Welcome to the Second Life Forums Archive

These forums are CLOSED. Please visit the new forums HERE

Encrypt data stored on computer by SL that could be used for nefarious purposes.

SignpostMarv Martin
Registered User
Join date: 8 Oct 2005
Posts: 68
01-31-2006 17:37
Due to something that I've made a blog post about, I'd like to request that the names.cache file be encrypted, as well as any other files stored on the client side to aid in their prevention for potention nefarious use.

Sites that use the names.cache file to make the data available to the public are known to Linden Labs and this has been true for some time now apparently.

The site that I came across does not promote the mis-use of the information, and points out that the information can be gathered from within SL quite easily.

The site in question just makes it easier for the information to be gathered so that for instance LSL llInstantMessage spam bombs could be made. I've tested the theory and it works. Adam Linden said they will of course take the appropriate steps if someone does this, but I'm slightly annoyed it was allowed to happen in the first place.

It only happened because the files were unencrypted.

Basic point: Do you agree that data such as that held within the names.cache file on your computer should be encrypted in a future release of SL so Linden Labs can help lower the probability that someone will post your Residents' Key onto the net, thus lowering the probability that your key could be used for nefarious purposes such as llInstantMessage and llEmail spam.

feature proposal will be up shortly after this, any other info will be made available upon request. Except for the proof of concept code. I'm paranoid not stupid.

EDIT: feature vote url here: http://secondlife.com/vote/index.php?get_id=978
Masakazu Kojima
ケロ
Join date: 23 Apr 2004
Posts: 232
01-31-2006 19:28
About 16,000 (93%) of my keys are from my scanners for my map, not name.cache. They scan about twice a minute and only exist on W-Hat's plot in Baku. I have several other plots where I could collect keys far more aggressively, and I am sure I could convince quite a few people to wear a key collecting attachment for me.

It'd be a complete and utter waste of time to encrypt name.cache any more than it already is. The keys I already have won't go away. You can't stop anyone from collecting more. If you are really worried about people having your key, or other peoples' keys, you should try to start a good discussion on the issue, and push LL to change their policy on public key databases, or better yet, to develop decent IM/inventory privacy controls. Wasting their time developing a very minor hurdle that many people would enjoy subverting just for the challenge will not change anything. I value my account far more than I value opening my database to the public, and if I was told to take it down I would do it in a heartbeat.

I spent a long time thinking about it before I made my database public. In the end I came to a conclusion similar to the developers of Tor: bad people can already do bad things. My database does not affect a spammer's ability to be a spammer. If someone wanted to send millions of IMs or crash the grid they do not need my database to do it. On the other hand, there are legitimate uses for a key database, and not everybody has the energy or skills to create one themselves. Why should key databases be restricted to people who are willing to break rules, and why should people have to duplicate the effort of everyone else before them if they just want to send their customers an updated product without spending hours on it?

Linden's position has always seemed to be the same: good people shouldn't be punished just because bad people will do bad things. The bad people should be punished for doing bad things. It has its flaws, but in general I think this position has worked well for them. With Ulrika's database before mine, tens of thousands of keys have been available for quite some time. The spam apocalypse has yet to occur.
SignpostMarv Martin
Registered User
Join date: 8 Oct 2005
Posts: 68
02-01-2006 05:29
From: Masakazu Kojima
It'd be a complete and utter waste of time to encrypt name.cache any more than it already is.

The keys are not encrypted at all.

From: Masakazu Kojima
Wasting their time developing...

I would think that Linden Labs would see developing something that would make it more difficult for llInstantMessage and llEmail spam to be sent, not only to their SL accounts but to their personal email addresses as a positive use of time, not a waste of time. As Adam Linden told me himself, if enough residents wanted something, they will usually do it.

From: Masakazu Kokima
My database does not affect a spammer's ability to be a spammer.

It does, as the hypothetical spammer does not need to look for a list of keys. Neither does a hypothetical LSL bomber. I did discuss with members of Linden Labs about the possibility of using PHP to connect to the CSV files, extract the info, parse it and generate the LSL code necesary to make a LSL bomb.

From: Masakazu Kokima
On the other hand, there are legitimate uses for a key database, and not everybody has the energy or skills to create one themselves.

I agree, if the database was on a "submit your own key" basis, and also provided links to innocuous applications for such keys, then I wouldn't have a problem. What I have a problem with is making the keys (specifically mine and my friends) publically available without their permission.

It wouldn't be too hard to setup a simple opt-out procedure on such key databases now would it (heck, I could write one myself if I had the server space) ? If you want me to code you something like that for yours, just ask me in game. Or go onto one of the databases, grab my key and script an IM. (PS, that is not permission to SPAM me, just making a point)

From: Masakazu Kokima
The spam apocalypse has yet to occur.

It's easy to bring about, as I said in my discussion Adam Linden. I know how to do it, I just do not believe in what would effectively be terrorism- taking rash action to prove a point.

Basically, other than the databases being available for use, I'm not seeing any positive uses. If the database were closed and the Jabber support in SL were in place I could.

OpenID servers based on your SL key anyone ?
Masakazu Kojima
ケロ
Join date: 23 Apr 2004
Posts: 232
02-01-2006 06:26
From: SignpostMarv Martin
The keys are not encrypted at all.

Didn't you say, in your conversation with Adam, that the key out of your name.cache file didn't work? Why do you suppose that is, if not encryption?

Here's my key from my name.cache: 9148b7c3-1464-7245-a64a-7092b2e79693
Here is my actual key: a27b84f0-2757-4176-9579-43a181d4a5a0

I will give you that it is extraordinarily weak encryption, but SL's performance is poor enough as it is.

From: SignpostMarv Martin
I would think that Linden Labs would see developing something that would make it more difficult for llInstantMessage and llEmail spam to be sent, not only to their SL accounts but to their personal email addresses as a positive use of time, not a waste of time. As Adam Linden told me himself, if enough residents wanted something, they will usually do it.

How does encrypting name.cache make it any more difficult for llInstantMessage and llEmail spam to be sent? I had sixteen thousand keys before I even looked at a name.cache file. If I started spamming right now, I wouldn't even get halfway through those before I was banned.

What do you propose they do when their new encryption is cracked? Devote even more time to changing it in hopes that it will take longer the next time? It will be cracked, and there is nothing that can be done about it. When the sender, middle man, and receiver are all the same person, they are bound to see the plaintext at some point.

Even if name.cache was done away with entirely, there is nothing to stop someone from creating a program that monitors incoming keys in the background and forwards them along to a database. This would be a lot of trouble to go to for something that can more easily be done in LSL with a scanner though.

The end result of all this is that bad people still have your key. The only people you're keeping it from are the people with a legitimate use for it.

From: SignpostMarv Martin
It does, as the hypothetical spammer does not need to look for a list of keys. Neither does a hypothetical LSL bomber. I did discuss with members of Linden Labs about the possibility of using PHP to connect to the CSV files, extract the info, parse it and generate the LSL code necesary to make a LSL bomb.
Just as there is the possibility of dropping a scanner near the welcome area, collecting the keys, and spamming thousands of people completely from within Second Life, without any external services or knowledge of PHP at all. How many times has it happened?

From: SignpostMarv Martin
I agree, if the database was on a "submit your own key" basis, and also provided links to innocuous applications for such keys, then I wouldn't have a problem. What I have a problem with is making the keys (specifically mine and my friends) publically available without their permission.
A submit-your-own approach does not work because most people have no idea what their key is or what it is useful for. Calling it a "key" makes it seem like a secret, and I don't know anyone who is entirely eager to share their secrets with perfect strangers. Your name is not a secret, and neither is your key.

From: SignpostMarv Martin
It wouldn't be too hard to setup a simple opt-out procedure on such key databases now would it (heck, I could write one myself if I had the server space) ? If you want me to code you something like that for yours, just ask me in game. Or go onto one of the databases, grab my key and script an IM. (PS, that is not permission to SPAM me, just making a point)
I didn't overlook an opt-out procedure, I decided against it. I think it gives people a false sense of security, and encourages baseless paranoia. After reading the previous threads on the issue, it's not enough for most people anyway. Why should they have to keep up with every key database that pops up and go out of their way to get theirs removed? They shouldn't. It achieves nothing.

By the way, I grabbed your key using nothing but Second Life, no modifications, no "hacks," no external applications, from all the way across the world.

INFO: LLTalkView::createFloater: target 83b3987f-xxxx-4275-xxxx-xxxxxxxxxxxx in
session 21c81c8f-b277-0303-1b87-7960bc075395

I blocked out most of your key for you, silly as I think it is. Also, did you know you can search for substrings in the Find window? For instance, "a," "aa," "ab," and so on. From your conversation with Adam it's not clear. Should the Find window be removed, since it can be used to find the names and keys of quite literally every active account?

From: SignpostMarv Martin
It's easy to bring about, as I said in my discussion Adam Linden. I know how to do it, I just do not believe in what would effectively be terrorism- taking rash action to prove a point.
It's just as easy to do it without a database. I know how to do it.
SignpostMarv Martin
Registered User
Join date: 8 Oct 2005
Posts: 68
02-01-2006 08:44
From: Masakazu Kojima
Devote even more time to changing it

From: Masakazu Kojima
How does encrypting name.cache make it any more difficult for llInstantMessage and llEmail spam to be sent? I had sixteen thousand keys before I even looked at a name.cache file

What you and everyone else is doing by creating these databases is creating a database of personal information without the persons permission. Aside from the lack of the relevant functionality, what you have created is an "opt-out" database. Not many people, aside from spam companies like them. Users don't like them cos it means they either have to actively track down every site and request they remove the data (yay for the Data Protection Act)

From: Masakazu Kojima
Even if name.cache was done away with entirely, there is nothing to stop someone from creating a program that monitors incoming keys in the background and forwards them along to a database.

From: Masakazu Kojima
Just as there is the possibility of dropping a scanner near the welcome area, collecting the keys, and spamming thousands of people completely from within Second Life, without any external services


I agree. However, then any such actions would entirely under the control of Linden Labs. If the files are on the computer as weakly encrypted as you have found them to be, then what users do with them is beyond their control. Removing, or at least decreasing the accessibility of the information outside of the grid would be better for all concerned, as it would be easier to see who was doing things for the good of the residents, and who is doing things for nefarious purposes.

From: Masakazu Kojima
A submit-your-own approach does not work because most people have no idea what their key is or what it is useful for.

So develop and promote services that are useful to the residents, and advertise it in world. Then you'd be able to call it whatever the hell you wanted (within reason of course), use LSL to send IMs to a permanently logged out account and parse the requests emails on the server. Aren't there services that do that now anyway ? Making it happen in world makes the submit-your-own approach much easier. Giving instructions online gets more people interested in SL. And L$1000/newbie.

From: Masakazu Kojima
I didn't overlook an opt-out procedure, I decided against it. I think it gives people a false sense of security, and encourages baseless paranoia. After reading the previous threads on the issue, it's not enough for most people anyway. Why should they have to keep up with every key database that pops up and go out of their way to get theirs removed? They shouldn't. It achieves nothing.

That's why opt-in procedures are much nicer. It's the way most of the internet works. Can you name any usefull online opt-out services (aside from governmental stuff, dark nets and P2P) ?

From: Masakazu Kojima
It's just as easy to do it without a database.

No it isn't, you'd have to spend time collecting the data. With the open access opt-nothing database you and others may have then the data is there and its easier as less time has to be spent collecting data.
Masakazu Kojima
ケロ
Join date: 23 Apr 2004
Posts: 232
02-01-2006 09:31
From: SignpostMarv Martin
What you and everyone else is doing by creating these databases is creating a database of personal information without the persons permission. Aside from the lack of the relevant functionality, what you have created is an "opt-out" database. Not many people, aside from spam companies like them. Users don't like them cos it means they either have to actively track down every site and request they remove the data (yay for the Data Protection Act)
Your key is not personal information, nor does it belong to you. The only thing your key identifies is which row contains your user name in Linden's database. With your name, I can look up your profile, I can offer you inventory, I can pay you money, and I can instant message you. What can I do with your key? What does your key tell me about you?

From: SignpostMarv Martin
I agree. However, then any such actions would entirely under the control of Linden Labs. If the files are on the computer as weakly encrypted as you have found them to be, then what users do with them is beyond their control. Removing, or at least decreasing the accessibility of the information outside of the grid would be better for all concerned, as it would be easier to see who was doing things for the good of the residents, and who is doing things for nefarious purposes.
I have no idea what you're trying to say here. Anything I do with your key, no matter how I get it, is entirely under the control of Linden Lab. Outside of Second Life, your key is absolutely meaningless. It is literally a bunch of random numbers. Inside of Second Life, everything that happens is under LL's control. I also do not see how encrypting the name.cache file gives you any insight on what I intend to use my database for.

From: SignpostMarv Martin
-snip-. And L$1000/newbie.
I don't know what you're getting at here either, seeing as I already have my database, I don't stand to gain anything from making it public, and I'm not interested in making money, but I wanted to point out that there is no longer a referral bonus for basic accounts, because it was not announced very visibly.

From: SignpostMarv Martin
Can you name any usefull online opt-out services (aside from governmental stuff, dark nets and P2P)?
I'm pretty sure Google is regarded as one of the most useful services in the world. Maybe you've heard of them. I think the Internet Archive is pretty useful too, even if they did make real personal information about me available to the public without asking first.

From: SignpostMarv Martin
No it isn't, you'd have to spend time collecting the data. With the open access opt-nothing database you and others may have then the data is there and its easier as less time has to be spent collecting data.
You would have to download the data and write a script to decompress and parse it, which seems right on par with writing a script with a scanner to me.
Nargus Asturias
Registered User
Join date: 16 Sep 2005
Posts: 499
02-01-2006 09:46
Well, as has been said. The keys are no private nor personal information. I can drop a maximum-range scanner in my every vendors in world and gather thousands of keys in the next few days. Or, drop them in sandbox and welcome areas for faster speed. And it's still under the rules of SL as long as I do not start sending them all IMs, or agressively follow anyone's movement.
_____________________
Nargus Asturias, aka, StreamWarrior
Blue Eastern Water Dragon
Brown-skinned Utahraptor from an Old Time
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
02-01-2006 10:09
From: SignpostMarv Martin
The keys are not encrypted at all.


Proof you have no clue what you are talking about. They are encrypted, try sending an IM to one of the keys in your name.chache.

Now search the forum for name keys and you'll find you are way way way WAAAAAAY late to chime in on this topic. Philip Linden, i.e., CEO OF LINDEN LABS, has said its fine.
SignpostMarv Martin
Registered User
Join date: 8 Oct 2005
Posts: 68
02-01-2006 10:30
There are many types of encryption. the name.cache data isn't encrypted, it's obfuscated.

If its fine for people to collect data outside of the grid on the residents without the permission, why didn't Bub Linden or Adam Linden mention it to me when I spoke to them about it ?

The whole point behind encrypting the data instead of obfuscating it (which is just lame) is to make it as hard as possible for a resident's personal info to be harvested without their knowledge, outside of the jurisdiction of Linden Labs.

So that you may know what you are talking about, take a look here:
http://en.wiktionary.org/wiki/encrypt
and here:
http://en.wiktionary.org/wiki/obfuscate

the data is not concealed. therefore it is not encrypted.
Travis Lambert
White dog, red collar
Join date: 3 Jun 2004
Posts: 2,819
02-01-2006 10:52
I think Linden should just offer a llName2Key function, and be done with it. It is already easy enough to collect keys in world for a spammer to go nuts.

If abuse occurs, its abuse of the llGiveInventory or llInstantMessage functions, not abuse of the key itself. I don't think the disabling of functions is the answer - rather, give us more control over what we can & can't receive, and punish offenders swiftly.

An Avatar's 'Key' is not any more personal information than an Avatar's 'Name' is, IMHO.
_____________________
------------------
The Shelter

The Shelter is a non-profit recreation center for new residents, and supporters of new residents. Our goal is to provide a positive & supportive social environment for those looking for one in our overwhelming world.
SignpostMarv Martin
Registered User
Join date: 8 Oct 2005
Posts: 68
02-01-2006 23:02
From: Travis Lambert
I don't think the disabling of functions is the answer

Nobody is saying anything about disabling functions.

From: Travis Lambert
give us more control over what we can & can't receive, and punish offenders swiftly.

Linden Labs should also attempt to regain control of the poorly obfuscated data, and make sure it is only accesible within the grid so it is easier to seperate the offenders from the people who wish to contribute to SL related in-grid or real-world projects.
Strife Onizuka
Moonchild
Join date: 3 Mar 2004
Posts: 5,887
02-02-2006 20:26
SL residents have a half life of something like 6 months. Meaning that a large percentage of the database is going to be dead users. While yes, they can be used for evil, just about everything in SL can be used for evil in one way or another. The isn't isn't the key it's what is done with the key. I see this as a non issue. If LL encrypts it, people will just figure out how to decrypt it. Did you know currently the keys are hashed? The users figured out how to decode the keys.

About this time last year I pointed out a similar flaw to the Lindens. Encryption was a possible solution. The responce was similar, encryption won't solve the problem, the users could still collect the data. There isn't a point to locking your car if you keep the windows rolled down. Locking them may slow down any theif but probably not.
_____________________
Truth is a river that is always splitting up into arms that reunite. Islanded between the arms, the inhabitants argue for a lifetime as to which is the main river.
- Cyril Connolly

Without the political will to find common ground, the continual friction of tactic and counter tactic, only creates suspicion and hatred and vengeance, and perpetuates the cycle of violence.
- James Nachtwey
Travis Bjornson
Registered User
Join date: 25 Sep 2005
Posts: 188
02-02-2006 21:08
You can collect avatar keys with a script running in-world. No need for an external file. And I'm not worried about spam in SL at this point, anyway. If it is or gets to be a problem, I think that LL's legal measures are effective when they take the time to pursue them.
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
02-02-2006 21:26
From: SignpostMarv Martin

If its fine for people to collect data outside of the grid on the residents without the permission, why didn't Bub Linden or Adam Linden mention it to me when I spoke to them about it ?


You're looking for an interpretation of policy from a liaison and a web designer?
SignpostMarv Martin
Registered User
Join date: 8 Oct 2005
Posts: 68
02-03-2006 05:35
From: Strife Onizuka
Did you know currently the keys are hashed?

From: SignpostMarv Martin
the name.cache data isn't encrypted, it's obfuscated.

Yes.

From: Strife Onizuka
encryption won't solve the problem, the users could still collect the data.

The point is to only allow the collection of the data within SL.

From: Strife Onizuka
There isn't a point to locking your car if you keep the windows rolled down. Locking them may slow down any theif but probably not.

You'd get a better response out of your insurance company if the car was stolen and the windows were locked in the upright position. Otherwise you'd be really screwed getting anything out of them.
If the data was taken outside of Linden Labs jurisdiction, and used in a not-exactly-good way then you'd be slightly screwed.

From: Travis Bjornson
You can collect avatar keys with a script running in-world. No need for an external file. And I'm not worried about spam in SL at this point, anyway. If it is or gets to be a problem, I think that LL's legal measures are effective when they take the time to pursue them.

I'd think Linden Labs would have an easier time convicting people for the misuse of the data if the data was taken within SL as opposed from a users' HD.

From: Ushuaia Tokugawa
You're looking for an interpretation of policy from a liaison and a web designer?

You want to speak to a Linden regarding misuse of SL data through a website, you speak to a web guy.
You want to speak to a Linden regarding how the database could be parsed using server side technologies (and client side as well) into an LSL bomb, you speak to a web guy.
You want to speak to a Linden regarding Linden Labs' position on the matter, you speak to a liason.

That make sense now ?
Ushuaia Tokugawa
Nobody of Consequence
Join date: 22 Mar 2005
Posts: 268
02-03-2006 06:01
From: SignpostMarv Martin

That make sense now ?


Not in the least, but in my opinion your original issue was nonsensical as well so this doesn't suprise me.
Folco Boffin
Mad Moo Cow Cultist
Join date: 27 Feb 2005
Posts: 66
02-03-2006 07:36
Just to point out the obvious, but the majority of people that you would be able to sway with your paranoia don't read the forums. You might get a handful of people, but not in any way shape or form, anything remotly representing the majority.

As it is, every time you make a purchase from a vendor, your key can be recorded. Every time you interact with any object on the grid, your key can be recorded. Every time you wander about SL, your key can be recorded. I also have a listing of a few thousand keys. And I never even heard of the name.cache or whatever the file is. It's a lot easier to acquire the keys in game than out of game. And takes less time to collect more of them probabally too.

So it doesn't make much differance if you remove the file from your drive or not really.

And as for it being personal information, what does a randomly generated number tell about you as a real life person?

Gah, when will I learn to stop feeding trolls... I'm too nice and don't want them to become extinct I suppose.
_____________________
^-^

Signed,
Gorgarath,
Whom in this game called Second Life,
plays the avatar Folco Boffin,
and in this game called First Life,
plays the avatar John McDonnell.
SignpostMarv Martin
Registered User
Join date: 8 Oct 2005
Posts: 68
02-03-2006 13:31
What is it with all you ignorami bringing up the same damn point about LSL being able to record the damn keys. I know that already, I keep saying I know that so pay attention.

What I also keep saying is that keys gotten from SL either inside or outside can be used for nefarious purposes. What you keep ignoring is that if this does happen it'd be a lot easier for LL if the keys could only be read within the game, as the grid is (in terms of computer misuse) under LL jurisdiction and a users HD isn't.

So whereas in the grid one resident might create a script to log the keys, and another would take this data and create a LSL bomb, both would get in trouble, whereas if the keys were sourced from outside of the grid you'd have to go through a lot more trouble to find out who supplied the keys in the first place.

Then if LL did find who supplied the keys and whatever was done with the keys warranted people being prosecuted, pretty much anyone who submitted to the database would be able to be prosecuted.

At least thats how my interpretation of the Computer Misuse Act goes (aside from the fact LL is US based).

Regarding the whole personal information issue, as I said with the whole parsing the database into LSL script, it'd be possible to get the personal information of everyone in the database. I say possible, it's not a bloody guarantee- as you'd have to fall for something similar to those stupid ebay/bank scam emails.

The time it would take to do the whole thing inside the grid would make it a bit more obvious what was going on, and also slow down the process of getting the info.
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
02-03-2006 13:38
>>>> Yaawwwwnnn <<<<
Folco Boffin
Mad Moo Cow Cultist
Join date: 27 Feb 2005
Posts: 66
02-03-2006 14:05
From: Aaron Levy
>>>> Yaawwwwnnn <<<<

... GAR! Curses! Forgot this isn't phpBB ...
_____________________
^-^

Signed,
Gorgarath,
Whom in this game called Second Life,
plays the avatar Folco Boffin,
and in this game called First Life,
plays the avatar John McDonnell.
Travis Bjornson
Registered User
Join date: 25 Sep 2005
Posts: 188
02-04-2006 01:01
From: someone
whereas if the keys were sourced from outside of the grid you'd have to go through a lot more trouble to find out who supplied the keys in the first place

True, but I don't think it matters who's supplying the keys. They're public information. I think all that matters is who's misusing them. And since probably the only way to misuse them is in-world, the misuse is easy to trace and report.
SignpostMarv Martin
Registered User
Join date: 8 Oct 2005
Posts: 68
02-04-2006 05:48
And the easiest way to catch all people concerned in the misuse would be if the sourcing of the information and the misuse of the information took place on the grid.

If part of it happened out of the grid then it'd be a whole lot harder to stop those people from doing it again.

Are you all understanding the point yet ?
Introvert Petunia
over 2 billion posts
Join date: 11 Sep 2004
Posts: 2,065
02-04-2006 06:00
From: SignpostMarv Martin
What is it with all you ignorami bringing up the same damn point about LSL being able to record the damn keys. I know that already, I keep saying I know that so pay attention.
Insulting people who disagree is an excellent way to win them over.

I have your SL name by virtue of you posting here. Need I list the number of ways I could use that for nefarious purposes if I was so inclined (which I am not)?

If you are so concerned about someone sending you unsolicited IMs, not logging in to SL would be a perfect preventative measure, in case that was not bleedingly obvious. I will make your avatar an aluminum foil hat if you think that would help.
Aaron Levy
Medicated Lately?
Join date: 3 Jun 2004
Posts: 2,147
02-04-2006 06:00
WHAT MISUSE?

Ulrika ran a key collection site for about a year, and there have been other ones running for as long or longer, and there have been no reports of widespread misuse, why make an issue of it?

Do YOU get the point yet, 83b3987f-9520-4275-8efe-3ac13dd3f635?

You're in-world profile says you were born 10/8/05 -- a whole 4 months ago. This key collection debate played out almost a full year before you joined Second Life.
Elberg Control
Wandering Loon
Join date: 24 Aug 2005
Posts: 79
02-04-2006 06:20
The short of it is that some of the things being said here are correct, and some of the things being said here are incorrect.

Unfortunately a great number of the things being said in this thread are also quite pointless.

It really doesn't matter if someone harvests the asset numbers of people's avatars eitherinside or outside of Second Life. There's nothing useful that can be done with the things outside of Second Life (and they're not much use in Second Life, either). This isn't medical information so HIPPA doesn't apply, and what legislation that does exist to protect consumers always seems to have pesky exceptions that cover cases under which anyone in SL could productively bother to harvest these keys.

I could just as easily scrape the forums and collect the names of all the posters, and then generate md5 hashes for each name, and I'd have a database that's just about as useless as what collecting av keys amounts to. (Actually, I take that back... I could later use the md5 hashes as a half-arsed sanity check to make sure data corruption hadn't affected my list of names.)

Without someone's account password, those keys just aren't useful for much of anything so calling for a poll which implies possible prevention of "nefarious" uses of them is simply misrepresentation.
1 2 3