Monday, January 4, 2010

OpenSimulator's Fail: Admin Powers for Sim Owners

For anyone who has run opensimulator at one point or another, you are probably already familiar with the "god powers", or the Admin menu. Like its name implies, it gives you some elevated powers that let you do things not normally possible. While very useful, they have a darker side to their utility.

By default, sim owners on OpenSimulator are able to obtain admin powers without restriction. There are three main admin powers that are of particular concern under the Admin->Object menu: Take Copy, Force Owner To Me, and Force Owner Permissive. The first two allow the sim owner to force ownership of a rezzed object to themselves, or to take a copy of it into their inventory. The last one, Force Owner Permissive, allows them to obtain creator permissions on a rezzed object: it effectively becomes full permission to them.

The implications of these abilities are obvious: a dishonest sim owner can become a content thief easily. All he needs to do is rez an object on his sim, or trick someone into rezzing the object, and can immediately take ownership and gain full permissions. But it doesn't just stop there. At least two online marketplaces for Second Life are branching out into OpenSimulator, allowing merchants to sell on opensim grids.

What does that mean? A dishonest sim owner can gain creator permissions on the ATM's and Vendors used by the marketplace, and gain full view of their networking protocols. Using this, they can steal funds from other marketplace users by spoofing their UUID's, or try and trick the system into delivering free merchandise to them.

Copybot can't do this: it can only "steal" the content it can see, and it is unable to grab the object contents because it can't see them. And even if it could see them, the permissions would prevent theft to a degree. But what can be done with admin powers is worse: copybot just rips what it can see. The admin powers let you directly grab the ownership of an object and change its permissions.

With these capabilities at the fingertips of sim owners, commercial activity within opensimulator grids simply is nowhere near viable. Virtual commerce can only be viable on grids that do not allow sim owners access to admin powers. To my knowledge, there aren't any grids which block access to admin powers. Not even professional grids like ReactionGrid block it. So, until we get grids that block access to admin powers, you can just forget trying to sell content on opensimulator.


  1. This is a very serious issue that should be addressed by the OpenSim devs(and the professional grid runners too). One way I can think of to mitigate this problem is to change the OpenSim server code to allow connecting to a pre-existing grid, but with the proper restrictions imposed by the grid admins as a condition of connecting.

  2. At ReactionGrid, we host and maintain all regions on our grid, and we run with god powers restricted on all public regions. Customers with private machines with us have the ability to modify some permissions, but our clients are honourable people. May I ask where you have been able to use these abilities on our grid?

    Chris Hart - CTO ReactionGrid

  3. There never has nor will there ever will be a technological solution to what is essentially a political and economic problem! In words of one syllable: DRM does NOT work nor will it EVER work! Piracy and theft will always be possible! Panic is not the solution, but reasonable agreements among users/owners MAY give us workable solutions.

  4. Judy, that's like saying you shouldn't put locks on your doors because someone can pick them or break down the door.

  5. Though perhaps a bit late to "join this party" - just couldn't resist commenting.
    Placing the onus of this "FAIL" on the OpenSim crew is all too easy - but I'd remind you that they have clearly and repeatedly emphasized that currency (and other matters deeply intertwined with this issue) are "outside the scope of the project". While I rather wish that they'd consider "addressing" some aspects of this - if even just for "play money" entirely the responsibility of sim / grid managers - I can also see why they'd choose to steer well clear of this (and related issues) and all the associated "slippery slopes" involved.
    If anything, any attempts to address such matters would fall to sim / grid management. If you feel particularly 'ambitious', you *might* try to convince members of OpenCurrency or other projects / entities to develop and "stand behind" proposed implementations, and *maybe* then you'd find further support within the OpenSim project itself - but I'm guessing that would still be questionable, to say the least.
    So - I'd strongly suggest deeper research into the underlying issues & related history before being so quick to point the "FAIL finger". The OpenSim project / crew sure aren't perfect - but they've done some great work, including their wise(-ish) choices in delimiting "project bounds".
    Be well & enjoy, all ; )

    - MJake

  6. I hadn't been speaking of currency at all, MJake. I was speaking about sim manager powers on the public grids and how content is not safe with the admin powers.

    So far, the safest grid I've found for selling content is SpotOn3D, which I'll be blogging about sometime soon.

    PS: I was ****ed off when I used the "FAIL Finger"

  7. I want a virtual world - for free
    I want a sim - for free
    I want a client - for free
    I want an asset server - for free

    I think the developers are SPOT ON by saying they are not getting involved in this type of thing. At the very end it'll just end up exactly how it was with LL and lawsuits regarding copyright.

    I believe that if you upload it then you run the risk of it being copied/stolen - if you don't want that to happen then don't upload. Simple.

  8. Insightful and valid posts all. The first I'd like to address is from Chris, with whom I've had a working relationship for a year on Reaction Grid (she's a business, I'm a customer). Chris said, "Customers with private machines with us have the ability to modify some permissions, but our clients are honourable people." I will be the first to agree that Reaction Grid is a stand-up board with an unusually high caliber of customers. However, trusting customers to be honorable is like leaving one's door unlocked because s/he lives in a "nice neighborhood". NOT a good idea.

    I have wondered about the protection policy aspect for some time. For example, grids may indeed have God Powers turned off... but that is not the only way to access sim assets. Zauber is entirely correct in saying that the entire OpenSim project has been built totally ignoring intellectual property rights and industry-standard security.

    So I have to agree with Zauber's initial post, and while I don't believe pointing a "fail finger" is apropos here... I do believe the OpenSim devs and administrators should think more carefully about what they are doing-- and approach the project with a little more professionalism. Volunteer does not equate to non-professional... especially when professionals are volunteering.

    One of Linden Lab's major flaws have been failed board security. Does OpenSim wish to travel down that same road?

    Imo, right now the OpenSim project needs to make a decision: Are you going to protect user rights to administer their own creations and block such administration to others (decent, responsible security) or do you wish to officially throw open the entire system and announce, "WARNING! Anything you create on this grid may be copied, usurped, plagiarized and otherwise stolen. Enter at your own risk!"

    Responsibility or chaos... you folks choose. Myself, I foresee a future of locked down, viable grids, and total-anarchy micro-grids (1-4 sims) that people know better than to visit and rez something.

    There is a difference between a public "for money" grid and a private sim run out of someone's home. Obviously the one run out of someone's home will have little or no viable security. If someone is going to run a grid... then they have to realize they do fall under Federal and International copyright laws unless their user charter and license CLEARLY states that all items on the grid instantly become "public domain" with now ownership rights by the end user.

    Again... responsible security or open anarchy. Either method will work, to an extent. That is a decision that will be up to not only the OpenSim core project devs... but up to grid owners as well.

    (BTW I have to agree with Zauber... saying "no one can stop pirate so DRM is absurd" is in itself an absurd statement. Zauber's illustration is quite valid: that's like leaving your car unlocked because a thief can get in anyway. That's simply not rational, common-sense thought. Just because people CAN and DO steal doesn't mean that stores still don't have shoplifting policies... or that you won't do 5 years in prison if you're caught.)

    Sometimes the best deterrent is the one instituted by Inworldz: If you are discovered breaching copyrights, you WILL be banned. Security is always about applying sufficient restriction methods-- along with significant punishment if people are stupid enough to try to bypass them. There are ALWAYS criminal elements who have no respect for the rights and properties of others. That doesn't mean we should leave our cars unlocked and make it that much easier for them.

  9. Pardon the follow up, but I do have a core question: what in the wildest weed-dreams of OS devs caused them to believe that allowing a sim owner to transfer creator and ownership rights of items not belonging to them is a viable and proper "god" power?

    Sure, it may have some very, very limited legitimate uses. Those uses are far outweighed by the potential for outright theft of property.

    Some things are simply very visibly an abuse of power. It reminds me of Linden Lab's refusal to ban copybot because "there are legitimate uses for it". Hogwash. The damage done to their board and merchants by allowing copybot far exceeded any potential "legitimate use" of what was clearly a theft-intended product... and wound up getting the company sued in Federal court as an alleged intentional accomplice to copyright infringement. Duh. That one was pretty predictable... and was something I did predict and tell them years ago. Some companies are just plain dense.

    Some powers simply should not be available, ever, to anyone. Claiming there is no 100% foolproof way of protecting things while perhaps technically accurate, denies the reality that things can be secured and protected to a degree sufficient to meet the need. Those rare individuals with the skills / lack of honor to bypass and breech those security measures can then be harshly dealt with on an individual basis.

    But in the mean time, come on people, WAKE UP and show some common sense. Computer security concepts have been around for decades, and shouldn't be set aside just because it's a virtual community. So is the Web... and people still take security precautions on their websites.

  10. The god powers in opensim, to my knowledge, are the same as the god powers held by the Lindens when they turn on admin mode. They do have some legitimate uses, such as for debugging purposes, but opensim's developers for some boneheaded reason decided to allow it to be used by region owners by default.

    And, to my knowledge, there was a period of time when the setting to disable god powers for region owners would not work.

    Not only that, but there was a bug in opensim where if a region owner turned on god powers, he would fully retain them when teleporting to regions owned by other people. I do not know if either of these bugs were fixed in opensim core or not.