Jump to content
Red2Blaze

Is SL chat now secure from 3rd party?

Recommended Posts

2 hours ago, Callum Meriman said:

It's my understanding that chat is still unencrypted UDP and able to be seen by everyone who can tap into a router between you and the Lab. This includes at a minimum: the Chinese, the Russians, Mossad, and the all of the Five Eye Countries.

Yeah but the Chinese don't bother to tap in. It's easier for them to just add covert sniffing hardware to the motherboards at the factory. ;)

 

  • Haha 2

Share this post


Link to post
Share on other sites
1 hour ago, Bradford Mint said:

Yeah but the Chinese don't bother to tap in. It's easier for them to just add covert sniffing hardware to the motherboards at the factory. ;)

 

They do that?

  • Like 1

Share this post


Link to post
Share on other sites
5 hours ago, Lindal Kidd said:

They do that?

They certainly have the capability; the Chinese make most of the motherboards and few would ever spot an extra chip or modified chip on a board. The stories in the news don't seem to be impossible anyway. Whether they're doing it or not ... who knows?

 

Edited by Parhelion Palou
Clarification
  • Like 1

Share this post


Link to post
Share on other sites
25 minutes ago, Parhelion Palou said:

They certainly have the capability; the Chinese make most of the motherboards and few would ever spot an extra chip or modified chip on a board. Whether they're doing it or not ... who knows?

Most nation states are capable of it in one form or another.

I just don't buy Bloomberg's chipped motherboard story, and neither do most experts. Consider that most corporations do have IDS systems. Any internal server dialing out to an unknown server is going to be trivially detected. Exfiltration of data is also going to be easily detected, especially if it reaches into the GB quantity.

Placing a physically detectable bug on a device means it will be detected. If it's detected all hell will break loose as the Snowden leaks proved.

I think any nation state would use other methods, such as altering BGP tables, installing viruses, employing APT, creating an encryption algorithm that used insecure primes, or applying brute state pressure to a company such as Apple, Google or Microsoft to get what they want.

  • Like 1

Share this post


Link to post
Share on other sites
14 hours ago, Red2Blaze said:

At times sexting is out of my control

No, it isn't, except through a Transcranial Electrostimulator device.

780856685_ProfessionalSexter.jpg.8f22e9e8fa776c6e02bfd50bba7d990a.jpg

"Sexting set to Ludicrous Speed. Engage!"

Edited by Arduenn Schwartzman
  • Haha 1

Share this post


Link to post
Share on other sites
55 minutes ago, Arduenn Schwartzman said:

No, it isn't, except through a Transcranial Electrostimulator device.

780856685_ProfessionalSexter.jpg.8f22e9e8fa776c6e02bfd50bba7d990a.jpg

"Sexting set to Ludicrous Speed. Engage!"

Tinfoil hat would be cheaper to solve OP’s issue..

  • Sad 1

Share this post


Link to post
Share on other sites
50 minutes ago, Love Zhaoying said:

Tinfoil hat would be cheaper to solve OP’s issue..

You do get I am talking about something that is existing and made up story right?

I am fine with most jokes but this is all ready insulting

This is not some mind control alien thing (that is completely a story made by Wakanda to distract us from there sinister aglets plan) but something that you can see if you take the time

I am not going off Second Life because of it, but I do think they should put locks on the doors and not leave them open

4 hours ago, Callum Meriman said:

Most nation states are capable of it in one form or another.

I just don't buy Bloomberg's chipped motherboard story, and neither do most experts. Consider that most corporations do have IDS systems. Any internal server dialing out to an unknown server is going to be trivially detected. Exfiltration of data is also going to be easily detected, especially if it reaches into the GB quantity.

Placing a physically detectable bug on a device means it will be detected. If it's detected all hell will break loose as the Snowden leaks proved.

I think any nation state would use other methods, such as altering BGP tables, installing viruses, employing APT, creating an encryption algorithm that used insecure primes, or applying brute state pressure to a company such as Apple, Google or Microsoft to get what they want.

But if the security that looks for this sniffers are also made by China...

Share this post


Link to post
Share on other sites
4 hours ago, Callum Meriman said:

Most nation states are capable of it in one form or another.

I just don't buy Bloomberg's chipped motherboard story, and neither do most experts. Consider that most corporations do have IDS systems. Any internal server dialing out to an unknown server is going to be trivially detected. Exfiltration of data is also going to be easily detected, especially if it reaches into the GB quantity.

Placing a physically detectable bug on a device means it will be detected. If it's detected all hell will break loose as the Snowden leaks proved.

I think any nation state would use other methods, such as altering BGP tables, installing viruses, employing APT, creating an encryption algorithm that used insecure primes, or applying brute state pressure to a company such as Apple, Google or Microsoft to get what they want.

Yes although it also depends on what is to be exfiltrated and how.  For example, extracting only crypto key material or credentials or even keystrokes and sending them via LiFi for example would be far more covert than trying to send to China via IP.

Supply chain intercept is a real concern, especially where the root of trust has to be implemented in a country that is not trusted and ironically that tends to include the USA too as far as most of Europe goes.

  • Like 1

Share this post


Link to post
Share on other sites
26 minutes ago, Red2Blaze said:

You do get I am talking about something that is existing and made up story right?

I am fine with most jokes but this is all ready insulting

This is not some mind control alien thing (that is completely a story made by Wakanda to distract us from there sinister aglets plan) but something that you can see if you take the time

I am not going off Second Life because of it, but I do think they should put locks on the doors and not leave them open

But if the security that looks for this sniffers are also made by China...

Have you considered filing a JIRA for a feature request?

  • Thanks 1

Share this post


Link to post
Share on other sites
5 minutes ago, Bradford Mint said:

That was my thought.

Easy peasy. Do we know for certain that it’s not already using Http for most viewers?

  • Like 1

Share this post


Link to post
Share on other sites
Just now, Bradford Mint said:

To be honest, I thought the viewer was using HTTPS but my chat is secure anyway - I don't login!  :)

Ah, similar here..plenty of time for forums but SL? Nope. Unless I’m scripting.

  • Haha 1

Share this post


Link to post
Share on other sites

Since it is still being harped on: There is very little of any real worth/value to make it worthwhile for someone to go to the trouble of putting a sniffer on your machine, just to read Second Life chat/IMs.

No, really ... There simply isn't.

On top of that there are other ways to gain access to that information, starting with silently copying your logs (if any) every once in a blue moon.

Take the standard precautions on your end and just get on with your (Second) Life.

  • Sad 1

Share this post


Link to post
Share on other sites
1 hour ago, Love Zhaoying said:

Easy peasy. Do we know for certain that it’s not already using Http for most viewers?

Out of order chat lines shows it's not tcp/ip.

 

  • Confused 1

Share this post


Link to post
Share on other sites
3 hours ago, Love Zhaoying said:

Have you considered filing a JIRA for a feature request?

... wanted to make sure its not "fixed" yet before I do, there for this post

2 hours ago, Solar Legion said:

Since it is still being harped on: There is very little of any real worth/value to make it worthwhile for someone to go to the trouble of putting a sniffer on your machine, just to read Second Life chat/IMs.

No, really ... There simply isn't.

On top of that there are other ways to gain access to that information, starting with silently copying your logs (if any) every once in a blue moon.

Take the standard precautions on your end and just get on with your (Second) Life.

Ya but for them to get my logs it means they need to get on my system first, something I assume is some what harder then simple sniff of the network

 

I know there is always that one, but really?

I did not say I am leaving or stop using SL because of this no did I call out a red alert to call out the troops

Yet I think its legit to ask and be given a secure chat

I am not holding my breath or stopping my (Second) life on this

But I do think its worth the time to ask for it

Share this post


Link to post
Share on other sites

I really wish there was a "groan" button right about now.... 

Short of having direct access to your machine to place some sort of monitoring software, anyone looking to intercept Second Life chat or Instant Messages will have to sort all of the other traffic going through the node they choose to tap into. 

Even writing and using a program to do so is far more trouble than it is worth. There is nothing of real value being transmitted through Second Life's chat systems to warrant the effort. 

Edited by Solar Legion
  • Sad 1

Share this post


Link to post
Share on other sites
15 minutes ago, Solar Legion said:

Even writing and using a program to do so is far more trouble than it is worth. There is nothing of real value being transmitted through Second Life's chat systems to warrant the effort. 

Unless of course you are a Gor working for the church - blackmail hurray ;)

  • Haha 1

Share this post


Link to post
Share on other sites
17 minutes ago, Solar Legion said:

I really wish there was a "groan" button right about now.... 

Short of having direct access to your machine to place some sort of monitoring software, anyone looking to intercept Second Life chat or Instant Messages will have to sort all of the other traffic going through the node they choose to tap into. 

Even writing and using a program to do so is far more trouble than it is worth. There is nothing of real value being transmitted through Second Life's chat systems to warrant the effort. 

I'm a bit yes and no on this one.  They don't need direct access to the machine, only the transmission media and given that the use case is an academic institution, that suggests shared access somewhere along the line. In reality, at the local LAN level, I would expect the switch ports to isolate client traffic so the only people who would be sniffing the aggregate data would be admins or someone who has access to set up port mirroring on the switch.  Similarly, any good configuration of a wireless AP in a public area would have AP Client Isolation enabled for the same purpose although wireless presents other opportunities.

As for filtering?  That's trivial with a network sniffer, just set up a filtering rule to exclude/include traffic as appropriate, no sifting required.  You'd do that at the capture level so only cursory additional investigation required later to inspect the actual captured traffic.

Whether it's worth it?  I'm with you on that one, the OP is just trying to avert any embarrassment that might come up from peers and the simple solution as others have said is "don't use SL on a shared media" or use a VPN.  Sufficient solutions exist for this specific issue and while they not be desirable, are easier to implement than trying to get LL to implement a change instead.

  • Thanks 1

Share this post


Link to post
Share on other sites
2 hours ago, Solar Legion said:

I really wish there was a "groan" button right about now.... 

Short of having direct access to your machine to place some sort of monitoring software, anyone looking to intercept Second Life chat or Instant Messages will have to sort all of the other traffic going through the node they choose to tap into. 

Even writing and using a program to do so is far more trouble than it is worth. There is nothing of real value being transmitted through Second Life's chat systems to warrant the effort. 

"groan" has been registered and moved along to the appropriate departments :)

I don't think its that hard to do and to find a way to filter it even without looking for that spasficlly

2 hours ago, Bradford Mint said:

I'm a bit yes and no on this one.  They don't need direct access to the machine, only the transmission media and given that the use case is an academic institution, that suggests shared access somewhere along the line. In reality, at the local LAN level, I would expect the switch ports to isolate client traffic so the only people who would be sniffing the aggregate data would be admins or someone who has access to set up port mirroring on the switch.  Similarly, any good configuration of a wireless AP in a public area would have AP Client Isolation enabled for the same purpose although wireless presents other opportunities.

As for filtering?  That's trivial with a network sniffer, just set up a filtering rule to exclude/include traffic as appropriate, no sifting required.  You'd do that at the capture level so only cursory additional investigation required later to inspect the actual captured traffic.

Whether it's worth it?  I'm with you on that one, the OP is just trying to avert any embarrassment that might come up from peers and the simple solution as others have said is "don't use SL on a shared media" or use a VPN.  Sufficient solutions exist for this specific issue and while they not be desirable, are easier to implement than trying to get LL to implement a change instead.

I think I may have been a little unclear on that part

Its not that this case is the only reason I ask for this, its just the one that push me to go out and really look out if its all ready done before I go on opening a Jira asking for it

The base reason is simply that I feel it simply should be secured

compere to other work Linden Lab dose I assume over all that this is not that huge request and again this is not a breaking case, this is just a thing that I think should be there, over all I assume most of the SL residents as my self as well on that assume that the chat is simply secure, I mean I will not pass passwords or anything like that on it anyway, but I at least assume the basic of it being on even a small level secure

 

And sure it may not be easy to get LL to do something about it, and hell how much can one even really expect them to do it, if they did not so far, but I can be optimistic anyway, so or so don't think it matters for you if they do it or not, for me it just be "nice to have" thing, so or so its not a world changer

 

 

On any case Jira case opened:

https://jira.secondlife.com/browse/BUG-225783

Edited by Red2Blaze

Share this post


Link to post
Share on other sites

The poster was patient through a lot of jibberish.  If she returns I want to suggest that you can download a vpn service in less than a minute, and for a few bucks a month secure your traffic from your computer to the vpn server of your choice somewhere in the world, then on to SL and back.  This answers your concerns and thwarts the nosy guys around a university who are not criminal minded seeking bank accounts but are interested in the private lives of girls and how to snoop on them thru fun hacking.

Only subscribe to a vpn that allows you to see the server list and the percentages of load on each server, so you can choose one in a good location and under light load each time you log in.  I know of one such service and I won't mention it's name but I think it starts with "N" and ends with "n."  Just choose one of their servers on their list that is close the the SL servers in San Francisco or else close to your own location so that traffic is most direct. 

You know there is no total security on the internet and don't need to be preached to and told snarkily to alter your behaviour.  To answer your initial concern, this should ease your mind about local snoops on the university network.

Best of luck, lass.

  • Thanks 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...