The L$100,000 Scripting Lesson

by Pixeleen Mistral on 16/06/07 at 10:33 am

Slot machine maker enrolled in the school of hard knocks

by Pixeleen Mistral, National Affairs desk

Bob Perry got a metaverse schooling in secure scripting

The notecards and complaints arrived together in the Herald offices early one Sunday. An angry Bob Perry claimed that sly old Frosty Fox must have used an exploit in the payment system for the slot machines Mr. Perry was running – a cool L$200,000 had been diverted into Mr. Fox’s pockets. Had a virtual crime been committed against a virtual casino owner? Before leaping to conclusions, recall that nothing is simple in the metaverse.

For an entrepreneur, laws and regulation can create opportunities to serve new markets. If the Lab’s crackdown on in-world gambling had not done away with the demand for virtual world gambling, could there be a market for a stealth slot machine? Evidently so, since Mr. Perry was giving away a heads up display (or HUD) slot machine, and raking in the house take on the L$s wagered.

This should have been a sweet, stealthy business flying low under the Second Life radar. The HUD allowed anyone to play the virtual slot machines privately – HUD controls are only visible to the HUD owner – so LL should have been none the wiser. To sidestep the Lindens’ ban on casino advertising, Mr. Perry was distributing the slot machine HUD via third party web sites – slexchange.com and slboutique.com – where ads and controls on what is bought and sold can be a bit less stringent than in-world. There was only one small problem – securing payments made to gamblers.

Missing money

The invisible slot machine business was going well, until Mr. Perry noticed to his horror that he had suddenly come up about L$200,000 short. When he asked his script developer Jason Hashimoto what was happening, Mr. Hashimoto assured him that it would take a very long time to guess the secret to the payment scheme. Could the problem have been an exploit? Had someone managed to see the source code for the scripts? If an exploit had been used, perhaps the Lindens could be enticed to punish Frosty Fox and return the money.

The would-be HUD casino operators confronted Frosty Fox – the recipient of L$200,000 (US$700 at current exchange rates) in payments – and shared the chat logs of these encounters with the Herald:


Jason Hashimoto: Hey I heard you got a lot of money from Bob Perry, I’m just interested about what exactly happened.
Frosty Fox: i bought a slotmachine from slboutique. it takes money from you when you play and when ya win it sends an email and sends me a payment. it was totally insecure
Jason Hashimoto: so you used like an exploit from a script?
Frosty Fox: it’s happened to me years ago, i could do nothing about it, had to learn the hard way. i’ve given him half back
Jason Hashimoto: somebody did it to me and I got my money back and the person got banned


Bob Perry: i don’t want to start a fight
Frosty Fox: look m8, u should have fully tested your slot machine, it was so simple. i’ll give u half back ok?
Bob Perry: plse
Frosty Fox: i also bought your ATM/Server and i might have a go at that. i’m sorry
Bob Perry: ok now return the rest
Frosty Fox: sorry that’s it :) . i cannot believe how the slot worked. totally unprofessional
Bob Perry: ok great… now i’m going to make sure u don’t have another day in sl
Frosty Fox: the wiki clearly says you should not link your wallet up to anything if it’s insecure. you have not used md5 hash codes or base64 codes


After some heated exchanges with Frosty Fox, a poorer, but wiser Bob Perry contacted the Herald in hopes of extracting some sort of justice in the metaverse. Though Mr. Perry had saved his chat logs, he was disappointed that the Linden Lab game gods presented with his evidence were blowing him off. He claimed to have attempted to contact 30 Linden staffers in the hope of reaching someone online, and sent multiple IMs to King Philip Linden – all to no avail. Contacted over a month later, Mr. Perry lamented that the LL staffers are still blowing him off. On the other hand, at least he got half of his L$200,000 back.

Frosty Fox offers scripting lessons – for a fee

The sly scripting Fox

Since Mr. Perry had paid the tuition for an expensive course in scripting payment systems, it seemed best if our readers might audit the lecture section of the course, so I contacted Frosty Fox for a copy of the class notes.

Mr. Fox told me that he had been badly burned himself by an insecure payment scheme when he was a noobie, and LL had done nothing. This is apparently part of how one learns the ropes in the LL scripting game. Mr. Fox said that he did not use an SL exploit to divert the cash – instead he used a simple one line command — see the end of this story for details.

Mr. Fox was studying Bob Perry’s slot machine HUD because he was considering building something similar – and was surprised to see that the Perry HUD was making what Mr. Fox says is an elementary technical mistake, one that he had made himself at one point.

When is it gameplay and when is it real?

The events described here occurred well over a month ago, so presumably the statute of limitations has expired on any LL-actionable abuses – unless this is considered broadly offensive to the community or to Daniel Linden. Given the mercurial nature of Linden justice, this story may serve as a cautionary tale for entrepreneurs in the metaverse – protect your payment system – and don’t depend on the Lindens to police your game.

Deeper questions remain, however. How much trickery is legitimate in SL? Should the Lab protect noobies from scams? Certainly underhanded schemes and inter-resident drama are major parts of SL’s gameplay and excitement for at least some of the populace, but what constitutes unacceptable levels of inter-resident drama?

With an opaque abuse reporting and police blotter system, the Lindens generally take the role of disinterested Gods – except when one of their pets has been bothered or their own business is threatened. In the metaverse, it appears that stealth slot machine makers are simply left to their own devices. Meanwhile, if I need any custom scripting, I think I’ll have a chat with Frosty Fox.


Frosty Fox’s scripting advice:

I bought a HUD slot machine from SLB, it was no-mod, copy, transfer. I took the scripts out, put them into a new slot machine I re-creator-ed, and added a linked_message debugger, then I played a few games, I got a win, it told me that it needed a linked message using:

llMessageLinked(1, AMOUNT, "Game Payment!", AVATAR_UUID);

this is totally insecure, extremely simple
AMOUNT is the amount to get paid,
AVATAR_UUID is the AV ID to get paid

after finding this out, I IMed him and left a message something like this

hiya your HUD slotmachines are very bad,
llMessageLinked(1, AMOUNT, "Game Payment!", AVATAR_UUID); is a really poor way to handle Payments. You should look into llMD5String(source, nonce), and use Base64Correct strings to encrypt everything
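To make Mr. Fox’s one-liner and the fix concrete, here is an added Python model (written for this edit, not code from the Herald, Mr. Hashimoto or Mr. Fox) of the payout handler as he describes it beside a hardened design in which the operator-owned script, not the player-held HUD, decides the outcome and the amount. LSL’s link-message slots, llGiveMoney and the money() event are represented by plain-Python stand-ins, and the odds, multiplier and avatar key are constructed values.

```python
"""Constructed model of the two payout designs at issue in the story.

An LSL link message carries (link, num, str, id).  The payout script Mr. Fox
describes paid `num` L$ to avatar `id` whenever `str` was "Game Payment!",
so whoever held the HUD could raise that message.  The hardened variant keeps
the odds and the payout decision in the operator-owned script.
llGiveMoney and the money() event are plain-Python stand-ins, not LSL calls.
"""
import random
from dataclasses import dataclass, field

@dataclass
class LinkMessage:
    num: int     # llMessageLinked 'num' slot (the L$ amount in Perry's design)
    text: str    # 'str' slot
    id: str      # 'id' slot: the avatar key to pay

@dataclass
class Ledger:
    paid: dict = field(default_factory=dict)   # avatar key -> L$ paid out

    def give_money(self, avatar: str, amount: int) -> None:
        self.paid[avatar] = self.paid.get(avatar, 0) + amount   # stand-in for llGiveMoney

class InsecurePayoutScript:
    """Perry's design: the player-held HUD tells the house how much to pay whom."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger

    def link_message(self, msg: LinkMessage) -> bool:
        if msg.text != "Game Payment!":
            return False
        self.ledger.give_money(msg.id, msg.num)   # amount and payee both chosen by the HUD holder
        return True

class ServerSidePayoutScript:
    """Hardened design: the HUD only delivers a wager; the house decides the outcome.

    Hashing or signing the HUD's message (the llMD5String suggestion) cannot fix
    the insecure design by itself: any secret the HUD needs ships inside the HUD,
    which the player holds.  Keeping the decision out of the HUD can.
    """
    WIN_ODDS = 0.05     # house-side odds, never present in the distributed HUD
    PAYOUT = 10         # multiplier on a winning wager

    def __init__(self, ledger: Ledger, rng=None) -> None:
        self.ledger = ledger
        self.rng = rng or random.Random()

    def link_message(self, msg: LinkMessage) -> bool:
        return False    # no link message, whatever it claims, moves money

    def money(self, payer: str, wager: int) -> int:
        """money() event: `payer` paid `wager` L$ to the house object.  Returns the payout."""
        if wager <= 0:
            return 0
        if self.rng.random() >= self.WIN_ODDS:
            return 0
        payout = wager * self.PAYOUT
        self.ledger.give_money(payer, payout)
        return payout

def forged_payout_demo() -> tuple:
    # Replays the forged "Game Payment!" message against both designs and returns
    # (insecure accepted, L$ paid by insecure, hardened accepted, L$ paid by hardened).
    forged = LinkMessage(num=200000, text="Game Payment!", id="holder-key")  # constructed values
    insecure = InsecurePayoutScript(Ledger())
    hardened = ServerSidePayoutScript(Ledger())
    return (insecure.link_message(forged), insecure.ledger.paid.get("holder-key", 0),
            hardened.link_message(forged), hardened.ledger.paid.get("holder-key", 0))
```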


27 Responses to “The L$100,000 Scripting Lesson”

  1. sage

    Jun 16th, 2007

    Base64, learn to edit your posts. Also, Base64 is not secure, it is a form of ENCODING for transfer of non-ANSI information over ANSI protocols.

  2. Pixeleen Mistral

    Jun 16th, 2007

    Somewhere between the newsroom and the printing press base64 turned into bass64 – once again, Audrey in typesetting seems to have worked her magic. I had the production staff stop the presses, made typesetting fix the problem, and have sent runners out to all the newsstands to gather up the edition with the typo.

  3. Anonymous

    Jun 16th, 2007

    Still confused about something. It’s a known fact that only the owner of a script can give debit permissions. How could a HUD owned by Mr. Fox use llMessageLinked (internal communication within the HUD) to debit Mr. Perry?

  4. Buckaroo Mu

    Jun 16th, 2007

    Well, folks, it’s called “Gambling” for a reason. I guess the house doesn’t always win. Seriously, though, if I were Perry, I’d be having a deep conversation with Hashimoto about who exactly owes whom. Talk about a beginner mistake. Not only should that have been encrypted, monetary transactions should NEVER have been allowed outside a single script – using llMessageLinked for secure communication? That’s just asking for trouble. He should be glad this Fox guy isn’t a faceless alt, glad that he was willing to explain the hack, and that he returned half his money.

  5. Prokofy Neva

    Jun 16th, 2007

    Brilliant report, Pix, and so very SL!

  6. Ordinal Malaprop

    Jun 16th, 2007

    It’s all very well saying “you shouldn’t have done that” – and that doesn’t sound like a properly secured script – but I’m sorry, surely it is not in doubt that taking a few hundred dollars from somebody and saying “ha ha it’s your fault” is simply criminal behaviour? If my neighbour didn’t lock their door and I went in and stole their TV and DVD player – but then gave the DVD player back – does anyone think that the courts would take “they were just dumb not to lock their door” as justification?

  7. Ordinal Malaprop

    Jun 16th, 2007

    It is useful to see the actual exploit, though, I must say.

  8. Coincidental Avatar

    Jun 16th, 2007

    > How much trickery is legitimate in SL? Should the Lab protect noobies from scams? Certainly underhanded schemes and inter-resident drama are major parts of SL’s gameplay and excitement for at least some of the populace, but what constitutes unacceptable levels of inter-resident drama?

    Yes, I have often been wondering what the legislation of California says. SL resides juridically in California at the address of Linden Lab. However, other jurisdictions may apply too.

    LL has touted much about the “economy” but has avoided providing even basic legal guidance to residents about Californian/US federal and international/foreign laws applied in SL. Well, their attitude stinks.

    Could somebody living in California tell me, does LL’s TOS follow the consumer legislation of California and the USA, or is the TOS an illegal agreement between a consumer and Linden Lab? And is LL’s TOS a legal or illegal agreement between two businesses (one being LL and the other the customer of LL)?

    You see, I haven’t made any agreement with LL because the LL TOS is illegal in my jurisdiction: I can’t give those rights to LL which LL is asking. But LL has standard legal obligations to me!

    As for money, I stole a few L$ from LL, and learnt that they are much more vigilant in watching their own money than the avatars’ money.

    Roleplay??? Woot??? Did somebody consent to a roleplay in which he is being cheated? And what does Californian law say about roleplays? I assume that as soon as a crime occurs, it is no longer called a roleplay.

    Well, I think that the US legislation about inaction is extremely loose compared to my jurisdiction, in which inaction is often a crime. You have that “conspiracy” concept in the USA, but does it require active involvement?

    LL does get money from criminals, but so do lawyers. And the police would be unemployed without the bad guys.

    Is there any law in California/USA which requires LL to stop their inaction about crime in SL because LL receives their share via currency exchange from criminal activity?

  9. Coincidental Avatar

    Jun 16th, 2007

    > If my neighbour didn’t lock their door and I went in and stole their TV and DVD player – but then gave the DVD player back – does anyone think that the courts would take “they were just dumb not to lock their door” as justification?

    First, I’ve read many times how Americans are confused about the concept of ownership. On the other hand, some of them tout the imaginary virtues of capitalism etc. I see some contradiction here. Maybe, because Americans no longer know what ownership is, they speak so lightly about capitalism, because they don’t know what capitalism is either. Usually Americans don’t know what they are speaking about, I have noticed.

    In my jurisdiction everything is owned by somebody (person)/something (juridical person= corporation, state..).

    Thus, the insurance company doesn’t pay for dumb people, but the court would say that the ownership of TV never changed. That would apply too, if your neighbor had left his TV+DVD in front of your house. Finding something doesn’t mean that you become automatically the owner too, except in the children’s books. Similarly, if I transfer accidentally L$ to your account, you don’t own them. If you use them, you commit a crime.

    And I still wonder where Americans lost the concept of ownership.

  10. Silje

    Jun 16th, 2007

    I can’t believe that Frosty gave half..
    This is Perry’s fault for not having an llGetCreator check or any way of encrypting the info that needed to be sent.
    I would not have given half myself, because when a creator does that bad a job he deserves the smack on his fingers.

  11. Kahni Poitier

    Jun 16th, 2007

    And when someone makes a mistake, you should screw them as fully as possible.

    Well, okay, halfway….

    He may be a decent scripter, but he’s still a thief.

  12. Artemis Fate

    Jun 16th, 2007

    “Though Mr. Perry had saved his chat logs, he was disappointed that the Linden Lab game gods presented with his evidence were blowing him off. He claimed to have attempted to contact 30 Linden staffers in the hope of reaching someone online, and sent multiple IMs to King Philip Linden – all to no avail. Contacted over a month later, Mr. Perry lamented that the LL staffers are still blowing him off.”

    Haha is he serious? That’s like a drug dealer running to the cops to report that someone ripped him off, and expecting to get his full money back.

    Honestly, I give Frosty Props for that one, and he was nice enough to even give back half of it, he could have kept it all and never got in trouble. Gambling in SL is just what he did, a way to scam people out of their money, Bob did it to every person who bought his illegal slot machine, and he got burned by someone who outsmarted him, and now he’s bitching. Well all I can say to that is “wah wah, cry cry cry cry.”, I doubt Bob was giving back half of the money to all the people HE scammed with his slot machines.

  13. altic Plasma

    Jun 16th, 2007

    Pronunciation: ‘theft
    Function: noun
    Etymology: is the fraudulent taking of property or monies belonging to another, with intent to permanently deprive the owner of the property or monies.

    Frosty wasn’t authorised to take the money; he took it unlawfully, so it is theft, and to me Frosty is the lowest kind of person in SL.

  14. Coincidental Avatar

    Jun 17th, 2007

    > Haha is he serious? That’s like a drug dealer running to the cops to report that someone ripped him off, and expecting to get his full money back.

    I explain why I think that Americans are completely lost with such basic concepts as justice and ownership. I’ve encountered plenty of evidence on discussion boards.

    A theft from a drug dealer is a theft and a crime. Dealing drugs is another crime. Crimes don’t cancel each other out.

    It is just impractical and risky for a drug dealer to contact the police.

    Offering online gambling is illegal in the USA and I suspect that additionally gambling is anyway illegal in California?

    But calling it scamming might be a criminal act (defamation).

    And why do I have to explain this?

  15. Anonymous

    Jun 17th, 2007

    hahahahaha, Bob Perry got what he deserved!

  16. Anonymous

    Jun 17th, 2007

    hahaha

  17. Yo Brewster

    Jun 17th, 2007

    No doubt Frosty should have given the money back as it’s called stealing even if the money is there right in front of you to grab. And no doubt should Frosty have secured his app a bit better. Nice story though – it clearly shows you the difference between RL and SL. In SL people always seem to get away with their crimes… – oh no wait – lol – they sometimes get banned and have to start a new account! What a hassle!

  18. Artemis Fate

    Jun 17th, 2007

    “And why do I have to explain this?”

    I don’t know, nothing I said stated I had trouble understanding this concept.

    “But calling it scamming might be a criminal act (defamation).”

    I doubt it. Gambling is already a form of scamming, since it’s an unfair game (talking more about Dealer to player games like Slots and Black Jack, than player to player like Poker), but add on that Gambling is illegal in SL now, and that these are Slots (probably the easiest gambling system to consistently scam people with), I don’t think it’s a stretch at all. The point is to get the person’s money without giving them anything in return, at least Frosty gave half back, I don’t see Bob doing the same.

  19. Ordinal Malaprop

    Jun 17th, 2007

    Gambling is not “illegal in SL”. The only thing that is prohibited is advertising it on the Search or Classifieds or Events.

    Given the enormous number of scams and con-tricks and freebie sales and so on in SL, gambling now seems a relatively harmless way to waste your money. People find it fun at least, as opposed to being ripped off by a scripting exploit, which few people find fun. The subject of camping, of course, is a different matter, but a HUD gambling device means no campsites, which seems like progress to me.

  20. Shockwave Yareach

    Jun 18th, 2007

    Frosty stole the money, plain and simple. That he gave part of it back is irrelevant – taking all my computer gear and giving me back the monitor and keyboard is still wrong. *adds Frosty Fox to his Never do Biz With list* And I’ll bet if Bob Perry took a lot of L$ from Frosty, he’d be screaming all the way to the police.

    All this being said, Bob was a fool for not using encryption to handle comm in any money transaction. It’s likely he won’t get his money back, but at least it’s only US$400 and not thousands as has happened to the Dark Life people.

  21. Morgaine

    Jun 19th, 2007

    Ethically, the position was in Perry’s favour until he made one fundamental mistake: he accepted the offer of half-payment from Fox, and then reneged on this settlement after receiving the money.

    So now, neither of them holds the high ground. And nor does Hashimoto, since he claimed security for his script, falsely.

    Of course, Perry took the half-payment by deceit in order to recoup at least SOME of his loss. Instead of “Plse” though, he should have said “Plse return half the money if you think that is right, but I will claim against you for the remainder as well.” It would then have been up to Fox.

    Hopefully lessons were learned all round.

  22. Ordinal Malaprop

    Jun 19th, 2007

    Generally, in this sort of case, the party who _hasn’t_ stolen several hundred dollars from the other tends to retain the moral high ground, regardless of whether they get back a part of the sum that has been stolen from them. The “stealing” thing vs the “not stealing” thing, you know, it’s a bit of a giveaway.

  23. Sin

    Jun 20th, 2007

    I know it was Perry’s game and cash, but what about the scripter? If I don’t know anything about scripting and I ask someone for it, and there is a problem with it, I think the scripter has half the responsibility for that. At the end, he was the one that created the game. Perry just did the marketing and sold it.

  24. Chimchim Femicoloud

    Jun 29th, 2007

    are you guys this square in RL? stealing is cool, especially in SL, fuck off

  25. Redux Dengaku

    Jul 4th, 2007

    LET THE SELLER BEWARE

    The fact of the matter is that this is not theft. This is on the same level as someone getting a can of corn for free by using two 50% off coupons on double coupon day.

    What if the story was “oops my scripter calculated the odds wrong, please give the money back to me so i can re-rig the system in my favor to make sure you lose next time”, would it still be theft?

    More than one person (myself included) told Bob exactly why this was a very dangerous idea months ago… which didn’t stop him from hiring the cheapest person who was willing to tell him exactly what he wanted to hear. (I wonder if this is the same system he sold for 150,000 lindens a mere 10 days later… strange he mentioned that to his shareholders but left out the part where the system lost him 100k). I’m willing to bet it’s STILL totally unsecure on the server side as well… probably something like…. http://www.bobpsage.com/send_money_secret_page_123.php?id=&amt=12345&password=bob

    Ryozu Kojima taught me to pretend your script is going to be distributed with full permissions and then look for ways to have it still be secure, which is brilliant advice. We’ve had permissions bugs reveal scripts full perms more than once over the years, even as recently as last month. Encryption and passwords are by no means bullet proof, which goes double in SL.

    (Incidentally, IMing an offline Philip Linden to complain that someone exploited a system you designed in order to break the rules isn’t a very good way to get a problem solved, especially considering that most Lindens’ IMs get capped within about 15 minutes of them going offline).

  26. Ian Newt

    Jul 24th, 2007

    There is nothing inherently “unfair” about gambling. It’s not about fairness; it’s about risk. “You pays your money, and you takes your chances.” (who said that?)

    A gambler agrees to the terms of the game simply by playing, even though the odds are weighted in favor of “the house”. Winning odds of 1% or 49% are equally “fair”.

    However, exploiting a flaw in the code in order to effectively change the odds in favor of the player — in this case 100% odds of winning, essentially — this is clearly unfair and wrong.

    Forget about legality. Think of this in terms of ethics, because that’s what really matters. Bob clearly did not intend for someone to be able to take 200,000 lindens from him in this manner. Therefore, it was wrong to do so.

    There is no justification for unethical behavior.

    P.S. I’m an American :-)

  27. Cracker Hax

    Sep 3rd, 2008

    First of all, this was monopoly money. No court is going to prosecute somebody for conning somebody out of make believe money. If this were the case, you would see people suing each other over games like WoW and Everquest. It would be silly.

    “OMFGX0RZ!!11one!! PWNX0R THE BARBARIAN CONNED ME OUT OF 5 COPPER!!” *calls attorney*

    That is all we need in this country, even more frivolous lawsuits to tie up our legal system and eat up our tax money. Give me a break.

    Second of all, it is Linden Lab’s policy that loss of money due to weak scripting is entirely the fault of the person running the script.

    Tie these two factors together, and you would see people intentionally writing weak scripts, knowing that somebody will rip them off, and abuse the legal system to get them in trouble.

    Doesn’t anybody use their brain anymore? THINK A LITTLE, PEOPLE!
