I was going through some files today and found this chatlog. It’s from when I reported an exploit where an avatar could debit money from any other avatar in SL. I reported it to the emergency e-mail they gave the libsl folk, and Brent Linden was awake within an hour taking care of it. 10 minutes after getting into the office, Philip, Linden Lab’s CEO, sent me an IM:
[7:10] Philip Linden: hey there!
[7:10] Gene Replacement: hi what’s up
[7:10] Philip Linden: can I come and talk to you about your reported exploit?
[7:11] Gene Replacement: ok sure but I’m not at a nice place
[7:11] Philip Linden: let’s go somewhere else then.
[7:11] Philip Linden: hang on.
[7:12] Philip Linden: actually let’s talk in IM to be really secure.
[7:12] Gene Replacement: secure :p
[7:12] Philip Linden: OK so can you tell me the time and source->dest of the test you did?
[7:13] Gene Replacement: honestly, I have no idea. I’ve been messing with packet shaping SL stuff for a few hours last night/today and was messing with various stuff.
[7:13] Gene Replacement: I debited two different avatars and paid them back to do the test.
[7:13] Philip Linden: OK which ones?
[7:14] Philip Linden: I want to look at our logs and see what is there?
[7:14] Gene Replacement: Tiny Marbles and Huns Valen
[7:14] Gene Replacement: I received their permission via voice chat
[7:14] Gene Replacement: I also debited NULL_KEY when testing it, as the idea originally came from modifying asset upload fees and the default avatar paid is NULL_KEY
[7:15] Philip Linden: OK are you referring to a transact between you and him at 3AM this morning?
[7:16] Philip Linden: that is what I see.
[7:16] Gene Replacement: yeah that sounds right
[7:16] Gene Replacement: I was messing with the upload fees a few days ago but wanted to try spoofing the payment source/destination today
[7:16] Philip Linden: there is a ‘gift’ transact of value 1L$?
[7:16] Philip Linden: is that correct?
[7:16] Gene Replacement: to Huns?
[7:17] Philip Linden: there is first a payment from huns->gene, and then backwards.
[7:17] Gene Replacement: yes that is correct
[7:17] Philip Linden: OK so what account were you logged in as when you sent the packets?
[7:18] Gene Replacement: Gene Replacement
[7:18] Philip Linden: So basically you were able to get Huns to xfer to you, though you were logged in as you?
[7:18] Gene Replacement: yes
[7:18] Gene Replacement: it’s really simple I could do it to you :p
[7:19] Philip Linden: OK
[7:19] Gene Replacement: you are asking me to debit money from you?
[7:20] Philip Linden: can you do it right now?
[7:20] Gene Replacement: yes
[7:20] Philip Linden: OK let’s do that so we have a good record.
[7:20] Philip Linden: XFER L$1 from me to you.
[7:20] Gene Replacement: ok it will take a few mins
[7:21] Philip Linden: OK
[7:22] Gene Replacement: there we go
[7:22] Philip Linden: Got it.
[7:22] Philip Linden: Let me check the logs.
[7:22] Gene Replacement: no I got it :p
[7:23] Philip Linden: OK I’ve got it confirmed in the logs.
[7:23] Philip Linden: Wow that is a really big problem.
[7:23] Philip Linden: I can’t tell you how much I appreciate the find.
[7:24] Philip Linden: Why we aren’t confirming that event at the server is beyond me,
[7:24] Philip Linden: OK so it looks like we’ve at least got good logs,
[7:24] Philip Linden: which would allow us to look for this happening.
[7:24] Philip Linden: I was still able to see that you were the one who initiated the transfer (from me to you)
[7:25] Philip Linden: so that makes me feel somewhat better in terms of the time it will take to fix.
[7:25] Gene Replacement: this is why an open policy on reverse engineering is a good thing 🙂
[7:25] Philip Linden: Obviously please keep under wraps. We’ll probably fix it today.
[7:25] Gene Replacement: yup, I don’t plan on telling anyone how to do this.
[7:26] Philip Linden: OK thanks.
[7:26] Philip Linden: We will be working on it within couple hours.
[7:26] Philip Linden: I
[7:26] Philip Linden: I’m in the office now.
[7:27] Philip Linden: OK talk to you soon.
[7:27] Gene Replacement: ok bye
The chatlog is from August 1st, 2006, about a month and a half before my Gene Replacement account was banned from Second Life. It had been an exciting few months, with some game-changing exploits like megaprims.