hannu 4000 euros for the character Hannu finally never got back. But Hannu had won the moral battle: there are limits to what you can do in the virtual world. Hannu’s case represents the first time that a real world court in Finland dealt with a matter related to virtual worlds, and I have the feeling there’s more to come.

(For more about Hannu and the value of virtual world commodities, check out Sean from the F-Secure Labs on “What is a World of Warcraft Account Worth?“)

The boundaries between virtual worlds and the real world are blurring. World of Warcraft accounts get phished all the time. Children are bullied in virtual worlds. In China, even murders have been committed because of  virtual world events. But they also provide a lot of opportunities for enjoyment and self-expression – as long as we obey the law. And for that to happen, we’re going to need a lot more people like Hannu.

So good job, my friend!

Cheers,
Marja

More posts from this topic

bash

Shellshock only concerns server admins – WRONG

Yet another high-profile vulnerability in the headlines, Shellshock. This one could be a big issue. The crap could really hit the fan big time if someone creates a worm that infects servers, and that is possible. But the situation seems to be brighter for us ordinary users. The affected component is the Unix/Linux command shell Bash, which is only used by nerdy admins. It is present in Macs as well, but they seem to be unaffected. Linux-based Android does not use Bash and Windows is a totally different world. So we ordinary users can relax and forget about this one. We are not affected. Right? WRONG! Where is your cloud content stored? What kind of software is used to protect your login and password, credit card number, your mail correspondence, your social media updates and all other personal info you store in web-based systems? Exactly. A significant part of that may be on systems that are vulnerable to Shellshock, and that makes you vulnerable. The best protection against vulnerabilities on your own devices is to make sure the automatic update services are enabled and working. That is like outsourcing the worries to professionals, they will create and distribute fixes when vulnerabilities are found. But what about the servers? You have no way to affect how they are managed, and you don’t even know if the services you use are affected. Is there anything you can do? Yes, but only indirectly. This issue is an excellent reminder of some very basic security principles. We have repeated them over and over, but they deserve to be repeated once again now. You can’t control how your web service providers manage their servers, but you can choose which providers you trust. Prefer services that are managed professionally. Remember that you always can, and should, demand more from services you pay for. Never reuse your password on different services. This will not prevent intrusions, but it will limit the damage when someone breaks into the system. You may still be hurt by a Shellshock-based intrusion even if you do this, but the risk should be small and the damage limited. Anyway, you know you have done your part, and its bad luck if an incident hurts you despite that. Safe surfing, Micke   PS. The best way to evaluate a service provider’s security practices is to see how they deal with security incidents. It tells a lot about their attitude, which is crucial in all security work. An incident is bad, but a swift, accurate and open response is very good.   Addition on September 30th. Contrary to what's stated above, Mac computers seem to be affected and Apple has released a patch. It's of course important to keep your device patched, but this does not really affect the main point of this article. Your cloud content is valuable and part of that may be on vulnerable servers.  

Sep 26, 2014
BY Micke
Unbenannt-2

Why your Apple Watch will probably never be infected by malware

On Tuesday Apple announced its latest iPhone models and a new piece of wearable technology some have been anxiously waiting for -- Apple Watch. TechRadar describes the latest innovation from Cupertino as "An iOS 8-friendly watch that plays nice with your iPhone." And if it works like your iPhone, you can expect that it will free of all mobile malware threats, unless you decide to "jailbreak" it. The latest F-Secure Labs Threat Report clears up one big misconception about iOS malware: It does exist, barely. In the first half of 2014, 295 new families and variants or mobile malware were discovered – 294 on Android and one on iOS.  iPhone users can face phishing scams and Wi-Fi hijacking, which is why we created our Freedome VPN, but the threat of getting a bad app on your iOS device is almost non-existent. "Unlike Android, malware on iOS have so far only been effective against jailbroken devices, making the jailbreak tools created by various hacker outfits (and which usually work by exploiting undocumented bugs in the platform) of interest to security researchers," the report explains. The iOS threat that was found earlier this year, Unflod Baby Panda, was designed to listen to outgoing SSL connections in order to steal the device’s Apple ID and password details. Apple ID and passwords have been in the news recently as they may have played a role in a series of hacks of celebrity iCloud accounts that led to the posting of dozens of private photos. Our Mikko Hypponen explained in our latest Threat Report Webinar that many users have been using these accounts for years, mostly to purchase items in the iTunes store, without realizing how much data they were actually protecting. But Unflod Baby Panda is very unlikely to have played any role in the celebrity hacks, as "jailbreaking" a device is still very rare. Few users know about the hack that gives up the protection of the "closed garden" approach of the iOS app store, which has been incredibly successful in keeping malware off the platform, especially compared to the more open Android landscape. The official Play store has seen some infiltration by bad apps, adware and spamware -- as has the iOS app store to a far lesser degree -- but the majority of Android threats come from third-party marketplaces, which is why F-Secure Labs recommends you avoid them. The vast majority of iPhone owners have never had to worry about malware -- and if the Apple Watch employs the some tight restrictions on apps, the device will likely be free of security concerns. However, having a watch with the power of a smartphone attached to your body nearly twenty-four hours a day promises to introduce privacy questions few have ever considered.    

Sep 9, 2014
BY Jason
Unbenannt-3-1

How should we deal with defamation and hate speech on the net? – Poll

Everybody probably agree that the net has developed a discussion culture very different from what we are used to in real life. The used adjectives vary form inspiring, free and unrestricted to crazy, sick and shocking. The (apparent) anonymity when discussing on-line leads to more open and frank opinions, which is both good and bad. It becomes especially bad when it turns into libel and hate speech. What do you think about this? Read on and let us know in the poll below. We do have laws to protect us against defamation. But the police still has a very varying ability to deal with crimes on the net. And the global nature of Internet makes investigations harder. Most cases are international, at least here in Europe where we to a large extent rely on US-based services. This is in the headlines right now here in Finland because of a recent case. The original coverage is in Finnish so I will give you a short summary in English. A journalist named Sari Helin blogged about equal rights for sexual minorities, and how children are very natural and doesn’t react anyway if a friend has two mothers, for example. This is a sensitive topic and, hardly surprising, she got a lot of negative feedback. Part of the feedback was clear defamation. Calling her a whore, among other nasty things. She considered it for a while and finally decided to report the case to the police, mainly because of Facebook comments. This is where the really interesting part begins. Recently the prosecutor released the decision about the case. They simply decided to drop it and not even try to investigate. The reason? Facebook is in US and it would be too much work contacting the authorities over there for this rather small crime. A separately interviewed police officer also stated that many of the requests that are sent abroad remain unanswered, probably for the same reason. This reflects the situation in Finland, but I guess there are a lot of other countries where the same could have happened. Is this OK? The resourcing argument is understandable. The authorities have plenty of more severe crimes to deal with. But accepting this means that law and reality drift even further apart. Something is illegal but everybody knows you will get away with the crime. That’s not good. Should we increase resourcing and work hard to make international investigations smoother? That’s really the only way to make the current laws enforceable. The other possible path is to alter our mindset about Internet discussions. If I write something pro-gay on the net, I know there’s a lot of people who dislike it and think bad things about me. Does it really change anything if some of these people write down their thoughts and comment on my writings? No, not really. But most people still feel insulted in cases like this. I think we slowly are getting used to the different discussion climate on the net. We realize that some kinds of writing will get negative feedback. We are prepared for that and can ignore libel without factual content. We value feedback from reputable persons, and anonymous submissions naturally have less significance. Pure emotional venting without factual content can just be ignored and is more shameful for the writer than for the object. Well, we are still far from that mindset, even if we are moving towards it. But which way should we go? Should we work hard to enforce the current law and prosecute anonymous defamers? Or should we adopt our mindset to the new discussion culture? The world is never black & white and there will naturally be development on both these fronts. But in which direction would you steer the development if you could decide? Now you have to pick the one you think is more important.   [polldaddy poll=8293148]   Looking forward to see what you think. The poll will be open for a while and is closed when we have enough data.   Safe surfing, Micke  

Sep 8, 2014
BY Micke