[sldev] Lookup Tables and Texture Bugs
Jason Giglio
gigstaggart at gmail.com
Thu Jan 25 08:38:36 PST 2007
Argent Stonecutter wrote:
> The problem isn't IP addresses, it's using IP addresses to
> cross-reference information on accounts. The IP address is shared
> between all accounts belonging to the same person, so if you know the IP
> address of a large number of accounts you can identify which accounts
> are alts.
So what? 64-128-27-131.static.twtelecom.net. Big deal. You exposed
yourself as soon as you hit reply.

I also see you are using a Mac, and you use Apple Mail. Oh no! I'm
going to correlate you now!
> With a texture bug you can gather that information simply by teleporting
> about the grid wearing an attachment. If you release a popular enough
> attachment, you can get thousands of unwitting helpers: You could even
> run a series of alts through Help Island and pick people off as they
> arrived in Second Life.
>
So what? If you have a popular enough web site, you can correlate
thousands of IPs to pseudonyms.

Stop thinking of SL as a monolithic provider. When you visit a build or
wear a HUD, you are visiting content under the creator's control. It's
exactly the same as visiting their web site. It's not a third party
disclosure, LL is only the hosting platform, not the content provider!

This is the way forward that has been outlined in many of LL's long-term
plans. They don't want people to think of them as the provider. The
residents are the providers.
>> Even so, most IRC networks still don't cloak by default. Everyone in
>> #secondlife is exposing their IP and nick! I bet they didn't even think
>> twice about it. It really isn't a big deal.
>
> Again, that's a tiny fraction of the accounts. It's the difference in
> scale that makes this a problem.
>
There are more people on IRC each day than Second Life. There's a
BILLION people sending emails each day exposing their "sensitive" IP
address in a way that correlates their (pseudo)name.

How many posts are there to usenet each day? Ever hear of the
NNTP-Posting-Host header? It's specifically included when in theory the
servers could drop that. Why is that? Why were the creators of usenet
so stupid as to expose this sensitive private information? Why were the
creators of SMTP so stupid as to leave the sender's IP in the Received
headers?

They could have really used your help when designing those protocols.
> It's a useful feature, but the security concerns are real, and
> restricting it to prims in the land group would reduce the problem to
> the level of media bugs.
>
HUDs would be the most useful way to use these. Simply repeating over
and over that the "security concerns are real" doesn't make it true. It
isn't even a privacy concern. Completely untraceable anonymity and
privacy are two different things. The Internet is not designed for the
former.

It's more than a "useful feature", it's a feature that could
revolutionize interactive content in Second Life. It's at least as
important as llHTTPRequest, if not more.
> That will not substantially reduce the scale of the problem, as has been
> demonstrated over and over on the internet, since most people would
> eventually have to enable it just to (as you say) see a world that isn't
> full of loading textures.
>
For the tiny handful of people that care about exposing their IP
address, I'm sure their extreme paranoia will keep them from turning it on.
> +----
> | The object SpyHud by Ima Griefer requests that you download a texture from www.example.com.
> |
> | O Always allow or deny SpyHud.
> | O Always allow or deny Ima Griefer
> | O Always allow or deny www.example.com
> | * Allow or deny this time
> |
> | (Allow) (Deny)
> |
>
That doesn't solve anything. You are asking the user to decide on a
technical issue that they are completely unqualified to decide on.

Besides that, how would you like it if your web browser popped this
window up every time an inline image from a 3rd party site wanted to
load? If a modern browser even could be configured to prompt you every
time for such a thing (can they? I don't think so), the vast majority
of browsers don't by default, that's for sure.

Besides, this functionality is completely available from an application
level firewall. If the user is so paranoid as to care about this, and
competent to make such decisions, they surely already have one.
-Jason