Some here may recall “The Wrong Hands” theft, via espionage, of documentation belonging to the JLU. Scummy as that was, Tux Winkler has sunk to a new low… Using Second Life residents as pawns in his personal war against the JLU and peacekeeper groups in general.Tux maintains that he has no association with The Wrong Hands, or Woodbury, despite the facts otherwise, including documented Twitter communications with Tizzers Foxchase.
Tux has for several months now been tracking JLU members and other residents he has a grudge against on his publicly accessible web site. Despicable as this is, Tuxes claims that this is compliant with Second Life Terms of Service is correct from a technology standpoint – it uses nothing not already publicly available to achieve his goals.
Tux makes the claim on his site that “This page simply lists the JLU members (former, confirmed, suspected and friends). It uses only the tools provided by LL and no exploits.”
This is true, unless you count:
- exploiting residents, by utilizing ‘hidden’ functionality in freebees.
- exploiting land owners and open land permissions by hiding spy prims on their property without their permission
- listing not only online status but their locations as well, enabling the page as a tool for stalking residents of Second Life. See Terms of service regarding incitement/ encouraging others to violate ToS. While this last is not an exploit per-say it does sow the point of concern here. Listing this information publicly exposes those residents to harassment.
Related to these is section 8.3 of Second Lifes Terms of service, which states:
8.3 You agree that you will not post or transmit Content or code that may be harmful, impede other users’ functionality, invade other users’ privacy, or surreptitiously or negatively impact any system or network.
You agree to respect both the integrity of the Service and the privacy of other users. You will not:
(i) Post or transmit viruses, Trojan horses, worms, spyware, time bombs, cancelbots, or other computer programming routines that may harm the Service or interests or rights of other users, or that may harvest or collect any data or personal information about other users without their consent;
This functionality of the freebees , being hidden, easily classifies as ‘spyware/Trojan’.
The devices also appear to track not just League members and friends, but anybody with whom Winkler has ever crossed swords, or that might do so in the future.
On tips received , JLU members acquired a number of freebies Tux Winkler had created and was distributing to new and old residents alike. These items were examined and compared with Tux’s public tracking page. An interesting fact emerged: when the members teleported with these freebies attached the tracking page updated!
The Items identified so far are :
- “DISTURBED Online Status Board” – Rezzable Status board
- “E-Howl v2.1″ – wearable on AV communication device
- “PAO Hearts an Hugs” – wearable AV device to give hugs and kisses
- “-= Disturbed Photo Booth v2.05″ – rezzable structure to take photos
Each includes a script left no mod named #.- DO NOT DELETE THIS -.# Removal of this script does not harm the freebies in any way but, surprise surprise , the tracking functionality stops! This was verified several times and double tested by inserting the same script into a ‘blank’ prim, at which point the traces would again update.
Now, speaking strictly for myself, I have no real issue with my in-world location being known. However, the underhanded use of residents as pawns like this is utterly deplorable!
Until Linden Lab steps up to bat on this I am not sure if this sort of shenanigan is AR’able or not, so let’s not be hasty with those mouse clicks. I will say this however, if you do not enjoy being used as a pawn – if you feel as disgusted by this as I do:
- Delete any objects you own created by Tux Winkler.
- Share this information with friends and land owning residents.
As of at least yesterday Tux Winklers public tracking page is giving the appearance of being down. I say appearance as the PHP script is still clearly there but returns only the line “404 – page missing”. This is not a genuine 404 error but rather the output of the script. What this means is unclear, but it does seem that at least the Location tracking has gone non public. I still advise residents to be wary of the above mentioned Freebees and other suspicious items.
Genuine 404 is a full HTML page, not a single line of plaintext, were the script actually missing the error would look like the following:
The requested URL /XXX.php was not found on this server.
Apache/2.2.8 (Ubuntu) mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at www.XXX.XXX Port 80 The actual URLS have been expunged for Krypton Radio Reader safety
The fact that the page is returning a false 404 error simply means the system is not publicly visible and may well still be in use. It should be noted here that other attempts to generate a “page not found” error on Tux’s web site produce a genuine 404 error – only this one page on this site produces a fake 404 error, so this one is confirmed as a red herring. Were Tux to actually have removed the script the above example 404 would have shown, instead he chose to obfuscate, having the file jlu.php echo the line “404 – page missing”. Extra work, when simply removing the script would have done . We are left to ponder why, and this leads credence to the idea that there is more going on here than meets the eye.