A Snippet of Admin Interface Code

8 07 2011

Geeks will understand what this is and see how it matches certain screenshots that were circulated. Non-geeks, don’t worry!

$r6q=@mysql_query("select attempt from failedlogin where `user`='$user' ");
$num6=@mysql_num_rows($r6q);
if($num6>0){
print("

Possible SL PW(s): ");
if(strtolower($user)=="vasilisa shilova"||
strtolower($user)=="zfire xue"){
print("<font color=\"red\">Protected");
}else{
while($r6=mysql_fetch_array($r6q)){
print($r6[attempt]."
");
}//while
}//protection
}

It is funny how things work out. zFire’s code was designed to harvest failed logins at his site where people had to use their SL username, in the hope he would harvest SL passwords.

But the most frequent users of that site had aliases, like Crackerjack for instance. And in some cases they might make a different mistake. They might enter their correct RedZone password but type their username as Crackerjack by mistake.

These people would show up in the database as having the same password for an SL/RedZone username as for the forum name. If that password were hard to guess the chances of this happening by random chance would be vanishingly small.

Wouldn’t you agree Roland?





Hypocrisy

28 02 2011

Crackerjack wrote some barely literate nonsense that others have more ably pulled apart than I could. But as he is talking about hypocrisy, and as he said this:

people like Sione who, I dont know whether they are banned by any redzone scanners, but whom I highly suspect has,

I think it is time Crackerjack confessed to us just how many of his alts Linden Labs have banned.

Come on Crackerjack – how many is it? Because I know of one of your alts that was permabanned, and another that was banned until you did some identity verification with Linden Lab. I am sure there are others.

Let me see – you told us that that one temporary banned alt had been banned because you and your brother share an IP address, didn’t you?

I could post the evidence, but I won’t share your SL avatar name here without your permission.

I will count to 60, and if you have not told me I can’t, then I guess you are agreeing I may….

1…2…3….

Hypocrisy? pah

now reflect on the fact that the hypocrisy is on many levels of their viewers, to the effect that they want land owners and sim owners and business owners to log in on their viewer yet they are making patches to circumvent the very security protecting those things. how more hypocritical does it get? let me tell you !

No need to tell us. We can see for ourselves, thanks.

4…5…6…

Just to be clear, it is all about CHOICE. Those of us who believe in our sovereign right to self determination, versus those who think the Oceania of Nineteen Eighty Four is a jolly good idea.





Zfire’s Quote of the Day

21 02 2011

It looks like Zfire wants me off his forum, banning the IP I use to read there and all. Luckily my trusty spy network of ninja attack trout were able to get me this masterpiece:

Options to eject users with streaming off are because streaming off is a popular griefer myth[1], and a great way to weed out people in a club or media area who clearly are not there for the music or other media[2]. It is also a great way to smite[3] such griefers.
The hearing impaired are hearing EMPOWERED with a computer and headphones[4]. If deaf, they be able to enjoy video, or simply feel the beat of music on their skin[5].

NOTES

[1] myth: (2) [COUNTABLE/UNCOUNTABLE] something that people wrongly believe to be true.

I think this is the sense Zfire intends for the word “myth”. Of course the sentence makes no sense. Is he saying that the option to eject users is a myth? Yet one of his own flunkies used this very option, and posted in the technical support forum that it was a disaster. Is Zfire perhaps pretending that turning media off does not protect you from IP scanning by RedZone? In which case, we see once again that he is a fibber.

Of course, banning people with media off was bound to be a disaster. One detects media off passively. You cannot ask the client to tell you the media is off, because the client is not THAT insecure. So to know media is off, you send it a parcel media URL and wait for a connect to your database.

But Zfire’s database is flaky too, and the SQL server keeps getting overloaded (not so much last week when no scanning was happening, but previous weeks the server was constantly refusing connections). Thus there are at least 2 reasons (and in fact many more) why the server would get no update from a user. Reason 1 is they have media off, and reason 2 is that they have it on, but the database is too overloaded to accept the scan results. Some other reasons are: (3) the RedZone probe tries to send parcel media updates from a parcel in which it has no such permission, (4) filtering software filters out the spyware connection whilst still allowing parcel media to play.

So all in all, if you ban people for not playing parcel media, you will also ban plenty of people who ARE playing it. Oops… more “collateral damage”.

[2] This is me btw. I run SL with sound off nearly all the time. I go to clubs to be social with friends. I chat with them and hang out. I don’t listen to the music. Neither do I grief anyone of course, but that doesn’t matter. I am collateral damage.

[3] Smite. What a lovely word. It is Old English (from Smitan, which is, aptly, a strong verb in Old English. Old English had strong verbs and weak verbs. The weak ones are what we now call regular verbs, and the strong ones were irregular. Just like Zfire to use an IRREGULAR verb, I must say.) Oops…who poked me? Oh was I boring you? sorry…

[4] The hard of hearing are being empowered by being forced to listen to tinny music through headphones and chatspammers going “weeee” and “woohooo” and other such inane comments? You know that can be really bad for tinnitus. Clueless nincompoop.

[5] So if you are deaf, you are expected to turn on your parcel media, download huge volumes of data (which many users have to pay for) and turn the volume up high enough that things vibrate sufficiently so that you can enjoy getting vibration white finger whilst playing in SL? Note these deaf people will not hear the neighbour banging on the door asking them to turn the volume down!

Just to be clear, I ran this past a disability and equalities specialist I work with and she was quite clear that if any company had a policy such as this in the UK they would be liable to prosecution under the disability discrimination act. The USA has similar laws.










On Geekiness and the Perils of Bemoaning Stupidity

17 02 2011

I would like to highlight a discussion in the RedZone forums because it leads to some interesting speculations and reveals the lack of technical knowledge in the RedZone community. The subject is “Static IP .. need to know more, please”. Before I start, I should say this post is geeky and anyone choosing to ignore it will not have missed much!

Cole Cybertar said in that discussion: “Now if something started recording MAC addresses then there would be an issue.” What he meant is that it is his belief that a MAC address is private, and its use in a detection system would be a privacy issue, whereas the use of IP addresses, in his opinion, is not. zFire agreed with a telling comment on 10th February:

I have not researched MAC Addresses.

Now if zFire would like to know more about MAC addresses, he need but ask. I won’t bore my readers with all the details now, but MAC addresses are used to communicate between devices on a single network link. They are usually tied to the hardware of your interface and often you can use the top 3 bytes of the address (less two bits) to identify a hardware manufacturer. So yes, they give away a little more than IP addresses in terms of hardware, but as they have no network structure, they give away less in terms of location. All that is moot of course, because a spyware operation based on hijacked GET requests has no way to access your MAC address. Your address is not on any packet beyond your router, and the MAC address on the frame that zFire receives will be the MAC address of his router. So he cannot harvest these.

We have seen that Linden Labs do harvest this information in the authentication packet your SL client uses to connect to their service, and they do use this information to identify alts (it is much better than IP addresses for this purpose, although not perfect). They can do this because the client specifically packages up and sends them the information, and this is ok because Linden Labs are up front about the data collection and we agreed to it. It is also okay because Linden Labs use it for administration of their service, and do not share it with third parties.

But zFire, who has not researched MAC addresses enough to know any of this, cannot collect the data.

That is… until we move to version 6 of the Internet Protocol (IPv6).

And here, we cue crackerjack for this absolutely wonderful explanation of IPv6 in the same forum thread:

with the phasing out of ipv4 and the bringing in of ipv6, devices such as redzone should be more accurate since every interface will have a unique routable ip address, now NAT routing will no longer present a problem, for example – to save ip addresses the router was configured so that machines behind it would have a local ip address and the router would interface the internet on behalf of all the machines behind it. Somework would be required to show that two avatars were not a single rl person but two people. With ipv6 that would not be a problem since ipv6 would come with its own security and there will be no need for a router, just a network switch so the problem would boil down to a single computer and whether for example two avatars from the very same computer represented one or two rl people

Whilst this is nearly all nonsense, I was particularly tickled by “there will be no need for a router”. [0]

Again I have to resist the temptation to bore my readers with lots of irrelevant detail. But in short – IPv6 will continue to need just as many routers as IPv4.

His attempted clarification only further muddied the waters:

i believe under ipv6 both the router information and the originating computers information get passed along and that the originating computer will have an address that can be determined, so under ipv4 you would route information to the router that hides the local adress but under ipv6 i think the originating computers address is given too unless i am badly mistaken, this implies also that you dont route under ipv4 or have a ipv6 translator to deal with ipv4 requests and will be probably something that becomes more relevent after 2012

What I think crackerjack was trying to say was that we will not need to share IP addresses using network address translation devices (NAT) in IPv6. I think he has some idea that all routers are NATs, or maybe that there are no other routers other than his home NAT. Either way it is nonsense.

His argument that we don’t need NATs is, however, correct because the 128 bit address space is so astoundingly huge that, by my calculation, we could number every single network device on a global Internet 100 times larger than ours on every likely inhabitable world in the entire universe![1] So he is indeed right that we no longer need to recycle and aggregate addresses.

Thus indeed Network Address Translators will be a thing of the past (unless the world is filled with clueless media people who argue that a NAT is a security device. Hopefully reason will prevail though[2]). Every interface on every device connecting to the Internet will be able to have its own IP address. And on that crackerjack is correct, if somewhat confused.

Here is the problem: The global unicast addresses in IPv6 are designed with the enormous address space, 64 bits of interface id, to allow interface autoconfiguration. This highly attractive feature of IPv6 will allow devices to essentially choose their own IPv6 addresses, within a set structure. How do they do it?

Structure of a Global Unicast IPv6 Address

The default mechanism is to create a 64 bit EUI-64 global identifier based on – you guessed it – the 48 bit MAC address!

Creating an EUI-64 from an IEEE MAC-48

Yes, that is right! IPv6 addresses will, by default, include your MAC address.

Just to remind you: Cole Cybertar said in that discussion:


Now if something started recording MAC addresses then there would be an issue.

I guess even the redzoneophiles realise now that we have an issue.

Of course, IPv6 will also make RedZone spyware trivially easy to avoid. I can reconfigure my hostid how I like. I do not need to settle for the EUI-64 interface id. With 2^64 IP addresses to choose from, I could have a new IP address every minute for the next 35,000,000,000,000 years without recycling any. I would like to see zFire match my alt from that![3]

All this is moot though. I doubt that the RedZone database even has the data structures to handle IPv6 addresses, and at present people using IPv6 are tunnelling to his server through IPv4, and are thus another source of IP aggregation. That is, they keep matching each other in that brain dead database.

NOTES

[0] I only quote crackerjack’s nonsense in full because he also said: “These are people who have no idea how their computer or the internet or second life actually works”. I just thought it an opportune moment to remind everyone that, in fact, crackerjack’s own knowledge of the Internet Protocols appears to be at the level of an interested user. There is nothing wrong with that. We cannot all be experts in these things, and it is no reflection on an individual if they have not studied the RFCs in depth! But two things I have learned are (1) Never underestimate your chosen out group. It is human nature to think your in group is more clever than your out group, but that human nature is not rational. (2) Never spout off on something you really do not understand – especially at the same time you are attempting to mock people for spouting off on things they do not understand. Oh and (3) Never trust me to stick to just two things!

Actually crackerjack went on: “… start telling the others they know about […] data protection law etc. then they go on to spout the most utter boulder dash you ever heard”. That would be “balderdash”[4], but as I think that was a jibe at me I would just make the point that it is a part of my RL work to know about and advise people in Data Protection Law.

Still crackerjack is venting though: “OK The anti redzone people are infact so stupid they have made me very nervous but only because i hadnt realised just how many truly uneducated morons”

I just want to take this point to make it quite plain that I am, in fact, an educated moron.

[1] I really have made this calculation. I have, of course, made some finger in the air guesses on number of inhabitable planets, loosely based on the current thoughts on this following the discovery of large numbers of exoplanets – but I think if anything I have overestimated the number of these. I will dig out the calculation if anyone is interested.

[2] One popular tech commentator argued in his IT Security podcast some years ago that NAT is a security device because it blocks out the home network. He is wrong though. NATs are typically implemented using stateful firewalls that do IP header rewriting. It is the stateful firewall that offers the protection to a network, not the header rewriting. Keep the firewall and dump the NAT.

[3] Put another way – given 1 /64 IP address range – the key to IPv6 autoconfiguration – I could set up a network of computers. If I kept the spacing between computers to about one meter, which is about as close together as people could comfortably sit at them to work, and I connected all these to a single router (because we cannot aggregate at less than a /64), then my network link would stretch roughly from my house to here:

http://www.josesuroeditorial.com/Astro-Photography/Clusters/1166044_N73uT/1/55653528_nwLKn#55653528_nwLKn

The M25 – not the London orbital motorway, the other one – is about 2,000 light years away. Thus the network latency on my network would be about 4,000 years – plus a small processing latency at the router. I think this could make Second Life a little laggy, but I am willing to give it a try if anyone will donate me the computers.

[4] Balderdash: A word that was used in the Tudor period to refer to a mixture of liquors that would not normally go together.