Thursday, July 15, 2010

Spyware... ToS and Legal Violation in Second Life, and why you should be concerned

Warning: This post is filled with sloppy writing that is only meant to get a point across, dry legal issues, references to ToS and legal violations, and attempts to prove something that are probably redundant in proving the point made. Beware, poor grammar ahead.

It has come to my attention that security issues with media in Second Life have become a serious problem, and many users downplay these security issues. In this post I am going to write mostly about a tool that commits these security exploits, the issues surrounding it, its creator and its legality. I am also going to write about other things that can be done with the exploit mentioned; many of the cases outside the discussion of the tool are undocumented, but they are potential threats to Second Life and its users.

A while back I discovered a security orb tool that claims to ban copybotters and their alts. Well now, how do they do this? Are they getting my information? Pulling it from my PC? Are they invading my privacy? Is this legal? Many people are familiar with such a tool, and when I discuss it they often mention another tool I have yet to look into, titled CDS. The tool I am discussing is called zf redzone and is published by a zfire xue. To answer the questions above: it uses Second Life media functions to obtain the IP addresses of avatars and compares them, searching for avatars with a matching IP address. They are gathering information on you such as your alternate accounts. There are rumors that this tool scans your hard drive to locate information on you, but that is most likely an exaggeration of its functionality. The information is not pulled from your PC; it is gained from the nearest routing point they can reach, which is your home router, so when they identify your alts, others you share a residence with will often be included. Yes, they are invading your privacy, as they are collecting information about you without your knowledge or consent. It is illegal under the Second Life Terms of Service and under the law: Second Life Terms of Service section 8.3 specifically disallows the use of spyware, and the tool violates the California privacy protection act, a law designed to protect any systems within California. Linden Lab being a California-based company and the spyware residing on their servers means that all Second Life residents are protected under the California privacy protection act; specifically, BPC22575-22579 protects you and Linden Lab's servers. And to top it all off: you and your alt or roommate may never visit the same locations in Second Life? Guess what? It is a distributed system that uses web functions to log this information, so your alts may be identified even if they never cross the same point, so long as both are scanned by the zf redzone system.
Is this system 120% accurate, as the author claims? No, it is not. Since it works based on IP, it can identify roommates, or people whose accounts you log into to assist, as alts; and if you log in from a college or dormitory connection, to zf redzone it may look like you have hundreds of alts. Which brings up another function of this tool: client detection. If it detects a copybot, it bans the user and their alts. Is its copybot protection 100% accurate? No! Any copybot with media off can evade it, and any Snowglobe 2.0 user appears to be a copybot to this system. Anyhow, Snowglobe users are probably reading this and wondering why this thing has not banned them for Snowglobe use. If you are, do your research on the viewer you are using! Anyone who knows much of anything about alternate Second Life viewers and Snowglobe should know that Snowglobe has two major distributions, Snowglobe 1.3 (based on Second Life 1.23) and Snowglobe 2.0 (based on Second Life 2.0). Both viewers are inherently different and are the same in name only, as they come from different codebases; so when zf redzone detects Snowglobe, it is detecting the use of Snowglobe 1.3. Please see this link regarding a user who contacted zfire xue about this nasty issue, and the ignorant response he was given: Obviously the creator does not acknowledge that his system has a flaw and therefore will do nothing to fix it.

Now on to the reason this upsets me. Upon viewing this spyware for sale on xstreet I contacted the seller, what I suspect is an alternate account known as TheBoris Gothly, and inquired about what it did. The inquiry led me to find that the user has no consideration for the privacy of others or the potential misuse of the system. When I interviewed the user he quoted the Privacy Policy of Linden Lab and conveniently neglected the parts that did not fit his misuse of the service. He quoted:
some services operated by Second Life users may provide content that is accessed through and located on third party (non-Linden Lab) servers that may log IP addresses.

However, he conveniently left out the preceding part, which makes clear this is only an example of what users are capable of, and which immediately precedes the quoted sentence:

For instance,

And he also conveniently left out the purpose of that part of the Privacy Policy:

Certain account information is displayed to other users in your Second Life profile, and may be available through automated script calls and application program interfaces. This information includes your account name, account type, the date your account was established, whether or not you are currently online, user rating information, group and partner information, and whether or not you have established a payment account or transaction history with Linden Lab. Further, you agree and understand that Linden Lab does not control and is not responsible for information, privacy or security practices concerning data that you provide to, or that may otherwise be collected by, Second Life users other than Linden Lab.

Want to see the Privacy Policy quoted here in whole? View it here: (7/14/2010)

With that stated, the privacy policy as a whole means that Linden Lab shall in no way be held responsible for information you include in your profile, and shall not be held responsible for data mining schemes of other users like the one described here as an example. So if someone hides behind the privacy policy and quotes only part of the example scenario, to hide the fact that what they are doing is not condoned by Linden Lab and to make it sound like they are in line with the privacy policy, then what TheBoris Gothly quoted has its meaning reversed by all the parts he so conveniently left out. Misrepresenting the Privacy Policy? I think that is enough for banishment from the Second Life system for both zfire xue and TheBoris Gothly right there, but as you expected, there is more.

The Second Life Terms of Service specifically disallow this type of activity under section 8.3, regardless of the Privacy Policy. The ToS can be viewed here:

8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users' functionality, invade other users' privacy, or surreptitiously or negatively impact any system or network.
You agree to respect both the integrity of the Service and the privacy of other users. You will not:

(i) Post or transmit viruses, Trojan horses, worms, spyware, time bombs, cancelbots, or other computer programming routines that may harm the Service or interests or rights of other users, or that may harvest or collect any data or personal information about other users without their consent;

(iv) Engage in malicious or disruptive conduct that impedes or interferes with other users' normal use of the Service;

With that said, it is clear: spyware is against the Second Life Terms of Service. You are probably also wondering why section (iv) is included in the quote. It is because this tool disrupts service for Snowglobe 2.0 users, and if you read the xstreet page that sells this object at: it becomes clear this tool is designed to cause a crash in the Second Life client. Quoted from the page: "Ejects and TP home intruders automatically often crashing them, if your online or not, group owned land or your own!" So this tool further violates the ToS because it is designed to crash a viewer by running the eject function, which teleports users to the nearest place off your parcel, and the teleport home function, which does what it says, at the same time against a targeted user.

Another point I should make: on the zf redzone site, found at there are various statistics posted. ToS 8.3 states at the end: "Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation." You can see just how many times the zf redzone system has violated ToS 8.3 under the section "Linked IP's", which is a count of how many groups of accounts it has linked to a target IP address. Simply put, you can violate ToS section 8.3 a single time and be banished from Second Life. This user has made a tool that has done it many thousands of times. I am just waiting for the ban to happen.

Not to forget, here is further proof of the claim made earlier that this tool is illegal and violates the law. People being scanned by this system receive no notice that they are being scanned and are not asked for consent, which ToS 8.3 clearly states you must have; but the Second Life ToS is beside the point now. This tool is illegal. The legal code BPC22575-22579 prohibits this, and you can view it here: zf redzone commits violations of this law. The law requires that you present the user with a privacy policy before gathering information on the user, and specifically protects any information that may be used to contact a person in person or online; your username is protected under this law.

(6) Any other identifier that permits the physical or online contacting of a specific individual.

This law also, as said before, states that a privacy policy must be presented to the user on whom information is being collected. The tool is set up in zfire xue's store in the sim vsevolod; I have passed the security system numerous times and received no such notice that it was trying to collect information on me, nor any notice of its privacy policy. From the law it is stated:

22575. (a) An operator of a commercial Web site or online service
that collects personally identifiable information through the
Internet about individual consumers residing in California who use or
visit its commercial Web site or online service shall conspicuously
post its privacy policy on its Web site, or in the case of an
operator of an online service, make that policy available in
accordance with paragraph (5) of subdivision (b) of Section 22577. An
operator shall be in violation of this subdivision only if the
operator fails to post its policy within 30 days after being notified
of noncompliance.

If you viewed the previous link to zf redzone and viewed the item discussion on xstreet, the above 30-day notice has already been clearly delivered by a number of users who state that this is a privacy violation, and you will further see that this references another section of the law:

EDIT: (The user posts have been deleted, leaving gaps in the item discussion; read about it here: I think this puts zf redzone's author and salesperson in knowing and willful violation of BPC22575-22579, as they have covered up the posts pointing out that this is a privacy violation.)

(b) The term "conspicuously post" with respect to a privacy policy
shall include posting the privacy policy through any of the following:
(1) A Web page on which the actual privacy policy is posted if the
Web page is the homepage or first significant page after entering
the Web site.
(2) An icon that hyperlinks to a Web page on which the actual
privacy policy is posted, if the icon is located on the homepage or
the first significant page after entering the Web site, and if the
icon contains the word "privacy." The icon shall also use a color
that contrasts with the background color of the Web page or is
otherwise distinguishable.
(3) A text link that hyperlinks to a Web page on which the actual
privacy policy is posted, if the text link is located on the homepage
or first significant page after entering the Web site, and if the
text link does one of the following:
(A) Includes the word "privacy."
(B) Is written in capital letters equal to or greater in size than
the surrounding text.
(C) Is written in larger type than the surrounding text, or in
contrasting type, font, or color to the surrounding text of the same
size, or set off from the surrounding text of the same size by
symbols or other marks that call attention to the language.
(4) Any other functional hyperlink that is so displayed that a
reasonable person would notice it.
(5) In the case of an online service, any other reasonably
accessible means of making the privacy policy available for consumers
of the online service.

Given this specific part of the law, the operator zfire xue obviously cannot carry out option 1 to give notice to users. For option 2, they must make an object, noticeable in-world, that can be clicked to view the privacy policy. For option 3, zfire xue must make his tool message the user who is about to be scanned for alts that there is a privacy policy regarding this and that they must visit a specific URL in order to view this policy. Option 4 pretty much covers option 3 but allows for hyperlinks in services that may not be able to display text links, and option 5 states very openly that there must be a reasonable means by which you can view the privacy policy before this information is collected. As with any terms of service or privacy policy, you need to verify that the user was capable of viewing the privacy policy, so at the very least zfire xue needs to make this tool pop up a dialog box with an OK button that must be clicked before any information is collected on you. Does zf redzone do any of this? No, it does not. I have passed it several times; it is being sold in the sim vsevolod, and there is one set up on top of his store location which does nothing to notify me that information is being collected on me. Hence zf redzone violates this law, which is part of the California privacy protection act. Not a California resident and reading this, and wondering how you are protected under a California state law? See the above link to the Second Life Terms of Service, section 12.2. It states (7/14/2010):

You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California without regard to conflict of law principles or the United Nations Convention on the International Sale of Goods. Further, you and Linden Lab agree to submit to the exclusive jurisdiction and venue of the courts located in the City and County of San Francisco, California, except as provided in Section 12.1 regarding optional arbitration. Notwithstanding this, either party shall still be allowed to apply for injunctive or other equitable relief to protect or enforce that party's Intellectual Property Rights in any court of competent jurisdiction where the other party resides or has its principal place of business.

Repeated: You agree that this Agreement and the relationship between you and Linden Lab shall be governed by the laws of the State of California

Simply put, you must follow California state law at all times and with all actions within the Second Life service (in addition to your local laws, of course); hence all Second Life users are protected under BPC22575-22579 in regards to events related to the Second Life service. But there is more...

And finally, zf redzone further violates BPC22575-22579 by having a deceptive privacy policy. BPC22575-22579 states:

22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.


(1) Identify the categories of personally identifiable information
that the operator collects through the Web site or online service
about individual consumers who use or visit its commercial Web site
or online service and the categories of third-party persons or
entities with whom the operator may share that personally
identifiable information.
(2) If the operator maintains a process for an individual consumer
who uses or visits its commercial Web site or online service to
review and request changes to any of his or her personally
identifiable information that is collected through the Web site or
online service, provide a description of that process.
(3) Describe the process by which the operator notifies consumers
who use or visit its commercial Web site or online service of
material changes to the operator's privacy policy for that Web site
or online service.
(4) Identify its effective date.

zf redzone fails to do all of that, and even more so, the privacy policy posted on the redzone website listed above states (7/14/2010) [yes, zf redzone does have a privacy policy; the previously mentioned issue is that it is not made available to users being scanned at all, when the law requires that it be made available before a scan takes place]: "Before or at the time of collecting personal information, we will identify the purposes for which information is being collected." "We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned." "We do not consider any publicly displayed secondlife information such as usernames, account age, photos displayed to the world, payment status, join date, UUID, IP, platform, viewer, group affiliations, preferred language used, time of day, timezone, region, partner name or any other secondlife information to be private."

Given all of the above, taken from the privacy policy of zf redzone, it fails to identify to those it collects information on that information is even being collected, or the purpose of the collection. It does not acquire consent and, as shown above, uses unlawful means to collect the information. While a username is public information, and they say they do not consider it private, as stated above in "(6) Any other identifier that permits the physical or online contacting of a specific individual.", despite its public nature they must gain permission to collect your username, as it is contact information. This is all required by BPC22575-22579.

I find zfire xue in further violation of BPC22575-22579 on the grounds of:

22576. An operator of a commercial Web site or online service that
collects personally identifiable information through the Web site or
online service from individual consumers who use or visit the
commercial Web site or online service and who reside in California
shall be in violation of this section if the operator fails to comply
with the provisions of Section 22575 or with the provisions of its
posted privacy policy in either of the following ways:
(a) Knowingly and willfully.
(b) Negligently and materially.

The user posts a privacy policy that violates this law by claiming in that privacy policy to do things which it does not do, which serves to cover up that they are in knowing and willful violation of BPC22575-22579. It also makes any legal protection their privacy policy provides them null and void, as they did not adhere to it.

Anyhow, now that I have proven that one of the people using the Second Life media exploits to identify alternate accounts is violating both the Second Life Terms of Service and the law, on to the final part of this article.

An IP address is a number that identifies your network or computer over the internet. While it seems innocent enough, many services restrict the discovery of this information from user to user so that only admins can view it. There are exceptions, as an IP address is not private information, but it can be used to discover private information about a user, to identify usage habits (which is private information), or to discover additional contact information as described above and prohibited by the law mentioned above, BPC22575-22579. Once discovered, there are more sinister uses for this information. Now, you may already know that IP addresses for network resources can change when a resource such as a router or PC is restarted and a connection to the ISP needs to be re-established, and that online services such as Google acquire IP addresses all the time; an IP address is necessary to facilitate computer-to-computer communication over the internet, so it must be shared. This is one of many reasons users should only connect to services they trust. I have been ridiculed for my argument against redzone by forum trolls and the like, saying things like "oh noes, Google has my IP address". Google is no big deal; they are legitimate and responsible, usually answer to issues, and are better than an illegitimate service such as redzone. Yes, it is a big deal, because the address then gets used to uncover identifying information. And then there is that little troll hacker in the basement of his mom's home in Nigeria, even worse yet. While it may simply be the address used to identify your PC over the internet, and can be traced to the town your ISP operates from and not to your door, a good analogy for IP addresses is to think of them like home addresses. Also, before getting to the analogy: anyone with your current IP address and the right utilities can check your network for vulnerabilities.

To explain this analogy, let's say the internet is the very earth we stand on. People represent users; online activities such as games and media, and the structures and facilities that host them, represent web sites and the services that facilitate these; home represents your PC on the internet; and the streets are the network that supports it all. Your home address is the same as your IP address. While you may subscribe to a premium service that gets you the same IP address again and again for your server, let's say you live in a trailer park and you are always moving from address to address as conditions change every so often. The local college is holding a job fair but has had recent issues with crime. Being the redneck you are, you are looking for something better, or just looking for something, whatever. You step out of your trailer; the trailer park can be thought of as your home router, and all the other residents there are other PCs connected to that address temporarily. You venture out and go to the job fair. The college the job fair is held at has had some issues with a criminal stalking people, breaking into their homes, doing undue harm to people and stealing their things, so before entering the college, since security is stepped up, you are all required to get a nametag with your IP address (home address) on it, so that if the college police witness a person committing a crime they can easily identify and visit suspects and victims. A cost of privacy for a little security at the campus. A person casually passes by, bumps into you and apologizes (just like a ping request), but they observe your address and take note of it. Later that night, after you come home and settle in, you don't realize that this person surveyed your place while you were at the job fair and found the hide-a-key (like a security hole being found in a vulnerability scan). Later that night you are attacked and fall victim to this same person, because your address was published for the college security.

While this is just an analogy, computers on the internet that have obtained your IP address can perform vulnerability scans, which often take the form of ping and many other types of requests. If your IP address is discoverable through a service, even though it was intended to be viewed by someone else, your PC can be located on the internet and targeted for a vulnerability scan, and vulnerabilities can be found just like the hide-a-key. You may have hidden the key well, like setting a port to stealth mode on your router, but the vulnerability was searched for in many places, and when open ports were found they may have seen what OS you are running and what security measures are in place. By gathering this information in the vulnerability scan they identify the probability that you are using this and that, which leads them to finding the key (the messaging service you use, for example) which opens up that stealth port: they just figured out you use an outdated version of Windows Messenger because through vulnerability scans they identified your OS (your trailer in this analogy) as Windows XP Home. With the scans they further identified how to contact your browser, which allows them to know many things and odd settings you did not expect people to know, like your desktop resolution, which is used in PHP, XML and sometimes CSS functions to identify how to properly format the web page. Various functions lead to the discovery of various information about you, and assumptions can be made about your online activity to identify vulnerabilities in your system. If an advertiser uses a vulnerability scan and finds signs of gaming software and a PC running in only 800x600, they can pester and spam an email address they discovered using illegitimate means with ads to get you a better video card; other scenarios can be potentially embarrassing.

For example, let's say you work for a net firm that likes to connect with gamers. One of the job's duties may be to connect to Second Life and try to make a sale to the users there, and you like to work extra hard to make that sale, so you go home and log in to Second Life from your business alt. While on your business alt you use the service from your boss's location; let's say he rezzed zf redzone. He discovers your personal account, which happens to be a furry (or replace furry with your less understood side and its unusual attributes), and your character has tentacles and all sorts of other naughty features that are your own personal business. You go into work the next day and receive the pink slip of doom. When you ask why, your boss says "I've seen that episode of CSI with the fursuiters and I know you like to screw animals, you sick [expletive deleted]". You just lost your job because of your own personal business, which is your business and nobody else's, because zf redzone helped your boss peer into your private life, with a little misinformation from a myth created by a TV show. Pretty lame, isn't it?

I do not know zf redzone's complete method for identifying a Second Life name to an IP address, as there are many potential methods to do so and I do not have my hands in the code. However, I do know it is done by linking an IP address to an avatar name in the Second Life service; that is the only way it can be done, as media functions in Second Life reveal IP addresses, and neither the viewer nor the service make alternate accounts discoverable. It could simply be comparing who entered the parcel and when a stream was accessed, looking at a Shoutcast stream's IP address list, tagging the newest IP on the list with the avatar name and submitting it to the redzone service; this method is inaccurate but would yield the information redzone seeks. zf redzone could temporarily change the parcel media to direct to a website as a user enters a parcel and have the extension of the web address match the name, like ; while this method is inaccurate, it would yield results. Or it could simply be singling out lone people on parcels and checking to see if one person is tuned into the stream, assuming that person and the one on the Second Life parcel are one and the same, another inaccurate method. There are methods, tests and procedures for determining the IP address of a Second Life user with media enabled with 100% accuracy, and the Second Life shared media feature, titled media on a prim, allows more flexibility in acquiring an IP address, with higher accuracy, is easier to perform, and does not require land. While I doubt zf redzone uses this method, one thing is certain: it uses IP addresses tagged with avatar names and recent comparisons of those addresses to identify an alt.
You can combine the above methods in various ways to achieve higher accuracy using these inaccurate methods, but there are several disturbingly simple, easy to perform methods which will get you the IP address of a user through parcel media or media on a prim with 100% accuracy, which I must leave unnamed and undescribed so as not to promote them. I am sure many of these methods could be used to improve redzone's accuracy in discovering it, but I do not promote the illegal activities of zfire xue and TheBoris Gothly with the redzone utility.

Given that someone can get your IP address through shared media, even if you do not take your privacy seriously or feel you have nothing to hide, you should still take the IP discoverability issue with Second Life media seriously. Though undocumented, a vulnerability scan as mentioned before can be used to assess the security state of a discovered user's PC and determine weak points in its security (maybe they are running a dated version of VNC that allows remote control of their PC for when they go to the office, and has an 8-character length limit for the password that can easily be entered via brute force password scanning). Whatever the vulnerability of the system, IP discoverability in Second Life makes the vulnerability discoverable user to user, and lets the user know just who they are targeting for attack.

There are things the Lindens could do to fix this that would be expensive and unreasonable, such as providing every sim a proxy server or making all sims act as a proxy server, and Flash and Java exploits could circumvent these methods anyway. There are things Linden Lab can do that are inexpensive to mitigate, reduce and nearly eliminate the privacy and vulnerability issues with Second Life media. First off, they need to take abuse reports seriously: the report field in abuse reports needs to be longer so people can cite their sources in proving a case of spyware; even keeping the description brief, there are so many things you need to say to prove it to the Lindens. They also need to start answering reports of spyware. When an AR failed I submitted it in a support ticket, and both Lindens responding to that ticket ignored it and did nothing but yap. Reporting items on xstreet using the report item button also needs to be taken more seriously; you are limited to 255 characters in your typed report on xstreet. Also, you cannot report an item that has already been reported and not yet investigated; you will get an error message saying a report for this item already exists. While you may have been going to file a report saying this item uses media exploits to log IP addresses to avatar names to make alternate accounts discoverable, some idiot who has no business using the system may have just clicked report and written "this item violated me", doing little to nothing to describe the incursion, which in turn prevents your report. If I were to make an unethical tool such as this, I could very well make an alt and clog the report item system daily against my item so others could not report it. Linden Lab needs to investigate spyware claims, take users more seriously, and allow multiple people to file a report against an xstreet item, just like an object on the grid.
Linden Lab also needs to bring back the warning message that I used to see back in viewer 1.16 (or was it 1.18?) that tells you, when you turn on a stream for the first time, that it makes your system discoverable and your IP viewable. It does not have to be a big disclaimer, but it needs to remind people that media can make their PC discoverable and allow them to decide for themselves what their risks are in using it. The message should be something like: "Warning: using media makes your computer's IP address available outside of Second Life, and addresses can be directed by scripted means. Only use streams in locations that you trust. Linden Lab is not responsible for the actions of other users." It is a clear, concise message which will concern those who need to be concerned and give them a heads up; they can research the topic further if they are scared. Also, the new web on a prim feature gives griefers and spyware makers more flexibility in exploiting shared media. There are things that can be done to limit discoverability: by default this option is completely on, and you can turn it off, but only completely. There is an option to only load websites on prims when you give the OK, but it is easily circumvented (auto-play can be disabled by clicking Me > Preferences > Sound & Media and unchecking "allow media to auto-play").
However, if you've been around secondlife you've noticed that people can deform your avatar. If you know the method, they do it by gaining animation permissions on you through an object that is set to sit-on-click and follows your avatar around, loading the animation as soon as you click in the wrong place; the object often deletes itself once its dirty deed is done. There are other ways to perform this attack on users, but that is beside the point of this post: the same way you can be tricked into sitting on a deformer, you can be tricked into playing shared media. All it takes is a prim set to 100% alpha that follows your avatar around and then loads the media exploit in exactly the same way. Why does this work? Because a single left click plays the media on a prim, so turning off autoplay is easily circumvented. Since Linden Labs does nothing to fix it, and there are plenty of fixes suggested in the Jira that they have not acted on, I'll put in my word here: put the play button for a media source on the right mouse button and don't play media that gets left-clicked. SIMPLE! This obscenely simple fix would greatly mitigate this method. Also, many don't know this because it is buried away, but in the top right corner of the screen in secondlife 2.0, if you mouse over the play button with autoplay disabled, a toolbar pops up containing a "more" button. Press it and you get a list of all the URLs that prims around you are attempting to load, which lets you view site addresses before letting them display in your viewer. However, here lies another serious issue: there are two buttons, one to stop/play the selected item on that list, and another to automatically draw your camera focus to that object. What's the problem? The one that draws your camera focus to the selected item also automatically plays it.
So if you see something suspicious on your land, like a URL, and you click to focus on that item in order to locate it, you have also just given it permission to display in your viewer. You may only have been trying to locate the object displaying the malicious site, but you just loaded it on your PC. Ouch. Linden Labs can fix this simply by making each button do its own function and not the function of the other one as well.

As for how I defend myself from this: I don't use the Linden viewer for any purpose beyond educating myself about it, as the interface is poor and, with the half-thought-out security option to disable autoplay, viewer 2.0 is more vulnerable to this exploit. I use Emerald. Yes, I know the team that worked on it used the media exploit too, but no, there is nothing I myself have found in their viewer that spies on the user. For a safer, more secure secondlife experience you should use a mature, well-developed viewer based on secondlife 1.23 such as Hippo OpenSim or Emerald (there are others), and you should disable media. There is also another exploit in the viewer that actually lets you protect yourself more. Secondlife 1.23 does not let users see the stream URL they connect to. However, in the advanced menu (Ctrl+Alt+D), if the media URL is hidden you can select "show admin options". Attempting to use the admin options that become revealed will in some cases be logged by Linden Labs, but there is one advantage: by clicking the location name at the top of your screen and bringing up the land information, you can see what the media URL is for that location and decide whether or not that URL should be connecting to your PC (of course I recommend turning this option off as soon as you are done). From there you can paste the URL into the "play URL" option of your favourite media player, like Windows Media Player, Winamp, XMMS, or whatever you prefer to use. Taking this extra step after disabling media completely in your viewer increases your security: you cannot accidentally play a media stream in secondlife's viewer, whether by accidentally hitting play or turning automatic play on, and it also makes you more secure against objects that may temporarily switch the parcel media for a brief moment to discover the IPs of those connected.

Aside from how to defend yourself, you, the reader, are probably wondering how you can make a difference in the media issues with secondlife. There are several things you can do to help:

-Educate other secondlife users about these exploits; refer them to this blog post.
-Visit and educate yourself about the Jira; search it for issues related to the media problem that suggest a fix. I myself am still trying to decide which to vote for, as there are several suggestions as to how to make viewer 2.0 safer.
-If you visit the secondlife Jira linked above and have a better solution than those proposed, look at how to create a Jira issue, write up your solution and encourage others to vote for it.
-Don't give people the information they're looking for: don't just leave streaming media on full time; always turn it off when not in use.
-Don't visit sites or buy products that claim to give you information on another secondlife user, claim they can affect the user off the grid, or claim to detect anything secondlife doesn't normally allow you to do yourself.

Things you can do about current infractions against your privacy on secondlife:
-Visit the FTC or IC3 and report spyware authors that violate the law. Remember, as stated earlier in this article, all users of the secondlife service are protected by the California Privacy Protection act, which BPC22575-22579 defines. The FTC link is obviously to the FTC, and the IC3 link is to the FBI's internet crime department; both deal with issues of spyware.
-Use the "report item" button in xstreet and file a report against spyware for a Terms of Service violation (section 8.3), and when writing the report cite what you know about the spyware and the resources that prove it is spyware.
-Visit the location of known spyware, while protecting yourself from it by disabling media, and use the "report abuse" button on the offending object. Report spyware you see rezzed and vending systems that sell it, such as the vendor for zf redzone at vsevolod/182/49/113 (there is a spyware vendor for the zf redzone system, as well as the spyware security orb itself, on top of the building with the vendors).

Edit: just lovely, I see the text editor I started writing this in dropped all my quotation marks when I copied it here!

Edit: I looked at the item discussion and found another part of the privacy policy that TheBoris Gothly and zfire xue are hiding behind. I will post it below here so as not to disrupt my original article:

From the item discussion at 2010-05-08 12:17:57:

we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data.

Let's look at that in whole, shall we?

Third Party Advertisements

Linden Lab participates in ad and/or affiliate networks operated by various third party companies. These companies collect and may use certain anonymous information about your visits to our Websites as a function of referring Internet traffic to our Websites. We do not permit these companies to collect any personal information about you, such as your name, address, or email address; however, we do permit these companies to collect your IP address. These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites, and may otherwise aggregate, analyze and anonymize that data. If you seek information about these specialized advertising technologies, the Network Advertising Initiative offers useful information about Internet advertising companies (also called "ad networks" or "network advertisers"), including information about how to opt-out of their information collection.

Let's explain it, shall we? First off, this is the advertising policy, a policy regarding advertisements only. It also says the companies may collect and use *certain* information, so obviously "certain information" is information released by Linden Labs (you can view this here, by the way:) and the two previous paragraphs pretty much limit the information collected to website visits and LindeX exchange, and disallow personal information, which as defined by BPC22575-22579 includes account names, as they are contact information. While this paragraph permits collection of IP addresses, it does not permit using them to datamine a user. Let's look into the big part of this that they hide behind:

These companies may set and use cookies, web beacons, pixels, or other technologies to collect anonymous information about your visits to our Websites

OK, first off, the information must remain anonymous; it is contact information that is being collected, which is not anonymous by any standard, so that's a violation of the privacy policy. Second, it pertains to information collected about visits to the websites operated by Linden Labs (like visiting their website), and as said before it is an advertising policy: it permits advertisers to set up properly targeted ads, much the way Google's AdSense works, where advertisements can be properly directed (so they can match an IP address to search terms). This also pertains to xstreet. Ever notice how the advertisement banner at the top of the search usually has something vaguely related to what you're searching for, or to an item in the search? This policy exists to assist in the operation of functions like that. Aside from this, the information being collected on you by zfire xue and his redzone system has no method of opting out. And something else I totally forgot to mention, which this privacy policy raises: is this guy an affiliate of Linden Labs? I don't think so. If he were, I think he would understand the privacy policy a little better and know that this section pertains solely to advertising, but as with any other part of the policy he quotes, he conveniently leaves parts out. He is in knowledgeable violation of it: as you can see above, he conveniently leaves parts out, which is clearly intentional. A business affiliate of Linden Labs would not do this because they know they could be sued by both Linden Labs and the users they affected. Which brings me to another part of the Terms of Service:

8.2 You will not post or transmit prohibited Content, including any Content that is illegal, harassing or violates any person's rights.

Since Linden Labs operates out of California, which specifically makes spyware illegal under BPC22575-22579, the content of zf redzone falls under that law and, aside from violating our rights, is specifically illegal:

(i) Post, display or transmit Content that violates any law, or the rights of any third party including without limitation Intellectual Property Rights;

(ii) Impersonate any person or entity without their consent, or otherwise misrepresent your affiliation;

He's obviously misrepresenting his affiliation, he's obviously violating our right to privacy, and he's obviously breaking the law in doing so, as I've touched on many times in this article: BPC22575-22579.

(iv) Post, display or transmit Content that is harmful, threatening or harassing, defamatory, libelous, false, inaccurate, misleading, or invades another person's privacy;

'Nuff said; that's covered in section 8.3, which I kept citing, but all in all the zf redzone product invades user privacy.

And yet again under section 8.2, as with section 8.3:

Any violation by you of the terms of this Section may result in immediate suspension or termination of your Accounts without any refund or other compensation.


  1. Actually, it's anything with the "community channel" in its client ID strings. Snow 2.0 isn't the false trigger, it's the source you download and compile yourself.

    Snow 2.0 from the main LL won't trigger a "copybot", but anything in the OSS community that isn't emerald or the kirsten viewer likely will.

    Violation of tos? Yep.

  2. Thanks for the further info; all the same, it's still a false positive against some Snowglobe 2.0 users and endangers the secondlife developer community, and in any instance it still violates the ToS up and down again and again, along with BPC22575-22579.

  3. I have been griefed horribly by someone using the redzone IP tracker. The man who was targeting me did that on purpose, trying to slander my name and business in Second Life. I run a SIM in Second Life trying to educate and inform residents about the BDSM lifestyle there, and all of a sudden got griefed by someone who was holding a grudge against me, for obscure reasons. The weapon he used to try and bring me down was the redzone IP locator. The next thing this person did was to notify the people dear to me in SL about the victory he achieved regarding alts of mine deceiving other residents. After I became aware of his intentions, I started a forum question about this kind of griefing in a BDSM posting service I am active in. He then replied in it, probably not knowing yet that I was the one he targeted, but I am not afraid to reveal who I am, and soon the thread became a personal attack towards me. None of this would be possible if social griefers were not able to use a program like redzone. It supplies the griefer information which in the first place is not his business, but is also totally wrong. It's quite easy to take a screenshot of its database and manipulate it to look the way you want. In any way, this so-called copybot defender is a griefing script, and IPs fall into the hands of people who want to harm you.
    If you'd like to read how bad it can get, I include a link to the forum, but it needs registration to read it.

  4. Dear friends of mine are supporting me in my fight against social griefers using this redzone.
    Also please read

  5. It seems that my first post did not come in; no problem, I'll type it again. It is about social griefing with the use of this illegal redzone thing. Some person who holds a grudge against me and my friends thought it would be funny to scan my IP and that of the people close to me. What happened next was that he collected a list of names, scrambled it a little and came up with an accusation of alts deceiving and cheating residents in SL. However, I am not someone who sits back and just swallows a load of grief. I contacted the creator of this redzone thing, after I read his policies, and asked: what is this? This man holding a grudge against friends of mine is using your product, mixing it up a bit and then trying to bring me and my business in SL down? At first he responded and said he would investigate the problem, but soon he stopped answering my e-mails. Simple conclusion: he earns his dollars and doesn't care. Meanwhile, however, things got worse. I posted a question in a forum I am active in, asking whether there are more people being accused of having alts in SL and scanned by some redzone user. The next minute the guy who was trying to accuse me of doing wrong responded in that forum, without probably knowing it was me who started the thread, telling everyone that it is an innocent and totally TOS-compliant device. I couldn't keep from revealing myself, as I have nothing to hide. But after that, the grief turned into a total personal attack. The guy thinks he has proof of me being IP scanned and adds his own fantasies to it. A typical example of social grief, and the reason this person thinks he has the power to do that is that he states he uses redzone and knows my IP and everything about it. This is my story, but I am sure that there are many stories of personal griefers, stalkers, and God knows what else, maybe even hackers, using this device that Linden Lab allows to be used.
It is time to stop creators of harassment; this is not about stopping copybots, it is about selling a product. And everyone can manipulate this inaccurate product to their own purposes. Stop this grief please!
    For those who would like to read the harassment I've been through, I link a forum, but you have to register to read it.

  6. You really need to do your homework and get your information correct.
    Otherwise you are just creating more false propaganda that when reported, results in the Lab laughing as they hit the delete button on false ARs.
    If there was but one single shred of truth to your "TOS" and "Law" claims don't you think the Lab would have noticed in this amount of time and 2500+ sims covered?
    I am flattered that you took so much time out of your day for this.
    I understand you spend your time in the adult world and therefore wish to hide that fact from your other personality(s) maybe?
    That is your life choice, but please understand that nobody cares about what you do in your adult world.
    For the record, Google does the same thing zRZ does.
    Yet I do not expect such a full report on them.
    Thanks for your time.
    I enjoy reading confused rumors, and could not have paid for better advertising.

  7. The fact is that more and more people are getting griefed; people are getting scared to visit places because their stalkers are just waiting there. Second Life is becoming a scary place, with real alleys now where the attackers hide. This has nothing to do with the whole copybot thing; it is about residents being after residents. It has become a personal battle between griefers and their victims now. Linden Lab may shut their eyes, but they will become aware of this kind of griefing as soon as many leave the grid, because SL is no fun anymore when your head gets chopped off just for someone's amusement. I run a SIM, which costs me a fortune, and I do so because I enjoy it when others enjoy, but if I can't even feel relaxed anymore because there are fellows waiting there to expose your privates, then I am done with this virtual world.

  8. OK, I don't want a lot of spam on this blog, so with this post by zfire, comment moderation is being turned on. I'm likely to approve most comments unless they're something really idiotic like what zfire just wrote, because usually idiots like him don't stop at that. All the other comments are fine, and thank you for the link to your blog, Michelle; the screenshots you provide further prove my point. And thank you, G, for clearing up where I referenced the mailing list.

    Anyhow, with that said, zfire, I've provided my homework and results and even provided links to the laws it's in violation of and cited what specific part of the law forbids your actions and your tools. I also pointed out how your service differs in its information collection practices from a legal business such as Google, which we both mentioned: Google's distribution of information is anonymous, and otherwise they provide their privacy practices in a reasonable manner which complies with BPC22575-22579, while you do what you can to keep the user from knowing you're collecting this information. So there is a big difference in practice. Then, on top of that, just because you've sold 2500+ systems and been at it for some time now doesn't make it legal. I would like to see where your number of sales, and the fact many haven't noticed this privacy violation, makes it legal. I've made legal reference to what I've posted here; you haven't, and besides, I can't find anything that says violating the law this long and having this many users involved makes it legal or adhere to the ToS of the system you post your spyware to.

    But talking about me not doing my homework, it looks to me like you haven't read any of the laws that I referenced, or much of the rest of the article for that matter. It really looks to me like you've just read the title, given it a brief skim and commented on that, so due to your lack of information on where you claim it is legal and where you claim Google does the same thing, I consider your comment spam, and am just leaving it in the blog for the record as to why comment moderation is on from here and what sort of person is being dealt with. I've also made a copy of the comment for quotation in later references to your system.

    Also, furthermore, as defined in BPC22575-22579, having read this article and replied to it (and I'm taking a screenshot of this just in case anything should happen to your enlightening comment, which we all value so much) constitutes knowledgeable and willful violation. I'm sure anyone who has followed the URL I posted in this article knows a bit about what knowledgeable and willful violation constitutes here, and I think in a later article I should expand on it for those hoping to file a suit for privacy violations (hell, the only reason I don't is that it takes money). I'm sure anyone willing to do further research will also be able to tell what additional part of the BPC you're in violation of by violating this part willfully and knowledgeably. I will be posting more on it later; have a nice day.

  9. Speaking of spam in my previous comment... Upon reviewing the settings of my blog and turning on comment moderation, I noticed Blogger's spam filter intercepted a couple of your comments, Michelle, which are not spam, so now they have been revealed as you posted them. The comments for September 3, 2010 9:43 AM and September 3, 2010 10:20 AM are now revealed; my apologies for the delay in posting.

    An additional note for the sake of clarity: zfire, before slandering Google by accusing their service of doing the same thing, do note that Google's privacy policy is legal and adheres to legal limits, unlike yours, and also, unlike yours, is posted in a reasonable manner where it can be reached before the collection of information protected under BPC22575-22579 takes place, in accordance with BPC22575-22579.

  10. As time passes, more and more people in SL are getting scared of walking into a place with an IP trap. People don't want to be scanned, IP addresses grabbed for others, alt lists (whether with the right names or not) used to accuse them of adultery, jealous ex-boyfriends and girlfriends tracking you down to make your SL fun a miserable experience. Nobody is safe anymore, unless you have sat in a corner all by yourself from the moment you joined SL. The question becomes: what am I doing here? Linden Lab isn't taking any action against illegal tosslers, and meanwhile this world is becoming a paradise of grief. The ones with the money and the land to buy all kinds of new spying toys sit back and wait for a fly to get caught up in the web. Maybe this is the new way of filling free time for those who always wanted to be an FBI agent but never had the brains or the physical stamina to make it up there. Or maybe it's the paranoid schizophrenic who finally found a way to avoid seeing his own shadow. In any way, these IP phishers make us all schizophrenic, and it encourages a load of drama, gossip and accusations in a place you once thought wasn't your first life. How far does Linden Lab let this go? Will it become a world full of dictator-ruled SIMs, where people get shot on sight? As a SIM owner myself, having my plot of land surrounded by enemy states it seems, I would say: if the United Nations of Linden Lab doesn't respect the human right of privacy, then at least let residents visiting a SIM know what place they are entering. Isn't it true that when you cross the border of a country, its laws, rules and expectations of how you should behave are written on big signs? At least then you know what you are facing.

  11. It has been a while since my last post in your blog. I waited to see if anything would change in the new Terms of Service, and I am disappointed that LL still doesn't hold itself responsible for IP phishing. While the rest of the internet world, like banks, government websites and insurance companies, is investing loads of money to protect their customers against IP phishers, LL keeps its eyes shut. Meanwhile, distributors of privacy-invading tools in SL can keep developing and selling their products. Surely many residents don't care about this development, because they only use SL for a couple of hours of weekend fun. But those who are in SL because they seek a relaxing environment, away from daily drama, feel more and more watched by so-called FBI imposters. You know, I find so many TOS violations of this malware called zRedzone, and I filed so many reports that the Lindens could not shut their eyes to and had to take action against a Redzone user. Still it goes on and on. It really is a pity that LL lets SL slide off into a puddle of hackers and crooks in which the account holder information people HAD to provide to be able to play SL is up for grabs. I wonder how long it's going to take for people who dearly love being in SL to suddenly realize that their life, RL and SL, is not safe in the hands of Linden Lab. So far most residents aren't aware of being tracked, and what you don't know doesn't hurt. But Big Brother is watching, and they love watching. They are the Cyber Voyeurs! You would advise them to get a life, but I guess they already wasted two lives.

  12. Several friends of mine all from New Zealand and with the same internet service provider are suffering from false accusations from RedZone.
    Most have sent AR reports to Linden Labs, and also nc to Mr Xue.
    One question we have is ..
    "Is it all streaming media (including streaming music) that makes us vulnerable to these IP thieves? "

  13. The short and simple answer is yes.

    I'm guessing that for redzone to link you and your friends together you must have shared a connection at some point, whether you connect through a common router, use secondlife at a net cafe, or simply visit each other and log in at each other's places.

    Any streaming exposes your IP address to whatever server you're connecting to, and streaming does not take place within secondlife's servers. The parcel you are on holds the web/IP address for the stream to be connected to; when you hit the play button in your streaming software, that software connects to the address provided. IP addresses are used to facilitate communication between systems over the internet, so to send the stream back to you the server needs your IP address. Thus, when you connect to a stream you reveal your IP, providing it to whoever is hosting the service you're connecting to. Video streaming, audio streaming and media on a prim all reveal your IP address. To make matters worse, scripted objects can change where your viewer makes a request to and connect you directly to a service set up by the person wanting your IP address.

    The normal use of the secondlife service without streaming is generally safe so long as you do not connect to any servers outside SL through streaming, as interaction between users goes through Linden Labs' servers, meaning there is no direct user-to-user connection (except media, streaming and voice calls), and there is also no function inside secondlife's scripting language to retrieve this info.

    Simply put, aside from revealing your IP to the server you're connecting to, devious users can change the server you're connecting to for any period of time and retrieve your IP address if they have land permissions or an object on the parcel with land permissions. Some streaming software, such as the commonly used SHOUTcast, may publicly reveal listings to moderators, club and land owners and DJs within secondlife: a list of connected IPs. While those IPs aren't linked to avatar names there, there are various techniques for finding out which belongs to whom.

  14. I am posting in this blog again, as it seems that in any other blog no one seems to listen to what is really happening in Second Life at the moment. The war is on now, as Linden Lab closes its eyes to IP scanning and abuse by third-party individuals. We now have several IP/alt scanning products sold on the marketplace, and Redzone now only has to compete with the others to be the "best". Now we have alt scanners and anti-alt scanners on the market, and where this is going to lead, I don't know. As always, Linden Lab doesn't care. I have tried to convince them, tried to open their eyes to what's happening to innocent residents not knowing that they are being scanned thoroughly. All I get is an answer to a ticket saying: we are sorry for the late response, but it is a TOS complaint you are referring to and that takes time. Nevertheless, nothing happens, and meanwhile all avatars are targets for IP scans in SIMs they are never warned about, and their RL lives are exposed to SIM owners who have nothing else to do all day but scan people for alts. Just to say to all of you who read this blog: you have NO privacy in SL at all! Unless you're a nerd or a hacker, or you couldn't care less because your account was only set up for a week or so. Y'all have fun being stalked!

  15. Hi Treminari (wave to MichelleMarie too), I read your post and have today (maybe too late) disabled all my media settings. Now it feels a bit quiet in SL and I see no point in going to clubs... except if in some way my privacy will be a bit safer if I use Winamp to connect to the club stream.
    Is this something you can advise me to do or not to do?

  16. I am happy to announce that finally people's eyes are opening. Forums are full of redzone victims telling their stories, and new blogs are opening instructing people what to do before stepping into a trap. Scripters are now developing tools to protect yourself from IP griefers, and lists of redzone sims are being created to warn people. I am very happy that now, finally, after such a long time, people see what's going on in SL. In the meantime, though, 8 million people have been scanned by redzone, plus the additional scans of IP scanning tools developed after redzone was allowed to be sold on the SL marketplace. All kinds of individuals purchased some kind of IP scanner for their own little parcels of land, and it's no longer just a big sim owner's tool. zFire Xue, or whatever his name really is, is now a rich man. He sold hundreds of copies of his griefing tool and couldn't care less who the victims are. I do hope that he will face court and pay for the trauma he inflicted! We now have a HUD called Greenzone, which will warn you as soon as you enter an infected sim. Do get this tool, list all the sims you've been to that are infected with IP scanners and publish it. This is the only way to fight back, as LL just has too much wax in their ears.
    Have fun in SL all.

  17. You can use Winamp to connect to the stream; it is a little safer because it prevents the secondlife viewer from identifying itself to the stream source (some applications identify themselves to the media server they're connecting to, and sometimes that identification may include your login name), and it also prevents someone from using a script to change the parcel media and thus the media server you're connected to. But it doesn't make things completely safe. If you must listen to the stream I would recommend viewing admin options, copying the address and pasting it into Winamp. However, do keep in mind that redzone may use several techniques for linking the IP to your avatar, including timing stream access, so I would recommend waiting a long period of time, letting people come and go before connecting to the streaming media, and disconnecting either substantially earlier or later than you leave.

    Also, there is now a countermeasure to this specific piece of spyware called Greenzone; you can find it here: I would recommend letting Greenzone run and only connecting if it detects nothing, but please do keep in mind that the capabilities of Greenzone may be limited and it may fail to detect redzone, so don't connect if it makes a successful detection or if the parcel you're on has disabled your scripts. Another good way to be even safer is to completely avoid parcels listed in this blog here:
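The explanation in comment 13 above (whoever runs the stream host sees your IP, and a script can swap the parcel media URL out from under you) and the advice in comment 17 (copy the address out of admin options and look at it before pasting it into Winamp) suggest a quick check a reader could run on that copied URL. The following Python script is an added example and not code from the original post, its commenters, or any of the tools named on the page. The flag names, the trusted-host allow-list entry `stream.example-club.invalid` and the sample URLs are all constructed for the example, and treating a UUID-shaped token in the URL as a per-visitor identifier is an assumption based only on Second Life keys being UUIDs.

```python
"""Pre-connection check for a parcel media URL (added example, not the post's own code).

Run it on the URL you copied out of the land information window before handing
that URL to an external player. It only inspects the address; it never connects.
"""
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Second Life keys (avatars, objects) are UUIDs, so a UUID-shaped segment is the
# first thing to look for when asking whether a URL was built for one visitor
# rather than shared by everyone on the parcel (assumption for this example).
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

# Constructed allow-list for this example. A real user keeps a short list of
# stream hosts they already trust, for instance the club's own stream server.
TRUSTED_HOSTS = frozenset({"stream.example-club.invalid"})

MESSAGES = {
    "scheme": "scheme is not http/https",
    "no_host": "no host in URL",
    "raw_ip": "host is a raw IP address; there is no name to research who runs it",
    "untrusted_host": "host is not on your trusted stream host list",
    "uuid_token": "URL carries a UUID-shaped token that may identify you rather than the stream",
    "query_params": "URL carries query parameters; a plain audio stream needs none",
}


def risk_flags(url, trusted_hosts=TRUSTED_HOSTS):
    """Return the set of flag names describing what looks risky about ``url``.

    An empty set means nothing in the address itself looked out of place. It
    does not vouch for the server: the host still sees your IP once you connect.
    """
    flags = set()
    parts = urlsplit(url.strip())

    if parts.scheme.lower() not in ("http", "https"):
        flags.add("scheme")  # anything else is not a plain web/stream fetch

    host = (parts.hostname or "").lower()
    if not host:
        flags.add("no_host")
        return flags

    try:
        ipaddress.ip_address(host)  # succeeds for IPv4 and IPv6 literals
        flags.add("raw_ip")
    except ValueError:
        pass  # a DNS name; nothing to flag here

    if host not in trusted_hosts:
        flags.add("untrusted_host")

    if UUID_RE.search(parts.path) or UUID_RE.search(parts.query):
        flags.add("uuid_token")

    if parse_qsl(parts.query, keep_blank_values=True):
        flags.add("query_params")

    return flags


def report(url, trusted_hosts=TRUSTED_HOSTS):
    """Return a (verdict, reasons) pair suitable for printing."""
    flags = risk_flags(url, trusted_hosts)
    verdict = "ok to paste into an external player" if not flags else "do not connect"
    return verdict, [MESSAGES[f] for f in sorted(flags)]


if __name__ == "__main__":
    # Constructed sample URLs: one plain stream on a trusted host, one address that
    # shows every warning at once, and one with a non-web scheme.
    SAMPLE_URLS = [
        "http://stream.example-club.invalid:8000/",
        "http://203.0.113.5/track?av=3f2c1a9e-0b7d-4c8e-9a1b-5d6e7f8a9b0c",
        "rtsp://media.example.invalid/live",
    ]
    for sample in SAMPLE_URLS:
        verdict, reasons = report(sample)
        print(f"{sample} -> {verdict}")
        for reason in reasons:
            print(f"    - {reason}")
```

An empty flag set means only that the address looks like a shared stream on a host you have already decided to trust; it says nothing about what that host logs, which is exactly the residual risk comment 17 describes. Anything flagged is a reason to skip the stream, which matches the post's own advice of only using streams in locations you trust.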

  18. Please Vote Here

  19. Treminari? We won quite a couple of steps forward against Redzone and his violation of people's privacy. Thanks to you and all those who got fed up with these invading tools created by some money-greedy nerd and used by Second Life private investigator roleplay failures. I am so happy that now, finally, LL listens to this huge complaint. But we haven't won yet. Other IP scanners are still active, and all their creators still have the money they earned from griefing stalled on their private bank accounts. I do really hope that there is a way these people are forced to pay the buyers of these products their money back, and that victims are compensated. In what I read in your blog here, you know a lot about state laws. Maybe you can guide us in that in your blog and on Jira.

  20. I posted about the state laws because I researched them on the spot and found a violation then. It's not something I knew off the top of my head when I first saw "finding alts" on Redzone's feature list. Also, while it is all legal speak, it's a pretty easy read-through nonetheless. When I saw the statement on its feature list that it discloses information, I knew it couldn't be right. BPC22575-22579 is what I found; there is another law, BPC17200-17210, which defines the fines for violating the Business and Professions Code and what constitutes a violation. Under that law a business can be fined for previous, current, and proposed violations of the Business and Professions Code (proposals like zFire Xue's threatening to privatize it and sell the scripts to be uploaded by its users). Aside from that, Linden Labs has taken up the stance that you can't reveal that information; under BPC22575-22579 you can't even so much as collect it without meeting the requirements defined within, and I do agree with the law in that stance. So yeah, I'm still fed up that zFire Xue is still allowed to operate in SL.

    Also, some food for thought: I'm sure there's other laws Redzone is in violation of. You remember the RealJukebox lawsuit? That took place preceding the existence of BPC22575-22579, and was over a lesser violation (assigning anonymous ID numbers to customers and tracking what genre was listened to), but it was still a prosecutable privacy violation.

    Also, I'm aware of the other IP scanning tools. Some of those will be a little harder to tackle, unless you can prove they're databasing some contact info without your explicit consent. And before I get some troll commenting: a countdown timer saying you consent in X amount of time doesn't define consent in the slightest, nor does venturing onto the user's land constitute an agreement. I mean, if you could get legal consent as simply as some of these people think, software companies would bury their policies in hidden EULA.txt files without presenting one preceding the installation of their software with the little "I agree" and "I disagree" buttons. But with that said, even the updated Redzone systems are still in violation.