WHAT LINDENLABS ARE NOT DOING - Solutions to the copybot problem.
|
Kyrah Abattoir
cruelty delight
Join date: 4 Jun 2004
Posts: 2,786
|
11-15-2006 13:19
Someone said "those that trade liberty for a bit of security deserve none of them"
I am getting sick and tired of hearing people that have no f*cking clue of what is going on yell and propose half-assed solutions. It's because of YOU guys that big companies think they can protect their CDs with rootkits and SecuROM, because you guys want a solution to a problem that cannot be solved technically.
You want your stuff to be shown, right? But on the other side you don't want people to be able to copy it. I understand that, but you can't on one side allow your stuff to be shown and on the other side not allow it. Everything that arrives on the client machine in one way or another is copyable and modifiable; until the day end users aren't allowed to own computers anymore, they WILL be able to alter everything on their machine as they wish.
I am a builder in SL too. This thing can potentially ruin my SL business, but it's a SOCIAL solution that we need, a way to fall sharply on the people that are breaking the ToS by doing this. A technical solution can ALWAYS be bypassed in these cases; on top of that, it slows down development and locks the door for third-party applications.
_____________________
 tired of XStreetSL? try those! apez http://tinyurl.com/yfm9d5b metalife http://tinyurl.com/yzm3yvw metaverse exchange http://tinyurl.com/yzh7j4a slapt http://tinyurl.com/yfqah9u
|
Jopsy Pendragon
Perpetual Outsider
Join date: 15 Jan 2004
Posts: 1,906
|
11-15-2006 13:52
From: Apollo Korvin Ok, I thought about this for about, ooh, ten minutes last night,
And, frankly, it shows.
From: Apollo Korvin 1) Challenge/response login ?
Dump the challenge response image into a file and use another command line tool to pop another window up showing it. Have the bot wait in its window for the owner to type in the mangle-word manually. Bypassed with about as much time as it took you to think of it.
From: Apollo Korvin 2) Challenge response from LindenBot -
rinse and repeat previous trivial bypass
From: Apollo Korvin 3) PACKET LOSS -
a support nightmare if the only cause for packet loss is an upstream router. You think people are waving pitchforks and torches now? Try having this on the main grid for a day.
From: Apollo Korvin 4) Disable multiple logins from the same IP. --
So, one connection per household? What about small companies behind a NAT firewall? Who cares, they're probably all thieves... screw'm.
From: Apollo Korvin Now, LISTEN - I'm not saying these are AMAZING HOLY GRAIL fixes to copybot.
... no kidding.
From: Apollo Korvin Ok I'm done, hippies, you may commence stoning me to death with bits of organically farmed tree stump and happy, loved, rocks. I
If you can't convince people with logic, reason and good ideas... resort to accusatory name calling and belittling. Winning strategy... I'm sure it will help your cause tremendously.
|
Apollo Korvin
Registered User
Join date: 29 Jul 2005
Posts: 55
|
11-15-2006 15:03
So, "If you can't convince people with logic, reason and good ideas... resort to accusatory name calling and belittling. Winning strategy... I'm sure it will help your cause tremendously."
yet the start of your post
" Quote: Originally Posted by Apollo Korvin 'Ok, I thought about this for about, ooh, ten minutes last night,' (you then said--> And, frankly, it shows."
Firstly - of course it f**king does, because I SAID IT you fool. Straight away, you're hypocritical, directly condescending - but ok, different strokes for different hippies, I suppose it's natural for people like you to get pretty pissed off after finally realising that nobody actually does really give a f**k about saving the whales..
" 1) Challenge/response login ? Dump the challenge response image into a file and use another command line tool to pop another window up showing it. Have the bot wait in its window for the owner to type in the mangle-word manually. Bypassed with about as much time as it took you to think of it."
Assuming that someone has the technical knowhow and impetus to do it. So far as I'm aware, LibSL aren't working on Copybot any more, they've said it was never supposed to get out. It is compiled into a single .exe file, which would have to be decompiled before it could be seriously messed with. So actually, it'd be a little bit harder than you're saying. Also, to re-iterate, we need a range of options to stop copybot, this is one of many copybot killers that would be deployed simultaneously.
----
" 4) Disable multiple logins from the same IP. -- So, one connection per household? What about small companies behind a NAT firewall? Who cares, they're probably all thieves... screw'm."
- Yes, unfortunately, they would suffer. Blame LibSL for creating a situation that requires such drastic measures to protect the interests of content creators across SL. Until a more permanent system is developed, they'd be unable to access SL. If it happened to me, I'd be like "man, that sucks big time. I hope they fix it soon". But I'd understand. And I'd be p*ssed at lib-sl for making copybot. Not LLabs for defending their users.
----
" 3) PACKET LOSS - a support nightmare if the only cause for packet loss is an upstream router. You think people are waving pitchforks and torches now? Try having this on the main grid for a day."
Again, like I said originally - there would be some innocent bystanders caught in the crossfire, and like I said these are stopgap fixes, designed to stop this thing while a longer term solution is developed. Those who get disrupted access would indeed require tech support, or be denied access to SL for a time. Sorry but that to me is still better than the alternative of copybot being unstopped. I think I made that clear. Stop smoking so much pot and maybe you'll be able to remember what I've actually said at the start of a thread. Also I said that the packet loss would have to be identical at the same time on 2 different clients, in the same sim at the same time, and also if packet loss isn't enough, there is a sh*t ton of stats available under stats if you hit ctrl shift 3 - 2 machines with identical stats means two accounts logged onto the same computer. Again, not a total copybotkiller, but as part of a gamut of approaches, effective.
----
" 'Now, LISTEN - I'm not saying these are AMAZING HOLY GRAIL fixes to copybot.' ... no kidding."
Yes, I wasn't kidding.. that's why I said it.. I don't get your point here... Did you fall out of your tree and bang your head? Aww.
----
I know my post was fairly anti-hippy, but I did it in a friendly way, as it has been taken by most people. Let's just exchange some ideas. Don't get serious, or start to cry about it, jesus...
|
Jopsy Pendragon
Perpetual Outsider
Join date: 15 Jan 2004
Posts: 1,906
|
11-15-2006 16:16
From: Apollo Korvin Straight away, you're hypocritical, directly condescending - but ok, different strokes for different hippies, I suppose it's natural for people like you to get pretty pissed off after finally realising that nobody actually does really give a f**k about saving the whales..
Oh... Sorry... I was just responding to your exchange of ideas in the tone you seemed to have set for the thread. Sorry, would it have been clearer if I lumped you in with the typical short-sighted suburban SUV driving gas wasting republican ditto heads who don't care about anything except racking up more travel points and as much debt as possible? CopyBot is only the beginning... The fence has been knocked down. Adding more guards to the gate isn't going to protect anything.
|
Apollo Korvin
Registered User
Join date: 29 Jul 2005
Posts: 55
|
11-15-2006 19:30
From: Jopsy Pendragon Oh... Sorry... I was just responding to your exchange of ideas in the tone you seemed to have set for the thread. Sorry, would it have been clearer if I lumped you in with the typical short-sighted suburban SUV driving gas wasting republican ditto heads who don't care about anything except racking up more travel points and as much debt as possible?
No, because I'm from London, UK so neither a republican OR a democrat, and no again because I use public transport or ride a bicycle.
|
Alan Kiesler
Retired Resident
Join date: 29 Jun 2004
Posts: 354
|
11-15-2006 20:26
Hey all,
There's a partial, server-side solution to this. No viewer update required, just a rolling restart:
For *only* the packets that are used for rezzing or editing new objects/prims, texture UUIDs should have the same owner or creator as the prim creator. Otherwise, don't accept the packet.
You'll still have the facility to copy shapes (with work), but perfect copies /w textures will not be easy. And since only specific packets (initially) are affected, sim runtime overhead should be minimal.
And yes, sims are not doing simple checks like this on the backend. They're not checking for malformed packets, and rejecting them. That's the REAL tragedy here.
--Alan
_____________________
Timothy S. Kimball (RL) -- aka 'Alan Kiesler' The Kind Healer -- http://sungak.net
No ending is EVER written; Communities will continue on their own.
|
Jesseaitui Petion
king of polynesia :P
Join date: 2 Jan 2006
Posts: 2,175
|
11-15-2006 20:30
From: CJ Christensen I have discovered the perfect solution to copybot.
Accept it.
Linden Labs remove the no copy option in SL and problem solved.
No, because they get a FULL PERM VERSION, allowing them to not only copy, but also transfer other ppl's work.
|
Ricky Lucero
Registered User
Join date: 25 Jul 2006
Posts: 122
|
11-15-2006 21:29
From: Apollo Korvin 3) PACKET LOSS - Remember how I said that you needed to run 2 clients to use copybot? Otherwise you can't see what the heck you're doing.. Well, running 2 clients creates packet loss, and it should, I reckon, not be too hard a thing to have a simulator coded to realise, "hey, these two avatars have exacccctly the same packet loss, at exaccctly the same time..." and then boot them subject to investigation. If packet loss isn't sufficient, then go into SL and hit CtrlShift3 - look at the massive array of stats, which would likely correspond across both avies. I know this would lead to occasional logging off of genuine accounts, but again, I'd be happy to be logged off because I'd know, at least stuff is being taken care of.
Question: I'd like to know where you get your information that 2 connections on SL "causes" packet loss. Because that's not even the slightest bit true. I don't even know where you can come up with this idea. The TCP/IP protocol does not function in this fashion, and actually is not written to function in this fashion. NOW, on the other hand, if some hardware happens to drop a packet, then there's always the possibility that the other client will also drop a packet. But this is just the behavior of TCP/IP. When it doesn't get a response, it retries. Two computers doing this at the same time doesn't mean that the second client is causing that latency. This would be like saying that if you have two copies of Internet Explorer open, and both navigate to secondlife.com, that the second connection might time out or lose packets because both computers are trying to connect at the same time. That's just not how NAT and TCP/IP work.
|
Apollo Korvin
Registered User
Join date: 29 Jul 2005
Posts: 55
|
11-16-2006 04:38
Assuming you are right & I'm wrong then, perhaps the principle can be applied to something else, some other stat aside from packet loss.. Like I said, it's just an idea. Hit ctrl shift 3, there's a ton of stats there, surely a sim can be programmed to recognise when those stats are corresponding and when it's more than just a fluke occurrence.. When I have run two clients simultaneously, it has caused packet loss, but I take on board what you're saying, that it could just be my machine. Any hippies from MIT wanna shoot me a cray so we can work it out?
|
Apollo Korvin
Registered User
Join date: 29 Jul 2005
Posts: 55
|
11-16-2006 04:42
From: Alan Kiesler Hey all,
There's a partial, server-side solution to this. No viewer update required, just a rolling restart:
For *only* the packets that are used for rezzing or editing new objects/prims, texture UUIDs should have the same owner or creator as the prim creator. Otherwise, don't accept the packet.
You'll still have the facility to copy shapes (with work), but perfect copies /w textures will not be easy. And since only specific packets (initially) are affected, sim runtime overhead should be minimal.
And yes, sims are not doing simple checks like this on the backend. They're not checking for malformed packets, and rejecting them. That's the REAL tragedy here.
--Alan
What about when you have modify rights on someone's stuff and you're working with them on a build, you wouldn't be able to copy their stuff? As a builder of laaarge projects.. I that'd be a problem. However, I'd accept that, as a fix, if it'd work. Maybe Lindenlabs could then offer an account tier for high-level content creators who are named validated trusted etc etc, similar to SLDev. Lindenlabs regularly has face to face meetings with developers of SLdev, they're about as validated as it gets.
|
Jopsy Pendragon
Perpetual Outsider
Join date: 15 Jan 2004
Posts: 1,906
|
11-16-2006 09:21
From: Apollo Korvin No, because I'm from London, UK so neither a republican OR a democrat, and no again because I use public transport or ride a bicycle.
OMG! You're a self-hating hippie?! That explains so much!
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
11-16-2006 10:31
From: Alan Kiesler For *only* the packets that are used for rezzing or editing new objects/prims, texture UUIDs should have the same owner or creator as the prim creator. Otherwise, don't accept the packet.
This would be trivial to work around, by rezzing the prim with the plywood texture and applying the new texture in a separate operation.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
11-16-2006 10:34
From: Ricky Lucero The tcp/ip protocol does not function in this fashion, and actually is not written to function in this fashion.
Minor technical correction: SL doesn't use TCP, it uses UDP for all transactions between the client and the server, with TCP-like packet loss recovery layered on top.
|
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
|
11-16-2006 10:50
From: Gentle Welinder If I have a roommate on another PC that is linked through my mega-fat pipe DSL to SL from her PC and then I login from my PC which goes through a NAT router - we'll now have TWO legitimate, premium paying, soon to be land owning avatars that under your proposal will be instantly vilified. How do you propose that multiple, premium paying and legit avatars login from a single IP? IP banning - doesn't work. ;>
You want to know something? LL will ban by computer ID (they use the MAC address). People have had to buy new network cards because a friend used their computer and did something stupid. This punishes the innocent. LL still does it. LL will ban by IP. This can even more easily punish the innocent.
The next one floored me when I found out, and I hope that I misunderstood the person who told me about it - they had been permabanned because of a chargeback, apparently due to a billing error by LL. Because they have no way of tracking anonymous alts, LL will in some cases sanction accounts that have merely logged in from the same computer ID as a "sufficiently" banned account. It sounded like their friends had to call LL and try and get their accounts reinstated. This is more of a danger than the possibility that someone's stuck a trojan in a hacked version of copybot!
|
Derrick Cannoli
Just Somebody
Join date: 4 Sep 2005
Posts: 81
|
11-16-2006 10:51
From: CJ Christensen I have discovered the perfect solution to copybot.
Accept it.
Linden Labs remove the no copy option in SL and problem solved.
not there was a problem to begin with.
Remember all the protestors here what 200 people max ?
That's over 1 million people NOT protesting.
so please hush now and go spend 4 weeks making yet another flexi exclusive clothing line.
Over 1 million people NOT responding?? LOL are you new here or just slow. There is not 1 Million people playing SL, surely not the 1.4 mil listed on the page as "residents". You can put the number of unique users here at WELL less than half that.
I do agree with adding authentication at login, and it will stop copybot in its current form. Copybot is nothing more than a completely stripped down version of a 3rd party client. Random letters and/or numbers in jpeg or some other format can't be read by the bot. This doesn't do away with the flaws exposed by it, but it does take it out of the hands of the common person who wouldn't know how to develop it into a client with a viewer to see the authentication, and it gives LL time to work on more permanent fixes. It also shows the community that LL is willing to do something about it other than just throw up their arms and cry about all the bad press it's getting.
|
Noam Sprocket
Gritty Kitty
Join date: 25 Jan 2006
Posts: 157
|
11-16-2006 10:58
From: CJ Christensen I have discovered the perfect solution to copybot.
Accept it.
Linden Labs remove the no copy option in SL and problem solved.
not there was a problem to begin with.
Remember all the protestors here what 200 people max ?
That's over 1 million people NOT protesting.
so please hush now and go spend 4 weeks making yet another flexi exclusive clothing line.
If LL put a mandatory poll when you logged in about your views on copybot, there would be more than 200 people unhappy about how they handled it.
|
Kalel Venkman
Citizen
Join date: 10 Mar 2006
Posts: 587
|
11-16-2006 11:11
From: Alan Kiesler Hey all,
There's a partial, server-side solution to this. No viewer update required, just a rolling restart:
For *only* the packets that are used for rezzing or editing new objects/prims, texture UUIDs should have the same owner or creator as the prim creator. Otherwise, don't accept the packet.
You'll still have the facility to copy shapes (with work), but perfect copies /w textures will not be easy. And since only specific packets (initially) are affected, sim runtime overhead should be minimal.
And yes, sims are not doing simple checks like this on the backend. They're not checking for malformed packets, and rejecting them. That's the REAL tragedy here.
--Alan
This would require a complete ground-up rewrite of the client. The UUIDs are required to draw the scene. Simply rendering the scene does not take into account who owns each prim you're looking at - to add this would severely load the client, possibly to the point of making it completely unusable. Further, when you buy a texture and use it on one of your own creations, it still carries the same UUID as when the original texture was created. There is no possible binding between UUID and creator. This would require a complete rewrite of the entire asset system.
|
Seola Sassoon
NCD owner
Join date: 13 Dec 2005
Posts: 1,036
|
11-16-2006 11:32
From: Noam Sprocket If LL put a mandatory poll when you logged in about your views on copybot, there would be more than 200 people unhappy about how they handled it.
Considering there's more than 600 in the stop the copybot group.... I'd say so.. and there's tons more that aren't even in that group.
|
Apollo Korvin
Registered User
Join date: 29 Jul 2005
Posts: 55
|
11-16-2006 18:15
From: Jopsy Pendragon OMG! You're a self-hating hippie?! That explains so much!
It's a constant pain that never ends.
|
Apollo Korvin
Registered User
Join date: 29 Jul 2005
Posts: 55
|
11-16-2006 18:16
From: Kalel Venkman This would require a complete ground-up rewrite of the client.
Fine by me. If they don't fix this, then a competing world will come along with better security within the next few months and poof, no more SL. Competing products/worlds/online environments/metaverse thingis/whatever the hell SL counts as/ ARE in development anyway.
|
Kensuke Leviathan
Wandering fox
Join date: 11 Dec 2002
Posts: 127
|
11-16-2006 21:47
"The world we have made as a result of the level of thinking we have done thus far, creates problems we cannot solve at the same level of thinking at which we created them" -Einstein
Any technical fix for this problem will only lead to more problems. You don't get hackers to fight hackers, you get lawyers and support staff that can actually discern the difference between a new item and a cheap knockoff. Does that mean that they shouldn't patch bugs and attempt to fix issues like this? No, of course not, but they need to still put people behind desks and deal with these complaints like a law office instead of the current method of letting them off without question or investigation.
Edit: Apparently they are attempting this, http://blog.secondlife.com/2006/11/16/copybot-action/ , still this needs to be a constant issue with everything, copybot, GLI, whatever else comes along.
_____________________
_________________
":> wark wark"
|
Apollo Korvin
Registered User
Join date: 29 Jul 2005
Posts: 55
|
11-29-2006 07:40
From: Kensuke Leviathan you don't get hackers to fight hackers
Yes you do, that's why the "Cult of the Dead Cow" (cDc - elite hacking group) is now contracted almost exclusively by the US Department of Defense after about 15 years of being ostensibly 'legal' whilst releasing programs like Back Orifice 2000 for 'legitimate' use....
|
Apollo Korvin
Registered User
Join date: 29 Jul 2005
Posts: 55
|
11-29-2006 07:45
From: Jopsy Pendragon OMG! You're a self-hating hippie?! That explains so much!
No, an undercover hippy assassin. Have you seen Akira? I'm like that, but with pedals.
|
Jopsy Pendragon
Perpetual Outsider
Join date: 15 Jan 2004
Posts: 1,906
|
11-29-2006 09:19
From: Apollo Korvin No, an undercover hippy assassin. Have you seen Akira? I'm like that, but with pedals.
CopyBot = Tetsuo?
|
Lina Pussycat
Texture WizKid
Join date: 19 Jun 2005
Posts: 731
|
11-29-2006 09:50
Apollo, there are other virtual worlds in dev, yeah, but most are junk comparatively to SL. Either they forget the socialistic aspects and just focus on development (which by the way the virtual worlds out there aren't focused on the average end user of the product but rather people that know how to use programs like this) Second Life's aspect on developmental tools and the social aspects keep it at the head even with what is out there developing. Take into account there are about 7 virtual worlds out there in development at the moment and the only one that looks promising in the least is Kaneva and maybe just maybe the Multiverse project (although it takes it much too far) (both these projects can be found and I have a Kaneva profile .... Think Myspace attached to a virtual world and allowing one to make a 3D representation of said Myspace page.....) (Multiverse is a tool in development to build up your own MMOGs)
As far as someone swooping in and crushing SL it is a possibility but they'd need to develop the world taking the same considerations LL has taken towards the end user as far as developmental and socialistic aspects of a virtual world and Improve on them making them easier for the end user and adding more functionality, stability, and security. As far as I've seen (keep in mind I'm a game designer in real life) There is nothing remotely a worry to SL in development at this current date and time. Will something come up in the future? Likely but not for awhile.
|