Saturday, November 24, 2007

Dreamland's Currency Convertor abused on day of bank heist.

I just discovered from talking to a support associate for ACS, after checking on my dreamland account, that the currency converter for PED to linden has been shut down on a temporary basis while a security issue is addressed. Someone moved a lot of money through their currency conversion utility. The alleged laundering occurred approximately the same day as the massive SL bank heists. Although DSE was not subject to the same exploits as I've seen at many institutions, it brings to light another problem.

Banks and exchanges with currency conversion utilities; whether it be one game currency to another or game currency to dollar, face many more complications and should be dealt with carefully. If the institutions in question are not properly formatted for use there is a possibility of exploitation for illegal means that could render the institution itself liable. This would have the potential of destroying that institution, so please.. be careful where you invest. I am sure Dreamland will fix this problem and be back up and running in little time. They're all very professional and this is a problem I'm sure that was not anticipated. The support associate told me they were currently in talks with Linden Labs and Entropia in an attempt to solve the problem and nail the perps.

Narissa falls to death, obviously did not consult market dragon on real world physics.

What's with dragons dying sheer stupidly these days? I mean, sure, she never existed in reality before to have experience with real physics, but the brute force weight of her and the bending metal should have been a hint. Obviously she did not cross worlds to second life to consult the Market Dragon, her biggest mistake. I mean, just look at my profile. I perch on NY city skyscrapers with ease and majesty and do not fall to my doom.

That said, my consultations had nothing to do with Narissa's death and it should not reflect any liability or future long term performance of Dragon Global Diversified. This dragon obeys the laws of physics; real, virtual, or fantastic. This should not become a stereotype for the species.

Oh and my beloved Koudoawaia Menatep and I loved the movie, if you haven't really had time yet and you're a couple who love sickeningly romantic films that you lick (or kiss to) all night, I suggest you go to see Disney's "Enchanted".

Thursday, November 22, 2007

*drops one last post on his way out* Xavier Mohr of SLR resigns.

This topic came up on the general forums of CAPEX. The first post was an expression of disappointment with the resignation of Xavier Mohr of SLR after such a short time, this was my response:

When I look to invest I usually ask the CEO if they're putting in a 1 year or more commitment to their firm and I also ask them for how they'd plan a closure or transition. Privately, I've known that Xavier has been looking for a way to minimize his in world presence, his interest has come and gone with time and I know that SLR has been setting heavy on his conscience, that said, I expected this and planned my investments based on it.

SL is not like real world markets, the corps are groups of people pretty much pooled in an interest of making a profit if and however they can. Kind of like the clans on World of Warcraft, but using a more up-to-date stylization of financial structuring to help control ownership. In my eyes, it's a very convenient alternative to Second Life group setups. That said, it's wise to know your corp's leadership, to not just invest based on numbers or hearsay, but to actually talk to them and get to know them and their goals. My investors will tell you, my mind is open to picking, that's why many got on board with me to begin with.

That said, it's another case of, "If you do your homework, you know what you get, and if you don't.. it's not the CEO's fault." He can't come out and just say, "Oh, I'm thinking of resigning," when he has not yet made his decision, as it'd be abandonment of his fiduciary duty and result in a direct stock crash right away and could be grounds for accusations of manipulation. It is only after the decision has been finalized that it could be announced without concern for market ethics.

Besides, I think it's more than possible to find someone just as passionate about growing SLR. It's just a matter of being picky and finding someone excited about second life media who has the talents and the skills. It won't be easy, but it can be done.

You'll only be disappointed by a stock you do not research well enough to understand its future.

Also, to those would-be CEOs. Unless you're a scam, it's not easy. Responsibility now binds you to the game. It's not just entertainment any longer, it's also a kind of a job. That can kill the joy for some folks, for me it's fun... driving.. a lil stressful at times but it's also what I thrive on. I really enjoy running DGD. Maybe it's just because I've been doing better than even I expected. Anyhow, don't rush into it, give it a lot of consideration. Not everyone will do good in business.. and the good times and the bad will affect your operations but you have to stick it out for shareholders through the bad times. I've had a number of times things looked sour for DGD. Ginko, The Bank.. we had money in each. Fortunately, close monitoring and vigilance saved the company from those disasters.

And this is why more than anything SL markets are still just part of a game. There's an entertainment factor involved. The CEO must want to run their corp or.. they may just say "I don't like SL anymore" and they're gone. Hopefully you're in a corp that has a shut down plan or a COB (continuity of business) plan that allows for an easy resolution. I know Xavier's had one for a while and it simply involves Arbitrage Wise of CAPEX picking up the corp for a while as they find new administration. That said, I think it's very wise for all investors to keep in mind the context of their investment. SL is a game, it is a virtual world, not a real secondary world that people try to tout it to be. If it were a real secondary world, you could not log out. You would not be able to grow disinterested. The greatest casualty cause for second life interest is probably ceo growing disinterest in THE GAME.... that said, happy Thanksgiving and careful, happy investing.

People get upset because I was running an exchange in second life, yet still called it a game. Listen folks, people blow thousands of dollars in the game industry daily. I call something what it is, I do not lie, I do not distort and try to make something out for more than it is in order to get your dollars in my corp or in the exchange it sits on. I will tell you the blunt truth as I know it and I always will. Just because there's a lot of money in it, doesn't make it real. How much have you invested in your home entertainment console? Is its media content real, or is it still media? Will Mario be jumping out of your WII any time soon? (Okay that may eventually happen with holograms, but it hasn't yet. Who knows what they have up their sleeves over there.) But I think many of you have gotten my point. And yes, when I started DGD, I asked investors to invest in a game world corporation. It is not a real company. I am not legally obligated to them in any way, but I am obligated by trust and that trust won't be violated. I don't want to ruin any one's fun. I actually have a moral spine unlike some of the crooks who do participate in some of these markets. I will call for accountability where none is present even if people do not like me doing so. Because even if it's not a regulated environment, even if it is not the real world, I still believe in the strength of the human spirit, integrity, honesty, and the values which are the better side of our species even if the vast majority of the population does not and even if I do parade around in the game as a dragon.

Wednesday, November 21, 2007

Happy Holidays!

The dragon will be out of the office starting later today and will not be back until the following Saturday. He will be checking on business time to time, but will not be very active. Please do not mistake his lack of presence for abandonment of his duties :-) as so many do.

I hope everyone in the United States has a Happy Thanksgiving Holiday and hope to be back on task soon. This is the Market Dragon.. signing out for now.

Modest sized exchange merger being attempted.

A proposal has been made by CAPEX and BBX to take over ISE. This would be one of very few mergers of stock exchanges set in Second Life. The exchanges often branch, rarely converge. To get all the juicy details on the merger please look here to read the details of the tender offer. The issues on both exchanges are strong, but the number of issues is not as great compared to other exchanges, say the WSE and may lend a stronger competitive advantage to the merged entity. Reports are coming out that CAPEX is already bypassing the WSE on daily activity despite its numerous outstanding stock issues. For more details on that story check out this article in SL Reports written by friend and colleague Xavier Mohr.

Reasons for the change in traffic flow are attributed to a range of causes from investor confidence being low in the WSE due to the Ginko Bond Scandal to its numerous failed companies which have been renditioned to the mysterious symbol (RMV). Shaun Altman has cornered the market on Ginko Preferred Bond info, so you should probably read his blog here if you want details on that. Needless to say, it's a mess.

Tuesday, November 20, 2007

SL Mythbusters: The negative withdraw test. Sloppy coding at fault? White hat at work.

I heard part of the reason some banks were hit was sloppy coding. I went around and began to test atms to see if they were vulnerable to negative withdraws. This is just one of the rumors about how I've heard banks have been hacked.. so I thought it'd be fun to test with 1 linden amounts. Here's the results:

1. BCX openly mocks you for not being sane when you try to withdraw -1.
2. ACE does not allow it. Ignores you.
3. SLIB does not allow it. Ignores you.
4. ISE removes the negative and simply takes the absolute value of the amount from your account.
5. DSE states you are using the wrong amount.
6. VSTEX reports that you have insufficient funds.
7. JTF/CAPEX ignores your request.
8. BNTF ignores your request.
9. EDGE ignores your request.
10. Banca Di Italia: Secured as of 1:33 PM est.
11. SL Bank ignores negative withdraw requests.
12. WSE/One Bank only allows the use of keypad entry for withdraws and does not allow the use of negative integers.

I intend to continue my testing to other institutions; these are the results to date.

A vulnerability has been confirmed, the name of the bank has not been released to protect the bank as it works to repair its atms.

Currently sitting in Kremer waiting on the Governance team.. yay. Even after all these warnings the past few days, some banks still leave themselves exposed.

Update: 1:09 PM est, 10:09 AM slt: The vulnerable bank has been notified of its exposure. The representative told me they would work on resolution immediately and that the transactions can be tracked and are reversible if any have occurred that are fraudulent.

Linden Lab just removed the exposed ATM, so I can release the name of the bank now. Banca D Italia's programming was exposed to this exploit. Theoretically, I just saved all of Freedom Italy.

When Banca D Italia loads their new atm, I will retest it once again to ensure the loophole has been closed and update this blog.

The loophole was repaired, now added to list of secured banks.
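The negative-withdraw test from this post, as an added example that is not part of the original post and is not any bank's actual ATM script: a small Python model (not Second Life's LSL) that sends the same `-1` request to three hypothetical handlers and checks whether money was created. The handler names, the `Ledger` class and the assumption that the payout call ignores non-positive amounts are illustrative.

```python
# Added example: model ATM ledger. All names here are hypothetical.
import re

class Ledger:
    """Account balances plus a count of money that actually left the bank."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.paid_out = 0

    def pay(self, amount):
        # Assumption: the payout primitive silently ignores non-positive amounts.
        if amount > 0:
            self.paid_out += amount

    def total(self):
        # Conservation check: deposits still held plus money paid out.
        return sum(self.balances.values()) + self.paid_out

def withdraw_naive(ledger, account, raw):
    """Sloppy handler: the only check is amount <= balance."""
    amount = int(raw)
    if amount > ledger.balances[account]:
        return "insufficient funds"
    ledger.balances[account] -= amount   # subtracting -1 credits the account
    ledger.pay(amount)
    return "ok"

def withdraw_abs(ledger, account, raw):
    """Strips the sign and debits the absolute value (the ISE result above)."""
    amount = abs(int(raw))
    if amount > ledger.balances[account]:
        return "insufficient funds"
    ledger.balances[account] -= amount
    ledger.pay(amount)
    return "ok"

AMOUNT_RE = re.compile(r"[1-9][0-9]{0,8}")  # ASCII digits only: no sign, no decimals

def withdraw_strict(ledger, account, raw):
    """Validate the text before it becomes a number, then check the balance."""
    text = raw.strip()
    if not AMOUNT_RE.fullmatch(text):
        return "rejected: amount must be a positive whole number"
    amount = int(text)
    if amount > ledger.balances.get(account, 0):
        return "insufficient funds"
    ledger.balances[account] -= amount
    ledger.pay(amount)
    return "ok"

def probe_negative(handler, raw="-1", opening=100):
    """Send one negative request to a fresh ledger and classify the outcome."""
    ledger = Ledger({"tester": opening})
    before = ledger.total()
    reply = handler(ledger, "tester", raw)
    if ledger.total() != before:
        return "VULNERABLE: money created"
    if ledger.balances["tester"] != opening:
        return "sign stripped: debited anyway"
    return "refused (" + reply + ")"

if __name__ == "__main__":
    for h in (withdraw_naive, withdraw_abs, withdraw_strict):
        print(f"{h.__name__:16} {probe_negative(h)}")
```

The conservation check in `probe_negative` is the part worth keeping as a regression test: any request that changes the sum of balances plus payouts is a defect regardless of what the ATM replies.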

Monday, November 19, 2007

SL Financial institutions taking massive hit.

I'm getting so much content and the market's getting so hot on this news I've had to start another post. Reports are that the attacks came in two waves, one in the morning and one in the afternoon.

Victims known to date:

1. LNL - Lindsay Druart: 3.2 million in deposits affected. LNL has recovered from the first attack. Recovery amounts are now detailed in the comments section.
2. SLIB - Tyrian Carmillo: Reporting no impact with no changes to operations. Security coding minimized damage and the CEO reported the only real loss was time verifying the attacks failed.
3. Royal Bank - Christopher Whitfield: Managed to recover the impact of the first attack from Linden Labs, second attack is still pending. Estimated impact still remaining $L160,000
4. Giovinazzo - Individual Source, Unconfirmed .. impact measure unverified.
5. Second Life Business Bank (SLBB) - Individual Source, Unconfirmed.. impact measure unverified.

Banks surviving the incident with no attacks seen/reported:
1. JTF/CAPEX: Arbitrage Wise: no apparent attack.
2. Edge: Salas Steinbeck: reports no apparent attack.
3. BCX: Travis Ristow: Attack discovered, but no effect. They were testing security. Utilizes LL Risk API.
4. BNTF/ACE: Intlibber Brautigan: no apparent attack.
5. Crystal Springs Land & Loan: Skip Oceanlane: no apparent attack.

Supposed victim count reported by multiple independent sources: 4 or more institutions.

These are confessed victims of the vulnerability and so far no others have been named directly.

I'm not sure even that all the banks are aware as to the level of damage that may have yet been done to them if any so I have reported the incident to the heads of other institutions to make sure they are aware of the event and are checking on their own internal operations. That said, I'd encourage all depositors to be patient with your institution as, even if your money is still available, it may not all be there and there's a significant chance that a broad based panic will result in catastrophic bank collapses.

The information I collected from verified sources, associated with the bank in question, will be marked as verified. This is data I know to be true based on their accounts/claims and their representation of the measure by which they have been affected. Unconfirmed accounts come from second hand individual sources and may or may not be accurate, I will be contacting these institutions if I can in order to find out the validity of the claims.

If you are an SL Bank and want to report the status of your bank in relation to this incident, please fill in the comments section.

With the multiplicity of banks that are supposedly being affected, it suggests the flaw is not directly related to any particular programmer, but a security flaw that may be easily overlooked in transaction api; it's still the responsibility of the administrator to ensure quality coding.

A suggestion has been made that the targeted banks may not be shielded by LL Risk API. I wish I could uncover which of these banks were protected by LL Risk Api and which ones were not. If you'd like to report your Linden Lab API status, again, please use comments.

Reported attack times seem to be taking a similar time frame. This seems to indicate one hack or a co-ordinated group of hackers.

Multiple SL banks rocked by 3.2 million L$+ heist from atm scripting vulnerability.

I logged on to another bank failure looming on the horizon this morning in second life. The problem with the SL financial community is there is a notable lack of testing of the security of atms before their implementation and some of the banks tend to find out about their weaknesses after the fact. Well, this appears to be the unfortunate case with LNL. They thought their atm secure, deployed it, and now they're 3.2 million dollars down the gutter with an alleged hacker(s) heisting 3.2 million from their systems.

One of these days the banks will learn to keep balances in separate avatars and use monitoring scripts to move money around to prevent abuses. The world of "I can withdraw as much as I want when I want" really needs to go, it's not realistically feasible in this environment and poses a massive security vulnerability.

Of greater concern, Lindsay Druart stated that JTF/CAPEX's atms are programmed by the same programmer. However, I wish to note that JTF (the bank) has been around since before this exchange or even LNL existed. I do not believe most of their programming is by the same programmer and highly doubt that the same vulnerabilities exist, but it's still a concern since the one that Lindsay has claimed did their programming, Unoti Quonset, is also the programmer of the Second Life Capitol Exchange, or SLCAPEX. Unoti has contested the claims that he is the direct programmer of LNL/JTF/SLCAPEX; you can see his statement in the comments and the response of Lindsay Druart.

I think we just need to get a clarification from CAPEX as to who did their main bank and withdraw programming. This said, it did unnerve me to see Unoti Quonset at the atm at the same time we were having this conversation. I'm not sure of his role in all of this outside of programming, but it was rather questionable. Perhaps just bad timing... I hope. Unoti, if you're out there, I'd really like to see your response to the claims being made, you more than anyone should know how your programming works. I'd also like someone to tell me how one "hacks" an atm that operates on text entry commands. Based on my understanding of programming it'd be almost impossible to do except for if the coder left back door commands in the system. Unoti Quonset has since contested these statements saying he had nothing to do with the coding of either CAPEX or LNL. Given the expanse of the potential banks affected however, I am still nervous about putting my funds into institutions til I see who will pop and who will not.

LNL was not approved on my watch, but under the reins of Investor Allen who managed most of the deal personally. Investor Allen began to show a very shady history after the sale of his exchange. There was a lot of verbal sparring on the initial listing conditions, but after AVIX was sold to CAPEX things seemed to calm down under the new management and Lindsay was even given a management position briefly for the exchange.

I think it's going to be a while before we get the whole story on who or what is exactly at fault. Lindsay says she's in fervent talks with Linden Labs in an attempt to get concierge assistance on the 3.2 million dollar theft. If they do not intervene it's highly likely LNL will go insolvent. This leaves a big question as to what will happen with the WSE listed LLL. According to this post by Lindsay, there was no exposure to the bank from her own real-estate company, as they only had a fraction of cash in there on deposit to use to purchase some new sims, but having your leadership and finances co-mingled can be a messy affair to try to resolve with investors in the courts of public opinion.

Best of luck dealing with Mr. Linden, Lindsay, you're in my prayers.

Appended note: Someone reminded me that a couple weeks back LNL briefly halted trading and their atms were removed for reworking. According to their announcement history there is a record of atm and web page difficulties. I'd like to know who was responsible for the most recent update. They also pointed out to me the growing financial struggles of LNL in the history of the firm.

Given the current crisis I cannot morally maintain the link to their website on this blog, it has been removed from the banks section, but you may view it here for research purposes. Do not deposit at this time if an in world ATM becomes available until further clarification on these incidents is brought to light.

Did I mention this is the second bank collapse and supposed ATM heist that Lindsay Druart has been tied to? The last such collapse occurred on the World Stock Exchange, under a now non-existent ticker symbol. They took in the customers of that particular event in an attempt to restore what was lost. Supposedly, Lindsay was to be a hero and save those accounts. What now?

Update: Ah, I found a remnant of that old bank through google. It was the Touchet Group Corporation. I could not find a link back to the actual company symbol. If you note, on the page with the information there, it notes the ticker symbol as (RMV). That's one of WSE's ghost (as in dead) shell (as in rotting husk that no longer exists) companies. It was headed up by the infamous JC Brink. Lindsay got one of their sims from him. And the story was the same for that collapse. Rogue agent, broken atm coding. I smell a pattern and regardless of who is responsible it needs stopped. Diligence is the responsibility of the bank operator.

Did I mention that when the WSE was hacked, that it also lost 3.2 million linden? If this is the same crook they're walking away with $20,000.00 USD.

For more info on this past failure, visit the following links: Fraud Ghost Hits At SL Banking System, Lindsay Druart, CEO LLL's official account of the TGC incident on the WSE, Taran's TGC investigation.

Has anyone ever heard the phrase, "Fool me once shame on you... Fool me twice..." When do we start seeing CEO accountability for transaction security?

How ironic that LLL is amid secondary offer on the WSE for just a little more than twice the amount that LNL was breached by or equal to the sum of supposed thefts against LNL and the WSE combined. What an interesting coincidence. REVISION: Thanks to encouragement in the comment area and the help of Lindsay, I discovered that WSE misleadingly/alternatively mentions the current outstanding shares of the company instead of the outstanding shares in the issue, which can make the issue seem much larger, the actual issue is around 640k. This greatly relieves me needless to say.

Sunday, November 18, 2007

What is the Linden?

A good friend of mine came to me today and showed me this link to Metanomics, a financial reporting news site for Second Life. The link is basically to a video about exchanges and banks in Second Life and their roles in the Second Life economy. This led to a discussion about, "What is the Linden? Is this market real or a game?" It's a question that comes up often, I'm going to give my thoughts here in the blog, so I can simply refer folks to it when they ask this question instead of repeating myself.

The Linden is a game currency. It is not a real currency. It is a currency that is valid only within the context of Second Life. If you tried to sell your Linden to your local Grocer, they would laugh at you most likely. The only time that Linden, a product of second life, becomes real currency is when you trade it through Linden Lab or another player agent. Without this conversion, the linden you hold in your account is worthless. Whenever you put your USD into Linden, you are more or less buying assets within the game, nothing more, nothing less. Anything else is an over-glorified pipe dream.

That said, when you invest within Second Life, instead of believing you are investing in a real agency, corporation, or business you should keep the proper mindset. You are investing in a game. You are investing in a person within the game who you are trusting is honest enough to do their job and to hopefully return to you an in game profit. If you are lucky, this in game profit may be utilized to your own gain or even for conversion eventually into real USD. The difference between this and gambling, is that the people you invest in may seriously be out to attempt to improve the virtual community in which you play by adding functionality, adding new venues or real estate, improving aesthetics, implementing new ideas, creating new things to do within the game. Second Life is a platform that can support many game possibilities, from first person shooters, to strategy, to basic board games.. it can all be done if you have the skills to do so. Some of the businesses here will be out to do these things, some will be scams. You have to be careful. You have to do your research..

And for God's sake, if you are deluding yourself into thinking this market is an extension of real world securities markets and behaviors, please stop it. That's purely ego.

Appended 11/18/2007, 4:38 pm:
The more I thought about it, the more that Linden seemed like Company Scrip. I don't expect too many folks to be aware of what Company Scrip is unless you come from an area that was on the extremes of society for a while or where actual legal tender was scarce. If you look at the definition, it seems much more appropriate to the Linden. If you really want to become an expert on the subject matter you may want to check out this and other discussions courtesy of Wikipedia.