today I went to a club, and I saw a bunch of emerald users, an LGG Proxy(malicious viewer) user, a couple imprudence users a few sl2.0 users .... or did I?
actually everyone there was Emerald users with the exception of some 2.0 users.... apparently now you can set the color your name tag appears to other emerald users, after they established a color coded system where viewers could be identified by the color of name-tag, I'm used to malicious viewers being marked red, there was a guy at the club with his name marked red cause he set a custom color with his viewer, I don't like this. So far since I've started using emerald since my ex-mate tugged me into it with the introduction of boob jiggle version1.23.5.950? and so far, in all my time here, and I get around, I've only seen one Malicious viewer, and one unknown which brings me to a question. does anybody out there know what Moymix is? I googled it and cant find any useful information, one person seems to suspect its a viewer that allows free uploads, I dunno, but I remember seeing it marked in pink, much like viewer 2.0 is before this custom color tagging, aside from that Ive seen a viewer marked "LGG Proxy" one time a while back(googling it revealed it was a malicious viewer) and it was marked as red, so I'm used to the idea of red meaning its a bad viewer. now since people can set their tags to red on their own, I'm kinda thrown way off.
Monday, July 26, 2010
Saturday, July 24, 2010
Item Discussion for zf Redzone Censored
So Today I was filing my usual reports against the zf redzone system visited the xstreet page and of course got the stupid message saying a report already exists for this item, also filed an AR against its location in vsevolod, but I noticed something, every negative comment about it in the Item discussion has been deleted, last I checked it was 103 posts now whittled down to 72 posts, obviously there's a lot of negative to be said about it. I don't know whether the Lindens deleted the comments due to complaint of the seller, or if the seller decided to go back and delete them, I haven't used xstreet in forever so I don't know if you can moderate your item discussion, but it sure seems like to me the creator wants to censor every little bit that says what he is doing violates the ToS and is illegal, so with that his replies against the users should stand on their own if not the case, but why would he need to delete it? obviously someone hit the nail right on the head, probably he had the comments deleted because they can be used to show that he is in knowledgeable violation of BPC22575-22579. either way I'm going to continue to report this to the Lindens, as his utility is a serious threat to those who have multiple accounts regardless of reason for those, and as with found with the previous statement and comments, those who compile their own viewer(so most the developer community)
you can see the item discussion here:
https://www.xstreetsl.com/modules.php?name=Marketplace&file=discussions&ItemID=1175807
Take notice to all the gaps in the conversation
you can see the item discussion here:
https://www.xstreetsl.com/modules.php?name=Marketplace&file=discussions&ItemID=1175807
Take notice to all the gaps in the conversation
Saturday, July 17, 2010
secondlife Relay For Life, Relay today
At the relay for Life event at secondlife showing my support, Right now its the survivors lap so I'm off the track showing my support for those who are living with cancer, My teams campsite is at http://slurl.com/secondlife/RFL%20Hope/115/77/24/ come pay us a visit show your support and light a luminary for someone you know, I'm sure you know someone that's been afflicted by this horrible disease, come show your support for them.
Friday, July 16, 2010
Gathering Hardware and viewer statistics on SL users
Today in Avatar Makers Guild group chat Just a bit ago I got this group notice from a user called Stickman Ingmann:
I made a Jira requesting LL collect and expose useful information for inworld developers.
Oz Linden mentioned that there's internal discussion about a script function to test the viewer for certain capabilities (avatar alpha support, multiwearables, etc), but knowing what the average user can do would help us design products.
Have a read. If you agree, give it a vote. If you don't, leave a comment with feedback if you'd like. Thanks!
http://jira.secondlife.com/browse/MISC-4405
I have to highly recommend voting for anonymous statistics collection. It's a way to get software developers that write viewers to make secondlife suitable for common hardware and exposes statistical information for content creators who make graphically intensive stuff(such as hair with the Max Prim count, all Flexi, and glow...nothing lags a video-card like that) and to top it off unlike that zf redzone I mentioned in a previous post, It don't violate anyone's privacy, Sounds to me like this anonymous statistic collection will make a great alternative to a totally idiotic unthoughtful scripting function used to gather information on another users viewer capabilities, I mean such a scripting function, paired with the media system, to gather information, on a specific users viewer, can be used for vulnerability assessment purposes, this is definitely not a good thing. so if your a secondlife user reading this blog post, vote for that Jira article, and leave a comment, tell them you don't want a scripted function that can do this, and you would much rather see what Stickman Ingmann suggested than such a scripted function.
Just in case of editing by any party here is the Jira Article as it stands at time of posting this Blog Entry:
Having more information about what hardware and capabilities the average users of Second Life have would greatly aid in the designing and marketing of products.
Steam conducts a monthly hardware survey, asking random members of the community if they'd be willing to divulge hardware information to Valve. http://store.steampowered.com/hwsurvey The survey is made public to aid not only game developers in planning and spotting trends, but to aid community awareness on what types of systems people are using.
Gathering and distributing similar anonymous information from the Second Life community would be not only aid Linden Lab in its development choices, but would aid the inworld developers and standard users. As an example, if glow is only enabled by 20% of the users, it may be beneficial for LL to figure out why, and would be beneficial for inworld developers not to rely entirely on it. It would also let the standard user realize that the glow they are emitting may not be visible by everyone.
Besides the information contained on the Steam survey, the follow information specific to Second Life would be useful:
* Feature Support
o Glow/Shader Support
o Transparent Avatar Support
o Media-on-a-prim Support
o Multiwearables Support
o Restricted Life Support
o Etc
* Second Life Resolution
* Second Life Fullscreen/windowed status
* FPS
* Texture Memory
* Viewer Brand/Version
* Viewer Diversity (if people use more than one client or are loyal to just one)
Information also available on the Steam survey that could be gathered includes:
* Operating System and version
* System RAM
* CPU Count and Speed
* Video Card Identifier
* Video RAM
* Display Resolution
* Multimonitor status
* Microphone (not detected, asked)
* Language
* Free/Total HD space (not immediately useful, may be useful if the cache is improved)
* Network Speed
Edit:
you may wish to tell Oz Linden it's a bad idea to implement a scripting function to gather viewer information as it can be used for vulnerability assessments when paired with gathering information via media functions, you can find his office hours here: http://wiki.secondlife.com/wiki/User:Oz_Linden and please if you do say something to Oz please link him to the above mentioned Jira article here: http://jira.secondlife.com/browse/MISC-4405 tell him its a much better solution without all the nasty drawbacks of having such a scripting function.
I made a Jira requesting LL collect and expose useful information for inworld developers.
Oz Linden mentioned that there's internal discussion about a script function to test the viewer for certain capabilities (avatar alpha support, multiwearables, etc), but knowing what the average user can do would help us design products.
Have a read. If you agree, give it a vote. If you don't, leave a comment with feedback if you'd like. Thanks!
http://jira.secondlife.com/browse/MISC-4405
I have to highly recommend voting for anonymous statistics collection. It's a way to get software developers that write viewers to make secondlife suitable for common hardware and exposes statistical information for content creators who make graphically intensive stuff(such as hair with the Max Prim count, all Flexi, and glow...nothing lags a video-card like that) and to top it off unlike that zf redzone I mentioned in a previous post, It don't violate anyone's privacy, Sounds to me like this anonymous statistic collection will make a great alternative to a totally idiotic unthoughtful scripting function used to gather information on another users viewer capabilities, I mean such a scripting function, paired with the media system, to gather information, on a specific users viewer, can be used for vulnerability assessment purposes, this is definitely not a good thing. so if your a secondlife user reading this blog post, vote for that Jira article, and leave a comment, tell them you don't want a scripted function that can do this, and you would much rather see what Stickman Ingmann suggested than such a scripted function.
Just in case of editing by any party here is the Jira Article as it stands at time of posting this Blog Entry:
Having more information about what hardware and capabilities the average users of Second Life have would greatly aid in the designing and marketing of products.
Steam conducts a monthly hardware survey, asking random members of the community if they'd be willing to divulge hardware information to Valve. http://store.steampowered.com/hwsurvey The survey is made public to aid not only game developers in planning and spotting trends, but to aid community awareness on what types of systems people are using.
Gathering and distributing similar anonymous information from the Second Life community would be not only aid Linden Lab in its development choices, but would aid the inworld developers and standard users. As an example, if glow is only enabled by 20% of the users, it may be beneficial for LL to figure out why, and would be beneficial for inworld developers not to rely entirely on it. It would also let the standard user realize that the glow they are emitting may not be visible by everyone.
Besides the information contained on the Steam survey, the follow information specific to Second Life would be useful:
* Feature Support
o Glow/Shader Support
o Transparent Avatar Support
o Media-on-a-prim Support
o Multiwearables Support
o Restricted Life Support
o Etc
* Second Life Resolution
* Second Life Fullscreen/windowed status
* FPS
* Texture Memory
* Viewer Brand/Version
* Viewer Diversity (if people use more than one client or are loyal to just one)
Information also available on the Steam survey that could be gathered includes:
* Operating System and version
* System RAM
* CPU Count and Speed
* Video Card Identifier
* Video RAM
* Display Resolution
* Multimonitor status
* Microphone (not detected, asked)
* Language
* Free/Total HD space (not immediately useful, may be useful if the cache is improved)
* Network Speed
Edit:
you may wish to tell Oz Linden it's a bad idea to implement a scripting function to gather viewer information as it can be used for vulnerability assessments when paired with gathering information via media functions, you can find his office hours here: http://wiki.secondlife.com/wiki/User:Oz_Linden and please if you do say something to Oz please link him to the above mentioned Jira article here: http://jira.secondlife.com/browse/MISC-4405 tell him its a much better solution without all the nasty drawbacks of having such a scripting function.
Copybot... Users going too far to defeat it
Warning:as with previous post, more bad grammar ahead.
This post isn't going to be about zf redzone as I think I covered it pretty well in my previous post, but really those who have their content copy botted, really should see my links to the IC3(FBI) and the FTC in my previous article, and should learn how to file a DMCA complaint with Linden Labs, while they don't give prompt action, it don't make you just as guilty as the person that is illegally copying and republishing your content with the permissions released.
A while back I was in a group chat with a group known as "Avatar Maker's Guild", and a user known as "KK Mode" said he had the solution to copybot, a Prim tool known to crash copybot clients. While it has the right objective in mind, to disrupt copybot viewers export capability, it is severely misguided, however I must tout while I do not endorse the solution it is a hell of a lot less corrupt on spying on people, reason I don't endorse the solution? it crashes copybot and the standard viewer all the same.
KK Mode when initiating the group chat said he had something you could link to your creations that would disrupt the export process of a copybot viewer and crash it, and was handing them out free, he then said he was giving out this tool for free for anyone to make use of and to protect their content with, I of course inquired about this tool in a private IM with him as not to spam the group chat, he said this object is set to an invalid material type and would crash any viewer acquiring the information on that specific prim since its not going to be the root prim and that makes it safe for use, I asked what about editing linked parts and he stated it was safe for people that edited their avatars cause there was no way to select it, and it was more than just invisible, I asked him if he would send me one and he did so, I then asked you know there are some people that modify their avatars and may unlink them to do stuff like remove the ears to mod the ears for ear twitch features, and gave him a number of possibilities about how this could disrupt service for a normal user and isn't exactly a safe tool, his response over my concern? he got his nasty attitude on about a lot of the concerns as I stated it could take linden labs a long time to fix something like this, and that it may only take a copybot creator a week to discover why its crashing their viewer, and less than an hour to patch such an issue do you really want to put something like this out there? and this lead to a full blown argument, if not for ToS section 8.3 which I uphold and preach in my previous post, community standards and other issues, I would post the chat log right here. but I cant, All I can do is talk about it as im not allowed to make a direct copy of the text, but anyhow, the conversation eventually lead to him saying something to the tune of, Modding your avatar is like modding your PC's hard drive by putting a screw driver through it and complaining to the manufacturer it don't work(ironically I later vented with my Secondlife sister Mira and which stated she was as yiff lounge and standing right next to him, and went on to describe that he had a Kani avatar with the all too common fox modification where as you add an aventity fox nose to the Prims in the Kani) , I muted him for being an idiot and filed an abuse report with Linden Labs describing the malware content as it also violates ToS 8.3 like redzone, just the section that says you shall not impede normal function of the viewer(in the AR I said I would hold onto the content up until a certain date for their investigation but would delete it after a certain date as I dont like to hold onto dangerous content):
from: http://secondlife.com/corporate/tos.php
"8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users' functionality, invade other users' privacy, or surreptitiously or negatively impact any system or network."
impeding functionality right there with that tool. I would like to see copybot defeated just as much as any other creator, I have my own business there which copybot negatively impacts, in the case of This and redzone, the ends do not justify the means, as both are harmful to the general userbase more so than just copybot users.
anyhow with this said both methods to defeating copybot are both crossing the line, and are easily defeated by copybot users, the method described above can be defeated with a minor recode of copybot to ignore that information field, or just simply not lookup the names for the addressed invalid material types, or just simply a Hex editor that locks all addresses defining prim types under that variable to Wood or a material of choice, redzone can be defeated as with any content someone would want to steal, its generally virally spread across the grid, all you need to do is find it in a location where its not protected by redzone, or simply turn off media.
If you are thinking of Implementing either method of to protect your content, as ive heard some user say, copybot users generally aren't too bright in coding their viewers, its just simply modifications to circumvent the permission system and oftentimes they circumvent the UUID system so they don't have to pay to re-upload textures from content their stealing which can give away who was the original creator with lesser known creators who have content stolen from them, however no doubt their bright enough to figure out a scanning system and stay clear of it(just as normal and copybot user would want to do alike) with this said, the method that does more to protect your stolen content is KK Modes method and Not zfire xues method, reviewing the method which he uses the excuse his associates or alts make, I think zfire xue just simply uses copybot in mind as an excuse to do what hes doing, while I do honestly think KK Mode created his method in an honest attempt to defeat copybot, However, I do think KK mode needs to reconsider his methods due to lack of situational consideration(as with said him using a modded avatar he didn't even consider his own situation in this), so in saying this, his method sticks with your content, redzone does not, kk mode while both methods violate the ToS, is not only the lesser criminal in this situation, but is also the greater defender while I do not endorse the method of either and strongly oppose both methods, my opposition to redzone is much greater,if your going to do something in violation of the ToS kk modes method does not come with a legal violation as well unlike redzone(or at least I haven't found any laws that outlaw it at this point), I condemn both methods, but I stress, if your going to put them to use, use KK Modes method, it does much more to protect your content, and a minor viewer crash is a lot less damaging to an individual than a major Privacy violation and is more likely to prevent your content from becoming copybotted.
Please people, lets come up with a means to defeat this copybot system that does not violate the Lindens ToS, that is both Legal and Ethical.
If I worked for Linden Labs and developed their software I would probably create some software that works from the background and verifies that you are using a Linden Approved viewer, much like punkbuster, and verifies that the viewer, is running in an unmodified state, and that no unapproved applications outside the viewer were reading from it, that held a definition list much like an anti-virus to contain known viewers the background software would also acquire checksums on applications reading from the viewer, and verify those are running in an unmodified state if their known to the lindens, and submits checksums and definitions to the Lindens to identify unknown apps reading information and variables and so that these unknown applications can be disallowed, all viewers that don't verify properly are automatically and immediately disconnected, and also all viewers can have a closed source program that reads from them, collects various unspecified data used to verify whether the viewer is not and engages in encrypted communication with Linden servers whereas a new encryption system can be setup, of course this closed source program should be distributable and contain an API for working with so those who wish to make third party viewers can do so., of course no personally identifiable information of course. Hell even one of the third party viewer writers could start developement on this, submit their code to Linden Lab, and push in the Jira to get it Implemented in the regular viewer. the Only problem with this method suggested here? it takes time to do. but still no doubt it will be a goal completely worth working towards. also while absolutely disgusted with the technology behind it because it's a system that companies pay into to have their software developed and cause it can do what this background application I suggested would do quite readily without the need for additional software, there is always *shudders in disgust with it cause its really quite harmful to Open source and all that is good in computing*.... ... ... The disgusting evil, of coding your software, to work with the evils of the TPM(Trusted Platform Module) for those of you that dont know what this is, Its a hardware based system that enforces Copyright of software and other materials and verifies their running in a correct state, and can defeat viruses through the system, simply Its a chip on your motherboard that monitors your systems memory and watches over things when enabled, software can be compiled to only work if its present and enabled and it overviews a database of software(((which companies must pay to make an entry in which is harmful for opensource due to limited funding of some opensource projects and also harmful because a company can dispute the state of another program with it and close down another competing and free project that competes with a commercial project so you can see why I'm so disgusted with it as its a system of who registers first, totally backed by money, its also partially backed by Microsoft the leader in poorly designed operating systems that funded SCO's illegitimate lawsuit Where as some code contributed by SCO to the linux Kernal was claimed to be stolen but beside the point of this article, it just goes to show why im disgusted with TPM, but its nonetheless an option available to LL to defeat copybot))), this chip simply put can make sure your running a Linden Approved third party viewer or the Linden viewer itself, and can automatically close and shutdown unapproved viewers. as it Runs and performs its Operation at the hardware level, utilizes network to verify and discontinues failed verifications and runs over the OS level, a simple copybot user, would find such hardware extremely tough to defeat as it runs over a level which they have control of. Im against TPM though and think copybot could be controlled with the previous software method, and I have another reason I disagree with TPM, it would take a lot of users to upgrade to modern hardware that supports it in order to implement it so would require all secondlife users to use hardware that supports it, thus putting a lot of users out of luck. Simply Put, a piece of extra software that's freely downloadable and closed source that implements a verification system that's encrypted and simply verifies your client is in the state its supposed to be in and communicates with the Linden servers via encrypted means to keep its responses only predictable by Linden Servers, would be the best solution, if a response is invalid the user simply is disconnected by the Linden servers, this would probably even make it impossible to finish connecting if you were going to bot, while there are means of even defeating this method their method, it would force copybotters to do some work to achieve these means, thus then making them a lot more rare. which also in turns makes Linden Enforcement on DMCA issues more responsive, this can be defeated. but, everyone's going the wrong way, if your a talented programmer. Don't make spyware or malware, make a viewer and submit it to the Lindens, It could get implemented in their viewer and improve the experience for everyone without harming it and become a requirement of the system some day. All at the same, defeating copybot for the most part.
This post isn't going to be about zf redzone as I think I covered it pretty well in my previous post, but really those who have their content copy botted, really should see my links to the IC3(FBI) and the FTC in my previous article, and should learn how to file a DMCA complaint with Linden Labs, while they don't give prompt action, it don't make you just as guilty as the person that is illegally copying and republishing your content with the permissions released.
A while back I was in a group chat with a group known as "Avatar Maker's Guild", and a user known as "KK Mode" said he had the solution to copybot, a Prim tool known to crash copybot clients. While it has the right objective in mind, to disrupt copybot viewers export capability, it is severely misguided, however I must tout while I do not endorse the solution it is a hell of a lot less corrupt on spying on people, reason I don't endorse the solution? it crashes copybot and the standard viewer all the same.
KK Mode when initiating the group chat said he had something you could link to your creations that would disrupt the export process of a copybot viewer and crash it, and was handing them out free, he then said he was giving out this tool for free for anyone to make use of and to protect their content with, I of course inquired about this tool in a private IM with him as not to spam the group chat, he said this object is set to an invalid material type and would crash any viewer acquiring the information on that specific prim since its not going to be the root prim and that makes it safe for use, I asked what about editing linked parts and he stated it was safe for people that edited their avatars cause there was no way to select it, and it was more than just invisible, I asked him if he would send me one and he did so, I then asked you know there are some people that modify their avatars and may unlink them to do stuff like remove the ears to mod the ears for ear twitch features, and gave him a number of possibilities about how this could disrupt service for a normal user and isn't exactly a safe tool, his response over my concern? he got his nasty attitude on about a lot of the concerns as I stated it could take linden labs a long time to fix something like this, and that it may only take a copybot creator a week to discover why its crashing their viewer, and less than an hour to patch such an issue do you really want to put something like this out there? and this lead to a full blown argument, if not for ToS section 8.3 which I uphold and preach in my previous post, community standards and other issues, I would post the chat log right here. but I cant, All I can do is talk about it as im not allowed to make a direct copy of the text, but anyhow, the conversation eventually lead to him saying something to the tune of, Modding your avatar is like modding your PC's hard drive by putting a screw driver through it and complaining to the manufacturer it don't work(ironically I later vented with my Secondlife sister Mira and which stated she was as yiff lounge and standing right next to him, and went on to describe that he had a Kani avatar with the all too common fox modification where as you add an aventity fox nose to the Prims in the Kani) , I muted him for being an idiot and filed an abuse report with Linden Labs describing the malware content as it also violates ToS 8.3 like redzone, just the section that says you shall not impede normal function of the viewer(in the AR I said I would hold onto the content up until a certain date for their investigation but would delete it after a certain date as I dont like to hold onto dangerous content):
from: http://secondlife.com/corporate/tos.php
"8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users' functionality, invade other users' privacy, or surreptitiously or negatively impact any system or network."
impeding functionality right there with that tool. I would like to see copybot defeated just as much as any other creator, I have my own business there which copybot negatively impacts, in the case of This and redzone, the ends do not justify the means, as both are harmful to the general userbase more so than just copybot users.
anyhow with this said both methods to defeating copybot are both crossing the line, and are easily defeated by copybot users, the method described above can be defeated with a minor recode of copybot to ignore that information field, or just simply not lookup the names for the addressed invalid material types, or just simply a Hex editor that locks all addresses defining prim types under that variable to Wood or a material of choice, redzone can be defeated as with any content someone would want to steal, its generally virally spread across the grid, all you need to do is find it in a location where its not protected by redzone, or simply turn off media.
If you are thinking of Implementing either method of to protect your content, as ive heard some user say, copybot users generally aren't too bright in coding their viewers, its just simply modifications to circumvent the permission system and oftentimes they circumvent the UUID system so they don't have to pay to re-upload textures from content their stealing which can give away who was the original creator with lesser known creators who have content stolen from them, however no doubt their bright enough to figure out a scanning system and stay clear of it(just as normal and copybot user would want to do alike) with this said, the method that does more to protect your stolen content is KK Modes method and Not zfire xues method, reviewing the method which he uses the excuse his associates or alts make, I think zfire xue just simply uses copybot in mind as an excuse to do what hes doing, while I do honestly think KK Mode created his method in an honest attempt to defeat copybot, However, I do think KK mode needs to reconsider his methods due to lack of situational consideration(as with said him using a modded avatar he didn't even consider his own situation in this), so in saying this, his method sticks with your content, redzone does not, kk mode while both methods violate the ToS, is not only the lesser criminal in this situation, but is also the greater defender while I do not endorse the method of either and strongly oppose both methods, my opposition to redzone is much greater,if your going to do something in violation of the ToS kk modes method does not come with a legal violation as well unlike redzone(or at least I haven't found any laws that outlaw it at this point), I condemn both methods, but I stress, if your going to put them to use, use KK Modes method, it does much more to protect your content, and a minor viewer crash is a lot less damaging to an individual than a major Privacy violation and is more likely to prevent your content from becoming copybotted.
Please people, lets come up with a means to defeat this copybot system that does not violate the Lindens ToS, that is both Legal and Ethical.
If I worked for Linden Labs and developed their software I would probably create some software that works from the background and verifies that you are using a Linden Approved viewer, much like punkbuster, and verifies that the viewer, is running in an unmodified state, and that no unapproved applications outside the viewer were reading from it, that held a definition list much like an anti-virus to contain known viewers the background software would also acquire checksums on applications reading from the viewer, and verify those are running in an unmodified state if their known to the lindens, and submits checksums and definitions to the Lindens to identify unknown apps reading information and variables and so that these unknown applications can be disallowed, all viewers that don't verify properly are automatically and immediately disconnected, and also all viewers can have a closed source program that reads from them, collects various unspecified data used to verify whether the viewer is not and engages in encrypted communication with Linden servers whereas a new encryption system can be setup, of course this closed source program should be distributable and contain an API for working with so those who wish to make third party viewers can do so., of course no personally identifiable information of course. Hell even one of the third party viewer writers could start developement on this, submit their code to Linden Lab, and push in the Jira to get it Implemented in the regular viewer. the Only problem with this method suggested here? it takes time to do. but still no doubt it will be a goal completely worth working towards. also while absolutely disgusted with the technology behind it because it's a system that companies pay into to have their software developed and cause it can do what this background application I suggested would do quite readily without the need for additional software, there is always *shudders in disgust with it cause its really quite harmful to Open source and all that is good in computing*.... ... ... The disgusting evil, of coding your software, to work with the evils of the TPM(Trusted Platform Module) for those of you that dont know what this is, Its a hardware based system that enforces Copyright of software and other materials and verifies their running in a correct state, and can defeat viruses through the system, simply Its a chip on your motherboard that monitors your systems memory and watches over things when enabled, software can be compiled to only work if its present and enabled and it overviews a database of software(((which companies must pay to make an entry in which is harmful for opensource due to limited funding of some opensource projects and also harmful because a company can dispute the state of another program with it and close down another competing and free project that competes with a commercial project so you can see why I'm so disgusted with it as its a system of who registers first, totally backed by money, its also partially backed by Microsoft the leader in poorly designed operating systems that funded SCO's illegitimate lawsuit Where as some code contributed by SCO to the linux Kernal was claimed to be stolen but beside the point of this article, it just goes to show why im disgusted with TPM, but its nonetheless an option available to LL to defeat copybot))), this chip simply put can make sure your running a Linden Approved third party viewer or the Linden viewer itself, and can automatically close and shutdown unapproved viewers. as it Runs and performs its Operation at the hardware level, utilizes network to verify and discontinues failed verifications and runs over the OS level, a simple copybot user, would find such hardware extremely tough to defeat as it runs over a level which they have control of. Im against TPM though and think copybot could be controlled with the previous software method, and I have another reason I disagree with TPM, it would take a lot of users to upgrade to modern hardware that supports it in order to implement it so would require all secondlife users to use hardware that supports it, thus putting a lot of users out of luck. Simply Put, a piece of extra software that's freely downloadable and closed source that implements a verification system that's encrypted and simply verifies your client is in the state its supposed to be in and communicates with the Linden servers via encrypted means to keep its responses only predictable by Linden Servers, would be the best solution, if a response is invalid the user simply is disconnected by the Linden servers, this would probably even make it impossible to finish connecting if you were going to bot, while there are means of even defeating this method their method, it would force copybotters to do some work to achieve these means, thus then making them a lot more rare. which also in turns makes Linden Enforcement on DMCA issues more responsive, this can be defeated. but, everyone's going the wrong way, if your a talented programmer. Don't make spyware or malware, make a viewer and submit it to the Lindens, It could get implemented in their viewer and improve the experience for everyone without harming it and become a requirement of the system some day. All at the same, defeating copybot for the most part.
Thursday, July 15, 2010
Spyware...ToS and Legal Violation in secondlife and why you should be concerned
Warning:This post is filled with sloppy writing thats only meant to get a point a across, Dry legal issues, reference to ToS and Legal violations and attempts to prove something and probably is redundant in proving the point made. Beware, poor grammar ahead.
It has come to My attention that security issues with media in secondlife have become a serious problem and many users downplay these security issues. In this Post I'm going to write about mostly a tool that commits these security exploits, issues regarding it, It's creator, It's Legality, and I'm also going to write about other things that can be done with this mentioned exploit, many of the cases outside the discussion of the tool are undocumented but potential threats to secondlife and it's users.
I Discovered a while back on XstreetSL.com a security orb tool that claims to ban copybotters, and their alts? Well now how do they do this? Are they getting my information? Pulling it From my PC? Are they Invading my Privacy? Is this legal? Many people are familiar with such a tool, and when I discuss it they often mention a tool I have yet to look into titled CDS, the tool I am mentioning is Called zf redzone, and is published by a zfire xue. To answer the above questions: It utilizes Secondlife Media functions to obtain IP addresses on avatars, and compare them searching for avatars with the matching IP address. Their Getting information on you such as alternate accounts, there are rumors that this tool scans your hard drive to locate info on you, but really that's likely an exaggeration of its functionality. The information is not pulled from your PC, it's gained from the nearest routing point they can get to which is your home router, so when they do identify your alts, oftentimes others you share residence with will be included. Yes they are invading your privacy as they are collecting Information about you without your knowledge or consent. It's Illegal by secondlife Terms of service and By Law, Secondlife Terms of service Section 8.3 Specifically disallows the use of spyware, and the Tool violates the California privacy Protection act a law designed to protect any systems within California, Linden Labs being a california based company and the spyware residing on their servers, means that all secondlife residents are Protected under the california Privacy protect act, specifically BPC22575-22579 protects you and linden labs servers. Also to top it all off you and your alt, or roommate may not visit the same locations in secondlife? Guess what? It's a distributed system that utilizes web functions to log this information so your alts may be identified even if never crossing the same point, so long as they are both scanned by the zf redzone system. Is this system 120% accurate as the author claims? No It is not. As it works based on IP and can identify roommates, or people you login to assist as alt's, also if you log in from college or a dormitory connection, to zf redzone it may look like you have hundreads of alts. Which brings upon another function of this tool, client detection. If it detects a copybot. It bans the user, and their alts. Is It's copybot protection 100% accurate? NO! Any copybot with media off can evade it and any snowglobe 2.0 user appears to be copybot to this system. Anyhow snowglobe users are probably reading this and wondering why hasent this thing banned me for snowglobe use. If you are. Do your research on the viewer your using! Anyone that knows much of anything about alternate secondlife viewers and snowglobe should know snowglobe has 2 major distributions which are Snowglobe 1.3(based on secondlife 1.23) and Snowglobe 2.0(based on secondlife 2.0) both viewers being inherently different their only the same in name as they both come from different codebases, so when zf redzone detects snowglobe, it is detecting the use of snowglobe 1.3. Please see this link regarding a user who contacted zfire xue about this nasty issue, and the ignorant response he was given: http://www.mail-archive.com/opensource-dev@lists.secondlife.com/msg02048.html Obviously the creator does not acknowledge his system has a flaw and thus then will do nothing to fix it.
Now Onto the point why it upsets me, upon viewing this spyware for sale on xstreet I contacted the seller, what I suspect is an alternate account known as TheBoris Gothly. And inquired about what it did, the inquiry lead me to find the user has no consideration for the privacy of others or potential misuse of the system. Upon interviewing the user he quoted the privacy Policy of Linden Labs and convenienintly neglected the parts that did not fit his misuse of the service he quoted:
some services operated by Second Life users may provide content that is accessed through and located on third party (non-Linden Lab) servers that may log IP addresses.
however he conveniently left out the previous part that sites this is only an example of users are capable of that immediately states beforehand:
For instance,
and he also conveniently left out the purpose of that part of the privacy Policy:
Certain account information is displayed to other users in your Second Life profile, and may be available through automated script calls and application program interfaces. This information includes your account name, account type, the date your account was established, whether or not you are currently online, user rating information, group and partner information, and whether or not you have established a payment account or transaction history with Linden Lab. Further, you agree and understand that Linden Lab does not control and is not responsible for information, privacy or security practices concerning data that you provide to, or that may otherwise be collected by, Second Life users other than Linden Lab.
want to see the privacy Policy that's quoted here in whole? View it here:
http://secondlife.com/corporate/privacy.php (7/14/2010)
with that stated the privacy policy in whole means Linden Labs shall in no way be held responsible for information that you include within your profile and shall not be held responsible for data mining schemes of other users like this one we provide an example of so if you get someone hiding behind the privacy policy, and the user quotes the example scenario only in part to hide the fact that what their doing is not condoned by Linden Labs and to make it sound like their on terms with the privacy policy, so what TheBoris Gothly quoted, has its meaning reversed by all the parts he so conveniently left out. Misrepresenting the Privacy Policy? I think that's enough for banishment from the secondlife system against both zfire xue and TheBoris Gothly right there, but as you expected. Theres more.
The secondlife terms of service specifically disallows this type of activity under the section 8.3 regardless of Privacy Policy which can be viewed here: http://secondlife.com/corporate/tos.php
8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users' functionality, invade other users' privacy, or surreptitiously or negatively impact any system or network.
You agree to respect both the integrity of the Service and the privacy of other users. You will not:
(i) Post or transmit viruses, Trojan horses, worms, spyware, time bombs, cancelbots, or other computer programming routines that may harm the Service or interests or rights of other users, or that may harvest or collect any data or personal information about other users without their consent;
(iv) Engage in malicious or disruptive conduct that impedes or interferes with other users' normal use of the Service;
with that said, It is clear, Spyware is against the secondlife Terms of service, also your probably wondering why section iv is included in the quote? It's because this tool disrupts service for snowglobe 2.0 users and if you read the xstreet page that sells this object at: https://www.xstreetsl.com/modules.php?name=Marketplace&file=item&ItemID=1175807 it becomes clear this tool is designed to cause a crash in the secondlife client quoted from the page: Ejects and TP home intruders automatically often crashing them, if your online or not, group owned land or your own! so this tool further violates the ToS because it is designed to crash a viewer by running the eject function which teleports users to the nearest place off your parcel and the teleport home function which does at it says at the same time against a targeted user.
Also another point I should make with this on the zf redzone site found at http://isellsl.ath.cx/redzone.php there are various statistics posted where as ToS 8.3 states at the end Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation. you can see just how many times the zf redzone system has violated ToS 8.3 under the section Linked IP's which is a count of how many groups of accounts its made to a target IP address, simply put you can violate ToS section 8.3 a single time and be banished from secondlife. This user has made a tool that has done it many thousands of times. I'm just waiting for the ban to happen.
Not to forget, further proof of previously made claim, that this tool is illegal and violates the law. People being scanned by this system receive no notice their being scanned and are not asked for consent which ToS 8.3 clearly states you must have but secondlife ToS is beside the point now. This Tool is illegal. The Legal Code BPC22575-22579 Prohibits this and you can view it here: http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579 zf redzone commits these violations of this law. The law requires that you present the user with a privacy Policy before gathering information on the user, and specifically protects any information that may be used to contact a person In Person or Online, your username is protected under this law.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
This law also as said before states there must be a privacy policy presented to the user information is being collected on, its setup in the zfire xues store in the sim vsevolod I've passed the security system numerous times and received no such notice it was trying to collect information on me or of its privacy Policy. From the law it is stated:
22575. (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post its privacy policy on its Web site, or in the case of an
operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An
operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified
of noncompliance.
if you viewed the previous link to the zf redzone and viewed the item discussion on xstreet the above 30 day notice has already been clearly delivered by a number of users who state this is a privacy violation and you will further see this references another section of the law:
EDIT:(the user posts have been deleted leaving gaps in the item discussion read about it here: http://treminarisecondlife.blogspot.com/2010/07/item-discussion-for-zf-redzone-censored.html I think this puts zf Redzones author and salesperson in knowledgeable and willful violation of BPC22575-22579 as they have covered up the posts pointing out that this is a privacy violation)
(b) The term "conspicuously post" with respect to a privacy policy
shall include posting the privacy policy through any of the
following:
(1) A Web page on which the actual privacy policy is posted if the
Web page is the homepage or first significant page after entering
the Web site.
(2) An icon that hyperlinks to a Web page on which the actual
privacy policy is posted, if the icon is located on the homepage or
the first significant page after entering the Web site, and if the
icon contains the word "privacy." The icon shall also use a color
that contrasts with the background color of the Web page or is
otherwise distinguishable.
(3) A text link that hyperlinks to a Web page on which the actual
privacy policy is posted, if the text link is located on the homepage
or first significant page after entering the Web site, and if the
text link does one of the following:
(A) Includes the word "privacy."
(B) Is written in capital letters equal to or greater in size than
the surrounding text.
(C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
(5) In the case of an online service, any other reasonably
accessible means of making the privacy policy available for consumers
of the online service.
given this specific part of the law the operator zfire xue, obviously cannot carry out Option 1 to give notice to users, Option 2, they must make an object visible in world that can be clicked to view the privacy policy that is noticable in world, option 3 zfire xue must make his tool message the user that is about to be scanned for alts that there is a privacy policy regarding this and the must visit a specific URL in order to view this policy. 4 pretty much covers 3 but declares hyperlinks in services that may not be able to display text links and 5 states very openly that there must be a reasonable means that you can view the privacy policy before this information is collected, and as with any terms of service or privacy policy you need to verify the user was capable of viewing the privacy policy, so at the very least, zfire xue, needs to make this tool popup a dialogue box, with an OK button on it that must be clicked before any information is collected on you. Does zf redzone do any of this? No it does not. I've passed it by several times, its being sold in the sim vsevolod and there is one setup on top of his store location which does nothing to notify me information is being collected on me. So thus hence zf redzone violates this law which is part of the california privacy protection act. Not a California resident and reading this? And wondering how your protected under this law being a California state law? See the above link to the secondlife terms of service section 12.2. it states:(7/14/2010)
You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California without regard to conflict of law principles or the United Nations Convention on the International Sale of Goods. Further, you and Linden Lab agree to submit to the exclusive jurisdiction and venue of the courts located in the City and County of San Francisco, California, except as provided in Section 12.1 regarding optional arbitration. Notwithstanding this, either party shall still be allowed to apply for injunctive or other equitable relief to protect or enforce that party's Intellectual Property Rights in any court of competent jurisdiction where the other party resides or has its principal place of business.
repeated:You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California
simply put you must follow California state law at all times and with all actions within the secondlife service((in addition to your local laws of course)) thus hence all secondlife users are protected under BPC22575-22579 in regards to events occurring related to the secondlife service. But theres more...
and finally zf redzone further violates the law BPC22575-22579 by having a deceptive privacy Policy BPC22575-22579 states:
22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.
and:
(1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information.
(2) If the operator maintains a process for an individual consumer
who uses or visits its commercial Web site or online service to
review and request changes to any of his or her personally
identifiable information that is collected through the Web site or
online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of
material changes to the operator's privacy policy for that Web site
or online service.
(4) Identify its effective date.
zf redzone fails to do all of that, and even more so the privacy policy posted on the redzone website listed above, states:(7/14/2010)[yes zfredzone does have a privacy policy the previously mentioned issue is its not made available to users being scanned at all when its required that it be made available before a scan takes place] Before or at the time of collecting personal information, we will identify the purposes for which information is being collected. ,We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned. ,We do not consider any publicly displayed secondlife information such as usernames, account age, photos displayed to the world, payment status, join date, UUID, IP, platform, viewer, group affiliations, preferred language used, time of day, timezone, region, partner name or any other secondlife information to be private.
given these all above this is taken from the privacy policy of zf redzone, it fails to identify information is even being collected or the purpose of the collection to those it collects information on. It does not acquire consent and as proved above uses unlawful means to collect the info. While a username is public information as they say they do not consider it private, as stated above, (6) Any other identifier that permits the physical or online contacting of a specific individual., despite the publicity they must gain permission to collect your username as it is contact information. This is all required by BPC22575-22579.
I find zfire xue in further violation of BPC22575-22579 on the grounds of:
22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.
The user posts a privacy policy that violates this law by claiming in their privacy policy does things which it does not do which is to cover up that they are in knowledable and willful violation of BPC22575-22579, It also makes any legal protection their privacy Policy provides them Null and Void as they did not adhere to it.
Anyhow now that I've proven one of the people using the secondlife media exploits to identify alternate accounts is violating both the secondlife terms of service, and the law. Onto the final part of this article.
An IP address is a number that identifies your network or computer over the internet, while seemingly innocent enough for use, many services protect the discovery of this information user to user for only admins to view, there are exceptions as an IP address is not private information but it can be used to discover private information on a user or identify usage habits which is private information, or discover additional contact information as described above and prohibited by the above mentioned law BPC22575-22579, once discovered, there are more sinister uses for this information. Now you may already know IP addresses for network resources can change when a resource such as a router or PC is restarted and a connection to the ISP needs to be re-established and that online services such as google acquire IP addresses all the time, an IP address is necasary to facilitate computer to computer communication over the internet, so it must be shared, this is one of many reasons users should only connect to services they trust. I've been ridiculed for my argument against redzone by forum trolls and the such, saying things like oh noes google has my IP address, google is no big deal their legit and responsible and usually answer to issues, and better than an illegitimate service such as redzone, yes its a big deal because it then gets used to uncover identifying information. And then, theres that little troll hacker in the basement of his moms home who lives in nigeria, even worse yet. While it may simply be the address used to identify your PC over the internet and can be traced to the town your ISP operates from. And not to your door, a good analagy to IP addresses is to think of them like home addresses. Also before noting the analogy, anyone with your current IP address and the right utilities can check your network for vulnerabilities.
In explanation of this analogy lets say the internet is this very earth we stand on, people represent users and online activities such as games media, structures and facilities represent web sites and services that facilitate these, and home represents your PC on the internet, the streets the network that supports it all. And your Home address the same as your IP address, while you may subscribe to a premium service that gets you the same IP address again and again for your server, lets say you live in a trailor park and your always moving going from address to address as conditions change every so often.the local college is holding a Job fair, but has had recent issues with crime, being the redneck you are your looking for something better, or just looking for something whatever. You step out of your trailer, the trailer park can be thought of as your home router, all the other residents there are other PC's connected to that address temporarily, you venture out and you go to the job fair, the college the job fair has been held at, has had some issues with a criminal stalking people breaking into their homes, doing undue harm to people and stealing their things, before entering the college since the security is stepped up your all required to get a nametag with your IP address(home address) on it so the college police if witnessing a person committing a crime can easily identify and visit suspects and victims. A cost of privacy for a little security at the campus, a person casually passes by, bumps into you and apologizes(just like a ping request) but they observe your address and take note of it, later that night after you come home you settle in, and don't realize the person while you were at the job fair surveyed your place and found the hide a key(like a security hole being found in a vulnerability scan) later that night you are attacked and fall victim to this same person cause your address was published for the college security.
While just an analogy computers over the internet that have obtained your IP address can perform vulnerability scans which oftentimes takes form of ping and many other types of requests and if your IP address is discoverable through a service, even though it was intended to be viewed by someone else your PC can be located on the internet and targeted for a vulnerability scan and vulnerabilities can be found just like the hide a key, while you may of hid the key well like setting a port to stealth mode on your router. The vulnerability was searched for in many places, and when found you had Open Ports they may have seen what OS your running and what security measures are in place in the vulnerability scan and by gathering this info identified probabilities that your using this and that, which lead them to finding the key(the messaging service you use for example) which opens up that stealth port they just figured out you use an outdated version of windows messenger because through vulnerability scans they identified your OS(your trailor in this analagy) as being windows XP home, with the scans they further identified how to contact your browser which allows them to know many things and odd setting you didnt expect people to know like your desktop resolution which is used in PHP XML, and sometimes CSS functions to identify how to properly format the web page, various functions lead to discovery of various information about you, assumptions can be made about your online activity to identify vulnerabilities in your system. If a advertiser uses a vulnerability scan and finds signs of gaming software, and a PC running in only 800x600 they can pester and spam an email address they discovered using illegitimate means with ad's to get you a better video card, other scenarios can be potentially embarassing.
Like for example Lets say you work for a net firm, and they like to connect with gamers, one of the jobs duties may be to connect to secondlife and try to make a sale on the users there and you like to work extra hard to make that sale, you go home, and login to secondlife from your business alt. While in your business alt you use the service from your bosses location, lets say he rezzed zf redzone. He discovers your personal account, which happens to be a furry(or replace furry with your less understood side and the unusual attributes) and your character has tenticles and all sorts of other naughty features, that are your own personal business, you go into work the next day and receive the pink slip of doom, when you ask why? Your boss says I've seen that episode of CSI with the fursuiters and I know you like to screw animals you sick [expletive deleted], you just lost your job because of your own personal business thats your business and nobody elses, because zf redzone helped your boss peer into your private life and a little misinformation from a myth created by a TV show. Pretty lame isnt it?
I dont know zf redzones complete method for identifying a secondlife name, to an IP address as there are many potential methods to do so and I dont have my hand in the code however I do know its done by linking an IP address to an avatar name in the secondlife service, thats the only way it can be done. As media functions in secondlife reveal IP address and the viewer nor the service make alternate accounts discoverable. It could be just simply comparing who entered the parcel and when a stream was accessed and looking at shoutcast streams IP address list and tagging the newest IP on the list with the avatar name and submitting it to the redzone service, this method is inaccurate but would yield the information redzone seeks, zf redzone could temporarily change the parcel media to direct to a website as a user enters a parcel and have the extension of the web address match the name like exampleIPLoggingsite.com/Treminari/Huet while this method is inaccurate it would yield results, or it could just be simply singling out lone people on parcels and checking to see if one person is tuned into the stream and assuming the person on the secondlife parcel is one in the same, another inaccurate method, there are methods and tests and procedures to determining an IP address of a secondlife user with media enabled with 100% accuracy, and secondlife shared media feature titled media on a prim that allows more flexibility in acquiring an IP address, higher accuracy, easier to perform, and dont require land. While I doubt zf redzone uses this method one thing is certain, it uses IP addresses tagged with avatar names and recent comparisons of the address to identify an alt. You can combine the above methods in various ways to achieve higher accuracy using these inaccurate methods but, there are several disturbingly simple easy to perform methods which will get you the IP address of a user through parcel or media on a prim with 100% accuracy, which I must leave unnamed and undescribed as to not promote them, im sure many of these methods could be used to improve redzones accuracy in discovering it but I dont promote the illegal activities of zfire xue and theBoris gothly with the redzone utility.
Given that someone can get your IP address, through shared media, even if you dont take your privacy seriously or feel you have nothing to hide from you should still take the IP discoverability issue with secondlife media seriously. Though non documented, a vulnerability scan as mentioned before can be used to assess the security state of a discovered users PC and determine weak points in the security(maybe their running a dated version of VNC that allows remote control of their PC for when they go to the office, and has an 8 character length limit for the password that can easily be entered via brute force password scanning) whatever the vulnerabilitiy of the system IP discoverability in secondlife, makes the vulnerability discoverable. User to user, and allows the user to know just who their targeting for attack.
Theres things the lindens can do to fix this, but that would be expensive and unreasonable such as providing every sim a proxy server, or making all sims act as a proxy server, and through flash and java exploits could circumvent these methods. There are things Linden Labs can do that is inexpensive to Mitigate reduce and nearly eliminate privacy and vulnerability issues with secondlife media. First off, they need to take abuse reports seriously, the report field needs to be longer in abuse reports so people can site their resources in proving a case of spyware, even keeping things brief in description there are so many things you need to say to prove it to the lindens. Also they need to start answering to reports of spyware, when an AR failed I submitted it into a support ticket, both lindens responding to that ticket ignored it and did nothing but yap. Also reporting items on xstreet using the report item button needs to be taken more serious your limited to 255 characters in your typed report on xstreet. Also you cannot report an item that has been reported and not investigated yet, you will get an error message saying a report for this item already exists. While you may have been going to file a report saying this item uses media exploits to log IP address to avatar name to make alternate accounts discoverable, some idiot who has no business using the system may have just clicked report, and wrote in this item violated me and do little to nothing to say the incursion which in turn prevents your report, if I was to make an unethical tool such as this I could very well make an alt, and clog the report item system daily against my item so others couldn't report it. Linden Labs Needs to investigate spyware claims, and take users more serious, and they also need to allow multiple people to file a report against an xstreet item just like an object on the grid. Also Linden Labs needs to bring back the warning message that I used to see back in viewer 1.16 or was it 1.18? that tells you when you turn on a stream for the first time and warns you it makes your system discoverable and your IP viewable, doesn't have to give a big disclaimer, but it needs to remind people and allow them to decide for themselves that media can make their PC discoverable and decide what their risks are in using it, the message should be like, warning:using media makes your computers IP address available outside of secondlife, and that addresses can be directed by scripted means, only utilize streams in locations that you trust, Linden labs is not responsible for the actions of other users its a clear concise message which will concern those who need to be concerned and give them a heads up, they can research the topic further if their scared. Also the new web on a Prim feature gives griefers and spyware makers more flexibility in exploiting shared media, there are things that can be done to limit discoverability, by default this options is completely on, and you can turn it off but only completely. There is an option to only load websites on prims when you give the OK but it is easily circumvented(can be disabled by clicking Me > preferences > Sound & Media, and unchecking allow media to auto-play). However if you've been around secondlife you've noticed people can deform your avatar and if your knowledgeable of the method their doing it by gaining animation permissions on you through an object that sits on click and having that object follow your avatar around to load the animation as soon as you click the wrong place and the object often self deletes once its dirty deed is done, there are other methods to performing this attack on users but this is beside the point of this post, the same way they can trick you into sitting on a derformer, you can be tricked into playing shared media, all it takes is a prim set to 100% alpha to follow your avatar around and then load the media exploit all in the same way. Why does this work though? Because all it takes is a single left click to play the media on a prim so turning off autoplay can easily be circumvented, since linden labs does nothing to fix it, and there is plenty of fixes in the Jira suggested none of which they've acted on Ill put in my word here, add the play button for a media source to the right mouse button and dont play media that becomes left clicked. SIMPLE! This obscenely simple fix will mitigate the issue with this method greatly, also many don't know this because its burried away but in the top right corner of the screen in secondlife 2.0 if you mouse over the play button with auto play disabled, a tool bar will pop up that contains a more button, press this button and you will get a display of all the URL's prims are attempting to load around you, this will let you view site addresses before letting them display in your viewer, however here in lyes another serious issue there are 2 buttons one to stop/play the selected item on that list, and another to automatically draw your camera focus to that object, whats the problem? The one that draws your camera focus to the selected item also automatically plays that item. So if you see something suspicious on your land like the URL www.exampleexploitsitehere.com and you click to give focus to that item in trying to locate it, you just also gave it permission to display in your viewer, when you may of just been trying to locate the object displaying the malicious site, you just loaded it on your PC ouch. Linden Labs can fix this simple to just make the buttons do their individual functions and not the function of the other one as well.
I myself defend myself from this I don't use the linden viewer for any purpose beyond my education on it as the interface is poor and with the half thought out security option to disable autoplay viewer 2.0 is more vulnerable to this exploit. I use emerald. Yes I know the team that worked on it did use the media exploit too, no theres nothing I myself have found in their viewer to spy on the user, for a safer more secure secondlife experience, you should use a mature well developed viewer based on secondlife 1.23 such Hippo Opensim or emerald(there are others) and you should disable media, and there is another exploit in the viewer that actually allows you to protect yourself more. Secondlife 1.23 does not allow users to see the stream URL they connect to. However in the advanced menu(ctrl+Alt+D) if the media URL is hidden you can select the option show admin options while attempting to use the admin options that become revealed will be logged in some cases by Linden Labs there is one advantage, by clicking the location name on the top of your screen and bringing up the land information you can see what the media URL is for that location and make your decision whether or not the URL should connect to your PC then(of course I recommend turning this off as soon as your done) and from here you can paste this URL into the play URL option for your favorite media player Like Windows Media Player, Winamp, XMMS, or whatever you prefer to use. Taking this extra step after disabling media completely in your viewer increases your security by allowing you not to accidentally play a media stream in secondlifes viewer whether it be accidentally hitting play or turning automatic play on, it also makes you more secure against objects that may temporarily switch the media option for a really brief moment to discover IPs of those connected.
Aside from how to defend yourself you the reader is probably wondering, How you can make a difference in the media issues with secondlife, there are several things you can do to help:
-Educate Other secondlife users about these exploits, refer them to this blog Post
-Visit http://jira.secondlife.com/secure/Dashboard.jspa and educate yourself about the Jira, search it for issues related to the media problem that suggest a fix, I myself am still trying to decide which to vote for. As theres several suggestions as to how to make viewer 2.0 safer
-If you visit the secondlife Jira Linked above and have a better solution than those proposed, observe how to create a Jira article, and write your solution and encourage others to vote for it.
-Don t give people the information their looking for, don't just leave the streaming media on full time, turn it off always when not in use.
-Don t visit sites or buy products that claim to give you information on another secondlife user or claim they can effect the user off the grid or detect anything secondlife doesn't normally allow you to do yourself.
Things you can do about current infractions against your privacy on secondlife:
-Visit http://www.ftc.gov/ftc/contact.shtm or http://www.ic3.gov/complaint/default.aspx and report spyware authors that violate the law. Remember as stated earlier under this article all users using the secondlife service are protected by the California Privacy Protection act which BPC22575-22579 defines, the FTC link is obviously to the FTC, and the IC3 Link is to the FBI's internet crime department, both deal in issues of spyware.
-Use the report item Button in xstreet and file a report item complaint against spyware for a terms of service violation 8.3, and when writing the report site what you know about the spyware and resources that prove its spyware.
-visit the location of known spyware while protecting yourself from it by disabling media and use the report abuse button on the offending object, report spyware you see rezzed and vending systems that sell it such as the vendor for zf redzone in vsevolod/182/49/113(there is a spyware vendor for the zf redzone system as well as the spyware security orb there itself on top of the building with the vendors)
Edit:just lovely I see the text editor I started writing this in dropped out all my quotation marks when I copied it to here!
Edit: looked at the Item Discussion found another part of the privacy Policy TheBoris Gothly and zfire xue are hiding behind will post it below here as not to disrupt my Original article:
from the item discussion at 2010-05-08 12:17:57:
we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data.
Lets look at that in whole shall we?:
Third Party Advertisements
Linden Lab participates in ad and/or affiliate networks operated by various third party companies. These companies collect and may use certain anonymous information about your visits to our Websites as a function of referring Internet traffic to our Websites. We do not permit these companies to collect any personal information about you, such as your name, address, or email address; however, we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data. If you seek information about these specialized advertising technologies, the Network Advertising Initiative offers useful information about Internet advertising companies (also called "ad networks" or "network advertisers"), including information about how to opt-out of their information collection.
Lets Explain it shall we? first off, this is the advertising Policy, a Policy in regards to advertisements only. It also says the companies may collect and use certain information. so obviously in certain information this is information released by Linden Labs you can view this here btw: http://secondlife.com/corporate/privacy.php and the 2 previous paragraphs pretty much limit information collected to website visits and lindex exchange, and disallow personal information which as defined by BPC22575-22579 is account names held as they are contact information, while this paragraph permits collection of IP address it does not permit use of this to datamine a user and lets look into the big part of this that they hide behind
These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites
ok first off the information must remain anonymous, it is contact information that is being collected not completely anonymous by any standard, so that's a violation of the privacy policy, second off it pertains to information collected about visits to the websites operated by Linden Labs like visiting secondlife.com, and as said before its an advertising policy, this policy permits advertisers to set up properly targeted ads, much in the same way googles ad sense works where as advertisements can be properly directed(so they can match IP address to search terms), this also pertains to xstreet. ever notice how that advertisement banner at the top of the search usually has something related to what your searching for vaguely related to an item in the search? this policy is to assist in the operation of functions like that. also aside from this, the information being collected on you by zfire xue and his redzone system has no method of opt out oh and something else I totally forgot to mention, which this privacy policy states, is this guy an affiliate of Linden Labs? I don't think so. If he was I think he would understand the privacy policy a little better and know that this section pertains solely to advertising, but as with any other part of the policy he quotes he conveniently leaves stuff out, he is in knowledgeable violation of it as you can see above he conveniently leaves parts out which is clearly intentional. A business affiliate of Linden Labs would not do this because they know they can be sued by both Linden Labs and the userbase they effected. In which bbrings me to another part of the terms of Service:
8.2 You will not post or transmit prohibited Content, including any Content that is illegal, harassing or violates any person's rights.
in accordance with BPC22575-22579 since Linden Labs operates out of california which specifically makes spyware illegal as it falls under the protection of BPC22575-22579 aside from violating our rights the content of zf redzone is specifically illegal
(i) Post, display or transmit Content that violates any law, or the rights of any third party including without limitation Intellectual Property Rights;
(ii) Impersonate any person or entity without their consent, or otherwise misrepresent your affiliation;
hes misrepresenting his affiliation obviously, hes obviously violating our right to privacy and hes obviosly breaking the law in doing so as ive touched on a many of times in this article BPC22575-22579.
(iv) Post, display or transmit Content that is harmful, threatening or harassing, defamatory, libelous, false, inaccurate, misleading, or invades another person's privacy;
nuff said that's covered in section 8.3 which I kept saying but all in all the zf redzone product invades user privacy
and yet again under section 8.2 as with section 8.3:
Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation.
It has come to My attention that security issues with media in secondlife have become a serious problem and many users downplay these security issues. In this Post I'm going to write about mostly a tool that commits these security exploits, issues regarding it, It's creator, It's Legality, and I'm also going to write about other things that can be done with this mentioned exploit, many of the cases outside the discussion of the tool are undocumented but potential threats to secondlife and it's users.
I Discovered a while back on XstreetSL.com a security orb tool that claims to ban copybotters, and their alts? Well now how do they do this? Are they getting my information? Pulling it From my PC? Are they Invading my Privacy? Is this legal? Many people are familiar with such a tool, and when I discuss it they often mention a tool I have yet to look into titled CDS, the tool I am mentioning is Called zf redzone, and is published by a zfire xue. To answer the above questions: It utilizes Secondlife Media functions to obtain IP addresses on avatars, and compare them searching for avatars with the matching IP address. Their Getting information on you such as alternate accounts, there are rumors that this tool scans your hard drive to locate info on you, but really that's likely an exaggeration of its functionality. The information is not pulled from your PC, it's gained from the nearest routing point they can get to which is your home router, so when they do identify your alts, oftentimes others you share residence with will be included. Yes they are invading your privacy as they are collecting Information about you without your knowledge or consent. It's Illegal by secondlife Terms of service and By Law, Secondlife Terms of service Section 8.3 Specifically disallows the use of spyware, and the Tool violates the California privacy Protection act a law designed to protect any systems within California, Linden Labs being a california based company and the spyware residing on their servers, means that all secondlife residents are Protected under the california Privacy protect act, specifically BPC22575-22579 protects you and linden labs servers. Also to top it all off you and your alt, or roommate may not visit the same locations in secondlife? Guess what? It's a distributed system that utilizes web functions to log this information so your alts may be identified even if never crossing the same point, so long as they are both scanned by the zf redzone system. Is this system 120% accurate as the author claims? No It is not. As it works based on IP and can identify roommates, or people you login to assist as alt's, also if you log in from college or a dormitory connection, to zf redzone it may look like you have hundreads of alts. Which brings upon another function of this tool, client detection. If it detects a copybot. It bans the user, and their alts. Is It's copybot protection 100% accurate? NO! Any copybot with media off can evade it and any snowglobe 2.0 user appears to be copybot to this system. Anyhow snowglobe users are probably reading this and wondering why hasent this thing banned me for snowglobe use. If you are. Do your research on the viewer your using! Anyone that knows much of anything about alternate secondlife viewers and snowglobe should know snowglobe has 2 major distributions which are Snowglobe 1.3(based on secondlife 1.23) and Snowglobe 2.0(based on secondlife 2.0) both viewers being inherently different their only the same in name as they both come from different codebases, so when zf redzone detects snowglobe, it is detecting the use of snowglobe 1.3. Please see this link regarding a user who contacted zfire xue about this nasty issue, and the ignorant response he was given: http://www.mail-archive.com/opensource-dev@lists.secondlife.com/msg02048.html Obviously the creator does not acknowledge his system has a flaw and thus then will do nothing to fix it.
Now Onto the point why it upsets me, upon viewing this spyware for sale on xstreet I contacted the seller, what I suspect is an alternate account known as TheBoris Gothly. And inquired about what it did, the inquiry lead me to find the user has no consideration for the privacy of others or potential misuse of the system. Upon interviewing the user he quoted the privacy Policy of Linden Labs and convenienintly neglected the parts that did not fit his misuse of the service he quoted:
some services operated by Second Life users may provide content that is accessed through and located on third party (non-Linden Lab) servers that may log IP addresses.
however he conveniently left out the previous part that sites this is only an example of users are capable of that immediately states beforehand:
For instance,
and he also conveniently left out the purpose of that part of the privacy Policy:
Certain account information is displayed to other users in your Second Life profile, and may be available through automated script calls and application program interfaces. This information includes your account name, account type, the date your account was established, whether or not you are currently online, user rating information, group and partner information, and whether or not you have established a payment account or transaction history with Linden Lab. Further, you agree and understand that Linden Lab does not control and is not responsible for information, privacy or security practices concerning data that you provide to, or that may otherwise be collected by, Second Life users other than Linden Lab.
want to see the privacy Policy that's quoted here in whole? View it here:
http://secondlife.com/corporate/privacy.php (7/14/2010)
with that stated the privacy policy in whole means Linden Labs shall in no way be held responsible for information that you include within your profile and shall not be held responsible for data mining schemes of other users like this one we provide an example of so if you get someone hiding behind the privacy policy, and the user quotes the example scenario only in part to hide the fact that what their doing is not condoned by Linden Labs and to make it sound like their on terms with the privacy policy, so what TheBoris Gothly quoted, has its meaning reversed by all the parts he so conveniently left out. Misrepresenting the Privacy Policy? I think that's enough for banishment from the secondlife system against both zfire xue and TheBoris Gothly right there, but as you expected. Theres more.
The secondlife terms of service specifically disallows this type of activity under the section 8.3 regardless of Privacy Policy which can be viewed here: http://secondlife.com/corporate/tos.php
8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users' functionality, invade other users' privacy, or surreptitiously or negatively impact any system or network.
You agree to respect both the integrity of the Service and the privacy of other users. You will not:
(i) Post or transmit viruses, Trojan horses, worms, spyware, time bombs, cancelbots, or other computer programming routines that may harm the Service or interests or rights of other users, or that may harvest or collect any data or personal information about other users without their consent;
(iv) Engage in malicious or disruptive conduct that impedes or interferes with other users' normal use of the Service;
with that said, It is clear, Spyware is against the secondlife Terms of service, also your probably wondering why section iv is included in the quote? It's because this tool disrupts service for snowglobe 2.0 users and if you read the xstreet page that sells this object at: https://www.xstreetsl.com/modules.php?name=Marketplace&file=item&ItemID=1175807 it becomes clear this tool is designed to cause a crash in the secondlife client quoted from the page: Ejects and TP home intruders automatically often crashing them, if your online or not, group owned land or your own! so this tool further violates the ToS because it is designed to crash a viewer by running the eject function which teleports users to the nearest place off your parcel and the teleport home function which does at it says at the same time against a targeted user.
Also another point I should make with this on the zf redzone site found at http://isellsl.ath.cx/redzone.php there are various statistics posted where as ToS 8.3 states at the end Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation. you can see just how many times the zf redzone system has violated ToS 8.3 under the section Linked IP's which is a count of how many groups of accounts its made to a target IP address, simply put you can violate ToS section 8.3 a single time and be banished from secondlife. This user has made a tool that has done it many thousands of times. I'm just waiting for the ban to happen.
Not to forget, further proof of previously made claim, that this tool is illegal and violates the law. People being scanned by this system receive no notice their being scanned and are not asked for consent which ToS 8.3 clearly states you must have but secondlife ToS is beside the point now. This Tool is illegal. The Legal Code BPC22575-22579 Prohibits this and you can view it here: http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579 zf redzone commits these violations of this law. The law requires that you present the user with a privacy Policy before gathering information on the user, and specifically protects any information that may be used to contact a person In Person or Online, your username is protected under this law.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
This law also as said before states there must be a privacy policy presented to the user information is being collected on, its setup in the zfire xues store in the sim vsevolod I've passed the security system numerous times and received no such notice it was trying to collect information on me or of its privacy Policy. From the law it is stated:
22575. (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post its privacy policy on its Web site, or in the case of an
operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An
operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified
of noncompliance.
if you viewed the previous link to the zf redzone and viewed the item discussion on xstreet the above 30 day notice has already been clearly delivered by a number of users who state this is a privacy violation and you will further see this references another section of the law:
EDIT:(the user posts have been deleted leaving gaps in the item discussion read about it here: http://treminarisecondlife.blogspot.com/2010/07/item-discussion-for-zf-redzone-censored.html I think this puts zf Redzones author and salesperson in knowledgeable and willful violation of BPC22575-22579 as they have covered up the posts pointing out that this is a privacy violation)
(b) The term "conspicuously post" with respect to a privacy policy
shall include posting the privacy policy through any of the
following:
(1) A Web page on which the actual privacy policy is posted if the
Web page is the homepage or first significant page after entering
the Web site.
(2) An icon that hyperlinks to a Web page on which the actual
privacy policy is posted, if the icon is located on the homepage or
the first significant page after entering the Web site, and if the
icon contains the word "privacy." The icon shall also use a color
that contrasts with the background color of the Web page or is
otherwise distinguishable.
(3) A text link that hyperlinks to a Web page on which the actual
privacy policy is posted, if the text link is located on the homepage
or first significant page after entering the Web site, and if the
text link does one of the following:
(A) Includes the word "privacy."
(B) Is written in capital letters equal to or greater in size than
the surrounding text.
(C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
(5) In the case of an online service, any other reasonably
accessible means of making the privacy policy available for consumers
of the online service.
given this specific part of the law the operator zfire xue, obviously cannot carry out Option 1 to give notice to users, Option 2, they must make an object visible in world that can be clicked to view the privacy policy that is noticable in world, option 3 zfire xue must make his tool message the user that is about to be scanned for alts that there is a privacy policy regarding this and the must visit a specific URL in order to view this policy. 4 pretty much covers 3 but declares hyperlinks in services that may not be able to display text links and 5 states very openly that there must be a reasonable means that you can view the privacy policy before this information is collected, and as with any terms of service or privacy policy you need to verify the user was capable of viewing the privacy policy, so at the very least, zfire xue, needs to make this tool popup a dialogue box, with an OK button on it that must be clicked before any information is collected on you. Does zf redzone do any of this? No it does not. I've passed it by several times, its being sold in the sim vsevolod and there is one setup on top of his store location which does nothing to notify me information is being collected on me. So thus hence zf redzone violates this law which is part of the california privacy protection act. Not a California resident and reading this? And wondering how your protected under this law being a California state law? See the above link to the secondlife terms of service section 12.2. it states:(7/14/2010)
You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California without regard to conflict of law principles or the United Nations Convention on the International Sale of Goods. Further, you and Linden Lab agree to submit to the exclusive jurisdiction and venue of the courts located in the City and County of San Francisco, California, except as provided in Section 12.1 regarding optional arbitration. Notwithstanding this, either party shall still be allowed to apply for injunctive or other equitable relief to protect or enforce that party's Intellectual Property Rights in any court of competent jurisdiction where the other party resides or has its principal place of business.
repeated:You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California
simply put you must follow California state law at all times and with all actions within the secondlife service((in addition to your local laws of course)) thus hence all secondlife users are protected under BPC22575-22579 in regards to events occurring related to the secondlife service. But theres more...
and finally zf redzone further violates the law BPC22575-22579 by having a deceptive privacy Policy BPC22575-22579 states:
22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.
and:
(1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information.
(2) If the operator maintains a process for an individual consumer
who uses or visits its commercial Web site or online service to
review and request changes to any of his or her personally
identifiable information that is collected through the Web site or
online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of
material changes to the operator's privacy policy for that Web site
or online service.
(4) Identify its effective date.
zf redzone fails to do all of that, and even more so the privacy policy posted on the redzone website listed above, states:(7/14/2010)[yes zfredzone does have a privacy policy the previously mentioned issue is its not made available to users being scanned at all when its required that it be made available before a scan takes place] Before or at the time of collecting personal information, we will identify the purposes for which information is being collected. ,We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned. ,We do not consider any publicly displayed secondlife information such as usernames, account age, photos displayed to the world, payment status, join date, UUID, IP, platform, viewer, group affiliations, preferred language used, time of day, timezone, region, partner name or any other secondlife information to be private.
given these all above this is taken from the privacy policy of zf redzone, it fails to identify information is even being collected or the purpose of the collection to those it collects information on. It does not acquire consent and as proved above uses unlawful means to collect the info. While a username is public information as they say they do not consider it private, as stated above, (6) Any other identifier that permits the physical or online contacting of a specific individual., despite the publicity they must gain permission to collect your username as it is contact information. This is all required by BPC22575-22579.
I find zfire xue in further violation of BPC22575-22579 on the grounds of:
22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.
The user posts a privacy policy that violates this law by claiming in their privacy policy does things which it does not do which is to cover up that they are in knowledable and willful violation of BPC22575-22579, It also makes any legal protection their privacy Policy provides them Null and Void as they did not adhere to it.
Anyhow now that I've proven one of the people using the secondlife media exploits to identify alternate accounts is violating both the secondlife terms of service, and the law. Onto the final part of this article.
An IP address is a number that identifies your network or computer over the internet, while seemingly innocent enough for use, many services protect the discovery of this information user to user for only admins to view, there are exceptions as an IP address is not private information but it can be used to discover private information on a user or identify usage habits which is private information, or discover additional contact information as described above and prohibited by the above mentioned law BPC22575-22579, once discovered, there are more sinister uses for this information. Now you may already know IP addresses for network resources can change when a resource such as a router or PC is restarted and a connection to the ISP needs to be re-established and that online services such as google acquire IP addresses all the time, an IP address is necasary to facilitate computer to computer communication over the internet, so it must be shared, this is one of many reasons users should only connect to services they trust. I've been ridiculed for my argument against redzone by forum trolls and the such, saying things like oh noes google has my IP address, google is no big deal their legit and responsible and usually answer to issues, and better than an illegitimate service such as redzone, yes its a big deal because it then gets used to uncover identifying information. And then, theres that little troll hacker in the basement of his moms home who lives in nigeria, even worse yet. While it may simply be the address used to identify your PC over the internet and can be traced to the town your ISP operates from. And not to your door, a good analagy to IP addresses is to think of them like home addresses. Also before noting the analogy, anyone with your current IP address and the right utilities can check your network for vulnerabilities.
In explanation of this analogy lets say the internet is this very earth we stand on, people represent users and online activities such as games media, structures and facilities represent web sites and services that facilitate these, and home represents your PC on the internet, the streets the network that supports it all. And your Home address the same as your IP address, while you may subscribe to a premium service that gets you the same IP address again and again for your server, lets say you live in a trailor park and your always moving going from address to address as conditions change every so often.the local college is holding a Job fair, but has had recent issues with crime, being the redneck you are your looking for something better, or just looking for something whatever. You step out of your trailer, the trailer park can be thought of as your home router, all the other residents there are other PC's connected to that address temporarily, you venture out and you go to the job fair, the college the job fair has been held at, has had some issues with a criminal stalking people breaking into their homes, doing undue harm to people and stealing their things, before entering the college since the security is stepped up your all required to get a nametag with your IP address(home address) on it so the college police if witnessing a person committing a crime can easily identify and visit suspects and victims. A cost of privacy for a little security at the campus, a person casually passes by, bumps into you and apologizes(just like a ping request) but they observe your address and take note of it, later that night after you come home you settle in, and don't realize the person while you were at the job fair surveyed your place and found the hide a key(like a security hole being found in a vulnerability scan) later that night you are attacked and fall victim to this same person cause your address was published for the college security.
While just an analogy computers over the internet that have obtained your IP address can perform vulnerability scans which oftentimes takes form of ping and many other types of requests and if your IP address is discoverable through a service, even though it was intended to be viewed by someone else your PC can be located on the internet and targeted for a vulnerability scan and vulnerabilities can be found just like the hide a key, while you may of hid the key well like setting a port to stealth mode on your router. The vulnerability was searched for in many places, and when found you had Open Ports they may have seen what OS your running and what security measures are in place in the vulnerability scan and by gathering this info identified probabilities that your using this and that, which lead them to finding the key(the messaging service you use for example) which opens up that stealth port they just figured out you use an outdated version of windows messenger because through vulnerability scans they identified your OS(your trailor in this analagy) as being windows XP home, with the scans they further identified how to contact your browser which allows them to know many things and odd setting you didnt expect people to know like your desktop resolution which is used in PHP XML, and sometimes CSS functions to identify how to properly format the web page, various functions lead to discovery of various information about you, assumptions can be made about your online activity to identify vulnerabilities in your system. If a advertiser uses a vulnerability scan and finds signs of gaming software, and a PC running in only 800x600 they can pester and spam an email address they discovered using illegitimate means with ad's to get you a better video card, other scenarios can be potentially embarassing.
Like for example Lets say you work for a net firm, and they like to connect with gamers, one of the jobs duties may be to connect to secondlife and try to make a sale on the users there and you like to work extra hard to make that sale, you go home, and login to secondlife from your business alt. While in your business alt you use the service from your bosses location, lets say he rezzed zf redzone. He discovers your personal account, which happens to be a furry(or replace furry with your less understood side and the unusual attributes) and your character has tenticles and all sorts of other naughty features, that are your own personal business, you go into work the next day and receive the pink slip of doom, when you ask why? Your boss says I've seen that episode of CSI with the fursuiters and I know you like to screw animals you sick [expletive deleted], you just lost your job because of your own personal business thats your business and nobody elses, because zf redzone helped your boss peer into your private life and a little misinformation from a myth created by a TV show. Pretty lame isnt it?
I dont know zf redzones complete method for identifying a secondlife name, to an IP address as there are many potential methods to do so and I dont have my hand in the code however I do know its done by linking an IP address to an avatar name in the secondlife service, thats the only way it can be done. As media functions in secondlife reveal IP address and the viewer nor the service make alternate accounts discoverable. It could be just simply comparing who entered the parcel and when a stream was accessed and looking at shoutcast streams IP address list and tagging the newest IP on the list with the avatar name and submitting it to the redzone service, this method is inaccurate but would yield the information redzone seeks, zf redzone could temporarily change the parcel media to direct to a website as a user enters a parcel and have the extension of the web address match the name like exampleIPLoggingsite.com/Treminari/Huet while this method is inaccurate it would yield results, or it could just be simply singling out lone people on parcels and checking to see if one person is tuned into the stream and assuming the person on the secondlife parcel is one in the same, another inaccurate method, there are methods and tests and procedures to determining an IP address of a secondlife user with media enabled with 100% accuracy, and secondlife shared media feature titled media on a prim that allows more flexibility in acquiring an IP address, higher accuracy, easier to perform, and dont require land. While I doubt zf redzone uses this method one thing is certain, it uses IP addresses tagged with avatar names and recent comparisons of the address to identify an alt. You can combine the above methods in various ways to achieve higher accuracy using these inaccurate methods but, there are several disturbingly simple easy to perform methods which will get you the IP address of a user through parcel or media on a prim with 100% accuracy, which I must leave unnamed and undescribed as to not promote them, im sure many of these methods could be used to improve redzones accuracy in discovering it but I dont promote the illegal activities of zfire xue and theBoris gothly with the redzone utility.
Given that someone can get your IP address, through shared media, even if you dont take your privacy seriously or feel you have nothing to hide from you should still take the IP discoverability issue with secondlife media seriously. Though non documented, a vulnerability scan as mentioned before can be used to assess the security state of a discovered users PC and determine weak points in the security(maybe their running a dated version of VNC that allows remote control of their PC for when they go to the office, and has an 8 character length limit for the password that can easily be entered via brute force password scanning) whatever the vulnerabilitiy of the system IP discoverability in secondlife, makes the vulnerability discoverable. User to user, and allows the user to know just who their targeting for attack.
Theres things the lindens can do to fix this, but that would be expensive and unreasonable such as providing every sim a proxy server, or making all sims act as a proxy server, and through flash and java exploits could circumvent these methods. There are things Linden Labs can do that is inexpensive to Mitigate reduce and nearly eliminate privacy and vulnerability issues with secondlife media. First off, they need to take abuse reports seriously, the report field needs to be longer in abuse reports so people can site their resources in proving a case of spyware, even keeping things brief in description there are so many things you need to say to prove it to the lindens. Also they need to start answering to reports of spyware, when an AR failed I submitted it into a support ticket, both lindens responding to that ticket ignored it and did nothing but yap. Also reporting items on xstreet using the report item button needs to be taken more serious your limited to 255 characters in your typed report on xstreet. Also you cannot report an item that has been reported and not investigated yet, you will get an error message saying a report for this item already exists. While you may have been going to file a report saying this item uses media exploits to log IP address to avatar name to make alternate accounts discoverable, some idiot who has no business using the system may have just clicked report, and wrote in this item violated me and do little to nothing to say the incursion which in turn prevents your report, if I was to make an unethical tool such as this I could very well make an alt, and clog the report item system daily against my item so others couldn't report it. Linden Labs Needs to investigate spyware claims, and take users more serious, and they also need to allow multiple people to file a report against an xstreet item just like an object on the grid. Also Linden Labs needs to bring back the warning message that I used to see back in viewer 1.16 or was it 1.18? that tells you when you turn on a stream for the first time and warns you it makes your system discoverable and your IP viewable, doesn't have to give a big disclaimer, but it needs to remind people and allow them to decide for themselves that media can make their PC discoverable and decide what their risks are in using it, the message should be like, warning:using media makes your computers IP address available outside of secondlife, and that addresses can be directed by scripted means, only utilize streams in locations that you trust, Linden labs is not responsible for the actions of other users its a clear concise message which will concern those who need to be concerned and give them a heads up, they can research the topic further if their scared. Also the new web on a Prim feature gives griefers and spyware makers more flexibility in exploiting shared media, there are things that can be done to limit discoverability, by default this options is completely on, and you can turn it off but only completely. There is an option to only load websites on prims when you give the OK but it is easily circumvented(can be disabled by clicking Me > preferences > Sound & Media, and unchecking allow media to auto-play). However if you've been around secondlife you've noticed people can deform your avatar and if your knowledgeable of the method their doing it by gaining animation permissions on you through an object that sits on click and having that object follow your avatar around to load the animation as soon as you click the wrong place and the object often self deletes once its dirty deed is done, there are other methods to performing this attack on users but this is beside the point of this post, the same way they can trick you into sitting on a derformer, you can be tricked into playing shared media, all it takes is a prim set to 100% alpha to follow your avatar around and then load the media exploit all in the same way. Why does this work though? Because all it takes is a single left click to play the media on a prim so turning off autoplay can easily be circumvented, since linden labs does nothing to fix it, and there is plenty of fixes in the Jira suggested none of which they've acted on Ill put in my word here, add the play button for a media source to the right mouse button and dont play media that becomes left clicked. SIMPLE! This obscenely simple fix will mitigate the issue with this method greatly, also many don't know this because its burried away but in the top right corner of the screen in secondlife 2.0 if you mouse over the play button with auto play disabled, a tool bar will pop up that contains a more button, press this button and you will get a display of all the URL's prims are attempting to load around you, this will let you view site addresses before letting them display in your viewer, however here in lyes another serious issue there are 2 buttons one to stop/play the selected item on that list, and another to automatically draw your camera focus to that object, whats the problem? The one that draws your camera focus to the selected item also automatically plays that item. So if you see something suspicious on your land like the URL www.exampleexploitsitehere.com and you click to give focus to that item in trying to locate it, you just also gave it permission to display in your viewer, when you may of just been trying to locate the object displaying the malicious site, you just loaded it on your PC ouch. Linden Labs can fix this simple to just make the buttons do their individual functions and not the function of the other one as well.
I myself defend myself from this I don't use the linden viewer for any purpose beyond my education on it as the interface is poor and with the half thought out security option to disable autoplay viewer 2.0 is more vulnerable to this exploit. I use emerald. Yes I know the team that worked on it did use the media exploit too, no theres nothing I myself have found in their viewer to spy on the user, for a safer more secure secondlife experience, you should use a mature well developed viewer based on secondlife 1.23 such Hippo Opensim or emerald(there are others) and you should disable media, and there is another exploit in the viewer that actually allows you to protect yourself more. Secondlife 1.23 does not allow users to see the stream URL they connect to. However in the advanced menu(ctrl+Alt+D) if the media URL is hidden you can select the option show admin options while attempting to use the admin options that become revealed will be logged in some cases by Linden Labs there is one advantage, by clicking the location name on the top of your screen and bringing up the land information you can see what the media URL is for that location and make your decision whether or not the URL should connect to your PC then(of course I recommend turning this off as soon as your done) and from here you can paste this URL into the play URL option for your favorite media player Like Windows Media Player, Winamp, XMMS, or whatever you prefer to use. Taking this extra step after disabling media completely in your viewer increases your security by allowing you not to accidentally play a media stream in secondlifes viewer whether it be accidentally hitting play or turning automatic play on, it also makes you more secure against objects that may temporarily switch the media option for a really brief moment to discover IPs of those connected.
Aside from how to defend yourself you the reader is probably wondering, How you can make a difference in the media issues with secondlife, there are several things you can do to help:
-Educate Other secondlife users about these exploits, refer them to this blog Post
-Visit http://jira.secondlife.com/secure/Dashboard.jspa and educate yourself about the Jira, search it for issues related to the media problem that suggest a fix, I myself am still trying to decide which to vote for. As theres several suggestions as to how to make viewer 2.0 safer
-If you visit the secondlife Jira Linked above and have a better solution than those proposed, observe how to create a Jira article, and write your solution and encourage others to vote for it.
-Don t give people the information their looking for, don't just leave the streaming media on full time, turn it off always when not in use.
-Don t visit sites or buy products that claim to give you information on another secondlife user or claim they can effect the user off the grid or detect anything secondlife doesn't normally allow you to do yourself.
Things you can do about current infractions against your privacy on secondlife:
-Visit http://www.ftc.gov/ftc/contact.shtm or http://www.ic3.gov/complaint/default.aspx and report spyware authors that violate the law. Remember as stated earlier under this article all users using the secondlife service are protected by the California Privacy Protection act which BPC22575-22579 defines, the FTC link is obviously to the FTC, and the IC3 Link is to the FBI's internet crime department, both deal in issues of spyware.
-Use the report item Button in xstreet and file a report item complaint against spyware for a terms of service violation 8.3, and when writing the report site what you know about the spyware and resources that prove its spyware.
-visit the location of known spyware while protecting yourself from it by disabling media and use the report abuse button on the offending object, report spyware you see rezzed and vending systems that sell it such as the vendor for zf redzone in vsevolod/182/49/113(there is a spyware vendor for the zf redzone system as well as the spyware security orb there itself on top of the building with the vendors)
Edit:just lovely I see the text editor I started writing this in dropped out all my quotation marks when I copied it to here!
Edit: looked at the Item Discussion found another part of the privacy Policy TheBoris Gothly and zfire xue are hiding behind will post it below here as not to disrupt my Original article:
from the item discussion at 2010-05-08 12:17:57:
we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data.
Lets look at that in whole shall we?:
Third Party Advertisements
Linden Lab participates in ad and/or affiliate networks operated by various third party companies. These companies collect and may use certain anonymous information about your visits to our Websites as a function of referring Internet traffic to our Websites. We do not permit these companies to collect any personal information about you, such as your name, address, or email address; however, we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data. If you seek information about these specialized advertising technologies, the Network Advertising Initiative offers useful information about Internet advertising companies (also called "ad networks" or "network advertisers"), including information about how to opt-out of their information collection.
Lets Explain it shall we? first off, this is the advertising Policy, a Policy in regards to advertisements only. It also says the companies may collect and use certain information. so obviously in certain information this is information released by Linden Labs you can view this here btw: http://secondlife.com/corporate/privacy.php and the 2 previous paragraphs pretty much limit information collected to website visits and lindex exchange, and disallow personal information which as defined by BPC22575-22579 is account names held as they are contact information, while this paragraph permits collection of IP address it does not permit use of this to datamine a user and lets look into the big part of this that they hide behind
These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites
ok first off the information must remain anonymous, it is contact information that is being collected not completely anonymous by any standard, so that's a violation of the privacy policy, second off it pertains to information collected about visits to the websites operated by Linden Labs like visiting secondlife.com, and as said before its an advertising policy, this policy permits advertisers to set up properly targeted ads, much in the same way googles ad sense works where as advertisements can be properly directed(so they can match IP address to search terms), this also pertains to xstreet. ever notice how that advertisement banner at the top of the search usually has something related to what your searching for vaguely related to an item in the search? this policy is to assist in the operation of functions like that. also aside from this, the information being collected on you by zfire xue and his redzone system has no method of opt out oh and something else I totally forgot to mention, which this privacy policy states, is this guy an affiliate of Linden Labs? I don't think so. If he was I think he would understand the privacy policy a little better and know that this section pertains solely to advertising, but as with any other part of the policy he quotes he conveniently leaves stuff out, he is in knowledgeable violation of it as you can see above he conveniently leaves parts out which is clearly intentional. A business affiliate of Linden Labs would not do this because they know they can be sued by both Linden Labs and the userbase they effected. In which bbrings me to another part of the terms of Service:
8.2 You will not post or transmit prohibited Content, including any Content that is illegal, harassing or violates any person's rights.
in accordance with BPC22575-22579 since Linden Labs operates out of california which specifically makes spyware illegal as it falls under the protection of BPC22575-22579 aside from violating our rights the content of zf redzone is specifically illegal
(i) Post, display or transmit Content that violates any law, or the rights of any third party including without limitation Intellectual Property Rights;
(ii) Impersonate any person or entity without their consent, or otherwise misrepresent your affiliation;
hes misrepresenting his affiliation obviously, hes obviously violating our right to privacy and hes obviosly breaking the law in doing so as ive touched on a many of times in this article BPC22575-22579.
(iv) Post, display or transmit Content that is harmful, threatening or harassing, defamatory, libelous, false, inaccurate, misleading, or invades another person's privacy;
nuff said that's covered in section 8.3 which I kept saying but all in all the zf redzone product invades user privacy
and yet again under section 8.2 as with section 8.3:
Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation.
Wednesday, July 14, 2010
Preface
This blog is mostly going to be about my secondlife experience, I may voice opinions about on-goings in secondlife and events that occur, Objects I find, or projects Im working on. If the subject is controversial I generally have a strong opinion on it and good reasoning for that opinion whether I voice it or not, and I may choose not to voice my reasoning for the opinion for various reasons such as to avoid making this blog a how to do negative things in secondlife, so Criticism in comments is generally going to be considered unwelcome within this blog. I may post links to my findings or promote or do the opposite of certain subjects within secondlife, Also I may touch upon subjects of various adult nature like is common place in secondlife, so this blog is set to adult.
Subscribe to:
Posts (Atom)