Topic: Ancapex WARNING - IntLibber Brautigan rogue trader.

Apr 13th 2008, 00:57
LeoTheo Bing
Ancapex WARNING (Insecure); IntLibber Brautigan rogue trader.
Edited by author Apr 13th 2008, 01:50
Dear reader,

(This is in no way related to the 2-week Ancapex outage - that was another (unrelated) chronic example of incompetence)

Ancapex has (or had) a major design flaw - it literally had no transaction security. As a result anyone can use anyone else's account to buy and sell shares - this is shocking for a service that claims to be secure. Since its opening, anyone has been able to change the account number on the transaction confirmation page (using Notepad etc.) and sell your shares. It requires no hacking of any kind (before accusations are made) and allows the complete emptying of your account or false inflation of a share price.

Some additional info:

I complained to IntLibber Brautigan about the shocking security holes in Ancapex at 4pm SLT on 12th April 2007
I was banned from SL by 12.30 SLT on 13 April 2007 (although possibly sooner)
After banning me from SL - IntLibber Brautigan decided that he would sort out the problems after all - and took down http://www.ace-exchange.com/ (again)

So basically - he has used his influence to suspend my SL account for no reason at all

The user ID (in one of the submission forms) should be verified against the password/user account on the server side - but it isn't - allowing you to buy or sell anybody's shares just by editing one number - it's so fundamentally flawed that I actually discovered it by accident (I switched accounts prior to completing a transaction). It's bad enough that the site has no secure data transfer - but leaving an exploit that basic is entirely negligent. In light of other recent examples of Ancapex negligence I find this disgusting.
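As an added illustration (not Ancapex or SLCapex code, none of which is on the page), the flaw described in the post above modelled as a small Python sell handler: the vulnerable version acts on whatever account number the confirmation form posts, the fixed version binds the account to the logged-in session on the server and logs any mismatch as a tampering signal. SESSIONS, make_accounts, the form fields and the account numbers are constructed sample data.

```python
# Constructed sample data: session token -> authenticated user.
SESSIONS = {"sess-leo": "leo", "sess-bob": "bob"}

def make_accounts():
    """Fresh copy of the constructed accounts: account id -> owner and holdings."""
    return {
        1001: {"owner": "leo", "holdings": {"SLW": 100}},
        1002: {"owner": "bob", "holdings": {"SLW": 250}},
    }

class TransactionError(Exception):
    pass

def sell_vulnerable(accounts, session_token, form):
    """Pattern the thread describes: the account number is taken from the posted
    form and never compared with the session's user, so one edited field lets
    any logged-in user sell from any account."""
    if session_token not in SESSIONS:
        raise TransactionError("not logged in")
    account = accounts[int(form["account_id"])]   # trusted straight from the client
    symbol, qty = form["symbol"], int(form["qty"])
    if account["holdings"].get(symbol, 0) < qty:
        raise TransactionError("insufficient shares")
    account["holdings"][symbol] -= qty
    return account["owner"]                        # whose shares actually moved

def sell_fixed(accounts, session_token, form, audit_log):
    """Hardened form: the account must belong to the session's user, decided
    server-side; a mismatch (or a malformed id) is refused and written to the
    audit log, which is the signal a defender would alert on."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise TransactionError("not logged in")
    try:
        account_id = int(form["account_id"])
    except (KeyError, ValueError):
        audit_log.append(f"REJECT session_user={user} malformed account id")
        raise TransactionError("bad account id")
    account = accounts.get(account_id)
    if account is None or account["owner"] != user:
        audit_log.append(f"REJECT session_user={user} posted_account={account_id}")
        raise TransactionError("account does not belong to this session")
    symbol, qty = form["symbol"], int(form["qty"])
    if account["holdings"].get(symbol, 0) < qty:
        raise TransactionError("insufficient shares")
    account["holdings"][symbol] -= qty
    return account["owner"]

def try_sell(handler, *args):
    """Run a handler; return the owner whose shares moved, or None if refused."""
    try:
        return handler(*args)
    except TransactionError:
        return None
```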
Apr 13th 2008, 02:28
Bogart Beck
Re: Ancapex WARNING - IntLibber Brautigan rogue trader.

SL CapEx was made aware of this potential exploit recently and has taken reasonable precautions to secure transactions that could be jeopardized by this particular methodology.

From a disclosure standpoint I should acknowledge that Leo Bing originally reported the exploit to us confidentially and was cooperative in helping to identify and isolate the condition which enabled the exploit.

Intlibber contacted me this afternoon as well.

Given the unfortunate recent technical challenges ACE has experienced, and, recognizing that we are all still one collective financial community, SL CapEx offered to have our CTO (Chango Kanto) share his fix for this exploit with the ACE technical team to help ACE isolate and secure their system.

I suspect ACE should be back online shortly if they aren't already.

I return you now to your regularly scheduled SL drama.

Bo


Apr 13th 2008, 06:19
Scott Nestler
Re: Ancapex WARNING - IntLibber Brautigan rogue trader.
Bogart,

I hope CapEx is charging ACE a fee for assisting ACE....

At least make him buy SLW shares :)
Apr 13th 2008, 08:01
Chango Kanto
Warning - Rant
This reminds me of a long time ago when I was still in the Uni, and I just couldn't keep my fingers off of the mainframe and Unix systems whose security holes were very inviting.

I had a lot of fun hacking into these systems and finding innovative ways of creating trouble. My favourites were swapping display screens between two students sitting next to each other, randomly causing students' screens to scroll, and the cookie monster which keeps asking for cookies after typing each command :)

Jokes apart, when I finally got caught after my mate dobbed me in, I was hoping for some kind of accolade from the authorities, but instead I was grilled for the next 2 weeks by everyone from the data operator to the assistant dean. When I tried to explain the lax security and how easy it was to break in, things just got worse and I was threatened with expulsion.

Luckily when the matter came to the Dean, he was able to look at the lighter side of things ... he even chuckled a couple of times when the charges were read to him, and finally let me go with the compulsory warning - "If you try this shit again I won't be able to help you."

Anyway, a couple of years later on, when the same systems started misbehaving again, guess whom they brought in to investigate? ME!

In my personal opinion, the stronger a hacker is attacked, the more of an imbecile the sysadmin is. There is a sense of security that comes to the clueless moron running the system, when he thinks that the "evil" hacker has been barred and dealt with, and would never bother them again ... in reality it just turns a benign hacker into a vindictive one.

In any case, I would like to concur with Bo that Leo Bing seems to be one of those people who like to tinker with stuff and when they find problems try to dramatically show what they found. He was co-operative in disclosing what he knew and I did not see any malicious intent in his activities - Yeah Leo, don't think I didn't notice your $5000 "profits" in one day's trading ... :)

Anyway, word of advice, careful what you tinker with. People in SL are extremely paranoid, and are only looking for any opportunity to blame some hapless hacker for all their poor decisions. Hope you don't get crushed in the crossfire!

/CK
Apr 13th 2008, 12:04
Insouciant Yue
Re: Ancapex WARNING - IntLibber Brautigan rogue trader.
Edited by author Apr 13th 2008, 12:22
Call the BOFH!

This is always a difficult thing to do - especially when you are trying to help... too often "shoot the messenger" is the reaction simply because "THEY CAN" understand and comprehend that "response" (as inappropriate as it usually is) rather than be able to understand the threatening exploit vector being described. That the exploit has been demonstrated "gives" them reason to "attack the person" and justifies the common knee-jerk (and usual) reaction in trying to deflect "blame". The EVIL is the person trying to show/inform about an exploit, not the shoddy programmers or manager who allowed an exploit to exist or be missed by internal security checking, auditing, and target testing. Insecurity and pride -- why are these character traits found in such high measure in many sysops!?!

Anyway LeoTheo, thanks for bringing this to light (and for going to those who COULD/SHOULD do something about it first).
Apr 13th 2008, 12:53
Jimmy Bligh
Re: Ancapex WARNING - IntLibber Brautigan rogue trader.
Bo that was nice of you to help IB. You know that anything that goes wrong at ACE from here on out, he could, and knowing his history, will try to put the blame on you.

And Chango, you said it best. "Anyway, word of advice, careful what you tinker with. People in SL are EXTREMELY PARANOID, and are only LOOKING FOR ANY OPPORTUNITY TO BLAME some hapless hacker for all their POOR DECISIONS. Hope you don't get crushed in the crossfire!"
Apr 14th 2008, 10:35
Ashleigh Wade
Re: Ancapex WARNING - IntLibber Brautigan rogue trader.
Edited by author Apr 14th 2008, 10:44
Bo-

I think you are a good man and my respect level for you has gone up up up with the way you handled this. You put the interests of the account holders at ACE above that of petty differences between ACE and SL Capex to benefit the greater financial community. I doubt your actions would be misconstrued any other way.

Leo-

Thanks for bringing this to light. However, I read where you posted over at SL Exchange and someone mentioned you exploited this vulnerability at ACE and then withdrew funds, and that resulted in your ban. Is this true? If so then it's most concerning. Also the timeline is a little off. It appears you were preferential in your notifications.

Here's the link for your reference:
http://www.slexchange.com/modules.php?name=Forums&file=viewtopic&t=45973&postdays=0&postorder=asc&start=0
Apr 14th 2008, 11:02
BurnA Greenwood
Re: Ancapex WARNING - IntLibber Brautigan rogue trader.
Edited by author Apr 14th 2008, 11:06
Worrying times for all concerned. I think it just brings light to the unsustainability of some organisations in SL - especially under certain management...
Apr 14th 2008, 15:04
Gen Ferraris
Re: Ancapex WARNING - IntLibber Brautigan rogue trader.
Edited by author Apr 21st 2008, 11:44
edit: this (slcapex) isn't any of my biz anymore.
Apr 14th 2008, 18:39
Crystal Parisi
Re: Ancapex WARNING - IntLibber Brautigan rogue trader.
http://www.ace-exchange.com/home/story/system/362




This website © 2008, 2009 SLCapex.com, LLC. All rights reserved