Breaking Google's DRM 892
An anonymous reader writes "Google's new Google Print service (that lets you see scanned pages from printed books) has a pile of advanced browser-disabling DRM in it ('Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.'). This works with JavaScript turned off, even in Free Software browsers. Seth Schoen has posted preliminary notes on some breaks to the DRM (beyond just automating a screenshotting process), including a proposal for a circumventing proxy that would fetch Google Print pages and strip out the DRM. A full exploration of the html obfuscation and DRM employed by Google would be very interesting; certainly the ability for a remote attacker to disable critical browser features like save, right-click, copy and cut against the user's wishes is a major security vulnerability in Moz/Firefox and should be fixed ASAP."
Plain google search on book titles (Score:2, Informative)
Article Text (Score:5, Informative)
To further protect your book content, printing and image copying functions are disabled on all Google Print content pages.
Similarly:
We've put a number of measures in place to prevent the downloading, copying, or printing of your content [...] Pages displaying your content have print, cut, copy, and save functionality disabled in order to protect your content.
I'm surprised at how much effort Google went to here. I would have expected my browser not to be vulnerable to having any of its "functionality disabled", yet, with a recent Firefox, I found that I couldn't
1. print the page to a PostScript file,
2. right-click on the page at all,
3. save the page to disk (the image would somehow not be downloaded at all),
4. view the precious image in Page Info/Media (although I could see which image it was),
5. save the precious image in Page Info/Media,
6. find the precious image in the DOM Inspector (which seemed like the really heavy artillery), although the DOM Inspector did let me see its URL as part of an uninterpreted style definition, and seem to reveal the trick: defining a style called ".theimg", with the definition
{ background-image:url("http://print.google.com/lon
and then invoking that style inside a
So I tried turning off JavaScript, and I found that I was essentially no better off: right-clicking caused a copy of cleardot.gif, not the
The two ways I've found so far that work to capture images from Google Print are a screen capture (I used xwd, which of course worked perfectly) and looking in the on-disk cache (ls -lrt
If you wanted to write a proxy that would make Google Print pages capable of being saved to disk, you would presumably want to match
background-image:url("http://print.google.com/\
(although you'd need to be careful to match only the one in the definition of ".theimg", because it looks like there may at least one other background-image:url) and then replace
I haven't tried this because it felt like too much work relative to the previous two methods.
Contrary to what I expected, Google Print does not seem to check referer, so it seems to be possible merely to extract the URL from the definition of
Google must have hired some experts on html image protection or html obfuscation. To be sure, there are lots of other tricks in Google Print that I had never seen before. It is hard to think that the author of that HTML obfuscation was not the subject of Richard Stallman's accidental haiku. It is amusing to think that Mr. Bad's "other" DeCSS might at last be used for some kind of circumvention (although I doubt it, because presumably Google Print simply won't work at all with the CSS removed).
Explanation Provided (Score:5, Informative)
I've been looking at this - there's a blog post [mozillazine.org] with some preliminary discussions, and a follow-up [mozillazine.org] giving some ways of getting around it. The short answer is that if you just want to save the image to disk, it's not too hard in a decent browser [mozilla.org].
Gerv
Re:First, how go I get to Google Print (Score:5, Informative)
gerv talks about this (Score:5, Informative)
Google Print, And Clue Barriers [mozillazine.org]
Google Print Hacking Ideas [mozillazine.org]
For those with tinfoil hats (Score:5, Informative)
Now they're both [mozilla.org] mysteriously restricted to general viewing.
Re:Nature of Information (Score:5, Informative)
I copied this from a post I saw earlier on slashdot - I have lost the link but still have the text.
That's why they need the dumb-ass DMCA, because it's impossible to make secure DRM. DRM is not and can never be cryptographically secure because it is not actually a cryptography problem. Cyrpography is about keeping secrets away from unauthorized people. That's fairly easy. DRM is about GRANTING people authorized access and GIVING them the key and then attempting to keep what you've given to them a secret from them.
DRM is a schizophrenic and fundamentally impossible task.
All they can do is the key obscurely inside the player and hope that no one makes the effort to look at it.
It was written about SACDs, but it applies just as equally to stopping people copying text. In the long run, DRM won't work. It's just a serious pain in the ass, especially for legitimate users (how can you get fair use if the damn copy/paste functionality is disabled?)
-- james
-1 Troll (Score:3, Informative)
It's been explained ad nauseum that google does not archive deleted email indefinitely; deleting just isn't instantaneous, because of the nature of the system.
from the gmail privacy page [google.com]One-line bookmarklet for your convenience (Score:4, Informative)
It's not tough "DRM"... my university's local online student newspaper equivalent [wfu.edu] effectively does the same thing.
very easy to break... (Score:5, Informative)
First, turn off javascript. then turn on image dimensions. right click on the dimensions for the main image, and click view background image.
http://print.google.com/print?id=ULQSG0Zs7vcC&pg=3 &img=1&q=mastering+digital+photography&sig=gv2nFpt Ef0dj7Gzb8eZ4U8UdtUo [google.com]
is the URL that is used, and surprisingly it is linkable from outside, it doesn't appear to check IP's, browsers, or anything else. (deep link away!)
Gerv did it (Score:5, Informative)
Re:here we go again. (Score:3, Informative)
And how about Usenet?
Re:Please provide demo URLs (Score:5, Informative)
Next idea: use the DOM Inspector to inspect the entire browser XUL. This means that the context menu will still work. It's more difficult to do, because you can't locate elements by clicking in the content area - it only works for the chrome. Still, we finally track down the clear GIF and delete it. Boom! This time Firefox crashes (taking with it an earlier version of this blog post.)
OK, let's try another approach. Let's find the surrounding
Success! This works. We can chop off the CSS gubbins, paste the result into a web browser URL bar, and finally get an image we can save.
In fact, you can also get the URL of the page graphic by viewing the source. It turns out that it's not as hard as I made out, because currently, the
so it's easy to find.
Re:Article Text (Score:1, Informative)
On one the known issues with Mozilla's save-a-complete-Web-page feature is that it doesn't download background images specified in CSS.
Just use the Firebird extention (Score:1, Informative)
Re:So? (Score:4, Informative)
From the Google Print FAQ: (Score:4, Informative)
What can I do with books that I find?
Well, you can browse a few pages, learn more about the topics explored by the book, buy it, or commit a selection to memory. To further protect your book content, printing and image copying functions are disabled on all Google Print content pages.
I don't see the big deal. As long as they let me still use "back", "forward" and "exit" I'll be happy. Sure it sucks that you might have to buy a book or write down your favorite quote, but it's free as in gratis at this point.
Amazon only lets you get about 3 pages into a book and usually you can't leave the introduction.
I can print with Safari (Score:3, Informative)
I am afraid, however, that Apple will face pressure to restrict this rather useful feature. At one time, it could be used to evade Quicktime silliness, but it seems the feature has since been disabled.
(The transparent.gif overlay technique has previously been used by (ahem) vendors of photography, and (of all people) ebay sellers. It's not quite novel.)
502 Error (Score:3, Informative)
The text is an image (Score:2, Informative)
# telnet print.google.com 80
GET
Trying 64.233.161.118...^M
Connected to print.google.com (64.233.161.118).^M
Escape character is '^]'.^M
HTTP/1.0 200 OK
Content-Type: image/jpeg
Set-Cookie: PREF=ID=3a4b3c405b55e316:TM=1097254155:LM=1097254
Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: OFE/0.1
Content-Length: 95942
Date: Fri, 08 Oct 2004 16:49:15 GMT
Connection: Keep-Alive
^@^PJFIF^@^A^A^@^@^A^@^A^@^@^@C^@^H^F^F^G^F^E^H
<snip>
The jpeg can be converted to postscript, which can be converted to text.
This gets one page. If someone could reverse-engineer the "sig" argument I'm sure you could specify a page number.
To be honest, it would probably be easier to just check the "Economic Development" out from the library.
I also notice the slashdot effect is starting to crush print.google.com.
Re:That explains those mysterious hirings (Score:2, Informative)
Second, even without Javascript, CSS offers numerous ways to make saving a webpage a complicated problem. Some browsers also honor cache timeouts when you try to save a page and make revealing roundtrips to the server. You could also trigger alarms based on page frequency. Humans don't read a page per second...
Ultimately however, what you can see you can save. Google doesn't give you plain text, only images which are hardly suitable for OCR, but for some that may be enough. I for one wouldn't want to read a text which is presented at what looks like 50 ppi.
Re:That explains those mysterious hirings (Score:3, Informative)
Re:For those with tinfoil hats (Score:2, Informative)
<title>Ook!</title>
<body>
Sorry, links to Bugzilla from Slashdot are disabled.
</body>
</html>
Wow. That's a sentence I never expected to read.
Re:Getting stuff for free? (Score:5, Informative)
Which DRM? I have no DRM installed on my machine. I have agreed to no contracts or EULAs with regard to DRM.
Google sends me some copyrighted information. The copyright law limits what I can do with it (e.g. I cannot republish), but for my own private use I can do pretty much anything I want with it.
That image already exists as a file (or part of a file) on my machine. What Google is doing is trying to prevent me from looking at it in non-approved ways. Well, it can try, but I have no legal or ethical obligations to follow its wishes. If I want to take that image, load it into Photoshop and play with it there, I am completely within my rights.
So, no, I don't see any problems (either legal or ethical) with breaking this pseudo-DRM -- and I am willing to bet it will be breakable very easily -- and using these images however I want within the limits set by the copyright law.
Re:It's doomed. (Score:5, Informative)
They also use the standard context-menu disabling Javascript, which IE respects (and Mozilla does as well if you tell it to). Other than this (standard-issue) trick, they aren't doing anything sneaky to the user's browser at all. They could even disable the DRM for non-copyright pages if they wanted to (don't use the transparent cover image, and don't disable the context menu). All in all, it seems like a pretty slick implementation!
Re:So? (Score:4, Informative)
Re:First, how go I get to Google Print (Score:3, Informative)
Table graphics (Score:2, Informative)
Took me 30 seconds and a packet sniffer (Score:2, Informative)
All you need is a script [mac.com] to retrieve CSS background-images and *poof* goes Google copy protection. It was doomed from the start, anyway.
Re:Security issue? (Score:2, Informative)
Re:That explains those mysterious hirings (Score:5, Informative)
@media print {
#content { display: none; }
}
Toss in half a dozen other spoilers such as multi-part mime & redirects (to hide URLs), DOM event handlers (to handle & ignore mouse clicks), transparent gifs (to mangle context menus), transparent DIVs that become opaque when printed and you achieve the desired effect.
They're all surmountable, but I suppose Google want to be seen to be making a concious effort to block people from printing out pages.
Easy to circumvent (Score:2, Informative)
This is easy to circumvent, at least in X. You can copy text by simply selecting it.
http://print.google.com/print/doc?articleid=y4tfu9 YqpnG [google.com] (sans formatting):
Re:It's doomed. (Score:3, Informative)
Re:Security issue? (Score:2, Informative)
And yes, you can right click on a Google image and save it. Well, almost. First, you have to use AdBlock to block the "cleardot.gif" file, the transparent GIF that overlays the image. Then you right-clicksually called) to "View Background Image". Then you will get the JPEG image of the book's page. You can then right-click the JPEG image and save it where you wish.
If one wanted to make this process a little easier, one could use a proxy server that saved all images that passed through. Of course, the proxy server would have to ignore the No-Cache headers that Google probably puts on the images, but that shouldn't be difficult.
DRM is a misnomer (Score:2, Informative)
On the other hand, Copy-protection indiscriminantly curtails duplication.
Easy to break in Firefox + adblock (Score:3, Informative)
Re:Easy to circumvent (Score:2, Informative)
That, or Google just gave up all the protection thing, because on the url you posted I can select, right-click-copy with Firefox 1.0PR AND Internet Explorer on Windows XP SP2. (oh wait 'XP' has 'X' too
For crying out loud... (Score:1, Informative)
Re:Security issue? (Score:5, Informative)
Block sites from:
[X] Disabling right-click context menus
In Firefox:
* "Edit" -> "Preferences"
* Select "Web Features"
* Click the "Advanced" button next to "Enable JavaScript"
* Uncheck "Disable or replace context menus"
(This was bug 86193, checked into the code in March. It's in 1.0PR)
As for single-window mode, there are plenty of extensions. Try the one called "Tabbrowser Extensions [sakura.ne.jp]", for instance.
You can read the whole book on Amazon (Score:4, Informative)
So:
Re:Article Text (Score:2, Informative)
They are resizing a clear GIF file to cover the entire face of the background image. Save the source in notepad search for cleardot.gif. Change all of the size specifications for these IMG tags to 10. Save the file and reopen with firefox. There will be a small narrow band where you can see part of the target document. Right-click and "Copy Background Image", then open paint and paste and you have it.
DRM cracked in 30 minutes. This shit doesn't work...
Re:That explains those mysterious hirings (Score:3, Informative)
Break it in one minute with IE, no less. (Score:4, Informative)
-Load up the book in the browser.
-Click the View menu, select Source.
-Search for "div class=browse"
-Immediately before that, you'll find something like this in a CSS style:
{ background-image:url(http://print.google.com/prin
-Take that URL, copy and paste it into a new browser window and voila, you have the full size image. Save As or Print on this image works fine. No problems at all.
Seriously, this is trivial to break.
What's not trivial is getting an entire book. How to figure out how to get every page is the tough part. Getting the image itself is a cakewalk. It's just Javascript tricks to break right-clicking and CSS tricks to break direct printing from that window. Saving gets broken because of the tricky CSS using the IMG as a background image. The browser doesn't think to save the image, is all.
It takes two seconds with Safari (Score:2, Informative)
1. Go to a "protected" page, like the sample page [google.com].
2. Select the Activity window from Safari.
3. Double click on the largest image, i.e. this [google.com] page.
4. Do what ever you want with it.
5. Profit!!!
I FOUND AN EASY FIREFOX WORKAROUND (grin grin) (Score:1, Informative)
Ok, so go to a bookpage, this will help finding one: http://www.google.com/search?q=mastering+digital+
Next, use the Web Developer extension (you have that one right?) to Display ID & Class details. You will see a class named theimg. Now right click that red little box and "View background image".
I thank you very much.
Hopla
Re:That explains those mysterious hirings (Score:3, Informative)
Actually works extremely well, so such things can be used for good.
Not that hard? (Score:2, Informative)
2) Click on the book link.
3) View source.
4) Search the source for something like: http://print.google.com/print?id=iGvy3fB-D-QC&pg=
5) Go to that URL in your web browser.
6) Save the image.
Step one INCORRECT (Score:3, Informative)
Tools -> Options -> Web features -> Advanced Button -> uncheck "Disable or replace context menus"
most of the time "edit" is used to copy, paste find and undo. never seen a preference selection in an edit menu before.
Firefox + javascript bookmark = Fix (Score:1, Informative)
javascript:for(var i =0;i < document.images.length
Re:Step one INCORRECT (Score:3, Informative)