Latest Neighbourhood Watch Updates

14 03 2011
zFire Xue is panned on his own gossip forum

zFire is a victim of his own nasty forum

I have always said the neighbourhood watch is one of the nastiest things on zFire’s site. Right now, however, I am enjoying it.

I expect zFire will delete these when he sees them. We are not meant to criticise him after all.

Does Anyone Still Trust zFire Xue?

12 03 2011

Since this time yesterday when zFire was hacked in response to his foolish challenge to test his (pathetic) security, it seems he has been hacked again – at least once. A whole bunch of SQL tables, or maybe even the entire database, was dropped in what looks like yet another SQL injection attack. It is clear that zFire has been genning up on avoiding SQL injection attacks. Keep reading zFire … you will get there eventually.

But not before it is all too late. The password-outing functionality, and indeed the veracity of the video we carried this week, have been confirmed by the hackers from last night, who released their findings to the Alphaville Herald. It may be they attempted to contact us with the information first, for which I thank them, but I think the Alphaville Herald is a good place for that report.

Yesterday’s hack was still annoyingly obvious – and today’s more so. I can allay some fears, however: I understand that significant quantities of false data have been injected into that database by yet another person or persons who understood the security vulnerability well enough to do this. This same source suggests that zFire was about to manually add the names of all members of the inworld GreenZone users group to the list of “known copybotters” [sic]. Attached is the evidence provided – snipped away are well over 1000 names taken from the group membership.

Letter to zFire Xue from Merlin Swordthain

Since today’s hack the forums appear to have had it, although it looks like there was a recent database backup. If anyone else is thinking of cracking this database, I should point out that it’s no great challenge, but at this time the working database is zFire’s biggest albatross. It shows he has been a very, very bad boy, so please do not be tempted to take it offline. False IP address reports will do no harm though.

To end on a lighter note, Theia was confused by this remark from new RedZone poster arooga:

by arooga » Fri Mar 11, 2011 1:48 am

I would like to have crackerjack’s babies for the way he got Theia Magic
Done Up Like A Kipper she was, hung by her own petard

Her comment to that was amusing, but this is even more amusing in the light of this:

Arooga is Crackerjack

[Edit: Someone challenged the image showing that Arooga is Crackerjack, saying anyone could have written that on the forum. I edited down the screenshot I was given and now include a bit more to show this was a message sent directly to zFire. The message and the screenshot predate Friday's crack on the database.]

It seems Crackerjack, in an attempt to beef up his security by changing his email address, locked himself out of that account. He decided Arooga would be fun for alt games. Strange from someone who finds alt outing so important.

So Arooga wants to have Crackerjack’s babies? Nice to see him getting in touch with his feminine side.

Hack…or Cover Up

11 03 2011

A few minutes ago someone pasted a link on a group to Merlin Swordthain saying that someone had hacked his account on the isellsl forum. As I was browsing the forum the whole site died.

It may be that someone took zFire up on his challenge to beat his security. I hope not really. But if they did, we could see quite an extended outage!

Move along now…there is nothing more to see.

Oh, but another theory: Merlin may have been watching for the posting of that URL. This may have been an attempt to bow out graciously – take the server down when people will think it is hacking… blame the griefers and walk away.

Either way – RedZone could be gone.

EDIT 3:12 SLT – This is a confirmed crack on the database.

zFire had posted this earlier:

Originally Posted by zFire Xue
Let me be very clear when I say:
zFire did not “underestimate the tech savvy community of Secondlife if he thinks they will not [insert illegal hack attack here]…”

My server remains online, DDOS, URL probing, port scans, and seriously did you just try to “NUKE” me on port 139 Mr Germany?
They offer technical resumes, and warnings of everything they feel I did wrong.
My server is still online, even with low tech abuse reports to my ISP, DDOS of 860 million a second (Impressive but pointless), and whatever else.
This therefore means that my server is the most secure server and database in all of Secondlife.
That is a challenge.
Many people have already made battle cries, suggested methods, or claimed not to support methods of hacking.
Bring it on.

I am the guy that logs your shoe size right? Do you think any server software exists that does NOT log the IP, date and time of an attempted cybercrime? Wow this will be fun.

“My computer is bigger than your computer”
Cyber criminals need banning, so please feed attempts to isellsl.ath.cx

His site was actually an exercise in how not to do security, but I am annoyed that this crack was so unsubtle. That’s what happens when you challenge the whole Internet to come hack your server.

zFire Xue Admitting He Hacked SL Accounts

11 03 2011

This video is everywhere now. Thanks, Anastasia, for this upload to YouTube.

Compare it with this one if you have any doubts about who it is.

http://www.youtube.com/user/marskgb006

This was quickly deleted from the RedZone forum:

Re: *knock knock* WTF?

Postby RedzoneGlugGlug » Thu Mar 10, 2011 5:32 pm
Go look up “mars006kgb” on google. Then look at the cache Google has.
Creation date Apr 4, 2008.
Then look up marskgb006. Its creation date is Apr 8, 2008.

Seems those nasty GreenZone folks have a time machine and can go into the past.
Or that they predict an account name 4 days before zFire creates his own account. Then wait almost 3 years before springing into action.
Or perhaps we should go for a long shot and claim that zFire lies. I know it’s unlikely, but it is a remote possibility.

Best laugh of the day though was when zFire categorically denied to a concerned flakseed that this was a video of him – against all the evidence that has been collated to prove that it is. Once again I smell the heady aroma of roasting pants.

zFire “Fractures” himself

11 03 2011

Things are too busy for me to keep up with news on this site, but Samantha Poindexter did a useful summary on the-thread-that-will-not-die. Once again I shamelessly repost it. Feel free to thwack me in my comments if you think that is bad :) :

It hasn’t been that long since the last summary, but another one is totally warranted.
When we left the last summary, SLU and zFire’s forum were abuzz with discussion of that leaked YouTube video.
On the SLU side, people were cross-referencing it with other videos from zFire and Insanity Productions, finding remarkable similarities between the voices and faces of the people therein.
On zFire’s forum, the prevailing opinion was that of course the video was a fake, made by the anti-RedZone griefers to try to bring him down.
The consensus here was that whether the video was real or not, zFire would have to be a complete idiot and/or a pathological liar to address it at all without consulting a lawyer.
So of course he addressed it.
On his forum, zFire explained that of course the video was a fake.
He said that this new account, “mars006kgb”, had nothing to do with him.
He said that he wouldn’t need “mars006kgb”, because he already had “insantiyproductions” and “marskgb006” and other YouTube accounts.
He outlined a vast Green-wing conspiracy, telling all manner of lies to try to bring RedZone down, with this shameless copycat account being just the latest example.
There was just one teensy little catch: the “new” mars006kgb channel page was still cached on Google.
mars006kgb’s account (the “fake” one) was created on April 4, 2008.
marskgb006’s account (the “real” one) was created on April 8, 2008.
For zFire’s claim to make any sense, the anti-RedZone forces would have had to have made their account four days before he did.
On SLU, at least, this is now conclusively settled. The only reasonable explanation is that he (or his team) made both accounts, the video is real, and he’s been lying his ass off to everybody.
On his own forum, zFire has explained that, well, clearly the only possible explanation is that the anti-RedZone forces found a way of hacking YouTube to change the signup date.
Just to be absolutely clear for anybody who doesn’t have a YouTube account… no, that can’t actually be done.
Incidentally, somewhere along the way there, zFire averred that “my server is the most secure server and database in all of Secondlife” and challenged people to try to hack it.
Also, it turns out zFire is publicly listed as a member of an inworld group that presents itself as some sort of computer crime syndicate.
Several highly empathetic members on this forum have expressed sincere concern for zFire’s psychological wellbeing in the wake of all this.
The general consensus is that while zFire may be a bad person, a pathological liar, and/or an evil sack of shit with delusions of grandeur, he’s still a human being and we don’t want him to actually kill himself or anything.
Others have pointed out that pathological liars have the amazing ability not to let anything get to them, so that’s not likely to be a problem.
In other news, Quickware’s website is now advertising services to help you get right back into Second Life, even if you’ve been hardware banned by LL.
It’s also offering the source code for its alt-detector to the highest bidder.

There are plenty of screenshots and copies of deleted videos painting a very clear trail linking the video to the rest of Mike’s RL information – especially the admission from him that those YouTube channels he pulled down are his – so there is simply no doubt it is genuine.

zFire Xue Admits He Hacks SL Accounts

10 03 2011

An anonymous comment on this blog was too good to leave buried in the comments. Everyone take a look at this quickly, because as soon as zFire Xue spots this he will take the link down. Take copies if you can.

Youtube Video of zFire Xue Admitting to Hacking SL Accounts

In this video zFire Xue (the man behind the avatar) tells his girlfriend about a special HUD he has made her which has all the usual (now banned) features of RedZone in it for alt detection, geolocation etc. But it also shows that he harvests possible Second Life passwords of the users of his website. They log in there with real SL names and sometimes type their SL password out of habit. zFire collects these passwords, it seems, and this HUD shows them for any user.

The key bit is where zFire says that in his tests he has found they sometimes indeed use SL passwords by accident.

zFire admits in this video to hacking the SL accounts of some of his customers.

Edit: Some people are asking how we know this is the real zFire as this was posted anonymously without evidence. Take a look at this video of the real zFire (Mike) and see if you agree that the voice and face in the video look the same.

Edit 2: Here is the transcript for anyone with difficulty accessing video. Thanks to people at SLUniverse for typing it up:

This webpage will let you look up basic information about a person at isellsl, as well as if and when they joined isellsl, if they own a RedZone, if they’re on anybody’s RedZone’s safe list, and if they ever got a RedZone demo… which those three things are more useful for me.

What’s useful for you is that this website will also predict people’s Second Life passwords. Now you know how that’s done? It does that based on incorrect passwords that they enter. A lot of times out of habit people of course enter their Second Life username and by habit enter their Second Life password occasionally.

All of the incorrect passwords that they’ve ever entered will be visible. Not everybody has one. Many of them do and in my tests many people have indeed entered their Second Life passwords. So that’s here.

A little useful thing I am also going to make it display are people’s real world locations. For us only, that will be very interesting. Nobody else can access this page at all; only me and ze. Anyway that is all for now. I do have another page I’m gonna make for you. But here’s this one for now.

More Adventures in Second Life

9 03 2011

As followers of this blog know, on the 10th of February I wrote about my adventures with RedZone, revealing the ridiculously insecure way the spyware collects data. This elicited a furious coding effort by zFire, who tried valiantly, to the best of his ability, to plug the hole I had exposed here (which, it seems, had already been widely exploited by people intent on poisoning his database). On Sunday 13th February zFire rolled out a new version of RedZone with some new improved encryption. It was another week before he fixed everything else he broke. As I said in a post on 13th February, it was extremely hard to find a RedZone to scan me with the new improved system. But I tried valiantly, and in fact I did manage to get scanned once.

As it turns out, once was enough. Within a couple of hours I had cracked the new encryption, which was pretty much as clueless as the last one. I did not mention this at the time though, as I was enjoying watching all the RedZone updates, and in any case, why let the “enemy” know what we know?

However others have also posted on SLUniverse that they have cracked this encryption, and what it contains. (Waves to Walker. We really should find a way to chat sometime!) This being the case, and as RedZone is on its last legs, I thought now would be a good time to blog about my findings.

So here is how zFire used the best of his ability to fix his encryption. You will remember that the previous encryption was a straightforward monoalphabetic substitution cipher – much like a Caesar cipher. It can be decrypted by hand rather easily. zFire decided he would fix this by replacing it with… another monoalphabetic substitution cipher!

Here it is. The first line is the plaintext alphabet, the second line is the ciphertext alphabet (each character is replaced by the one at the same position in the second line):


=./&%0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX-
tuQtlikJ0x&raL39qhM.%VW8eDNRU62P=XH5/vFKgBSYnG_bdjsAEfmw4Cp7O1Iyc-

Good job zFire!

Oh but he added an extra couple of features to make it really difficult! These were:

  1. He concatenated all variables together into a single ciphered string so that everything was now encrypted. He did not notice that this – if anything – makes the code easier to break.
  2. He wrote the string backwards. That was cool. That took me almost a minute to spot!
  3. He actually got a clue and inserted a transaction ID. He did not need to encrypt the transaction ID – its very existence is the single most important thing he could have done to help prevent false data being reported into his database. This was the piece of information I decided not to mention in my previous article.

I must say I was quite disappointed when I saw the transaction ID. Easy banning of Boris Gothly as a copybotter was now not on the cards (and yes, we did spot that the ban had worked, zFire! Just in answer to your message on this forum that the previous code did nothing).

What must now be happening is that the RedZone device itself reports back avatar scan information, which is given a transaction ID. This report contains the data that was previously reported in the GET request fed to your client. Your client then confirms a couple of points of information and also supplies the IP address and User-Agent for the scan (if you open the parcel media URL).

So what can we do? We cannot intercept the scan information and change it, and having media off already ensures that your IP address is not sent back to the database.

The answer comes from silly RedZone users themselves, because they have requested the option to ban all those terrorists and malcontents who dare walk into a sim with their media off. How does RedZone know that the media is off? Because one half of the scan is sent back to base from the sim, and the other half from the client using the parcel media hack. Failure to receive the second half of the transaction from the parcel media hack indicates (not too reliably) that parcel media is off, or that the client is blocking the request in some other way. After a while, these people get ejected from the sim for the audacity of not connecting to a content stream that provides them with no content!

But what would happen if you could fool the sensor into thinking someone else was on sim who was not really there? Then RedZone would record their names and information, and eventually ban them from a sim that uses the media-off ban. Now that could be fun.

And here we have to cue a techy friend who wishes to remain nameless. This friend had been observing RedZones for some time and had discovered how to listen in on the RedZone probe communications with the base unit. RedZone, like any script, can only scan within a 96 metre radius of its location, so those full sim scans are handled by flying probes that jump around the sim doing multiple 96 metre scans and then report back to the base unit with an llRegionSay() call on a secret channel.

As it turns out, that channel differs for different installations, but once chosen it is set. If you can find the channel of a RedZone device, you can listen in on the communication, and even send back your own communication to it.

Discovering channels is not a trivial thing to do as you have to create a lot of channel listeners listening (on a rotating basis) on all possible channels until you observe chatter. You can create a lot of listeners, but you still need scripts to close old ones and open new ones and a bit of patience. Fortunately RedZone probes chatter a lot, so one of the freely available channel scanners should find the chatter without too much difficulty.

Having found the chatter, my techy friend presented me with some data that looked like this:


[21:21] MystiTool HUD 1.3.1: (xx) [zF RedZone v4.1.7 - Ch.36411517]: Probe go to~
[21:21] MystiTool HUD 1.3.1: (xx) [Object - Ch.36411517]: ghJKhKk pmKlo aP.GGP.r-rLP0~q0Lq-MBMBrq0q-8xBBjjXah-sshowrGkjsIlswKS~dsjwUAksadlsLkKsahsjswsa-XZXs~q0lq-rrahHasea-JJ8xBah9X-sQqjhJk3Xr0JqsoiS~o=jqaDa=3483aB 0eBqawS 0MoMX9S

I looked at it and at first I was stumped. This looked like zFire’s normal clueless ciphered encryption, but the normal markers that made it easily crackable were missing. I knew there should be a UUID in there but nothing obviously fitted the pattern of a UUID.

Thus for the first time I actually had to ask for more data to crack the encryption. My friend (and his friend) collected me a whole load of additional data, and when I took a good look at it I spotted that some characters did not change from one scanner to another. Eliminating the non-changing information was the breakthrough. Once I removed the junk (every second letter), this was clearly just another of zFire’s backwards ciphered strings, and I already had the code to decrypt it.

Here is my rough and ready decryption script:

integer mychannel = 2 ;
integer listen_handle ;
//
// Plaintext alphabet and zFire's ciphertext alphabet, position for position
// ('-' and ' ' map to themselves).
string clearText  = "=./&%-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX " ;
string cipherText = "tuQtl-ikJ0x&raL39qhM.%VW8eDNRU62P=XH5/vFKgBSYnG_bdjsAEfmw4Cp7O1Iyc " ;
//
// Look baseChar up in fromAlphabet and return the character at the same
// position in toAlphabet. A character outside the alphabet is passed through
// unchanged (llSubStringIndex returns -1 for it, and llGetSubString would
// otherwise have returned the last alphabet character for index -1).
string substitute(string baseChar, string fromAlphabet, string toAlphabet) {
    integer pos = llSubStringIndex(fromAlphabet, baseChar) ;
    if (pos < 0) return baseChar ;
    return llGetSubString(toAlphabet, pos, pos) ;
}
//
default
{
    state_entry()
    {
        listen_handle = llListen(mychannel, "", llGetOwner(), "");
        llOwnerSay("Type /" + (string) mychannel + " encryptedstring to see decryption") ;
    }
    listen(integer channel, string name, key id, string message)
    {
        string resultstr = "" ;
        string unstegtext = "" ;
        integer msglength = llStringLength(message) ;
        integer i ;
        // The real characters are every second one. Reading them from the
        // back also undoes the reversal. LSL indexes from 0, so the last
        // character is msglength-1 and the last real one is msglength-2;
        // the original loop started at msglength (out of range), which
        // looked up an empty string in the alphabet (position 0) and
        // produced the spurious leading "=" in the output below.
        for (i = msglength - 2 ; i >= 0 ; i -= 2) {
            string c = llGetSubString(message, i, i) ;
            unstegtext += c ;
            resultstr += substitute(c, cipherText, clearText) ;
        }
        llOwnerSay("de-interleaved: " + unstegtext) ;
        llOwnerSay("cleartext     : " + resultstr) ;
    }
}

It decrypted to something like this:


=add Obj Marker 1f15f287-e582-46d1-a212-ac5b0f0598f1 0a714cfa-c819-4cfb-bc7a-a66368918ed2

Notice the UUIDs. One is the UUID of the person detected and the other appears to be the RedZone device owner’s UUID.
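The weakness described above, modelled in Python as an added example (not code from the original post or from RedZone): the substitution table printed above plus the reversal and the constant interleaved junk, followed by the two observations that break it with no key material at all; a UUID's 8-4-4-4-12 shape survives a monoalphabetic substitution, and a device owner's own UUID is a known plaintext that hands back part of the key. The report layout, the PAD string and the reuse of the two UUIDs above as sample data are constructed for this example.

```python
"""Added example (not code from the post or from RedZone). Substitution table as
printed on the page plus the '-' and ' ' entries from the LSL script; the report
layout and PAD are constructed for illustration."""
PLAIN = "=./&%-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX "
CIPHER = "tuQtl-ikJ0x&raL39qhM.%VW8eDNRU62P=XH5/vFKgBSYnG_bdjsAEfmw4Cp7O1Iyc "
ENC = dict(zip(PLAIN, CIPHER))
# The printed table sends both '=' and '&' to 't', so 't' cannot be inverted
# unambiguously; it is left out of the reverse map.
DEC = {c: p for p, c in zip(PLAIN, CIPHER) if c != "t"}
PAD = "xQzXqZ"  # constructed stand-in for the junk that never changed between scans
UUID_HYPHENS = (8, 13, 18, 23)

def encode(msg: str) -> str:
    """Substitute, reverse, then put one junk letter in front of every real char."""
    rev = "".join(ENC[ch] for ch in msg)[::-1]
    return "".join(PAD[i % len(PAD)] + ch for i, ch in enumerate(rev))

def strip_junk(wire: str) -> str:
    """Keep the odd offsets (the real chars) and undo the reversal."""
    return wire[1::2][::-1]

def decode(wire: str) -> str:
    """Full decryption; '?' marks a symbol the table cannot invert."""
    return "".join(DEC.get(ch, "?") for ch in strip_junk(wire))

def find_uuid_windows(sub: str) -> list:
    """Offsets of 36-char windows shaped like a UUID: one symbol at the four
    hyphen slots and nowhere else, at most 16 distinct symbols in the rest.
    Substitution preserves this shape, so UUIDs are locatable without the key."""
    hits = []
    for i in range(len(sub) - 35):
        w = sub[i:i + 36]
        sep = w[8]
        if w.count(sep) == 4 and all(w[k] == sep for k in UUID_HYPHENS):
            others = {w[k] for k in range(36) if k not in UUID_HYPHENS}
            if len(others) <= 16:
                hits.append(i)
    return hits

def recover_key(window: str, known_uuid: str) -> dict:
    """Known-plaintext step: a RedZone owner knows their own UUID, so pairing it
    with the matching window yields cipher->plain for every symbol in it."""
    key = {}
    for c, p in zip(window, known_uuid):
        if key.setdefault(c, p) != p:
            raise ValueError("inconsistent pairing: not a simple substitution")
    return key

def demo() -> dict:
    """Round trip on a constructed report that reuses the two UUIDs on the page."""
    scanned = "1f15f287-e582-46d1-a212-ac5b0f0598f1"
    owner = "0a714cfa-c819-4cfb-bc7a-a66368918ed2"
    wire = encode(f"add Obj Marker {scanned} {owner}")
    sub = strip_junk(wire)
    windows = find_uuid_windows(sub)               # [15, 52]
    last = windows[-1]
    key = recover_key(sub[last:last + 36], owner)  # 15 hex digits plus '-'
    return {"wire": wire, "plain": decode(wire), "windows": windows, "key": key}
```

Running demo() recovers 16 of the 67 table entries from a single report and one known UUID; the remaining entries fall the same way once any other known field is lined up.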

So to add additional people to a sim is easy. Just write a script that uses llRegionSay() on the sim with the detected RedZone probes which inserts random UUIDs of people, or UUIDs of a hitlist of RedZone owners, and all these people appear to be sim visitors. As none of them are actually on sim, they clearly never send back the second GET request with their IP address, and after a while, RedZone bans them.

Well anyway it amused me.

zFire – would you like to go and fix your software again? Or do you think you are ready now to call time on your illegal collection of personal data?

A final word: there is an additional attack, and this one I believe has been used by someone (I really don’t know who) for some time to poison the RedZone database. RedZone stores the IP address from the scan from the client – but suppose a clever coder intercepted those scans on their computer and quickly constructed a URL and fed this to an inworld object that collected it using an llHTTPRequest() with a correct transaction ID? In that case the GET request would come from the sim IP address, and anyone doing this in the same sim would become alts of one another in the database. Nice! But flawed in a few ways (which I will not mention for reasons of space) so I did not pursue that myself.
