
Apr 14th 2008, 21:22 system announcement
by IntLibber Brautigan

ACE Reopened After Brief Halt for Security Reasons

(text of Press Release at News Conference held 4/13 in Venture Square)

We want to thank everybody for their patience about getting ACE back online in partial (57%) trading status. The outpouring of support, patience, and tolerance for what has been a difficult situation for almost everyone is greatly appreciated by me and my staff. We have from the start been dedicated to protecting the security of everyone's money and investments, and we are demonstrating that we will spare nothing in doing our best to return all companies to full trading status as soon as it is technically possible.

We were able to reopen yesterday in time for the Metaverse-tv telethon, which was a wonderful success, with many musical acts playing all day, and the pilot episode of MBC's new show, "Hollywood Cubes", which I am sure will be a big hit.

Many of our traders were able to access their accounts finally, and we are very pleased by the show of support and confidence in our hard work, as represented by a large growth in deposits yesterday.

On a darker note, I need to come to the point of this news conference. Shortly after we reopened, an individual contacted me claiming he had found a security weakness in the Tango11 software we use in our exchange (as does SLCapex). He was able to create fraudulent copies of transaction confirmation pages on his own machine and use them to force trades of shares between other traders, as well as between those traders and himself. (At that time I will pass out Ham's statement)

Rather than do one trade to show us as evidence and return whatever money he gained from it, he first did over 50 trades, netting a profit of L$8200. He then withdrew L$6000 from the ACE ATM. Only after committing these multiple hacks to defraud people did he contact me to tell me what he had done, demanding L$10,000 in ransom in exchange for information about how he did it.
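The defence that closes this class of bug is for the server to sign the confirmation it issues and to refuse any posted confirmation whose signature, session owner, expiry or nonce does not check out. The following is an added illustration in Python, not Tango11 or ACE code; the field names, the HMAC construction and the sample account names are assumptions.

```python
import hashlib, hmac, json, secrets, time

# Constructed per-deployment secret; held only by the server, never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)

def issue_confirmation(session_user, counterparty, symbol, shares, price):
    """Server renders the confirmation page from these fields and signs them."""
    body = {"from": session_user, "to": counterparty, "symbol": symbol,
            "shares": shares, "price": price,
            "nonce": secrets.token_hex(8),          # one-time use
            "exp": int(time.time()) + 300}          # five-minute validity window
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload, tag

def execute_trade_unverified(form):
    """Vulnerable pattern: every field of the posted confirmation page is trusted,
    so a page built on the attacker's own machine moves anyone's shares."""
    return {k: form[k] for k in ("from", "to", "symbol", "shares", "price")}

def execute_trade_verified(session_user, payload, tag, used_nonces):
    """Hardened handler: the trade runs only if the confirmation is the one the
    server issued, to this logged-in user, unexpired and not replayed."""
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                 # forged or edited confirmation page
    body = json.loads(payload)
    if body["from"] != session_user:
        return None                 # only the account giving up shares may confirm
    if body["exp"] < int(time.time()) or body["nonce"] in used_nonces:
        return None                 # stale or replayed
    used_nonces.add(body["nonce"])
    return body

def demo():
    """Constructed scenario: a forged page succeeds against the old handler and
    fails against the new one, while the genuine confirmation still goes through."""
    forged = {"from": "trader3", "to": "attacker", "symbol": "XYZ",
              "shares": 100, "price": 1}
    old_result = execute_trade_unverified(forged)
    payload, tag = issue_confirmation("trader3", "trader7", "XYZ", 10, 5)
    nonces = set()
    tampered = payload.replace(b'"from": "trader3"', b'"from": "attacker"')
    return {
        "old_handler_ran_forgery": old_result["from"] == "trader3",
        "tampered_rejected": execute_trade_verified("attacker", tampered, tag, nonces) is None,
        "wrong_session_rejected": execute_trade_verified("attacker", payload, tag, nonces) is None,
        "genuine_accepted": execute_trade_verified("trader3", payload, tag, nonces) is not None,
        "replay_rejected": execute_trade_verified("trader3", payload, tag, nonces) is None,
    }
```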


The following is the chatlog of part of our conversation:

[15:32] LeoTheo Bing: yes
[15:32] LeoTheo Bing: it's missing a piece of necessary code
[15:33] LeoTheo Bing: it always did
[15:33] IntLibber Brautigan: what sort of code?
[15:33] LeoTheo Bing: LOL
[15:33] LeoTheo Bing: php I assume
[15:33] LeoTheo Bing: I'm no scripter - I just found it
[15:34] LeoTheo Bing: let's just say it works :)
[15:34] LeoTheo Bing: I've taken a little to test it
[15:34] LeoTheo Bing: and yes
[15:35] LeoTheo Bing: it's exactly the same as the SLCAPEX software
[15:35] LeoTheo Bing: I kept quiet for them
[15:35] LeoTheo Bing: I can keep quiet for you too :)
[15:35] IntLibber Brautigan: what are you charging?
[15:36] LeoTheo Bing: hmm
[15:36] LeoTheo Bing: how about 5000 before the information is given - followed by 5000 after
[15:36] IntLibber Brautigan: which account did you take money from?
[15:36] LeoTheo Bing: and I won't tell anyone
[15:36] LeoTheo Bing: 3 and 7
[15:36] IntLibber Brautigan: when?
[15:36] LeoTheo Bing: and a little from 17
[15:36] LeoTheo Bing: just now
[15:36] IntLibber Brautigan: You realize you've just admitted to committing a federal felony?
[15:37] LeoTheo Bing: lol - yes
[15:37] LeoTheo Bing: and blackmail too! ;)

Mr. Bing did more than take a little from 3 accounts; he hit 9 accounts, forcing them to trade shares at a loss, totaling L$8200. Approximately L$2000 of that was from my own account.
Mr. Bing then withdrew L$6000 BEFORE contacting me about this bug. This demonstrates that he is NOT the public-spirited person he claims to be in his comments on SL Reports; he acted to profit himself FIRST, without any expectation of reward for simply doing a good deed as a good citizen.

It is also true that he could have committed much larger trades, causing greater losses, though at greater risk of being discovered and, of course, of greater legal punishment. He portrayed himself to me as some sort of "gentleman" thief, not as a good person. As seen above, he openly admitted to committing multiple federal felonies without remorse. If he were truly a gentleman, he would have returned the funds taken and trusted in our gratitude to deliver a reward for his good citizenship. That is how civilized people act; exploiting a bug for personal reward and then extorting money in exchange for information about the bug is not.

We immediately recovered L$2200 of the L$8200 taken, and all funds will be returned to those persons who suffered from fraudulent trades. We know exactly who was affected, and those persons have been notified of the circumstances.

As soon as Mr. Bing attempted to extort this ransom from me, I contacted Linden Lab to ensure that he would have no chance of extracting the funds via process credit or of transferring them to third parties. They silently froze his process credit ability and monitored all his transactions to ensure he was unable to launder the funds through third parties, but left his account active until we were able to gain the needed information and shut ACE down again in order to effect the needed fixes. Once we did so, they immediately disabled his SL accounts. LL was highly amused that someone would so blatantly admit to their crimes in chat, and they have agreed to cooperate with any FBI investigation, as we have also filed a cybercrime complaint with the FBI regarding these events.

If Mr. Bing had contacted us in a public-spirited manner, openly shared the information, and THEN asked for a reward, we would have gladly given one and publicly hailed him as a hero. He did not act in this manner; he acted as a crook, committing multiple criminal acts which he openly admitted to. This is the distinction between a criminal and a gentleman. It is too bad he chose to act as the former rather than as the latter, which he is trying to portray himself as.

I should also say that we are disappointed that the other major exchange using the Tango11 software, which Mr. Bing openly admitted to having extorted funds from in the weeks prior to hitting us, did not warn us about this vulnerability ahead of time, for the public good. I had hoped that recent communications between us and them signalled that a new era of cooperation and goodwill was beginning. I won't comment about their actions further, other than to say that I hope they change this policy in the future for the good of all SL. We at ACE have assisted other banks and exchanges in the past, such as the help we gave Lindsay Druart in securing her server better in the wake of her bank being defrauded, and we stand ready to help others in the future. We will share the code we develop with other Tango11 software users.

Now, ACE will reopen tomorrow (5pm SLT, Monday) with the needed fixes in place to ensure that Mr. Bing's exploit cannot be repeated in any area of the website, as well as to implement the new backup regime we have adopted as mandatory for all BNT server operations. We will once again be ready for business as of this time tomorrow. The new website is http://www.ace-exchange.com. We now have 57% of companies back online and will have the rest back when the data recovery experts finish their work.