[sword-devel] encryption and integrity checking.

[Kahunapule Michael Johnson]

Personally, I would like to see God's Word copied freely with no
barriers to copying, but I do like the idea of authentication with
digital signatures to detect tampering. We can do that with some texts,
but will not get legal permission to distribute some of them without
some annoyances. So, ironically, we get more permission to make more
copies of God's Word if we put some barriers in place on some of the
proprietary modules. You can argue until you are blue in the face about
the morality of men claiming ownership of God's Word, copyright laws
notwithstanding, but that line of reasoning will likely not bear fruit
with most Bible publishers. (Rejoice that we have a few Public Domain
Bible translations and permission for some proprietary copyrighted ones,
and go on within the law as much as we can.)

Open source software can do pretty much the same things that proprietary
software can do. The main difference is that one level of security by
obscurity is stripped away. Instead of decompiling and/or disassembling
the source code, you can just download the source code. Most security
experts (the ones that know what they are talking about) say that
security by obscurity is not really security. Neither proprietary nor
open source software can really do effective copy protection, also known
as digital rights management, without some unique and hack-resistant
hardware. You can make keys that are unique to a given user to unlock or
enable operation of a given item, but with any system that presents
information, be it Scripture, songs, or some mind-numbing game, the
information must be presented in some kind of useful, unencrypted form
at some point. At that point, it can be intercepted by some other
process. Anything I can see on my screen or hear in my headphones can be
copied.

Copy protection/DRM is essentially impossible to do perfectly, but it
can be done well enough to annoy and alienate massive numbers of
customers. Copy protection is very unpopular with any customers, and
unpopular with the vast majority of open source programmers. I once had
a copy of WordSearch Bible study software that I liked EXCEPT that it
forced me to do telephone "activation" many times for the same version
of software because of its attempted copy protection.

The net result is that I eventually just uninstalled the thiefware (that
which kept stealing back what I thought I bought), and bought another
more expensive, but lest restrictive, proprietary program that came with
another copy of all of the Bible translations and resources I used in
the thiefware. I still use it when I want to use resources or features I
can't find in The Sword Project. This new proprietary program has a
solid reputation with the major Bible publishers, and pretty much any
major-language Bible translation that I can read and many that I can't
read is in there. It doesn't do real DRM. It just uses a serial number
to enable the program, and unlock codes for some of the resources. I
don't know if the unlock codes are customer-unique or not, but since the
resources are fixed in the same format on all of the distribution CDs or
DVDs, there must be a non-unique key internal to the code somewhere. I
never bothered to figure it out. I just happily use the program. (It is
a Windows program, but runs under WINE on my Linux box just fine.) I
think the unlock code paradigm, is probably a good measure of the
maximum annoyance a customer will tolerate. And, you can do that in open
source software just fine. Just use Public Key cryptography. RSA has
been in the Public Domain for several years, now. Stable GPL code for
both RSA and DSA is available for free from Gnu Privacy Guard's library.
Even with an encrypted module, full source code, and the public key
embedded in the source code being available, there is not sufficient
information to decrypt a locked module. All you can do with that is
verify a digital signature on a module, locked or unlocked-- and
optionally refuse to display a non-signed module. Or maybe just display
a warning.

The unlock code for a locked module can be a unique user ID combined
with the actual unlock key, encrypted with the module librarian's
private key, and decrypted with the embedded public key. If someone
posts an unlock key, it can be traced, and the proprietary content
vendor can sue the offender.

Now, once a module is unlocked (or if it was never locked in the first
place), the text can be extracted and shared. If the text is Public
Domain, like the World English Bible, this is not a problem. It is a
good thing. If the text is a proprietary translation, it is a problem
only if the person doing the copying didn't get proper written
permission from the copyright holder, first. It is not our job to
enforce that process, but to simply properly display what the legal
status of the text is, and who to contact for permission beyond any
commonly-stated permissions (like the permission grants you often find
in the front matter of a printed Bible).

Getting parity with proprietary software by Open Source software with
respect to publisher respect is not impossible. Just hard. There are
prejudices and misconceptions to overcome. The best way to do that is to
make the best Bible study software available from any source, open or
proprietary, and to make it possible to mimic the things in successful
proprietary Bible translation software that makes it popular with the
big Bible publishers.