Jump to content

Chaser Zaks

  • Posts

  • Joined

  • Last visited

Everything posted by Chaser Zaks

  1. That'd be a big expense in my disability check. $40 for something I'd use only for SMS like 2 to 3 times a month seems like unwise spending to me.
  2. If age verification is limited down to a government issued ID such as state ID, drivers license, or military ID, I'd be "ok" with it, not too happy about it. However, if they require cellphones, which quite a few sites are doing with 2FA or some form of verification, I am absolutely against it. I do not have a cellphone, I have VoIP number(but I can't use this because VoIP is blacklisted way too often). I cannot afford a cellphone plan because I am on disability. I know I am not the only one who is in such a situation. However, if age verification was added into Second Life, I would expect it to do something else such as lowering the minimum age requirement as well. Age verification would be pointless and possibly cause people to leave out of frustration(either because they can't verify a specific ID, or they don't have a ID, or other issues). That number has to be made up some how by increasing the number of possible residents, and since a lot of other virtual worlds allow anyone above the age of 13 to join while restricting those under the age of 16 to general rated regions. I am quite aware that the minimum age requirement is a controversial subject, but I am looking at the bigger picture of user acquisition and competing in a increasingly competitive market. Adult will still be adult, and only people over the age of 18 will go there. And people already lie about their age, if they were given access to G rated regions, it may actually have the effect of reducing under aged users in moderate and adult regions.
  3. I ended up making a user script(as I do for every change I want but it isn't a thing) for this. You can get it (and view the source code) here: https://gist.github.com/FelixWolf/8d6f2e5835c62747ad7097de4b83db6d To use it, you'll need Tampermonkey, which is a user script client. Basically it lets you run custom javascript on pages so that you can tweak sites how you want them to run. It adds a little block button like this: Once you click that, the thread disappears from view! To unblock threads, go to the top right of the page content and click this: Then click unblock on the thread you want to unblock: Once done, don't forget to click "Hide blocked threads" (in the same location "Show blocked threads" is at, it is a toggle!)
  4. Please do keep in mind that SomaFM does have to pay for servers, as well as "MP3 licenses"(even though the patent is expired, they still trying to get people to pay for it), royalties for the music that is played, and the DJs that work to curate/mix the music. SomaFM *very likely* as advertisements on their website. Residents who place the music URLs in their parcel are likely causing them to lose revenue. If I had a media service, and people took the URL and placed it else where on their parcels, I would likely be upset too, because I pay for the server. In the end, it is SomaFM's servers, they have the final say on what may or may not be done with their bandwidth. In the off chance that some people may believe that Linden Lab should pay SomaFM: It is not Linden Lab who owes royalties to SomaFM, but rather, the residents who choose to play music on their parcels. There are plenty of other media streams out there, as well as the possibility to set one up yourself. I run a 24/7 media stream off a $11.50/mo OVH server, using a combo of open source software, including icecast(Stream server) and Liquidsoap(Source server).
  5. God please no, I hang around furries and knowing what furries do most of the time in SL.. I'd rather not smell that. But if I had to choose what my avatar would smell like, I'd probably end up hacking the values(as I usually do, just check my jira history for a list of times I've broke stuff doing this) and make something that is recognizable but you just can't figure out what.
  6. IIRC, Texture area is basically repeats per square meter summed. It is Second Life's version of Texel Density, which is basically the same thing but for faces. Simply put, Texture Area is the sum of this thing: So for each face of each object, add "Repeats per meter" together, and you get the texture area. Higher texture area means more interpolation. To calculate a texture area, you take the face you want to calculate, and figure out it's world space occupation, then divide that by the horizontal and vertical scale. Because of how this is calculated, I don't think it really works with mesh because mesh can have it's own UVs which are different from texture repeat, so a mesh can have a UV that repeats a million times, but H/V scale don't repeat, so that means it'd show up as the object's size divided by 1.
  7. The USB wall charger that they are currently using, because everyone has a billion of these and they'd have to go digging in their electronics box for another.
  8. You bet! https://agni.secondlife.softhyena.com/stats Actually now that I think about it, I need to change "users" to "residents" for correct terminology. Imma do that while I wait for it to be fixed.
  9. "Police blotter" history: 2005-12-23 - Made available at http://secondlife.com/community/blotter.php 2008-02-06 - Renamed to "Incident Management Report" 2008-04-04 - Moved to http://secondlife.com/support/incidentreport.php, renamed to "Incident Report" 2010-11-08 - Broken 2011-02-08 - Completely removed as part of the website redesign Aside from this, it didn't show much: Community: Incident Report The Second Life Community Incident Report displays the 25 most recent disciplinary actions taken by the Second Life Governance Team. The date shown reflects when the incident occurred. Date: Thursday, April 3, 2008 Violation: Community Standards: Assault, Safe Area Region: FlyinTails Airfield USF Description: Assaulting others in safe region. Action taken: Suspended 1 days. Personally, I'd like to see a return of the incident report.
  10. I have a feature on my web server(Not yet "production ready" because it is my local network) that acts as both a asset CDN mirror and converter to formats designed for consumption by web applications. The way I do it is this: https://gist.github.com/FelixWolf/66e989a1eb1f7fff3be26219c2da561d That code is in python and can download the texture and convert it to png/tga/jpg, as well as extract any comments(which is useful for figuring out who uploaded it, when it was uploaded, what the average color value is, and it's original size before getting resized). The portion you want is where I use imagemagick to convert it from jpeg2000 to png or others: proc = subprocess.Popen(['convert', 'j2c:-', 'png:-'], stdout=subprocess.PIPE, stdin=subprocess.PIPE ) proc.stdin.write(Handle.read()) proc.stdin.close() result = proc.stdout.read() cHandle.write(result) return ( 200, [ ('Content-type','image/png'), ('Content-Disposition', 'inline; filename="{}.png"'.format(Key)) ]+utilNeverExpireHeaders(), result ) which is very much also possible in php (Also posting this because it is what I presume most people use). Probably a bug or two because it is untested and my php is rusty. <?php function handleTexture($handle){ $pConvert = proc_open('convert j2c:- png:-', array( 0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w") ), $pipes, "/tmp/", array()); if(is_resource($pConvert)){ //Write the content to the input pipe fwrite($pipes[0], stream_get_contents($handle)); fclose($pipes[0]); //Read the result $result = stream_get_contents($pipes[1]); fclose($pipes[1]); //Read any errors error_log(stream_get_contents($pipes[2])); fclose($pipes[2]); //Store the status code $status = proc_close($pConvert); if($status === 0){ //Success return $result; }else{ return False; } } return False; } ?> The important take away here is "convert j2c:- png:-" which means to run the convert program from imagemagick, accept a j2c as stdin(-) and output a png to stdout(-). It is EXTREMELY IMPORTANT that you specify a input format, otherwise you can become vulnerable to https://imagetragick.com. If you don't want to output it to stream to further process it, just replace "png:-" with a output file like /tmp/image.png. You can do all sorts of stuff with imagemagick as well, such as resizing if you want to do that: https://imagemagick.org/script/convert.php However, a much better solution is to use libraries that embed it. For me, this works, because I am not doing anything complex and I went over the process spawn to make sure it isn't vulnerable. PHP does support imagemagick, but I haven't used it: https://www.php.net/manual/en/book.imagick.php Pretty sure there is a python binding library somewhere too.
  11. I'll only do a survey "about second Life" in one of two conditions: You do your research on it and also actually go in-world and experience it for yourself, instead of just dropping a form link on the forums and leaving. You pay me like the last survey I did. We see no.1 a lot, which is not enough to do a thesis. Researchers don't research lion behavior without seeing and observing lions first hand.
  12. I'd prefer not to encourage threads that would just end with residents fighting each other. Case and point: every political thread we have ever had. Banning politics as a topic would be a better solution, with telling residents to go in-world to locations that welcome it debate politics(see: politics category in destinations guide). This would beneficial in various ways: Place owner can get moderators dedicated to the specific task of moderating those topics. Better for LL's public image, no more possible scaring away residents by making them think the community is toxic or making residents mad by assumed view on something by locking a topic. Voice. (which some prefer, some don't) More in-world engagement. As a retired moderator on a different site, I can tell you having to keep a eye on a specific thread 24/7 and go to bed hoping that the users behave until you get up is not fun and gets tiring really quick. It is especially difficult when I have other things on the forum that need attention, which was always because the report queue would not stay empty for even 10 minutes. Creating a whole sub forum for it would just be a nightmare for the forum moderators. When there is a place dedicated to the topic, it is different because it is one thing to keep an eye on and that's what the moderator of said place expects to deal with. I particularly didn't like to deal with political threads when I was moderating stuff on said different site(no name because advertising,but clarifying because don't want to misrepresent myself as a moderator), because if I did one thing wrong, people would take it as a view or opinion of myself, or worse, the company. So we just outright banned political topics, closed them with "No politics" and hid them away from view. No one could mistake it as a view or opinion, and we didn't have to deal with users fighting. It was a win/win solution.
  13. Environment settings are assets, as such have to follow the asset permission rules. There is no way to *legally* get a environment setting a region or parcel is using without asking the region or parcel owner.
  14. I worry this will turn into a generalization of SL. You are asking the adult forum how often they have sex. A lot of people don't regular the adult forum, and a lot more who don't partake in sex in SL often outright ignore this forum. That is like trying to do an opinion survey where a majority of the people in a city have the same opinion. So the answer isn't as straight forward as a simple poll. There is a big mix of people on SL, some who play games, some who do asset creation, some who do adult stuff, some who hang out, and some who do business/virtual meetings in SL, just to name a few. And some even partake in multiple of those. Please keep this in mind when making the blog post. Second Life isn't red light district(adult focused game), but rather a world where you make what you want of it.
  15. So for those wondering about a reason, I am pretty sure that I know why: The whole gacha thing in SL, it has kinda turned into Japanese gambling. Gambling in Japan is illegal if it returns money, so they use pachinko balls instead. Players will buy Pachinko balls(L$), and the pachinko balls(L$) are then in turn used to buy plushes/toys/etc(Gachas), where then in a back alley they will allow you to sell said things for money(Marketplace). That's basically what is going on here. People play gachas, then sell their gachas. It is basically gambling and that is why LL is banning it. At first when it was "You get random item" it was fine, but it turned into redemption card re-selling which is the kicker. It doesn't help that various states are trying to crack down on lootboxes either, which is another thing that is going on that'd have a factor in this, and LL can't regulate lootboxes so that only players in X state or country can play, especially since California(where LL is based) is one said state cracking down on it.
  16. It runs arch Linux. You can install Linux builds of the viewer on it, or use proton to run the viewer in a windows compatibility layer. It features both touch screen and control inputs, and with the new control settings being rolled out soon, remapping the controls to the gamepad controls should be a brease. I have pre-ordered the 512GiB model, and will be installing firestorm on it as proof of concept and for mobile SL. Additionally remote play is a feature I will be exploring to see if I can utilize my GPU of my desktop remotely.
  17. I say, let the world warm up. We'll grow oranges in Alaska.
  18. { ParcelAccessListReply Low 216 Trusted Zerocoded { Data Single { AgentID LLUUID } { SequenceID S32 } { Flags U32 } { LocalID S32 } } { List Variable { ID LLUUID } { Time S32 } // time_t { Flags U32 } } } ParcelAccessListReply returns results in unix timestamp, since the bans occur almost instantly within each other, someone with a modified viewer(such as myself, via list export) can see the exact time someone will be unbanned(provided they have access to the ban list). So for example, unpacked it will look like: ID TIME 835096de-9f7e-42d2-b92d-6dc6677f7d8f 1623264689 918ff3eb-e8fe-4cfe-8bff-5963a461962e 1623264689 796b1537-70d8-497d-934e-0abcc2a60050 1623264127 In this example, Saltyalt and Parker Oh were both banned at the same time for being alts, while Chaser Zaks was banned at a previous time a few minutes or so ago for some reason(probably for breaking stuff).
  19. After reviewing the terms of service, I'll admit, I was incorrect about it being in violation. However one can argue that it is disclosure due to the fact when a alt is banned, both accounts are banned and they will have the same ban duration listed in the parcel listing, eg: More precise timestamps can be acquired. For some, this is enough to identify alts. EDIT: Was going to edit the other posts crossing out the violation statements, but apparently can't do that after 24 hours.
  20. That is possible. I suspect they are actually using hash, but I didn't in the example for the sake of clarity. However, even hashed, it still violates the terms of service because it doesn't take long to generate a rainbow table to look up IP address hashes. I have one myself, it is about 63 GiB when stored correctly, and takes less than a second to locate the hash because of how it is stored. There are ways to get around the rules, but I'm not going to mention it here because it'll tell people with bad intents how to get around the rules.
  21. All accounts used below in the example are mine and IP addresses are internal addresses. Here is a example table: KEY VALUE altdetector_127.0.0.1 1623172887~796b1537-70d8-497d-934e-0abcc2a60050 altdetector_192.168.0.127 1623173421~835096de-9f7e-42d2-b92d-6dc6677f7d8f In this example, Chaser Zaks(796b1537-70d8-497d-934e-0abcc2a60050) and Saltyalt(835096de-9f7e-42d2-b92d-6dc6677f7d8f) are already in the area and have clicked the URL already. When Parker Oh(918ff3eb-e8fe-4cfe-8bff-5963a461962e) with the IP of enters the area, they are prompted to visit the URL. They do and this is added to the table: KEY VALUE altdetector_192.168.0.192 1623172926~918ff3eb-e8fe-4cfe-8bff-5963a461962e Now, Parker Oh still has the URL. They can simply change it to /?796b1537-70d8-497d-934e-0abcc2a60050 and it will look up the the key "altdetector_192.168.0.192" and see that a entry exists and that the UUID assigned to that address is "918ff3eb-e8fe-4cfe-8bff-5963a461962e", which since the time is very recent(I presume it is a past 24 hour check because it bans for 24 hours), it will consider "796b1537-70d8-497d-934e-0abcc2a60050" as a alt of "918ff3eb-e8fe-4cfe-8bff-5963a461962e", and eject both Parker Oh and Chaser Zaks. This can be repeated for /?835096de-9f7e-42d2-b92d-6dc6677f7d8f and eject Saltyalt. I should note that script is using a "trust the client" approach and not storing any request history. I have checked this and confirmed it myself. It is the same URL for every person, there is no salt/hashing inside the URL, and it doesn't check if the person is even in the area before it ejects them.
  22. Time to deep dive into this: I just tested it on a testing account. This is exactly what occurs: The user is told to add a experience to their land The user is then told to deed the object if it is group owned Then upon entry of any resident(Checked every 10 seconds), they are told to visit a LSL HTTP URL with a query string matching their UUID(EG: http://simhost-#.agni.secondlife.io:12046/cap/<cap>/?<VISITOR UUID HERE>) with the following message: This is also sent in chat: A "mathematical hash" occurs and detects the alt. The user sees the following message in their web browser: Any alts on the land at the same time and you are kicked with this: So what can I figure out from this? Does it work, yes! (This is both good and bad, bad because it works, good because I get to go all analysis on it, figure out how it works, and figure out how I can use this knowledge to break it) Inspecting the request headers and response headers, cookies are not used. In fact, nothing identifiable is stored on the browser, so that leaves either the user agent, or IP address. Let's rule out the user agent because that's easy to test by simply doing this: felix@crocuta:~$ wget -O- "http://simhost-093042474281521d7.agni.secondlife.io:12046/cap/f2140c12-6696-325b-9e97-a545e8e39ae9/?796b1537-70d8-497d-934e-0abcc2a60050" Still detects me, so that means the IP address has to be used, lets try that in tor. After trying it in tor, IT DOESN'T DETECT ME AS A ALT! So that means it is indeed using the IP address, but it says that it doesn't record it, but it uses a mathematical hash, so what is really going on under the hood? Well, thankfully dataserver is sent to the prim, not specifically a script. So I put in a little bug to watch the dataserver responses and I get this: This is a response from the llReadKeyValue function, which means it follows this format: <status>,<data> With that knowledge in mind, we know that the "1," is part of the LSL function, which leaves us with the data after that: 1623172887~796b1537-70d8-497d-934e-0abcc2a60050 Clearly it is seperated by a ~, so we see a number, and a UUID. The UUID is me. The number is the current unix timestamp(EG: https://www.unixtimestamp.com/index.php). But no information regarding on what the "key" of the value is. Since they mentioned a "mathematical" function, I guarantee you their "mathematical" function is just: llMD5String(llGetHTTPHeader(request_id, "x-remote-ip"),0); Or maybe it is just sugar coated and just stores the raw IP address without MD5 hashing it. Even if it is MD5 stored, because you can easily iterate over all the experience database keys and figure out what what the keys are, you can simply have a rainbow table of every IP address(4,228,250,625 different hashes to index, but this includes reserved IP addresses which can easily reduce the number a lot). My GPU can do around a million hashes per second, if not more. So it'd only take me about 70.46667 minutes or less to figure out someone's hashed IP address. So what does all the techno jarble I just posted mean?: Your IP address gets stored by this, either by hash or just plain text. Either way is bad and I would be able to reverse the hash in less than 70 minutes. Your alts are detected by this, but it is easily foolable by just using a proxy(such as tor) to visit the URL, or by using LSL to llHTTPRequest the URL and make the request from the simulator it's self. You can abuse this to get other people banned from the land by changing the last part of the URL you are given. To ban for example Dan Linden(Sorry Dan!), provided he is on the land as well, but he wouldn't be too happy about alt detectors: /?3de548e1-57be-cfea-2b78-83ae3ad95998. It most certainly violates the Terms of Service.
  23. Posted this earlier in the commerce group, but figured I would post it here as well: I didn't know Ebbe personally, but I had spoke with him once or twice though. He was a really nice guy, and I know he was really liked among his colleagues. Wish I had gotten to speak with him more though. May he rest in peace.
  24. Maybe? Is Internal Monologue like: "hmm wot to do" and just general thinking to yourself? If so, yes.
  25. I'm not sure where you are getting Mallchimp, Maiichimp, or Malchimp from. The domain used was mc.secondlife.com and list-manage.com. Second Life's domain is subject to these issues alone, I can easily type "secondlife secondlife secondllife secondlife secondlife sec0ndlife secondlile sesondlife secondlife seconcllife secondlife secondlife" etc. Can you count how many "alternative spellings" are listed in there? Phishing is a problem, it has always been one, and will continue to be one no matter how good we make computers and how well we teach users. However technology has been improving to make it more difficult to phish, including various techniques such as machine learning to filter out, and users are slowly learning they need to be careful. One thing I try to tell people is: If at all possible, if you get a email, don't click the links, instead navigate directly to page by going to a bookmark that you keep or by typing in the URL manually, and if you are ever suspicious, check the SSL certificate and see who it is signed to. Simply put, you should always be careful what you click.
  • Create New...