A default avatar could make you look like a copybotter

If you’re using a default avatar that comes with some versions of OpenSim, your name might wind up on copybotted content without you knowing about it.

That’s just what happened to a user known as “Gemini Fullmoon,” a resident of the Great Canadian Grid. Fullmoon is also the owner of the Full Moon Designs store on the Kitely Market.

Last summer, Fullmoon set up a private mini-grid on a home computer, renamed the default avatar to “Gemini Fullmoon” and then traveled to a couple of other grids to test it out.

“It was pretty kool at the time I have to say,” Fullmoon told Hypergrid Business. “Once I figured out how to do it I quickly lost interest and pretty much stopped playing with Sim-on-a-Stick.”

However, that was enough time for the “Gemini Fullmoon” avatar name to get attached to copybotted inventory items uploaded by totally unrelated people, and, last month, Fullmoon’s name came up in a discussion about illegal content on the OpenSim Virtual community on Google Plus. One of Fullmoon’s alts, “Alex Reese99,” also had the same problem.

Allegedly stolen content discovered on various freebie shops. (Image courtesy Moonrise Azalee.)

“I would just like to warn people not to make the same mistake I did and also to get the word out that I’m not a copybotter,” said Fullmoon.

The problem is that the default avatars that come with the Diva Distro or Sim-on-a-Stick, software people use to create free OpenSim mini-grids on their personal computers, all have the same avatar UUID. That’s like a Social Security number for avatars. So when someone using a default avatar travels to another grid via hypergrid, their new avatar name becomes associated with that UUID in the new grid’s database — even if someone else had that UUID previously.

And the original copybotter avatar with the same UUID doesn’t even have to visit those grids personally — they might have ripped and uploaded the content then shared it with other users, who, unknowingly, took it to other grids.

“It appears if there is an item on a grid with that UUID but that avatar that actually created never landed on the grid it will retain its name until someone actually lands on the grid and then the name may switch out magically to the new person after an unknown amount of time passes,” said Chris Mac, known as Lite House on the Great Canadian Grid, who helped Fullmoon investigate the issue.

That means that the names of innocent users can show up — incorrectly — as owners of other people’s content. That’s a security issue for the other grid, since someone who isn’t the actual owner is now showing as the owner of the content. And if that other content is pirated, that can be a PR nightmare for the innocent user.

How not to share your UUID with a copybotter

It’s easy enough to keep the same thing from happening to you in the first place, just by creating a brand new avatar when you first set up your mini-grid.

“Using any new avatar during the start up on Sim-on-a-Stick would not create this issue since it hashes out a new UUID each time randomly,” Mac told Hypergrid Business.

But once the damage is already done, getting it fixed is extremely difficult, experts say.

Now, not only can your avatar name show up on other, random content, but your own content might wind up coming up as belonging to someone else.

Diva Distro does not have this fault in the default avatar but Sim-on-a-Stick has it by default, because it has a pre-defined database. However, you can keep it from getting worse. If you are using Sim-on-a-Stick, Diva Distro, or any version of OpenSim that uses the mySQL database, you can create a new grid and start over from scratch.

Or you can follow the following steps, as suggested by DreamWorld owner Fred Beckhusen:

  • Save backups of all regions using OAR files
  • Save backups of all inventories using IAR files
  • Delete the contents of the folder mysql\data\opensim\*
  • Delete the mysql\data\* files
  • Leave the folder mysql\data\mysql alone, along with an empty \mysql\data\opensim folder
  • Start Mowes.exe
  • Start Opensim.exe
  • It will rebuilt a blank system with new UUIDs after prompting you for the name of your master avatar

Mini-grid owners can also switch to the DreamWorld version of OpenSim, which is more up-to-date and, more importantly, is currently being supported. The Diva Distro hasn’t been updated since 2015, and Sim-on-a-Stick hasn’t been updated since 2014.

Diva Distro creator and hypergrid investor Crista Lopes did not respond to a request for comment.

DreamWorld, like the Diva Distro and Sim-on-a-Stick, is also a distribution of OpenSim that allows people to easily set up a mini-grid on their home computer. However, DreamWorld creates a brand new avatar, with a random new UUID, when the grid is first set up, Beckhusen told Hypergrid Business. That means that users don’t have the shared UUID problem.

Problem hard to solve for big grid owners

For owners of the big social grids, where random users upload a lot of random content, shared UUIDs are a much thornier issue.

Deleting all content with that UUID, and banning all avatars with that UUID, will hurt a lot of innocent people who use those default avatars by accident. And there is only so much that bans can do, since users may still continue to bring in content labeled with the problematic UUID.

“You can ban an avatar by UUID, but I don’t know of a way to ban an inventory UUID,” said Beckhusen.

And it won’t stop folks who deliberately create duplicate UUIDs for their avatars — or for their content — in order to mess with permissions.

That could create PR problems for social grids, since they could be accused by users of violating their content rights.

OpenSim does allow for avatars and inventory items to improperly share UUIDs, confirmed Metropolis grid manager Lena Vanilli.

But grids aren’t responsible for the problem, she told Hypergrid Business.

“This is not a bug but is related to the standard behavior of a viewer which is optimized for Second Life, with one database, not for OpenSim with many different databases and duplicate UUIDs,” she said.  “We are not responsible for the way Sim-on-a-Stick creates UUIDs.”

In general, no grid — and that also includes closed grids like Second Life and InWorldz — can guarantee perfect security for their content. And most creators understand that they have to prepare themselves for the possibility of theft. After all, even the biggest Hollywood studios can’t protect their movies from piracy, content that they spend millions of dollars to create.

Dierk Brunner

If someone has the technical skills, and runs their own grid, they can intentionally edit ownership of items inside a grid to appear as creators, Dreamland Metaverse CEO Dierk Brunner, also known in-world as Snoopy Pfeffer, told Hypergrid Business.

“In general it is always possible to intentionally create user accounts with an UUID used by someone else on another grid,” he said. “Then when objects of that creator are loaded the chances are high that at the other new location this user account with the same UUID is seen as creator.”

And, of course, grid owners can give their avatars “god powers” or edit their own grid databases.

Thieves who do not manage their own grids also have other options, including copybot tools.

“There is no 100 percent security unless encryption would be used up to the graphics cards,” Brunner said. “Currently it is only possible to make clear legal statements and to enforce them at court, if necessary.”

Shared UUIDs pose challenges for copyright enforcement

The UUDI problem also makes it difficult for content creators to track down the actual copybotters who originally stole and distributed the content.

Fred Beckhusen

“No one knows who actually uploaded the items when two or more people share the same UUID,” said DreamWorld’s Beckhusen. “So accusing one person of stealing, without better proof, is potentially libelous. There are multiple people running around with the same UUID, so how would you know?”

Beckhusen investigated the issue personally, setting up a new Sim-on-a-Stick minigrid, changing the default avatar name to “NotAlex Reese99” and teleporting to his own Outworldz grid.

The default avatar UUID, for those out there who are technically inclined, is “26ecc3a5-9243-470e-b8d9-4afcacdecf58,” he reported.

After that one visit to Outworldz, Beckhusen checked his grid’s database.

(Image courtesy Fred Beckhusen.)

“I scanned through the inventory tables and found a mountain that had been uploaded by this UUID,” he said. “It is now magically created by NotAlex, who literally was created today.”

Folks who have access to the OpenSim management console can take advantage of this security hole, said Beckhusen, since they can create new avatars with any UUID they want.

Creating a new avatar with OpenSim.exe. (Image courtesy Fred Beckhusen.)

Beckhusen then took his “NotAlex” avatar to other grids, and confirmed that the ownership and creation issues came up elsewhere, as well.

Chris Mac was also able to confirm the problem when traveling to other grids.

 

The avatar shape seen as created by NotAlex Reese99 to Beckhusen appears as created by brasiltropical.owner to a Craft resident. (Image courtesy Fred Beckhusen.)

One thing that might help, to some degree, is to clear viewer and inventory caches, Metropolis grid’s Vanilli told Hypergrid Business. 

That includes manually clearing the viewer cache after each hypergrid jump, she suggested. The instructions for doing so on the Firestorm viewer are here.

However, the cache is there to make things load faster, and clearing it will slow down performance.

The viewer cache saves local copies of content, and it also creates a situation where different creator or owner names show up for the same content for different users, or at different times.

“It might appear as Alex Reese now but later it will be another name or another user that gets cached,” OSgrid president Dan Banner told Hypergrid Business. “They might see the Simona Stick avatar as their own name because that is how it’s cached to them.”

One thing that content creators may consider is attaching a notecard to their content describing who the owner is, and how the content can be used. If the creator has a store or website, the notecard may also include directions for where to get more content. A brief summary can be included in the item’s description, as well.

In the OpenSim Virtual discussion thread about the issue, for example, Beckhusen notes that some of the content has an incorrect name for the creator, but the attached notecard shows that it was originally distributed by “Gladiatrix Athena SHAREORDiE.”

A notecard, or a description line, won’t keep criminals from stealing the content, of course. Notecards and descriptions are easy to change. But they will give legitimate users information about the content.

In addition, content owners could make it easier for their legitimate customers to check whether content is legal by putting up notes on their websites describing where the content is available for sale, whether or not free copies are available, and, if relevant, explaining the shared UUID situation. Then double check that a Google search for, say, “Gemini Fullmoon content” brings people to that page. (You can help improve that page’s search rankings by linking to it in your signature, store listings, and social media posts.)

Related Posts

David Kariuki

David Kariuki is a technology journalist who has a wide range of experience reporting about modern technology solutions. A graduate of Kenya's Moi University, he also writes for Cleanleap, and has previously worked for Resources Quarterly and Construction Review. Email him at [email protected].

  • Gemini Fullmoon — If you set up an info page for your content, such as an FAQ on your Google Plus or Facebook page, or on your website, or on your Kitely Market store, or anywhere else, please let us know and we’ll update the story and link to it, so you’ll get the SEO for it, and when people search for it, it will come right up.

    If any other creators have similar issues, please let us know, and I’ll add them to the story. (Disqus comments links help a bit, but weird things happen to them sometimes so they’re not as permanent, and may not have the same SEO clout, as a link in a story.)

  • 1derworld

    Interesting now everyone knows how to copybot and get away with it, Good tutorial on this subject, Not to mention also supplying the UUID. This is just a tiny sand granule in the beach of Virtual Thief’s. 🙁 sad to see this written

    • I agree.. I think the details weren’t needed.. it only helps to entice those considering using it, to use it by telling them how.

    • I didn’t see a tutorial on copybotting in the story when I edited it… I guess I could have missed it? Maybe you’re referring to the console screenshot? However, everyone who has access to an OpenSim console has already seen that screen. And the rest of it — the database modifications, etc… — are for a very technically sophisticated person (I wouldn’t be able to do it) who would already be expected to know about the problem. Regular old copybotting (from what I hear) is faster and easier. Plus, while some of the copybotted content makes its way into OpenSim, the bulk of the action is in Second Life, which is where the bulk of the content is.

      Also, when David says that using the default avatar makes you look like a copybotter — it doesn’t actually MAKE you a copybotter. (Which is the point of the story.) You still have to go out and do the copybotting to be a copybotter.

      Or maybe you meant that there are people out there who would like to copybot, but didn’t know that such a thing existed, and now that they’ve heard about it, they’ll Google it and go out and do it?

      That’s a problem with covering any kind of crime. I’ve done a number of articles at my day job about how easy and lucrative ransomware has become. It is theoretically possible that someone would read that article and say, hey, I gotta get me some of that.

      My take on it is that the benefit of warning people that the problem exists, so that they can personally avoid it, and grid owners can keep an eye out for it, is worth it.

      • 1derworld

        Anyways, We all know that Virtual Worlds opens doors for Copybotters/Rippers of Games/Animated Movies and Free non commercial 3D content. This is fact, But when we start to analyze how its done and write about it the bad guys and what they did wrong. They are educated now not to make that mistake again. Posting such things in a blog is not the right way to stop it, It shows a very bad light on our Opensims. Maybe try and speak to developers rather than the general public. We surely do NOT need to educate the bad guys any further These so called opensim police with accusations on grids and people copybotting just makes things worse, If it bothers them so much I suggest hanging up the towel and go back to sitting on the porch

      • Arielle

        David points at the Diva Distro install as having default avatars which as far as I can tell, it DOES NOT. Diva distro only has a default WiFi admin account and nothing in her documentations says anything about a default login account. If it did, the same issue would exist for a lot of standalones and grids including Outworldz.

        The problem is that Ener Hax setup a default Grid account in her SOAS distro to make it easier for people to log in initially on her Standalone, non-hypergrid enabled distribution and it was the community that figured out how to convert it to enable hypergrid mode which leads to the problem. It was at that point people should have created a new account to hypergrid around with instead of using the default Simona Stick account it came with. I just spent a half hour trying to duplicate how to change the name of that default account without coming to a solution as I don’t see the configuration for that account in any ini files. From that I would have to assume it is a very small minority who actually accomplished it and if they were smart enough to figure how to, should have realized it would lead to problems. Opensim for the past 5 years or so will not allow an avatar account with the same UUID to jump to a grid that has an account with the same UUID.

        This issue as far as i can tell is limited to those who used an SOAS distro and then configured it to enable hypergrid and used the default account to jump around to those grids that didn’t already have an account with that UUID. The fix should involve no more then sorting out the account with that identification. Another Tempest in a teapot. :eyeroll:

        • David

          Arielle, your last statement that the problem is experienced by those using SOAS distro and then configures it for hypergrid to other OpenSim grids, is very true and correct. The story is pointing to SOAS, which is based on Diva Distro.

          • Arielle

            Your sentence: “The problem is that the default avatars that come with the Diva Distro or Sim-on-a-Stick,” strongly implies that both SOAS and Diva Distro have the issue which is factually incorrect as far as I can see.

          • Fred Beckhusen

            All versions of Opensim have this issue, but not by default. SOAS has it as a default, but is actually the hardest one to accomplish , as it is not HG-enabled.

        • JozeeTungsten

          Good catch Arielle!

        • Fred Beckhusen

          One of the reasons I believe Gemini is totally speaking the truth is that she had to first enable HG in Diva Distro, which is not easy, and use MYSQL twice to change the name, and then, hypothetically, copy bot something. It is much easier to paste any UUID (UUIDS are not secrets) in the console on any HG-enabled grid (Dreamworld, Diva, SOAS modified for HG, Opensim standalone HG, or any Full HG grid), and the original person and UUID on any OTHER grid is the person blamed for it.

          • Susannah Avonside

            HG is enabled by default in Diva Distro though.

          • Fred Beckhusen

            Good catch. I edited my reply to add the SAS version of Diva….

          • Fred Beckhusen

            Good catch. I edited my reply to add the SOAS version of Diva….

          • Fred Beckhusen

            Sent via the Samsung Galaxy S7, an AT&T 4G LTE smartphone
            ——– Original message ——–From: Disqus Date: 8/14/17 7:46 PM (GMT-06:00) To: [email protected] Subject: Re: Comment on A default avatar could make you look like a copybotter
            “HG is enabled by default in Diva Distro though.”

            Settings

            A new comment was posted on Hypergrid Business

            Qqqz3

            Susannah Avonside

            HG is enabled by default in Diva Distro though.

            8:46 p.m., Monday Aug. 14

            |

            Other comments by Susannah Avonside

            Reply

            to Susannah Avonside

            Susannah Avonside’s comment is in reply to

            Fred Beckhusen:

  • Carlos Loff

    I believe the name Opensim says it all – OPEN – With all the pros and cons that brings… And there is just so little we can all do about it… It all comes to either we play or we don’t…

  • well said

  • I don’t travel to other grids so it doesn’t affect me much. I don’t use Sim-On-A-Stick because I knew it had a lot of problems with it. And thanks for your alt name Alex, I can ban it from my regions too now.