Welcome to the Second Life Forums Archive

Users getting other Users IP addresses

Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
11-26-2008 08:23
From: Desmond Shang
Bottom line, nothing can beat social engineering. It's all too easy to make an alt, befriend the target, get gobs of info or whatever. But at the end of the day, it's a colossal waste of time. Sort of like arguing with a crazy person. You 'win' but so what? In the end, they won more than you did. They got all sorts of personal attention (negative though it may be), your time, your attention, and felt important! Better to just ignore and keep moving forward.

This may sound really boring to those with an itch to scratch, but the true 'win' is eject/ban/mute. The less minutes of your life spent dealing with stupidity is the true victory. If there were any #1 secret to success I'd share - first or second life - it's this. Don't waste time fighting idiots. Just choose your best options and act on them. Pretty soon the idiots will be a small dot in your rear view mirror as you are on to bigger and better things.


Just ignore them, and let them die.
Morgaine Alter
dreamer
Join date: 10 Jan 2008
Posts: 1,204
11-26-2008 08:28
The stalking is a serious issue though, what head trips the other ppl are on while doing so.
The IP is useless, it's letting the stalker get in your head and their alts. Trust me I know.
If she needs to talk tell her to IM me.
~reformed prey.
_____________________
https://www.xstreetsl.com/modules.php?name=Marketplace&MerchantID=125705

From: Phil Deakins
My zip gun stays right where it belongs - in my pants!
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
11-26-2008 08:56
From: Gabby Handrick
Declaring that this somehow makes SL insecure is just not correct in my opinion, if it were you would have to say the same for every web browser or program capable of playing streaming audio or video as well. Do you believe that people who own the servers that provide content should not have the ability to log the ip addresses of people that connect to them?
It doesn't automatically make SL "insecure", however it does provide certain capabilities to the person who has your IP address that are not normally relevant with normal Internet access.

1. Your presence in SL is associated with a non-volatile non-deniable identity: your SL account. This means that someone tracking people by IP address gets a "web bug" to track you with that you can't turn off.

2. If you have multiple accounts, or multiple people are using the same IP address (eg, a place of business, a family with multiple users, or a shared apartment) they can determine this fact. This is being actively used by property owners to "IP ban" griefers... and while this may be a beneficial purpose it seems unlikely that griefers are not also taking advantage of this capability.

3. Because SL uses UDP extensively, there is no session-level mechanism to detect or prevent forged packets being inserted into a stream... even to the extent of TCP sequence number randomization. This means that if there is a vulnerability in the client it may be easier to take advantage of it, if you know their IP address. If you know the IP address of the region they are in the potential for exploits is further increased. The recent mandatory client update was done to close a hole of this type.

Because of this kind of consideration, I have always recommended only using streaming music or video on parcels where you know the people who have the right to set the video and audio stream, and to think twice before following requests to view web pages from in-world content. I am also concerned about the potential of even broader exposure through features like displaying web content on arbitrary prims (ie, beyond the current tricks with the parcel media stream).
_____________________
Argent Stonecutter - http://globalcausalityviolation.blogspot.com/

"And now I'm going to show you something really cool."

Skyhook Station - http://xrl.us/skyhook23
Coonspiracy Store - http://xrl.us/coonstore
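
Point 3 of the post above, as an added example (not code from the thread and not the Second Life protocol): a receiver that trusts only the source address and sequence number accepts an injected datagram, while one that checks a per-session HMAC rejects both the forgery and a replay. The packet layout, key, address and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!I")   # 4-byte sequence number (constructed layout)
TAG_LEN = 16                   # truncated HMAC-SHA256 tag


class NaiveReceiver:
    """Accepts any datagram claiming the peer's address with the next sequence number."""

    def __init__(self, peer):
        self.peer, self.next_seq, self.delivered = peer, 0, []

    def receive(self, src, datagram):
        # A UDP source address is only a claim; nothing here proves who sent it.
        if src != self.peer or len(datagram) < HEADER.size:
            return False
        (seq,) = HEADER.unpack_from(datagram)
        if seq != self.next_seq:
            return False
        self.next_seq += 1
        self.delivered.append(datagram[HEADER.size:])
        return True


class AuthReceiver(NaiveReceiver):
    """Same sequencing, but the datagram must carry a valid tag under the session key."""

    def __init__(self, peer, key):
        super().__init__(peer)
        self.key = key

    def receive(self, src, datagram):
        if len(datagram) < HEADER.size + TAG_LEN:
            return False
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        return super().receive(src, body)   # sequence check also stops replays


def seal(key, seq, payload):
    body = HEADER.pack(seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def demo():
    peer = ("198.51.100.7", 13000)          # constructed address (documentation range)
    key = b"\x01" * 32                      # constructed session key, agreed out of band
    forged = HEADER.pack(0) + b"injected"   # sender without the key, claiming peer's address
    naive, auth = NaiveReceiver(peer), AuthReceiver(peer, key)
    return {
        "naive_accepts_forged": naive.receive(peer, forged),
        "auth_accepts_forged": auth.receive(peer, forged + b"\x00" * TAG_LEN),
        "auth_accepts_genuine": auth.receive(peer, seal(key, 0, b"hello")),
        "auth_accepts_replay": auth.receive(peer, seal(key, 0, b"hello")),
    }
```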
Raudf Fox
(ra-ow-th)
Join date: 25 Feb 2005
Posts: 5,119
11-26-2008 09:21
I think it would be better to say that SL is no more or no less secure than browsing the web in general.
_____________________
DiamonX Studios, the place of the Victorian Times series of gowns and dresses - Located at http://slurl.com/secondlife/Fushida/224/176

Want more attachment points for your avatar's wearing pleasure? Then please vote for

https://jira.secondlife.com/browse/VWR-1065?
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
11-26-2008 09:29
From: Raudf Fox
I think it would be better to say that SL is no more or no less secure than browsing the web in general.
I don't think that it would be better to say that, because I don't believe it to be true.

In some ways SL is more secure, in that Linden Labs acts as an anonymizing proxy and application level firewall between residents... even those who provide services that would on "the web in general" be handled by separate websites.

In other ways SL is less secure, because in SL you have a specific singular location and identity within the grid, and this provides a universal and non-deniable identity that web-bug companies like DoubleClick would sell their grandmothers for.

This means that the behaviors you need to retain such privacy as is possible in SL are different from the behaviors that you need for "the web in general"... and apparently not obvious to the average resident.
Toy LaFollette
I eat paintchips
Join date: 11 Feb 2004
Posts: 2,359
11-26-2008 10:00
gotta love paranoia ;)
_____________________
"So you see, my loyalty lies with Second Life, not with Linden Lab. Where I perceive the actions of Linden Lab to be in conflict with the best interests of Second Life, I side with Second Life."-Jacek
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
11-26-2008 10:20
From: Toy LaFollette
gotta love paranoia ;)
I don't have to love people who are insufficiently paranoid. I've been a network and system administrator long enough that it's amazing I have any sympathy with people who fail to take basic precautions, let alone those who describe them as "paranoia"... but, alas, I'm too nice for my own good.

Which is one reason I'm no longer in that job... uncompensated overtime spent recovering files for my boss the second time they've been bit by the same virus is not a good way to spend an evening.
Marianne McCann
Feted Inner Child
Join date: 23 Feb 2006
Posts: 7,145
11-26-2008 10:20
From: 4318723350112047 String
have you tried being a 1000ft monster and typing on a little keyboard?

it's just sooo obvious!


He-loooo... 1000 ft keyboard! Why do ya tink they make 'em, after all?
_____________________


"There's nothing objectionable nor illegal in having a child-like avatar in itself and we must assume innocence until proof of the contrary." - Lewis PR Linden
"If you find children offensive, you're gonna have trouble in this world :)" - Prospero Linden
Yosef Okelly
Mostly Harmless
Join date: 26 Aug 2007
Posts: 2,692
11-26-2008 10:46
From: Raudf Fox
Huh, my IP is a LAAARRRGE and very rural area, including two smallish towns. Good luck getting more specific.

I have a friend who met his wife through such a challenge. It took him two hours to knock on her door. 90 minutes was driving time.

YMMV.
Crystal Falcon
Registered Silly User
Join date: 9 Aug 2006
Posts: 631
11-26-2008 14:15
Of greater risk is info you share!

A friend included a quote in their profile a few years ago I couldn't translate, in my attempts to do so, googling for parts of the phrase, I found only 3 results during one search. They were all forum posts from the same person and included this apparently unique quote. :confused:

One forum post was in another MMO they enjoyed. Another forum post included an email address and their real name. Part of that email address led to their personal website with pictures and schedules and things. :eek:

They had shared their profession and where they lived in chat (a hugely populated state), so one more search provided their home address and phone number. A search of their name and industry provided their workplace and schedule and employee picture and coworkers.

I was totally astonished all this came from what seemed to be an innocuous quote in their profile and simple web searching curiosity but what they say is true, the system isn't the big risk but how we use it!
_____________________
TP to Crystal's Facets in world:
http://slurl.com/secondlife/Kress/120/5/146/

Shop my natural AO poses, clothing, tools with XStreet:
Dana Hickman
Leather & Lace™
Join date: 10 Oct 2006
Posts: 1,515
11-26-2008 14:19
From: Argent Stonecutter
1. Your presence in SL is associated with a non-volatile non-deniable identity: your SL account. This means that someone tracking people by IP address gets a "web bug" to track you with that you can't turn off.

Obtaining someone's IP address in SL is meaningless. Even matching your account name to your IP is meaningless for the purpose of following someone's movements. In the context of your SL "identity" statement, someone trying to track someone by IP would HAVE to have hacked inside LL's main login/presence servers (or have hardware on the inside like NebuAD or Phorm) to accomplish any of that.
Also, it's not like DoubleClick at all, which uses mass site coverage and persistent cookies to glean websurfing habits. Sounds like what you're referring to is "profiling". Common practice on the web, yes.. but a benefit for a stalker in SL? Not likely... Even if you could, what purpose would trending the names of sims the victim visited in the past serve? It wouldn't be live data, OR very useful for the stalker who lives in the now. I can't imagine a stalker using "I know you went shopping at Sn@tch THREE times last month! Be Ph3@r3d 0f Me !!!" to try to be intimidating... the victim might die from laughter :rolleyes:
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
11-26-2008 14:54
From: Dana Hickman
Obtaining someone's IP address in SL is meaningless. Even matching your account name to your IP is meaningless for the purpose of following someone's movements.
I didn't say anything about "following someone's movements".

Someone collecting IP addresses can cross-reference IP address information and identify your alts (if you're trying to avoid them that way), identify other members of your family or roommates, and so on.

There are people already collecting databases like this to track griefers by IP - they even complained on the blog about the change in streaming video because it makes it harder to collect that information. If there's nobody building up a similar database for less beneficial purposes I would be very much surprised.
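
The cross-referencing described in the post above, as an added example written from a parcel owner's ban-review point of view (not code from the thread): it scores account pairs seen from a common address and lists who else an IP ban would lock out, which is where shared households and workplaces show up. The observation log, account names, scoring rule and `shared_limit` threshold are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed observations: (date, account, ip). Addresses are documentation ranges.
OBSERVATIONS = [
    ("2008-11-01", "griefer_a", "203.0.113.5"),
    ("2008-11-02", "griefer_b", "203.0.113.5"),
    ("2008-11-03", "griefer_a", "203.0.113.5"),
    ("2008-11-03", "griefer_b", "203.0.113.5"),
    ("2008-11-01", "office_1", "198.51.100.9"),
    ("2008-11-01", "office_2", "198.51.100.9"),
    ("2008-11-01", "office_3", "198.51.100.9"),
    ("2008-11-01", "office_4", "198.51.100.9"),
    ("2008-11-04", "griefer_a", "192.0.2.77"),
    ("2008-11-04", "bystander", "192.0.2.77"),
]


def link_scores(observations, shared_limit=3):
    """Score account pairs by distinct days seen on a common IP.

    Addresses used by more than shared_limit accounts (an office, a cafe)
    are skipped: they say little about whether two accounts are one person.
    """
    days = defaultdict(lambda: defaultdict(set))   # ip -> account -> {dates}
    for date, account, ip in observations:
        days[ip][account].add(date)
    scores = defaultdict(int)
    for accounts in days.values():
        if len(accounts) > shared_limit:
            continue
        for a, b in combinations(sorted(accounts), 2):
            # Heuristic: a pair is only as well supported as its rarer member.
            scores[(a, b)] += min(len(accounts[a]), len(accounts[b]))
    return dict(scores)


def collateral(observations, banned_ips, banned_accounts):
    """Accounts an IP ban would also lock out although they are not on the ban list."""
    hit = {account for _, account, ip in observations if ip in banned_ips}
    return sorted(hit - set(banned_accounts))
```

A single shared day, like the `bystander` pair here, is the case the thread warns about: roommates, family members and co-workers look the same as alts in this data.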
Gordon Wendt
404 - User not found
Join date: 10 May 2006
Posts: 1,024
11-26-2008 15:16
My apologies if it's been said before but it should be noted that the only way to even find out a specific person's IP from a hacked up media stream that they are listening to definitively is for them to be the only person on the parcel since you can't tell who's listening to music and who's not short of social engineering people into admitting it and/or cross referencing multiple instances of people listening to streams to see who's on the parcel and who's not in each instance and using process of elimination.
_____________________
Twitter: http://www.twitter.com/GWendt
Plurk: http://www.plurk.com/GordonWendt

GW Designs: XStreetSL

Tod69 Talamasca
The Human Tripod ;)
Join date: 20 Sep 2005
Posts: 4,107
11-26-2008 16:12
From: Marianne McCann
Oh no! People will know I live in a large suburb of a major metropolitan city!


Vee Know Vere You Are! :p
_____________________
really pissy & mean right now and NOT happy with Life.
Dana Hickman
Leather & Lace™
Join date: 10 Oct 2006
Posts: 1,515
11-26-2008 16:19
From: Argent Stonecutter
I didn't say anything about "following someone's movements".

Someone collecting IP addresses can cross-reference IP address information and identify your alts (if you're trying to avoid them that way), identify other members of your family or roommates, and so on.

There are people already collecting databases like this to track griefers by IP - they even complained on the blog about the change in streaming video because it makes it harder to collect that information. If there's nobody building up a similar database for less beneficial purposes I would be very much surprised.

Cross comparing IPs to identify alts.. yes definitely. It was your reference to "tracking" in the second line of the part I quoted that totally sounds like you meant following someone's movements to me.. especially in a thread about stalking *shrugs*
Jesse Barnett
500,000 scoville units
Join date: 21 May 2006
Posts: 4,160
11-26-2008 16:25
From: Tod69 Talamasca
Vee Know Vere You Are! :p

1313 Mockingbird Lane
_____________________
I (who is a she not a he) reserve the right to exercise selective comprehension of the OP's question at anytime.
From: someone
I am still around, just no longer here. See you across the aisle. Hope LL burns in hell for archiving this forum
Tod69 Talamasca
The Human Tripod ;)
Join date: 20 Sep 2005
Posts: 4,107
11-26-2008 16:44
From: Toy LaFollette
gotta love paranoia ;)


Just cuz yer not Paranoid doesnt mean they're not out to get you!! :D
Kidd Krasner
Registered User
Join date: 1 Jan 2007
Posts: 1,938
11-26-2008 16:50
From: Gordon Wendt
My apologies if it's been said before but it should be noted that the only way to even find out a specific person's IP from a hacked up media stream that they are listening to definitively is for them to be the only person on the parcel since you can't tell who's listening to music and who's not short of social engineering people into admitting it and/or cross referencing multiple instances of people listening to streams to see who's on the parcel and who's not in each instance and using process of elimination.

It doesn't have to be definitive. It only has to be fairly reliable.

Suppose you have a scanner on a parcel that logs avatars, and you can get the log from a stream server. If you see an entry at each on or about the same time, there's a good chance, but not 100% chance, that it's the same person. It also depends on how many connections there are to the server, and who else is on the parcel. If you see the pattern repeating itself over a few weeks, then the chances of it being right go up (in a subjective, not statistical sense).

As people have said, so what? It's not useful for that much, in most cases - unless someone wants to seriously attack that IP address. That means keeping your firewall up to date and properly configured.
SuezanneC Baskerville
Forums Rock!
Join date: 22 Dec 2003
Posts: 14,229
11-26-2008 17:04
You can send different streams to different avatars, can't you?
_____________________
-

So long to these forums, the vBulletin forums that used to be at forums.secondlife.com. I will miss them.

I can be found on the web by searching for "SuezanneC Baskerville", or go to

http://www.google.com/profiles/suezanne

-

http://lindenlab.tribe.net/ created on 11/19/03.

Members: Ben, Catherine, Colin, Cory, Dan, Doug, Jim, Philip, Phoenix, Richard,
Robin, and Ryan

-
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
11-27-2008 08:09
From: Gordon Wendt
My apologies if it's been said before but it should be noted that the only way to even find out a specific person's IP from a hacked up media stream that they are listening to definitively is for them to be the only person on the parcel
You can correlate when people enter the parcel (llOverMyLand()) and when they connect to the stream. You can collect information about who's on the parcel and who's listening over time. And, finally, you don't NEED to be certain, you just need to be sure enough for your purposes.

This technique does work, and it is being actively used by people working to identify alts of griefers and ban them.
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
11-27-2008 08:13
From: Kidd Krasner
As people have said, so what? It's not useful for that much, in most cases - unless someone wants to seriously attack that IP address. That means keeping your firewall up to date and properly configured.
SL uses a UDP-based protocol. If you know the sim someone is in and their IP address there are a number of potential attacks that would at the very least DOS them, and that no firewall will ever be able to detect or block unless it's extended to understand the SL protocol at a very deep level. I'm not going to go into details but anyone who's worked on IP security and can read the protocol docs can think of candidates.