Is LL’s Copy Protection Pwned?

by Pixeleen Mistral on 13/11/06 at 10:50 pm

Content shall go forth and multiply

by Pixeleen Mistral, National Affairs desk

Metaverse citizens who hoped to make a living selling objects may want to consider a different line of work – a new tool is making the rounds that makes it trivial to defeat Second Life’s copy protection of objects – as well as cloning one avatar’s looks onto others. How is this possible – and how will in-world content creators be able to sell their wares if object copying tools are widely available?

When Prokofy Neva broke this story yesterday it was evident serious damage might be done to the in-world economy – but the details of how the copying was accomplished were unclear.

Today, the Herald was contacted by an anonymous source with detailed information on how the Lab’s Digital Rights Management (DRM) system may be bypassed due to the design of the Second Life software – given the help of some tools developed using the libsecondlife libraries. Although we were unable to directly verify all the claims of our source, we did see a demonstration of much of what is described below in-world, and it appears that it may only be a matter of time before similar copying tools become more widely available – bypassing LL’s object copy protection. Based on what we have learned, there are two distinct methods for overriding Linden Lab’s DRM controls – one based on altering messages sent from the Second Life client to the server, and another based on capturing the prim descriptions sent to the client for drawing the object and transforming these into “create object” commands which are then sent to the server. What follows is an interview conducted today with AA (Anonymous Avatar).

PM: Hi.

AA: Hello. I would like to direct your attention to the fact that SL servers perform absolutely no verification of commands sent by the SL client. This allows anyone with the ability to forge communications to copy any asset inworld. This is not difficult for anyone with moderate technical capability. Obviously, this is an issue for content creators on all levels from personal to corporate. LL has been aware of this for years, and has done nothing. It is the foundation of their protocol and server code which allows such insecurities, and to fix this would require major redesign of SL back-end programming. However, if LL is to promote SL as a “platform for business and development”, security is required. Perhaps a bit more public attention would push LL to secure their servers.

The main tool used in this process is named SLProxy, which is based on libsecondlife. It sits between the client and server, acting as a proxy and allows the user to modify incoming and outgoing communications, as well as forge completely new data to be sent to the server or client. LL is in favor of the libsecondlife project, which is not necessarily a Bad Thing. The issue is with the lack of verification on the server side, which allows anyone to do anything.

Certain things are validated on the server side, such as money transactions. There have been other things which were previously unvalidated, but then validated at a later time once they became abused on too wide of a scale. The two most well known are “god mode” and “oversized prims”.

PM: for example?

AA: One example of trivial content theft would be the example stated in the thread I have linked to here. One avatar obtains the asset id of an object in their inventory. Any user can do this using the client alone. This asset id is given to another avatar. This other avatar then logs their client in, using SLProxy. By modifying the packets going from the client to the server, it is possible to tell the server to rez inworld a copy of any object not owned by the user simply by specifying the asset id of the object to be rezzed. This object is then taken back into inventory.

PM: How hard would it be for the server to check who the request came from to decide whether or not to rez the object? Is all the object security depending on nobody finding out the ID of the objects? That is what it sounds like to me.

AA: Unfortunately, it would create an amazing amount of database load to verify permissions each time an object is rezzed. I am not sure that there is a solution for this. There are already serious issues due to existing database load with teleportation and sims crashing. :(

Without intercepting communication between client and server, the current security model works “well enough”. But yes, as long as a person is willing to share their asset id for an object, it is possible to transfer no-transfer items. And as long as client is allowed to tell the server when to leave copies of no-copy objects in the inventory, no-copy objects may be copied.

PM: I can see how a program could copy everything in my inventory since it would have access to all the object IDs when the inventory is downloaded to the client. What about some other avatar’s inventory? Is there a way to ask for all the object IDs of another avatar or do you have to be logged in as that avatar for inventory requests to be honored?

AA: You would need to be logged in as the avatar to copy the inventory. :)

PM: I guess what I am thinking is that if you can change the messages the client is sending to the server, and the server just believes them, then about the only thing holding back wholesale copying is the secrecy of the object ID. Does the server check to see if an object ID is “mine” before it rezzes things? I think you are telling me the server doesn’t really look at permissions, it just depends on the client to handle that – is that right?

AA: Correct. :) If you give me the asset id of a no-copy, no-transfer object from your inventory, I will be able to rez it in-world as owned by myself, then take it back into inventory. Perhaps LL will add server-side validation to prevent this in the future.

It is important to note that this is different than what the “CopyBot” is doing. The CopyBot is intercepting prim geometry as it comes into the client, then sending rez commands back to the server for each prim with the captured geometry to recreate the object using new prims owned by the person making the copy. This means, of course, that the object is re-created with full permissions.

PM: How does the CopyBot thing work?

AA: The concept is similar to GL Intercept. It is an external application built on top of libsecondlife, just like SLProxy. It will duplicate any object or avatar which is rezzed inworld.

In order for objects to be drawn on your screen, the geometry of every prim must be sent to the client. This “CopyBot” is intercepting this data and sending it back to the server to create new prims to rebuild an object. By now you have most likely heard this is being done with avatars. On the server side, the avatar is simply another object. The libsecondlife team has used this to duplicate their headquarters from one sim onto another.
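The interview turns on one design point: the server rezzes whatever asset id the client names and lets the client say whether a copy stays in inventory. The sketch below is an added illustration, not code from this article, from libsecondlife, or from Linden Lab. It models a made-up asset and inventory store (the `Asset`, `RezRequest`, `TrustingServer` and `ValidatingServer` classes, the constructed id `asset-A`, and the avatar names `alice` and `mallory` are all assumptions) and contrasts a server that believes the client with one that derives the same two decisions from its own records.

```python
"""Added illustration of server-side rez validation.

Hypothetical model only: the classes, ids and avatar names are constructed for
this example and do not describe Second Life's real protocol or database.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str       # constructed sample id, not a real asset key
    creator: str
    copy_ok: bool       # "no-copy" when False
    transfer_ok: bool   # "no-transfer" when False


@dataclass
class RezRequest:
    requester: str      # avatar whose client sent the message
    asset_id: str       # asset id the client names
    keep_copy: bool     # client-asserted flag: leave a copy in inventory


class TrustingServer:
    """Models the behaviour the interview describes: the client is believed."""

    def __init__(self, assets, inventories):
        self.assets = assets
        self.inventories = {who: set(items) for who, items in inventories.items()}
        self.world = []  # list of (asset_id, owner) for rezzed objects

    def rez(self, req):
        asset = self.assets.get(req.asset_id)
        if asset is None:
            return "unknown asset"
        # Whoever names the id becomes the in-world owner.
        self.world.append((asset.asset_id, req.requester))
        # The client decides whether its copy is consumed.
        if not req.keep_copy:
            self.inventories.setdefault(req.requester, set()).discard(req.asset_id)
        return "rezzed"


class ValidatingServer(TrustingServer):
    """Same interface; both decisions come from server-side records instead."""

    def rez(self, req):
        asset = self.assets.get(req.asset_id)
        if asset is None:
            return "unknown asset"
        # Knowing an id is not possession: the item must be in the requester's inventory.
        if req.asset_id not in self.inventories.get(req.requester, set()):
            return "denied: not in requester's inventory"
        # Copy permission is read from the asset record; the client's flag is ignored.
        if not asset.copy_ok:
            self.inventories[req.requester].discard(req.asset_id)
        self.world.append((asset.asset_id, req.requester))
        return "rezzed"


def scenario(server_cls):
    """Run the two requests the interview describes against a server class.

    Returns (foreign_result, own_result, alice_inventory, world) so the
    difference between the two servers can be checked directly.
    """
    assets = {"asset-A": Asset("asset-A", creator="alice", copy_ok=False, transfer_ok=False)}
    inventories = {"alice": ["asset-A"], "mallory": []}
    server = server_cls(assets, inventories)
    # A request naming an asset the requester does not hold.
    foreign = server.rez(RezRequest("mallory", "asset-A", keep_copy=True))
    # The holder rezzes a no-copy item while the client claims "keep a copy".
    own = server.rez(RezRequest("alice", "asset-A", keep_copy=True))
    return foreign, own, sorted(server.inventories["alice"]), server.world


if __name__ == "__main__":
    for cls in (TrustingServer, ValidatingServer):
        print(cls.__name__, scenario(cls))
```

Run stand-alone, the trusting server reports both requests as rezzed, leaves the no-copy item in inventory, and ends up with two in-world copies of `asset-A`, one owned by each avatar; the validating server rejects the foreign request and consumes the no-copy item. The checks themselves are two lookups against in-memory records; whether the equivalent lookups are affordable against a live asset database is the load question AA raises above, and this sketch does not settle it.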

3 Responses to “Is LL’s Copy Protection Pwned?”

  1. blaze@blaze.com

    Nov 13th, 2006

    Folks, you just have to see the sceneviewer to see this in action:

    http://www.libsecondlife.org/images/stories/sceneviewer03.png

    How do you think they rez those prims? The same way the client does, they just ask for the prims and the server readily coughs them up to anyone that asks.

  2. SunShine Kukulcan

    Nov 14th, 2006
