If you’re using a default avatar that comes with some versions of OpenSim, your name might wind up on copybotted content without you knowing about it.
Last summer, Fullmoon set up a private mini-grid on a home computer, renamed the default avatar to “Gemini Fullmoon” and then traveled to a couple of other grids to test it out.
“It was pretty kool at the time I have to say,” Fullmoon told Hypergrid Business. “Once I figured out how to do it I quickly lost interest and pretty much stopped playing with Sim-on-a-Stick.”
However, that was enough time for the “Gemini Fullmoon” avatar name to get attached to copybotted inventory items uploaded by totally unrelated people, and, last month, Fullmoon’s name came up in a discussion about illegal content on the OpenSim Virtual community on Google Plus. One of Fullmoon’s alts, “Alex Reese99,” also had the same problem.
“I would just like to warn people not to make the same mistake I did and also to get the word out that I’m not a copybotter,” said Fullmoon.
The problem is that the default avatars that come with the Diva Distro or Sim-on-a-Stick, software people use to create free OpenSim mini-grids on their personal computers, all have the same avatar UUID. That’s like a Social Security number for avatars. So when someone using a default avatar travels to another grid via hypergrid, their new avatar name becomes associated with that UUID in the new grid’s database — even if someone else had that UUID previously.
And the original copybotter avatar with the same UUID doesn’t even have to visit those grids personally — they might have ripped and uploaded the content then shared it with other users, who, unknowingly, took it to other grids.
“It appears if there is an item on a grid with that UUID but that avatar that actually created never landed on the grid it will retain its name until someone actually lands on the grid and then the name may switch out magically to the new person after an unknown amount of time passes,” said Chris Mac, known as Lite House on the Great Canadian Grid, who helped Fullmoon investigate the issue.
That means that the names of innocent users can show up — incorrectly — as owners of other people’s content. That’s a security issue for the other grid, since someone who isn’t the actual owner is now showing as the owner of the content. And if that other content is pirated, that can be a PR nightmare for the innocent user.
How not to share your UUID with a copybotter
It’s easy enough to keep the same thing from happening to you in the first place, just by creating a brand new avatar when you first set up your mini-grid.
“Using any new avatar during the start up on Sim-on-a-Stick would not create this issue since it hashes out a new UUID each time randomly,” Mac told Hypergrid Business.
But once the damage is already done, getting it fixed is extremely difficult, experts say.
Now, not only can your avatar name show up on other, random content, but your own content might wind up coming up as belonging to someone else.
Diva Distro does not have this fault in the default avatar but Sim-on-a-Stick has it by default, because it has a pre-defined database. However, you can keep it from getting worse. If you are using Sim-on-a-Stick, Diva Distro, or any version of OpenSim that uses the mySQL database, you can create a new grid and start over from scratch.
Or you can follow the following steps, as suggested by DreamWorld owner Fred Beckhusen:
- Save backups of all regions using OAR files
- Save backups of all inventories using IAR files
- Delete the contents of the folder mysql\data\opensim\*
- Delete the mysql\data\* files
- Leave the folder mysql\data\mysql alone, along with an empty \mysql\data\opensim folder
- Start Mowes.exe
- Start Opensim.exe
- It will rebuilt a blank system with new UUIDs after prompting you for the name of your master avatar
Mini-grid owners can also switch to the DreamWorld version of OpenSim, which is more up-to-date and, more importantly, is currently being supported. The Diva Distro hasn’t been updated since 2015, and Sim-on-a-Stick hasn’t been updated since 2014.
Diva Distro creator and hypergrid investor Crista Lopes did not respond to a request for comment.
DreamWorld, like the Diva Distro and Sim-on-a-Stick, is also a distribution of OpenSim that allows people to easily set up a mini-grid on their home computer. However, DreamWorld creates a brand new avatar, with a random new UUID, when the grid is first set up, Beckhusen told Hypergrid Business. That means that users don’t have the shared UUID problem.
Problem hard to solve for big grid owners
For owners of the big social grids, where random users upload a lot of random content, shared UUIDs are a much thornier issue.
Deleting all content with that UUID, and banning all avatars with that UUID, will hurt a lot of innocent people who use those default avatars by accident. And there is only so much that bans can do, since users may still continue to bring in content labeled with the problematic UUID.
“You can ban an avatar by UUID, but I don’t know of a way to ban an inventory UUID,” said Beckhusen.
And it won’t stop folks who deliberately create duplicate UUIDs for their avatars — or for their content — in order to mess with permissions.
That could create PR problems for social grids, since they could be accused by users of violating their content rights.
OpenSim does allow for avatars and inventory items to improperly share UUIDs, confirmed Metropolis grid manager Lena Vanilli.
But grids aren’t responsible for the problem, she told Hypergrid Business.
“This is not a bug but is related to the standard behavior of a viewer which is optimized for Second Life, with one database, not for OpenSim with many different databases and duplicate UUIDs,” she said. “We are not responsible for the way Sim-on-a-Stick creates UUIDs.”
In general, no grid — and that also includes closed grids like Second Life and InWorldz — can guarantee perfect security for their content. And most creators understand that they have to prepare themselves for the possibility of theft. After all, even the biggest Hollywood studios can’t protect their movies from piracy, content that they spend millions of dollars to create.
If someone has the technical skills, and runs their own grid, they can intentionally edit ownership of items inside a grid to appear as creators, Dreamland Metaverse CEO Dierk Brunner, also known in-world as Snoopy Pfeffer, told Hypergrid Business.
“In general it is always possible to intentionally create user accounts with an UUID used by someone else on another grid,” he said. “Then when objects of that creator are loaded the chances are high that at the other new location this user account with the same UUID is seen as creator.”
And, of course, grid owners can give their avatars “god powers” or edit their own grid databases.
Thieves who do not manage their own grids also have other options, including copybot tools.
“There is no 100 percent security unless encryption would be used up to the graphics cards,” Brunner said. “Currently it is only possible to make clear legal statements and to enforce them at court, if necessary.”
Shared UUIDs pose challenges for copyright enforcement
The UUDI problem also makes it difficult for content creators to track down the actual copybotters who originally stole and distributed the content.
“No one knows who actually uploaded the items when two or more people share the same UUID,” said DreamWorld’s Beckhusen. “So accusing one person of stealing, without better proof, is potentially libelous. There are multiple people running around with the same UUID, so how would you know?”
Beckhusen investigated the issue personally, setting up a new Sim-on-a-Stick minigrid, changing the default avatar name to “NotAlex Reese99” and teleporting to his own Outworldz grid.
The default avatar UUID, for those out there who are technically inclined, is “26ecc3a5-9243-470e-b8d9-4afcacdecf58,” he reported.
After that one visit to Outworldz, Beckhusen checked his grid’s database.
“I scanned through the inventory tables and found a mountain that had been uploaded by this UUID,” he said. “It is now magically created by NotAlex, who literally was created today.”
Folks who have access to the OpenSim management console can take advantage of this security hole, said Beckhusen, since they can create new avatars with any UUID they want.
Beckhusen then took his “NotAlex” avatar to other grids, and confirmed that the ownership and creation issues came up elsewhere, as well.
Chris Mac was also able to confirm the problem when traveling to other grids.
One thing that might help, to some degree, is to clear viewer and inventory caches, Metropolis grid’s Vanilli told Hypergrid Business.
That includes manually clearing the viewer cache after each hypergrid jump, she suggested. The instructions for doing so on the Firestorm viewer are here.
However, the cache is there to make things load faster, and clearing it will slow down performance.
The viewer cache saves local copies of content, and it also creates a situation where different creator or owner names show up for the same content for different users, or at different times.
“It might appear as Alex Reese now but later it will be another name or another user that gets cached,” OSgrid president Dan Banner told Hypergrid Business. “They might see the Simona Stick avatar as their own name because that is how it’s cached to them.”
One thing that content creators may consider is attaching a notecard to their content describing who the owner is, and how the content can be used. If the creator has a store or website, the notecard may also include directions for where to get more content. A brief summary can be included in the item’s description, as well.
In the OpenSim Virtual discussion thread about the issue, for example, Beckhusen notes that some of the content has an incorrect name for the creator, but the attached notecard shows that it was originally distributed by “Gladiatrix Athena SHAREORDiE.”
A notecard, or a description line, won’t keep criminals from stealing the content, of course. Notecards and descriptions are easy to change. But they will give legitimate users information about the content.
In addition, content owners could make it easier for their legitimate customers to check whether content is legal by putting up notes on their websites describing where the content is available for sale, whether or not free copies are available, and, if relevant, explaining the shared UUID situation. Then double check that a Google search for, say, “Gemini Fullmoon content” brings people to that page. (You can help improve that page’s search rankings by linking to it in your signature, store listings, and social media posts.)
- High-end VR makers try to gain traction lackluster market - March 21, 2020
- China’s COVID-19 epidemic in VR - March 19, 2020
- AR Helps Companies Work During Coronavirus Outbreak - February 28, 2020