Emerald Site Security Broken! Data Mining Shocks Linden Lab!!!
by Pixeleen Mistral on 11/05/10 at 4:40 am
According to documents that appear to have been leaked from ModularSystems, the developers of the “Emerald” Second Life viewer have compiled a database of avatar names, IP addresses, and geo-location information for players who created Second Life accounts at the ModularSystems.com site. In addition, visitors to the developers’ land in the virtual world have been profiled in the database.
The leaked documents include e-mail exchanges, a partial dump of the secret database, php source code for portions of a “datamine” application, and a picture of the Emerald developers in a meeting with Linden Lab CEO M Linden, Linden legal council Marty Linden, and several other Second Life staff.
Emerald meeting M Linden, Marty Linden, Joe Linden, and others (click image for closeup view)
Unfortunately, pictures of a virtual meeting with top Linden leadership may not reassure the virtual world’s rank and file residents, as they consider the implications of leaked documents appearing on anonymous file sharing sites.
There is a strong sexual role play component to the Second Life game, and many players are sensitive to linkage of real life information and game accounts, particularly in the hands of third parties who may be less circumspect than Linden Lab. Several of the Emerald developers have “colorful” reputations which may also raise some eyebrows.
Is a database connecting avatars and IP addresses of concern? According to an e-mail exchange with second life resident Hazim Grazov [full text below], Linden Lab staff seemed to think so. Soft Linden said, “I’m working with a VP on how to best deal with this. This is extremely serious”.
avatar keys, names, and IP addresses collected both in-world and via RegAPI
Soft Linden’s concerns are echoed in an e-mail dated April 16th, in which Joe Linden tells Mr. Grazov, “We consider this a very serious event and have not finished our discussions with them as to next steps, privacy policy modifications, and communications with their users. I don’t know what the source of the file was, but if you know, I hope you will encourage them not to release it publicly.” Joe concludes by saying, “Thanks again for making us aware of this. Rest assured, we do not treat events like this lightly”.
However, it is unclear how seriously Linden Lab is treating the situation. This morning, the Herald contacted both Soft Linden and Joe Linden for comment. As we go to press 12 hours later, neither have replied and it is unknown what – if any – steps have been taken to limit the data collection.
Jcool410 searches for Tizzy
According to the leaked documents, several Emerald developers were able to run searches against the database. One document shows a user named Jcool410 performing a “datamine” search – but it appears that Jcool410 ‘s account had been compromised. Other documents list what are believed to be Jcool410’s passwords — apparently Jcool did not get the memo warning against using passwords found in the dictionary.
Welcome to Burbank!
Asked via Skype Saturday if there had been a breach of security at the modularsystems.com site, Jcool – who is known as Fractured Crystal in Second Life – declined to comment.
While it is possible that some of the documents have been fabricated, I can confirm at least two e-mail messages found in the Emerald Revealed documents are legitimate — both are chat messages that I sent to Fractured Crystal while he was offline and which were automatically forwarded to e-mail.
The news that Hazim Grazov raised questions about the Emerald developers’ data mining operation with Joe and Soft Linden will certainly lead to speculation that the recent Woodbury University Second Life ban was connected to the Emerald leaks. Mr. Grazov is known to have spent time with members of the Woodbury group in Second Life, and there was a confrontation between some members of the Woodbury faction and Fractured Crystal (a.k.a. Jcool410) shortly before Linden Lab removed the Soviet Woodbury sims and their leadership from the game.
As the Herald staff sifts through the Emerald Revealed documents, I am struck by the similarities between this confrontation and that of the Nicholas / Sephora mafia wars — the gameplay leaks out into the real world and website security breaches are used to score points against the other faction.
But are both sides treating this as just another game?
————————————————————————————–
Subject: Re: Someone told me you might want to see this RE Emerald…
Date: Fri, 16 Apr 2010 14:05:22 -0700
From: Joe Linden <joe@lindenlab.com>
To: Hazim Gazov <hazim.gazov@gmail.com>
Cc: Soft Linden <soft@lindenlab.com>
We consider this a very serious event and have not finished our discussions
with them as to next steps, privacy policy modifications, and communications
with their users.
I don’t know what the source of the file was, but if you know, I hope you
will encourage them not to release it publicly.
By the way, we determined that yours was the only voice account that had
been disabled. Is voice working for you again?
Thanks again for making us aware of this. Rest assured, we do not treat
events like this lightly.
Regards,
– Joe Miller
On Fri, Apr 16, 2010 at 1:36 PM, Hazim Gazov <hazim.gazov@gmail.com> wrote:
> I heard the explanation Jay gave as to why he had the info, and I don’t buy
> it.
>
> The database allowed administrators to quickly determine if a new account
>> was a alt account of a griefer that had previously attacked the sim. It also
>> stored the IP used on registration portal on the website when you register a
>> avatar because avatars created on that portal usually logged directly into
>> Emerald Point and were the fastest route for griefing the sim. After it was
>> demonstrated that this was a effective solution to the problem, several
>> nodes were placed in a few other sims for short periods of time
>>
>
> Since when do you need GeoIP functionality to determine if someone is an
> alt? From what I heard they had rather large GeoIP files used to obtain an
> approximate location from an IP address and had the code built into the
> system:
>
> From datemine.web.php:
>
>> $gi = geoip_open("geoip/GeoLiteCity.dat",GEOIP_STANDARD);
>> $giorg = geoip_open("geoip/GeoIPOrg.dat",GEOIP_STANDARD);
>> $giisp = geoip_open("geoip/GeoIPISP.dat",GEOIP_STANDARD);
>> $tip = $_GET['ip'];
>>
>> $record = geoip_record_by_addr($gi,$tip);
>>
>> /*$netspeed = geoip_country_id_by_addr($gi,$tip);
>> if ($netspeed == GEOIP_UNKNOWN_SPEED)$netspeed =
>> ‘Unknown’;
>> }else if ($netspeed == GEOIP_DIALUP_SPEED)$netspeed =
>> ‘Dailup’;
>> }else if ($netspeed == GEOIP_CABLEDSL_SPEED)$netspeed =
>> ‘Cable/DSL’;
>> }else if ($netspeed == GEOIP_CORPORATE_SPEED)$netspeed =
>> ‘Corporate’;
>> else $netspeed = ‘???’;*/
>>
>> $org = geoip_org_by_addr($giorg,$tip);
>> $isp = geoip_org_by_addr($giisp,$tip);
>>
>
> I sincerely hope something more than a slap on the wrist is doled out.
>
> I’ve also heard that my IP was sent as the person who "hacked" into their
> website, that’s bull and they should pony up some logs if they want to say
> that. I wouldn’t be surprised if they just pulled up the IP from that
> database.
>
> On Thu, Apr 15, 2010 at 11:32 PM, Hazim Gazov <hazim.gazov@gmail.com>wrote:
>
>> Unfortunately, I wasn’t the first one to get this, so I don’t think I can
>> do much to limit the sharing of it… however AFAIK very few people have one
>> with full IP addresses, most people have one with the last two blocks
>> censored.
>>
>>
>> On Thu, Apr 15, 2010 at 6:05 PM, Soft Linden <soft@lindenlab.com> wrote:
>>
>>> Yep, I see that, and I see the regapi collection. I’m working with a
>>> VP on how to best deal with this. This is extremely serious.
>>>
>>> Do you know how widely this has been spread, and could I trust you to
>>> limit further sharing?
>>>
>>> On Thu, Apr 15, 2010 at 12:25 PM, Hazim Gazov <hazim.gazov@gmail.com> wrote:
>>> > It’s being retained for the purpose of getting an SL user’s RL data
>>> > arbitrarily.
>>> >
>>> > On Thu, Apr 15, 2010 at 4:22 PM, Hazim Gazov <hazim.gazov@gmail.com> wrote:
>>> >>
>>> >> They’re not simply being retained, look at
>>> >> secondlifeutility/datamine.web.php
>>> >>
>>> >> On Thu, Apr 15, 2010 at 4:18 PM, Soft Linden <soft@lindenlab.com> wrote:
>>> >>>
>>> >>> I appreciate the heads up, Hazim, and I’m disappointed to see that the
>>> >>> IP addresses are being retained. I’ll let the appropriate Lindens
>>> >>> know.
>>> >>>
>>> >>> On Thu, Apr 15, 2010 at 11:57 AM, Hazim Gazov <hazim.gazov@gmail.com> wrote:
>>> >>> >
>>> >>> >
>>> >>> > ———- Forwarded message ———-
>>> >>> > From: Hazim Gazov <hazim.gazov@gmail.com>
>>> >>> > Date: Thu, Apr 15, 2010 at 3:50 PM
>>> >>> > Subject: Re: Someone told me you might want to see this RE Emerald…
>>> >>> > To: joe@lindenlab.com
>>> >>> >
>>> >>> >
>>> >>> > and I forgot the attachment, spectacular
>>> >>> >
>>> >>> > On Thu, Apr 15, 2010 at 3:49 PM, Hazim Gazov <hazim.gazov@gmail.com> wrote:
>>> >>> >>
>>> >>> >> Take a look at the SQL file and regapi/index.php at line 97…
>>> >>> >
>>> >>> >
>>> >>> >
>>> >>
>>> >
>>> >
>>>
>>
>>
>
Imnotgoing Sideways
May 11th, 2010
I’m carrying Fractured’s lovechild! DX
http://www.sluniverse.com/snapzilla_snapshots/Imnotgoing_Sideways_Silhouette_AV_449526.jpg
Glenn Beck
May 11th, 2010
You know who else used computers to datamine people?
Hitler.
Eva Ryan
May 11th, 2010
This brings out the big “SO WHAT” in me.
No U
May 11th, 2010
Interesting video about Emerald Team, discussing breaking vivox and other egotistical shit.
http://www.youtube.com/watch?v=_XnlYqJqLVI#t=3m28s
Quaver
May 11th, 2010
So in a nutshell
1. Known black hatters compile database of avatar names, locations and ip addresses allowing them to cross-reference alts.
2. The data is harvested by various means. Grid-wide Onyx bots, CDS, the Emerald (oops, those username details were being sent by accident, honest!) Viewer etc.
3. Numerous creators (tonktastik, ayumi, magika, etc.) are complicit in gathering said data and submitting it to known black hatters systems. Oh and they do not care TYVM. Their IP (property) is more important than your IP (address), rights to privacy and security.
4. Emerald’s Ministry of Truth Princess Chalice Yao is caught with her hands in the till but fails to offer a decent explanation for her use of this database.
everest piek
May 11th, 2010
well…brings me to the question, why those “documents” are plublicised on your blog and what you need my email for?
@ eva: AGREED! so f**king WHAT??
someone compiled a modded version of a viewer, took data from the registrations and you blame modular systems for it?? i am not affiliated with them in no ways, but i am getting a slight feeling someone wants to badmouth those developers for bringing out a viewer without getting paid for it. thats really poor.
V
May 11th, 2010
Thank you Glen. You scored 1 Godwin.
Otto
May 11th, 2010
Another pant load from Pix trying to damage Linden Lab and also take a little revenge for her griefer buddies at Wu being banned. Go back to being a mediocre academic has-been. The Herald is offically a giant FAIL. No one who matters believes this crap anymore.
Wyrdwolf Legion
May 11th, 2010
But you can’t help yourself from reading it , eh, Otto?
LOL!
ModularSystems=New G-team
May 11th, 2010
>The only reason LL talks to them is because of YOU, yes YOU, the gullible and manipulated masses who continue to use their hacked viewer and think it’s the greatest thing since sliced toast (while it secretly sends your info to their site). If it weren’t for all of you they’d get the same reception from LL as Michael Moore at a Teabagger rally.
/thread
Jocelyn Pawpad
May 11th, 2010
Damn, so a bunch of black hat Emerald devs are showing up at my place? I’d better order chinese take out and put the kettle on!
Cartman
May 11th, 2010
Otto has it right. This is half-truth, badly researched fail, just like everything else the Herald publishes and then has to scramble to justify later, sometimes by lying about it some more.
Cartman
May 11th, 2010
It’s amazing how somehow Woodbury creeps into every article whether it has anything to do with it or not.
Hendrik Schroeder
May 11th, 2010
I hope this was a learning for Linden Lab to review their open source strategy. In the past only the Content Developers used to be the victims of this stupid strategy.
But now it has hit the whole amount of emerald users, a 3rd party viewer that has been recently approved by LL.
If I would have used this viewer I would start a legal action immediately. The penaltys for illegal data mining are quite high. Even a imprisonment of responsible persons is possible based on the US and even european law.
Hazim Gazov
May 11th, 2010
Well actually I am/was a member of WU, and I tipped off pix and the lindens, then WU was massbanned, so I’d say it has something to do with the article.
my nutz
May 11th, 2010
this is about as real as my ava is .. this is another LL witch hunt to kill the most popular viewer in SL BECAUSE IT ISN’T THEIRS!! get a life LL emerald is a well thought out viewer light yrs ahead of yours. so either hire them to do yours or STFU and stop feeding this rag customer info and false statements. kill emerald you kill your customer base. you will have a made rush of ppl who will leave return servers or have no one to buy the V-land from them. wake up you retards.
GEORGE ZIMMER, FOUNDER AND CEO OF MEN'S WAREHOUSE
May 11th, 2010
In during the flood of raging Emerald devs.
David McNaughten
May 11th, 2010
I really really doubt that, Hazim. Everybody knows the Lindens had been watching WU to see if they’d break the deal they made after the first mass banning and sim deletion in 2007, and Linden Legal has a file on WU as long as your arm going back years.
Just because the events were sequential doesn’t mean they’re connected, and that the last three years of continuous rulebreaking and getting caught hacking, cracking, griefing, copybotting and everything else during all that time had no bearing at all is a ludicrous proposal.
Omnifox
May 11th, 2010
So… Any website you EVER go to, logs your IP information.
Having someones IP is not the “KEY TO THE INTERNETS”
Everyone viewing THIS blog post, has given Alphaville Herald their IP, Where is the shit storm over that? They even GEOIP you here as well?
Oh wait. It means nothing. Sensationalist journalism for the sake of web hits!
Hazim Gazov
May 11th, 2010
@David
Well considering beforehand LL was working closely with us to get a total of 9 new estates and we agreed to have a liason permanently posted in WU as part of the deal, I’m not sure why they’d start doing it, then just ban us all of a sudden.
David McNaughten
May 11th, 2010
Easy. You guys just reached the threshold. You had every opportunity to turn it around before you reached your “magic number”, and then you reached it, legal threw the switch, and it was all over. That simple, really.
David McNaughten
May 11th, 2010
I mean, “The sun rose this morning. My car caught fire. Therefore, the sun made my car catch fire.” That’s a logical fallacy, because it ignores all the other possible elements.
Hazim Gazov
May 11th, 2010
I don’t think it’s a logical fallacy considering a linden basically confirmed it and got fired for it.
Hazim Gazov
May 11th, 2010
@Omnifox
I highly doubt the herald retains a database of avatar names linked to IPs to give out to their friends for lols and actually maintains an application that has geolocation capabilities.
Just the fact that they made a whole web application centered around it should tell you how often they used it.
There’s a huge difference between a webserver log and “hurrdurr dox and ips in hurr guys lol”
ModularSystems=New G-team
May 11th, 2010
Hazim, for the most part I agree with the things you say and the Emerald devs shady actions.
But as far as WU being banned, come on, you’re not stupid, and you know we’re not stupid. we all know what went on in WU. Why LL turns the cheek on it for ModularSystems, specifically J and Phox is makes me wonder everyday.
Hazim Gazov
May 11th, 2010
@ModSys=NG
I never said there wasn’t any legitimate reason for WU to get banned and I really don’t care about it being banned, but this whole thing was the final straw for LL.
Hazim Gazov
May 11th, 2010
and the reason they turn the other cheek is because they’re all buttbuddies with oskar / soft / whoever.
Curious
May 11th, 2010
This is why I will not use any other viewer than the Linden labs one and another reason why they should never have made the viewer open source.
Now we have stepped up from content theft to ID theft. I cannot wait to see what is next.
Ajax Manatiso
May 11th, 2010
A fat lot of nonsense. If you are going to try and create an account on a website, the website HAS to have a database in order to process the request. The fact that the database is search able is irrelevant since thats what a database is. You might as well report on the possible bombs in everyone’s car — they have a container full of gasoline in every one! OMG!
Jahar Aabye
May 11th, 2010
While I do not know for certain, I do not think that the use of the Emerald viewer specifically was responsible for their ability to attain the IP address of an avatar.
From discussions that I have had with individuals who are not affiliated with Emerald, it is theoretically possible to obtain an individual’s IP address using the land media URL. If someone has media set to autoplay, it means their viewer, even the LL viewer, will automatically attempt to load the media address when they enter that parcel.
This is one method that I know of that would allow someone to obtain the IP address of another user who enters their parcel, which appears to be the main method used here. And from what I know, it does NOT matter whether you are using the Emerald viewer or the default LL viewer.
This doesn’t mean that there isn’t also code embedded in Emerald to make this easier, but since the Emerald viewer is distributed open-source, you’d think someone would have noticed if they’d embedded some sort of Trojan-like capability of this nature.
The existence of a database, however, is disturbing. If someone shows up and actively griefs the sim, then it might be acceptable to log that user’s name and UUID, and obviously ban them and submit an AR if necessary. I could also possibly see why one might wish to keep their IP address on file so that if they came back with an alt, you might be able to pre-emptively ban that user when they entered the sim, before they had a chance to create mischief. However, since many people use dynamic IP addresses, this method is hit-or-miss at best.
And most importantly, there is no reason to keep the IP addresses of all visitors to Emerald Point on file. Keeping the names, UUIDs, and possibly the IP addresses of individuals who actively griefed the sim on file could be justifiable under certain circumstances, but not keeping tabs on everyone.
swedishfox ghost
May 11th, 2010
i got a feeling that this is forged
Hazim Gazov
May 11th, 2010
>the website HAS to have a database in order to process the request.
lrn2regapi.
Nebula/PinkBunny
May 11th, 2010
Well my ranting of saying hey look here in the source code pointing out the mother fucking line in their viewer that sends data and pointing out the places in cds that also mine data that was posted to paste bin awhile back by a friend of mine isn’t so far fetched now isnt it! Fuck emerald the viewer is shit, it lags, fuck the devs they are money hungry ass holes, and I cannot wait untill they finailly get what is coming to them.
Once again my position as an ex-griefer:
When people quit griefing there is at least a small noticeable change. Fractured did not change one fucking bit and he is just a dumb dick hole.
And finally yes I did an actual rant about the cock sucking, dumb as shit, fucking stupid ass, furfag emerald developers who can’t even code a simple sl viewer right.
ModularSystems=New G-team
May 11th, 2010
>but since the Emerald viewer is distributed open-source, you’d think someone would have noticed if they’d embedded some sort of Trojan-like capability of this nature.
@Jahar
The source they post IS NOT what they use to make the binaries, I have proof of this and anyone who has compiled their own viewer can see it too, I can post it here if you’d like. Although where the difference was found is no biggie it makes you wonder, what else may be different from the source and binary.
Nebula/PinkBunny
May 11th, 2010
@ above comment
Thank you oh and PS they broke some of the releases to prevent people from making copy bat clients off of them. That is against the rules. Oh and in earlier releases still available to download there is code that references Vlife.
Tin foil hat time!
Kiddoh
May 11th, 2010
“i got a feeling that this is forged”
I got a feeling that you would make a terrible fortune teller.
swedishfox ghost
May 11th, 2010
@kiddo
well lindens dont talk to users like that, thats my reason thinking its fake
Cartman
May 11th, 2010
This is just more of the same bunk we’ve been seeing from the Herald for months now. Geolocation can’t pinpoint your house anyway, and frankly, most web sites do keep logs of who visits them complete with the IP addresses, what country they’re from and what domain name their IP is associated with – and sometimes that means what ISP you’re using too.
Most of the internet does this. Why did anybody even write an article about it? It’s like “Dog bits man”. Who the fuck cares?
Cartman
May 11th, 2010
And yeah, very probably forged.
Kiddoh
May 11th, 2010
Ou~ Cartman, every point you’ve tried to make in this thread has already been cock-slapped in the SLU forums.
http://www.sluniverse.com/php/vb/general-sl-discussion/44270-oh-snap-10.html
“well lindens dont talk to users like that, thats my reason thinking its fake”
You’d be surprised. Some Lindens do in fact have personalities and aren’t brick walls when you talk to them.
Nickee Ninetails
May 11th, 2010
wondering why all the fuss all of a sudden when this was posted in NOVEMBER?
Jahman
May 11th, 2010
“But now it has hit the whole amount of emerald users, a 3rd party viewer that has been recently approved by LL.”
Hell you say – I never gave Modular my in-world ID at all. Get your facts straight, and lets not get our frackin’ panties in a knot.
If you don’t use a proxy, your IP address is there for anyone to see. If you spread your user ids around with them, then you get what you deserve.
Amira Footman
May 11th, 2010
To all the people saying ”so what!” and ”I don’t f*cking care” etc, you’re missing the point entirely. The issue isn’t that they are recording IP addresses and other information, the issue (for me at least) is that
a) LL didn’t KNOW they were recording IP info
b) They were not SUPPOSED to be recording IP info
For me it just proves once and for all the ModSys are playing their own game, by their own rules, and LL have no control over them whatsoever.
Incorporate the Emerald features such as previewing animations and textures before paying to upload, double click to teleport, and any other major feature it has into the standard viewer and cut off ModSys. But LL will never do that for one huge reason, they’re terrified of what ModSys is capable of if they’re not working WITH LL.
In my opinion one group of residents should NEVER have been given the power LL has given to ModSys, a group made up of hackers and copybotters, it’s just asking for trouble.
Jahman
May 11th, 2010
Umm….
If I understand it correctly, this list they’ve got is related to their own forum, right?
So what does Linden Labs have to do with anything here?
Kiddoh
May 11th, 2010
“In my opinion one group of residents should NEVER have been given the power LL has given to ModSys, a group made up of hackers and copybotters, it’s just asking for trouble.”
Very true. This was a point made back when the JLU actually had influence.
Oxe/Geo
May 11th, 2010
@Eva Ryan’s ”This brings up the big SO WHAT”
Fuck you.This is about privacy.
You ignorant piece of camel shit.
Quaver
May 11th, 2010
Eva Ryan is an asshole. Remember when our credit card info got exposed by Linden Lab back in 2006? If Eva Ryan’s card details ever get leaked and used, or her identity gets stolen using other data, remind me to necropost her uninformed shit and tell her to go fuck herself.
Amira Footman
May 11th, 2010
@Nickee Ninetails
You’re looking at the date the wrong way round. Take a look at the email dates.
Danziel Lane
May 11th, 2010
Or think about this:
by Pixeleen Mistral on 11/05/10 at 4:40 am
If that would mean “back in november” …. how comes this year’s november is “back” in your mind?
Kelindra Talamasca
May 11th, 2010
Well whomever said datamine about hitler didnt say hitler had to do it the old fashioned way using people, gossip, bad neighbors, hearsay and just someone saying bad htings about others because computers were still just ideas.
But one datamine source still not even metioned yet is the government and law enforcement, so if they really want it. Government prolly is using datamines on the dataminers themselves and it is establised fact that law enforment agencies as well as private detection agencies ARE in SL. And they do not advertise.I just hope that the dataminers are traced via ip address and that the government legal eagles will actually do something and publicise that they did as lesson.