Unsecure Security - a link to your privacy

[Colby Firehawk]

There is a practice in SL that people should know about by which you may in part reveal your real IP address and thus some of your privacy. Here’s how it can happen. You click on something in world, it gives you a special web link, you open that in your browser. That's end of story.

By special web link, I mean something that usually has a bunch of nonsensical stuff at the end like “kIHFZXyfEtOrRdX3YQrFGqHxWBe9”. That’s usually something created just for your avatar. Once you click on something to get that, the moment you open it in your browser, you’ve ventured out into real life. It is VERY, VERY EASY for the operator of the website to associate your IP address with your avatar at that point.

Edit note: Reference examples removed.

[Alwin Alcott]

sure... of course... can we go to our daily things now?

clicking links always gives away our ip, nothing what you say is new, nor dangerous. Every nitwit has a counter on his blog/webpage to do this.

 

privacy on the web.... dream on ......

[KarenMichelle Lane]

You do realize that your IP address is NOT private and has never been meant to be private?

Each and every website or media content provider you visit from any PC [sL sessions as well], Laptop, Smart phone, Tablet, TV, Internet Radio, TCP/IP Enabled Refrigerator, Washing Machine, Thermostat, etc is offered the IP address assigned to you by your ISP.

It's kind of the way the Internet works.

Just reminding the paranoid out there.

The Risks: OMG, someone can identify what ISP you use. Yup, that is pretty much it. If you are lucky, then that means the targeted advertising for your TCP/IP toys can be focused on local stores and businesses.

Well there is the possibility of a terrorist hijacking the Samsung Refrigerator Support Web Server and programming your Refrigerator remotely to spoil all your food thus causing you to experience anxiety and a sour tummy when you eat the bacteria ladened contents....

P.S. You do realize that every SL DJ can see your Avatar Account IP address? When I'm DJing it's great because I can view a graph from my Relay Service provider that tells me how many people are listening and where in the world they are from. Now associating that IP address with YOU and your avatar account is a bit harder. But if you and 3 of your ALTs -or- all of your Sorority-mates are the only ones at my set when I look at the underlying data in the graph, I'm going to know..... 

P.S.S. [With some leg work you can find out quite a bit more in real life....] Really? Without being a valid investigative organization with a subpoena, any ISP that shares any details about the owner of a subscribers IP address is committing a felony in most states in the US.

P.S.S.S. That same said evil DJ or data phishing web site can in fact try to associate your IP address with your avatar account, but to what end? Any attempt to publish an avatar's account information or real life Information or ALTs associated with each other because of a related IP address is breaking the Second Life TOS.  A.R. the offender and move on.

[Innula Zenovka]

To be fair, knowledge of people's IP addresses can be used to attempt to identify -- whether accurately or not -- and publicise their alts, which many people find objectionable and is now against Community Standards (Section 4, Disclosure).

The question has to be, how much do you trust the person to whom you are revealing the information not to abuse it?   It's up to the individual to decide in each particular case.

[Madelaine McMasters]

I'm on Time Warner Cable, which assigns dynamic IP addresses that appear to persist for as long as the MAC address of the root device in your connected network (often a router) doesn't change. I tried the unplug/replug your cable modem/router suggestion to get a new IP address, but it never worked. I even unplugged everything before leaving on a one-week road trip. When I returned and plugged everything back in, I got back the same IP address I had when I left.

When I upgraded my router, I noticed that I'd received a new IP address upon powering everything up. Ever curious, I then reverted back to my old router, which was then given yet another new IP address. So I've found a way to loosen my cable modem's iron grip on IP addresses. Switch routers.

When I feel like getting a new IP address (because we nefarious can never be too cautious), I just swap cables between my primary and secondary wi-fi routers. My plans for world domination proceed apace.

[irihapeti]

---

Colby Firehawk wrote:

... Collecting this information in world is contrary to the Terms of Service ... 

Some years ago there was a scripting exploit to obtain your IP address if you clicked on something in world. SL moved swiftly to prevent this ...

... They and people they appoint can ban you at will (though that in itself may be against the ToS) ....

 

---

can understand that you a bit miffed that you a banlist but you write stuff which is not actual true

you want it to be true. but it just isnt

+

collecting information on visitors to your parcel is not contrary to ToS

+

there wasnt any exploit. LL never moved to prevent anything. LL actual enabled the ability for a web server to obtain your IP address, by clicking on stuff inworld

or even by not clicking on stuff. Just have to turn media on in the viewer  and you broadcasting your own IP address  to any scripted device that is listening

is not a exploit this. Is a design feature of SL inworld that LL specifically enabled to work exactly this way

+

banning people from your parcel is not against ToS. LL have specifically enabled this as well 

 

 

[Chaser Zaks]

As a software developer and networking protocol engineer, I can safely say by connecting to the internet your IP is revealed.

Here is the basic anatomy of network protocol:

(Image is released to public domain)

In this example though, it is my Lan IP. When it gets sent to my modem, it will replace the Source IP with my public IP address. But as long as anyone is connected to the internet, their IP address is visible to whom ever they connect to. Expecially on OSGrid, since it is user ran anyone can get anyone's IP address. It's no big deal. :3

In which case it is seemed that it is an elaberate ruse of me hiding behind my Lan IP, my public IP is 98.17.243.139.

[Qie Niangao]

---

irihapeti wrote:

there wasnt any exploit. LL never moved to prevent anything.

---

Right. It may be instructive to delve a little deeper into what actually happened.

First, an inconvenient bit of background: the guy running one particularly notorious alt-identification ring was a convicted real-life criminal, and the stuff he was doing in SL violated the terms of his parole. (Presumably this wasn't initially known to LL, but facts emerged as some third parties investigated.)

The Lab eventually responded (and it was anything but "swiftly"*) by deleting all instances of the alt-sharing product and terminating the perpetrator's account. At the same time, the SL terms of service were changed to specifically ban revealing the identity of alts, the public's objection to which was becoming a real business problem for the Lab.

Meanwhile a feature was developed for some third-party viewers by which users could choose to be prompted whether to enable any specific media connection. To this day, that has not been adopted in the Linden viewer (although I've heard that few users are still turning it on in TPVs, either).

There are some technical details that don't especially matter for the purposes of this thread, I suppose. Different media features are easier than others to use for reliably associating an avatar identity and an IP address. Similarly, to the original post, even non-media URLs may carry an obscured avatar ID as payload -- although it's generally not all that difficult to make the same association based on timing alone.

 

* It's possible they were working behind the scenes with RL law enforcement to collect evidence. That would never be made public.

[irihapeti]

it wasnt a exploit

 

all he (that guy) was doing was collecting information on possible alts and then sharing it. Which was not against ToS at the time to do. Alt accounts were not considered to be personal information at the time

 

all LL did was change the ToS to say that alt identities are now considered by LL to be personal information. So not shareable anymore unless by consent

 

+

 

that the guy was a actual RL convicted criminal (for other things) dont have anything to do with anything really

[Profaitchikenz Haiku]

Scott McNealy's "you have zero privacy, get over it" quote keeps coming back to haunt us, doesn't it? (He was CEO of Sun Microsystems at the time, the company which managed to insinuate Java into anything chippable). I know this isn't in the same ball-park as Dennett's assertion that free-will is an illusion, but online privacy is a sort of illusion, one that we get promised regularly, but what we get is not what we all expect it to be, it's what the provider can manage to deliver. 

So somebody knows your IP at a certain time? As mentioned above, DHCP leases mean that without the ISP records of who had what dotted quad at what time, it's not a reliable pointer to who is who. Trolls have been around for a long time, and are almost never outed without the cooperation of the ISP. As has already been mentioned above, somebody doing packet inspection can see your IP, a forum or web-page will get it and probably log it, you're giving it away all the time as a necessary part of being online.

 

[CassieMaia]

I suppose the potential for an IP address to be mis-used by a person up to no good might be slightly higher in SL than other web sites that obtain your IP address as part of the normal surfing the internet, but still...  it is not something that has me overly paranoid.

What I think could be the biggest security risk, especially for providing information to allow someone else to be able to link back to your RL or your alts, is one's own self - especially if you are in a relationship with someone else in SL.   Be careful with the details that you give out about your RL self and with the outside forms of communicating that you do with another SL avi (skype, etc). 

[KarenMichelle Lane]

---

Madelaine McMasters wrote:

I'm on Time Warner Cable, which assigns dynamic IP addresses that appear to persist for as long as the MAC address of the root device in your connected network (often a router) doesn't change. I tried the unplug/replug your cable modem/router suggestion to get a new IP address, but it never worked. I even unplugged everything before leaving on a one-week road trip. When I returned and plugged everything back in, I got back the same IP address I had when I left.

When I upgraded my router, I noticed that I'd received a new IP address upon powering everything up. Ever curious, I then reverted back to my old router, which was then given yet another new IP address. So I've found a way to loosen my cable modem's iron grip on IP addresses. Switch routers.

When I feel like getting a new IP address (because we nefarious can never be too cautious), I just swap cables between my primary and secondary wi-fi routers. My plans for world domination proceed apace.

---

You're a slippery rascal you are !

[KarenMichelle Lane]

---

Chaser Zaks wrote:

As a software developer and networking protocol engineer, I can safely say by connecting to the internet your IP is revealed.

Here is the basic anatomy of network protocol:

(Image is released to public domain)

In this example though, it is my Lan IP. When it gets sent to my modem, it will replace the Source IP with my public IP address. But as long as anyone is connected to the internet, their IP address is visible to whom ever they connect to. Expecially on OSGrid, since it is user ran anyone can get anyone's IP address. It's no big deal. :3

In which case it is seemed that it is an elaberate ruse of me hiding behind my Lan IP, my public IP is

98.17.243.139

.

---

I love it when you draw geek! Rawr.....

[Madelaine McMasters]

---

KarenMichelle Lane wrote:

You're a slippery rascal you are !

---

...blushes.

[Derek Torvalar]

---

Madelaine McMasters wrote:

---

KarenMichelle Lane wrote:

You're a slippery rascal you are !

---

...blushes.

---

Improbable.

[Profaitchikenz Haiku]

No, I'm probable

[Tolya Ugajin]

That's a lot easier than my way - I use multiple computers in homes and hotels all over the country.  Plus my phone.  Anyone thinking they have "my IP address"  will be sorely disappointed.

*hugs for Maddie*

[Tari Landar]

Time Warner doesn't seem to have the same policy everywhere. I get new IP addresses all the time, despite having only change, or updated my router once in the last couple of years(wasn't much need to do it before then, and only changed when the other finally crapped out on me). Unplugging and plugging it back in is one of the ways I can change my own IP, though it doesn't seem to work each and every time, it does happen most of the time. Of course the IP tends to be dead wrong on my location, even states(and occasionally even a country) away.  It is interesting to see how often it can, and does, actually change.  I actually had an issue with it during one of the projects I was working on some time back. Mostly it was due to the fact that some of the other participants in that project haven't a clue how IP adddresses really work, and why they change. I suppose that's neither here nor there, it was just more than mildly amusing to me at the time, since they were all programming students and professionals who should have been, at that point, well versed on the subject.

Not that it's really relevant to the topic at hand, just an interesting anecdote from someone else who uses the same ISP, lol.(although I do detest them, and hate the fact that they are my only choice where I currently live, thats probably also irrelevant to most people)

As for the OP.....

You haven't been on the internet very long, judging by your seeming fear of someone knowing your IP. You'd likely be shocked if you ever found out how easy it really is, and how often people get your IP simply from you being on the internet, somewhere, or how many people/companies actually have it.

I know, the internet is a scary place when we don't understand how it works, but tin foil hats only work for so long when we're adults, as in, at that point they typically should stop.  At some point, we have to educate ourselves if we really want to eliminate the fears we have, unfounded or otherwise. 

[Darrius Gothly]

A word on Time-Warner Cable Internet service:

Because they are a larger company, they have also had to deal with a lot more security issues with people either being hacked or thinking they've been hacked. As a result, they will *usually* be able to set your account for frequent IP Address updates. (Key phrase that sometimes works with them "I want to switch to a Dynamic IP Address")

However, like any big company, the people on the fringes (meaning customer service reps) seldom get to hear the details of what is and is not an "issue". You have to be calm, carefully explain what you want and why, and be persistent. You will get them to put you in touch with the right people, but it won't be a snap thing.

[HughJegow]

Tor

[Feldspar Millgrove]

---

KarenMichelle Lane wrote:

The Risks:

OMG, someone can identify what ISP you use. Yup, that is pretty much it.

---

Actually, you can often geolocate an IP address to within a few hundred feet.

(Depends on various factors. You can almost always identify the city; sometimes the house address.)

 

[Dante Tucker]

There is literally nothing LL can do about this while still providing the service you know as SL. Consider it a technical limitation.

You could use a VPN, but that would increase your chances of being detected as an alt of someone by a huge amount. (and your chances of getting banned by mistake) Or you could just not use the internet at all.

[KarenMichelle Lane]

---

Feldspar Millgrove wrote:

---

KarenMichelle Lane wrote:

The Risks:

OMG, someone can identify what ISP you use. Yup, that is pretty much it.

---

Actually, you can often geolocate an IP address to within a few hundred feet.

(Depends on various factors. You can almost always identify the city; sometimes the house address.)

 

---

Let's see, if you get an IP address from your ISP, then you can geolocate to their corporate satellite office servicing your address. That's it from the ISP's POV. Your IP address with your mailing address is NOT a public record.  ISPs are required by law in the US to not make this semi-private data publically accessible.

Mind you, Google Search can have the 2 associated with each other as a matter of your acceptance of their TOS and use of their services requiring your home address. Google, as much of a corporate giant that they are, does not disclose your IP address/home address pairings to anyone unless served with a subpoena.

If you have turned on geolocation for your cellphone you can pinpoint yourself within a few feet. This is done with many apps like Facebook and Google Maps. Your temporarily cellular service assigned IP address is not a part of this as it changes every few miles of travel.

If you have turned on geolocation for your cellphone and it's using your home wifi service you can still pinpoint yourself to a few feet. Your wifi assigned IP address will be your cellular phones IP address while it is in this mode. The same rules apply to all apps using your GPS data as when accessing your temporarily cellular service assigned IP address.

If you have an app on your cellphone that likes to publish your geolocation for the rest of the world to see then you have other issues. Generally these apps do NOT publish nor care about your cellular phones IP address since these are expected to change every few miles of travel.

Carry on with your paranoia everyone....

P.S. If you are afraid of anyone knowing your IP address, then unplug your PC from the Internet! Still want to use your cellphone, then turn off it's geolocation features.

I'll keep all my geolocation features on and use only well vetted apps to make my life much easier to navigate.

 

[irihapeti]

---

Feldspar Millgrove wrote:

(Depends on various factors. You can almost always identify the city; sometimes the house address.)

 

---

i am in Auckland NZ. If you find my house then come to the front door ok. and you can come in and I make you a coffee

dont go sneak round the back door or try peep the windows first. Specially at night ok

bc the neighbours have a pretty big dog. It thinks it owns our back yard. It will bite you. it bites everyone who goes at the back, in the dark

in the daytime it will stalk you and growl you first. Then it will bite you if you dont leave quicky enough for it

but the dog has worked out that it dont have to give any warning when is dark. So it just sneaks up quiet and noms on people. For a big dog he is pretty sneaky. he practices quite a lot. Like on cats and this gunnabe burglar one time

he nearly bite the police officer as well, who came to arrest the nevergunnabesuccessful burglar. bc the police officer never listen much to what I told him when he came either. He just said leave it to me and went round the back to where the burglar still was. bc dog

and the dog looked and he perk up. When he saw the police. So I had to run and get in the way. Or the police would of got nommed as well

so come to the front  door ok. will be safer for you

+

also

in SL I got my attached media player turned on pretty much all the time. So can easy get my dets off that no worries

 

[Madelaine McMasters]

I'm near Port Washington, Wisconsin. That's closer than my IP address will ever get you (Time Warner reports so many physical locations for my IP address you'd think I live in my car). If you can find me, you're also welcome, but come in the back door. The house key is in the lamp on the patio. I have no dog to bite you, my chili serves that purpose.