Argent Stonecutter

LOL

They could have a titlebar icon that lets you know there's a media URL not on your whitelist, allowing you to accept, reject, always accept (whitelist), or always reject (blacklist). Preload the whitelist with second life's media server.

__________________
Argent Stonecutter -- Skyhook Station -- Coonspiracy Store

"And now I'm going to show you something really cool."


The previous is a cybernetic datum published - in direct contravention of DoD Regulation #229RR3X3 - as being conducive to the physical, psychological and/or social well-being of the population.

Tayse Caeks

That's an idea.
Oh, hey, do you know much about using mysql through C#?

Jack Doulton

Plug this in: MySQL :: Download Connector/Net
then you can use a mySQL database like you do any other. To get you started there is a code snippet here: How to connect to MySQL 5.0 using c# and mysql connector/net!

Argent Stonecutter

No, I'm more into PostgreSQL from C.

Cincia Singh

And still not a single documented instance of anyone actually being able to do the exploits everyone claims are possible.

__________________
*My concern can be measured in micro give-a-shits, and I'm working on nanotechnology!*

Jesse Barnett

That's because you don't want to see it.

Tayse Caeks

I offered you the script to do it. Learn to read.

Gigs

Would you disable inlining of external images on this board because people were under the misconception that their IP address is private information?

__________________
-
-
"It is the paramount duty of governments and of politicians to secure the wellbeing of the community under the case in the present, and not to run risks overmuch for the future" - JM Keynes

Argent Stonecutter

If you've figured out how to reliably associate fetches of images with specific accounts, do tell. I guess if you use a tagged URL for each image, and someone posts soon enough after your post (or you sit there repeatedly reloading the page to track who's reading it... for the people who don't disable showing when they're online), and someone is logging in as multiple alts from the same address (after clearing the browser cache each time), you might be able to extract a small amount of the information that's trivially available to people using parcel media or shared media...

Tayse Caeks

I think using an in-line image as Etag, and correlate the times of posts or page views(If you can get who viewed a thread at a specific time) in the thread should work.

Tayse Caeks

Using it. For some reason .Parameters.AddWithValue(stuff) isn't actually defining the parameters :\

Argent Stonecutter

Yeh, I said that in the message you quoted. And noted that I'm skeptical. There's a huge difference between that and being able to use a unique non-cacheable tagged URL to dynamically associate an IP address and a non-revocable cookie (account name or UUID) in real time, for every visitor to a location.

Katheryne Helendale

It's never going to be possible to completely secure your IP address while surfing the web, unless you use a proxy; and even then, it is still possible for someone to associate you with your IP address and perhaps even associate you with your posting alts if you use the same proxy long enough. But just because it's not possible to eliminate the chance entirely does not mean we should just not try or hand it to everyone on a silver platter.

It's just like wireless networking: It is impossible to keep someone off your wireless network if he or she is determined enough to get on it; but that doesn't mean you just leave it unsecured.

Or: It's impossible to keep a burglar out of your house if he really wants in bad enough; but that doesn't mean you should just remove the locks from your doors.

__________________

Tayse Caeks

Let me explain further, then: Look at the timestamps on each post in a single thread. If I weren't busy making something at the moment, I'd whip up a quick example, but you should be able to figure out the concept from there.

Argent Stonecutter

I understand your clever scheme, honest.

Posting is very bursty (consider the "ninja edit" phenomenon), and at the same time it has a high and unpredictable latency (I've posted about an article as much as a couple of days after I've first seen it). In addition, timestamps are unreliable. The only time you can be reasonably sure that posting timestamps match views is in a short window after the image has been posted.

AND, this only gets you information about the people actually posting, whereas in SL you can accurately grab an IP address within seconds of someone coming into the parcel, whether they actively interact with any content in the parcel or not.

The scope of the attack is quite different.

Tayse Caeks

Yes, but associating IP addresses within SL fall under the same set of problems as forum username tracking. You can find the IP simply enough, it's the correlation between that and an account name (or uuid) that takes effort in obtaining with any degree of certainty. So I think it is still an adequate comparison.

In any event, that still does not invalidate the point in further securing an environment where you can, at least when usability increases rather than decreases.

Argent Stonecutter

Weren't we just talking about PARCEL_MEDIA_COMMAND_AGENT?

Psyke Phaeton

Why Can't Johnny Have Privacy? | threatpost

__________________

Spitfire Clay

All secondlife has to do is block the lsl function of retrieving the data. That is an alternative rather than blocking the exploit.

Jesse Barnett

uhm, No. Why in the hell would they want to block a useful function?

I have seen two examples given of actual cookie management and either of them would solve the problem with additional benefits.

Tayse Caeks

Oh, hey.. yeah. I'm sorry, for some reason it didn't occur to me that you could iterate through the agents for specific queries with that. Whoops. I was going off the more half-baked notions... carry on!

Gigs

It's way easier than you make out. I'll not post details, but just think about venn diagrams and process of elimination.

It all can be automated as well.

Gigs

Hiding IP addresses isn't security. IP addresses are public information by design.

Ann Otoole

LL is not going to do anything but laugh lol.

Innocent

An IP address is not *public*. Here we are on the same forum, and I challenge you to tell me what mine is. Can you Gigs? The sluniverse admins know it (if they bother to check) and the admins of other websites I visit, but not other users. So it's an exaggeration to say my IP address is "public".

What you keep ignoring, is that an IP address alone may not be of much value to dataminers but an IP combined with a username is potentially useful to rogues. For example if stored in a database of IP+name combinations, it can be used to link alts, which is NOT public information.

But you can keep ignoring that fact, no matter how often it's pointed out to you, and keep on posting the same irrelevant garbage, pretending that the only issue people are concerned about is a user's IP address alone. That gives you something easy to belittle, even if it isn't relevant to what anybody is discussing.