Avoiding Redzone

This page is being left up for historical perspective and to provide pointers for avoiding similar software. However, all RedZone devices are now defunct. They cannot harvest your data and their creator is in jail. There is no need to avoid RedZone itself any more.

Keep in mind that there is NO WAY to avoid being scanned by a RedZone no matter what they claim, unless you are a Linden.

So says zFire Xue on his RedZone site to spyware owners panicking about the effectiveness of Greenzone, the free Redzone detector.

To be clear, Greenzone works, but zFire is right that by the time Greenzone warns you of Redzone spyware on a sim, you have already been scanned. He is telling fibs, however, when he says you cannot avoid being scanned (he tells lots of fibs. His ability to con people somewhat surpasses his abilities as a programmer).

Second Life marketplace has some very expensive notecards which will tell you exactly how to avoid being scanned. But to save you the money, here is what you need to know.

If you are (rightly) concerned about Redzone spyware, there are three steps you can take to protect yourself.

1. Disable Media

Redzone uses a security hole in SL Parcel Media. To avoid this security hole, switch off your media settings.

Click edit/preferences and click “audio and video”. Uncheck “enable streaming music”, “enable streaming media” and also “automatically play streaming media” in the settings. Also do not allow scripts to control your media settings. This is the best defence against redzone and other spyware devices.

Unfortunately there is a problem. Some land owners use redzone in dance clubs. The enjoyment of these clubs can be somewhat marred by unchecking your media settings! What else can you do?

2. Disable Cookies

Click edit/preferences. Click the web preferences option and uncheck the “accept cookies” checkbox.

This on its own will not help much. Do it anyway though. Cookies are not good for your privacy!

3. Block isellsl.ath.cx

This tip will stop redzone dead. Be warned though that at some point zFire will read this blog (you will know he has done so when he adds a comment claiming this doesn’t work. See above regarding fibs). Until he works around it, blocking isellsl.ath.cx will kill all known redzones dead. They will not be able to fool you into sending data back to base because the system relies on your client sending an HTTP GET request to that site.

The obvious workaround will be for zFire to change the site DNS name (although this is a pain in his butt because he has to roll out the change in a new version of the software; also, he is using a free DNS service that limits the number of domain names he can have unless he starts paying for them). If and when he does this, the block will no longer protect you. For maximum security, keep streaming media off except on sims you trust. Greenzone can help you decide whether it is safe to switch on streaming media, but it's an arms race with spyware writers. Whatever Greenzone detects, zFire will attempt to work around. Media off is safest.

EDIT: zFire has been reading this blog, and others have been contributing new domains that he owns and that could be used for RedZone. It will do no harm to add all of these, but I have only observed RedZone attempting to use isellsl.ath.cx and isellsl.com. The latter appears to be broken though. The domains hamlinpro.com and girlsofthevip.com resolve to zFire's Mac that he uses for harvesting, so they could be used. zfire.isellsl.com resolves elsewhere but he could update it to point home. Thus if you are updating your hosts file now, I advise adding all the domains, but there is still no evidence that just blocking isellsl.ath.cx will not protect you completely.

How do you block that site?

There are several ways. If you have a firewall you may be able to just blacklist the site for outgoing connections. Thereafter all data to the site will be dropped. Test this by loading the site in your web browser. If you see the site, the block failed. Keep playing with your firewall.

But the other quick and dirty fix is to add these to your hosts file:

127.0.0.1 isellsl.ath.cx
127.0.0.1 isellsl.com
127.0.0.1 zfire.isellsl.com
127.0.0.1 girlsofthevip.com
127.0.0.1 hamlinpro.com

In Linux or on a Mac, you need to open /etc/hosts in your favourite text editor and add these lines.

If you are not sure how, here is the step by step instruction on a Mac. The instructions for Linux will be almost identical, depending on flavour. If you are running Linux you probably know how to do this already.

Start Terminal (type terminal in search if you never used it before)
In the terminal window type:

sudo emacs /etc/hosts
(enter your password when asked)
Use arrow down keys to move to the end of the file
add:

127.0.0.1 isellsl.ath.cx
127.0.0.1 isellsl.com
127.0.0.1 girlsofthevip.com
127.0.0.1 hamlinpro.com
ctrl-x and ctrl-s to save the file
ctrl-x and ctrl-c to exit

On a Windows based PC, the file is in your WINDOWS folder (whatever that is called, but assuming it is C:\WINDOWS):

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

If you edit in Notepad, take care it does not gain a .txt extension. The file should have no extension. You probably need to be logged in with administrative privileges to change this file.

Again test the block by going to the website. If you see the website, keep trying or post a comment here.
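A way to check the hosts file itself in addition to the browser test, as an added example that is not part of the original post: it parses hosts-file text and reports which of the domains listed above are actually pointed at loopback. The function names and the sample file are constructed for illustration.

```python
import ipaddress

# The five domains this page lists for blocking.
REDZONE_DOMAINS = ["isellsl.ath.cx", "isellsl.com", "zfire.isellsl.com",
                   "girlsofthevip.com", "hamlinpro.com"]

def parse_hosts(text):
    """Map each hostname in hosts-file text to the first address listed for it."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments, split on whitespace
        if len(fields) < 2:
            continue                              # blank, comment-only or malformed
        for name in fields[1:]:                   # one address may carry several names
            mapping.setdefault(name.lower(), fields[0])
    return mapping

def audit(text, domains=REDZONE_DOMAINS):
    """Return {domain: 'blocked' | 'missing' | 'not-loopback'} for a hosts file."""
    mapping = parse_hosts(text)
    report = {}
    for domain in domains:
        addr = mapping.get(domain)
        if addr is None:
            report[domain] = "missing"            # hosts entries match exact names only
            continue
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            loopback = False                      # not a valid IP address at all
        report[domain] = "blocked" if loopback else "not-loopback"
    return report

# Constructed sample: the four-entry list from the Mac steps, with the fifth
# domain present only as a comment, so it is not in effect.
SAMPLE = """\
127.0.0.1 localhost
127.0.0.1 isellsl.ath.cx
127.0.0.1 isellsl.com
127.0.0.1 girlsofthevip.com
127.0.0.1 hamlinpro.com
# 127.0.0.1 zfire.isellsl.com
"""

if __name__ == "__main__":
    for domain, status in audit(SAMPLE).items():
        print(f"{status:13}{domain}")
```

To check a real machine, pass the contents of /etc/hosts or C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS to `audit()`. A hosts entry for isellsl.com does not cover zfire.isellsl.com, which is why each name needs its own line.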

Take care and stay safe.

23 responses

12 02 2011
Katrina Swales

I am currently making a 3rd Party viewer, that will avoid any media URL on a blacklist updated on logon. Hopefully without a major redoing this should block all redzone like products, with a good enough blacklist

12 02 2011
RedZone – security, scam, or scraping? | Living in the Modem World

[…] updated should the domain change. However, there are concise instructions for doing this on both Windows machines and Macs and for Linux […]

12 02 2011
no2redzone

Katrina, when you are done I will place a prominent link on this site. Thanks.

However, my own preference is for a viewer that pops up a third party media warning, as new redzone clones could pop up or zfire can change the address of his spyware collector, and there would be a window of opportunity to scan users before it was spotted and the blacklist updated.

Seeing “do you want to collect parcel media from isellsl.ath.cx?rz2.php?e=pscan…” etc. is a dead giveaway you are being probed, because parcel media URLs do not need all those odd looking variables to be passed after the question mark.

Thanks again

15 02 2011
Katrina

Yeah a warning would be good for those who know what they are doing, however to most people, it is just an annoyance, think Vista/7 UAC. A silent Blacklist however, pleases most people, I am trying to get this implemented fast, I may make an update to do that option later (building this based on Phoenix Firestorm code, though I hope to also add it to the earlier Phoenix later)

13 02 2011
anon

@no2redzone,
I believe it would just be blocking the isellsl.ath.cx domain and not the address (and any other domains on the blacklist)
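The two approaches discussed in the comments above (a silent blacklist and a third-party media warning) combined in one check, as an added example that is not Katrina's patch or any viewer's code. The function names, the three verdicts and the sample URLs are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Domains named on this page; a real blacklist would be refreshed at logon.
BLACKLIST = {"isellsl.ath.cx", "isellsl.com", "zfire.isellsl.com",
             "girlsofthevip.com", "hamlinpro.com"}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def screen_media_url(url, blacklist=BLACKLIST):
    """Return 'block', 'warn' or 'allow' for a parcel media URL."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", url, re.I):
        url = "//" + url                       # scheme-less URL: force host parsing
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "warn"                          # cannot tell where the request goes
    # Silent blacklist: match the host itself or any parent domain.
    if not is_ip_literal(host):
        labels = host.split(".")
        for i in range(len(labels)):
            if ".".join(labels[i:]) in blacklist:
                return "block"
    # Warning: a raw IP address sidesteps a name blacklist, and a query string
    # is the giveaway described in the comments above.
    if is_ip_literal(host) or parts.query:
        return "warn"
    return "allow"

# Constructed sample URLs (not captured traffic).
SAMPLES = ["http://isellsl.ath.cx/x.php?k=v", "http://cdn.hamlinpro.com/a",
           "http://203.0.113.7/x.php", "http://media.example.org/clip.php?id=1",
           "http://stream.example.net:8000/radio"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{screen_media_url(u):6}{u}")
```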

14 02 2011
Someone

There’s actually a few more domains linked to the same place RedZone is operating from.

http://www.sluniverse.com/php/vb/general-sl-discussion/55250-how-stop-zf-redzone.html

The complete list thus far for a suitable hosts file block is:
127.0.0.1 isellsl.ath.cx
127.0.0.1 isellsl.com
127.0.0.1 girlsofthevip.com
127.0.0.1 hamlinpro.com

14 02 2011
no2redzone

Thanks for the information. I had just spotted today that isellsl.com is still in use on a sim. I did not have the other two.

I have updated the page with the fuller information.

17 02 2011
Katrina

Well I will be making available tomorrow, a patch for Phoenix firestorm, and an ‘Example’ Blacklist file, will post links and later, patches for 1.0 as well. and if can get some hosting, actual downloads too.

17 02 2011
Katrina

https://jira.secondlife.com/browse/VWR-24746
Patch for firestorm uploaded to there, Will make more patches available, and maybe actual compiled viewers, at a later date (but soon)

17 02 2011
Tweets that mention Avoiding Redzone « no2redzone -- Topsy.com

[…] This post was mentioned on Twitter by Jesse the Mutt, muttinthestacks, Bashful Pixie, Mickey Vandeverre, Avril Korman and others. Avril Korman said: oh ffs: Look people- if you want to stop RZ from scanning you GO HERE https://no2redzone.wordpress.com/avoiding-redzone-3/ Read. Do. #SL […]

19 02 2011
Spies, Lies & Cold Hard Cash: Second Life Erupts In a War Over Privacy | Nichehosters: Web Design, SEO and other Tips

[…] Unfortunately, space considerations (I’m way over my usual word count already) don’t allow me to create an exhaustive exploration of this entire issue — it really is huge. However, if you are simply interested in stopping RedZone’s ability to scan you, go here, read this, do that. […]

20 02 2011
bronxelf

There’s a new one, as posted by Boy Lane here: http://www.sluniverse.com/php/vb/general-sl-discussion/55250-how-stop-zf-redzone-8.html#post1156335

(it’s zfire.isellsl.com for the shortcut.)

20 02 2011
Privacy War in SL « Acoustic Alchemy in Second Life

[…] to Avoid RedZone at […]

21 02 2011
Emilly Orr

Katrina,

I see the patch–I have no idea WHERE it would go in the client. Help?

28 02 2011
Siana Gearz

It goes to a viewer developer who can apply the patch against viewer source, fix it to work on his particular flavor of viewer if it’s not the exact same viewer as was used by patch developer, and then compile the viewer from source.

23 02 2011
Inuko Arashi

I bought the stupid system a couple months ago and now am in the system along with friends of mine who didn't want their alts publicly known… Stupid me -_-

25 02 2011
Debbie

Is there a list over places that use RedZone?

11 03 2011
zFire Xue

So now I am a liar when I said there is no way to avoid a scan?
Do tell the copybot community how to avoid an anti-copybot scanner that uses llSensor();
You're doing a great job in educating copybot users on how to avoid such anti-copybot systems. Now if only LL would use some of the same methods to filter you people and your underground viewers off the grid.

11 03 2011
no2redzone

Mike, what are you doing posting here right now?

Go home. Someone is attacking your computer.

Seriously!!! Go now.

11 03 2011
Innula Zenovka

zFire, you are being disingenuous.

Certainly, there’s no way to avoid a scan with llSensor, unless you’re a Linden, but what of it? It’s very easy to avoid having your ISP scanned, which is what I thought was supposed to distinguish your system from the others.

One of your big selling points was, or so I thought, that griefers or people you’ve previously caught ripping stuff couldn’t simply roll up a disposable alt after being ejected, because your system could do some stuff with llParcelMediaCommandList to get their isp and match it to that of the chap who’s just been banned.

Well, if the chap’s set his viewer not to respond to the llParcelMediaCommandList call (or is using Sione’s patch), then llSensor’s not going to be able to find out anything that any standard security orb at a fraction of the price can’t find out just as well, is it? Your customers have now got no more way of knowing that the avatar who’s just turned up with media turned off is a bona fide new resident or Neal in disguise than has anyone else.
