How Does Linden Lab Detect Alts?

10 02 2011

zFire writes some more fibs in his forum today:

If you or any of your alts are LL banned from SL, your other accounts are subject to the same.
LL and zRZ Link alts the same way, for the same reason.
If Person A is not the same human as Person X, but one of them later turns out to be a copybot, a computer would think they are the same.
For security reasons this is good. If they know and trust each other that much and one of them is a CB, it is highly probable that they both are. At the very least one will jump onto the other's account as needed. (If they are banned, blocked or need to pick a fight)

[My emphasis]

Now let us get one thing clear at the outset. What zFire is proposing here is the well-known ad hominem fallacy called “guilt by association”. Consider:

Fred is a thief
Mary is Fred’s wife
Therefore Mary is also a thief.

In law, of course, we would not countenance even a prosecution of Mary unless we actually had some evidence that Mary is a thief. Nevertheless this argument often feels instinctively right to shallow thinkers. Let us consider a variation:

Fred is a wife murderer
Mary is Fred’s wife
Therefore Mary is also a wife murderer.

Now that one is obviously wrong. But many people assume that people who know one another must share their morality and ideals. The idea goes against sound reason, the psychology of human behaviour, natural justice and, often, common sense. But we won’t disabuse zFire of this idea, so let’s move on to the fib.

Once again zFire tells people that Linden Labs detects alts the same way that he does – through IP address matching. We must sadly leave aside his odd belief in sentient computers (no, zFire, computers do not think anything. We leave the thinking to people). Nevertheless he is wrong. Linden Labs know that IP address matching is a terrible way to try to identify alts, and all the evidence I have seen is that they simply do not use it.

Linden Labs are much more clever about what they do. They identify people based on the hardware they use to connect. Not the IP address which gets shared between multiple people who often have little to do with each other. In this way, unlike RedZone, they avoid catastrophes where they would ban entire countries that use shared proxy servers (like RedZone did to the United Arab Emirates).

Specifically, the code in the Second Life clients that authenticates users to the service passes hashed copies (hashing is a type of encoding) of two values: the MAC address and the identifier on your hard disk. MAC (media access control, or link layer) addresses are used to talk to other equipment on a single network link and differ from IP addresses in that they are usually tied to a specific piece of hardware. Both pieces of information are passed back to Linden Labs, who record this and thus know who logged into Second Life on your computer.

This works much better than IP address matching because people have literally shared computers if they match in the database. Nevertheless it is not perfect. If someone is banned from SL, and they used your computer, you may be banned too. In such cases, a polite appeal to Linden Labs, offering proof you are not the same person as the banned one, has historically proven successful for people so affected (I personally know of two such cases).
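The difference between the two linking methods described above, as an added example that is not part of the original post and is not Linden Lab or RedZone code. The login records, account names and addresses are constructed, and requiring both hardware identifiers to match is an assumption made for the illustration.

```python
import hashlib
from collections import defaultdict

def hw_hash(value: str) -> str:
    """Stand-in for client-side hashing: only a digest leaves the machine."""
    return hashlib.md5(value.encode()).hexdigest()

# Constructed login records: (account, source IP, MAC address, disk serial).
# IPs and MACs come from ranges reserved for documentation.
PROXY = "203.0.113.10"  # one shared proxy in front of many unrelated users
LOGINS = [
    ("alice",     PROXY,          "00:00:5e:00:53:01", "VOL-A1"),
    ("bob",       PROXY,          "00:00:5e:00:53:02", "VOL-B2"),
    ("carol",     PROXY,          "00:00:5e:00:53:03", "VOL-C3"),
    ("alice_alt", "198.51.100.7", "00:00:5e:00:53:01", "VOL-A1"),  # same PC, new IP
    ("dave",      "198.51.100.9", "00:00:5e:00:53:04", "VOL-D4"),
    ("erin",      "198.51.100.9", "00:00:5e:00:53:04", "VOL-D4"),  # uses dave's PC
]

def link_accounts(logins, key_fn):
    """Group accounts whose logins share a key; return only groups of 2+."""
    groups = defaultdict(set)
    for account, ip, mac, serial in logins:
        groups[key_fn(ip, mac, serial)].add(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def by_ip(ip, mac, serial):
    return ip

def by_hardware(ip, mac, serial):
    # Assumption: both identifiers must match, like the "mac" and "id0" fields.
    return (hw_hash(mac), hw_hash(serial))

def compare(logins=LOGINS):
    return {"ip": link_accounts(logins, by_ip),
            "hardware": link_accounts(logins, by_hardware)}

if __name__ == "__main__":
    for method, groups in compare().items():
        print(method, groups)
```

IP matching merges the three unrelated proxy users and misses alice_alt, while hardware matching links alice to alice_alt and leaves the proxy users apart. Both methods still link dave and erin, the shared-computer case the post says needs an appeal.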

For the curious geeks or anyone inclined to disbelieve me, below is a snippet of the Second Life client code, taken from the lluserauth.cpp file. I have bolded the key sections. Notice how the MAC address and host id get wrapped up in the XML authentication packet which is sent to the Second Life service at login. Linux users looking at this file themselves will see they have an interesting variation.


strMac.assign(web_login_key.asString());
strMac.append(hashed_mac.c_str());
//
strHDD.assign(web_login_key.asString());
strHDD.append(hashed_volume_serial.c_str());
//
LLMD5 md5Mac((const unsigned char *)strMac.c_str());
LLMD5 md5HDD((const unsigned char *)strHDD.c_str());
//
md5Mac.hex_digest(mac);
md5HDD.hex_digest(hdd);

//
// create the request
XMLRPC_REQUEST request = XMLRPC_RequestNew();
XMLRPC_RequestSetMethodName(request, method.c_str());
XMLRPC_RequestSetRequestType(request, xmlrpc_request_call);
//
// stuff the parameters
XMLRPC_VALUE params = XMLRPC_CreateVector(NULL, xmlrpc_vector_struct);
XMLRPC_VectorAppendString(params, "first", firstname.c_str(), 0);
XMLRPC_VectorAppendString(params, "last", lastname.c_str(), 0);
XMLRPC_VectorAppendString(params, "web_login_key", web_login_key.getString().c_str(), 0);
XMLRPC_VectorAppendString(params, "start", start.c_str(), 0);
XMLRPC_VectorAppendString(params, "version", gCurrentVersion.c_str(), 0); // Includes channel name
XMLRPC_VectorAppendString(params, "channel", gSavedSettings.getString("VersionChannelName").c_str(), 0);
XMLRPC_VectorAppendString(params, "platform", PLATFORM_STRING, 0);
XMLRPC_VectorAppendString(params, "mac", mac, 0);
// A bit of security through obscurity: id0 is volume_serial
XMLRPC_VectorAppendString(params, "id0", hdd, 0);

9 responses

10 02 2011
Verina Resident

Whatever method LL might use I consider somewhat irrelevant. I am confident they would employ acceptably high standards of fairness and responsibility in the use of the data. The whole philosophy behind the development of zfRedzone is tainted by its providing the means of turning the target avatars into bloody screaming piles of bones.

10 02 2011
no2redzone

Indeed. Linden Labs get some flak over their alt identification, all the same. But the key difference between them and fly by night spyware operators is that the user has a TOS agreement with them that they may collect this data as a condition of the licence of service. RedZone offers no such agreement but secretly collects data through a security hole, which is why it is in breach of data protection legislation. Redzone is also a lot less accurate – to the point of being a laughingstock.

13 02 2011
X

[19:56] X Linden: Red Zone is being dealt with. Stuff that requires policy considerations, not just tech considerations, moves more slowly than exploit fixes unfortunately.

13 02 2011
X

“We are aware of this program called Redzone, and it is indeed against our Terms of Service for private information about someone’s account to be given out on Second Life without the owner’s permission. We are investigating this issue and hope to resolve it soon. In the meantime, please file an Abuse Report on the program (if you don’t have a specific resident to report, you can put down Governor Linden) and encourage your friends to do so as well. The more residents who can point out a bad program, the more importance this issue acquires. If you have further questions on this issue, please reply to this ticket.”

13 02 2011
zFire Xue

Great article, too bad you never hacked anything.
Ever notice how your greenzone founder was banned?
Fly by night? RedZone has been around for 2 years+
You have no idea that every website logs IPs do you?
Google, amazon, ebay, etc. Even LL, and wordpress.com
Less accurate than other IP loggers? Nice one. I would like to hear how that is explained.
Great line of bull by the way.

You must really be upset to have spent all that time to convince people zRZ is illegal/bad/etc

Check this out:
http://isellsl.ath.cx/madsci/forum/viewtopic.php?f=8&t=397
Your leader is a copybot.

And
https://jira.secondlife.com/browse/VWR-21305
Samuel Linden added a comment – 26/Feb/10 2:32 PM
We need to thank the resident for bringing this to our attention. We do not consider IP gathering to be an actionable security exploit. This has been possible for quite some time with 1.23 and earlier viewers. Shared Media makes this easier, but we have provided residents with the means to turn off Auto Play. We can communicate that they disable Auto Play if they are concerned about having their IP address logged.

http://secondlife.com/corporate/privacy.php#privacy3
Information Displayed to or Collected By Other Users
Certain account information is displayed to other users in your Second Life profile, and may be available through automated script calls and application program interfaces. This information includes your account name, account type, the date your account was established, whether or not you are currently online, user rating information, group and partner information, and whether or not you have established a payment account or transaction history with Linden Lab. Further, you agree and understand that Linden Lab does not control and is not responsible for information, privacy or security practices concerning data that you provide to, or that may otherwise be collected by, Second Life users other than Linden Lab. For instance, some services operated by Second Life users may provide content that is accessed through and located on third party (non-Linden Lab) servers that may log IP addresses.

20 02 2011
zFire Xue: idiot, liar, thief

Check this out:
http://isellsl.ath.cx/madsci/forum/viewtopic.php?f=8&t=397
Your leader is a copybot.

How many different kinds of stupid are you? What part of “IP address is not a reliable means of alt identification” do you not understand?

Sadly, zFire Xue aka John Hamlin, the truth is that you are not only a complete moron, but also a liar and a thief. And quite a practiced one too, as evidenced by the multitude of other web scams for which you are responsible.

Enjoy your L$ while you can. It might even make up for the time you’re going to spend languishing in prison after your next conviction on fraud charges.

13 02 2011
no2redzone

Ah, zFire fibs. “Too bad you never hacked anything”.

My article was factually correct. I mentioned your data cleansing of IP addresses of course. I am aware how you attempt to tidy up your data so that some matching IP address associations are dropped. I also mentioned how this can have the effect of dropping real associations too.

Have I hacked anything? Well I was merely investigating. Hacking is not my style. Of course, had I discovered this all some months ago, and had I been inclined to hack anything, I might have inserted large amounts of data from multiple IPs and slowly built a web of connection that I later verified using someone’s zRZ.

All you know for sure is that the system is as bad as I say it. Well done on your temporary fix. Would you like me to break it again?

And AGAIN I tell you I have nothing to do with Greenzone, and I pay for all my content. On SL and RL. Unlike you, I respect the law.

14 02 2011
zFire Xue

Again, you have done nothing.
Prove it. Make me link to a linden. Link me to someone shameful.
Link a random Linden to someone shameful.
I am waiting.

This post:
“We are aware of this program called Redzone, and it is indeed against our Terms of Service for private information about someone’s account to be given out on Second Life without the owner’s permission. We are investigating this issue and hope to resolve it soon. In the meantime, please file an Abuse Report on the program (if you don’t have a specific resident to report, you can put down Governor Linden) and encourage your friends to do so as well. The more residents who can point out a bad program, the more importance this issue acquires. If you have further questions on this issue, please reply to this ticket.”

Is just as fake as your blog.

Nice writing skills indeed, but that only butters over the fact that it is not real.
Great attempt at threatening someone.
You only respect the law because you cannot break it.
If your blog were true, that would have been cybercrime. No?

14 02 2011
no2redzone

I do not need to prove it. I have already proven what I did and am content. I describe it in my post.

I am also quite aware that when entering data into such a database, there are certain things that would set off so many alarm bells that it is hard to believe anyone would let the data stand. Moreover I have long suspected you do not allow your software to retain data about yourself.

Nevertheless thank you for the invitation to enter random data into your database.

The post you say is fake is not my message. When I gave it some prominence I made it clear that it was unverified. However you no more know it is fake than I know it is genuine. Unlike you, I have the honesty to admit the limits of my knowledge.

I respect the law because I do not WISH to break it. A big difference. Now to comply with the law, you need to remove all data from your database referring to Europeans, and remove access to your data from European customers. Do YOU wish to break the law? Or will you comply with it?
