Normally when I find stolen content from content creators that's been copybotted or perm exploited in some way or another I file abuse reports against the thief, today I filed an Abuse report against the content creator, why else? when they went whining about it to get other people into filing an abuse report against the thief they revealed they were doing something just as bad as the thief, using zf redzone to spy on their customers, their content got stolen by the thief they mentioned all the same, so zf redzone sure didn't do a lot to protect them did it?
anyhow I don't have much L's coming in that I don't put into uploading textures and what not on my own content I work on on an alternate account, when I see something I like I make a shopping list and when I have a lot extra to spare I usually go ahead and Buy a few things from that shopping list, today I took about 5000L off the list without buying any of it and decided that Ill spend my money where it counts on other content creators that are treating their customers right like Luskwood, with that said your probably wondering who it is that had the zf redzone security orb, it was Chimera Avatar parts and accessories, which is owned by Mephitis Jezebel who also runs Aventity avatars, and partnered to Chef Soderstrom whom brought the redzone security orb to my attention, he sent out a notice which had a notecard attached, I viewed the notecard hoping to find out if any of the content I had created has been copybotted or not only to be disappointed in finding the notecard had a blurry attached useless texture and that they had been using zf redzone to supposedly protect their content, normally in this case, of receiving notice someones stealing content I would support them and file an AR on their behalf to help draw the Lindens attention to the issue regarding the notice I saw, but this, finding out they use redzone I'm just going to ignore it, and ignore filing the AR next time I see someone handing out their content(by all means I wont accept stolen content period but normally when I encounter stolen content I file AR's in supporting the creator and notify them of it, wont be doing them this favor any longer.
Anyhow your probably wondering about how this caught my attention I got a group notice from one of the groups im in "avatar makers guild" which had notecards attached from chef soderstrom and go as follows:
Notice:"Tis the season for avatar theft:
Dawnstar Attis, a new alt of crystalie Jigsaw/Carami who was previously banned by LL for proven content theft + harassment, is handing out a notecard named "Merry Christmas," which contains permission-hacked avatars made by AVentity, Curious, Mutation Industries, and more. They are doing this out of spite (they've already viciously attacked me and others in IMs) and won't stop, even claiming that their bad rep is all a lie, despite numerous witnesses and logs proving otherwise. Please keep an eye out.
Notecard:"To ALL Creators/Artists"
Hello, there is a person going around under a series of alts that is passing out notecards similar to the following containing permission hacked avatars which possibly contain some of your avatars. They have currently been banned under two names that i know of (crystalie Jigsaw and crystalie Carami)
This person is idiodic enough to continue making alts with the same profile information along with passing ownership of certain groups to the new alts they make to avoid bans. I have attached a photograph of the older characters that are now banned for more evidence.
[]Snapshot of Older Names
[]Snapshot of Notecard with Items
[]Merry Christmas
The notecard has had the items removed, however a snapshot shows the notecard with the links to the items. (This is to prevent this notecard from being passed maliciously)
Please pass this notecard along to fellow avatar creators/associates so that this is more well known. This user has also been banned under the zfRedzone system multiple times along with being banned from almost all furnation sims and popular furry clubs.
I have also taken a snapshot with a tripcode typed in the description so that if this notecard is altered maliciously it will be a safeguard.
---------------------------------------------------------------
Abuse Report that I submitted, feel free to use this
---------------------------------------------------------------
Reason : Fraud -> Chain letters
Description: Ban Evasion (3rd) Sending notecards with perm. hacked items
This person is an alt of Crystalie Carami and crystalie jigsaw (Both of these users banned for passing out permission based avatars along with items before) Included in the screenshot is the image of the inventory item properties along with the notecard itself, which reads.
Dear girls
now is the christmas over us so i want to give u all a christmas gift
so here are they (links to hacked avatars)
MERRY CHRISTMAS FROM YOUR Dawnstar Attis
You can look at the profile of dawnstar attis and find that it is the exact same as crystalie jigsaw along with crystalie carami, they are also head of the same groups
----------------------------------------------------------------
Thanks for your time,
Chef
viewing Mephitis Jezebels Profile and visiting her store I found a zf redzone security orb using Imprudences Area Object Search feature right atop her store for Chimera avatar parts and accessories, where she attempted to obscure the orb by putting a small Box around it.
Saturday, December 11, 2010
Thursday, December 2, 2010
zf redzone can disrupt secondlife service for residents of the UAE
Seems redzone can and will discriminate against countries with filtered internet service like the UAE
Just the other night I got contacted by a Secondlife user from the United Arab Emirates, this user told me that they had been banned and given the boot from several different regions indiscriminately by the zf redzone security orb oftentimes as a result they would speak to the land owner of the land and most the time the land owner would ask them to appeal but one actually went looking into it for them and found that this person according to redzones so called 120% accurate alt detections that this person had a terrifyingly huge slew of alts, none of these accounts it had linked to this individual belonged to them, as a result of the inaccuracy the land owner removed their redzone security orb so this person may enter the land but however, as another result they started researching redzone and found my blog and personally IMed me in secondlife to ask me about it and find out why it had associated so many accounts as alternate accounts belonging to them, really I hadn't a clue how it could do that, but some inquiry back and forth between me and this individual and a little research on their country lead to the answer.
One of my inquiries with this person, was about Proxy servers, as I have encountered a number of secondlife users who have said I'm safe, I'm using Tor, as Tor may seem to have many Proxy servers in service, really compared to the number of SL users using it it is conceivable that some Tor users may be routed through the same IP and thus show false positives of being alternate accounts of each other, while this user wasn't a Tor user, the inquiry about Proxies had led me to discover that their internet service was proxied after further inquiry, and a little bit of brief Googling I learned a lot more about internet service in the UAE.
Turns out most internet service in the UAE comes down to a single provider known EIM(Emirates Internet and Multimedia), however the service through EIM is censored through a set of Proxy servers, and if you don't configure it which most people don't you are routed through a common proxy by default, the typical use of a proxy server is to filter outbound personally identifying information and mask IP addresses by resending your traffic each way, however countries such as the UAE use it as a point to centrally administer internet traffic requests to websites outside the country so that your search can be filtered, EIM's purpose for Proxying all traffic within the UAE according to my research is to filter out and to block users from viewing porn on the internet.
The side effect of proxying service for the purpose of moderating and censoring a users internet activity in such a way though somewhat effective does have a a side effect, it results in a very small pool of IP addresses for a countries residents and also results in many subscribers to the internet service over there to share IP's within that common pool(multiple secondlife accounts using the same proxy thus appearing to have the same IP), the result being one of these many many many users going through that proxy may have used a viewer that was either a copybot viewer, or falsely detected as such, the end result is that zf Redzone has listed this user as having many alternate accounts which don't actually belong to them and belong to many other users of EIM, which are banned by Redzone as well, while I can't say it's banned the whole country its conceivable with the way IPs are pooled and proxied under EIM that many groups of users from the UAE are probably clumped into groups where hundreds of people are considered alts of each other, and when one of those people in one of these groupings gets detected as a copybot whether it be false or not its safe to say the rest of the group gets banned as such.
Just the other night I got contacted by a Secondlife user from the United Arab Emirates, this user told me that they had been banned and given the boot from several different regions indiscriminately by the zf redzone security orb oftentimes as a result they would speak to the land owner of the land and most the time the land owner would ask them to appeal but one actually went looking into it for them and found that this person according to redzones so called 120% accurate alt detections that this person had a terrifyingly huge slew of alts, none of these accounts it had linked to this individual belonged to them, as a result of the inaccuracy the land owner removed their redzone security orb so this person may enter the land but however, as another result they started researching redzone and found my blog and personally IMed me in secondlife to ask me about it and find out why it had associated so many accounts as alternate accounts belonging to them, really I hadn't a clue how it could do that, but some inquiry back and forth between me and this individual and a little research on their country lead to the answer.
One of my inquiries with this person, was about Proxy servers, as I have encountered a number of secondlife users who have said I'm safe, I'm using Tor, as Tor may seem to have many Proxy servers in service, really compared to the number of SL users using it it is conceivable that some Tor users may be routed through the same IP and thus show false positives of being alternate accounts of each other, while this user wasn't a Tor user, the inquiry about Proxies had led me to discover that their internet service was proxied after further inquiry, and a little bit of brief Googling I learned a lot more about internet service in the UAE.
Turns out most internet service in the UAE comes down to a single provider known EIM(Emirates Internet and Multimedia), however the service through EIM is censored through a set of Proxy servers, and if you don't configure it which most people don't you are routed through a common proxy by default, the typical use of a proxy server is to filter outbound personally identifying information and mask IP addresses by resending your traffic each way, however countries such as the UAE use it as a point to centrally administer internet traffic requests to websites outside the country so that your search can be filtered, EIM's purpose for Proxying all traffic within the UAE according to my research is to filter out and to block users from viewing porn on the internet.
The side effect of proxying service for the purpose of moderating and censoring a users internet activity in such a way though somewhat effective does have a a side effect, it results in a very small pool of IP addresses for a countries residents and also results in many subscribers to the internet service over there to share IP's within that common pool(multiple secondlife accounts using the same proxy thus appearing to have the same IP), the result being one of these many many many users going through that proxy may have used a viewer that was either a copybot viewer, or falsely detected as such, the end result is that zf Redzone has listed this user as having many alternate accounts which don't actually belong to them and belong to many other users of EIM, which are banned by Redzone as well, while I can't say it's banned the whole country its conceivable with the way IPs are pooled and proxied under EIM that many groups of users from the UAE are probably clumped into groups where hundreds of people are considered alts of each other, and when one of those people in one of these groupings gets detected as a copybot whether it be false or not its safe to say the rest of the group gets banned as such.
Saturday, October 16, 2010
Linden Labs really needs to finish Mesh support.... Correctly
Well the other night a friend was telling me excitedly mesh was in beta, I don't really have anything currently done in mesh format and was kinda disappointed it would go so far in development before hitting public Beta, but I started making an inquiry about it asking several questions of some things it should have very basic at minimum that it turned out to be lacking, not being very knowledgeable of it yet and having not tried it out myself yet I refrained from posting a Jira article Until I knew a bit better, the very late the next day a friend gave to me a Jira article she had written, I read it said it was a good idea but was half asleep so I said I would read it again and vote for it later, well I've read it again and it's a damn great Idea. Really with that said it would be crazy and stupid for Linden Labs to release mesh format in it's current state without implementing the suggestion which can be found here as this suggestion suggests some very basic things that make using the Collada format all the worth while:
https://jira.secondlife.com/browse/VWR-23447
Pretty much the standard avatar mesh with the sliders and all that, you can replace that with a custom mesh with Mesh import, however Linden Labs was pretty sloppy with allowing users to set a replacement for that mesh, One issue I had been preaching the whole time time this was in closed beta was that Linden Labs needs to allow meshes to be anchored to the avatar shape in some way. In it's current implementation Linden Labs has failed to do so, which is a very basic thing and it is essential for Mesh to be relevant and useful for avatar meshes. In the current implementation of mesh when you replace the standard avatar mesh, all those sliders you get in Edit appearance, don't mean much to the mesh itself, thus meaning if your a human avatar and go to a store and Buy a mesh from a content creator, or are a furry who buys this cute fox avatar you like, your going to look exactly like in shape as everyone else who has purchased the same mesh, thus taking away your individual appearance and not making mesh useful beyond being able to structure rezzable Objects, this Jira Topic addresses that issue and beyond and suggests allowing Morph targets, which content creators can bind to shapes and various other aspects, which will make the sliders in edit appearance useful once again when using a custom Mesh in place of the default avatar mesh, and giving power to tweaking your shape once again with options such as torso length and such, who knows the user might buy a mesh to make them look like a super model and decide the breasts are too big, I'm guessing most will assume not big enough, or maybe they might want to be a little thicker and heavier set or they might like the basic shape of the avatar mesh their looking at but may wish to tweak the sliders so that their weighted a little more or less realistic, this Jira article above puts that bit of customization back in users hands, as with the current implementation of mesh they lose the power to tweak their shape like that when using a mesh, maybe you might just be using mesh so that your avatar looks like it has toes rather than blended together stubs on it's feet, whatever the reason, this Jira article adds back in the flexibility of that, also aside from that it addresses further issues as well, as many of you know, when you wear a jacket clothing layer the default Mesh for avatars morphs a bit so that the sleeves are wider than your arms and it falls into sliders, Yes content creators being able to set morph targets also addresses this as well, as they will be able to set their avatar up to widen in the arms or pants, simply put clothing the current way it's Implemented may be able to wrap around digigrade legs if the modeler took it into consideration with this Jira article in effect, or in the case of a human avatar, maybe that more muscly shape. some people think that standard clothing will become irrelevant with the introduction of mesh clothing, however mesh clothing may not fit everyone's mesh properly without this capability to support morph targets, also creating clothing the old way and being able to use it with custom meshes, enables indefinite flexibility with clothes as standard clothing will be able to fit just about any mesh that is made keeping it in mind. After all you users the community have pushed hard to get Linden Labs to use Collada format, you better ask them to make the most of it as well, otherwise we may as well of been using OBJ without what this Jira article suggest, So vote for it now, this is an absolute must if you care about the presentation aspect of secondlife at all!
and Onto the next point about mesh...
Also my friend made another Important suggestion, not everyone wants to be human, also the way mesh is currently setup the way a Collada mesh is anchored to the skeleton of an avatar kinda makes avatars with custom meshes move as though there a stuffed teddy bear rather than a person or thing that has bones in it, a topic addressing this can be found here:
https://jira.secondlife.com/browse/VWR-23448
This topic suggests that content creators be given more Power over how the skeleton works and allow content creators to customize the skeleton which not only allows people to define extra limbs such as tails and the such within their mesh, but it also extends this capability so content creators can tweak the skeleton of content they create, thus allowing the avatar mesh to respond to animation better where as the body moves more stiffly in some points and looser in others, so the importance of this topic though seemingly focused on furry also extends to people not into the furry scene as important to human avatars as well, as content creators will be able to extend their skeleton to move and respond better to animation.
If you would like to see mesh in it's current state, It's not bad, but its lacking a lot of absolutely needed potential as you can see here attachment meshes can be associated with parts of the skeleton to bend with it in the hair:
http://www.youtube.com/watch?v=1STH6Qy4fik&feature=related
but take notice of the boot, while it bends well this could be greatly improved upon in realism of the motion.
also if you watch this below video closely around the bunny avatars midsection you can see there some flaws in how its the torso is anchored to the skeleton, custom skeletons in the mesh would allow it to move and respond better to animation, By giving content creators who make meshes more power over how things flex and respond to animation.
http://www.youtube.com/watch?v=9_n29fFxQkI
really mesh in its state is incomplete without the above suggested functionality, while it is much better than what we had before its lacking a lot and I find it to be truly incomplete and in this incomplete state it might take something from the end result of your own personal look without it, so if your reading all this, drop to the web addresses below, sign in with your secondlife name click votes and click the button to vote for the issue.
https://jira.secondlife.com/browse/VWR-23447
https://jira.secondlife.com/browse/VWR-23448
https://jira.secondlife.com/browse/VWR-23447
Pretty much the standard avatar mesh with the sliders and all that, you can replace that with a custom mesh with Mesh import, however Linden Labs was pretty sloppy with allowing users to set a replacement for that mesh, One issue I had been preaching the whole time time this was in closed beta was that Linden Labs needs to allow meshes to be anchored to the avatar shape in some way. In it's current implementation Linden Labs has failed to do so, which is a very basic thing and it is essential for Mesh to be relevant and useful for avatar meshes. In the current implementation of mesh when you replace the standard avatar mesh, all those sliders you get in Edit appearance, don't mean much to the mesh itself, thus meaning if your a human avatar and go to a store and Buy a mesh from a content creator, or are a furry who buys this cute fox avatar you like, your going to look exactly like in shape as everyone else who has purchased the same mesh, thus taking away your individual appearance and not making mesh useful beyond being able to structure rezzable Objects, this Jira Topic addresses that issue and beyond and suggests allowing Morph targets, which content creators can bind to shapes and various other aspects, which will make the sliders in edit appearance useful once again when using a custom Mesh in place of the default avatar mesh, and giving power to tweaking your shape once again with options such as torso length and such, who knows the user might buy a mesh to make them look like a super model and decide the breasts are too big, I'm guessing most will assume not big enough, or maybe they might want to be a little thicker and heavier set or they might like the basic shape of the avatar mesh their looking at but may wish to tweak the sliders so that their weighted a little more or less realistic, this Jira article above puts that bit of customization back in users hands, as with the current implementation of mesh they lose the power to tweak their shape like that when using a mesh, maybe you might just be using mesh so that your avatar looks like it has toes rather than blended together stubs on it's feet, whatever the reason, this Jira article adds back in the flexibility of that, also aside from that it addresses further issues as well, as many of you know, when you wear a jacket clothing layer the default Mesh for avatars morphs a bit so that the sleeves are wider than your arms and it falls into sliders, Yes content creators being able to set morph targets also addresses this as well, as they will be able to set their avatar up to widen in the arms or pants, simply put clothing the current way it's Implemented may be able to wrap around digigrade legs if the modeler took it into consideration with this Jira article in effect, or in the case of a human avatar, maybe that more muscly shape. some people think that standard clothing will become irrelevant with the introduction of mesh clothing, however mesh clothing may not fit everyone's mesh properly without this capability to support morph targets, also creating clothing the old way and being able to use it with custom meshes, enables indefinite flexibility with clothes as standard clothing will be able to fit just about any mesh that is made keeping it in mind. After all you users the community have pushed hard to get Linden Labs to use Collada format, you better ask them to make the most of it as well, otherwise we may as well of been using OBJ without what this Jira article suggest, So vote for it now, this is an absolute must if you care about the presentation aspect of secondlife at all!
and Onto the next point about mesh...
Also my friend made another Important suggestion, not everyone wants to be human, also the way mesh is currently setup the way a Collada mesh is anchored to the skeleton of an avatar kinda makes avatars with custom meshes move as though there a stuffed teddy bear rather than a person or thing that has bones in it, a topic addressing this can be found here:
https://jira.secondlife.com/browse/VWR-23448
This topic suggests that content creators be given more Power over how the skeleton works and allow content creators to customize the skeleton which not only allows people to define extra limbs such as tails and the such within their mesh, but it also extends this capability so content creators can tweak the skeleton of content they create, thus allowing the avatar mesh to respond to animation better where as the body moves more stiffly in some points and looser in others, so the importance of this topic though seemingly focused on furry also extends to people not into the furry scene as important to human avatars as well, as content creators will be able to extend their skeleton to move and respond better to animation.
If you would like to see mesh in it's current state, It's not bad, but its lacking a lot of absolutely needed potential as you can see here attachment meshes can be associated with parts of the skeleton to bend with it in the hair:
http://www.youtube.com/watch?v=1STH6Qy4fik&feature=related
but take notice of the boot, while it bends well this could be greatly improved upon in realism of the motion.
also if you watch this below video closely around the bunny avatars midsection you can see there some flaws in how its the torso is anchored to the skeleton, custom skeletons in the mesh would allow it to move and respond better to animation, By giving content creators who make meshes more power over how things flex and respond to animation.
http://www.youtube.com/watch?v=9_n29fFxQkI
really mesh in its state is incomplete without the above suggested functionality, while it is much better than what we had before its lacking a lot and I find it to be truly incomplete and in this incomplete state it might take something from the end result of your own personal look without it, so if your reading all this, drop to the web addresses below, sign in with your secondlife name click votes and click the button to vote for the issue.
https://jira.secondlife.com/browse/VWR-23447
https://jira.secondlife.com/browse/VWR-23448
Tuesday, September 7, 2010
In reference to a Comment of a previous post Regarding zf redzone
this article is in reference to a comment replying to zfire xue which can be found under this blogpost here where I said I would expand on the violation information about zf redzone: http://treminarisecondlife.blogspot.com/2010/07/spywaretos-and-legal-violation-in.html?zx=e34557c63c81300e
ok someones already written an article on this but however I'm going to write my views on this law the Law I'm referring to is BPC17200-17210 which can be used to define the penalties for violation of BPC22575-22579 the article found here doesn't really explore the full scope of the law but gives idea about it which can be found here:(mind you this is the writers interpretation of the law based on their knowledge of internet and service and is not the law itself)
http://www.cooley.com/files/tbl_s24News%5CPDFUpload152%5C927%5CALERT-Cal_OPPA.pdf
now for the law itself:
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=17001-18000&file=17200-17210
in the article you should note that no enforcement provisions are provided however BPC22575-22579 defines acts by zfire with his redzone utility to be illegal and note that violation of it in accordance with the cooley.com article explaining BPC17200-17210 does note that violations can be enforced through BPC17200-17210 with that said in the cooley article you should pay particular attention to the section that is titled Consequences of Noncompliance with that said any violation of BPC22575-22579 legally constitutes a violation of BPC17200-17209
under the recommendations section zfire xue has not followed through with paragraphs marked by the bulleted paragraphs I will review here below before reviewing the law and where the violations are defined. do keep in mind when reading personally identifiable information in the cooley link it is defined by BPC22575-22579 as any information that can be used to contact an individual online or in person, as usernames in the secondlife service enable you to message a person these fall under that category.
Cooley.com recommends that a person operating an online service must determine whether or not they are collecting personally identifiable information, on the redzone website they say they consider this information not to be private, when it is Protected under BPC22575-22579. Cooley.com also recommends creation of an accurate privacy policy, this is not the case, their policy is deceptive as it states users will be notified before information collection, but no such notification takes place, it is also recommended the privacy policy be conspicuously posted, there are several ways to do this within secondlife the best way is to make use of the annoying scripting command LLDialogue, cooley also recommends that audits of the website take place to be sure the privacy policy still accurately reflects, actually the privacy policy regarding redzone has never been accurate. cooley also recomends that you keep in mind that several states are passing laws like this and you should be mindful that there may be many privacy laws you must adhere to in an online service it is also recommended that you insure there is adequate security for the information collected, in the case of redzone, there is no security as that information is given away to its users, dont believe me? lets reference the a blogpost of someone who recently commented in my blog and posted a screenshot in theirs http://forcemesilverspar.blogspot.com/2010/09/zf-redzone.html you can examine the screenshot there for yourself, and yet again cooley recommends creating internal procedures to prevent your service from being used to cause a privacy breach, but zf redzone alt detection in itself is a privacy breach. all these recommendations proposed by cooley.com are things recommended that would bring a service up to code. zf redzone does none of them
You should bear the phrasing in the cooley article with a grain of salt as most the phrasing pertains to web where as the law itself is in references to online services but lets take a look at the law which I linked above from here on in.
First Off lets take a look at section 17200:
"17200. As used in this chapter, unfair competition shall mean and include any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising and any act prohibited by Chapter 1 (commencing with Section 17500) of Part 3 of Division 7 of the Business and Professions Code."
In my previous article linked at the top of this article we have established that zf redzone is unlawful as it collects information outside of the compliance of BPC22575-22579 and provided information as to how so, we have also exposed it as fraudulent by exposing weakness in its accuracy vs the ridiculous 120% accurate claim by its author and pointing out their willingness to violate the privacy policy and Terms of the service they operate with by falsifying by quoting it in part it is deceptive as it operates without notice to the user, and users supposedly reach an agreement through passing it by which actually has no legal binding, and the content of the privacy policy which you never get to see regarding it differs from how the system does thus further proving its deceptive
17201 pretty much defines how terminology will be used in the law, meaning person may refer to company yadda yadda yadda, 17204 pretty much states people may make claims on each-others behalf, so I guess this means class action lawsuits can be filed against companies and individuals who violate BPC22575-22579 which puts them in violation of BPC17200 as stated above in line 17200 any business that engages in unlawful business practice may be found in unfair competition so a violation of BPC22575-22579 constitutes a violation of BPC17200-17210
section 17202 pretty much defines that relief may be payed to competitors of the company that engages in unfair competition, since zf redzone is a security orb product this pretty much defines everyone who produces and sells any form of security orb within the secondlife service or any other land security utility or any sort of copybot protection system or for that matter any tool that has a feature which may put it in competition can make a claim and try to get a relief payment to aid their lost business
"17202. Notwithstanding Section 3369 of the Civil Code, specific or preventive relief may be granted to enforce a penalty, forfeiture, or penal law in a case of unfair competition."
17203 I wont quote here as its pretty long but as with anything I write regarding law the links provided and you can read it by following the link for yourself and interpret it yourself to verify it but pretty much it states court may take action against anyone who has engaged in unfair competition(so even if zfire xue was to quit committing these violations he could be charged with those hes already committed), anyone who is doing so, like he is doing now, or anyone who proposes to do so thus meaning if he proposes to create any more products outlawed by BPC22575-22579 he can be charged with a violation for the proposition of creating such a product.
we should also take a look at section 17206 of the law a bit lengthy to post here but you can read it at:
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=17001-18000&file=17200-17210
pretty much this states the penalty for entering into unfair competition is a maximum of 2500 but per violation as well, each of those 2500+ zf redzone locations, is an individual violation in itself also in court, this law states what shall be taken into account is the seriousness of the conduct, yeah its pretty serious silent privacy violations and persistence of misconduct, yep the creator of redzone has been informed, and has obviously read my article(as they commented on it, and left themselves quite a weak defense) so they are quite persistent in conducting this illegal activity also if each instance of violation can cost the operator 2500 each then that indicates that each $20-30 sale of this system can potentially end up costing its author $2500 but there's more on that which I will get into later
section 17206.1 pertains to an additional fine of $2500 if the act is perpetrated against senior citizens or the disabled, and really isn't too important as this does not target those groups, however in the event of a class action lawsuit regarding this the age and disability status may now of those who had information collected on them by this system may play a role in the author of this system being charged with additional fines should charges come to pass and I'm sure SL has plenty of disabled users and even a few elderly users. so that knocks the fine up to a total $5000 per orb that has uncovered information regarding a senior or a disabled person.
and onto my favorite part as to why I called zfire xue's comment in my blog enlightening, obviously we have established knowledgeable and willful violation with that comment and within the article of BPC22575-22579 willful violation for this law as established under section 22576 from BPC22575-22579 which can be found here http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579 knowledgeable and willful violation or non compliance after 30 days of notice constitutes a violation, with zfire xues comment in my blog we have established knowledgeable and willful violation which means a 30 day wait to come up to compliance is no longer required but now lets take a look at section 17207 of BPC17200-17210 I like the first paragraph which I will quote here:
17207. (a) Any person who intentionally violates any injunction prohibiting unfair competition issued pursuant to Section 17203 shall be liable for a civil penalty not to exceed six thousand dollars ($6,000) for each violation. Where the conduct constituting a violation is of a continuing nature, each day of that conduct is a separate and distinct violation. In determining the amount of the civil penalty, the court shall consider all relevant circumstances, including, but not limited to, the extent of the harm caused by the conduct constituting a violation, the nature and persistence of that conduct, the length of time over which the conduct occurred, the assets, liabilities, and net worth of the person, whether corporate or individual, and any corrective action taken by the defendant.
so lets see here we've established that each instance of zf redzone is its each own unique violation with 2500+ violations but this part of the law states there is a civil penalty of $6000 for each violation, and for each violation each day the conduct occurs is to be considered a unique violation in itself, so with 2500+ zf redzone locations this constitutes zfire xue having committed 2500+ violations against this law a day with each violation carrying a civil fine of up to $6000, with that said if you view the related xstreet page(aw drat he deleted more of the item discussion) we can establish with a comment " Posted By: TheBoris Gothly at 2010-05-04 00:41:19 (item owner) " that this tool has been around since at least the time of the time-stamp, still all the the same I remember a 2009 post and its likely Linden Labs for legal reasons such as this and request of the court keeps records as to how long an item has been listed and probably records as to deleted text within the item discussion meaning it may be possible to prove these violations have been going on longer.
section B of 17207 refers where this shall be taken to court too and makes reference to relation to which county the violation took place in Linden Labs being a San Francisco based company and this system zf redzone being implemented on their servers establishes the location of the violation at a central point section C details who collects the fines
section 17208:
17208. Any action to enforce any cause of action pursuant to this chapter shall be commenced within four years after the cause of action accrued. No cause of action barred under existing law on the effective date of this section shall be revived by its enactment.
simply put if someone is found guilty of a violation of this code the courts may wait up to 4 years to take action and action must be taken within those 4 years, and that the person may not be charged with the particular violations again, but as established above, each new day is a new violation so if zfire xue was charged under this law the courts could impose the fines anytime within 4 years, and the violations addressed may not be addressed again(sort of like double jeopardy) but as said each day the violation occurs is a new violation meaning if zf redzone was not immediately done away with though the fines may or may not immediately take place new charges may be brought for a new day of violations(or however long this goes on after initial charges), however the days of violations addressed may not be charged again
17209 defines that if you shall take action against a party when the rest of your paperwork is due, big deal, I wanted to mostly look at fines related to this and with the link above you can read this for yourself if you so wish
section 17210 pertains to additional ways to violate this clause but pertains to information outside of internet business practices such as hotels and the such and covers nothing I found of any importance in writing this article.
ok someones already written an article on this but however I'm going to write my views on this law the Law I'm referring to is BPC17200-17210 which can be used to define the penalties for violation of BPC22575-22579 the article found here doesn't really explore the full scope of the law but gives idea about it which can be found here:(mind you this is the writers interpretation of the law based on their knowledge of internet and service and is not the law itself)
http://www.cooley.com/files/tbl_s24News%5CPDFUpload152%5C927%5CALERT-Cal_OPPA.pdf
now for the law itself:
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=17001-18000&file=17200-17210
in the article you should note that no enforcement provisions are provided however BPC22575-22579 defines acts by zfire with his redzone utility to be illegal and note that violation of it in accordance with the cooley.com article explaining BPC17200-17210 does note that violations can be enforced through BPC17200-17210 with that said in the cooley article you should pay particular attention to the section that is titled Consequences of Noncompliance with that said any violation of BPC22575-22579 legally constitutes a violation of BPC17200-17209
under the recommendations section zfire xue has not followed through with paragraphs marked by the bulleted paragraphs I will review here below before reviewing the law and where the violations are defined. do keep in mind when reading personally identifiable information in the cooley link it is defined by BPC22575-22579 as any information that can be used to contact an individual online or in person, as usernames in the secondlife service enable you to message a person these fall under that category.
Cooley.com recommends that a person operating an online service must determine whether or not they are collecting personally identifiable information, on the redzone website they say they consider this information not to be private, when it is Protected under BPC22575-22579. Cooley.com also recommends creation of an accurate privacy policy, this is not the case, their policy is deceptive as it states users will be notified before information collection, but no such notification takes place, it is also recommended the privacy policy be conspicuously posted, there are several ways to do this within secondlife the best way is to make use of the annoying scripting command LLDialogue, cooley also recommends that audits of the website take place to be sure the privacy policy still accurately reflects, actually the privacy policy regarding redzone has never been accurate. cooley also recomends that you keep in mind that several states are passing laws like this and you should be mindful that there may be many privacy laws you must adhere to in an online service it is also recommended that you insure there is adequate security for the information collected, in the case of redzone, there is no security as that information is given away to its users, dont believe me? lets reference the a blogpost of someone who recently commented in my blog and posted a screenshot in theirs http://forcemesilverspar.blogspot.com/2010/09/zf-redzone.html you can examine the screenshot there for yourself, and yet again cooley recommends creating internal procedures to prevent your service from being used to cause a privacy breach, but zf redzone alt detection in itself is a privacy breach. all these recommendations proposed by cooley.com are things recommended that would bring a service up to code. zf redzone does none of them
You should bear the phrasing in the cooley article with a grain of salt as most the phrasing pertains to web where as the law itself is in references to online services but lets take a look at the law which I linked above from here on in.
First Off lets take a look at section 17200:
"17200. As used in this chapter, unfair competition shall mean and include any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising and any act prohibited by Chapter 1 (commencing with Section 17500) of Part 3 of Division 7 of the Business and Professions Code."
In my previous article linked at the top of this article we have established that zf redzone is unlawful as it collects information outside of the compliance of BPC22575-22579 and provided information as to how so, we have also exposed it as fraudulent by exposing weakness in its accuracy vs the ridiculous 120% accurate claim by its author and pointing out their willingness to violate the privacy policy and Terms of the service they operate with by falsifying by quoting it in part it is deceptive as it operates without notice to the user, and users supposedly reach an agreement through passing it by which actually has no legal binding, and the content of the privacy policy which you never get to see regarding it differs from how the system does thus further proving its deceptive
17201 pretty much defines how terminology will be used in the law, meaning person may refer to company yadda yadda yadda, 17204 pretty much states people may make claims on each-others behalf, so I guess this means class action lawsuits can be filed against companies and individuals who violate BPC22575-22579 which puts them in violation of BPC17200 as stated above in line 17200 any business that engages in unlawful business practice may be found in unfair competition so a violation of BPC22575-22579 constitutes a violation of BPC17200-17210
section 17202 pretty much defines that relief may be payed to competitors of the company that engages in unfair competition, since zf redzone is a security orb product this pretty much defines everyone who produces and sells any form of security orb within the secondlife service or any other land security utility or any sort of copybot protection system or for that matter any tool that has a feature which may put it in competition can make a claim and try to get a relief payment to aid their lost business
"17202. Notwithstanding Section 3369 of the Civil Code, specific or preventive relief may be granted to enforce a penalty, forfeiture, or penal law in a case of unfair competition."
17203 I wont quote here as its pretty long but as with anything I write regarding law the links provided and you can read it by following the link for yourself and interpret it yourself to verify it but pretty much it states court may take action against anyone who has engaged in unfair competition(so even if zfire xue was to quit committing these violations he could be charged with those hes already committed), anyone who is doing so, like he is doing now, or anyone who proposes to do so thus meaning if he proposes to create any more products outlawed by BPC22575-22579 he can be charged with a violation for the proposition of creating such a product.
we should also take a look at section 17206 of the law a bit lengthy to post here but you can read it at:
http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=17001-18000&file=17200-17210
pretty much this states the penalty for entering into unfair competition is a maximum of 2500 but per violation as well, each of those 2500+ zf redzone locations, is an individual violation in itself also in court, this law states what shall be taken into account is the seriousness of the conduct, yeah its pretty serious silent privacy violations and persistence of misconduct, yep the creator of redzone has been informed, and has obviously read my article(as they commented on it, and left themselves quite a weak defense) so they are quite persistent in conducting this illegal activity also if each instance of violation can cost the operator 2500 each then that indicates that each $20-30 sale of this system can potentially end up costing its author $2500 but there's more on that which I will get into later
section 17206.1 pertains to an additional fine of $2500 if the act is perpetrated against senior citizens or the disabled, and really isn't too important as this does not target those groups, however in the event of a class action lawsuit regarding this the age and disability status may now of those who had information collected on them by this system may play a role in the author of this system being charged with additional fines should charges come to pass and I'm sure SL has plenty of disabled users and even a few elderly users. so that knocks the fine up to a total $5000 per orb that has uncovered information regarding a senior or a disabled person.
and onto my favorite part as to why I called zfire xue's comment in my blog enlightening, obviously we have established knowledgeable and willful violation with that comment and within the article of BPC22575-22579 willful violation for this law as established under section 22576 from BPC22575-22579 which can be found here http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579 knowledgeable and willful violation or non compliance after 30 days of notice constitutes a violation, with zfire xues comment in my blog we have established knowledgeable and willful violation which means a 30 day wait to come up to compliance is no longer required but now lets take a look at section 17207 of BPC17200-17210 I like the first paragraph which I will quote here:
17207. (a) Any person who intentionally violates any injunction prohibiting unfair competition issued pursuant to Section 17203 shall be liable for a civil penalty not to exceed six thousand dollars ($6,000) for each violation. Where the conduct constituting a violation is of a continuing nature, each day of that conduct is a separate and distinct violation. In determining the amount of the civil penalty, the court shall consider all relevant circumstances, including, but not limited to, the extent of the harm caused by the conduct constituting a violation, the nature and persistence of that conduct, the length of time over which the conduct occurred, the assets, liabilities, and net worth of the person, whether corporate or individual, and any corrective action taken by the defendant.
so lets see here we've established that each instance of zf redzone is its each own unique violation with 2500+ violations but this part of the law states there is a civil penalty of $6000 for each violation, and for each violation each day the conduct occurs is to be considered a unique violation in itself, so with 2500+ zf redzone locations this constitutes zfire xue having committed 2500+ violations against this law a day with each violation carrying a civil fine of up to $6000, with that said if you view the related xstreet page(aw drat he deleted more of the item discussion) we can establish with a comment " Posted By: TheBoris Gothly at 2010-05-04 00:41:19 (item owner) " that this tool has been around since at least the time of the time-stamp, still all the the same I remember a 2009 post and its likely Linden Labs for legal reasons such as this and request of the court keeps records as to how long an item has been listed and probably records as to deleted text within the item discussion meaning it may be possible to prove these violations have been going on longer.
section B of 17207 refers where this shall be taken to court too and makes reference to relation to which county the violation took place in Linden Labs being a San Francisco based company and this system zf redzone being implemented on their servers establishes the location of the violation at a central point section C details who collects the fines
section 17208:
17208. Any action to enforce any cause of action pursuant to this chapter shall be commenced within four years after the cause of action accrued. No cause of action barred under existing law on the effective date of this section shall be revived by its enactment.
simply put if someone is found guilty of a violation of this code the courts may wait up to 4 years to take action and action must be taken within those 4 years, and that the person may not be charged with the particular violations again, but as established above, each new day is a new violation so if zfire xue was charged under this law the courts could impose the fines anytime within 4 years, and the violations addressed may not be addressed again(sort of like double jeopardy) but as said each day the violation occurs is a new violation meaning if zf redzone was not immediately done away with though the fines may or may not immediately take place new charges may be brought for a new day of violations(or however long this goes on after initial charges), however the days of violations addressed may not be charged again
17209 defines that if you shall take action against a party when the rest of your paperwork is due, big deal, I wanted to mostly look at fines related to this and with the link above you can read this for yourself if you so wish
section 17210 pertains to additional ways to violate this clause but pertains to information outside of internet business practices such as hotels and the such and covers nothing I found of any importance in writing this article.
Wednesday, September 1, 2010
Imprudence as an Emerald alternative
Well today emerald team has announced their final release and discontinuation of their viewer, There will likely eventually be a fork of this viewer but users may be looking to continue the use of its features through another viewer, I heard someone recommend Kirstens viewer in its place, I tried this and was displeased with Kirstens as an alternative you can find the announcement regarding the discontinuation here:
http://blog.modularsystems.sl/2010/09/01/the-end/
anyhow Emerald development ceases with this final release, there will likely be other viewers that are built from emerald and a fork of such, but nonesuch have registered for the TPV List yet however there is a viewer inclusive of some features from emerald which can be seen here:
http://imprudenceviewer.org/wiki/Features
I've used Imprudence before and tried it and hated the abysmal performance, tried it using the latest Release Candidate, Loved it. The performance of the latest release candidate on my system(Imprudence 1.3.0 RC2) was excellent and it can be found here:
http://imprudenceviewer.org/wiki/Downloads
Also its on the third party viewer directory which means it has been approved by Linden Labs and has not done anything to lose that approval which can be found here:
http://viewerdirectory.secondlife.com/
If performance with this viewer however is an issue for you they do provide a solution, as their not licensed to distribute llkdu libraries they use the Slower OpenJPEG libraries instead, however I have not tried this as of yet but will be doing so soon, but they say you can use the LLKDU library yourself you will just need to install and copy it, they mention the solution here:
http://imprudenceviewer.org/2010/08/28/an-update-from-mccabe/
Many emerald users are hooked on Emerald for The built in AO that does not impose on SL's scripting Engine where as scripted AO's need to constantly check the avatar state in the sim thus creating lag, or are hooked on the math features for build or the breast physics all that such can be used in Imprudence
You can find information on building using math expressions here:
http://imprudenceviewer.org/wiki/Build_Math_Expressions
as for the AO yes its there too, mind you it doesn't have the latest check-box that allows you to stop the timer within it, but that's fine cause you can just set the timer high to stop cycling the AO can be found under "View > Animation ovetrider" but I cant help but notice the Hotkey listed for it is the same as the Object occlusion hotkey under the advanced menu.
If You liked Emeralds version of "show look at" and how it named the camera points so you could get an idea who may be camming into your skybox the same modification for "show look at" exists within imprudence it just hasn't been moved, it exists in its old location in the advanced menu "advanced > character > show look at". it does pop up a warning that you shouldn't rely on this for privacy, there's several reasons for this, viewers don't always accurately receive this information and sometimes can show different look at points between viewers(a net packet gets dropped and someone that gave you cam focus hours ago may appear to still be doing so), viewers can disable broadcasting of this(imprudence can too but disables this if you do) and also people can always cam in from other sources.
Also there is the breast physics, mind you I did not find options related to this in imprudence unlike emerald(not saying their not there, but the imprudence team intended it be a subtle thing it appears) however the options still exist within the debug menu under advanced and their settings are under the entries:
EmeraldBoobFriction
EmeraldBoobHardnes
EmeraldBoobMass
EmeraldBoobVelMax
EmeraldBoobVelMin
EmeraldBoobXYInfluence
EmeraldBreastPhysicsToggle
EmeraldBreastSportsBra
the settings seem to be the same as emeralds and follow emeralds defaults so if you adjusted this you can copy the debug entries here and make it the same I guess, I'm not going to mess with the settings myself though.
Extended Edit: well another worth mention feature I forgot to mention that was mentioned to me by a friend is the radar feature, both imprudence and emerald have this but use different implementation. emeralds radar has a longer range, the one in imprudence has a range setting and is built into the minimap with a drop down arrow marker, it however is limited to 512m where as the emerald one apparently had a much longer range than that but still if you need a radar both viewers have it built in, just the emerald one is superior, however, it is available in imprudence nonetheless, another worth mention feature I forgot to mention is imprudence does have an implementation of area search which allows you to search the area much the way emerald does with its area search feature,you can search an area by name, by owner, by group or by description, Both viewers have this however I noticed when using this in emerald I would get a drastic frame rate drop, imprudence this feature seems to run smoothly, whatever the case, its good for finding parcels that have implemented zf redzone which should be avoided like the plague, something I think would make a cool edition to this feature though, is the ability to search by object creator, but still nonetheless a greatly useful feature that exists in both viewers
http://blog.modularsystems.sl/2010/09/01/the-end/
anyhow Emerald development ceases with this final release, there will likely be other viewers that are built from emerald and a fork of such, but nonesuch have registered for the TPV List yet however there is a viewer inclusive of some features from emerald which can be seen here:
http://imprudenceviewer.org/wiki/Features
I've used Imprudence before and tried it and hated the abysmal performance, tried it using the latest Release Candidate, Loved it. The performance of the latest release candidate on my system(Imprudence 1.3.0 RC2) was excellent and it can be found here:
http://imprudenceviewer.org/wiki/Downloads
Also its on the third party viewer directory which means it has been approved by Linden Labs and has not done anything to lose that approval which can be found here:
http://viewerdirectory.secondlife.com/
If performance with this viewer however is an issue for you they do provide a solution, as their not licensed to distribute llkdu libraries they use the Slower OpenJPEG libraries instead, however I have not tried this as of yet but will be doing so soon, but they say you can use the LLKDU library yourself you will just need to install and copy it, they mention the solution here:
http://imprudenceviewer.org/2010/08/28/an-update-from-mccabe/
Many emerald users are hooked on Emerald for The built in AO that does not impose on SL's scripting Engine where as scripted AO's need to constantly check the avatar state in the sim thus creating lag, or are hooked on the math features for build or the breast physics all that such can be used in Imprudence
You can find information on building using math expressions here:
http://imprudenceviewer.org/wiki/Build_Math_Expressions
as for the AO yes its there too, mind you it doesn't have the latest check-box that allows you to stop the timer within it, but that's fine cause you can just set the timer high to stop cycling the AO can be found under "View > Animation ovetrider" but I cant help but notice the Hotkey listed for it is the same as the Object occlusion hotkey under the advanced menu.
If You liked Emeralds version of "show look at" and how it named the camera points so you could get an idea who may be camming into your skybox the same modification for "show look at" exists within imprudence it just hasn't been moved, it exists in its old location in the advanced menu "advanced > character > show look at". it does pop up a warning that you shouldn't rely on this for privacy, there's several reasons for this, viewers don't always accurately receive this information and sometimes can show different look at points between viewers(a net packet gets dropped and someone that gave you cam focus hours ago may appear to still be doing so), viewers can disable broadcasting of this(imprudence can too but disables this if you do) and also people can always cam in from other sources.
Also there is the breast physics, mind you I did not find options related to this in imprudence unlike emerald(not saying their not there, but the imprudence team intended it be a subtle thing it appears) however the options still exist within the debug menu under advanced and their settings are under the entries:
EmeraldBoobFriction
EmeraldBoobHardnes
EmeraldBoobMass
EmeraldBoobVelMax
EmeraldBoobVelMin
EmeraldBoobXYInfluence
EmeraldBreastPhysicsToggle
EmeraldBreastSportsBra
the settings seem to be the same as emeralds and follow emeralds defaults so if you adjusted this you can copy the debug entries here and make it the same I guess, I'm not going to mess with the settings myself though.
Extended Edit: well another worth mention feature I forgot to mention that was mentioned to me by a friend is the radar feature, both imprudence and emerald have this but use different implementation. emeralds radar has a longer range, the one in imprudence has a range setting and is built into the minimap with a drop down arrow marker, it however is limited to 512m where as the emerald one apparently had a much longer range than that but still if you need a radar both viewers have it built in, just the emerald one is superior, however, it is available in imprudence nonetheless, another worth mention feature I forgot to mention is imprudence does have an implementation of area search which allows you to search the area much the way emerald does with its area search feature,you can search an area by name, by owner, by group or by description, Both viewers have this however I noticed when using this in emerald I would get a drastic frame rate drop, imprudence this feature seems to run smoothly, whatever the case, its good for finding parcels that have implemented zf redzone which should be avoided like the plague, something I think would make a cool edition to this feature though, is the ability to search by object creator, but still nonetheless a greatly useful feature that exists in both viewers
Monday, July 26, 2010
Custom Color Tags in emerald.... Yuck
today I went to a club, and I saw a bunch of emerald users, an LGG Proxy(malicious viewer) user, a couple imprudence users a few sl2.0 users .... or did I?
actually everyone there was Emerald users with the exception of some 2.0 users.... apparently now you can set the color your name tag appears to other emerald users, after they established a color coded system where viewers could be identified by the color of name-tag, I'm used to malicious viewers being marked red, there was a guy at the club with his name marked red cause he set a custom color with his viewer, I don't like this. So far since I've started using emerald since my ex-mate tugged me into it with the introduction of boob jiggle version1.23.5.950? and so far, in all my time here, and I get around, I've only seen one Malicious viewer, and one unknown which brings me to a question. does anybody out there know what Moymix is? I googled it and cant find any useful information, one person seems to suspect its a viewer that allows free uploads, I dunno, but I remember seeing it marked in pink, much like viewer 2.0 is before this custom color tagging, aside from that Ive seen a viewer marked "LGG Proxy" one time a while back(googling it revealed it was a malicious viewer) and it was marked as red, so I'm used to the idea of red meaning its a bad viewer. now since people can set their tags to red on their own, I'm kinda thrown way off.
actually everyone there was Emerald users with the exception of some 2.0 users.... apparently now you can set the color your name tag appears to other emerald users, after they established a color coded system where viewers could be identified by the color of name-tag, I'm used to malicious viewers being marked red, there was a guy at the club with his name marked red cause he set a custom color with his viewer, I don't like this. So far since I've started using emerald since my ex-mate tugged me into it with the introduction of boob jiggle version1.23.5.950? and so far, in all my time here, and I get around, I've only seen one Malicious viewer, and one unknown which brings me to a question. does anybody out there know what Moymix is? I googled it and cant find any useful information, one person seems to suspect its a viewer that allows free uploads, I dunno, but I remember seeing it marked in pink, much like viewer 2.0 is before this custom color tagging, aside from that Ive seen a viewer marked "LGG Proxy" one time a while back(googling it revealed it was a malicious viewer) and it was marked as red, so I'm used to the idea of red meaning its a bad viewer. now since people can set their tags to red on their own, I'm kinda thrown way off.
Saturday, July 24, 2010
Item Discussion for zf Redzone Censored
So Today I was filing my usual reports against the zf redzone system visited the xstreet page and of course got the stupid message saying a report already exists for this item, also filed an AR against its location in vsevolod, but I noticed something, every negative comment about it in the Item discussion has been deleted, last I checked it was 103 posts now whittled down to 72 posts, obviously there's a lot of negative to be said about it. I don't know whether the Lindens deleted the comments due to complaint of the seller, or if the seller decided to go back and delete them, I haven't used xstreet in forever so I don't know if you can moderate your item discussion, but it sure seems like to me the creator wants to censor every little bit that says what he is doing violates the ToS and is illegal, so with that his replies against the users should stand on their own if not the case, but why would he need to delete it? obviously someone hit the nail right on the head, probably he had the comments deleted because they can be used to show that he is in knowledgeable violation of BPC22575-22579. either way I'm going to continue to report this to the Lindens, as his utility is a serious threat to those who have multiple accounts regardless of reason for those, and as with found with the previous statement and comments, those who compile their own viewer(so most the developer community)
you can see the item discussion here:
https://www.xstreetsl.com/modules.php?name=Marketplace&file=discussions&ItemID=1175807
Take notice to all the gaps in the conversation
you can see the item discussion here:
https://www.xstreetsl.com/modules.php?name=Marketplace&file=discussions&ItemID=1175807
Take notice to all the gaps in the conversation
Saturday, July 17, 2010
secondlife Relay For Life, Relay today
At the relay for Life event at secondlife showing my support, Right now its the survivors lap so I'm off the track showing my support for those who are living with cancer, My teams campsite is at http://slurl.com/secondlife/RFL%20Hope/115/77/24/ come pay us a visit show your support and light a luminary for someone you know, I'm sure you know someone that's been afflicted by this horrible disease, come show your support for them.
Friday, July 16, 2010
Gathering Hardware and viewer statistics on SL users
Today in Avatar Makers Guild group chat Just a bit ago I got this group notice from a user called Stickman Ingmann:
I made a Jira requesting LL collect and expose useful information for inworld developers.
Oz Linden mentioned that there's internal discussion about a script function to test the viewer for certain capabilities (avatar alpha support, multiwearables, etc), but knowing what the average user can do would help us design products.
Have a read. If you agree, give it a vote. If you don't, leave a comment with feedback if you'd like. Thanks!
http://jira.secondlife.com/browse/MISC-4405
I have to highly recommend voting for anonymous statistics collection. It's a way to get software developers that write viewers to make secondlife suitable for common hardware and exposes statistical information for content creators who make graphically intensive stuff(such as hair with the Max Prim count, all Flexi, and glow...nothing lags a video-card like that) and to top it off unlike that zf redzone I mentioned in a previous post, It don't violate anyone's privacy, Sounds to me like this anonymous statistic collection will make a great alternative to a totally idiotic unthoughtful scripting function used to gather information on another users viewer capabilities, I mean such a scripting function, paired with the media system, to gather information, on a specific users viewer, can be used for vulnerability assessment purposes, this is definitely not a good thing. so if your a secondlife user reading this blog post, vote for that Jira article, and leave a comment, tell them you don't want a scripted function that can do this, and you would much rather see what Stickman Ingmann suggested than such a scripted function.
Just in case of editing by any party here is the Jira Article as it stands at time of posting this Blog Entry:
Having more information about what hardware and capabilities the average users of Second Life have would greatly aid in the designing and marketing of products.
Steam conducts a monthly hardware survey, asking random members of the community if they'd be willing to divulge hardware information to Valve. http://store.steampowered.com/hwsurvey The survey is made public to aid not only game developers in planning and spotting trends, but to aid community awareness on what types of systems people are using.
Gathering and distributing similar anonymous information from the Second Life community would be not only aid Linden Lab in its development choices, but would aid the inworld developers and standard users. As an example, if glow is only enabled by 20% of the users, it may be beneficial for LL to figure out why, and would be beneficial for inworld developers not to rely entirely on it. It would also let the standard user realize that the glow they are emitting may not be visible by everyone.
Besides the information contained on the Steam survey, the follow information specific to Second Life would be useful:
* Feature Support
o Glow/Shader Support
o Transparent Avatar Support
o Media-on-a-prim Support
o Multiwearables Support
o Restricted Life Support
o Etc
* Second Life Resolution
* Second Life Fullscreen/windowed status
* FPS
* Texture Memory
* Viewer Brand/Version
* Viewer Diversity (if people use more than one client or are loyal to just one)
Information also available on the Steam survey that could be gathered includes:
* Operating System and version
* System RAM
* CPU Count and Speed
* Video Card Identifier
* Video RAM
* Display Resolution
* Multimonitor status
* Microphone (not detected, asked)
* Language
* Free/Total HD space (not immediately useful, may be useful if the cache is improved)
* Network Speed
Edit:
you may wish to tell Oz Linden it's a bad idea to implement a scripting function to gather viewer information as it can be used for vulnerability assessments when paired with gathering information via media functions, you can find his office hours here: http://wiki.secondlife.com/wiki/User:Oz_Linden and please if you do say something to Oz please link him to the above mentioned Jira article here: http://jira.secondlife.com/browse/MISC-4405 tell him its a much better solution without all the nasty drawbacks of having such a scripting function.
I made a Jira requesting LL collect and expose useful information for inworld developers.
Oz Linden mentioned that there's internal discussion about a script function to test the viewer for certain capabilities (avatar alpha support, multiwearables, etc), but knowing what the average user can do would help us design products.
Have a read. If you agree, give it a vote. If you don't, leave a comment with feedback if you'd like. Thanks!
http://jira.secondlife.com/browse/MISC-4405
I have to highly recommend voting for anonymous statistics collection. It's a way to get software developers that write viewers to make secondlife suitable for common hardware and exposes statistical information for content creators who make graphically intensive stuff(such as hair with the Max Prim count, all Flexi, and glow...nothing lags a video-card like that) and to top it off unlike that zf redzone I mentioned in a previous post, It don't violate anyone's privacy, Sounds to me like this anonymous statistic collection will make a great alternative to a totally idiotic unthoughtful scripting function used to gather information on another users viewer capabilities, I mean such a scripting function, paired with the media system, to gather information, on a specific users viewer, can be used for vulnerability assessment purposes, this is definitely not a good thing. so if your a secondlife user reading this blog post, vote for that Jira article, and leave a comment, tell them you don't want a scripted function that can do this, and you would much rather see what Stickman Ingmann suggested than such a scripted function.
Just in case of editing by any party here is the Jira Article as it stands at time of posting this Blog Entry:
Having more information about what hardware and capabilities the average users of Second Life have would greatly aid in the designing and marketing of products.
Steam conducts a monthly hardware survey, asking random members of the community if they'd be willing to divulge hardware information to Valve. http://store.steampowered.com/hwsurvey The survey is made public to aid not only game developers in planning and spotting trends, but to aid community awareness on what types of systems people are using.
Gathering and distributing similar anonymous information from the Second Life community would be not only aid Linden Lab in its development choices, but would aid the inworld developers and standard users. As an example, if glow is only enabled by 20% of the users, it may be beneficial for LL to figure out why, and would be beneficial for inworld developers not to rely entirely on it. It would also let the standard user realize that the glow they are emitting may not be visible by everyone.
Besides the information contained on the Steam survey, the follow information specific to Second Life would be useful:
* Feature Support
o Glow/Shader Support
o Transparent Avatar Support
o Media-on-a-prim Support
o Multiwearables Support
o Restricted Life Support
o Etc
* Second Life Resolution
* Second Life Fullscreen/windowed status
* FPS
* Texture Memory
* Viewer Brand/Version
* Viewer Diversity (if people use more than one client or are loyal to just one)
Information also available on the Steam survey that could be gathered includes:
* Operating System and version
* System RAM
* CPU Count and Speed
* Video Card Identifier
* Video RAM
* Display Resolution
* Multimonitor status
* Microphone (not detected, asked)
* Language
* Free/Total HD space (not immediately useful, may be useful if the cache is improved)
* Network Speed
Edit:
you may wish to tell Oz Linden it's a bad idea to implement a scripting function to gather viewer information as it can be used for vulnerability assessments when paired with gathering information via media functions, you can find his office hours here: http://wiki.secondlife.com/wiki/User:Oz_Linden and please if you do say something to Oz please link him to the above mentioned Jira article here: http://jira.secondlife.com/browse/MISC-4405 tell him its a much better solution without all the nasty drawbacks of having such a scripting function.
Copybot... Users going too far to defeat it
Warning:as with previous post, more bad grammar ahead.
This post isn't going to be about zf redzone as I think I covered it pretty well in my previous post, but really those who have their content copy botted, really should see my links to the IC3(FBI) and the FTC in my previous article, and should learn how to file a DMCA complaint with Linden Labs, while they don't give prompt action, it don't make you just as guilty as the person that is illegally copying and republishing your content with the permissions released.
A while back I was in a group chat with a group known as "Avatar Maker's Guild", and a user known as "KK Mode" said he had the solution to copybot, a Prim tool known to crash copybot clients. While it has the right objective in mind, to disrupt copybot viewers export capability, it is severely misguided, however I must tout while I do not endorse the solution it is a hell of a lot less corrupt on spying on people, reason I don't endorse the solution? it crashes copybot and the standard viewer all the same.
KK Mode when initiating the group chat said he had something you could link to your creations that would disrupt the export process of a copybot viewer and crash it, and was handing them out free, he then said he was giving out this tool for free for anyone to make use of and to protect their content with, I of course inquired about this tool in a private IM with him as not to spam the group chat, he said this object is set to an invalid material type and would crash any viewer acquiring the information on that specific prim since its not going to be the root prim and that makes it safe for use, I asked what about editing linked parts and he stated it was safe for people that edited their avatars cause there was no way to select it, and it was more than just invisible, I asked him if he would send me one and he did so, I then asked you know there are some people that modify their avatars and may unlink them to do stuff like remove the ears to mod the ears for ear twitch features, and gave him a number of possibilities about how this could disrupt service for a normal user and isn't exactly a safe tool, his response over my concern? he got his nasty attitude on about a lot of the concerns as I stated it could take linden labs a long time to fix something like this, and that it may only take a copybot creator a week to discover why its crashing their viewer, and less than an hour to patch such an issue do you really want to put something like this out there? and this lead to a full blown argument, if not for ToS section 8.3 which I uphold and preach in my previous post, community standards and other issues, I would post the chat log right here. but I cant, All I can do is talk about it as im not allowed to make a direct copy of the text, but anyhow, the conversation eventually lead to him saying something to the tune of, Modding your avatar is like modding your PC's hard drive by putting a screw driver through it and complaining to the manufacturer it don't work(ironically I later vented with my Secondlife sister Mira and which stated she was as yiff lounge and standing right next to him, and went on to describe that he had a Kani avatar with the all too common fox modification where as you add an aventity fox nose to the Prims in the Kani) , I muted him for being an idiot and filed an abuse report with Linden Labs describing the malware content as it also violates ToS 8.3 like redzone, just the section that says you shall not impede normal function of the viewer(in the AR I said I would hold onto the content up until a certain date for their investigation but would delete it after a certain date as I dont like to hold onto dangerous content):
from: http://secondlife.com/corporate/tos.php
"8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users' functionality, invade other users' privacy, or surreptitiously or negatively impact any system or network."
impeding functionality right there with that tool. I would like to see copybot defeated just as much as any other creator, I have my own business there which copybot negatively impacts, in the case of This and redzone, the ends do not justify the means, as both are harmful to the general userbase more so than just copybot users.
anyhow with this said both methods to defeating copybot are both crossing the line, and are easily defeated by copybot users, the method described above can be defeated with a minor recode of copybot to ignore that information field, or just simply not lookup the names for the addressed invalid material types, or just simply a Hex editor that locks all addresses defining prim types under that variable to Wood or a material of choice, redzone can be defeated as with any content someone would want to steal, its generally virally spread across the grid, all you need to do is find it in a location where its not protected by redzone, or simply turn off media.
If you are thinking of Implementing either method of to protect your content, as ive heard some user say, copybot users generally aren't too bright in coding their viewers, its just simply modifications to circumvent the permission system and oftentimes they circumvent the UUID system so they don't have to pay to re-upload textures from content their stealing which can give away who was the original creator with lesser known creators who have content stolen from them, however no doubt their bright enough to figure out a scanning system and stay clear of it(just as normal and copybot user would want to do alike) with this said, the method that does more to protect your stolen content is KK Modes method and Not zfire xues method, reviewing the method which he uses the excuse his associates or alts make, I think zfire xue just simply uses copybot in mind as an excuse to do what hes doing, while I do honestly think KK Mode created his method in an honest attempt to defeat copybot, However, I do think KK mode needs to reconsider his methods due to lack of situational consideration(as with said him using a modded avatar he didn't even consider his own situation in this), so in saying this, his method sticks with your content, redzone does not, kk mode while both methods violate the ToS, is not only the lesser criminal in this situation, but is also the greater defender while I do not endorse the method of either and strongly oppose both methods, my opposition to redzone is much greater,if your going to do something in violation of the ToS kk modes method does not come with a legal violation as well unlike redzone(or at least I haven't found any laws that outlaw it at this point), I condemn both methods, but I stress, if your going to put them to use, use KK Modes method, it does much more to protect your content, and a minor viewer crash is a lot less damaging to an individual than a major Privacy violation and is more likely to prevent your content from becoming copybotted.
Please people, lets come up with a means to defeat this copybot system that does not violate the Lindens ToS, that is both Legal and Ethical.
If I worked for Linden Labs and developed their software I would probably create some software that works from the background and verifies that you are using a Linden Approved viewer, much like punkbuster, and verifies that the viewer, is running in an unmodified state, and that no unapproved applications outside the viewer were reading from it, that held a definition list much like an anti-virus to contain known viewers the background software would also acquire checksums on applications reading from the viewer, and verify those are running in an unmodified state if their known to the lindens, and submits checksums and definitions to the Lindens to identify unknown apps reading information and variables and so that these unknown applications can be disallowed, all viewers that don't verify properly are automatically and immediately disconnected, and also all viewers can have a closed source program that reads from them, collects various unspecified data used to verify whether the viewer is not and engages in encrypted communication with Linden servers whereas a new encryption system can be setup, of course this closed source program should be distributable and contain an API for working with so those who wish to make third party viewers can do so., of course no personally identifiable information of course. Hell even one of the third party viewer writers could start developement on this, submit their code to Linden Lab, and push in the Jira to get it Implemented in the regular viewer. the Only problem with this method suggested here? it takes time to do. but still no doubt it will be a goal completely worth working towards. also while absolutely disgusted with the technology behind it because it's a system that companies pay into to have their software developed and cause it can do what this background application I suggested would do quite readily without the need for additional software, there is always *shudders in disgust with it cause its really quite harmful to Open source and all that is good in computing*.... ... ... The disgusting evil, of coding your software, to work with the evils of the TPM(Trusted Platform Module) for those of you that dont know what this is, Its a hardware based system that enforces Copyright of software and other materials and verifies their running in a correct state, and can defeat viruses through the system, simply Its a chip on your motherboard that monitors your systems memory and watches over things when enabled, software can be compiled to only work if its present and enabled and it overviews a database of software(((which companies must pay to make an entry in which is harmful for opensource due to limited funding of some opensource projects and also harmful because a company can dispute the state of another program with it and close down another competing and free project that competes with a commercial project so you can see why I'm so disgusted with it as its a system of who registers first, totally backed by money, its also partially backed by Microsoft the leader in poorly designed operating systems that funded SCO's illegitimate lawsuit Where as some code contributed by SCO to the linux Kernal was claimed to be stolen but beside the point of this article, it just goes to show why im disgusted with TPM, but its nonetheless an option available to LL to defeat copybot))), this chip simply put can make sure your running a Linden Approved third party viewer or the Linden viewer itself, and can automatically close and shutdown unapproved viewers. as it Runs and performs its Operation at the hardware level, utilizes network to verify and discontinues failed verifications and runs over the OS level, a simple copybot user, would find such hardware extremely tough to defeat as it runs over a level which they have control of. Im against TPM though and think copybot could be controlled with the previous software method, and I have another reason I disagree with TPM, it would take a lot of users to upgrade to modern hardware that supports it in order to implement it so would require all secondlife users to use hardware that supports it, thus putting a lot of users out of luck. Simply Put, a piece of extra software that's freely downloadable and closed source that implements a verification system that's encrypted and simply verifies your client is in the state its supposed to be in and communicates with the Linden servers via encrypted means to keep its responses only predictable by Linden Servers, would be the best solution, if a response is invalid the user simply is disconnected by the Linden servers, this would probably even make it impossible to finish connecting if you were going to bot, while there are means of even defeating this method their method, it would force copybotters to do some work to achieve these means, thus then making them a lot more rare. which also in turns makes Linden Enforcement on DMCA issues more responsive, this can be defeated. but, everyone's going the wrong way, if your a talented programmer. Don't make spyware or malware, make a viewer and submit it to the Lindens, It could get implemented in their viewer and improve the experience for everyone without harming it and become a requirement of the system some day. All at the same, defeating copybot for the most part.
This post isn't going to be about zf redzone as I think I covered it pretty well in my previous post, but really those who have their content copy botted, really should see my links to the IC3(FBI) and the FTC in my previous article, and should learn how to file a DMCA complaint with Linden Labs, while they don't give prompt action, it don't make you just as guilty as the person that is illegally copying and republishing your content with the permissions released.
A while back I was in a group chat with a group known as "Avatar Maker's Guild", and a user known as "KK Mode" said he had the solution to copybot, a Prim tool known to crash copybot clients. While it has the right objective in mind, to disrupt copybot viewers export capability, it is severely misguided, however I must tout while I do not endorse the solution it is a hell of a lot less corrupt on spying on people, reason I don't endorse the solution? it crashes copybot and the standard viewer all the same.
KK Mode when initiating the group chat said he had something you could link to your creations that would disrupt the export process of a copybot viewer and crash it, and was handing them out free, he then said he was giving out this tool for free for anyone to make use of and to protect their content with, I of course inquired about this tool in a private IM with him as not to spam the group chat, he said this object is set to an invalid material type and would crash any viewer acquiring the information on that specific prim since its not going to be the root prim and that makes it safe for use, I asked what about editing linked parts and he stated it was safe for people that edited their avatars cause there was no way to select it, and it was more than just invisible, I asked him if he would send me one and he did so, I then asked you know there are some people that modify their avatars and may unlink them to do stuff like remove the ears to mod the ears for ear twitch features, and gave him a number of possibilities about how this could disrupt service for a normal user and isn't exactly a safe tool, his response over my concern? he got his nasty attitude on about a lot of the concerns as I stated it could take linden labs a long time to fix something like this, and that it may only take a copybot creator a week to discover why its crashing their viewer, and less than an hour to patch such an issue do you really want to put something like this out there? and this lead to a full blown argument, if not for ToS section 8.3 which I uphold and preach in my previous post, community standards and other issues, I would post the chat log right here. but I cant, All I can do is talk about it as im not allowed to make a direct copy of the text, but anyhow, the conversation eventually lead to him saying something to the tune of, Modding your avatar is like modding your PC's hard drive by putting a screw driver through it and complaining to the manufacturer it don't work(ironically I later vented with my Secondlife sister Mira and which stated she was as yiff lounge and standing right next to him, and went on to describe that he had a Kani avatar with the all too common fox modification where as you add an aventity fox nose to the Prims in the Kani) , I muted him for being an idiot and filed an abuse report with Linden Labs describing the malware content as it also violates ToS 8.3 like redzone, just the section that says you shall not impede normal function of the viewer(in the AR I said I would hold onto the content up until a certain date for their investigation but would delete it after a certain date as I dont like to hold onto dangerous content):
from: http://secondlife.com/corporate/tos.php
"8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users' functionality, invade other users' privacy, or surreptitiously or negatively impact any system or network."
impeding functionality right there with that tool. I would like to see copybot defeated just as much as any other creator, I have my own business there which copybot negatively impacts, in the case of This and redzone, the ends do not justify the means, as both are harmful to the general userbase more so than just copybot users.
anyhow with this said both methods to defeating copybot are both crossing the line, and are easily defeated by copybot users, the method described above can be defeated with a minor recode of copybot to ignore that information field, or just simply not lookup the names for the addressed invalid material types, or just simply a Hex editor that locks all addresses defining prim types under that variable to Wood or a material of choice, redzone can be defeated as with any content someone would want to steal, its generally virally spread across the grid, all you need to do is find it in a location where its not protected by redzone, or simply turn off media.
If you are thinking of Implementing either method of to protect your content, as ive heard some user say, copybot users generally aren't too bright in coding their viewers, its just simply modifications to circumvent the permission system and oftentimes they circumvent the UUID system so they don't have to pay to re-upload textures from content their stealing which can give away who was the original creator with lesser known creators who have content stolen from them, however no doubt their bright enough to figure out a scanning system and stay clear of it(just as normal and copybot user would want to do alike) with this said, the method that does more to protect your stolen content is KK Modes method and Not zfire xues method, reviewing the method which he uses the excuse his associates or alts make, I think zfire xue just simply uses copybot in mind as an excuse to do what hes doing, while I do honestly think KK Mode created his method in an honest attempt to defeat copybot, However, I do think KK mode needs to reconsider his methods due to lack of situational consideration(as with said him using a modded avatar he didn't even consider his own situation in this), so in saying this, his method sticks with your content, redzone does not, kk mode while both methods violate the ToS, is not only the lesser criminal in this situation, but is also the greater defender while I do not endorse the method of either and strongly oppose both methods, my opposition to redzone is much greater,if your going to do something in violation of the ToS kk modes method does not come with a legal violation as well unlike redzone(or at least I haven't found any laws that outlaw it at this point), I condemn both methods, but I stress, if your going to put them to use, use KK Modes method, it does much more to protect your content, and a minor viewer crash is a lot less damaging to an individual than a major Privacy violation and is more likely to prevent your content from becoming copybotted.
Please people, lets come up with a means to defeat this copybot system that does not violate the Lindens ToS, that is both Legal and Ethical.
If I worked for Linden Labs and developed their software I would probably create some software that works from the background and verifies that you are using a Linden Approved viewer, much like punkbuster, and verifies that the viewer, is running in an unmodified state, and that no unapproved applications outside the viewer were reading from it, that held a definition list much like an anti-virus to contain known viewers the background software would also acquire checksums on applications reading from the viewer, and verify those are running in an unmodified state if their known to the lindens, and submits checksums and definitions to the Lindens to identify unknown apps reading information and variables and so that these unknown applications can be disallowed, all viewers that don't verify properly are automatically and immediately disconnected, and also all viewers can have a closed source program that reads from them, collects various unspecified data used to verify whether the viewer is not and engages in encrypted communication with Linden servers whereas a new encryption system can be setup, of course this closed source program should be distributable and contain an API for working with so those who wish to make third party viewers can do so., of course no personally identifiable information of course. Hell even one of the third party viewer writers could start developement on this, submit their code to Linden Lab, and push in the Jira to get it Implemented in the regular viewer. the Only problem with this method suggested here? it takes time to do. but still no doubt it will be a goal completely worth working towards. also while absolutely disgusted with the technology behind it because it's a system that companies pay into to have their software developed and cause it can do what this background application I suggested would do quite readily without the need for additional software, there is always *shudders in disgust with it cause its really quite harmful to Open source and all that is good in computing*.... ... ... The disgusting evil, of coding your software, to work with the evils of the TPM(Trusted Platform Module) for those of you that dont know what this is, Its a hardware based system that enforces Copyright of software and other materials and verifies their running in a correct state, and can defeat viruses through the system, simply Its a chip on your motherboard that monitors your systems memory and watches over things when enabled, software can be compiled to only work if its present and enabled and it overviews a database of software(((which companies must pay to make an entry in which is harmful for opensource due to limited funding of some opensource projects and also harmful because a company can dispute the state of another program with it and close down another competing and free project that competes with a commercial project so you can see why I'm so disgusted with it as its a system of who registers first, totally backed by money, its also partially backed by Microsoft the leader in poorly designed operating systems that funded SCO's illegitimate lawsuit Where as some code contributed by SCO to the linux Kernal was claimed to be stolen but beside the point of this article, it just goes to show why im disgusted with TPM, but its nonetheless an option available to LL to defeat copybot))), this chip simply put can make sure your running a Linden Approved third party viewer or the Linden viewer itself, and can automatically close and shutdown unapproved viewers. as it Runs and performs its Operation at the hardware level, utilizes network to verify and discontinues failed verifications and runs over the OS level, a simple copybot user, would find such hardware extremely tough to defeat as it runs over a level which they have control of. Im against TPM though and think copybot could be controlled with the previous software method, and I have another reason I disagree with TPM, it would take a lot of users to upgrade to modern hardware that supports it in order to implement it so would require all secondlife users to use hardware that supports it, thus putting a lot of users out of luck. Simply Put, a piece of extra software that's freely downloadable and closed source that implements a verification system that's encrypted and simply verifies your client is in the state its supposed to be in and communicates with the Linden servers via encrypted means to keep its responses only predictable by Linden Servers, would be the best solution, if a response is invalid the user simply is disconnected by the Linden servers, this would probably even make it impossible to finish connecting if you were going to bot, while there are means of even defeating this method their method, it would force copybotters to do some work to achieve these means, thus then making them a lot more rare. which also in turns makes Linden Enforcement on DMCA issues more responsive, this can be defeated. but, everyone's going the wrong way, if your a talented programmer. Don't make spyware or malware, make a viewer and submit it to the Lindens, It could get implemented in their viewer and improve the experience for everyone without harming it and become a requirement of the system some day. All at the same, defeating copybot for the most part.
Thursday, July 15, 2010
Spyware...ToS and Legal Violation in secondlife and why you should be concerned
Warning:This post is filled with sloppy writing thats only meant to get a point a across, Dry legal issues, reference to ToS and Legal violations and attempts to prove something and probably is redundant in proving the point made. Beware, poor grammar ahead.
It has come to My attention that security issues with media in secondlife have become a serious problem and many users downplay these security issues. In this Post I'm going to write about mostly a tool that commits these security exploits, issues regarding it, It's creator, It's Legality, and I'm also going to write about other things that can be done with this mentioned exploit, many of the cases outside the discussion of the tool are undocumented but potential threats to secondlife and it's users.
I Discovered a while back on XstreetSL.com a security orb tool that claims to ban copybotters, and their alts? Well now how do they do this? Are they getting my information? Pulling it From my PC? Are they Invading my Privacy? Is this legal? Many people are familiar with such a tool, and when I discuss it they often mention a tool I have yet to look into titled CDS, the tool I am mentioning is Called zf redzone, and is published by a zfire xue. To answer the above questions: It utilizes Secondlife Media functions to obtain IP addresses on avatars, and compare them searching for avatars with the matching IP address. Their Getting information on you such as alternate accounts, there are rumors that this tool scans your hard drive to locate info on you, but really that's likely an exaggeration of its functionality. The information is not pulled from your PC, it's gained from the nearest routing point they can get to which is your home router, so when they do identify your alts, oftentimes others you share residence with will be included. Yes they are invading your privacy as they are collecting Information about you without your knowledge or consent. It's Illegal by secondlife Terms of service and By Law, Secondlife Terms of service Section 8.3 Specifically disallows the use of spyware, and the Tool violates the California privacy Protection act a law designed to protect any systems within California, Linden Labs being a california based company and the spyware residing on their servers, means that all secondlife residents are Protected under the california Privacy protect act, specifically BPC22575-22579 protects you and linden labs servers. Also to top it all off you and your alt, or roommate may not visit the same locations in secondlife? Guess what? It's a distributed system that utilizes web functions to log this information so your alts may be identified even if never crossing the same point, so long as they are both scanned by the zf redzone system. Is this system 120% accurate as the author claims? No It is not. As it works based on IP and can identify roommates, or people you login to assist as alt's, also if you log in from college or a dormitory connection, to zf redzone it may look like you have hundreads of alts. Which brings upon another function of this tool, client detection. If it detects a copybot. It bans the user, and their alts. Is It's copybot protection 100% accurate? NO! Any copybot with media off can evade it and any snowglobe 2.0 user appears to be copybot to this system. Anyhow snowglobe users are probably reading this and wondering why hasent this thing banned me for snowglobe use. If you are. Do your research on the viewer your using! Anyone that knows much of anything about alternate secondlife viewers and snowglobe should know snowglobe has 2 major distributions which are Snowglobe 1.3(based on secondlife 1.23) and Snowglobe 2.0(based on secondlife 2.0) both viewers being inherently different their only the same in name as they both come from different codebases, so when zf redzone detects snowglobe, it is detecting the use of snowglobe 1.3. Please see this link regarding a user who contacted zfire xue about this nasty issue, and the ignorant response he was given: http://www.mail-archive.com/opensource-dev@lists.secondlife.com/msg02048.html Obviously the creator does not acknowledge his system has a flaw and thus then will do nothing to fix it.
Now Onto the point why it upsets me, upon viewing this spyware for sale on xstreet I contacted the seller, what I suspect is an alternate account known as TheBoris Gothly. And inquired about what it did, the inquiry lead me to find the user has no consideration for the privacy of others or potential misuse of the system. Upon interviewing the user he quoted the privacy Policy of Linden Labs and convenienintly neglected the parts that did not fit his misuse of the service he quoted:
some services operated by Second Life users may provide content that is accessed through and located on third party (non-Linden Lab) servers that may log IP addresses.
however he conveniently left out the previous part that sites this is only an example of users are capable of that immediately states beforehand:
For instance,
and he also conveniently left out the purpose of that part of the privacy Policy:
Certain account information is displayed to other users in your Second Life profile, and may be available through automated script calls and application program interfaces. This information includes your account name, account type, the date your account was established, whether or not you are currently online, user rating information, group and partner information, and whether or not you have established a payment account or transaction history with Linden Lab. Further, you agree and understand that Linden Lab does not control and is not responsible for information, privacy or security practices concerning data that you provide to, or that may otherwise be collected by, Second Life users other than Linden Lab.
want to see the privacy Policy that's quoted here in whole? View it here:
http://secondlife.com/corporate/privacy.php (7/14/2010)
with that stated the privacy policy in whole means Linden Labs shall in no way be held responsible for information that you include within your profile and shall not be held responsible for data mining schemes of other users like this one we provide an example of so if you get someone hiding behind the privacy policy, and the user quotes the example scenario only in part to hide the fact that what their doing is not condoned by Linden Labs and to make it sound like their on terms with the privacy policy, so what TheBoris Gothly quoted, has its meaning reversed by all the parts he so conveniently left out. Misrepresenting the Privacy Policy? I think that's enough for banishment from the secondlife system against both zfire xue and TheBoris Gothly right there, but as you expected. Theres more.
The secondlife terms of service specifically disallows this type of activity under the section 8.3 regardless of Privacy Policy which can be viewed here: http://secondlife.com/corporate/tos.php
8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users' functionality, invade other users' privacy, or surreptitiously or negatively impact any system or network.
You agree to respect both the integrity of the Service and the privacy of other users. You will not:
(i) Post or transmit viruses, Trojan horses, worms, spyware, time bombs, cancelbots, or other computer programming routines that may harm the Service or interests or rights of other users, or that may harvest or collect any data or personal information about other users without their consent;
(iv) Engage in malicious or disruptive conduct that impedes or interferes with other users' normal use of the Service;
with that said, It is clear, Spyware is against the secondlife Terms of service, also your probably wondering why section iv is included in the quote? It's because this tool disrupts service for snowglobe 2.0 users and if you read the xstreet page that sells this object at: https://www.xstreetsl.com/modules.php?name=Marketplace&file=item&ItemID=1175807 it becomes clear this tool is designed to cause a crash in the secondlife client quoted from the page: Ejects and TP home intruders automatically often crashing them, if your online or not, group owned land or your own! so this tool further violates the ToS because it is designed to crash a viewer by running the eject function which teleports users to the nearest place off your parcel and the teleport home function which does at it says at the same time against a targeted user.
Also another point I should make with this on the zf redzone site found at http://isellsl.ath.cx/redzone.php there are various statistics posted where as ToS 8.3 states at the end Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation. you can see just how many times the zf redzone system has violated ToS 8.3 under the section Linked IP's which is a count of how many groups of accounts its made to a target IP address, simply put you can violate ToS section 8.3 a single time and be banished from secondlife. This user has made a tool that has done it many thousands of times. I'm just waiting for the ban to happen.
Not to forget, further proof of previously made claim, that this tool is illegal and violates the law. People being scanned by this system receive no notice their being scanned and are not asked for consent which ToS 8.3 clearly states you must have but secondlife ToS is beside the point now. This Tool is illegal. The Legal Code BPC22575-22579 Prohibits this and you can view it here: http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579 zf redzone commits these violations of this law. The law requires that you present the user with a privacy Policy before gathering information on the user, and specifically protects any information that may be used to contact a person In Person or Online, your username is protected under this law.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
This law also as said before states there must be a privacy policy presented to the user information is being collected on, its setup in the zfire xues store in the sim vsevolod I've passed the security system numerous times and received no such notice it was trying to collect information on me or of its privacy Policy. From the law it is stated:
22575. (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post its privacy policy on its Web site, or in the case of an
operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An
operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified
of noncompliance.
if you viewed the previous link to the zf redzone and viewed the item discussion on xstreet the above 30 day notice has already been clearly delivered by a number of users who state this is a privacy violation and you will further see this references another section of the law:
EDIT:(the user posts have been deleted leaving gaps in the item discussion read about it here: http://treminarisecondlife.blogspot.com/2010/07/item-discussion-for-zf-redzone-censored.html I think this puts zf Redzones author and salesperson in knowledgeable and willful violation of BPC22575-22579 as they have covered up the posts pointing out that this is a privacy violation)
(b) The term "conspicuously post" with respect to a privacy policy
shall include posting the privacy policy through any of the
following:
(1) A Web page on which the actual privacy policy is posted if the
Web page is the homepage or first significant page after entering
the Web site.
(2) An icon that hyperlinks to a Web page on which the actual
privacy policy is posted, if the icon is located on the homepage or
the first significant page after entering the Web site, and if the
icon contains the word "privacy." The icon shall also use a color
that contrasts with the background color of the Web page or is
otherwise distinguishable.
(3) A text link that hyperlinks to a Web page on which the actual
privacy policy is posted, if the text link is located on the homepage
or first significant page after entering the Web site, and if the
text link does one of the following:
(A) Includes the word "privacy."
(B) Is written in capital letters equal to or greater in size than
the surrounding text.
(C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
(5) In the case of an online service, any other reasonably
accessible means of making the privacy policy available for consumers
of the online service.
given this specific part of the law the operator zfire xue, obviously cannot carry out Option 1 to give notice to users, Option 2, they must make an object visible in world that can be clicked to view the privacy policy that is noticable in world, option 3 zfire xue must make his tool message the user that is about to be scanned for alts that there is a privacy policy regarding this and the must visit a specific URL in order to view this policy. 4 pretty much covers 3 but declares hyperlinks in services that may not be able to display text links and 5 states very openly that there must be a reasonable means that you can view the privacy policy before this information is collected, and as with any terms of service or privacy policy you need to verify the user was capable of viewing the privacy policy, so at the very least, zfire xue, needs to make this tool popup a dialogue box, with an OK button on it that must be clicked before any information is collected on you. Does zf redzone do any of this? No it does not. I've passed it by several times, its being sold in the sim vsevolod and there is one setup on top of his store location which does nothing to notify me information is being collected on me. So thus hence zf redzone violates this law which is part of the california privacy protection act. Not a California resident and reading this? And wondering how your protected under this law being a California state law? See the above link to the secondlife terms of service section 12.2. it states:(7/14/2010)
You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California without regard to conflict of law principles or the United Nations Convention on the International Sale of Goods. Further, you and Linden Lab agree to submit to the exclusive jurisdiction and venue of the courts located in the City and County of San Francisco, California, except as provided in Section 12.1 regarding optional arbitration. Notwithstanding this, either party shall still be allowed to apply for injunctive or other equitable relief to protect or enforce that party's Intellectual Property Rights in any court of competent jurisdiction where the other party resides or has its principal place of business.
repeated:You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California
simply put you must follow California state law at all times and with all actions within the secondlife service((in addition to your local laws of course)) thus hence all secondlife users are protected under BPC22575-22579 in regards to events occurring related to the secondlife service. But theres more...
and finally zf redzone further violates the law BPC22575-22579 by having a deceptive privacy Policy BPC22575-22579 states:
22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.
and:
(1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information.
(2) If the operator maintains a process for an individual consumer
who uses or visits its commercial Web site or online service to
review and request changes to any of his or her personally
identifiable information that is collected through the Web site or
online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of
material changes to the operator's privacy policy for that Web site
or online service.
(4) Identify its effective date.
zf redzone fails to do all of that, and even more so the privacy policy posted on the redzone website listed above, states:(7/14/2010)[yes zfredzone does have a privacy policy the previously mentioned issue is its not made available to users being scanned at all when its required that it be made available before a scan takes place] Before or at the time of collecting personal information, we will identify the purposes for which information is being collected. ,We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned. ,We do not consider any publicly displayed secondlife information such as usernames, account age, photos displayed to the world, payment status, join date, UUID, IP, platform, viewer, group affiliations, preferred language used, time of day, timezone, region, partner name or any other secondlife information to be private.
given these all above this is taken from the privacy policy of zf redzone, it fails to identify information is even being collected or the purpose of the collection to those it collects information on. It does not acquire consent and as proved above uses unlawful means to collect the info. While a username is public information as they say they do not consider it private, as stated above, (6) Any other identifier that permits the physical or online contacting of a specific individual., despite the publicity they must gain permission to collect your username as it is contact information. This is all required by BPC22575-22579.
I find zfire xue in further violation of BPC22575-22579 on the grounds of:
22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.
The user posts a privacy policy that violates this law by claiming in their privacy policy does things which it does not do which is to cover up that they are in knowledable and willful violation of BPC22575-22579, It also makes any legal protection their privacy Policy provides them Null and Void as they did not adhere to it.
Anyhow now that I've proven one of the people using the secondlife media exploits to identify alternate accounts is violating both the secondlife terms of service, and the law. Onto the final part of this article.
An IP address is a number that identifies your network or computer over the internet, while seemingly innocent enough for use, many services protect the discovery of this information user to user for only admins to view, there are exceptions as an IP address is not private information but it can be used to discover private information on a user or identify usage habits which is private information, or discover additional contact information as described above and prohibited by the above mentioned law BPC22575-22579, once discovered, there are more sinister uses for this information. Now you may already know IP addresses for network resources can change when a resource such as a router or PC is restarted and a connection to the ISP needs to be re-established and that online services such as google acquire IP addresses all the time, an IP address is necasary to facilitate computer to computer communication over the internet, so it must be shared, this is one of many reasons users should only connect to services they trust. I've been ridiculed for my argument against redzone by forum trolls and the such, saying things like oh noes google has my IP address, google is no big deal their legit and responsible and usually answer to issues, and better than an illegitimate service such as redzone, yes its a big deal because it then gets used to uncover identifying information. And then, theres that little troll hacker in the basement of his moms home who lives in nigeria, even worse yet. While it may simply be the address used to identify your PC over the internet and can be traced to the town your ISP operates from. And not to your door, a good analagy to IP addresses is to think of them like home addresses. Also before noting the analogy, anyone with your current IP address and the right utilities can check your network for vulnerabilities.
In explanation of this analogy lets say the internet is this very earth we stand on, people represent users and online activities such as games media, structures and facilities represent web sites and services that facilitate these, and home represents your PC on the internet, the streets the network that supports it all. And your Home address the same as your IP address, while you may subscribe to a premium service that gets you the same IP address again and again for your server, lets say you live in a trailor park and your always moving going from address to address as conditions change every so often.the local college is holding a Job fair, but has had recent issues with crime, being the redneck you are your looking for something better, or just looking for something whatever. You step out of your trailer, the trailer park can be thought of as your home router, all the other residents there are other PC's connected to that address temporarily, you venture out and you go to the job fair, the college the job fair has been held at, has had some issues with a criminal stalking people breaking into their homes, doing undue harm to people and stealing their things, before entering the college since the security is stepped up your all required to get a nametag with your IP address(home address) on it so the college police if witnessing a person committing a crime can easily identify and visit suspects and victims. A cost of privacy for a little security at the campus, a person casually passes by, bumps into you and apologizes(just like a ping request) but they observe your address and take note of it, later that night after you come home you settle in, and don't realize the person while you were at the job fair surveyed your place and found the hide a key(like a security hole being found in a vulnerability scan) later that night you are attacked and fall victim to this same person cause your address was published for the college security.
While just an analogy computers over the internet that have obtained your IP address can perform vulnerability scans which oftentimes takes form of ping and many other types of requests and if your IP address is discoverable through a service, even though it was intended to be viewed by someone else your PC can be located on the internet and targeted for a vulnerability scan and vulnerabilities can be found just like the hide a key, while you may of hid the key well like setting a port to stealth mode on your router. The vulnerability was searched for in many places, and when found you had Open Ports they may have seen what OS your running and what security measures are in place in the vulnerability scan and by gathering this info identified probabilities that your using this and that, which lead them to finding the key(the messaging service you use for example) which opens up that stealth port they just figured out you use an outdated version of windows messenger because through vulnerability scans they identified your OS(your trailor in this analagy) as being windows XP home, with the scans they further identified how to contact your browser which allows them to know many things and odd setting you didnt expect people to know like your desktop resolution which is used in PHP XML, and sometimes CSS functions to identify how to properly format the web page, various functions lead to discovery of various information about you, assumptions can be made about your online activity to identify vulnerabilities in your system. If a advertiser uses a vulnerability scan and finds signs of gaming software, and a PC running in only 800x600 they can pester and spam an email address they discovered using illegitimate means with ad's to get you a better video card, other scenarios can be potentially embarassing.
Like for example Lets say you work for a net firm, and they like to connect with gamers, one of the jobs duties may be to connect to secondlife and try to make a sale on the users there and you like to work extra hard to make that sale, you go home, and login to secondlife from your business alt. While in your business alt you use the service from your bosses location, lets say he rezzed zf redzone. He discovers your personal account, which happens to be a furry(or replace furry with your less understood side and the unusual attributes) and your character has tenticles and all sorts of other naughty features, that are your own personal business, you go into work the next day and receive the pink slip of doom, when you ask why? Your boss says I've seen that episode of CSI with the fursuiters and I know you like to screw animals you sick [expletive deleted], you just lost your job because of your own personal business thats your business and nobody elses, because zf redzone helped your boss peer into your private life and a little misinformation from a myth created by a TV show. Pretty lame isnt it?
I dont know zf redzones complete method for identifying a secondlife name, to an IP address as there are many potential methods to do so and I dont have my hand in the code however I do know its done by linking an IP address to an avatar name in the secondlife service, thats the only way it can be done. As media functions in secondlife reveal IP address and the viewer nor the service make alternate accounts discoverable. It could be just simply comparing who entered the parcel and when a stream was accessed and looking at shoutcast streams IP address list and tagging the newest IP on the list with the avatar name and submitting it to the redzone service, this method is inaccurate but would yield the information redzone seeks, zf redzone could temporarily change the parcel media to direct to a website as a user enters a parcel and have the extension of the web address match the name like exampleIPLoggingsite.com/Treminari/Huet while this method is inaccurate it would yield results, or it could just be simply singling out lone people on parcels and checking to see if one person is tuned into the stream and assuming the person on the secondlife parcel is one in the same, another inaccurate method, there are methods and tests and procedures to determining an IP address of a secondlife user with media enabled with 100% accuracy, and secondlife shared media feature titled media on a prim that allows more flexibility in acquiring an IP address, higher accuracy, easier to perform, and dont require land. While I doubt zf redzone uses this method one thing is certain, it uses IP addresses tagged with avatar names and recent comparisons of the address to identify an alt. You can combine the above methods in various ways to achieve higher accuracy using these inaccurate methods but, there are several disturbingly simple easy to perform methods which will get you the IP address of a user through parcel or media on a prim with 100% accuracy, which I must leave unnamed and undescribed as to not promote them, im sure many of these methods could be used to improve redzones accuracy in discovering it but I dont promote the illegal activities of zfire xue and theBoris gothly with the redzone utility.
Given that someone can get your IP address, through shared media, even if you dont take your privacy seriously or feel you have nothing to hide from you should still take the IP discoverability issue with secondlife media seriously. Though non documented, a vulnerability scan as mentioned before can be used to assess the security state of a discovered users PC and determine weak points in the security(maybe their running a dated version of VNC that allows remote control of their PC for when they go to the office, and has an 8 character length limit for the password that can easily be entered via brute force password scanning) whatever the vulnerabilitiy of the system IP discoverability in secondlife, makes the vulnerability discoverable. User to user, and allows the user to know just who their targeting for attack.
Theres things the lindens can do to fix this, but that would be expensive and unreasonable such as providing every sim a proxy server, or making all sims act as a proxy server, and through flash and java exploits could circumvent these methods. There are things Linden Labs can do that is inexpensive to Mitigate reduce and nearly eliminate privacy and vulnerability issues with secondlife media. First off, they need to take abuse reports seriously, the report field needs to be longer in abuse reports so people can site their resources in proving a case of spyware, even keeping things brief in description there are so many things you need to say to prove it to the lindens. Also they need to start answering to reports of spyware, when an AR failed I submitted it into a support ticket, both lindens responding to that ticket ignored it and did nothing but yap. Also reporting items on xstreet using the report item button needs to be taken more serious your limited to 255 characters in your typed report on xstreet. Also you cannot report an item that has been reported and not investigated yet, you will get an error message saying a report for this item already exists. While you may have been going to file a report saying this item uses media exploits to log IP address to avatar name to make alternate accounts discoverable, some idiot who has no business using the system may have just clicked report, and wrote in this item violated me and do little to nothing to say the incursion which in turn prevents your report, if I was to make an unethical tool such as this I could very well make an alt, and clog the report item system daily against my item so others couldn't report it. Linden Labs Needs to investigate spyware claims, and take users more serious, and they also need to allow multiple people to file a report against an xstreet item just like an object on the grid. Also Linden Labs needs to bring back the warning message that I used to see back in viewer 1.16 or was it 1.18? that tells you when you turn on a stream for the first time and warns you it makes your system discoverable and your IP viewable, doesn't have to give a big disclaimer, but it needs to remind people and allow them to decide for themselves that media can make their PC discoverable and decide what their risks are in using it, the message should be like, warning:using media makes your computers IP address available outside of secondlife, and that addresses can be directed by scripted means, only utilize streams in locations that you trust, Linden labs is not responsible for the actions of other users its a clear concise message which will concern those who need to be concerned and give them a heads up, they can research the topic further if their scared. Also the new web on a Prim feature gives griefers and spyware makers more flexibility in exploiting shared media, there are things that can be done to limit discoverability, by default this options is completely on, and you can turn it off but only completely. There is an option to only load websites on prims when you give the OK but it is easily circumvented(can be disabled by clicking Me > preferences > Sound & Media, and unchecking allow media to auto-play). However if you've been around secondlife you've noticed people can deform your avatar and if your knowledgeable of the method their doing it by gaining animation permissions on you through an object that sits on click and having that object follow your avatar around to load the animation as soon as you click the wrong place and the object often self deletes once its dirty deed is done, there are other methods to performing this attack on users but this is beside the point of this post, the same way they can trick you into sitting on a derformer, you can be tricked into playing shared media, all it takes is a prim set to 100% alpha to follow your avatar around and then load the media exploit all in the same way. Why does this work though? Because all it takes is a single left click to play the media on a prim so turning off autoplay can easily be circumvented, since linden labs does nothing to fix it, and there is plenty of fixes in the Jira suggested none of which they've acted on Ill put in my word here, add the play button for a media source to the right mouse button and dont play media that becomes left clicked. SIMPLE! This obscenely simple fix will mitigate the issue with this method greatly, also many don't know this because its burried away but in the top right corner of the screen in secondlife 2.0 if you mouse over the play button with auto play disabled, a tool bar will pop up that contains a more button, press this button and you will get a display of all the URL's prims are attempting to load around you, this will let you view site addresses before letting them display in your viewer, however here in lyes another serious issue there are 2 buttons one to stop/play the selected item on that list, and another to automatically draw your camera focus to that object, whats the problem? The one that draws your camera focus to the selected item also automatically plays that item. So if you see something suspicious on your land like the URL www.exampleexploitsitehere.com and you click to give focus to that item in trying to locate it, you just also gave it permission to display in your viewer, when you may of just been trying to locate the object displaying the malicious site, you just loaded it on your PC ouch. Linden Labs can fix this simple to just make the buttons do their individual functions and not the function of the other one as well.
I myself defend myself from this I don't use the linden viewer for any purpose beyond my education on it as the interface is poor and with the half thought out security option to disable autoplay viewer 2.0 is more vulnerable to this exploit. I use emerald. Yes I know the team that worked on it did use the media exploit too, no theres nothing I myself have found in their viewer to spy on the user, for a safer more secure secondlife experience, you should use a mature well developed viewer based on secondlife 1.23 such Hippo Opensim or emerald(there are others) and you should disable media, and there is another exploit in the viewer that actually allows you to protect yourself more. Secondlife 1.23 does not allow users to see the stream URL they connect to. However in the advanced menu(ctrl+Alt+D) if the media URL is hidden you can select the option show admin options while attempting to use the admin options that become revealed will be logged in some cases by Linden Labs there is one advantage, by clicking the location name on the top of your screen and bringing up the land information you can see what the media URL is for that location and make your decision whether or not the URL should connect to your PC then(of course I recommend turning this off as soon as your done) and from here you can paste this URL into the play URL option for your favorite media player Like Windows Media Player, Winamp, XMMS, or whatever you prefer to use. Taking this extra step after disabling media completely in your viewer increases your security by allowing you not to accidentally play a media stream in secondlifes viewer whether it be accidentally hitting play or turning automatic play on, it also makes you more secure against objects that may temporarily switch the media option for a really brief moment to discover IPs of those connected.
Aside from how to defend yourself you the reader is probably wondering, How you can make a difference in the media issues with secondlife, there are several things you can do to help:
-Educate Other secondlife users about these exploits, refer them to this blog Post
-Visit http://jira.secondlife.com/secure/Dashboard.jspa and educate yourself about the Jira, search it for issues related to the media problem that suggest a fix, I myself am still trying to decide which to vote for. As theres several suggestions as to how to make viewer 2.0 safer
-If you visit the secondlife Jira Linked above and have a better solution than those proposed, observe how to create a Jira article, and write your solution and encourage others to vote for it.
-Don t give people the information their looking for, don't just leave the streaming media on full time, turn it off always when not in use.
-Don t visit sites or buy products that claim to give you information on another secondlife user or claim they can effect the user off the grid or detect anything secondlife doesn't normally allow you to do yourself.
Things you can do about current infractions against your privacy on secondlife:
-Visit http://www.ftc.gov/ftc/contact.shtm or http://www.ic3.gov/complaint/default.aspx and report spyware authors that violate the law. Remember as stated earlier under this article all users using the secondlife service are protected by the California Privacy Protection act which BPC22575-22579 defines, the FTC link is obviously to the FTC, and the IC3 Link is to the FBI's internet crime department, both deal in issues of spyware.
-Use the report item Button in xstreet and file a report item complaint against spyware for a terms of service violation 8.3, and when writing the report site what you know about the spyware and resources that prove its spyware.
-visit the location of known spyware while protecting yourself from it by disabling media and use the report abuse button on the offending object, report spyware you see rezzed and vending systems that sell it such as the vendor for zf redzone in vsevolod/182/49/113(there is a spyware vendor for the zf redzone system as well as the spyware security orb there itself on top of the building with the vendors)
Edit:just lovely I see the text editor I started writing this in dropped out all my quotation marks when I copied it to here!
Edit: looked at the Item Discussion found another part of the privacy Policy TheBoris Gothly and zfire xue are hiding behind will post it below here as not to disrupt my Original article:
from the item discussion at 2010-05-08 12:17:57:
we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data.
Lets look at that in whole shall we?:
Third Party Advertisements
Linden Lab participates in ad and/or affiliate networks operated by various third party companies. These companies collect and may use certain anonymous information about your visits to our Websites as a function of referring Internet traffic to our Websites. We do not permit these companies to collect any personal information about you, such as your name, address, or email address; however, we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data. If you seek information about these specialized advertising technologies, the Network Advertising Initiative offers useful information about Internet advertising companies (also called "ad networks" or "network advertisers"), including information about how to opt-out of their information collection.
Lets Explain it shall we? first off, this is the advertising Policy, a Policy in regards to advertisements only. It also says the companies may collect and use certain information. so obviously in certain information this is information released by Linden Labs you can view this here btw: http://secondlife.com/corporate/privacy.php and the 2 previous paragraphs pretty much limit information collected to website visits and lindex exchange, and disallow personal information which as defined by BPC22575-22579 is account names held as they are contact information, while this paragraph permits collection of IP address it does not permit use of this to datamine a user and lets look into the big part of this that they hide behind
These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites
ok first off the information must remain anonymous, it is contact information that is being collected not completely anonymous by any standard, so that's a violation of the privacy policy, second off it pertains to information collected about visits to the websites operated by Linden Labs like visiting secondlife.com, and as said before its an advertising policy, this policy permits advertisers to set up properly targeted ads, much in the same way googles ad sense works where as advertisements can be properly directed(so they can match IP address to search terms), this also pertains to xstreet. ever notice how that advertisement banner at the top of the search usually has something related to what your searching for vaguely related to an item in the search? this policy is to assist in the operation of functions like that. also aside from this, the information being collected on you by zfire xue and his redzone system has no method of opt out oh and something else I totally forgot to mention, which this privacy policy states, is this guy an affiliate of Linden Labs? I don't think so. If he was I think he would understand the privacy policy a little better and know that this section pertains solely to advertising, but as with any other part of the policy he quotes he conveniently leaves stuff out, he is in knowledgeable violation of it as you can see above he conveniently leaves parts out which is clearly intentional. A business affiliate of Linden Labs would not do this because they know they can be sued by both Linden Labs and the userbase they effected. In which bbrings me to another part of the terms of Service:
8.2 You will not post or transmit prohibited Content, including any Content that is illegal, harassing or violates any person's rights.
in accordance with BPC22575-22579 since Linden Labs operates out of california which specifically makes spyware illegal as it falls under the protection of BPC22575-22579 aside from violating our rights the content of zf redzone is specifically illegal
(i) Post, display or transmit Content that violates any law, or the rights of any third party including without limitation Intellectual Property Rights;
(ii) Impersonate any person or entity without their consent, or otherwise misrepresent your affiliation;
hes misrepresenting his affiliation obviously, hes obviously violating our right to privacy and hes obviosly breaking the law in doing so as ive touched on a many of times in this article BPC22575-22579.
(iv) Post, display or transmit Content that is harmful, threatening or harassing, defamatory, libelous, false, inaccurate, misleading, or invades another person's privacy;
nuff said that's covered in section 8.3 which I kept saying but all in all the zf redzone product invades user privacy
and yet again under section 8.2 as with section 8.3:
Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation.
It has come to My attention that security issues with media in secondlife have become a serious problem and many users downplay these security issues. In this Post I'm going to write about mostly a tool that commits these security exploits, issues regarding it, It's creator, It's Legality, and I'm also going to write about other things that can be done with this mentioned exploit, many of the cases outside the discussion of the tool are undocumented but potential threats to secondlife and it's users.
I Discovered a while back on XstreetSL.com a security orb tool that claims to ban copybotters, and their alts? Well now how do they do this? Are they getting my information? Pulling it From my PC? Are they Invading my Privacy? Is this legal? Many people are familiar with such a tool, and when I discuss it they often mention a tool I have yet to look into titled CDS, the tool I am mentioning is Called zf redzone, and is published by a zfire xue. To answer the above questions: It utilizes Secondlife Media functions to obtain IP addresses on avatars, and compare them searching for avatars with the matching IP address. Their Getting information on you such as alternate accounts, there are rumors that this tool scans your hard drive to locate info on you, but really that's likely an exaggeration of its functionality. The information is not pulled from your PC, it's gained from the nearest routing point they can get to which is your home router, so when they do identify your alts, oftentimes others you share residence with will be included. Yes they are invading your privacy as they are collecting Information about you without your knowledge or consent. It's Illegal by secondlife Terms of service and By Law, Secondlife Terms of service Section 8.3 Specifically disallows the use of spyware, and the Tool violates the California privacy Protection act a law designed to protect any systems within California, Linden Labs being a california based company and the spyware residing on their servers, means that all secondlife residents are Protected under the california Privacy protect act, specifically BPC22575-22579 protects you and linden labs servers. Also to top it all off you and your alt, or roommate may not visit the same locations in secondlife? Guess what? It's a distributed system that utilizes web functions to log this information so your alts may be identified even if never crossing the same point, so long as they are both scanned by the zf redzone system. Is this system 120% accurate as the author claims? No It is not. As it works based on IP and can identify roommates, or people you login to assist as alt's, also if you log in from college or a dormitory connection, to zf redzone it may look like you have hundreads of alts. Which brings upon another function of this tool, client detection. If it detects a copybot. It bans the user, and their alts. Is It's copybot protection 100% accurate? NO! Any copybot with media off can evade it and any snowglobe 2.0 user appears to be copybot to this system. Anyhow snowglobe users are probably reading this and wondering why hasent this thing banned me for snowglobe use. If you are. Do your research on the viewer your using! Anyone that knows much of anything about alternate secondlife viewers and snowglobe should know snowglobe has 2 major distributions which are Snowglobe 1.3(based on secondlife 1.23) and Snowglobe 2.0(based on secondlife 2.0) both viewers being inherently different their only the same in name as they both come from different codebases, so when zf redzone detects snowglobe, it is detecting the use of snowglobe 1.3. Please see this link regarding a user who contacted zfire xue about this nasty issue, and the ignorant response he was given: http://www.mail-archive.com/opensource-dev@lists.secondlife.com/msg02048.html Obviously the creator does not acknowledge his system has a flaw and thus then will do nothing to fix it.
Now Onto the point why it upsets me, upon viewing this spyware for sale on xstreet I contacted the seller, what I suspect is an alternate account known as TheBoris Gothly. And inquired about what it did, the inquiry lead me to find the user has no consideration for the privacy of others or potential misuse of the system. Upon interviewing the user he quoted the privacy Policy of Linden Labs and convenienintly neglected the parts that did not fit his misuse of the service he quoted:
some services operated by Second Life users may provide content that is accessed through and located on third party (non-Linden Lab) servers that may log IP addresses.
however he conveniently left out the previous part that sites this is only an example of users are capable of that immediately states beforehand:
For instance,
and he also conveniently left out the purpose of that part of the privacy Policy:
Certain account information is displayed to other users in your Second Life profile, and may be available through automated script calls and application program interfaces. This information includes your account name, account type, the date your account was established, whether or not you are currently online, user rating information, group and partner information, and whether or not you have established a payment account or transaction history with Linden Lab. Further, you agree and understand that Linden Lab does not control and is not responsible for information, privacy or security practices concerning data that you provide to, or that may otherwise be collected by, Second Life users other than Linden Lab.
want to see the privacy Policy that's quoted here in whole? View it here:
http://secondlife.com/corporate/privacy.php (7/14/2010)
with that stated the privacy policy in whole means Linden Labs shall in no way be held responsible for information that you include within your profile and shall not be held responsible for data mining schemes of other users like this one we provide an example of so if you get someone hiding behind the privacy policy, and the user quotes the example scenario only in part to hide the fact that what their doing is not condoned by Linden Labs and to make it sound like their on terms with the privacy policy, so what TheBoris Gothly quoted, has its meaning reversed by all the parts he so conveniently left out. Misrepresenting the Privacy Policy? I think that's enough for banishment from the secondlife system against both zfire xue and TheBoris Gothly right there, but as you expected. Theres more.
The secondlife terms of service specifically disallows this type of activity under the section 8.3 regardless of Privacy Policy which can be viewed here: http://secondlife.com/corporate/tos.php
8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users' functionality, invade other users' privacy, or surreptitiously or negatively impact any system or network.
You agree to respect both the integrity of the Service and the privacy of other users. You will not:
(i) Post or transmit viruses, Trojan horses, worms, spyware, time bombs, cancelbots, or other computer programming routines that may harm the Service or interests or rights of other users, or that may harvest or collect any data or personal information about other users without their consent;
(iv) Engage in malicious or disruptive conduct that impedes or interferes with other users' normal use of the Service;
with that said, It is clear, Spyware is against the secondlife Terms of service, also your probably wondering why section iv is included in the quote? It's because this tool disrupts service for snowglobe 2.0 users and if you read the xstreet page that sells this object at: https://www.xstreetsl.com/modules.php?name=Marketplace&file=item&ItemID=1175807 it becomes clear this tool is designed to cause a crash in the secondlife client quoted from the page: Ejects and TP home intruders automatically often crashing them, if your online or not, group owned land or your own! so this tool further violates the ToS because it is designed to crash a viewer by running the eject function which teleports users to the nearest place off your parcel and the teleport home function which does at it says at the same time against a targeted user.
Also another point I should make with this on the zf redzone site found at http://isellsl.ath.cx/redzone.php there are various statistics posted where as ToS 8.3 states at the end Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation. you can see just how many times the zf redzone system has violated ToS 8.3 under the section Linked IP's which is a count of how many groups of accounts its made to a target IP address, simply put you can violate ToS section 8.3 a single time and be banished from secondlife. This user has made a tool that has done it many thousands of times. I'm just waiting for the ban to happen.
Not to forget, further proof of previously made claim, that this tool is illegal and violates the law. People being scanned by this system receive no notice their being scanned and are not asked for consent which ToS 8.3 clearly states you must have but secondlife ToS is beside the point now. This Tool is illegal. The Legal Code BPC22575-22579 Prohibits this and you can view it here: http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579 zf redzone commits these violations of this law. The law requires that you present the user with a privacy Policy before gathering information on the user, and specifically protects any information that may be used to contact a person In Person or Online, your username is protected under this law.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
This law also as said before states there must be a privacy policy presented to the user information is being collected on, its setup in the zfire xues store in the sim vsevolod I've passed the security system numerous times and received no such notice it was trying to collect information on me or of its privacy Policy. From the law it is stated:
22575. (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post its privacy policy on its Web site, or in the case of an
operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An
operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified
of noncompliance.
if you viewed the previous link to the zf redzone and viewed the item discussion on xstreet the above 30 day notice has already been clearly delivered by a number of users who state this is a privacy violation and you will further see this references another section of the law:
EDIT:(the user posts have been deleted leaving gaps in the item discussion read about it here: http://treminarisecondlife.blogspot.com/2010/07/item-discussion-for-zf-redzone-censored.html I think this puts zf Redzones author and salesperson in knowledgeable and willful violation of BPC22575-22579 as they have covered up the posts pointing out that this is a privacy violation)
(b) The term "conspicuously post" with respect to a privacy policy
shall include posting the privacy policy through any of the
following:
(1) A Web page on which the actual privacy policy is posted if the
Web page is the homepage or first significant page after entering
the Web site.
(2) An icon that hyperlinks to a Web page on which the actual
privacy policy is posted, if the icon is located on the homepage or
the first significant page after entering the Web site, and if the
icon contains the word "privacy." The icon shall also use a color
that contrasts with the background color of the Web page or is
otherwise distinguishable.
(3) A text link that hyperlinks to a Web page on which the actual
privacy policy is posted, if the text link is located on the homepage
or first significant page after entering the Web site, and if the
text link does one of the following:
(A) Includes the word "privacy."
(B) Is written in capital letters equal to or greater in size than
the surrounding text.
(C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
(5) In the case of an online service, any other reasonably
accessible means of making the privacy policy available for consumers
of the online service.
given this specific part of the law the operator zfire xue, obviously cannot carry out Option 1 to give notice to users, Option 2, they must make an object visible in world that can be clicked to view the privacy policy that is noticable in world, option 3 zfire xue must make his tool message the user that is about to be scanned for alts that there is a privacy policy regarding this and the must visit a specific URL in order to view this policy. 4 pretty much covers 3 but declares hyperlinks in services that may not be able to display text links and 5 states very openly that there must be a reasonable means that you can view the privacy policy before this information is collected, and as with any terms of service or privacy policy you need to verify the user was capable of viewing the privacy policy, so at the very least, zfire xue, needs to make this tool popup a dialogue box, with an OK button on it that must be clicked before any information is collected on you. Does zf redzone do any of this? No it does not. I've passed it by several times, its being sold in the sim vsevolod and there is one setup on top of his store location which does nothing to notify me information is being collected on me. So thus hence zf redzone violates this law which is part of the california privacy protection act. Not a California resident and reading this? And wondering how your protected under this law being a California state law? See the above link to the secondlife terms of service section 12.2. it states:(7/14/2010)
You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California without regard to conflict of law principles or the United Nations Convention on the International Sale of Goods. Further, you and Linden Lab agree to submit to the exclusive jurisdiction and venue of the courts located in the City and County of San Francisco, California, except as provided in Section 12.1 regarding optional arbitration. Notwithstanding this, either party shall still be allowed to apply for injunctive or other equitable relief to protect or enforce that party's Intellectual Property Rights in any court of competent jurisdiction where the other party resides or has its principal place of business.
repeated:You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California
simply put you must follow California state law at all times and with all actions within the secondlife service((in addition to your local laws of course)) thus hence all secondlife users are protected under BPC22575-22579 in regards to events occurring related to the secondlife service. But theres more...
and finally zf redzone further violates the law BPC22575-22579 by having a deceptive privacy Policy BPC22575-22579 states:
22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.
and:
(1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information.
(2) If the operator maintains a process for an individual consumer
who uses or visits its commercial Web site or online service to
review and request changes to any of his or her personally
identifiable information that is collected through the Web site or
online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of
material changes to the operator's privacy policy for that Web site
or online service.
(4) Identify its effective date.
zf redzone fails to do all of that, and even more so the privacy policy posted on the redzone website listed above, states:(7/14/2010)[yes zfredzone does have a privacy policy the previously mentioned issue is its not made available to users being scanned at all when its required that it be made available before a scan takes place] Before or at the time of collecting personal information, we will identify the purposes for which information is being collected. ,We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned. ,We do not consider any publicly displayed secondlife information such as usernames, account age, photos displayed to the world, payment status, join date, UUID, IP, platform, viewer, group affiliations, preferred language used, time of day, timezone, region, partner name or any other secondlife information to be private.
given these all above this is taken from the privacy policy of zf redzone, it fails to identify information is even being collected or the purpose of the collection to those it collects information on. It does not acquire consent and as proved above uses unlawful means to collect the info. While a username is public information as they say they do not consider it private, as stated above, (6) Any other identifier that permits the physical or online contacting of a specific individual., despite the publicity they must gain permission to collect your username as it is contact information. This is all required by BPC22575-22579.
I find zfire xue in further violation of BPC22575-22579 on the grounds of:
22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.
The user posts a privacy policy that violates this law by claiming in their privacy policy does things which it does not do which is to cover up that they are in knowledable and willful violation of BPC22575-22579, It also makes any legal protection their privacy Policy provides them Null and Void as they did not adhere to it.
Anyhow now that I've proven one of the people using the secondlife media exploits to identify alternate accounts is violating both the secondlife terms of service, and the law. Onto the final part of this article.
An IP address is a number that identifies your network or computer over the internet, while seemingly innocent enough for use, many services protect the discovery of this information user to user for only admins to view, there are exceptions as an IP address is not private information but it can be used to discover private information on a user or identify usage habits which is private information, or discover additional contact information as described above and prohibited by the above mentioned law BPC22575-22579, once discovered, there are more sinister uses for this information. Now you may already know IP addresses for network resources can change when a resource such as a router or PC is restarted and a connection to the ISP needs to be re-established and that online services such as google acquire IP addresses all the time, an IP address is necasary to facilitate computer to computer communication over the internet, so it must be shared, this is one of many reasons users should only connect to services they trust. I've been ridiculed for my argument against redzone by forum trolls and the such, saying things like oh noes google has my IP address, google is no big deal their legit and responsible and usually answer to issues, and better than an illegitimate service such as redzone, yes its a big deal because it then gets used to uncover identifying information. And then, theres that little troll hacker in the basement of his moms home who lives in nigeria, even worse yet. While it may simply be the address used to identify your PC over the internet and can be traced to the town your ISP operates from. And not to your door, a good analagy to IP addresses is to think of them like home addresses. Also before noting the analogy, anyone with your current IP address and the right utilities can check your network for vulnerabilities.
In explanation of this analogy lets say the internet is this very earth we stand on, people represent users and online activities such as games media, structures and facilities represent web sites and services that facilitate these, and home represents your PC on the internet, the streets the network that supports it all. And your Home address the same as your IP address, while you may subscribe to a premium service that gets you the same IP address again and again for your server, lets say you live in a trailor park and your always moving going from address to address as conditions change every so often.the local college is holding a Job fair, but has had recent issues with crime, being the redneck you are your looking for something better, or just looking for something whatever. You step out of your trailer, the trailer park can be thought of as your home router, all the other residents there are other PC's connected to that address temporarily, you venture out and you go to the job fair, the college the job fair has been held at, has had some issues with a criminal stalking people breaking into their homes, doing undue harm to people and stealing their things, before entering the college since the security is stepped up your all required to get a nametag with your IP address(home address) on it so the college police if witnessing a person committing a crime can easily identify and visit suspects and victims. A cost of privacy for a little security at the campus, a person casually passes by, bumps into you and apologizes(just like a ping request) but they observe your address and take note of it, later that night after you come home you settle in, and don't realize the person while you were at the job fair surveyed your place and found the hide a key(like a security hole being found in a vulnerability scan) later that night you are attacked and fall victim to this same person cause your address was published for the college security.
While just an analogy computers over the internet that have obtained your IP address can perform vulnerability scans which oftentimes takes form of ping and many other types of requests and if your IP address is discoverable through a service, even though it was intended to be viewed by someone else your PC can be located on the internet and targeted for a vulnerability scan and vulnerabilities can be found just like the hide a key, while you may of hid the key well like setting a port to stealth mode on your router. The vulnerability was searched for in many places, and when found you had Open Ports they may have seen what OS your running and what security measures are in place in the vulnerability scan and by gathering this info identified probabilities that your using this and that, which lead them to finding the key(the messaging service you use for example) which opens up that stealth port they just figured out you use an outdated version of windows messenger because through vulnerability scans they identified your OS(your trailor in this analagy) as being windows XP home, with the scans they further identified how to contact your browser which allows them to know many things and odd setting you didnt expect people to know like your desktop resolution which is used in PHP XML, and sometimes CSS functions to identify how to properly format the web page, various functions lead to discovery of various information about you, assumptions can be made about your online activity to identify vulnerabilities in your system. If a advertiser uses a vulnerability scan and finds signs of gaming software, and a PC running in only 800x600 they can pester and spam an email address they discovered using illegitimate means with ad's to get you a better video card, other scenarios can be potentially embarassing.
Like for example Lets say you work for a net firm, and they like to connect with gamers, one of the jobs duties may be to connect to secondlife and try to make a sale on the users there and you like to work extra hard to make that sale, you go home, and login to secondlife from your business alt. While in your business alt you use the service from your bosses location, lets say he rezzed zf redzone. He discovers your personal account, which happens to be a furry(or replace furry with your less understood side and the unusual attributes) and your character has tenticles and all sorts of other naughty features, that are your own personal business, you go into work the next day and receive the pink slip of doom, when you ask why? Your boss says I've seen that episode of CSI with the fursuiters and I know you like to screw animals you sick [expletive deleted], you just lost your job because of your own personal business thats your business and nobody elses, because zf redzone helped your boss peer into your private life and a little misinformation from a myth created by a TV show. Pretty lame isnt it?
I dont know zf redzones complete method for identifying a secondlife name, to an IP address as there are many potential methods to do so and I dont have my hand in the code however I do know its done by linking an IP address to an avatar name in the secondlife service, thats the only way it can be done. As media functions in secondlife reveal IP address and the viewer nor the service make alternate accounts discoverable. It could be just simply comparing who entered the parcel and when a stream was accessed and looking at shoutcast streams IP address list and tagging the newest IP on the list with the avatar name and submitting it to the redzone service, this method is inaccurate but would yield the information redzone seeks, zf redzone could temporarily change the parcel media to direct to a website as a user enters a parcel and have the extension of the web address match the name like exampleIPLoggingsite.com/Treminari/Huet while this method is inaccurate it would yield results, or it could just be simply singling out lone people on parcels and checking to see if one person is tuned into the stream and assuming the person on the secondlife parcel is one in the same, another inaccurate method, there are methods and tests and procedures to determining an IP address of a secondlife user with media enabled with 100% accuracy, and secondlife shared media feature titled media on a prim that allows more flexibility in acquiring an IP address, higher accuracy, easier to perform, and dont require land. While I doubt zf redzone uses this method one thing is certain, it uses IP addresses tagged with avatar names and recent comparisons of the address to identify an alt. You can combine the above methods in various ways to achieve higher accuracy using these inaccurate methods but, there are several disturbingly simple easy to perform methods which will get you the IP address of a user through parcel or media on a prim with 100% accuracy, which I must leave unnamed and undescribed as to not promote them, im sure many of these methods could be used to improve redzones accuracy in discovering it but I dont promote the illegal activities of zfire xue and theBoris gothly with the redzone utility.
Given that someone can get your IP address, through shared media, even if you dont take your privacy seriously or feel you have nothing to hide from you should still take the IP discoverability issue with secondlife media seriously. Though non documented, a vulnerability scan as mentioned before can be used to assess the security state of a discovered users PC and determine weak points in the security(maybe their running a dated version of VNC that allows remote control of their PC for when they go to the office, and has an 8 character length limit for the password that can easily be entered via brute force password scanning) whatever the vulnerabilitiy of the system IP discoverability in secondlife, makes the vulnerability discoverable. User to user, and allows the user to know just who their targeting for attack.
Theres things the lindens can do to fix this, but that would be expensive and unreasonable such as providing every sim a proxy server, or making all sims act as a proxy server, and through flash and java exploits could circumvent these methods. There are things Linden Labs can do that is inexpensive to Mitigate reduce and nearly eliminate privacy and vulnerability issues with secondlife media. First off, they need to take abuse reports seriously, the report field needs to be longer in abuse reports so people can site their resources in proving a case of spyware, even keeping things brief in description there are so many things you need to say to prove it to the lindens. Also they need to start answering to reports of spyware, when an AR failed I submitted it into a support ticket, both lindens responding to that ticket ignored it and did nothing but yap. Also reporting items on xstreet using the report item button needs to be taken more serious your limited to 255 characters in your typed report on xstreet. Also you cannot report an item that has been reported and not investigated yet, you will get an error message saying a report for this item already exists. While you may have been going to file a report saying this item uses media exploits to log IP address to avatar name to make alternate accounts discoverable, some idiot who has no business using the system may have just clicked report, and wrote in this item violated me and do little to nothing to say the incursion which in turn prevents your report, if I was to make an unethical tool such as this I could very well make an alt, and clog the report item system daily against my item so others couldn't report it. Linden Labs Needs to investigate spyware claims, and take users more serious, and they also need to allow multiple people to file a report against an xstreet item just like an object on the grid. Also Linden Labs needs to bring back the warning message that I used to see back in viewer 1.16 or was it 1.18? that tells you when you turn on a stream for the first time and warns you it makes your system discoverable and your IP viewable, doesn't have to give a big disclaimer, but it needs to remind people and allow them to decide for themselves that media can make their PC discoverable and decide what their risks are in using it, the message should be like, warning:using media makes your computers IP address available outside of secondlife, and that addresses can be directed by scripted means, only utilize streams in locations that you trust, Linden labs is not responsible for the actions of other users its a clear concise message which will concern those who need to be concerned and give them a heads up, they can research the topic further if their scared. Also the new web on a Prim feature gives griefers and spyware makers more flexibility in exploiting shared media, there are things that can be done to limit discoverability, by default this options is completely on, and you can turn it off but only completely. There is an option to only load websites on prims when you give the OK but it is easily circumvented(can be disabled by clicking Me > preferences > Sound & Media, and unchecking allow media to auto-play). However if you've been around secondlife you've noticed people can deform your avatar and if your knowledgeable of the method their doing it by gaining animation permissions on you through an object that sits on click and having that object follow your avatar around to load the animation as soon as you click the wrong place and the object often self deletes once its dirty deed is done, there are other methods to performing this attack on users but this is beside the point of this post, the same way they can trick you into sitting on a derformer, you can be tricked into playing shared media, all it takes is a prim set to 100% alpha to follow your avatar around and then load the media exploit all in the same way. Why does this work though? Because all it takes is a single left click to play the media on a prim so turning off autoplay can easily be circumvented, since linden labs does nothing to fix it, and there is plenty of fixes in the Jira suggested none of which they've acted on Ill put in my word here, add the play button for a media source to the right mouse button and dont play media that becomes left clicked. SIMPLE! This obscenely simple fix will mitigate the issue with this method greatly, also many don't know this because its burried away but in the top right corner of the screen in secondlife 2.0 if you mouse over the play button with auto play disabled, a tool bar will pop up that contains a more button, press this button and you will get a display of all the URL's prims are attempting to load around you, this will let you view site addresses before letting them display in your viewer, however here in lyes another serious issue there are 2 buttons one to stop/play the selected item on that list, and another to automatically draw your camera focus to that object, whats the problem? The one that draws your camera focus to the selected item also automatically plays that item. So if you see something suspicious on your land like the URL www.exampleexploitsitehere.com and you click to give focus to that item in trying to locate it, you just also gave it permission to display in your viewer, when you may of just been trying to locate the object displaying the malicious site, you just loaded it on your PC ouch. Linden Labs can fix this simple to just make the buttons do their individual functions and not the function of the other one as well.
I myself defend myself from this I don't use the linden viewer for any purpose beyond my education on it as the interface is poor and with the half thought out security option to disable autoplay viewer 2.0 is more vulnerable to this exploit. I use emerald. Yes I know the team that worked on it did use the media exploit too, no theres nothing I myself have found in their viewer to spy on the user, for a safer more secure secondlife experience, you should use a mature well developed viewer based on secondlife 1.23 such Hippo Opensim or emerald(there are others) and you should disable media, and there is another exploit in the viewer that actually allows you to protect yourself more. Secondlife 1.23 does not allow users to see the stream URL they connect to. However in the advanced menu(ctrl+Alt+D) if the media URL is hidden you can select the option show admin options while attempting to use the admin options that become revealed will be logged in some cases by Linden Labs there is one advantage, by clicking the location name on the top of your screen and bringing up the land information you can see what the media URL is for that location and make your decision whether or not the URL should connect to your PC then(of course I recommend turning this off as soon as your done) and from here you can paste this URL into the play URL option for your favorite media player Like Windows Media Player, Winamp, XMMS, or whatever you prefer to use. Taking this extra step after disabling media completely in your viewer increases your security by allowing you not to accidentally play a media stream in secondlifes viewer whether it be accidentally hitting play or turning automatic play on, it also makes you more secure against objects that may temporarily switch the media option for a really brief moment to discover IPs of those connected.
Aside from how to defend yourself you the reader is probably wondering, How you can make a difference in the media issues with secondlife, there are several things you can do to help:
-Educate Other secondlife users about these exploits, refer them to this blog Post
-Visit http://jira.secondlife.com/secure/Dashboard.jspa and educate yourself about the Jira, search it for issues related to the media problem that suggest a fix, I myself am still trying to decide which to vote for. As theres several suggestions as to how to make viewer 2.0 safer
-If you visit the secondlife Jira Linked above and have a better solution than those proposed, observe how to create a Jira article, and write your solution and encourage others to vote for it.
-Don t give people the information their looking for, don't just leave the streaming media on full time, turn it off always when not in use.
-Don t visit sites or buy products that claim to give you information on another secondlife user or claim they can effect the user off the grid or detect anything secondlife doesn't normally allow you to do yourself.
Things you can do about current infractions against your privacy on secondlife:
-Visit http://www.ftc.gov/ftc/contact.shtm or http://www.ic3.gov/complaint/default.aspx and report spyware authors that violate the law. Remember as stated earlier under this article all users using the secondlife service are protected by the California Privacy Protection act which BPC22575-22579 defines, the FTC link is obviously to the FTC, and the IC3 Link is to the FBI's internet crime department, both deal in issues of spyware.
-Use the report item Button in xstreet and file a report item complaint against spyware for a terms of service violation 8.3, and when writing the report site what you know about the spyware and resources that prove its spyware.
-visit the location of known spyware while protecting yourself from it by disabling media and use the report abuse button on the offending object, report spyware you see rezzed and vending systems that sell it such as the vendor for zf redzone in vsevolod/182/49/113(there is a spyware vendor for the zf redzone system as well as the spyware security orb there itself on top of the building with the vendors)
Edit:just lovely I see the text editor I started writing this in dropped out all my quotation marks when I copied it to here!
Edit: looked at the Item Discussion found another part of the privacy Policy TheBoris Gothly and zfire xue are hiding behind will post it below here as not to disrupt my Original article:
from the item discussion at 2010-05-08 12:17:57:
we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data.
Lets look at that in whole shall we?:
Third Party Advertisements
Linden Lab participates in ad and/or affiliate networks operated by various third party companies. These companies collect and may use certain anonymous information about your visits to our Websites as a function of referring Internet traffic to our Websites. We do not permit these companies to collect any personal information about you, such as your name, address, or email address; however, we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data. If you seek information about these specialized advertising technologies, the Network Advertising Initiative offers useful information about Internet advertising companies (also called "ad networks" or "network advertisers"), including information about how to opt-out of their information collection.
Lets Explain it shall we? first off, this is the advertising Policy, a Policy in regards to advertisements only. It also says the companies may collect and use certain information. so obviously in certain information this is information released by Linden Labs you can view this here btw: http://secondlife.com/corporate/privacy.php and the 2 previous paragraphs pretty much limit information collected to website visits and lindex exchange, and disallow personal information which as defined by BPC22575-22579 is account names held as they are contact information, while this paragraph permits collection of IP address it does not permit use of this to datamine a user and lets look into the big part of this that they hide behind
These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites
ok first off the information must remain anonymous, it is contact information that is being collected not completely anonymous by any standard, so that's a violation of the privacy policy, second off it pertains to information collected about visits to the websites operated by Linden Labs like visiting secondlife.com, and as said before its an advertising policy, this policy permits advertisers to set up properly targeted ads, much in the same way googles ad sense works where as advertisements can be properly directed(so they can match IP address to search terms), this also pertains to xstreet. ever notice how that advertisement banner at the top of the search usually has something related to what your searching for vaguely related to an item in the search? this policy is to assist in the operation of functions like that. also aside from this, the information being collected on you by zfire xue and his redzone system has no method of opt out oh and something else I totally forgot to mention, which this privacy policy states, is this guy an affiliate of Linden Labs? I don't think so. If he was I think he would understand the privacy policy a little better and know that this section pertains solely to advertising, but as with any other part of the policy he quotes he conveniently leaves stuff out, he is in knowledgeable violation of it as you can see above he conveniently leaves parts out which is clearly intentional. A business affiliate of Linden Labs would not do this because they know they can be sued by both Linden Labs and the userbase they effected. In which bbrings me to another part of the terms of Service:
8.2 You will not post or transmit prohibited Content, including any Content that is illegal, harassing or violates any person's rights.
in accordance with BPC22575-22579 since Linden Labs operates out of california which specifically makes spyware illegal as it falls under the protection of BPC22575-22579 aside from violating our rights the content of zf redzone is specifically illegal
(i) Post, display or transmit Content that violates any law, or the rights of any third party including without limitation Intellectual Property Rights;
(ii) Impersonate any person or entity without their consent, or otherwise misrepresent your affiliation;
hes misrepresenting his affiliation obviously, hes obviously violating our right to privacy and hes obviosly breaking the law in doing so as ive touched on a many of times in this article BPC22575-22579.
(iv) Post, display or transmit Content that is harmful, threatening or harassing, defamatory, libelous, false, inaccurate, misleading, or invades another person's privacy;
nuff said that's covered in section 8.3 which I kept saying but all in all the zf redzone product invades user privacy
and yet again under section 8.2 as with section 8.3:
Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation.
Subscribe to:
Posts (Atom)