Saturday, November 24, 2007

Dreamland's Currency Converter abused on day of bank heist.

I just discovered from talking to a support associate for ACS, after checking on my Dreamland account, that the currency converter for PED to Linden has been shut down on a temporary basis while a security issue is addressed. Someone moved a lot of money through their currency conversion utility. The alleged laundering occurred on approximately the same day as the massive SL bank heists. Although DSE was not subject to the same exploits I've seen at many institutions, it brings to light another problem.

Banks and exchanges with currency conversion utilities, whether from one game currency to another or from game currency to dollars, face many more complications and should be dealt with carefully. If the institutions in question are not properly set up for use, there is a possibility of exploitation for illegal means that could render the institution itself liable. This would have the potential of destroying that institution, so please, be careful where you invest. I am sure Dreamland will fix this problem and be back up and running in little time. They're all very professional and this is a problem I'm sure was not anticipated. The support associate told me they are currently in talks with Linden Labs and Entropia in an attempt to solve the problem and nail the perps.

Narissa falls to her death, obviously did not consult the Market Dragon on real world physics.

What's with dragons dying of sheer stupidity these days? I mean, sure, she never existed in reality before to have experience with real physics, but the brute force of her weight and the bending metal should have been a hint. Obviously she did not cross worlds to Second Life to consult the Market Dragon, her biggest mistake. I mean, just look at my profile. I perch on New York City skyscrapers with ease and majesty and do not fall to my doom.

That said, my consultations had nothing to do with Narissa's death and it should not reflect on any liability or the future long term performance of Dragon Global Diversified. This dragon obeys the laws of physics; real, virtual, or fantastic. This should not become a stereotype for the species.

Oh, and my beloved Koudoawaia Menatep and I loved the movie. If you haven't really had time yet and you're a couple who love sickeningly romantic films that you lick (or kiss to) all night, I suggest you go see Disney's "Enchanted".

Thursday, November 22, 2007

*drops one last post on his way out* Xavier Mohr of SLR resigns.

This topic came up on the general forums of CAPEX. The first post was an expression of disappointment with the resignation of Xavier Mohr of SLR after such a short time, this was my response:

When I look to invest I usually ask the CEO if they're putting in a 1 year or more commitment to their firm, and I also ask them how they'd plan a closure or transition. Privately, I've known that Xavier has been looking for a way to minimize his in-world presence; his interest has come and gone with time and I know that SLR has been sitting heavy on his conscience. That said, I expected this and planned my investments based on it.

SL is not like real world markets; the corps are groups of people pretty much pooled in an interest of making a profit if and however they can. Kind of like the clans on World of Warcraft, but using a more up-to-date stylization of financial structuring to help control ownership. In my eyes, it's a very convenient alternative to Second Life group setups. That said, it's wise to know your corp's leadership: to not just invest based on numbers or hearsay, but to actually talk to them and get to know them and their goals. My investors will tell you my mind is open to picking; that's why many got on board with me to begin with.

That said, it's another case of, "If you do your homework, you know what you get, and if you don't, it's not the CEO's fault." He can't come out and just say, "Oh, I'm thinking of resigning," when he has not yet made his decision, as it'd be abandonment of his fiduciary duty, would result in a direct stock crash right away, and could be grounds for accusations of manipulation. It is only after the decision has been finalized that it could be announced without concern for market ethics.

Besides, I think it's more than possible to find someone just as passionate about growing SLR. It's just a matter of being picky and finding someone excited about Second Life media who has the talents and the skills. It won't be easy, but it can be done.

You'll only be disappointed by a stock you do not research well enough to understand its future.

Also, to those would-be CEOs: unless you're a scam, it's not easy. Responsibility now binds you to the game. It's not just entertainment any longer; it's also a kind of job. That can kill the joy for some folks; for me it's fun, driving, a little stressful at times, but it's also what I thrive on. I really enjoy running DGD. Maybe it's just because I've been doing better than even I expected. Anyhow, don't rush into it; give it a lot of consideration. Not everyone will do well in business, and the good times and the bad will affect your operations, but you have to stick it out for shareholders through the bad times. I've had a number of times when things looked sour for DGD. Ginko, The Bank: we had money in each. Fortunately, close monitoring and vigilance saved the company from those disasters.

And this is why, more than anything, SL markets are still just part of a game. There's an entertainment factor involved. The CEO must want to run their corp, or they may just say "I don't like SL anymore" and they're gone. Hopefully you're in a corp that has a shutdown plan or a COB (continuity of business) plan that allows for an easy resolution. I know Xavier's had one for a while and it simply involves Arbitrage Wise of CAPEX picking up the corp for a while as they find new administration. That said, I think it's very wise for all investors to keep in mind the context of their investment. SL is a game, it is a virtual world, not the real secondary world that people try to tout it to be. If it were a real secondary world, you could not log out. You would not be able to grow disinterested. The greatest cause of casualties among Second Life interests is probably a CEO growing disinterested in THE GAME. That said, happy Thanksgiving and careful, happy investing.

People get upset because I was running an exchange in Second Life, yet still called it a game. Listen folks, people blow thousands of dollars in the game industry daily. I call something what it is; I do not lie, I do not distort and try to make something out to be more than it is in order to get your dollars in my corp or in the exchange it sits on. I will tell you the blunt truth as I know it and I always will. Just because there's a lot of money in it doesn't make it real. How much have you invested in your home entertainment console? Is its media content real, or is it still media? Will Mario be jumping out of your Wii any time soon? (Okay, that may eventually happen with holograms, but it hasn't yet. Who knows what they have up their sleeves over there.) But I think many of you have gotten my point. And yes, when I started DGD, I asked investors to invest in a game world corporation. It is not a real company. I am not legally obligated to them in any way, but I am obligated by trust and that trust won't be violated. I don't want to ruin anyone's fun. I actually have a moral spine, unlike some of the crooks who do participate in some of these markets. I will call for accountability where none is present even if people do not like me doing so. Because even if it's not a regulated environment, even if it is not the real world, I still believe in the strength of the human spirit, integrity, honesty, and the values which are the better side of our species, even if the vast majority of the population does not and even if I do parade around in the game as a dragon.

Wednesday, November 21, 2007

Happy Holidays!

The dragon will be out of the office starting later today and will not be back until the following Saturday. He will be checking on business time to time, but will not be very active. Please do not mistake his lack of presence for abandonment of his duties :-) as so many do.

I hope everyone in the United States has a Happy Thanksgiving Holiday and hope to be back on task soon. This is the Market Dragon.. signing out for now.

Modest sized exchange merger being attempted.

A proposal has been made by CAPEX and BBX to take over ISE. This would be one of very few mergers of stock exchanges set in Second Life; the exchanges often branch, rarely converge. To get all the juicy details on the merger, please look here to read the tender offer. The issues on both exchanges are strong, and although the number of issues is not as great as on other exchanges, say the WSE, that may lend a stronger competitive advantage to the merged entity. Reports are coming out that CAPEX is already overtaking the WSE in daily activity despite the WSE's numerous outstanding stock issues. For more details on that story, check out this article in SL Reports written by friend and colleague Xavier Mohr.

Reasons for the change in traffic flow are attributed to a range of causes, from investor confidence in the WSE being low due to the Ginko Bond scandal to its numerous failed companies, which have been renditioned to the mysterious symbol (RMV). Shaun Altman has cornered the market on Ginko Preferred Bond info, so you should probably read his blog here if you want details on that. Needless to say, it's a mess.

Tuesday, November 20, 2007

SL Mythbusters: The negative withdrawal test. Sloppy coding at fault? White hat at work.

I heard that part of the reason some banks were hit was sloppy coding. I went around and began to test ATMs to see if they were vulnerable to negative withdrawals. This is just one of the rumors I've heard about how the banks were hacked, so I thought it'd be fun to test with 1 Linden amounts. Here are the results:

1. BCX openly mocks you for not being sane when you try to withdraw -1.
2. ACE does not allow it. Ignores you.
3. SLIB does not allow it. Ignores you.
4. ISE removes the negative sign and simply takes the absolute value of the amount from your account.
5. DSE states you are using the wrong amount.
6. VSTEX reports that you have insufficient funds.
7. JTF/CAPEX ignores your request.
8. BNTF ignores your request.
9. EDGE ignores your request.
10. Banca Di Italia: secured as of 1:33 PM EST.
11. SL Bank ignores negative withdrawal requests.
12. WSE/One Bank only allows keypad entry for withdrawals and does not allow the use of negative integers.

I intend to continue my testing with other institutions; these are the results to date.

A vulnerability has been confirmed, the name of the bank has not been released to protect the bank as it works to repair its atms.

Currently sitting in Kremer waiting on the Governance team... yay. Even after all the warnings of the past few days, some banks still leave themselves exposed.

Update: 1:09 PM EST, 10:09 AM SLT: The vulnerable bank has been notified of its exposure. The representative told me they would work on a resolution immediately, and that the transactions can be tracked and are reversible if any fraudulent ones have occurred.

Linden Lab just removed the exposed ATM, so I can release the name of the bank now. Banca D Italia's programming was exposed to this exploit. Theoretically, I just saved all of Freedom Italy.

When Banca D Italia loads their new ATM, I will retest it to ensure the loophole has been closed and update this blog.

The loophole was repaired, now added to list of secured banks.
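To make the test above concrete, here is an added example (my own code, not any bank's ATM script and not code from this blog) that models the three behaviours the list reports: an ATM that trusts the typed amount, one that silently takes the absolute value (the ISE result), and a hardened one that refuses anything that is not a positive whole number within the balance. The bank name, the in-memory ledger and the message strings are assumptions for illustration. The likely root cause in a scripted ATM, and this is my assumption about the affected banks rather than something they confirmed, is that the chat text is converted to a number with a cast that accepts a leading minus sign, so a "withdrawal" of -1 becomes a credit of 1.

```python
"""Negative-withdrawal probe against three ATM handlers (added example)."""
import re

class AtmError(Exception):
    """Raised when an ATM refuses a request."""

def withdraw_naive(balances, avatar, amount_text):
    """Vulnerable: parses the text and subtracts whatever it gets.
    A negative 'withdrawal' credits the account instead of debiting it."""
    amount = int(amount_text)          # int("-1") == -1, no sign check
    balances[avatar] -= amount         # balance goes UP for negative input
    return amount

def withdraw_abs(balances, avatar, amount_text):
    """Sloppy fix: silently uses the absolute value (the ISE behaviour).
    No credit is possible, but malformed input is accepted rather than rejected,
    which hides probing from the bank's logs."""
    amount = abs(int(amount_text))
    if amount > balances[avatar]:
        raise AtmError("insufficient funds")
    balances[avatar] -= amount
    return amount

# Whitelist: unsigned digits only, no leading zero, at most 9 digits (assumed cap).
AMOUNT_RE = re.compile(r"[1-9][0-9]{0,8}")

def withdraw_hardened(balances, avatar, amount_text):
    """Reject everything that is not a positive integer no larger than the balance."""
    text = amount_text.strip()
    if not AMOUNT_RE.fullmatch(text):
        raise AtmError("amount must be a positive whole number of L$")
    amount = int(text)
    if amount > balances.get(avatar, 0):
        raise AtmError("insufficient funds")
    balances[avatar] -= amount
    return amount

def run_probe(withdraw):
    """Replay the 1 L$ probe from the post: ask to withdraw '-1' from a test
    account holding 100 and report the outcome and the balance change."""
    balances = {"tester": 100}         # constructed test account
    try:
        withdraw(balances, "tester", "-1")
        outcome = "accepted"
    except (AtmError, ValueError) as exc:
        outcome = f"rejected: {exc}"
    return outcome, balances["tester"] - 100

if __name__ == "__main__":
    for handler in (withdraw_naive, withdraw_abs, withdraw_hardened):
        print(handler.__name__, run_probe(handler))
```

The naive handler ends the probe with the tester 1 L$ richer, which is the exact condition the list was looking for; the absolute-value handler loses the tester 1 L$ and says nothing; the hardened handler refuses with a message and leaves the balance untouched. The regex is deliberately a whitelist: a sign, a decimal point, an exponent, leading zeros or an absurdly long number all fail the same check rather than each needing its own special case.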

Monday, November 19, 2007

SL Financial institutions taking massive hit.

I'm getting so much content and the market's getting so hot on this news I've had to start another post. Reports are that the attacks came in two waves, one in the morning and one in the afternoon.

Victims known to date:

1. LNL - Lindsay Druart: 3.2 million in deposits affected. LNL has recovered from the first attack. Recovery amounts are now detailed in the comments section.
2. SLIB - Tyrian Carmillo: Reporting no impact and no changes to operations. Security coding minimized damage, and the CEO reported the only real loss was the time spent verifying that the attacks failed.
3. Royal Bank - Christopher Whitfield: Managed to recover the impact of the first attack from Linden Labs; the second attack is still pending. Estimated impact still remaining: L$160,000.
4. Giovinazzo - individual source, unconfirmed; impact unverified.
5. Second Life Business Bank (SLBB) - individual source, unconfirmed; impact unverified.

Banks surviving the incident with no attacks seen/reported:
1. JTF/CAPEX: Arbitrage Wise: no apparent attack.
2. Edge: Salas Steinbeck: reports no apparent attack.
3. BCX: Travis Ristow: Attack discovered, but no effect. They were testing security. Utilizes LL Risk API.
4. BNTF/ACE: Intlibber Brautigan: no apparent attack.
5. Crystal Springs Land & Loan: Skip Oceanlane: no apparent attack.

Supposed victim count reported by multiple independent sources: 4 or more institutions.

These are confessed victims of the vulnerability and so far no others have been named directly.

I'm not even sure that all the banks are aware of the level of damage that may have been done to them, if any, so I have reported the incident to the heads of other institutions to make sure they are aware of the event and are checking their own internal operations. That said, I'd encourage all depositors to be patient with your institution: even if your money is still available, it may not all be there, and there's a significant chance that a broad-based panic will result in catastrophic bank collapses.

Information I collected from verified sources associated with the bank in question will be marked as verified. This is data I know to be true based on their accounts/claims and their representation of the measure by which they have been affected. Unconfirmed accounts come from second-hand individual sources and may or may not be accurate; I will be contacting these institutions if I can in order to find out the validity of the claims.

If you are an SL Bank and want to report the status of your bank in relation to this incident, please fill in the comments section.

With the multiplicity of banks that are supposedly affected, it suggests the flaw is not tied to any particular programmer, but is a security flaw that may be easily overlooked in a transaction API; it's still the responsibility of the administrator to ensure quality coding.

A suggestion has been made that the targeted banks may not have been shielded by the LL Risk API. I wish I could uncover which of these banks were protected by the LL Risk API and which ones were not. If you'd like to report your Linden Lab API status, again, please use the comments.

Reported attack times seem to fall within a similar time frame. This seems to indicate one hacker or a coordinated group of hackers.
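For a bank that wants to check its own internal operations, as suggested above, here is an added example (my own code, not from this blog or from any Second Life bank) that audits a transaction ledger for the pattern the later negative-withdrawal test looks for, and then groups the hits in time to see whether they arrived in waves like the two reported here. The ledger format (timestamp, avatar, transaction type, amount in L$) and the rows in it are constructed for illustration; a real bank would export its own log in whatever shape its ATM scripts record.

```python
"""Ledger audit for non-positive withdrawals and attack waves (added example)."""
from datetime import datetime, timedelta

# Constructed sample ledger: timestamp,avatar,type,amount. Two bursts of bad
# 'withdrawals' (each followed by a large cash-out) plus ordinary traffic.
SAMPLE_LEDGER = """\
2007-11-19 09:41:02,alice resident,withdraw,500
2007-11-19 09:42:15,mallory resident,withdraw,-250000
2007-11-19 09:42:51,mallory resident,withdraw,-250000
2007-11-19 09:43:30,mallory resident,withdraw,750000
2007-11-19 11:10:00,bob resident,deposit,2000
2007-11-19 15:02:11,trudy resident,withdraw,0
2007-11-19 15:02:40,trudy resident,withdraw,-99999
2007-11-19 15:03:05,trudy resident,withdraw,120000
"""

def parse_ledger(text):
    """Parse the CSV-style ledger into dicts; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, avatar, kind, amount = line.split(",")
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "avatar": avatar,
            "kind": kind,
            "amount": int(amount),
        })
    return rows

def suspicious_withdrawals(rows):
    """A withdrawal of zero or less should never exist; each one is a hit."""
    return [r for r in rows if r["kind"] == "withdraw" and r["amount"] <= 0]

def cluster_by_time(rows, gap=timedelta(minutes=30)):
    """Group hits into waves: a hit joins the current wave if it is within
    `gap` of the previous hit, otherwise it starts a new wave."""
    waves = []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if waves and r["ts"] - waves[-1][-1]["ts"] <= gap:
            waves[-1].append(r)
        else:
            waves.append([r])
    return waves

def exposure_by_avatar(rows):
    """L$ credited to each avatar through negative withdrawals, i.e. what
    has to be reversed or chased."""
    totals = {}
    for r in suspicious_withdrawals(rows):
        totals[r["avatar"]] = totals.get(r["avatar"], 0) - r["amount"]
    return totals

def audit(text=SAMPLE_LEDGER):
    """Run the whole audit and return a summary a bank operator can act on."""
    rows = parse_ledger(text)
    flagged = suspicious_withdrawals(rows)
    waves = cluster_by_time(flagged)
    return {
        "flagged": len(flagged),
        "waves": [(w[0]["ts"], w[-1]["ts"], len(w)) for w in waves],
        "exposure": exposure_by_avatar(rows),
    }

if __name__ == "__main__":
    for key, value in audit().items():
        print(key, value)
```

On the sample data the audit flags four rows, two waves (one in the morning, one in the afternoon), and L$500,000 plus L$99,999 credited to the two probing avatars. The large positive withdrawals immediately after each burst are the cash-out; reconciling them against the credited totals tells the bank how much actually left the building versus how much is still sitting in the attacker's account and can be clawed back.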