VRChat models are insecure, unencrypted and you can download anyone's model!!!
tracked
OneVoltTen
VRChat developers have ignored model copyright and basic protection for years now. Any model can easily be downloaded, they have absolute disregard towards basic encryption. Several unpatched exploits exist to completely download unity packages for models files. This should strictly not be allowed, the VRChat developers have turned a blind eye to this practice and expected model developers to obfuscate (CATS tool) to fix this issue as they've ignored it for years now, a complete disregard towards this has led to models being stolen and misused.
Log In
PDB
misused how?
ni1chigo2115
Protecting avatar and world asset assets protects the opportunity to use expensive assets in sandbox games.
If nothing is done to protect them and they can be grabbed and taken as much as they want, then of course some assets will be considered file-sharing tools on VRChat and their use will be banned.
That would just mean fewer assets available on the sandbox game.
If only avatars, or even world assets, are banned, the number of things you can do will be greatly reduced.
Even though it can be used as a VRChat sandbox, it is not a file sharing tool.
I think it is one revolution as a sandbox to be able to bring in assets without sharing files with your partner in the sandbox.
(There are many avatar assets that cannot be used in GMod because of this. Having to share files with the other party means that it is difficult to maintain your own unique looking identity, and if you want to introduce an avatar and make a statement, you have to buy and introduce paid assets for each other's target).
BΣBΛ
Isn't everyone in the game that make models using assets from eachother? Isn't vrchat a sandbox ??
BΣBΛ
is this canon
T̷I̷M̷E̷
last time I checked, this was a sandbox game that advertises the ability to be creative. The few people who feel entitled to create a business in a sandbox game are the problem.
Any person I come across who is wearing an avatar of mine without paying, gets a free coupon so they can receive updates. In the rare chance that I see someone in a screwed up ripped version of my personal avatar, I'll help them, teach them, or make them something cooler. More chances to be creative. Why would I shit on someone who clearly liked what I made?
I don't think making the game worse, so we can protect IP is the right choice. We were all creative in this game before anyone had the idea to start selling their work.
This canny post is all over the place, how is this even being tracked when it states multiple problems? FYI you don't need an exploit to download a vrca, it's already on your computer, unencrypted, because that's what is best for the rest of us who are busy being social in a social sandbox game.
For real go play the Facebook VR game if you want this. It is completely sterile. If you are scared to go to a public world because someone might "steal" (copy) your personal avatar, get a life.
Shiro K
Oh nice - this canny is finally marked as tracked :-) Here some ideas, how ripping could be prevented. And I am sure, they are not all new...
As I understand, R
pp
rSt*** works this way: A background process scans your harddisk for vrca-files (maybe also vrcw-files) and uploads them to RS. So - as soon someone loads your avatar, it is potentially on RS few seconds after. Some solutions which could defeat that:1) During upload the avatar in Unity, simply encrypt the vrca-file with a random key (e.g. encrypted zip). Store the key somewhere safely on the VRC servers. When a user is downloading the vrca-file and it will be sent to RS, it is usless for them, because the key is unknown. In runtime, the VRChat client should get the key from the servers and decrypt the vrca-file and load it's content, without storing the decrypted content or key to disk.
2) Instead to save every vrca-file to disk, store them in an temporary created encrypted database as BLOB (or whatever similar solution, e.g. encrypted file system). The key of this database can be created on begin of every session. When the session has ended, the database can be deleted/flushed. This way, a background process has no chance to access the vrca files.
3) Simply do NOT download vrca-files, as long a user gives not a permission to another user. This could be done by the user menu. Point on a user a select something like "disallow see my avatar", "allow see my avatar during this session", "allow see my avatar permanent". Someone which is not allowed will see the standard fallback avatar and will not get the vrca-file. The first option should be the default for private avatars. (Maybe allow an option to disable that, if someone doesn't care about ripping).
4) I dont know, if someone can simply download a vrca-file from backend without any authentication. If no authentication is needed, the vrca-file should be encrypted by default (by the way vrcw-files too).
I know, there are probably many other ways to get avatar data. But get a vrca-file is almost as easy as get an unity package of an avatar. Everything needed for a illegal copy is contained in it. It is so simple to encrypt this file or suppress the download of it. And it would immediately stop RS from getting data for free.
I wish, I could visit public worlds with a private avatar and can be safe, that no one can rip it. In my opinion, it's not important, that all users see my avatar. I want only allow users see my avatar, which I trust (and I trust not all my friends in the list).
Scout - VRChat Head of Quality Assurance
tracked
✩Frisk✩
This Idea will slow it down or mitigate some but still can happen
ni1chigo2115
Players accustomed to creating their own private avatars will no longer go to Public to defend themselves against theft.
I think that improving avatar security is something that is desperately needed in order for people to feel safe coming to Public.
Akaa
if AAA game studios cant stop people ripping from their games with custom engines what exactly are you expecting a game based in unity to do..?
Load More
→