zf Redzone Security Breached – SL Passwords Compromised?
by Pixeleen Mistral on 12/03/11 at 3:12 pm
Is Redzone playing guessing games with 2200 customers’ SL passwords?
The firestorm of criticism surrounding the zf Redzone Second Life security system may be only the beginning of zFire Xue’s troubles. A shadowy group of Second Life hactivists claim to have breached the Redzone server’s security, gaining access to the server database and discovering cleartext passwords for most Redzone customer accounts on the site.
As if storing raw Redzone customer passwords is not bad enough, there is apparently a second table that tracks passwords from failed login attempts in the hope users will accidentally enter their Second Life account password. These failed passwords are conveniently displayed on the user profile page of the "Admin Overlord App" as "Possible SL PW(s)".
In light of these revelations, the Herald strongly suggests that all zf Redzone customers change their Second Life account passwords immediately – and ask themselves why they would continue to run a product that attempts to guess their Second Life password.
Redzone User Data includes possible SL passwords stored in cleartext
Rumors that zf Redzone has been used in attempts to collect Second Life passwords recently gained significant metaverse mindshare as a YouTube video began making the rounds describing a web site that can predict player passwords based on failed login attempts.
It is widely believed that the video is from zFire Xue to Mariana Swashbuckler. Avril Korman reports that zFire Xue is part of a SL gang known as the "Mars Syndicate" which includes a member named Mariana – apparently the same Mariana to whom the video is addressed.
How did the hactivists gain access to the Redzone security system’s secrets? According to several sources, the site fell to an SQL injection attack in which carefully crafted URLs cause the site to hand over information in the database that was not intended for public viewing.
This is the same sort of attack which was used to breach the HBGary Federal site recently. We can only conclude that role-play security experts in both real life and Second Life have some difficulty with the basics of keeping their own sites secure. Perhaps they should not store sensitive data?
Password compromises are not the only concern raised by the leak. It appears that zFire Xue can also manually add players to the Redzone copybotter list.
We can only hope that Mr. Xue does not abuse this power to persecute his critics.
Admin Overlord App allows manual addition of "copybotters" and Account stats lookup
The amount of avatar and IP address information contained in the Redzone database is impressive – but not in a good way. According to those claiming responsibility for the leak, there are over 1.6 million unique IP addresses connected to various avatars in the database, and geo-location tools to identify the real life location of Second Life players monitored by zf Redzone.
However, hactivists who have accessed the Redzone database have not published its contents so these claims will be hard to verify.
zFire Xue protects his own "Possible SL PW" from view
The hactivists behind the security breach went into significant detail about what they uncovered in this comment sent to the Herald early today:
screenshots having zfires password viewing pages and others. certain sensitive info is removed. please save and repost the images before they get removed.
“Admin Overlord Ap” – http://i.imgur.com/Vrfrt.png
“Account Data” – passwords were stored using md5() hashes. a column was added later to keep the raw password to show to admins. after… the failedlogin table was added to store failed logins and show failed password choices to admins. probably used to steal SL accounts like in the video
zfires “Account Data” page – http://i.imgur.com/iIesN.png
random redzone owner “Account Data” page (to demonstrate that possibly all sl passwords are shown to admins) – http://i.imgur.com/Vnt21.png
other infos: there are raw failedlogin passwords stored for 2200 users. there are raw user passwords stored for most with an isellsl and redzone account.
ips are not stored encrypted like the “frequently asked questions” say. there are 1670471 unique nonencrypted ips connected to avatars. there are geoip tables in the db for finding locations from ip….
maybe zfire plans to stalk people around the grid using his redzone things. This table is in the redzone db:
[tracking] index, detectedname, detecteduuid, location, date, ownername, owneruuid, objectname, objectuuid
4 other people in the server at once.. bad security.
i only want to confirm. not data or mess up his data or something stupid. i did not remove the db or mess it up. i cant also wont leak the contents. maybe other people already got it though, from looking at sql error and posts of password changed without them…
please remove tracking and failedlogin tables and pass2 column from users table. thank you.
please also read OWASP and fix page zfire. dont be a jerk!!
As of this writing, evidence that something is seriously amiss with the isellsl.cx Redzone site persists, as SQL error messages are displayed on several pages. Attempts to contact zFire Xue for comment have been met with silence – it seems likely he is busy inspecting his database and applications for leaks and damage.
Given the level of access the hactivists seem to have to his system, the Herald suggests Mr. Xue take our advice to his customers and change his passwords – then ask himself why he would continue to run Redzone.
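The three failures reported above (SQL injection, a raw-password column beside the md5() hash, and a failedlogin table of mistyped passwords) shown in corrected form. This is an added example, not code from Redzone or the Herald; the schema, function names and PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash; unlike a bare md5() it is costly to brute-force offline."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


# Dummy credentials so an unknown username costs the same work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = derive("placeholder", _DUMMY_SALT)


def open_db() -> sqlite3.Connection:
    """Create a constructed in-memory schema (hypothetical table names)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        -- No raw-password column exists at all.
        CREATE TABLE users (
            name    TEXT PRIMARY KEY,
            salt    BLOB NOT NULL,
            pw_hash BLOB NOT NULL
        );
        -- The audit trail records who and when, never what was typed.
        CREATE TABLE login_audit (
            ts      TEXT DEFAULT CURRENT_TIMESTAMP,
            name    TEXT NOT NULL,
            success INTEGER NOT NULL
        );
        """
    )
    return db


def register(db: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)  # per-user salt
    db.execute(
        "INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
        (name, salt, derive(password, salt)),
    )


def login(db: sqlite3.Connection, name: str, password: str) -> bool:
    # Bound parameters: the name is always data, never part of the SQL text.
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    salt, stored = row if row else (_DUMMY_SALT, _DUMMY_HASH)
    candidate = derive(password, salt)
    ok = hmac.compare_digest(candidate, stored) and row is not None
    # The submitted password is discarded here; only the outcome is logged.
    db.execute(
        "INSERT INTO login_audit (name, success) VALUES (?, ?)", (name, int(ok))
    )
    return ok


def stored_values(db: sqlite3.Connection) -> list:
    """Every cell in both tables, for checking that no password is at rest."""
    values = []
    for table in ("users", "login_audit"):  # fixed identifiers, not user input
        for row in db.execute(f"SELECT * FROM {table}"):
            values.extend(row)
    return values


if __name__ == "__main__":
    db = open_db()
    register(db, "resident", "constructed-site-password")
    print(login(db, "resident", "constructed-site-password"))
    print(login(db, "resident", "constructed-other-password"))
    print(login(db, "' OR '1'='1", "x"))
    print(any("constructed" in str(v) for v in stored_values(db)))
```

A failed attempt leaves one audit row with a name and a zero; nothing an administrator page could later display as a candidate password for another service.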
Omglol
Mar 14th, 2011
Shit hits the van, zFire is a very bad boy
had enough
Mar 14th, 2011
Mike Prime acts just like a scripty fur-fag.
Rawst Berry
Mar 14th, 2011
The people calling for zfire’s banishment from SL need to pull their heads out their asses. For one thing, this evidence is not solid, it is taking an anonymous hacker at their word. Secondly, this database is housed outside of SL.. therefore the Lindens have no jurisdiction over it. They cannot ban someone for what happens outside of the game.
Do you really have sympathy if the users of Red zone get their passwords stolen? I find it hilarious. I know some people bought redzone just to check it out for journalistic/research purposes.. but the risk is probably low if they changed their passwords right away.
Miss J
Mar 14th, 2011
Holy….Changing my password!
Miss J
Mar 14th, 2011
oh wait nvm….im not a redzone customer
Nakomi
Mar 14th, 2011
Heh dammit, now they fixed it. I used to backdoor them to add people to the ban list I didn’t like.
So yeah. gaytaims.
lol@redzone users
Mar 14th, 2011
It’s obvious it’s true, how stupid can you be…zfire and spitfire being the same person. Has released viewers with keylog and backdoors. I would not be impressed if such a thing was used to try and gain user passwords of redzone. Stupid for buying a system from a scammer anyway :Q
MoonGazer
Mar 14th, 2011
Could we please get some sanity into this hysteria. The V3 Redzone system is the ONLY one collecting data. All previous versions operate as security orbs only. And yet the Green Zone zealots spam users of V2 and V3 redzone products indiscriminately. Seems they have no problems invading a sim owner’s privacy based solely on ownership of any redzone product – even if it is one NOT CAPABLE of collecting data. To me this seems like the pot calling the kettle black. What makes it ok for a green zone zealot to come onto my sim and a. identify my security system, b. bitch at me about it based solely on the possibility that it might be the dreaded v3, and then c. spam me with unwanted notecards ever afterwards. Seems to me that there is not a whole lot of difference between that information gathering and that the Red Zone V3 is accused of.
One has to wonder really…..
Kya
Mar 14th, 2011
Quoted from Rawst
“Secondly, this database is housed outside of SL.. therefore the Linden’s have no jurisdiction over it. They cannot ban someone for what happens outside of the game. ”
————————–
As a matter of fact, yes, he can be taken to court. No matter where the data was stored at or who owned it. Actually he could be facing several charges stemming from this if SL chooses to pursue it.
BTW: I have a law degree
The Anti Herald
Mar 15th, 2011
LOL, then you’d better go back to your school and get your money back!
What a moron!
Rawst Berry
Mar 15th, 2011
Kya: He did not get Second Life passwords. He kept a list of failed password attempts on his own website. How the hell can Linden Labs do anything about that? Furthermore… WHY would the Lindens care enough about this issue to waste their money in court? They obviously don’t care otherwise they would have banned him, and not worked with him to let him keep his product on the market.
And you saying you have a law degree holds as much water as an anonymous person saying they hacked zfire’s website. I don’t care whether you do or not, but just sayin’.
Eva Ryan
Mar 15th, 2011
I say…
OFF WITH HIS HEAD!!!!
Innula Zenovka
Mar 15th, 2011
@MoonGazer.. I’m a bit confused by your references to RZ 2 and 3.
The version he sells in the MarketPlace is Version v4.2, and that’s what his website says is the current version. As I understand it, automatic updates are available for owners of older versions.
What have very outdated versions of the product got to do with anything?
Danziel
Mar 15th, 2011
@Rawst
“The people calling for zfire’s banishment from SL need to pull their heads out their asses.”
What an introduction! Who do you think will be interested to read on? Those that you blame to have their heads in their asses?
“For one thing, this evidence is not solid, it is taking an anonymous hacker at their word.”
Well, I have seen so many residents go from SL without the slightest evidence and not the slightest chance to be heard.
Maybe there is no evidence that they try to guess SL passwords, but they annoy residents, they harass residents and they promise safety without being able to detect real copybotters or evidence for using alts … besides there is no danger at all coming from alts.
“Secondly, this database is housed outside of SL.. therefore the Linden’s have no jurisdiction over it.”
That would mean, if someone steals my car and brings it away from my area to theirs, I can’t call the police but have to invite them to my next party into my house? Strange.
Linden Lab has given them a license to use SL data INSIDE SL. If they use it on a website outside SL that is a breach of the contract signed by their yes, when they were asked about the TOS.
So LL has every right to ban them and to ask their lawyers to start a lawsuit against them.
“They cannot ban someone for what happens outside of the game.”
Of course they can. If I come and reveal your private data, maybe about taxes and your countless tickets for wrong parking of your car, of course you can do something against me.
You could ban me from your sim first, though your taxes and parking sins have nothing to do with SL, plus you can attend your attorney what else you could do against me.
“Do you really have sympathy if the users of Red zone get their passwords stolen?”
Well, I have sympathy. Many of them fear to get their hard work stolen, the angst is used by zFire to sell his “products”, the designers are scared by all the bad news about content theft and people who sell these useless products, do a lot to increase the fear.
You may call the customers stupid, dumb or worse. But that only will lead to them listen to sense even less than before and they will follow the next one who promises safety.
I have sympathy and I want them on MY side in the fight against false promises.
“I find it hilarious. I know some people bought redzone just to check it out for journalistic/research purposes.. but the risk is probably low if they changed their passwords right away.”
Anyone who knows the risk and buys that thing for journalistic purposes or for technical testing to find out, what it really does, will know, what to do as the very next action right after the test.
But to stop these, someone has to talk to those, who gave hours of their lifetime into a nice product and see it copied the next day.
These residents need to be informed, instead of calling them stupid and dumb when they buy Redzone, we should talk to them.
Unfortunately angst can easily be created by 140 bytes twittering, but good information needs more text.
Unfortunately it is so much easier to create angst and fear to sell such a nasty product than to provide good information about content theft, that would enable people to do smart decisions.
Dave Bell
Mar 15th, 2011
The big problem is that there are a bunch of official documents out there, available to the public, which build a disturbing picture of the person known in SL as zFire Xue. If the connections are true, we’re dealing with a person already convicted of cybercrime. If they’re false, the coincidences really mount up: name, age, where the guy lives, names of friends. As Ring Lardner said, the race is not always to the swift, nor the fight to the strong – but that’s the way to bet.
Much of this came out of the weekend. I would hope that law enforcement is making a few checks, because if the allegation is true, there is potentially a breach of probation. Those checks will take time.
Magnus Brody
Mar 15th, 2011
A system which was (mostly wrongly) attempting to compile a database of alts, also collecting mostly wrong passwords. Who would have thought it?
Rawst Berry
Mar 15th, 2011
@Danziel
Obviously, you were interested enough to read on.
I didn’t call redzone users stupid or dumb. I would call them unethical-purposely allowing some random dude to collect information about their customers. I’ve been copybotted before. It sucked. But I’m not going to go on a witch hunt because of it.
re: debating whether LL can ban zfire or not: LL reserves the right to ban anyone for absolutely no reason. So you win. But it’s not in the TOS. Under section 4.3 Linden Lab is a service provider and is not responsible or liable for the Content, conduct, or services of users or third parties:
“The Service may contain links to or otherwise allow connections to third-party websites, servers, and online services or environments that are not owned or controlled by Linden Lab. You agree that Linden Lab is not responsible or liable for the Content, policies, or practices of any third-party websites, servers, or online services or environments. Please consult any applicable terms of use and privacy policies provided by the third party for such websites, servers, or online services or environments.”
Although Danziel, your little analogy is confusing to me.
“Of course they can. If I come and reveal your private data, maybe about taxes and your countless tickets for wrong parking of your car, of course you can do something against me.
You could ban me from your sim first, though your taxes and parking sins have nothing to do with SL, plus you can attend your attorney what else you could do against me. ”
Zfire did not share private information about LL, it was about his customers. Obviously, those people would have every right to sue him, and they would probably have a good case as long as there was some actual evidence. Linden Lab itself is a company, they aren’t cops, they can’t go around enforcing their TOS on other websites.
Nelson Jenkins
Mar 15th, 2011
@ Rawst Berry
You seem to forget that zFire agreed to the ToS as well, and thus LL has legal grounds to sue him. Case closed.
Yep
Mar 15th, 2011
Getem Tiger
http://www.youtube.com/watch?v=R5tlMcVd_ko
Debbie
Mar 16th, 2011
And we are supposed to believe a hacker, who committed a crime by hacking the DB? Right, that person could have changed anything he wanted and put stuff that was not there even. I don’t believe in the criminal hacker
Danziel
Mar 16th, 2011
@Debbie
“And we are supposed to believe a hacker, who committed a crime by hacking the DB?”
Ah!! Belief!
Yep, somehow your belief is part of your private data … well, it’s a decision only you can do.
You may have a strong belief in the hactivists being honest.
You may have a strong belief in the hactivists being liars.
You may have a strong belief in paying 3999 Lindenbucks for that thing, gives you safety from copybotters and stalkers.
You may have a strong belief in the idea that the 77k humans identified by this system are the real criminals.
All your decision.
What I believe in?
If I go and check a nice shop and decide to do a review, then return with my female model alt to buy some no trans clothes … and get banned before I can even right click on the vendor …
… well then I have a strong belief in the shopowner being safe from me, my alt models, and my review and the free advertising that I would even have paid for by buying some of their stuff.
So yes, this system – as long as it was not banned – really provided some sort of safety.
Cathiee McMillan
Mar 16th, 2011
@Debbie
You got Duped by a CON man.
He ran and hosted the group Knights of Mars a griefing group
He Owned and Ran Redzone a product to stop said copybots and Griefers.
He ran a protection racket .
Lindens banned him cause of that is my bet. They were able to link all the dots in their system and saw that he was an actual griefer.
You got sold a product that didn’t do its job.
Sorry you got Duped.
Learn to protect yourself.
dead zone
Mar 16th, 2011
I have tested RZ, the alts..no matter what anyone says, were accurate in every instance I tested…13 people, it missed some of the alts in the listings, until they landed on the sim, but then it got them, but the ones on the individual, were either them, or someone in their house. Not sure how he did it, don’t really care.
I have things on my sim, some I’ve paid for, some I’ve been gifted from some of the most incredible creators in all of SL. And..I watch the botters come and go, one finds out, his friends come later..and yes..they do get around RZ..its not hard..reboot your modem in most cases and get a new IP address. I have AR’ed all those I felt were copybotting, the ones I watch, stand in one spot for hours, not responding to your invitation to converse, whether they are or aren’t, not my problem, it’s LL’s.
In all of this, I do know one thing, LL could prevent copy botting if they wanted to, and they could give land owners, yes we the ones that actually pay for your good time here, the tools we need to take care of our own sims .
IF LL would give their land owners better tools, they (LL) knows for sure whose alt is whose, without snooping, or gathering information, to ban and the option of banning the bannee’s alts, these renegade systems would disappear from the landscape, from lack of interest.
Danziel
Mar 16th, 2011
@dead zone
“I have tested RZ, the alts..no matter what anyone says, were accurate in every instance I tested…”
The test that would be interesting for me: two different avas, run by 2 different humans on the same private or company network, served by the same router … were they identified as alts or did RZ find out they are NOT alts?
If you haven’t done a test like that, you have not tested RZ.
“…. or someone in their house. Not sure how he did it, don’t really care.”
But I care. A system that identifies my ava as an alt of that of my neighbour of whom I don’t even know, what else he does on his computer, is useless and even dangerous.
“And..I watch the botters come and go, one finds out, his friends come later..and yes..they do get around RZ..its not hard..”
THAT is the interesting point. Shopowners pay 3999 Lindenbucks for the promise to be safe from botters, and all the system does is putting people together as alts, who share an IP.
YOU watch the copybotters, you see them work, and RZ keeps quiet and lets them do it.
“In all of this, I do know one thing, LL could prevent copy botting if they wanted to, and they could give land owners, yes we the ones that actually pay for your good time here, the tools we need to take care of our own sims IF LL would give their land owners better tools, ….”
That would mean, you also see your ISP in charge, when people copy content from your website.
LL has given landowners a lot of tools and power. You only need to be there and use them. But systems like RZ promise that you can stay in your bed and party 24/7, RZ will keep your land safe.
The best weapon against copybotters is yourself and customers that trust you and tell you, when they see your stuff copied.
“…, they (LL) knows for sure whose alt is whose, …”
This is the dangerous step. You talk about copybotters and the very next sentence is about alts.
Alts are useful, for testing, for modelling, for taking photos, for doing different things in SL, for putting your money on their accounts, for lots of things … nothing, NOTHING is wrong with alts.
Only thing is: people who like to make much money quick, promise to detect copybotters and show how easy they detect alts.
That is as if they sell you a car, not talking about the missing motor, but about how comfortable the seats are.
The bad thing is, that too many believe that detecting alts has anything to do with their safety from copybotters.
“… without snooping, or gathering information, to ban and the option of banning the bannee’s alts, these renegade systems would disappear from the landscape, from lack of interest.”
The better way is to use what you got from LL. I run a sandbox on my sim for 18 months, and I only ejected 4 and banned 2 of them.
Tux
Mar 16th, 2011
@dead zone:
‘I have tested RZ, the alts..no matter what anyone says, were accurate in every instance I tested…’
Then you have no idea how to test. I tested the system and it failed in every instance. I even had media on each time.
‘they do get around RZ..its not hard..reboot your modem in most cases and get a new IP address.’
I thought it was accurate in all tests? Also, my IP is a static business line and will always have the same IP (has done since ’05).
‘I have AR’ed all those I felt were copybotting, the ones I watch, stand in one spot for hours, not responding to your invitation to converse, whether they are or aren’t, not my problem, it’s LL’s.’
Wow, you AR people for copybotting if they don’t answer you – XD. I am sure you are aware writing false AR’s is against the TOS? I would lol if someone now brings in alts, one by one, and AR’s you from each for harassment, stalking, and writing your false AR’s.
‘In all of this, I do know one thing, LL could prevent copy botting if they wanted to’
It is not possible to prevent without restricting the user’s ability to generate content and changing the way the client renders objects. SL would be unusable with the restrictions you want.
‘ and they could give land owners, yes we the ones that actually pay for your good time here, the tools we need to take care of our own sims .’
Oh please Mr Linden sir, make me more powerful because I spend money in your game.
‘IF LL would give their land owners better tools, they (LL) knows for sure whose alt is whose, without snooping, or gathering information, to ban and the option of banning the bannee’s alts,’
Here is the thing, LL cannot know who the alts are (for the people YOU are scared of). You have way too much faith!
‘these renegade systems would disappear from the landscape, from lack of interest.’
These tricksters will always be around while people are prepared to pay for something they have no idea on how to verify.
Of course it doesn’t matter they got ban wiped and the scripts are being removed. Perhaps before you waste your money again you should ask someone with at least a slither of intelligence to test what you cannot?
Astonished
Mar 16th, 2011
For those laughing @ People who May or may not have their passwords stolen, Shame on you, and May karma come bite you in the ass later.
It is Sad how all this rolled out, But I am happy the truth was finally brought to light, and if there are people who still Believe Redzone is still a good system, Please Still change your password, it will not be Linden labs Fault if your account is stolen.
I hope that the current Issues are Dealt with on a Legal Basis with KoM and Redzone, as LL has a right to Deal with their Residents on that Basis, No one should be scared to Log in Nor should anyone be given the right to Delete others accounts.
dead zone
Mar 16th, 2011
@ TUX [Of course it doesn't matter they got ban wiped and the scripts are being removed. Perhaps before you waste your money again you should ask someone with at least a slither of intelligence to test what you cannot?]
Just smiles, I have been in SL for over 7 years, indeed the Lindens do know whom your alts are, they have powers that can disable scripts in anything, see what is in your inventory, remove and or investigate each item, and the tools needed on their side with a little effort to remove Copy Bot.
(If in Phoenix-HELP:ABOUT PHOENIX VIEWER: you will see your computer described in living color)
As for IP addresses, very few have static addresses any longer, not saying they do not exist, but moving over to your nearest free wifi location is easy enough. His system was not based solely on IP matches which seems everyone thinks is gospel, there were several criteria.
The way RZ compiled info, was from several visits to different sims that had RedZone, you can not create a new alt, turn its media on, and slap it next to you and expect the system to catch it, in that way it gathered more than one instance of anomaly to make the match, which made it more accurate.
Sooooo before you insult my intelligence, please be sure you know what you’re talking about.
.
Tux
Mar 16th, 2011
@dead zone:
‘Just smiles, I have been in SL for over 7 years’
Lol, I love your type.
‘indeed the Lindens do know whom your alts are’
Unless, like some you use the same name, I assure you they do not!.
‘they have powers that can disable scripts in anything, see what is in your inventory, remove and or investigate each item’
Yes, this is obvious.
‘and the tools needed on their side with a little effort to remove Copy Bot.’
Now here is the thing, they cannot remove a local app. I guess you will refute this, but it is true. So without a complete rewrite of the way assets are sent to the client, and having a closed source client, there is really no way!
‘(If in Phoenix-HELP:ABOUT PHOENIX VIEWER: you will see your computer described in living color)’
Lol (again), do you even know how that is generated? Or in fact any of the data not displayed there? Or any of the extra data captured by Phoenix even? If you answer no to any of the above it’s probably best you don’t call me on it.
‘As for IP addresses, very few have static addresses any longer, not saying they do not exist, but moving over to your nearest free wifi location is easy enough.’
Wait while I pick up my PC and move it within range of my neighbour – XD.
‘His system was not based solely on IP matches which seems everyone thinks is gospel, there were several criteria.’
I didn’t say it was, however it was a major factor. Eliminating that failed the check.
‘The way RZ compiled info, was from several visits to different sims that had RedZone, you can not create a new alt, turn its media on, and slap it next to you and expect the system to catch it, in that way it gathered more than one instance of anomaly to make the match, which made it more accurate.’
See above ^
‘Sooooo before you insult my intelligence, please be sure you know what you’re talking about.’
I am unable to insult something which doesn’t exist. Also as zFire knows, I more than know a lot more than I am talking about ;oP
MoonGazer
Mar 17th, 2011
Innula – I was trying to make the point that some red zone users did not update to the versions that can do what 3 and 4 do. That’s all. Yet the green zoners do not differentiate, and invade everyone who uses any sort of redzone product indiscriminately
vin
Mar 17th, 2011
anyone who says ”he can’t be banned because the servers are outside second life” CLEARLY haven’t read the rules. LL can ban ANYONE for ANY reason possible if they want at ANY time. read the TOS and/or your agreement you made when making your second life account. idiots
Winter Tenebaum
Mar 18th, 2011
All I know is this…
With the use of Redzone I was able to stop copybotters from roaming my sim. I was able to get those pesky little turds who like to grief off my sim AND their alts. Bottom line here is this (and Ill keep it simple for some of you)…
I pay my tier. LL does not pay my tier for me. If I do not want someone on my sim on their main Account. WTH makes you think I want them on my land on their alts??? Still the same person behind that computer.
I live in a home with several SL users. Trust me… Redzone picked up all our accounts accurately.
It’s unfortunate that the system was “Hacked” Although I could go on for days about the griefers I BELIEVE were involved in the attack but with no proof I’ll keep my mouth shut!
Bottom Line : With the use of “Redzone” I didn’t have to deal with the sneakie, sneakies SL allows on their grids.
Without the use of “Redzone”, I now have to deal with all the sneakies, sneakies SL allows on their grids, on the land I PAY for.
Winter Tenebaum
Mar 18th, 2011
As a side… Lindens need to hear us. I don’t need to know who has an alt, or the names of alts. I would just like to keep the alts of the “banned for my own reasons” off my sim. Period.
Maybe LL should make a tool for this and incorporate it in their viewers as an option.
Just sayin…
Tux
Mar 18th, 2011
@Winter
‘With the use of Redzone I was able to stop copybotters from roaming my sim. I was able to get those pesky little turds who like to grief off my sim AND their alts.’
Actually you weren’t.
‘I pay my tier. . . ‘
That’s how they make money, I do the same. However, xFire would ban people for other reasons (like disproving its function for example). So businesses actually lost custom. But of course you can ban who you want, so long as it’s your choice.
‘I live in a home with several SL users. Trust me… Redzone picked up all our accounts accurately.’
I’m sure it did, in blind faith. Did you try any of the evasion techniques?
‘It’s unfortunate that the system was “Hacked”’
Inevitable.
‘Although I could go on for days about the griefers I BELIEVE were involved in the attack but with no proof I’ll keep my mouth shut!’
Mere gossip, zFire knows which IP’s, and I guess he will be checking against his RZ data for an account name. But he is banned, so coming into SL and bawing would identify his ban evading alt.
‘Bottom Line : With the use of “Redzone” I didn’t have to deal with the sneakie, sneakies SL allows on their grids.’
Because you didn’t know they were there.
‘Without the use of “Redzone”, I now have to deal with all the sneakies, sneakies SL allows on their grids, on the land I PAY for.’
Probably because you are still publicly voicing support for a cheat.
‘As a side… Lindens need to hear us.’
Wouldn’t it be lovely if the Lab listened for once?
‘ I don’t need to know who has an alt, or the names of alts. I would just like to keep the alts of the “banned for my own reasons” off my sim. Period.’
It would be easy for a parcel or estate ban to block normal alts. However, this would also get hacked and made public or worse . . . exploited.
‘Maybe LL should make a tool for this and incorporate it in their viewers as an option.’
Good idea, make the alt detection open source without the need for media. That would work!
While LL allow TPV’s and open source their viewer, there will never be a way to prevent this. So stop announcing yourself and enjoy your game. After all that’s all it is.
Nelson Jenkins
Mar 18th, 2011
@ Winter Tenebaum
With the use of Redzone I was able to stop copybotters from roaming my sim.
No, you weren’t. You were able to stop idiot copybotters who used non-cloaked viewers from roaming your sim, yes – not the professional ones who know what they’re doing, which is what you should be more concerned about.
That doesn’t even bring up the fact here that any copybotter that knew anything about RedZone (and I’d say 50% of SL as a whole at this point) knows that turning off media = avoiding RedZone. Simple as that.
I was able to get those pesky little turds who like to grief off my sim AND their alts.
Two things wrong with this statement: first, RedZone is not a griefer detection tool, so you would be the one that would kick them off the sim, not RedZone. Second, if they aren’t scanned (see above), they can get in anyways.
Bottom line here is this (and I’ll keep it simple for some of you)… I pay my tier. LL does not pay my tier for me. If I do not want someone on my sim on their main Account. WTH makes you think I want them on my land on their alts??? Still the same person behind that computer.
The whole “I pay my tier” argument is kind of irrelevant, but okay. You don’t. Big deal. I have absolutely ZERO qualms with banning peoples’ alts automagically.
HOWEVER, using a tool that has been renowned as an utter scam for copybotters, content creators, and even those that tried the demo to accomplish such feats is completely out of line, not to mention it does so using questionably-legal methods (certainly ones that are against SL’s Terms of Service).
I do not understand how you can attribute SL’s security to a man who has been convicted of computer fraud, was outed for distributing SL login information of his OWN CUSTOMERS, sells “how to beat the dealer” DVDs and pornography, all while keeping a straight face and continually lying to his customers and Linden Lab. There is ample proof that all of this occurred – you RedZone loyalists just either do not believe anything that goes against your beliefs (and are thus exceedingly stubborn to the point of your own demise) or you are just too busy whining about it to even bother checking.
I live in a home with several SL users. Trust me… Redzone picked up all our accounts accurately.
Two things wrong here:
1.) We have no idea what you mean by “Redzone picked up all our accounts accurately.” Does that mean that it glued them all together as alts (which would be the inevitable bug that zFire constantly claimed does not happen)? Does that mean that it correctly scanned your accounts and found their IP (which would deem your “test” meaningless, since this is the intended, unwanted, and easily avoidable result)?
2.) We have no idea how your home network is set up. Do you have separate IPs for each computer (thus conveniently avoiding the glaring IP correlation problem)? Are you behind a NAT (thus proving that your test was done incorrectly or just further proves our point, since all accounts would now be deemed as alts)?
It’s unfortunate that the system was “Hacked” Although I could go on for days about the griefers I BELIEVE were involved in the attack but with no proof I’ll keep my mouth shut!
This really is dependent on your definition of “hacked”. The whole system was technically “hacked” by zFire by means of an administrative control panel, where he added virtually all of the copybotters manually (most of whom are just GreenZone members) and essentially stole everyone’s geolocation data and SL login information without their consent or knowledge.
To say that this is not a hack but someone disabling this clearly illegal (not to mention insecure) system is a hack would be just foolish. This was not a black-hat hack. There was no harm done to innocent people. This was just a well-intentioned muckraker bringing zFire’s hidden reality to light. That’s not to say that muckrakers have not been condemned in the past – look at the whole processed meat fiasco a century or so ago (see Upton Sinclair’s The Jungle), or, more recently, look at the whole Emerald dramafest. Arabella condemned near every single person that went against Emerald’s history of criminal activity. Emerald users did the same. This is just a repeat of history – those that were hardcore RedZone users will fail to see the glaringly obvious truth, even after all is said and done, and continue to hold a grudge against the “hacker” that showed what zFire was really up to.
Bottom Line : With the use of “Redzone” I didn’t have to deal with the sneakie, sneakies SL allows on their grids. Without the use of “Redzone”, I now have to deal with all the sneakies, sneakies SL allows on their grids, on the land I PAY for.
What are these “sneakies” that you speak of? I find this pretty ironic myself, since when RedZone got banned the griefing in my city absolutely stopped. I used to have 6-8 sim crashes a day – now I have not seen a single griefer. See how unreliable testimonials are? A single person’s experience means nothing in the grand scheme of things. The only reason some people are experiencing more problems is because zFire has instructed his griefing ring to attack previous RedZone owners’ sims so they will whine to LL and cause even more of a problem. That’s it. Not only did you get scammed out of 4k, possibly got your SL login information stolen, datamined all of your visitors and customers without their knowledge (something a reputable content creator should NEVER DO), and got duped by a convicted computer criminal, that very same person you trusted with your sim’s security is now the one defiling it.
Absolutely pitiful.
As a side… Lindens need to hear us. I don’t need to know who has an alt, or the names of alts. I would just like to keep the alts of the “banned for my own reasons” off my sim. Period. Maybe LL should make a tool for this and incorporate it in their viewers as an option.
This has been in the works for a while now and will be far more accurate and legal than zFire’s “box of shit”.
Dubdubs
Mar 20th, 2011
@ dead zone:
So you report people for going AFK? Is that what you’re saying?
There’s a lot of awesome content creators on SL, but jesus, some of you guys are just downright paranoid loonies.
I for one will never shop or enter any sim you own since I’d rather my account didn’t get suspended in the event I have to get up and take a dump or something.
Zoned out « Second Life Shrink
Mar 22nd, 2011
[...] what’s been happening? Let’s see… The main action seems to have been the Redzone imbroglio (actually an old story, which came to a head this month for some reason). Playing on the [...]
not zFire
Mar 23rd, 2011
I store passwords from failed log in attempts for only the most innocent reasons. I distribute them to people for only noble causes. No wait!!!! That makes me an accessory to every crime that results from my lack of morals. Tough to prove, but try a jury of 12 average citizens. They will not view you well, regardless of fancy amoral logic. Kinda the same lame logic that lets a degenerate think you can sell an image of the IPAD spec for $699 on eBay. Justice is funny like that.
Winter Tenebaum
Mar 25th, 2011
@ Nelson Jenkins, Seriously, I never claimed to be tech Savvy. My only point was that Lindens should incorporate a system we can use on our sims that can keep banned individuals and their ALTS off our lands. Redzone (in as much as I could see) Did this for me. It’s unfortunate that Zfire didn’t turn out to be some stand up kind of guy with a great concept and upstanding morals. I’m pretty sure I stated it was unfortunate in my last post. Or, maybe you just do not know how to read for content… Seriously… If my tiny little blurb pissed you off so much that you had to write a freaking novel (which BTW I did not finish) then methinks instead of downloading the next SL viewer you might want to consider downloading a real life. There was no reason for YOU to be so critical with me. My statement was short and to the point that Redzone’s concept was awesome. Just would like a legal way of having the same program implemented in SL viewers. Even if it means it’s a service I pay for extra with my premium membership. And, as far as good ppl hacking a program to prove it was flawed… Hacking is hacking son. Still Illegal. And, I don’t find any of the several “Greenzone” members who took time out of their day to grief and harass me to be GOOD ppl. They actually were quite vulgar to me for no reason. I never spoke to them. They sent me messages which were all turned in to SL for vulgarity. IMO ZFIRE XUE, and certain members of greenzone are all bad ppl. I’m so happy your griefers have not bothered you. Mine however won’t go away. I mute, Ban, do everything I can. They keep coming back. These are ppl I don’t even know. From another wedding business. I’m so happy SL works for you. It’s wonderful!
dead zone
Mar 25th, 2011
Those that want to burn the RZ users at the stake need to remember one thing, we didn’t spend $3999 for chits and giggles, most did not even realize it named alts’ names, it was never advertised to, and we sure did not know Xue’s past history. I seriously doubt any of us question that when making purchases in SL.
We bought it because it could ban the alt of those we chose not to have on or around property we spend our hard earned cash on, or hours of labor creating. OR have caused problems in what we would like to keep as fun and enjoyable in SL.
There will always be a market for this type of system to provide for this need, unless LL steps up and gives the tools necessary to rid our Second Lives of griefers, copy botters, drama royalty, and just the regular idiot who thinks all land owners OWE him a great time at whatever cost including a griefer invasion if we don’t.
So if you want RZ systems out, beggggg LL to get them in place, because I know the next system that can even come close, I’ll be getting it as soon as it hits the grid.
Yep
Mar 25th, 2011
Most people who are bothered by a lot of griefers seem to invite being griefed. No, informing a store owner that you will not be buying from them because they use a device to spy on their customers, is not griefing. Report away. If you are stupid enough to pay 3999. to become part of the problem, then you get what is coming to you.
hacking, LL would not solve the problem without a slap upside the head to get them to pay attention. Breaking into bonehead’s database and exposing its harm is justified in this case. It slammed the Lindens’ heads up against the wall and forced them to take action.
Innula Zenovka
Mar 25th, 2011
@Winter Tenebaum (and others wanting LL to give us the facility to ban avatars and their alts)
I used to be in favour of this, but I’ve now got two serious reservations about the idea, having thought it through and discussed it with people more tech-savvy than I am.
First issue: at present, as I understand it, LL checks when I log in to make sure I’m not IP & MAC address banned, and then, if I’m not, that’s an end to it. And then, as I move round the grid, the sim checks to see if the sim’s public access or not, if it isn’t, am I allowed there, and if it is public access, am I banned.
I am just not sure how easy it would be, or what the resource implications would be, of having the sim make a whole new series of checks — what was my IP and MAC address at log-in and do they correspond with those of any other avatar who’s been banned from the sim? I suspect it would be quite a major undertaking.
Second Issue: LL’s IP and MAC bans are, in fact, apparently not that difficult to circumvent. From what I’ve read, it’s not trivial but it’s not particularly difficult, either. And what worries me is that if LL gives sim owners access to LL’s ultimate sanction — IP and MAC bans — for infractions that LL doesn’t think merit this, before too long, we’ll have bred, in-world, a new strain of super-griefer who can ignore such bans with impunity.
So by the time he or she does something LL thinks is worth a complete ban, it’ll be ineffective since the griefer (and all his friends) will doubtless already be taking all necessary steps to avoid it in order to grief particular sims. That really does worry me more than a bit.
Tarheel McCoy
Mar 25th, 2011
@Innula, the OSIRIS server does those checks before you connect to the grid when it’s easy to use a proxy server to bypass IP bans. MAC addresses can be spoofed regardless, but once you’re connected to the grid, proxies slow you way down or make it impossible to stay connected. So on connect, the proxies have to turn off and the connection to the grid itself has to be done without one.
All LL would have to do at that point is check to make sure the address you used when you logged in is the same one you used to connect to the grid. If they don’t match, bang. You’re gone.
Not sure what other criteria for testing they use, but you have at least a partial point.
Tux
Mar 25th, 2011
@Tarheel:
Proxies do not ‘slow you way down or make it impossible to stay connected’. Even on my connection of 1.5Mb I can proxy without a disconnect for days. I also use voice and media.
The rest of your post is therefore a fail.
As I continue to repeat, LL will never be able to prevent access unless they close the viewer source and completely redesign the validation process. Even then it will eventually be beaten.
Tarheel McCoy
Mar 25th, 2011
Not entirely, Tux. I just got you to admit in public that you have to hide your connection data by use of a proxy to keep from being permabanned.
I’d say that’s worth something.
God, you’re predictable.
Nelson Jenkins
Mar 27th, 2011
@ Tarheel McCoy
Not entirely, Tux. I just got you to admit in public that you have to hide your connection data by use of a proxy
Big fucking whoop.
to keep from being permabanned.
Now where, exactly, did he say he was avoiding a ban?
Hey, I’ve got this new product out, I think you should test it out, since you’re clearly my target customer:
http://www.thinkgeek.com/books/humor/8e6c/images/2070/
Tux
Mar 27th, 2011
@ Tarheel
‘Not entirely, Tux. I just got you to admit in public that you have to hide your connection data by use of a proxy to keep from being permabanned.’
Did I say that? Actually I have a static IP which is used all the time.
‘I’d say that’s worth something.’
Sure try selling the info, lol.
‘God, you’re predictable.’
Thanks, but Sir will suffice. God is quite a big title!
Tarheel McCoy
Mar 27th, 2011
So this isn’t your web site, then.
http://wiki.sl4.me/index.php/Patriotic_Nigras
Yep
Mar 27th, 2011
Tiger pounces FTW
Go getem Tiger
jaggedglass bumhole
Mar 27th, 2011
How stupid are you all going to get here? You’re like a couple of old duffers at a wedding celebration that have had too much to drink and have fallen out over something that happened a hundred years before when they were in their 40s.
A: put em up gwaaan (dances around like Muhammad Ali but with their fists doing weird circular motions like a grandad getting all het up and wanting a fight)
B: Hold me back, hold me back or I’ll have ‘im ! (dodging around doing the same rabbit punch motions, but nervous to go near the other guy)
EVERYONE ELSE: LMFAO