Does Anyone Still Trust zFire Xue?

12 03 2011

Since this time yesterday, when zFire was hacked in response to his foolish challenge to test his (pathetic) security, it seems he has been hacked again, at least once. A whole bunch of SQL tables, or maybe even the entire database, was dropped in what looks like yet another SQL injection attack. It is clear that zFire has been genning up on avoiding SQL injection attacks. Keep reading zFire … you will get there eventually.

But not before it is all too late. The password outing functionality, and indeed the veracity of the video we carried this week, has been confirmed by the hackers from last night, who released their findings to the Alphaville Herald. It may be they attempted to contact us with the information first, for which I thank them, but I think the Alphaville Herald is a good place for that report.

Yesterday’s hack was still annoyingly obvious, and today’s more so. I can allay some fears, however, in that I understand that significant quantities of false data have been injected into that database by yet another person or persons who have demonstrated they understood the security vulnerability well enough to do this. This same source suggests that zFire was about to manually add the names of all members of the inworld GreenZone users group to the list of “known copybotters”[sic]. Attached is the evidence provided; snipped away are well over 1000 names taken from the group membership.

Letter to zFire Xue from Merlin Swordthain

Since today’s hack the forums appear to have had it, although it looks like there was a recent database backup. If anyone else is thinking of cracking this database I should point out that it’s no great challenge, but at this time the working database is zFire’s biggest albatross. It shows he has been a very, very bad boy, so please do not be tempted to take it offline. False IP address reports will do no harm though.

To end on a lighter note, Theia was confused by this remark from new RedZone poster arooga:

by arooga » Fri Mar 11, 2011 1:48 am

I would like to have crackerjack’s babies for the way he got Theia Magic
Done Up Like A Kipper she was, hung by her own petard

Her comment to that was amusing, but this is even more amusing in the light of this:

Arooga is Crackerjack

[Edit: Someone challenged the image showing that Arooga is Crackerjack, saying anyone could have written that on the forum. I edited down the screenshot I was given and now include a bit more to show this was a message sent directly to zFire. The message and the screenshot predate Friday’s crack on the database.]

It seems Crackerjack, in an attempt to beef up his security by changing his email address, locked himself out of that account. He decided Arooga would be fun for alt games. Strange from someone who finds alt outing so important.

So Arooga wants to have Crackerjack’s babies? Nice to see him getting in touch with his feminine side.

46 responses

13 03 2011
Potosi Abonwood

Getting ready to add all the people from the GZ Users group in manually. Wow. That would have been a lot of typing. But then again we were all (well, except for the few using it as an excuse to grief) avoiding RZ areas like the plague, so most of us wouldn’t have noticed. Until we hit one that was stealthed and claiming not to use it.

13 03 2011
Azure Twine

So I guess he thinks this is a way to punish people who would join a user’s group? I hope he realizes that our group includes many of his supporters who troll us constantly 🙂

Oh yeah, and if there was an easy way to get such a list, can that person contact me? I have been trying to figure out for years how to get an in-world group list without having to type it all out 🙂

13 03 2011
Katrina

It’s easy enough with a specially made bot. If you want one, contact me at kat.swales at nekokittygames dot c o m

I am pretty sure it is not illegal or against ToS; please tell me if it is.

13 03 2011
bronxelf

I still fail to understand why he persists in the delusion that being banned from any and all RZ locations is a *bad* thing.

13 03 2011
no2redzone

Very true, but technically this still does constitute an illegitimate denial of service.

On the other hand, what an excellent way to verify the redzone sim list.

13 03 2011
Adromaw

It’s not a bad thing in the early game while the coverage is that estimated 3%. If it was significantly greater then we’d have a problem. It was just his dumb luck that enough people with the technical knowhow were educating the rest of us.

13 03 2011
Zaza

His site is down again… Hes getting raped over and over…

13 03 2011
no2redzone

Indeed, and again now! He almost made it through the night!

13 03 2011
Theia Magic

Arooga is Crackerjack?

*drools her tea laughing*

You just totally made my day. I’m totally hugging you when I see you! 😀

13 03 2011
Adromaw

He was a bit of a weak link, lol.

13 03 2011
no2redzone

Yes, I must confess I miss Crackerjack’s gems.

13 03 2011
Jenni Darkwatch

Just for the record: Wasn’t me who took him out. I prod at – and laugh at – his pathetic understanding of security, but I do limit myself to royally screwing his (and other similar products) DB.

13 03 2011
Rooted

I always knew his security was rooted.

13 03 2011
no2redzone

Yes indeed. Had he listened to you when you pointed it out, he may have been spared much pain.

13 03 2011
Monkies

Ok, I just have to say, really, I don’t think he SINCERELY was challenging anyone. I’ll say why. Because NOBODY is just that fucking stupid. Maybe we are underestimating him, and he’s playing dumb for a reason. Hold on, maybe I’m the stupid one by giving him too much credit. Nevermind! Carry on ;P

13 03 2011
Potosi Abonwood

I think he was living in the little daze that the whole movement against him was only a few hundred strong using alts to make their numbers look bigger. Seriously he always acted like it was a tiny minority of folks who didn’t like RZ. So he made the challenge thinking that nobody in that small group had the actual know how on hacking him.

Only to discover both of those assumptions were waaaaayyy wrong.

13 03 2011
Voff Uggla

Well I think it’s good news, add me as a GreenZone member on the RZ banlist, then I know what places not to visit or spend any money at.

13 03 2011
Huntress Unya

Well I will be on there since he likely started with the owners and officers of GZ group… Fun fact: there does not seem to be a “removal as copybotter” option in his overlord GUI, or an “unlink mistakenly linked AVs”…

13 03 2011
Jenni Darkwatch

Considering his ego, i’d be surprised if he ever would remove anyone he thinks is a “copybotter” anyway.

13 03 2011
no2redzone

That button is for unbanning himself and theBoris Gothly, who both seem to have been banned as copybotters in the past. I wonder how that could have happened!

13 03 2011
Adromaw

Didn’t he run a test once when one of the developers on the opensource mailing list raised the issue with him of banning legitimate builds? I just assumed that would have been it; if not, and earlier, then the course of tests to make sure it did something at least some of the time. >.< His own banning didn’t faze me as something out of the ordinary.

14 03 2011
Rooted

The theBoris Gothly account was definitely being identified as an alt of a known copybotter (by RZ) at one point in time.

In fact this account was banned three times from a sim, by RedZone, for this reason, although the neighbourhood watch has since been cleansed of the relevant entries.

13 03 2011
bronxelf

@Adromaw

Well that and he has always been both lazy *and* sloppy. This is a potent combination.

13 03 2011
no2redzone

Yes he did ban a straightforward source build as an “exotic viewer”. Despite the coverage in the Alphaville Herald, the ban on user agent has always been semi-automatic. zFire decides certain signatures are “copybots” and then anyone else using that user agent string is flagged as a copybot. This is wrongheaded, but also makes it very easy to ban someone by sending a response to the server under their name and with a banned user agent string.

Most of the copybots in his database though are added by hand after reports that they are copybotters based on other evidence from better informed sources. Also many people are added because they annoy zFire.

13 03 2011
Monkies

I’m just curious what his real goal is overall with all this?

-Is it really to stalk people because he’s paranoid the government is out to get him or something?

-Is it because he wanted to see who his g/f was cheating with (if that happened)?

-Is it because he has tried to get a job at LL and they declined him and so he tried to work at Emerald Viewer and they declined him, so he went on this rage to ban the world of SL that do not comply to his demands?

-Is it because he broke a nail?

lol I mean really, I really am actually quite curious as to what his motive and goals were. Can I get an answer! 😛

13 03 2011
Potosi Abonwood

I think saying that he had an overall goal is giving him more credit than he deserves.

His motivation is simple – greed. He wanted some cash for his creation. Then he just added in everything else he could get away with got his god complex rolling and now is getting that complex scraped off his skull.

13 03 2011
Adromaw

I would have put it down to power and control more so.

13 03 2011
Samantha Poindexter

You might take a look at the rationale for his other project for some insight.

(Link anonymized for your protection!)

13 03 2011
Monkies

I’m not 100% sure what that link is about

13 03 2011
No1

It seems really the only purpose of RZ was to track as many people as possible and find SL passwords to help him and his team hack and delete accounts for money.
This guy has serious mental problems.

13 03 2011
Azure Twine

Money and Power… then add a dash of revenge.

Skills was ramping up to do CDS and then they (her and Fractured) had some other weird project they had planned that would involve deploying over 100 bots gridwide. (Those AVs have since been deleted but they were all named OnyxMonitorxxx ModularSystems or OnyxProbexxx ModularSystems. There were around 100 of the monitor ones when I first became aware of them. After the Emerald Scandal they disappeared.)

Some early CDS code was leaked via pastebin and that is what zfire used as his base for RedZone. I’m sure as he realized that revealing alts was lucrative, he built on that aspect. The device itself is clearly written by someone with a griefer mentality. Seriously, what professional security device would animate your banning with blood and flying bones and have their device look like a creepy skull?

13 03 2011
Security Thru Hackscurity

Drip drip.

Dilbert say screens faked.

13 03 2011
skills

While i was one of the few who had full access to Fractured’s projects like his Emerald Point “Datamine” (which correlated avatar names and IPs using parcel media) and “Onyxbots” (which never really did anything but scare people), i never accessed them simply because i wasn’t interested and didn’t want to be involved. Same goes for all the other Ex- Emerald devs, thank you very much.

As for comparing CDS to Redzone.. CDS doesn’t do anything with IPs and is not interested in legit clients like Phoenix etc, if your useragent doesn’t trigger the filter it just discards your info.

13 03 2011
Azure Twine

Thanks Skills, I stand corrected. You did not do the datamine, just had knowledge of and access to it. I didn’t say CDS does what redzone does, I have always maintained you stopped short of the whole alt naming business, I said he started with your CDS code and built from there.

My point was, at that time the exploit was known and was being used. zfire took it one step further for power and money. You can’t deny the other Emerald devs did know about the exploit though, right? I mean after the Emerald scandal someone had to have noticed.

And your little “just to scare people” bots. That was not how they were advertised. And scare who?

14 03 2011
skills

Thanks! I wouldn’t call it an exploit actually, the function has been designed exactly like this by LL and works as intended, not sure if they thought about scenarios like RZ back then though..

Fractured was rather proud of his bad rep; he enjoyed scaring people and joked about “ruling the metaverse with an iron fist using his underground griefer mafia”.. His onyx bots were supposed to scan for copybotted content like attachments and notify the creators. He never got anywhere near that though since it was a lot of work; he just created 100 bot accounts with the shiny new modularsystems name, gave them a scary avatar and then let them tp all over the grid for a few days to show off and see how people react. That didn’t go all too well, lol.

14 03 2011
Walker

You are not using the function for how it was intended though Skills. It was designed to send real media to a specific avatar. Not fake media for the sole purpose of harvesting avatar names, keys, viewer and possibly IP address information (we only have your word that it doesn’t do that). What information is collected by CDS in the query string anyway? There seems to be quite a lot of hashed info there.

14 03 2011
skills

“What information is collected by CDS in the query string anyway?”

The query string is sending: UUID, sim name, date/time and CDS session authentication, that’s all it needs.

14 03 2011
Walker

Thanks. I appreciate the answer. 🙂

13 03 2011
Katrina

people claiming faked image:
http://errorlevelanalysis.com/permalink/0cffa3f/

http://errorlevelanalysis.com/permalink/4182fdf/
http://errorlevelanalysis.com/permalink/ad1e311/

Notice that the only differences are the red ones that already were obviously added.

14 03 2011
Walker

Those tests are only useful for proper photographic images, not screenshots of webpages.

14 03 2011
Katrina

Well, it seems to work fine there: the bits that are obviously added actually show up differently from the ones that are part of the original. The kind of analysis it does can tell if something has been added and then saved, because it was saved a different number of times. NOTHING to do with photographic images or not, really.

14 03 2011
Walker

I have to disagree. 🙂 The analysis is meant to highlight changes not visible to the naked eye like blocks of pixels which have a different pattern of uniformity to those in the rest of the image. The bright red text is obviously added, but the logo (top left corner) is part of the original document and shows up with the same “suspicious” contrast as the added text. So was that added too? No. It just has an RGB value of 255,0,0 like the added text.

Regardless, any webpage can be modified before a screenshot has even been taken (right click > inspect element in Chrome, or install the Firebug addon in Firefox and do the same thing), so any changes need not occur in Photoshop at all for the document to be faked.

From my experience with the RedZone demo however, I’d say those screens are the real deal.

14 03 2011
Katrina

Looking up on the test, it even says it is best at discovering stuff added then resaved; it uses the fact that the quality gets worse on each save:
http://errorlevelanalysis.com/faq/

You are right that it COULD be edited beforehand; I’m just trying to show that it is almost definitely not image edited.

14 03 2011
lok

redzone is back on the marketplace once again. secondly, gemini cds also needs to be banned. lonely bluebird / phox also manually adds people to the cds list and skills won’t remove them. happened to several people just as it’s happened with redzone.

14 03 2011
no2redzone

Welcome to Walker and Skills (and everyone else of course). Thanks Skills for giving us that information.

My take on this is that CDS is in no way the same kind of issue that RedZone is, because it does not appear to collate data that can be linked with personal data about avatars. Personally, when RedZone dies, I will not turn my attention to CDS.

However I think CDS, like all such systems, will do little to prevent copybot usage. Really there is no way to prevent copybots except to detect the stolen items when they turn up in-world. That is just the way the technology is. A few clueless people will be caught out through strange user agents, but a tiny proportion of the true total.

Add to this that the media exploit (sorry, but it is an exploit unless you provide me actual media) is a sneaky way to gather data.

But thanks to Sione et al., the media exploit issue is resolvable. We can blacklist CDS and just get on with enjoying SL. As long as CDS does not try sneaky tricks to get around our choices, and as long as it does not harvest personal data, I am simply going to ignore it.

A problem for us, of course, is that we cannot review the data that CDS sends back. Furthermore, the IP address could still be harvested. I am not happy about that. But there are many things in SL I am not happy about and life is short!

Another problem lies in the appeals system. What happens if – as in the comment from Lok here – someone is added to the system perhaps in error? I personally might appeal to Linden Lab over such a thing but I would never appeal to some random resident. Maybe all bans should be aged out.

Philosophically, CDS still harvests data without consent. That is not right. But as long as it retains no personal data, it does at least remain legal.

15 03 2011
Prokofy Neva

I don’t believe a word that Skills Hak says. Not a word. He personally came to grief me on my sim with Emerald coder thugs on at least one occasion, and they were frequent flier documented griefers on my sims, and those people are all permabanned now. He has a Linden fix in and that’s all there is to it.

BTW, a reminder that the reason I’m on zFire’s ban list is because…I discovered he was a problem long before all of you — in June 2010:

http://secondthoughts.typepad.com/second_thoughts/2011/03/oh-in-which-we-find-where-zfire-xue-has-appeared-before-on-this-blog.html

Re: http://www.sluniverse.com/php/vb/general-sl-discussion/56364-redzone-2-electric-boogaloo-157.html

“rafferten” whoever he/she is has blocked the names of other people who banned me using RedZone, but there’d be no cause, as I don’t use Red Zone or any security device whatsoever, nor do I have anything to do with copybotting.

His bans were likely entered manually as I never visited his store and I’m not much of a shopper at malls.
