Privacy: a new storm brewing?

As people wait for Linden Lab’s response to the weekend’s revelations around the on-going RedZone Affair, it now seems a new issue is starting to cause concerns.

Darrius Gothly reports that he was recently sanctioned by the moderators of the new Community Platform. The whys and wherefores of the sanction aren’t important. What is important, and somewhat worrying for people, is that rather than simply send him an e-mail warning him of his “violation” of Community Platform rules, the moderator instead uploaded a screenshot of Darrius’ post, complete with Darrius’ IP address, to a publicly-accessible photo-hosting website.

Again, it matters not whether IP addresses are “public information”; no-one is disputing that. What is of concern to many is that:

  • The IP address is displayed at all, and can be seen by anyone using the website
  • The image hosting website’s own ToS itself makes it an offence to display such information

Others who have received similar moderating e-mails have found the same – and they’ve found it relatively easy to use the information supplied in the image URL to poke their way into other photosets on the site itself.

Questions are being asked within the Linden Lab forum – although it is far too early to expect an answer right now. Of those questions, Qie Niangao asks the correct one:

“Umm.  A more basic question:

“Why on earth would any moderation action on the provider’s own platform require a screenshot, ever?

“To cite a particular post in communicating with a contributor, embed the text, title, and time of the post.  That should be a one-click operation, same as a screenshot, without incurring the overhead of shipping a screenshot out to a cloud service.

“What conceivable value does a screenshot add?  Are they trying to show embedded images that may have triggered moderation?  (A screenshot is an absurdly bloated way to do that, too, but I’m not sure that’s even what they’re trying to do.)”

Indeed. Why would a screenshot even be necessary, much less a screenshot that must then be uploaded to an external site?

As Qie states, the moderators should have sufficient access to the Platform to be able to cite the relevant details of a violation and e-mail the person responsible directly. And even if a screenshot is required as “evidence” – why not simply attach it to an e-mail to the person responsible?
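
The workflow argued for above (cite the post's title, time and text, and attach any screenshot to the e-mail itself instead of hosting it externally), sketched as an added example that is not Linden Lab's or Lithium's code. The record field names, e-mail addresses and function names are assumptions, and the sample record is constructed.

```python
import ipaddress
import re
from email.message import EmailMessage

# Only these fields of a moderation record may appear in a notice (assumed names).
ALLOWED_FIELDS = ("title", "posted_at", "text")
_TOKEN = re.compile(r"[0-9A-Fa-f.:]{3,}")  # anything that could be an IPv4/IPv6 literal

def redact_ips(text):
    """Replace every valid IPv4/IPv6 literal in text with a placeholder."""
    def _replace(match):
        token = match.group(0)
        # Try the token as-is, then without sentence punctuation stuck to it.
        for candidate in (token, token.rstrip(".:")):
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                continue
            return "[address removed]" + token[len(candidate):]
        return token
    return _TOKEN.sub(_replace, text)

def build_notice(record, recipient, sender, screenshot_png=None):
    """Build a moderation e-mail that cites the post without leaking metadata."""
    cited = {key: redact_ips(str(record[key])) for key in ALLOWED_FIELDS}
    title = " ".join(cited["title"].split())  # no CR/LF in the Subject header
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"Moderation notice: {title}"
    msg.set_content(
        f"Post: {title}\nPosted: {cited['posted_at']}\n\n{cited['text']}\n"
    )
    if screenshot_png is not None:
        # Evidence travels inside the message to the poster only; nothing is
        # uploaded to a third-party host. Pixels are not redacted here.
        msg.add_attachment(screenshot_png, maintype="image",
                           subtype="png", filename="post.png")
    return msg

# Constructed sample record: author_ip and session_id must never leave the platform.
SAMPLE_RECORD = {
    "title": "Re: Viewer crash on login",
    "posted_at": "2011-03-12 14:05 PST",
    "text": "Logs say I connected from 198.51.100.23. Still crashing.",
    "author_ip": "198.51.100.23",
    "session_id": "constructed-session-id",
}

if __name__ == "__main__":
    print(build_notice(SAMPLE_RECORD, "poster@example.com", "moderation@example.com"))
```

The field allowlist keeps the IP address and session data out of the notice even if the moderation record carries them, and the text redaction catches addresses that the poster's own text happens to contain.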

There really shouldn’t be a need to post such to a public website, as Qie further notes:

“So… how did screenshots get into the moderation workflow?  Is that brain-damage inherited from Lithium? or layered on top by LL? or by another third party contractor to LL?

“I mean, once they made the basic mistake of using screenshots at all, then there’s the choice of cloud service to store the bulging bit bags of pixels, and obviously whoever chose this provider wasn’t paying much attention.  I just think they shouldn’t have needed such a service in the first place.

“(I’m somewhat less interested in the idea of masking out the IP address before pushing the screenshot; we’re just extra sensitive to IP addresses these days, but in fact none of the information on those screenshots should be hosted on an unsecured site.  “Across the street” they’re having fun paging through shot after shot of other companies’ dirty laundry, so you can be sure other companies’ customers are laughing at the SL forums shots, too.)”

Again, whether or not IP addresses can be regarded as “public information”, this seems to be an inordinately crass approach that has been taken in informing people of any forum “wrong doings”. If it is simply a matter that moderators have been improperly trained, then it needs to be addressed fully and properly with the minimum of fuss, and LL need to issue a short statement that the matter has been rectified.

If it is a matter of policy for Linden Lab to handle these matters like this, then it really does call into question what the heck is going on in Battery Street – as there is no conceivable reason for matters to be handled this way at all.

Addendum March 14:

In response to concerns raised, Amanda Linden posted the following:

“Hey all, Thanks so much for flagging this. I have let the moderators know that displaying this kind of personal information–in any form–including screenshots–is not acceptable. Please accept my personal apology. We are still working out the kinks re: moderation and greatly appreciate this kind of input. Stay patient with us while we work through the issues and find the right moderation levels–all with the ultimate purpose of having a lively, productive dialogue on Second Life.

“Cheers, Amanda Linden”

Which is good news. However, one hopes that LL actually determine why there was such a failure in basic training of employed / contracted moderators.

Had the moderators been volunteers / users elected to the position who had had insufficient training, fair enough, but the fact remains that full and proper training should have been received by any and all contracted moderators, and LL should have sought to ensure this to be the case. If the moderators are in-house, then LL should have ensured full and proper training ahead of time.

It simply beggars belief that someone could send out a warning, yet not know how to attach a screen cap to it.

Let’s hope this is an end of the matter.

RedZone database hacked

The last few days have seen some mysterious goings-on around RedZone.

  • A video emerged that purportedly showed someone closely associated with RedZone talking to his girlfriend / another user and boasting about how he was attempting to scam the user names and passwords of RedZone users to see if they could be used to access SL accounts
  • This video was posted on YouTube some seven months ago, but was only pointed to (apparently anonymously) this week
  • The video was linked to a number of other videos that appear to have come from the creator of RedZone and a group of friends – channels subscribing to them included “Insanity Productions”, the “company” behind RedZone
  • Attempts to track the links between videos, etc., were countered by attempts to hide them / take them down from YouTube – almost as if someone were attempting to cover their tracks
  • Denials and counter-claims were put out by the “RedZone Camp”, citing, among other things, that YouTube and Google themselves had been hacked, that the video was a fake, and that the timestamp on it had been altered
  • zFire Xue then threw down a public challenge for someone to attempt to hack his computer.

Guess what?

It appears someone did. Some of us were on the epic SLU thread when his system went down – keeping us going for hours in speculation. Today, all became clear when the Alphaville Herald published a confirmation. And it appears some 1.6 million individual IP addresses are held in the database, complete with geolocation tools for pinning them down – pretty much as claimed in the video that surfaced earlier in the week.

And it appears that his activities are not limited to RedZone users; screen shots hint that he may well have been acting against users of his Prim Animation tool as well.

Already the news is spreading – and it is hard to see how “zFire” and his cohorts can wriggle free of this.

The evidence might be faked – but if so, it is rather elaborate, and one might suggest Occam’s Razor be applied to any explanations that try to explain this leak away via convoluted logic.

Certainly, this would now suggest that Linden Lab may well need to take a closer look at precisely what is going on around data harvesting, as information such as this going into the public domain is not going to do the reputation of Second Life – or of Linden Lab – a lot of good.

Back when I first commented on RedZone, I asked the users of that system a question:

I’d also like to address any potential user of RedZone on the matter of the tool they are using: if RedZone’s creators are collating information on SL users based on a scripted device you are deploying on your land – how much more information might they be gathering on you each and every time you log into their website?

Well, it looks like we all have the answer.

Media patch accepted by LL

The media patch that was developed as a result of the RedZone data harvesting tool has moved forward significantly.

First put forward for use in the Phoenix Viewer but already available with the Cool VL and Dolphin Viewers, the patch was recently submitted to the Snowstorm project for Viewer 2 development – and has been accepted and is being worked on.

Further, Oz Linden himself has put forward a JIRA (STORM-1037) that means URLs for media streams should no longer be hidden. This is significant as it means that potentially dubious / invasive media exploits (such as that used by zFire Xue for RedZone) can potentially be more easily identified if they pop up.

This is a significant step forward and means that, with the forthcoming inclusion of the patch in both Phoenix and Firestorm, the majority of SL users will have a greater degree of control over what happens within their Viewers, and a vastly improved means of making informed choices about what they wish the Viewer to do on their behalf.

Linden Lab makes a further statement on RedZone

Soft Linden has given an official update on the zFire RedZone situation over on JIRA VWR-24746, where he states:

Hey, all. I got the go-ahead to give an update on zF Red Zone specifically. Again, thank you for the ARs with specific info about violations. These have been very helpful for letting Lindens know what’s going on.
Tuesday morning, we removed zF Red Zone from the Marketplace for a second time. We removed the in-world vendor distributing the item as well. We determined that zF Red Zone was still in violation of our Terms of Service and Community Standards.
We asked for removal by no later than today of all zF Red Zone functionality that discloses any alternate account names. That is, even if consent is asked, the service may not act on the consent. In addition, we asked for removal by no later than Friday of the interface for and any remaining implementation of the zF Red Zone consent mechanism because it does not comply with our policies. If these updates are not made, we will take appropriate steps to remedy the violations.
As before, we appreciate your help in keeping an eye on content. If you find that any merchant’s product is not in compliance with our TOS or our Community Standards, please file an abuse report about the product. Do this even if you filed against a previous version. Include a specific explanation of what you believe is a violation, and ideally select and report the in-world object at issue in case it behaves differently than what’s in the Marketplace. Before reporting, make sure you have first-hand knowledge of the issue. Support can best react if you explain specific steps to reproduce or confirm a violation.

The wheels may turn slow, but they do indeed turn.

Soft Linden has been working hard on this matter – and keeping abreast of matters over the past weekend – and deserves a lot of thanks and credit for getting things to this stage. The entire matter may not be resolved as yet (the scanners themselves are still in-world and operating & may be unaffected if zFire meets LL’s current requirements and no stand has been made on the use of the device to collect data), but the fact we now have this situation is very, very welcome.

Soft, if you get to read this – thank you for your understanding, your commitment and your effort.

Update

The RedZone device vendor has been removed from zFire Xue’s in-world store by Soft Linden after the creator apparently attempted to place it back without meeting LL’s stated requirements. Commenting on the move, Soft said on the JIRA:

Soft Linden added a comment – 02/Mar/11 3:53 PM
Thank you for the additional ARs about the vendor being replaced in-world while the consent request mechanism was still in place. We’ve removed the vendor again and made conditions for recirculation more explicit.

New Community Platform launched

The new Community Platform launched today. The layout is clean and fresh and in keeping with the rest of the revised SL website.  Torley has produced one of his ever-impressive videos to help introduce the platform:

This is needed, as some of the elements of the platform are not entirely intuitive. Take adding an avatar picture for example. Once logged in, there is an option at the top of the screen called My Settings. Within this is a tab called Avatars. One would think this is the place to upload and select an avatar picture to go alongside your posts.

Wrong.

While you can indeed select an avatar from My Settings->Avatars, you in fact have to upload any image you wish to use from your profile first. Your Community Platform profile, that is. This requires that you click on your name at the top of the Community pages then click on Upload Images (/View image for, once you’ve uploaded the first time) then upload a picture then go to My Settings -> Avatars to select and use it.

And if you want to get a background for your avatar picture, it is even more confusing, as you need to play around with the Social Connect tab of My Settings.

And if you want to use a custom background (such as the one on the left) – it gets harder, as nowhere is the required size of the background given. This means that you have to fiddle about guessing the relative size of the background – and the “preview” option in Social Connect is as useful as a chocolate tea kettle as it is not representative of the background’s size when used in forum posts…

Friendly, huh? I eventually got the image on the left to work after well over 30 minutes of pissing playing around with images, and the required size appears to be 117(w) x 210(h) pixels.

None of this gets the new platform off to a user-friendly start – and this is reflected in the fact that the first questions lined up in the new Answers section of the Platform are about … setting up forum avatar pictures…

Elsewhere, LL seem to have blundered yet again. Back when the Jive-based blogrum was launched, a glaring omission was that of a General Discussion forum. This led to people being confused as to where to chat and, well, be a community. It also led to some pretty heavy-handed moderation on the part of Linden Lab which at times – it has to be said – was very biased in its approach: threads critical of LL were rapidly shut down by LL staff as being “inappropriate” for the forum in which they were posted, while other threads with a more positive attitude towards LL were allowed to run unhindered, despite also technically being in the “wrong” forum topic area.

Well…guess what is missing from the new forums? Yup: there is no General Discussions area. Of course, the JIVE blogrum did get a GD eventually – but you would have thought someone in LL, staff churn or not, would have remembered what happened before and learned a lesson. True, the JIVE-based GD got to be a pretty unpleasant environment  – but discussion is what makes a community, and without a GD area, the new Community Platform has a big hole in it – and it is already causing mass confusion, with GD topics turning up in both the Entertainment and Your Avatar sections.

I’m not altogether sure how I’ll like the new layout – if I use it that much, I’m now far too at home over at SLU. The general approach seems good, allowing for the obscure route you need to take to get a good-looking forum avatar sorted out;  page layouts are going to take a while to get used to. Certainly, the lack of a clear-cut GD environment is going to lead to a lot of confusion as to where people should post, and LL need to sort this out now rather than leave it – or go back to stomping on threads for being “inappropriate” for the sections they show up in.

More guidelines need to be built-into the system as well: Torley’s video is good at giving a broad overview, but really, the system could do with around two or three more.

It’s also going to be interesting to see how long LL staff remain engaged on the Platform once the sense of Shiny has worn off of it for them. In that respect, I’m rather surprised that there isn’t a section entitled “Ask a Linden” or “Ask the Lab”, or some such – together with clear and concise guidelines – that encourages two-way communications between users and LL representatives. After all, this platform is about improving communications and providing channels of communication, is it not?

Linden Lab comments on RedZone

Following the recent change to the Community Standards, zFire Xue has been attempting to wriggle out of having to receive the formal consent of those being scanned by his RedZone devices to have their information “background checked”.

Tateru Nino carried the concerns of users about Xue’s unethical approaches to the situation, which included a threat to release his database to all and sundry (for a fee), and his attempts to equate implied consent with formal (or informed) consent; not to mention his willingness to effectively throw his users under the wheels of ToS violations.

The Lab were very clear on matters, as you can see here.

The change to the Community Services itself wasn’t enough. However, this move by Linden Lab – coupled with the fact that once again, the RedZone tool has been delisted from SL Marketplace and comments from Lab representatives thanking users for filing ARs on the matter of the number of false positive reports this tool gives (in matching avatar accounts to one another) – is indicative that the wheels are still in motion on this matter.

Interestingly, at around the time the comments were made, RedZone again vanished from the SL Marketplace.