Wednesday, March 16, 2011

How to protect yourselves against RedZone and other IP tracing technologies

RedZone was a tool for banning potential content thieves and griefers, including known alts of known perpetrators. It could also warn you if someone in the vicinity was a known alt.

The question is: How did RedZone know about your alt accounts? The answer is that the RedZone servers used a loophole in SL to track the IP address of the user's computer, and when it discovered multiple accounts using the same PC it was fair to suspect they were alt accounts.

As you may know, your IP address is also quite useful for tracking down your RL location and identity, so the privacy issues here go far beyond alt tracking.

RedZone is now banned from SL, but the basic technology loophole that can be used to track down your IP address is still available. In other words, nothing can stop other people from doing the same thing.

The problem is the handling of media and HTML in the SL client. Whenever the viewer plays media or shows a web site, it contacts the media or web server directly. So if you walk into a store with a music URL, media URL or HTML on a prim, your viewer will get the URL from Linden Lab's servers, but will then call that URL directly.

Now, whenever you contact a server, that server will know your IP address. So the following sequence may happen:
  1. You walk onto someone's land
  2. The parcel has a music URL pointing to the land owner's home server
  3. Your PC will call that server and dutifully tell it your IP address
  4. The land owner has a visitor scanner that will know your Second Life name
  5. The visitor scanner will send your Second Life name to the same server that serves the music URL
  6. That server will log that your SL avatar walked onto the parcel at the same time as your PC requested the music URL.
It's a no-brainer to deduce that the two are connected, and your IP is busted.

How can you protect your IP address? The simple answer is: Don't play media or music unless you trust the owner of the thing.

The following setting should do:

That is, remove the check from "Allow Media to auto-play" and "Play media attached to other avatars".

Update: I guess you should also remove the check from "Streaming music: Enabled" (forgot that one).

The drawback is that you have to press Play in the viewer whenever you really want to listen to the music or watch the HTML-On-A-Prim thing, but that may be a small price to pay to keep your RL identity safe.

