[bt-devel] NET Bible Unlock Bug
Troy A. Griffitts
scribe at crosswire.org
Thu Sep 27 10:40:25 MST 2007
This issue is partly a decision we made in the SWORD engine. It was
never our intent to allow automated determination if an unlock key was
correct. This was to avoid brute force cracking of keys. In the
Windows frontend, we allow the user to type in their key; we use the key
to decipher a couple verses and display for them and ask them if they
would like to continue to use this key. Basically, in the frontend, if
there is a key present, we assume that the module has been unlocked.
There are a number of flaws to this protection; as Martin has shown, it
is fairly easy to determine a likely success programmatically by
checking for mostly printable chars.
Jeremy Erickson wrote:
> As I posted on the wiki, I found a bug in the port of BibleTime to KDE 4
> which it turns out is also present in the current KDE 3 version. When I
> start BibleTime, it prints a message, "WARNING: Unlock key of module NET is
> not valid." However, it is nonetheless possible to use the module as if
> there was no problem. I found out that the message is being printed from
> line 178 in src/backend/drivers/cswordmoduleinfo.cpp when it encounters a
> nonprinting character in the text of Genesis 1. It does in fact decrypt the
> text properly, but some Hebrew characters (the name "Elohim" in footnote 2 of
> 1:1) are represented improperly in the QString and as such test as
> nonprinting characters. This causes the test for a proper unlocking to fail.
> I think the root cause is using fromLatin1() when the text itself was not
> encoded in Latin 1. Would there be a simple fix to make sure the text
> encoding is handled properly? I think this would be sufficient to fix the
> bug. Alternatively, would there be a cleaner way to check for unlocking?
>
> -Jeremy Erickson
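Added example (not code from BibleTime or SWORD, and not written by either poster): a Python model of the printable-character check discussed in the thread, run over the same bytes decoded as Latin-1 and as UTF-8. It assumes the module text is UTF-8; the sample text and the function names are constructed for illustration.

```python
import unicodedata

# Constructed sample (not taken from the NET module): a footnote fragment
# containing the pointed Hebrew name "Elohim", stored as UTF-8 bytes.
SAMPLE = ("1:1 God (Heb. "
          "\u05d0\u05b1\u05dc\u05b9\u05d4\u05b4\u05d9\u05dd"
          ") created").encode("utf-8")


def nonprinting(text):
    """Return (code point, Unicode category) for each non-printing character."""
    return [(f"U+{ord(c):04X}", unicodedata.category(c))
            for c in text
            if not (c.isprintable() or c in "\n\t")]


def passes_printable_check(raw, encoding):
    """Hypothetical model of the frontend test: decode the deciphered bytes,
    then warn if any character is non-printing."""
    try:
        text = raw.decode(encoding)
    except UnicodeDecodeError:
        # Bytes that are not valid in the chosen encoding also fail the check.
        return False, []
    bad = nonprinting(text)
    return (not bad), bad


if __name__ == "__main__":
    for enc in ("latin-1", "utf-8"):
        ok, bad = passes_printable_check(SAMPLE, enc)
        print(f"{enc:8s} passes={ok} non-printing={bad}")
```

Each Hebrew letter is two UTF-8 bytes whose second byte falls in 0x80-0x9F; read as Latin-1, that byte becomes a C1 control character, so correctly deciphered text triggers the warning.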