Posts Tagged ‘RedZone’

From alphaville:

A shadowy group of Second Life hactivists claim to have breached the Redzone server’s security, gaining access to the server database and discovering cleartext passwords for most Redzone customer accounts on the site.

As if storing raw Redzone customer passwords is not bad enough, there is apparently a second table that tracks passwords from failed login attempts in the hope users will accidentally enter their Second Life account password. These failed passwords are conveniently displayed on the user profile page of the “Admin Overlord App” as “Possible SL PW(s)”.

In light of these revelations, the Herald strongly suggests that all zf Redzone customers change their Second Life account passwords immediately – and ask themselves why they would continue to run a product that attempts to guess their Second Life password.

People have pointed out the issues with his “sakurity” for months. For example, detailed instructions on cracking his database are here and here. Anyone with a background in networking, security, or even web development would find it amazing how little he protected his system – I know I got some good chuckles from those articles. Anyone who stores passwords in plain-text (or even MD5 hashes!) should be considered suspect, either for stupidity and ignorance or for their shady motivations and agendas. In this case, I believe both are relevant.
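To make the point about plain-text and MD5 storage concrete, here is an added illustration (my own example, not code from this post or from RedZone): an unsalted MD5 store beside a salted, iterated PBKDF2 store with constant-time verification. The sample password is constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not from the post).
SAMPLE_PASSWORD = "correct horse battery staple"


def md5_store(password: str) -> str:
    """The weak scheme the post warns about: unsalted MD5, no work factor.
    Identical passwords produce identical records, so a leaked table lets an
    attacker cross-reference accounts and use precomputed lookup tables."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Salted, slow hash: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    The record carries algorithm, iteration count and salt so it can be
    verified later and re-hashed when the work factor is raised."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def leaks_equality(scheme, password: str) -> bool:
    """True if storing the same password twice yields identical records,
    i.e. the scheme reveals which accounts share a password."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    print("md5 leaks equality:   ", leaks_equality(md5_store, SAMPLE_PASSWORD))
    print("pbkdf2 leaks equality:", leaks_equality(pbkdf2_store, SAMPLE_PASSWORD))
    rec = pbkdf2_store(SAMPLE_PASSWORD)
    print("verify correct:", pbkdf2_verify(SAMPLE_PASSWORD, rec))
    print("verify wrong:  ", pbkdf2_verify("not the password", rec))
```

The salted record differs on every store even for the same password, which is exactly the property a raw-password or MD5 table lacks.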

From the privacy policy at the isellsl-dot-ath-dot-cx website (which I refuse to link to here because of google’s page-rank algorithm):

Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.

Did he ever tell his customers he was collecting their passwords and what they were used for?

We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.
We do not consider any publicly displayed secondlife information such as usernames, account age, photos displayed to the world, payment status, join date, UUID, IP, platform, viewer, group affiliations, preferred language used, time of day, timezone, region, partner name or any other secondlife information to be private.

He may not, but LL disagrees. If LL didn’t, I never would have signed up for an SL account in the first place.

We have, use, and maintain the highest levels of security to protect our data. We boast a perfect security record.

It’s well documented that he is not in fact using the “highest levels of security” (whatever that means – perhaps Zeus himself atop Mount Olympus gave him the insight to use grade-school substitution ciphers as part of his highest level of security?) But my favorite is boasting “a perfect security record.” The only perfectly secured computer in the world is one that’s been disconnected from all communication systems and buried in a concrete bunker with a vicious guard dog. Anyone who boasts perfect security is not to be trusted – they are either a fool or a liar. I could deconstruct every point of his privacy policy, but that’s quite enough for me.

If that isn’t enough for you, dear reader, then consider one of the many threats he’s made – and his own privacy policy be damned:
I could spend some time deconstructing the psychology of someone who makes such statements; however, his words say more than enough about his personality.

LL has finally been working on a viewer patch for this. Unfortunately, the problem has been known to them since at least last summer (that’s what I’ve found looking around the web) – and as recently as a couple of months ago, they were still claiming that it wasn’t an issue that needed to be addressed, despite the Emerald fiasco. There’s still the issue of educating the users after all the TPVs release updated versions – the only info I’ve seen on this has come from JIRAs – and how many non-technical people look through JIRAs? (Of course that could change, now that JIRAs have been turned into just another forum for drama, instead of the defect reporting system it’s supposed to be.) I don’t completely agree with the way certain companies (e.g., Microsoft, Apple, etc.) handle security vulnerabilities, but they are light-years ahead of where LL is in this area – LL’s policy amounts to deny, deny, deny, until enough people yell. Instead, LL’s energy has been focused on web profiles and a new “community platform,” not on protecting their customers’ privacy, much less improving the SL world. Even after this exploded, LL was slow to respond – I guess they were too busy watching the new CEO plant trees, like Nero fiddling.