Redzone Security Breached – SL Passwords Compromised?

Is Redzone playing guessing games with 2200 customers’ SL passwords?

The firestorm of criticism surrounding the zf Redzone Second Life security system may be only the beginning of zFire Xue’s troubles. A shadowy group of Second Life hacktivists claim to have breached the Redzone server’s security, gaining access to the server database and discovering cleartext passwords for most Redzone customer accounts on the site.

As if storing raw Redzone customer passwords were not bad enough, there is apparently a second table that records the passwords from failed login attempts, in the hope that users will accidentally enter their Second Life account password. These failed passwords are conveniently displayed on the user profile page of the “Admin Overlord App” as “Possible SL PW(s)”.

In light of these revelations, the Herald strongly suggests that all zf Redzone customers change their Second Life account passwords immediately – and ask themselves why they would continue to run a product that attempts to guess their Second Life password.

Vnt21
Redzone User Data includes possible SL passwords stored in cleartext

Rumors that zf Redzone has been used in attempts to collect Second Life passwords recently gained significant metaverse mindshare as a YouTube video began making the rounds describing a web site that can predict player passwords based on failed login attempts.

It is widely believed that the video is from zFire Xue to Mariana Swashbuckler. Avril Korman reports that zFire Xue is part of a SL gang known as the “Mars Syndicate” which includes a member named Mariana – apparently the same Mariana to whom the video is addressed.

 

How did the hacktivists gain access to the Redzone security system’s secrets? According to several sources, the site fell to an SQL injection attack, in which carefully crafted URLs cause the site to hand over information from the database that was never intended for public viewing.

This is the same sort of attack that was used to breach the HBGary Federal site recently. We can only conclude that role-play security experts in both real life and Second Life have some difficulty with the basics of keeping their own sites secure. Perhaps they should not store sensitive data?
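The attack described above works because a value taken from the URL is pasted into the SQL text, so quote characters in it change the query itself. The following is an added example (not Redzone’s code, whose schema and queries are not on this page) that shows the vulnerable lookup beside the parameterized form, using an in-memory SQLite table with constructed sample users; the function and column names are assumptions for illustration. It also shows the response-handling point the article raises later, that raw database errors should never reach the page.

```python
import sqlite3

# Constructed sample data standing in for a site's user table
# (not the real Redzone schema, which this page does not show).
SAMPLE_USERS = [
    ("alice", "user"),
    ("bob", "user"),
    ("admin", "admin"),
]


def make_db():
    """Build an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """The pattern behind most injection bugs: the URL parameter is
    interpolated into the SQL text, so a quote in it ends the string
    literal and the rest of the input becomes part of the query."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened form: the driver sends the value separately from the SQL
    text, so whatever the string contains it can only ever match a name."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_safely(conn, name):
    """Keeps database errors out of the HTTP response. The article notes
    that SQL error messages were visible on the live site; such messages
    tell an attacker exactly which inputs reach the database and how the
    query is shaped. Log the detail server-side, return a generic message."""
    try:
        return {"ok": True, "names": lookup_parameterized(conn, name)}
    except sqlite3.Error:
        # In a real application: log the exception with request context here.
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input: closes the quote, adds a true clause
    print("vulnerable:", lookup_vulnerable(db, crafted))      # every row
    print("parameterized:", lookup_parameterized(db, crafted))  # no row
```

With the crafted input the vulnerable function returns every user in the table, while the parameterized one returns nothing because the whole string is compared against the name column as data. The same rule applies to every value that comes from the client: path segments, form fields and cookies, not only query-string parameters.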

Password compromises are not the only concern raised by the leak. It appears that zFire Xue can also manually add players to the Redzone copybotter list.

We can only hope that Mr. Xue does not abuse this power to persecute his critics.

Vrfrt
Admin Overlord App allows manual addition of “copybotters” and Account stats lookup

The amount of avatar and IP address information contained in the Redzone database is impressive – but not in a good way. According to those claiming responsibility for the leak, there are over 1.6 million unique IP addresses connected to various avatars in the database, along with geo-location tools to identify the real-life locations of Second Life players monitored by zf Redzone.

However, the hacktivists who accessed the Redzone database have not published its contents, so these claims will be hard to verify.

iIesN
zFire Xue protects his own “Possible SL PW” from view

The hacktivists behind the security breach went into significant detail about what they uncovered in this comment sent to the Herald early today:

screenshots having zfire's password viewing pages and others. certain sensitive info is removed. please save and repost the images before they get removed.

“Admin Overlord Ap” – http://i.imgur.com/Vrfrt.png

“Account Data” – passwords were stored using md5() hashes. a column was added later to keep the raw password to show to admins. after… the failedlogin table was added to store failed logins and show failed password choices to admins. probably used to steal SL accounts like in the video

zfire's “Account Data” page – http://i.imgur.com/iIesN.png ; random redzone owner “Account Data” page (to demonstrate that possibly all sl passwords are shown to admins) – http://i.imgur.com/Vnt21.png

other info: there are raw failedlogin passwords stored for 2200 users. there are raw user passwords stored for most with an isellsl and redzone account.

ips are not stored encrypted like the “frequently asked questions” say. there are 1670471 unique nonencrypted ips connected to avatars. there are geoip tables in the db for finding locations from ip….

maybe zfire plans to stalk people around the grid using his redzone things. This table is in the redzone db:

[tracking] index, detectedname, detecteduuid, location, date, ownername, owneruuid, objectname, objectuuid

4 other people in the server at once.. bad security.

i only want to confirm. not data or mess up his data or something stupid. i did not remove the db or mess it up. i can't, also won't leak the contents. maybe other people already got it though, from looking at sql errors and posts of passwords changed without them…

please remove tracking and failedlogin tables and pass2 column from users table. thank you.

please also read OWASP and fix page zfire. dont be a jerk!!
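The article above and the comment just quoted describe three password-handling failures: unsalted md5() hashes, a later column holding the raw password, and a failedlogin table that keeps whatever string a user mistyped. The following is an added example, not Redzone’s code and not the commenter’s, showing what the safe counterpart of each looks like in Python’s standard library: a per-user salt with PBKDF2, verification by constant-time comparison, and failed-login tracking that records counts only and never the submitted password. Class and method names are assumptions for illustration; the PBKDF2 iteration count is a constructed value, not a recommendation from the page.

```python
import hashlib
import hmac
import os


def md5_password(password):
    """Unsalted md5, the scheme the comment describes. Two users with the
    same password get the same digest, and the digest can be looked up in
    precomputed tables, so it offers little protection once the table leaks."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256. Returns 'salt_hex$iterations$digest_hex'
    so the parameters travel with the record and can be raised later."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Hash verified for unknown usernames so that a missing account is not
# distinguishable from a wrong password by response time (assumed design).
_DUMMY_HASH = hash_password("dummy")


class LoginService:
    """Hypothetical login back end. Failed logins are recorded as a counter
    per account; the submitted password itself is never written anywhere.
    A 'failedlogin' table like the one the comment describes would hold
    exactly the value a user mistyped, which is often a password for
    another site."""

    def __init__(self):
        self.users = {}    # name -> salted hash string (never the password)
        self.failed = {}   # name -> count of consecutive failed attempts

    def register(self, name, password):
        self.users[name] = hash_password(password)

    def login(self, name, password):
        stored = self.users.get(name, _DUMMY_HASH)
        ok = verify_password(password, stored) and name in self.users
        if ok:
            self.failed.pop(name, None)
            return True
        # Record that an attempt failed, and nothing about what was typed.
        self.failed[name] = self.failed.get(name, 0) + 1
        return False

    def failed_count(self, name):
        return self.failed.get(name, 0)


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse")
    svc.register("bob", "correct horse")
    print("same md5 for same password:", md5_password("correct horse") == md5_password("correct horse"))
    print("same PBKDF2 record for same password:", svc.users["alice"] == svc.users["bob"])
    print("login with wrong password:", svc.login("alice", "wrong"), "failed:", svc.failed_count("alice"))
    print("login with right password:", svc.login("alice", "correct horse"), "failed:", svc.failed_count("alice"))
```

The two users registered with the same password end up with different stored records because each has its own salt, which is precisely what an unsalted md5 column lacks. The failure counter is enough to drive lockout or alerting; storing the attempted string adds nothing a defender needs.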

As of this writing, evidence that something is seriously amiss with the isellsl.cx Redzone site persists, as SQL error messages are displayed on several pages. Attempts to contact zFire Xue for comment have been met with silence – it seems likely he is busy inspecting his database and applications for leaks and damage.

Given the level of access the hacktivists seem to have to his system, the Herald suggests Mr. Xue take the advice we gave his customers and change his passwords – then ask himself why he would continue to run Redzone.

forums
a general error on the isellsl.cx MadScientist forums
ideaorganizer
idea organizer now disorganized
neighborhoodwatch
the neighborhood watch throws errors
Posted in Featured, Hacktivism, Mafias, Gangs and Virtual Governments, News, News from Second Life

Steve — Post 6 Adonis DNA Tigerblood Boil

[I was standing in my studio when one of the most repulsive avatars I have ever seen skittered in on little malformed legs. I immediately recognized the oversized and overbearing head, with its uncanny resemblance to Charlie Sheen’s Id, as belonging to the boil that had recently afflicted Herald writer Jimbo Quality. I had no intention of allowing it to be a Post 6 model, even after two beautiful twins dressed in Green Lantern costumes followed him in, but his argument that Post 6 had never featured a talking skin affliction, combined with his threats to attach himself to me, won me over. Also, for the record, he likes to be called Steve. ~Timothy Morpork]

Jimbos Boil Final1

When I was a mere irritated follicle and Robert Downey was arrested with a hooker in a Wonder Woman costume, I knew I would one day top that. Here I am, two hot Green Lantern chicks later, winning. What do you expect? I have Adonis DNA.

It’s only right that I be here. I’ve got magic. I’ve got poetry at my fingertips. Look at these sad trolls waving up at me in my jet powered F-18 of life, soaring over you like an eagle over a turd. I am going to win every moment because I have tigerblood.

Jimbos Boil Final2

I know, I can’t help but be excellent, born as I was on the magnificent glutes of a legend, and after all the balm that Jimbo applied to me, people think I’m on drugs, that this isn’t real. Well let me tell you, I am on a drug, it’s called Steve, and if you tried it, it would melt your face and make your children weep. This is not some cheap sideshow, it’s grandiose- I’m grandiose, I live a grandiose life. I am a rockstar from the planet Mars. It’s called winning, sorry.

Jimbos Boil Final3

And it doesn’t stop here. Post 6 will be my launching pad. Already I have grown from an irritation on a hair follicle to a pimple to a boil to a carbuncle to a sentient creature to a walking talking rock and rolling warlock that’s playing with the house money. The run I was on made Sinatra, Flynn, Jagger and Richards look like droopy-eyed armless children. Change the channel, I dare you, you can’t, you need to see what Steve the Boil will do next, you want to watch me win.

I’m done. It’s on. Bring it.

Posted in Featured, News, Sex, Cybersex and Beyond

Second Life Story in HBO Documentary this Valentine’s Day

As you may have already heard, HBO will be showing a documentary called When Strangers Click: Five Stories from the Internet on February 14 (Valentine’s Day). The film is the work of Robert Kenner (the Oscar®-nominated director of the documentary Food, Inc.), and it presents several stories of people finding love online. One of the segments of the film is a great Second Life love story: a talented musician happened to meet a woman at an inworld performance, and as a result, both of their lives have changed significantly.

Posted in News

Improving our Lines of Communication with the Community

As customers, your satisfaction and input is critical to the success of Second Life. However, we know that it has sometimes been confusing and difficult to communicate with us and we can always do a better job of listening. Toward that end, we’ve taken a hard look at all of our Resident-Linden communication paths and designed, or revamped, a series of new programs and tools to help us all have a more productive dialogue. Our goal is not only to listen and acknowledge your feedback and ideas, but also to work more collaboratively to help build a better Second Life experience for the common good.

Posted in News

A New Community Platform Coming March 2nd

I wanted to give you an update on several important new Customer and Community Support initiatives currently underway. We have recently added significant resources, of both people and technology, to improve your experience with both Customer Support and community interaction and communication.

Posted in News

Blogs, Forums, and SL Answers in Read-Only Mode Until March 2nd

As I mentioned last week, today the Second Life Forums, Blogs, Knowledge Base and SL Answers are now temporarily in read-only mode. This means that everything housed within the http://blogs.secondlife.com site is available for you to read, but you cannot post comments or contribute content until we launch our new community platform (http://community.secondlife.com) on March 2nd.

Posted in News

The Hand What Taketh

by Pappy Enoch, Philanthropist

Rob4food 001

My enormus fan klub at the Herald will know that I gits me a heap o’ mail thru them-there Internet-tubes.

I done writ about this befo’ but I reckon it are too good to omit when it happens again. In fact, I done got this-hear same letter a year ago from a different dyin’ gal.

I gits me one o’ these-here “please-help-me-cause-I-are-falling-to-pieces-from-cancer-and-my-husband/son/dawg/boyfriend/chikkin-left-me-a-bazillion-bucks-in-Kenya-but-I cain’t-git-it-so-give-me-your-bank-account-please” letters.

Whew. I been a-tryin’ to help these po’ sufferin’ folks for years but they ain’t bit, yet.

Here am the latest attempt to help.


Dear Miz David,

You done writ to me about the horrible-terrible situation what done befell yo’ famberly.

Now I are just a poor, lonesum, woebegone feller who done landed in The Big House (what am called “prison” in the United States) but I done beat that-there rap and am a free man.

I gots me a bank account so’s I reckon I kin help you out sum.

You done said:

our only son died in a ghastly motor accident last year 2010.
I have been battling with both lung cancer and stroke.

Oh my gawd that am awful-terrible. I done lost folks thataway, as well as in explodin’ stills, manglin’ by junkyard dawgs, shootin’ dead by my sister Jezz, alien protology experiments, and Bigfoot-rape.

My late husband deposited the sum of (2.800.000.00 Dollas) Two Million Eight Hundred Thousand Dollas with a Bank here in Cote d’Ivoire and my name as beneficiary of the funds.

Do tell.

After his death I decided not to remarry or get a child outside my matrimonial home.

That am rite smart. I don’t believe in marryin’ at all, if’n I kin help it, or gettin’ no chirren inside o’ no home. The woods am better or behind the smoke-house for knockin’ up sum gal.

According to the doctor, my medical report shows a have very short life sperm due to my health status presently.

Ain’t you a gal? Why in Gawd’s name am you a-talkin’ about sperm? Maybe the cancer done mutated you into sum’fin shemale, but that am beside the point. We needs to talk about that-there 2.8 million.

Maybe I may still have another 1-3 months to live, that I do not know but God can say. That is just my faith as a deteriorating cancer patient.

That are a-startin’ to sound like a country song and I are all ears.

Knowing my health condition I decided to donate the above mentioned funds to an individual Muslim/Christian or any faith

Hoo whee. I are part o’ the First Church o’ the Bleedin’ Heart of Snake-Handlin’ Jesus H. Christ on a Crutch, so I reckons that will do. If’n you wants me to turn Muslim, howsoever, I will do it. Where do I sign up?

The Bible/Qur’an made us to understand that blessed is the hand that giveth.

That am rite original. My Pappy, Pappy-Pappy Enoch, done telled me “boy, that-there hand what taketh are mo’ blessed still.”  I done lived by that-there wisdom ever since.

I took this decision because our only son who is suppose to inherit this money and properties is also late

Well, he’ll show up then and don’t worry yo’ poor cancer-eaten heart none. Heck, I are always late.

Ma’am, I plans to watch over that there 2.8 million tighter’n a tick on a cow’s belly till that son o’ yours gits home.

You just git me your bank account number with them 2.8 million in there and I will do the rest. If’n you needs some killin’ done, or just kneecap breakin’ done, my sister Jezz am first-rate muscle for them jobs.

We will be to Coat Divorce or wherever the hell you lives in no time flat, if’n we kin git there by pickup truck.

Yours in God,

Pappy Enoch, Recently Reformed Sinner

Posted in Featured, New Media, News, News You Can Abuse, Scammers, Griefers and Goons

zFire Xue Interview: RedZone is not Spyware

RedZone protects users from 77283 people they have banned plus their alts

The zF RedZone security scanner scandal continues to churn, creating what seems to be a nearly unstoppable epic thread in the SL Universe forums, which has grown to over 320 pages (8100 posts) as of this writing. At the heart of the controversy is zFire Xue – the creator of RedZone.

Mr. Xue was gracious enough to consent to an e-mail interview with the Herald. In the interview zFire Xue discussed the variability of Linden Lab’s ToS conditions, his dealings with Patsey and Soft Linden, and his plans for the future.

rz 1
zFire Xue’s Second Life storefront

Pixeleen Mistral: I understand that Linden Lab has removed your zf RedZone from in-world and also removed this product from the Marketplace. Will you be able to meet Linden Lab’s conditions for reinstating this product?
zFire Xue: Yes Patsey Linden has removed the zF RedZone from the Market 2 times, and from inworld 1 or 2 times. zF RedZone has been removed from the Marketplace a total of 4 times, recently one of those was even by myself. It is back in world, and I am debating on posting to the market, as an issue of paying Linden Labs any fees related to zF RedZone for their assistance.

I have always met Linden Lab’s conditions for keeping zF RedZone llLegal(‘If I may add a joke here’);

Pixeleen Mistral: Has Linden Lab changed the conditions under which you are able to sell the RedZone product? How long have you been negotiating with the Lab on this issue?
zFire Xue: Yes Linden Labs has changed a few conditions. Soft Linden has been in contact with me since 2-9-11. We have spoken about the political issues of zF RedZone and how people interpret policy. Soft Linden came up with the idea of a Consent based system. Of course I was not keen on the idea of limiting information in this way, but a type of “background check” system could still work, just not so well for helping stop contest cheaters in clubs.

Eventually it was “Oh, hey, we removed X, Y, and zF RedZone from the marketplace, you may relist it but you have to add a consent system for displaying alt names, and include an Opt-Out system by Friday.” (paraphrased) and “we will be ******** the Second Life Community Standards to prohibit disclosure of Residents’ alternate account names without their consent.” (I added a few **** and the word “to” so it protects the grammar of the unnamed Linden and isn’t “disclosing a conversation log”. )

So I did that, which upset thousands of people. Not my idea at all.

Then some days later Patsy Linden said displaying alt names at all was forbidden, even with consent.
So all alt name display functions were removed.

Then zF RedZone was delisted by the Lindens because of the Consent system the lindens thought of.

Now using a Consent system is forbidden.

I went off on them for that. It was their idea in the first place, I even asked them to look it over, and further explain the finer points of their requirements. No response. Days later Consent is forbidden.
So I just removed all that, and let everyone know I never offered Alt name displays even if that is one of the functions I included, and enjoyed. I posted a notice here: http://isellsl.ath.cx/madsci/forum/viewtopic.php?f=8&t=561

Explaining just as before http://isellsl.ath.cx/madsci/forum/viewtopic.php?f=8&t=490 That zF RedZone changed yet again to adapt to the ever changing SecondLife™ Terms of Service, but all functions continue to operate as normal, but without displaying alt names. In short it still bans alts of people you do not want, does everything the advertisement says, and a bit more.

Pixeleen Mistral: If you and Linden Lab cannot come to an agreement soon, do you plan to move to an outside-of-SL approach for RedZone using paypal and user-installable scripts?

zFire Xue: I had publicly said that I could move RedZone outside of Second Life if Linden Labs wishes it to leave Second Life. To go to a stand alone website, Open-Space, and others, to a paypal paid membership system that hosts no objects in any world. The problem with that is then it becomes nothing but an alt display gadget, and my existing users would not be safe from 77283 people they have banned plus their alts. (Those are private individual bans not grid bans by the way. ) Many of my own users have asked me to go off world with it, etc. Linden Labs knows that if alts cannot be displayed even with consent by RedZone, many many others will take its place and do so.

Thanks to the hospitality of the Lindens I am willing to sit back and let that happen. So Linden Labs can hear from thousands of other complaints, but about someone else for a change. This is me allowing a bigger fire to burn elsewhere so the angry mob can go deal with that and I can get back to my own updates in security.

Pixeleen Mistral: Do you have any concerns about the RedZone database being compromised with suspect data if you moved to a user-installable script business model?
zFire Xue: Yes there is an issue with a user installable script business model, which would prevent entirely full perm scripts from being available. They would have to be no mod to protect the methods that ensure the data packet is in sync with valid data sent from the unit itself. It is possible to transmit no mod scripts, or even objects for that matter, but for now that isn’t necessary.

Pixeleen Mistral: Is there anything you would like to tell the Herald readers?
zFire Xue: I would like to thank all of your readers, I would like to invite them to read and understand what zF RedZone is and is not.

As most people know Linden Labs is very slow to deal with Abuse Reports or DMCAs for the few they deal with at all.

The only viewer Linden Labs has blocked is Emerald, which still logs in to SL in some cases.
If you have a griefer or copybot threat zF RedZone is more effective at catching and banning copybot viewers, griefers, stalkers, and the alts they use than Linden Labs itself. Without it, try banning someone, and they will be back with an alternate account.

The bad guys do have new copybot viewers every so often, or other methods to steal, but zF RedZone catches these viewers in time, and the alts of these people, unlike Linden Labs which only sometimes bans or suspends individual accounts, but never stopped a single copybot viewer from logging into the grid.

zF RedZone is not spyware, it does not install anything or record anything that is not public information.
It does use intelligence to calculate things for security purposes. There are no script functions for keylogging or voice media controls as the other side of the debate will have you believe.
Please visit http://isellsl.ath.cx/rzfaq.php for answers to more questions.

Best Regards,
zFire Xue =)

Posted in Featured, Gossip and Drama, News, News from Second Life

Justanother Oompa

[Every so often a gaggle of friends and I head out onto the grid to see what's new, get a dose of "Hooooooo's" at a club, and generally have a good time. On one recent sojourn we met Justa, one of the more clever conversationalists I've met on the grid and possessor of several great avatars he made himself. I asked him if he'd do Post 6, and was very happy he agreed. I should add that in my group I was not the only one to be impressed with Justa, as he has subsequently become the boyfriend of one of my best SL friends and I wish them both the best! It is a pleasure and an honor to introduce Justanother Oompa, Post 6 Guy. ~Timothy Morpork]

Justanother Oompa

Hi Alphaville Herald Readers,

My name is Justanother. You can call me Ray, or Mr. Oompa.

In real life I’m the CEO of a computer network security firm and I’ve come to Second Life to infiltrate Anonymous and show off my skills. I decided to pose for Post 6 because I had reliable information that Morpork was the head of Anonymous, and when that proved to be a false lead, I decided to pose anyhow because I know how hot I am and that you all probably want to see my penis. Please excuse the scars and bruises on my face, I’ve been pretty beat up by Anonymous over the past month or so.

Actually, none of that is true. I’m really a graduate student at the University of Notre Dame doing my doctoral thesis on how virtual women played by women differ from virtual women played by men. My project is not doing well as I’m having trouble finding virtual women played by men, as all the women I meet here swear that they are women IRL.

My girlfriend, GiantRack420 assures me that they are out there, so we hang out at sex clubs a lot. Sex clubs can be pretty rough and occasionally I get beat up, which explains my sorry looks. GiantRack420 said that showing everyone my bits here in the Herald would bring out the fake women in droves.

Justanother Oompa

My hobbies here include going to all the fairs and festivals- I especially like the ones that are so laggy you can’t move and nothing rezzes, and going to the really popular stores and buying all the same skins and hair and clothes and stuff that everyone else has so we all look alike. Oh, I also like leaving shitty comments about other people on blogs so they feel bad about themselves in real life. I mean what else are games for if not to be a dick and hurt other people’s feelings?

I like building stuff and impressing newbies with it so they’ll have pixel sex with me, then publishing the photos of it on the internet. I also like exploiting the IP address fetch in streaming media and using it to freak people out and make them mistrust this place. Innocent statements like “Oh! I see you’re logged on from Indiana, how’s your weather?” really get people flummoxed. Nothing makes my day complete like ruining someone else’s.

Of course, that’s not true either. I’m really a lonely housewife in Iowa who is one of the dozen or so people that actually play Second Life. I have approximately 4,322,687 alts and this is my 378th time posing for Post 6. As I already know because I play all of the writers and readers of this blog, this will be one of my best Post 6’s ever and all the comments I leave for myself will be positive. My avatar is beat up because it was my first night at Fight Club last night. No, I mean I fell off my bike riding to the photoshoot.

Justanother Oompa

In truth, my real story isn’t interesting or any of your business, which is what makes these virtual worlds so much fun. I’ve poked around in a lot of them and still like Second Life the best, in spite of, and probably because of, all the drama and angst that gets stirred up from time to time.

I do worry about this place because I worry about our future as a species and a culture. Some people in SL really can be such dicks, and many people online have lost that ability to be civil, which seems to be leaking out into face to face life too. There have always been assholes, but sometimes I read the blogs and comments from online games and become afraid that we’re breeding them here.

So go forth and be nice to someone. Tell ‘em Ray sent ya.

Posted in Featured, News, Sex, Cybersex and Beyond

The Second Life Economy in Q4 2010

2010 ended on a positive note for the Second Life economy, with several key measures growing while others remained stable as compared to Q3 numbers.

Total money supply, LindeX volume, and web merchandise sales volume were all up between 6% and 8%, indicating growth in economic activity. Also, the L$ rebounded strongly from Q3, appreciating 3.7% quarter to quarter.

When comparing 2009 to 2010 measures, average monthly repeat log-ins were up 8%, average monthly economic participants were up 4.3%, annual web merchandise sales volume was up 104%, and the world size grew by 5.8%.

For a definition of the metrics in this post, please see this wiki page. Click on each image below to see a larger version.

AVERAGE MONTHLY REPEAT LOGINS

Repeat logins gained 1% this quarter. Average monthly repeat logins in 2010 rose 8% over the 2009 average.

average monthly repeat logins.jpg

USER HOURS

User hours were flat this quarter, appearing to stabilize after a gradual decline in the prior four quarters. Total user hours in 2010 fell 10% from 2009.

user hours.jpg

AVERAGE MONTHLY ECONOMIC PARTICIPANTS

Economic participants were flat in Q4, remaining in the historical five-quarter range. Year over year, the 2010 average of monthly economic participants was up 4% from 2009’s average.

average monthly economic participants.jpg

AVERAGE EXCHANGE RATE

Increasing demand and falling supply on the LindeX caused a 3.7% appreciation in the value of the L$ in Q4.* The average L$ value in 2010 was within 1% of the average value in 2009.

average exchange rate.jpg

*Note that the exchange rate is expressed in L$/USD, meaning larger numbers represent a lower L$ value and smaller numbers represent a higher L$ value. The average rate is calculated by dividing the total L$ exchanged through the LindeX by the total US$ exchanged through the LindeX in the quarter.

L$ SUPPLY

Money supply grew significantly in Q4 to US$28.4m worth of L$, 8% over Q3. The year end money supply in 2010 was 11.9% over 2009.

L$ supply.jpg

LINDEX VOLUME

Mirroring money supply growth, volume on the LindeX grew 8% in Q4, nearing the top end of the historical five-quarter range. Total LindeX volume in 2010 was nearly US$119m, 2.8% over 2009. This means that an additional US$4m traded hands on the LindeX in 2010.

Lindex volume.jpg

WEB MERCHANDISE SALES VOLUME

Driven by greater merchant adoption and improved shopping features, web merchandise sales volume grew 5.8% in Q4. 2010 web sales volume was up 104% relative to 2009.

web merchandise sales volume.jpg

WORLD SIZE

World size remained flat in Q4; 2010 year end world size was up 5.8% relative to 2009. Today, Second Life’s virtual land mass would be roughly twice the size of Hong Kong.

world size.jpg

Posted in News