Developer Update - 14 September 2023

I assumed it’s because every single one goes to a public instance and many people don’t feel like going into public instances. I have never once gone into a static portal I don’t think. I end up just searching for the world and spawning my own portal.

I am really not a fan of security through obscurity, but given the circumstances of how VRChat works, I honestly don’t even have a better suggestion.

I hope this can be released ASAP. I hate having to run robots in dense instances. I feel like impostors (assuming you can set them as a per-avatar fallback + quest avatar) will revolutionize VRChat. I hope to only need to use robots on bad actors.

Tupper has explained time and time again: If you can decrypt it locally, there is zero point in encryption because people can easily find out how to decrypt them manually. Encryption only works for P2P stuff. If everyone has a key to your door, your door doesn’t have a lock.

I know someone mentioned the ability to block avatars from being seen by other users. But will anyone use VRChat if everyone is just a robot or fallback?

As long as the game is on Unity, it will be easy. There are generic tools that work on every single Unity game.

Until people get past EAC (which happens daily and is VERY easy) and figure out how/what keys are used to decrypt and they can just decrypt it anyways.

Can people seriously stop talking about encryption? That topic has been beaten to death and will not solve the problem at all.

3 Likes

Implementing asset encryption on Unity needs to consider issues caused by performance and memory copying, and Unity is not open source, so you can’t change the dll as you like.

In addition, it cannot be completely prevented, only made more difficult. It is impossible to expect to solve the problem so easily.

This is a dynamic process, as long as it doesn’t hurt ordinary players.

1 Like

You need to file a copyright takedown with VRChat: Copyright — VRChat

Takedown Notice. If you have an intellectual property rights-related complaint about material posted on the Service, you may send a Takedown Notice by filling out our form at forms.gle/3wxhvxbLVfousTCKA.

The rest of that section details what to include in order to file the takedown.

Encryption could still help make it more difficult but it would require decrypting content on the fly, and securing the memory it’s in enough, quite possibly through additional anti-cheat changes, in such a way that it’s at very least more difficult to capture.

It’d also require hard coding the decryption key in the client, and server side encryption of assets, as well as obfuscation in code to make the decryption key difficult to obtain, and allowing the key to be updated with the client in the event the key is cracked.

It could still provide a pretty high level of friction, but it would require a dedicated effort, and would risk upsetting the player base with heavier handed anti-cheat.

Well here is what I was thinking.
We know that VRChat uses assetbundles which are encrypted in LZMA. We also know that VRChat has a part of their server that will immediately ban users if it detects a malicious user is accessing it outside of the Client (known as Photon).
So what if only a specific amount of the avatar/world asset bundles were handed over to the client to download and store and the rest is stored on the server. Then internally, after the client recognizes it has the partial file in its cache, it asks the server for the rest of the hash and the points in memory it has to inject before it gets sent to load. Once in memory, it becomes much harder to rip (still possible, but annoying). And if they wouldn’t mind it being volatile, they could pop it out of memory after it is successfully loaded into the scene.
This would leave the malicious user two options:
Hook to the point it gets loaded into memory as a full assetbundle, and save it.
-or-
Find a way to lie to Photon and cache the fill-in parts.

Alas, I am not a VRChat Developer, so I don’t really know where the limit will lie… I am sure there is a huge hardware limit stopping my suggestion, but we hit a point where we just want something to prevent someone from simply getting it from cache.

Can anything be done about those sites with avatar files?
Will ripping be more difficult in and out of game? Like cached files.

Compression is data dependent, otherwise it cannot be compressed.
And being quite fragmented will lead to increased IO pressure to a certain extent, reducing the sequential speed to 4K speed, although it is no problem for currently common SSDs.
Secondly, the shredding of files must be processed before uploading, which will cause some problems. Many changes must be made to Unity’s packaging compression mechanism, and some features and implementations may be added to it, which will lead to C# in the SDK. After being exposed, I only need to easily use tools to quickly check the design, so a lot of detection methods can be added for crackers, although they may be very primitive and difficult to use.

The biggest problem is that the CDN on the Internet is under greater pressure and the hit rate is lower, which results in downloads that may not be as stable and fast and puts greater pressure on the source server. The cost will be higher, and the implementation may be unstable.

2 Likes

In VRChat SDK 3.3.0, it seems that if I do not check “Compress Assets on Import” in the Unity preferences, it is treated as uncompressed, is this a specification?
This is not a project setting and therefore affects other projects and is inconvenient.

“Security by obscurity” is a thing… and historically it never really worked that well.

s u s

2 Likes

I’m really interested in the “Impostors” feature.
A question about it: which state of the avatar does it use to generate an impostor (i.e. default toggles and blendshape values)?
As an extreme example, some people that have NSFW-features on their avatars might have “naughty bits” toggled ON or have their clothes OFF by default.
What is going to happen then?

1 Like

For the portal bit, I really just wish the static world portals would be set to the privacy level of the instance they are in. Friends world, all friends portals. Or make it so we can click on a portal to reinstantiate it by its world info page popping up as if you’d searched for it.

1 Like

Ideally you generate your impostor and look at it before using it. I’m pretty sure most people with NSFW avatars are willing to use a different avatar at times.

1 Like

I was more hoping we’d be given the ability to set up our avatar first, before generating an impostor.
As an example, I might be using an avatar with specific customization (blendshapes, colours, etc.) and I want my impostor to look like that, and not like the default avatar.

In the developer update of the 30th March, you mentioned an update related to player colliders for remote players: Developer Update - 30 March 2023

Any updates about this? Since March a few people noticed that issue and I had to explain to them how player colliders work for remote players.

  • I wouldn’t say avatar ripping harms the overall community much at all frankly. Maybe upsets individuals.

Ripping worlds is impractical because the scripts all break, so there’s not much to worry about in that respect… As far as avatars, it’s very rare for someone to use a ripped avatar maliciously or to defame. Any time I’ve seen it over the years has just been for personal enjoyment (which if in public domain can be argued as fair use) or “haha look at me I have x’s avatar!” and then they get bored pretty quick.

The only “harm” really is just individuals who have their avatars ripped have chosen themselves to personally be upset by it because they are morally opposed to it happening. I always give the advice to just accept it or consider it flattery if it happens. And honestly, if people are taking stuff, reversing it, and learning from it, that benefits everyone because it marches progress (and is legal in the US as fair use until valid DMCAs are filed). — Also, ripping someone’s recoloured booth model is not pirating that person’s avatar, it’s pirating the booth model, as that person does not have any legal copyrights to that avatar.

That’s just how I feel about this, and while I understand trying to reduce it happening, there are some systems like DexProtect that DO work and do make your avatar indescribably impractical to rip, for individuals that are paranoid enough to want a hardcore safety system… It’s usually better for everyone’s and the community’s health if we just try to ignore it instead of making it a competition.

Avatar ripping is already nowhere near what it was in like 2018/2019, because most of the “gang” stuff settled down and people got bored and the clout became less relevant (and less crasher avatars to steal). Which leads me to wanting to add, that the less value put into it, the less taboo and challenging and rebellious it is perceived as, the less appeal there will be to even bother trying.


  • What about Avatar Recovery?

As a final note, there is something that is an issue that does happen as a cost of implementing more strictness to supposedly reduce avatar theft, and that is that avatar recovery has become increasingly difficult and risky to undertake. Avatar recovery is important. Many people lose their files or their drives die or something, and having a way to recover assets in worst cases is a big deal.

2 Likes

I don’t want to be alarming, but Unity is currently being boycotted by everyone. Unity is backstabbing everyone. I am already questioning myself if I should continue creating worlds and avatars for VRChat? Is it worth developing for VRChat considering that Unity might die soon? One thing is sure, if Unity dies, VRChat will die too. And I know that people will tell me something like “Unity isn’t gonna die…” Yea? Go outside of your VRChat bubble and inform yourself. Yet Unity is currently in really big trouble.

Unity isn’t going to die lol (it’s extremely unlikely), but it is turbulence to watch over the progress of, and it may affect how VRChat is monetized in the future. Having gone over the actual pricing, it’s not THAT egregious, the main issue is the change of policy without consent, but there might be legal backlash due to extraneous details regarding the situation.

I have been going over this situation with a fine-tooth comb with many technically inclined individuals, and will even be talking to a Unity employee about it, it’s been blown out of proportion due to misinformation and Unity’s own horrendous conveyance of info… not saying it’s good, but it’s not as bad as people make it out to be.

People SHOULD continue to boycott and protest the change, but it’s not an apocalypse.

I highly agree. The platform that will not be named is only supported by a bunch of script kiddies who have no idea what they’re doing. Once you make the skill floor to rip something too high and it takes more than a few clicks to do it, they’re done. The amount of content being stolen will drop dramatically, the webhosting costs will incur losses, their platform dies. Love to see it.

Wait, I thought this was already out! Are you telling me it’s not?!