Time to end the whack-a-mole

As reported earlier, the RedZone situation has been blown wide open. However one looks at the video that was released last week, the data passed to the Alphaville Herald, and everything that lies behind them, it would appear that all roads lead back to the isellsl.ath.cx domain and the avatar of zFire Xue.

Indeed, it now appears that zFire, in another guise, is behind the so-called “Knights of Mars”, an “organisation” promising to get avatars banned from Second Life – no matter what the reason – for a fee; even boasting that their activities are against the ToS (“Is this against SecondLife’s TOS? You bet!” screams their FAQ).

All-in-all the evidence – to those outside – is damning. One would hope that it is enough for Linden Lab to take the appropriate actions, and sooner rather than later.

It’s not even as if this is a sheltered incident. Over the past week, locating and stopping so-called “alt detectors” has become something of a game of whack-a-mole; and poor Soft Linden has been the one stuck at the machine clouting heads:

  • Following the changes to the Community Standards, the creator of Quickware Alt Pro, another device intended to link alts, tried various methods to circumvent LL’s revised position on sharing information gathered within Second Life – efforts which eventually earned him, at least one of his alts, and his device a ban from Second Life
  • Following this, the imaginatively named “Jacks Sparrow” of “Sparrow Industries” popped up with another “alt detector”, quickly pressed into use by those looking to replace RedZone, as Theia Magic reported at the time
  • At the same time, a further “alt detector” turned up on the Marketplace, made by one “Gzoa Resident”. Whether genuine or simply an attempt to cash in on the perceived need for such a tool, the device was pulled by LL after multiple ARs were filed.

So three systems in a space of days, collecting and sharing data; tip of the iceberg, anyone? Meanwhile, Gemini CDS is still very much out there, collecting data. Who knows what else is out there?

And here is where the system falls down at present: Linden Lab have only proscribed against the sharing of collected data. This really isn’t the issue; the issue is the collection of said data.

As the hack of the Emerald database showed, just before the entire Emerald thing blew up around a year ago – as this RedZone situation demonstrates now – allowing anonymous individuals across SL to quietly gather data and funnel it out of SL into their own databases and servers is unacceptable in its present form. It either needs to be outlawed entirely, or steps need to be taken to ensure people are both aware of what is about to happen and have a means of preventing it from happening prior to any attempt at gathering data being made. And this needs to be properly backed up by a clearly-defined Privacy Policy intimately hooked to the Terms of Service such that anyone found to be either circumventing the “right to decline” or using the data other than for its intended purpose will be immediately banned from Second Life.

Reactive efforts – as mighty and as welcome as Soft Linden’s exploits have been (the man has been a hero in this entire situation) – are now not enough.

Even on its own, the RedZone situation, as this news spreads, is going to severely dent people’s confidence in Second Life as a platform and further shake users’ faith that Linden Lab has, as far as possible, got their back covered when it comes to reasonable expectations of privacy.

In a week when RedZone has continued to rock the boat, when Gemini CDS has begun to emerge as still being in widespread use, when Quickware, Sparrow and the “Gzoa” items all pitched up / got whacked, LL remained stubbornly silent on matters, other than Soft’s lone voice on the JIRA (and who, out of the majority of SL residents, studies the JIRA regularly?). At the same time, multiple questions around RedZone and alt detection raised on the new Community Platform were shut down – hard.

Within Linden Lab there has always been something of a permissive attitude towards many things. Frequently, it’s taken a court case or two to shake the company out of lassitude. People point to Philip Rosedale as the “cool dude” and cite things like “West Coast attitudes”; the Lab itself talks in terms of the (itself ideological) “Love Machine” and the hippy-ish “Tao of Linden”. They make for really good human interest reads; they make for cosy employee feelings. They frame the Rosedale dream and vision of Second Life.

And they need to stop.

Whack-a-mole is no longer an option – if it ever was. Linden Lab have been trying for a good number of years now to get the platform taken seriously. Unless they grab this particular nettle properly and excise it from their lawn, they are not only going to further damage the credibility of the platform to the world at large, they risk tearing the community itself apart with suspicion and doubt.

People are already avoiding the use of media in their viewers; and while Sione Lumo’s Media Patch is gaining wider acceptance in the Viewer community, the fact is – again, as I keep on hammering – technical solutions are not the key. Not only are they potentially hard for the non-technical community to grasp, they are a potential threat to the economy (no media = no live music) and they are a challenge to all the little skiddies out there who see such tools as something to be “gotten around”.

Linden Lab need to make a stand. Now. They need to stop with all the Taoy lovey-dovey. They need to straighten out the ToS and the Community Standards and get themselves a fully-rounded Privacy Policy that completes the triangle. A Privacy Policy that, rather than simply trying to absolve them of any blame if Things Go Wrong, actually sets out the expectations of privacy their users can reasonably expect when signing-up to their service. They need to eliminate contradictions in the ToS around sections 4.3 and 8.3.

Idealism had its place once, back when Second Life was starting out; but the fact is, if the company really wants to be taken seriously, if it really wants to try to leverage the likes of Facebook and the rest, then it needs to do more than simply looking like it means business.

It needs to start acting that way as well – not least where the user base is concerned. If they don’t, then Second Life runs a serious risk of being ever-increasingly marginalised as a viable platform, and will haemorrhage users as they leave to join those platforms that demonstrate a willingness to meet their expectations.

RedZone database hacked

The last few days have seen some mysterious goings-on around RedZone.

  • A video emerged that purportedly showed someone closely associated with RedZone talking to his girlfriend / another user and boasting about how he was attempting to scam the user names and passwords of RedZone users to see if they could be used to access SL accounts
  • This video was posted on YouTube some seven months ago, but was only pointed to (apparently anonymously) this week
  • The video was linked to a number of other videos that appear to have come from the creator of RedZone and a group of friends – channels subscribing to them included “Insanity Productions”, the “company” behind RedZone
  • Attempts to track the links between videos, etc., were countered by attempts to hide them / take them down from YouTube – almost as if someone were attempting to cover their tracks
  • Denials and counter-claims were put out by the “RedZone Camp”, citing, among other things, that YouTube and Google themselves had been hacked, that the video was a fake, and that the timestamp on it had been altered
  • zFire Xue then threw down a public challenge for someone to attempt to hack his computer.

Guess what?

It appears someone did. Some of us were on the epic SLU thread when his system went down – keeping us going for hours in speculation. Today, all became clear when the Alphaville Herald published a confirmation. And it appears some 1.6 million individual IP addresses are held in the database, complete with geolocation tools for pinning them down – pretty much as claimed in the video that surfaced earlier in the week.

And it appears that his activities are not limited to RedZone users; screen shots hint that he may well have been acting against users of his Prim Animation tool as well.

Already the news is spreading – and it is hard to see how “zFire” and his cohorts can wriggle free of this.

The evidence might be faked – but if so, it is rather elaborate, and one might suggest Occam’s Razor be applied to any explanations that try to explain this leak away via convoluted logic.

Certainly, this would now suggest that Linden Lab may well need to take a closer look at precisely what is going on around data harvesting, as information such as this going into the public domain is not going to do the reputation of Second Life – of Linden Lab – a lot of good.

Back when I first commented on RedZone, I asked the users of that system a question:

“I’d also like to address any potential user of RedZone on the matter of the tool they are using: if RedZone’s creators are collating information on SL users based on a scripted device you are deploying on your land – how much more information might they be gathering on you each and every time you log into their website?”

Well, it looks like we all have the answer.