Slashdot Mirror
E-Book Copy Protection, For What It's Worth
AudioBooksForFree.Com writes "WHSmith have challenged AudioBooksForFree.Com to breaks Microsoft Reader e-book protection. It just took 30 minutes." No, they didn't break the encryption; instead, this is just an application of the idea that it's very hard to make something which can be displayed but not copied.
I just popped of the "PrtScn" keycaps from all my keyboards and burnt them. I don't want Microsoft's lawyers after me for DMCA violations.
The article hits the nail on the head: if you can see it, you can copy it. Please note that the recording industry thinks they can change this sort of thing, by requiring all analog to digital converts (ADCs) to respect some sort of digital protection. Those dumb shits... :)
1) Create a font that bit-encodes every character in a machine recognizable fashion.
2) Write a program/script that launches an e-book reader and scrolls down taking screenshots and running them from primitive OCR(not really character, since your font is just monospaced pixel encoding with no anti-aliasing, it should be very easy).
3) Decide if certain areas are noise, whitespace or pictures. Apply.
4) Generate LaTeX file, or PostScript.
Oh dear, did I just violate DMCA?
Print Screen, a treacherous tool of terrorists for twenty-rwo years.
Obviously, only terrorists use Print Screen.
Opinions on the Twiddler2 hand-held keyboard?
Correct me if I'm wrong, but isn't this exactly the kind of thing that Palladium aims to prevent ? If you are not allowed to capture your screen or to record sound via the soundcard, then you can't copy protected material.
>|<*:=
..more ammo for the folks who want to legislate Palladium and hardware implemented digital restrictions management.
That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze
I used to work for a typesetting company on my industrial placement (internship in US terms), and we also produced SGML documents for another company who created audio versions of the files we supplied.
The previous placement student came in handy when the audio book company lost the master password to a whole archive of audio books, he cracked the files and unlocked the affected files. The other company was run by friends of the management of our company, so there weren't any 'confidentiality agreements' or anything... but I dread to think how the current laws (which weren't implemented then) would have affected us there.
Are you local? There's nothing for you here!
My initial reaction to this article was, "Big whoopitydoo... this guy can take screenshots."
But then another point from his mini-essay leapt out at me. How many millions of dollars have companies spent on creating "copy-protected" file formats, and how pointless is this pursuit? Heck, that's the business to go into... the snake oil of the 21st century.
)I know many people have made this point before, but it just hit me in an interesting way today, and I thought I'd throw it out there for all to see.)
I mentioned this in the book review of God's Debris about a year ago, but it bears repeating here.
Over a year ago I paid for and downloaded the DigitalOwl TitleVision ebook version of Scott Adams' interesting God's Debris. I paid $5 for it.
I also downloaded the reader, installed it, and read the ebook. I liked the book, but hated the proprietary, Windows-only "reader" application. So, using a screen capture utility, I took screen shots of all 90 pages of the book, saving them as .PGMs. Then I booted into Linux and used gOCR and a shell script to do initial OCR conversion of all the images. Finally I spent a while with grep and a spell checker cleaning everything up. Overall, this took me about five hours.
Now I've got a 143KB ASCII text file with the same content as my 195KB encrypted .OWL file. I don't ever plan to give anyone a copy of my plain text version; I like Scott Adams and want him to get paid for his work.
I'm sure what I did would be considered illegal by Digital Owl (though probably not by Scott Adams). I'm just glad I won't have to try to hunt down a copy of the TitleVision viewer fifteen years from now if I want to read the book again.
The moral of the story is: there's always a way.
Graham "Teach" Mitchell, computer science teacher, Leander HS
My PrtScn key has been defective ever since I tried to copy a DVD at 60 frames per second.
IANAL, but imagine a beowulf cluster of in Soviet Russia all your belong are base to us welcoming the new SCO overlords.
"Ok everyone. Here is the newest unbreakable scheme. On the license, we give everybody their unique key to unlock their content. When they playback/read the file we've given them, we deliver the bitstream through the speakers, then the use their heads to calculate the unencrypted result. Don't follow? Here's a demo!"
"Here's Dustin Hoffman, he's going to show us how this is done. I just hit play here, and..."
*a blindfolded Dustin Hoffman walks onto the stage*
*a modem-like squeal is emitted from the speakers*
*presenter holds up a placard reading "Oops, I did it again"*
dustin: "Yeah, definitely Britney Spears."
*audience claps*
*more squealing*
dustin: "Yeah, definitely Crime and Punishment. Yeah."
Presenter: "Thank you, thank you. Be sure to come back next time, when we will discuss the solution to the "humming/speaking" circumvention method"
*everything* is Orwellian to cats.
For another answer to DRM garbage, Baen, publishers of sci-fi and fantasy books have the 100% correct idea about eBook copy restriction and encryption:
Don't do it!
They just released the latest book in their Honor Harington series on Tuesday, and it included a CD with various formats of eBooks of every book in that series and other books that they publish. And best of all, no stupid restrictions. Here's their release about the CD.
I applaud their move, and recommend purchasing this book and others from them (Note: I'm a big fan of the author, David Weber, but not involved with Baen in any way, etc...).
Baen Books, who are known on Slashdot for their Free Library, and who also offer their WebScriptions, all of which in several formats including e-books, do not to use encryption in the e-books they publish. Roughly, their argument is that it's costly, useless and unfair.
From the 6th Prime Palaver: The Library's track record shows clearly that the traditional "encryption/enforcement" policy which has been followed thus far by most of the publishing industry is just plain stupid, as well as unconscionable from the viewpoint of infringing on personal liberties. (...) the fundamental obstacle to the success of electronic publishing [is] the industry's obsession with encryption. I suggest you read the whole document, it's quite interesting.
In 2000, I was working for a startup e-publishing venture. As such, we had the usual lemmings coming to us and saying that if we'd just license their whizbang technology we could never lose a single text to those "internet-based piracy groups". Since I was the only employee with experience in crypto and security, I was invited to sit in on the sales pitches these guys made to our executives. (Our executives were mostly Marketing guys, but the CEO was technically an engineer. In a striking show of how weird start-ups could be, the Marketing guys actually listened to Engineering and the `engineer' CEO not only couldn't write a line of code, but got convicted of felony fraud...)
... So I printed it out on the company's high-quality color laser and scanned it back in as a .JPG. Burned the new image to a CD-ROM and walked back to the sales pitch. Gave them both CD-ROMs and told them, "thank you for coming down, but I believe we'll go with another vendor." Total time: less than five minutes.
One Canadian firm showed up with a dog-and-pony show involving a CD-ROM with a "protected" picture of a sailboat. They claimed that the image was watermarked and whenever anyone tried to copy the image, the OS would recognize the copymark and refuse to copy it. Not only that, but the image was in a special proprietary format, so nobody could even view the image until they installed the DRM software. They were obviously very pleased with their offering.
At that point I took the CD-ROM they were showing us and excused myself for a few minutes. I went into one of the back offices and threw it into a Win32 machine. Installed the DRM software, loaded up the image. Beautiful picture of a sailboat. Tried to copy it. Couldn't. Screenshot? Disabled. But they'd let me print it out...
Now for the real punchline:
That DRM solution racked up $12.6 million in sales for their firm in the 1999-2000 fiscal year. Almost all of that was profit, given how minimal their development costs were. That's $12.6 million dollars for a DRM system that wouldn't even stop a twelve-year-old.
This is what I think a lot of us here are overlooking. There's a tremendous amount of money to be made in the field. Palladium, if it goes through, absolutely regardless of whether it works or not, will be a cash cow for Microsoft the likes of which they can't imagine.
Microsoft knows that Palladium doesn't have to work. They just have to make people believe that it'll work--which explains all the Palladium PR blitz as of late.
Almost every PC-like computer today lets you get at instructions to the video display adapter somehow. As computers move to tighter integration, with low-to-medium-end graphics adapters built into the system chipsets, this may require more cooperation from the operating system because there's nowhere to stick a digital logic probe, but it's still doable.
Almost every video display adapter available today lets you get at the digital version of the image before it's fed to the D/A converters. (Audio probably doesn't.) In the past it was simply a result of the obvious architecture for building the things - using some kind of frame buffer than your equipment can write in. Depending on the system, this may take some complex programming, but it can be done. It's also convenient for some applications, such as print-screen and other screen dumps, so it's good to have. (And OCR is good enough you don't need special OCR fonts any more, just simple conventional ones.) The systems that don't let you do that are largely special-purpose things that don't have general-purpose programming available to the users (e.g. video games.) And
But that may not always remain true - the Digital Rights Management crowd are agitating to get control of system design, because all your bits are belong to them and they want to keep it that way. Imagine if your video board and sound board or their integrated chipset equivalents used encrypted data formats instead of unencrypted - it wouldn't matter that you put a logic probe in the line, because you couldn't read the bits. It wouldn't even require much extra CPU - the RC4 encryption algorithm is strong enough, fast enough, and uses very little memory. Key exchange is requires some CPU, but it would be pretty simple to build a public-private keypair into the adapter, where the public key is retrievable by the CPU but the private key is only accessible to the adapter, and require a setup message (either at boot time, or perhaps on a per-application basis) that creates a session key, pk-encrypts it, and hands it to the adapter.
As a crypto geek, I've got mixed feelings about this - I'd like to be able to write an encrypted voice telephony or video conferencing system that not only couldn't be eavesdropped on, but also couldn't be wiretapped by a virus stealing the data path. But the TCPA / Palladium / Fritz Hollings view of DRM basically requires the system to give root access to any program that wants to use the security, and that's blazingly unsafe. It's not clear to me that you can get away with much less than that and still get real application security, but the stuff's obviously Not Ready For Prime Time even on a requirements basis, much less a design or implementation basis.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
And it took only 30 secs for slashdot to bring them down. If the RIAA/MPAA were crafty enough you think they could use slashdot to destroy their enemies. "Hey dudz go to www.dvdinstoripandincodethingy.com, with this you can rip and encode any DVD in 3 minutes on a 386!" *Screams are heard 3 seconds later from the poor server, running openBSD on a gameboy, as it melts* Why waste money on laweryes when one slashdot story will do all you need. And if the site comes back up just re-submit, and its on the front page again. Gotta love slashdot ;).
Pretty hilarious :) Wonder if that book collection is protected...
The problem with the e-book reader is one of the greatest hurdles to overcome in order to transition to a truely electronic society. How can you protect the rights of the author when anybody with a bit of patience or some programming skills can just print screen his / her blood, sweat and tears and give it away to free for anybody on a p2p network? Anybody who argues that all information should be free obviously isn't relying on a royalty check to provide food for their children.
I have a unique idea for the e-publishing world, but there's no point in executing it if the ability to easily circumvent any security precautions exists. So basically I'm asking any programmers out there if they've come across a way to disable the print screen function in a windows app? Or to return a black window when a screen request is being made for a print screen?
Polluting the Internet since 2003...
http://percep
Someone else mentioned that Windows Media Player prevented screen copy. The reason for this is video overlay. Most graphic cards support overlays as faster ways of writing streams of changing video frames to the display without worring about the actual window. If you turn graphic acceleration all the way down in WMP I believe it will play directly to the player window rather than overlay, thereby allowing a capture but most cards won't be able to keep up the same performance that way. I was on some site looking at satellite images a few months ago (I think TerraServer) and they gave me the option of smaller images, or nice big images with copy protection (which required a plugin download to see them, though still right in the browser). I tried to capture the images then using PrtScrn and got logos of the copy protection with no sat image. It seemed likely that the window showed the logo, then they used video overlay for the actual images. I wonder why makers of eBook readers don't use overlays in the same manner for this reason. I used the MS Reader awhile ago and it seemed to allow specific titles to allow/disallow printing, clipboard copy, and Save As functionality. If they also used overlays they would be much harder to defeat (though of course still not impossible). As it is, it would take less than an hour to automate PrtScrn, OCR/save, push keystrokes to change to next page. Images are nice, but MS Office XP includes nice OCR now so the tools are mostly at hand!
If the lack of DRM was going to harm books, it would have happened years ago. Anyone can take a book, rip off the binding, put the pages in a self-fed scanner, use text recognition software to turn the images into text, then upload the text file into a P2P network. It only takes a few hours and almost no effort. The fact that print publishing still thrives tells me that people still value browsing through a store full of already-printed books. E-books are already inconvenient compared to printed books and free web pages (each in its own way), so DRM will kill them outright.
Allow me to reproduce a 'cracked' copy of a digitally available text, right here, right now:
.the Bible?
.to burn all the books.
Now is the winter of our discontent made glorious summer by this sun of York, and all the clouds that lowered upon our house in the deep busom of the ocean buried. Now our brows are bound with vitorious wreaths, our brusied arms hung up for monuments, our stern alarums changed to merry meetings, our dreadful marches to delightful measures. Grim visaged war hath smoothed his wrinkled front, and now, instead of mounting barbed steads to fright the souls of fearful adversaries, he capers nimbly in a ladies chamber to the lacivious pleasing of a lute.
etc., etc., etc..
How did I accomplish this grand task? I *memorized it.* Yes, the whole frickin' play, from start to finish and I'm not exactly the only one. I personally know dozens of others who have done the same thing. It's actually not that difficult once you've decided to do it.
But wait, don't buy now, there's MORE!
Oh sure, a 4 hour Shakespeare play, anyone can memorize that, but what about. .
Sure, across the world there are literally thousands of people who have actually managed to commit the entire Bible to memory. And these people have nothing on the Indian Pandits who memorize the Vedic texts. These people memorize them, then memorize every other word, then every third, etc.. Then they repeat the process *backwards.*
So, is every digital device capable of storing at least 256 bits of data going to have to have an installed database of every text in the known universe to compare against what I manually enter into it? Nevermind this digital to analog conversion device I can interface directly with my brain called. . . a pen.
The fact that I can, and may have to, rely on the circumvention device of Farenheit 451 gives you some idea of the whole moral temperature of digitally locking books. It ain't bookburning but it's treading powerfully close on its heels. In fact, the only way for e-books to ever triumph will be. .
KFG
The author hit the nail on the head - copy protection is impossible. However, the example he used (capturing data with the printscreen key) is a weak illustration of this fact, especially considering the recent speculation about palladium. For example, think about clips played using video overlay in windows media player. Pressing print screen while playing one would yield an off-black rectangle where you would expect a video frame to be. The real reason copy protection is not possible is a little more complicated than "print screen".
I think it's pretty well understood that now, in the pre-palladium/TCPA universe, copy prevention is impossible. If you can read a CD, you can copy it. Perhaps your specific cd burner's firmware isn't robust enough to write specific "strange" bit patterns, but bit-for-bit cd-duplicating machines cannot be fooled. If you can watch a movie contained in a file, you can send it to a friend. Even if that file is encrypted, the player program must decrypt it in order to play it and that decrypted data can be grabbed and written to disk.
At first glance, it seems like palladium will put a stop to this with its careful use of encryption and digital signatures. This is not true. Information physics didn't just fly out the window. All that Palladium accomplishes in connection with modified PC hardware is a separation of user and computer into two entities. Currently, users have complete control over their systems. Any OS can be run and no information is hidden from it by the hardware. The system, all by itself, is incapable of protecting its own private keys from the user. It is incapable of preventing the user from assuming its identity. A palladium OS running on TCPA-compliant PC hardware changes this. A TPM, or Trusted Platform Module, charged with the responsibility of certifying that a DRM-aware OS is running on the hardware is included on the motherboard and has its own sets of private and public keys. The critical difference between a TCPA-compliant computer and a PC of today is that the TCPA PC has its own "identity" separate from its user as defined by its ability to keep its keys confidental and process information using them.
It is well known that the only way to be sure a secret is kept is to make sure that all entities who know that secret agree to keep it a secret. If even one entity "in the know" decides to divulge it to an outside party, that information can no longer be controlled. Palladium/TCPA tries to implement copy protection by ensuring that the only entities that get access to that information agree to keep it a secret - namely the TPMs. In other words, if you were to enter your credit card information into a web site in order do download a palladium-protected movie, you didn't purchase the video for yourself. As it would be transmitted as data encrypted using the TPM's public key, you actually be purchasing the video for another entity, your TPM. The idea is that TPMs will obtain various metrics of the system on boot (is the OS signed or unsigned? the drivers? etc...) and only perform cryptographic operations at the request of the system if everything checks out. In addition, a special "trusted" cpu mode that has the same kind of power over kernel mode that kernel mode has over user mode (an inexact description but good analogy) is used to provide for allocating memeory that is only readable by a trusted application through calls to the program running in trusted mode. That's Palladium/TCPA in a nutshell. The reason that everyone seems to be so upset about it is that, in a bug-free environment, there are no software attacks on the system. The are many hardware attacks, such as special memory that can be used by the system and read by another device, soldering capture devices into output cards, or physically opening the TPM and extracting its cryptographics keys. The list goes on. Also, as information only has to be liberated from the "circle of friends", including all TPMs in all computers and the ??AA, once a single hardware mod would create an unpluggable leak through which an infinite amount of infomation could flow.
Critical and unrepairable holes in Palladium have been found before it has been deployed.
This brings me to the reason I'm writing this post: slashdot is permeated with ignorant fear. People believe that their ability to get copies of music, movies, and software without paying a cent is going to be in jeopardy. While this creates a great deal of support for anti-palladium initiatives (which is good), ignorant advocates can seriously hurt the fight for sensible treatment of information and universal recognition of the truth of information physics by providing passionate but incorrect and empty arguments against palladium and the TCPA (which is bad). So, if you'll still be able to get free entertainment in a palladium world (albeit with much more difficulty and a soldering gun), why is palladium bad? A number of very serious reasons:
Palladium will work reasonably well as attacks, though possible, are difficult. Over time, the majority of computer users would be convinced to believe the dangerous fallacy that copy protection is possible with the support of sufficient laws and technology. This belief (whether fostered by ignorance or campaign contributions) in our elected representatives what spawned the DMCA. In other words, your freedoms are in jeopardy as well as your friday night movie-and-popcorn party.
Palladium claims that it is capable of protecting your personal information - your name, address, credit card number, etc... - and puts you in a position of total control over how that information is used. Users that are bamboozled by the tantalizing promise of "trusted computing" will place their important personal information into the care of an unreliable system under the control of an entity that has profit rather than the users' best interests at heart. That is, they will forego the only true way to make sure personal information is kept confidential - not giving it to the computer. This may become incredibly difficult when the latest version of windows kindly demands it during the install process to activate the user's initial one-year license term.
In order to work, palladium-enabled service providers must be able to verify whether or not the cryptographically signed message coming from the client computer saying "This computer is running DRM-aware software," was signed by a TPM which is reporting accurate system metrics. In order to make sure those messages are unspoofable (by emulating the TPM in software) a central registry of all TPMs and their individual public keys must be maintained and made accessible. In other words, all palladium computers will have unique indelible ID tags and will report them over the internet to whoever asks. I don't have to explain to slashdot the privacy implications of this kind of system.
Hopefully I've managed to replace some ignorant fear with some informed fear. If you're not a member of the EFF, ask yourself why. Right now.
Unlimited growth == Cancer.
As you see now, anything can be copied as long as it becomes photons/sound waves somewhere along the way to our brains. So, the ONLY way to make your precious material totally locked down is to deliver it directly to our brain. You see what I'm getting at?
Neuroscience, man, neuroscience!
Invest a billion or two of the dollars you have lying around into developing a good, non-dangerous brain-computer interface. Then you can deliver digital content directly to our minds, with no worries about it getting stolen along the way! But that's not all!
Millions of geeks will hail you for bringing this invention to light! The ones that were once against you will say your names with awe and respect! Isn't it tempting?
So do it! Go for neuroscience, to make the world better for all of us!
(Yes, I want my Matrix-like spine plug that bad.
And it has nothing to do with the fact that I could then be the star of my very own pr0n reality. Really.)
Back in the late 80's, SimCity (original PC version) shipped with this dark red paper that was impossible to photocopy and just as bloody difficult to read except if you held it at the wierdest angles. All you would get is a full page of black from the copier.
;-), but I learnt way back then, that if you can view it, so can a machine, and hence make a copy.
A friend of mine got the bright idea of running it thru the fax machine. He ran each succesive copy thru the fax a few times, and voila! It was clear enough to read!!
Of course I just kracked the game later (gotta luv the one byte "patch"
--
Maybe there is a reason why the cliché "Turn off the TV, turn on your life" is true:
Television: Opiate of the masses
I've been emailing the guy who did this - he hadn't even *heard* of Palladium or the ridiculous laws proposed to close the analog hole. So all of his bold assertions about this stuff ALWAYS and FOREVER being ways to circumvent copy-protection are just so much ill-informed nonsense.
www.sjbaker.org
Imagine if your video board and sound board or their integrated chipset equivalents used encrypted data formats instead of unencrypted - it wouldn't matter that you put a logic probe in the line, because you couldn't read the bits. It wouldn't even require much extra CPU - the RC4 encryption algorithm is strong enough, fast enough, and uses very little memory. Key exchange is requires some CPU, but it would be pretty simple to build a public-private keypair into the adapter, where the public key is retrievable by the CPU but the private key is only accessible to the adapter, and require a setup message (either at boot time, or perhaps on a per-application basis) that creates a session key, pk-encrypts it, and hands it to the adapter.
I think this is the eventual plan, but as far as I know it's not implemented yet, nor is it in the works. However, I remember reading in an article about HDTV that the DVI interface currently supports almost exactly this scheme. Scary, no?
But the TCPA / Palladium / Fritz Hollings view of DRM basically requires the system to give root access to any program that wants to use the security, and that's blazingly unsafe. It's not clear to me that you can get away with much less than that and still get real application security, but the stuff's obviously Not Ready For Prime Time even on a requirements basis, much less a design or implementation basis.
I actually took the time to start reading through the "general" and "PC-specific" TCPA specs and, while it's certainly a bad idea, it doesn't require as much of a security sacrifice as you suggest. Individual applications that need to make use of "security functions" have two resources at their disposal.
The first is a crypto coprocessor soldered onto the motherboard. If that crypto chip is satisfied with the state of the system (signed OS, signed drivers, encrypted display connection) then it releases certain private and public keys to signed applications on request. In order to be signed, executable code (in the OS, drivers, or software package) must not at any time disclose those keys to other applications, store them unencrypted on disk, or do anything else that could lead to exposure of those keys to an untrusted entity.
The second resource all programs have access to is the a small program running in what I guess could be called "ring -1" (in palladium it's called "the nub"). By making requests to this program, an application can allocate "secure" memory for itself that neither the OS nor any other program can access. This could be used to store unencrypted uncompressed video frames, for example, before they are sent to the video card.
In other words, individual programs that make use of TCPA "security" functions don't gain root access to the system - they access a limited TCPA API to perform a few functions that execute at a privilege level above that of the OS. The TCPA effectively eliminates the rights of the end user, but it does so in a tidy way.