As some of you are undoubtedly aware by now, there was a recent debacle where a nefarious individual on the Steam Workshop uploaded several mods from Skyrim Nexus and tried to claim them as her own. The modding community responded swiftly and, thanks to the efforts of both the community and moderators at these forums and at Valve, the (immediate) issue was resolved.
I became aware of the resulting theft while reading the forums, and one of my first thoughts was: How do we, as a community, prevent this from happening in the future?
I first thought about how to combat mod theft from a scripting perspective and performed research on methods that software companies use to prevent theft of their source code. While there are several potential methods to embed digital signatures within Java byte-code, I was unable to find anything that would be a similar solution for Papyrus code. Thus I began looking for other ways to prevent mod theft.
This write-up will explore several related issues that surround trying to protect intellectual property, insofar as this impacts the modding community. It is my assumption that modders wish to see their work credited to them and not stolen by others - this thread is not meant to be a discussion of whether a mod can be "stolen" or not, or a discussion regarding the legality of such.
I will try to write this with the non-modder in mind. However, there will be times where I use terms and concepts that may not be familiar to the average mod user (or those not versed in cryptography). I will try to define terms as necessary in order to facilitate a discussion between modders and mod users.
I have had an interest in cryptography and steganography for several years – I have even gone so far as to create several hand-ciphers (cryptography that can be performed by hand with pencil and paper). While I am certainly no expert on the mathematics that goes into 'real' cryptography, I have a good understanding of what can be accomplished.
1. Definitions
Cryptography - The practice and implementation of secure communications between two parties while in the presence of others.
Steganography - The use of 'cover' material to hide the existence of sensitive information. Can be combined with cryptography to ensure the sensitive data is not read if the use of steganography is detected.
Public-key cryptography - This is a variant of standard cryptography. It is typically implemented using what are known as key-pairs. These key-pairs are linked via mathematical functions so that information that is encrypted by one 'key' can only be decrypted by the other paired 'key'. One key is kept secret (the private key) while the other key is distributed (the public key). Information encrypted with the private key can only be decrypted with the public key, thus (assuming the private key has not been stolen and the two keys are understood to be linked) ensuring that the information came from the owner of the private key. This is the principle behind a digital signature.
2. Scope
The method I will outline here will not prevent mod theft. It will simply make it much more difficult for a thief to say that the mod is theirs. If a thief is persistent enough and has the skills, they will be able to remove any number of safeguards, aside from out-and-out file encryption which would render the mod useless.
Further, this method is certainly not complete or all-encompassing. I would appreciate any additions or changes that others may suggest. The current method relies on readily available tools and has a somewhat limited range of application in terms of the mods it will help protect (or rather, it requires minor changes to some specific mod types).
3. One Implementation
Modding is very much a free-for-all endeavor in terms of mod creation, so a mod protection system will only be useful if it is both easy to implement and widespread. Thus I believe that the best way to ensure that such a system is adopted by modders is to focus on the implementation of only one such system, and expand upon it as necessary when new protection methods are discovered. By following one implementation set, it will also be easier for mod users to verify the authenticity of a mod by following simple instructions.
4. Open-source
While it may seem counterproductive, some of the best cryptography available today has been developed as open-source. In that spirit, this implementation is and should remain freely available and written in easy-to-understand language. The tools used in this implementation are all open-source.
5. The Method
You will need two open-source tools to successfully implement this mod theft prevention system:
1. OpenStego (http://openstego.sourceforge.net/)
2. GnuPG (http://www.gnupg.org/) (technically optional)
Installing these two tools is relatively easy. Both websites offer documentation on how to properly use the programs, though GnuPG can be a bit fussy. For GnuPG you will wish to install GPA to easily create a key-pair. When creating the key-pair make sure you use a strong password, and if you use a password manager like KeePass you can easily add your key-pair files to the protected database file that KeePass uses.
Once you have successfully installed both OpenStego and GnuPG, the (relatively obvious) method is very simple:
1. Create a text file with identifying information within it.
2. Use OpenStego to add the text file with identifying information to all the textures and other images that your mod uses.
An alternate, and potentially more secure, method:
1. Create a text file with identifying information within it.
2. Use GnuPG to sign the file.
3. Use OpenStego to add the signed text file with identifying information to all the textures and other images that your mod uses.
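To make step 3 concrete, here is an added example (not part of the original write-up, and not OpenStego's code or file format) of least-significant-bit embedding, the general technique behind hiding a file in an image. The marker, the pixel buffer and the identity text are constructed for illustration; the last lines show why the mark only survives in losslessly saved images.

```python
MAGIC = b"MODID"  # constructed marker: lets extract() tell "nothing here" from noise

def embed(pixels: bytes, payload: bytes) -> bytes:
    """Hide payload in the least-significant bit of successive cover bytes."""
    blob = MAGIC + len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> i) & 1 for byte in blob for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def _read(pixels: bytes, start_byte: int, count: int) -> bytes:
    """Rebuild `count` hidden bytes, beginning at hidden byte index start_byte."""
    out = bytearray()
    for b in range(start_byte, start_byte + count):
        value = 0
        for p in pixels[8 * b: 8 * b + 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return bytes(out)

def extract(pixels: bytes):
    """Return the hidden payload, or None when no intact payload is found."""
    header = len(MAGIC) + 4
    if len(pixels) < 8 * header or _read(pixels, 0, len(MAGIC)) != MAGIC:
        return None
    size = int.from_bytes(_read(pixels, len(MAGIC), 4), "big")
    if 8 * (header + size) > len(pixels):
        return None
    return _read(pixels, header, size)

# Constructed sample data: a 64x64 RGB buffer and an identity file. In the
# signed variant of the method, IDENTITY would be GnuPG's signed output.
COVER = bytes((i * 37) % 256 for i in range(64 * 64 * 3))
IDENTITY = b"Mod: Example Armor Pack\nAuthor: ExampleModder\nContact: modder@example.invalid\n"

STEGO = embed(COVER, IDENTITY)
# A lossy re-save alters low-order bits; modelled here by clearing the low 3 bits.
RESAVED = bytes(p & 0xF8 for p in STEGO)

if __name__ == "__main__":
    print("recovered intact:", extract(STEGO) == IDENTITY)
    print("largest pixel change:", max(abs(a - b) for a, b in zip(COVER, STEGO)))
    print("after lossy re-save:", extract(RESAVED))
    print("untouched cover:", extract(COVER))
```

The payload has to come back byte-for-byte for a GnuPG signature on it to verify, so check extraction on the exact files you ship rather than on your working copies.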
6. Good Practices
There are other practices that can make it easier for modding websites such as TES Nexus and Steam Workshop to verify that a mod is in fact yours. These include:
1. Avoid antagonizing the thief. While it may seem justifiable, it only makes the situation more inextricable. By acting in a professional manner, you will build more trust that what you are saying is the truth.
2. Create screen captures of the mod creation process and websites where the mod is already uploaded. These screen captures can include dates to demonstrate that the mod was created or uploaded prior to the thief stealing your work.
3. Contact moderators on the website where the thief has uploaded your work and explain in detail the situation.
7. Conclusion
While this outlined implementation is certainly not foolproof by any stretch of the imagination, the use of steganography and digital signing will dissuade most of the fly-by-night mod thieves that simply try to change the modder's name in the ESP file.