
Breaking Google's DRM

michael posted more than 9 years ago | from the don't-be-evil dept.

Google 892

An anonymous reader writes "Google's new Google Print service (that lets you see scanned pages from printed books) has a pile of advanced browser-disabling DRM in it ('Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.'). This works with JavaScript turned off, even in Free Software browsers. Seth Schoen has posted preliminary notes on some breaks to the DRM (beyond just automating a screenshotting process), including a proposal for a circumventing proxy that would fetch Google Print pages and strip out the DRM. A full exploration of the html obfuscation and DRM employed by Google would be very interesting; certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP."

892 comments

That explains those mysterious hirings (5, Insightful)

waynegoode (758645) | more than 9 years ago | (#10470721)

Knowing how to develop stuff like this is not a skill everyone has. This might explain why Google recently hired [nypost.com] some browser-type software developers (as discussed on Slashdot [slashdot.org] ).

Re:That explains those mysterious hirings (0, Offtopic)

grazzy (56382) | more than 9 years ago | (#10470776)

Google is not god.

Re:That explains those mysterious hirings (5, Funny)

Gentoo Fan (643403) | more than 9 years ago | (#10470808)

Google is not god.

Correct, Google is much more useful.

Re:That explains those mysterious hirings (1, Offtopic)

Bingo Foo (179380) | more than 9 years ago | (#10470922)

Well, perhaps God has written fewer lines of code [ucdavis.edu] , but as far as usefulness is concerned, I'll take existence over cool tech any day.

Re:That explains those mysterious hirings (5, Funny)

Sqwubbsy (723014) | more than 9 years ago | (#10470926)

Google is not god.

Blasphemer!

Re:That explains those mysterious hirings (3, Insightful)

wo1verin3 (473094) | more than 9 years ago | (#10470829)

Maybe not, these hirings were only a few weeks ago.. the article you link is from Sept 19th. There must have been planning way before this...

fp? (0)

Anonymous Coward | more than 9 years ago | (#10470726)

Probably missed fp but... How in the world can something totally disable a browser's features like that?

FIRST POST (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#10470727)

HAHA

Security issue? (5, Insightful)

radish (98371) | more than 9 years ago | (#10470733)


certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP

While I agree it would be nice to fix this from a convenience point of view, and a "it's my computer - it'll do what I want" point of view, how is this a security risk? How do I get a trojan, or lose files, because of an inability to copy & paste on a particular page?

Re:Security issue? (5, Insightful)

Rude Turnip (49495) | more than 9 years ago | (#10470780)

"...how is this a security risk?"

A part of your security is having control over your computer. Your security has been compromised when you lose that control.

Re:Security issue? (4, Insightful)

American AC in Paris (230456) | more than 9 years ago | (#10470917)

A part of your security is having control over your computer. Your security has been compromised when you lose that control.

...by this logic, an operating system that does not permit a user to dive directly to an arbitrary RAM address and twiddle bits is an operating system that poses a security risk, as you've lost the control to directly manipulate your machine's memory.

Re:Security issue? (1, Interesting)

Anonymous Coward | more than 9 years ago | (#10470946)

Are you joking? Every single modern operating system I know of will let you bypass memory protection if you are running as an administrator and wish to do so. It's the choice that matters.

Re:Security issue? (1)

hunterx11 (778171) | more than 9 years ago | (#10470953)

If that's the case let's all run at security level -1 mode.

Re:Security issue? (5, Insightful)

lukewarmfusion (726141) | more than 9 years ago | (#10470791)

No kidding... you may not like having those features disabled, but calling them a "security vulnerability" is like shouting "terrorist" because you don't like what someone else says.

There are plenty of sites that go to great lengths to turn off functionality like copy, back button, print, etc. When a major corporation does it, suddenly it's a risk?

Google can only offer that information because they can employ DRM.

Re:Security issue? (1)

alienw (585907) | more than 9 years ago | (#10470897)

So, your definition of a security hole is an intrusion? Easy ways to do DoS are security holes, as well, and this constitutes denial of service.

Re:Security issue? (1)

EvilSS (557649) | more than 9 years ago | (#10470924)

Security Risk? I'm still trying to figure out how someone would consider them "critical". For a browser, wouldn't critical features be: 1.) Can display pages

Re:Security issue? (1)

Kaa (21510) | more than 9 years ago | (#10470971)

While I agree it would be nice to fix this from a convenience point of view, and a "it's my computer - it'll do what I want" point of view, how is this a security risk? How do I get a trojan, or lose files, because of an inability to copy & paste on a particular page?

I guess denial-of-service attacks do not fall under your classification of security risks... Well, at least you have a unique viewpoint :-)

In any case, we have a demonstrated capability of a web server to alter major behavior characteristics of a program running on my local machine. How exactly do you know the limits of this capability? Can you guarantee that the mechanism used to prevent saving images to disk cannot be used to do something more malicious?

Google are Evil (0, Interesting)

Anonymous Coward | more than 9 years ago | (#10470740)

They are. Just as evil as every other company out to make a buck. Seriously... the sooner the Blogerati wake up to this and stop stroking off of the Googleplex the better.

Re:Google are Evil (2, Insightful)

Tongo (644233) | more than 9 years ago | (#10470886)

Wow, move to Cuba or N. Korea why don't you. Just because a company (or an individual, I want to make money and lots of it :o) wants to make money doesn't make it Evil. This is propaganda fed to you by socialism. There is nothing wrong with money or wanting to acquire it. It's the lust for money that gets people into trouble. When earning money becomes more important than your own morals, this is when earning money becomes evil.

First, how do I get to Google Print (1)

hey (83763) | more than 9 years ago | (#10470747)

Sorry to be so dumb but how do I get to actually use print.google.com - ie search. Anybody got a URL?

Plain google search on book titles (2, Informative)

JLavezzo (161308) | more than 9 years ago | (#10470787)

Searching google on book titles returns a Print match if they have the book in their records. Not too many yet, it seems.

Re:First, how do I get to Google Print (5, Informative)

deicide (195) | more than 9 years ago | (#10470833)

Search for "economic development".

moo? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#10470748)

mooga booga shmooga?

It's doomed. (5, Insightful)

gowen (141411) | more than 9 years ago | (#10470751)

Facts :

i) To display the books, they've got to send that information to the browser, on your machine.
ii) Once it's displayable on your machine, there is *absolutely* no way they can stop a determined person from printing it.
iii) If it's going to work on Open-Source browsers, the DRM must be fairly transparent.
iv) If it works on Open Source browsers, someone cleverer than me will modify that browser so that it works as the user intends, rather than the sender. Their only protection is the DMCA, which may stop a US coder from writing/distributing the hacked app, but the rest of us will be laughing.

Frankly, if Google were as smart as they're hyped to be, they'd know this.

It doesn't matter... (4, Interesting)

wyoung76 (764124) | more than 9 years ago | (#10470816)

... if their DRM can be broken or not.

The point is that it is "good enough" to stop the average person from lifting the material.

If you're determined enough, nothing is going to stop you from getting what you want.

Re:It's doomed. (2, Insightful)

Firehawke (50498) | more than 9 years ago | (#10470830)

What makes you think they don't know this? It's like copy protection-- they only need to make it hard enough to discourage casual capture and printing.

Re:It's doomed. (1)

apachetoolbox (456499) | more than 9 years ago | (#10470838)


They don't have to really worry about ii, iii, or iv. Just like the MPAA/RIAA... they only have to worry about it being simple and easy to do by default, on Windows/IE. That covers 90%+ of the user base and that's good enough.

Re:It's doomed. (1)

gcaseye6677 (694805) | more than 9 years ago | (#10470881)

I'd say Google is aware of this, but they are hoping that other people and organizations, namely the ones that will be paying money for this service, are unaware. This way, they get people to use the service without fear that their material can be lifted. In any case, it will be interesting to see how it all plays out once it becomes known that people can disable these browser hacks.

Re:It's doomed. (4, Insightful)

ricotest (807136) | more than 9 years ago | (#10470934)

You should be thankful they used an open-source browser friendly technique. They could have just as easily wrapped the images in ActiveX or maybe Java in such a way that the data is never cached in an accessible form. The only way to get the image would then be screen-capture (made even harder if they used the graphics card buffer, but maybe that's overkill)

Do you want Google to drop this technique and go for something more proprietary that won't work at all?

Re:It's doomed. (4, Funny)

Naikrovek (667) | more than 9 years ago | (#10470945)

why do they not simply create an HTML table, make it [image width] cells wide, and [image height] rows, insert a 1x1 clear gif in each cell and change the bgcolor of each cell to the color on the corresponding image?

while they work on that i'm gonna upgrade my memory.

Re:It's doomed. (2, Insightful)

angryelephant (678279) | more than 9 years ago | (#10470957)

v) The service checks the DRM in your browser. If it isn't approved you don't get to use the service. Google likes to make their services display correctly with all browsers but I doubt there is anything in their business model that says they have to be open source compatible even if it ruins a market segment.

My wishes??? (1, Funny)

Spackler (223562) | more than 9 years ago | (#10470753)

the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP."

IE (and windows for that matter) have been doing things that are against my wishes for years. I guess this is a cross-platform issue.

Re:My wishes??? (2, Insightful)

Lt Cmdr Tuvok (810548) | more than 9 years ago | (#10470903)

I believe humans have a saying: 'You can't always get what you want'. These are wise words.

The human propensity to obsess over their wants and wishes is rather puzzling, in my view. This viewpoint reeks of individuality, a curiously human trait. Sometimes, bowing to the greater good is more beneficial than stubbornly sticking to one's own particular desires.

In the case of 'Windows', that particular piece of programming follows the philosophy of utilizing the combined knowledge of specialists to guide the less sophisticated users of the software and ease their work. That some people object to this on the grounds that it forces restrictions on them is understandable to a point, but this scheme of things is beneficial on the whole. Opponents of this approach may call this approach 'Appealing to the lowest common denominator,' or some variation thereof, but I myself prefer to call it 'Sacrifice for the benefit of the greater good.'

Discussion on this issue is something that I very much look forward to seeing.

Mirror? (0)

Anonymous Coward | more than 9 years ago | (#10470756)

Seth Schoen has posted preliminary notes . . .

Well, that went down pretty quick. Did anyone get a chance to copy it or mirror it?

typical approach (0)

Anonymous Coward | more than 9 years ago | (#10470763)

just like music, if it comes to your computer, you can save it. I'm sure a hack will come out very very soon.

here we go again. (4, Funny)

bLindmOnkey (744643) | more than 9 years ago | (#10470765)

and so begins a new age of literature piracy

Getting stuff for free? (3, Insightful)

Mr_Silver (213637) | more than 9 years ago | (#10470770)

Seth Schoen has posted preliminary notes on some breaks to the DRM (beyond just automating a screenshotting process), including a proposal for a circumventing proxy that would fetch Google Print pages and strip out the DRM.

Whilst I'm all for breaking DRM that hinders the rights you have to use your content in the way you want - this just looks like breaking DRM to get stuff for free.

If that really is the case, then I'm extremely concerned that someone is doing this. Mainly because it adds extra ammunition to those who (wrongly) try to push the line that the only people who want to break DRM are those who want to rip people off.

Re:Getting stuff for free? (5, Insightful)

ImaLamer (260199) | more than 9 years ago | (#10470875)

this just looks like breaking DRM to get stuff for free.

You are 100% right.

It isn't about "security" or even "fair use" it's about the ability to cut and paste, save and print someone else's content without their permissions.

I could understand if you owned the books but you don't. Sounds like a good way to bite the hand that feeds you.

If you are really concerned with Google messing with your browser... don't go to any Google domain, ever. Add an entry in your HOSTS file for google, froogle, gmail, gbrowser and whatever else you'd like.

It's a free service, free in the sense that you are free not to use it.

Hmmm (4, Insightful)

Auckerman (223266) | more than 9 years ago | (#10470933)

You are adding to the fire by allowing them to change the definition of copyright. Copyright gives the holder no right to determine how one USES content, it merely gives them a monopoly right over copying the content for distribution. There are some copyright limitations on use, such as public displaying and the like, but fair use clearly says once you give ME a copy of your work, I can do anything I damn well choose to it.

It already gave me a copy of the work for free, if I choose to burn it, make a hat out of it, or print it out, it's my business.

Re:Getting stuff for free? (1)

etymxris (121288) | more than 9 years ago | (#10470974)

This is as illegal as xeroxing a few pages from a book at the library. I'm not sure how anal retentive laws are at the moment, but is it really so wrong for someone to print a few pages to read on the train on the way to work or something?

Re:Getting stuff for free? (0)

Anonymous Coward | more than 9 years ago | (#10470982)

this just looks like breaking DRM to get stuff for free

No, it's breaking my browser so that it no longer functions as I configured it.

The web content, by the way, has already been delivered to the browser in plaintext. At that point, we're no longer talking about DRM.

Re:Getting stuff for free? (1)

gcaseye6677 (694805) | more than 9 years ago | (#10470991)

While I don't disagree with what you're saying, I do think that any company whose revenue model depends on preventing their material from being "stolen" by disabling a person's web browser might as well go ahead and fold up now. CDs have always been copy-able, but CD publishers still manage to sell them. Same with books. If someone's only business model is to put some crap on a website, charge a bunch of money for access, and hope to sit back and watch the cash roll in, I think they will be in for a rude wakeup call. Legal issues aside, it's a matter of what people are willing to pay for, and the sale of crippled content does not exactly have a track record of success.

free speech? (2)

100MHzperhour (587160) | more than 9 years ago | (#10470775)

What's the difference between this and going to my local library and making copies of the pages, *which are allowed*? I for one do not want to see google heading towards this direction. With the onset of their censoring items in china, and now this in the media, it makes you wonder where their management is making google head towards...Google would make such a great web portal...and even move beyond the ranks of yahoo if it would just put the right things in the right place, they are so far ahead in the game already, why can't they realise that?

Nature of Information (3, Insightful)

iammrjvo (597745) | more than 9 years ago | (#10470782)


Information, by its very nature, is copyable. DRM schemes may stop a casual user from copying information, but it is theoretically impossible to make an invincible DRM system like this due to the very nature of information.

That having been said, Google is smart enough to know this. They have to put what they can in place in order to convince publishers to agree to their system.

Re:Nature of Information (4, Informative)

hype7 (239530) | more than 9 years ago | (#10470880)

this is a damn good point.

I copied this from a post I saw earlier on slashdot - I have lost the link but still have the text.


That's why they need the dumb-ass DMCA, because it's impossible to make secure DRM. DRM is not and can never be cryptographically secure because it is not actually a cryptography problem. Cryptography is about keeping secrets away from unauthorized people. That's fairly easy. DRM is about GRANTING people authorized access and GIVING them the key and then attempting to keep what you've given to them a secret from them.

DRM is a schizophrenic and fundamentally impossible task.

All they can do is hide the key obscurely inside the player and hope that no one makes the effort to look at it.


It was written about SACDs, but it applies just as equally to stopping people copying text. In the long run, DRM won't work. It's just a serious pain in the ass, especially for legitimate users (how can you get fair use if the damn copy/paste functionality is disabled?)

-- james

Just get it from your cache! (4, Funny)

nagora (177841) | more than 9 years ago | (#10470784)

Works for me on Opera 7.54. DUH!

TWW

Re:Just get it from your cache! (1)

dapyx (665882) | more than 9 years ago | (#10470835)

Even right-clicking and selecting save works in Opera!

Re:Just get it from your cache! (1)

RangerRick98 (817838) | more than 9 years ago | (#10470935)

Works for me in Firefox as well.

So? (5, Interesting)

lxs (131946) | more than 9 years ago | (#10470788)

Messing with our browsers and DRM

Does this mean that Google is now officially an Evil Company(TM)?

We control the horizontal, we control the vertical (3, Insightful)

Doc Ruby (173196) | more than 9 years ago | (#10470793)

We're entering an age where all data is passed as objects. OS'es won't have common facilities to save data, merely to access the storage HW. Objects might or might not have facilities to save themselves, depending on their producer. PCs are probably a lost cause, but once phones submerge in the viruspam tide, their OS'es will prove the perfect platform for "trusted computing". Software distributors will control your gizmos, and you won't even be able to turn them off.

Re:We control the horizontal, we control the verti (1)

Ironsides (739422) | more than 9 years ago | (#10470849)

and you won't even be able to turn them off.

If they have batteries, batteries need to be recharged (or can be ripped out). If it has a power cord, it can be unplugged.

Critical Features? (1, Interesting)

gregarican (694358) | more than 9 years ago | (#10470797)

"certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP"

A little extreme journalism? Such functions (and lacks thereof) have been around across the various browsers for years now. People want to protect their work. Big deal. I'm sure that there will be black hats who will find a way around any copy protection process. Be it for DVD, MP3, Windows Media, AAC, PDF, etc. Legal to do so? Perhaps? Does that make it ethical? Probably not.

Re:Critical Features? (1)

stevesliva (648202) | more than 9 years ago | (#10470912)

A little extreme journalism?
Ha, you called a Slashdot story "journalism." And I thought the esteem of journalism couldn't get any lower these days.

Article Text (5, Informative)

Anonymous Coward | more than 9 years ago | (#10470798)

Google DRM

To further protect your book content, printing and image copying functions are disabled on all Google Print content pages.

Similarly:

We've put a number of measures in place to prevent the downloading, copying, or printing of your content [...] Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.

I'm surprised at how much effort Google went to here. I would have expected my browser not to be vulnerable to having any of its "functionality disabled", yet, with a recent Firefox, I found that I couldn't

1. print the page to a PostScript file,
2. right-click on the page at all,
3. save the page to disk (the image would somehow not be downloaded at all),
4. view the precious image in Page Info/Media (although I could see which image it was),
5. save the precious image in Page Info/Media,
6. find the precious image in the DOM Inspector (which seemed like the really heavy artillery), although the DOM Inspector did let me see its URL as part of an uninterpreted style definition, and seem to reveal the trick: defining a style called ".theimg", with the definition

{ background-image:url("http://print.google.com/long url with cryptographic signature"); background-repeat:no-repeat; background-position:center left; background-color:white; }

and then invoking that style inside a tag:



So I tried turning off JavaScript, and I found that I was essentially no better off: right-clicking caused a copy of cleardot.gif, not the .theimg background, to be saved to disk. For some reason, Save Page As.../Web Page (complete) still declined to download the background image at all, even in the absence of JavaScript, as if perhaps the CSS parser in the display logic in Firefox is smarter than the CSS parser in the Save Page As... code.

The two ways I've found so far that work to capture images from Google Print are a screen capture (I used xwd, which of course worked perfectly) and looking in the on-disk cache (ls -lrt .mozilla/firefox/default.*/Cache/[0-9A-F]*). I'm still puzzled about why Page Info and the DOM Inspector won't actually reveal the image referenced in the .theimg style or allow it to be saved.

If you wanted to write a proxy that would make Google Print pages capable of being saved to disk, you would presumably want to match

background-image:url("http://print.google.com/\( [^ "]+\)")

(although you'd need to be careful to match only the one in the definition of ".theimg", because it looks like there may be at least one other background-image:url) and then replace



I haven't tried this because it felt like too much work relative to the previous two methods.

Contrary to what I expected, Google Print does not seem to check referer, so it seems to be possible merely to extract the URL from the definition of .theimg, and then to load it directly. Perhaps that will change in the future.

Google must have hired some experts on html image protection or html obfuscation. To be sure, there are lots of other tricks in Google Print that I had never seen before. It is hard to think that the author of that HTML obfuscation was not the subject of Richard Stallman's accidental haiku. It is amusing to think that Mr. Bad's "other" DeCSS might at last be used for some kind of circumvention (although I doubt it, because presumably Google Print simply won't work at all with the CSS removed).
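As an added illustration (not part of the notes quoted above, and not code from Google or Mozilla), this Python sketch audits a page the way a publisher evaluating this kind of "protection" might: it lists every image URL delivered through a CSS background rule, per class, and flags the ones sitting under an overlay image, which is the layout that makes right-click and Save hit cleardot.gif instead of the content. The sample page, the host books.example.test, the nested-`<img>` layout and all function names are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample (not Google's real markup). Assumed structure: the page
# scan is a CSS background on a <div>, and a transparent GIF sits on top of it.
SAMPLE_PAGE = """<html><head><style>
.nav { background-image:url("http://books.example.test/img/bar.gif"); }
.theimg { background-image:url("http://books.example.test/page?id=PLACEHOLDER&sig=PLACEHOLDER");
  background-repeat:no-repeat; background-position:center left; background-color:white; }
</style></head><body>
<div class="nav">menu</div>
<div class="theimg"><img src="cleardot.gif" width="575" height="800"></div>
</body></html>"""

RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")   # selector { declarations }
BG_URL_RE = re.compile(
    r"background(?:-image)?\s*:[^;}]*?url\(\s*[\"']?([^\"')\s]+)", re.I)
CLASS_RE = re.compile(r"\.([A-Za-z_][\w-]*)")
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}


class _PageScan(HTMLParser):
    """Collects <style> text and, per class name, the <img> sources nested
    inside elements carrying that class."""

    def __init__(self):
        super().__init__()
        self.css = []
        self.overlays = {}      # class name -> [src of nested <img>]
        self._in_style = False
        self._open = []         # stack of (tag, [classes]) for open elements

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "style":
            self._in_style = True
        classes = (attr.get("class") or "").split()
        for name in classes:
            self.overlays.setdefault(name, [])
        if tag == "img":
            for _, open_classes in self._open:
                for name in open_classes:
                    self.overlays[name].append(attr.get("src") or "")
        if tag not in VOID_TAGS:
            self._open.append((tag, classes))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False
        # Pop back to the matching open tag, tolerating sloppy markup.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def handle_data(self, data):
        if self._in_style:
            self.css.append(data)


def audit_css_images(html):
    """Return one finding per (class, background URL) pair in the page."""
    scan = _PageScan()
    scan.feed(html)
    scan.close()
    findings = []
    for selector, body in RULE_RE.findall("".join(scan.css)):
        match = BG_URL_RE.search(body)
        if not match:
            continue
        for name in CLASS_RE.findall(selector):
            findings.append({
                "class": name,
                "url": match.group(1),
                "used_in_body": name in scan.overlays,
                "overlay_imgs": scan.overlays.get(name, []),
            })
    return findings


def hidden_content(findings):
    """Backgrounds covered by an <img>: the content is still in plain markup,
    only the browser's image UI is pointed at the overlay instead."""
    return [f for f in findings if f["overlay_imgs"]]


if __name__ == "__main__":
    for f in audit_css_images(SAMPLE_PAGE):
        note = "covered by " + ", ".join(f["overlay_imgs"]) if f["overlay_imgs"] else "plain background"
        print(f"{f['class']}: {f['url']} ({note})")
```

Keying findings by class keeps decorative backgrounds such as the constructed `.nav` rule separate from the content image, which is the distinction the notes warn about when they mention a second `background-image:url` on the page.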

Re:Article Text (0)

Anonymous Coward | more than 9 years ago | (#10470884)

I already explained this, I guess nobody really cares about AC posts...

http://slashdot.org/comments.pl?sid=124683&cid=10456592 [slashdot.org]

is it a bug with mozilla, or really a design flaw (0)

Anonymous Coward | more than 9 years ago | (#10470801)

Is this really an issue with Mozilla, or rather a design flaw from Google? Would it not have made more sense to use j2ee technology, and thus ensure that regardless of browser technology, the situation is under control... rather than adopting the bad standards of writing purely for an (unnamed) browser??

Or have I simply mis-understood?

Re:is it a bug with mozilla, or really a design fl (1)

dapyx (665882) | more than 9 years ago | (#10470905)

Not even java is secure enough, as with enough skill, you can tamper with its data. I know this, because there is a "cheat" program that calculated the trajectory for yahoo! pool game. :-)

And anyway, everything that is displayed on the screen can be saved.

The simple fact is... (1, Interesting)

mat catastrophe (105256) | more than 9 years ago | (#10470807)

...the internet as a tool for sharing and disseminating information is falling short of what people said it would do years ago.

Google is scary enough to think about, what with their gargantuan server farm, their bizarre "don't delete your email (and even if you do, we're going to keep a copy)" policy, their odd way of censoring things in image and web results, but now we have a Google that has come right out and made it possible to really strip a web browser's secondary functionality?

I think it is time to stop treating Google as the mystic, all-holy and wonderful search engine and perhaps begin treating it as a hostile assault on the general idea and purposes of the web.

I hope that doesn't sound too extreme....

-1 Troll (2, Informative)

jbellis (142590) | more than 9 years ago | (#10470900)

their bizarre "don't delete your email (and even if you do, we're going to keep a copy)" policy

It's been explained ad nauseam that google does not archive deleted email indefinitely; deleting just isn't instantaneous, because of the nature of the system.

Some news stories have suggested that Google intends to keep copies of users' email messages even after they've deleted them, or closed their accounts. This is simply not true. Google keeps multiple backup copies of users' emails so that we can recover messages and restore accounts in case of errors or system failure. Even if a message has been deleted or an account is no longer active, messages may remain on our backup systems for some period of time. This is standard practice in the email industry, which Gmail and other major webmail services follow in order to provide a reliable service for users. We will make reasonable efforts to remove deleted information from our systems as quickly as is practical.
from the gmail privacy page [google.com]

I don't think it does. (0)

Anonymous Coward | more than 9 years ago | (#10470952)

Google should simply not be branching out from web searching.

Their stated corporate motto is: "Don't be evil."

If a guy, without any prompting, tells you, "I'm not evil! In fact, that's my motto: don't be evil." should you be more or less suspicious of them?

mozilla acceptance (1)

minus_273 (174041) | more than 9 years ago | (#10470812)

Yes, circumventing copyright protection is certainly going to improve the image of mozilla. We all know it is getting good press right now because of problems with IE. It will only take a few articles in major papers and magazines about its links to piracy and it will be banned like kazaa in a corporate environment. Sometimes I really do wonder if many other free software types are really just software pirates.

Why bother? (0)

tod_miller (792541) | more than 9 years ago | (#10470815)

No really, why?

You can use firefox and simply do a DOM search and pull out the image that way.

You can probably tweak browser setting to allow for cross frame javascript dom, set the source automatically to an image in top frame, and create a bookmarklet that always wraps a google search.

I do like the idea of pulling apart their obfuscated code, or maybe using similar code on other websites.

I have my own usable solution involving backgrounds, javascript etc, but then I realised since anyone can print screen, just let them...

Re:Why bother? (0)

Anonymous Coward | more than 9 years ago | (#10470944)

That makes me laugh. I'll post this anonymously.

I worked for SBC and they had an employee database for benefits on a web page that you logged into. The HR never sent out the passwords for our group so guessing at the passwords I looked at the code to try and get a hint what it might be. I traced the submit JavaScript down to a procedure that had a hash lookup to basically a social security number. If you saved the web page and modified the submit redirect to ignore the hash lookup, you could access anyone's information. I showed my manager and fellow employees who were big JavaScript security fans and let them know that physical security is the first line of security you must have with any security model.

Explanation Provided (4, Informative)

Gerv (15179) | more than 9 years ago | (#10470819)

A full exploration of the html obfuscation and DRM employed by Google would be very interesting

I've been looking at this - there's a blog post [mozillazine.org] with some preliminary discussions, and a follow-up [mozillazine.org] giving some ways of getting around it. The short answer is that if you just want to save the image to disk, it's not too hard in a decent browser [mozilla.org] .

Gerv

Please provide demo URLs (4, Interesting)

Buran (150348) | more than 9 years ago | (#10470825)

Where can we see a sample of this to test whether it actually does these disabling things?

I do agree that this is a security problem. We already have options in some browsers (I use Firefox, for example) to block sites from changing status bar text, changing images, etc. And there was no fuss about that. I think disabling such basic functions as copy, paste, print falls in the same "no-no" category as changing statusbar text, changing images, etc.

A site presents a page in a certain way, but I as the user get to select how I view it, with what functions I want to view it, which parts of the site I want active and which ones I don't. You can't force me to accept what I don't want to accept. If I set my software to ignore part of your site, that's my choice, not yours.

You don't go disabling functions in users' browsers. You let them do that themselves. Conversely, you don't enable stuff the user didn't enable themselves.

Isn't it now about to be illegal to go changing people's browser settings via the use of spyware? Doesn't this come awfully close to doing the same thing? If it changes how my software behaves, it's awfully close to being malware.

Why use DRM in the first place? (2, Interesting)

openSoar (89599) | more than 9 years ago | (#10470844)

Why are the pages even protected by any kind of DRM in the first place? AFAIK, they don't let you view the whole book - just a few selected pages - isn't this just the same as the track clips you can listen to (and save if you wish) at most of the music stores?

gerv talks about this (5, Informative)

glob (23034) | more than 9 years ago | (#10470851)

gerv, a mozilla developer, has a few blog entries that talk about how the print service tries to stop you from getting to the jpegs, and how to bypass that.

Google Print, And Clue Barriers [mozillazine.org]
Google Print Hacking Ideas [mozillazine.org]

For those with tinfoil hats (4, Informative)

OverlordQ (264228) | more than 9 years ago | (#10470854)

Last comment on Bug 226572 - Google branded Mozilla browser [mozilla.org] was:
This is a duplicate of a private bug about working with Google. So closing this one.


*** This bug has been marked as a duplicate of 213362 ***


Now they're both [mozilla.org] mysteriously restricted to general viewing.

DRM is necessary here (2, Insightful)

ShatteredDream (636520) | more than 9 years ago | (#10470856)

They're preventing people from walking off with free books. If Google doesn't do that, then they cannot offer this service. Sometimes it is better to accept a little inconvenience. There is nothing stopping you from retyping an entire small passage if you want to quote it.

Re:DRM is necessary here (1, Insightful)

0123456 (636235) | more than 9 years ago | (#10470986)

"If Google doesn't do that, then they cannot offer this service"

And? Why should my browser be broken just so Google can make money?

Oh, googy, more ways to get corporations mad (0)

Anonymous Coward | more than 9 years ago | (#10470863)

Ya just gotta love slashdot, always the first to promote someone breaking the rules.

Why is someone breaking DRM newsworthy? How about posting an article about some guy who broke into a house last night and his notes about how he did it? Why isn't that interesting? What about posting an article about some guy who is selling stolen laptops off of the back of a truck? Why isn't that interesting?

Why is it that you think that stealing content is OK but you don't think that stealing physical goods is OK? And would it be OK to steal that content if you were the owner of that content and it was being stolen against your will?

What any man can do... (3, Insightful)

Space cowboy (13680) | more than 9 years ago | (#10470865)

... another can undo.

It seems rather futile to try and restrict what people can do with images on the net. Given that fundamentally it's an open easily-parsed format, and wget is your friend, it ought to be relatively easy to write a harvester, if anyone could be bothered.

And there's the rub. Unless Google publishers are sufficiently stupid (I've not seen much evidence of online stupidity in book publishers to date...) to put significant excerpts from the book online, who'd care if you could download the images?

At the end of the day, the best protection is to make sure that the good information is kept in the book, and the online imagery gives an indication of what you get when you pay for the book. This all presupposes the book is worth buying, of course, and perhaps that's the market they're trying to protect...

I guess this will protect against casual copying by the clueless, and that's probably all they're trying to do, but Google is every tech's favourite lovechild (brought about by those clever marketing peeps, which, er, aren't most techs' favourite people. Well, moving swiftly on...). So Google are popular, and they do something that those tech peeps will react to (DRM), and quick as a flash there are workarounds. Hell, I expect a firefox plugin by tomorrow! A waste of time, perhaps? Or just another example where the clueful (Mozilla users) have the advantage over the clueless (IE users :-)

Simon.

Oooo! I know! (3, Funny)

hartba (715804) | more than 9 years ago | (#10470866)

Just put your monitor on a copy machine!

It's a documentation problem ... (2, Interesting)

slagdogg (549983) | more than 9 years ago | (#10470868)

Change the line:

"Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content."

to:

"Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content from most users."

It's magic.

Ethereal? (0, Redundant)

JUSTONEMORELATTE (584508) | more than 9 years ago | (#10470869)

C'mon, if you are delivering the info to me, then it has to come across a network device, and Ethereal can see it.
If someone is motivated to get a copy, then it's not that hard to write code to read the packet dumps and re-create the content.


--
How about cash? [slashdot.org]

Mirrordot mirror (1)

Digital_Quartz (75366) | more than 9 years ago | (#10470871)

Seth Schoen's notes are mirrored here [mirrordot.org] .

A simple solution (1)

Bull999999 (652264) | more than 9 years ago | (#10470873)

Here's a simple solution: don't use it. Those mega-corps will stop dishing out crap if enough people boycott the copy-protected media.

Security vulnerability? (1)

Mr_Silver (213637) | more than 9 years ago | (#10470878)

certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP

Let me get this right. Website has javascript that requests browser disables "save", "cut", "paste" and a few others.

The browser disables the aforementioned buttons because the javascript requests it.

How exactly is that a "major security vulnerability"? It sounds more like a correct functional implementation which happens to do something which could be an annoyance to the end-user.

preventing cut, copy etc. (1)

circusboy (580130) | more than 9 years ago | (#10470885)

I was under the impression that preventing the saving of an image from a web page is actually a feature that has been present for some time, no?

at least there being some way of disabling the right-click menu, anyway. which wouldn't stop you from finding the image in the cache file and saving it I suppose.
or saving the whole page in toto...

no?

Dont be Evil (1)

beattie (594287) | more than 9 years ago | (#10470887)

Is this the beginning of the end of "Don't be evil"?

Calm Down Chicken Little (0)

Anonymous Coward | more than 9 years ago | (#10470892)

Losing the ability to cut, copy, paste on a particular Web site for copyrighted material is not a bad thing. This is a valid way of protecting copyright holders while making the content generally available to the public. I can live with this. It is completely different from the tactics employed by the RIAA and the MPAA. Google is not hampering my ability to browse the content from any computer using any OS with any browser. So, it's a good thing for everybody.

Well .. (1)

z0ink (572154) | more than 9 years ago | (#10470910)

I hate DRM as much as the next guy, but maybe this is something worth a little sacrifice and actually is useful to the author's IP. It's not like google is region locking their content and only allowing people to use this if they live inside the US and use only a certain browser running on a certain operating system powered by a certain processor.

This isn't viable.... (1)

olympus_coder (471587) | more than 9 years ago | (#10470914)

in the long term. This is a hack that takes advantage of undocumented features and quirks in browsers. Quirks and features change.

I don't think they can even use the DMCA to protect it either. If a browser changes the way it renders a page for printing in general, that isn't circumvention. Because they aren't using an actual DRM technology, but bugs and quirks in implementations of standards, at some point, it will become printable.

Now, if they were to create a plugin viewer, and licence the viewer, then it would be defendable. We all know how popular plugins are though...

Google has to do it, not make it work (4, Insightful)

RealAlaskan (576404) | more than 9 years ago | (#10470915)

Google has to do this, but they don't have to make it work.

They have to show the suits at the publishing houses that they are being responsible, safeguarding the suits' ``intellectual property''. It doesn't really matter whether it actually works, just as it doesn't really matter if the features in the checklist on the box of software work. It's a tool for the salesman to use.

If this feature exists but really doesn't work, then the suits get the illusion that their ``intellectual property'' is protected, and they get free advertising of the try-before-you-buy variety. For this best of all possible worlds scenario, it has to work well enough to fool the suits, but not well enough to stop the rest of us.

Sounds to me as if Google has gotten it to work just about well enough to do a good job for all concerned: Google, us readers, and even the suits.

DRM my arse (1)

slobber (685169) | more than 9 years ago | (#10470919)

"This works with JavaScript turned off, even in Free Software browsers."

Ok, how about lynx? Can't you just save image to disk? Ok, forget lynx, telnet 80 & GET should do the trick.

As usual, this DRM attempt will make it a pain for legit users to use but won't stop any determined abusers. On the other hand, I imagine that Google is under immense pressure from the industry to put some kind of DRM so this could provide sufficient cover for them.

The only way this stuff is going to work is if they make text image all warped and wavy to defeat automatic OCR but that would greatly impact the usability of this service.

very easy to break... (5, Informative)

AmigaAvenger (210519) | more than 9 years ago | (#10470948)

Guess I just broke it...

First, turn off javascript. then turn on image dimensions. right click on the dimensions for the main image, and click view background image.

http://print.google.com/print?id=ULQSG0Zs7vcC&pg=3&img=1&q=mastering+digital+photography&sig=gv2nFptEf0dj7Gzb8eZ4U8UdtUo [google.com]

is the URL that is used, and surprisingly it is linkable from outside, it doesn't appear to check IP's, browsers, or anything else. (deep link away!)

Dear Slashdot, (0)

Anonymous Coward | more than 9 years ago | (#10470949)

Please write a little script so that you can put URLs in Coral Cache automatically.

Here's the URL: http://www.scs.cs.nyu.edu/coral/ [nyu.edu]

For example we'd have
http://slashdot.org.nyud.net:8090/ [nyud.net]

or for the article in this story
http://vitanuova.loyalty.org.nyud.net:8090/weblog/nb.cgi/view/vitanuova/2004/10/07/2 [nyud.net]


That way people won't just get annoyed and copy the full text of articles into an anonymous comment.

Damn you broke print.google.com (0)

Anonymous Coward | more than 9 years ago | (#10470962)

I couldn't find the search page so I did a query

http://www.google.ca/search?q=allinurl%3Aprint.google.com [google.ca]

none of the links work. ( google 1, slashdot 0)

Next time you 'break' DRM or talk about it... let's not put it on slashdot mmm kay?

Google adding DRM is a red herring (2, Insightful)

sideswipe76 (689578) | more than 9 years ago | (#10470964)

It's about time books went digital, and google is in a great position to do it. But there is fear on behalf of content owners. For google to proceed forward (legally) they HAD to address that fear. Yes, yes, we will implement DRM and all of your content will be safe. The whole while, they knew it would be cracked. I don't think Google deceived themselves, they just placated content owners. Exactly like mac did with iTunes. As an aside, what do people think of taking images and fracturing them into single pixel lines for DRM purposes? The browser can nicely reconstruct the image, but you can't save it without doing a printscreen.


Google me! [rr.com]

Misplaced Feelings of Responsibility (1)

RAMMS+EIN (578166) | more than 9 years ago | (#10470966)

Why is it that Google, of all companies, has this misplaced feeling of responsibility? It shouldn't be _their_ problem if the user decides to do illegal things. The Google search engine links to lots of content that is illegal somewhere somehow. It's users' own responsibility to deal with this, as Google cannot be expected to know what's legal and what's not for every user they get.

I think that companies who take up the responsibility to protect users against themselves should also be held accountable for any glitch (legal stuff that doesn't work, illegal stuff that does work) in their system.

Opera: "Save with images as..." (0)

Anonymous Coward | more than 9 years ago | (#10470983)

What a joke.

In Opera, choose "Save with images as..." from the File menu. Takes 2 seconds.

Google is insane.

Warning to Americans Posting in This Forum (0)

Anonymous Coward | more than 9 years ago | (#10470985)

Ve vill not tolerate disobedience.

(signed)

the DMCA Squad

No vulnerability, CSS Background (0)

Anonymous Coward | more than 9 years ago | (#10470992)

It's not a vulnerability at all... Just obfuscation. The image is set to be a background image, using CSS. Like a background on Table, or on a website, the page doesn't let you click on it, to directly alter it. But in the code itself, it's pretty obvious... An example, of the straight JPEG [google.com]

Bah. (1)

gptelemann (801687) | more than 9 years ago | (#10470993)

I know everyone has probably repeated this or variations a hundred times already, but yet another workaround is to just press Ctrl-U in Firefox to view source, and search for "theimg" a few times. Take the URL, plug it in to the browser, do whatever.

Hypocrites (0)

Anonymous Coward | more than 9 years ago | (#10470994)

Working around the DRM protection is stealing, plain and simple. And it has costs for all of us honest people.

I assume that you people who think that it is okay to steal software, music, videos, etc take pains to leave their houses unlocked, computers un-firewalled and the keys in their cars so that everyone can share in what you have? Clearly you don't appear to like ownership, or the concept that people should earn something from their hard work so I assume you all live in co-ops and log onto the web via the town library computers.

Open Source Project? (1)

GoodNicsTken (688415) | more than 9 years ago | (#10470996)

I can't wait for someone to write a program that requests page after page, and saves it off to a text file automatically. Forget about the browser, just write a program to do it. See what happens then.

W007 7p (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#10470997)
