A modest proposal for hypergrid security

As John Rogate pointed out today, the 4096 bug — which limits hypergrid teleports to no more than 4,096 regions in any direction — is a significant impediment to hypergrid travel and to the growth of the metaverse as a whole.

But, as several people commented, there is another impediment as well — the lack of hypergrid security.

My proposed solution

I propose that, by default, only original creations or “all perms” content is allowed to travel the hypergrid — or be exported via OAR region exports and IAR inventory exports.

That is, if creators allow copy, transfer and modify for their content, then the buyers of that content can take it to other grids or back it up to local disk drives.

But if any of these options are not allowed by creators, then the content stays on its grid of origin.

Today, four grids — Kitely and Virtyou, as well as TalentRaspel’s Wilder Westen and Open Neuland — already do these checks for OAR exports.

Grid owners will still be able to override these permission checks to make backups of their entire grids, of course. And some hosting companies — especially those serving corporate, education, and creative markets — will still allow full OAR and IAR exports. So, for example, if I’m a school and have several teachers and students working on a build, I need to be able to save regular OAR files in order to have archives of the work. And if I’m a company with a virtual corporate campus, I’ll be able to save copies of my campus, even if I have outside contractors come in to do the building.

However, if I’m an owner of my own grid, and I travel to other grids, the only content I’ll be able to bring back to my home grid and export will be full-perms content.

Another benefit of this solution is that grid owners don’t have to worry about whether their visitors are coming from “trusted” or “untrusted” grids. After all, who’s got time to keep track of that? And a grid that’s “trusted” today might decide to allow full exports tomorrow — and vice versa.

This solution does not address the CopyBot issue. But then, there is no perfect system to protect against copybotting. However, having full perms checks in place will allow creators to decide whether their content stays on one grid, or is allowed to travel. And it also lets people leave commercial, content-protected grids without showing up naked elsewhere — simply by choosing to wear full-perms clothing on their trips.

How this affects shopping:

  • Local grid residents will be able to buy high-end content that is set to no copy, no transfer, or no modify, but will not be able to export it off the grid.
  • Foreign visitors will not be able to buy this kind of content unless they register for local accounts.
  • Foreign visitors will only be able to buy full-perms content. Creators can either charge extra for full-perm objects, or only offer full-perms on out-of-season or promotional items.

How this affects creators:

  • If I create something from scratch, I can export it as an OAR or IAR file, or take it with me when I travel the hypergrid and give it to anyone I like.
  • If I give or sell my original creation to someone when I travel to a distant grid, then that person will have the “next owner” permissions — and, unless the item is given full-perm, will not be able to export it.

The checks to do all this are all on the server. So the only programming required will be in the OpenSim server code. This is important because OpenSim users can continue to use whatever viewer they prefer — including official Second Life viewers.

Hypergate on the Logicamp grid.

Benefits to grid owners

New casual visitors. Commercial grids would be able to allow casual visitors to come in and check out the grids — and allow them to look at the content they could have access to if they became full grid members. That content could be high-end fashions, role playing equipment, fancy vehicles, or business tools, for example.

More customers for merchants. In-world merchants could choose to sell some of their products full-perm to the entire hypergrid community, while restricting their latest content, or their premium content, to local residents only. Merchants could also set up hypergrid teleport links to stores on other grids — so that buyers could teleport to a store on their home grid to buy the premium content.

Grids could offer tiered services. A role playing grid, for example, could offer some basic options to hypergrid visitors — a small section of role playing costumes and equipment, say. Users who create in-world avatars, however, would get access to the full range of role playing content and equipment.

Grids could rent land to foreigners. Today, a commercial grid can only rent land to its own residents. But some users might want to have land on multiple grids without having to have multiple avatars. A merchant, for example, might want to have stores on multiple grids, or an event organizer might want to rent land for an event.

Grids could hold big public events. Today, a commercial grid hosting, say, a fashion show or a concert, can only attract visitors from among its own user base. With secure hypergrid teleports, however, a grid could promote the event across the entire metaverse. Some of the visitors might decide they like the grid, and get their own user accounts there.

Grids could attract small event organizers. Today, someone planning a meeting for their organization or business group has to pick a grid that’s easily accessible to all their members — either on Second Life, or on an open OpenSim grid, or on a commercial grid where the majority of members already have accounts. If all commercial grids were on the hypergrid, organizations could pick venues with the best facilities, or highest region capacity, or best performance. Grids could rent out meeting facilities by the hour, or offer facilities for free in order to showcase the grid to outside visitors — and attendees won’t have to create new avatars to attend the events.

Clubs could market to the entire hypergrid. A club owner could have a club on a commercial grid and charge an entry fee at the door to visitors — regardless of which grid they come from. Fitness clubs could sell memberships to the entire metaverse. Musicians could put up PayPal or OMC tip jars and take money from everyone. Other types of clubs that could sell memberships via PayPal or OMC include role playing clubs, kinky sex clubs, business networking groups, language schools and other educational institutions.

Meanwhile, new multi-grid businesses and organizations could spring up. We could see multi-grid treasure hunts. Fashion designers could hold multi-grid trunk shows. Language schools could organize language tours — visiting, say, all the French-speaking grids. Role playing game vendors could organize multi-grid games. Real estate agencies could show customers available land on multiple grids.

Current plans have flaws

OpenSim developers are currently planning to revamp the permissions system to include a separate permission for hypergrid travel. This means that existing viewers will no longer work with OpenSim — the viewers will have to be changed, or there will need to be a separate piece of software that sits between the viewer and the server.

The problem is that most Second Life-compatible viewers are used primarily to access Second Life, and are optimised to work with Second Life. OpenSim support — such as grid management — is only added as an afterthought.

There’s a good reason for this. The user base of all the OpenSim grids put together is still a tiny fraction of Second Life’s users.

Yes, OpenSim is growing, and will, eventually, overshadow Second Life.

But setting up a system where existing Second Life viewers can’t be used to access OpenSim grids will hinder that growth.

Another advantage of my proposal is that grid operators don’t have to wait for the core developers to implement this. Any grid can, acting on its own, add the permission checks to its OpenSim deployment — and instantly protect its content while at the same time allowing its residents to freely travel the hypergrid.

It would be nice, of course, if they follow Kitely’s model and donate the new code to the community, so that each grid doesn’t have to develop it on its own.

Or commercial grid operators can get together, and pitch in towards a bounty to pay a developer to write the new code. After all, the permission checks would primarily benefit commercial grid operators and might not be the sexy kind of project — like mesh or physics — that attracts volunteer developers.

Not that I have anything against mesh and physics — those are great, too!

Some implementation suggestions

When the permission checks are implemented, I would also suggest a few features that might improve usability:

  • When a hypergrid visitor tries to buy an item that’s not full perm, send out a warning message and cancel the sale before it goes through.
  • When a local resident tries to do a hypergrid teleport to another grid while wearing some items that are not full perm, issue a warning that those items will not appear on other grids — and give the resident the opportunity to cancel the teleport and change outfits.
  • Similarly, when a resident requests an OAR or IAR export, issue a warning that the only items exported will be full-perm items and items that the resident themselves created.

Finally, it would be nice to have creator names be saved in the database as full names, not just local grid names. So, for example, if I create an item on OSGrid, the creator name would be saved as “Maria.Korolov@osgrid.org” instead of as “Maria Korolov.” Then, when the item is rezzed on OSGrid, the creator name could be displayed as “Maria Korolov” — and when it’s rezzed on other grids, it would be displayed as the full name, “Maria.Korolov@osgrid.org.”

Again, this is something that, in theory, can be handled with just the server code.
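
The checks suggested in this section, sketched as an added example; this is not OpenSim code and not part of the original article. The Item model, the function names and the sample inventory are assumptions made for illustration; the bit values are the standard copy, modify and transfer permission flags.

```python
from dataclasses import dataclass

# Permission bits shared by Second Life-compatible viewers and OpenSim.
PERM_TRANSFER = 0x2000
PERM_MODIFY = 0x4000
PERM_COPY = 0x8000
FULL_PERM = PERM_COPY | PERM_MODIFY | PERM_TRANSFER

@dataclass(frozen=True)
class Item:  # hypothetical model, not an OpenSim type
    name: str
    creator: str      # full creator name, e.g. "Maria.Korolov@osgrid.org"
    owner_perms: int  # what the current holder may do with the item
    next_perms: int   # what a buyer would receive ("next owner" permissions)

def is_full_perm(mask: int) -> bool:
    """True only if copy, modify and transfer are all granted."""
    return (mask & FULL_PERM) == FULL_PERM

def may_leave_grid(item: Item, user: str) -> bool:
    """Original creations and full-perm content may travel or be exported."""
    return item.creator == user or is_full_perm(item.owner_perms)

def split_for_export(items, user):
    """Return (allowed, held_back) for a teleport outfit or an OAR/IAR export."""
    allowed = [i for i in items if may_leave_grid(i, user)]
    held_back = [i for i in items if not may_leave_grid(i, user)]
    return allowed, held_back

def departure_warning(items, user):
    """Warning to show before a teleport or export, or None if nothing stays."""
    _, held_back = split_for_export(items, user)
    if not held_back:
        return None
    names = ", ".join(i.name for i in held_back)
    return f"These items are not full perm and will stay on this grid: {names}"

def check_purchase(item: Item, buyer_is_local: bool):
    """Return (sale_allowed, message); visitors may only buy full-perm items."""
    if buyer_is_local or is_full_perm(item.next_perms):
        return True, None
    return False, f"'{item.name}' is not full perm; register a local account to buy it."

# Constructed sample inventory for the resident named in ME.
ME = "Maria.Korolov@osgrid.org"
INVENTORY = [
    Item("own build", ME, FULL_PERM, PERM_COPY),
    Item("freebie shirt", "A.Creator@example.grid", FULL_PERM, FULL_PERM),
    Item("premium gown", "A.Creator@example.grid", PERM_COPY | PERM_MODIFY, PERM_COPY),
]
```

Because the decision uses only the permission masks and creator name already stored with each item, nothing in it depends on which viewer the user runs.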

The current situation

Today, grid owners have three options when it comes to the hypergrid:

  • Turn off hypergrid teleports. To get into the grid, users have to register for an account and log in directly.
  • Turn on hypergrid teleports, but turn off object transfer. Visitors can still teleport in from other grids without creating new accounts, but they can’t take any content out with them. Grid residents who teleport out to other grids show up naked — their clothes don’t travel with them.
  • Turn on hypergrid teleports and allow object transfer. Anyone can teleport in and out of the grid, taking anything they want with them. Owners of foreign grids can’t steal inventory items from visitors because of new security checks implemented as part of Hypergrid 1.5, and supported in all recent versions of OpenSim.

The majority of grids have hypergrid turned on and allow object transfer because they value interoperability over content security. For example, a school using open source buildings for its classes and open source avatars and clothes for its students might not be overly concerned about users taking that content to other grids. Similarly, a museum or an art installation might have few worries about employees or member artists taking objects off-grid, and be more interested in having the maximum number of users come and enjoy the work.

Commercial grids, however, treat content protection as their highest priority. In order for merchants to feel secure about selling content on their grids, they need to ensure that the average resident can’t take the content anywhere they want in the metaverse, so they have hypergrid turned off.

A few grids, such as Nova, have hypergrid turned on but object transfer turned off, allowing foreign avatars to visit but not take anything out with them.

Copybotting — where visitors use illegal software to take content that they don’t have the right to take — is a separate issue, and unrelated to the hypergrid. Copybotters can teleport in via the hypergrid, or they can create a new user account, and log in directly just as easily to steal content.

The hypergrid settings do not keep content 100 percent secure — creators still have to monitor other grids and marketplaces, file DMCA takedown notices, and make sure that buyers have legal and convenient ways to get content legitimately.

What do the developers think?

I asked a few OpenSim experts what they think of this plan. Hypergrid inventor Crista Lopes, professor of informatics at the University of California, Irvine, has not yet responded.

Virtyou CTO Michael Steinmetz said he thought it was “a very good idea,” though it would need a different approach than what he did to implement permission checks on OAR exports.

“Filtering the hypergrid output would be more complicated than my solution of repacking the OARs, since OARs are file based, so you can just unpack them, analyse the content and repack again, while the hypergrid is a network stream, so one would have to control it on the fly either within the application layer, or build a kind of Layer-7-Firewall for it,” he said. “But that is definitely doable, and would improve the security and thus acceptance of Opensim even further.”

Kitely CEO Ilan Tochner said his company has other priorities right now — but that implementing my plan doesn’t sound too hard to do.

“Theoretically speaking, I don’t think it should be very difficult to implement what you suggested,” he said. “Probably just a few days work to get acquainted with the existing code, enhance it and make sure that it works properly.”

However, OpenSim core developer Justin Clark-Casey said that my proposal “probably is quite difficult” to implement.

“I’m not sure the feasibility without looking at the code in detail,” he said.

Another core developer, who did not want to be quoted by name, said, “Yes, as temporary solution full perm can be used as export allowed permission setting. I am sure it is possible to add such a feature elegantly, still allowing old or Second Life viewers to be used.”

However, he said he prefers to see a separate permission class added, just for hypergrid exports, so that creators could allow or not allow their creations to travel between grids separately from their decision to allow copying, transferring, or modifying the items.

Another alternative is to use licensing, instead of technical restrictions, to protect content, Kai Ludwig, owner and manager of the Wilder Westen and Open Neuland grids and CEO of OpenSim hosting company TalentRaspel virtual worlds Ltd, told Hypergrid Business.

On the World Wide Web, content such as text and images can be easily copied to other sites — but many companies and individuals make money by selling licensed copies of those photographs and articles.

Take this article for example. Hypergrid Business owns the copyright, but there is no technical obstacle keeping people from copying the entire thing and saving it to their hard drives, emailing it to all their friends, or reposting it on their blogs. In fact, there are even convenient “Email” and “Print” buttons to help people do just that.

Someone could even copy the entire publication if they wanted to — there are no technical measures in place to stop them. And, occasionally, a site does pop up full of copied articles from other sources. When that happens, I get a Google Alert and file a DMCA report, and the site is usually taken down within a day by its hosting company. If I don’t catch them, one of the other publications they ripped content from will notice and will do the same — usually with more lawyers behind them, as well.

Okay, maybe my content isn’t all that valuable. But there are also consulting companies selling thousand-dollar research reports online in the form of DRM-free PDF files — and, without digital rights management, they can be distributed easily as well. For music and movie lovers, iTunes sells content without DRM as well and is able to do so quite profitably. Music and video piracy is still rampant, but the availability of legal, affordable and convenient options is quickly cutting into that market. And those who continue to pirate content would probably not have spent the money to buy the products in the first place but would have listened to it for free on the radio or watched it on television.

Even 3D content is sold online in this manner.

“Take a 3D-model from TurboSquid as an example,” said Ludwig. “Buy it, get full unrestricted access to the data, receive a licence and stay within its restrictions. If not, bad things may happen.”

More restrictions are neither necessary nor useful, he added.

“Every form of content protection can be worked around in some way,” he said. “Too much DRM will kill the hypergrid. Instead we focus on using content in the way that is standard to the 3D-industry — provide a license with the content and use the content according to the license. Leave up the remainings to the lawyers.”

For OAR exports, TalentRaspel has a permission checks system that allows exports of items that were created by the user, that are owned by the user and are full-perm, or ones for which a licensing agreement is on file with the company.

“In addition, we require the customer to explicitly state that he has the proper intellectual property rights for receiving the OAR-exported data,” Ludwig added.

TalentRaspel doesn’t just do OAR exports for their own regions, however. They will also do OAR exports of Second Life regions, starting at US $273 (200 Euros) a pop, plus tax — for content that complies with the same criteria. Contact TalentRaspel for an exact price, which varies with the complexity of the build.

Maria Korolov