Messages In Second Life Can Be Seen By 3rd-Parties In Travel

[AlexLovesHearts]

Hello Everyone,

I just checked, and messages you send in SL are sent across the internet as plain-text. I think this a huge privacy concern and should be dealt with as soon as possible.

What does this mean for you?

Well, you should just be very careful about what you share online. To reach a destination, messages on the internet pass through many checkpoints.

For example, if you are playing SL on a Windows laptop, the message will go from your viewer, to your network adapter.

Between these two checkpoints, any program on your computer has the opportunity to pick up plain-text in a message.
The message will go from your network adapter, through the air to your router. (WiFi connections are encrypted thankfully, but if someone is spying on you, and can decrypt your WiFi connection then you're out of luck.)

If you're playing SL from a public location, please be wary of two situations. 1) Someone with bad intentions could have a computer pretending to be a wireless hotspot and be routing everyones' data through his computer (man in the middle attack); or could just be monitoring messages being sent through the air. 2) The public access point may have the ability to log all messages being sent through it.

From your router, the message will reach your Internet Service Provider (ISP). They may also log messages being sent and received. From your ISP, the message will be passed around by numerous routers that connect the internet together until they reach Second Life Servers. From the Second Life Servers, the message then makes its way to the person's computer you sent the message to, using the same steps that were taken from your computer, to Second Life's Servers.

What Does This Mean For You TL;DR; :
Someone who is recording peoples' internet connections might see your messages in his/her "bounty of snooped stuff" because Second Life does not encrypt (temporary change into giberish) messages while they are in transport.


Some things to Consider:

Since messages in SL are un-encrypted, be sure to never give out personally-identifiable information any more specific than what your IP address can give out, for your own safety. To see what information your IP gives out about you, visit an IP look-up website, or type in "my ip" into a search engine such as DDG. https://duckduckgo.com/?q=my+ip&t=ffsb&ia=answer

I am aware that encrypting and decrypting messages uses some processing power, but all I'm suggesting is for some custom weak encryption to be implemented as to close the door to any general information snoopers. (Someone dedicating to snooping on SL communications would be difficult if not impossible to prevent.) But something is definitely better than nothing, even if the encryption protocol must be open source for viewers.

Research:
Community KB Article also notes that chat is not encrypted:
https://community.secondlife.com/t5/English-Knowledge-Base/Text-chat-and-instant-messages/ta-p/700155#Section_.1.1
"Note: Text chat and instant messages are not encrypted."

Other Things I Did:
-Submitted a suggestion for messages to be encrypted.

I hope there are others that share my views on the matter. I don't mean to instill fear into people, but these are just possibilities that can be easily prevented.

Sincerely,

-Alexloveshearts

[Ivanova Shostakovich]

Fortunately, when I and my cohorts discuss our plans for taking over the world, we don't use the SL messaging system.

[Sassy Romano]

Some TPV's used to have end to end encryption but LL banned it as the LL viewer didn't have it and thus it didn't meet the shared experience.

I think LL understand "shared" to mean giving everyone everything, including governments who have no claim to it.

(It might have been removed for a different reason, I forget but whatever, LL have NO interest or best practice approach to security with regard to their customers - period!)

Create a JIRA for the feature request, they can't ignore it properly until you ask for it.

[Prokofy Neva]

Guess what. I don't care. And I don't care because I'm one of those goofs who says they have "nothing to hide" -- although I don't and everything I think and do in RL is on my SL blog let along my notes inworld.

I don't care because of what your actual agenda is here: to demand encryption of LL. And I refuse to demand that of them because then LL cannot police communications which I'm happy they do.

And they need to do that to fight child pornography, drug trafficking, real-life hacking and violent anarchist movements and of course copybotting rackets. And that's a good thing, and God bless them to the extent that they do that, and not look the other way as some of their employees engage in some of these criminal activities which is a problem (one cleaned up more than usual under the current management).

I'll tell you a story that will be in the updated version of my book. Oh, actually I won't because I don't want to be "reprimanded" or harassed over this true story or banned from the forums. So I'll put it on my blog.

The reality is, you are trying to spook people into privacy fears only with the crypto-anarchist agenda and I'm definitely not interested in having you win there.

If the NSA is snooping in SL -- and there are Naval and other USG presences here and it's not beyond reason -- they pursue legitimate targets, suspects of crimes (not "all of us" as Snowden, a fugitive to Putin's Russia, falsely claims). So good. Let them snoop, and let Ebbe help them in that endeavour of a liberal democratic state that would like the rule of law and not the rule of hackers.

If some jealous spouse is going to hack her hubby who appears as a girl on SL or some other variation and lose them their RL job, that's awful, but see your lawyer for that problem, not your encryptionist.

The biggest privacy disruption in SL does not come from the government or third-parties you refuse to speculate about but other avatars who copy your chat and blow you into LL and get you banned. It doesn't even come from people like me who live in one-party New York State and by law can publish any phone conversation they like, and in my case, as a deterrence to abuse. 

So your panic-mongering here is misplaced, move along and take it to Facebook.

[Sassy Romano]

Well on the other hand, your response is ill conceived and lacks technical merit.  I've not looked at the data but there's no reason to prevent secure transport of messages from SL client to servers and onwards to clients.  LL would still have MITM capability to intercept and log, just that there's no reason to NOT have clear text messages from the SL client on the local network or anywhere in between other than in the SL client to SL server environment.

Is that something you don't understand because if it is, i'll be happy to explain further?

I won't even begin to dispel the "nothing to hide" argument or "for the sake of the children/criminals/etc." that's a very VERY naive stance but lets just stick to how things *should* be...

I do however agree with you though that there are other actors to be more concerned about than random 3rd parties, that said, governments have no right to invade privacy of law abiding citizens - EVER!

 

[Amethyst Jetaime]

Never say or do anything on the internet that you don't want the world to know.  No matter how private you think something is, it may come back to bite you years from now because once it's out there it's there forever.

[Prokofy Neva]

 No, dear, I'm fine, I don't need "explanations" which are packages of pre-set geek ideology devoid of common sense and practical business.

You're also barking at the wrong tree. I'm not the one that said LL COULD NOT have encryption, I'm the one who said they SHOULD NOT. The previous poster said they SHOULD. Sure they COULD and they choose not to, and I support that because I don't want to live a pixel life filled with pixel terrorists like real life now filled with real terrorists spawned by Edward Snowden's Excellent Adventure, no thank you.

Nothing naive about concerns about terrorism. I like my legs attached to my body. People in Boston and Paris now know what it's like not to have that blessing. 

Of course governments should have the right to invade privacy for reasons of pursuit of criminals and terrorists. That you thikn they shouldn't have this is part of your EXTREME sectarian tekkie view and isn't part of real life in the real world. Unfortunately, your notion that "law-abiders" should somehow be exempt of metadata scans -- Snowden's premise -- is without merit because it is no different than seeing an open telephone book of the old school with everyone's telephone numbers in it. On their way to scanning for criminals, the NSA has to machine-scan your junk. It does not expose that data; it does not harm you with that mechanical scan. That's why all the Snowden thing is so fake. 

Call me when there's a real COINTELPRO case like the 1960s where the FBI ruined lives when scanning. Snowden -- and you -- don't have such cases now. So the government in the interests of public safety needs to scan at the airport and scan email headers and act accordingly on suspicious patterns.

 

Ebbe, at his microcosm, understands perfectly well that he has to run this love boat with some built-in capacity for scanning on demand so that he can prevent child pornography and other criminal activity that will get his overall platform suspended. And all that's a good thing and this hysteria about clear text and encryption is a contrived hysteria with an ulterior agenda inconsistent with a liberal democratic society.

[Sassy Romano]

Same tired statements typical from the brainwashed masses.

No problem though, because you clearly don't understand the details, there's no point trying to explain why you're horribly wrong and accept the support of privacy invasion.

 

Please send me all your private bank account details and CC me in all your private email, you have nothing to hide, you've already started such.

 

 

[KarenMichelle Lane]

Alex,

You have an interesting post but that said you've made some assertions that are not exactly correct as well;

In general, yes anyone who values privacy should not be using any public access PC to access SecondLife. The reasons are clear. That PC can have any number of non-obvious keystroke capture programs installed on it that send your closest held thoughts [and passwords] off to parts [PCs] unknown.

As for SL Chat text and IM's not being encrypted, that seems to be incorrect with the current SecondLife Viewer.

End-to-End Encryption, which the old Phoenix Viewer used to have, had an encryption module in the Viewer that allowed you to encrypt your chats prior to them being transmitted through the TCP or UDP packets over the Internet where they were then de-encrypted and presented in-world to your secret party. Even then Linden Lab could capture this [encrypted] chat for their logging needs because the message needed to use one of the LL supplied functions to say it to them. [Anecdote: It was always fun to receive a string of gibberish because we didn't have our chat encryption/decryption option turned on. But once it was, the message was displayed and captured into SL's chat logs]. I don;t remember if the SHA hash was generating a random key but if it was, then even LL would not be able to read the chat text beyond the gibberish.

OK, moving on. My very technically oriented daughter was here this evening as I read your post out loud to her and she said "Pfft, I' can't believe that Linden Lab doesn't perform the simplest encryption of your communication to the server pool!"  Well 2 minutes later she had her protocol analyzer between my PC and my router also had my PC running Wiireshark.

We captured 60 seconds of me interacting with objects in my Music Studio in-world and my chat to a friend both in local and IM.

The results were interesting. we captured all protocol communication packets and analyzed the UDP & TCP information both going and coming to my PC for analysis.

Searching the whole of that data dump, we looked for any of the keywords of my conversation with my friend. Both in local and IM and none of my chat text was found in plain text. However, my interaction with my curtains was clearly noted as posted in the dump below:

I opened and closed the curtains and their name is clearly identified thus

BTW - We also saw much [but not all] of my inventory data being updated as I interacted with objects in there.

However chats, were nowhere to be found.

It would seem that the current SL Viewer does in fact encrypt Text Chat and IMs over a proper SSL encrypted handshake with the Linden Lab servers.

This leads me to believe that back in 2011 when Jeremy Linden wrote the wiki article you referenced,  he may have only been making a reference to the end-to-end encryption feature commonly available in that competing viewer.

So what is the risk? None really unless you distrust LL staff and even with end-to-end encryption all chats are still visible to be seen by them as needed..

This also means that your claim that your ISP [and other hop routers] can read your chat in and out of world is incorrect.

The ISP has no direct access to your conversations as they are being protected by a standard SSL encrypted session between the SL Viewer & Linden Lab's servers. Of course your ISP could be using the [illegal] Man in the Middle fake certificate spoofing Linden Lab but that is a long road to hoe and for what reason when being caught would get them sued for big $$$$.

Caution is still a great idea so this doesn't diminish your geneal warnings.

Carry on!

 

 

 

 

 

 

[Sassy Romano]

Thanks Karen, saved me the bother. If pretty much assumed chat was session encrypted or at least obfuscated between client and SL by now though given that LL really has no security culture, anything is possible

 

As regards Phoenix "end to end" encryption being visible to LL, it should not have been. Not if implemented as a proper end to end method. Apparently though they failed to implement a method of secure keying so intercept would have been via eavesdrop rather than as an expectation.

 

Proper end to end would only have the end points being able to derive the cipher key locally, thus any intercept would be rendered useless.

 

 

[Freya Mokusei]

Very smart investigative work, Lane & Co.! :-)

 

[irihapeti]

i would give you a kudos if i could

 

[irihapeti]

ps

the End-to-End that the TPV viewer (way back in the day) was a fail bc the secret seed for the first message that each end needs to encode/decode the start message was transmitted in plaintext over the same channel as the encoded message

which was kinda ummm!! at them scripties who thought they had a made a: LL dunno what we saying thingy

+

for End-to-End to work them need to use either public/private key encoding, or transmit the secret seed over another channel independently

and even if so then theres what you and Sassy mention also, the viewer capture keystrokes so can peek the message before is encoded and sent. Then at other end the viewer displays the decoded message, so dont need to try decrypt the message at all if you the channel owner. Just wait until the reciever opens/decodes the message, and peek it then, and thats it 

[SirLeighBastard]

---

KarenMichelle Lane wrote:

Alex,

You have an interesting post but that said you've made some assertions that are not exactly correct as well;

In general, yes anyone who values privacy should not be using SecondLife

---

FIFY!

The rest is boring and redundant.

Except the bit about curtains, which made me want to advise you to pull yourself together.

***Call me when you're sober

[Bree Giffen]

Thanks Alex! This is an excellent way to fend off requests for personal information from other residents! I have to copy this stuff to a note card.

[SirLeighBastard]

---

KarenMichelle Lane wrote:

So what is the risk? None really unless you distrust LL staff

---

Massive risk then!

***Call me a pessimist, because that is what an optimist calls a realist.

[Prokofy Neva]

@KarenMichelle Lane -- LL may encrypt chat in this basic form you indicate so that it is not available to casual snooping but that does NOT mean that they permit STRONG even INVINCIBLE encryption by the user base that they themselves cannot get into via a "back door" -- because they're the ones doing the encrypting of it! Instead of the user base. That's the issue. And I don't believe that LL should tolerate strong encryption in the user base because there is a long history of this being misused for crime and I don't want SL to become any more criminalized than it is.

As for this sort of thing: "Please send me all your private bank account details and CC me in all your private email, you have nothing to hide, you've already started such" from another poster, this is tiresome, and the usual snotty answer from extremists and crypto-anarchists who can't differentiate between the various goods of society.Banks encrypt your data so that you are not robbed. But that doesn't mean that by the same analogy your communications should also be wrapped up like a bank vault that police even with a warrant cannot break into, even if you are a terrorist attacking Paris.

Gosh, we're able to distinguish in a liberal democratic society the various means and methods and rationales for encryption in some places and not in others, and the need to hide some things and not others without an extreme, all-or-nothing binary take on this problem. The scorn for the "nothing to hide" advocates and invocation of the need to steal their bank accounts by having them reveal them only lets us know how criminally-minded this group is. A rational and reasonable approach recognizes that some things need strong encryption and others don't or shouldn't for other reasons of the good in society.

Phoenix was not allowed to be a third-party browser precisely because they advocated encryption that LL couldn't access which they would need to do to run this platform. And that's a good thing.

[Sassy Romano]

---

Prokofy Neva wrote:

 

As for this sort of thing: "Please send me all your private bank account details and CC me in all your private email, you have nothing to hide, you've already started such" from another poster, this is tiresome, and the usual snotty answer from extremists and crypto-anarchists who can't differentiate between the various goods of society.Banks encrypt your data so that you are not robbed. But that doesn't mean that by the same analogy your communications should also be wrapped up like a bank vault that police even with a warrant cannot break into, even if you are a terrorist attacking Paris.

---

So I take it that you're not willing to send it to me then, you have something to hide I guess!

You've been brainwashed into believing that 2+2=6 and yet are not prepared to listen to a 5 minute explanation as to why you're wrong that 2+2 in fact equals 4 because that's just geek and below your level of debate.

From your writing, it's clear that you don't understand encryption and as such, are not able to understand why your argument is ridiculously flawed.  You understand the point of encryption yes but not the mechanics and the issues with what your expecations are that follow.

By the way banks don't encrypt my data so that i'm not robbed, they encrypt it so that THEY'RE not robbed.  I guess you've never worked for a bank either?

You may wish to check YOUR Bill of Rights, the one for my country precedes yours by a hundred years and includes that subjects should be free from government interference. 

When a government acts illegally and snoops on its subjects and is then part of a legal prosecution and subsequently retrospectivly changes legislation to make it all go away, that's not one that wins favour.  You may disagree but good luck proving that 2+2=6.

It took 358 years to prove Fermat's last theorem but I hope you'll take somewhat shorter.

And... whether LL "tolerate" strong encryption is irrelevant.  Anyone with nefarious intent doesn't need either LL chat or encryption to perform criminal acts WITHIN Second Life and further, there's nothing that LL could do to prevent strong encryption that they cannot intercept WITHIN Second Life so i'm sorry to pop your bubble but that's just how it is already.  I'd explain why in one sentence but hey, that's just geek so irrelevant yes?

I'll give you a clue though, rapelcgvba vfa'g nobhg ubj fgebat gur nytbevguz vf gubhtu, jr nyernql unir gubfr, vg'f nobhg xrl trarengvba, xrl genafcbeg naq xrl pbasvqragvnyvgl. Vs V trarengr xrlf bhgfvqr bs FY naq genafcbeg gurz bhg bs onaq gb zl pbubegf, V pna fraq pvcure grkg nyy qnl ybat va VZ'f naq YY pna'g gbhpu vg. V pbhyq unir cevzf vafvqr FY npgvat nf jro genafcbegf sbe zl pvcuregrkg jvgu ab fabbcnoyr frffvba xrlf rire tbvat guebhtu YY'f favssvat.

 

 

[Sassy Romano]

Couple of other things, Phoenix was ceased for other published reasons, OTR was not one of them.

 

Second, kindly give me the respect of not referring to me as a member of some made up collective noun for any group you don't share the opinion of.

 

Continue and I'll just refer to you as "one of those civil rights shedding clueless lunatics". Fair?

[irihapeti]

---

Sassy Romano wrote:

---

 

rapelcgvba vfa'g nobhg ubj fgebat gur nytbevguz vf gubhtu, jr nyernql unir gubfr, vg'f nobhg xrl trarengvba, xrl genafcbeg naq xrl pbasvqragvnyvgl. Vs V trarengr xrlf bhgfvqr bs FY naq genafcbeg gurz bhg bs onaq gb zl pbubegf, V pna fraq pvcure grkg nyy qnl ybat va VZ'f naq YY pna'g gbhpu vg. V pbhyq unir cevzf vafvqr FY npgvat nf jro genafcbegf sbe zl pvcuregrkg jvgu ab fabbcnoyr frffvba xrlf rire tbvat guebhtu YY'f favssvat.

 

---

 

Encryption isn't about how strong the algorithm is though, we already have those, it's about key generation, key transport and key confidentiality. If I generate keys outside of SL and transport them out of band to my cohorts, I can send cipher text all day long in im's and LL can't touch it. I could have prims inside SL acting as web transports for my ciphertext with no snoopable session keys ever going through LL's sniffing.

+

you are so broken. Imma own all ur stuffs

q; (:

[Darrius Gothly]



 

[Sassy Romano]

---

irihapeti wrote

you are so broken. Imma own all ur stuffs

q; (:

---

Indeed and of course choosing a simple shift cipher wasn't going to be a challenge and was for fun to see who would be first to spot it but next time it'll be AES256 with appropriate keygen outside of SL and keys exchanged outside of SL and then it won't be so easy and that's how anyone could send messages via SL without LL having an chance of intercept.

Game, set and match to the end user, LL and intermediaries lose... today... no viewer changes required.

So what should LL do, ban their own viewer?

 

 

[irihapeti]

yes. Character substitution ciphers are broken quite easy

so i dont get any of your stuffs then ??!

(:

+

just some more thoughts

even with using more secure crypto algos (like AES for example) encoded short messages are notorious difficult to protect against. Particularly when the messages are a series. Like in a chat app convo (or phone call) for example

when a codebreaker/snooper/hunter is observing these then knowing who is chatting to who (the metadata) and the enviromental aspects - what it is they are most likely chatting about and the language of the participants (the characterset that the decoded message is most likely to resolve to) then it reduce the field search parameters by quite a lot    

is even more difficult to protect when use algo types like End-to-End, which not only contain short messages but can also contain the key for the next message in the series. Mathematically/academically these algos types can seem sound. But they are pretty unsafe from the likes of the NSA for example, when the conversationalists are persons of interest to them, and where have the resources to do something about it 

lengthening the packet that contains the message is the most effective, in that the longer the packet the more noisy we can make it.  However we still bound by the lengths dictated by the hardware and/or channel provider. Who tend toward, the most info in the shortest length for cost (to them) efficiency reasons. Minimum Distance Length (MDL) like channels. Particularly for convo type exchanges        

+

with prime number based algos, the weakness is in the choice of the keys. That people are quite often overreliant on the key generator to choose a key for them, the key generator that comes with encryption software package. Key generators which quite often "randomly" choose from a quite narrow range of prime numbers (narrow meaning when compared to the set of [all]) so that the resulting public/private keys generated can look more "random" to the user

people who are not cryptos (which is most of us) often have a interesting view of what we think "random" should look like. Is quite narrow as well the search field of "random looking".  As opposed to the search field of the set of [all]  

quite often also when people choose their own prime numbers then they go for the ones that they think look more random to them

add in the environmental aspects of the person choosing and it makes it more easy for the hunter to break them

+

while algos are pretty interesting in themself to me and heaps of other people. I think that people ordinarily should see encryption in the same way that they see locks. That is more a posted sign really than anything else. That when we see the sign then it tells us the the person wishes their privacy (stuff contained within) to be respected

[Sassy Romano]

Indeed.  Padding of data prior to encryption is pretty fundamental and the rest of your post holds true.

The other factor however is the time or relevance of the message.  It's not much help breaking that message next week if it refers to a time critical event tomorrow.

Besides, the objective is to derive the key or rather find it, be that by exploiting a weakness in the storage mechanism of the key or similar.

Nothing quite like a hot soldering iron or electric drill being offered to the eyes of your children to see how ones resolve to protect a key lasts.  Or maybe a power saw to shorten limbs bit by bit.  Though not typically government methods that are necessarily the first response.

No, ours just says "if you won't give us the keys, we'll just jail you anyway".  Guilty until proven innocent.

[Darrius Gothly]

I have to agree with your last question .. that being "what should LL do?"

It occurs to me that anyone needing to pass truly secretive information would rather choose an app designed for that purpose. Manually encrypting text to pass via clear-text chat on an unsecure platform, so that the other end can then manually decrypt it before responding .. just seems like more effort and a LOT more chance to mess up.

All it takes is one bad copy/paste and everything is blown. Why not stick to a program designed to automate all the dangerous stuff and just leave you to type and read in plain-text?

Or did I forget to take my paranoia pills again? Did someone take them from me? Were they replaced by secret government agents trying to pervert my mind?

Oh .. wait .. nvm. I took them earlier.

(btw: you can ignore the task entry named "keylogger". It's nothing more than routine maintenance to keep branches, leaves and tree limbs from getting stuck in your keyboard .. honest!)