Builder Content

Replies to This Discussion

Permalink Reply by Doctor on August 14, 2008 at 11:39pm

I think the proper solution would be for the VRML browser developers to incorporate a public key cryptographic system (or something similar) right into their software, as well as provide the matching encryption tool for VRML authors. PGP is an open source system that should work for this purpose, and any existing tool for encryption with PGP could be used on the content files, provided that a public encryption key is provided along with the browser.
One problem with this is that every browser developer will likely provide his own public encryption key, and so only his browser would be able to decrypt and display a world file that has been encrypted using that key. (Bad news, in my opinion.)

Alternatively, one could use a single public encryption key and multiple private decryption keys, and only issue a private decryption key to a trusted developer of a VRML browser. Or perhaps a standardized vrmldecrypt.dll library could be made available to browser vendors so that they never actually see the decryption algorithm nor private decryption key. To get around the problem of someone getting a pirate copy of the dll and writing their own cracking software, the dll might have to contain some sort of activation/expiration system that allows legitimate browser developers to keep the dll operating, but make the dll of limited/temporary use to the pirate. The standardization agency that provides the dll would then have to issue renewal codes to the legitimate browser developers, and to users running recognized software. This is essentially a periodic security update that each user's VRML browser would have to download automatically using some sort of secure download protocol (i.e. like the updates of your virus scanner).
There is a decent discussion of public-key cryptography and digital
signatures on Wikipedia at http://en.wikipedia.org/wiki/Public_key_cryptography.

I would not be surprized to hear that the Web3D Consortium has some sort of encryption system in its X3D specification (or, at least, that such a system is in development).

As a temporary measure, consider the following proposal.
A VRML Proto could be created (using javascript) that can be used in a very basic wrl file to load the actual full wrl using a javascript call, thus preventing the world from appearing in a browser cache.
If the final world is actually served up from a server side PHP script then the proto could also do an initial message exchange with the PHP script to first tell the server which browser is being used to load the world. Then, the server would serve the final wrl to the user's system if that browser is in a list of recognized browsers. In this way one could, for instance, make it difficult for someone to use VRMLpad to download the final wrl.
There are ways for a crafty scripter to modify a copy of the loader proto and get the final VRML world from the PHP script, but the point of this temporary/interim measure is to make it more difficult to pirate VRML content, not to completely prevent it.
The exchange between client and server might go something like this:
1) The user loads the startup wrl file.
2) The loader proto tries to load either the final wrl file or from a web link that is a server php script (Both possibilities are made available so that the VRML author can have a choice, since some authors may not have access to a web server that supports running PHP scripts). The PHP script is called using a web link that will have a parameter string appended to it (eg. the ID string for the VRML browser).
3) The server replies by sending the wrl data for the final world, or (in the case of the PHP script) it only sends the wrl data if the supplied browser ID string is recognized.

The PHP script could also be written so that it can serve up more than one VRML world, depending on a second parameter in the URL formed by the loader proto.

Below is an example of th

▶ Reply to This

Permalink Reply by Doctor on August 15, 2008 at 12:35am

Grrrr. I hate this kind of edit box on forums.
It makes offline composition and then copy/paste very difficult.
Please ignore my last post that was cut off.

I am now going to repost my response in the form of a hyperlink to my webspace:
Please click on this link to view my post.

▶ Reply to This

Permalink Reply by Hiperia3D - Jordi R Cardona on August 15, 2008 at 5:31am

Dealing with the web browser is always a pain, because as almost of you know most of the content thieves copy the worlds from InternetExplorer's cache. Even if you use no_cache, IE copies all to its cache, and there's no way to avoid it.

X3D has binary compressed format. It makes more difficult to copy to illiterate copiers. But the final solution is like Doctor points, encryption.

In my opinion, the best option would be to use an standalone browser with encryption of contents, or just that hides the urls of the files so they remain private just for the owner.

To answer Alain's comment, I agree that watching other people's code helps learning, but there are tons of tutorials and info about how to build VRML worlds out there. Even more, there's a lot of forums, and people willing to help. And the typical horrible minimalists tutorials are often much more useful to learn than complex worlds.
And I would add that just asking to worldbuilders is a good way. Most of them will tell their "secrets" to everyone that asks, aren't they?

▶ Reply to This

Permalink Reply by fabricator on August 17, 2008 at 10:37am

Doctor said:

As a temporary measure, consider the following proposal.
A VRML Proto could be created (using javascript) that can be used in a very basic wrl file to load the actual full wrl using a javascript call, thus preventing the world from appearing in a browser cache.
If the final world is actually served up from a server side PHP script then the proto could also do an initial message exchange with the PHP script to first tell the server which browser is being used to load the world. Then, the server would serve the final wrl to the user's system if that browser is in a list of recognized browsers. In this way one could, for instance, make it difficult for someone to use VRMLpad to download the final wrl.

I've made one world that simply cannot be downloaded with vrmlpad. Relies on things like passwords and cookies.

Checking if the requesting application is a valid vrml browser doesn't work. I checked using Apache, php etc and there isn't a proper plugin name being passed. As it uses the network portion of the parent Browser, eg IE, Firefox, Opera, so you get the html brower's name instead.

▶ Reply to This

Permalink Reply by Doctor on August 18, 2008 at 9:34pm

Paul Aslin said:

I've made one world that simply cannot be downloaded with vrmlpad. Relies on things like passwords and cookies.

Can your world be loaded into the VRML browser in the same way as any other VRML world (i.e. without a special password or cookie)? I am only considering how one might make it more difficult for someone to view the VRML source for publicly enterable worlds, not worlds that are protected by a password page before the VRML can be loaded (i.e. a private world that is by invitation only).

Checking if the requesting application is a valid vrml browser doesn't work. I checked using Apache, php etc and there isn't a proper plugin name being passed. As it uses the network portion of the parent Browser, eg IE, Firefox, Opera, so you get the html brower's name instead.

When I use the proto I created and provided in my earlier post, the call to Browser.getName() returns the string "blaxxunCC3D", and not "IE7" nor "Mozilla" nor anything like that. So it is not clear to me what you are claiming about the "network portion of the parent Browser". Can you elaborate a bit more on what you did with Apache and PHP scripting?

▶ Reply to This

Permalink Reply by fabricator on August 19, 2008 at 8:50pm

Doctor said:

Paul Aslin said:

I've made one world that simply cannot be downloaded with vrmlpad. Relies on things like passwords and cookies.

Can your world be loaded into the VRML browser in the same way as any other VRML world (i.e. without a special password or cookie)? I am only considering how one might make it more difficult for someone to view the VRML source for publicly enterable worlds, not worlds that are protected by a password page before the VRML can be loaded (i.e. a private world that is by invitation only).

Checking if the requesting application is a valid vrml browser doesn't work. I checked using Apache, php etc and there isn't a proper plugin name being passed. As it uses the network portion of the parent Browser, eg IE, Firefox, Opera, so you get the html brower's name instead.

When I use the proto I created and provided in my earlier post, the call to Browser.getName() returns the string "blaxxunCC3D", and not "IE7" nor "Mozilla" nor anything like that. So it is not clear to me what you are claiming about the "network portion of the parent Browser". Can you elaborate a bit more on what you did with Apache and PHP scripting?

I mean the web server can't tell if your using IE, Contact or vrmlpad.
using php:
print $_SERVER['HTTP_USER_AGENT'];

will ALWAYS return something like:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506; Media Center PC 5.0)
Which is the header sent to the server by IE.

print $_SERVER['HTTP_REFERER'];
returns nothing, so you can't use most anti hotlinking systems either.

▶ Reply to This

Permalink Reply by mars on August 20, 2008 at 7:50am

Even if we carried out such a scheme as you suggest Doctor, there would still be a problem. that is that the browser is not the only object which contains copies of the code.
the activex control also contains all of the scene graph in nicely formatted strings, all of these are easily reconstructable into a full version of the world. an avatar simply needs to instance the world root and send it to the console.. also i keep getting the feeling that this is leading us towards something like a closed format.
Obsfication, although usually defeatable with a bit of work, can give even the most determined a seious headache. also it combines someting unique about the coder and the method, that is that both require/have special skill and have/require a degree of intelligence.
my code is often so dense that i can not read it myself, so i pity someone else trying to unscramble it.
perhaps we could develop a software which could systematically scramble code with a key. so that the coder/development team had access to it when required
the active x could have a layer of code to read this. it would be best if somehow the code logic could be scrambled in some way. perhaps with a systematic(reversible) substitution of variable names, so that x1 became y2 etc.
hm.. the problem still remains that at some point a non encypted scene graph is going to exist, a directx card memory reader could read it if nothing else.
there are other issues too, like protection of image copyright. and other media.

▶ Reply to This

Permalink Reply by Doctor on August 20, 2008 at 11:31pm

mars said:

Even if we carried out such a scheme as you suggest Doctor, there would still be a problem. that is that the browser is not the only object which contains copies of the code.
the activex control also contains all of the scene graph in nicely formatted strings, all of these are easily reconstructable into a full version of the world. an avatar simply needs to instance the world root and send it to the console.. also i keep getting the feeling that this is leading us towards something like a closed format.
Obsfication, although usually defeatable with a bit of work, can give even the most determined a seious headache. also it combines someting unique about the coder and the method, that is that both require/have special skill and have/require a degree of intelligence.
my code is often so dense that i can not read it myself, so i pity someone else trying to unscramble it.
perhaps we could develop a software which could systematically scramble code with a key. so that the coder/development team had access to it when required
the active x could have a layer of code to read this. it would be best if somehow the code logic could be scrambled in some way. perhaps with a systematic(reversible) substitution of variable names, so that x1 became y2 etc.
hm.. the problem still remains that at some point a non encypted scene graph is going to exist, a directx card memory reader could read it if nothing else.
there are other issues too, like protection of image copyright. and other media.

When I wrote a script to traverse the scene graph and recreate just some of the objects I seem to remember running into difficulties --- like not having DEF and USE appear anymore, not having PROTO and EXTERNPROTO declarations appear, and having to write a handler for every possible node encountered so that the correct fields, field values, and children, can be printed to the console correctly. It has been a while since I looked into scenegraph traversal, so I may be mistaken about these things. It just seems that such a strategy for recovering a world from the plugin scenegraph would be a lot of work, so my proto proposal would be an effective deterrent to all but the most determined and talented scripters. So as a temporary solution (i.e. until proper encryption is incorperated into the VRML-X3D specification and added into VRML browsers) I think my proposal is still a simple (yet effective) way of making things more difficult for the content pirate. Though, as you have said, it is not unbreakable.
Incidentally, all texture URLs within a world could also query the same PHP script instead of an image file directly. That way, URL requests for all VRML resources can be checked by the script and denied if the vrml browser is not recognized. Any attempt to traverse the scenegraph and get the URLs to textures, for instance, would not yield a URL to a png, gif or jpg file. Instead it would yield the URL to the PHP server script and the pirate would be forced to try and decode the loaded texture information directly out of the scenegraph (Does anyone know if it is even possible to access the bitmap of a loaded texture from within vrmlscript?).

Once again, I am defending (or, at least, trying to defend) my proto proposal as a temporary and imperfect measure that might be taken until a proper solution is implemented.

Perhaps I should just make the time to write a PHP script that does what I want, then post one of my test worlds onto my website for all of you to try and crack. I could put a few test items into my world and not tell you about a specific property about each item (i.e. What is the DEF name for the cone? What is the hidden ROUTE and how is it triggered? What text does the texture on the inner cube display if the surrounding cube were not there? What object does the IFS represent before a script node moves the verticies around to scramble it? etc.). The first person to correctly produce the missing information (i.e. that is hidden in the displayed scenegraph but easily found in the VRML source code) would win the "Crack Doc's World" contest. :)
The (prizeless) contest would give us all an idea of how easy or difficult it would be to thwart my proto+PHP idea.
What do people think of this idea? A waste of time? A fun exercise for everyone?

Thank you, everyone, for the comments.

▶ Reply to This

Permalink Reply by mars on August 21, 2008 at 12:21pm

I think your's is a great idea Doctor, I can see it becoming the principle way in which such issues are handled, until, as you say, a solution hard written into the browser comes about.
I am suggesting that, not only should we deal with this by using your proto, but that we also include other tactics which bolster the defence. if i seemed to criticize then it was only to assist in identifying potential problems or weaknesses.
you are right that protos become lost in the scene graph, as do def names for nodes generated by scripts, however pretty much everything else remains, protos become full instanced versions inside other nodes and worse, script nodes are complete and unaltered. which is why something like a systemized/reversible obsfucation might be useful too.

▶ Reply to This

Permalink Reply by mars on August 21, 2008 at 1:02pm

btw
great idea about a contest to crack your code Doctor :)

▶ Reply to This

Permalink Reply by alain on August 24, 2008 at 12:43pm

mars said:

btw
great idea about a contest to crack your code Doctor :)

LOLLOL , count on me ! ahahah , btw :)

▶ Reply to This

Permalink Reply by alain on August 24, 2008 at 1:24pm

well ...more seriously

( because I have great respect for this group
- and indeed I am only an amateur playing with vrml )

I thought about all that since ages , and more recently since that topic LOL ,

and I had been in that trip :


Citation:

about

" asking to worldbuilders is a good way. Most of them will tell their "secrets" to

everyone that asks, aren't they?"


what I saw is that the best ones always told me " go on , the show must go on " ,
and some others , a few ...hum ...had crisis for a chair LOL


And to stay a bit off the topic LOL .

I add that : I made that months ago


http://pagesperso-orange.fr/alaindumenieu/artvrml/041007.htm

and I added that just now :

http://pagesperso-orange.fr/alaindumenieu/artvrml/250908.htm

But .. no controversy .. I agree to protect all artists
( most of all against sharks who made money with )
and I am not an "authorized" guy , just liking reading you
( and your good arguments )


....


btw I had fun to add that last one recently , on my artvrml pages :

http://pagesperso-orange.fr/alaindumenieu/artvrml/021008.htm


well ...I continued to think about all these Levine or Duchamp stuff etc ..

Of course it is not a right way to "answer" about protecting artwork ..

I dont agree with stealing suff and hacking it , of course ,
..so ..I tought that now :

why this question is so relative to numeric art when it is less to painting ?

1 - may be it is more easy to stole a stuff from caches ..
2 - numeric art is more young and has less protections ( ? )
3 - on the other hand the copyright stuff had been developed , and we know creative
commons etc ..
4 -many artists lives from web art stuff now , even if I saw that they had to go in

the real galleries too ...
The reasons are not only money ..
( Chatonsky and others )

So .. my question is :

Is the web , as it is more young than art painting , is the web
more "far west" , AND / OR , more shy about "recreation " ?


for "recreation " , take a look at my 3 links plz

▶ Reply to This

▶ Reply to This

• First
• Previous
• Next
• Last