Snowden and Heartbleed

By now I’m sure you’re all aware of Edward Snowden and his revelations about the NSA, GCHQ (Great Britain’s version of the NSA), and just about every other government’s intelligence gathering organization.

And, I’m sure you’ve all read about HeartBleed – the bug in OpenSSL which effectively broke internet security, everywhere. In fact, it might have broken your phone, too.

In fact, there’s also a rumor that the NSA “used” the HeartBleed bug to extract things like passwords and private keys from servers for years before it was discovered “in the wild”.

But I think Snowden’s revelations and HeartBleed are actually much more broadly connected than the NSA’s alleged use of it (which they of course denied).

And, I believe that the HeartBleed incident is actually far more dangerous than Snowden’s revelations, and, ultimately, what we should really be worrying about.

And, that both issues – the Government’s eavesdropping, and Heartbleed, are our fault.

First the NSA issue. Like most people, I think most of us already assumed that the Government, or the Companies that provide internet services, or irresponsible employees of either of these entities, were probably accessing our data anyway.

While it may not have been something we fretted about on a daily basis, we took common sense precautions, like having good passwords, not sharing passwords between sites, taking care not to email sensitive information like passwords, SSNs, and the like, etc.

And, if we did something illegal, we were probably smart enough not to transmit it via the internet or even the phone.

In this regard, we owe one to the conspiracy theorists for at least making us think about these things.

The sad fact is, most of us weren’t careful enough with our personal information anyway to have the NSA revelations make any difference. For everything you’re probably concerned about the NSA doing – spying on what products you buy, your credit card #s, what you send in emails, what web sites you visit – someone else was probably doing it already.

Think I’m kidding?

  • Reading your Mail. We already know Google scans your mail (Gmail) to give you helpful advertising.
  • Credit Card Numbers. You give your credit card to a stranger, who disappears into a back room with it, every time you charge your dinner in a restaurant.
  • Buying Habits. Let’s just forget Amazon. Use one of those handy Supermarket, Best Buy, or simaler reward cards? What do you think they’re doing with your data?
  • Bank Card Pins? Try buying a metro card in New York.
  • Your Location? Apart from just owning a phone which tracked your location, many Android Users actually paid for an application which tracked their location while pretending to be a flashlight

It goes on and on. No, the NSA isn’t doing anything different the someone else has been doing for years, legally, or illegally.

Of course, the advent of Social Media has only made this worse. Think about it: If the NSA really wanted to know where you’d been do you think they’d start by trawling through petabytes of data to find out? They’d probably start by looking at your Facebook, Instagram, or public Twitter postings, in which you probably blithely reported your location, what you were doing, who you were with, and what you were wearing.

Of course, that doesn’t make it right. Especially when it’s your elected government, and it could possibly be used in ways you don’t expect. Especially if the government, or someone important to the government is unhappy with you.

But does anyone actually expect this to stop? Sure, we can express indignation, demand action from Congress, even pass laws. But, in my opinion, all that means is that we’ll drive their efforts back underground. In the Government their will always be people who view the laws as guidelines, more than actual rules.

Even worse, whatever changes we can institute in our own government, it does nothing to impact what other people, companies, and countries will do illegally.

As a little “P.S.” to the NSA, it doesn’t matter what else we learn from Snowden, or, in fact anything beyond one fact: You Did It. You went as far as you could go, and beyond. You broke the trust of your citizens. You broke the trust of your citizen’s companies. You broke the trust of our allies. Nothing you can do will undo that, and we will always know you will do it.

No, the real problem is us. Beyond the fact that we’ve elected and enabled a Government which does this, the fact is that most of us don’t manage our privacy in a way we’d expect others to respect it.

That – and this is where we get to HeartBleed – is where the real problem is.

We found out last week that even if we did all the right things to protect (most) of our data, the tools we were (implicitly) trusting we horribly, horribly broken.

And that’s our fault, too.

The HeartBleed bug is roughly the equivalent of finding out:

  • Seat belts, if fastened while the back right passenger door open, will spontaneously fly open in the case of an accident
  • Electrical outlets will stand a 10% chance of shooting out bolts of high voltage electricity if you plug something in while standing on one foot.
  • If you take aspirin while drinking milk from a cow with a black spot on it’s forehead, will make you break out in hives for a week.
  • All door locks and alarm systems made in the last two years have a defect such that your house can be easily entered by someone carrying a cat.

So you’re probably saying “Well, those are ridiculous examples! Those things could never happen?”.

Why is that?

Because, all of those things – seat belts, electrical outlets, etc, are surrounded by systems – regulatory, commercial, or social – that makes it very difficult for broken products to survive. We all know what would happen if seat belts started failing that way, or people started to get shocked by their outlets, or people broke out in red spots. There would be outrage. There would be congressional hearings. There would be lawsuits.

And there would even be reform. It might be something as important as UL (Underwriter’s Laboratories), or an “Evil Government Agency” like the NTSB (I don’t think they’re evil), or even a semi-evil organization like the FDA (I don’t think they’re evil either, just a little misguided sometimes).

The point is, we have now learned that the systems – regulatory, social, or commercial – to protect the internet, our use of it, and the safety of our data on it – are non-existent.

OpenSSL, which is the software impacted by HeartBleed, is maintained by a group of less than a dozen individuals who rely on donations (and a few corporate contracts) to maintain a piece of software which is central to our security on the Internet. And, apparently, only one of those volunteers work on the product on a full-time basis – the rest of them have “day jobs” which may not even be security related.

Let’s put this in perspective. The next time you get on an airplane, how you would feel if you learned the airplane’s collision avoidance systems was maintained by 12 volunteers who didn’t get paid, and only worked on the systems part time, because they to support themselves with day jobs as accountants, construction workers, and cooks?

And oh, one more thing. There are no formal test systems for the Collision Avoidance System. The volunteers do an amazing job of reviewing each other’s work, but since they are stretched so thin, they haven’t had the time to produce a rigorous set of tests for the software.

That’s the case with OpenSSL, so Heartbleed is really no surprise to anyone. In fact, I think people in the industry are still in shock as to how bad it is, and not quite sure what do other than patch up the current hole (Thank goodness the folks at OpenBSD have at least started a major clean-up).

But OpenSSL is just part of the problem (oh, by the way, in case you thought HeatBleed impacting your Android phone was bad enough, it’s not just things like sign-ins to your Bank Account that are impacted. It’s every website that uses OpenSSL for security, including, potentially, power plants, hospitals, chemical plants, oil refineries, train control systems).

Let’s say you decide “Ok, I’m now going to be a safe, responsible internet user, and encrypt my sensitive emails”. Assuming you’re a “normal” person, this will prove to be an enormous pain, and you’ll probably end up giving up or doing it wrong.

“But, but”, you say, “how is this my fault?”. Ok, you didn’t do it deliberately. But what we have done is the equivalent of spending the last 10 years riding in cars with unregulated seat belts, 90% reliable electrical sockets, mostly good cow’s milk, and doors for mostly trustworthy dog-lovers. Certainly not a disaster. Yet.

But, we have to understand, as the public, that it’s a problem, and have the will to fix it. Hopefully, it won’t take something like defective ignition switches killing people to get everyone’s attention, but I have my doubts.

Then, we need to find a way treat these things like what they are : Public Utilities, or vital parts of Public Utilities, which require the appropriate level of care and trust.

Let’s be clear here – like, say, the public water utility – just because we choose to protect a given variant of software doesn’t mean you have to use it – just like you don’t have to drink tap water. If you think tap water isn’t protected well enough, or you don’t like it because you don’t like your water company, then you don’t have to use it.

What examples of these sorts of systems exist? Lots of models come to mind.

  • U.S. Government systems, like the NTSB, or FDA
  • Independent systems, like the Underwriters Laboratory
  • International Organizations, like the ACM, IEEE
  • Trusted private organizations, like Consumer Reports
  • Stewardship by private or public organizations, like Google, or Symantec, etc. Note I didn’t use the word “Trusted”
  • Form Private companies which will produce their own versions of SSL which are in turn certified by independent parties and sold, like enterprise software.

Some of these systems are regulatory, some provide objective reviews, and some do actual development. It’s likely that this problem needs some combination of all three.

You’ll notice I didn’t mention “Open Source”. This doesn’t mean that I don’t think these components shouldn’t be Open Source – they have to be to be trusted – it means that we can no longer rely on the current system of “Let’s hope we get enough donations to maintain this well”.

Some Open Source products are amazingly well funded and maintained, and some, like OpenSSL, are starved for resources and funding. So, I think the “Open Source” system is a part of the solution, but clearly not all of it.

So what do we do now?

If you’re an ordinary citizen, you can:

  • Make sure you are treating yours and your family’s information responsibly. Remember, for all intents and purposes, once you put information on social media, it’s out of your control and it’s forever. That should be enough to give anyone pause.
  • Use safe password practices. Consider using a tool like 1Password to generate and store good passwords. (By the way, Agile Bits, the people who make 1Password, have an amazing blog which talks about HeartBleed and you).
  • Do you best to understand other security issues like “SSL” and “Encryption”. You don’t need to be an expert, but, like your car, even knowing a little bit more is helpful
  • Support political candidates that take your rights to privacy seriously. Resist the urge to get partisan about this – both parties have been violating those rights, both have continued to violate them, and both will continue to, if given the chance.
  • See below. Maybe you can do more!

If you work in Technology, or are even more interested, there’s lots more that you can do!

  • Understand the efforts of the OpenSSL group, and, where possible, how you might be able to help. For example, I’ve noticed there been a hue and cry over the lack of automated tests for SSL, but no one has stepped up even offer to define them, much less build them.
  • Understand the efforts of the OpenBSD Group, which, as previously mentioned, is trying to improve the OpenSSL situation. The OpenBSD group has an excellent track record for security, and are generally highly regarded.
  • Donate money to wherever you feel it will work best: The OpenSSL Group, The OpenBSD Group, etc. If you really want to impact personal security in a broad way you can do what the guy who found the HeartBleed bug did – donate to the Freedom of the Press Foundation (follow the link to see why this makes sense).
  • If you’re a real geek, consider contributing to any one of these projects – OpenSSL, OpenBSD, or one of the Freedom of the Press Projects. But if you do so, understand what’s needed – in my view, OpenSSL needs a lot of good old grunt-work – not super cool groundbreaking stuff, but good old things like…test cases.

Finally, if you’re good at organizing, help think about what I wrote above about systemic improvements. I will be. Maybe I’ll even try and do something.


I can’t believe I have to post this, but what not to do about HeartBleed.

Also Android phones may not be susceptible to HeartBleed, but it’s very hard to tell.

1 Comment

Free There Weekend Trailer

There: The only place where even the Weekends have Trailers:

And, not only THAT, there’s a ”contest” for the best Trailer. So, not only is it Free, you can ”’Win Prizes”’! Learn more here!


Camping Around the World and FTW

Camping Around The World

Who needs the Game of Thrones, when you have Thrones, Schromes, we’ve got something event better!

I’m happy to help spread the word about a truly unique event in World this Month: Camping around the World. And, to help promote it, I found this amazing video!


And, just when you thought it couldn’t get any better, we’ll be holding our next Free There Weekend (FTW), starting Friday, April 11th at 6 PM PST (9PM EST) and ending Sunday, April 13th at 11:59PM, PST. So tell your friends, tell your Facebook, tell your Twitter!

(We’ll be running some Google advertising to this affect over the next week or so, and, of course, posting on our Facebook Page).


FTW Updates and more!

Snowy Creek

Snowy Creek

FTW (Free There Weekends) Update

Our first FTW was a great success. Our CCU was “about the same” as during the There Winter Games, which is great considering we had no advertising and very little advance notice. Thanks to SamSyn and Bruce, we also were spared any service overloads or outages.

Going forward, we’ve decided to make FTW’s a monthly affair on the 1st or 2nd weekend of each month. Before we start that, we need to solidify and test the “Avatar Deletion Process” which will purge people who showed up for a FTW (or two), but never subscribed, or, better yet, never logged into the 3D world (we had a lot of those!).

We want to make sure we wash them out of the system so they don’t hog all the good avatar names and fill “New There” up with “zombie” Avatars.

Change to the Low Cost/Free Trial Program

As you all know, you can “Try” There out for 10 days (yes, we snuck that one in on you!) for $.50, which is effectively “Free”, since we give you $.50 worth of Therebucks. We going to be increasing that time over the next few weeks or months to give people more time experience There, hang out, and hopefully get hooked!


The software support for Developer Hair rolled out to production over the past few weeks, and SamSyn has been working with some unnamed developers to figure out how hard it is – 3DSMax wise – to actually “make” hair. As we suspected, it’s not trivial at ALL, which isn’t surprising when you think about it: “Hair” has to not only “lie” well over heads and shoulders (in different ways), it also has to “work” with all kinds of different head shapes and sizes.

To quote SamSyn:

“Custom Hair Notes

You will probably notice some hairstyle submissions in the next few days. These are just for test and should not be approved (but please do get review copies and make sure they appear on your head as expected).

If you are a talented 3D designer who thinks they can make a working skute with virtually no help, drop us an email and we will get you on the early list for an updated StyleMaker/Previewer you can play with. You can also just email us skute files you have crafted and we can try them out for you. (hair skutes only for now, please).”


I’m sure you’ve all noticed our newly re-animated There Facebook Page, which is a form of advertising. We’d love you all to get in and “Like” that page (Ok, we’re no George Takei but we know more than more than 338 of your Like There!

We’re now going to (gingerly) start flexing our Google Adwords muscles, so you should start seeing ads popping up now and then.

But here’s what blew me away. I was playing around with Google WebMaster Tools, and checking us out, and here’s the traffic we get, with no advertising:


(Hmm. I’m not sure where that image went…)

That’s 300K impressions in 2 weeks, and 15,000 clicks! That’s not actually bad, at all, for no advertising!

Now, all we have to do is get them to sign up!

That’s all for today!


Coming soon: F.T.W.


We’re really excited to announce that in the next couple of months, we’re going to be trying something soon.

(I’ll be the first to admit that this is something SamSyn has always wanted to do, and I’m sure many others have suggested it too).

It will be Free There Weekends.

During one or more weekends that we pick, people will be allowed to sign up and play There for Free for the Whole Weekend. They’ll still be “trial” members in that they’ll
get their Welcome Walkway goodies, and there of course will be some common sense restrictions until such time as they subscribe.

We’re really excited about this, but before we kick it up, we’ve brought back an old There employee to “resurrect” our There Facebook page, get some content on it, and promote the page in Facebook. We think that this, along with your word-of-mouth, will help bring more members to FTW, and make it a big success.

Now, for the inevitable questions:

Q. What happens after FTW is over?
A. If you registered during FTW, and try to log in after FTW is over, you’ll be required to subscribe (just like today!).

Q. Will I get a credit on my subscription for the FTW weekend?
A. Umm, no.

Q. Is There still 18+?
A. Yes!

Q. What happens if I register on FTW, and then don’t subscribe. What happens to my Avatar? Will it be deleted?
A. Not right away, that’s for sure. We will be deleting FTW avatars who don’t come back after some period of time (to keep the from bloating up the system and hogging names), but we’ll give you a chance to think it over and come back. We’ll probably even send you an email to warn you!

Q. If I’ve been banned or moderated, can I register for FTW under a new name and come back?
A. No. We moderate or ban individuals, not avatars. So, no, we’re sorry, but you can’t do that.

Q. What if I didn’t deserve to be moderated?
A. No.

Q. What if I’m a Belieber now? Doesn’t that count?
A. A Thousand Times No.

Q. Will FTW’s always be only a weekend?
A. Well, the truth be told, the first FTW might just be a Free There Friday night, to try things out. We don’t want to get too ambitious and have a lot of people come in and have a bad experience because we haven’t ironed out all the kinks.

Q. Could it be a FTW 3-day weekend?
A. Maybe! After all, a weekend’s a weekend.

Q. Maybe the first FTW should be during the There Winter Games!
A. You know, I’d like nothing better! But I’m a little worried we will have overlooked something, and don’t want to impact them in any way. Besides, knowing how resourceful There folks are, I’m sure you’ll have scores of special events for newbies during FTW.

Q. Will you change the landing zones for FTW?
A. Yes, we will probably activate more zones. We will probably also take steps to make sure the landing zones don’t turn into target-practice zones for Paintball.

Q. Ok! We’re excited! When?
A. Watch this space!


Real Medicine


I was very proud to be part of this.

Real Medicine’s strength is that their efforts are real and scalable. By training Nurses in South Sudan (as one example), they’re “teaching the man to fish“.

But the thing which really encouraged me was the story of the actual delivery. Too often, people make donations, only to have the funds disappear into the ether. This is a refreshing and encouraging change.


1 Comment







The Shoes outside the door

The shoes outside the door

That is all.


Real Money *LIVE* for Everyone


Thanks to SamSyn and all of our intrepid testers, “Real Money” – the way for Developers to get Real Money for their Virtual Goods, is now live for ”everyone”.

Cribbing from SamSyn’s post on, during the test:

Num Purchases: 632
TotalPriceDollars: $1518.22
TotalMakenaDollars: $568.35
TotalDeveloperDollars: $949.86

Again, to quote SamSyn:

(not counting fees kept by PayPal which can generally be estimated as “5 % and a nickel” (if you are set for micropayments) or “3% and 30 cents” if you’re not.

Waving my hands, I claim the total micropayment fees were about $100, so the real Developer Income was about $850 all told.

This is important. There has set itself to “handle micro-payments”, which means that PayPal takes out less for small transactions like Makena’s ‘cut’ for the sale. That’s good for us.

However, for you (the Developer) to get the best rate, you need to do the same thing:

  • Become a PayPal Merchant
  • Set your Merchant Account to be eligible for Micropayments
  • Use that account for your There Developer Sales

And, boom, you get the Micropayment rate.

Becoming a PayPal Merchant is not hard (some of the Beta Testers have already done it), and does not make you a Bride of Cthulhu, nor expose you to even more NSA spying. But it does let you take advantage of Micro-payments, which is pretty cool.

We’re all very excited by this. It doesn’t seem like a lot, but putting >$750 directly into the hands of developers is a pretty good deal.

As of 12/30.2013, All Developers can use “Real Money” and start earning a little coffee money (or maybe even more) for their work.

So, get on it!


There’s been some talk of how this would be “better” if we instead introduced another kind of currency for Developer Sales, which in turn could be exchanged for real money.

Thus, converting another kind of virtual money, for real money.

I know that sounds simple, but there are a couple of legal hurdles, which I’ve covered before:

  • The U.S. Treasury’s Financial Crimes Enforcement Network (FINCEN) doesn’t like it.
  • There has been another Legal Opinion issued which basically would make There responsible for reports Virtual Currency -> US $ conversions as income to … you guessed it, ”our Developers”. And, well, once we report it..

So while it’s a good idea, it, unfortunately, has serious problems from a legal standpoint.