So... this is where we came up to...
(/me lights up a cigar and takes a deep puff)
It seems that more and more of you keep having problems about some people cracking your second-life account passwords, emails IM software and so on. (mostly around bloodlines). And for some universal law that is about to be broken I ... I ... (*frowns*)
... well lets just say that I must be extremely drunk or completely out of my mind to be writing the following as if it would even be worth to try to ¨teach¨ something to these people but then again even intelligence goes on vacation for a few minutes sometimes.
I will probably hate myself and all this post tomorrow, but then again do i like anything ? .... so equilibrium will be maintained.
Note: If you do not understand any or the linked terms/words; click them to know its meaning. And send this to other people, specially bloodlines people
First: You have to understand that these people are NOT hackers. They are simply script kiddies or at most; crackers which in other words mean untalented, dumbass, dirty people who use specific software tools that were made by experts in a devious way .
Second: If you run windows you have a lot to worry starting by the way the operating system is constructed to the way it is by set default and then how it is administered and ending on how the market want it to be vulnerable.
If you Run a MAC (UNIX) or Linux well .. you are by default much more protected while maybe having to worry (if you are a MAC dumbass - *BSD does not include dumbasses) with some rootkits for Unix / Linux and assuming that you are not a noob) you can skip everything else that i will write bellow because if you know how to use it you have brain starting by the fact that you use it.(*bsd/linux)
As for MAC users .. you might still glance your eyes around since most of you have no idea how your system works. And windows users you definitely NEED TO READ IT.
Trojans, vírus, adware, spamware, rootkits, malware, spyware, backdoors (not your ass), etc , etc and the list never ends) is more than available for your system and can and IS used against you by default.
Are you still reading ? *damn* you must not be a bloodlines player !!
Third: The security of an operating system relies in 2 things.
The software used and and how it is administrated and keep in mind that no matter how well the operating system is managed by having the latest anti-virus the latest firewall and the latest security updates, it will still be as weak as the human factor behind it and that's where social engineering comes in and all your I.T noob expertize goes down the drain.
While i will try not to cover here methods that allow a cracker to obtain what he wants i will have to refer to some.
Make sure you understand the linked words and expressions. The following may contain ¨wording¨ that may not be simple to most computer users and if you are a noob windows computer user... well just do what i say for you own good and shut up because i don't have the time to explain you people why it should be done the way i say.
1: A few basic rules about creating MORE secure passwords.
Never create a password that uses a name/word that is something related to you. Such as family names, favorite stuff, personal stuff (even if only you know it) and so on. So NEVER use personal stuff to define your security methods but if you are dumb enough to do it; then make it complicated to be found or figured out.
For example: The word ¨dumbass¨ makes a 56 bit password. Not only it is easy to figure out against dictionary attacks or brute force attacks it is also very low in encryption bits.
Turning it into: Du/\/\B@5$ not only makes it harder to crack with specialized software as even to figure out by someone else; even if you tell to some social engineer that you are a dumbass and that is your password. On top of it the encryption goes up to 80 bit. (now you are a dumbass with style)
The higher the encryption the harder it is to crack even by the experts.
Never use the same password for more than one record/login. If you do and that record/login gets compromised; the first thing the attacker will do is to try rely on your human weak factor and use it to try your other accounts.
Preferably you should also use a different email for each account/record/login. Some email services will allow you to create email alias for your main email account If not, create a new email.
Do NOT MIX your personal email accounts with hobbie stuff. If you have a business SL avatar keep it away from any kind of conflicts.
If your second-life password is 16 characters long make it worth the size. The more variety of characters you use the better (letters, numbers, symbols). If you do it less than 128 bits; then REDO IT ! Same is valid for any other type of logins/records. (always go as high as you can with encryption bit rate)
Storing passwords in your browser, SL viewer and internet applications is dangerous by default and if you use internet explorer for that, then you should get all of them stolen. You deserve it!
If you are going to store passwords on a browser make sure of 2 things.
- You don't use that browser for anything else other than to have your password stored there for fast login access
- Make sure that the browser will ask you to insert a master password for you to use it first.
For example use something like opera for saving secure passwords and lets say firefox for regular browsing.
Make sure you do not allow cookies on that secure browser that you don't known what they are and have browser always to delete it's latest activity records soon as you close it.
Always use secure https:// when creating accounts or access your accounts in any site if they provide secure logins.
Storing passwords on your second-life client viewer is NOT SAFE either even if the only thing you see there is [***********] . The password is stored in a specific file that can be easily decrypted and obtained. It can even be obtained by others from your SL viewer !
And if you use something like: --login Avatar Name to fast connect to the grid; that means storage of the password in clear text. (even easier to obtain no matter how high is the quality or complexity).
Second-life client viewers:
There is an endless amount of sl viewers (and more) out there, some almost open source, (lets not confuse with freeware) others less open source but most are copies from others. Are they good ? Well sure they work and they sure work in ways that most of you don't know. Ever heard about that one viewer that was great for griffing ? How about that one that was awesome to evade bans ? The list is long and quite a lot of these viewers have ¨hidden secrets¨ and vulnerabilities that can and ARE USED either by the creators of by those viewers or by those that found about the secrets and backdoors.
And for what ? For your SL account (lets not talk about RL identity theft too). Nothing comes free online unless is truly open source and clean from methods of obtaining information from the people that use it.
The same goes for all those ¨dark¨ tools and attachments that some dumbasses like to use around to play with fire. Sooner or later you will get burned. They can and are used against you.
Use the official and approved SL viewer by LL (way less chances of security problems) or if you know how to build, modify or inspect the source code of one; then do it yourself from the official source code. (read this)
While the official viewer/client that LL provides is not fully open source it does allow to inspect and build your own modifications to do what all others do if you know how.
The list of other SL viewers is bigger than 30 and if you want to check something fully open source, take a look at meerkat. (beware of those wicked thug SL viewers)
As for all you emerald lovers... well... if i was you ... i would stick with the official one.
Attachments and scripts in world:
The more free they are the more likely you are to pay in some way (for most of the cases). Do not accept anything from anyone that you don't know even if it looks like a landmark (specially around bloodlines - you will get bitten sooner or later) and if it is a landmark; ask for the slurl address instead.
Scripts can also spy you and this means connect to places that you don't know to provide the scripter with whatever info he/she wants from you. The only way you can be sure of whats happening is by performing traffic analysis (sniffing) on your own connection to see what it is going on.
Do not buy stuff around cheaper than what the official place sells it such like bloodlines products (YOU WILL be scammed sooner or later!!) When you buy... try to buy from reputable name ( i am not defending bloodlines here)
Secure communication in world:
While some SL viewers provide you the option of chat encryption like emerald and meerkat to avoid being spied in clear text (which is good); once again the viewer can have a backdoor or it may be vulnerable to in-world M.I.T.M.
Move your chat to something like skype (skype is not the best! its just an example) which provides encrypted communication and by using a second chat channel apart from Second-life to be in touch with in-world people; the chances of being successfully spied are VERY VERY slim to none.
Someone gave you some program to install on your operating system:
DO NOT install it ! Ask for the URL of that software for you to see what it does. Microsoft Windows users do not accept .executable files from your SL friends specially if you are a woman and he is a guy. And if you are a guy and you are taking it from a woman, then you are thinking with your penis and you deserve any possible the dirty outcome.
There are methods that allow any dumbass to create and bind a trojan executable inside of a regular software application that will even disable or get your firewall, anti-virus and other protection software alike; ¨numb¨ allowing him/her them to access your system without you knowing.
This will allow them to plant keyloggers which will record EVERYTHING you type and see; even if its complex passwords like: Du/\/\B@5$ if you type them manually.
(see also hardware keyloggers - not detected by protection software)
Using your accounts at someone else's place:
Well.. if you do that and the other person performs traffic analysis (sniffing) there and even uses keylogger on his/hers system to fish you or for his/hers own security; then you will be fished.
Important note: If the other person has some problems with LL regarding their in-world douche bag activities; once you login from their hardware and static ip; YOU WILL be under close attention too and in some cases your account will be suspended if needed or if your deepshit buddy got his suspended. IT WILL ! Do not doubt !
Using wireless:
If you use some else's wireless you are in it to get fished like the above example of using your accounts at someone else's place if the wireless owner wants too. (unless you VPN or SSH tunel to your trusted remote computer)
If you use your own wireless; make sure you use it with encryption of at least 128 bit to 256 bit (or higher) and wpa*-psk.
Wep keys can be cracked in 5 minutes and even some wpa*-psk. are vulnerable to certain kinds of attacks but at least wpa*-psk. will make life way harder for ant attacker to the point if quitting on the attack.
Use a cable as much as possible. It´ s faster !! and more secure starting from your neighbor. (maybe you have one that hates you or thinks you stink) or some second-life bloodlines war driving stalker ex-deepshit.
There is much more to say about all this but if you survived until now (which is mind blowing since you are not reading gossip); here goes some good tips as options to secure yourself.
Some security advices:
One of the best software applications out there to create extremely secure passwords and encryption them on file. This means that even if the attacker gets the file; he/she wont be able to read it. You can copy and past passwords in "shadow" mode and hide them from the database menu preventing keylogger screenshots or remote monitoring spy technical methods.
The following software if fully open source and is available for windows, unix and linux and also in a portable version.
It is a very full featured application with all sorts of secure options.
A very similar one http://keepass.info
If you need to access stuff like home banking ina very secure way use a linux live cd.
In short a linux live cd runs a linux operating system from a cd or dvd.
These are not build with Trojans, vírus, adware, spamware, rootkits, malware, spyware and not vulnerable to them by default.
You DO NOT need to install it! Simply run the cd when the computer reboots and load it.
( try something like knoppix live dvd)
Social engineering:
Some simple reading about the subject can be done from a well known master of it by the name of Kevin Mitnick. Easy reading;. Soft stuff for the noobs. (no gossip girls...) (The art of deception).
More complex readings regarding the subject and computer security can be done from Bruce _Schneier (website) (this one goes for *nix users mostly)
Identity Theft Toolkit (SMALL book and easy reading)
Now for the elite computer users:
To finish all of this you can always use your custom build SL viewer on your *nix box running a SCSI true-crypeted file system with usb fingerprint ID boot system after bios password settings and grub 256 (or more) bit password prompt logging in with a restricted games user provided with only 1 to 3 OS process for your user on a system that is protected by iptables, snort, and tcp dumped by something like wireshark. If you have to go online and you are not using your box, simply connect to it remotely through VPN or SSH 4096 rsa encrypted tunnel by user@ip and forwarding X if wanted using a live cd.
(i am not even going to bother to add links to those last lines)
Now that i lost 100 pounds sweating while writing all of this ...
(/me *spits the rest of the cigar out*)
.... and now that i have pretty much ruined my reputation in-world with this post i hope you all ignore it and get your accounts cracked because you deserve it for being dumb by choice and if i see you in-world; there is only 2 ways that thing can end....
and in both of them YOU die ...
*frowns hard*
... /me lights up another cigar ...
... damn noobs ....