Eloise Baily Posted November 30, 2011
B = blummin btw, didn't fancy a bleep in my title. Is this a genuine Linden with a genuine response? https://jira.secondlife.com/browse/VWR-21305 Or is this a spoof? I'm confused, because if it's genuine, when did LL start broadcasting the names of perps? Please tell me I spend too much time inworld to know the intricacies of this stuff?

Amethyst Jetaime Posted November 30, 2011
It appears genuine. Nice that they released the new viewer with such a huge security issue.

Storm Clarence Posted November 30, 2011
The Jira is 2 years old. The replies from Lindens are 2 years old.

Venus Petrov Posted November 30, 2011
If you set your media preferences so that you do not autoplay media when you TP to a new location, you should be fine.

Eloise Baily (Author) Posted November 30, 2011
Then why did I receive this in my email notifications today?

Sy Beck Posted November 30, 2011
Eloise Baily wrote: Then why did I receive this in my email notifications today?
I'm guessing because you signed yourself up to the "Watch" list? Therefore, there might have been some new info added today/yesterday, which has been emailed to you?

Eloise Baily (Author) Posted November 30, 2011
I wish that were true Sy. I haven't been near the JIRA since RZ, which was when, March? I find this a little odd. I'm nearly 3 years old and savvy to a point. I'm not clueless on these things and this has never happened before. Is someone playing?
ETA: It's not the notification Sy. It's the disclosure of an avatar by a Linden. I stated that in my OP.
Eloise Baily (Author) Posted December 1, 2011
BTW, clicking on the link now does not get what I got in my notification. What I got was this (Dunno how to link):

[ https://jira.secondlife.com/browse/VWR-21305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexa Linden updated VWR-21305:
-------------------------------
    Environment: .
       Assignee: ProductTeam Linden
         Labels: forProductReview vi-backlog  (was: vi-backlog)

> Potential Privacy Exploit - It is heuristically possible to use MoaP to link a client IP address to an avatar
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: VWR-21305
>                 URL: https://jira.secondlife.com/browse/VWR-21305
>             Project: 1. Second Life Viewer - VWR
>          Issue Type: Bug
>         Environment: .
>            Reporter: Joe Linden
>            Assignee: ProductTeam Linden
>            Priority: Minor
>              Labels: forProductReview, vi-backlog
>         Attachments: IP-Proof-of-PrivacyBreach.png
>
>
> This is a temporary report on a major privacy breach risk with the new viewer. Upon request, the resident reporting this issue has offered to demonstrate the exploit documented below in a safe place, with a personal guarantee that the obtained data (such as IP addresses) would, by definition, only be used for the risk test and would be scrambled and/or deleted immediately afterward.
>
> Risk Definition:
> This exploit relates to the rendering of HTML/Flash on prims (i.e. MoaP) and represents a major privacy breach risk which can also compromise the security of an individual.
>
> Test Configuration:
> The test described below is done with a limited setup, but is fully functional, automatic and already operational.
> * webserver with a database
> * a small amount of server side scripts to register and process data
> * standard viewer 2.0
> * 1 prim with media texture pointing to an (empty) web page on a fraudulent server and one simple script with standard LSL
> * invisible placement of the prim (small size, hidden inside other prims or the land)
>
> Testing:
> * presence of avatars with the v2.0 viewer in the neighbourhood of the prim. Avatars must have media enabled (automatically or manually).
>
> Testing results:
> It is heuristically possible to link a client IP address to an avatar. Depending on the number of present avatars, the time they enter and they leave, it is possible to obtain ONE HUNDRED PERCENT accuracy.
> I have attached a very simple example of obtained data, not heuristically processed.
> Though it's already clear without scripts: Gentle Heron is the owner of one of the (scrambled) IP addresses.
> The other IP address reveals the existence of 2 users or a user and his/her ALT on the same network.
>
> Using the above configuration, it is possible to:
>
> Direct exploit
> * obtain IP addresses of any avatar
> * obtain the country of origin, even the location of the SL user depending on the DNS information or additional information from hacking tables
> * in case of static IP addresses, such as for companies, link an SL user to a company (or, e.g., his private business)
>
> Enhanced exploit
> * With the necessary tools, a hacker could be able to obtain personal data by attacking the PC of the SL user (Trojan horses, etc.).
> * Since the SL user does NOT know about the website/server he actually connected to, this is a major improvement for any hacker or bot network! Instead of having to hack websites to get a user connecting to a dangerous webserver, this is a direct and invisible way.
> * Due to the amount of concurrent users on SL, this is a dream situation for any serious hacker.
>
> Extreme possibilities
> Any hacker with experienced SL knowledge is able to link SL information about an SL user to the real individual once he has the connection.
> The anonymity of the SL user is completely undermined in this way.
>
> Additional Concerns...
> Given the fact that SL users completely rely on anonymity concerning their Second Life, including being part of several groups, including adult-related groups, blogs and posts on the internet,.... the real individual can be subject to DIRECT blackmail from the hacker(s) or hacker groups.
> Linden Lab might experience serious trouble if SL users blame the company for Trojan horses and viruses on their PCs, as well as the lack of protection of privacy.
>
> Final Remarks...
> Even a proxy server would have issues beyond those of heavy traffic. It would allow people to surf anonymously, and also prevent the logging requirements of each country's state security. Or, in case of less "free" countries, circumvent their own system (China,...)
> In theory, this was also possible with existing parcel media streams. Due to the ownership and parcel media restrictions, and also because they were limited to audio or video streams, developing and using a working exploit was less obvious.

--
This message is automatically generated by JIRA.
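The JIRA text quoted in the post above describes the correlation step only in words: a hidden prim's media texture makes every nearby viewer with media enabled fetch a page from the attacker's web server, the server log records the client IP and time of each fetch, and an LSL script records when each avatar comes into range and leaves. The example below is an added illustration of that heuristic, written for this page; it is not code from the JIRA, from the reporter, or from Linden Lab, and the avatar names, presence windows and log lines are all constructed (the addresses are RFC 5737 documentation ranges). It intersects, per client IP, the sets of avatars present at each of that IP's fetches, which is what turns "IP + timestamp" into "IP + avatar" once few enough avatars overlap. It also shows the two failure modes the reporter alludes to: an IP whose fetches only ever overlap with several avatars stays ambiguous, and a fetch that no presence window explains (a direct visit to the URL) is left unattributed. Note what the defence in Venus Petrov's reply does to this: if media does not autoplay, the viewer never requests the page, so no log line exists to correlate.

```python
import re
from datetime import datetime

# Constructed sample data: when each avatar was within range of the hidden
# media prim, as a simple LSL sensor script might log (arrival, departure).
# Names and times are placeholders, not data from the JIRA attachment.
PRESENCE = [
    ("Avatar A", "2011-11-30T20:00:00+00:00", "2011-11-30T20:10:00+00:00"),
    ("Avatar B", "2011-11-30T20:02:00+00:00", "2011-11-30T20:20:00+00:00"),
    ("Avatar C", "2011-11-30T20:15:00+00:00", "2011-11-30T20:30:00+00:00"),
]

# Constructed web-server access log (Apache combined style) for the blank page
# the prim's media texture points at. Every viewer rendering the prim with media
# enabled fetches it, so the server learns the viewer's client IP.
ACCESS_LOG = """\
192.0.2.10 - - [30/Nov/2011:20:00:05 +0000] "GET /blank.html HTTP/1.1" 200 0
198.51.100.7 - - [30/Nov/2011:20:02:03 +0000] "GET /blank.html HTTP/1.1" 200 0
192.0.2.10 - - [30/Nov/2011:20:00:35 +0000] "GET /blank.html HTTP/1.1" 200 0
203.0.113.4 - - [30/Nov/2011:20:15:02 +0000] "GET /blank.html HTTP/1.1" 200 0
198.51.100.7 - - [30/Nov/2011:20:16:00 +0000] "GET /blank.html HTTP/1.1" 200 0
192.0.2.99 - - [30/Nov/2011:21:00:00 +0000] "GET /blank.html HTTP/1.1" 200 0
this line is deliberately malformed and must be skipped
"""

# client IP, two ignored fields, bracketed timestamp, quoted request line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*"')


def parse_log(text):
    """Yield (ip, aware datetime) for each well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group(1), ts


def load_presence(rows):
    """Parse the ISO-8601 presence windows into aware datetimes once."""
    return [(name, datetime.fromisoformat(a), datetime.fromisoformat(d))
            for name, a, d in rows]


def present_at(presence, ts):
    """Set of avatars whose presence window contains the instant ts."""
    return {name for name, arrive, depart in presence if arrive <= ts <= depart}


def correlate(presence_rows, log_text):
    """Map each client IP to the avatars that could have produced all its fetches.

    For every fetch by an IP, take the avatars present at that moment; the
    candidate set for the IP is the intersection over its fetches. One name
    means a (heuristic) link, several mean ambiguity, none means no avatar in
    the presence log explains the traffic.
    """
    presence = load_presence(presence_rows)
    candidates = {}
    for ip, ts in parse_log(log_text):
        here = present_at(presence, ts)
        candidates[ip] = here if ip not in candidates else candidates[ip] & here
    return {ip: sorted(names) for ip, names in candidates.items()}


if __name__ == "__main__":
    for ip, who in correlate(PRESENCE, ACCESS_LOG).items():
        status = "linked" if len(who) == 1 else ("ambiguous" if who else "unexplained")
        print(f"{ip:14} {status:11} {', '.join(who) or '-'}")
```

With the constructed data, 192.0.2.10 resolves to Avatar A because its first fetch precedes everyone else's arrival, 198.51.100.7 resolves to Avatar B because only B is present at both of its fetches, 203.0.113.4 stays ambiguous between B and C, and 192.0.2.99 is unexplained. The reporter's remark about two users behind one address is why the script does not "subtract" already-linked avatars from the ambiguous sets: several viewers behind one NAT legitimately share an IP.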
Eloise Baily (Author) Posted December 1, 2011
Damn, it still doesn't show right, but it seems a bit odd.

Sy Beck Posted December 1, 2011
I just looked and you are on the "watch" list Eloise. It is weird though because I don't see any recent update, but then again I could be looking in the wrong place as I hardly ever visit the JIRA. And yeah, I see what you mean, I'll leave it to more experienced JIRA folks to comment.

wiked Anton Posted December 1, 2011
It certainly appears genuine, and the fact that the Lindens provided an avatar name is worrying, but it just goes to show they don't seem too worried about users' information being collected. The fact that they mention someone AND their alt and gave a few IP addresses makes it too easy for someone to connect the dots there... Most worrying indeed is the fact that LL doesn't consider IP collecting an actionable exploit... OMG

Marigold Devin Posted December 1, 2011
This thread was updated today, which is why you got a notification in your email. I might be a little past my bedtime currently, but the person named in that screenshot upload must have given her permission to be named. (G.H. I mean). She was featured in a video a few weeks ago, so her RL identity is not a secret.

Griffin Ceawlin Posted December 1, 2011
"Upon request, the resident reporting this issue has offered to demonstrate the exploit documented below in a safe place, with a personal guarantee that the obtained data (such as IP addresses) would, by definition, only be used for the risk test and would be scrambled and/or deleted immediately afterward."