Slashdot Mirror


Breaking Google's DRM

An anonymous reader writes "Google's new Google Print service (that lets you see scanned pages from printed books) has a pile of advanced browser-disabling DRM in it ('Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.'). This works with JavaScript turned off, even in Free Software browsers. Seth Schoen has posted preliminary notes on some breaks to the DRM (beyond just automating a screenshotting process), including a proposal for a circumventing proxy that would fetch Google Print pages and strip out the DRM. A full exploration of the html obfuscation and DRM employed by Google would be very interesting; certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP."

22 of 892 comments (clear)

  1. That explains those mysterious hirings by waynegoode · · Score: 5, Insightful

    Knowing how to develop stuff like this is not a skill everyone has. This might explain why Google recently hired some browser-type software developers (as discussed on Slashdot).

  2. Security issue? by radish · · Score: 5, Insightful


    certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP

    While I agree it would be nice to fix this from a convenience point of view, and a "it's my computer - it'll do what I want" point of view, how is this a security risk? How do I get a trojan, or lose files, because of an inability to copy & paste on a particular page?

    --

    ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    1. Re:Security issue? by Rude+Turnip · · Score: 5, Insightful

      "...how is this a security risk?"

      A part of your security is having control over your computer. Your security has been compromised when you lose that control.

    2. Re:Security issue? by lukewarmfusion · · Score: 5, Insightful

      No kidding... you may not like having those features disabled, but calling them a "security vulnerability" is like shouting "terrorist" because you don't like what someone else says.

      There are plenty of sites that go to great lengths to turn off functionality like copy, back button, print, etc. When a major corporation does it, suddenly it's a risk?

      Google can only offer that information because they can employ DRM.

    3. Re:Security issue? by American+AC+in+Paris · · Score: 4, Insightful
      A part of your security is having control over your computer. Your security has been compromised when you lose that control.

      ...by this logic, an operating system that does not permit a user to dive directly to an arbitrary RAM address and twiddle bits is an operating system that poses a security risk, as you've lost the control to directly manipulate your machine's memory.

      --

      Obliteracy: Words with explosions

    4. Re:Security issue? by EvilSS · · Score: 5, Insightful

      A denial of what service? Your inaliable right to Copy-Paste-Repeate? Your God given right to duplicate copyrighted works?

      Even though most of /. may not like it, Google has to protect the copyright of the books in its search, or not offer them at all.

      Take your pick:
      Google offers book searching with DRM
      Google does not offer book searching

      --
      I browse on +1 so AC's need not respond, I won't see it.
    5. Re:Security issue? by rackhamh · · Score: 5, Insightful

      Your computer is a physical piece of hardware. Unless somebody has locked the case and/or tied your hands behind your back, you retain full control over it... including the decision of which software to install, and which services you choose to use.

      If Google Print doesn't offer the save/print/whatever functionality you desire, then don't use it.

      There, you just exercised your control over your computer.

    6. Re:Security issue? by arose · · Score: 5, Insightful

      Copyright isn't a god given right either. People tend to foerget that...

      --
      Analogies don't equal equalities, they are merely somewhat analogous.
    7. Re:Security issue? by Meostro · · Score: 4, Insightful

      What the hell is wrong with you people?

      This is a *feature* of nearly all modern ECMAScript browsers: You can specify what happens when someone clicks on your page! This "feature" is how you (or more likely someone else) can create a swanky custom context-menu for a browser that matches the functionality in your OS. My goodness, the sky really IS falling!

      Quit bitching, just because Google does it a little better than the average disable right-click page does... (right-click and hold it, hit enter for the Alert() and let go, your context menu will pop up)

      WindowsUpdate uses document.contextMenu to disable right-clicking there too, but I don't see anyone bitching about Windows DRM for patch management, only for video/audio.

      Oh, wait... M$ uses it, therefore it's evil. Bad Google! No cookie for you!

    8. Re:Security issue? by Feanturi · · Score: 5, Insightful

      That definition's too broad though. Is crippleware of any sort then, a security risk? That doesn't make sense. Though, we're talking about a full app here that already saves other things fine but just not this particular content. So what? How is that a loss of 'control'? I still have control over *my* system, just not the ability to manipulate *someone else's* material.

    9. Re:Security issue? by cduffy · · Score: 5, Insightful

      This is distinctly unlike crippleware, unless that crippleware were to (for instance) disable some OS-level functionality until it's paid for.

      Web content shouldn't be able to affect browser functionality without the user's consent, just the same as an application shouldn't be able to disable a part of the OS.

      Finally, and I've said this elsewhere: It's not "someone else's" material in the sense that they have complete and total ownership; it's "someone else's" material in the sense that they own copyright over it. Copyright is, by intent, limited: It controls reproduction, public performance, and several other actions, and no more. It also have a number of execeptions where reproduction and so forth can be permitted (for instance, exerpting for a review).

      Pretending that ownership of the exclusive right to reproduce (and some other actions as well) is equivalent to complete and total control is a modern myth -- but if folks folks don't fight for that distinction, we may well lose it; and in that case, it's the public as a whole that misses out.

    10. Re:Security issue? by radish · · Score: 5, Insightful

      You have complete control. Don't go to that site. See? Easy. No one is forcing you to use this service. If you choose to use it, you are subject to certain rules, one of which is - no copy & paste. Don't like the rules? Don't use the service.

      Counter Example 1: Many popular games won't run without the CD in the drive. In other words, if you try to start the app without the CD, it will not do what you want (it will exit). Did you just lose control of your computer? Is your security at risk? Of course not.

      Counter Example 2: Hard drives have firmware built into them. It is this firmware, not any software on the machine itself, which controls exactly where on the disk data is written. If this firmware fails, data can be lost. This firmware is in ROM, on the drive itself. When you save a file you are trusting it to do the right thing, whatsmore, there's no way you can actually tell what it is doing, or affect what it does. Have you lost control? Is your security compromised?

      --

      ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

  3. It's doomed. by gowen · · Score: 5, Insightful

    Facts :

    i) To display the books, they've got to send that information to the browser, on your machine.
    ii) Once its displayable on your machine, there is *absolutely* no way they can stop a determined person from printing it.
    iii) If its going to work on Open-Souce browsers, the DRM must be fairly transparent.
    iv) If it works on Open Source browsers, someone cleverer than me will modify that browser so that it works as the user intends, rather than the sender. Their only protection is the DMCA, which may stop a US coder from writing/distributing the hacked app, but the rest of us will be laughing.

    Frankly, if Google were as smart as they're hyped to be, they'd know this.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:It's doomed. by ricotest · · Score: 4, Insightful

      You should be thankful they used an open-source browser friendly technique. They could have just as easily wrapped the images in ActiveX or maybe Java in such a way that the data is never cached in an accessible form. The only way to get the image would then be screen-capture (made even harder if they used the graphics card buffer, but maybe that's overkill)

      Do you want Google to drop this technique and go for something more proprietary that won't work at all?

  4. Re:Getting stuff for free? by ImaLamer · · Score: 5, Insightful

    this just looks like breaking DRM to get stuff for free.

    You are 100% right.

    It isn't about "security" or even "fair use" it's about the ability to cut and paste, save and print someone else's content without their permissions.

    I could understand if you owned the books but you don't. Sounds like a good way to bite the hand that feeds you.

    If you are really concerned with Google messing with your browser... don't go to any Google domain, ever. Add an entry in your HOSTS file for google, froogle, gmail, gbrowser and whatever else you'd like.

    It's a free service, free in the sense that you are free not to use it.

  5. Google has to do it, not make it work by RealAlaskan · · Score: 4, Insightful
    Google has to do this, but they don't have to make it work.

    They have to show the suits at the publishing houses that they are being responsible, safeguarding the suits' ``intellectual property''. It doesn't really matter whether it actually works, just as it doesn't really matter if the features in the checklist on the box of software work. It's a tool for the salesman to use.

    If this feature exists but really doesn't work, then the suits get the illusion that their ``intellectual property'' is protected, and they get free advertising of the try-before-you-buy variety. For this best of all possible worlds scenario, it has to work well enough to fool the suits, but not well enough to stop the rest of us.

    Sounds to me as if Google has gotten it to work just about well enough to do a good job for all concerned: Google, us readers, and even the suits.

  6. Hmmm by Auckerman · · Score: 4, Insightful

    You are adding to the fire by allowing them to change the definition of copyright. Copyright gives holder no right to determine how one USES content, it merely gives them a monolopy right over copying the content for distributation. There are some copyright limitations on use, such as public displaying and the like, but fair use clearly says once you give ME a copy of your work, I can do anything I damn well chose to it.

    It already gave me a copy of the work for free, if I chose to burn it, make a hat out of it, or print it out, it's my business.

    --

    Burn Hollywood Burn
  7. + AdBlock on cleardot.gif by FooAtWFU · · Score: 4, Insightful
    That doesn't get around the cleardot.gif file, but you can AdBlock that image easily enough, and if your AdBlock is set to hide ads instead of removing them, you can then view the background image.

    I seem to recall them using a simiar trick on the official site for Lord of the Rings when it came out.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  8. Re:Getting stuff for free? by phurley · · Score: 4, Insightful

    Even within the framework of our eroding copyright laws, fair use allows quoting of copyrighted works. Why should I not be allowed to cut and paste (to prevent distorting a quote)? So I would say this is not an open and shut case.

    I understand the necessity for the DRM by Google -- without it their library of content will be severely limited; however, do not paint the actions of everyone attemting to circumvent the DRM.

    --
    Home Automation & Linux -- now I know I'm a geek
  9. This is just the beginning by dmeranda · · Score: 4, Insightful

    What's next, banning cell phone cameras in book stores, or libraries?

    This sort of HTML onfuscation abuse is just the beginning. This is a general problem with any sufficiently rich presentation language. There are hundreds of different ways to obfuscate things.

    Just wait until MS finally decides to properly support PNG alpha transparency! Combine this with CSS absolute positioning, and you'll start seeing images which are composited from many different layers of semi-translucent images; each of which is just noise of it's own. You also have already seen for a long time the cutting up of images into many small pieces.

    This could be taken to an extreme as well. With absolute positioning you could also do this with text as well as images. Just position each letter on the page separately and randomize the order in which they appear in the HTML stream. Or even worse, use a custom downloaded font, where the glyphs are all randomized, so although it may look like an "A", it's really in the slot for a "Q"...try to cut and paste that.

    Consider the PDF format as an extreme of where XHTML+CSS+DHTML+PNG can go wrt. obfuscation. Sure, the determined and savy can always get the text copied out; but that doesn't mean its not going to be very difficult.

    Maybe we should all go back to ASCII and lynx.

  10. You're missing the point... by rpdillon · · Score: 4, Insightful

    This was always intended as a "feel good" feature of the Google print system so that pulishers would feel safer sending tons of books to Google.

    The "real" DRM here isn't DRM. As a previous post so astutely pointed out, DRM is schitzophrenic by nature: it involves trying to give someone something without *actually* giving it to them.

    Google's "real" protection is that the service won't let you view more than a certain percentage of the book in any given month. That percentage is determined by the book's publisher at submssion time, anywhere from 20% to 100%.

    Even if you can copy/paste/print, you're still only going to get a portion of the book - certainly not enough to replace a valid sale. Disabling that functionailty basically returns us to the age of photocopying a few pages of a book/article in a library. Except now we can search, so it's faster.

    If one solution is as simple as "grab th data from your browser's cache" this is clearly meant to only stop the "average" user, something that is in very short supply here on /. But it's good enough for Google to run the business, most likely.

    Here's to hoping this headline appearing on /. isn't going to spread enough FUD to publishers that would have otherwise sent in their material. Google print is still in its infancy, and could fail if Google doesn't assert some spin control on the situation, I suppose. Maybe I overestimate /.'s influence.

  11. Hey retard by autopr0n · · Score: 4, Insightful

    Most people arn't aware of that workaround. But browsers are supposed to work for the user not the website designer. "Features" that irritate the user in order to placate designers are antithetical to that the concept.

    Designers didn't pay for my machine, why should they have any right to control what I do with it.

    --
    autopr0n is like, down and stuff.