L&L In Trouble; Same Old Situation

Via notecard inworld from The Rock Insurance, Lindsay Druart sends a message to L&L Bank customers. A bit of background will be given after her release:

All Bank Activity Halted Until Further Notice

At about 3:50am SLT, I got an IM from Tyrian Camillo of SLIB stating that someone was depositing fraudulent lindens and to be careful. I looked at the bank records and saw a 10 million deposit from Betatester Allen who then withdrew $20,500. The account was disabled from Tyrian's alert and LL refunded back the $20,500.

I was checking the account to make sure they didn't ding us for 150% as per the TOS and as I was refreshing the screen, I watched the balance drop before my eyes. In a matter of 3 minutes, the ATM located at the Banking and Investment Center owned by Mateo Infinity on Vacit was hacked and payments made to an avatar by the name of Hamid Jewell totalling a little over 3 million linden running the bank avatar down to $24k. The exact total is not known currently since it was several transactions over the period of time and the legitimate transactions of the day are not showing up for me currently.

I have contacted Concierge and the Governance team are working on the issue. The alt account has been halted and the ATM returned. All ATMs are offline until further notice. All current CD accounts will be halted and returned to their account holders at their current balances. We are waiting for LL to finish their investigation and return the lindens. At that time we will evaluate the loss, if any and proceed from there.

This notice will be posted in as many places as possible and given to other banks to release as they see fit. I will update the market as I get information and I will be plugging at Concierge all day. I am taking off my RL job to get done what I can so I will be in world or at least in Gtalk if anyone wants to speak with me at lindsay.druart@gmail.com and I will gladly respond as soon as possible.

I ask that everyone keep calm until I get a resolution to this from Linden Labs. Thank you.

Sincerely,

Lindsay Druart

Background and Commentary

For those of you new to the L&L Bank, it wasn't too long ago when Lindsay Druart rescued SLIB and renamed it L&L Bank and Trust - under very much the same circumstances. This all relates to the well-hidden part of the Linden Lab rules, which can be found in the documentation for the Risk API. The relevant section is this (emphasis mine):

...If Linden Lab, in its sole discretion, determines that a Second Life user has purchased Linden Dollars for real currency through any means other than LindeX, and that the seller of such Linden Dollars acquired such Linden Dollars through fraudulent means, or any other means in violation of the Terms of Service, then Linden Lab will consider the buying user a complicit party in the fraud or violation. As a penalty for participation in such fraud or violation, Linden Lab will reduce the Linden Dollar balance of the buying Second Life account (and/or any Second Life accounts owned or operated by, or affiliated with, the owner of the buying account), by any amount up to 150% of the amount of Linden Dollars involved in the transaction. In addition, repeated participation in such fraud or violation will result in suspension or cancellation of the buying party's accounts. (The selling account will of course be suspended or cancelled on a single fraud or violation at Linden Lab's discretion.)...

Oddly enough, this is not in the Terms of Service or Community Standards of Second Life - something which shouldn't be surprising considering that even the gambling ban isn't covered in the Terms of Service (VirtuallyBlind had an article on that, but I can't seem to find it).

The 'law' of the virtual world of Second Life gives Linden Lab a lot of discretion in deciding what they will do, which may or may not be influenced by a number of factors - including whether anyone slept on the couch last night. There is nothing definitive in how Linden Lab deals with such issues, and I can back that statement up with at least one example.

Lindsay's latest information on her blog indicates losses to the tune of 3 million Linden dollars, with some important information for investors as well as contact information. I imagine Lindsay will be quite busy with all of this.

Personal Observation

It seems a bit strange that Tyrian Camillo of SLIB would know that someone was depositing fraudulent Linden dollars - unless, of course, SLIB had the same problem. More than that cannot be said, but it immediately caught my attention. Granted, I do not like Tyrian's business practices - but that is a completely separate issue.

Also, it seems a bit strange that ATMs are being hacked - no reflection on the banks themselves, but on the software being used. I wrote about that before. Saying something was 'hacked' can cover a lot of things - WSE said the same when in fact they gave people modify rights on their ATMs. This made it look like a technology problem instead of a stupidity issue. I don't believe L&L suffered a stupidity issue - but the issue of banking software in Second Life is now called into question again.

And last, but not least, Linden Lab consistently invokes rules that are not readily apparent to the unindoctrinated - and indoctrination means losing 150% of whatever a fraudulent account drops on you. Who would expect less from Linden Lab?

While there are things that the community can do to make things better - such as standardizing banking software, etc - the onus still falls on Linden Lab to make Second Life better in this regard, as well as others.

Of course, it doesn't help that the Second Life economy is viewed as a product... unless, of course, Linden Lab figures out that it needs desperately to work on its product... at least enough so that it doesn't penalize businesses and Linden Lab customers through these proxies.




Summary, and thoughts

I've posted a brief summary and some of my thoughts on this over at Orient Lodge including a bunch of links to different sources.

I do want to suggest that standardizing banking software may not be a good idea, and in this case, may have contributed to the problem.

To the extent that the software is standardized, a vulnerability can be exploited on all systems using the standardized software. It is the well known problem of the mono-culture.

I think you misunderstand 'standardization' in this context.

In this context, it means that there should be *standards* which have to be met.

Your point on the monoculture is not lost, though. Still, if someone actually wrote something that was open source along these lines and banks contributed toward the common effort of security - they would probably do better than they would alone. Apache is a good example of how that works.

Second Life Consultant

Note....

This is NOT a result of LL's TOS. They refunded the initial $20,500 with no problem. This was a hack of web boxes that hold the data inworld. I have in front of me the IP address and the transcript of the brute force attack on the bank's database. Considering the victim toll is up to 5 banks now, this will get worse before it gets better. The 5 banks are:

L&L Bank and Trust
SL Investor's Bank (Tyrian Camillo, no losses)
Giovinazzo Choice Investments (Barton Giovinazzo)
Whitfield Holdings/Royal Invest (Cristopher Whitfield)
SL Business Bank (Anre Heron)

The avatars in question are:

Betatester Allen
Hamid Jewell
Hamid Alter

There are more banks but I think some are afraid to spill the beans. If your bank is affected please let someone know as this is the only way to fight this with Linden Labs. From a community standpoint, we have to band together and do something.

Thanks for clarifying, Lindsay

Now the question is whether the losses are in fictional currency - as the Linden Lab ToS does call the Linden Dollar. I won't hold your feet to the fire to answer that... but I think you and I know what the answer to that is.

Second Life Consultant

Brute Forced

While we found several ways that the ATM was hacked, the first hack tripped the built-in fail-safe, but the second brute forced our database, and our provider had failed to install the security pack all this time. I bitched to my heart's desire but of course all they could come up with was a few free months of service...bah....waiting on LL now.

Public Statement Royal Bank SL

Dear friends, customers and all the others out there,

yes this day was again a day, that we call "Damage day",
oh well, I do know about so many things going on in SL,
and we all have this and that issue to chew, and sometimes
we all feel lost and currently hesitant.

Well, our Bank is still in good condition; we lost about 160,000 L$ in two attacks today, done by Betatester Allen and Hamid Alter.

We could halt these two accounts, and found out that it has something to do with the SignUp. They needed the SignUp Procedure to get into the control of withdraw issues. Sure is that this is a totally unrespectable thing in a world that should be safe, 'cause all of our ATMs have a withdraw limit that they just skipped.

We deleted all SignUp Buttons from our ATMs, to make sure that we do not give criminal people the possibility to get into the System anymore.

But more important is the fact, really a big thing to think about, that LL gives anyone the possibility to sign in SL, without any GO of security or addresses or any other safety. Any sucking ass can open an account, a Robot or whatever, THE DOORS ARE OPEN.
So why not discuss the roots of the problems, not the effects of criminal plays and people. Even Ebay has a better Sign Up Process than LL/SL. I have never seen any other Platform where you just can step in like that. wakidoo.

Well, we are working hard now on a way to create a SignUp ATM for REAL Residents and people who should not be younger than 3 months in SL, to give our Customers the peace back, the earn.
LL should think about the fact that they are the ones who open the doors... we the Residents must work hard every day to keep violence off our properties... well are we at war or what?
A place that allows multiple Avatars, no secure SignUp, and Robots, killing all Nerves... should go inside, and have a day free in the Hell of work we have every day.

So to all our Customers, you are still safe, you are the best community that could happen to our bank, and you know that we do anything to get you in a safe game, but Hackers are criminal, and we all cannot give 100% safety to it, that would be a lie.

I want to thank all Friends and employees who were assisting here today, and a big kiss to Belinda Linden for her great and quick reaction....

Thanks for posting this article, and thanks for an open mind

For more information: http://whitfield-hastings.com

Love
Cristopher Whitfield