Duping flaw in Second Life causing chaos among SL businesses

[ForumBot 0.8 beta]

Duping flaw in Second Life causing chaos among SL businesses

Hundreds of stores in Second Life have been closing shop because of a "CopyBot" tool that allows for the duplication of supposedly "copy protected" items in game. The duplication is possible because the Second Life network protocol is not secure by design and allows non-game clients that understand the protocol to read and write packets from and to the game servers. A group of developers have been working on the reverse engineering of the Second Life network protocol, with the blessing of Second Life creators Linden Lab, and have released their tools called libsecondlife which includes CopyBot (or did until they pulled it from their source code control system) as open source software.

The official response from Linden Lab is that using CopyBot and similar tools is a violation of the Terms of Service but they are claiming that there is no way for them to prevent this sort of copying from occurring and that filing ToS abuse charges and DMCA claims is the only recourse item creators have against those who make unauthorized copies of their items.

Note that the current functionality of CopyBot does not allow for the copying of any scripts that may be attached to an item so more sophisticated items have some protection from being fully duped (they can be physically duped but they won't operate properly). I don't know enough about the protocol to know if script duping is theoretically possible and the libsecondlife guys just haven't gotten around to it yet or if those are somehow better protected from unauthorized duplication.

Detailed coverage of the events can be found at The Second Life Herald.

[schild]

This is what happens when you let IBM engineers play a game hookers can figure out.

/green?

[Sky]

When did dupe get another p?

OMG F13 DUPPERS MAKING P!

[Trippy]

When did dupe get another p?

OMG F13 DUPPERS MAKING P!

That's a good question. I've seen it both ways.

Alright I just read something about consonant doubling which made my head hurt but barring the hundreds upon hundreds of exceptions to the rule I got it wrong.

[stray]

Even though duping isn't a real word, it should have one P, just like Duplicating. It should have a long U, like in "Musing" or "Fuming". Two P's would make it sound like "Fussing" and "Cussing", with a short U.

[tazelbain]

Woot *dances a jig*

[Sky]

Duping is a real word, to deceive or trick. This is a newish slang meaning for the word, of course.

[sinij]

Can someone explain 'item creation' in SL and what is the big deal?

[Soln]

some people use the scripting and IDE in SL to import textures, make new models etc.  They in turn sell those for in-game currency. Those created assets are now under threat of being duplicated.

[Yoru]

Can someone explain 'item creation' in SL and what is the big deal?

It is pretty close to what it sounds like - actual creation of items, which can be most anything.

In SL, you can create and save 'designs' for your own items, which can be basically anything. You make the visual appearance either out of geometric primitives using the in-game editor or by uploading an export from a real 3D modeling program, and texturing it (again, either with in-game tools or uploaded content). Then you can give it some behaviors using a scripting language and their built-in eventing system.

Then you can take your 18" furry cock design, make copies of it, and sell those copies to other people in SL for in-game currency.

Edit: Soln got all Quickdraw McGraw on my ass.

[HaemishM]

My wife, who plays SL and makes and sells stuff on SL (not furry cocks, but things like buildings, eyes, etc.) was laughing about this. Mostly about the whiners complaining about how their intellectual property was getting stolen. This was from people who stream radio stations in SL, people who do so without paying royalty fees on the music they are streaming.

OH, MY VAGINA HURTS.

The program is bad for SL business, though, because the buying and selling of user-created goods stimulates the Linden economy, and Linden Labs is the one selling Linden (the SL currency). So if people stop buying other people's furry cocks, no one needs to buy Linden anymore and the whole thing is up shit creek.

[Krakrok]

I agree. What a bunch of whiny fucks. Guess they have never created web sites where all the graphics are freely downloadable and dupable and where the entire HTML/Javascript code of the webpage is downloadable and dupable. And the server side code is not.

Welcome to the fucking internet. We have the RIAA, the MPAA, and now the WFBISL (whiny fucking bitchs in second life).

I don't know enough about the protocol to know if script duping is theoretically possible and the libsecondlife guys just haven't gotten around to it yet or if those are somehow better protected from unauthorized duplication.

The scripts run server side. I'm going to make a guess here and say it isn't theoretically possible.

[Trippy]

I don't know enough about the protocol to know if script duping is theoretically possible and the libsecondlife guys just haven't gotten around to it yet or if those are somehow better protected from unauthorized duplication.

The scripts run server side. I'm going to make a guess here and say it isn't theoretically possible.

Yes but the actual text of the script has to be entered on the client side, no? So there should be some way to pass script information from the client to the server. So the question is is there someway to force to server to send back down to the client the script information which would then should allow duping of that as well.

[Evangolis]

If you haven't seen it, I'd recommend Raph's comments on this, which are a bit more articulate than most have been, but seem to me to mirror what most folks are saying.

Linden seems disinclined to apply technical fixes to this, perhaps out of a philosophical pose, or perhaps because they think it would be technically impossible in the long run.

While I don't agree with taking the IP and running, I think anyone who wants to sell their ideas in any form needs to be ready to accept that they need to either provide something ongoing with the idea, like some form of service or support, or accept that other people will make free use of the idea without compensation.  You can't just have an idea and sit back watching the money come in, you'll need to do something more.

[Soln]

Linden seems disinclined to apply technical fixes to this, perhaps out of a philosophical pose, or perhaps because they think it would be technically impossible in the long run.

that to me is the real story.  That they encouraged the open source project with a crappy protocol that created this otherwise avoidable situation.  It's pretty much and SWG-NGE controversy for SLers.

[Sky]

Hey, you got your capitalist greed in my socialist utopia!

[Quinton]

Linden seems disinclined to apply technical fixes to this, perhaps out of a philosophical pose, or perhaps because they think it would be technically impossible in the long run.

that to me is the real story.  That they encouraged the open source project with a crappy protocol that created this otherwise avoidable situation.  It's pretty much and SWG-NGE controversy for SLers.

Well, technical fixes are *hard* for this.  The client has to be provided with the meshes and textures for objects in order to render them.  A closed client and encrypted protocol stream would not actually change that -- just make it a little more difficult to extract the data, but if somebody wanted to they could.  You can enter an arms race with pirates but it does just delay the inevitable. 

So, what are some solutions that don't involve closing the client (which doesn't *really* solve the problem and doesn't work with the idea of supporting open access, which seems to be something LL wants).

Could you watermark the mesh and texture data?  Maybe compute a hash of the dataset and maintain a registry of the creator?  The watermark/hash model would have to be flexible enough to avoid bypassing it by just making trivial (non human observable) changes to the dataset.

If transfer of ownership / copies of objects happens entirely serverside and permissions are already enforced there (presumably yes, otherwise you wouldn't need a special client to duplicate things), all you need to do is compute a signature when a "new" object is uploaded and refuse to accept it if the signature is already known and the uploader is not the registered creator.

This doesn't solve the problem of someone stealing this information from SL clients/protocol streams and using it in another application, but that is also an existing problem and one that does not have as significant of an economic impact on the content creators (since they're creating content for SL and selling it within SL).

This does depend on being able to effectively create a signature or fingerprint of the objects in question inexpensively enough that you can verify them not being bootlegs when they're created.  So it's not a completely solved problem, but it's a potential *technical* solution that avoids having to lock down the client and protocol.

-Q

[Murgos]

Flatten the mesh to a 2-d image and use any one of a million recognition algorithms to check for similarity.  0_o

My consultation fee is 10,000 USD, sorry we do not accept Linden.  Please pay at the window.