Reflections on trusting trust in virtual worlds

It transpires that Emerald, the preferred open source viewer for the virtual world Second Life, is now blocked from accessing the world of the giant talking lobster[1]. Always curious, I read through a couple of message streams and observed the following:

  • Linden Labs are not the custodians of a democracy. They are the legal owners, in fact and in law, of a mass of digital content hosted on servers owned and managed by them. If you think that’s not the case, you’re wrong.
  • Open Source does not equal security. Most people couldn’t analyse a source code tree for vulnerabilities if their lives depended upon it[2]. Open Source doesn’t automatically equal “good”, “secure” or “free”. More bells and whistles[4] just means “more stuff that fewer people will understand”. Ken Ritchie first wrote about this in Reflections on Trusting Trust.
  • When programmers walk off a project saying “Guess what I found in this library!”, then look. Do not assume that, just because the suspicious output is now apparently random data (instead of nicely formatted username:password pairs, for example), the problem has gone away. Chances are that the “fox in the henhouse” has just bolted on a copy of the AES cipher.
  • Never believe your own PR[5].
  • Code matters. Breaking trust by inserting spyware will end up with you not getting invited to picnics. People care about their privacy[6].
  • People are stupid enough to cling to beliefs in the face of overwhelming evidence. Bright people are just as likely to be stupid. You are the most likely to be stupid out of everyone you know.[7]
  • Linden Labs are the virtual equivalent of Disney. The mouse has no heart.
  • Background checks are a good, good idea, even for free projects.
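The bullet about suspicious output turning into apparently random data is really a detection question: data that no longer looks like username:password pairs may be the same data after encryption. As an added example that is not part of the original post, the C below measures the Shannon entropy of a byte buffer and flags buffers that look encrypted. The credential lines and the pseudo-random bytes (a seeded xorshift generator standing in for ciphertext, not real AES output) are constructed for the demonstration, and the 7.0 bits-per-byte threshold is an assumed policy value, not one from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* log2(x) for 0 < x <= 1, written out here so the block links without libm.
 * Range-reduce into [1,2) by doubling, then use the series
 * ln(m) = 2 * sum_{k odd} t^k / k with t = (m-1)/(m+1), |t| <= 1/3. */
static double log2_unit(double x) {
    int e = 0;
    while (x < 1.0) { x *= 2.0; e--; }
    double t = (x - 1.0) / (x + 1.0), t2 = t * t, term = t, sum = 0.0;
    for (int k = 1; k < 25; k += 2) { sum += term / k; term *= t2; }
    return e + 2.0 * sum / 0.6931471805599453; /* divide ln by ln 2 */
}

/* Shannon entropy in bits per byte (0 for empty input, at most 8). */
double shannon_entropy(const uint8_t *buf, size_t n) {
    size_t counts[256] = {0};
    for (size_t i = 0; i < n; i++) counts[buf[i]]++;
    double h = 0.0;
    for (int s = 0; s < 256; s++) {
        if (counts[s] == 0) continue;
        double p = (double)counts[s] / (double)n;
        h -= p * log2_unit(p);
    }
    return h;
}

/* Assumed policy: anything above the threshold is treated as encrypted or
 * compressed rather than plain text, and deserves a second look. */
int looks_encrypted(const uint8_t *buf, size_t n, double threshold_bits) {
    return n > 0 && shannon_entropy(buf, n) > threshold_bits;
}

/* Constructed stand-in for ciphertext: xorshift32 output bytes.  Real cipher
 * output scores about the same on this test, which is exactly the point. */
void fill_pseudo_random(uint8_t *buf, size_t n, uint32_t seed) {
    uint32_t s = seed ? seed : 1u;
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        buf[i] = (uint8_t)(s & 0xFFu);
    }
}

int main(void) {
    /* Constructed sample of the "nicely formatted" output the bullet describes. */
    const char *creds = "alice:hunter2\nbob:letmein\ncarol:password1\n";
    uint8_t blob[1024];
    fill_pseudo_random(blob, sizeof blob, 0x2545F491u);
    printf("credential lines: %.2f bits/byte, flagged=%d\n",
           shannon_entropy((const uint8_t *)creds, strlen(creds)),
           looks_encrypted((const uint8_t *)creds, strlen(creds), 7.0));
    printf("random-looking blob: %.2f bits/byte, flagged=%d\n",
           shannon_entropy(blob, sizeof blob),
           looks_encrypted(blob, sizeof blob, 7.0));
    return 0;
}
```

The credential sample scores around four bits per byte and the pseudo-random buffer close to eight; the same check run over what a library writes to the network or to disk is the cheap way to notice that "it's random now" means "it's encrypted now".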

[1] Trust me, you want those things to be lobsters. Freudian nightmares aren’t in it.
[2] Why else do you think systems have so many holes? Of course, there are some lazy programmers, but most of them just don’t know how to code securely. I once reversed a very popular browser that used system(“/bin/rm -f %s”); when asked why, the programmer replied that that was the most portable way[3]!
[3] ANSI Standard unlink(). Tell your friends.
[4] Or in the case of emerald, virtual jiggling boobs. I kid you not. (and it makes the lobsters look tame)
[5] And by corollary, never believe anyone else’s!
[6] Not enough.
[7] And you don’t believe that.
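Footnote [2]'s system(“/bin/rm -f %s”) and footnote [3]'s unlink() side by side, as an added example that is not from the post or from the browser it mentions. The first function only builds the command string that system() would run, to show that the file name is pasted into a shell command line; the second deletes a file through unlink(), which treats the path as data and involves no shell. The file names are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Builds the exact string the footnote's pattern hands to system().  It is
 * never executed here: the point is that the path becomes part of a shell
 * command line, so a name containing shell syntax changes what the shell runs.
 * Returns 0, or -1 if the result would not fit in the buffer. */
int build_rm_command(const char *path, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "/bin/rm -f %s", path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Returns 1 if the name contains a character a POSIX shell treats specially. */
int has_shell_metachars(const char *path) {
    return strpbrk(path, " \t\n;|&$`\"'\\<>()*?[]{}~#") != NULL;
}

/* Footnote [3]'s alternative: unlink() takes the path as data, so the same
 * odd name is just a file name.  Returns 0 on success, -1 with errno set. */
int safe_remove(const char *path) {
    return unlink(path);
}

/* Demonstration helper: create an empty file, delete it with unlink(), and
 * report 1 only if it is really gone afterwards. */
int unlink_roundtrip(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return 0;
    close(fd);
    if (safe_remove(path) != 0) return 0;
    return access(path, F_OK) != 0 && errno == ENOENT;
}

int main(void) {
    /* Constructed name: legal on a POSIX filesystem, hostile on a command line. */
    const char *odd = "report; echo injected";
    char cmd[256];
    if (build_rm_command(odd, cmd, sizeof cmd) == 0)
        printf("system() would receive: %s\n", cmd);
    printf("shell metacharacters present: %d\n", has_shell_metachars(odd));
    printf("unlink() round trip on the same name succeeded: %d\n",
           unlink_roundtrip(odd));
    return 0;
}
```

The metacharacter check is there for code review, not as a sanitiser: the fix is to stop handing paths to a shell at all, which is what the unlink() version does.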

The Pop Singer’s Love of Web 2.0

I’ve listened to Mel’s music for a while, and just found out that not only does she have a presence in Second Life, but that she’s about the most online-y musician I’ve met, having a presence on Facebook as well, where you can listen to her tunes via iLike and YouTube.

Do your ears a favour, and listen to this Welsh chanteuse. Better yet, attend one of her gigs, buy her CD, and support real independent music.

A yummy mummy. Now if only I still had my drumkit.

Spooks get to Second Base – or do they?

I was going to write about this article:
http://www.infosecnews.org/pipermail/isn/2008-February/015882.html
“Over the last few years, “virtual worlds” such as Second Life and other role-playing games have become home to millions of computer-generated personas known as avatars. By directing their avatars, people can take on alternate personalities, socialize, explore and earn and spend money uncharted online landscapes.”
“Intelligence officials who have examined these systems say they’re convinced that the qualities that many computer users find so attractive about virtual worlds — including anonymity, global access and the expanded ability to make financial transfers outside normal channels — have turned them into seedbeds for transnational threats.”

Buuuuutt, the truth is funnier than the fiction. “Intelligence officials” know darn well that there is a choke point where fraud controls can be applied: Linden Labs. And they do apply them.

I am very skeptical of this story. WHO said it? HOW seriously did they mean it? etc. What we have here is little snippets out of context, potentially presented in a sensationalist manner (and of course the target net.paranoid audience will eat it up).

There’s too much of a history of Second Life or similar startups trying to present themselves as some sort of scary threat to the government, so that people will take them seriously, rather than being regarded as an overgrown video chat room full of weirdos.
An earlier story:
http://valleywag.com/tech/spin/second-life-calls-in-the-feds-249707.php
“Second Life’s architects, at Benchmark-backed Linden Lab, invited in the FBI on several occasions; and they’re the ones behind this latest news. It’s not like the Bureau could be bothered to call a press conference. Fact is that this counts as good publicity for the over-hyped and under-whelming 3D environment. Any controversy, over illegal gambling or copyright infringement, creates the impression that Second Life is a vibrant alternative society, and economy. Which it’s not. The FBI probably isn’t making an issue out of virtual-world gambling, because the casinos are so empty (see picture). There are more convenient ways to gamble online. For Linden Lab, better a synthetic scandal, tailor-made for the press, than the depressingly bare reality.”

Predatory software exploits weaknesses in vulnerable humans

One of the oldest and most successful ways of getting someone to spill information is the “honey trap”, where the mark gets seduced and tells all sorts of stuff they really shouldn’t. Pillow talk works exceptionally well, and it’s effective for industrial espionage, identity theft, and all sorts of what is quaintly termed “co-operative coercion”.

Everything that has mass market appeal eventually gets automated.

So, I read with interest that ComputerWorld reports that security vendor PC Tools has discovered CyberLover. From the report:

Developed in Russia, the new software is known as CyberLover and has been uncovered by security vendor PC Tools.
CyberLover can be found in chat-rooms and dating sites trying to lure victims into sharing their identity or visiting Web sites with malicious content.
According to its creators, CyberLover can establish a new relationship with up to 10 partners in just 30 minutes and its victims cannot distinguish it from a human being.

Where this becomes serious, of course, is that CyberLover encourages its targets to reveal details about themselves, and reports all of these back to its (her?) controllers. And yes, it’s us dumbo blokes who fall for this; women are much more savvy about who they engage with online.

At the moment, CyberLover is infesting Russian web chat sites; however, I’d expect to see it move onto AIM, MSN and Yahoo pretty quickly.

And there’s another place. If I were the author of CyberLover I’d wire this into the open source libsecondlife library, and wreak havoc amongst the horny geeks on there. It’s technically easy, and the hard part, the interactive chat, is already done.

When you consider that experts such as David Lacey and Stuart King are predicting the growth of targeted attacks against big businesses, plus the fact that so many companies are leaping into Second Life with a glad cry, it’s an eminently plausible attack vector.

Be wary of that attractive pink talking lobster, it may have sharper claws than you expected.

Sun shines on second life

I see that some of my former colleagues @Sun are discovering the joys of Second Life, and like most newbies, they are asking the second commonest question. (It’s quite sweet: there is now a “SunMicrosystems” family in SL.)

“How can I shoot someone?”

The most common, of course, is all to do with the stickier side of human relationships. Weird, innit.

The answer being, of course: create a scripted object, go to a “damage enabled area” and blast your testosteroney heart out. (It’s a similar answer for getting sticky.)

Of course, if you really want to cause strife, I’ve included links in other posts to “griefer scripted objects” (in Second Life, “griefing” is behaviour designed to annoy, which will not win friends and influence people).

I’m afraid, however, that this is all a bit behind the curve. Second Life has been colonised already by Microsoft, Dell, RedHat, IBM, and probably Old Uncle Tom Cobbley ‘n’ all! They run (or perhaps hobble) their servers on Dell Linux, and to be honest, the whole “virtual worlds” thing is a little over-hyped. It’s not the next great paradigm, the monetary transfer stuff is frankly suspect, and there are plenty of stories in The Register on how the SL denizens frequently trade images that are as unsavoury as you might expect.

There’s also the minor technical point that each “sim” (think of it as a server running a chunk of the virtual world) can only handle about 40 people on it. If you are carrying around big complicated objects (like guns, or gadgets to make you move more normally instead of the default “dorky robot walk”) then this can drop even further. It’s not much of a crowd for a U2 gig, is it.

Networking is very simple.

  1. Meet up with people, and establish a personal relationship, common values, and shared goals.
  2. When you are geographically separate, use IM, video calls, phone conferences, and email to communicate.

That really is it. Giant Virtual Lobsters are not required.

Second Life, not so much a fraud as a dismal failure

In Second Life, the game where those with more marketing qualifications than sense extol the virtues of Web 2.0 and promise that very soon we will never put our anoraks on and go outside ever again, the final whimper of a somewhat controversial exercise in trust is finally being played out.

First, this came across my RSS reader from the “World Stock Exchange”, which has nothing to do with the World, Stocks, nor, it seems, with them being Exchanged (for anything other than other junk).

The WSE has halted trading in Ginko Perpetual Bonds (GPB) pending an important company announcement.

My interest piqued, I scrolled a little further down to see what was about to be unleashed. Would the so-far anonymous Second Life player reveal his identity? Would he announce his buyback plan to pay back the millions of dollars of monopoly play money he’d taken? Would it be a note from his Dad saying that he was a Very Naughty Boy?

But no. It was the following:

Hello,
A couple years ago, I had this idea to create a bank. I wanted to leverage myself by investing other people’s money, something I thought I could do well. This was more an exercise in entrepreneurship than it was a million dollar idea. I didn’t plan to make a living out of it, just play with the concept and see how it went. I didn’t have this idea in Second Life and I almost created it outside this world. I just bumped back in here and thought, hum, maybe this is a good platform. I had been away ever since I had given up the idea of being a virtual store owner. I of course had hope but I did not expect it to grow to such a size so fast and I was caught by surprise with its success, perhaps just as much as I was later caught by surprise by its failure. Say what you will, but Ginko Financial changed Second Life for the better.

As you very well know, there were problems. Ginko Financial was hit from too many different sides and it fell. Perhaps if I had been more competent in building Ginko Financial, I could have made it strong enough to stand through this, but, that was not the case. The creation of the bonds was meant as a truce, a way to help me catch my breath back. I knew that in six, nine months tops I could settle the matter of the success or failure of our investments and that we had the means to make interest payments for the first quarter or two even without the success of our offworld venture. I also thought I could do partial liquidations and use the money to lower our debt proportionally. However, first with the ban on buying bonds for less than the face value and later with the gradual erosion of our investments, both of these things ceased to be possible and my position became even weaker than it was when I created the bonds. The fact is, there is no way for me to meet this quarter’s interest payment. Neither of our main in-world investments got off the ground (BNT and HCL), though they may still do so sometime in the future. The stocks are too weak to be sold to help meet this quarter’s interest payment. The L$2,400,000 we have inside Allenvest, despite Allen’s lie about me having withdrawn everything, are locked and probably lost forever.

The situation is such that I am left with no choice here. The bonds need to be converted to a fund, which will hold these assets. Namely, the WSE Traders Fund (WTF) already listed on the WSE. Interest payments are no longer part of the equation and as I am transferring the assets to Luke, I will no longer be involved with anything regarding Ginko Financial as it will no longer exist. Assets previously held by Ginko Financial are being transferred to the WTF. I am sorry that things did not work out.

Best Regards,
Nicholas Portocarrero

My summary, for those of you who didn’t want to wade through all that turgid, whiny garbage:

  • I’m a fool who made empty promises to fools who followed me (Thank you Obi-Wan).
  • Lots of fools followed me, and I rode the gravy train, laughing my sides off with my friends.
  • Ummm, Ooops. People actually want their money back! Damn. Never mind, have some junk bonds instead. They’re great, I promise.
  • Ooops again. You know that promise I made a couple of months back? You guys believed me again! Hahaha. But if you argue with me, you’re a liar! Dammit.
  • I’m walking away from it all. It’s someone else’s problem now, I need to finish my homework. But I tell ya, this will look great on my resume! Dammit again.
  • I promise, I won’t ever do THAT again. Hey, you lost money? Sucks to be you then.

Now just in case you didn’t quite get the irony, the next piece in my RSS feed was this from the World Stock Exchange:

CHAIRMAN’S LETTER

My fellow Shareholders and WSE Traders,

I joined Second Life in December 2006 and within the first week I was convinced that virtual worlds with endless possibilities such as Second Life will provide an extended platform to the existing website and over time would provide Internet users with a complete Broadband Entertainment experience that included live and On-Demand Audio and Video services along with the huge potential for e-Commerce. At the heart of most economies is a Stock Exchange and therefore I felt it was the right time to establish a stock market for the Second Life economy.

On the 22 December 2007 Hope Capital Ltd, a Second Life based company, was nothing more than a vision in a pdf file. Today it operates the first and leading fully operational virtual securities exchange in the world. The World Stock Exchange has experienced exceptional growth over the past 8 months and this growth is expected to continue. The World Stock Exchange is History in the making and has exceeded our expectations. The WSE has faced and will continue to face challenges such as market volatility, high levels of day trading, smear campaigns against Second Life, the WSE, Hope Capital and its management along with false or misleading conduct by a small percentage of companies on the WSE.

The WSE has overcome a number of recent direct challenges that resulted in significant losses. These include development bugs, the loss of approximately L$3m due to theft from a former employee and his accomplices who successfully hacked the system using insider system knowledge just prior to the WSE Security system upgrade that now prevents such actions from occurring, recent policy changes by Linden Lab regarding gambling in Second Life and negative market sentiment regarding virtual banks which combined to create panic and concern which resulted in a significant increase in user withdrawals and the implementation of Risk API, an imposed security feature which at the time resulted in a large number of users being unable to make deposits. Although the WSE has overcome the above financial challenges well it would not be appropriate or advisable for Hope Capital Ltd to pay a dividend for the quarters ending 6 August 2007 and 6 November 2007 and the bond interest payment for period ending 2nd November 2007. All profits currently being generated by Hope Capital Ltd are being held to offset previous unexpected losses. We expect to be in a position to meet all dividend and bond interest payments in the future as we will see a significant increase in trading volume and profit resulting from the anticipated high growth of WSE entering Mid November 2007 to February 2008.

We have also seen a wave of stock exchange and bank start-ups trying to gain a share of the lucrative market through lots of empty promises that try to create the impression of a safer and more regulated trading environment along with offering unrealistic interest rates or by using questionable tactics to acquire customers. We express caution to all users before considering using a start-up exchange or banking service. Such operations are small, extremely risky due to a lack of credibility, brand awareness and experience. We have seen more than enough examples of banks with high interest rates and start up exchanges closing down and suffering extreme losses for customers or going completely bankrupt due to fraud or empty promises. Although it is good to have competition in all markets especially those that have matured it is important to remember that in a small emerging economy such as Second Life there is limited liquidity and available capital in the market and as a result it is imperative that we have a large strong solid Stock Exchange and Bank backed by real life people who can pool all its vast resources into continued Research & Development, Growth and Marketing rather than many small operations that are likely fraudulent or scams and simply dilute the precious market that remains. These challenges are expected in a new emerging market and economy that is in many cases emotionally driven, ambitious and apprehensive. The WSE has constantly made every effort where possible to improve and develop our services while providing information to allow all stakeholders an opportunity to share in the future growth and prosperity of the World Stock Exchange and virtual world economies such as Second Life.

I’m pleased to announce that since March 7th 2007 the World Stock Exchange has achieved over 25,000 user accounts, raised virtual businesses over L$145 million Linden Dollars and total Exchange Turnover has exceeded L$462 million. The WSE is well established in the virtual world of Second Life and is now poised to reach new heights thanks to the hard work of our development team and the integration of a new fictional currency called the World Internet Currency (WIC) which will provide all Internet users with the opportunity to learn and participate in the new world of virtual securities trading.

WSE 4.0 AND BEYOND

We have almost completed the release of WSE 4.0 which includes:
- Full shareholder voting on company resolutions
- Financial reporting system on monthly or quarterly earnings.
- Automatically generated company data such as Price to Earnings Ratio, Net Tangible Asset and Earnings Per Share with more to come in the future.
- Market Analyst reporting system allowing approved WSE analysts to provide reports on the operational and financial performance of listed companies along with buy and sell recommendations that includes the target price.
- Market Rating system allowing all WSE traders to apply a 1 – 5 star rating on all companies based on their experiences as a shareholder or on their opinions of the companies operational and financial performance.
- IPO Applications List allowing all WSE Traders and Analysts to review and apply a marketing rating to all IPO Applications thereby allowing the WSE to view the markets preferred choices prior to making any approvals.
- Portfolio News section allowing WSE traders to stay informed on any events, outstanding resolutions or news from companies listed in their Watchlist and Portfolio.
- THE KILLER APP OF VIRTUAL FINANCE NOT YET REVEALED BUT COMING SOON….

THE SECRET IS REVEALED!

Yes it’s true, it has always been part of the WSE’s agenda to ensure that all WSE Traders whom we class as stakeholders would be indirectly protected as much as possible from the potential ethics based fraud and misconduct that would come from businesses listing on the WSE during the start-up and development phase, which has been an almost entirely unregulated environment in order to cultivate and encourage growth. The Secret is out and the time has now come as we feel there is an improved regulatory environment and sufficient information available to WSE traders in order to help them make informed decisions when trading on the WSE.

World Stock Exchange Traders Fund (WTF) is a specially designed fund that holds shares in Hope Capital Ltd on behalf of all WSE account holders who have lost their virtual shares or bonds in delisted companies up to the 19th October 2007. All WSE account holders are stakeholders in the business. Management alone did not make the WSE what it is today and it is through the participation of our customers that the WSE has become what it is today and what it will become in the future. WSE account holders will have all their shares in any company that was delisted due to fraud or bankruptcy converted into shares in the World Stock Exchange Traders Fund (WTF). The WSE Traders Fund will be allocated shares in Hope Capital Ltd on 23rd October 2007 and will begin actively trading on the WSE on the 24th October 2007.

CURRENT CONVERSIONS INCLUDE:
- APT 1 – 3
- PNK 1 – 1
- IBM 1 – 1
- MPR 1 – 1
- PCL 1 – 1
- PPC 1 – 1
- RIN 1 – 1
- SEX 1 – 1
- TSF 1 – 10
- WED 1 – 1
- TLS 1 – 1
- XAN 1 – 1
- XDT 1 – 1
- SBJ 1 – 1
- TGC 1 – 1
- PGI 1 – 3
- AMD 1 – 0.5
- CIG 1 – 1

We will announce any new conversions to the WTF on the 19th October 2007.

2004 – ’06 were the years of Google, YouTube & MySpace

2007 – ’09 will be the years of IPTV, Wikipedia, FaceBook, Second Life and the World Stock Exchange!

Kind Regards,

LukeConnell Vandeverre, Chairman & CEO

Summary again:

  • Hey, are you guys still here? Oh my. Look! They’re still here!
  • Ok, we got caught with our pants down, hands in the cookie jar. But we promise we’ll never do THAT again. C’mon, you can trust us.
  • Real banks coming into SL. Dammit!
  • We’ve got a brilliant secret sauce. Please enjoy the dogfood that we smother it with.
  • We call our trade fund WTF, and our capital fund “Hope Capital”. Don’t think about the injokes.
  • Real names? But why? Dammit!

Please, Dear Lord, remind people that giving your money to cartoon characters that can be erased, rubbed out, and transmogrified by their owners is a bit like trusting the Leprechauns to provide you with a retirement pension.

Recruiting giant lobsters (and worse)

I was tickled by this article on Computer Weakly that tells how Corporates use Second Life to recruit bright young talent.

While it’s certainly true that I’ve met some exceptionally bright people on Second Life, a lot of them are pretty expert at digital mayhem, and spend their time gleefully creating stuff like this. I won’t tell you what PN stands for, except that polite society now calls them “Patriotic African Americans”.

Gosh, wouldn’t that be fun to have rattling around in the computer that controls your bank accounts, or for that matter, audits them (KPMG, I’m talking to you).

Second Life, same old con

Ponzi schemes are not new; they’ve been around since the 1920s. And one would think, with the FSA, SOX, the SEC, offices of fair trading, and ultimately the courts, that adequate protection exists for the consumer today. Right?

Wrong.

Enter Second Life, and more specifically, Ginko Financial, a “virtual company” offering high-interest-bearing savings accounts. It used to call itself a bank, until … oh wait, you read their website already, right? Terribly sad: in order to hold onto their assets and avoid devaluing the market, all customer funds have been converted into “Ginko Perpetual Bonds”, paying a rate of interest two orders of magnitude lower than that originally offered by Ginko.

Ginko appears to be wholly owned by a nom de joue called Nicholas Portocarrero, although recent research has revealed a possible name behind this pseudonym, one Andre Sanchez.

A major landowner/landlord in Second Life, Anse Chung, has declared that Ginko is “most likely a Ponzi scheme”; this was before the recent collapse. The chances of it being a Ponzi fraud scheme, it has to be said, appear better than average right now. Of course, looking back on it, if there were a legal way to pay 60% on investments, then surely banks both virtual and real would be doing it?

While I had a small amount of virtual cash in Ginko, I know many other people who have lost big: concerns over leaving money in virtual pockets, ready to be picked by a malicious object, have led people to entrust their funds, some would say, less than wisely.

So the question turns back to: Who is responsible? Is this fraud? If so, who is the perpetrator? Are Linden Labs, the owners and operators of the Second Life infrastructure, simply the duped instruments of a con man, or do they share a responsibility and financial liability for failing to safeguard information and assets entrusted to them?

Watch this space.