Tuesday, March 22, 2011

Linden Lab is Slacking on Media Security

It seems most people have gotten back to business as usual in Second Life.  The atmosphere is one of optimism, music venues are once again starting to flourish, and retailers are enjoying a new surge of shoppers enjoying a sense of regained security.  But is this sense of peace really just a case of too many wearing rose colored glasses?  Yes.

It's wonderful that Redzone and Quickware Alts are both gone.  It's also great the Sparrow Industries has removed all alt detecting function from their products.  My fear is that people have been lulled into a false sense of security.  The truth is, the media exploit that allowed devices like these to function is still there.  I would be willing to bet there's others just like these, trying to detect alts and worse, working discretely on the grid right this very moment.  Redzone was out there and 'in your face', so it was easy to know who the enemy was.  Now, because others have seen zFire's demise, they've learned from his mistakes to work quietly and slip under the radar.

Thankfully, Sione Lomu coded a media security patch that requires anything trying to access your media or music to gain permission.  This is a huge step in the right direction.  Currently, there are three viewers that are using Sione's patch:

Notice anyone missing from this list?  Yup, Linden Lab.  Why is it that the TPV's picked up the media security patch rather quickly but Linden Lab hasn't for it's standard viewer?  Wouldn't you think they'd be the first in line to protect Second Life residents, not last?  I'm sorry, but this is seriously wrong.  Linden Lab should've made their own security patch long before Redzone existed and Sione made his media patch, and yet they still don't even have the protection in their own viewer.

I find this particularly disturbing as all new residents entering Second Life use the standard viewer and have no clue there even is a security risk.  Can you imagine how many newbies have inadvertently put themselves at risk?  Or rather, how many newbies Linden Lab has put at risk with it's lack of security and information for newcomers?

This shouldn't be tolerated by anyone, old timers or newbies.  I find it more than a little ridiculous that we have to rely on each other for security help and information while Linden Lab remains irresponsibly silent.

I urge everyone to continue to take responsibility for your own security and pass that knowledge onto others.  I also encourage everyone to keep the heat on Linden Lab until they finally do the right thing and actually start proactively protecting all residents.

Some resources:
Media and Privacy by Inara Pey
Media Security Notecard offered by Inara Pey

Thursday, March 17, 2011

So what now?

It's definitely been a chaotic couple of weeks to say the least.  Sometimes I take a step back and look at the big picture, and I think to myself "how the hell did all this happen?"  Which of course, leads me to my next question "So what now?"

This entire privacy issue was truly a snowball effect of the worst kind.  It all started with a vulnerability in media security, and all it took was a few people to discover it and run with it.  The timing, of course, was impeccable.  Content creators all over the grid have been howling for years for better security (and rightfully so), then in swoops the likes of the CDS to save the day.  "We'll stop the copybotters!" CDS proclaimed.  The content creators of the grid oooh'd and aaahh'd, thankful for someone to finally be protecting them.

But then, some rumbling started.  Innocent people were being banned and had no idea why.  It was around this time zFire got his hands on CDS's script and realized with some modification, this script could do a lot more than catch a copybotter.  We all know what happened next- the alt detector was born and others like Quickware Alts and Sparrow Industries soon followed.

Of course, when this privacy issue first exploded, we had no idea the problem went beyond privacy violation and nose dived straight into internet security fraud.  I have to chuckle a little when I think of all the people who worked together to put the pieces of the puzzle together.  Seriously, have you looked at the epic Redzone threads over on SLU?  Forget Sherlock Holmes, we have the forumites over at SLU to handle the job! *laughs*  If you have a couple days to read (yes it's that long) you can literally watch all the pieces drop into place, ultimately ending with the zFire Xue's criminal history being exposed and him banned from Second Life.

Thankfully, as residents across the grid screamed louder and louder for our right to privacy, we even managed to get Linden Lab's attention.  In particular, Soft Linden, whom I think we all owe a major debt of gratitude to. Not only was the Community Standards changed to make revealing alts a violation, but both Quickware Alts and Redzone were banished from the grid.  

We also owe a debt of gratitude to Sione Lomu, the person responsible for coding the media security patch now implemented in various viewers.  Thanks to Sione, we can now better control what connects to us via media and music.

So I ask again... what now?  We're done, right?  Problem solved?


The problem, the very thing that started all this to begin with, still exists.  There is still a security hole in the media filter, which means changes to the TOS and Sione's patch or not, the vulnerability is still there for the next person to come long and try to exploit.  In fact, someone could be using that exploit right this very moment but discreetly so we don't even realize it's happening.

This is why I left the "how to protect your privacy" tab, because while it may be a huge relief to be rid of Redzone, as long as the security vulnerability still exists, our privacy is never truly safe.

Tuesday, March 15, 2011

zFire Xue and Redzone are GONE!!!

It's come to my attention in the last couple minutes that not only are zFire Xue and TheBoris Gothly gone from search, they're also gone from groups.

I am standing in the now empty Mad Sci City Shopping Mall, where everything belonging to zFire is gone.

You heard right.

Redzone and zFire Xue are GONE!!

(please Redzone tab for more info)

Urgent- Your password may be unsafe

I can not stress enough that this is not a "Redzone" issue- it's a human security issue.  
If anyone reading this has ever logged into zFire's website isellsl, you need to change ALL your passwords immediately.  Not just your Second Life password, but any passwords you could have accidentally typed into his website.  I don't care if someone reading this is still using Redzone- it's irrelevant to the point your security is in very real jeopardy. 

In case anyone missed it, scroll down a post and you'll see proof that zFire was logging people's passwords to access their Second Life account.  

What's worse is the fact zFire has not learned from past mistakes.  This isn't the first time zFire committed crimes on the internet.  In fact, he is a convicted felon for a theft scam on eBay.  There is a very real chance, judging by his past criminal history, a lot more than your Second Life account could be at risk if you've logged into his website.

For those of you who will inevitably howl at me to prove it, here is a link to the court document: http://www.ca9.uscourts.gov/datastore/opinions/2005/12/13/0230375.pdf

After you have a look at that, keep in mind we've known for awhile zFire Xue's real name is Mike Prime.

Ok...here's some connect the dots:
-zFire has publicly admitted his YouTube account is marskgb006

-In the court documents in question (linked above), it names Shawn Cahill as one of the defendants and Mike's friend:

"The extrinsic evidence included money orders and e-mail correspondence with aliases used to conduct fraudulent transactions, written reports by both the fingerprint and handwriting expert, and certified copies of prior convictions for both Prime and his friend Shawn Cahill"

-On marskgb006's YouTube account, there is this video. Notice the title John vs. Shawn Cahill

-In the court documents in question, it names Juan Ore-Lovera as a co-defendant
-Also on marskgb006's YouTube, there is this video. Notice the title of Juan's reaction to the 'John Vs. Shawn Cahill" video:

-Remember the John Hamlin mystery? CEO of Insanity Productions with Mike Prime? Well, here's Juan's (the co-defendant in Mike's criminal case) Facebook. Look who his friend is- John HamlinJohn Hamlin | Facebook

There is no way it's a coincidence that men who played a part in the criminal trial of Michael Stefen Prime are also in YouTube videos under an account that zFire publicly admits is his.

There's no "if". zFire is Michael Stefan Prime.

So please, if you've ever logged onto the Redzone website or any part of isellsl, CHANGE ALL YOUR PASSWORDS IMMEDIATELY.

Saturday, March 12, 2011

zFire's Xue's database hacked- proof made public

The first sign that zFire Xue's database had been hacked came on no2redzone's blog, where this anonymous comment was made:

Security Thru Hackscurity (12:35:24) :
"we hacked becuse zfire xue challenge hacker to hack. he so script child that it take second. site down. site back. second to access again. site go down come back. again. again. again access until he close hole which place everyone data in secondlife at risk. oh the thing we see lar. admin page with manual copybot name enter and list of added user. not detect by rz! manual! hundred user manual entered! user vasilisa shilova manual enter many name too! database dump say video true. he log wrong entered password. everyone owner redzone need change SL password! how we send database to linden with anonity? we still work on this. we not use or release database. we attach example admin log screen as access prove. we only hack becuse he ask. if he deny hack we post more criminate screen until doubt gone".

...and apparently Hackscurity makes promises not threats, because earlier today the following screenshots surfaced on The Alphaville Herald, proving not only their claims that zFire logs passwords entered onto his site as a way to potentially hack the user's Second Life account, but that he manually enters alleged copybotters into the system (rather than detecting them):

And if this new proof of zFire's deceit isn't damning enough, Hackscurity also released this screenshot, which logs traffic to zFire's hosted sites:

What is KoM, you ask?  Knights of Mars, a vigilante group to "assassinate" avatars for a price.  A group that brags about violating TOS and the ability to "kill" an avatar.  zFire Xue hosts the Knights of Mars site, in fact there's strong evidence that he runs it.

To all the Redzone users reading this, I again urge you to change your Second Life password immediately.  This isn't about ego it's about internet safety, and yours is in grave danger at the hands of the man you trusted to 
protect you, zFire Xue.

(For those wanting to stay informed, be sure check out SLU's very active and enlightening thread: Redzone Epic Thread Part Deux !)

Thursday, March 10, 2011

zFire talking about sharing people's RL data and hacking SL passwords

UPDATE 3/10/11- People asked how we knew this video was real? zFire removed it from YouTube the minute he found out it had been leaked.  Too bad someone had already made a copy elsewhere.  I've updated the link below so it's viewable again :D

Also, notice his Redzone "Insantiyproductions" (his crappy spelling, not mine) profile at the bottom.  You'll clearly see the "mars006kb" profile where the original video was posted subscribed to it. (again, screenshots taken before he could delete the evidence)

I had this video bomb dropped on me tonight.

Apparently zFire, creator of Redzone, made this video for his girlfriend.  If you listen to the video, you will hear him not only bragging about giving her access to his database information, but revealing people's RL locations and even attempting to access people's Second Life accounts based on failed password attempts on his own site.

Yes, you read that correctly, trying to figure out people's Second Life password by their failed password attempts on his own isellsl website.

Have a look for yourself, be sure to turn the volume up!!!

I have no idea who leaked this originally, but I do know it's a private video that can't be found in search.  You can only view it with a direct link because it was never meant to be seen publicly.  He also mentions his Redzone website, 'isellsl', by name.  I also noted it's not new- it was uploaded on August 3, 2010.  That means this video was made long before any of the Jiras or Greenzone.  

I'm guessing the Redzone camp will all be rushing to change their Second Life passwords now.

Tuesday, March 8, 2011

Quickware Alts -BANNED

Soft Linden commented on VWR-24746:

Thank you for the additional ARs, all. After some research and follow-up with some of you who reported, it's clear that there is no such thing as a ToS-compliant version of QuickWare Alts Pro. For lack of a good faith effort on resolving issues associated with this device, many assets have been blacklisted and accounts held. I can't go into specifics beyond that.

If you see QuickWare Alts Pro return under a new name or creator, please select the device and file Abuse Reports against the device's owner. Be sure to mention which specific device you have found.

As always, file ARs based on first-hand knowledge. There's nothing wrong with peers filing additional ARs to underscore importance. However, each person filing should take a close look and ensure they understand the object of the AR. They should personally be able to justify the AR if asked. Brief and verifiable is best.

Sparrow Industries- more privacy violations

I hope it's clear to anyone reading this that fight for privacy is not Redzone specific.  There are others just as bad out there, and we need to fight against them as well.  You'll notice some minor changes to this blog that reflect the need to keep informed, most noticeably the extra tabs.  I've decided to make individual tabs for each product discovered that violates privacy and/or TOS by detecting alts.  

...with that said... you'll notice a new name up there, Sparrow Industries.  Be sure to have a look!

Saturday, March 5, 2011

Police Department in Romano, Redzone Free

Earlier today I had made a post about the Police Department in Romano using Redzone and asking for consent to check alts.  Tonight, I received an IM from the sim owner, Cdurd770 Halfpint.  He was most gracious and kind throughout the conversation, and I learned he had been out of Second Life this week so he wasn't able to remove the device requesting consent.  Below is our conversation (which I post with his permission):

[21:55]  Cdurd770 Halfpint: Hi there, thanks for visiting my sim :)
[21:55]  Cdurd770 Halfpint: Love the blog as well.
[21:55]  Theia Magic: Oh hello!  You're the police guy, yes?
[21:55]  Cdurd770 Halfpint: I am!
[21:55]  Cdurd770 Halfpint: (disarming to chat)
[21:55]  Cdurd770 Halfpint: lol
[21:55]  Theia Magic: Nice to meet you, though I'm sorry under the circumstances.
[21:56]  Cdurd770 Halfpint: Not a problem at all.
[21:56]  Cdurd770 Halfpint: Let me first say this
[21:56]  Cdurd770 Halfpint: I don't log on much, so TOS changes quicker than I can log on to remove things.
[21:56]  Theia Magic: Heh and no need to "disarm", contrary to popular belief I'm not a bitch
[21:56]  Cdurd770 Halfpint: lol it's ok, just messin
[21:56]  Theia Magic smiles
[21:56]  Theia Magic: OOhhh so you didn't know?
[21:56]  Cdurd770 Halfpint: I read on my phone
[21:56]  Cdurd770 Halfpint: but
[21:57]  Cdurd770 Halfpint: I don't give return rights to my staff cause they tend to return my stuff.
[21:57]  Theia Magic nods
[21:57]  Cdurd770 Halfpint: so I have to get these things.
[21:57]  Theia Magic: I understand
[21:57]  Cdurd770 Halfpint: I jsut had a long long chat with another gz person. Very productive chat.
[21:57]  Theia Magic: It's been a whirlwind here this week, that's for sure
[21:57]  Cdurd770 Halfpint: It has.
[21:58]  Cdurd770 Halfpint: Now, I'd like to air a few things about us, alt crap and who we're not if you hve time.
[21:58]  Theia Magic: Sure of course.
[21:58]  Cdurd770 Halfpint: Plz feel free to put this on the blog, you have my perms.
[21:58]  Theia Magic: If you'd like me, to I will.
[21:58]  Cdurd770 Halfpint: PD has been around for almost 4 years.
[21:58]  Cdurd770 Halfpint: We do what we do for free, we work in about 50-75 sims, and have our networked protection system in some 1200 sims.
[21:59]  Cdurd770 Halfpint: We work around the clock, for free, to help people have a chance to enjoy SL.
[21:59]  Cdurd770 Halfpint: We devised some time ago, over a year in fact, a way to have a clue about people who are relentlessly griefing sims.... with alts
[21:59]  Cdurd770 Halfpint: But
[21:59]  Cdurd770 Halfpint: Me being the nice person I am
[22:00]  Cdurd770 Halfpint: created this where names are not just shown
[22:00]  Cdurd770 Halfpint: and broadcasted to anyone.
[22:00]  Theia Magic nods
[22:00]  Cdurd770 Halfpint: Someon griefs...
[22:00]  Cdurd770 Halfpint: Yes, we look, we determine is this person this griefer????
[22:00]  Cdurd770 Halfpint: So we look and see if we get a visit from that person on that one sim.
[22:00]  Cdurd770 Halfpint: That's when we do what we do.
[22:00]  Cdurd770 Halfpint: RZ, bad idea.
[22:01]  Cdurd770 Halfpint: Open to all with 3999
[22:01]  Cdurd770 Halfpint: bad bad bad.
[22:01]  Theia Magic: Yes exactly
[22:01]  Theia Magic: That's been my point all along
[22:01]  Cdurd770 Halfpint: Do I use rz? Yes, my ban list is long, it helps
[22:01]  Cdurd770 Halfpint: lol
[22:01]  Cdurd770 Halfpint: Even when our system would report to us via owner chat info about people
[22:01]  Theia Magic: I've heard that from many people, that they use it for the long banlist.  I wish LL would make the ban lists here unlimited, it would help many.
[22:02]  Cdurd770 Halfpint: we never disclosed it
[22:02]  Cdurd770 Halfpint: But, now, we've moved it all out of world, there's not even an option. It's just ban them.
[22:03]  Theia Magic: See and I don't doubt that you used it responsibly, but the problem is all the names scanned in are put into the database.  Up until this recent TOS change, people were using that database to do exactly what you were fighting against- grief and stalk.
[22:03]  Cdurd770 Halfpint: Right. Agreed.
[22:04]  Theia Magic: You know, my heart goes out to people like you who bought Rz with the best of intentions.  I've met many similar.
[22:05]  Theia Magic: So, if it's ok with you, I'd like to make a return visit to your sim to verify the consent thingie is gone, then do a revision stating what we spoke of here tonight?
[22:08]  Cdurd770 Halfpint: Sure.
[22:08]  Cdurd770 Halfpint: I just now got the consent thingy. I thought I got it 3 days ago.
[22:08]  Cdurd770 Halfpint: lol
[22:08]  Theia Magic: May I ask if you removed Redzone entirely, or just the consent thing?
[22:08]  Cdurd770 Halfpint: I got them both.

I went to the sim to verify, and he did remove both the consent requester as well as Redzone entirely.

To Cdurd770, my apologies for any trouble all of this caused you, it wasn't my intention in the least.  After speaking with you today, I have the utmost respect for you and your organization.  Thank you. :)

Thursday, March 3, 2011

More ranting from the Redtards

"by crackerjack » Thu Mar 03, 2011 9:32 am
have you been over to theia magic yet to ask her about her insurance business, you know the one where she goes around stalking people then making all sorts of threats and accusations, and advocates all kinds of harrassment against people simply because they wont cave in to her demands regarding her opinion that redzone should be banned. In exactly the same way that criminals go around demanding that shop keepers hand over money so their shop wont get smashed up and their customers hassled?
now if you can point to any similar outrage in the advertising of redzone i would agree, but you see your perception of what needs to changein redzone and what actually needs to change may be two different things"

I felt the need to address this because quite honestly, the dude is pulling this out of his ass.  Anyone who knows me knows I advocate change through education, not griefing or harassing.  In fact, I have publicly stated more than once that I will have no part in any harassing, griefing, or otherwise illegal activities.  With the exception of Dilbert, I've never even had a cross word with a merchant using Redzone. (and he's the dipshit that verbally attacked me in-world)  

To the Redtards, I'm truly flattered that you love me so much my name seems to constantly drip from your mouths.  But I gotta tell you, lies based in desperation isn't very becoming.

Wednesday, March 2, 2011

Redzone- R.I.P :D

Soft Linden: "Hey, all. I got the go-ahead to give an update on zF Red Zone specifically. Again, thank you for the ARs with specific info about violations. These have been very helpful for letting Lindens know what's going on.

Tuesday morning, we removed zF Red Zone from the Marketplace for a second time. We removed the in-world vendor distributing the item as well. We determined that zF Red Zone was still in violation of our Terms of Service and Community Standards.

We asked for removal by no later than today of all zF Red Zone functionality that discloses any alternate account names. That is, even if consent is asked, the service may not act on the consent. In addition, we asked for removal by no later than Friday of the interface for and any remaining implementation of the zF Red Zone consent mechanism because it does not comply with our policies. If these updates are not made, we will take appropriate steps to remedy the violations.

As before, we appreciate your help in keeping an eye on content. If you find that any merchant's product is not in compliance with our TOS or our Community Standards, please file an abuse report about the product. Do this even if you filed against a previous version. Include a specific explanation of what you believe is a violation, and ideally select and report the in-world object at issue in case it behaves differently than what's in the Marketplace. Before reporting, make sure you have first-hand knowledge of the issue. Support can best react if you explain specific steps to reproduce or confirm a violation."

Soft Linden removing the Redzone Vender

Tuesday, March 1, 2011

CDS vs. Redzone

I've seen a lot of people comparing CDS to Redzone.  While I agree CDS uses the same http request method as Redzone, that's pretty much where the comparison stops.  CDS, unlike Redzone, was created as a security device.  It does not reveal alts to anyone nor does anyone have access to alt information.  This is why you will find CDS as quite a number of stores but never in a club or other social sim.  

I decided to go to the source and ask CDS' creator, Skills Hak, point blank what CDS does and doesn't.  I have never spoken to her before this and she was very pleasant to speak to.  She answered my questions without being defensive or vague at all.  This, I might add, is a stark contrast the reaction anyone who confronts zFire receives.

Below are the prudent parts of our conversation. (I have her permission to share this, btw.  I only edited out the small talk between us that has no bearing on the topic).

[07:13 AM] Skills Hak: Hmm i really should update the CDS FAQ after this Redzone fiasco
[07:13 AM] Skills Hak: Some people seem to think CDS does alt matching and i even read rumors on SLU there had been a database leak and other nonsense
[07:13 AM] Skills Hak: CDS doesn't do the alt dealie at all, it doesn't even log IPs
[07:13 AM] Skills Hak: Oh and for some reason people think CDS vanished months ago, i'm not sure why, sales have been steady and detection rate is still around 80% successfull, there are over 10k flagged copybot users by now
[07:15 AM] Theia Magic: Thank you! One more question? If CDS doesn't log IP's, why does it use media? (I know I'm going to be asked that question)
[07:16 AM] Skills Hak: because it needs the user agent
[07:16 AM] Skills Hak: which is part of the HTTP protocol
[07:16 AM] Theia Magic: Oh ok, that makes sense then.
[07:17 AM] Theia Magic: May I have your permission to share this conversation?
[07:17 AM] Skills Hak: sure go ahead
[07:17 AM] Theia Magic: Thank you very much
[07:18 AM] Skills Hak: redzone is basically based on the cds beta script that was stolen from a friend a year ago
[07:18 AM] Skills Hak: and he turned it into an alt matching stalker tool
[07:18 AM] Theia Magic: I know he's not the original script writer, too. Of course, I can't prove it, but I know what you're saying 100% true.
[07:19 AM] Skills Hak: fun fact: the only time i spoke to zfire was when i had to ask him to remove my keywords from his marketplace listing
[07:19 AM] Skills Hak: he used "skills hak, gemini, cds" etc in a font size 0 text
[07:19 AM] Theia Magic: I'm not surprised. He's as sneaky and underhanded as the day is long.
[07:19 AM] Skills Hak: sneaky bastard

<<snipped the banter>>

[07:22 AM] Skills Hak: alot of people claim it's useless but i wonder where the 10k+ banned people come from
[07:23 AM] Skills Hak: i certainly didn't add them manually like many suspect 
[07:23 AM] Theia Magic: Ok, though that is a good point. I heard it was great "back in the day", but since people are now using legit viewers to mask copybotting, how can it catch them?
[07:24 AM] Theia Magic: I too was under the impression it no longer worked because coptybotters got sneakier
[07:24 AM] Skills Hak: well since copybotters are generally not the smartest people in SL, they often get the spoofing wrong
[07:25 AM] Skills Hak: sure there are some clients we can't tell apart from the legit ones
[07:25 AM] Skills Hak: nothing we can do about that
[07:25 AM] Theia Magic: Ohhhh.... so you catch the flaws then? When they try to mask it?
[07:25 AM] Skills Hak: but there is still the large db with flagged avis
[07:26 AM] Skills Hak: and the vast majority still uses older clients
[07:26 AM] Skills Hak: yeah they use versions that don't exist for example
[07:26 AM] Theia Magic: Wow really? They're that stupid? lol
[07:26 AM] Skills Hak: 80% of them are stupid 
[07:26 AM] Skills Hak: haha
[07:26 AM] Theia Magic laughs

I then did some further searching, and found this.  A person who did some testing on CDS, which supports what Skills told me: Analysis of Gemini Cybernetics CDS

My point to all this?  I think everyone has to judge for themselves what is acceptable.  I personally don't have an issue with CDS because it makes no attempt to reveal alts and was created as strictly a security device.  If someone else decides to disable Media and reject any http requests from CDS that's their choice- which I fully respect.  But when someone asks me why I don't exclude CDS locations from lists, the reason is because CDS is different than Quickware Alts or Redzone.  People using CDS are doing so to try to protect themselves, in stark contrast to the people using Redzone and Quickware Alts for the single purpose of being a nosey drama whore.