Fixing the Security Hole and Terms of Service (TOS)

24 02 2011
Hidden Media URL

Before his alt finder software was neutered yesterday, crackerjack gloated:

so anyway they thought they would let the user see which URLs were being used by media on the sims media streams but then the truth dawned on them and they realised it is against TOS to disclose the media stream of a parcel if the stream is hidden by the owner, or indeed any stream that isn’t being offered by the sim owner as public knowledge
Basically they drew a blank lol

Actually to be clear, I made this point up front in my article on the security hole in the SL client on the 9th February:

So Linden Labs and other client developers: how about it? I will immediately change to whichever SL client offers me this option.

Although if Phoenix Viewer did it, I suspect the developers might find themselves under attack from Linden Labs for revealing those “secret” parcel media URLs.

But what the developers are doing is more imaginative. They are munging the URL so that it is still clear enough that it’s spyware, whilst not revealing music stream URLs. This keeps to the spirit of keeping stream URLs private whilst giving people good information on what they are being secretly asked to connect to.
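One way such munging could work, as an added example that is not the viewer developers' own code. The policy of showing only scheme, host and port while masking credentials, path and query is an assumption, `munge_media_url` is a hypothetical helper, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

UNPARSEABLE = "[unparseable media URL]"


def munge_media_url(url: str) -> str:
    """Display form of a parcel media URL (hypothetical helper).

    Assumed policy: show scheme, host and port so the user can see who
    they are being asked to connect to; mask credentials, path, query and
    fragment so the exact stream location is not disclosed.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port          # raises ValueError on a bad port
    except ValueError:
        return UNPARSEABLE
    if not parts.scheme or not parts.hostname:
        return UNPARSEABLE

    host = parts.hostname          # already lower-cased by urlsplit
    if ":" in host:                # IPv6 literal: restore the brackets
        host = f"[{host}]"

    shown = f"{parts.scheme}://"
    if "@" in parts.netloc:        # never echo embedded credentials
        shown += "***@"
    shown += host
    if port is not None:
        shown += f":{port}"
    # Anything beyond the bare origin is collapsed to one marker.
    if parts.path.strip("/") or parts.query or parts.fragment:
        shown += "/[hidden]"
    return shown


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real parcel.
    for sample in (
        "http://stream.example.net:8000/private/mount.mp3?key=abc",
        "http://user:pw@tracker.example.org/log.php?av=123",
        "http://[2001:db8::1]:8080/live",
        "not a url",
    ):
        print(f"{sample!r:60} -> {munge_media_url(sample)}")
```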

Not that those music stream URLs are really so secret. The official Linden Lab viewer allows you to see them; just enable the admin menu. If you are not sure how to do that, here are instructions in the official LL Viewer 2 assuming a brand new installation (you may already have done at least the first step):

1. You need to open the Debug Settings in your Advanced menu. It is the second option from the bottom in figure 2 below.

2. In the debug settings (figure 3) type Admin Menu in the box. Click “true” to enable the Admin Menu.

3. Now click the bottom option in the Advanced Menu to show your develop menu.

4. In the Develop menu that appears, the last option will be available: “Show Admin Menu”. Click this.

5. Now take a look at the media stream (World menu/Place Profile/About Land. Click the Media tab), and you will see the URL as in the example in figure 4.

Fig 2. Show Your Admin Menu

Fig 3. Enable Admin Menu in Debug Settings

Fig 4. The Media URL Revealed

Easy, isn’t it!

This works in Phoenix and other viewers too. Once enabled, go look at the about land tab – you will see the tick in “hide the url” but you will also see the URL!

So much for secret URLs.

But look at this for utter hypocrisy from redzoneophiles:

ALSO I HAVE MY MUSIC URL HIDDEN FOR A REASON! IF THEY DISPLAY IT TO THE PUBLIC THERE WILL BE HELL TO PAY

Not happy that a third party viewer might actually close the security exploit his spyware uses, he says there will be hell to pay if we look at the URLs… that Linden Lab lets us see in their official viewer.

Hmmm.

Let’s be quite clear. A URL is not secret information. That is public information. The computer needs it to connect to a website.

Sound familiar?

Look at this “I HAVE MY MUSIC URL HIDDEN FOR A REASON!”.

I wonder why Redzoneophiles think our IP addresses are hidden on the SL service. Now what reason could that be?

This guy rants on:

If a viewer does not respect my region privacy settings it will be banned for good
If they put this patch in it will be a breach of TOS

Ah yes…privacy.

The URL is hidden for privacy… now what reason is the IP address hidden again?

Except, of course, the URL is NOT hidden. The IP address is though.

“Woe to you … hypocrites”.

4 responses

25 02 2011
Jenni Darkwatch

Besides… making the media URL anon is a non-issue, as probably most geeks know how to get around that without ever using the client’s built-in functionality (which I wasn’t aware of, btw).

For many media URLs it’s even sufficient to use “netstat” to find it. ~shrugs~

2 03 2011
Redwood Rhiadra

Interestingly, Radegast (the text viewer) displays “hidden” music stream URLs, by default. It always has. And it is listed as a TOS-compliant viewer.
