The question was asked on the SLUniverse thread-that-never-dies as to how we can use the forthcoming media patch to tell that a URL is suspicious. How does the average user of SL know that one URL is a valid music stream and another looks like an IP data collection service? Clearly we can suck it and see – allow the URL and see if we actually get music, but then by the time we realise the URL is not music, we have already been recorded in some basement guy’s database.
One suggestion was to look for & characters, and I was about to write a reply here that made the point that zFire’s updated Redzone URLs use a new (equally crackable) monoalphabetic substitution cipher to obfuscate even the “&” characters, so that is not going to work. I was gearing up to write a “how to” answer to the question, when I found that Psyke Phaeton had answered the question fully on the above thread on SLUniverse.
I am shamelessly copying Psyke’s reply here because it would be a pity if it got less attention for being lost in that 8000+ post thread.
Psyke Phaeton said:
The main aim of the bad people is to send information about you to their server. Therefore the longer the URL the more chance it contains your information.
doesn’t obviously contain any extra information that looks like it might be data about you. But
becomes more suspicious. Is 123 a way of tracking you or is 123 a music selection from a larger collection? We don’t know.
become even more suspicious. What is that data on the end of these?
You aren’t looking for ? and & but long strings of letters and symbols which might be obscuring data about you.
The longer the sequence of the URL after the first single / the more information it is potentially sending and therefore the more suspicious you should become.
If I look at the current URL for my post I am doing I see:
This data on the end makes sense. I am doing a new reply and the post is number 1175291. I can therefore trust this. If I go to YouTube and play a video I see..
This makes sense also. I am playing video NLmsiaN5dZM and I used the feature topvideos.
The question you ask is a) Is the length of the URL suspiciously long and b) Does data in the URL make sense or does it look suspiciously obscured.
Did I make sense? It’s 4am here
The good news is that Linden Lab is going to allow us to see the full URLs and make informed decisions on what we see. The bad news is that there are still far too many people who will just ignore the security warnings because they don’t understand them. But we can console ourselves that never again can spyware like RedZone be completely hidden from view by the spyware operators.
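The two questions in Psyke’s reply (how much follows the first single /, and does any of it look obscured) can be approximated in code. The Python below is an added example, not part of Psyke’s reply or of the original post; the function names, the three thresholds and the sample URLs (constructed, on reserved example domains) are assumptions.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# All three thresholds are assumptions chosen for this example, not values from the thread.
MAX_TAIL = 60      # characters allowed after the first single "/"
MIN_RUN = 16       # a track number or an 11-character video id stays below this
MIN_ENTROPY = 3.5  # bits per character; a rough proxy for "looks obscured"


def entropy(text):
    """Shannon entropy of text in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def assess_url(url):
    """Report how much data follows the host and which parts of it look obscured."""
    parts = urlsplit(url)
    if not parts.netloc:
        raise ValueError("expected an absolute URL such as http://host/path")
    tail = parts.path.lstrip("/")
    if parts.query:
        tail += "?" + parts.query
    if parts.fragment:
        tail += "#" + parts.fragment
    # Split on path and word separators as well as "?" and "&": the data may sit
    # in the path, and an obfuscated "&" leaves one long unbroken run behind.
    runs = [r for r in re.split(r"[/?&=#;,._-]", tail) if r]
    opaque = [r for r in runs if len(r) >= MIN_RUN and entropy(r) >= MIN_ENTROPY]
    reasons = []
    if len(tail) > MAX_TAIL:
        reasons.append("long tail")
    if opaque:
        reasons.append("opaque data")
    return {"tail_length": len(tail), "opaque": opaque, "reasons": reasons}


# Constructed sample URLs on reserved example domains.
SAMPLES = [
    "http://stream.example.com:8000/",
    "http://stream.example.com:8000/listen?id=123",
    "http://www.example.com/watch?v=NLmsiaN5dZM&feature=topvideos",
    "http://collector.example.net/live/q7Zk2XvB9mLp4RtY8wNc3HsJ6dFgA5eU.mp3",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, assess_url(sample))
```

An empty list of reasons is a prompt to look, not a verdict: a short, readable tail can still carry a tracking id, which is the “we don’t know” case for 123 in the reply.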