WHAT LINDENLABS ARE NOT DOING - Solutions to the copybot problem.

Ok, I thought about this for about, ooh, ten minutes last night, having read lindenlabs say "It's totally impossible to stop copybot, so we arent trying"

I came up with several short term ways to stop copybot, which leave time for a longer term solution.

1) Challenge/response login - I dont know if anyone from lindenlabs actually had the sense to download and look at copybot, but It runs from a command line interface. Thats an MS-Dos box for anyone still confused. No graphics. To see what its doing, you need to run a second avatar alongside to act as your eyes, while copybot acts as your thieving b**tard little hands..
So how does that help us? Simple - you know websites where you have to enter a little code, that is a graphic that bots cant read? you know, maybe type "donkey" having read it in a reallly strange font... ? Solution number one: Authentication code on the login screen. now that its html based, wouldnt take very long at all to implement. Personally, I say pull the grid and implement it with now major apologies for downtime.



2) Challenge response from LindenBot - Like I said, its a command line interface. Have something that IM's users as they login, with a computer created texture, of numbers, that has to be replied to in IM, typed back, to avoid a kick within 30 seconds. I think it'd increase the server load, and be a bit hassle to set up, I dont care. I'd take a short term knock in SL's performance to have no more copybot, I think any content creator would, setting aside tree hugging hippies.

3) PACKET LOSS - Remember how i said that you needed to run 2 clients to use copybot? Otherwise you cant see what the heck you're doing.. Well, running 2 clients creates packet loss, and it should, I reckon, not be too hard a thing to have a simulator coded to realise, "hey, these two avatars have exacccctly the same packet loss, at exaccctly the same time..." and then boot them subject to investigation. If packet loss isnt sufficient, then go into SL and hit CtrlShift3 - look at the massive array of stats, which would likely correspond across both avies. I know this would lead to occasional logging off of genuine accounts, but again, I'd be happy to be logged off because I'd know, at least stuff is being taken care of.

4) Disable multiple logins from the same IP. So stupidly simple, I dont even need to explain it but I will - one internet connection, one IP, one account online at all times.


Now, LISTEN - i'm not saying these are AMAZING HOLY GRAIL fixes to copybot. There are ways that copybot could be changed to get around them, but what it does do is stop the current version of copybot from access, and give time for a longer term solution. I would hope that from what LibSL have said, they would decide not to pursue creating a version of copybot that does circumvent them, leaving it down to other coders to try, and there arent many, if any, that would have the ability to code a new copybot to do it.

What really ticks me off is that like I said, I thought of these in about 10 minutes, and I am not the sharpest tool in the box. Actually I'm the tool that fell out, got left in the rain, rusted, and was found by a 10 year old kid who now uses it to scratch his name into trees (he hates hippies too) Sure other people have better ideas, or ways to change my ideas to make them better so go nuts. Bust out your own mental "copybot" on my ideas. But plainly, obviously, Lindenlabs took one look at the nuclear bombshell that copybot is and thought "whoaaaa.. look at all the legal stuff, whoaaa thats gonna be hard to stop... whoa... we're not touching that, let them sort it out.... screw it."

NOR AM I SAYING that these should replace the solutions offered by Lindenlabs. Personally I think that considering how we all feel about this, (unbathed hippies aside) saying "oh yeah, well, ok.. how would you feel about some floating text?" - doesnt cut the mustard. Thats the kind of response that is either going to win a comedy award or just have people leaving in disgust. Which they have been. Is your favourite store closed today..? Anyway, yeah, Do ALL those things you're talking about lindenlabs, and do MORE. Floating text with the creators name? To heck with that, I want a giant, flashing red prim that ISNT phantom attaching to every copied item with rotating text on it that says "I AM A DIRTY THIEF, HATE ME FOR THE DISGUSTING SCUM I AM!". Or at least something along those lines..

That, would be a serious discouragement ;p




Ok I'm done, hippies, you may commence stoning me to death with bits of organically farmed tree stump and happy, loved, rocks.



Apollo.

With all due respect, you're feeding the techies who are saying that we are all overreacting.

One other thing - they can't do your idea of limiting one login per IP. There are many RL couples, flat mates, colleges, businesses, and so forth who would be completely screwed by that.

Yep, I know about the multiple user / single IP login problems..

It'd suck, but sorry. I'd still do it. At least until a better permanent solution is found.


*edited: to fix typo'.

Good ideas. There are a lot of possible solutions. Two other ideas:
1.) send prim data to the clients in a way that doesn't allow re-upload. An invisible permission file in each prim's inventory for example, that is checked upon rez but isn't needed to display the prim.
2.) Have the asset server apply a digital watermark to every uploaded texture. If this watermark is found, the texture can't be re-uploaded.

It's a constant struggle since someone will possibly find a way around that too. But until then, the SL world is a little safer. Microsoft doesn't stop fixing security holes too, and doesn't just say "our OS won't ever be secure, the hackers are too ingenious".

I have discovered the perfect solution to copybot.

Accept it.

Linden Labs remove the no copy option in SL and problem solved.

not there was a problem to begin with.

Rememebr all the protestors here what 200 people max ?

Thats over 1 million people NOT protesting.

so please hush now and go spend 4 weeks making yet another flexi exclusive clothing line.

Yay, I've found another slapworthy idiot!

No, seriously, Im assuming thats just a "stir the pot" wind up post, so I'm not going to let this serious thread become a flame war.

Nice try tho

Oh yeah, interesting to note no actual Linden comments on their lack of action.

The problem is that's very, very difficult to do. As I understand it the way CopyBot recreates things is by "fooling" Second Life into thinking that the CopyBot avatar just clicked on "build" and then typed in all the correct numbers for each prim in the object at superhuman speed. If that doesn't result in the "permission file" being created, then how would it be created?

One way I can think of would be for SL to send the 3D mesh of each item, rather than the prim settings, because that way in order to re-upload them the prims would have to be recalculated from the mesh which would be a very difficult process. But unfortunately, 3D meshes are too large to send - that's why we have prims in the first place..



CopyBot doesn't re-upload textures, it re-instantiates them. In other words, it finds out the key of the texture, and then tells SL to put that keyed texture onto the prim.

Question:

If I have a roomate on another PC that is linked through my mega-fat pipe DSL to SL from her PC and then I login from my PC which goes through a NAT router - we'll now have TWO legitimate, premium paying, soon to be land owning avatars that under your proposal will be instantly villified. How do you propose that multiple, premium paying and legit avatars login from a single IP? IP banning - doesn't work. ;>

Fixing this problem will require a significant rearchitecting of the SL protocol - and regardless of what fiddly things you do with prim permissions checking, it's easy enough to fake those validations by modifying the outgoing packets of information on their way back to the server. So long as the SL client uses Internet protocols to talk to the servers, there's no way to prevent that from happening.

On the positive side of things, CopyBot has been removed from SLExchange, and the source has been removed from the repository in response to the public outcry. CopyBot encounters are going to be exceedingly rare from this point forward.

<== Is a tree-hugging hippie. You've got issues, Apollo. You really need to talk them through with someone. A good counsellor, perhaps? As for your suggestions, the challenge/response thingy would certainly block automated logins. The block on multiple logins from a single IP address would mess up people who share a single internet connection. For instance I share my connection with my next-door neighbours. So at any time there can be anything up to 4 different people (verified & premium) all logged into SL over the one connection. So I doubt that idea would fly at all.

The challange/response's are about the most viable, though it will probably possible to allow the Bot to stop at the user screen to allow a Human user to log the bot in.

I don't know, I've not mucked about with CopyBot.

Actually it would be interresting to find out whether it is possible to integrate the copybot functionality into the framework provided by SLProxy. Intercepting an action based on packet-type and working directly with the logged in account would be much more userfriendly anyway.

The IM/Texture verify would likely backfire as users wait for the texture they recieve to actually load up, not to mention the load on the asset server.

As for libSL bots being given a captcha, nothing would stop them from popping up a dialog box with the image and a text field to type it in.

Good ideas

I didn't know that much about copybot, and I haven't had time to read the thousands of posts/complaints about it either.

How about this:
Every computer has it's own ID number. Each SIM could have a simple program that could scan for multiple ID numbers at the same time. If found, boot.

SL already tracks an hardware ID number for each computer.

And copybot already sends a fake one.

I went to one, she told me to try and get in touch with nature, so I threw her potted plants at her. It did actually make me feel better.

Now,

I know folks, maybe banning multiple accounts using the same IP is harsh.. perhaps its not the way forward. But I'm talking about using it as a stopgap measure... I know it'd peev people off, and its not fair, but sorry the existing situation isnt fair either, and I'd still if given the choice myself, block multiple connections and issue serious personal apologies and some sort of refund on tier fees.

Another good idea.

Drat.

Many people do have more than one PC.

There are a few ways to get a unique number from a computer, although they also have drawbacks.

* Use the network card's physical address (NOT IP) - Unlikely to have duplicates, although if you're using a router at the house, SL will see 2 clents with one - the one from the router.
* Calculate it from hardware info - Sounds good. Bots can just make up what they want though, and get by. Perhaps if the key encodes some system info the bot will be delayed until what it encodes is discovered.

I'll tell you what WILL somewhat reliably find a libSL bot. The current version of libSL doesn't allow for movement, so if a client doesn't move in the first 5 minutes at all (ignoring teleports or bumps) it just might be a bot. Expect this to change at any time though.

it would be nice if LibSL could make clear, what their intentions are now. Do they regret releasing the bot onto the market? Do they state catagorically that they will not be updating the bot to keep it working because it was just an experiment/project that got leaked, or are they saying this is something they've made and are proud of and want to keep going?

If they're saying they wont improve the current 1.0 release, perhaps some of these measures, or better, a good combination of them, would be enough.

The worms are out of the can, as well as all of the pieces to make more worms.

lets go fishing.

Seriously tho, where are lindenlabs on this? We have solutions, stopgap as they may be, lets use them..

moved message

Have a look at this thread i started and follow the links and do have a good read and draw your own conclusions, but i dont think libSL are in this just for the pats on the head from LL

/327/96/149169/1.html