Reposted from UOForums

[Tracy]

Wow...

'Virtual theft' leads to arrest

Habbo Hotel users create a character and can buy furniture

A Dutch teenager has been arrested for allegedly stealing virtual furniture from "rooms" in Habbo Hotel, a 3D social networking website.

The 17-year-old is accused of stealing 4,000 euros (£2,840) worth of virtual furniture, bought with real money.

Five 15-year-olds have also been questioned by police, who were contacted by the website's owners.

The six teenagers are suspected of moving the stolen furniture into their own Habbo rooms.

A spokesman for Sulake, the company that operates Habbo Hotel, said: "The accused lured victims into handing over their Habbo passwords by creating fake Habbo websites.

"In Habbo, as in many other virtual worlds, scamming for other people's personal information such as user names has been problematic for quite a while.

It is a theft because the furniture is paid for with real money


Sulake spokesman


"We have had much of this scamming going on in many countries but this is the first case where the police have taken legal action."

Habbo users can create their own characters, decorate their own rooms and play a number of games, paying with Habbo Credits, which they have to buy with real cash.

"It is a theft because the furniture is paid for with real money. But the only way to be a thief in Habbo is to get people's usernames and passwords and then log in and take the furniture.

"We got involved because of an increasing number of sites which are pretending to be Habbo. People might then try and log in and get their details stolen."

Six million people in more than 30 countries play Habbo Hotel each month.
Virtual theft is a growing issue in virtual worlds; in 2005 a Chinese gamer was stabbed to death in a row over a sword in a game.

Shanghai gamer Qiu Chengwei killed player Zhu Caoyuan when he discovered he had sold a "dragon sabre" he had been loaned.

[Tracy]

It is a theft because the furniture is paid for with real money

Purchasing an Orny from a UO vendor doesn't count. You aren't paying for the item from EA. EA also makes a disclaimer that your ingame stuff isn't really your ingame stuff...so it doesn't work for UO unfortunately. However, it looks like these kinds of things may begin to get pursued.

[Brianna]

ONE STEP AT A TIME THOUGH

[Irwin Hunter]

But still, these peeps are hacking and stealing on EA's or at least through EA's Servers. So, they should really take it more personally. Especially since it is thier patrons they are scamming. I guess I am just one of the few that feels this way.
Seems they would at least be more responsive to the crime happening and have some sort of procedure in place. Especially when we were on them WHILE they were doing it.

[Atta Kquast]

Here was an interesting article from last month on Dark Reading. I learned about this site while studying for my CISSP certification. Pretty strong site focused on computer-related security. The original link follows at the end if you want to go there. Its part of CMP Media group whom prints many computer trade magazines:

Online Games & the Law

US law struggles to keep up with new capabilities in collaborative computing environments


OCTOBER 11, 2007 | I suppose any article on the law should include a disclaimer at the top. I am not a lawyer, nor do I play one on the Internet. Take everything you read here with a largish block of salt.

Computer security has always had a law enforcement aspect, but the law consistently lags behind the technical cutting edge. Recent advancements in software design and the advent of geographically distributed applications puts the law even further behind than usual. The time has come to rethink computer security law in light of advances in software architecture.

A Brief History of U.S. Computer Law
Federal computer law in the United States began in earnest with the Computer Fraud and Abuse Act of 1986 (CFAA), which was a rewrite of a failed 1984 statute. CFAA covers six types of computer crime, all of which involve unauthorized access to someone else's computer. The law has a clear focus on access over a network.

Another law introduced in 1986, the Electronic Communications Privacy Act (ECPA), criminalized unauthorized network sniffing and other interception of data. Once again, note the emphasis on the network. Marck Rasch's excellent introduction to computer security law covering these statutes in greater detail is worth a quick read.

As computer crime evolved to include malicious exploits such as viruses and worms, early statutes began to show their age. A 1992 amendment extended the law to cover the authors of malicious code and denial-of-service attacks. Still, current computer law focuses much more attention on network security than on anything else.

In late 1998, the U.S. Congress enacted the Digital Millennium Copyright Act (DMCA). The law criminalizes both the production and distribution of technology meant to circumvent copyright protection mechanisms. In other words, it restricts certain activities surrounding digital rights management (DRM) and other security technologies that are meant to enforce copyright laws. It also heightens penalties for copyright infringement on the Internet. The European Union has a very similar law.

The DMCA is not without controversy. Many people believe that it goes too far to uphold the rights of copyright holders, even to the point of stifling competition. Ironically, the raison d'etre for the DMCA (bolstering DRM with the law) may be itself eroding.

Princeton professor Ed Felten argues that "as the inability of DRM technology to stop peer-to-peer infringement becomes increasingly obvious to everybody, the rationale for DRM is shifting." Eventually debate over DRM will shift away from copyright enforcement, he says. Felten made this argument at the Usenix Security conference in 2006, and later blogged about the ideas.

Another way that computer security law is evolving is through case law that sets precedents. Precedent-setting involves extending existing bodies of law, such as wirefraud law, to apply to computer security.

Exploiting Online Games Is Legal?
At the eCrime Researcher's Summit this month, academics and law enforcement gathered in Pittsburgh to discuss spam, phishing, and massively distributed applications. I gave a keynote based on my work in online game security.

One interesting aspect of online games is the legal limbo they inhabit when it comes to security. Put simply, the state of computer law regarding cheating in online games is murky at best. Nobody is sure what is legal and, more importantly, what is not.

The problem is that it's possible to convert hacking skills into money by conjuring up virtual items in a game, either by exploiting a bug or by creating and using a bot. These exploits can then be sold in a burgeoning online market.

Malicious hackers have flocked to the online game domain because there is money to be made. Due to the sheer size of the middle market, the U.S. Secret Service acknowledges that online games such as Second Life and World of Warcraft have been used to launder money.

In addition, it is possible to cheat by manipulating the parts of a massively distributed online game that exist on your own PC. That is, the game client program on a gamer's PC interacts with the central game servers over the Internet, and cheating can be accomplished without any network security shenanigans by focusing attacks on the client software.

By attaching a debugger to the game program on the PC, or by manipulating the game program by poking memory values directly on the PC, a gamer can cheat... on his or her own PC. Greg Hoglund and I describe these and other techniques commonly used to hack games in our new book, Exploiting Online Games.

Think about the old game hacking chestnut that involved editing a high score file on your PC to make your Tetris score seemingly untouchable. There's nothing illegal about that! The question is where to draw the legal line when it comes to manipulating things on your own PC. If parts of a massively distributed online game reside on a PC, can you change them? What's at stake is virtual property – and lots of money. The whole notion of virtual property rights in online games is a tricky one. Games such as Ultima Online, Second Life, and World of Warcraft have their own virtual economies that involve licensing and developing virtual property. Middle market companies like IGE can convert virtual wealth into hard currency.

Property rights in Second Life have already led to interesting legal entanglements. Marc Bragg, a Pennsylvania lawyer, discovered and exploited a bug in Second Life program allowing him to bid on virtual real estate that wasn't yet open for auction. By URL parameter tampering, Bragg became a virtual real estate baron. Linden Labs, the game company behind Second Life, took a dim view of this approach and canceled his account.

In a pending lawsuit, Bragg argues that Linden Labs unfairly confiscated $8,000 worth of his virtual land holdings by shutting down his account. But Linden Labs and some Second Life players counter that Bragg was hacking their systems. (Bragg made money by renting his virtual land to other Second Life players.) Who is right? To me, the law is not very clear.

When Linden Labs first started, they used to say that users owned property in Second Life. Now they say that users own licenses to the property, legally similar to software licenses in the real world. That's a subtle but important change in perspective – and it doesn't make the legal situation any clearer.

That brings us to the infamous End User License Agreement (EULA). The DMCA and the EULA are the two main legal weapons in the game companies' anti-cheating arsenal. However, EULAs have a spotty track record when it comes to the law. In many cases, EULA terms "agreed to" by software users have not held up in court.

Some people believe the idea of EULAs has not been appropriately tested in court, thus the EULAs can't be valid. This is a misunderstanding of contract law. The only way EULAs have been challenged successfully in the past is by objecting to the contract terms. In some cases, only certain terms are found objectionable. As a result, EULAs sometimes hold up in court – and sometimes don’t.

Ultimately, the state of the law and its application to online game security is unclear. Because of the amount of money involved in online games, this legal limbo is a bad situation.

The Law Must Evolve
If you believe, as I do, that online games are a harbinger of computer security attacks that may evolve along with SOA, software as a service, and Web 2.0 architectures, you can see the legal problem that we're creating for ourselves. (See Online Games to Cause Software Security Issues.)

The kinds of legal tangles we see today in online games are the same kinds of legal tangles we're likely to encounter in other domains. If a system includes critical functionality that runs on machines that belong to others (including potential attackers), it is not at all obvious how the law is to be applied or when. The law is once again in catch up mode when it comes to computer security.

If you want to read the original article here is the url:
http://www.darkreading.com/document.asp?doc_id=136128