RedZone database hacked

The last few days have seen some mysterious goings-on around RedZone.

  • A video emerged that purportedly showed someone closely associated with RedZone talking to his girlfriend / another user and boasting about how he was attempting to harvest the user names and passwords of RedZone users to see if they could be used to access SL accounts
  • This video was posted on YouTube some seven months ago, but was only pointed to (apparently anonymously) this week
  • The video was linked to a number of other videos that appear to have come from the creator of RedZone and a group of friends – channels subscribing to them included “Insanity Productions”, the “company” behind RedZone
  • Attempts to track the links between videos, etc., were countered by attempts to hide them / take them down from YouTube – almost as if someone were attempting to cover their tracks
  • Denials and counter-claims were put out by the “RedZone Camp”, citing, among other things, that YouTube and Google themselves had been hacked, that the video was a fake, and that the timestamp on it had been altered
  • zFire Xue then threw down a public challenge for someone to attempt to hack his computer.

Guess what?

It appears someone did. Some of us were on the epic SLU thread when his system went down – keeping us going for hours in speculation. Today, all became clear when the Alphaville Herald published a confirmation. And it appears some 1.6 million individual IP addresses are held in the database, complete with geolocation tools for pinning them down – pretty much as claimed in the video that surfaced earlier in the week.

And it appears that his activities are not limited to RedZone users; screen shots hint that he may well have been acting against users of his Prim Animation tool as well.

Already the news is spreading – and it is hard to see how “zFire” and his cohorts can wriggle free of this.

The evidence might be faked – but if so, it is rather elaborate, and one might suggest Occam’s Razor be applied to any attempt to explain this leak away via convoluted logic.

Certainly, this would suggest that Linden Lab may well need to take a closer look at precisely what is going on around data harvesting, as information such as this going into the public domain is not going to do the reputation of Second Life – of Linden Lab – a lot of good.

Back when I first commented on RedZone, I asked the users of that system a question:

“I’d also like to address any potential user of RedZone on the matter of the tool they are using: if RedZone’s creators are collating information on SL users based on a scripted device you are deploying on your land – how much more information might they be gathering on you each and every time you log into their website?”

Well, it looks like we all have the answer.


Why I’m pissed at RedZone

Yesterday, while in-world, I was in IM with a friend, and I mentioned developments regarding the RedZone farrago. The question that came back, after I gave a 3-line summary, was: “Why are you hung up on all this?”

The question wasn’t followed up with the usual “but IP addresses are public, blah, blah” (irrelevant), or simple platitudes – it was a question as to why it affects me so deeply, given I tend to move around SL without the benefits of media anyway (doubly so now, as my friend knows, since she does the same herself).

To be honest, the question gave me pause. Why am I so all-fired angry about RedZone and Quickware and the rest? Drama is a part of being in SL, and the very nature of the platform means it will always bring out the worst in some people – so why let it get so under my skin?

Well, simply put, because the platform does enable people to abuse one another so readily. RedZone is created by “zFire Xue” – but who the hell is “zFire Xue” – other than (to you and me), a totally anonymous individual who – ironically – hides behind avatar anonymity while trying to “out” you and me by linking our avatar details with our RL locations.

Worse still is the loudest proponent of RedZone, someone who bangs on about his “right” to use it, denigrating all who oppose him as “griffers” [sic], revels in his ability to create mischief – and yet hides behind the veil of the anonymous pseudonym “Crackerjack”. That such people are empowered by their anonymity (and fail to see any contradiction between their own use of pseudonyms while seeking to “out” others), and use it as a weapon against others on the grid pisses me off.

While Linden Lab have responded – are responding – to this latest situation, I’m also equally pissed off with them.

Security within Second Life has always been lax; while there have been many (and very excellent) reasons for opening up things like the Viewer to open source, encouraging in-world development, looking towards potential business uses of the platform, the Lab has always taken a far too simplistic approach to matters, trying to have an all-in-one solution (the main Grid) meet a plethora of markets and uses they’ve repeatedly scampered after.

As a result, they’ve been lax in properly identifying the risks to security and privacy inherent in many of the decisions they’ve made, and policy and terms of service have been left woefully ineffective when it comes to dealing with serious concerns. Again, one only has to look at the contradictions between ToS 8.3 and 4.3 in the light of the RedZone farrago to see how contradictory their own legal documents are in these matters.

It has always been this way; I have no idea if it is “west coast culture” (as some claim), or the “Tao of Linden”, a complete lack of concern (so long as the dollars roll in) or pure ineptitude that repeatedly prevents Linden Lab grabbing issues such as this by the balls and simply doing the right thing and stopping it. What I do know is, it is wearing people down. People have left SL over this latest controversy. Others are giving up and retrenching, reducing land holdings, minimising their financial exposure and the rest, simply because the Lab fail to grasp the nettles in their backyard and remove them.

Even now, with a revision to the community standards in place, we’re still seeing creators of these scanning tools working hard to try to get past the ToS, the new media filters and the like; yet the Lab continues to request ARs on a case-by-case basis.

Many reasons have been theorised as to why this is the case – but the fact is, as I’ve said elsewhere, technical solutions ain’t gonna solve this problem – or any other problem where users within SL get an elevated sense of entitlement they believe allows them to violate the ToS (or indeed, simply come up with a flim-flam system that appeals to those with such a false sense of entitlement in order to get them to part with their cash). If this issue is to be resolved, it’s going to require a clear-cut policy statement from Linden Lab. Period. It’s a policy statement that has got to be enshrined as a part of the ToS, and put up in lights for all to see. It needs to be a clear “Thou shalt not”, backed by the unequivocal reality of permabans.

And if we’re honest here, the RedZone situation has more than demonstrated what needs to be done – yet all we get is a token (and unadvertised) change to the Community Standards relating to the sharing of gathered data; not its collection.

And this is another reason I’m pissed off: tools like RedZone already have the potential to allow sick minds to start profiling avatar movements. RedZone even has a HUD users can wear that has the potential to gather information on avatars they encounter. Even with the “sharing” aspect being “disallowed” under the CS, these tools could still be used to gather information – and make it available outside of SL – for those wishing to stalk, spy and grief, as I mentioned in my original post on this matter.

We need a policy that simply outright bans the use of such tools unless used in very tightly prescribed circumstances. Don’t get me wrong – I’m pleased that LL have made some moves on this matter; it’s great that they are adopting the media filter. But unless and until they draw up a clear-cut policy on situations like this, the problem isn’t going to go away, and more and more innocent users are going to fall afoul of those who would prey on them.

And that brings me to the core reason why I’m so “hung up” on RedZone. Last night, after my friend had asked me her question, I dived into the ongoing discussion on the subject over at SLU, and I read this:

“Well I haven’t logged in a while over the head of all of this. It’s hard to be fancy-footed and carefree, skipping to whatever music is playing when in the back of your head you’re wondering if you’re being scanned or if there’ll be an argument just around the corner. Shouldn’t worry too much I know but sometimes we’d just like everything to be perfect in the world if only for a moment. Forlorn hope possibly and no doubt a little rose tinted but imagination brings those expectations for me in SL and hope is such a hard one to let go of.

“I’m even downloading the Windows SDK to build snowstorm just so I can get some of that nirvana back sooner rather than later. And no, I’ve very little clue what I’m doing other than following outdated wiki pages and scouring snippets. I hear ‘geek’ is the new sexy so it may serve a purpose in the end.”

This simple statement cuts to the heart of the entire matter: Second Life should be a world where our imaginations can be set free, where we can feel secure enough to wander, explore, enjoy, experiment and simply be without the constant worry of who might be lurking around spying, scraping, scanning and pawing at us. Of course, we cannot ever be totally secure – you don’t even get that in real life – but we should have the confidence that those who effectively provide and safeguard Second Life – Linden Lab – are actually ensuring our safety as far as they possibly can.

But they’re not as yet, and their track record suggests they won’t. That hurts people such as the poster above. It hurts you and it hurts me. And that’s why I’m so “hung up”.

Media patch accepted by LL

The media patch that was developed as a result of the RedZone data harvesting tool has moved forward significantly.

First put forward for use in the Phoenix Viewer but already available with the Cool VL and Dolphin Viewers, the patch was recently submitted to the Snowstorm project for Viewer 2 development – and has been accepted and is being worked on.

Further, Oz Linden himself has put forward a JIRA (STORM-1037) that means URLs for media streams should no longer be hidden. This is significant as it means that potentially dubious / invasive media exploits (such as that used by zFire Xue for RedZone) can potentially be more easily identified if they pop up.

This is a significant step forward and means that, with the forthcoming inclusion of the patch in both Phoenix and Firestorm, the majority of SL users will have a greater degree of control over what happens within their Viewers, and a vastly improved means of making informed choices about what they wish the Viewer to do on their behalf.
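To make the “informed choice” idea concrete, here is an added illustration (not code from the Phoenix, Firestorm, Cool VL, Dolphin or Snowstorm patches, and not zFire’s code) of the kind of per-host media filter the post is describing. It assumes, as a simplification, that a parcel media or audio stream is identified by a URL, that the viewer asks the user once per hostname and shows the full URL when it asks (the point of STORM-1037), remembers the answer, and fetches nothing it has not been told to. The URLs and the user’s answers are constructed for the demonstration.

```python
"""Illustrative viewer-side media URL filter (added example, not the
Phoenix/Firestorm/Snowstorm media patch itself).

Assumptions not taken from the original post: a stream is a URL, decisions are
made per hostname, the user is shown the full URL when prompted, and anything
the user has not yet allowed is not fetched (fail closed).
"""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

ALLOW, DENY = "allow", "deny"
# schemes a media plugin might be handed; anything else is refused outright
MEDIA_SCHEMES = ("http", "https", "rtmp", "rtsp", "mms")


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of url, or None if it cannot be used.

    Port, credentials, path and query are deliberately ignored: a server that
    wants to log who fetched a stream can vary those freely, so the decision
    has to be keyed on the host alone.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme not in MEDIA_SCHEMES or not parts.hostname:
        return None
    return parts.hostname.lower()


# callback signature: (host, full_url) -> (ALLOW | DENY, remember_this_host)
Prompt = Callable[[str, str], Tuple[str, bool]]


class MediaFilter:
    def __init__(self, ask_user: Prompt, rules: Optional[Dict[str, str]] = None):
        self.rules: Dict[str, str] = dict(rules or {})  # hostname -> ALLOW/DENY
        self.ask_user = ask_user

    def decide(self, url: str) -> str:
        host = host_of(url)
        if host is None:
            return DENY  # unparseable or non-media scheme: never fetch
        rule = self.rules.get(host)
        if rule in (ALLOW, DENY):
            return rule  # previously decided for this host, no prompt
        answer, remember = self.ask_user(host, url)  # user sees the real URL
        if answer != ALLOW:
            answer = DENY  # dismissed or unknown reply counts as a refusal
        if remember:
            self.rules[host] = answer
        return answer


# constructed sample parcel media URLs (documentation addresses, not real hosts)
CONSTRUCTED_URLS: List[str] = [
    "http://radio.example/stream.mp3",         # a stream the user recognises
    "http://radio.example/other.mp3",          # same host again: no new prompt
    "http://203.0.113.7/media.html",           # bare IP the user does not know
    "javascript:alert(1)",                     # not a media scheme: refused
    "http://203.0.113.7:8080/media.html",      # same host, other port: remembered
]


def demo() -> Tuple[List[str], List[Tuple[str, str]], Dict[str, str]]:
    """Run the filter over the constructed URLs with a scripted user.

    The scripted user trusts radio.example and refuses everything else, always
    asking the viewer to remember the choice. Returns the per-URL decisions,
    the prompts the user actually saw, and the remembered rules.
    """
    prompts: List[Tuple[str, str]] = []

    def scripted_user(host: str, url: str) -> Tuple[str, bool]:
        prompts.append((host, url))
        return (ALLOW if host == "radio.example" else DENY, True)

    flt = MediaFilter(scripted_user)
    decisions = [flt.decide(u) for u in CONSTRUCTED_URLS]
    return decisions, prompts, flt.rules


if __name__ == "__main__":
    decisions, prompts, rules = demo()
    for url, d in zip(CONSTRUCTED_URLS, decisions):
        print(f"{d:5}  {url}")
    print("prompted for:", [h for h, _ in prompts])
    print("remembered:", rules)
```

Two design points worth noting: the filter keys on the hostname, not the whole URL, because an attacker controls the path and can make every visit look like a new stream; and every branch that is not an explicit “allow” ends in “deny”, so a dismissed prompt or a URL the parser cannot classify is never quietly fetched.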

Linden Lab makes a further statement on RedZone

Soft Linden has given an official update on the zFire RedZone situation over on JIRA VWR-24746, where he states:

“Hey, all. I got the go-ahead to give an update on zF Red Zone specifically. Again, thank you for the ARs with specific info about violations. These have been very helpful for letting Lindens know what’s going on.

“Tuesday morning, we removed zF Red Zone from the Marketplace for a second time. We removed the in-world vendor distributing the item as well. We determined that zF Red Zone was still in violation of our Terms of Service and Community Standards.

“We asked for removal by no later than today of all zF Red Zone functionality that discloses any alternate account names. That is, even if consent is asked, the service may not act on the consent. In addition, we asked for removal by no later than Friday of the interface for and any remaining implementation of the zF Red Zone consent mechanism because it does not comply with our policies. If these updates are not made, we will take appropriate steps to remedy the violations.

“As before, we appreciate your help in keeping an eye on content. If you find that any merchant’s product is not in compliance with our TOS or our Community Standards, please file an abuse report about the product. Do this even if you filed against a previous version. Include a specific explanation of what you believe is a violation, and ideally select and report the in-world object at issue in case it behaves differently than what’s in the Marketplace. Before reporting, make sure you have first-hand knowledge of the issue. Support can best react if you explain specific steps to reproduce or confirm a violation.”

The wheels may turn slow, but they do indeed turn.

Soft Linden has been working hard on this matter – and keeping abreast of matters over the past weekend – and deserves a lot of thanks and credit for getting things to this stage. The entire matter may not be resolved as yet (the scanners themselves are still in-world and operating, and may be unaffected if zFire meets LL’s current requirements, as no stand has been made on the use of the device to collect data), but the fact we now have this situation is very, very welcome.

Soft, if you get to read this – thank you for your understanding, your commitment and your effort.

Update

The RedZone device vendor has been removed from zFire Xue’s in-world store by Soft Linden, after the creator apparently placed it back in-world without meeting LL’s stated requirements. Commenting on the move, Soft said on the JIRA:

Soft Linden added a comment – 02/Mar/11 3:53 PM
Thank you for the additional ARs about the vendor being replaced in-world while the consent request mechanism was still in place. We’ve removed the vendor again and made conditions for recirculation more explicit.

A sad mentality…

Throughout the entire RedZone farrago, there is a sad mentality demonstrated among some of its most ardent followers.

On the one hand, they are paranoid about “copybotters” and “griefers” to the extent that they are willing to utilise a tool that is both flawed in concept and execution, as one of their own members points out:

Yes… it doesn’t work.

Rather than admit this, they get quite rabid in their postings concerning all of us who have genuine grounds for concern over the use and potential abuse of this tool: we’re vilified as being “copybotters” and “greifers” [sic] ourselves; we’re accused of being duplicitous and misleading.

Then on the other hand, in a stunning display of duplicity which (unsurprisingly) seems to escape them, they themselves remain unwilling to be honest and open about their use of RedZone and what it actually does, preferring to avoid, obfuscate or simply omit.

For example, when discussing the use of RZ at the sim level, Sylla Rhiadra suggests the sim owners should put up notification that they are using RZ so that their visitors may make an informed decision as to whether they in fact wish to enter the sim:

“Welcome to XXXXX! Please note that to remain in this sim you must consent to a scan that will load publicly available information about your avatar, including your avatar name, your IP address, UUID, and status of payment information, on to a third-party web site outside of the jurisdiction of Linden Lab or its ToS, where it will be stored and collated against the IP addresses of other residents in order to determine what other accounts employ the same IP address as yourself. Please note also that inclusion of your information within this database may result in you being banned from RedZone-using sims that have banned any account using the same IP address as you, and that, moreover, the names of your avatar and any others employing the same IP (including any of your alts that have been scanned) may be revealed to individual RedZone users if anyone using the same IP address as you consents to the release of this information. To gain access to these names yourself, you must purchase a copy of RedZone, currently retailing at L$3,999. Failure to consent to this scan within 6 seconds will result in the ejection of your avatar from this parcel.”

However, Bunderwahl Guisse replies that all that is needed is a message such as:

“Welcome to Dark Alley! [his roleplay sim, which does use the RZ scanner] We use RedZone for your protection. RedZone is a Tos compliant security tool that helps make sure you will not be harrassed [sic] or stalked during your visit.”

Leaving aside the fact that the term “Tos compliant” is highly questionable – suggestive as it is that Linden Lab themselves have vetted the product and given it the all-clear – the “revised” text from Mr. Guisse once again completely avoids mentioning precisely what RZ does, preventing his visitors from giving any form of informed consent as to whether they want to run the risk of having their personal information exposed on an insecure, non-Linden database.

It’s also ironic that he claims RZ will ensure his visitors “will not be harrassed [sic]” when, if anything, it is a tool that can allow the unscrupulous to do precisely that.

However, the most revealing thing about Mr. Guisse’s attitude, and that of those of his ilk who use RedZone and attempt to hide its use, is this: the fact that they are willing to go to these lengths indicates they are fully aware that honest transparency about the tool they are using would kill their trade stone dead, because no-one will be willing to accept the realities of RZ if presented to them in terms such as those suggested by Sylla – and remain on their sim.

You’d think that realisation would be enough to get any rational, clear-thinking business person to consider removing the tool altogether and replacing it with something that, while it may require a little more work on their part, will not run the risk of scaring customers away.

But no. These people would rather keep the tool safely hidden and act in a completely dishonest manner towards their customers, clients – and friends. Worse than that, they’ll continue to regard the rest of the community with a mix of rampant paranoia and misplaced belief in their own “rightness” that will, in the end…destroy their own businesses.

People aren’t fools, as Jeggs in the screen shot above notes. The word will out – indeed the word is spreading. I’m persistently banging on about it here just as others are elsewhere – some in the most humorous of ways while still getting the message across. RedZone is a hot topic on Twitter and elsewhere. More and more Groups are spreading the word on the invasive nature of the tool and (potentially equally importantly), the unethical nature of its creator. Many content creators who initially used the tool have now withdrawn it from use – some very publicly, as with RedGrave Skins, who sent out an apology to all 1500+ members of their product Group.

It is not as if there are not already tools available to them that could replace RZ, as I’ve stated elsewhere. They’re not even willing to participate and support JIRAs that could potentially strengthen their arsenal when dealing with griefing and the like.

This being the case, those who persist in hiding their use of RZ and trying to whitewash what the tool is and how it works will become the pariahs of SL. Their sims and stores will be avoided (many are already blacklisted) – and they’ll have no-one but themselves to blame.

Not that they’ll see it that way, of course.

Linden Lab comments on RedZone

Following the recent change to the Community Standards, zFire Xue has been attempting to wriggle out of having to receive the formal consent of those being scanned by his RedZone devices to have their information “background checked”.

Tateru Nino carried the concerns of users about Xue’s unethical approaches to the situation, which included a threat to release his database to all and sundry (for a fee), and his attempts to equate implied consent with formal (or informed) consent; not to mention his willingness to effectively throw his users under the wheels of ToS violations.

The Lab were very clear on matters, as you can see here.

The change to the Community Standards itself wasn’t enough. However, this move by Linden Lab – coupled with the fact that, once again, the RedZone tool has been delisted from SL Marketplace, and with comments from Lab representatives thanking users for filing ARs on the number of false positives this tool produces (in matching avatar accounts to one another) – is indicative that the wheels are still in motion on this matter.

Interestingly, at around the time the comments were made, RedZone again vanished from the SL Marketplace.