Posted December 31, 2014
llirium: Being relatively inexperienced with hash checking methods, is there anything else I could do in a non-technical sense?
Could you clarify that first part? I'm not really sure which possible interpretation of "Being relatively inexperienced with hash checking methods" is applicable here. As for the second part, do you feel up to looking through what I've written, both here and on the reddit thread and then finding and responding to the simpler, more obvious inaccuracies in blog posts and news posts as the news spreads?
1. Point out that RAR encryption has nothing to do with catching corruption. Garbage in, garbage out. The CRC32 or BLAKE2 hashes catch corruption and they function the same with or without a password. (UnRAR doesn't know whether the output of the decrypt phase is gibberish. Decryption just converts one bag of bytes into another. The only way you know you have the right password is if the result makes sense and that's the job of the hashes. The only reason you need a password before you can try to extract is that, unlike Zip, RAR also encrypts the table of contents to hide any incriminating filenames.)
2. Point out that RAR encryption is worthless at protecting against malware being added because it's symmetric crypto, which means that the key you use to unpack it is also the key GOG used to create it and, thus, the key crooks need to add malware.
3. Point out that, even for Windows users, there are perfectly valid uses for unpacking the RARs without running the installer. (Like playing enhanced Duke Nukem 3D or Dungeon Keeper via EDuke32 and KeeperFX without having to install the game just so you can copy some files out and then run the uninstaller.)
4. Point out that circumventing the restriction doesn't change what it is. (Just like how a crack doesn't retroactively make always-online DRM no longer DRM.)
5. Point out that this kind of "artificially vendor-added (Digital) Restriction on what paying customers can do" meets the definition of DRM given in that quote by TheEnigmaticT (who was speaking on behalf of GOG's official position)... especially since it's a great candidate for being stripped from pirate releases. (Also a good indicator of DRM.)
6. Point out that what Gowor claims to want are digital versions of tamper-resistant screwheads (like on the Game Boy Advance and GameCube) and holographic, tamper-evident warranty seals, and there are proper, well-understood ways to get that in the digital world which are quite distinct from RAR encryption.
UPDATE: As Rixasha said, point out that, in some parts of the world, copyright law bans bypassing restrictive measures, no matter how trivial, and that could scare off people who want to automate unpacking the RARs. (It's far too likely that, in the legal world, a RAR password would be seen as a restrictive measure by default, while a "customized" RAR header or something else similar wouldn't. Everyone knows lawyers are subject to human failings... they can just ruin your life if they make a mistake.)
...and feel free to PM me if there are places you think I should come in as a knowledgeable party.
Post edited December 31, 2014 by ssokolow
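Points 1 and 2 of the post above, as an added example that is not part of the original post: a simplified archive layout shows that decryption never reports an error by itself, that the checksum is what catches damage, and that anyone holding the shared password can repack altered content that still verifies. The layout (a toy SHA-256 keystream cipher standing in for RAR's cipher, plus a CRC32 of the payload) is an assumption and is not the real RAR format; all function names and sample values are constructed.

```python
import hashlib
import zlib

def keystream_xor(password: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 keystream); the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(password + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def pack(password: bytes, payload: bytes) -> bytes:
    """Archive = encrypt(payload || CRC32(payload)); the password is the only secret."""
    crc = zlib.crc32(payload).to_bytes(4, "big")
    return keystream_xor(password, payload + crc)

def unpack(password: bytes, archive: bytes):
    """Return (payload, crc_ok). Decryption always 'succeeds'; only the CRC judges."""
    plain = keystream_xor(password, archive)
    payload, crc = plain[:-4], plain[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "big") == crc

def repack_with_changes(password: bytes, archive: bytes, extra: bytes) -> bytes:
    """What any holder of the shared password can do: unpack, alter, repack."""
    payload, _ = unpack(password, archive)
    return pack(password, payload + extra)

PASSWORD = b"constructed-shared-password"          # constructed sample value
ORIGINAL = b"installer data (constructed sample)"  # constructed sample value

def demo():
    archive = pack(PASSWORD, ORIGINAL)
    damaged = bytearray(archive)
    damaged[3] ^= 0x01  # one bit flipped in storage or transit
    altered = repack_with_changes(PASSWORD, archive, b" + added bytes")
    return {
        "right_password": unpack(PASSWORD, archive),
        "wrong_password": unpack(b"not the password", archive),
        "bit_flip": unpack(PASSWORD, bytes(damaged)),
        "repacked_by_key_holder": unpack(PASSWORD, altered),
    }

if __name__ == "__main__":
    for case, (payload, crc_ok) in demo().items():
        print(f"{case:24} crc_ok={crc_ok} payload={payload!r}")
```

The repacked archive is indistinguishable from a legitimate one to anyone checking with the shared password, which is the gap that a publisher signature made with a private key, as point 6 alludes to, is meant to close.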