What was zf Redzone? (updated 7/7/11)

1 02 2011

zf Redzone was a Second Life spyware product that used a security hole in the software from Linden Lab to collect and collate user profiles of the users of the service recorded against IP addresses. The software attempted to do two things:

  1. It attempted to identify people using unapproved viewers by looking at the browser User Agent setting in the viewer. It labeled any viewer using an unorthodox user agent as a “copybot” (i.e. a malicious user attempting to make unapproved copies of in-world creations of other users). Needless to say this was easily bypassed by actual malicious users (who generally make their viewers respond like the genuine article), whereas developers or anyone having the audacity to modify the user agent got labelled as copybots and banned from all Redzone sites. The maker of the software also added people manually to the copybot list if they annoyed him, and they thus earned bans on all sims using the product.
  2. It attempted to identify alternate accounts (alts) by matching IP addresses of users. Needless to say this was naive in the extreme, as use of web proxies is extremely widespread, and shared DHCP ranges often cause IP address sharing between unwitting users of the same ISP. The maker of the software rather disingenuously claimed that false positives were probably known to the malicious users and therefore malicious themselves.

Additionally, the maker of the software was secretly harvesting the SL passwords of his own users where those users accidentally or deliberately entered SL passwords against their SL username when logging in to his site. Many of those users also used the same passwords for their alts, who – as noted above – were also being identified by this software.

The utility of Redzone was limited and its risks very high, but many were suckered into paying the rather high cost of this spyware for what they perceived as the ability to discover the alts of other users. This raised a number of privacy concerns and related legal concerns, and Linden Lab specifically changed their terms of service to make it clear that sharing of alt information in this way was not permitted on their service.

Concerns were dismissed by the RedZone author as being inconsequential. His argument that sim owners have a right to protect themselves from the alts of people they have banned from their sims for whatever reason carries some merit – with one very large caveat: those sim owners should have been up front about the spyware and its purpose, and allowed opt-in access – access the simulator if you are content to be scanned, or leave if you are not.

It is the fact that Redzone did not give that choice, but secretly collected data through a security vulnerability in Second Life software that made this spyware and not a security tool. The spyware was operated by a US felon (criminal), and he is now back in prison – at least in part because of his spyware operation.

18 responses

3 02 2011
Fart Admiral

Thank you very much for this excellent article! May we add a link to the next release of GreenZone?

4 02 2011
no2redzone

Yes, certainly. I will be adding more links to Greenzone in my blogroll too.

zFire has attempted to create a new stealth version of redzone yesterday. Previous attempts by him have failed to hide his software from Greenzone, but you may want to check out what he has done. The scripts and prims have all been renamed.

7 02 2011
SecurityGal

One more key step — disable cookies. Reports are that redzone also tries to place a unique id cookie in your browser, then looks for it the next time it sees you.

9 02 2011
go rz!

Laffs. too bad. you been tagged by RZ. I loved it when you tried to go to my region and got banned. ROFLmAO!
Yer a copybotter who thinks a smear campaign is going to work lol

Guess again your campaign is selling it more and more Why? people are tired of the social scammer like you..
Get a life. A third Life

9 02 2011
no2redzone

Hello “go rz”. Just to confirm:

1. I have not been tagged by RedZone. A recent scan revealed to me that I am listed with 5 alts, but none of them are me. Go RedZone. Nothing like misinformation.

2. I have not been banned from any region so I don’t know who you think went to yours. It certainly was not me.

3. This “Copybot” canard is very tired. Unlike many RedZone users, I pay for all my stuff. I do in RL too. I am a bit nuts about doing that, because I like to obey the law. Again – unlike RedZone spyware operators.

But of course it sounds so good to call your out group “copybots”. I suggest you go the whole way and do what the politicians do. Let’s just call us all terrorists from now on.

It makes as much sense but sounds even worse. Go on, you know you want to.

9 02 2011
go rz!

I see Greenzone is acting the exact same way Redzone is acting. throwing Places under the bus without knowing exactly who the owner of the rezone is.. What Kind of appeal process do Green zone have for Malls whom may have had a vendor use it on their sim? None??
So because 100 users have access to set and deed objects you throw the whole place under the bus without actual knowledge. Is this not the same Thing green zone says redzone does? Inaccurate info?
The owner discovers this and removes it.. but yet still gets thrown under the bus. Do you think your actions are as fair as redzone?

So as defamation is clearing being done so here and publicized. Do you feel the system is right and the acts you have installed in Greenzone to abuse regions by shouting accusations? What part of greenzone do you feel you are not Invading the privacy of a private sim owners script usage? See you all think yer the ones with the smarts. But you are acting the same lame ass way…
Do not put sims in there unless you actually know the sim owner is the one running redzone. or there could be some nice legal issues dont you think?
Posting on a public website false information and no way to appeal or get it removed. Very interesting habits for copybotters lol

Claim that one service invades privacy but yet make a tool to invade private region owners script usage privacy…

And your tool is built to incite others to break Second life terms of service by

9 02 2011
go rz!

PS I was talking to Fart

Every resident is equipped with the tools to protect their privacy. With the ability to turn off media etc. So really you guys are yelling about what? Your own ignorance and the ability not to protect your self? Why should Everyone else have to deal with your ignorance.

There is no invasion of privacy that you offer up your self. By not disabling these ways of broadcasting you have agreed to Release this info to the services you use.

Your Privacy is your responsibility And Linden Lab Has Clearly given each resident a way to protect them selves. I can sit on a Sim all day long with my alt and Listen to music all day long and have cookies disabled and media disabled and still never get tagged as an alt to my main account.. These claims and ridiculous fear of your privacy is moronic. The fact that maybe your alts were offered up was due to your own ignorance of the tools you use to connect to regions. No one should be responsible for your actions except your selves.
Linden Lab has been very clear about your responsibility to protect your self and that they do not and will not control what others info they collect.

Just like Facebook Privacy settings…. they are there. Use them. Stop the defaming places for your own ignorant actions
Nothing Illegal about Redzone.. everything illegal about defamation

If your info has been collected is because you allowed it.. Plain and freakin simple

The site that lists regions as having redzone should Post the actual owner of the redzone and not the place it has been planted. Or Contact the owner of the sim to see if they are aware of it being used. If Greenzone people want to be as respectable as they say.. Back it up by proper labeling of the owners of the system being used and not the place

16 02 2011
Rooted

I and every other user of SL are entitled to a fully featured SL, including full use of all the LL provided functionality, including media, at all times, with neither interference in our privacy, nor interference in the use of all the features of SL.

You have no right to force on us a choice between privacy or the full suite of media features that LL intend us to have access to. You agreed to a TOS that requires you not interfere with either of these things in respect of other users, yet at any one time, you are interfering with one or the other.

That is not acceptable or moral conduct. It is anti-social.

If you do not like SL with the appropriate land management tools LL put in, or without the ability to snoop and spy on others, then you should not have agreed to the TOS, and you should not even be logging into SL. If you did agree to the TOS and are logging in, then you need to stop interfering with the quiet, private, and full featured enjoyment of SL by other users.

9 02 2011
no2redzone

Once again you seem to be labouring under some kind of misapprehension that you know who I am. So let me be quite clear:

1. I am not in any way connected with the makers of Greenzone. I have linked to their blog because they have produced a very good piece of code that does very well at rooting out RedZone. Nevertheless until the last few days I had not even spoken to any of them, and even now only have spoken to one of them. Heck, I don’t even know their names!

2. You posted this comment after I noticed that the Greenzone list of Redzoned sims was removed precisely because they wish to play more fairly than RedZone spyware operators. I spoke to the only person I know from the GreenZone project earlier and understand that the reason the list was removed is exactly because they consider a boycott of a sim that is an unwilling host to RedZone would be unfair. So Kudos to them.

3. I find it hard to see how any legal action can be countenanced against a website that accurately reports the presence of spyware in a sim. Particularly as the spyware does not otherwise make itself known to people. Note that to bring an action, the allegation would need to be untrue or defamatory, and there would need to be some demonstration of damage or harm.

Of course you claim that “defamation is clearing being done”[sic]. Is it therefore your opinion that the honest reporting that a sim uses RedZone is defamatory to that sim? Do I take it that you now see RedZone use as something that would reflect extremely negatively upon that sim? I take it that you are therefore in agreement it is time this spyware was removed once and for all.

Of course, if you persist with your previous support for RedZone then I presume that you would have to concede that a list of RedZoned sims – rather than being defamatory – would cause people to flock to them as havens of peace and tranquility.

Oh the dilemma!

9 02 2011
no2redzone

gorz said:

“By not disabling these ways of broadcasting you have agreed to Release this info to the services you use.”

This is another tired old canard. My acceptance of the SL Terms of Service is an agreement with Linden Labs. My acceptance that Linden Labs cannot control the logging of IP addresses by the third party merely ensures I cannot hold Linden Labs to account. It does not confer upon some random Michael the right to harvest my personal data unfairly and to sell it to other random parties, without opt-out and using spyware.

Let me make it quite clear again: Logging IPs for normal systems administration purposes is fine. Linking it with other data to create profiles is illegal in Europe. Even if there was some kind of contract or license in place other than the default terms, such a contract would be struck down as the collection of this personal data is illegal.

“Your Privacy is your responsibility And Linden Lab Has Clearly given each resident a way to protect them selves.”

Wrong. I have a post pending on that point. I will do a final edit and post it up.

11 02 2011
Lmao

As the jira posted for this lame issue .. Lindens Clearly said
Oz Linden added a comment – 08/Feb/11 12:46 PM

This is not a viewer issue, and should be dealt with through Support.

Oz Linden added a comment – 08/Feb/11 12:54 PM

Regardless… this is still not a viewer issue.

If you reopen this here, your Jira privileges will be revoked.

that’s a pretty clear. STFU

11 02 2011
Lmao

Let me make it Clear. If Europe does not like our laws in the USA then they can block you. And if you don’t like the laws we have in the USA. then you do not have to connect to the site. Plain and simple….. you chose. and you chose how to protect your self with the privacy tools you are provided. Stop this cry baby bs and take control of your own ignorance.
Screw your european laws. If they don’t like it then they can block USA

Your Laws pertain to servers in your country and country men. They do not and will not ever cancel out laws in other countries
And your freakin User name is not personal and your IP is not personal.. never was.. it is a leased number in which you are borrowing and it belongs to your ISP… It is not yours!!!!! Therefore not personal !!!!

11 02 2011
no2redzone

Let me make it clear. In selling to and gathering data on European citizens, zFire is subject to European law. No need to block anyone. We can bring an action if we consider the case serious enough. There is case law for this.

You say:

“If you don’t like the laws we have in the USA. then you do not have to connect to the site.”

The problem is I am not given that choice. If I am to enjoy the media in an SL music venue, I can be forced to connect to zFire’s spyware site. My only option is to not listen or to leave the sim. But even then, I am given no warning these are my options. The vast majority of people have no idea they are being made to connect to that site. And that is WHY zFire is breaking our laws.

And please do read through the posts and comments on this site about the law. It applies to any data collection and processing making USE of equipment in our countries. My computer is made to connect to the site. The law applies.

You can also read why you have misunderstood the concept of personal data.

Oh I do wish people would read before they speak! it would save them so much pain and humiliation.

11 02 2011
Oh, Please

Oh, please.

Spyware gathers personal information about you. I’m sorry, but your IP address isn’t personal information. Using that term is just ignorance. Using the term knowing what it means and using it anyway is just dishonest.

SL puts you on notice that third parties are going to be tracking your IP address, and their responsibility ends there. If you don’t like this, you don’t have to connect to SecondLife – but wait, there’s more! Even posting on this blog does something – *gasp* – IT COLLECTS YOUR IP ADDRESS. WITH YOUR NAME AND EMAIL, assuming you didn’t use a proxy and you left your real name and email. So it’s actually doing a lot more than what you’re complaining RedZone does. JUST LIKE EVERY PLACE ELSE ON THE INTERNET.

Nothing to see here on that, move along.

That said, the fact that it’s inaccurate and can be spoofed is what concerns me more. A tool that can be filled with garbage data belongs in the garbage.

11 02 2011
no2redzone

If you would care to look at this article:

https://no2redzone.wordpress.com/2011/02/01/redzone-and-personal-data/

You will see that yes, IP addresses linked to a profile in the way RedZone attempts to, constitute personal data. This is particularly true of the “Neighbourhood Watch” part of the site where people are linking defamatory comments against profiled names.

This site collects IP addresses for systems administration purposes. It is illegal for me to attempt to share this information with other site operators in an attempt to build a profile of users. Users volunteer whether to provide a true email address. Most people commenting here are clearly not using true email addresses.

And yes, data inaccuracy is another big minus of RedZone. That is, after all, why Linden Labs do NOT use IP addresses to try to identify alts (even though zFire keeps pretending otherwise).

Thanks for taking the time to comment.

15 02 2011
what the freak?

IP’s tracking is in no way possible to track a person. Most IP addresses are dynamic, therefore changing. If two people in same area use the same provider, they will have same ip from time to time. I don’t know about most users, but i cannot afford a static ip.

Then you get same users in the same house, room mates, spouse, friends, etc. then two people will have same ip at same time. how does that make that person an alt?

sounds like redzone is a scam.

Now to publish false and defamatory information about a person is against US law. So a person who claims I am another using IP proof is defamation of character at least, at most it’s libel as it is written.

Now, speaking of US, it is against SL TOS to publish any private information. That alone is proof that rz is committing a crime. Yes a crime, as he agreed to the SL TOS as you and I did. This means that Linden Labs should immediately ban RZ from sl due to TOS violations, and any that use his products as they are also in violation of TOS.

Please AR all redzone users for SL TOS violations

18 02 2011
Allen Kerensky

I hate being so right all that time.

I brought the breach of privacy problems in Viewer 2 (which this RedZone junk uses) to the Linden’s attention on March 18, 2010.
Just look for my name here – and you can read the Linden response for yourself… “thanks, we’ll look into it.”
http://wiki.secondlife.com/wiki/User_Experience_Interest_Group/Transcripts/2010-03-18

On Linux it is *possible*, but extremely hard, to secure your machine in a way that forces *all* SL web connections to go through a privacy proxy like Privoxy from http://privoxy.org and an IP-anonymizing proxy like Tor from http://tor.eff.org. I have no idea how to do this on Windows or Mac.

First, use privoxy to pass all HTTP/HTTPS requests for *.lindenlab.com *.secondlife.com and safebrowsing.clients.google.com directly to those sites while forwarding everything else to Tor for IP anonymizing.

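/etc/privoxy/config
# Privoxy applies the last matching forward rule, so the catch-all Tor rules come first
forward-socks4 / 127.0.0.1:9050 .
forward-socks4a / 127.0.0.1:9050 .
forward-socks5 / 127.0.0.1:9050 .
# direct connections (no parent proxy) for the sites named above
forward .lindenlab.com .
forward .login.agni.lindenlab.com .
forward .secondlife.com .
forward .safebrowsing.clients.google.com .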

Next, configure IPfilter to direct all outbound requests to the privoxy input port – because the SL Viewer 2 did not (it may now, but not back then) even use proxy settings for media requests… even when proxy settings were configured in the viewer. So – all media requests were going directly out, and IPtables can catch that and redirect those connections into privoxy to put the above proxies into use.

Add rules like this to /etc/sysconfig/iptables
# REDIRECT is only valid in the nat table (the *nat section of this file)
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8118
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8118
-A OUTPUT -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8118
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8118

However, I can think of several ways to defeat even this level of protection.

So, ultimately, the *only* way to be really sure is to run the SLviewer in a virtual machine with a virtual IP, then use your IPtables to redirect *all* traffic on every port from the virtual IP into privoxy to be sorted out.

I tested this in March 2010 and was successful in getting Viewer 2 to force into privoxy and tor so that I could view Media on a Prim over Tor while still logging into SL (which blocks direct connections from tor exit servers to the login.agni.lindenlab.com authentication site).

Somewhere I have a snapshot of Tor’s “be happy you were anonymous” test page, displayed on a prim through Viewer 2.
That’s how I figured out that every outgoing port had to be PREROUTED into privoxy using iptables.

Now you know one of the reasons why I am still on the 1.x viewers.

… and KNOWING… is half the battle. Thanks, G.I. Joe!
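A way to check which route a given host takes under a set of Privoxy forward rules, as an added example that is not part of the comment above or of Privoxy itself. It relies on Privoxy checking forward rules in sequence with the last match winning; the function names, the simplified pattern matching and the host `media.example.net` are assumptions made for the illustration.

```python
# Added example: resolve which Privoxy forward rule applies to a host.
# Assumption: simplified patterns only ("/" matches everything, ".domain"
# matches the domain and its subdomains, anything else is an exact host);
# real Privoxy patterns also allow wildcards and path parts.

def parse_forward_rules(config_text):
    """Return [(pattern, route)] for forward / forward-socks* lines, in file order."""
    rules = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        directive = parts[0]
        if directive == "forward" and len(parts) == 3:
            pattern, parent = parts[1], parts[2]
            route = "direct" if parent == "." else "http-proxy " + parent
        elif directive.startswith("forward-socks") and len(parts) == 4:
            pattern, socks, parent = parts[1], parts[2], parts[3]
            route = directive[len("forward-"):] + " " + socks
            if parent != ".":
                route += " then http-proxy " + parent
        else:
            continue  # not a forwarding directive
        rules.append((pattern, route))
    return rules

def pattern_matches(pattern, host):
    if pattern == "/":
        return True
    pattern, host = pattern.rstrip("/").lower(), host.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def route_for(rules, host):
    route = "direct"  # with no matching forward rule Privoxy connects directly
    for pattern, candidate in rules:
        if pattern_matches(pattern, host):
            route = candidate  # a later match overrides an earlier one
    return route

# Constructed sample configs: same rules, different order.
EXCEPTIONS_FIRST = """
forward .lindenlab.com .
forward .safebrowsing.clients.google.com .
forward-socks5 / 127.0.0.1:9050 .
"""
CATCH_ALL_FIRST = """
forward-socks5 / 127.0.0.1:9050 .   # everything through Tor by default
forward .lindenlab.com .            # then the direct exceptions
forward .safebrowsing.clients.google.com .
"""

def compare(hosts):
    """Map each host to its route under (exceptions-first, catch-all-first)."""
    a = parse_forward_rules(EXCEPTIONS_FIRST)
    b = parse_forward_rules(CATCH_ALL_FIRST)
    return {h: (route_for(a, h), route_for(b, h)) for h in hosts}

if __name__ == "__main__":
    for host, routes in compare(["login.agni.lindenlab.com", "media.example.net"]).items():
        print(host, routes)
```

With the exceptions listed before the catch-all, the login host is also sent through Tor, which is the case the comment says the login site blocks.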

22 02 2011
Katrina

This is NOTHING at all to do with viewer 2.0, 1.0 is just as vulnerable.
