
Is SL chat now secure from 3rd party?


Red2Blaze


2 hours ago, Callum Meriman said:

It's my understanding that chat is still unencrypted UDP and able to be seen by everyone who can tap into a router between you and the Lab. This includes at a minimum: the Chinese, the Russians, Mossad, and all of the Five Eyes countries.

Yeah but the Chinese don't bother to tap in. It's easier for them to just add covert sniffing hardware to the motherboards at the factory. ;)

 

  • Haha 2

5 hours ago, Lindal Kidd said:

They do that?

They certainly have the capability; the Chinese make most of the motherboards and few would ever spot an extra chip or modified chip on a board. The stories in the news don't seem to be impossible anyway. Whether they're doing it or not ... who knows?

 

Edited by Parhelion Palou
Clarification
  • Like 1

25 minutes ago, Parhelion Palou said:

They certainly have the capability; the Chinese make most of the motherboards and few would ever spot an extra chip or modified chip on a board. Whether they're doing it or not ... who knows?

Most nation states are capable of it in one form or another.

I just don't buy Bloomberg's chipped motherboard story, and neither do most experts. Consider that most corporations do have IDS systems. Any internal server dialing out to an unknown server is going to be trivially detected. Exfiltration of data is also going to be easily detected, especially if it reaches into the GB quantity.

Placing a physically detectable bug on a device means it will be detected. If it's detected all hell will break loose as the Snowden leaks proved.

I think any nation state would use other methods, such as altering BGP tables, installing viruses, employing APT, creating an encryption algorithm that used insecure primes, or applying brute state pressure to a company such as Apple, Google or Microsoft to get what they want.

  • Like 1
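
The two detection claims in the post above (an internal server contacting an unknown destination, and bulk exfiltration by volume), sketched as an added example that is not part of the original thread. The flow-record format, addresses, allowlist and 1 GB threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "time src dst dport bytes_out"
SAMPLE_FLOWS = """\
2024-01-01T01:00:00 10.0.5.20 10.0.1.53 53 4200
2024-01-01T01:00:05 10.0.5.20 192.0.2.10 443 88000
2024-01-01T01:02:00 10.0.5.21 198.51.100.77 443 1500
2024-01-01T01:10:00 10.0.5.22 192.0.2.10 443 700000000
2024-01-01T01:40:00 10.0.5.22 192.0.2.10 443 600000000
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
KNOWN_DESTINATIONS = {"192.0.2.10"}            # assumed egress allowlist
VOLUME_LIMIT = 1_000_000_000                   # 1 GB per src/dst pair


def find_egress_alerts(flow_text, known=KNOWN_DESTINATIONS, limit=VOLUME_LIMIT):
    """Return sorted (src, dst, reason) tuples for suspicious outbound flows."""
    totals = defaultdict(int)
    alerts = set()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records rather than crash the detector
        _, src, dst, _, nbytes = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            sent = int(nbytes)
        except ValueError:
            continue  # unparsable address or byte count
        if src_ip not in INTERNAL or dst_ip in INTERNAL:
            continue  # only internal -> external traffic counts as egress
        if dst not in known:
            # Rule 1: any dial-out to a destination outside the allowlist
            alerts.add((src, dst, "unknown-destination"))
        totals[(src, dst)] += sent
        if totals[(src, dst)] > limit:
            # Rule 2: cumulative volume, even to an allowlisted destination
            alerts.add((src, dst, "volume-exceeded"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_egress_alerts(SAMPLE_FLOWS):
        print(alert)
```

The 1500-byte flow is caught only by the allowlist rule and the 1.3 GB transfer only by the volume rule, which is why both checks are needed.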

50 minutes ago, Love Zhaoying said:

Tinfoil hat would be cheaper to solve OP’s issue..

You do get I am talking about something that is existing and made up story right?

I am fine with most jokes but this is already insulting

This is not some mind control alien thing (that is completely a story made by Wakanda to distract us from their sinister aglets plan) but something that you can see if you take the time

I am not going off Second Life because of it, but I do think they should put locks on the doors and not leave them open

4 hours ago, Callum Meriman said:

Most nation states are capable of it in one form or another.

I just don't buy Bloomberg's chipped motherboard story, and neither do most experts. Consider that most corporations do have IDS systems. Any internal server dialing out to an unknown server is going to be trivially detected. Exfiltration of data is also going to be easily detected, especially if it reaches into the GB quantity.

Placing a physically detectable bug on a device means it will be detected. If it's detected all hell will break loose as the Snowden leaks proved.

I think any nation state would use other methods, such as altering BGP tables, installing viruses, employing APT, creating an encryption algorithm that used insecure primes, or applying brute state pressure to a company such as Apple, Google or Microsoft to get what they want.

But if the security that looks for these sniffers is also made by China...


4 hours ago, Callum Meriman said:

Most nation states are capable of it in one form or another.

I just don't buy Bloomberg's chipped motherboard story, and neither do most experts. Consider that most corporations do have IDS systems. Any internal server dialing out to an unknown server is going to be trivially detected. Exfiltration of data is also going to be easily detected, especially if it reaches into the GB quantity.

Placing a physically detectable bug on a device means it will be detected. If it's detected all hell will break loose as the Snowden leaks proved.

I think any nation state would use other methods, such as altering BGP tables, installing viruses, employing APT, creating an encryption algorithm that used insecure primes, or applying brute state pressure to a company such as Apple, Google or Microsoft to get what they want.

Yes although it also depends on what is to be exfiltrated and how.  For example, extracting only crypto key material or credentials or even keystrokes and sending them via LiFi for example would be far more covert than trying to send to China via IP.

Supply chain intercept is a real concern, especially where the root of trust has to be implemented in a country that is not trusted and ironically that tends to include the USA too as far as most of Europe goes.

  • Like 1

26 minutes ago, Red2Blaze said:

You do get I am talking about something that is existing and made up story right?

I am fine with most jokes but this is already insulting

This is not some mind control alien thing (that is completely a story made by Wakanda to distract us from their sinister aglets plan) but something that you can see if you take the time

I am not going off Second Life because of it, but I do think they should put locks on the doors and not leave them open

But if the security that looks for these sniffers is also made by China...

Have you considered filing a JIRA for a feature request?

  • Thanks 1

Since it is still being harped on: There is very little of any real worth/value to make it worthwhile for someone to go to the trouble of putting a sniffer on your machine, just to read Second Life chat/IMs.

No, really ... There simply isn't.

On top of that there are other ways to gain access to that information, starting with silently copying your logs (if any) every once in a blue moon.

Take the standard precautions on your end and just get on with your (Second) Life.

  • Sad 1

3 hours ago, Love Zhaoying said:

Have you considered filing a JIRA for a feature request?

... wanted to make sure it's not "fixed" yet before I do, therefore this post

2 hours ago, Solar Legion said:

Since it is still being harped on: There is very little of any real worth/value to make it worthwhile for someone to go to the trouble of putting a sniffer on your machine, just to read Second Life chat/IMs.

No, really ... There simply isn't.

On top of that there are other ways to gain access to that information, starting with silently copying your logs (if any) every once in a blue moon.

Take the standard precautions on your end and just get on with your (Second) Life.

Ya but for them to get my logs it means they need to get on my system first, something I assume is somewhat harder than a simple sniff of the network

 

I know there is always that one, but really?

I did not say I am leaving or stop using SL because of this, nor did I call out a red alert to call out the troops

Yet I think it's legit to ask and be given a secure chat

I am not holding my breath or stopping my (Second) life on this

But I do think it's worth the time to ask for it


I really wish there was a "groan" button right about now.... 

Short of having direct access to your machine to place some sort of monitoring software, anyone looking to intercept Second Life chat or Instant Messages will have to sort all of the other traffic going through the node they choose to tap into. 

Even writing and using a program to do so is far more trouble than it is worth. There is nothing of real value being transmitted through Second Life's chat systems to warrant the effort. 

Edited by Solar Legion
  • Sad 1

15 minutes ago, Solar Legion said:

Even writing and using a program to do so is far more trouble than it is worth. There is nothing of real value being transmitted through Second Life's chat systems to warrant the effort. 

Unless of course you are a Gor working for the church - blackmail hurray ;)

  • Haha 1

17 minutes ago, Solar Legion said:

I really wish there was a "groan" button right about now.... 

Short of having direct access to your machine to place some sort of monitoring software, anyone looking to intercept Second Life chat or Instant Messages will have to sort all of the other traffic going through the node they choose to tap into. 

Even writing and using a program to do so is far more trouble than it is worth. There is nothing of real value being transmitted through Second Life's chat systems to warrant the effort. 

I'm a bit yes and no on this one.  They don't need direct access to the machine, only the transmission media and given that the use case is an academic institution, that suggests shared access somewhere along the line. In reality, at the local LAN level, I would expect the switch ports to isolate client traffic so the only people who would be sniffing the aggregate data would be admins or someone who has access to set up port mirroring on the switch.  Similarly, any good configuration of a wireless AP in a public area would have AP Client Isolation enabled for the same purpose although wireless presents other opportunities.

As for filtering?  That's trivial with a network sniffer, just set up a filtering rule to exclude/include traffic as appropriate, no sifting required.  You'd do that at the capture level so only cursory additional investigation required later to inspect the actual captured traffic.

Whether it's worth it?  I'm with you on that one, the OP is just trying to avert any embarrassment that might come up from peers and the simple solution as others have said is "don't use SL on a shared media" or use a VPN.  Sufficient solutions exist for this specific issue and while they may not be desirable, are easier to implement than trying to get LL to implement a change instead.

  • Thanks 1

2 hours ago, Solar Legion said:

I really wish there was a "groan" button right about now.... 

Short of having direct access to your machine to place some sort of monitoring software, anyone looking to intercept Second Life chat or Instant Messages will have to sort all of the other traffic going through the node they choose to tap into. 

Even writing and using a program to do so is far more trouble than it is worth. There is nothing of real value being transmitted through Second Life's chat systems to warrant the effort. 

"groan" has been registered and moved along to the appropriate departments :)

I don't think it's that hard to do and to find a way to filter it even without looking for that specifically

2 hours ago, Bradford Mint said:

I'm a bit yes and no on this one.  They don't need direct access to the machine, only the transmission media and given that the use case is an academic institution, that suggests shared access somewhere along the line. In reality, at the local LAN level, I would expect the switch ports to isolate client traffic so the only people who would be sniffing the aggregate data would be admins or someone who has access to set up port mirroring on the switch.  Similarly, any good configuration of a wireless AP in a public area would have AP Client Isolation enabled for the same purpose although wireless presents other opportunities.

As for filtering?  That's trivial with a network sniffer, just set up a filtering rule to exclude/include traffic as appropriate, no sifting required.  You'd do that at the capture level so only cursory additional investigation required later to inspect the actual captured traffic.

Whether it's worth it?  I'm with you on that one, the OP is just trying to avert any embarrassment that might come up from peers and the simple solution as others have said is "don't use SL on a shared media" or use a VPN.  Sufficient solutions exist for this specific issue and while they may not be desirable, are easier to implement than trying to get LL to implement a change instead.

I think I may have been a little unclear on that part

It's not that this case is the only reason I ask for this, it's just the one that pushed me to go out and really look whether it's already done before I go on opening a Jira asking for it

The base reason is simply that I feel it simply should be secured

Compared to other work Linden Lab does I assume overall that this is not that huge a request and again this is not a breaking case, this is just a thing that I think should be there, overall I assume most of the SL residents, as myself as well, assume that the chat is simply secure, I mean I will not pass passwords or anything like that on it anyway, but I at least assume the basic of it being on even a small level secure

 

And sure it may not be easy to get LL to do something about it, and hell how much can one even really expect them to do it, if they did not so far, but I can be optimistic anyway, so or so don't think it matters for you if they do it or not, for me it just be "nice to have" thing, so or so its not a world changer

 

 

In any case, Jira case opened:

https://jira.secondlife.com/browse/BUG-225783

Edited by Red2Blaze

The poster was patient through a lot of gibberish.  If she returns I want to suggest that you can download a vpn service in less than a minute, and for a few bucks a month secure your traffic from your computer to the vpn server of your choice somewhere in the world, then on to SL and back.  This answers your concerns and thwarts the nosy guys around a university who are not criminal minded seeking bank accounts but are interested in the private lives of girls and how to snoop on them thru fun hacking.

Only subscribe to a vpn that allows you to see the server list and the percentages of load on each server, so you can choose one in a good location and under light load each time you log in.  I know of one such service and I won't mention its name but I think it starts with "N" and ends with "n."  Just choose one of their servers on their list that is close to the SL servers in San Francisco or else close to your own location so that traffic is most direct.

You know there is no total security on the internet and don't need to be preached to and told snarkily to alter your behaviour.  To answer your initial concern, this should ease your mind about local snoops on the university network.

Best of luck, lass.

  • Thanks 1
