Someone is in my Computer – How *Not* to Properly Secure your VR Server

January 9, 2017

A few days ago, between sniffling, sneezing, and attempting to nap away a pretty nasty cold, I was spending some time working on my home-away-from-the-physical-world that I’m building using High Fidelity when something quite literally out of my imagination happened. It was very clearly a scenario where the “problem was between the chair and monitor” – my mistake – and I immediately found the situation hilarious, if not a bit out of a science fiction novel.

Allow me to set the scene.

In the High Fidelity interface, you can switch between VR and non-VR mode, so I had changed to a traditional desktop window to switch in and out of the editor while I was also looking for new models to use in my domain. Since I had my sandbox running, my VR home was accessible to the outside world, but I (thought I) had set up my server to only allow people I had added to my friend list to join me. Besides, I hadn’t shared my domain or my IP address with anyone, so I was pretty confident that I was alone in my corner of the metaverse…

Until I turned my avatar around and saw someone else’s avatar standing in the middle of my empty virtual house!

A few things that I had going for me that made this drop from a nightmare-inducing level to “moderately traumatizing” in terms of my personal space being visited:

  • I was not in my headset. I can’t even imagine how terrifying it would be to literally look over your shoulder to another human-like being in what you thought was a private space. It was startling enough just in the 2D window I had open.
  • I keep my microphone muted in social VR experiences until I’m actively talking to someone, so the visitor wasn’t likely to be hearing anything other than the reassuring ocean music I have playing in my VR home.
  • I knew that it was my fault, because I had tried to get a friend to hang out with me in High Fidelity a few weeks ago, and had opened up the server to other people coming in.
  • My volume was muted, so if the other person had been talking to me, I missed it entirely.

Generally, my primary VR-server-security strategy was taken care of by me simply turning off my home server when I wasn’t using it, and it didn’t occur to me until this incident that I should a) really start building up my friends list (and paying attention to who I added to it), and b) actually confirm that my security settings were what I thought they were.

Sure enough, when I logged into the server in the browser to check my settings, I had checked “Any connected user” as having visit rights to my server. I had also forgotten that High Fidelity has a list of online users, and I had set myself to appear on that list so that anyone could move around the metaverse by going to wherever I was – so not having the IP address or domain name didn’t matter, I was still visible in the world. Oops.

It was a matter of a single check box and the stranger vanished – and oddly, what I walked away with was a sense of mild vulnerability, but also, interestingly enough, the feeling that me panicking and disconnecting my server was actually rude of me!

Across the industry, we’ve only touched the very tip of the iceberg in terms of our understanding of VR’s relationship to our social psychology, and to me, this whole event was a truly hallmark example of a series of emotions that I could only really ever achieve in a virtual world. Looking at the list of people online at the time, I suspect that the person who came to visit was actually one of the two people that I know AFK, but my emotional response was strikingly similar to the sensation of being snuck up on while engrossed in a task.

The first level of novelty that virtual reality applications provide is the level where you get to experience something that is physically impossible, like a roller coaster through Jurassic Park. The second level of that novelty is getting to create something that is physically impossible, like a pet made out of lightning that responds to sound in TiltBrush – but the true hallmark of the power VR has is when an experience allows you to feel new combinations of emotions that previously didn’t exist in your life.

In this experience, I felt a rush of adrenaline paired with guilt that I hadn’t properly set up my server, rudeness in how I responded, excessive humor and delight over a harmless, yet incredibly futuristic-feeling interaction, as well as pride when I fixed the security settings – all in the time frame of about 60 seconds. It was a tiny, universally insignificant event, but to me, the idea of someone out there, visiting the metaverse, stumbling upon a mostly-empty virtual space, and giving me an incredibly memorable event – that’s what keeps me coming back. That’s what keeps me so optimistic and excited at the opportunity to connect with people, and to truly redefine the definition of possible and the human experience.

