Why Hypergrid to Go?

Ancient history

Back in September 2010, I had some fun creating Hypergrid to Go. It is essentially a Linux virtual machine (or live disk, or installer, depending on your choice of download) with a hypergrid-enabled copy of OpenSim's Diva distro. You launch it in a hypervisor like VirtualBox (freely available for Windows, Mac and Linux) or VMware Player (or boot from the live disk, a USB stick or hard drive), start OpenSim, and are ready to go (hence the name). Out of the box, it features a large island with plenty of content and an even larger, well-structured inventory. A few more clicks on its graphical user interface configure OpenSim's network connections and get you onto the hypergrid, where it's freebie mall galore. It is all very easy.

Also in September 2010 (only a few days after I made Hypergrid to Go public, as far as I can tell from this), the well known and prolific virtual world enthusiast David René Miller (a.k.a. Ener Hax — René backwards, I guess) released Sim-on-a-Stick, consisting of the Diva distro on a portable WAMP (Windows-Apache-MySQL-PHP) stack. Like Hypergrid to Go, it is free to download and use. Unlike Hypergrid to Go, it only works on Windows, does not include additional tools like Radegast and phpMyAdmin, does not let visitors connect from other computers, and only provides the minimal content offered by the Diva distro. With Sim-on-a-Stick, you start out as a Ruth standing on a square, flat island, empty apart from a bucketful of gold coins (!). There is no hypergrid connectivity (although hacks around this limitation have been noted), so the only way to get more content is to make it yourself or import it from archive files.

Sim-on-a-Stick: first login
Sim-on-a-Stick: first login
Sim-on-a-Stick: square, flat and empty
Sim-on-a-Stick: square, flat and empty

Hypergrid to Go and Sim-on-a-Stick both did well, each in its own way. Hypergrid to Go accomplished what I created it to do. Sim-on-a-Stick racked up an impressive download count (more than 40,000 as of September 2014, according to its site). As it gained traction, I started noting frequent mention of it on Hypergrid Business, but saw little reason to look closer. It clearly only did a small fraction of what Hypergrid to Go does, and its relative popularity was easy enough to understand:

So no mystery there, and no reason to try Sim-on-a-Stick myself.

What finally made me look was this article on Hypergrid Business, which once again recommends Sim-on-a-Stick to anybody matching this description:

I want to create a small, free virtual world for myself or my friends
It contains some technical inaccuracies (Sim-on-a-Stick won't get you onto the hypergrid as is, and the Diva distro is not a "mini-grid"; it's a standalone configuration) but that's par for the course, and my eyebrows only started climbing after I followed the link to simonastick.com, which promises
OpenSimulator 0.8 - running with its own isolated instances of MySQL, Apache, and PHP for Windows
That would be quite a feat in only 108 MB, so I downloaded Sim-on-a-Stick looking forward to some serious technological illumination.

Alas, it was not to be.


What I found

There is nothing "isolated" about Sim-on-a-Stick. It runs MySQL 5.5.8.0 (from 2010) and the Apache web server (2.2.11.0, from 2009) with PHP (5.3.5.0, from 2011) right on Windows, with the same level of access to the PC as the user. The only discernible reason it even includes Apache and PHP is that they are part of MoWeS, short for "Modular Webserver System", to which Miller simply added the Diva distro. OpenSim does not use them, and there is nothing else in Sim-on-a-Stick which uses them, either.

Sim-on-a-Stick: MoWeS user interface
Sim-on-a-Stick: MoWeS user interface

Are you curious about MoWeS? I was too after I saw its main window pop up with a manifestly broken "Information" box (no information there, just markup tags). Clicking "About" rewarded me with an oddly sloppy text claiming that MoWeS is open source software (OSS) distributed under the GNU General Public License (GPL), but offering no indication as to how the source code might be obtained (a fundamental GPL requirement). Checking the usual OSS sites (GitHub, BitBucket, Gitorious, Google Code, SourceForge) only turns up an inactive repository without any files and a link to CH Software, where the visitor is informed (in German) that the company stopped trading on November 7, 2012. Clicking "Help" in MoWeS takes you to a page on the same site, with links to MoWeS downloads, forum and wiki, all redirected to the same notice.

The company may be defunct, but MoWeS still tries to call home and report your language settings ("chsoftware.net/feedback.php?a=status&l=English" in my case) every time you launch it, presumably to collect usage statistics. There is no mention of this (or of ways to prevent it) in the documentation.

A little more digging reveals that MoWeS was written by German developer Cornelius Herzog (the "CH" in "CH Software") in (hold on to your hat) Visual Basic 6 (VB6), released back in 1998. Microsoft dropped support for the VB6 development environment in 2008; Windows XP, also unsupported since April 2014, was the last operating system which would run it. So even if you could somehow get your hands on the MoWeS source code, you would have to resurrect a bunch of other dead software before you could actually do anything with it.

Maybe you subscribe to the view that Microsoft will have to keep supporting the VB6 runtime ("the un-killable cockroach") on Windows 9 Windows 10 and beyond due to the sheer amount of legacy software like MoWeS which still depends on it. But good luck fixing any security vulnerabilities or other bugs.

Summing up, Sim-on-a-Stick is based on a piece of de facto closed source VB6 zombieware which unnecessarily runs a very old version of the Apache web server with many known vulnerabilities, plus an old version of the PHP interpreter with even more vulnerabilities. It also runs a MySQL server (which, unlike Apache and PHP, is actually used by OpenSim), but it is, again, an old version full of known security holes. Finally, it runs OpenSim, which only gets a small fraction of the attention to security enjoyed by more mature and widely deployed software (just to give you an idea, it stores unencrypted passwords in plain text files). Contrary to its claim of "isolation", Sim-on-a-Stick does all this with the same level of access to the PC as the user, directly exposing Windows to any exploitable vulnerabilities in MoWeS, Apache, PHP, MySQL and OpenSim.

In contrast, Hypergrid to Go is based on current software (with online update support) and includes a firewall which, by default, only lets through OpenSim server traffic (plus outgoing Windows network and web connections). It is most conveniently run as a virtual machine, i.e. inside a real isolated environment created by the hypervisor of your choice (personally, I like VirtualBox, a mature, actively maintained and frequently updated OSS project depended on by millions). This way, even if an attacker or a piece of malware were to get into Hypergrid to Go, only the virtual machine would be compromised; it would take another, most likely far greater effort on the attacker's side to gain access to your PC from within the hypervisor sandbox. Such feats are not entirely unheard of, but they are few and far between, and a lot harder to pull off than simply exploiting a known vulnerability in a server which hasn't been patched since 2009.


Conclusion

Even if you do not care about the cross-platform availability, the elegant user interface, the easy setup, the hypergrid access, the huge curated asset database and the large island full of sights and surprises which you get with Hypergrid to Go, I still think you should choose it over something like Sim-on-a-Stick. Because unlike the latter, Hypergrid to Go runs in a virtual box, and what you put there can be trusted to stay there.

Try Hypergrid to Go now!

(Yes, it's free.)

Tommy Anderberg
September 27, 2014
Updated September 30, 2014