I have tried to stay away from the security issue, not because I don't think it's important but because I didn't want to spread panic when I only have half the facts.
Linden Lab have neither confirmed nor denied these rumours; however, there's now a thread over at SLUniverse discussing the serious security allegations.
There appears to be an issue. Konner McDonnell had earlier reported the statements from Cocky Dagger, which generally caused people to say "He runs an exchange, how can you trust him?" However, it seems that this might be bigger and deeper than we'd all like.
However I do wish Linden Lab would at least say something, either "We've got it under control" or "This is a load of old bollocks". The silence is deafening.
Now I've been fed information by a couple of trustworthy sources, we'll call them deep voice and dark throat (as dark voice and deep throat would just sound wrong) as codenames. They both pretty much confirmed this security flaw, especially in terms of ATMs, although I'm reliably informed that SLX is safe. Phew!
General advice seems to be to make your items no copy for the time being, pass it to an alt and pass it back then hopefully you're not going to have your hard labour ripped so easily.
However, now, the conspiracy part: how the bloody hell did anyone find out about this exploit? Allegedly this isn't a staring-you-in-the-face exploit.
For all of Linden Lab's transparency, there are times when they simply aren't transparent and whereas I can understand their reluctance to talk about this issue, it really is time for a statement.
Being naked is often the best choice!
- Ciaran Laval's blog

ACE Responds
This exploit, however it was, allowed several alts to steal copies of each exchange's ATM. The perpetrators were able to withdraw 700k from Cocky Dagger's ISE and 300k from VSTEX, but none from ACE or SLCapex, although they did make fraudulent deposits to each's website; no actual money was deposited.
We have since worked with the other exchanges to tighten up security all around. At ACE we've added a number of verification checks to every ATM transaction, including owner, owner UUID, account holder UUID, and whether the ATM is online or authorized (these last two checks were already in place; however, they seem to have been messed with by our former sysadmin, Yukiko Omegamu). We have added a number of others and will also be checking the ATM owner's SL transaction history XML file to ensure all withdrawals and deposits are valid.
Essentially we do not inherently trust any in-world object, simply because LL has proven to be so bad at ensuring the security of user content.
ACE did not lose any deposits in this, and we are now fully operating with 15 actively traded companies and over a half dozen in IPO.
Deposits have increased markedly since then as the public has gained confidence in ACE, and our trading volume is running over 1 million shares a week, making us the second largest exchange by several metrics.
Given our interest in restoring investor confidence to the entire financial sector, we are providing code to the other exchanges so that all investors can have trust that their transactions are secure.
For further information, you can check out http://www.ace-exchange.com
IntLibber Brautigan
ACE Chairman
CEO BNT Holdings
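The comment above describes the defensive principle (never trust a message from an in-world object, since it may come from a stolen copy of the real ATM) and lists the server-side checks: owner name, owner UUID, account-holder UUID, the ATM's online/authorized flags, and a cross-check against the owner's transaction-history export. The following is an added example, not ACE's or any exchange's code, showing how a web service could apply those checks to a deposit or withdrawal report. The registry layout, request fields, UUIDs and the XML export format are all constructed assumptions; Second Life's real transaction-history format is not reproduced.

```python
"""Server-side verification of an in-world ATM transaction report.

Added example (hypothetical), illustrating the checks described in the comment:
the exchange's own records, not the in-world object, decide whether a deposit
or withdrawal is real.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class AtmRecord:
    """The exchange's own record of an ATM it deployed (constructed layout)."""
    owner_name: str
    owner_uuid: str
    online: bool
    authorized: bool


# Constructed identifiers; not real Second Life keys.
OWNER_UUID = "a1b2c3d4-0000-4000-8000-000000000001"     # legitimate ATM owner
HOLDER_UUID = "f0f0f0f0-0000-4000-8000-000000000042"    # exchange account holder
STRANGER_UUID = "a1b2c3d4-0000-4000-8000-00000000beef"  # owner of a copied ATM

# Constructed registry of deployed ATMs, keyed by the id each ATM reports.
ATM_REGISTRY = {
    "atm-001": AtmRecord("Legit Owner", OWNER_UUID, online=True, authorized=True),
    "atm-002": AtmRecord("Legit Owner", OWNER_UUID, online=False, authorized=True),
}

# Constructed account database: account-holder UUID -> exchange account id.
ACCOUNTS = {HOLDER_UUID: "acct-7"}

# Constructed, hypothetical transaction-history export for the ATM owner.
# "in" = L$ received by the owner, "out" = L$ paid by the owner.
HISTORY_XML = f"""<transactions owner="{OWNER_UUID}">
  <transaction id="t-1001" direction="in" counterparty="{HOLDER_UUID}" amount="500"/>
  <transaction id="t-1002" direction="out" counterparty="{HOLDER_UUID}" amount="200"/>
</transactions>"""


def parse_history(xml_text):
    """Map transaction id -> (direction, counterparty, amount).

    The export is the exchange's own download, so the stdlib parser is used;
    an export fetched from an untrusted source should go through defusedxml.
    """
    root = ET.fromstring(xml_text)
    return {
        t.get("id"): (t.get("direction"), t.get("counterparty"), int(t.get("amount")))
        for t in root.iter("transaction")
    }


def verify_transaction(request, registry=ATM_REGISTRY, accounts=ACCOUNTS,
                       history_xml=HISTORY_XML):
    """Return the list of failed checks; an empty list means the report is accepted.

    `request` is what the in-world ATM script reported (constructed field names):
    atm_id, owner_name, owner_uuid, account_uuid, kind ("deposit"/"withdrawal"),
    amount, txn_id. Every field is treated as a claim to be verified.
    """
    failures = []
    atm = registry.get(request["atm_id"])
    if atm is None:
        return ["unknown ATM id"]
    # A stolen copy runs under the thief's ownership, so these two differ.
    if request["owner_name"] != atm.owner_name:
        failures.append("owner name mismatch")
    if request["owner_uuid"] != atm.owner_uuid:
        failures.append("owner UUID mismatch")
    if request["account_uuid"] not in accounts:
        failures.append("unknown account holder UUID")
    if not atm.online:
        failures.append("ATM offline")
    if not atm.authorized:
        failures.append("ATM not authorized")
    # A deposit must appear as L$ received by the owner; a withdrawal as L$ paid.
    expected_direction = "in" if request["kind"] == "deposit" else "out"
    entry = parse_history(history_xml).get(request["txn_id"])
    if entry is None:
        failures.append("transaction not found in owner history")
    elif entry != (expected_direction, request["account_uuid"], request["amount"]):
        failures.append("transaction details do not match owner history")
    return failures


if __name__ == "__main__":
    legit = {"atm_id": "atm-001", "owner_name": "Legit Owner", "owner_uuid": OWNER_UUID,
             "account_uuid": HOLDER_UUID, "kind": "deposit", "amount": 500, "txn_id": "t-1001"}
    print("legit deposit:", verify_transaction(legit))
    print("phantom deposit:", verify_transaction(dict(legit, txn_id="t-9999")))
    print("copied ATM:", verify_transaction(dict(legit, owner_uuid=STRANGER_UUID, txn_id="t-9999")))
```

The history cross-check is what defeats the "fraudulent deposit" case described in the comment: a copied ATM can claim any deposit it likes, but the owner's own transaction record will not contain it, so the account is never credited.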
300K from VSTEX?
It must be noted that the number is completely made up. All of the L$ available at the time of the ATM incident are there, where they are supposed to be.
VSTEX was the first to report the issue, the first to shut down the ATM network, and the first to apply any needed fix, along with some additional features, before ACE posted a public offer to share code that we didn't need at that point.
Over the last days we've been in touch with ISE and SL CapEx, sharing all the info we had with them. Those are the exchanges we like to cooperate with. ACE business practices are not compatible with our ethical standards.
Samantha Goldflake
VSTEX Communication and Public Relations Director
http://www.vstex.net
Actually...
While we were the last to find out about this exploit (as is typical, people like Samantha et al leave us out of the loop) ACE was the first to reopen its ATMs and never ceased trading activity. The 300k figure we received from officials at the other exchanges.
It is unfortunate that Samantha has, since ACE was founded, tried to invent some sort of rivalry with ACE. Other than VSTex sheltering what we now know became scammers like Jasper Tizzy and company, we've never had an issue with VSTex management. All I can chalk her hostility up to is anti-competitive jealousy or something.
ACE has always stood for amity between exchanges, and sharing information and code to improve security. We shared code with L&LBT and SLCapex over one exploit previously, for instance.
ACE has also operated by the highest ethical standards, insisting all companies listing here meet SLEC IPO listing standards. I personally restructured the stock of BNT, and eliminated many millions of my own personal wealth so that BNT complied with the SLEC 60% rule, even though BNT was grandfathered against that rule, merely to set an example.
CEOs recognise our high ethics, which explains why ACE is the ONLY stock exchange that is still growing in the SL markets. Our public listings have grown by 50% in the last 6 months, and we have several IPOs in their offering stage, while the other exchanges have none. Our average weekly volume in L$ and shares has placed us solidly in 2nd place in the SL markets behind SLCapex.
This growth demonstrates that the investing public trusts ACE and how we do business. It is unfortunate that Samantha lets some professional jealousy get in the way of bettering the SL markets for everyone.
IntLibber Brautigan
Chair, ACE
VSTEX comment
First off, I confirm that the 300K L$ figure Brautigan keeps reporting, no matter the source, is just a number with no correspondence to our records.
However, credit given where credit is due, I can confirm the lots of love we always got from ACE. For example, they loved so much that they were using our name as a keyword in their classifieds. So sweet and cute.
Nothing more to add right now, besides confirming that we'll keep searching for mutual agreements with SL CapEx and ISE, since those business entities do operate on standards comparable to ours.
Samantha Goldflake
VSTEX Communication and Public Relations Director
http://www.vstex.net
Thanks for the update
Thanks for the update Samantha. Although I think in situations like this it's good to share the information even with companies you're not so friendly with.
Apparently this got Linden Lab's attention.
Cocky posted an update alluding to LL "handling" the issue where the ATMs are concerned. In my eyes, handling the incident does not equate to resolving the issue. All things considered, I've found myself on the verge of writing LL off altogether.
Ciaran, I'm probably going to put the final touches on my article tonight. From an exchange perspective, the story has been told and the article has served its purpose. If you're pursuing the bigger picture, let me know if I can be of any assistance.
km
I just got some info on this...
Even sweating outside, my connections are still working. ;-)
Second Life Consultant
Wonderful.
I'm sure people will look forward to seeing your writeup.
I'm glad you folks are staying on top of this.
It's a pretty big deal, and while I am out of the loop at present I am very interested in this issue for a variety of reasons. It is very disturbing that Linden Lab hasn't said anything about it, but then... that has always been the Tao of Linden Lab when it comes to such things. In this case, it may be that they simply don't want to spread dread, but if that is the case they may have eaten the wrong fortune cookie.
I agree. People need to know. There are legal implications as well... this might be worth talking to Benjamin Noble (VirtuallyBlind.com).
Yes, I am still alive. Recovering from fire ant bites after planting mango trees, if you can believe it...
Second Life Consultant
Legal Implications
Interesting discussion; I've been on the road and missed most of this one.
From a legal perspective, it's actually fairly straightforward.
First, theft is theft; it doesn't matter if the victim exchanges are procuring funds in violation of a dozen finance regulations. If somebody found a way to steal something of value from them (e.g. Linden dollars) the exchange owners could reasonably complain to the authorities. Of course, theft involves taking "something of value" -- and admitting that they're exchanging stock in companies for "something of value" might not be the smartest idea in the long run. Even if they wanted to risk admitting that they're providing a means for users to exchange money for unregistered securities, getting a prosecutor to care is going to be tough sledding, particularly given the amounts involved.
Second, regarding the intellectual property issues, copyright law doesn't really care how a thing is copied, just that it is, at least for "direct infringement." In other words, if I'm a guy who wrote the script for an ATM and someone copies it -- whether via an exploit or because I carelessly left it exposed -- I have a claim. The mechanism isn't as important as the act of copying. Consider: books are right out there in the open, it's the act of copying one that gives rise to the claim, not working around any security provisions.
Finally, a "vicarious infringement" or "contributory infringement" claim against Linden Lab for not patching this faster isn't very plausible. The legal standard for indirect infringement (the catch-all category for vicarious and contributory infringement) is fairly high. For "contributory infringement" (which is what keeps getting file sharing software makers) the rule is that the provider must substantially participate in the infringement, such as inducing, causing, or materially contributing to the infringing conduct. Basically, that means providing a device or service that facilitates infringement, where that device or service has no substantial use other than infringement. Vicarious infringement involves being in a position to control the direct infringer and benefiting financially from the infringement. An argument could be made on both of these, of course, but it would be an uphill, expensive battle and I'd not give it very good odds based on the facts outlined above.
VSTEX comment
Provided that our activities are completely legitimate, in the aftermath of this incident, not a single L$ was lost on our side.
We cooperated with SL CapEx and ISE, we passed on to Linden Lab all the info we could collect. Both Harry Linden and Echo Linden have been very supportive and helpful.
Besides a couple more white hairs on our heads, nothing has happened. Something real bad could have happened, I won't deny that. I'm not a software engineer, so I can only imagine the complexity of Linden Lab's server software.
They are doing great work. Time to move on now, VSTEX is back to normal.
Samantha Goldflake
VSTEX Communication and Public Relations
http://www.vstex.net
On the mechanism of copying...
I believe - I haven't touched on it recently - that reverse engineering a mechanism to copy may be a violation of the DMCA in certain instances, which would be a separate issue... if I'm right?
Second Life Consultant
That is right --
That is right -- circumvention can violate the DMCA, separate from direct copyright liability.
http://www.chillingeffects.org/anticircumvention/
Fugazi
Take care of yourself. Let us know if there's anything we can do from afar, particularly where Y2P is concerned.
I'm sure you're aware that your virtual surname is a bit of US Army slang. So, where those fire ants are concerned, try not to live up to it. Be well.
km
Security Issue, not just for exchanges
I believe there are some thinking, well-meaning avatars that have nailed this issue. It is the lack of response from the Lindens regarding another episode of fraud, and I cannot help thinking they hope that the stock market will simply hang and twist in the wind, with no help on their part. It is obviously in the best interests of LL for them to investigate, ban, and punish perpetrators of the SL common good. So why won't they do it? Is there some animosity regarding their wrongful closing of legitimate banking institutions still? And yes, this does exceed the realm of LL when you are in fact copying a device as if it is your own, to use for personal gain, in fact a violation of DMCA!!! Is there a Linden that might care, or whose title might require them to correct an error in favor of the common good?
Cliff