Welcome to the Second Life Forums Archive


Land Auction Abuse

Kazanture Aleixandre
Here I am.
Join date: 5 Oct 2005
Posts: 524
05-02-2006 01:06
From: Shaun Altman
Then how did anyone win?

They did not.
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
05-02-2006 01:16
From: Shaun Altman
Then how did anyone win?


They snuck in the back door and started the auctions by using a hack to bid on them before they were actually set for auction, they were just in the database. As a result, the auction timer started and ended normally, but never showed up on the main auction page. It was only noticed by people looking through the completed auction listings.
_____________________


New products, updates, rants, randomness.
Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
PetGirl Bergman
Fellow Creature:-)
Join date: 16 Feb 2005
Posts: 2,414
05-02-2006 01:19
..and what do the LL say in this matter - OFFICIALLY???

Any Linden that will write at this place (forum) about it - what will they do..

A hack can't be OK or legal.


/Tina - EXAKT as always.
_____________________
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
05-02-2006 01:22
From: PetGirl Bergman
..and what do the LL say in this matter - OFFICIALLY???

Any Linden that will write at this place (forum) about it - what will they do..

A hack can't be OK or legal.


/Tina - EXAKT as always.


Deletion of the offending accounts isn't an official enough response for you?

The Lindens also acknowledged there was a problem with the auctions and that it was being fixed.
_____________________


New products, updates, rants, randomness.
Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
Shaun Altman
Fund Manager
Join date: 11 Dec 2004
Posts: 1,011
05-02-2006 01:24
From: Karsten Rutledge
They snuck in the back door and started the auctions by using a hack to bid on them before they were actually set for auction, they were just in the database. As a result, the auction timer started and ended normally, but never showed up on the main auction page. It was only noticed by people looking through the completed auction listings.


But WAIT! If I had gone to that page, I could have also bid! A valid auction was in fact running, from what I can gather. You just had to do a little bit of research to find it, because it wasn't plastered all over the auctions home page like the others. Good deals are often hidden in this way, you must work to find them.

Apparently it was just a matter of looking at the auction ID on the actual parcel of land and entering it into the auction web page, right? And when you did this, the auction came up and was progressing normally? It just wasn't indexed correctly on the auction listing? It will be interesting to see how hard the auction winners press this issue.

If it were me who won, I'd want the sims. That said, I didn't bid on any of these $1.00 sims.
_____________________
Regards,
Shaun Altman
Fund Manager
Metaverse Investment Fund
PetGirl Bergman
Fellow Creature:-)
Join date: 16 Feb 2005
Posts: 2,414
05-02-2006 01:24
From: Karsten Rutledge
Deletion of the offending accounts isn't an official enough response for you?

The Lindens also acknowledged there was a problem with the auctions and that it was being fixed.


Sorry I haven't seen any thread about that.. sorry sorry - didn't know about that..

Sorry - so why writing meters of text when it's over?

/Tina
_____________________
Shaun Altman
Fund Manager
Join date: 11 Dec 2004
Posts: 1,011
05-02-2006 01:27
From: Karsten Rutledge
Deletion of the offending accounts isn't an official enough response for you?

The Lindens also acknowledged there was a problem with the auctions and that it was being fixed.


The deletion is ridiculous. It's a good way to shut people up, though. Whatever you do, don't bid on any more auctions! If LL changes their mind about the price they've entered into their auction database, they may delete your account in order to rectify their error so they can sell the land to someone else for a different price! :)

This doesn't really inspire a whole lot of confidence in me. Like I said before though, there is plenty of blame to go around. I don't think it all falls on LL's shoulders.
_____________________
Regards,
Shaun Altman
Fund Manager
Metaverse Investment Fund
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
05-02-2006 01:39
From: Shaun Altman
The deletion is ridiculous. It's a good way to shut people up, though. Whatever you do, don't bid on any more auctions! If LL changes their mind about the price they've entered into their auction database, they may delete your account in order to rectify their error so they can sell the land to someone else for a different price! :)

This doesn't really inspire a whole lot of confidence in me. Like I said before though, there is plenty of blame to go around. I don't think it all falls on LL's shoulders.


From what I gathered, it wasn't quite that simple. I don't know, however, because I didn't actually talk to him. Perhaps nimrod or someone else can explain it in detail now that it's been fixed, but from the little poking around I did it looks like you would've had to alter hidden form fields in the code. Just going to the auction by punching in the auction ID yields a page that shows the parcel information and NO BIDDING OPTION. To get around this, you can go to a live auction, alter the hidden form fields containing the auction ID of the parcel being bid on and it processes the bid like the auction you entered was open, even though it's not, because you're not supposed to be able to get to that bidding form if the auction is not open.

There's no way you can spin that as being an accident or an intended feature, sorry.

Edit: Altering hidden form fields is trivial at best, but it's most certainly not an intended feature, and very deliberate. There's no two ways about it.
_____________________


New products, updates, rants, randomness.
Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
05-02-2006 01:45
From: PetGirl Bergman
Sorry I haven't seen any thread about that.. sorry sorry - didn't know about that..

Sorry - so why writing meters of text when it's over?

/Tina


You haven't seen any threads about it? You mean like, um, this one? That you posted to? Curious.
_____________________


New products, updates, rants, randomness.
Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
PetGirl Bergman
Fellow Creature:-)
Join date: 16 Feb 2005
Posts: 2,414
05-02-2006 01:51
I haven't seen any from a Linden about this.... sorry.. maybe you can send a link if so.. please..


/Tina
_____________________
Karsten Rutledge
Linux User
Join date: 8 Feb 2005
Posts: 841
05-02-2006 01:56
From: PetGirl Bergman
I haven't seen any from a Linden about this.... sorry.. maybe you can send a link if so.. please..


/Tina


This thread in General Topics: /108/0b/103510/1.html

Spawned this thread in Second Life Answers: /139/be/103999/1.html

Which spawned THIS thread in SLLM and Land and Economy with the offender using someone else's account to whine about his account being deleted.
_____________________


New products, updates, rants, randomness.
Addictive high-quality games for sale: Greedy Greedy, On-A-Roll, Mancala and the newly released Khet laser strategy game.
PetGirl Bergman
Fellow Creature:-)
Join date: 16 Feb 2005
Posts: 2,414
05-02-2006 01:58
Tks... /Tina
_____________________
Sara Gould
Registered User
Join date: 22 Oct 2005
Posts: 8
05-02-2006 02:01
here are the facts the land was purple when thunder went there and he was having trouble finding the auction page he then asked live help with no answer ...go figure!
so he went to adam linden and asked about it before he ever bid on it .
adam said i can see it hmm thunder then found it on the web page and said to adam linden do you know if these regions sell cheap this might be bad for the economy
he said yes i could be.
then told Thunder good luck in the auctions!

now this is all fact LL can look it up! but do they no!
it will make them look bad
as when a player tells them about something and they did nothing, but now want to say it was a glitch and they didn't know!
let's blame the little guy
now you ask how do i know all this I AM THUNDER this is my wife's account i have no alts
and when this is all done there will be several people here that can apologize.

so i say LL go back and read the logs of the night i bid on the first piece of land you will see the truth in what i am saying
Blakar Ogre
Registered User
Join date: 18 Mar 2006
Posts: 209
05-02-2006 02:02
From: Shaun Altman
But WAIT! If I had gone to that page, I could have also bid! A valid auction was in fact running, from what I can gather. You just had to do a little bit of research to find it, because it wasn't plastered all over the auctions home page like the others. Good deals are often hidden in this way, you must work to find them.


Shaun, you can't go to the page without explicit exploits. From reading the thread I'm pretty sure I know what happened and it includes altering the URL. See for a running bid the URL will be like:
http://secondlife.com/auctions/detail.php?id=0026198347

The URL will turn into that when you click on an auction in the listing. AFAIK there's no way to enter arbitrary ID's on the SL auction site in a form. You'll never try to alter the id in the URL yourself unless you suspect bugs in the auctioning system will allow you to get an unfair advantage. As they had found a way to know the id for an auction in advance they used it to alter the URL. Now contrary to their claims this can not be considered legal use of the website, it's hacking.

It was LL's mistake that the auctions accepted bidding even when they were not really running but you can't break into someone's house just because he did not lock the door. Note that you can easily define the concept "running auction": it must be on the list. As these auctions were not on the list during this bidding they could not be considered "running".

In the end everyone knows that buying a sim for 1US$ is a bug and hence the only thing one should do when he finds a way to do so is to notify LL.
Sara Gould
Registered User
Join date: 22 Oct 2005
Posts: 8
05-02-2006 02:04
and if you read my post i did let adam linden know
kerunix Flan
Registered User
Join date: 3 Sep 2005
Posts: 393
05-02-2006 02:06
I'm afraid i can't agree with the original post...
You can say (exactly) the same thing when you use a security hole to hack a computer over internet :

- the computer was publicly available, running a website, on internet.
- the database was open to internet without any password
- so i ordered something on this web-shop adding an ordering entry to the "publicly available" database instead of using the web interface.
- what's wrong with that? the sysadmin made a mistake not protecting his database... don't blame me !!
- no, i didn't know it was wrong to do that
Blakar Ogre
Registered User
Join date: 18 Mar 2006
Posts: 209
05-02-2006 02:09
From: Karsten Rutledge
Just going to the auction by punching in the auction ID yields a page that shows the parcel information and NO BIDDING OPTION. To get around this, you can go to a live auction, alter the hidden form fields containing the auction ID of the parcel being bid on and it processes the bid like the auction you entered was open, even though it's not, because you're not supposed to be able to get to that bidding form if the auction is not open.

There's no way you can spin that as being an accident or an intended feature, sorry.

Edit: Altering hidden form fields is trivial at best, but it's most certainly not an intended feature, and very deliberate. There's no two ways about it.


I think they just altered the URL but as it is fixed it's unlikely you can test it. While altering form fields is another possibility I don't think they are smart enough for that (judging on their posts in this thread).
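The flaw described in the posts above by Karsten Rutledge and Blakar Ogre, as an added example that is not part of any post and is not Linden Lab's code: a bid handler that trusts the client-supplied auction ID (whether it arrives in the URL or a hidden form field) next to one that re-checks auction state on the server and logs the rejected attempt. The `Auction` model, function names and sample IDs are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


class BidRejected(Exception):
    """Raised when the server refuses a bid."""


@dataclass
class Auction:
    auction_id: str
    opens_at: Optional[datetime]   # None: row exists but auction not scheduled
    closes_at: Optional[datetime]
    high_bid: int = 0
    bids: list = field(default_factory=list)


def sample_db(now):
    """Constructed sample data: one live auction, one row not yet opened."""
    live = Auction("LIVE-1", now - timedelta(hours=1), now + timedelta(hours=1), 1000)
    pending = Auction("PENDING-1", None, None)
    return {a.auction_id: a for a in (live, pending)}


def place_bid_unchecked(db, auction_id, bidder, amount):
    """Flawed pattern: the only gate was that the page hid the bid form.
    Any id that exists in the database is accepted, wherever it came from."""
    auction = db[auction_id]
    auction.bids.append((bidder, amount))
    auction.high_bid = max(auction.high_bid, amount)
    return auction.high_bid


def place_bid(db, auction_id, bidder, amount, now, audit):
    """Hardened handler: the id is untrusted input, so auction state is
    re-checked on the server at the moment the bid is processed."""
    auction = db.get(auction_id)
    if auction is None:
        raise BidRejected("unknown auction")
    is_open = (auction.opens_at is not None and auction.closes_at is not None
               and auction.opens_at <= now < auction.closes_at)
    if not is_open:
        # The normal UI never offers a bid form here, so log it for review.
        audit.append((now.isoformat(), bidder, auction_id, "bid on closed auction"))
        raise BidRejected("auction is not open")
    if amount <= auction.high_bid:
        raise BidRejected("bid must exceed current high bid")
    auction.bids.append((bidder, amount))
    auction.high_bid = amount
    return auction.high_bid


def demo():
    now = datetime(2006, 5, 2, 12, 0, tzinfo=timezone.utc)
    db, audit = sample_db(now), []
    results = {"unchecked_pending": place_bid_unchecked(db, "PENDING-1", "resident_a", 1)}
    db = sample_db(now)  # fresh state for the hardened run
    try:
        place_bid(db, "PENDING-1", "resident_a", 1, now, audit)
    except BidRejected as exc:
        results["checked_pending"] = str(exc)
    results["checked_live"] = place_bid(db, "LIVE-1", "resident_b", 1500, now, audit)
    results["audit_entries"] = len(audit)
    return results


if __name__ == "__main__":
    print(demo())
```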
Willow Zander
Having Blahgasms
Join date: 22 May 2004
Posts: 9,935
05-02-2006 02:09
Sometimes I severely dislike choosing this name :mad: :mad: :p
_____________________
*I'm not ready for the world outside...I keep pretending, but I just can't hide...*




<3 Giddeon's <3
Shaun Altman
Fund Manager
Join date: 11 Dec 2004
Posts: 1,011
05-02-2006 02:10
From: Karsten Rutledge
From what I gathered, it wasn't quite that simple. I don't know, however, because I didn't actually talk to him. Perhaps nimrod or someone else can explain it in detail now that it's been fixed, but from the little poking around I did it looks like you would've had to alter hidden form fields in the code. Just going to the auction by punching in the auction ID yields a page that shows the parcel information and NO BIDDING OPTION. To get around this, you can go to a live auction, alter the hidden form fields containing the auction ID of the parcel being bid on and it processes the bid like the auction you entered was open, even though it's not, because you're not supposed to be able to get to that bidding form if the auction is not open.

There's no way you can spin that as being an accident or an intended feature, sorry.

Edit: Altering hidden form fields is trivial at best, but it's most certainly not an intended feature, and very deliberate. There's no two ways about it.


But you've qualified all of this by saying essentially that it's just your opinion, and that you have no clue if what you're saying has any connection to reality whatsoever. You don't know, and you didn't even talk to whomever you indicate MAY know. In spite of this, you're willing to post a derogatory comment indicating that I'M trying to put some kind of spin on the facts? That's some nerve! :)

All I'm doing here is asking questions, and trying to figure out what the facts are. I'd just like to hear from someone who can share some facts regarding this matter, so that I can better understand what's occurred and avoid rendering too many useless opinions. :) I still think that I'd want the sims if it were me who won though. LL would have probably needed to delete my account to shut me up too. :)
_____________________
Regards,
Shaun Altman
Fund Manager
Metaverse Investment Fund
Blakar Ogre
Registered User
Join date: 18 Mar 2006
Posts: 209
05-02-2006 02:15
From: Sara Gould
and if you read my post i did let adam linden know


Do you honestly believe telling a Linden you were doing this makes it legal? LL is not a tiny company, for all we know Adam has no clue at all on how the auctioning is supposed to work. When you noticed he did not understand the full extent of the exploit you were using you should've explained it more clearly. Any smart person knows in advance that buying land in this way will only result in trouble.
Shaun Altman
Fund Manager
Join date: 11 Dec 2004
Posts: 1,011
05-02-2006 02:22
From: Blakar Ogre
Shaun, you can't go to the page without explicit exploits. From reading the thread I'm pretty sure I know what happened and it includes altering the URL. See for a running bid the URL will be like:
http://secondlife.com/auctions/detail.php?id=0026198347

The URL will turn into that when you click on an auction in the listing. AFAIK there's no way to enter arbitrary ID's on the SL auction site in a form. You'll never try to alter the id in the URL yourself unless you suspect bugs in the auctioning system will allow you to get an unfair advantage. As they had found a way to know the id for an auction in advance they used it to alter the URL. Now contrary to their claims this can not be considered legal use of the website, it's hacking.

It was LL's mistake that the auctions accepted bidding even when they were not really running but you can't break into someone's house just because he did not lock the door. Note that you can easily define the concept "running auction": it must be on the list. As these auctions were not on the list during this bidding they could not be considered "running".

In the end everyone knows that buying a sim for 1US$ is a bug and hence the only thing one should do when he finds a way to do so is to notify LL.


From what I can gather, they went to the parcel and looked at the auction id. It is clearly displayed. Just look at about land in any auction parcel to see it. The place where the auction id is supplied to the web app is right in the URL. It's not even a hidden form post. It's right there as part of the web application, where you can specify any auction id for any parcel you're interested in.

This entry method, combined with the fact that LL publishes the auction id that you need to enter on each parcel, indicates to me that this meets the criteria of a running auction. It may not be indexed on the page, but it's still accessible and running. It's not uncommon to have to do a little bit of digging or know someone on the inside at the lab in order to get a good deal that the general public doesn't have access to.

Let me give you an example of this. You probably know of the land buyback LL did in recent virtual history. After introducing p2p, they offered to buy back SOME (now worthless) ex telehub land parcels. However, MOST residents had to meet some specific criteria in order to sell their now worthless ex telehub land back to the lab. It had to be within so many meters of a telehub, and it had to have been purchased within a specific time frame that went back a month or two.

However, these rules didn't apply to one resident. In fact, one resident was permitted to sell back now worthless ex telehub land to the lab, which this resident had purchased BEFORE I EVEN JOINED SL (and I was here over a year at that time). Now, is this an exploit? Or is this simply doing the research/labor/social engineering required to get a better deal from LL than the average joe?

I figure that either this resident used a connection at LL to be able to sell back land that nobody else would have been able to, OR the resident sold the land from one of their groups to another, in order to make the in-world interface APPEAR as if the land had been purchased by the resident at a different time. Some would call this an exploit, others would call it working within the system to achieve a desired outcome.

I will grant that this auction wasn't available to those who didn't do the research/labor/social engineering required to secure a better deal than the average joe. You had to work to find this deal. I still think it probably meets the criteria of a running auction, though.

edit: but I can see LL's side of this also. :)
_____________________
Regards,
Shaun Altman
Fund Manager
Metaverse Investment Fund
Patch Lamington
Blumfield SLuburban
Join date: 2 Nov 2005
Posts: 188
05-02-2006 02:30
From: Shaun Altman
I still think that I'd want the sims if it were me who won though. LL would have probably needed to delete my account to shut me up too. :)


But Shaun, with all you've invested personally in SL (time and business ambitions) would you really have taken the risk in the first place of trying to profit on an exploit and hoping that LL wouldn't get a bit hacked off about it - maybe with a permaban as a result?

If it had been a valid auction that was visible to anyone visiting the auctions page that is one thing - if the only way to see it (even after it had started) required some manual editing of URLs then that is clearly an exploit and not an open and fair auction.

I agree totally with previous statements about doors being left open and breaking and entering. I suspect the law does too - URL exploits are hardly new after all.
_____________________
Blumfield - a regular everyday kind of 'burb in an irregular world.
This notice brought to you by the Blumfield Visitors and Residents Bureau.
Sara Gould
Registered User
Join date: 22 Oct 2005
Posts: 8
05-02-2006 02:32
there were a lot of people bidding on the auctions not just 1 or 2 so yes others could see it
Shaun Altman
Fund Manager
Join date: 11 Dec 2004
Posts: 1,011
05-02-2006 02:44
From: Patch Lamington

But Shaun, with all you've invested personally in SL (time and business ambitions) would you really have taken the risk in the first place of trying to profit on an exploit and hoping that LL wouldn't get a bit hacked off about it - maybe with a permaban as a result?


No, I didn't buy any of these sims. I don't know if I would have if I were in the market, though. Frankly, LL couldn't pay ME to take a mainland sim off of their hands at this particular moment in time. :) I may or may not have bid on these.. it's hard to say without being in the situation.

If I had consulted with a Linden on the price, as the bidder indicates that they had, and after that consultation I TRULY DID BELIEVE that there was an offer on the table, I don't see any clear and compelling reason why I shouldn't take LL up on that offer. Maybe my moral compass would have guided me away from an offer that I knew everyone else didn't have easy access to. Then again, after seeing others get these private sweet deals, maybe not! :) It's so hard to say.

From: Patch Lamington

If it had been a valid auction that was visible to anyone visiting the auctions page that is one thing - if the only way to see it (even after it had started) required some manual editing of URLs then that is clearly an exploit and not an open and fair auction.


The fact that YOU can't easily access a deal from LL does not mean that LL doesn't have a deal ON THE TABLE for others. Please see my recent post in this thread about the telehub buybacks for an example of how someone has, in recent history, received a VERY good deal from LL that the general public had no access to. Personally I'm surprised that LL isn't letting this slide and enjoying the tiering income from these sims.

From: Patch Lamington

I agree totally with previous statements about doors being left open and breaking and entering. I suspect the law does too - URL exploits are hardly new after all.


But this isn't a totally cut and dry exploit. It's labeled that the ID of the parcel you're interested in goes there. On the parcel, the ID is provided. It's not such a leap, in my view, to enter the auction ID from the parcel into the URL where it obviously goes, in order to access the particular auction you're interested in. Honestly, there's so much junk on that auction in recent times that people probably do this as a shortcut so they don't have to page through it all.
_____________________
Regards,
Shaun Altman
Fund Manager
Metaverse Investment Fund
Blakar Ogre
Registered User
Join date: 18 Mar 2006
Posts: 209
05-02-2006 02:46
Shaun,

I'm pretty sure that LL will win this if it goes to court. As I already said defining when you can consider an auction running is clear and easy: It must appear in the list on the auction site. All normal use of the auctioning system implies this rule. They would have issues if the auctioning site had a search facility in which you could type arbitrary ID's.

Explicit altering of URL's to gain an unfair advantage or do damage is hacking and there are many precedents.